
Script crashing game on activation after restart.

Posted: Sat Jul 21, 2018 11:55 pm
by Detrimantix
Hello all, looking for someone more experienced that can help me out as I can't for the life of me figure out what's causing the crash.



Basically I located the address and altered it to do what I want it to do, but each time I restart the game, unless I perform the unaltered action first in game prior to activating the script, it crashes. But if I perform the action once, the script works fine. I'm hoping someone can shed some light on why this is happening and how to fix it. I've included a picture showing the altered code causing the crash in question. Cheers!



[IMG]https://i.imgur.com/GluynQu.png[/IMG]

Posted: Sun Jul 22, 2018 12:32 am
by TimFun13
Does the code exist before the action is performed?

Do you just change bytes at an address or are you doing an AOB scan in a script?



EDIT:

Seeing the unchanged opcode may also help.

Posted: Sun Jul 22, 2018 3:00 am
by Detrimantix
Sorry, I should have been a little more specific. The bytes in the picture are unchanged, a simple nop (db 90) does what I need it to do, and I am accessing it through aobscan. The only issue is that I need to perform said unchanged function in game on restart PRIOR to activating the script, or it crashes. Almost as if what I'm trying to inject into doesn't exist unless the game sees it first. This is the code, to make it simpler.



[CODE=cea][ENABLE]

aobscanmodule(INJECT,Game.exe,74 29 8B 86 EC 00 00 00)
registersymbol(INJECT)

INJECT:
db 90 90

[DISABLE]

INJECT:
db 74 29 8B 86 EC 00 00 00

unregistersymbol(INJECT)[/CODE]

Posted: Sun Jul 22, 2018 3:30 am
by FreeER
I don't really see anything obvious... so, maybe just add a flag that's 0 and in newmem test it, if it's 0 set it to 1 and jump to the original code (test+je), otherwise jump back after the injection the same as if it was just a nop (probably easiest to inject at the original test rather than the je).

That way the hack doesn't start until after the original code has run once (and presumably done some initialization, etc., that prevents it from crashing later).

Posted: Sun Jul 22, 2018 3:42 am
by koderkrazy
The AOB([COLOR=rgb(41, 105, 176)]74 29 8B 86 EC 00 00 00[/COLOR]), that you are using for the scan, looks too short to be unique.



Restart the game, but don't do the action in game.

Then do a manual AOB scan like this. Make sure the Writable checkbox is a black square.

[IMG]https://image.ibb.co/iP3Egy/Aob_Scan_Unique.jpg[/IMG]

See how many addresses you get...



Now do the action in game and click on 'First Scan' again. Now see how many results you get.

At both times you should get only one result.

Posted: Sun Jul 22, 2018 4:59 am
by Detrimantix
[B][USER=980]@FreeER[/USER][/B] I think I understand what you mean, but I'm not sure of the best way to go about that; I've still got a lot to learn. Do you mind showing me an example?



[B][USER=18664]@koderkrazy[/USER][/B]

You were right, I was coming up with more than one address, but the one I wanted was the first one that shows up each time, so the result is the same. Even with a longer AOB string and only 1 result, I get crash and burn.



Also, to specify further, the game crashes when the button is pressed in game, not when the script is activated. And for what it's worth, jne seems to work as well as nopping the instruction. If anyone has any other ideas on how to get it to work, I'd be eternally grateful.

Posted: Sun Jul 22, 2018 6:02 am
by koderkrazy
Could you try nopping both the cmp and je instructions? Because cmp sets flags.



Provide the entire function implementation so that we get a better understanding.

[LIST=1]

[*]Select the line [ICODE]cmp word ptr[esi+000000cc],14[/ICODE]

[*]Right click and select 'Select current function'. If it doesn't select the entire function, select it manually from the start till the last ret instruction.

[*]Go to menu 'File' -> 'Save disassembled output'

[*]Attach the text file here.

[/LIST]



BTW, what game is this?

Posted: Sun Jul 22, 2018 7:03 am
by Detrimantix
Sure thing boss, let me know if you need anything else. Nopping the compare flag still causes a crash, I've messed around with most of the opcodes in that area and I'm just lost. And the game I'm working on is Biohazard 3.

Posted: Sun Jul 22, 2018 11:31 am
by TimFun13
You should refine your AOB so that you only get 1 result.

If the AOB comes up with multiple results, then if the code is JIT code it may not exist before some action and you might be injecting in the wrong spot. I would make the AOB unique, then restart the PC and the game, and before doing anything scan for the AOB to see if it exists. The code could be reallocated and JITed for new levels and whatnot.



Do you use "INJECT" as a symbol anywhere else? The symbol name must be unique.

Before disabling the script, in the memory view form use "go to address" and input the "INJECT" symbol to see where the disabled code is written.



I like to not change the bytes, to just test the injection itself. So if this crashes then it's not the code; it's the injection spot, memory checks, or something else.

[CODE=cea][ENABLE]

aobscanmodule(INJECT,Game.exe,74 29 8B 86 EC 00 00 00 8B 8E E8 00 00 00 33 D2 C7 46 04 01 07 02 00)
registersymbol(INJECT)

INJECT:
db 74 29

[DISABLE]

INJECT:
db 74 29

unregistersymbol(INJECT)[/CODE]
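As an added illustration of the uniqueness check koderkrazy and TimFun13 ask for (this is example code written for this thread, not code from the thread or from Cheat Engine): a small Python pattern scanner that reports every offset at which an AOB occurs in a byte buffer. The "module image" and the second code site in it are constructed so that the short 8-byte AOB hits twice while the longer one hits once; the patterns themselves are the ones quoted above. A second buffer with the first site absent stands in for a scan taken before the in-game action, which is the "does it exist yet?" check TimFun13 suggests.

```python
from __future__ import annotations
import re


def aob_to_regex(aob: str) -> re.Pattern[bytes]:
    """Compile a Cheat Engine style AOB string (e.g. "74 29 ?? 86") into a bytes regex.

    Each whitespace-separated token is one hex byte; a token containing '?' or '*'
    matches any single byte. The body is wrapped in a lookahead so that overlapping
    hits are all reported, the way a memory scan lists every matching address.
    """
    parts: list[bytes] = []
    for tok in aob.split():
        if "?" in tok or "*" in tok:
            parts.append(b".")
        elif len(tok) == 2:
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"bad AOB token: {tok!r}")
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)


def aob_scan(image: bytes, aob: str) -> list[int]:
    """Return every offset in `image` where `aob` matches."""
    return [m.start() for m in aob_to_regex(aob).finditer(image)]


def is_unique(image: bytes, aob: str) -> bool:
    """True only when the pattern hits exactly once, the condition the thread asks for."""
    return len(aob_scan(image, aob)) == 1


# Constructed data (not dumped from any game). SITE_A carries the 28 bytes quoted by
# TimFun13 and FreeER; SITE_B is a made-up second site that shares only the first
# 8 bytes with it.
SITE_A = bytes.fromhex(
    "A9 00 00 00 80 74 29 8B 86 EC 00 00 00 8B 8E E8 00 00 00 33 D2 C7 46 04 01 07 02 00"
)
SITE_B = bytes.fromhex("74 29 8B 86 EC 00 00 00 8B 8E F0 00 00 00 33 C9 E8 00 00 00 00")

# Image as it would look after the in-game action: both sites present.
IMAGE_AFTER = b"\xcc" * 64 + SITE_A + b"\xcc" * 128 + SITE_B + b"\xcc" * 32
# Image before the action: the site we want is not there yet (JIT / late-loaded code).
IMAGE_BEFORE = b"\xcc" * 220 + SITE_B + b"\xcc" * 32

# Patterns from the thread, plus a wildcard variant that reintroduces ambiguity.
SHORT_AOB = "74 29 8B 86 EC 00 00 00"
LONG_AOB = "74 29 8B 86 EC 00 00 00 8B 8E E8 00 00 00 33 D2 C7 46 04 01 07 02 00"
WILD_AOB = "74 29 8B 86 EC 00 00 00 8B 8E ?? 00 00 00"


def report(image: bytes, aob: str) -> str:
    """One-line summary suitable for eyeballing, mirroring 'see how many results you get'."""
    hits = aob_scan(image, aob)
    verdict = "unique" if len(hits) == 1 else f"{len(hits)} result(s)"
    return f"{aob!r}: {verdict} at {[hex(h) for h in hits]}"


if __name__ == "__main__":
    print("after action:")
    for pattern in (SHORT_AOB, LONG_AOB, WILD_AOB):
        print("  " + report(IMAGE_AFTER, pattern))
    print("before action:")
    for pattern in (SHORT_AOB, LONG_AOB):
        print("  " + report(IMAGE_BEFORE, pattern))
```

Running it shows the short AOB matching at two offsets and the long one at a single offset, and the long AOB returning no hits in the "before action" buffer. The wildcard line is worth noting: extending a pattern helps only if the added bytes actually differ between candidate sites, so a `??` placed on the one distinguishing byte makes the longer pattern no better than the short one.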

Posted: Sun Jul 22, 2018 1:43 pm
by FreeER
While I'd recommend a more unique symbol name, the flag approach would be something like:

[code]
[ENABLE]
// and yeah, it's best to have a unique aob just in case with modern games
// older ones without dynamic code won't care as long as it's the first (barring updates that could add or move things)
aobscanmodule(INJECT,Game.exe,A9 00 00 00 80 74 29 8B 86 EC 00 00 00 8B 8E E8 00 00 00 33 D2)
alloc(newmem,$1000, INJECT)

newmem:
cmp [flag], 0
jne skip // bypass original check
// otherwise if 0 fallthrough to original
original:
inc [flag] // make it not be 0 in the future
test eax, 80000000 // original (overwritten) test
jmp return // jump to original je
flag: // value indicating whether to run original check or not
dd 0

INJECT:
jmp newmem
return: // define label at je
return+2:
skip: // define label after je

registersymbol(INJECT)
[DISABLE]
INJECT:
db A9 00 00 00 80
unregistersymbol(INJECT)
dealloc(newmem)
[/code]

Posted: Mon Jul 23, 2018 4:24 am
by Detrimantix
[B][USER=91]@ShyTwig16[/USER][/B] Tested that earlier on and it doesn't crash with unaltered code, so it's not the injection point. I also tried a longer array of bytes string, and it turned up only one result each time, and it still causes a crash unfortunately.



[B][USER=980]@FreeER[/USER][/B] Thanks for typing that out. I understand it for the most part, just not sure how to really insert my own code into that so it checks that the code has been changed in game first. Sorry, still pretty new to assembly, please bear with me.

Posted: Mon Jul 23, 2018 3:36 pm
by FreeER
I'm not sure what you mean; you didn't describe your code checking anything, just nopping a je so it wasn't taken. The example provided does a similar thing, skipping the je and letting the code after it run, but only when a flag variable is not 0; when it is 0 (the first time) it increments it and does the original test and je.

So if you enable it and then click the button or whatever causes that code to run, the first time it'd do whatever it would have without the hack, and every other time (until it's disabled and reenabled) it'd skip the je.

Posted: Mon Jul 23, 2018 5:34 pm
by Detrimantix
Ah well when I tested the code you posted as is it crashed the game the same way, so I assumed I missed something and just didn't know how to implement it.

Posted: Mon Jul 23, 2018 5:50 pm
by FreeER
Well, it was worth a shot. The only other thing I can think of, without being able to test myself, would be changing it to run the original code multiple times, e.g. 5, 25, 100, etc., before doing the hack. Basically change the cmp to 0 to check for that number and then use jl rather than je. Though if the code only runs once when you click a button, etc., then that doesn't make much sense to me.

Posted: Mon Jul 23, 2018 10:19 pm
by Detrimantix
[B][USER=980]@FreeER[/USER][/B]

Basically I'm trying to bypass a trigger for activation. Normally the function requires strict timing, so I wanted to skip the timing check and just have it activate on button press, and it works, but again it only works if the function is performed once before injection, or else it crashes. My guess is something is loaded into memory when the function is performed and I have to trace it somehow and inject that part first, but figuring out what gets loaded has been a headache. I just feel lost looking at the wall of functions. I'll try what you suggested though and see if it helps.



[B][USER=18664]@koderkrazy[/USER][/B]

Did you have a chance to check that disassembled code by any chance? I tried nopping the cmp and je simultaneously earlier and it had the same effect by the way.