Script causing game to crash

D1g1Byt3

Novice Cheater
Jun 9, 2017
18
0
1
#1
I was just making a simple script for the game Crea
http://store.steampowered.com/app/280520/Crea/

Steam specifically

For now all I was trying to do was store the base address in a label to access later,
and then add the health and stamina offsets to get the addresses. I really don't know how to explain it properly.

Anyways the problem I am having is this.
I tried adding what I think to be the base address to a label. When I enable the script it acts like it's going to add the address, and when a value such as the health changes, the game just crashes. No warning or error or anything. I was wondering if there is something I am missing. I was able to debug just fine with no crash, but as soon as I enable the script and a value changes, it crashes.


Here is the script:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat



aobscanmodule(hpread,crea.exe,89 81 84 00 00 00 C6) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

globalalloc(_playerbase,4)

newmem:

code:
mov [_playerbase],rcx
mov [rcx+00000084],eax
jmp return

hpread:
jmp newmem
nop
return:
registersymbol(hpread)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
hpread:
db 89 81 84 00 00 00

unregistersymbol(hpread)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "crea.exe"+75C27A

"crea.exe"+75C252: C7 40 18 00 00 00 00 - mov [rax+18],00000000
"crea.exe"+75C259: 48 8D 50 08 - lea rdx,[rax+08]
"crea.exe"+75C25D: 48 8D 40 10 - lea rax,[rax+10]
"crea.exe"+75C261: 0F 2F D8 - comiss xmm3,xmm0
"crea.exe"+75C264: 48 0F 46 D0 - cmovbe rdx,rax
"crea.exe"+75C268: 48 8D 44 24 70 - lea rax,[rsp+70]
"crea.exe"+75C26D: F3 0F 10 02 - movss xmm0,[rdx]
"crea.exe"+75C271: 0F 2F C2 - comiss xmm0,xmm2
"crea.exe"+75C274: 48 0F 47 C2 - cmova rax,rdx
"crea.exe"+75C278: 8B 00 - mov eax,[rax]
// ---------- INJECTING HERE ----------
"crea.exe"+75C27A: 89 81 84 00 00 00 - mov [rcx+00000084],eax
// ---------- DONE INJECTING ----------
"crea.exe"+75C280: C6 81 C0 00 00 00 01 - mov byte ptr [rcx+000000C0],01
"crea.exe"+75C287: 48 81 C1 98 00 00 00 - add rcx,00000098
"crea.exe"+75C28E: E8 9D AD FF FF - call crea.exe+757030
"crea.exe"+75C293: EB 3E - jmp crea.exe+75C2D3
"crea.exe"+75C295: 0F 57 C9 - xorps xmm1,xmm1
"crea.exe"+75C298: C7 44 24 78 00 00 00 00 - mov [rsp+78],00000000
"crea.exe"+75C2A0: 48 8D 81 8C 00 00 00 - lea rax,[rcx+0000008C]
"crea.exe"+75C2A7: 48 8D 4C 24 68 - lea rcx,[rsp+68]
"crea.exe"+75C2AC: 0F 2F 18 - comiss xmm3,[rax]
"crea.exe"+75C2AF: 48 0F 47 C8 - cmova rcx,rax
}
 

Schnitzelmaker

Expert Cheater
Mar 3, 2017
105
0
16
#2
Isn't rcx 8 bytes long? So globalalloc(_playerbase,8)
Also, as I hear, it is recommended to set the 3rd parameter on alloc.
Example: alloc(newmem,$1000, hpread)
Code:
ALLOC(allocName, sizeInBytes, Optional: AllocateNearThisAddress)
Allocates a certain amount of memory and defines the specified name in the script.
If AllocateNearThisAddress is specified CE will try to allocate the memory near that address.
This is useful for 64-bit targets where the jump distance could be bigger than 2GB otherwise.
I don't like globalalloc at all. I prefer this variant (but that's my personal feeling):
Code:
...
label(pPlayerbase)
registersymbol(pPlayerbase)


newmem:
code:
  mov [pPlayerbase],rcx 
  mov [rcx+00000084],eax 
  jmp return 

pPlayerbase:
  dq 0
 ...
 

D1g1Byt3

Novice Cheater
Jun 9, 2017
18
0
1
#3
Nope, still nothing, the game still keeps crashing. I managed to find the log and apparently the game also uses Python. But here's what I found to be the "error" before the crash.
C:\Program Files (x86)\Steam\steamapps\common\Crea\modules\traceback.py", line 278, in format_stack
return format_list(extract_stack(f, limit))

I don't know if it will help any, but I'm at a loss.
 

Squall8

RCE Fanatics
Talents
Mar 3, 2017
335
29
28
#4
Is your aob unique? Click the little 'writeable' box in the main UI until you get the square mark and do a scan for your array while the script is deactivated.

If it is unique you can always try finding a different injection point. Use 'what accesses' or find something else in the player structure.
 

D1g1Byt3

Novice Cheater
Jun 9, 2017
18
0
1
#5
Yes, the AOB is unique. I've tried finding different injection points and checking another part of the structure. But it acts like, as soon as I "add" anything to the game code, it crashes.
 

Squall8

RCE Fanatics
Talents
Mar 3, 2017
335
29
28
#6
Could be some kind of protection. Try adding an unmodified script to your table and enable it. See if it still crashes.

I don't really know any ways around it if it is protected other than pointer scanning/manually finding the pointer or doing a sig scan/aob to data..
You can try any of those if all else fails.
 

D1g1Byt3

Novice Cheater
Jun 9, 2017
18
0
1
#7
I tried doing a pointer scan earlier to no avail. The pointers kept dead-ending after a few rescans. What do you mean by a sig scan/AOB to data?
 

Recifense

RCE Fanatics
Talents
Mar 2, 2017
643
172
43
#8
Try changing the line:

alloc(newmem,$1000)

to

alloc(newmem,$1000,crea.exe)


Cheers!
 

D1g1Byt3

Novice Cheater
Jun 9, 2017
18
0
1
#9
Ok this is what I have now:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat



aobscanmodule(hpread,crea.exe,89 81 84 00 00 00 C6) // should be unique
alloc(newmem,$1000,crea.exe)

label(code)
label(return)

globalalloc(_playerbase,8)

newmem:


code:
mov [_playerbase],rcx
mov [rcx+00000084],eax
jmp return

hpread:
jmp newmem
nop
return:
registersymbol(hpread)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
hpread:
db 89 81 84 00 00 00

unregistersymbol(hpread)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "crea.exe"+75C27A

"crea.exe"+75C252: C7 40 18 00 00 00 00 - mov [rax+18],00000000
"crea.exe"+75C259: 48 8D 50 08 - lea rdx,[rax+08]
"crea.exe"+75C25D: 48 8D 40 10 - lea rax,[rax+10]
"crea.exe"+75C261: 0F 2F D8 - comiss xmm3,xmm0
"crea.exe"+75C264: 48 0F 46 D0 - cmovbe rdx,rax
"crea.exe"+75C268: 48 8D 44 24 70 - lea rax,[rsp+70]
"crea.exe"+75C26D: F3 0F 10 02 - movss xmm0,[rdx]
"crea.exe"+75C271: 0F 2F C2 - comiss xmm0,xmm2
"crea.exe"+75C274: 48 0F 47 C2 - cmova rax,rdx
"crea.exe"+75C278: 8B 00 - mov eax,[rax]
// ---------- INJECTING HERE ----------
"crea.exe"+75C27A: 89 81 84 00 00 00 - mov [rcx+00000084],eax
// ---------- DONE INJECTING ----------
"crea.exe"+75C280: C6 81 C0 00 00 00 01 - mov byte ptr [rcx+000000C0],01
"crea.exe"+75C287: 48 81 C1 98 00 00 00 - add rcx,00000098
"crea.exe"+75C28E: E8 9D AD FF FF - call crea.exe+757030
"crea.exe"+75C293: EB 3E - jmp crea.exe+75C2D3
"crea.exe"+75C295: 0F 57 C9 - xorps xmm1,xmm1
"crea.exe"+75C298: C7 44 24 78 00 00 00 00 - mov [rsp+78],00000000
"crea.exe"+75C2A0: 48 8D 81 8C 00 00 00 - lea rax,[rcx+0000008C]
"crea.exe"+75C2A7: 48 8D 4C 24 68 - lea rcx,[rsp+68]
"crea.exe"+75C2AC: 0F 2F 18 - comiss xmm3,[rax]
"crea.exe"+75C2AF: 48 0F 47 C8 - cmova rcx,rax
}

But now the script isn't enabling at all since I put in the "alloc(newmem,$1000,crea.exe)" part.

Has anyone successfully made a table for Crea on a more recent version yet? I can't see why this is being so difficult.

It just seems like it doesn't want to allocate in the process for some reason.
 

++METHOS

Expert Cheater
Mar 2, 2017
201
1
18
#10
With the instruction highlighted inside of memory viewer, click on Tools from the drop-down menu and select Auto Assemble.

In the Auto Assemble window, click on Template from the drop-down menu and select Cheat Table Framework Code.

Click on Template again and select Code Injection. Click okay.

Click on File from the drop-down menu and select Assign to Current Cheat Table.

Try to enable the script. If it is working, try to add your custom code and report back.
 

Recifense

RCE Fanatics
Talents
Mar 2, 2017
643
172
43
#11
D1g1Byt3 said:
Ok this is what I have now:
But now the script isn't enabling at all since I put in the "alloc(newmem,$1000,crea.exe)" part.

Has anyone successfully made a table for Crea on a more recent version yet? I can't see why this is being so difficult.

It just seems like it doesn't want to allocate in the process for some reason.
Sorry. I did not see that you use globalalloc as well.

Change:

globalalloc(_playerbase,8)

to:

alloc(_playerbase,8,crea.exe)

and add at the end:

dealloc(newmem)
dealloc(_playerbase)


[NOTE] The reason you have to make those changes is that you are working with a 64-bit game. In this case, you have to make sure that your code and variables will be in the same 32-bit segment as the main code. If you were dealing with a 32-bit game, your first code would have worked.

For the reason above, in "mov [_playerbase],rcx", _playerbase is out of range (Script will not load).

Cheers!
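An added illustration (not from the thread) of the range problem Recifense describes: on x86-64, the 5-byte jmp that CE writes at the injection point and the RIP-relative mov [_playerbase],rcx both carry a signed 32-bit displacement, so both targets must lie within 2 GB of the code that references them. The module base and allocation addresses below are constructed.

```python
# Added example, not from the thread: check whether the two relocations in
# the script (jmp to newmem, RIP-relative mov to _playerbase) can be encoded.
from typing import Optional

INT32_MIN, INT32_MAX = -(1 << 31), (1 << 31) - 1


def rel32(instr_addr: int, instr_len: int, target: int) -> Optional[int]:
    """Displacement an instruction at instr_addr needs to reach target,
    or None if it does not fit a signed 32-bit field."""
    disp = target - (instr_addr + instr_len)
    return disp if INT32_MIN <= disp <= INT32_MAX else None


def encode_jmp(src: int, dst: int) -> Optional[bytes]:
    """E9 rel32: the 5-byte jump CE places at the injection point."""
    disp = rel32(src, 5, dst)
    if disp is None:
        return None
    return b"\xE9" + disp.to_bytes(4, "little", signed=True)


def encode_mov_mem_rcx(src: int, dst: int) -> Optional[bytes]:
    """48 89 0D rel32: 'mov [dst],rcx' assembled RIP-relative (7 bytes).
    The _playerbase slot must therefore also be within 2 GB of the hook."""
    disp = rel32(src, 7, dst)
    if disp is None:
        return None
    return b"\x48\x89\x0D" + disp.to_bytes(4, "little", signed=True)


# Constructed layout: a module base, the injection offset quoted in the
# thread, one allocation near the module and one far away from it.
MODULE_BASE = 0x140000000              # constructed
INJECT_AT = MODULE_BASE + 0x75C27A     # offset from the thread
NEAR_ALLOC = MODULE_BASE - 0x10000     # what alloc(...,crea.exe) aims for
FAR_ALLOC = 0x7FF600000000             # constructed far-away page


def check_layout(inject_at: int, newmem: int, playerbase: int) -> dict:
    """Report which of the script's two relocations can be encoded."""
    jmp = encode_jmp(inject_at, newmem)
    mov = encode_mov_mem_rcx(newmem, playerbase)  # hook body starts at newmem
    return {"jmp_ok": jmp is not None, "mov_ok": mov is not None,
            "jmp": jmp, "mov": mov}


if __name__ == "__main__":
    print(check_layout(INJECT_AT, NEAR_ALLOC, NEAR_ALLOC + 0x800))  # both ok
    print(check_layout(INJECT_AT, NEAR_ALLOC, FAR_ALLOC))           # mov fails
```

With the far allocation the mov cannot be encoded, which is the "out of range (Script will not load)" symptom from the post above.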
 

Eric

Administrator
Mar 2, 2017
40
2
8
#12
Also, globalalloc supports the 3rd parameter (allocate near) as well.
 

D1g1Byt3

Novice Cheater
Jun 9, 2017
18
0
1
#14
Recifense said:
Sorry. I did not see that you use globalalloc as well.

Change:

globalalloc(_playerbase,8)

to:

alloc(_playerbase,8,crea.exe)

and add at the end:

dealloc(newmem)
dealloc(_playerbase)


[NOTE] The reason you have to make those changes is that you are working with a 64-bit game. In this case, you have to make sure that your code and variables will be in the same 32-bit segment as the main code. If you were dealing with a 32-bit game, your first code would have worked.

For the reason above, in "mov [_playerbase],rcx", _playerbase is out of range (Script will not load).

Cheers!
Ok, now the script activates, but nothing is being put into [_playerbase], no address or anything, and I also tried the base + offset, and there is nothing. I appreciate the help, and please bear with me. I think we've almost got it. I'm just stupid I guess.

Edit: Ok, it sorta works when I change it back to globalalloc with "globalalloc(_playerbase,8,crea.exe)", but not with just alloc(_playerbase,8), unless I'm just missing something about how to use it properly.

Edit 2: Ok, something weird. rcx+84 seems to somehow control both HP and stamina. It kinda switches between them based on which one changes. So I'm guessing it doesn't just affect one or the other :/

Edit 3: Ok, apparently I didn't do a good enough check, and yeah, the code does modify both, as well as the enemy's HP it would seem. I don't know where to look to find a good clean spot that only accesses the HP or stamina of the player.
 

Recifense

RCE Fanatics
Talents
Mar 2, 2017
643
172
43
#15
If you want to access "_playerbase" outside AA, you have to register it in the [enable] part and unregister it in the [disable] part. But DO NOT use globalalloc.

Cheers!
 

D1g1Byt3

Novice Cheater
Jun 9, 2017
18
0
1
#16
Hmm, ok, well I'm still not finding anything that just accesses one aspect. However, when my HP or stamina changes, so does the address that [_playerbase]+84 is accessing. Is there a way I could just store that address and use it as a pointer or something? Also thanks Recifense, I changed it and the script is enabling. I've just been using the globalalloc method because it seemed to be the only way to me, from following Rydian's tutorial at:
http://forum.cheatengine.org/viewtopic.php?t=572465
 