Page 1 of 1
Cheat Engine / Auto Assemble Possibilities
Posted: Sat May 02, 2020 1:14 pm
by ysfc3m
Hello, this is auto assemble template. Is this possible ?
Code: Select all
[ENABLE]
aobscanmodule(INJECT,Game.bnbx,89 86 94 06 00 00 39)
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
mov [esi+00000694],eax
//WRITE TO FILE VALUE OF [esi+00000694]
jmp return
INJECT:
jmp newmem
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 89 86 94 06 00 00
unregistersymbol(INJECT)
dealloc(newmem)
Re: Cheat Engine / Auto Assemble Possibilities
Posted: Sun May 03, 2020 5:09 pm
by miraikolus
Totally. That is one of the very basics of code injection. Well, depending on the game, lets say easy for simple and offline games. Harder in case of some AntiCheat and not allowed to here if it's an online game.
Do the cheat engine tutorials and you'll know how it goes. There are also guides on that like mentioned in f.e.
the other recent topic .
Btw. file value? Which file. This is all about editing memory. Well, you can use CE for finding injection points to, but editing files will be usually done in another way and tool. //EDIT: ah, did I missunderstand that?
Re: Cheat Engine / Auto Assemble Possibilities
Posted: Mon May 04, 2020 2:12 pm
by kantoboy69
ysfc3m wrote: ↑Sat May 02, 2020 1:14 pm
Hello, this is auto assemble template. Is this possible ?
code:
mov [esi+00000694],eax
//WRITE TO FILE VALUE OF [esi+00000694]
Doable,
You just need to convert the value to string (if not yet string) then save it to file
Code: Select all
// 64-bit version
label(hexcbuf)
label(isnum)
label(inttohex)
label(FileName)
label(crlf)
newmem:
pushfq
push rax
push rcx
push rdx
push r8
push r9
mov rax, qword ptr [esi+00000694] // let say it store 64bit number
call inttohex // convert to hex and save to hexcbuf
lea rdx, [hexcbuf+0] // write string buffer null terminated
// lea rdx, [esi+00000694] // if this is already a string
call savefile
lea rdx, [crlf+0] // write crlf
call savefile
pop r9
pop r8
pop rdx
pop rcx
pop rax
popfq
code:
// original code usually
jmp return
newmem+200:
savefile:
sub rsp, 80
mov rax, 0
xor rax, rsp
mov [rsp+88-18], rax
mov qword ptr [rsp+48], rdx // buffer to write
mov qword ptr [rsp+58], 0
xor eax, eax
xor r9d, r9d
mov [rsp+30], 0
mov rcx, FileName // full path filename
mov [rsp+28], 80
mov qword ptr [rsp+40], 0 // Bytes written
xor r8d, r8d
lea edx, [r9+4]
mov [rsp+68], al
mov [rsp+20], 4
call CreateFileA
mov rbx, rax
mov r8, FFFFFFFFFFFFFFFF
mov rax, qword ptr [rsp+48]
aloop: // get string length
inc r8
cmp byte ptr [rax+r8], 0
jnz short aloop // loop until end of null terminated string r8 will contain the string length to write
lea r9, [rsp+40]
mov qword ptr [rsp+20], 0
mov rdx, [rsp+48] // string buffer to write
mov rcx, rbx
call WriteFile
mov rcx, rbx
call CloseHandle
add rsp, 80
retn
newmem+300:
inttohex:
// put data to rax
lea rdx, [hexcbuf+0]
mov r8, 10
loophere:
mov cl, al
and cl, f
add cl, 30
cmp cl, 39
jle isnum
add cl, 7
isnum:
dec r8
mov byte ptr [rdx+r8], cl
sar rax, 4
cmp r8, 0
jne loophere
ret
newmem+400:
FileName:
db 'D:\games\myvaluesave.txt',0
crlf:
db 0a 0d 00
hexcbuf:
dq 0 0
db 0
Convert unsigned integer to string
mov rax, #1234
call inttostr
Code: Select all
label(itoaloop)
label(itoaloop2)
label(itoaloop3)
label(inttostr)
newmem+400:
inttostr:
// put data to rax
lea rcx, [buf+0]
// initialize buf[50]
mov r8, #50
itoaloop:
mov byte ptr [rcx], 0
inc rcx
dec r8
cmp r8, 0
jg itoaloop
// Convert rax to string
lea rcx, [buf+0]
xor r9, r9
mov r8, #10
itoaloop2:
xor rdx, rdx
div r8
add dl, 30
mov byte ptr [rcx], dl
inc rcx
inc r9
cmp rax, 0
jne itoaloop2
// String reverse
xor rdx, rdx
mov rax, r9
mov r8, 2
div r8
dec r9
xor r8, r8
lea rcx, [buf+0]
itoaloop3:
mov dl, byte ptr [rcx+r8]
mov dh, byte ptr [rcx+r9]
mov byte ptr [rcx+r8], dh
mov byte ptr [rcx+r9], dl
dec rax
dec r9
inc r8
cmp rax, 0
jne itoaloop3
// Finally
ret
db 90 90 90 90
buf: // buf should be 50 characters
db 0
Not my finest code
Re: Cheat Engine / Auto Assemble Possibilities
Posted: Wed May 06, 2020 11:54 am
by ysfc3m
miraikolus wrote: ↑Sun May 03, 2020 5:09 pm
Totally. That is one of the very basics of code injection. Well, depending on the game, lets say easy for simple and offline games. Harder in case of some AntiCheat and not allowed to here if it's an online game.
Do the cheat engine tutorials and you'll know how it goes. There are also guides on that like mentioned in f.e.
the other recent topic .
Btw. file value? Which file. This is all about editing memory. Well, you can use CE for finding injection points to, but editing files will be usually done in another way and tool. //EDIT: ah, did I missunderstand that?
hello, thank you for answer, maybe you missunderstand. This is an online game but i have bypass anticheat.
I want to write vaules of adresses to txt file, thats all.
Re: Cheat Engine / Auto Assemble Possibilities
Posted: Wed May 06, 2020 11:57 am
by ysfc3m
kantoboy69 wrote: ↑Mon May 04, 2020 2:12 pm
ysfc3m wrote: ↑Sat May 02, 2020 1:14 pm
Hello, this is auto assemble template. Is this possible ?
code:
mov [esi+00000694],eax
//WRITE TO FILE VALUE OF [esi+00000694]
Doable,
You just need to convert the value to string (if not yet string) then save it to file
Code: Select all
// 64-bit version
label(hexcbuf)
label(isnum)
label(inttohex)
label(FileName)
label(crlf)
newmem:
pushfq
push rax
push rcx
push rdx
push r8
push r9
mov rax, qword ptr [esi+00000694] // let say it store 64bit number
call inttohex // convert to hex and save to hexcbuf
lea rdx, [hexcbuf+0] // write string buffer null terminated
// lea rdx, [esi+00000694] // if this is already a string
call savefile
lea rdx, [crlf+0] // write crlf
call savefile
pop r9
pop r8
pop rdx
pop rcx
pop rax
popfq
code:
// original code usually
jmp return
newmem+200:
savefile:
sub rsp, 80
mov rax, 0
xor rax, rsp
mov [rsp+88-18], rax
mov qword ptr [rsp+48], rdx // buffer to write
mov qword ptr [rsp+58], 0
xor eax, eax
xor r9d, r9d
mov [rsp+30], 0
mov rcx, FileName // full path filename
mov [rsp+28], 80
mov qword ptr [rsp+40], 0 // Bytes written
xor r8d, r8d
lea edx, [r9+4]
mov [rsp+68], al
mov [rsp+20], 4
call CreateFileA
mov rbx, rax
mov r8, FFFFFFFFFFFFFFFF
mov rax, qword ptr [rsp+48]
aloop: // get string length
inc r8
cmp byte ptr [rax+r8], 0
jnz short aloop // loop until end of null terminated string r8 will contain the string length to write
lea r9, [rsp+40]
mov qword ptr [rsp+20], 0
mov rdx, [rsp+48] // string buffer to write
mov rcx, rbx
call WriteFile
mov rcx, rbx
call CloseHandle
add rsp, 80
retn
newmem+300:
inttohex:
// put data to rax
lea rdx, [hexcbuf+0]
mov r8, 10
loophere:
mov cl, al
and cl, f
add cl, 30
cmp cl, 39
jle isnum
add cl, 7
isnum:
dec r8
mov byte ptr [rdx+r8], cl
sar rax, 4
cmp r8, 0
jne loophere
ret
newmem+400:
FileName:
db 'D:\games\myvaluesave.txt',0
crlf:
db 0a 0d 00
hexcbuf:
dq 0 0
db 0
Convert unsigned integer to string
mov rax, #1234
call inttostr
Code: Select all
label(itoaloop)
label(itoaloop2)
label(itoaloop3)
label(inttostr)
newmem+400:
inttostr:
// put data to rax
lea rcx, [buf+0]
// initialize buf[50]
mov r8, #50
itoaloop:
mov byte ptr [rcx], 0
inc rcx
dec r8
cmp r8, 0
jg itoaloop
// Convert rax to string
lea rcx, [buf+0]
xor r9, r9
mov r8, #10
itoaloop2:
xor rdx, rdx
div r8
add dl, 30
mov byte ptr [rcx], dl
inc rcx
inc r9
cmp rax, 0
jne itoaloop2
// String reverse
xor rdx, rdx
mov rax, r9
mov r8, 2
div r8
dec r9
xor r8, r8
lea rcx, [buf+0]
itoaloop3:
mov dl, byte ptr [rcx+r8]
mov dh, byte ptr [rcx+r9]
mov byte ptr [rcx+r8], dh
mov byte ptr [rcx+r9], dl
dec rax
dec r9
inc r8
cmp rax, 0
jne itoaloop3
// Finally
ret
db 90 90 90 90
buf: // buf should be 50 characters
db 0
Not my finest code
hello, thank you for answer. As you can see my first posts
i am totally new. Can you give me a simple example for better understanding.
Just write to file "hello" when code injection works everytime. I found arrow of bytes with "find what adresses this instruction access" option. I can add more details if needed.
Re: Cheat Engine / Auto Assemble Possibilities
Posted: Sun May 10, 2020 11:13 pm
by ysfc3m
@kantoboy69 can you give me very simple code write to txt file only "Hello" please. I will start there and go step by step
Re: Cheat Engine / Auto Assemble Possibilities
Posted: Tue May 12, 2020 2:12 pm
by kantoboy69
ysfc3m wrote: ↑Sun May 10, 2020 11:13 pm
@kantoboy69 can you give me very simple code write to txt file only "Hello" please. I will start there and go step by step
sorry for the late response
Tutorial-x86_64.CT
Tutorial-i386.CT
just change the path/filename a much as possible no space
Re: Cheat Engine / Auto Assemble Possibilities
Posted: Tue May 12, 2020 3:46 pm
by ysfc3m
Windows: 64 bit
Game: 32 bit
Values: 4 byte
Not important note:
Do you know any place where can i find paid help for this problem ?
Re: Cheat Engine / Auto Assemble Possibilities
Posted: Tue May 12, 2020 6:18 pm
by ysfc3m
I can^'t make it work. Can you go from my aob code please ? I am totally new and looking for starting point.
Code: Select all
[ENABLE]
aobscanmodule(INJECT,Knight OnLine Client.bnbx,89 86 94 06 00 00 39)
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
mov [esi+00000694],eax
WRITE TO TXT FILE "HELLO"
jmp return
INJECT:
jmp newmem
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 89 86 94 06 00 00
unregistersymbol(INJECT)
dealloc(newmem)
Re: Cheat Engine / Auto Assemble Possibilities
Posted: Tue May 12, 2020 7:06 pm
by kantoboy69
ysfc3m wrote: ↑Tue May 12, 2020 6:18 pm
I can^'t make it work. Can you go from my aob code please ? I am totally new and looking for starting point.
Use the 64-bit for 64-bit games
And 32 for 32-bit games
in 32-bit it's easy to save registers to stack using pushfd for flags and pushad for the rest of the registers then restore them by using popad and popfd. In 64-bit you have to save them manually, specially those that can affect the original code flow. This code is simply basic
but can be tedious to use. I still need to create some string manipulation codes like, strlen, strcat, strcmp so it won't need to
savefile each strings I need to save. Also I still don't have any idea howto convert floats to string.
Code: Select all
[ENABLE]
aobscanmodule(INJECT,Knight OnLine Client.bnbx,89 86 94 06 00 00 39)
alloc(newmem,$1000)
alloc(buf, 50)
alloc(buf2, $100)
label(code)
label(return)
label(hexcbuf)
label(isnum)
label(inttohex)
label(FileName)
label(crlf)
label(itoaloop)
label(itoaloop2)
label(itoaloop3)
label(inttostr)
label(savefile)
label(byteswritten)
label(hellostr)
buf: // allocated 50 bytes
db 0
buf2:
FileName:
db 'D:\games\myvaluesave.txt',0
byteswritten:
dd 0
tmp_register:
dd 0
crlf:
db 0d 0a 00
rbxstr1:
db 'esi = ',0
rbxstr2:
db ' [esi+00000694] = ',0
hellostr:
db 'HELLO',0
hexcbuf:
dd 0 0
db 0
newmem:
mov [esi+00000694],eax
// ^^^^^ ORIG code
// WRITE TO TXT FILE "HELLO"
mov dword ptr [tmp_register], esi
pushfd
pushad // I missed this at 64-bit :D
lea edx, [hellostr+0]
call savefile // Save Hello
mov eax, esi // convert to hex value of esi
call inttohex // save to hexcbuf
lea edx, [rbxstr1+0] // writes prefix first
call savefile
lea edx, [hexcbuf+0] // writes prefix first
call savefile
lea edx, [rbxstr2+0] // writes 2nd prefix first
call savefile
mov esi, dword ptr [tmp_register] // restore ebx
mov eax, dword ptr [esi+00000694] // the value of int32
call inttostr // convert to string save to buf
lea edx, [buf+0] // writes buf
call savefile
lea edx, [crlf+0] // write crlf
call savefile
popad
popfd
code:
jmp return
newmem+200:
savefile:
mov ebx, edx // buffer to write
push 0
push 80
push 4
push 0
push 0
push 4
push FileName
call CreateFileA
mov dword ptr [byteswritten], 0
mov esi, eax // move file handle to esi
mov edx, ebx
mov eax, ebx
mov ebx, FFFFFFFF
aloop: // get string length
inc ebx
cmp byte ptr [eax+ebx], 0
jnz short aloop
push 0
push [byteswritten]
push ebx // nNumberOfBytesToWrite
push eax //; lpBuffer
push esi //; hFile
call WriteFile
push esi
call CloseHandle
ret
newmem+300:
inttohex:
// put data to eax
lea edx, [hexcbuf+0]
mov ebx, 8
loophere:
mov cl, al
and cl, f
add cl, 30
cmp cl, 39
jle isnum
add cl, 7
isnum:
dec ebx
mov byte ptr [edx+ebx], cl
sar eax, 4
cmp ebx, 0
jne loophere
ret
newmem+400:
inttostr:
// put data to eax
lea ecx, [buf+0]
// initialize buf[50]
mov ebx, #50
itoaloop:
mov byte ptr [ecx], 0
inc ecx
dec ebx
cmp ebx, 0
jg itoaloop
// Convert rax to string
lea ecx, [buf+0]
xor esi, esi
mov ebx, #10
itoaloop2:
xor edx, edx
div ebx
add dl, 30
mov byte ptr [ecx], dl
inc ecx
inc esi
cmp eax, 0
jne itoaloop2
// String reverse
xor edx, edx
mov eax, esi
mov ebx, 2
div ebx
dec esi
xor ebx, ebx
lea ecx, [buf+0]
itoaloop3:
mov dl, byte ptr [ecx+ebx]
mov dh, byte ptr [ecx+esi]
mov byte ptr [ecx+ebx], dh
mov byte ptr [ecx+esi], dl
dec eax
dec esi
inc ebx
cmp eax, 0
jne itoaloop3
// Finally
ret
db 90 90 90 90
INJECT:
jmp newmem
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 89 86 94 06 00 00
unregistersymbol(INJECT)
dealloc(newmem)
Re: Cheat Engine / Auto Assemble Possibilities
Posted: Tue May 12, 2020 11:33 pm
by ysfc3m
Hi again, last code worked perfectly. Can i ask one code block once more ? Sorry if bother you.
This is my target:
Code: Select all
[ENABLE]
aobscanmodule(INJECT,Game.bnbx,66 89 10 89 48 04)
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
mov [eax],dx
mov [eax+04],ecx
jmp return
INJECT:
jmp newmem
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 66 89 10 89 48 04
unregistersymbol(INJECT)
dealloc(newmem)
Example output per line (code,boolean,price)
220410000-0-500000
Re: Cheat Engine / Auto Assemble Possibilities
Posted: Wed May 13, 2020 5:52 am
by kantoboy69
ysfc3m wrote: ↑Tue May 12, 2020 11:33 pm
Hi again, last code worked perfectly. Can i ask one code block once more ? Sorry if bother you.
This is my target:
Example output per line (code,boolean,price)
220410000-0-500000
Code: Select all
[ENABLE]
aobscanmodule(INJECT,Game.bnbx,66 89 10 89 48 04)
alloc(newmem,$1000)
alloc(newmem,$1000)
alloc(buf, 50)
alloc(buf2, $100)
label(code)
label(return)
label(hexcbuf)
label(isnum)
label(inttohex)
label(FileName)
label(crlf)
label(itoaloop)
label(itoaloop2)
label(itoaloop3)
label(inttostr)
label(savefile)
label(byteswritten)
label(dash)
buf: // allocated 50 bytes
db 0
buf2:
FileName:
db 'D:\games\myvaluesave.txt',0
byteswritten:
dd 0
tmp_register:
dd 0
crlf:
db 0d 0a 00
dash:
db '=',0
hexcbuf:
dd 0 0
db 0
newmem:
// [eax+04]-[eax+0C]-[eax+08]
pushfd
pushad // I missed this at 64-bit :D
mov ebx, dword ptr [eax+08]
push ebx
mov ebx, dword ptr [eax+0C]
push ebx
mov ebx, dword ptr [eax+04]
mov eax, ebx // convert inttost ebx
call inttostr // save to buf
lea edx, [buf+0] // code [eax+04]
call savefile
lea edx, [dash+0] // dash
call savefile
pop eax // convert inttost eax
call inttostr // save to buf
lea edx, [buf+0] // code [eax+0C]
call savefile
lea edx, [dash+0] // dash
call savefile
pop eax // convert inttost eax
call inttostr // save to buf
lea edx, [buf+0] // code [eax+08]
call savefile
lea edx, [crlf+0] // cr/lf
call savefile
popad
popfd
code:
mov [eax],dx
mov [eax+04],ecx
jmp return
newmem+200:
savefile:
mov ebx, edx // buffer to write
push 0
push 80
push 4
push 0
push 0
push 4
push FileName
call CreateFileA
mov dword ptr [byteswritten], 0
mov esi, eax // move file handle to esi
mov edx, ebx
mov eax, ebx
mov ebx, FFFFFFFF
aloop: // get string length
inc ebx
cmp byte ptr [eax+ebx], 0
jnz short aloop
push 0
push [byteswritten]
push ebx // nNumberOfBytesToWrite
push eax //; lpBuffer
push esi //; hFile
call WriteFile
push esi
call CloseHandle
ret
newmem+300:
inttohex:
// put data to eax
lea edx, [hexcbuf+0]
mov ebx, 8
loophere:
mov cl, al
and cl, f
add cl, 30
cmp cl, 39
jle isnum
add cl, 7
isnum:
dec ebx
mov byte ptr [edx+ebx], cl
sar eax, 4
cmp ebx, 0
jne loophere
ret
newmem+400:
inttostr:
// put data to eax
lea ecx, [buf+0]
// initialize buf[50]
mov ebx, #50
itoaloop:
mov byte ptr [ecx], 0
inc ecx
dec ebx
cmp ebx, 0
jg itoaloop
// Convert rax to string
lea ecx, [buf+0]
xor esi, esi
mov ebx, #10
itoaloop2:
xor edx, edx
div ebx
add dl, 30
mov byte ptr [ecx], dl
inc ecx
inc esi
cmp eax, 0
jne itoaloop2
// String reverse
xor edx, edx
mov eax, esi
mov ebx, 2
div ebx
dec esi
xor ebx, ebx
lea ecx, [buf+0]
itoaloop3:
mov dl, byte ptr [ecx+ebx]
mov dh, byte ptr [ecx+esi]
mov byte ptr [ecx+ebx], dh
mov byte ptr [ecx+esi], dl
dec eax
dec esi
inc ebx
cmp eax, 0
jne itoaloop3
// Finally
ret
db 90 90 90 90
INJECT:
jmp newmem
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 66 89 10 89 48 04
unregistersymbol(INJECT)
dealloc(newmem)
Re: Cheat Engine / Auto Assemble Possibilities
Posted: Wed May 13, 2020 11:26 am
by ysfc3m
Game crashes after injection and start search in game.
This is the txt file
Code: Select all
1668312668=1650418802=1634689631
1668312668=1650418802=1634689631
1668312668=1701279083=1601138015
1668312668=1701666657=1919905119
1668312668=1835100275=1601138015
Last time (working code) we wrote original code to "newmem". This can be problem ?
You wrote alloc(newmem,$1000) 2 times, mistake ?
Re: Cheat Engine / Auto Assemble Possibilities
Posted: Wed May 13, 2020 2:56 pm
by kantoboy69
ysfc3m wrote: ↑Wed May 13, 2020 11:26 am
Game crashes after injection and start search in game.
Last time (working code) we wrote original code to "newmem". This can be problem ?
You wrote alloc(newmem,$1000) 2 times, mistake ?
remove the other one
it's a mistake
I just woke up when I copy and paste things
Re: Cheat Engine / Auto Assemble Possibilities
Posted: Wed May 13, 2020 5:04 pm
by ysfc3m
When i only write "=" no problem, this is good news it is working.
When enable all codes, crashing on half and outpot not look true.
edit: Here is another comment about code
Code: Select all
There's no check on the pointers (and what you access thru them).
Wrap those in try/except blocks and see what happens.