opcode int 3 crash anti-cheat??

mlengka93 · Post by **mlengka93** » Mon Nov 25, 2019 5:06 pm

tried some script for RPGmaker game RGSS104E.dll
it's for pokemon rejuv, what i did is : create AOB for that eviv and then even with only original code (unmodified) the game crash and pointed out at this int 3 memory location. Is it somekind of anti cheat debug or did i do something wrong? help me

mlengka93 · Post by **mlengka93** » Mon Nov 25, 2019 5:08 pm

with the same kind method it's working for Pokemon reborn tho..

mlengka93 · Post by **mlengka93** » Thu Nov 28, 2019 2:11 pm

the idea is when accessing inventory this mov eax,[eax+ecx*4] get eax address for the item

Code: Select all

[ENABLE]

aobscanmodule(aob_itemedit,RGSS104E.dll,8B 04 88 5D C3) // should be unique
alloc(newmem,$1000)

label(code)
label(return)
globalalloc(p_isSome,4)
newmem:
  mov [p_isSome],eax
code:
  mov eax,[eax+ecx*4]
  pop ebp
  ret
  jmp return

aob_itemedit:
  jmp newmem
return:
registersymbol(aob_itemedit)

[DISABLE]

aob_itemedit:
  db 8B 04 88 5D C3
unregistersymbol(aob_itemedit)
unregistersymbol(p_isSome)
dealloc(newmem)

Post by **cfemen** » Thu Nov 28, 2019 2:23 pm

Looks like you return to the INT3 coz you are using the overriden ret in your allocated memory.

easiest solution : Inject at 8B 4D 0C/+2A2C3 = ret stays and will jump correctly back.

mlengka93 · Post by **mlengka93** » Thu Nov 28, 2019 3:03 pm

cfemen wrote: ↑
Thu Nov 28, 2019 2:23 pm
Looks like you return to the INT3 coz you are using the overriden ret in your allocated memory.

easiest solution : Inject at 8B 4D 0C/+2A2C3 = ret stays and will jump correctly back.

hehehe it works. By any chance do you know why this one cause the game crash, its for filtering, next step of finding the base address. Anyway, thanks a lot for your help

Code: Select all

push ebx
mov ebx,[health]
cmp [eax+ecx*4],ebx
pop ebx
jne evive_orig

crash point at cmp [eax+ecx*4],ebx part/line

Post by **cfemen** » Thu Nov 28, 2019 3:10 pm

mlengka93 wrote: ↑
Thu Nov 28, 2019 3:03 pm

cfemen wrote: ↑
Thu Nov 28, 2019 2:23 pm
Looks like you return to the INT3 coz you are using the overriden ret in your allocated memory.

easiest solution : Inject at 8B 4D 0C/+2A2C3 = ret stays and will jump correctly back.
hehehe it works. By any chance do you know why this one cause the game crash, its for filtering, next step of finding the base address. Anyway, thanks a lot for your help
Code: Select all
push ebx
mov ebx,[health]
cmp [eax+ecx*4],ebx
pop ebx
jne evive_orig
crash point at cmp [eax+ecx*4],ebx part/line

mh you could try something like:

Code: Select all

push edx
mov edx, [eax+ecx*4]
cmp edx, ebx
pop edx

if its still crash then use a breakpoint and check the values of eax and ecx

mlengka93 · Post by **mlengka93** » Thu Nov 28, 2019 3:22 pm

Spoiler

cfemen wrote: ↑
Thu Nov 28, 2019 3:10 pm
mlengka93 wrote: ↑
Thu Nov 28, 2019 3:03 pm

cfemen wrote: ↑
Thu Nov 28, 2019 2:23 pm
Looks like you return to the INT3 coz you are using the overriden ret in your allocated memory.

easiest solution : Inject at 8B 4D 0C/+2A2C3 = ret stays and will jump correctly back.
hehehe it works. By any chance do you know why this one cause the game crash, its for filtering, next step of finding the base address. Anyway, thanks a lot for your help
Code: Select all
push ebx
mov ebx,[health]
cmp [eax+ecx*4],ebx
pop ebx
jne evive_orig
crash point at cmp [eax+ecx*4],ebx part/line

mh you could try something like:

Code: Select all

push edx
mov edx, [eax+ecx*4]
cmp edx, ebx
pop edx

if its still crash then use a breakpoint and check the values of eax and ecx
[/quote]

still crash at the part mov ebx, [eax+ecx*4] can't i even do anything with [eax+ecx*4] code haha, can't even cmp them and mov

Post by **cfemen** » Thu Nov 28, 2019 3:26 pm

use breakpoint to check eax and ecx to see the values, looks like eax does not have a correct address.

Edit : you do this compare in aob_itemedit?
if yes:
Before or after:
mov eax,[eax+ecx*4]
?

mlengka93 · Post by **mlengka93** » Thu Nov 28, 2019 3:35 pm

cfemen wrote: ↑
Thu Nov 28, 2019 3:26 pm
use breakpoint to check eax and ecx to see the values, looks like eax does not have a correct address.

Edit : you do this compare in aob_itemedit?

edx is right but ebx is 0, and
yes, i mean its aobeviv but share the same code, i put the wrong one there
here is the script
is it a bad idea do a cmp in aob?

Code: Select all

[ENABLE]

aobscanmodule(aob_eviv,RGSS104E.dll,8B 4D 0C 8B 04 88) // should be unique
alloc(newmem,128,RGSS104E.dll)

label(code)
label(return)
label(findEvivPointer) //Find EV & IV Pointer
label(findEvivPointer_status)
registersymbol(findEvivPointer_status)
label(health) //HP
registersymbol(health)
label(attack) //Attack
registersymbol(attack)
label(defense) //Defense
registersymbol(defense)
label(specialAttack) //Special Attack
registersymbol(specialAttack)
label(specialDefense) //Special Defense
registersymbol(specialDefense)
label(speed) //Speed
registersymbol(speed)
globalalloc(p_isEviv,4) //EV & IV Pointer
//---------------------//
newmem:
cmp [findEvivPointer_status],1
je findEvivPointer
jmp code
//--------------------//
findEvivPointer:
push edx
push ebx
mov edx,[health]
mov ebx,[eax+ecx*4]
cmp edx,ebx
pop edx
pop ebx
jne code
push edx
mov edx,[attack]
cmp [eax+ecx*4],edx
pop edx
jne code
push edx
mov edx,[defense]
cmp [eax+ecx*4],edx
pop edx
jne code
push edx
mov edx,[speed]
cmp [eax+ecx*4],edx
pop edx
jne code
push edx
mov edx,[specialAttack]
cmp [eax+ecx*4],edx
pop edx
jne code
push edx
mov edx,[specialDefense]
cmp [eax+ecx*4],edx
pop edx
jne code

mov [p_isEviv],eax
mov ecx,[ebp+0C]
mov eax,[eax+ecx*4]
mov [findEvivPointer_status],0
jmp return

findEvivPointer_status:
dd 0

health:
dd 0

attack:
dd 0

defense:
dd 0

specialAttack:
dd 0

specialDefense:
dd 0

speed:
dd 0

code:
  mov ecx,[ebp+0C]
  mov eax,[eax+ecx*4]
  jmp return

aob_eviv:
  jmp newmem
  nop
return:
registersymbol(aob_eviv)

[DISABLE]

aob_eviv:
  db 8B 4D 0C 8B 04 88

unregistersymbol(aob_eviv)
dealloc(newmem)

unregistersymbol(findEvivPointer_status)
unregistersymbol(health)
unregistersymbol(attack)
unregistersymbol(defense)
unregistersymbol(specialAttack)
unregistersymbol(specialDefense)
unregistersymbol(speed)
unregistersymbol(p_isEviv)

Post by **cfemen** » Thu Nov 28, 2019 3:49 pm

Code: Select all

is it a bad idea do a cmp in aob?

no its ok, it would only be a problem(if you dont restore the flags) when you using a cmp if there is an conditial jump after the Inject.

i cant tell why its crashing.

but you have a logic error in your script:

Code: Select all

pop edx
pop ebx

its the wrong order ^^
first pop ebx then edx, coz you pushed edx first.

like i said, i cant tell why its crashing without debugging it myself :/

Post by **cfemen** » Thu Nov 28, 2019 3:54 pm

Wait i maybe see the problem

mov ebx,[eax+ecx*4]

ecx cant have the right value.

do a mov ecx,[ebp+0C] before

mlengka93 · Post by **mlengka93** » Thu Nov 28, 2019 4:11 pm

cfemen wrote: ↑
Thu Nov 28, 2019 3:54 pm
Wait i maybe see the problem

mov ebx,[eax+ecx*4]

ecx cant have the right value.

do a mov ecx,[ebp+0C] before

Well well well, finaly!!!! YEAAAAHH!!! THANK YOU

phew, now i can rest hehehehehehehe

FearLess Cheat Engine

opcode int 3 crash anti-cheat??

opcode int 3 crash anti-cheat??

Re: opcode int 3 crash anti-cheat??

Re: opcode int 3 crash anti-cheat??

Re: opcode int 3 crash anti-cheat??

Re: opcode int 3 crash anti-cheat??

Re: opcode int 3 crash anti-cheat??

Re: opcode int 3 crash anti-cheat??

Re: opcode int 3 crash anti-cheat??

Re: opcode int 3 crash anti-cheat??

Re: opcode int 3 crash anti-cheat??

Re: opcode int 3 crash anti-cheat??

Re: opcode int 3 crash anti-cheat??

Who is online