Cheat Engine / Auto Assemble Possibilities

[ysfc3m]

Hello, this is auto assemble template. Is this possible ?

Code: Select all

[ENABLE]

aobscanmodule(INJECT,Game.bnbx,89 86 94 06 00 00 39)
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  mov [esi+00000694],eax
  //WRITE TO FILE VALUE OF [esi+00000694]
  jmp return

INJECT:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 89 86 94 06 00 00

unregistersymbol(INJECT)
dealloc(newmem)

[miraikolus]

Totally. That is one of the very basics of code injection. Well, depending on the game, lets say easy for simple and offline games. Harder in case of some AntiCheat and not allowed to here if it's an online game.
Do the cheat engine tutorials and you'll know how it goes. There are also guides on that like mentioned in f.e. the other recent topic .
Btw. file value? Which file. This is all about editing memory. Well, you can use CE for finding injection points to, but editing files will be usually done in another way and tool. //EDIT: ah, did I missunderstand that?

[kantoboy69]

Hello, this is auto assemble template. Is this possible ?

code:
mov [esi+00000694],eax
//WRITE TO FILE VALUE OF [esi+00000694]

Doable,

You just need to convert the value to string (if not yet string) then save it to file

Code: Select all

// 64-bit version 

label(hexcbuf)
label(isnum)
label(inttohex)
label(FileName)
label(crlf)


newmem:
  pushfq
  push    rax
  push    rcx
  push    rdx
  push    r8
  push    r9
  mov  rax, qword ptr [esi+00000694] // let say it store 64bit number
  call  inttohex                                 // convert to hex and save to hexcbuf
  lea   rdx, [hexcbuf+0] // write string buffer null terminated
  // lea rdx,  [esi+00000694]    // if this is already a string 
  call    savefile
  lea     rdx, [crlf+0]   // write  crlf
  call    savefile
  pop     r9
  pop     r8
  pop     rdx
  pop     rcx
  pop     rax
  popfq
code:
 // original code usually
  jmp    return

newmem+200:
savefile:
  sub     rsp, 80
  mov     rax, 0
  xor     rax, rsp
  mov     [rsp+88-18], rax
  mov     qword ptr [rsp+48], rdx // buffer to write
  mov     qword ptr [rsp+58], 0
  xor     eax, eax
  xor     r9d, r9d
  mov     [rsp+30], 0
  mov     rcx, FileName              // full path filename
  mov     [rsp+28], 80
  mov     qword ptr [rsp+40], 0   // Bytes written
  xor     r8d, r8d
  lea     edx, [r9+4]
  mov     [rsp+68], al
  mov     [rsp+20], 4
  call    CreateFileA
  mov     rbx, rax
  mov     r8, FFFFFFFFFFFFFFFF
  mov     rax, qword ptr [rsp+48]
aloop:  // get string length
  inc     r8
  cmp     byte ptr [rax+r8], 0
  jnz     short aloop               // loop until end of null terminated string r8 will contain the string length to write
  lea     r9, [rsp+40]                
  mov     qword ptr [rsp+20], 0
  mov     rdx, [rsp+48]            // string buffer to write
  mov     rcx, rbx
  call    WriteFile
  mov     rcx, rbx
  call    CloseHandle
  add     rsp, 80
  retn

newmem+300:
inttohex:
// put data to rax
  lea rdx, [hexcbuf+0]
  mov r8, 10
loophere:
  mov cl, al
  and cl, f
  add cl, 30
  cmp cl, 39
  jle isnum
  add cl, 7
  isnum:
  dec r8
  mov byte ptr [rdx+r8], cl
  sar rax, 4
  cmp r8, 0
  jne loophere
ret

newmem+400:
FileName:
  db 'D:\games\myvaluesave.txt',0
crlf:
  db 0a 0d 00
hexcbuf:
  dq 0 0
  db 0
  

Convert unsigned integer to string
mov rax, #1234
call inttostr

Code: Select all

label(itoaloop)
label(itoaloop2)
label(itoaloop3)
label(inttostr)

newmem+400:
inttostr:
// put data to rax
lea rcx, [buf+0]
// initialize buf[50]
mov r8, #50
itoaloop:
mov byte ptr [rcx], 0
inc rcx
dec r8
cmp r8, 0
jg itoaloop
// Convert rax to string
lea rcx, [buf+0]
xor r9, r9
mov r8, #10
itoaloop2:
xor rdx, rdx
div r8
add dl, 30
mov byte ptr [rcx], dl
inc rcx
inc r9
cmp rax, 0
jne itoaloop2
// String reverse
xor rdx, rdx
mov rax, r9
mov r8, 2
div r8
dec r9
xor r8, r8
lea rcx, [buf+0]
itoaloop3:
mov dl, byte ptr [rcx+r8]
mov dh, byte ptr [rcx+r9]
mov byte ptr [rcx+r8], dh
mov byte ptr [rcx+r9], dl
dec rax
dec r9
inc r8
cmp rax, 0
jne itoaloop3
// Finally
ret
db 90 90 90 90
buf: // buf should be 50 characters
db 0

Not my finest code

[ysfc3m]

Totally. That is one of the very basics of code injection. Well, depending on the game, lets say easy for simple and offline games. Harder in case of some AntiCheat and not allowed to here if it's an online game.
Do the cheat engine tutorials and you'll know how it goes. There are also guides on that like mentioned in f.e. the other recent topic .
Btw. file value? Which file. This is all about editing memory. Well, you can use CE for finding injection points to, but editing files will be usually done in another way and tool. //EDIT: ah, did I missunderstand that?

hello, thank you for answer, maybe you missunderstand. This is an online game but i have bypass anticheat.
I want to write vaules of adresses to txt file, thats all.

[ysfc3m]

Hello, this is auto assemble template. Is this possible ?

code:
mov [esi+00000694],eax
//WRITE TO FILE VALUE OF [esi+00000694]

Doable,

You just need to convert the value to string (if not yet string) then save it to file

Code: Select all

// 64-bit version 

label(hexcbuf)
label(isnum)
label(inttohex)
label(FileName)
label(crlf)


newmem:
  pushfq
  push    rax
  push    rcx
  push    rdx
  push    r8
  push    r9
  mov  rax, qword ptr [esi+00000694] // let say it store 64bit number
  call  inttohex                                 // convert to hex and save to hexcbuf
  lea   rdx, [hexcbuf+0] // write string buffer null terminated
  // lea rdx,  [esi+00000694]    // if this is already a string 
  call    savefile
  lea     rdx, [crlf+0]   // write  crlf
  call    savefile
  pop     r9
  pop     r8
  pop     rdx
  pop     rcx
  pop     rax
  popfq
code:
 // original code usually
  jmp    return

newmem+200:
savefile:
  sub     rsp, 80
  mov     rax, 0
  xor     rax, rsp
  mov     [rsp+88-18], rax
  mov     qword ptr [rsp+48], rdx // buffer to write
  mov     qword ptr [rsp+58], 0
  xor     eax, eax
  xor     r9d, r9d
  mov     [rsp+30], 0
  mov     rcx, FileName              // full path filename
  mov     [rsp+28], 80
  mov     qword ptr [rsp+40], 0   // Bytes written
  xor     r8d, r8d
  lea     edx, [r9+4]
  mov     [rsp+68], al
  mov     [rsp+20], 4
  call    CreateFileA
  mov     rbx, rax
  mov     r8, FFFFFFFFFFFFFFFF
  mov     rax, qword ptr [rsp+48]
aloop:  // get string length
  inc     r8
  cmp     byte ptr [rax+r8], 0
  jnz     short aloop               // loop until end of null terminated string r8 will contain the string length to write
  lea     r9, [rsp+40]                
  mov     qword ptr [rsp+20], 0
  mov     rdx, [rsp+48]            // string buffer to write
  mov     rcx, rbx
  call    WriteFile
  mov     rcx, rbx
  call    CloseHandle
  add     rsp, 80
  retn

newmem+300:
inttohex:
// put data to rax
  lea rdx, [hexcbuf+0]
  mov r8, 10
loophere:
  mov cl, al
  and cl, f
  add cl, 30
  cmp cl, 39
  jle isnum
  add cl, 7
  isnum:
  dec r8
  mov byte ptr [rdx+r8], cl
  sar rax, 4
  cmp r8, 0
  jne loophere
ret

newmem+400:
FileName:
  db 'D:\games\myvaluesave.txt',0
crlf:
  db 0a 0d 00
hexcbuf:
  dq 0 0
  db 0
  

Convert unsigned integer to string
mov rax, #1234
call inttostr

Code: Select all

label(itoaloop)
label(itoaloop2)
label(itoaloop3)
label(inttostr)

newmem+400:
inttostr:
// put data to rax
lea rcx, [buf+0]
// initialize buf[50]
mov r8, #50
itoaloop:
mov byte ptr [rcx], 0
inc rcx
dec r8
cmp r8, 0
jg itoaloop
// Convert rax to string
lea rcx, [buf+0]
xor r9, r9
mov r8, #10
itoaloop2:
xor rdx, rdx
div r8
add dl, 30
mov byte ptr [rcx], dl
inc rcx
inc r9
cmp rax, 0
jne itoaloop2
// String reverse
xor rdx, rdx
mov rax, r9
mov r8, 2
div r8
dec r9
xor r8, r8
lea rcx, [buf+0]
itoaloop3:
mov dl, byte ptr [rcx+r8]
mov dh, byte ptr [rcx+r9]
mov byte ptr [rcx+r8], dh
mov byte ptr [rcx+r9], dl
dec rax
dec r9
inc r8
cmp rax, 0
jne itoaloop3
// Finally
ret
db 90 90 90 90
buf: // buf should be 50 characters
db 0

Not my finest code

hello, thank you for answer. As you can see my first posts i am totally new. Can you give me a simple example for better understanding.

Just write to file "hello" when code injection works everytime. I found arrow of bytes with "find what adresses this instruction access" option. I can add more details if needed.

[ysfc3m]

@kantoboy69 can you give me very simple code write to txt file only "Hello" please. I will start there and go step by step

[kantoboy69]

@kantoboy69 can you give me very simple code write to txt file only "Hello" please. I will start there and go step by step

sorry for the late response

Tutorial-x86_64.CT
Tutorial-i386.CT

just change the path/filename a much as possible no space

[ysfc3m]

Windows: 64 bit
Game: 32 bit
Values: 4 byte

Not important note:
Do you know any place where can i find paid help for this problem ?

[ysfc3m]

I can^'t make it work. Can you go from my aob code please ? I am totally new and looking for starting point.

Code: Select all

[ENABLE]

aobscanmodule(INJECT,Knight OnLine Client.bnbx,89 86 94 06 00 00 39)
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  mov [esi+00000694],eax
  WRITE TO TXT FILE "HELLO"
  jmp return

INJECT:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 89 86 94 06 00 00

unregistersymbol(INJECT)
dealloc(newmem)

[kantoboy69]

I can^'t make it work. Can you go from my aob code please ? I am totally new and looking for starting point.

Use the 64-bit for 64-bit games
And 32 for 32-bit games

in 32-bit it's easy to save registers to stack using pushfd for flags and pushad for the rest of the registers then restore them by using popad and popfd. In 64-bit you have to save them manually, specially those that can affect the original code flow. This code is simply basic
but can be tedious to use. I still need to create some string manipulation codes like, strlen, strcat, strcmp so it won't need to
savefile each strings I need to save. Also I still don't have any idea howto convert floats to string.

Code: Select all

[ENABLE]

aobscanmodule(INJECT,Knight OnLine Client.bnbx,89 86 94 06 00 00 39)
alloc(newmem,$1000)
alloc(buf, 50)
alloc(buf2, $100)

label(code)
label(return)
label(hexcbuf)
label(isnum)
label(inttohex)
label(FileName)
label(crlf)
label(itoaloop)
label(itoaloop2)
label(itoaloop3)
label(inttostr)
label(savefile)
label(byteswritten)
label(hellostr)

buf: // allocated 50 bytes
db 0

buf2:
FileName:
  db 'D:\games\myvaluesave.txt',0
byteswritten:
  dd 0
tmp_register:
  dd 0
crlf:
  db 0d 0a 00
rbxstr1:
  db 'esi = ',0
rbxstr2:
  db '  [esi+00000694] = ',0
hellostr:
  db 'HELLO',0
hexcbuf:
  dd 0 0
  db 0


newmem:
  mov [esi+00000694],eax
// ^^^^^ ORIG code
// WRITE TO TXT FILE "HELLO"

  mov     dword ptr [tmp_register], esi
  pushfd
  pushad  // I missed this at 64-bit :D
  lea     edx, [hellostr+0]
  call    savefile          // Save Hello
  mov     eax, esi          // convert to hex value of esi
  call    inttohex          // save to hexcbuf
  lea     edx, [rbxstr1+0]  // writes prefix first
  call    savefile
  lea     edx, [hexcbuf+0]  // writes prefix first
  call    savefile
  lea     edx, [rbxstr2+0]  // writes 2nd prefix first
  call    savefile
  mov     esi, dword ptr [tmp_register] // restore ebx
  mov     eax, dword ptr [esi+00000694] // the value of int32
  call    inttostr          // convert to string save to buf
  lea     edx, [buf+0]     // writes buf
  call    savefile
  lea     edx, [crlf+0]     // write  crlf
  call    savefile
  popad
  popfd
code:
  jmp return


newmem+200:
savefile:
  mov     ebx, edx        // buffer to write
  push    0
  push    80
  push    4
  push    0
  push    0
  push    4
  push    FileName
  call    CreateFileA
  mov     dword ptr [byteswritten], 0
  mov     esi, eax        // move file handle to esi
  mov     edx, ebx
  mov     eax, ebx
  mov     ebx, FFFFFFFF
aloop:                    // get string length
  inc     ebx
  cmp     byte ptr [eax+ebx], 0
  jnz     short aloop
  push    0
  push    [byteswritten]
  push    ebx             // nNumberOfBytesToWrite
  push    eax             //; lpBuffer
  push    esi             //; hFile
  call    WriteFile
  push    esi
  call    CloseHandle
  ret

newmem+300:
inttohex:
// put data to eax
  lea edx, [hexcbuf+0]
  mov ebx, 8
loophere:
  mov cl, al
  and cl, f
  add cl, 30
  cmp cl, 39
  jle isnum
  add cl, 7
  isnum:
  dec ebx
  mov byte ptr [edx+ebx], cl
  sar eax, 4
  cmp ebx, 0
  jne loophere
ret


newmem+400:
inttostr:
// put data to eax
  lea ecx, [buf+0]
// initialize buf[50]
  mov ebx, #50
itoaloop:
  mov byte ptr [ecx], 0
  inc ecx
  dec ebx
  cmp ebx, 0
  jg itoaloop
// Convert rax to string
  lea ecx, [buf+0]
  xor esi, esi
  mov ebx, #10
itoaloop2:
  xor edx, edx
  div ebx
  add dl, 30
  mov byte ptr [ecx], dl
  inc ecx
  inc esi
  cmp eax, 0
  jne itoaloop2
// String reverse
  xor edx, edx
  mov eax, esi
  mov ebx, 2
  div ebx
  dec esi
  xor ebx, ebx
  lea ecx, [buf+0]
itoaloop3:
  mov dl, byte ptr [ecx+ebx]
  mov dh, byte ptr [ecx+esi]
  mov byte ptr [ecx+ebx], dh
  mov byte ptr [ecx+esi], dl
  dec eax
  dec esi
  inc ebx
  cmp eax, 0
jne itoaloop3
// Finally
  ret
db 90 90 90 90

INJECT:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 89 86 94 06 00 00

unregistersymbol(INJECT)
dealloc(newmem)

[ysfc3m]

Hi again, last code worked perfectly. Can i ask one code block once more ? Sorry if bother you.

This is my target:

Code: Select all

[ENABLE]

aobscanmodule(INJECT,Game.bnbx,66 89 10 89 48 04)
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  mov [eax],dx
  mov [eax+04],ecx
  jmp return

INJECT:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 66 89 10 89 48 04

unregistersymbol(INJECT)
dealloc(newmem)

Example output per line (code,boolean,price)
220410000-0-500000

[kantoboy69]

Hi again, last code worked perfectly. Can i ask one code block once more ? Sorry if bother you.

This is my target:

Example output per line (code,boolean,price)
220410000-0-500000

Code: Select all

[ENABLE]

aobscanmodule(INJECT,Game.bnbx,66 89 10 89 48 04)
alloc(newmem,$1000)

alloc(newmem,$1000)
alloc(buf, 50)
alloc(buf2, $100)

label(code)
label(return)
label(hexcbuf)
label(isnum)
label(inttohex)
label(FileName)
label(crlf)
label(itoaloop)
label(itoaloop2)
label(itoaloop3)
label(inttostr)
label(savefile)
label(byteswritten)
label(dash)

buf: // allocated 50 bytes
db 0

buf2:
FileName:
  db 'D:\games\myvaluesave.txt',0
byteswritten:
  dd 0
tmp_register:
  dd 0
crlf:
  db 0d 0a 00
dash:
  db '=',0
hexcbuf:
  dd 0 0
  db 0


newmem:
// [eax+04]-[eax+0C]-[eax+08]

  pushfd
  pushad  // I missed this at 64-bit :D
  mov     ebx, dword ptr [eax+08]
  push    ebx
  mov     ebx, dword ptr [eax+0C]
  push    ebx
  mov     ebx, dword ptr [eax+04]

  mov     eax, ebx          // convert inttost ebx
  call    inttostr          // save to buf
  lea     edx, [buf+0]      // code [eax+04]
  call    savefile

  lea     edx, [dash+0]     // dash
  call    savefile

  pop     eax               // convert inttost eax
  call    inttostr          // save to buf
  lea     edx, [buf+0]      // code [eax+0C]
  call    savefile

  lea     edx, [dash+0]     // dash
  call    savefile

  pop     eax               // convert inttost eax
  call    inttostr          // save to buf
  lea     edx, [buf+0]      // code [eax+08]
  call    savefile

  lea     edx, [crlf+0]     // cr/lf
  call    savefile

  popad
  popfd
code:
  mov [eax],dx
  mov [eax+04],ecx
  jmp return

newmem+200:
savefile:
  mov     ebx, edx        // buffer to write
  push    0
  push    80
  push    4
  push    0
  push    0
  push    4
  push    FileName
  call    CreateFileA
  mov     dword ptr [byteswritten], 0
  mov     esi, eax        // move file handle to esi
  mov     edx, ebx
  mov     eax, ebx
  mov     ebx, FFFFFFFF
aloop:                    // get string length
  inc     ebx
  cmp     byte ptr [eax+ebx], 0
  jnz     short aloop
  push    0
  push    [byteswritten]
  push    ebx             // nNumberOfBytesToWrite
  push    eax             //; lpBuffer
  push    esi             //; hFile
  call    WriteFile
  push    esi
  call    CloseHandle
  ret

newmem+300:
inttohex:
// put data to eax
  lea edx, [hexcbuf+0]
  mov ebx, 8
loophere:
  mov cl, al
  and cl, f
  add cl, 30
  cmp cl, 39
  jle isnum
  add cl, 7
  isnum:
  dec ebx
  mov byte ptr [edx+ebx], cl
  sar eax, 4
  cmp ebx, 0
  jne loophere
ret


newmem+400:
inttostr:
// put data to eax
  lea ecx, [buf+0]
// initialize buf[50]
  mov ebx, #50
itoaloop:
  mov byte ptr [ecx], 0
  inc ecx
  dec ebx
  cmp ebx, 0
  jg itoaloop
// Convert rax to string
  lea ecx, [buf+0]
  xor esi, esi
  mov ebx, #10
itoaloop2:
  xor edx, edx
  div ebx
  add dl, 30
  mov byte ptr [ecx], dl
  inc ecx
  inc esi
  cmp eax, 0
  jne itoaloop2
// String reverse
  xor edx, edx
  mov eax, esi
  mov ebx, 2
  div ebx
  dec esi
  xor ebx, ebx
  lea ecx, [buf+0]
itoaloop3:
  mov dl, byte ptr [ecx+ebx]
  mov dh, byte ptr [ecx+esi]
  mov byte ptr [ecx+ebx], dh
  mov byte ptr [ecx+esi], dl
  dec eax
  dec esi
  inc ebx
  cmp eax, 0
jne itoaloop3
// Finally
  ret
db 90 90 90 90

INJECT:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 66 89 10 89 48 04

unregistersymbol(INJECT)
dealloc(newmem)

[ysfc3m]

Game crashes after injection and start search in game.

This is the txt file

Code: Select all

1668312668=1650418802=1634689631
1668312668=1650418802=1634689631
1668312668=1701279083=1601138015
1668312668=1701666657=1919905119
1668312668=1835100275=1601138015

Last time (working code) we wrote original code to "newmem". This can be problem ?
You wrote alloc(newmem,$1000) 2 times, mistake ?

[kantoboy69]

Game crashes after injection and start search in game.


Last time (working code) we wrote original code to "newmem". This can be problem ?
You wrote alloc(newmem,$1000) 2 times, mistake ?

remove the other one
it's a mistake
I just woke up when I copy and paste things

[ysfc3m]

When i only write "=" no problem, this is good news it is working.

When enable all codes, crashing on half and outpot not look true.

edit: Here is another comment about code

Code: Select all

There's no check on the pointers (and what you access thru them).
Wrap those in try/except blocks and see what happens.