AoB inject crush the game

SilverRabbit90
Table Makers
Posts: 214
Joined: Fri Jan 15, 2021 12:01 am
Reputation: 191

AoB inject crush the game

Post by SilverRabbit90 »

I tried to modify my character's HP with an AoB script. The script works as long as I create a new script every time the game is restarted.

Ex:

// This cheat works, but if I restart the game the cheat cannot be activated anymore

[ENABLE]

aobscan(INJECT,7A DA D2 89 11 8B 0D 40 9F 92 01) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
mov edx,(float)800
mov [ecx],edx
mov ecx,[pcsx2.exe+1199F40]
jmp return

INJECT+03:
jmp newmem
nop 3
return:
registersymbol(INJECT)

[DISABLE]

INJECT+03:
db 89 11 8B 0D 40 9F 92 01

unregistersymbol(INJECT)
dealloc(newmem)


When I start the game the script does not activate anymore, so I do the AoB scan again and replace the scanned values that change at each restart with ?...

Ex:

// With this the cheat can be activated, but if I take damage the game crashes. aobscan is unique (I tested it)

[ENABLE]

aobscan(INJECT,0F 88 ?? ?? E? D2 89 11 8B 0D 40 9F 92 01 81 C1 10 04 00 00 89 C8 C1 E8 0C 8B 04 85 30 ?0 ?? 1E BB ?? ?? ?? 30 01 C1 0F 88 ?? ?? E? D2 0F BF 01 99) // should be unique
alloc(newmem,$1004)

label(code)
label(return)
label(exit)

newmem:

jmp exit

code:
mov edx,(float)800
mov [ecx],edx
mov ecx,[pcsx2.exe+1199F40]
jmp return

exit:
jmp return

INJECT+03:
jmp newmem
nop 3
return:
registersymbol(INJECT)

[DISABLE]

INJECT+03:
db 89 11 8B 0D 40 9F 92 01

unregistersymbol(INJECT)
dealloc(newmem)

Now I can activate the cheat, but when I take damage the game crashes. I don't know what I need to do to fix this. In other games the AoB scan does not give any problem: the cheat is activated and the game does not crash when taking damage. I tried to scan with Cheat Engine to see if INJECT was unique, and it is actually unique.
What should I do to fix this?

MBRKiNG
Table Makers
Posts: 324
Joined: Fri Feb 23, 2018 5:13 pm
Reputation: 555

Re: AoB inject crush the game

Post by MBRKiNG »

If you use several scripts with "INJECT" this can cause errors; change the symbol "INJECT" to a custom name like "HealthAOB".

Another solution:
you don't really need scripts for PS2 games, just use cached and uncached EE RAM directly, each value is static. Hope that helps.

Attachments
pcsx2.CT (sample ct pcsx2 v1.6.0, 16.58 KiB)

GreenHouse
Expert Cheater
Posts: 852
Joined: Fri Oct 12, 2018 10:25 pm
Reputation: 896

Re: AoB inject crush the game

Post by GreenHouse »

SilverRabbit90 wrote:
Sat Nov 06, 2021 6:15 pm
With this the cheat can be activated, but if I take damage the game crashes. aobscan is unique (I tested it)
I mean, the second script makes no sense at all. You just jump to newmem, which jumps to exit, which jumps to return. So you're pretty much doing nothing, and that's skipping the original instructions that need to be run. So that's why it crashes.

And like MBRKiNG said, both scripts have a symbol with the same name (INJECT), so if you activate both it'll break stuff.

SilverRabbit90
Table Makers
Posts: 214
Joined: Fri Jan 15, 2021 12:01 am
Reputation: 191

Re: AoB inject crush the game

Post by SilverRabbit90 »

GreenHouse wrote:
Sat Nov 06, 2021 10:12 pm
SilverRabbit90 wrote:
Sat Nov 06, 2021 6:15 pm
With this the cheat can be activated, but if I take damage the game crashes. aobscan is unique (I tested it)
I mean, the second script makes no sense at all. You just jump to newmem, which jumps to exit, which jumps to return. So you're pretty much doing nothing, and that's skipping the original instructions that need to be run. So that's why it crashes.

And like MBRKiNG said, both scripts have a symbol with the same name (INJECT), so if you activate both it'll break stuff.


Actually the code in the second example works perfectly when used in the first example; I forgot to put // when making this example.
For example I should have written:
// label (exit)
// jmp exit
// exit:
// jmp return

This is another way of doing a NOP. I've tried whatever I know, even a normal nop, but on the second code nothing works...
Remember that both codes do the same thing, only that the first works but the second crashes the game (they are the same code). The problem with the first script is that I have to redo it every time the game is restarted because the aobscan is dynamic.
I didn't try to run both scripts at the same time. At every restart of the game I try to activate only one of the two (for the first case I have to redo the script at each reboot).
The problem is not so simple, I have been working on it for a month now.
As for wanting to script it: it is useful for some games. For example infinite ammunition: in some games each weapon has its own values and you would have to look for the ammunition of each single weapon, while with a script you have infinite ammunition for all weapons (of a certain category). Same thing for the HP of the enemies: I cannot search the HP of 100 enemies, but with a script I can easily change the HP of all the enemies at the same time.

SilverRabbit90
Table Makers
Posts: 214
Joined: Fri Jan 15, 2021 12:01 am
Reputation: 191

Re: AoB inject crush the game

Post by SilverRabbit90 »

As for MBRKiNG, I have no clue what cached and uncached is, I will have to inform myself about it.

MBRKiNG
Table Makers
Posts: 324
Joined: Fri Feb 23, 2018 5:13 pm
Reputation: 555

Re: AoB inject crush the game

Post by MBRKiNG »

SilverRabbit90 wrote:
Sun Nov 07, 2021 12:33 pm
As for MBRKiNG, I have no clue what cached and uncached is, I will have to inform myself about it.
Emulated RAM address range; each game value you're looking for is in this range: START 0x20100000 - STOP 0x21FFFFFF


PS2 Memory and Hardware Mapped Registers Layout

Logical Address Range    Physical Address Range   Description                       Size
0x80000000-0x800FFFFF    0x00000000-0x000FFFFF    EE Kernel                         1 MB
0x00100000-0x01FFFFFF    0x00100000-0x01FFFFFF    EE RAM (Cached)                   31 MB
0x20100000-0x21FFFFFF    0x00100000-0x01FFFFFF    EE RAM (Uncached)                 31 MB
0x30100000-0x31FFFFFF    0x00100000-0x01FFFFFF    EE RAM (Uncached & accelerated)   31 MB

CopperB
Noobzor
Posts: 7
Joined: Tue Sep 07, 2021 8:46 pm
Reputation: 2

Re: AoB inject crush the game

Post by CopperB »

Sorry to barge in here, new to CE trainer making. What does AoB stand for?

SilverRabbit90
Table Makers
Posts: 214
Joined: Fri Jan 15, 2021 12:01 am
Reputation: 191

Re: AoB inject crush the game

Post by SilverRabbit90 »

CopperB wrote:
Wed Mar 01, 2023 12:55 pm
Sorry to barge in here, new to CE trainer making. What does AoB stand for?
Wiki:
[Link]

An AOB is just an Array of Bytes; it tends to be used as a signature. A signature is really only an AOB with wildcards. A signature can be found even if the address where it is changes, so long as the signature still exists.

Personally I always use it even when I don't need it XD.

It is used when the injection point of a code changes every time you restart the game, not allowing you to activate the script. Usually it is used on games that are often updated or on some emulated games.

Example:


[ENABLE]

aobscanmodule(MissionTimeA,GE2RB.exe,66 89 86 38 11 17 00) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

label(seeMissionTime)
registersymbol(seeMissionTime)

newmem:
  mov [seeMissionTime],esi

code:
  mov [esi+00171138],ax
  jmp return

seeMissionTime:
  dd 0 // 4-byte slot, since a full 32-bit register (esi) is stored here

MissionTimeA:
  jmp newmem
  nop 2
return:
registersymbol(MissionTimeA)

[DISABLE]

MissionTimeA:
  db 66 89 86 38 11 17 00

unregistersymbol(*)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: GE2RB.exe+155CC7D

GE2RB.exe+155CC5E: E8 6D 04 6E 00        - call GE2RB.exe+1C3D0D0
GE2RB.exe+155CC63: 83 C4 04              - add esp,04
GE2RB.exe+155CC66: CC                    - int 3
GE2RB.exe+155CC67: 89 F9                 - mov ecx,edi
GE2RB.exe+155CC69: E8 AD 0D 55 00        - call GE2RB.exe+1AADA1B
GE2RB.exe+155CC6E: 0F B7 86 38 11 17 00  - movzx eax,word ptr [esi+00171138]
GE2RB.exe+155CC75: 31 C9                 - xor ecx,ecx
GE2RB.exe+155CC77: 66 39 C1              - cmp cx,ax
GE2RB.exe+155CC7A: 74 08                 - je GE2RB.exe+155CC84
GE2RB.exe+155CC7C: 48                    - dec eax
// ---------- INJECTING HERE ----------
GE2RB.exe+155CC7D: 66 89 86 38 11 17 00  - mov [esi+00171138],ax
// ---------- DONE INJECTING  ----------
GE2RB.exe+155CC84: 5F                    - pop edi
GE2RB.exe+155CC85: 5E                    - pop esi
GE2RB.exe+155CC86: 89 EC                 - mov esp,ebp
GE2RB.exe+155CC88: 5D                    - pop ebp
GE2RB.exe+155CC89: C3                    - ret
GE2RB.exe+155CC8A: CC                    - int 3
GE2RB.exe+155CC8B: CC                    - int 3
GE2RB.exe+155CC8C: CC                    - int 3
GE2RB.exe+155CC8D: CC                    - int 3
GE2RB.exe+155CC8E: CC                    - int 3
}
This is the injection point of this script:
// ORIGINAL CODE - INJECTION POINT: GE2RB.exe+155CC7D
In this case when starting the game it never changes, unless the game is updated.

Sometimes you can find something like this:
// ORIGINAL CODE - INJECTION POINT: 279A0793709
In this case the injection point changes with each restart of the game not allowing you to activate the script, therefore you must use a script created with AoB.

To create a script with AoB you need to do: Tools - Auto Assemble (or Ctrl+A) - Template - AOB injection (or Shift+Ctrl+A). Cheat Engine will autogenerate the script with AoB.
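As an added illustration (not code from any post here, and not Cheat Engine's own implementation), a small Python scanner that does what aobscan does with the wildcard forms used in the second script of the opening post, then applies the two checks a practitioner wants: whether a signature is unique in a buffer, and where the eight bytes the hook overwrites sit inside the signature, which is the offset the INJECT+NN line must use. The byte buffer is constructed for the example: the opening post's second signature with its wildcards filled in, plus a decoy copy of the hook bytes.

```python
def parse_aob(pattern):
    """Parse a CE-style AoB ("0F 88 ?? E? ?0") into (values, masks): "??" is a full
    wildcard, "E?"/"?0" nibble wildcards; a set mask bit means the bit must match."""
    values, masks = [], []
    for tok in pattern.split():
        tok = tok * 2 if len(tok) == 1 else tok          # "?" -> "??"
        val = mask = 0
        for shift, ch in ((4, tok[0]), (0, tok[1])):
            if ch != "?":
                val |= int(ch, 16) << shift
                mask |= 0xF << shift
        values.append(val)
        masks.append(mask)
    return bytes(values), bytes(masks)

def aob_scan(buf, pattern):
    """Every offset in buf where the masked pattern matches (what aobscan does);
    the signature is 'unique' when exactly one offset comes back."""
    values, masks = parse_aob(pattern)
    n = len(values)
    return [i for i in range(len(buf) - n + 1)
            if all((buf[i + k] & masks[k]) == values[k] for k in range(n))]

def hook_offset(signature, hook_bytes):
    """Offset of the concrete hook bytes inside the signature, i.e. the NN that
    'INJECT+NN:' has to use; None if the signature does not contain them."""
    sig_v, sig_m = parse_aob(signature)
    hook_v, _ = parse_aob(hook_bytes)
    n = len(hook_v)
    for i in range(len(sig_v) - n + 1):
        if all((hook_v[k] & sig_m[i + k]) == sig_v[i + k] for k in range(n)):
            return i
    return None

def instantiate(pattern, fill=0x3):
    """Fill every wildcard nibble with `fill` to get concrete bytes (for the sample)."""
    vals, masks = parse_aob(pattern)
    return bytes(v | ((fill * 0x11) & ~m & 0xFF) for v, m in zip(vals, masks))

# The two signatures from the opening post and the eight bytes both scripts
# overwrite with "jmp newmem / nop 3".
P1 = "7A DA D2 89 11 8B 0D 40 9F 92 01"
P2 = ("0F 88 ?? ?? E? D2 89 11 8B 0D 40 9F 92 01 81 C1 10 04 00 00 89 C8 C1 E8 "
      "0C 8B 04 85 30 ?0 ?? 1E BB ?? ?? ?? 30 01 C1 0F 88 ?? ?? E? D2 0F BF 01 99")
HOOK = "89 11 8B 0D 40 9F 92 01"
# Constructed sample memory: filler, a concrete instance of P2, then a decoy
# copy of just the hook bytes, so the short sequence is not unique but P2 is.
SAMPLE = (b"\x90" * 16 + instantiate(P2)
          + b"\xCC" * 8 + bytes.fromhex(HOOK.replace(" ", "")) + b"\xCC" * 8)
```

Against the two signatures from the opening post, hook_offset returns 3 for the first and 6 for the second, so the scanned pattern and the INJECT+NN offset have to be checked together whenever the signature is re-taken.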

dna
Expert Cheater
Posts: 79
Joined: Sun Mar 31, 2019 12:14 am
Reputation: 10

Re: AoB inject crush the game

Post by dna »

CopperB wrote:
Wed Mar 01, 2023 12:55 pm
Sorry to barge in here, new to CE trainer making. What does AoB stand for?
array of bytes
[Link]
