Base Address needed to inject code?

Anything Cheat Engine related, bugs, suggestions, helping others, etc..
Post Reply
isofix
Noobzor
Noobzor
Posts: 6
Joined: Mon May 01, 2023 6:29 pm
Reputation: 1

Base Address needed to inject code?

Post by isofix »

Hi @ all,

I used a popular video tut on YT to get an overview to Cheat Engine. But what i maybe have missed in the video Tutorial, is the base address required to inject code into the game?

Sorry for the newbie question and I hope the post is not redundant, the search function did not yield any hits.
In advance, thank you for your help.

User avatar
LeFiXER
LeFixer
LeFixer
Posts: 489
Joined: Wed Mar 24, 2021 9:35 am
Reputation: 251

Re: Base Address needed to inject code?

Post by LeFiXER »

You can inject code at any location provided the memory section permits read/write/execute privileges.

isofix
Noobzor
Noobzor
Posts: 6
Joined: Mon May 01, 2023 6:29 pm
Reputation: 1

Re: Base Address needed to inject code?

Post by isofix »

maybe I should have been more precise, the inject code is also address dependent I guess, means if the underlying address for e.g. health is no longer valid (by restarting the game) the inject code will also not work anymore? Does this inject Code to be able to work after a restart requires the base address?

User avatar
LeFiXER
LeFixer
LeFixer
Posts: 489
Joined: Wed Mar 24, 2021 9:35 am
Reputation: 251

Re: Base Address needed to inject code?

Post by LeFiXER »

This is why array of byte scanning is a thing. You find the correct location based on the instructions searched for. A unique array of bytes will always yield the correct location for injection. I would recommend doing some research on copy injection. This will allow you to use pointers held within the registers at the injection point so you will always have a valid address.

isofix
Noobzor
Noobzor
Posts: 6
Joined: Mon May 01, 2023 6:29 pm
Reputation: 1

Re: Base Address needed to inject code?

Post by isofix »

First thank you for your answers and time.
Since i am not that much of an advanced CE user, could you Show on an excample what you are refering to? Thank

User avatar
LeFiXER
LeFixer
LeFixer
Posts: 489
Joined: Wed Mar 24, 2021 9:35 am
Reputation: 251

Re: Base Address needed to inject code?

Post by LeFiXER »

What the code injection does is place a jump at the location found by the aob scan function which jumps to the allocated memory, executes the new instructions we implemented and then jumps back to the respective place to resume functionality

Pseudo-example:

Code: Select all

[ENABLE]
// aobscanmodule(symbol_name, module, array of bytes)
// Note: "?" and "*" characters are wildcards meaning that it doesn't matter the value of the byte within the array.
aobscanmodule(aob_example,process.exe,48 8D 64 24 D8 C6 05 * * * * 00 4C) // should be unique

// Allocate 1000 bytes of memory near the result returned by aobscanmodule
alloc(newmem,$1000,aob_example)

// alloc(symbol_name, size_in_bytes)
// Allocate memory to store the pointer address
alloc(my_pointer, 4)

// assign two labels to use within the script respectively
label(code)
label(return)

newmem:
  // Your new instructions go here
  // For example: say rax was the register that held the pointer address of the player we could extract it.
  mov [my_pointer],rax
  // What this instruction does is take the value held within rax, and set the value of the symbol (not the address) to the value held in rax
  // here it will continue to the code section which have the original instructions

code:
  lea rsp,[rsp-28]
  jmp return

aob_example:
  jmp newmem

return:
registersymbol(aob_example)
// We need to register the symbol so that we can use it within the cheat table
registersymbol(my_pointer)
[DISABLE]

// This restores the bytes previously at the injection point
aob_example:
  db 48 8D 64 24 D8

// This is pretty self-explanatory
unregistersymbol(aob_example)
dealloc(newmem)

isofix
Noobzor
Noobzor
Posts: 6
Joined: Mon May 01, 2023 6:29 pm
Reputation: 1

Re: Base Address needed to inject code?

Post by isofix »

Hi,

to be honest I didn't understand everything, what is the difference between AOBinjection and normal code injection?

I have tried the game again and have chosen health as a target. It seems to me that a dodge function is also affected by the address. A scan for communalitys of entries accessing the same function resulted in the image attached.
For explanation:

1. shows one of the many pointers which remained even after restarting the game.
2. the address which is responsible for the dodge function in the game (cooldown of 1. second). This address also accesses the health function.
3. result of the scan which still accesses the function. (dodge function; value 1 group 2)
4. result of the scan which still accesses the function. (Health group 1)
5. function of health; value 100
6. find differences
7. try a code injection to not affect the dodge function when the function is called. unfortunately I get an error message which says that line 12 is not compailable.

If chance is with me this time, maybe you speak german? Would help with communication.

User avatar
LeFiXER
LeFixer
LeFixer
Posts: 489
Joined: Wed Mar 24, 2021 9:35 am
Reputation: 251

Re: Base Address needed to inject code?

Post by LeFiXER »

Code injection is pretty much the same as AOB injection. The AOB injection part just locates the section in memory where to place the code injection. From the image you uploaded, nothing seems to be out of the ordinary except you missed the space between cmp and [rcx+63C]. Ich bin Englander und mein Deutsch is nicht gut genug, sry.

jgoemat
Table Makers
Table Makers
Posts: 73
Joined: Fri Jul 21, 2017 6:47 pm
Reputation: 77

Re: Base Address needed to inject code?

Post by jgoemat »

I assume you are talking about when you have found code that accesses the address you are interested in and want to write a script to inject your own code, and to do that you have the line selected and hit CTRL+A to open the Auto Assemble window and are using the 'Template' menu...

I think the address used is normally the address that is selected in the main 'Memory Viewer' disassembly area. So if you found that address by 'Find what code modifies this address' and are looking at that instruction, it should populate. Otherwise you need to copy that address and use it.

I actually wrote the Full Injection and AOB Injection templates. The normal 'Code Injection' template just relocates game code to new memory and replaces it with a JMP instruction to that relocated code and has a JMP instruction after that relocated code to go back to the point after the code you removed. This *does not* include the [enable] and [disable] sections or the AA commands needed to restore the original code in the game, so you can execute your script but not assign it to your table.

The 'Full Injection' does the same thing, but includes the [Enable] and [Disable] sections so you can add it to your cheat table and enable/disable it.

Those are good for a static game, but any time a new version of the game comes out, all the addresses change and your scripts will no longer work. They also don't work for *many* games if you simply restart them because a lot of games are no longer simple executables and include code that is compiled at run time and will be at a different location every time you restart the game.

To deal with those, 'AOB Injection' tries to find a unique signature for the code at the address. It looks at the bytes in memory for the instruction(s) you are replacing with a JMP and the instructions before and after and comes up with a search that should uniquely identify that instruction in memory even if you restart a game and it is recompiled into a different memory address or if the game is updated. Note that this is not fool-proof and will very often require some changes. For example if the instruction you found for modifying health is 'mov [rcx+0140],edx' and the game is updated where a new field is added to the player object and the offset is n ow +148 instead of +140, there is no way to automatically tell that. The bytes for the instruction will now be different and it won't be found when searching for the original bytes. Also some run-time compilers don't always compile to the exact same instructions, so now the health might be in ebx and the bytes will be different. Neither of these cases would work with the other templates either so you will have to find a way to deal with it and update your scripts.

Also you have to know something about assembly and how they work to find the right spot to inject. For example if you have 'xor eax,eax' followed by 'call Game.exe+103457' and try to inject on the 'xor eax,eax' instruction, the required JMP actually takes more bytes so it will include the call in your injection. In this case that address will change with any game update and the AOB will no longer be found since it needs to know the exact bytes it is replacing ahead of time.

From your last post it looks as if you found several instructions in code in the disassembly window that do different things with health and are trying to figure out which one to use. This is highly dependent on the game and what the code does and is impossible to answer without looking at it myself. If you are just looking at memory addresses and want to write a re-usable script to do something I think you need to find other videos or tutorials to be able to find the code that accesses those addresses and updates it.

Post Reply

Who is online

Users browsing this forum: No registered users