Having trouble finalizing a cheat from two consistent pointers
Game: Gun Girl2. It is an old 2D side-scrolling platform freeware Steam game. I have successfully created inf ammo, health and a 1-hit kill. But I am desperately in need of assistance creating an infinite jump code.
So I use a 4-byte search of exact value, using 1 and 0 as my values: freeze at 0 when on the ground, and freeze at value 1 while jumping in the air. It takes 4 searches to find my cheat. Clicking the cheat allows me to jump to the ceiling indefinitely as long as I press the jump button. I add it to my list and check what accesses and/or writes to this address. I get two opcodes every time. They are exactly the same every session.
004117A9 89 4E 08 -MOV [ESI+08],ECX
0040F207 8B 48 08 -MOV ECX,[EAX+08]
I then get the value of the pointer needed to find my cheat address, paste that back into the scan, change to hex, and I get two of the same results every session: 0009E058 & 0009E060. These results are in black. Double clicking these two results and adding my offset of 08 turns it into a pointer. That works. But if I script the pointer the game crashes every time. If I save the table with these two pointers, restarting the game causes these pointers to no longer work; just ?? appear in the value column. At this point I am not sure how to proceed. I had no problem doing an AOB injection to create scripts for my health and ammo. Any help to push me in the right direction is appreciated.
Re: Having trouble finalizing a cheat from two consistent pointers
Select this line and click Show in disassembler:
Code: Select all
004117A9 89 4E 08 -MOV [ESI+08],ECX
Click Tools > Auto Assemble > In the new window > Template > AOB Injection.
Under newmem put:
Code: Select all
mov ecx,1
Click File > Add to table. There is no need for a pointer. But if you wish to have it anyway, you can add some things to the script (assuming that esi holds the address you want):
Code: Select all
...
label(mysymbol)
newmem:
test esi,esi          // skip the save if esi is null
jz code
mov [mysymbol],esi    // remember the object address esi points at
mov ecx,1
align 8 CC
mysymbol:
dd 0                  // 4-byte slot that holds the saved esi
...
return:
...
registersymbol(mysymbol)
...
[DISABLE]
...
unregistersymbol(mysymbol)
dealloc(mysymbol)
...
Then add a new address to the table with the address 'mysymbol'
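As an added example, not from LeFiXER's post and not Cheat Engine's own code: the bookkeeping the AOB Injection template performs when it drops a 5-byte jmp at the injection point. Given the bytes at the injection point, it works out how many whole instructions the jmp overwrites (those must be reproduced under code:), the db line that [DISABLE] must restore, where the return: label lands, and the rel32 operand of the jmp. The instruction lengths come from a hand-built table that only knows the opcodes in the thread's listing (an assumption, not a real decoder), the module base 0x400000 is assumed to match the 004117A9 address in the thread, and the newmem address 0x00E70000 is made up.

```c
/* Added example (not from the thread or Cheat Engine): the bookkeeping the
 * AOB Injection template does when it drops a 5-byte jmp at INJECT.
 * Instruction lengths come from a hand-built table that only knows the
 * opcodes in the posted listing (an assumption, not a real decoder). */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define JMP_LEN 5u   /* E9 rel32 */

/* Bytes at stdrt.exe+117A9 copied from the listing in the thread:
 * mov [esi+08],ecx ; pop edi ; pop esi ; pop ebp ; pop ebx ; ret ; nop */
const uint8_t inject_bytes[] = {0x89,0x4E,0x08, 0x5F, 0x5E, 0x5D, 0x5B, 0xC3, 0x90};

/* Length of the instruction at p; 0 means "opcode not in the table". */
size_t insn_len(const uint8_t *p, size_t avail)
{
    if (avail == 0) return 0;
    switch (p[0]) {
    case 0x89: case 0x8B:   /* mov r/m32,r32 and mov r32,r/m32 */
        /* Only ModRM mod=01 (disp8) without SIB, the forms the listing uses */
        if (avail >= 3 && (p[1] & 0xC0) == 0x40 && (p[1] & 0x07) != 0x04)
            return 3;
        return 0;
    case 0x5B: case 0x5D: case 0x5E: case 0x5F:  /* pop ebx/ebp/esi/edi */
    case 0xC3:                                   /* ret */
    case 0x90:                                   /* nop */
        return 1;
    default:
        return 0;
    }
}

/* Whole instructions that the jmp overwrites; never split one in half.
 * Returns 0 if an unknown opcode is hit, so the caller refuses to guess. */
size_t stolen_len(const uint8_t *code, size_t avail)
{
    size_t n = 0;
    while (n < JMP_LEN) {
        size_t l = insn_len(code + n, avail - n);
        if (l == 0) return 0;
        n += l;
    }
    return n;
}

/* Where the 'return:' label lands: first byte after the stolen range. */
uint32_t return_addr(uint32_t inject, size_t stolen)
{
    return inject + (uint32_t)stolen;
}

/* rel32 operand of an E9 jmp at 'from' that lands on 'to' (32-bit process). */
int32_t jmp_rel32(uint32_t from, uint32_t to)
{
    return (int32_t)(to - (from + JMP_LEN));
}

int main(void)
{
    const uint32_t inject = 0x004117A9;  /* stdrt.exe+117A9 at base 0x400000 */
    const uint32_t newmem = 0x00E70000;  /* assumed address alloc() returned */
    size_t n = stolen_len(inject_bytes, sizeof inject_bytes);
    if (n == 0) { puts("unknown opcode in range, refusing to hook"); return 1; }

    printf("stolen %zu bytes, so [DISABLE] needs:\nINJECT:\n  db", n);
    for (size_t i = 0; i < n; i++) printf(" %02X", inject_bytes[i]);
    printf("\njmp newmem encodes as E9 %08X\n", (uint32_t)jmp_rel32(inject, newmem));
    printf("return: = %08X (the pop ebp right after the stolen pops)\n",
           return_addr(inject, n));
    if (n > JMP_LEN)
        puts("(stolen range longer than the jmp: the template pads with nop)");
    return 0;
}
```

For the bytes in the thread this yields exactly the template's output: five stolen bytes (mov [esi+08],ecx, pop edi, pop esi), `db 89 4E 08 5F 5E` for [DISABLE], and return: at stdrt.exe+117AE, which is why the two pops have to appear under code: before `jmp return`.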
Re: Having trouble finalizing a cheat from two consistent pointers
So I tried both options you wrote. When replacing the code with NOP, the character jumps by themselves indefinitely. Restoring the original code allows me to control the character; each time I tap the jump button I can keep the character in the air. Applying both your instructions to the script, the game immediately crashes.
Just a few notes about this game. It is a free Steam game. It does not install files to the C-drive unless you install it there on purpose. It is almost like a portable game. It is 42 megabytes in size. Under the disassembler it says Read only. Could that be the reason why both the scripts are crashing?
The same developer has another title they developed. With that game I can easily create an AOB inject script for inf jumping, no problem. That game is newer, and it will install files to the C-drive as well as to your steamapps game folder. I am more interested in figuring out why my attempts to script a code never work than I am at playing the game at this point. LOL. My theory is maybe portable games aren't able to be edited by Cheat Engine?
Re: Having trouble finalizing a cheat from two consistent pointers
Here is the script
{ Game : stdrt.exe
Version:
Date : 2024-03-28
Author :
This script does blah blah blah
}
[ENABLE]
aobscanmodule(INJECT,stdrt.exe,89 4E 08 5F 5E 5D 5B C3 90) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
mov ecx,1
pop edi
pop esi
jmp return
INJECT:
jmp newmem
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 89 4E 08 5F 5E
unregistersymbol(INJECT)
dealloc(newmem)
Re: Having trouble finalizing a cheat from two consistent pointers
LeFiXER never said you'll need a
Code: Select all
pop edi
pop esi
in fact that will corrupt the stack and will crash your game.
you can't just pop things.. without pushing them first
Re: Having trouble finalizing a cheat from two consistent pointers
I am at the elementary school level as far as the scripting side of Cheat Engine goes. Generally finding the cheats is pretty straightforward, but editing the script I make is like reading a foreign language. I've been studying C++ for a few days. To be good at Cheat Engine, should the average newbie study x86 first?
Re: Having trouble finalizing a cheat from two consistent pointers
henee21 wrote: ↑Fri Mar 29, 2024 1:21 am
Here is the script
...
The information at the bottom of the script is also helpful, which you should leave there when sharing. If you are certain that the information isn't required/useful then you can remove it to save space. You should really place your changes under newmem, not only for ease of reference in future, but also so that you can make changes without altering the main code. You can determine what was changed far easier, and if you share your script with others they will also know what was added. Like Toga says, you can't just pop a register without first using push. C++ is a higher-level language than ASM, although you can use ASM within a C++ program. [Link] is a fantastic resource for beginning to learn x86 Assembly (there is a difference between x86 and ARM Assembly).
Given that the instructions in your script are:
Code: Select all
mov [esi+08],ecx
pop edi
pop esi
pop ebp
pop ebx
ret
Code: Select all
...
newmem:
mov ecx,1
code:
mov [esi+08],ecx
pop edi
pop esi
jmp return
...
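As an added example, not from LeFiXER's post: a small C model of the epilogue the jmp lands in (pop edi; pop esi; pop ebp; pop ebx; ret), run over a constructed stack. It compares the untouched epilogue with a hook that reproduces exactly the two pops the jmp overwrote and then continues at return:, and with hooks that drop or add a pop, to show that an unbalanced pop count shifts ESP so that ret pulls the wrong slot. The stack contents and the return address are made up for the demonstration.

```c
/* Added example (not from the thread): a tiny model of the x86 epilogue the
 * hook lands in (pop edi; pop esi; pop ebp; pop ebx; ret), run over a
 * constructed stack, to show why the injected block must pop exactly the
 * registers whose pops the jmp overwrote. Stack values are made up. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

enum { POP_EDI, POP_ESI, POP_EBP, POP_EBX, RET };

typedef struct {
    uint32_t stack[8];  /* slot i is what ESP+4*i points at; pop moves up */
    size_t esp;         /* index of the current top slot */
    uint32_t edi, esi, ebp, ebx;
} cpu_t;

static uint32_t pop(cpu_t *c) { return c->stack[c->esp++]; }

/* Execute epilogue ops in order; returns the address ret transfers to. */
uint32_t run(cpu_t *c, const int *ops, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        switch (ops[i]) {
        case POP_EDI: c->edi = pop(c); break;
        case POP_ESI: c->esi = pop(c); break;
        case POP_EBP: c->ebp = pop(c); break;
        case POP_EBX: c->ebx = pop(c); break;
        case RET:     return pop(c);
        }
    }
    return 0;  /* no ret executed */
}

/* Stack as the function left it at INJECT: four saved registers, then the
 * return address the caller pushed, then caller data (constructed values). */
static cpu_t fresh(void)
{
    cpu_t c = {{0}, 0, 0, 0, 0, 0};
    c.stack[0] = 0xD1D1D1D1; /* saved edi */
    c.stack[1] = 0x51515151; /* saved esi */
    c.stack[2] = 0xB9B9B9B9; /* saved ebp */
    c.stack[3] = 0xBBBBBBBB; /* saved ebx */
    c.stack[4] = 0x00401234; /* return address (made up) */
    c.stack[5] = 0x41414141; /* caller's data above the frame */
    return c;
}

/* Original epilogue, untouched. */
uint32_t original(void)
{
    static const int ops[] = {POP_EDI, POP_ESI, POP_EBP, POP_EBX, RET};
    cpu_t c = fresh();
    return run(&c, ops, 5);
}

/* Correct hook: newmem reproduces the two pops the 5-byte jmp overwrote,
 * then jumps to return:, which continues at pop ebp. */
uint32_t hook_balanced(void)
{
    static const int newmem[] = {POP_EDI, POP_ESI};       /* stolen pops */
    static const int after[]  = {POP_EBP, POP_EBX, RET};  /* from return: */
    cpu_t c = fresh();
    run(&c, newmem, 2);
    return run(&c, after, 3);
}

/* Wrong hook: the stolen pops are left out, so ebp/ebx get the saved
 * edi/esi values and ret reads the saved ebp as its target. */
uint32_t hook_missing_pops(void)
{
    static const int after[] = {POP_EBP, POP_EBX, RET};
    cpu_t c = fresh();
    return run(&c, after, 3);
}

/* Wrong hook: one pop too many, so ret reads past the real return address. */
uint32_t hook_extra_pop(void)
{
    static const int newmem[] = {POP_EDI, POP_ESI, POP_EDI};
    static const int after[]  = {POP_EBP, POP_EBX, RET};
    cpu_t c = fresh();
    run(&c, newmem, 3);
    return run(&c, after, 3);
}

int main(void)
{
    printf("original      ret -> %08X\n", original());
    printf("balanced hook ret -> %08X\n", hook_balanced());
    printf("missing pops  ret -> %08X\n", hook_missing_pops());
    printf("extra pop     ret -> %08X\n", hook_extra_pop());
    return 0;
}
```

Only the balanced variant returns to the caller's address; the other two hand ret a saved register or whatever sits above the frame, which is the crash the thread is chasing.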
Re: Having trouble finalizing a cheat from two consistent pointers
{ Game : stdrt.exe
Version:
Date : 2024-03-30
Author :
This script does blah blah blah
}
[ENABLE]
aobscanmodule(INJECT,stdrt.exe,89 4E 08 5F 5E 5D 5B C3 90) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
mov [esi+08],ecx
pop edi
pop esi
jmp return
INJECT:
jmp newmem
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 89 4E 08 5F 5E
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: INJECT
stdrt.exe+11799: 5B - pop ebx
stdrt.exe+1179A: C3 - ret
stdrt.exe+1179B: 8B 40 08 - mov eax,[eax+08]
stdrt.exe+1179E: 5F - pop edi
stdrt.exe+1179F: 89 46 08 - mov [esi+08],eax
stdrt.exe+117A2: 5E - pop esi
stdrt.exe+117A3: 5D - pop ebp
stdrt.exe+117A4: 5B - pop ebx
stdrt.exe+117A5: C3 - ret
stdrt.exe+117A6: 8B 48 08 - mov ecx,[eax+08]
// ---------- INJECTING HERE ----------
INJECT: 89 4E 08 - mov [esi+08],ecx
// ---------- DONE INJECTING ----------
stdrt.exe+117AC: 5F - pop edi
stdrt.exe+117AD: 5E - pop esi
stdrt.exe+117AE: 5D - pop ebp
stdrt.exe+117AF: 5B - pop ebx
stdrt.exe+117B0: C3 - ret
stdrt.exe+117B1: 90 - nop
stdrt.exe+117B2: 90 - nop
stdrt.exe+117B3: 90 - nop
stdrt.exe+117B4: 90 - nop
stdrt.exe+117B5: 90 - nop
}
Thanks so much LeFiXER. The above script was what I tried. I started with Cheat Engine a few weeks ago, and I underestimated the intricacies of scripting and the disassembler. I have no assembly knowledge, and I found the hp and inf ammo codes super quick, so I thought I could do the same and create an inf jump script. I am studying the basics of C++ right now. And thanks for the link to the x86 documentation. It's been a frustrating journey, but all the same a fun one.
Re: Having trouble finalizing a cheat from two consistent pointers
^ ah ok my fault, didn't have this info before:
Code: Select all
// ---------- INJECTING HERE ----------
INJECT: 89 4E 08 - mov [esi+08],ecx
// ---------- DONE INJECTING ----------
stdrt.exe+117AC: 5F - pop edi
stdrt.exe+117AD: 5E - pop esi
you still need to change ECX tho before putting it in [esi+08], otherwise nothing is changed.
So what LeFiXeR said:
Code: Select all
newmem:
mov ecx, 1 // or whatever value
code: // what you have already
Re: Having trouble finalizing a cheat from two consistent pointers
henee21 wrote: ↑Sun Mar 31, 2024 12:57 am
...
It's no problem at all. Sometimes it's best to take a break when you become frustrated. Come back to it at a later time with a clear head. It is a long journey, but one very much worthwhile.