Script causing game to crash

[D1g1Byt3]

I was just making a simple script for the game Crea

Spoiler

[Link]

Steam specifically

For now all I was trying to do was store the base address in label to access later
and then add the health and stamina offsets to get the addresses. I really don't know how to explain it properly.

Anyways the problem I am having is this.
I tried adding what I think to be the base address to a label, when I enable the script it acts like its going to add the address, and when a value such as the health changes. The game just crashes. No warning or error or anything. I was wondering if there is something I am missing. I was able to debug just fine with no crash, but as soon as I enable the script and a value changes. It crashes.


Here is the script:

Spoiler

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat



aobscanmodule(hpread,crea.exe,89 81 84 00 00 00 C6) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

globalalloc(_playerbase,4)

newmem:

code:
mov [_playerbase],rcx
mov [rcx+00000084],eax
jmp return

hpread:
jmp newmem
nop
return:
registersymbol(hpread)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
hpread:
db 89 81 84 00 00 00

unregistersymbol(hpread)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "crea.exe"+75C27A

"crea.exe"+75C252: C7 40 18 00 00 00 00 - mov [rax+18],00000000
"crea.exe"+75C259: 48 8D 50 08 - lea rdx,[rax+08]
"crea.exe"+75C25D: 48 8D 40 10 - lea rax,[rax+10]
"crea.exe"+75C261: 0F 2F D8 - comiss xmm3,xmm0
"crea.exe"+75C264: 48 0F 46 D0 - cmovbe rdx,rax
"crea.exe"+75C268: 48 8D 44 24 70 - lea rax,[rsp+70]
"crea.exe"+75C26D: F3 0F 10 02 - movss xmm0,[rdx]
"crea.exe"+75C271: 0F 2F C2 - comiss xmm0,xmm2
"crea.exe"+75C274: 48 0F 47 C2 - cmova rax,rdx
"crea.exe"+75C278: 8B 00 - mov eax,[rax]
// ---------- INJECTING HERE ----------
"crea.exe"+75C27A: 89 81 84 00 00 00 - mov [rcx+00000084],eax
// ---------- DONE INJECTING ----------
"crea.exe"+75C280: C6 81 C0 00 00 00 01 - mov byte ptr [rcx+000000C0],01
"crea.exe"+75C287: 48 81 C1 98 00 00 00 - add rcx,00000098
"crea.exe"+75C28E: E8 9D AD FF FF - call crea.exe+757030
"crea.exe"+75C293: EB 3E - jmp crea.exe+75C2D3
"crea.exe"+75C295: 0F 57 C9 - xorps xmm1,xmm1
"crea.exe"+75C298: C7 44 24 78 00 00 00 00 - mov [rsp+78],00000000
"crea.exe"+75C2A0: 48 8D 81 8C 00 00 00 - lea rax,[rcx+0000008C]
"crea.exe"+75C2A7: 48 8D 4C 24 68 - lea rcx,[rsp+68]
"crea.exe"+75C2AC: 0F 2F 18 - comiss xmm3,[rax]
"crea.exe"+75C2AF: 48 0F 47 C8 - cmova rcx,rax
}

[Schnitzelmaker]

Was rcx not 8 byte length? So globalalloc(_playerbase,8)
Also as i hear it is recommend to set 3rd parameter on alloc.
Example: alloc(newmem,$1000, hpread)

Code: Select all

ALLOC(allocName, sizeInBytes, Optional: AllocateNearThisAddress)
Allocates a certain amount of memory and defines the specified name in the script.
If AllocateNearThisAddress is specified CE will try to allocate the memory near that address.
This is useful for 64-bit targets where the jump distance could be bigger than 2GB otherwise

I don't like globalalloc at all. I prefer more the variant: (But thats my personal feeling)

Code: Select all

...
label(pPlayerbase)
registersymbol(pPlayerbase)


newmem:
code:
  mov [pPlayerbase],rcx 
  mov [rcx+00000084],eax 
  jmp return 

pPlayerbase:
  dq 0
 ...

[D1g1Byt3]

Nope still nothing, game still keeps crashing. I managed to find the log and apparently the game also uses python. But heres what I found to be the "error" before the crash.

Spoiler

C:\Program Files (x86)\Steam\steamapps\common\Crea\modules\traceback.py", line 278, in format_stack
return format_list(extract_stack(f, limit))

I don't know if it will help any, but I'm at a loss

[Squall8]

Is your aob unique? Click the little 'writeable' box in the main UI until you get the square mark and do a scan for your array while the script is deactivated.

If it is unique you can always try finding a different injection point. Use 'what accesses' or find something else in the player structure.

[D1g1Byt3]

Yes the AOB is unique.Iv'e tried finding different injection points, and checking another part of the structure. But it acts like as soon as I "Add" anything to the game code it crashes.

[Squall8]

Could be some kind of protection. Try adding an unmodified script to your table and enable it. See if it still crashes.

I don't really know any ways around it if it is protected other than pointer scanning/manually finding the pointer or doing a sig scan/aob to data..
You can try any of those if all else fails.

[D1g1Byt3]

I tried doing a pointer scan earlier to no avail. The pointers kept dead ending after a few rescans. what do u mean by a sig scan/aob to data?

[Recifense]

Try change the line:

alloc(newmem,$1000)

to

alloc(newmem,$1000,crea.exe)


Cheers!

[D1g1Byt3]

Ok this is what I have now:

Spoiler

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat



aobscanmodule(hpread,crea.exe,89 81 84 00 00 00 C6) // should be unique
alloc(newmem,$1000,crea.exe)

label(code)
label(return)

globalalloc(_playerbase,8)

newmem:


code:
mov [_playerbase],rcx
mov [rcx+00000084],eax
jmp return

hpread:
jmp newmem
nop
return:
registersymbol(hpread)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
hpread:
db 89 81 84 00 00 00

unregistersymbol(hpread)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "crea.exe"+75C27A

"crea.exe"+75C252: C7 40 18 00 00 00 00 - mov [rax+18],00000000
"crea.exe"+75C259: 48 8D 50 08 - lea rdx,[rax+08]
"crea.exe"+75C25D: 48 8D 40 10 - lea rax,[rax+10]
"crea.exe"+75C261: 0F 2F D8 - comiss xmm3,xmm0
"crea.exe"+75C264: 48 0F 46 D0 - cmovbe rdx,rax
"crea.exe"+75C268: 48 8D 44 24 70 - lea rax,[rsp+70]
"crea.exe"+75C26D: F3 0F 10 02 - movss xmm0,[rdx]
"crea.exe"+75C271: 0F 2F C2 - comiss xmm0,xmm2
"crea.exe"+75C274: 48 0F 47 C2 - cmova rax,rdx
"crea.exe"+75C278: 8B 00 - mov eax,[rax]
// ---------- INJECTING HERE ----------
"crea.exe"+75C27A: 89 81 84 00 00 00 - mov [rcx+00000084],eax
// ---------- DONE INJECTING ----------
"crea.exe"+75C280: C6 81 C0 00 00 00 01 - mov byte ptr [rcx+000000C0],01
"crea.exe"+75C287: 48 81 C1 98 00 00 00 - add rcx,00000098
"crea.exe"+75C28E: E8 9D AD FF FF - call crea.exe+757030
"crea.exe"+75C293: EB 3E - jmp crea.exe+75C2D3
"crea.exe"+75C295: 0F 57 C9 - xorps xmm1,xmm1
"crea.exe"+75C298: C7 44 24 78 00 00 00 00 - mov [rsp+78],00000000
"crea.exe"+75C2A0: 48 8D 81 8C 00 00 00 - lea rax,[rcx+0000008C]
"crea.exe"+75C2A7: 48 8D 4C 24 68 - lea rcx,[rsp+68]
"crea.exe"+75C2AC: 0F 2F 18 - comiss xmm3,[rax]
"crea.exe"+75C2AF: 48 0F 47 C8 - cmova rcx,rax
}

But now the script isn't enabling at all since I put the "alloc(newmem,$1000,crea.exe)" part

Has anyone successfully made a table for crea on a more recent version yet? I can't see why this is being so difficult

It just seems like it don't want to allocate in the process for some reason.

[++METHOS]

With the instruction highlighted inside of memory viewer, click on Tools from the drop-down menu and select Auto Assemble.

In the Auto Assemble window, click on Template from the drop-down menu and select Cheat Table Framework Code.

Click on Template again and select Code Injection. Click okay.

Click on File from the drop-down menu and select Assign to Current Cheat Table.

Try to enable the script. If it is working, try to add your custom code and report back.

[Recifense]

Ok this is what I have now:

Spoiler

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat



aobscanmodule(hpread,crea.exe,89 81 84 00 00 00 C6) // should be unique
alloc(newmem,$1000,crea.exe)

label(code)
label(return)

globalalloc(_playerbase,8)

newmem:


code:
mov [_playerbase],rcx
mov [rcx+00000084],eax
jmp return

hpread:
jmp newmem
nop
return:
registersymbol(hpread)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
hpread:
db 89 81 84 00 00 00

unregistersymbol(hpread)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "crea.exe"+75C27A

"crea.exe"+75C252: C7 40 18 00 00 00 00 - mov [rax+18],00000000
"crea.exe"+75C259: 48 8D 50 08 - lea rdx,[rax+08]
"crea.exe"+75C25D: 48 8D 40 10 - lea rax,[rax+10]
"crea.exe"+75C261: 0F 2F D8 - comiss xmm3,xmm0
"crea.exe"+75C264: 48 0F 46 D0 - cmovbe rdx,rax
"crea.exe"+75C268: 48 8D 44 24 70 - lea rax,[rsp+70]
"crea.exe"+75C26D: F3 0F 10 02 - movss xmm0,[rdx]
"crea.exe"+75C271: 0F 2F C2 - comiss xmm0,xmm2
"crea.exe"+75C274: 48 0F 47 C2 - cmova rax,rdx
"crea.exe"+75C278: 8B 00 - mov eax,[rax]
// ---------- INJECTING HERE ----------
"crea.exe"+75C27A: 89 81 84 00 00 00 - mov [rcx+00000084],eax
// ---------- DONE INJECTING ----------
"crea.exe"+75C280: C6 81 C0 00 00 00 01 - mov byte ptr [rcx+000000C0],01
"crea.exe"+75C287: 48 81 C1 98 00 00 00 - add rcx,00000098
"crea.exe"+75C28E: E8 9D AD FF FF - call crea.exe+757030
"crea.exe"+75C293: EB 3E - jmp crea.exe+75C2D3
"crea.exe"+75C295: 0F 57 C9 - xorps xmm1,xmm1
"crea.exe"+75C298: C7 44 24 78 00 00 00 00 - mov [rsp+78],00000000
"crea.exe"+75C2A0: 48 8D 81 8C 00 00 00 - lea rax,[rcx+0000008C]
"crea.exe"+75C2A7: 48 8D 4C 24 68 - lea rcx,[rsp+68]
"crea.exe"+75C2AC: 0F 2F 18 - comiss xmm3,[rax]
"crea.exe"+75C2AF: 48 0F 47 C8 - cmova rcx,rax
}

But now the script isn't enabling at all since I put the "alloc(newmem,$1000,crea.exe)" part

Has anyone successfully made a table for crea on a more recent version yet? I can't see why this is being so difficult

It just seems like it don't want to allocate in the process for some reason.

Sorry. I did not see that you use globalalloc as well.

change:

globalalloc(_playerbase,8)

to:

alloc(_playerbase,8,crea.exe)

and add at the end:

dealloc(newmem)
dealloc(_playerbase)


[NOTE] The reason you have to make those changes is that you are working with 64bits game. In this case, you have to make sure that the your code and variables will be at the same 32bits segment of the main code. If you were dealing with a 32bits game, you first code would have worked.

For the reason above, in "mov [_playerbase],rcx", _playerbase is out of range (Script will not load).

Cheers!

[Eric]

also, globalalloc supports the 3th parameter (allocate near) as well

[D1g1Byt3]

Ok this is what I have now:

Spoiler

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat



aobscanmodule(hpread,crea.exe,89 81 84 00 00 00 C6) // should be unique
alloc(newmem,$1000,crea.exe)

label(code)
label(return)

globalalloc(_playerbase,8)

newmem:


code:
mov [_playerbase],rcx
mov [rcx+00000084],eax
jmp return

hpread:
jmp newmem
nop
return:
registersymbol(hpread)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
hpread:
db 89 81 84 00 00 00

unregistersymbol(hpread)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "crea.exe"+75C27A

"crea.exe"+75C252: C7 40 18 00 00 00 00 - mov [rax+18],00000000
"crea.exe"+75C259: 48 8D 50 08 - lea rdx,[rax+08]
"crea.exe"+75C25D: 48 8D 40 10 - lea rax,[rax+10]
"crea.exe"+75C261: 0F 2F D8 - comiss xmm3,xmm0
"crea.exe"+75C264: 48 0F 46 D0 - cmovbe rdx,rax
"crea.exe"+75C268: 48 8D 44 24 70 - lea rax,[rsp+70]
"crea.exe"+75C26D: F3 0F 10 02 - movss xmm0,[rdx]
"crea.exe"+75C271: 0F 2F C2 - comiss xmm0,xmm2
"crea.exe"+75C274: 48 0F 47 C2 - cmova rax,rdx
"crea.exe"+75C278: 8B 00 - mov eax,[rax]
// ---------- INJECTING HERE ----------
"crea.exe"+75C27A: 89 81 84 00 00 00 - mov [rcx+00000084],eax
// ---------- DONE INJECTING ----------
"crea.exe"+75C280: C6 81 C0 00 00 00 01 - mov byte ptr [rcx+000000C0],01
"crea.exe"+75C287: 48 81 C1 98 00 00 00 - add rcx,00000098
"crea.exe"+75C28E: E8 9D AD FF FF - call crea.exe+757030
"crea.exe"+75C293: EB 3E - jmp crea.exe+75C2D3
"crea.exe"+75C295: 0F 57 C9 - xorps xmm1,xmm1
"crea.exe"+75C298: C7 44 24 78 00 00 00 00 - mov [rsp+78],00000000
"crea.exe"+75C2A0: 48 8D 81 8C 00 00 00 - lea rax,[rcx+0000008C]
"crea.exe"+75C2A7: 48 8D 4C 24 68 - lea rcx,[rsp+68]
"crea.exe"+75C2AC: 0F 2F 18 - comiss xmm3,[rax]
"crea.exe"+75C2AF: 48 0F 47 C8 - cmova rcx,rax
}

But now the script isn't enabling at all since I put the "alloc(newmem,$1000,crea.exe)" part

Has anyone successfully made a table for crea on a more recent version yet? I can't see why this is being so difficult

It just seems like it don't want to allocate in the process for some reason.

Sorry. I did not see that you use globalalloc as well.

change:

globalalloc(_playerbase,8)

to:

alloc(_playerbase,8,crea.exe)

and add at the end:

dealloc(newmem)
dealloc(_playerbase)


[NOTE] The reason you have to make those changes is that you are working with 64bits game. In this case, you have to make sure that the your code and variables will be at the same 32bits segment of the main code. If you were dealing with a 32bits game, you first code would have worked.

For the reason above, in "mov [_playerbase],rcx", _playerbase is out of range (Script will not load).

Cheers!

Ok now the script activates, but nothing is being put into [_playerbase], no address or anything, and I also tried the base + offset, and there is nothing. I appreciate the help, and please bear with me. I think we've almost got it. I'm just stupid I guess.

Edit: Ok it sorta works when I change it back to globalalloc with the "globalalloc(_playerbase,8,crea.exe)" But not with just the alloc(_playerbase,8) unless I'm just missing something about how to use it properly

Edit 2: Ok something wierd. rcx+84 seems to somehow control both HP,and stamina. It kinda switches between them. based on which one changes. So Im guessing it doesn't just effect one or the other :/

Edit 3: Ok aparently I didn't do a good enough check, and yeah the code does modify both, as well as the enemy's HP it would seem, I don't know where to look to find a good clean spot that only accesses the HP or stamina of the player.

[Recifense]

If you want to access "_playerbase" outside AA, you have to register it at [enable] part and unregister it at [disable] part. But DONNOT use globalalloc.

Cheers!

[D1g1Byt3]

Hmm ok well I'm still not finding anything that just access one aspect, but however when My HP or Stamina changes. So does the address that [_playerbase]+84 is accessing. Is there a way I could just store that address and use it as a pointer or something? Also thanks Recifense, I changed it and the script is enabling it. Iv'e just been using the globalalloc method cus it seemed to be the only way to me. From following Rydian's tutorial at:

Spoiler

[Link]