Resetting a value after disabling script

[Fruitpunch]

Hello,

I have a script which works per se but I am changing a value in an address where nothing writes. I need to reset the value when the script is disabled. Is there a simple way to do this?

I'd prefer the solution is in Assembly and does not involve aobscan unless there is no other way.

[ShyTwig16]

Code: Select all

...
valueAddress:
    dd (int)100
...

Maybe [Link] would do it, hard to say with no code posted.

Code: Select all

[Enable]
...
storedValueAddress:
    readMem(valueAddress, 4)
...
[Disable]
...
valueAddress:
    readMem(storedValueAddress, 4)
...

[FreeER]

That depends on how the script works. If you have a static address or pointer then you can use the method ShyTwig16 showed, if you have to hook code to get the address then you could have that hook write the address to memory that you could access later when you disable it. If you've created a thread/timer to constantly write to it (unlikely since you said nothing else writes to it) then you'd probably need to modify that to reset the value when it stops.

[Fruitpunch]

Thanks for the input.

Yeah, I already stumbled upon readmem but since the examples have been just so, I have not been able to understand how to write one correctly.

Is this anywhere near what is should be?

Code: Select all

[ENABLE]
alloc(newmem,2048)
alloc(storedvalue, 4)
alloc(originalvalue, 4)
label(returnhere)
label(originalcode)
label(exit)

newmem:
mov [r14],(float)1

originalcode:
comiss xmm6,[r14]

exit:
jmp returnhere

originalvalue:
dd (float)1.4

storedvalue:
readMem(originalvalue, 4)

[DISABLE]
dealloc(newmem)
dealloc(storedvalue)
dealloc(originalvalue)
readMem(storedvalue, 4)

[ShyTwig16]

You have the "newmem" with code but not injection point, if you are only reading and writing to an address that is static or pulled from some other script then it could work. But with that code and the "newmem", it looks like you're trying to inject.

with out knowing the injection point, this is the best I can figure:

Code: Select all

[ENABLE]
alloc(newmem,2048)

alloc(storedvalue, 4)
registerSymbol(storedvalue) // must be unique

label(returnhere)
label(originalcode)
label(exit)


newmem:
	mov [r14],(float)1
	originalcode:
		comiss xmm6,[r14]
	exit:
		jmp returnhere


storedvalue:
	readMem({ Address or AOB Symbol of the original value}, 4)


some_injection_point:
	jmp newmem
	//any needed nops
	returnhere:


[DISABLE]
some_injection_point:
	db { original bytes }

{ Address or AOB Symbol of the original value}:
	readMem(storedvalue, 4)

dealloc(newmem)
dealloc(storedvalue)

unregisterSymbol(storedvalue)

[Link]

But the "some_injection_point" needs to be an address or you will need to set up an AOB and register the symbol.

Code: Select all

aobScanModule(some_injection_point, GAME.exe, F3xxxxxxxxxxxxxxF3xxxxxxxxD9xxxxF3xxxxxxxx0F2F)
registerSymbol(some_injection_point) // must be unique

Code: Select all

[ENABLE]
aobScanModule(some_injection_point, GAME.exe, { injection point AOB })
registerSymbol(some_injection_point) // must be unique
alloc(newmem,2048)

alloc(storedvalue, 4)
registerSymbol(storedvalue) // must be unique

label(returnhere)
label(originalcode)
label(exit)


newmem:
	mov [r14],(float)1
	originalcode:
		comiss xmm6,[r14]
	exit:
		jmp returnhere


storedvalue:
	readMem({ Address or AOB Symbol of the original value}, 4)


some_injection_point:
	jmp newmem
	//any needed nops
	returnhere:


[DISABLE]
some_injection_point:
	db { original bytes }

{ Address or AOB Symbol of the original value}:
	readMem(storedvalue, 4)

dealloc(newmem)
dealloc(storedvalue)

unregisterSymbol(storedvalue)
unregisterSymbol(some_injection_point)

If you are trying to inject then go to the memory view form select some code with the injection point in the middle press Ctrl+C, click Ok on the prompt then post that in a Code Block (</>) and mark the injection point in an understandable way, then people can help a little better.

But this is a trial and error process so just keep trying.

There are some new tutorials on the Cheat Engine Wiki also.
[Link]
[Link]

[Fruitpunch]

Sorry, I left out too much.

The injection is done at the same point where I am doing the modification.
I'm having trouble getting the right address in the readMem, and no the address is not static.

Can't use another script because there doesn't seem to be other instructions accessing this address.

Code: Select all

[ENABLE]
alloc(newmem,2048,"something.exe"+5000000)
alloc(storedvalue, 4)
registersymbol(storedvalue)
label(returnhere)
label(originalcode)
label(exit)

newmem:
mov [r14],(float)1

originalcode:
comiss xmm6,[r14]

exit:
jmp returnhere

storedvalue:
readMem(xxxx,4) //if I have understood correctly xxxx should be replaced with the address that is stored in r14


"something.exe"+5000000:
jmp newmem
nop
nop
nop
returnhere:

[DISABLE]
dealloc(newmem)
dealloc(storedvalue)
readMem(storedvalue,4)
"something.exe"+5000000:
comiss xmm6,[r14]
//Alt: db 41 23 7B B6 6E 03 00 00

unregistersymbol(storedvalue)

[ShyTwig16]

In that case, I would try to find where the R14 registry is written, I'd bet there is a base with an offset, and R14 is calculated with those.

EDIT: Then just inject there and store the base for later use, and you may need to store the offset as well.

[Fruitpunch]

Let me get this straight, so I get the address of R14 when I enable the script but there is no way to write to this address in the disable part?

I mean, I don't really need to go to the trouble of finding the address beforehand just to get the original value because it's static as mentioned earlier.

[jungletek]

Let me get this straight, so I get the address of R14 when I enable the script but there is no way to write to this address in the disable part?

I mean, I don't really need to go to the trouble of finding the address beforehand just to get the original value because it's static as mentioned earlier.

You don't have it straight, to write to an arbitrary address, use the syntax:

Code: Select all

address:
  db 90 90 90

or:

Code: Select all

address:
  mov r14,#999

where 'address' is the address you're trying to write to, can be a hex address, a label name, etc. The first is writing direct byte values (NOPs in this case), the second is using instructions that get converted to the same thing (moving 999 to r14).

[ShyTwig16]

Not sure if I am understanding correctly but this may be what you are looking for.

Code: Select all

[ENABLE]
alloc(newmem,2048,"something.exe"+5000000)

globalAlloc(storedvalue, 8) // must be unique symbol

label(returnhere)
label(originalcode)
label(exit)

newmem:
	mov [storedvalue],r14 // strove the value of r14 for later
	cmp  [storedvalue+4],0
	jne @f
	        push eax
	        mov eax,[r14]
        	mov [storedvalue+4],eax // store the original value only the first time.
	        pop eax
        @@:
	mov [r14],(float)1 // write the new value to the address

	originalcode:
		comiss xmm6,[r14]

	exit:
	jmp returnhere


"something.exe"+5000000:
	jmp newmem
	nop
	nop
	nop
	returnhere:

[DISABLE]
"something.exe"+5000000:
	comiss xmm6,[r14]
	//Alt: db 41 23 7B B6 6E 03 00 00

dealloc(newmem) // deallocate after restoring the original bytes so a thread doesn't get lost in unallocated memory

luaCall(writeFloat('[storedvalue]', '[storedvalue+4]')) // restore the original value

EDIT: This will only work if the original value is not zero.

[Blayde]

Not sure if I am understanding correctly but this may be what you are looking for.

Code: Select all

[ENABLE]
alloc(newmem,2048,"something.exe"+5000000)

globalAlloc(storedvalue, 8) // must be unique symbol

label(returnhere)
label(originalcode)
label(exit)

newmem:
	mov [storedvalue],r14 // strove the value of r14 for later
	cmp  [storedvalue+4],0
	jne @f
	        push eax
	        mov eax,[r14]
        	mov [storedvalue+4],eax // store the original value only the first time.
	        pop eax
        @@:
	mov [r14],(float)1 // write the new value to the address

	originalcode:
		comiss xmm6,[r14]

	exit:
	jmp returnhere


"something.exe"+5000000:
	jmp newmem
	nop
	nop
	nop
	returnhere:

[DISABLE]
"something.exe"+5000000:
	comiss xmm6,[r14]
	//Alt: db 41 23 7B B6 6E 03 00 00

dealloc(newmem) // deallocate after restoring the original bytes so a thread doesn't get lost in unallocated memory

luaCall(writeFloat('[storedvalue]', '[storedvalue+4]')) // restore the original value

EDIT: This will only work if the original value is not zero.

! comiss xmm6,[r14] !
Don't forget to push flags. Or use another (empty) reg. instead of r14

[TimFun13]

Not sure if I am understanding correctly but this may be what you are looking for.

Code: Select all

[ENABLE]
alloc(newmem,2048,"something.exe"+5000000)

globalAlloc(storedvalue, 8) // must be unique symbol

label(returnhere)
label(originalcode)
label(exit)

newmem:
	mov [storedvalue],r14 // strove the value of r14 for later
	cmp  [storedvalue+4],0
	jne @f
	        push eax
	        mov eax,[r14]
        	mov [storedvalue+4],eax // store the original value only the first time.
	        pop eax
        @@:
	mov [r14],(float)1 // write the new value to the address

	originalcode:
		comiss xmm6,[r14]

	exit:
	jmp returnhere


"something.exe"+5000000:
	jmp newmem
	nop
	nop
	nop
	returnhere:

[DISABLE]
"something.exe"+5000000:
	comiss xmm6,[r14]
	//Alt: db 41 23 7B B6 6E 03 00 00

dealloc(newmem) // deallocate after restoring the original bytes so a thread doesn't get lost in unallocated memory

luaCall(writeFloat('[storedvalue]', '[storedvalue+4]')) // restore the original value

EDIT: This will only work if the original value is not zero.

! comiss xmm6,[r14] !
Don't forget to push flags. Or use another (empty) reg. instead of r14

Could you elaborate please. Not sure why you're saying this (on insults intended, just curious).

[Blayde]

Could you elaborate please.

No problem if the autor send me a snapshot of the original assembly code.
And why he/she want to change "cmp opcode".

Not sure why you're saying this (on insults intended, just curious).

For "security" reasons is better to save the flag(s).

[TimFun13]

Could you elaborate please.

No problem if the autor send me a snapshot of the original assembly code.
And why he/she want to change "cmp opcode".

Not sure why you're saying this (on insults intended, just curious).

For "security" reasons is better to save the flag(s).

Which compare is the concern?

Code: Select all

cmp  [storedvalue+4],0

or

Code: Select all

comiss xmm6,[r14]

My thinking was that the original compare would reset the flags. Am I understanding this wrong?

EDIT:
So cmp sets the CF, OF, SF, ZF, AF, and PF flags in the EFLAGS register according to the result.
And comiss sets the ZF, PF, and CF flags in the EFLAGS register according to the result.

So is it the OF, SF, and AF flags that are the concern?

[Blayde]

....... there doesn't seem to be other instructions accessing this address.

Because it's only compare reg,mem.

.................

Keep it simple and stupid:

push r14
mov [r14],YourValue
comiss xmm6,[r14]
pop r14

Done.