Need help with script - Converting BLUE-PRINTS to TOKENS - Asphalt 8 v3.9.0h

MartaLabieniec
Expert Cheater
Posts: 288
Joined: Sat Oct 06, 2018 3:19 pm
Reputation: 123

Need help with script - Converting BLUE-PRINTS to TOKENS - Asphalt 8 v3.9.0h

Post by MartaLabieniec »

Hello Guys,

Today I need help with updating an old script for converting BLUE-PRINTS to TOKENS. My friend and I can't update it to the newest version of the game (Asphalt 8 v3.9.0h), and we think that the developers changed a lot of bytes in the memory regions or fixed this bug.

The script which allowed you to convert BLUE-PRINTS to TOKENS in Asphalt 8 version 3.5.0j was like below:

Code:

[enable]
"Asphalt8.exe"+122EE3:
db 89 10
"Asphalt8.exe"+3B40D2:
db 89 01
[disable]
"Asphalt8.exe"+122EE3:
db 39 10
"Asphalt8.exe"+3B40D2:
db 39 01

39 10 is cmp [eax],edx; when you change it to 89 10 it becomes mov [eax],edx.
39 01 is cmp [ecx],eax; when you change it to 89 01 it becomes mov [ecx],eax.

It changes the BLUE-PRINTS currency to the TOKENS currency for every BP car, which is very good because you can buy a car immediately using TOKENS.

We also saved MEMORY SNAPSHOTS (REGIONS) from the 3.5.0j version of the Asphalt 8 game for the first and second address, but in the newest version of the game - v3.9.0h - we can't find any similar bytes! Please look in the attachments for the files (the file named MEMORY SNAPSHOTS (REGIONS)).

My friend was trying to update this script but found something different - please watch this short video:

[Link]

He wrote:
"Check what I found, it is doing something with BLUEPRINTS - the address - "NOT CRASHING DZIWNE" is: Asphalt8.exe+F740E6 and the address - "CRASHING - DZIWNE - TO TO TO TO" is: Asphalt8.exe+F6D533.

Asphalt8.exe+F740E6 and Asphalt8.exe+F6D533 have functions cmp [ecx],eax (in bytes it will be: 39 01).

When you change these functions from cmp [ecx],eax to mov [ecx],eax (in bytes from 39 01 to 89 01) - it will do something with BLUE-PRINTS, but now I am lost and don't know what to do further."

I also attached the CT files he sent me.

Please help us, thank you.
Attachments:
39 10.ct (33.87 KiB)
39 01.ct (154.44 KiB)
Memory Snapshots (REGIONS).7z (31.46 KiB)

MartaLabieniec

Re: Need help with script - Converting BLUE-PRINTS to TOKENS - Asphalt 8 v3.9.0h

Post by MartaLabieniec »

Here is an example video of how the BP TO TOKENS cheat worked in an older version of Asphalt 8. Please watch:

[Link]

TheyCallMeTim13
Administration
Posts: 1480
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 741

Re: Need help with script - Converting BLUE-PRINTS to TOKENS - Asphalt 8 v3.9.0h

Post by TheyCallMeTim13 »

OK, so first you should look into using AOBs instead of addresses.
Then you should keep the surrounding code so you can more easily find the same opcode again later; try using the CE templates.
i.e. (note the big comment at the bottom of the script):
Example script

Code:

{
	Process			: mafia2.exe  -  (x32)
	Module			: mafia2.exe
	Game Title		: mafia 2
	Game Version	: 1.0.0.1
	CE Version		: 6.81
	Script Version	: 0.0.1
	Date			: 10/14/18
	Author			: TheyCallMeTim13
	Name			: MoneyDecHook

	Money Dec Hook

	edi , xmm0 = decrease amount
	eax = money
}

{$STRICT}

define(address, mafia2.exe+54227C)
define(bytes, 8B 5C 24 18 8B F2)

////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
// aobScanModule(aobMoneyDecHook, mafia2.exe, 8Bxxxxxx8Bxx3Bxx8Bxx7Cxx7Fxx3Bxxxxxx76xx2B)
i2aobScanModule(aobMoneyDecHook, mafia2.exe, 8Bxxxxxx8Bxx3Bxx8Bxx7Cxx7Fxx3Bxxxxxx76xx2B)
define(injMoneyDecHook, aobMoneyDecHook)
// assert(injMoneyDecHook, bytes)
i2assert(injMoneyDecHook, bytes)
registerSymbol(injMoneyDecHook)

alloc(memMoneyDecHook, 0x400, injMoneyDecHook)

label(fltMoneyDecHook)
registerSymbol(fltMoneyDecHook)

label(ptrMoneyDecHook)
registerSymbol(ptrMoneyDecHook)

label(n_code)
label(o_code)
label(exit)
label(return)

memMoneyDecHook:
	fltMoneyDecHook:
		dd (float)0.25
		dd (float)500
		dd (float)100
	align 10
	ptrMoneyDecHook:
		dd 0
	align 10 CC
	n_code:
		mov [ptrMoneyDecHook],ecx
		mulss xmm0,[fltMoneyDecHook]
		cvtss2si edi,xmm0
		cvtsi2ss xmm0,eax
		divss xmm0,[fltMoneyDecHook+8]
		comiss xmm0,[fltMoneyDecHook+4]
		jae @f
			movss xmm0,[fltMoneyDecHook+4]
			mulss xmm0,[fltMoneyDecHook+8]
			cvtss2si eax,xmm0
			xor edi,edi
		@@:
		cvtsi2ss xmm0,edi
		mov [esp+14],edi
	o_code:
		mov ebx,[esp+18]
		mov esi,edx
	exit:
		jmp return


////
//// ---------- Injection Point ----------
injMoneyDecHook:
	jmp n_code
	nop
	return:


////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
////
//// ---------- Injection Point ----------
injMoneyDecHook:
	db bytes

unregisterSymbol(injMoneyDecHook)

unregisterSymbol(fltMoneyDecHook)

unregisterSymbol(ptrMoneyDecHook)

dealloc(memMoneyDecHook)

{
//// Injection Point: mafia2.exe+54227C  -  0094227C
//// AOB address: 0094227C  -  mafia2.exe+54227C
//// Process: mafia2.exe  -  00400000
//// Module: mafia2.exe  -  00400000
//// Module Size: 0195D000
mafia2.exe+54224E:  CC                          -  int 3                              
mafia2.exe+54224F:  CC                          -  int 3                              
mafia2.exe+542250:  55                          -  push ebp                           
mafia2.exe+542251:  8B E9                       -  mov ebp,ecx                        
mafia2.exe+542253:  8B 45 18                    -  mov eax,[ebp+18]                   
mafia2.exe+542256:  2B 45 14                    -  sub eax,[ebp+14]                   
mafia2.exe+542259:  A9 FCFFFFFF                 -  test eax,FFFFFFFC                  
mafia2.exe+54225E:  75 08                       -  jne 00942268                       
mafia2.exe+542260:  33 C0                       -  xor eax,eax                        
mafia2.exe+542262:  33 D2                       -  xor edx,edx                        
mafia2.exe+542264:  5D                          -  pop ebp                            
mafia2.exe+542265:  C2 0800                     -  ret 0008                           
mafia2.exe+542268:  8B 45 14                    -  mov eax,[ebp+14]                   
mafia2.exe+54226B:  8B 08                       -  mov ecx,[eax]                      
mafia2.exe+54226D:  53                          -  push ebx                           
mafia2.exe+54226E:  56                          -  push esi                           
mafia2.exe+54226F:  57                          -  push edi                           
mafia2.exe+542270:  E8 0B290600                 -  call 009A4B80                      
mafia2.exe+542275:  8B C8                       -  mov ecx,eax                        
mafia2.exe+542277:  E8 341BFEFF                 -  call 00923DB0                      
////  INJECTING START  ----------------------------------------------------------
mafia2.exe+54227C:  8B 5C 24 18                 -  mov ebx,[esp+18]                   <<<--- AOB Starts Here
mafia2.exe+542280:  8B F2                       -  mov esi,edx                        
////  INJECTING END  ----------------------------------------------------------
mafia2.exe+542282:  3B F3                       -  cmp esi,ebx                        
mafia2.exe+542284:  8B F8                       -  mov edi,eax                        
mafia2.exe+542286:  7C 2F                       -  jl 009422B7                        
mafia2.exe+542288:  7F 06                       -  jg 00942290                        
mafia2.exe+54228A:  3B 7C 24 14                 -  cmp edi,[esp+14]                   
mafia2.exe+54228E:  76 27                       -  jna 009422B7                       
mafia2.exe+542290:  2B 7C 24 14                 -  sub edi,[esp+14]                   
mafia2.exe+542294:  8B 6D 14                    -  mov ebp,[ebp+14]                   
mafia2.exe+542297:  8B 4D 00                    -  mov ecx,[ebp+00]                   
mafia2.exe+54229A:  1B F3                       -  sbb esi,ebx                        
mafia2.exe+54229C:  56                          -  push esi                           
mafia2.exe+54229D:  57                          -  push edi                           
mafia2.exe+54229E:  E8 DD280600                 -  call 009A4B80                      
mafia2.exe+5422A3:  8B C8                       -  mov ecx,eax                        
mafia2.exe+5422A5:  E8 161BFEFF                 -  call 00923DC0                      
mafia2.exe+5422AA:  8B 44 24 14                 -  mov eax,[esp+14]                   
mafia2.exe+5422AE:  5F                          -  pop edi                            
mafia2.exe+5422AF:  5E                          -  pop esi                            
mafia2.exe+5422B0:  8B D3                       -  mov edx,ebx                        
//// Template: I2CEA_AOBFullInjectionWithValues
//// Generated with: I2 Cheat Engine Auto Assembler Script Template Generator
//// Code Happy, Code Freely, Be Awesome.
}
And I would start using ".txt" files to keep your notes in (I like [Link], and "NotePad++" is very popular). Using Microsoft Word documents requires people to have a program that can open those files; or at least use an open office format, not a proprietary file format (one that will run macros and is known for spreading viruses; in this one macros are not enabled, but still). There is also [Link], which is great for sharing that kind of stuff.

As for now you'll likely just have to find the opcode the same way it was found the first time.

MartaLabieniec

Re: Need help with script - Converting BLUE-PRINTS to TOKENS - Asphalt 8 v3.9.0h

Post by MartaLabieniec »

Thank you for your comment. I know how to use code templates, but the CE template was too small to find a correct AOB, so we copied AOBs with opcodes from a much, much bigger memory region and still we can't find any correct AOBs. If you don't believe it, just try it yourself by installing Asphalt 8 from the Microsoft Windows Store.

TheyCallMeTim13

Re: Need help with script - Converting BLUE-PRINTS to TOKENS - Asphalt 8 v3.9.0h

Post by TheyCallMeTim13 »

MartaLabieniec wrote (Thu Oct 18, 2018 5:19 am):
Thank you for your comment. I know how to use code templates, but the CE template was too small to find a correct AOB, so we copied AOBs with opcodes from a much, much bigger memory region and still we can't find any correct AOBs. If you don't believe it, just try it yourself by installing Asphalt 8 from the Microsoft Windows Store.

No Windows 10. And you didn't post any opcode (even the tables you posted have no scripts in them) or enough bytes (scanning for a 2 byte AOB is pointless), so no idea how I would "try it myself" even if I had Win 10 and the game. And like I said earlier, I'm not installing a program (or transferring to a different PC) just to view your notes.

And you can edit the script after you generate it with the template; the big thing is that it will add the commented-out code for you. If you looked at the example script then you would see that it's not the same as any of the CE templates; thus the script, and more so the AOB, was edited after generating it. So yeah, the templates' AOB often needs to be manually checked and modified.

But again; without enough information, you'll likely just have to find the opcode the same way it was found the first time.

MartaLabieniec

Re: Need help with script - Converting BLUE-PRINTS to TOKENS - Asphalt 8 v3.9.0h

Post by MartaLabieniec »

Full script from v3.5.0j of the Asphalt 8 game for CONVERTING BLUEPRINTS TO TOKENS:

Code:

[enable]
"Asphalt8.exe"+122EE3:
db 89 10
"Asphalt8.exe"+3B40D2:
db 89 01
[disable]
"Asphalt8.exe"+122EE3:
db 39 10
"Asphalt8.exe"+3B40D2:
db 39 01

Snapshot of memory region for address Asphalt8.exe+122EE3 - 39 10 - cmp [eax],edx:
[Link]

Snapshot of memory region for address Asphalt8.exe+3B40D2 - 39 01 - cmp [ecx],eax:
[Link]

Please look now at the snapshots of the memory regions where injection starts for these addresses. You can see the AOBs from the 3.5.0j version of Asphalt 8. But in the newest version you can't use any of these AOB bytes, because all memory regions are completely different. Just look at it and then check it in the newest version. I can't find it anymore.

MartaLabieniec

Re: Need help with script - Converting BLUE-PRINTS to TOKENS - Asphalt 8 v3.9.0h

Post by MartaLabieniec »

TheyCallMeTim13 - you wrote:

"And you didn't post any opcode (even the tables you posted have no scripts in them) or enough bytes (scanning for a 2 byte AOB is pointless), so no idea how I would "try it myself""

As you can see in the memory region snapshot from the 3.5.0j version of Asphalt 8, the injection point looks like this (for address Asphalt8.exe+122EE3):

Code:

Asphalt8.exe+122EDE - 74 0E                 - je Asphalt8.exe+122EEE
Asphalt8.exe+122EE0 - 8B 55 08              - mov edx,[ebp+08]

////  INJECTING START  ----------------------------------------------------------

Asphalt8.exe+122EE3 - 39 10                 - cmp [eax],edx                        <<<--- AOB Starts Here
 
////  INJECTING END  ----------------------------------------------------------
 
Asphalt8.exe+122EE5 - 74 0F                 - je Asphalt8.exe+122EF6
Asphalt8.exe+122EE7 - 83 C0 28              - add eax,28 { 40 }
Asphalt8.exe+122EEA - 3B C1                 - cmp eax,ecx
Asphalt8.exe+122EEC - 75 F5                 - jne Asphalt8.exe+122EE3

As you can see, the injection point is at Asphalt8.exe+122EE3 and it has only 2 bytes: 39 10.

So for searching for the new address and updating the old script, I was using an AOB like this:

Code:

74 ?? 8? ?? ?? 39 10 74 ?? ?? ?? ?? ?? ?? 75 ??

As you can see, the AOB starts at Asphalt8.exe+122EDE and ends at Asphalt8.exe+122EEC. I just changed to ?? the bytes which I think will always change with a new version of the game.

What do you think about that?

MartaLabieniec

Re: Need help with script - Converting BLUE-PRINTS to TOKENS - Asphalt 8 v3.9.0h

Post by MartaLabieniec »

I don't have any idea how to hack BLUE-PRINTS TO TOKENS again - maybe you can help with that?

The idea is this: all BLUE-PRINTS cars were earlier priced in TOKENS, so you could use the TOKENS currency to buy them. But the GAMELOFT company is so greedy that they changed a lot of TOKEN cars to BLUE-PRINTS cars!

BLUE-PRINTS cards cost a lot of REAL money, and we don't want to pay so much to get the 0.0001% Blue-Prints cards that we need to unlock ONE CAR ONLY!

I know it is possible to convert Blue-Print cars to Token cars once again, but I don't have any idea how to find it; I don't know how to find the correct function that changes the BP to Tokens, but I am 100% sure it is possible, because if the cars were earlier priced in TOKENS, we can change it once again, right?

TheyCallMeTim13

Re: Need help with script - Converting BLUE-PRINTS to TOKENS - Asphalt 8 v3.9.0h

Post by TheyCallMeTim13 »

Again, no Windows 10 or 8, and that is the minimum version the game works on, so I can't scan and help you look; I really can't make that any more clear.
Try shifting the scan around; you don't have to scan for an AOB at the injection point, you can scan for stuff that looks less likely to change. But keep in mind the dev could have rewritten the entire function, thus you'll only find it by finding the address it accesses.
Try an AOB like this one: 83xxxxC7xxxx00000000C7xxxx00000000C7xxxx000000008D. And what I do is start with a smaller AOB (i.e. C7xxxx00000000), and add to it till I work the results down to just a few. If that area yields no results, move to a different area and start again; it's just a matter of having a little luck and a lot of persistence.
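As an added illustration (not code from this thread or from Cheat Engine), a small Python AOB matcher that covers both MartaLabieniec's wildcard pattern above and TheyCallMeTim13's advice to grow a short AOB until the hit count drops: it compiles Cheat Engine-style patterns with `??`/`xx` and nibble wildcards like `8?` into a regex, lists every hit in a region, and refuses to hand out an injection offset unless the pattern is unique (the aobScanModule + assert discipline from the example script). The sample region is constructed from the 3.5.0j snapshot quoted earlier plus padding; WILD, scan, unique_offset, REGION and LOOP_AOB are names chosen here.

```python
import re

WILD = "?x"   # Cheat Engine writes unknown nibbles as '?' or 'x', e.g. "??", "xx", "8?"

def aob_to_regex(pattern: str) -> "re.Pattern":
    """Compile a Cheat Engine-style AOB such as "74 ?? 8? ?? ?? 39 10" into a bytes regex.

    Each token is two hex nibbles; a wildcard nibble matches any value, so "8?" matches
    0x80..0x8F. Spaces are optional ("74xx8x" is accepted too). The body is wrapped in a
    lookahead so that overlapping hits are all reported by finditer().
    """
    nibbles = pattern.replace(" ", "").lower()
    if len(nibbles) % 2:
        raise ValueError("an AOB needs an even number of nibbles")
    parts = []
    for hi, lo in zip(nibbles[::2], nibbles[1::2]):
        if hi in WILD and lo in WILD:
            parts.append(b".")                          # whole byte unknown
        elif hi in WILD or lo in WILD:
            # half-byte wildcard: build a character class of the 16 bytes that fit
            fit = [int(hi + d, 16) if lo in WILD else int(d + lo, 16) for d in "0123456789abcdef"]
            parts.append(b"[" + b"".join(re.escape(bytes([v])) for v in fit) + b"]")
        else:
            parts.append(re.escape(bytes([int(hi + lo, 16)])))
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)

def scan(region: bytes, pattern: str) -> list:
    """Offsets of every place in `region` where the AOB matches."""
    return [m.start() for m in aob_to_regex(pattern).finditer(region)]

def unique_offset(region: bytes, pattern: str) -> int:
    """Only hand out an offset when the AOB is unambiguous; a 2-byte AOB never is."""
    hits = scan(region, pattern)
    if len(hits) != 1:
        raise LookupError(f"AOB {pattern!r} matched {len(hits)} times, need exactly 1")
    return hits[0]

# Constructed sample region: the 16-byte loop from the 3.5.0j snapshot quoted above, with
# padding and a second, unrelated 'cmp [eax],edx' so that a bare '39 10' scan is ambiguous.
REGION = (
    b"\x90" * 8
    + bytes.fromhex("74 0E 8B 55 08 39 10 74 0F 83 C0 28 3B C1 75 F5")
    + b"\xcc" * 4
    + bytes.fromhex("39 10 C3")
)
LOOP_AOB = "74 ?? 8? ?? ?? 39 10 74 ?? ?? ?? ?? ?? ?? 75 ??"

if __name__ == "__main__":
    # Growing the pattern step by step shows the hit count falling, as described above.
    for aob in ("39 10", "39 10 74", "8? ?? ?? 39 10 74", LOOP_AOB):
        print(f"{aob:48} hits at {scan(REGION, aob)}")
    print("cmp [eax],edx inside the loop is at offset", unique_offset(REGION, LOOP_AOB) + 5)
```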

MartaLabieniec

Re: Need help with script - Converting BLUE-PRINTS to TOKENS - Asphalt 8 v3.9.0h

Post by MartaLabieniec »

Thanks for your help TheyCallMeTim13. I already found the correct address for this function; I just followed the callers of the old functions, and that is the method by which I found the correct address with the correct function.
