Cheat Engine Tutorial探索之过关斩将(二)

本来是想写完这个放到首页的,后来发现这些“将”斩的也太容易了,所以就不放在首页丢人了。

这里相对于第一篇的调整,将截图换为flash,这样占用篇幅变小,同时可以展示的内容变多。

flash是使用wink制作的,使用下来发现的确是个不错的工具,大家如果对这个flash有什么意见,可以告诉我。

OK,下面开始:

5. 指针

Step 6:Pointers: (PW=098712)

In the previous step I explained how to use the Code finder to handle changinglocations. But that method alone makes it difficult to find the address to setthe values you want.

That's why there are pointers:

At the bottom you'll find 2 buttons. One will change the value, and the other changesthe value AND the location of the value.

For this step you don't really need to know assembler, but it helps a lot if you do.

First find the address of the value. When you've found it use the function to findout what accesses this address.

Change the value again, and a item will show in the list. Double click that item. (orselect and click on more info) and a new window will open with detailedinformation on what happened when the instruction ran. If the assembler instruction doesn't have anything between a '[' and ']' then use another itemin the list.

If it does it will say what it think will be the value of the pointer you need.

Go back to the main cheat engine window (you can keep this extra info window open ifyou want, but if you close it, remember what is between the [ and ] ) and do a4 byte scan in hexadecimal for the value the extra info told you.

When done scanning it may return 1 or a few hundred addresses. Most of the time theaddress you need will be the smallest one. Now click on manually add and selectthe pointer checkbox.

The window will change and allow you to type in the address of a pointer and aoffset.

Fill in as address the address you just found.

If the assembler instruction has a calculation (e.g: [esi+12]) at the end then typethe value in that's at the end. else leave it 0. If it was a more complicatedinstruction look at the calculation.

 

example of a more complicated instruction:

[EAX*2+EDX+00000310]eax=4C and edx=00801234.

In this case EDX would be the value the pointer has, and EAX*2+00000310 the offset, sothe offset you'd fill in would be 2*4C+00000310=3A8.  (this is all in hex, use cal.exe from windowsin scientific mode to calculate)

Back to the tutorial, click OK and the address will be added, If all went right theaddress will show P->xxxxxxx, with xxxxxxx being the address of the valueyou found. If thats not right, you've done something wrong.

Now,change the value using the pointer you added in 5000 and freeze it. Then clickChange pointer, and if all went right the next button will become visible.

 

extra:

And you could also use thepointer scanner to find the pointer to this address

过关动画:

 

6. 代码注入

Step 7:Code Injection: (PW=013370)

Codeinjection is a technique where one injects a piece of code into the targetprocess, and then reroute the execution of code to go through your own written code

In this tutorial you'll have a health value and a button that will decrease your healthwith 1 each time you click it.

Your task is to use code injection to increase the value of your health with 2 every timeit is clicked

Start with finding the address and then find what writes to it.

then when you've found the code that decreases it browse to that address in thedisassembler, and open the auto assembler window (ctrl+a)

There click on template and then code injection, and give it the address thatdecreases health (If it isn't already filled in correctly)

That will generate a basic auto assembler injection framework you can use for your code.

Notice the alloc, that will allocate a block of memory for your code cave, in thepast, in the pre windows 2000 systems, people had to find code caves in thememory(regions of memory unused by the game), but that's luckily a thing of thepast since windows 2000, and will these days cause errors when trying to beused, due to SP2 of XP and the NX bit of new CPU's

Also notice the line newmem: and originalcode: and the text "Place your codehere"

As you guessed it, write your code here that will increase the health with 2.

a useful assembler instruction in this case is the "ADD instruction"

here area few examples:

"ADD[00901234],9" to increase the address at 00901234 with 9

"ADD[ESP+4],9" to increase the address pointed to by ESP+4 with 9

In this case, you'll have to use the same thing between the brackets as the originalcode has that decreases your health

 

Notice:

It isrecommended to delete the line that decreases your health from the originalcode section, else you'll have to increase your health with 3 (you increasewith 3, the original code decreases with 1, so the end result is increase with2), which might become confusing. But it's all up to you and your programming.

 

Notice 2:

In somegames the original code can exist out of multiple instructions, and sometimes,not always, it might happen that a code at another place jumps into your jumpinstruction end will then cause unknown behavior. If that happens, you shouldusually look near that instruction and see the jumps and fix it, or perhapseven choose to use a different address to do the code injection from. As longas you're able to figure out the address to change from inside your injected code.

过关动画:

其中注入的代码为:

 

代码
 1 alloc(newmem,2048) //2kb should be enough
 2 label(returnhere)
 3 label(originalcode)
 4 label(exit)
 5 
 6  0045A063:
 7  jmp newmem
 8  nop
 9  returnhere:
10 
11  newmem: //this is allocated memory, you have read,write,execute access
12 //place your code here
13  add [ebx+00000310],3
14 
15  originalcode:
16  dec [ebx+00000310]
17 
18  exit:
19  jmp returnhere

 

7. 多重指针

Step 8: Multilevel pointers: (PW=525927)

This step will explain how to use multi-level pointers.

In step 6 you had a simple level-1 pointer, with the first address found already being the real base address.

This step however is a level-4 pointer. It has a pointer to a pointer to a pointer to a pointer to a pointer to the health.

You basicly do the same as in step 6. Find out what accesses the value, look at the instruction and what probably is the base pointer value, and what is the offset, and already fill that in or write it down. But in this case the address you'll find will also be a pointer. You just have to find out the pointer to that pointer exactly the same way as you did with the value. Find out what accesses that address you found, look at the assembler instruction, note the probable instruction and offset, and use that. and continue till you can't get any further (usually when the base address is a static address, shown up as green)

Click Change Value to let the tutorial access the health.

If you think you've found the pointer path click Change Register. The pointers and value will then change and you'll have 3 seconds to freeze the address to 5000

 

Extra: This problem can also be solved using a auto assembler script, or using the pointer scanner

Extra2: In some situations it is recommended to change ce's codefinder settings to Access violations when

encountering instructions like mov eax,[eax] since debugregisters show it AFTER it was changed, making it hard to find out the the value of the pointer

Extra3: If you're still reading. You might notice that when looking at the assembler instructions that the pointer is being read and filled out in the same codeblock (same routine, if you know assembler, look up till the start of the routine). This doesn't always happen, but can be really useful in finding a pointer when debugging is troublesome

过关动画:

 

8. 注入++

Step 9: Injection++: (PW=31337157)

In this step we'll do basically the same as in step 7(Code Injection) but now a little bit more difficult.

Now you have to edit the code that decreases health with a piece of code that sets the health to 1000 if the current second is equal to or bigger than 30, and 2000 if it's smaller

This can be done using a auto assembler scripts that does some api calls to some routines to get the current time, but it may be easier to use a C-SCRIPT injection here

Find the address of health and go to the script engine in Cheat Engine (ctrl+alt+a in memory view, or tools->script engine)

then opposed to the other tutorials I'll provide you with a big hint (in case you've never coded in C)

----------------

#include <time.h>

 

struct tm *timep;

time_t c;

c=time(0);

 

timep=localtime(&c);

 

if (timep->tm_sec>=30)

  *(int *)addresstochange=1000;

else

  *(int *)addresstochange=2000;

-------------

Here change addresstochange with the address of health. Don't forget to add 0x in front of it. So if the address was 0012345 then fill in 0x0012345

Select inject->Inject into current process and it'll open an auto assembler script with a call inside it.

Now, just like in step 7 go to the address that decreases health and do autoassembler->template->code injection.

And fill in as code the call instruction you got. Note that the call will change the value of EAX and some flags may change as well, so if you want to save them, push them before and pop them after.  And remove the original code, it's not used and only makes things harder.

Click Execute and then click "Hit me" in the trainer.

If all went right the clicking of the button caused your c-script to be executed and changed the value of health according to the current time.

Bonus:

As said before it can also be done with a normal assembler script. CE allows you to fill in functionnames for call instructions so that should make things easier 

And you could also just use a dll injection with an aa script. E.G: injectdll(mydll.dll) //dll written in any languge you like

codecave:

call functionofmydll

jmp exit

 

过关动画:

注入的C代码:

 

代码
 1 #include <time.h>
 2 
 3  struct tm *timep;
 4 time_t c;
 5 c=time(0);
 6 
 7  int addresstochange=0x00d62958;
 8 
 9 timep=localtime(&c);
10 
11  if (timep->tm_sec>=30)
12   *(int *)addresstochange=1000;
13  else
14   *(int *)addresstochange=2000;

 

 

注入的汇编代码:

 

代码
 1 alloc(newmem,2048) //2kb should be enough
 2 label(returnhere)
 3 label(originalcode)
 4 label(exit)
 5 
 6  00458EAA:
 7  jmp newmem
 8  nop
 9  returnhere:
10 
11  newmem: //this is allocated memory, you have read,write,execute access
12 //place your code here
13 
14 
15  originalcode:
16 //dec [ebx+00000318]
17  call 011D00FA
18 
19  exit:
20  jmp returnhere
21 //Call this code to execute the script from assembler
22 //call 011D00FA
23 
24 //eax==0 when successfully executed
25 //'call underc_geterror' to get a pointer to the last generated error buffer 

 

到此,通关完毕,有什么疑问可以留言给我,谢谢~

 

 

posted on 2009-12-07 21:36  cnyao  阅读(1946)  评论(0编辑  收藏  举报