Difference between revisions of "Cheat Engine:Auto Assembler"

From Cheat Engine
Jump to navigation Jump to search
(Injecting a DLL)
m (General Information)
 
(18 intermediate revisions by 8 users not shown)
Line 1: Line 1:
{{cleanup}}
+
[[Category:Assembler]]
=== Writing a Script ===
+
== Writing a Script ==
 
You need to have the Memory Viewer window open and go to "Tools->Auto Assemble" or hit CTRL+A to open the Auto assemble window.  When you click "Execute" the code is '''not''' actually executed, but ''assembled'' into machine code.  The code is actually executed when you overwrite existing game code and the game executes it in the normal course of playing or when you call CREATETHREAD.
 
You need to have the Memory Viewer window open and go to "Tools->Auto Assemble" or hit CTRL+A to open the Auto assemble window.  When you click "Execute" the code is '''not''' actually executed, but ''assembled'' into machine code.  The code is actually executed when you overwrite existing game code and the game executes it in the normal course of playing or when you call CREATETHREAD.
  
Line 7: Line 7:
 
[[Auto Assembler Example 1|Simple Example]] - Example showing ALLOC, LABEL, REGISTERSYMBOL and CREATETHREAD.
 
[[Auto Assembler Example 1|Simple Example]] - Example showing ALLOC, LABEL, REGISTERSYMBOL and CREATETHREAD.
  
=== Assigning a Script to a CheatTable ===
+
 
 +
== Assigning a Script to a CheatTable ==
 
Scripts assigned to cheat tables usually have two sections, "[ENABLE]" and "[DISABLE]".  Code before "[ENABLE]" will be '''''assembled''''' every time the script is enabled OR disabled.  The code in the "[ENABLE]" section will be '''''assembled''''' (not executed) when the entry is checked and the code in the "[DISABLE]" section will be '''''assembled''''' when the entry is unchecked.
 
Scripts assigned to cheat tables usually have two sections, "[ENABLE]" and "[DISABLE]".  Code before "[ENABLE]" will be '''''assembled''''' every time the script is enabled OR disabled.  The code in the "[ENABLE]" section will be '''''assembled''''' (not executed) when the entry is checked and the code in the "[DISABLE]" section will be '''''assembled''''' when the entry is unchecked.
  
 
You will generally alloc memory in [ENABLE] and overwrite existing instructions inside the process you have opened to jump to your code where you can modify values  and jump back.  You will then dealloc the memory and put the original instructions back when disabling.
 
You will generally alloc memory in [ENABLE] and overwrite existing instructions inside the process you have opened to jump to your code where you can modify values  and jump back.  You will then dealloc the memory and put the original instructions back when disabling.
  
To assign it to your cheat table, click on "File->Assign to current cheat table" and close the window because to edit the table script you have to double-click on the "<script>" value in your table.
+
To assign it to your cheat table, click on "File->Assign to current cheat table" and close the window because to edit the table script you have to double-click on the "&lt;script&gt;" value in your table.
  
 
[[Auto Assembler Example 2|Serious Sam 3 BFE Example]] - Example showing ENABLE and DISABLE
 
[[Auto Assembler Example 2|Serious Sam 3 BFE Example]] - Example showing ENABLE and DISABLE
  
 
plese vait is wild ones hack on playdom de hack pet and wepon 10 99 1000000 trean plz on coputer
 
  
=== General Information ===
+
== Injecting a DLL ==
 +
loadlibrary(name) can be used to load a dll and register it's symbols for
 +
use by your assembly code.  Note that you should not put quotes around the DLL name.  Here's an example:
 +
 
 +
[[Auto Assembler Example 3|LoadLibrary Example]]
 +
 
 +
== General Information ==
 
Auto assemble allows you to write assembler code at different locations using a script. It can be found in the memory view part of cheat engine under extra.
 
Auto assemble allows you to write assembler code at different locations using a script. It can be found in the memory view part of cheat engine under extra.
  
There are 3 special commands you can give it, ALLOC , LABEL and FULLACCESS. With LABEL you can give a address a name by declaring it before you use it. ALLOC is basicly the same as LABEL but allocates some memory for you.<br>
+
See [[Auto_Assembler:Commands|Auto Assembler Commands]] for a full list of all Auto Assembler commands.
Usage: <br>
+
 
LABEL(labelname) //Enables the word labelname to be used as a address<br>
+
{| class="gallery" style="background-color:#f4f4f4"
ALLOC(allocname,sizeinbytes) //same as label, but allocates the memory it points to itself<br>
+
|+ Auto Assembler Commands
DEALLOC(allocname) //Deallocates a block of memory allocated with alloc. It always gets executed last, no matter where it is positioned in the code, and only actually frees the memory when all allocations have been freed. only usable in a script designed as cheattable. (e.g used for the disable cheat)<br>
+
! Command !! Description
FULLACCESS(address,size) //makes a memory region at the specified address and at least "size" bytes readable, writable and executable<br>
+
|-
<br>
+
| [[Auto Assembler:aobScan|AOBSCAN]](name, xx xx xx xx xx) || Scans the memory for the given array of byte and sets the result to the symbol named "name"
REGISTERSYMBOL(symboname) //adds the symbol to the userdefined symbol list so cheattables and the memory browser can use that name instead of a address (The symbol has to be declared in the script when using it)<br>
+
|-
UNREGISTERSYMBOL(symbolname) //removes the symbol from the userdefined symbol list. It won't give a error if it isn't found<br>
+
| [[Auto Assembler:aobScanModule|AOBSCANMODULE]](name, moduleName, xx xx xx xx xx) || Scans the memory of a specific module for the given array of byte and sets the result to the symbol names "name"
 +
|-
 +
| [[Auto Assembler:aobScanRegion|AOBSCANREGION]](name, Sadd$, Fadd$, xx xx xx) || Will scan the specific range from start address to finish addressfor the given AOB and labels it with the given name
 +
|-
 +
| [[Auto Assembler:alloc|ALLOC]](allocName, sizeInBytes, Optional: AllocateNearThisAddress) || Allocates a certain amount of memory and defines the specified name in the script. If AllocateNearThisAddress is specified CE will try to allocate the memory near that address. This is useful for 64-bit targets where the jump distance could be bigger than 2GB otherwise
 +
|-
 +
| [[Auto Assembler:dealloc|DEALLOC]](allocName) || Deallocates a block of memory allocated with Alloc. It always gets executed last, no matter where it is positioned in the code, and only actually frees the memory when all allocations have been freed. Only usable in a script designed as a cheat table. (e.g used for the disable cheat)
 +
|-
 +
| [[Auto Assembler:createThread|CREATETHREAD]](address) || Will spawn a thread in the process at the specified address
 +
|-
 +
| [[Auto Assembler:define|DEFINE]](name,whatever) || Creates a token with the specified name that will be replaced with the text of whatever
 +
|-
 +
| [[Auto Assembler:fullAccess|FULLACCESS]](address,size,preferedsize) || Makes a memory region at the specified address and at least "size" bytes readable, writable and executable
 +
|-
 +
| [[Auto Assembler:globalAlloc|GLOBALALLOC]](name,size) || Allocates a certain amount of memory and registers the specified name. Using GlobalAlloc in other scripts will then not allocate the memory again, but reuse the already existing memory. (Or allocate it anyhow if found it wasn't allocated yet)
 +
|-
 +
| [[Auto Assembler:include|INCLUDE]](filename) || Includes another auto assembler file at that spot
 +
|-
 +
| [[Auto Assembler:label|LABEL]](labelName) || Enables the word labelName to be used as an address
 +
|-
 +
| [[Auto Assembler:loadBinary|LOADBINARY]](address,filename) || Loads a binary file at the specified address
 +
|-
 +
| [[Auto Assembler:loadLibrary|LOADLIBRARY]](filename) || Injects the specified DLL into the target process
 +
|-
 +
| [[Auto Assembler:readMem|READMEM]](address,size) || Writes the memory at the specified address with the specified size to the current location
 +
|-
 +
| [[Auto Assembler:registerSymbol|REGISTERSYMBOL]](symbolName) || Adds a symbol to the user-defined symbol list so cheat tables and the memory browser can use that name instead of a address (The symbol has to be declared in the script when using it)
 +
|-
 +
| [[Auto Assembler:unregisterSymbol|UNREGISTERSYMBOL]](symbolName) || Removes a symbol from the user-defined symbol list. No error will occur if the symbol doesn't exist.
 +
|}
 +
 
 +
== Value Notation ==
 +
Normally everything is written as hexadecimal in auto assembler, but there are ways to override this so you can input decimal values, and even floating point values.
 +
for example, a integer value of 100 can be written in hex as 64, but you can also write it as #100, or as (int)100
 +
for floating point value like 100.1 you can use (float)100.1
 +
and for a double, you could use (double)100.1
 +
NOTE:Use 'dq (double)100.1' instead of 'dd'!
 +
 
 +
=== {$lua} ===
 +
Auto assembler scripts support section written in Lua.You can start such a section using the [[Auto Assembler:LUA ASM|{$lua}]] keyword, and end it with [[Auto Assembler:LUA ASM|{$asm}]].
 +
 
 +
The return value of such a function (if it returns a value at all) will be interpreted as normal auto assembler commands.
 +
 
 +
When syntax checking, the lua sections get executed. To make sure your lua script behaves properly in those situations, check the "syntaxcheck" boolean.  If it's true, then do not make permanent changes.
 +
e.g:
 +
<pre>
 +
if syntaxcheck then return end
 +
</pre>
 +
Of course, if your script is meant to generate code, do make it return code so that it passes the initial syntax check. (e.g label definitions etc...)
 +
 
 +
== Examples ==
 +
 
 +
=== Basic Example ===
 +
<pre>
 +
00451029:
 +
jmp 00410000
 +
nop
 +
nop
 +
nop
 +
 
 +
00410000:
 +
mov [00580120],esi
 +
mov [esi+80],ebx
 +
xor eax,eax
 +
jmp 00451031
 +
</pre>
 +
 
 +
 
 +
=== Example using LABEL ===
 +
<pre>
 +
label(mylabel)
 +
 
 +
00451029:
 +
jmp 00410000
 +
nop
 +
nop
 +
nop
 +
mylabel:
 +
 
 +
00410000:
 +
mov [00580120],esi
 +
mov [esi+80],ebx
 +
xor eax,eax
 +
jmp mylabel
 +
</pre>
 +
 
 +
 
 +
=== Example using ALLOC ===
 +
<pre>
 +
alloc(alloc1,4)
 +
 
 +
00451029:
 +
jmp 00410000
 +
nop
 +
nop
 +
nop
 +
 
 +
00410000:
 +
mov [alloc1],esi
 +
mov [esi+80],ebx
 +
xor eax,eax
 +
jmp 00451031
 +
</pre>
 +
 
 +
=== Example using ALLOC and LABEL ===
 +
<pre>
 +
alloc(alloc1,4)
 +
label(mylabel)
 +
 
 +
00451029:
 +
jmp 00410000
 +
nop
 +
nop
 +
nop
 +
mylabel:
  
 +
00410000:
 +
mov [alloc1],esi
 +
mov [esi+80],ebx
 +
xor eax,eax
 +
jmp mylabel
 +
</pre>
  
DEFINE(name,whatever) :Will replace all tokens with the specified name with the text of whatever<br>
 
INCLUDE(filename) :includes another auto assembler file at that spot<br>
 
LOADBINARY(address,filename) :Will load a binary file at the specified address<br>
 
CREATETHREAD(address) :Will spawn a thread in the process at the specified address<br>
 
LOADLIBRARY(filename) :Will inject the specified dll into the target process<br>
 
READMEM(address,size) :Will write the addresses at address at the location this instruction is placed<br>
 
  
 +
=== Example using FULLACCESS ===
 +
<pre>
 +
FULLACCESS(00400800,4) //00400800 is usually read only non executable data, this makes it writeable and executable
 +
00451029:
 +
jmp 00410000
 +
nop
 +
nop
 +
nop
  
GLOBALALLOC(name,size) : Will allocate a certain amount of memory and registers the specified name. Using GlobalAlloc in other scripts will then not allocate the memory again, but reuse the already existing memory. (Or allocate it anyhow if found it wasn't allocated yet)
+
00410000:
 +
mov [00400800],esi
 +
mov [esi+80],ebx
 +
xor eax,eax
 +
jmp 00451031
 +
</pre>
  
Basic Example:<br>
 
00451029:<br>
 
jmp 00410000<br>
 
nop<br>
 
nop<br>
 
nop<br>
 
<br>
 
00410000:<br>
 
mov [00580120],esi<br>
 
mov [esi+80],ebx<br>
 
xor eax,eax<br>
 
jmp 00451031<br>
 
<br>
 
Example using LABEL:<br>
 
label(mylabel)<br>
 
<br>
 
00451029:<br>
 
jmp 00410000<br>
 
nop<br>
 
nop<br>
 
nop<br>
 
mylabel:<br>
 
<br>
 
00410000:<br>
 
mov [00580120],esi<br>
 
mov [esi+80],ebx<br>
 
xor eax,eax<br>
 
jmp mylabel<br>
 
<br>
 
Example using ALLOC:<br>
 
alloc(memloc1,4)<br>
 
<br>
 
00451029:<br>
 
jmp 00410000<br>
 
nop<br>
 
nop<br>
 
nop<br>
 
<br>
 
00410000:<br>
 
mov [alloc1],esi<br>
 
mov [esi+80],ebx<br>
 
xor eax,eax<br>
 
jmp 00451031<br>
 
<br>
 
Example using ALLOC and LABEL<br>
 
alloc(alloc1,4)<br>
 
label(mylabel)<br>
 
<br>
 
00451029:<br>
 
jmp 00410000<br>
 
nop<br>
 
nop<br>
 
nop<br>
 
mylabel:<br>
 
<br>
 
00410000:<br>
 
mov [alloc1],esi<br>
 
mov [esi+80],ebx<br>
 
xor eax,eax<br>
 
jmp mylabel<br>
 
  
 +
=== Example using DEFINE ===
 +
<pre>
 +
DEFINE(clear_eax,xor eax,eax)
 +
00400500:
 +
clear_eax
 +
</pre>
  
Example using FULLACCESS<br>
 
FULLACCESS(00400800,4) //00400800 is usually read only non executable data, this makes it writeable and executable<br>
 
00451029:<br>
 
jmp 00410000<br>
 
nop<br>
 
nop<br>
 
nop<br>
 
  
00410000:<br>
+
=== Example using READMEM ===
mov [00400800],esi<br>
+
<pre>
mov [esi+80],ebx<br>
+
alloc(x,16)
xor eax,eax<br>
+
alloc(script,2048)
jmp 00451031<br>
 
  
Example using DEFINE<br>
+
script:
DEFINE(clear_eax,xor eax,eax)<br>
+
mov eax,[x]
00400500:<br>
+
mov edx,[x+c]
clear_eax<br>
+
ret
  
ReadMem example<br>
+
x:
alloc(x,16)<br>
+
readmem(00410000,16) //place the contents of address 00410000 at the address of X
alloc(script,2048)<br>
+
</pre>
  
script:<br>
 
mov eax,[x]<br>
 
mov edx,[x+c]<br>
 
ret<br>
 
  
x:<br>
+
== See also ==
readmem(00410000,16) //place the contents of address 00410000 at the address of X<br>
+
* [[Assembler]]
 +
* [[Tutorials]]

Latest revision as of 06:11, 20 June 2019

Writing a Script[edit]

You need to have the Memory Viewer window open and go to "Tools->Auto Assemble" or hit CTRL+A to open the Auto assemble window. When you click "Execute" the code is not actually executed, but assembled into machine code. The code is actually executed when you overwrite existing game code and the game executes it in the normal course of playing or when you call CREATETHREAD.

Writing an address or label followed by a colon will do one of two opposite things. If the label is known, i.e. it is an address or if there is a defined symbol or memory has been allocated with that name, the assembler will move to that address for assembling the following code. If the label is unknown, it must have been passed to LABEL(name) (or you will get an error) and the value of that label will be set to the current position where code is set to be assembled.

Simple Example - Example showing ALLOC, LABEL, REGISTERSYMBOL and CREATETHREAD.


Assigning a Script to a CheatTable[edit]

Scripts assigned to cheat tables usually have two sections, "[ENABLE]" and "[DISABLE]". Code before "[ENABLE]" will be assembled every time the script is enabled OR disabled. The code in the "[ENABLE]" section will be assembled (not executed) when the entry is checked and the code in the "[DISABLE]" section will be assembled when the entry is unchecked.

You will generally alloc memory in [ENABLE] and overwrite existing instructions inside the process you have opened to jump to your code where you can modify values and jump back. You will then dealloc the memory and put the original instructions back when disabling.

To assign it to your cheat table, click on "File->Assign to current cheat table" and close the window because to edit the table script you have to double-click on the "<script>" value in your table.

Serious Sam 3 BFE Example - Example showing ENABLE and DISABLE


Injecting a DLL[edit]

loadlibrary(name) can be used to load a dll and register it's symbols for use by your assembly code. Note that you should not put quotes around the DLL name. Here's an example:

LoadLibrary Example

General Information[edit]

Auto assemble allows you to write assembler code at different locations using a script. It can be found in the memory view part of cheat engine under extra.

See Auto Assembler Commands for a full list of all Auto Assembler commands.

Value Notation[edit]

Normally everything is written as hexadecimal in auto assembler, but there are ways to override this so you can input decimal values, and even floating point values. for example, a integer value of 100 can be written in hex as 64, but you can also write it as #100, or as (int)100 for floating point value like 100.1 you can use (float)100.1 and for a double, you could use (double)100.1 NOTE:Use 'dq (double)100.1' instead of 'dd'!

{$lua}[edit]

Auto assembler scripts support section written in Lua.You can start such a section using the {$lua} keyword, and end it with {$asm}.

The return value of such a function (if it returns a value at all) will be interpreted as normal auto assembler commands.

When syntax checking, the lua sections get executed. To make sure your lua script behaves properly in those situations, check the "syntaxcheck" boolean. If it's true, then do not make permanent changes. e.g:

if syntaxcheck then return end

Of course, if your script is meant to generate code, do make it return code so that it passes the initial syntax check. (e.g label definitions etc...)

Examples[edit]

Basic Example[edit]

00451029:
jmp 00410000
nop
nop
nop

00410000:
mov [00580120],esi
mov [esi+80],ebx
xor eax,eax
jmp 00451031


Example using LABEL[edit]

label(mylabel)

00451029:
jmp 00410000
nop
nop
nop
mylabel:

00410000:
mov [00580120],esi
mov [esi+80],ebx
xor eax,eax
jmp mylabel


Example using ALLOC[edit]

alloc(alloc1,4)

00451029:
jmp 00410000
nop
nop
nop

00410000:
mov [alloc1],esi
mov [esi+80],ebx
xor eax,eax
jmp 00451031

Example using ALLOC and LABEL[edit]

alloc(alloc1,4)
label(mylabel)

00451029:
jmp 00410000
nop
nop
nop
mylabel:

00410000:
mov [alloc1],esi
mov [esi+80],ebx
xor eax,eax
jmp mylabel


Example using FULLACCESS[edit]

FULLACCESS(00400800,4) //00400800 is usually read only non executable data, this makes it writeable and executable
00451029:
jmp 00410000
nop
nop
nop

00410000:
mov [00400800],esi
mov [esi+80],ebx
xor eax,eax
jmp 00451031


Example using DEFINE[edit]

DEFINE(clear_eax,xor eax,eax)
00400500:
clear_eax


Example using READMEM[edit]

alloc(x,16)
alloc(script,2048)

script:
mov eax,[x]
mov edx,[x+c]
ret

x:
readmem(00410000,16) //place the contents of address 00410000 at the address of X


See also[edit]