[Tutorial][Original] Cheat Engine 6.4 Tutorial: Walkthrough #4

Tutorial #1: [Tutorial][Original] Cheat Engine 6.4 Tutorial: Walkthrough #1

Tutorial #2: [Tutorial][Original] Cheat Engine 6.4 Tutorial: Walkthrough #2

Tutorial #3: [Tutorial][Original] Cheat Engine 6.4 Tutorial: Walkthrough #3

Finish tutorials #1 to #3 before continuing with this one.


image

image


Step 7

Step 7: Code Injection: (PW=013370) Code injection is a technique where one injects a piece of code into the target process, and then reroute the execution of code to go through your own written code

In this tutorial you’ll have a health value and a button that will decrease your health with 1 each time you click it. Your task is to use code injection to increase the value of your health with 2 every time it is clicked

Start with finding the address and then find what writes to it. Then, when you’ve found the code that decreases it, browse to that address in the disassembler and open the auto assembler window (ctrl+a). There click on template and then code injection, and give it the address that decreases health (if it isn’t already filled in correctly). That will generate a basic auto assembler injection framework you can use for your code.

Notice the alloc, that will allocate a block of memory for your code cave, in the past, in the pre windows 2000 systems, people had to find code caves in the memory(regions of memory unused by the game), but that’s luckily a thing of the past since windows 2000, and will these days cause errors when trying to be used, due to SP2 of XP and the NX bit of new CPU’s

Also notice the lines newmem: and originalcode: and the text “Place your code here”. As you guessed it, write your code here that will increase the health with 2. A useful assembler instruction in this case is the “ADD instruction”; here are a few examples: “ADD [00901234],9” to increase the address at 00901234 with 9, “ADD [ESP+4],9” to increase the address pointed to by ESP+4 with 9. In this case, you’ll have to use the same thing between the brackets as the original code has that decreases your health.

Notice: It is recommended to delete the line that decreases your health from the original code section, else you’ll have to increase your health with 3 (you increase with 3, the original code decreases with 1, so the end result is increase with 2), which might become confusing. But it’s all up to you and your programming.

Notice 2: In some games the original code can exist out of multiple instructions, and sometimes, not always, it might happen that a code at another place jumps into your jump instruction and will then cause unknown behavior. If that happens, you should usually look near that instruction and see the jumps and fix it, or perhaps even choose to use a different address to do the code injection from. As long as you’re able to figure out the address to change from inside your injected code.

Main screen:

image

So far we have only covered how to find where a value lives in memory, how to change it, and how to freeze it.

Now the really fun part arrives: we can inject our own code into the program!

The prerequisite: you need to understand assembly (ASM),

because code injection is written entirely in ASM.


I will move fairly quickly in this write-up.


Let's look at the objective of Step 7:

Your task is to use code injection to increase the value of your health with 2 every time it is clicked

That is, every time Hit Me is clicked, the Health value should increase by 2.

So what are we waiting for?

Let's find the address of Health right away!

image

image

Then find out what code writes to this address (finding what accesses it works too, but in this case looking for writes makes it easier).

image

image

dec [ebx+00000478]: not hard to guess what that instruction does, right?

Decrement, i.e. subtract 1 from the value.

If you don't know what a particular opcode does, its function is shown next to Extra Info:

image

Click Show disassembler and a Memory Viewer window pops up.

The currently highlighted line is the code that decrements Health by 1.

image

Then click Tools > Auto Assemble (Ctrl+A)

image

Click Template > Code injection (Ctrl+I)

image

Click OK

image

Now we have a template we can use to inject code:

alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

originalcode:
dec [ebx+00000478]

exit:
jmp returnhere

"Tutorial-i386.exe"+26C40:
jmp newmem
nop
returnhere:

Let's first go through the code in the template.

First, look at:

label(returnhere)
label(originalcode)
label(exit)

Everyone knows what a label is, right?

label(labelname) gives an address a name, so you can read from, write to, or jump to that address using labelname directly (much like a domain name standing in for an IP address).

Next:

alloc(newmem,2048)

alloc is short for "allocate", which in Chinese is 分配.

ALLOC(allocname,sizeinbytes, preferedregion OPTIONAL)

Taken from the Cheat Engine Help file.

The code you inject needs somewhere to "live", but not every region of memory can simply be written into at will.

So the job of alloc is to carve out a usable block of memory at an available location. Taking alloc(newmem,2048) as the example: it reserves a block of 2048 bytes and names it newmem (somewhat like a label, except that alloc is a label with its own backing memory).

newmem: A label name followed by a colon means that the code that follows belongs to newmem, somewhat like a function...


Now it's time to write the code!

Since the original code decrements Health by 1:

originalcode:
dec [ebx+00000478]

It's easy to see that Health is stored at [ebx+00000478].

So the code that adds 2 to Health is very simple: add [ebx+00000478],2

The complete script looks like this:

alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

add [ebx+00000478],2
jmp exit

originalcode:
dec [ebx+00000478]

exit:
jmp returnhere

"Tutorial-i386.exe"+26C40:
jmp newmem
nop
returnhere:

image

Did you notice the extra jmp exit?

jmp is an unconditional jump; why do we need a jmp here?

Because without that jmp, once add [ebx+00000478],2 has executed, the CPU simply continues into the originalcode block (instructions execute one after another; a label is only a name and does not stop the code flow), so the dec would run right after the add.
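To make the code-flow point concrete, here is an added example that is not part of the original post and not Cheat Engine's own code: a small Python interpreter for the subset of auto-assembler syntax used in this step (alloc and label declarations, "name:" labels, dec and add on a memory operand, jmp, nop). It models one click of Hit Me as execution starting at the hooked address and ending once control falls past returnhere:. Memory is a dict keyed by the operand text, the script texts are copies of the template and the finished script above (constructed for the example), and the starting health value is made up. Comparing the three scripts shows the net effect per click: the bare template gives -1, the script without jmp exit gives +1 because add falls through into the dec, and the finished script gives +2.

```python
"""
Added example: a minimal interpreter for the auto-assembler subset used in
Step 7. Not part of the original post or of Cheat Engine itself.
"""
import re

# Hooked address of the original "dec" instruction (taken from the template above).
ENTRY = '"Tutorial-i386.exe"+26C40'
HEALTH_OPERAND = "[ebx+00000478]"

# Constructed copy of the template generated by Template > Code injection.
TEMPLATE_SCRIPT = '''
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

originalcode:
dec [ebx+00000478]

exit:
jmp returnhere

"Tutorial-i386.exe"+26C40:
jmp newmem
nop
returnhere:
'''

# Constructed copy of the finished script from the post (add 2, then jmp exit).
INJECTED_SCRIPT = TEMPLATE_SCRIPT.replace(
    "//place your code here\n", "//place your code here\n\nadd [ebx+00000478],2\njmp exit\n")

# Same script with the jmp exit removed, to show the fall-through.
NO_JMP_EXIT_SCRIPT = INJECTED_SCRIPT.replace("jmp exit\n", "")


def parse(script):
    """Return (instructions, labels).

    instructions: list of (opcode, [args]) in script order.
    labels: name -> index of the next instruction after the label line.
    alloc()/label() lines are declarations only and emit no code.
    """
    instructions, labels = [], {}
    for raw in script.splitlines():
        line = raw.split("//", 1)[0].strip()        # drop // comments
        if not line or re.match(r"^(alloc|label)\(", line):
            continue
        if line.endswith(":"):                      # "name:" marks a position
            labels[line[:-1]] = len(instructions)
            continue
        op, _, rest = line.partition(" ")
        args = [a.strip() for a in rest.split(",")] if rest else []
        instructions.append((op.lower(), args))
    return instructions, labels


def run(script, health, entry=ENTRY, max_steps=100):
    """Simulate one pass through the hooked code path; return the new health."""
    instructions, labels = parse(script)
    mem = {HEALTH_OPERAND: health}
    pc, steps = labels[entry], 0
    while pc < len(instructions):               # past the last label = back in the game
        steps += 1
        if steps > max_steps:
            raise RuntimeError("runaway loop in script")
        op, args = instructions[pc]
        if op == "dec":
            mem[args[0]] -= 1
        elif op == "add":
            # CE's auto assembler reads bare numeric literals as hexadecimal.
            mem[args[0]] += int(args[1], 16)
        elif op == "jmp":
            pc = labels[args[0]]
            continue
        elif op == "nop":
            pass
        else:
            raise ValueError(f"unsupported instruction: {op}")
        pc += 1
    return mem[HEALTH_OPERAND]


def net_change_per_click(script, health=100):
    """Health delta produced by one simulated click of Hit Me."""
    return run(script, health) - health


if __name__ == "__main__":
    for name, script in [("template", TEMPLATE_SCRIPT),
                         ("without jmp exit", NO_JMP_EXIT_SCRIPT),
                         ("finished script", INJECTED_SCRIPT)]:
        print(f"{name:18s} net change per click: {net_change_per_click(script):+d}")
```

The interpreter deliberately treats a label line as nothing more than a bookmark for the index of the next instruction, which is exactly why the originalcode block is reached by fall-through unless a jmp exit is placed before it.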

Click Execute, then click Yes

image

CE pops up a window showing the address that newmem was allocated at; click OK:

image

Go back to the CE Tutorial and click Hit Me.

If everything works, hit Next with confidence:

image
