Solved Unable to get mid-function codecaving to work with this game


SICGames88

Newbie
Full Member
Nobleman
Sep 6, 2015
70
768
0
In the Cheat Engine AOB scan script the code works perfectly, but when I apply it to my trainer for Huniepop it doesn't work. It gives an address, or when I give a longer pattern and mask it returns 00 for the address. I understand that when it hasn't found anything the FindPattern function returns null.

I don't think specifying code to you guys will help - so I won't put you guys through all that junk.

However, for the instant puzzle AOB script for cheat engine what I do is:

C++:
original code:
mov [edi+000000A0], eax //--- what this is telling me that this is where the puzzle score is.

injected code:
push ebx
mov ebx, [edi+000000A4] //-- this is the total score needed to win puzzle for Huniepop.
mov [edi+000000A0], ebx //-- move the total score into player's score.
pop ebx
This is what I'm trying to achieve with the mid-function hooking code caving tutorial. My trainer creates the jump point; however, it may be at the wrong location, because it's not doing anything. So I thought, okay, go into OllyDbg and sample a larger piece of code for Test Sig. I copied and pasted the pattern and mask into the program and got 00 returned.

Should I gather a larger sample of code for Test Sig, or perhaps go through the program over and over again, finding out which hex values stick and which ones change, then alter the mask and pattern that way?

So what should I do? I've got the ability to do mid-function hooking in my GUI Trainer.

Unsure what to do.
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,118
78,998
2,392
If it's not in a module, scan between 0 and FFFFFFFF using PatternScanEx.

C++:
#include <windows.h>
#include <cstdint>
#include <cstring>

//External Wrapper: walk the committed regions of hProc between begin and end,
//copy each region into a local buffer and run the internal scan on the copy.
char* Pattern::Ex::Scan(char* pattern, char* mask, char* begin, char* end, HANDLE hProc)
{
    char* match = nullptr;
    SIZE_T bytesRead = 0;
    DWORD oldprotect;
    MEMORY_BASIC_INFORMATION mbi = { 0 };

    //advance from the base of the region VirtualQueryEx reported, not from curr,
    //so a begin address that falls inside a region does not skip the following one
    for (char* curr = begin; curr < end; curr = (char*)mbi.BaseAddress + mbi.RegionSize)
    {
        if (!VirtualQueryEx(hProc, curr, &mbi, sizeof(mbi))) return nullptr;
        if (mbi.State != MEM_COMMIT || mbi.Protect == PAGE_NOACCESS || (mbi.Protect & PAGE_GUARD)) continue;

        char* buffer = new char[mbi.RegionSize];

        if (VirtualProtectEx(hProc, mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &oldprotect))
        {
            //only scan what was actually read; a failed read leaves bytesRead at 0
            if (ReadProcessMemory(hProc, mbi.BaseAddress, buffer, mbi.RegionSize, &bytesRead))
            {
                char* internalAddr = In::Scan(pattern, mask, buffer, (unsigned int)bytesRead);

                if (internalAddr != nullptr)
                {
                    //calculate from internal to external: offset inside the copy, added to the region base
                    match = (char*)mbi.BaseAddress + (uintptr_t)(internalAddr - buffer);
                }
            }
            VirtualProtectEx(hProc, mbi.BaseAddress, mbi.RegionSize, oldprotect, &oldprotect);
        }

        //free the copy on every iteration; freeing once after the loop leaks every region but the last
        delete[] buffer;
        if (match != nullptr) break;
    }
    return match;
}

//Internal Pattern Scan: compare the masked pattern at every offset of a local buffer
char* Pattern::In::Scan(char* pattern, char* mask, char* begin, unsigned int size)
{
    size_t patternLen = strlen(mask);
    if (patternLen == 0) return nullptr;

    //bound is i + patternLen <= size: "size - patternLen" underflows when the buffer is
    //shorter than the pattern and the loop would then run off the end of the buffer
    for (unsigned int i = 0; i + patternLen <= size; i++)
    {
        bool found = true;
        for (unsigned int j = 0; j < patternLen; j++)
        {
            if (mask[j] != '?' && pattern[j] != *(begin + i + j))
            {
                found = false;
                break;
            }
        }
        if (found)
        {
            return (begin + i);
        }
    }
    return nullptr;
}

//Scan entire process combo (ProcessEx, Parse and IsWow64Proc are helpers from the same code base, not shown here)
char* Pattern::Ex::Proc(char* combopattern, ProcessEx* proc)
{
    char pattern[100];
    char mask[100];
    Parse(combopattern, pattern, mask); //splits "83 C4 ?? 10" style text into pattern bytes and a mask

    //upper bound of user-mode memory: 2 GB for a 32-bit (WoW64) target, 128 TB for a 64-bit one
    unsigned long long int kernelMemory;

    if (IsWow64Proc(proc->handle)) kernelMemory = 0x80000000;
    else kernelMemory = 0x00007FFFFFFFFFFF;

    return Scan(pattern, mask, 0x0, (char*)kernelMemory, proc->handle);
}
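An added example, not code from Rake or from this thread: a portable C++ version of the two pieces the snippet above relies on, the combo-pattern parser (`Parse`) that turns text like "83 C4 10 89 87 ?? ?? ?? ??" into bytes plus mask, and an in-buffer scan with an explicit end-of-buffer bound. It runs over a constructed byte buffer built around the 15 instruction bytes posted in this thread; the region base 0x05D2DA7C is an assumed value chosen so that the hit maps to 0x05D2DA82, the address from the first run.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>
// Parsed signature: one byte per position plus a mask ('x' = compare, '?' = wildcard).
struct Signature { std::vector<uint8_t> bytes; std::string mask; };
// Parse a space-separated combo pattern such as "83 C4 10 89 87 ?? ?? ?? ?? 8B 47 64 83 EC 08".
// A token starting with '?' is a wildcard; any other token is one hex byte.
Signature ParseCombo(const std::string& combo) {
    Signature sig;
    for (size_t pos = 0; pos < combo.size();) {
        size_t end = combo.find(' ', pos);
        if (end == std::string::npos) end = combo.size();
        std::string tok = combo.substr(pos, end - pos);
        if (!tok.empty()) {
            bool wild = tok[0] == '?';
            sig.bytes.push_back(wild ? 0 : (uint8_t)strtoul(tok.c_str(), nullptr, 16));
            sig.mask += wild ? '?' : 'x';
        }
        pos = end + 1;
    }
    return sig;
}
// Return the offset of the first match in buf, or -1. The bound "i + len <= size" avoids
// the unsigned underflow of "size - len" and the over-read of "i < size" near the buffer end.
long ScanBuffer(const uint8_t* buf, size_t size, const Signature& sig) {
    size_t len = sig.mask.size();
    if (len == 0) return -1;
    for (size_t i = 0; i + len <= size; i++) {
        size_t j = 0;
        while (j < len && (sig.mask[j] == '?' || buf[i + j] == sig.bytes[j])) j++;
        if (j == len) return (long)i;
    }
    return -1;
}
// Map a hit in a locally copied region back to the remote address: the base + offset
// arithmetic an external scanner does after ReadProcessMemory.
uintptr_t ToRemoteAddress(uintptr_t regionBase, long offset) {
    return offset < 0 ? 0 : regionBase + (uintptr_t)offset;
}
// Constructed sample (not a real dump): a decoy prefix, then the 15 instruction bytes from the thread.
static const uint8_t kSample[] = { 0x90, 0x90, 0x89, 0x87, 0x00, 0x00,
    0x83, 0xC4, 0x10, 0x89, 0x87, 0xA0, 0x00, 0x00, 0x00, 0x8B, 0x47, 0x64, 0x83, 0xEC, 0x08, 0xC3 };
int main() {
    long off = ScanBuffer(kSample, sizeof(kSample), ParseCombo("83 C4 10 89 87 ?? ?? ?? ?? 8B 47 64 83 EC 08"));
    // Assumed region base 0x05D2DA7C: the hit at offset 6 maps to 0x05D2DA82, the first run's address.
    printf("offset %ld -> 0x%08lX\n", off, (unsigned long)ToRemoteAddress(0x05D2DA7C, off));
}
```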
 

SICGames88

Newbie
Full Member
Nobleman
Sep 6, 2015
70
768
0
I ran the game three times and placed the opcodes and such in Notepad++. Nothing changes, but I still get 00.

C++:
const char *pattern = "\x83\xC4\x10\x89\x87\xA0\x00\x00\x00\x8B\x47\x64\x83\xEC\x08"; //-- 15 bytes; contains 0x00, so its length must come from the mask, never from strlen
const char *mask = "xxxxxxxxxxxxxxx"; //-- one 'x' per pattern byte
DWORD winAddy = FindPattern("HuniePop.exe", pattern, mask); //-- FindPattern is the same as in FLEEP's previous tutorial.

NotifyAddress(winAddy); //-- Same as MsgBoxAddy() just renamed.
This is what I saw in Cheat Engine. It never changes whatsoever.

C++:
//-- first time running the game.

05D2DA82   83C4 10          ADD ESP,10
05D2DA85   8987 A0000000    MOV DWORD PTR DS:[EDI+A0],EAX
05D2DA8B   8B47 64          MOV EAX,DWORD PTR DS:[EDI+64]
05D2DA8E   83EC 08          SUB ESP,8

//-- second time running game.

05D2DDCA - 83 C4 10              - add esp,10
05D2DDCD - 89 87 A0000000        - mov [edi+000000A0],eax
05D2DDD3 - 8B 47 64              - mov eax,[edi+64]
05D2DDD6 - 83 EC 08              - sub esp,08

//-- third time running game.
05D43DDA - 83 C4 10              - add esp,10
05D43DDD - 89 87 A0000000        - mov [edi+000000A0],eax
05D43DE3 - 8B 47 64              - mov eax,[edi+64]
05D43DE6 - 83 EC 08              - sub esp,08
It's a unique signature too; I made sure with OllyDbg Test Signature.
It should be able to grab me an address instead of saying 00.
 

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,745
40,528
316
If the pattern is correct, the problem must be the FindPattern function. And are you sure that the signature is in the memory region of the "HuniePop.exe" module?
 

SICGames88

Newbie
Full Member
Nobleman
Sep 6, 2015
70
768
0
Broihon;36258 said:
If the pattern is correct, the problem must be the FindPattern function. And are you sure that the signature is in the memory region of the "HuniePop.exe" module?
I'm glad you brought that up, because in Amnesia I did a pattern scan and it pointed straight to where the tinderboxes decrement their value. What I've noticed is that in OllyDbg it says Amnesia module, whereas in Huniepop it says Thread. I go to the main thread of huniepop.exe and search again and find it.

I don't know how I would be able to access the game's different thread, though.
 

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,745
40,528
316
It's probably not about threads but simply about the memory region where the address is. The easiest way to find out in which module the address is would be scanning for the pattern in CE, which should give you a green (static) result.
If you add that address to your list and double-click it, it should say something like "BlaBla.exe + 0x123456" or "hue.dll + 0x123456". In this case you need to scan in that module. It'd be useful if you posted the FindPattern function as well.
If you don't get a static (green) address, things'll get a little bit nastier.
 

SICGames88

Newbie
Full Member
Nobleman
Sep 6, 2015
70
768
0
Broihon;36260 said:
It's probably not about threads but simply about the memory region where the address is. The easiest way to find out in which module the address is would be scanning for the pattern in CE, which should give you a green (static) result.
If you add that address to your list and double-click it, it should say something like "BlaBla.exe + 0x123456" or "hue.dll + 0x123456". In this case you need to scan in that module. It'd be useful if you posted the FindPattern function as well.
If you don't get a static (green) address, things'll get a little bit nastier.
I've updated the scan function, but here it is:

C++:
#include <windows.h>
#include <psapi.h>
#include <cstring>

MODULEINFO GetModuleInfo(char *szModule); //helper from Fleep's tutorial (GetModuleHandle + GetModuleInformation), not shown here

//Compare the pattern at pData position by position; '?' in szMask skips a byte.
//The pattern may contain 0x00 bytes (the A0 00 00 00 displacement above does), so its
//length always comes from szMask, never from strlen(pattern).
bool MatchPattern(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
	for (; *szMask; ++szMask, ++pData, ++bMask)
		if (*szMask == 'x' && *pData != *bMask)
			return false;
	return *szMask == '\0';
}

//Scan [address, address + length) in the current process, stopping early enough that the
//last comparison never reads past the end of the range.
DWORD AOBScan(DWORD address, DWORD length, const BYTE *pattern, const char *mask) {
	DWORD patternLength = (DWORD)strlen(mask);
	if (patternLength == 0 || patternLength > length) return 0;
	for (DWORD i = 0; i <= length - patternLength; i++)
		if (MatchPattern((const BYTE*)(address + i), pattern, mask))
			return (DWORD)(address + i);

	//--crap didn't find jack!
	return 0;
}

DWORD FindPattern(const char *hModuleName, const char *pattern, const char *mask) {
	//Get all module related information
	MODULEINFO mInfo = GetModuleInfo((char*)hModuleName);
	//Assign our base and module size
	//Having the values right is ESSENTIAL, this makes sure
	//that we don't scan unwanted memory and leading our game to crash
	DWORD base = reinterpret_cast<DWORD>(mInfo.lpBaseOfDll);
	DWORD size = mInfo.SizeOfImage;
	//A module that is not loaded gives base 0 and size 0, so nothing is scanned and 0 comes back;
	//code that lives outside the module's image is never looked at by this function either
	if (base == 0 || size == 0) return 0;

	return AOBScan(base, size, (const BYTE*)pattern, mask);
}
 

SICGames88

Newbie
Full Member
Nobleman
Sep 6, 2015
70
768
0
It doesn't say jack - nothing; no module name in the code section of the disassembler. It says Protect: Execute/Read/Write, Base:, Size:, no module name. When I click on change address it gives me nothing. When I manually add the pointer and then look for what writes to that pointer, I get nothing back. The manually added address is from the green highlighted address.

The game is made with Unity; however, I don't think it should matter. A guy on YouTube found the AOB for The Forest, but for Huniepop there's zilch.

I also manually did the AOB scan inside CE, added it to the list, then clicked on change address, and nothing popped up as you mentioned.
 

SICGames88

Newbie
Full Member
Nobleman
Sep 6, 2015
70
768
0

Okay, I had to click on the opcode in the disassembler to get the module name - yup, its module name is HuniePop.exe.
 

SICGames88

Newbie
Full Member
Nobleman
Sep 6, 2015
70
768
0
Again I was wrong. I thought it was, but it shows nothing - no module. Why wouldn't it show any module name? Or am I completely lost....

I took a snapshot but can't upload it because it says invalid format - had to go through imgur.

It's pointing at the location in Huniepop.exe, but there's no module name inside the dump code box. You know what I'm talking about? Why is that?
 

SICGames88

Newbie
Full Member
Nobleman
Sep 6, 2015
70
768
0
Here is the AOB scan from Amnesia.exe, and as you can see it points to the module name; however, Huniepop.exe doesn't. Funny, because I have to make a cheat table for Huniepop, but my trainer won't work :(

So what gives - why can't it point to the module name like this picture does:

 