Some Slightly Advanced help: Game runs scripts thr code in VCRuntime Please read.

Memory scanning, code injection, debugger internals and other gamemodding related discussion
gideon25
Table Makers
Table Makers
Posts: 1389
Joined: Mon Mar 20, 2017 1:42 am
Reputation: 2288

Re: Some Slightly Advanced help: Game runs scripts thr code in VCRuntime Please read.

Post by gideon25 »

Its on the gold address which is a float (you have to hit escape or pause game so it stops increasing. Only takes a couple of searches to get the address for it

User avatar
notpikachu
Table Makers
Table Makers
Posts: 311
Joined: Wed Apr 01, 2020 10:32 am
Reputation: 331

Re: Some Slightly Advanced help: Game runs scripts thr code in VCRuntime Please read.

Post by notpikachu »

Uh..oh :shock: . You can't do that break condition there. Put some shortcut key for pausing the game, pause. then break and trace. R.click again, set/change condition breakpoint. Then, resume game using shortcut (totally useful for shared opcode). If I remember right, that two box start and stop condition is quite different from set/change condition breakpoint. :P. Yes, my previous post showing the value of break and trace of gold.
Last edited by notpikachu on Thu Apr 02, 2020 9:16 pm, edited 1 time in total.

gideon25
Table Makers
Table Makers
Posts: 1389
Joined: Mon Mar 20, 2017 1:42 am
Reputation: 2288

Re: Some Slightly Advanced help: Game runs scripts thr code in VCRuntime Please read.

Post by gideon25 »

notpikachu wrote:
Thu Apr 02, 2020 8:54 pm
Judging by the name, a different game? First, not all game work the same. Then again, what do u mean, cannot break and trace? Is it empty break and trace outcome without condition, or do you put some conditional break and trace? As the game is quite small, Shieldwall yeah? I download it and try break and trace. No problem here :?

Image
yea its a conditional break and trace on gold. Float value (just pause game and search for exact value)

gideon25
Table Makers
Table Makers
Posts: 1389
Joined: Mon Mar 20, 2017 1:42 am
Reputation: 2288

Re: Some Slightly Advanced help: Game runs scripts thr code in VCRuntime Please read.

Post by gideon25 »

notpikachu wrote:
Thu Apr 02, 2020 9:15 pm
Uh..oh :shock: . You can't do that break condition there. Put some shortcut key for pausing the game, pause. then break and trace. R.click again, set/change condition breakpoint. Then, resume game using shortcut (totally useful for shared opcode). If I remember right, that two box start and stop condition is quite different from set/change condition breakpoint. :P
Ah ok let me try that :)

gideon25
Table Makers
Table Makers
Posts: 1389
Joined: Mon Mar 20, 2017 1:42 am
Reputation: 2288

Re: Some Slightly Advanced help: Game runs scripts thr code in VCRuntime Please read.

Post by gideon25 »

gideon25 wrote:
Thu Apr 02, 2020 9:16 pm
notpikachu wrote:
Thu Apr 02, 2020 9:15 pm
Uh..oh :shock: . You can't do that break condition there. Put some shortcut key for pausing the game, pause. then break and trace. R.click again, set/change condition breakpoint. Then, resume game using shortcut (totally useful for shared opcode). If I remember right, that two box start and stop condition is quite different from set/change condition breakpoint. :P
Ah ok let me try that :) I thought it was basically the same thing

gideon25
Table Makers
Table Makers
Posts: 1389
Joined: Mon Mar 20, 2017 1:42 am
Reputation: 2288

Re: Some Slightly Advanced help: Game runs scripts thr code in VCRuntime Please read.

Post by gideon25 »

notpikachu wrote:
Thu Apr 02, 2020 9:15 pm
Uh..oh :shock: . You can't do that break condition there. Put some shortcut key for pausing the game, pause. then break and trace. R.click again, set/change condition breakpoint. Then, resume game using shortcut (totally useful for shared opcode). If I remember right, that two box start and stop condition is quite different from set/change condition breakpoint. :P. Yes, my previous post showing the value of break and trace of gold.
Did you trace on R15 or R8 and where? Can I get a scrreeenshot of exactly how you formatted the condition? Thanks!

User avatar
notpikachu
Table Makers
Table Makers
Posts: 311
Joined: Wed Apr 01, 2020 10:32 am
Reputation: 331

Re: Some Slightly Advanced help: Game runs scripts thr code in VCRuntime Please read.

Post by notpikachu »

The first one I used RDX on VCRuntime, for any code after the ret, I used RBX. Why? Because on that particular function, RBX from the start didn't change until the end. That mean, its a good way to refer from your previous break and trace. I tried my previous method, the cmp version seems ok so far, but not working for non-cmp one. Might be a good time to test back trace again later, until then, im gonna sleep.

Screenshot? Is just the old plain "RDX == 0x00", its either that or ReadFloat/Int, as usual, depend on situation.

gideon25
Table Makers
Table Makers
Posts: 1389
Joined: Mon Mar 20, 2017 1:42 am
Reputation: 2288

Re: Some Slightly Advanced help: Game runs scripts thr code in VCRuntime Please read.

Post by gideon25 »

notpikachu wrote:
Thu Apr 02, 2020 9:34 pm
The first one I used RDX on VCRuntime, for any code after the ret, I used RBX. Why? Because on that particular function, RBX from the start didn't change until the end. That mean, its a good way to refer from your previous break and trace. I tried my previous method, the cmp version seems ok so far, but not working for non-cmp one. Might be a good time to test back trace again later, until then, im gonna sleep.
Ah so you are not using the exact gold address for the condition, but what RBX was when you did your first break and trace? Ah, I understand. Thanks!

mohanhegde
Noobzor
Noobzor
Posts: 11
Joined: Mon Dec 03, 2018 5:39 pm
Reputation: 0

Re: Some Slightly Advanced help: Game runs scripts thr code in VCRuntime Please read.

Post by mohanhegde »

cfemen wrote:
Mon Mar 02, 2020 7:15 pm
hey,
( at first : i dont have the game, this is about UE4 and MemCopy in generaly)

the call on +75B9AB is used many times, you can see that with a "Find out what addresses this instruction accesses"

call will lead to several functions, and eventually to a call to the MemCopy.

your money address is on RDX (in the MemCopy)
before the call( on +75B9AB ) the registers get parameters
look at +795B995 -> add r8,r15
usually r8 contains the address that will be used on RDX in the MemCopy.

you can use a condition breakpoint(Ctrl+B) -> R8 == 0xRDX_From_MemCopy
now the breakpoint will only break if R8 is holding the address of your money.

so now you can look for a compare.
maybe the stack
maybe some register

or you can backtrace R8.
in your case:
movsxd r8,[RCX+44] -> backtrace this
add r8,15

RCX+44 moves to R8, and something on RCX, and so on.

you know the X64 Calling Convention?

register RCX,RDX,R8,R9 and then stack will be used to give Bool,Short,Int,Long,String,Pointer parameters to functions/methods

one of this registers at the prologue will hold a address that contains the [RCX+44] address.
copy the value of this register.

coz something is calling this function with parameters.
and this parameters are most likely used for more than only this function.
use the stack to find out what is calling, go to this address, and use a condition breakpoint(before the call) on the register that was used to hold the adddress at the prologue of the function.
most likely this call will also be a RAX+xx call.
with the condition breakpoint you can trace every function that is called related to money, and eventually you will find a unqiue function.

inject at this spot and alloc 8 byte to copy the address of the register that is used for the condition breakpoint.

this address can now be used as CMP at the +75B9AB spot ( the address from the prologue parameter register is now usually on R14 or similar)

thats just one of the ways, maybe the call on +75B9AB leads to a function that is already unique if you do a breakpoint on R8 with the RDX MemCopy Address.

i hope this helps you to trace things/ finding related functions / use condition breakpoints :)
Hi @cfemen,
Could you please please do a step by step tutorial for these VCRUNTIME and MemCpy scenarios?

I'm trying to follow the instructions for Medieval Dynasty which also uses Unreal Engine and can't figure out how to keep backtracing the registers 😭

It would be so kind of you if you can show us how to do this backtrace, even if it's just one backtracing example on one game, with screenshots or YouTube video or something.

I'm currently using Cake-Sans dumper tools to cheat in Medieval Dynasty, but would really like to learn how to backtrace and find the actual code which is responsible for the player's stats like food, water, health, stamina etc.

Thanks

Post Reply

Who is online

Users browsing this forum: AmazonBot