(WIP)
This mainly use flash as3 as examples.
memcpy
----------
memcpy is to copy byte-array(AoB) from a source address to a destination address. In auto assembler script used in Cheat Engine CT file, it is called readmem, and the usage is like this:
_dst+12:
readmem(_src+34, 5)
_src is the label represented the source address.
_dst is the label represented the destination address.
label in CE is commonly generate by AobScan(label, AoB-Pattern) function or alloc(label, size) function or similar that a label invoved.
what the use
--------------
memcpy is not necessary to make AoB cheat, but it help to make a certain class of cheat update-resistant, minimize the need of manual update.
In most flash AS3 cheat make by AoB search and patch mechanism, the byte value specifically wrote is not change by update, or even in different game.
For example, to make "gain money on spending money", it is common to replace the subtraction-byte-code-command (A1 in AS3 bytecode) in the search pattern to addition-byte-code-command (A0 in AS3 bytecode) in patch pattern.
Some thing like this:
AoBSwap("d0 d0 66 98 76 24 0A A1 61 98 76", "d0 d0 66 98 76 24 0A A0 61 98 76")
The A0 addition won't change on update, the cheat should work as long as the whole AoB pattern is not changed.
memcpy has no use to make it update resistant in these cases.
But sometime, a certain reference/index value need in the patch pattern. For example, some function name/string value index in string pool. They are likely change on every update.
Here use the MAA Auto Player cheat as an example:
The idea is to change Controller of the player team's agent/hero, from human Input (InputController) to an AI Controller (here, ScriptableAIController).
ps: A *Controller is to select action and target when the agent/hero's turn start.
The idea is similar to change the substration command to addition command, but this time the patch pattern will involve some function/string refrence.
The source of patch pattern can be found in loadSequencer @ package mvcs.views.combat.PvpCombatPageMediator
...
for each (_loc_7 in _userProf.strikeTeam.offense)
{
_loc_22 = _loc_7 == _loc_2 ? (_loc_3.getPvpAgent(_userProf, _loc_4)) : (_loc_3.getPvpHero(_loc_7, _userProf, _loc_4));
_loc_6.push(_loc_22);
_loc_23 = ControllerList.getClass(_loc_22.defaultController) as Class;
_loc_22.controller = new _loc_23;
}
You can see that it for Player's Offense team, which will assigned a human inputController.
It is the _loc_22.defaultController part to be modified. (***)
The source of the function using this paramemter is getClass @ package engine.combat.controllers.ControllerList
public static function getClass(param1:String) : Object
{
if (param1 != "ScriptableAIController" && param1 != "UserController")
{
return getDefinitionByName("combat.core.controllers." + param1);
}
return getDefinitionByName("engine.combat.controllers." + param1);
}//
It is the string ScriptableAIController to be modified into (***), so that the player agent/hero can use the AI Controller,ie. auto player.
Here the bytecode list,
for(***)
//4f f0 d0 01 01
_as3_callpropvoid http://adobe.com/AS3/2006/builtin::push(param count:1)
//60 e9 78
_as3_getlex engine.combat.controllers::ControllerList
//62 16
_as3_getlocal <22>
//66 ef ef 01
_as3_getproperty defaultController
//46 91 94 01 01
_as3_callproperty getClass(param count:1)
//60 52
_as3_getlex Class
and for the reference string part;
//d0
_as3_getlocal <0>
//30
_as3_pushscope
//d1
_as3_getlocal <1>
//2c cb 0f
_as3_pushstring "ScriptableAIController"
//ab
_as3_equals
//96
_as3_not
//2a
_as3_dup
//12 07 00 00
_as3_iffalse offset: 7
//29
_as3_pop
//d1
_as3_getlocal <1>
//2c 97 7c
Now let's convert it into AoB with RawAoB tool, give:
reference pattern
d0 30 d1 2c cb 0f ab 96 2a 12 07 00 00 29 d1 2c 97 7c
search pattern
4f f0 d0 01 01 ad 60 e9 78 62 16 66 ef ef 01 46 91 94 01 01 60 52
The patch pattern is to fill the string reference into red text part of search pattern, with filling 02 = no op to keep the length, give
4f f0 d0 01 01 ad 60 e9 78 2c cb 0f 02 02 02 46 91 94 01 01 60 52
Now the hard-coded version of the cheat can be like this (the reference pattern is not need):
AoBSWAP("4f f0 d0 01 01 ad 60 e9 78 62 16 66 ef ef 01 46 91 94 01 01 60 52",
"4f f0 d0 01 01 ad 60 e9 78 2c cb 0f 02 02 02 46 91 94 01 01 60 52")
Now we are going to make this Update-resistant:
1st, all index reference in the AoB patterns that may be change with update should be made wild-card.
reference pattern
d0 30 d1 2c ?? ?? ab 96 2a 12 07 00 00 29 d1 2c ?? ??
search pattern
4f ?? ?? ?? 01 ad 60 ?? ?? 62 ?? 66 ?? ?? ?? 46 ?? ?? ?? 01 60 ??
We can shorten the AoB a bit as long as the search result is unique, and in assembler format now:
Aobscan(_pvpai, d0 30 d1 2c ?? ?? ab 96 2a 12 ?? 00 00 29 d1 2c) // reference pattern of string for ScriptableAI, +3,3
Aobscan(_defense,01 60 ?? ?? 62 ?? 66 ?? ?? ?? 46 ?? ?? ?? 01 60) // main search pattern to be modified
// Now to make the patch pattern using memcpy/readmem, check the offset.
_defense+04:
readmem(_pvpai+03,3) // 2c xx xx
// and fill no op to keep patched size match
_defense+07:
db 02 02 02
So this a update ressitant version of the auto player (pvp) cheat.
---
hope the presentation is understandable.
bye~
No +karma or thanks post please,
we shall exchange appreciation via telepathy ;)