Cheat Engine The Official Site of Cheat Engine
Taibreah Cheater Reputation: 0
Joined: 19 Mar 2014 Posts: 35
Posted: Tue Sep 06, 2016 9:15 pm Post subject: How to assemble this code?
Hello, it's been a while since I last worked on a table and I'm trying to get back into it again, but these results have me stumped on how to edit it to make it an unlimited health script.
I'm looking at the line movss xmm0,[rcx+10] because each time my character was hit, the count went up. But, there is also the one below that line (in the screenshot), so I'm not sure which one I should be paying attention to.
I originally wrote it this way:
newmem:
movss [rcx+10],(Float)999
originalcode:
movss xmm0,[rcx+10]
But it didn't work. How can I properly assemble this code? Thanks.
PS: This is a 64-bit game if that makes a difference.
[Attachment: screenshot]
Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The netherlands
Posted: Tue Sep 06, 2016 9:19 pm Post subject:
This code will work:
Code:
newmem:
mov [rcx+10],(Float)999
originalcode:
movss xmm0,[rcx+10]
It's a 4-byte value, encoded as a float. Mov will work fine.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Taibreah Cheater Reputation: 0
Joined: 19 Mar 2014 Posts: 35
Posted: Thu Sep 08, 2016 10:58 pm Post subject:
Thanks, that worked but only temporarily. The higher level enemies must be sharing an address with the player because they won't die.
I did "Find out what address this instruction accessed" and got hit a few times by different enemies, and they showed up in the window along with the player. I'm not sure where to go from here. This is all the code I have.
Should I try something different? Like using pointers instead? Thanks.
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(health,2048,"CryGameSDK.dll"+DA794)
label(returnhere)
label(originalcode)
label(exit)
health:
mov [rcx+10],(float)1000
originalcode:
//movss [rcx+10],xmm0
exit:
jmp returnhere
"CryGameSDK.dll"+DA794:
jmp health
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(health)
"CryGameSDK.dll"+DA794:
movss [rcx+10],xmm0
//Alt: db F3 0F 11 41 10
hhhuut Grandmaster Cheater Reputation: 6
Joined: 08 Feb 2015 Posts: 607
Posted: Fri Sep 09, 2016 2:19 am Post subject:
Right-click them in the debugger window and select "Open in dissect window" (or something like that).
Then see if you can find any player-strings, IDs or whatsoever to separate your player from the AI.
Taibreah Cheater Reputation: 0
Joined: 19 Mar 2014 Posts: 35
Zanzer I post too much Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Tue Sep 13, 2016 9:17 pm Post subject:
Judging by your code, I'm assuming "rcx+08" is equal to 100 for all enemies and never the player.
If it's the opposite, then change JE to JNE.
edit: Since you now provided the error, your problem is that your label is called "returnhere" not "return".
Don't just copy code blindly, try to understand what it is you are doing.
Code:
health:
cmp dword [rcx+08],(float)100
je originalcode
mov [rcx+10],(float)1000
jmp returnhere
originalcode:
movss [rcx+10],xmm0
Taibreah Cheater Reputation: 0
Joined: 19 Mar 2014 Posts: 35
Posted: Tue Sep 13, 2016 9:43 pm Post subject:
Zanzer wrote:
Judging by your code, I'm assuming "rcx+08" is equal to 100 for all enemies and never the player.
If it's the opposite, then change JE to JNE.
The 100 is supposed to be equal for the player only; it is compared against the enemies' 19.60000038, so I should change it to what you said: JNE.
Quote:
edit: Since you now provided the error, your problem is that your label is called "returnhere" not "return".
Don't just copy code blindly, try to understand what it is you are doing.
Thanks for the help. I am trying to learn and also understand, so I assumed if I found the instructions on a tutorial then it was the correct way to write it. But, I'll be more careful in the future and make sure everything matches up. I'll post back again later with the results.
Taibreah Cheater Reputation: 0
Joined: 19 Mar 2014 Posts: 35
Posted: Wed Sep 14, 2016 3:14 pm Post subject:
Well, with the new code edited in, it makes the player die in one hit as well as the enemy.
So, I'm not sure what's going on. I first tried it with je originalcode, then with jne originalcode, but both had the same outcome.
I looked over the dissect structure again and added more enemies to compare by.
The player still has an unchanging 100 next to the offset 0008 and the enemies have different numbers, which from my understanding (reading the tutorial) is how it should be.
I think I'm just going to have to take a break on this one, because I feel like I'm getting more confused than being able to understand.
Zanzer I post too much Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Wed Sep 14, 2016 6:50 pm Post subject:
Why did you move your injection point down? Use the original instruction you showed.
Code:
movss xmm0,[rcx+10]
Code:
health:
cmp dword [rcx+08],(float)100
jne originalcode
xorps xmm1,xmm1
originalcode:
movss xmm0,[rcx+10]
Taibreah Cheater Reputation: 0
Joined: 19 Mar 2014 Posts: 35
Posted: Thu Sep 15, 2016 3:37 pm Post subject:
I wrote these notes yesterday as I was trying one more time to get it to work...
Something weird:
Before I go any further I was taking a look over the structure in my most recent screenshot. Well, the offset that came up the most in all of my reads was 0010, none of the others appeared in my reads, but looking at it now it appears to me that 000C is my health and 0008 is my max health.
The weird thing about 000C is that when I change the value to anything, it just snaps back to what it was before. If I change the value in 0008 from 100 to 200, then it affects the value in 000C by 100 points. So, it would end up 223.42836 in 000C.
Now, if I make any changes to any value in 0010, my player automatically dies, why is this? The value right now is around 5.544 but if I change it to 5.55 the player will die. For lower values than 5.55, too.
I wrote the following notes and code today...
Starting over:
Well, I ended up starting from scratch, but this time I'll use AOB injection and use "What Accesses" instead of "What Writes". This time around I quickly found an address that only matches the player. I really want to understand this, so I'll write down what I'm doing and make notes in the comments. If there is something I'm not understanding correctly in my notes, please correct me.
At this point I've already found the player's base health:
Step 1: I showed the disassembler on the following: 390D02DD - F3 44 0F10 61 10 - movss xmm12,[rcx+10]
Step 2: From the disassembler I right clicked on it and selected "Find out what addresses this instruction accesses".
Step 3: I ran around and got hit and hit enemies and still nothing showed up in the window. So that means it's only my player's code right?
Step 4: I then proceeded to go to Tools->Dissect Data/Structures and do the usual. My player's Health ID at the time was 0A91B510, so I did that minus offset 10. Put 0A91B510-10 in the box, then Tools->Define new structure->new. The window populates.
The structure window:
Code:
0000 - Pointer A91B500 : P->52BEED80
0008 - Float A91B508 : 100 //Max Health; It doesn't change.
000C - Float A91B50C : 123.42836 //Actual Health; Snaps back if manually changed.
0010 - Double A91B510 : 5.55068092692731E-315 //If this value is changed the player will die automatically.
0018 - Float A91B518 : 0.05000000075 //I don't know what this is, I don't know if it matters or not.
001C - 4 Bytes (Hex) A91B51C : DEDEDEDE
0020 - 4 Bytes (Hex) A91B520 : DEDEDEDE
0024 - 4 Bytes (Hex) A91B524 : DEDEDEDE
The full script:
Code:
[ENABLE]
aobscanmodule(health,CryGameSDK.dll,F3 44 0F 10 61 10 * * * * 84)
alloc(newmem,$1000,"CryGameSDK.dll"+D02DD)
label(code)
label(return)
newmem:
//I didn't use cmp this time because I was able to find a value that was unique to the player only. The script works without comparing player/enemy, but should I still use it anyway?
push rax //push rax on the stack - uses rax to store some information
mov rax,[rcx+08] //max health - moves the value of rcx+08 into rax (rcx+08 is 123.5975266)
mov [rcx+0C],rax //actual health - moves rax into the value of rcx+0C (rcx+0C is 100)
pop rax //erase rax from the stack - rax is done being used, so erase what's in it
jmp return
code:
movss xmm12,[rcx+10] //didn't touch the original code
jmp return
health:
jmp newmem //changed this from code to newmem since I didn't edit code.
nop
return:
registersymbol(health)
[DISABLE]
health:
db F3 44 0F 10 61 10
unregistersymbol(health)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "CryGameSDK.dll"+D02DD
"CryGameSDK.dll"+D02A9: 66 44 0F 6E D0 - movd xmm10,eax
"CryGameSDK.dll"+D02AE: 48 8B 05 4B 97 7F 00 - mov rax,[CryGameSDK.dll+8C9A00]
"CryGameSDK.dll"+D02B5: 48 8B 88 08 01 00 00 - mov rcx,[rax+00000108]
"CryGameSDK.dll"+D02BC: 45 0F 5B D2 - cvtdq2ps xmm10,xmm10
"CryGameSDK.dll"+D02C0: 48 8B 01 - mov rax,[rcx]
"CryGameSDK.dll"+D02C3: FF 90 E8 01 00 00 - call qword ptr [rax+000001E8]
"CryGameSDK.dll"+D02C9: 66 44 0F 6E C0 - movd xmm8,eax
"CryGameSDK.dll"+D02CE: 48 8B 47 70 - mov rax,[rdi+70]
"CryGameSDK.dll"+D02D2: 48 8B 88 30 25 00 00 - mov rcx,[rax+00002530]
"CryGameSDK.dll"+D02D9: 45 0F 5B C0 - cvtdq2ps xmm8,xmm8
// ---------- INJECTING HERE ----------
"CryGameSDK.dll"+D02DD: F3 44 0F 10 61 10 - movss xmm12,[rcx+10]
// ---------- DONE INJECTING ----------
"CryGameSDK.dll"+D02E3: F3 44 0F 11 84 24 20 01 00 00 - movss [rsp+00000120],xmm8
"CryGameSDK.dll"+D02ED: E8 6E AC 00 00 - call CryGameSDK.dll+DAF60
"CryGameSDK.dll"+D02F2: 48 8B 4F 70 - mov rcx,[rdi+70]
"CryGameSDK.dll"+D02F6: 48 8B 81 38 25 00 00 - mov rax,[rcx+00002538]
"CryGameSDK.dll"+D02FD: 48 8B 89 48 25 00 00 - mov rcx,[rcx+00002548]
"CryGameSDK.dll"+D0304: F3 44 0F 5E E0 - divss xmm12,xmm0
"CryGameSDK.dll"+D0309: F3 44 0F 10 78 10 - movss xmm15,[rax+10]
"CryGameSDK.dll"+D030F: F3 44 0F 10 68 0C - movss xmm13,[rax+0C]
"CryGameSDK.dll"+D0315: E8 46 AC 00 00 - call CryGameSDK.dll+DAF60
"CryGameSDK.dll"+D031A: 48 8B 4F 70 - mov rcx,[rdi+70]
}
The only thing now that I find weird is that when the script is enabled it shows 123.5/100. See in screenshot. And as I explained further above, when I change the value in 0008 the health snaps back to what it was.
[Attachment: screenshot]
ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
Posted: Thu Sep 15, 2016 4:55 pm Post subject:
You're treating the value at the address +10 as a double when it should be treated as a float. The address at +8 isn't important and should be ignored.
Now that you have an instruction which only accesses your health, do the same thing you did with DB's advice. Don't make things more complicated than they need to be.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Taibreah Cheater Reputation: 0
Joined: 19 Mar 2014 Posts: 35
Posted: Thu Sep 15, 2016 8:01 pm Post subject:
This worked, thanks! Can you explain to me why the other ones didn't work? They were both originally using newmem: mov [rcx+10],(Float)999. Is it because of the originalcode: movss xmm0,[rcx+10] & originalcode: movss [rcx+10],xmm0 being incorrect? I also don't understand "treating the value at the address +10 as a double when it should be treated as a float". Does that mean they are two different values, and the one that I saw in the dissect window is not the same as the one in the opcodes? Sorry for all the questions, you've all been very helpful and I appreciate it.
Code:
[ENABLE]
alloc(health,2048,"CryGameSDK.dll"+DA794)
label(returnhere)
label(originalcode)
label(exit)
health:
mov [rcx+10],(Float)999
originalcode:
movss xmm12,[rcx+10]
exit:
jmp returnhere
"CryGameSDK.dll"+DA794:
jmp health
returnhere:
[DISABLE]
dealloc(health)
"CryGameSDK.dll"+DA794:
movss [rcx+10],xmm0
//Alt: db F3 0F 11 41 10
Zanzer I post too much Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Thu Sep 15, 2016 8:47 pm Post subject:
You keep changing up your injection point to different locations.
First location failed because it was used by the enemy too.
Second location failed because you were using a CMP and it was messing up the previous compare's flags.
The final location works because it's already player only and you're simply setting an address.
ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
Posted: Thu Sep 15, 2016 8:52 pm Post subject:
Quote:
I originally wrote it this way:
newmem:
movss [rcx+10],(Float)999
At first you thought the value type at that address was a float. I'm assuming you modified this value and it had a correlative effect on your health in-game.
Quote:
Now, if I make any changes to any value in 0010, my player automatically dies... The value right now is around 5.544....
The structure window:
Code:
0000 - Pointer A91B500 : P->52BEED80
0008 - Float A91B508 : 100 //Max Health; It doesn't change.
000C - Float A91B50C : 123.42836 //Actual Health; Snaps back if manually changed.
0010 - Double A91B510 : 5.55068092692731E-315 //If this value is changed the player will die automatically.
...
Here you thought the value type at that address was a double, and that changing the value would cause your player to die. I'm not sure why you thought the value magically changed types, but I'm guessing it's because you didn't notice it and just believed CE when it told you that it's a double. CE isn't psychic; it's not always correct in its guesses about values' types.
What's important is that the game consistently treats that value as a float. This is evident by the instructions that access that address: namely, movss, an instruction that is used to move single-precision floating point data (i.e. the "float" value type).
The reason why it was crashing for you when you changed that value was because you were changing it as if it were a double when it wasn't. This could have modified not only those 4 bytes abnormally but also the 4 bytes after it (no clue what that value is used for). Those first 4 bytes probably would've only set your health to a weird value (e.g. easy to kill), but modifying those other 4 bytes could've crashed the game.
Your third script (the one before your current working one) didn't work because you were trying to modify a value that had little to do with your health. Just because something looks like it could be important doesn't mean it is.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
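An added illustration of the float-versus-double point above (my own Python, not code from the thread or from Cheat Engine): it unpacks the 8 bytes CE labelled a double at +10 into the float that movss actually loads plus the dword at +14, shows what typing 5.55 into that slot as a double does to both, and shows the 4-byte encoding CE produces for (float)999 in a 32-bit mov immediate. CE_DOUBLE_AT_10 is the value from the dissect window quoted above; everything else is constructed here.

```python
import struct

# From the thread: CE's dissect window showed the 8 bytes at offset +10 as the
# double 5.55068092692731E-315, while the game reads that slot with movss,
# a 4-byte single-precision load.
CE_DOUBLE_AT_10 = 5.55068092692731E-315


def reinterpret_as_float(double_value):
    """Return (float at +10, raw dword at +14) for the 8 bytes CE displayed as
    one double. The low 4 bytes are what movss loads; the high 4 belong to
    whatever field follows."""
    raw = struct.pack("<d", double_value)            # little-endian, as in memory
    low_float, high_dword = struct.unpack("<fI", raw)
    return low_float, high_dword


def edit_slot_as_double(new_double):
    """Simulate typing a new 'double' (e.g. 5.55) into the +10 slot: both the
    float the game uses and the 4 bytes after it are overwritten."""
    return struct.unpack("<fI", struct.pack("<d", new_double))


def float_immediate_bytes(value):
    """The 4-byte little-endian encoding CE's (float)999 becomes in
    'mov [rcx+10],(float)999' (a dword immediate holding an IEEE-754 float)."""
    return struct.pack("<f", value).hex(" ")


if __name__ == "__main__":
    health, tail = reinterpret_as_float(CE_DOUBLE_AT_10)
    print(f"float at +10: {health:.3f}, dword at +14: {tail:#010x}")
    broken, tail = edit_slot_as_double(5.55)
    print(f"after editing as double 5.55: float at +10 = {broken:.3g}, "
          f"dword at +14 = {tail:#010x}")
    print("(float)999 encodes as:", float_immediate_bytes(999.0))
```

Read as a float, the "tiny double" is a health value of roughly 123, and the high dword is zero; writing 5.55 as a double drops the float to about 4e-8 (the player dies) and stamps 0x40163333 over the next field.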
Taibreah Cheater Reputation: 0
Joined: 19 Mar 2014 Posts: 35
Posted: Tue Sep 20, 2016 10:59 pm Post subject:
Thanks for all the help, guys. I have a much clearer understanding now, but I will still continue to learn more.