Cheat Engine

Bartimaeus · How do I cheat? Reputation: 0 Joined: 22 Dec 2013 Posts: 8

Hi, I am trying to write my first script and need some help, I have found 2 multilevel pointers in a game and want to make them into aobscan scripts.

I have found how to do that but I can’t seem to get it to work because I probably have it set up wrong.

What I want is when I check the box in the script for it to find the array and freeze or don’t use the mana and gold but I’m not sure what command to give it to do that.

The mana line is CraftWorld.exe+E1884 - F3 0F11 46 1C - movss [esi+1C],xmm0

The gold line is CraftWorld.exe+57A83 - 01 5F 4C - add [edi+4C],ebx

My array for mana is F3 0F 11 46 1C 76 05 F3 0F 11 4E 1C 0F 57 C0 0F 2F 46 1C

I still need to find the array for gold but I can add it later.

So what command would I put in the newmem area for each to freeze it or to not use it?

UnIoN · Posted: Wed Jan 01, 2014 1:59 am Post subject:

thats not lua but auto assemble (asm)?

for gold aob, click on disassembler and read bytes near opcode?

you know that you can do a aob scan in ce to verify that he finds your aob first (or only) ?

btw. the gold line is for "add"... if you want to stop decreasing when bying you need othere line with "dec"...

Bartimaeus · How do I cheat? Reputation: 0 Joined: 22 Dec 2013 Posts: 8

OK I think I have it so far.
Thanks goes to UnIoN, Rydian, and Geri for their help and Tutorials.

This is my script,

UnIoN · Posted: Wed Jan 01, 2014 12:10 pm Post subject:

in asm you have two options
1. set gold every time to a choosen value
2. compare with value 0 and set than to a choosen value only if 0

Bartimaeus · How do I cheat? Reputation: 0 Joined: 22 Dec 2013 Posts: 8

I tried,

UnIoN · Posted: Wed Jan 01, 2014 2:59 pm Post subject:

please provide more lines from mana (above and under)

Bartimaeus · How do I cheat? Reputation: 0 Joined: 22 Dec 2013 Posts: 8

Here,

UnIoN · Posted: Wed Jan 01, 2014 5:56 pm Post subject:

so this opcodes are operating when you loose some mana?

then (assuming xmm0 holds you reduced mana, and xmm1 holds you max mana):

Bartimaeus · How do I cheat? Reputation: 0 Joined: 22 Dec 2013 Posts: 8

So this is my script,

UnIoN · Posted: Thu Jan 02, 2014 3:34 am Post subject:

you are doing a lot wrong

1. at your injection line, you have still a nop command, the array of bytes for movss [esi+1C],xmm0 should be 5 bytes long, your code injection jmp newmem, nop is 6 bytes long and is destroying the gamecode, that is causing your crash.

2. asm executes your code 1 command per line so when you write

Bartimaeus · How do I cheat? Reputation: 0 Joined: 22 Dec 2013 Posts: 8

Thank you UnIoN for all your help Smile

I have learned a lot from you. Here are the 2 finished scripts if you want to see them.

UnIoN · Posted: Fri Jan 03, 2014 3:36 am Post subject:

1. your aob is good, aob stands for "array of bytes" (opcodes written in bytes). with this you can search for a pattern that is (hopefully) everytime the game reloads the same.
aob can help to make your table work for future releases, but you dont know it, it can be for example that the offset from [esi+1C] will change to [esi+1A]. you dont know it.
the main reason why aob exists, is that some games are creating their code dynamically at runtime. for example when it loads a new level. so that your code that you wanna manipulate will always be at a different address. aob scans for your pattern and finds the new address.

the counterpart, you dont know when the game loads new array of bytes that will slightly be the same as your pattern and that can break your code.
other counterpart is, on some games (big library files) it can take up to 10 seconds when you click on activate on the table until it takes effect

2. just my experience while dealing with opcodes, movss and the SSE registers (xmm0...). if you create a code injection (jmp newmem) it normally needs 5 bytes. but i still am learning too, i am not a ASM developer. if yes i would give you more detailed information why that statement is X's bytes long

3. you will find out, a lot games are using the same code to do different things. the hard part will come, if you need to manipulate this only if you want, for example, when the code will be used for your health, enemys health, health displaying, movements etc... all at the same time...

the worst case i have encountered until now is with games created with "RPG Mager". almost all game logic is using the same code

Bartimaeus · How do I cheat? Reputation: 0 Joined: 22 Dec 2013 Posts: 8

Thanks UnIoN you have been a great help.

justa_dude · Posted: Fri Jan 03, 2014 7:39 pm Post subject:

The jump to your code-cave assembles into five bytes of machine code. You can determine how many (if any) nops you need by looking at the bits that you're overwriting with your jump. You didn't include byte-code with your snippets, and I'm not able to guess from memory, but you can look in the memory viewer at the code you're replacing and work it out... if the opcode you're injecting at is less than five bytes, then you must include the next and the next until they add up to five or more bytes. Then, if the number is greater than five you have to pad your jump with nops (which are one byte each) equal to the remainder. One of the nice features of the templates that the autoassembler provides is that it can compute the necessary number of nops and set it up for you automagically. Just select the line you want to hack, do a ctrl+a to bring up the autoassembler, then choose to add a table framework and a code injection.