Cheat Engine The Official Site of Cheat Engine
NanoByte Expert Cheater
Reputation: 1
Joined: 13 Sep 2013 Posts: 222
Posted: Fri May 30, 2014 9:05 am Post subject: Need Advice :D Help Me WouldYouKindly
I'm trying to make godmode, but the problem is that the code is shared with everyone, so if I give it to me every NPC gets it too, and there is no ID that separates them from you. So this is what I came up with:
// health address stays the same until you die and get another one
I want to find the first address (or value) that gets edited by the code (movss [rcx+18],xmm1) and validate with that, damage yourself and get godmode.
Just point me in the right direction, thx.
Any sort of advice is appreciated.
This is my old code:
Code:
memxm:
dq (float)0
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
//cmp [rcx+1C],(float)100
cmp [rcx+1C],(float)100 //I'm validating with maximum health, but some NPCs have the same amount of maximum health as you, so they get GM also
je pl
jmp en
en: //1hit kill
cmp [hkval],0
je originalcode
movss xmm1,[memxm]
jmp exit
pl: //godmode
cmp [rcx+40],0 //trying to filter out enemy
je en
cmp [rcx+A2C],(float)0 //trying to filter out enemy
je en
cmp [gmval],1
je exit
originalcode:
movss [rcx+18],xmm1
justa_dude Grandmaster Cheater
Reputation: 23
Joined: 29 Jun 2010 Posts: 891
Posted: Fri May 30, 2014 11:14 am
You could try something like this (untested):
Code:
cmp [memxm],0
jne @f
push rax
lea rax,[rcx+18]
mov [memxm],rax
pop rax
jmp originalcode
@@:
push rax
lea rax,[rcx+18]
cmp rax,[memxm]
pop rax
je pl
jmp en
_________________
A nagy kapu mellett, mindig van egy kis kapu.
----------------------
Come on...
NanoByte Expert Cheater
Reputation: 1
Joined: 13 Sep 2013 Posts: 222
Posted: Fri May 30, 2014 1:59 pm Post subject: Main man :D
Thx a lot man, it works, but if u got some time to explain your code to me, it's better to know why instead of just copy paste.
Code:
push rax //could I have used any register here? eax, esi, r10d etc?
lea rax,[rcx+18] // why lea instead of mov? what did the lea command store in rax, address or value?
mov [vali],rax
pop rax
jmp newmem
@@:
push rax
lea rax,[rcx+18]
cmp rax,[vali]
pop rax
justa_dude Grandmaster Cheater
Reputation: 23
Joined: 29 Jun 2010 Posts: 891
Posted: Fri May 30, 2014 2:41 pm
justa_dude wrote:
You could try something like this (untested):
Code:
cmp [memxm],0 - have we already recorded an address (that we presume is the player)?
jne @f - if we have, skip to @@
-- save first-time address
push rax - we don't see enough of your code to guess which registers might be free for us to use, so save rax and use it for temp
lea rax,[rcx+18] - save a ptr to health or damage or whatever it is you're hacking
mov [memxm],rax - move ptr into alloc space
pop rax - restore rax
jmp originalcode - done
@@:
-- already have saved address, compare new one against it
push rax
lea rax,[rcx+18]
cmp rax,[memxm]
pop rax
je pl
jmp en
NanoByte wrote: could I have used any register here? eax, esi, r10d etc?
I wouldn't use eip or esp or whatever, but most are fine. If we saw more of your code, we could probably find one or more registers guaranteed to be written before being read and therefore safe to overwrite. Since we're moving a qword around, you're going to want to stick to the 64-bit registers (rax vs eax, rsi vs esi, etc).
NanoByte wrote: why lea instead of mov? what did the lea command store in rax, address or value?
lea = load effective address. I don't want the value inside [ecx+18] (the health or whatever), I want the address (pointer) it is stored in, because although the value isn't unique to the player the address probably is.
Again, I haven't tested this and I'm exceedingly ignorant when it comes to x64, but that's the basic idea. It really would be better if you could find a unique identifier (perhaps using the dissect structure tool, e.g. step 9 in the tutorial). It may be as simple as just looking at the value of [rcx].
_________________
A nagy kapu mellett, mindig van egy kis kapu.
----------------------
Come on...
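The address-versus-value distinction justa_dude explains above, worked through as an added C example; this is not code from the thread or from Cheat Engine. It assumes a constructed struct layout (health at +0x18, maximum health at +0x1C, matching the offsets the scripts use) and models the hooked instruction as a plain function; the names `hooked_health_write`, `is_recorded_player` and `g_player_health_ptr` are placeholders standing in for the script's `newmem` and `memxm`. It also shows why the advice to stay on 64-bit registers matters: comparing only the low 32 bits of two pointers, which is all `lea eax` would keep, can report two different objects as the same one.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the object the hook sees in rcx: the scripts write
 * the new health to [rcx+18] and read maximum health from [rcx+1C]. */
typedef struct {
    uint8_t pad[0x18];
    float health;      /* [rcx+18] */
    float max_health;  /* [rcx+1C] */
} entity_t;

/* Plays the role of the allocated qword `memxm`: the first health address seen
 * after activation (hypothetical name, not the script's). */
static float *g_player_health_ptr = NULL;

/* Value check from the first script: cmp [rcx+1C],(float)100.
 * Any NPC whose maximum is also 100 passes, which is the bug NanoByte hit. */
int is_player_by_value(const entity_t *e) {
    return e->max_health == 100.0f;
}

/* Address check from justa_dude's reply. `lea rax,[rcx+18]` yields the address
 * of the health field without reading it (a `mov` would load the value).
 * The first call records the address and reports "not yet known" so the
 * original write goes through, like `jmp originalcode`; later calls compare. */
int is_recorded_player(entity_t *e) {
    float *p = &e->health;               /* lea rax,[rcx+18] */
    if (g_player_health_ptr == NULL) {   /* cmp [memxm],0 ; jne @f */
        g_player_health_ptr = p;         /* mov [memxm],rax */
        return 0;
    }
    return p == g_player_health_ptr;     /* cmp rax,[memxm] ; je pl */
}

/* The hooked instruction, movss [rcx+18],xmm1: with godmode on, writes to the
 * recorded player object are skipped and every other object is updated. */
void hooked_health_write(entity_t *e, float new_health, int godmode) {
    if (godmode && is_recorded_player(e))
        return;
    e->health = new_health;
}

float *recorded_player_health_ptr(void) { return g_player_health_ptr; }

/* Daijobu's reset idea: clear the stored address so the next write re-records
 * the player after a death. */
void reset_player_ref(void) { g_player_health_ptr = NULL; }

/* Why the 64-bit registers matter: keeping only the low 32 bits of a pointer
 * (what `lea eax` would leave) can make two different objects compare equal.
 * Returns 1 when the truncated compare matches but the full pointers differ.
 * Assumes a 64-bit build, where uintptr_t holds the whole address. */
int truncated_compare_collides(uintptr_t a, uintptr_t b) {
    return (uint32_t)a == (uint32_t)b && a != b;
}

int main(void) {
    /* Constructed sample: a player and an NPC with the same maximum health. */
    entity_t player = { .health = 100.0f, .max_health = 100.0f };
    entity_t npc    = { .health = 100.0f, .max_health = 100.0f };

    printf("value check calls the NPC a player: %d\n", is_player_by_value(&npc));

    hooked_health_write(&player, 40.0f, 1);  /* first hit: recorded, damage applies */
    hooked_health_write(&player, 5.0f, 1);   /* later hits on the player are skipped */
    hooked_health_write(&npc, 5.0f, 1);      /* the NPC still takes damage */
    printf("player %.0f, npc %.0f\n", player.health, npc.health);   /* 40, 5 */

    /* Two constructed addresses that differ only above bit 31. */
    printf("low-32-bit collision: %d\n",
           truncated_compare_collides((uintptr_t)0x00007FF600001018ULL,
                                      (uintptr_t)0x00007FF700001018ULL));
    return 0;
}
```

The value check is the one NanoByte started with and it cannot tell two objects with the same maximum apart; the address check keys on object identity, which is why the first recorded write has to be the player's own (hence "damage yourself"). The reset function is where Daijobu's observation about [rcx+18] being zeroed on death would hook in.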
NanoByte Expert Cheater
Reputation: 1
Joined: 13 Sep 2013 Posts: 222
Posted: Fri May 30, 2014 3:54 pm
Yeah, dissect data/structure was the first place I went,
but there were few addresses that had a different group value,
like this:
pl           en1  en2  en3  en4
High number  0    0    0    0
but still it was very buggy, some NPCs still got GM.
Code:
label(_valih)
registersymbol(_valih)
aobscan(vali,70 17 AF F6 FF 7F 00 00 ?? ?? ?? ?? 00 00 00 00 13 23 DA CE 01 00 00 00 ?? ?? ?? 42 00 00 C8 42)
vali:
_valih:
[DISABLE]
unregistersymbol(_valih)
This code gives me the new health value, but I have to reactivate the code each time I die to get the new value; trying to integrate this with the other code somehow, brainstorming this shit.
justa_dude Grandmaster Cheater
Reputation: 23
Joined: 29 Jun 2010 Posts: 891
Posted: Fri May 30, 2014 5:12 pm
Yup. Writing code is a left brain + right brain process, so too, then, hacking must be.
_________________
A nagy kapu mellett, mindig van egy kis kapu.
----------------------
Come on...
Daijobu Master Cheater
Reputation: 13
Joined: 05 Feb 2013 Posts: 301 Location: the Netherlands
Posted: Fri May 30, 2014 7:30 pm
When the player dies in Watch Dogs the [rcx+18] value is set to 0 during loading. You could use this to reset the [memxm] stored value to 0 and have it load the renewed address.
When the God Mode is enabled the value will always be 100. When scripted events kill the player the value is set to 0.
NanoByte Expert Cheater
Reputation: 1
Joined: 13 Sep 2013 Posts: 222
Posted: Sat May 31, 2014 5:08 am
Good idea Daijobu, but I must find another place to hook, because [rcx+18] only triggers when you get damaged or do damage to others.
Daijobu Master Cheater
Reputation: 13
Joined: 05 Feb 2013 Posts: 301 Location: the Netherlands
Posted: Sat May 31, 2014 9:12 am
There are other places where [rcx+18] for player health is continuously accessed by the game.
You could add a second hook to such an address and grab the player health address from there to match with [rcx+18],xmm1.
EDIT:
Addendum, this seems to work perfectly:
Code:
[ENABLE]
//Allocations
alloc(_wd64GodMode,256,"Disrupt_b64.dll")
//Labels
label(_wd64God_var_1)
label(_wd64God_var_2)
//
label(_wd64GodMode_return)
label(_wd64GodMode_exit)
//
label(_wd64God_Enabled)
label(_wd64God_Disabled)
//
label(_wd64_Godmode_aob_jmp_1)
label(_wd64_Godmode_aob_jmp_2)
//
registersymbol(_wd64_Godmode_aob_jmp_1)
registersymbol(_wd64_Godmode_aob_jmp_2)
//
{This one's gonna break with a game update}
aobscanmodule(_wd64_Godmode_aob_1,Disrupt_b64.dll,F3 0F 10 41 18 C3 CC CC CC CC CC CC CC CC CC CC F3 0F 10 41 1C)//"Disrupt_b64.dll"+181B510
aobscanmodule(_wd64_Godmode_aob_2,Disrupt_b64.dll,48 83 79 08 00 F3 0F 11 49 18)//"Disrupt_b64.dll"+184FB9B
_wd64GodMode+0:
_wd64God_var_1:
dd 0
_wd64GodMode+8:
_wd64God_var_2:
dd 0
{LEA #1 Always Player, load once on activation}
_wd64GodMode+32:
movss xmm0,[rcx+18] {Original Code}
cmp [_wd64God_var_1],0
jne _wd64GodMode_return
push eax
lea eax,[rcx+18]
mov [_wd64God_var_1],eax
pop eax
jmp _wd64GodMode_return
{LEA #2 Active on hit. Player & NPC}
_wd64GodMode+64:
push eax
lea eax,[rcx+18]
mov [_wd64God_var_2],eax
{Compare}
mov eax,[_wd64God_var_1]
cmp eax,[_wd64God_var_2]
je _wd64God_Enabled
jmp _wd64God_Disabled
{Enable or Disable God Mode}
_wd64God_Enabled:
pop eax //pop as return from GodModeCheck
movss [rcx+18],xmm0
jmp _wd64GodMode_exit
_wd64God_Disabled:
pop eax //pop as return from GodModeCheck
movss [rcx+18],xmm1
jmp _wd64GodMode_exit
{Main Addresses}
_wd64_Godmode_aob_1:{"Disrupt_b64.dll"+181B510:}
_wd64_Godmode_aob_jmp_1:
jmp _wd64GodMode+32
_wd64GodMode_return:
_wd64_Godmode_aob_2+5: {"Disrupt_b64.dll"+184FBA0:}
_wd64_Godmode_aob_jmp_2:
jmp _wd64GodMode+64
_wd64GodMode_exit:
[DISABLE]
dealloc(_wd64GodMode)
_wd64_Godmode_aob_jmp_1: {"Disrupt_b64.dll"+181B510:}
db F3 0F 10 41 18
_wd64_Godmode_aob_jmp_2: {"Disrupt_b64.dll"+184FBA0:}
db F3 0F 11 49 18
//
unregistersymbol(_wd64_Godmode_aob_jmp_1)
unregistersymbol(_wd64_Godmode_aob_jmp_2)
NanoByte Expert Cheater
Reputation: 1
Joined: 13 Sep 2013 Posts: 222
Posted: Sat May 31, 2014 5:33 pm
Holy shit ahahah, GrandMaster Cheater!!! Now I can finally take a rest from the godmode shit, it was starting to piss me off.
Daijobu Master Cheater
Reputation: 13
Joined: 05 Feb 2013 Posts: 301 Location: the Netherlands
Posted: Sat May 31, 2014 5:49 pm
I've updated the player reference address. In case you want to add it to your table, you can find it in my latest compilation update!