How to identify the right opcode???
Cheat Engine Forum Index -> General Gamehacking
liledition
Cheater
Reputation: 0

Joined: 12 Sep 2014
Posts: 49

Posted: Tue Feb 10, 2015 3:43 am    Post subject: How to identify the right opcode???

Hello

How do I identify the right opcode for an AA script? There are always more than one and they all look very similar... Can anyone give me some hints on this?

Example:

Code:

0BE602CF - 0F7E 86 F0000000  - movd [esi+000000F0],mm0
0BE631AD - F3 0F7E 80 F0000000  - movq xmm0,[eax+000000F0]
0BE63659 - F3 0F7E 81 F0000000  - movq xmm0,[ecx+000000F0]
0C49B26C - F3 0F7E 8A F0000000  - movq xmm1,[edx+000000F0]
0C5E5B27 - F3 0F7E 8A F0000000  - movq xmm1,[edx+000000F0]
0C61403B - F3 0F7E 80 F0000000  - movq xmm0,[eax+000000F0]
0C614047 - 66 0FD6 80 F0000000  - movq [eax+000000F0],xmm0
0C6141EA - F3 0F7E 88 F0000000  - movq xmm1,[eax+000000F0]


This is after one hit on me (hp dmg). I am trying to do godmode (it is a flash game).
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5627

Posted: Tue Feb 10, 2015 4:53 am    Post subject:

Check all of them to see if any of those codes are accessing your health only.
_________________
My trainers can be found here: http://www.szemelyesintegracio.hu/cheats

If you are interested in any of my crappy articles/tutorials about CE and game hacking, you can find them here:
http://www.szemelyesintegracio.hu/cheats/41-game-hacking-articles

Don't request cheats or updates.
aikoncwd
Grandmaster Cheater
Reputation: 23

Joined: 21 Dec 2012
Posts: 591
Location: Spain (Barcelona)

Posted: Tue Feb 10, 2015 10:41 am    Post subject:

Use this option:



This will show if an opcode is accessing more than 1 address at the same time. Then pick the opcode with (1) access. If every opcode is accessing more than 1 address (shared code), then press "More Information" and use that info (registers or StackView) to dissect and determine the correct address.


_________________
Hey Hitler
Test your skill with CheatEngine here: I coded a challenge for you. Try to beat it!
HERE
liledition
Cheater
Reputation: 0

Joined: 12 Sep 2014
Posts: 49

Posted: Tue Feb 10, 2015 1:25 pm    Post subject:

Well here

All of them access only health address...



[attached image: opcode.jpg]

Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5627

Posted: Tue Feb 10, 2015 1:59 pm    Post subject:

Then just pick one that you like.
liledition
Cheater
Reputation: 0

Joined: 12 Sep 2014
Posts: 49

Posted: Tue Feb 10, 2015 2:41 pm    Post subject:

And can you tell me what is wrong with this script?

Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
push eax //place your code here
mov eax,[_player+b8] //this is toughness
add eax,eax
add eax,#65 //max hp is (2*toughness)+65
mov [esi+000000F0],eax
pop eax

originalcode:
movd [esi+000000F0],mm0

exit:
jmp returnhere

0BE602CF:
jmp newmem
nop
nop
returnhere:


 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
0BE602CF:
movd [esi+000000F0],mm0
//Alt: db CC 7E 86 F0 00 00 00
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5627

Posted: Tue Feb 10, 2015 2:56 pm    Post subject:

Yes, you have used wrong instructions and value type. Your value is double and you are using instructions for integers instead.

Since you are clearly not familiar with handling double values at the moment, I recommend just forcing a static value instead of trying to go for the max HP (in other words, freeze the value to some fixed amount).
You can do that with mov instructions and it will work, just don't forget that you have to modify 8 bytes, not only 4.

If you insist on doing it the hard way, you have to use instructions for float values and if toughness is an integer, you also have to convert it to double.

Or you can find an address where max HP is stored and copy the max HP to the current HP, which is also possible with mov instructions.

liledition
Cheater
Reputation: 0

Joined: 12 Sep 2014
Posts: 49

Posted: Tue Feb 10, 2015 4:34 pm    Post subject:

Quote:
If you insist on doing it the hard way, you have to use instructions for float values and if toughness is an integer, you also have to convert it to double.


Toughness value is double. _player+b8 = address of double value 15... max hp is 2*x+65 where x=toughness... there is not too much about float instructions here, or I didn't look in the right tutorials. I found some: fld, fadd, fstp, but with little explanation of what they do and how to use them...

I didn't find a max hp value, and when I try to freeze hp it slows down the game and usually crashes after a while... I don't think there is a max hp value, because if I set hp to 1000 when my actual max is 95 it will not jump back to 95 but decrease from 1000 when I get hit...
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5627

Posted: Tue Feb 10, 2015 5:38 pm    Post subject:

If health will not jump back to some max HP value, then why don't you just change health to a really high amount instead of freezing it? Then you wouldn't run out of health and you don't have to freeze it.

As for float instructions, they work differently from the ones that you have used for integers.

fld will load the first value (e.g. toughness). Then you can use fadd to add a certain amount to it. Keep in mind that you have to add a float value to a float value, not an integer, and that float instructions will not accept a number as parameter, so you have to store (double)65 at an address.

When you are done, use fstp to store the value where you want it to be (e.g. store it at the health address).
You also have to use qword instead of dword, because your value is double.

liledition
Cheater
Reputation: 0

Joined: 12 Sep 2014
Posts: 49

Posted: Tue Feb 10, 2015 6:31 pm    Post subject:

Quote:
If health will not jump back to some max HP value, then why don't you just change health to a really high amount instead of freezing it? Then you wouldn't run out of health and you don't have to freeze it.


Because hp has a graphic bar, and with a higher value than max it goes right through the middle of the screen, so you can't see things behind the bar...

I changed the script a little, but there is still something wrong with the instructions...

Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
label(_add)
registersymbol(_add)

newmem: //this is allocated memory, you have read,write,execute access
_add:
push eax
mov eax,db65
mov [_add],eax
fld qword [_add]
fld qword [_player+b8]
fadd [_player+b8]
fadd [_add]
fst qword [esi+000000F0]
pop eax

originalcode:
movd [esi+000000F0],mm0

exit:
jmp returnhere

0BE602CF:
jmp newmem
nop
nop
returnhere:


 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
0BE602CF:
movd [esi+000000F0],mm0
//Alt: db CC 7E 86 F0 00 00 00


It sets hp to 15 (I guess the toughness value [_player+b8]) and it crashes the game.


PS: sorry for my English...
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5627

Posted: Tue Feb 10, 2015 6:50 pm    Post subject:

Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem+500:
dq 4050400000000000        //this is (double)65 in hex, stored on a randomly chosen empty location in newmem

newmem: //this is allocated memory, you have read,write,execute access
movd [esi+000000F0],mm0 //this comes first, or your code is useless
fld qword ptr [_player+b8]     //load toughness
fadd qword ptr [_player+b8]   //add toughness to double it
fadd qword ptr [newmem+500]   //add 65
fstp qword ptr [esi+000000F0]     //save the value on health


originalcode:

exit:
jmp returnhere

0BE602CF:
jmp newmem
nop
nop
returnhere:


 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
0BE602CF:
movd [esi+000000F0],mm0
//Alt: db CC 7E 86 F0 00 00 00


But I have no idea how you get toughness, because it's not defined in this script.

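Added example (not code from the thread or from Cheat Engine), in Python rather than CE assembler, covering Geri's fld/fadd/fstp explanation above and the corrected script in this post: it computes the hex digits written after `dq` for a double (checking the (double)65 constant), and models the x87 register stack to compare the balanced fld/fadd/fadd/fstp sequence with the earlier fld/fld/fadd/fadd/fst one. It assumes that a size-less `fadd [addr]` assembles as a dword (float) read and that `[_add]` holds (double)65; both are assumptions, not facts stated in the thread.

```python
import struct

def double_to_dq(value: float) -> str:
    """Hex digits for a CE `dq` line, e.g. `dq 4050400000000000` for (double)65."""
    return struct.pack(">d", value).hex().upper()

def dq_to_double(hex_digits: str) -> float:
    """Decode the 16 hex digits written after `dq` back to a double."""
    return struct.unpack(">d", bytes.fromhex(hex_digits))[0]

def low_dword_as_float(d: float) -> float:
    """What a dword-sized (float) read of the first 4 bytes of a double yields."""
    return struct.unpack("<f", struct.pack("<d", d)[:4])[0]

class X87:
    """8-slot x87 stack model: fld pushes, fadd adds into st0, fst keeps, fstp pops."""
    def __init__(self) -> None:
        self.st: list[float] = []
    def fld(self, v: float) -> None:
        if len(self.st) == 8:  # real hardware would silently load the indefinite NaN
            raise OverflowError("x87 stack overflow")
        self.st.insert(0, v)
    def fadd(self, v: float) -> None:
        self.st[0] += v
    def fst(self) -> float:
        return self.st[0]
    def fstp(self) -> float:
        return self.st.pop(0)

def run_fixed_script(toughness: float, hits: int) -> tuple[float, int]:
    """Geri's sequence per hit: fld / fadd / fadd qword [newmem+500] / fstp -> (hp, stack depth)."""
    fpu, hp = X87(), 0.0
    for _ in range(hits):
        fpu.fld(toughness)
        fpu.fadd(toughness)
        fpu.fadd(dq_to_double("4050400000000000"))
        hp = fpu.fstp()
    return hp, len(fpu.st)

def run_posted_script(toughness: float, hits: int) -> tuple[float, int]:
    """liledition's sequence per hit: two fld, two size-less fadd (assumed to
    assemble as dword reads, so only the low 4 bytes of each double count), fst."""
    fpu, hp = X87(), 0.0
    for _ in range(hits):
        fpu.fld(65.0)
        fpu.fld(toughness)
        fpu.fadd(low_dword_as_float(toughness))
        fpu.fadd(low_dword_as_float(65.0))
        hp = fpu.fst()  # no pop: two entries stay on the stack every hit
    return hp, len(fpu.st)
```

With toughness 15 the balanced sequence writes 95 and leaves the stack empty, while the unbalanced one writes 15 (the low dword of a small double is zero) and grows the stack by two per hit, overflowing on the fifth hit.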
aikoncwd
Grandmaster Cheater
Reputation: 23

Joined: 21 Dec 2012
Posts: 591
Location: Spain (Barcelona)

Posted: Tue Feb 10, 2015 6:50 pm    Post subject:

Hey, read this:

http://forum.cheatengine.org/viewtopic.php?p=5572126

Your original opcode is doing this:

Code:
movd [esi+000000F0],mm0


Then you can modify mm0, like this:

Code:

label(newvalue)

code:
movd xmm0,[newvalue]
movd [esi+000000F0],mm0
jmp return

newvalue:
dq (float)999


You need to define a new label and assign the value with dd or dq (double or quadra), then use movd or movq [label]

liledition
Cheater
Reputation: 0

Joined: 12 Sep 2014
Posts: 49

Posted: Tue Feb 10, 2015 7:44 pm    Post subject:

Quote:
But I have no idea how do you get toughness, because it's not defined in this script.


I have another script that defines _player + a table with offsets for stats

Code:
[ENABLE]
aobscan(player, 80 40 ?? ?? 03 00 00 ?? ?? ?? ?? 06 ?? ?? ?? 07 ?? 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 68 D2 ?? ?? 68 D2 ?? ?? 68 D2 ?? ?? 68 D2)
label(_player)
registersymbol(_player)

player:
_player:

[DISABLE]
unregistersymbol(_player)


I tried your script but it didn't work...

Quote:
You need to define a new label and asign the value with dd or dq (double or quadra), then use movd or modq [label]


Tried like this and it didn't work...

Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem+500:
dq 408F380000000000

newmem: //this is allocated memory, you have read,write,execute access
movd xmm0,[newmem+500]
movd [esi+000000F0],mm0
jmp returnhere

originalcode:
movd [esi+000000F0],mm0

exit:
jmp returnhere

0BF3031F:
jmp newmem
nop
nop
returnhere:


 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
0BF3031F:
movd [esi+000000F0],mm0
//Alt: db 0F 7E 86 F0 00 00 00
aikoncwd
Grandmaster Cheater
Reputation: 23

Joined: 21 Dec 2012
Posts: 591
Location: Spain (Barcelona)

Posted: Tue Feb 10, 2015 7:54 pm    Post subject:

The script works, you only need to use dq or dd in your example.

Try another thing... look at some opcodes above and find where mm0 gets the value, imagine this:

Code:

...
...
movd xmm0,[edi+50] //here is where mm0 get the value
movd xmm1,[edi+60]
...
...
subsd xmm0,xmm1
...
...

...
movd [esi+000000F0],mm0 //original opcode


Then do this:

Code:

...
...
mov [edi+50],(double)99999 //here is where I set my newvalue
movd xmm0,[edi+50] //here is where mm0 get the value (9999)
movd xmm1,[edi+60]
...
...
subsd xmm0,xmm1
...
...

...
movd [esi+000000F0],mm0 //original opcode "modified"


But seriously, read the link I posted above, it works if you use dq or dd and movd or movq in your example.

=============================

Or try this:

Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
label(newvalue)

newmem:
movd mm0,[newvalue]
jmp originalcode

originalcode:
movd [esi+000000F0],mm0
jmp returnhere

exit:
jmp returnhere

newvalue:
dd (float)500

0BF3031F:
jmp newmem
nop
nop
returnhere:


 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
0BF3031F:
movd [esi+000000F0],mm0
//Alt: db 0F 7E 86 F0 00 00 00

Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5627

Posted: Tue Feb 10, 2015 8:02 pm    Post subject:

Be more specific. What didn't work and what happens exactly?
You should also try code injection on some other codes, maybe this one is not working after all.
