Cheat Engine The Official Site of Cheat Engine
kagato1980 Cheater
Reputation: 0
Joined: 30 Oct 2020 Posts: 30 Location: The Netherlands
Posted: Mon Feb 15, 2021 11:52 am Post subject: Help me understand this CE script [Frostpunk]
I made some cheats for Frostpunk, but after a day of messing around in the code I couldn't find out how to speed up the 'research tech' process.
I found this trainer that works, but don't understand some parts:
- The ?? used in the scan is probably for compatibility with different versions, I think?
- What does the 'db C7 85', readmem, dd 0 do? Why write it in bytes instead of assembly instructions?
The script looks simple enough, but I wonder how the creator found this part of assembly to change in the first place.
I checked for a timer with all kinds of increase/decrease scans but there were just too many results.
Code:
[ENABLE]
aobscanmodule(FASTRESEARCH,Frostpunk.exe,48 8B 85 ????0000 48 89 44 24 ?? F3) // should be unique
alloc(newmem,$1000,FASTRESEARCH)
label(lblResOrig)
label(lblResStart)
label(return)
label(retResearch)
registersymbol(retResearch)
newmem:
retResearch:
//read 7 bytes = original instruction
//only used to register as symbol
readmem(FASTRESEARCH,7)
lblResStart:
//mov [rbp+000000B8],0
//define byte, but what do they mean?
db C7 85
//Read the '????0000' into mem
//"Writes the memory at the specified address with the specified size to the current location."
readmem(FASTRESEARCH+3,4)
//What does this do?
dd 0
lblResOrig:
//mov rax,[rbp+000000B8]
readmem(FASTRESEARCH,7)
jmp return
FASTRESEARCH:
jmp lblResStart
//nop nop
db 90 90
return:
registersymbol(FASTRESEARCH)
[DISABLE]
FASTRESEARCH:
// db 48 8B 85 B8 00 00 00
readmem(retResearch,7)
unregistersymbol(retResearch)
unregistersymbol(FASTRESEARCH)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "Frostpunk.exe"+12491EB
"Frostpunk.exe"+12491B5: FF 15 D5 DC 9F 00 - call qword ptr [Frostpunk.exe+1C46E90]
"Frostpunk.exe"+12491BB: CC - int 3
"Frostpunk.exe"+12491BC: 48 8D 8F 48 22 00 00 - lea rcx,[rdi+00002248]
"Frostpunk.exe"+12491C3: 48 89 74 24 50 - mov [rsp+50],rsi
"Frostpunk.exe"+12491C8: 48 8D 54 24 30 - lea rdx,[rsp+30]
"Frostpunk.exe"+12491CD: C6 87 41 22 00 00 01 - mov byte ptr [rdi+00002241],01
"Frostpunk.exe"+12491D4: 48 89 6C 24 30 - mov [rsp+30],rbp
"Frostpunk.exe"+12491D9: E8 D2 DB FF FF - call Frostpunk.exe+1246DB0
"Frostpunk.exe"+12491DE: C7 00 01 00 00 00 - mov [rax],00000001
"Frostpunk.exe"+12491E4: 48 89 AF 60 22 00 00 - mov [rdi+00002260],rbp
// ---------- INJECTING HERE ----------
"Frostpunk.exe"+12491EB: 48 8B 85 B8 00 00 00 - mov rax,[rbp+000000B8]
// ---------- DONE INJECTING ----------
"Frostpunk.exe"+12491F2: 48 89 44 24 30 - mov [rsp+30],rax
"Frostpunk.exe"+12491F7: F3 0F 10 44 24 30 - movss xmm0,[rsp+30]
"Frostpunk.exe"+12491FD: 0F 2F C6 - comiss xmm0,xmm6
"Frostpunk.exe"+1249200: 76 0A - jna Frostpunk.exe+124920C
"Frostpunk.exe"+1249202: 48 8B CF - mov rcx,rdi
"Frostpunk.exe"+1249205: E8 26 02 00 00 - call Frostpunk.exe+1249430
"Frostpunk.exe"+124920A: EB 2A - jmp Frostpunk.exe+1249236
"Frostpunk.exe"+124920C: 48 8D 8F 70 22 00 00 - lea rcx,[rdi+00002270]
"Frostpunk.exe"+1249213: 48 C7 01 00 00 80 3F - mov qword ptr [rcx],3F800000
"Frostpunk.exe"+124921A: F3 0F 10 97 6C 22 00 00 - movss xmm2,[rdi+0000226C]
}
Thanks for your help
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4703
Posted: Mon Feb 15, 2021 12:23 pm
kagato1980 wrote: "The ?? used in the scan is probably for compatibility with different versions I think?"
Probably. "?? ?? 00 00" in the pattern is the offset +B8 in the instruction.
kagato1980 wrote: "What does the 'db C7 85', readmem, dd 0 do? Why write it in bytes instead of assembly instructions?"
You don't know what the offset is: it was replaced with wildcards in the aob pattern. Assembling instructions manually with pseudoinstructions is the most direct way of solving that. Lua could also be used but is unnecessary in these simple cases.
"db C7 85, readmem(addr,4), dd 0" is equivalent to "mov [rbp+????????],0". It even says that in the comment above those pseudoinstructions:
Quote:
lblResStart:
//mov [rbp+000000B8],0
db ...
Minor nitpick on the author of that script, but under lblResOrig, it should be using reassemble(FASTRESEARCH) instead of readmem(FASTRESEARCH,7). This doesn't matter in the case of that mov instruction, but there exist location-dependent instructions where using readmem like that would crash the game when the code gets executed.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
sbryzl Master Cheater
Reputation: 6
Joined: 25 Jul 2016 Posts: 252
Posted: Mon Feb 15, 2021 1:04 pm
I wouldn't even jump to a code cave for that. All the table does is zero rax and [rbp+b8]. The following code would then zero [rsp+30] and xmm0. You could do that in 16 bytes or less, and there are 18 bytes available.
Code:
xor rax,rax
mov dword ptr [rsp+0x30],eax
mov dword ptr [rbp+b8],eax
xorps xmm0,xmm0
nop 2
kagato1980 Cheater
Reputation: 0
Joined: 30 Oct 2020 Posts: 30 Location: The Netherlands
Posted: Mon Feb 15, 2021 1:07 pm
Thanks, I assumed the commented-out code was the original code or something. I hope you can clarify one more thing:
If C7 85 equals 'mov rbp', then why do most lines with 'mov' in the trace start with 48 instead of C7?
Is there a list online or some other resource to 'decode' something like 'mov [rbp+000000B8],0' to bytes?
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4703
Posted: Mon Feb 15, 2021 2:44 pm
kagato1980 wrote: "If C7 85 equals 'mov rbp', then why are most line with 'mov' in the trace starting with 48 instead of C7?"
C7 85 means "mov [rbp+????????],imm32". C7 is the opcode, 85 is an r/m32 byte (technically bits 3-5 in the r/m32 byte are part of the opcode: C7 /0), and imm32 is some 32-bit number.
"mov" is a mnemonic representing a set of opcodes that share similar behaviour. e.g. C7 /0 is "mov r/m32,imm32".
The 48 byte you're talking about is a REX prefix; it generally pertains to 64-bit operations. The instruction "mov [rbp+XXXXXXXX],0" is addressing the memory location rbp+XXXXXXXX as a 4-byte value (32 bits), so it doesn't need a REX prefix.
The official place to find this information is from the documentation of your particular architecture. e.g. Intel:
https://software.intel.com/content/www/us/en/develop/articles/intel-sdm.html
Volume 2 has all the information you want. (contemporary Intel/AMD architectures are similar enough to be effectively interchangeable at a high level)
There are more accessible mirrors online with a subset of the information, but they could be out of date. This is one I use:
https://www.felixcloutier.com/x86/
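The following is an added example, not code from this thread and not part of Cheat Engine: a minimal x86-64 encoder/decoder in Python covering only the instruction forms discussed in ParkourPenguin's two replies and sbryzl's patch. It shows how "db C7 85", a 4-byte displacement and "dd 0" combine into mov dword ptr [rbp+disp32],0, why the original instruction carries the 48 (REX.W) byte, and that sbryzl's in-place replacement fits in the 18 bytes at the injection point. All function and constant names (decode_modrm, mov_mem_rbp_imm32, INJECTION_SITE, sbryzl_patch, ...) are this example's own; the injection-site bytes are copied from the trace in the first post, and the encoding of sbryzl's instructions is done by hand here.

```python
# Added example (not from the thread and not Cheat Engine code): a minimal
# x86-64 encoder/decoder for the handful of instruction forms discussed above.
# Function and constant names here are this example's own.

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_modrm(byte):
    """Split a ModRM byte into (mod, reg, rm). 0x85 -> (0b10, 0, 0b101):
    mod=10 means a disp32 follows, rm=101 means base register rbp, and
    reg=0 is either a register operand or the /0 opcode extension."""
    return (byte >> 6) & 3, (byte >> 3) & 7, byte & 7


def encode_modrm(mod, reg, rm):
    return (mod << 6) | (reg << 3) | rm


def modrm_rbp_disp32(reg_or_ext):
    """ModRM byte selecting [rbp+disp32] with the given reg field."""
    return bytes([encode_modrm(0b10, reg_or_ext, 0b101)])


def mov_mem_rbp_imm32(disp, imm):
    """mov dword ptr [rbp+disp32],imm32  ->  C7 /0 disp32 imm32.
    The 0 in '/0' is the reg field, so the ModRM byte is 0x85 for rbp; this is
    exactly what 'db C7 85' + readmem(addr+3,4) + 'dd 0' spell out.
    No REX.W is needed because the store is 32 bits wide."""
    return (b"\xC7" + modrm_rbp_disp32(0)
            + disp.to_bytes(4, "little", signed=True)
            + imm.to_bytes(4, "little", signed=True))


def mov_r64_mem_rbp(reg, disp):
    """mov r64,[rbp+disp32]  ->  REX.W 8B /r disp32. The 48 byte is REX.W,
    which widens the load to 64 bits; without it 8B 85 would load into eax."""
    return (b"\x48\x8B" + modrm_rbp_disp32(REG64.index(reg))
            + disp.to_bytes(4, "little", signed=True))


def decode(code):
    """Decode one instruction of the forms seen in the thread and return
    (text, length). Handles optional REX.W, opcodes C7 /0, 8B and 89, and the
    [rbp+disp32], [rsp+disp8] and register-direct operand forms only."""
    i = 0
    rex_w = code[i] == 0x48
    if rex_w:
        i += 1
    op = code[i]
    i += 1
    mod, reg, rm = decode_modrm(code[i])
    i += 1
    regs = REG64 if rex_w else REG32
    if mod == 0b11:                                         # register-direct
        operand = regs[rm]
    elif mod == 0b10 and rm == 0b101:                       # [rbp+disp32]
        disp = int.from_bytes(code[i:i + 4], "little", signed=True)
        i += 4
        operand = f"[rbp+{disp:08X}]"
    elif mod == 0b01 and rm == 0b100 and code[i] == 0x24:   # SIB: base rsp, no index
        disp = code[i + 1]            # disp8; offsets in this thread are small and positive
        i += 2
        operand = f"[rsp+{disp:02X}]"
    else:
        raise ValueError("operand form not handled by this example")
    if op == 0xC7 and reg == 0:
        imm = int.from_bytes(code[i:i + 4], "little", signed=True)
        i += 4
        size = "qword" if rex_w else "dword"
        return f"mov {size} ptr {operand},{imm:08X}", i
    if op == 0x8B:
        return f"mov {regs[reg]},{operand}", i
    if op == 0x89:
        return f"mov {operand},{regs[reg]}", i
    raise ValueError(f"opcode {op:02X} not handled by this example")


# The 18 bytes at the injection point, copied from the trace in the first post:
# mov rax,[rbp+B8] / mov [rsp+30],rax / movss xmm0,[rsp+30]
INJECTION_SITE = bytes.fromhex("488B85B8000000" "4889442430" "F30F10442430")


def sbryzl_patch():
    """sbryzl's in-place replacement, hand-encoded here (assumed encoding)."""
    return b"".join([
        b"\x48\x31\xC0",                                                # xor rax,rax
        b"\x89\x44\x24\x30",                                            # mov [rsp+30],eax
        b"\x89" + modrm_rbp_disp32(0) + (0xB8).to_bytes(4, "little"),   # mov [rbp+B8],eax
        b"\x0F\x57\xC0",                                                # xorps xmm0,xmm0
        b"\x66\x90",                                                    # nop 2
    ])


def patch_fits(patch, site=INJECTION_SITE):
    """An in-place patch must not be longer than the instructions it overwrites."""
    return len(patch) <= len(site)


if __name__ == "__main__":
    for insn in (mov_r64_mem_rbp("rax", 0xB8), mov_mem_rbp_imm32(0xB8, 0)):
        print(insn.hex(" ").upper(), "->", decode(insn)[0])
    print("patch bytes:", len(sbryzl_patch()), "site bytes:", len(INJECTION_SITE))
```

Running it prints the 7-byte original load with its REX.W prefix next to the 10-byte store the script builds from pseudoinstructions, and confirms the patch is exactly as long as the three instructions it replaces, which is the check to make before overwriting code in place rather than jumping to a code cave.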
kagato1980 Cheater
Reputation: 0
Joined: 30 Oct 2020 Posts: 30 Location: The Netherlands
Posted: Mon Feb 15, 2021 3:11 pm
Thanks for the details and links, this is a lot of new stuff to learn.