Here's an example from my Neverwinter Nights remake (Steam) table that you can adapt to other 64-bit games; I have a 32-bit version too if you're interested. Note that the AOB pattern and the `[rdi+...]` offsets are specific to this build (the injection point is nwmain.exe+737A2A as of 2024-02-22), so re-scan them after a game update rather than trusting the script blindly.
I also find it quite useful to have an XYZ tracker, which I'll share as well if you want.
With the tracker you can watch the X/Y/Z values as you move through the game, note down interesting locations, and then manually edit the teleport cheat's stored coordinates (the registered PlayerX/PlayerY/PlayerZ symbols) to wherever you want to teleport.
{ Game    : nwmain.exe
  Version : (unspecified - the AOB below resolves to nwmain.exe+737A2A on the 2024-02-22 build; re-scan after any game update)
  Date    : 2024-02-22
  Author  : Apocalypticx
  Store/teleport script: press K to store the player's current X/Y/Z, press L to teleport back to the stored point.
  It hooks the game's own read of the X coordinate (movsd xmm0,[rdi+2D0]) and polls the keys with user32!GetAsyncKeyState from inside the code cave,
  so it is a live code injection into the game process - use it on a local single-player process you own.
}
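[ENABLE]
aobscanmodule(storetele,nwmain.exe,F2 0F 10 87 D0 02 00 00 F2) // movsd xmm0,[rdi+2D0] plus the F2 of the following movsd; should be unique
alloc(newmem,$1000,storetele)
label(code)
label(return)
label(keychecker)
label(pollkey)
label(storexyz)
label(doteleport)
label(PlayerX)
label(PlayerY)
label(PlayerZ)

// Contract at the hook (nwmain.exe+737A2A on the 2024-02-22 build):
//   rdi  = object the game reads X/Y/Z from at +2D0/+2D4/+2D8. They are 32-bit
//          fields: the game reads X/Y back as floats via movss [rsp+48]/[rsp+4C]
//          and Z with a 32-bit mov eax,[rdi+2D8] (presumably also a float).
//   rbx  = live across the hook (loaded at +737A23, used at +737A50): save/restore it.
//   xmm0 = written by the hooked instruction and stored by the game straight after.
//   flags are preserved across the cave.
newmem:
  pushfq                               // the cmp below clobbers flags; their game state is unknown here
  cmp dword ptr [rdi+00000238],1       // only act for the object flagged 1 here (the player, per the author)
  je keychecker
  popfq
code:
  movsd xmm0,[rdi+000002D0]            // original instruction - always executed LAST, after any API call,
  jmp return                           // because xmm0 is volatile in the Win64 ABI and the game consumes it

// Reached with the game's flags still on the stack.
keychecker:
  push rcx
  mov rcx,4B                           // VK_K -> store
  call pollkey
  pop rcx                              // pop does not touch the flags pollkey returned
  jnz storexyz
  push rcx
  mov rcx,4C                           // VK_L -> teleport
  call pollkey
  pop rcx
  jnz doteleport
  popfq                                // neither key: restore flags and run the original load
  jmp code

// pollkey: in rcx = virtual-key code. Returns with ZF clear when the key is
// currently down or was pressed since the last poll (GetAsyncKeyState bits 15/0).
// Preserves every general-purpose register; clobbers flags.
// Win64 ABI for the call: rax,rcx,rdx,r8-r11 are volatile, the caller provides
// 32 bytes of shadow space, and rsp must be 16-byte aligned at the call. The
// hook's rsp alignment is unknown, so the frame is aligned explicitly instead of
// assuming a fixed "sub rsp,28" lands on a 16-byte boundary.
pollkey:
  push rax
  push rcx
  push rdx
  push r8
  push r9
  push r10
  push r11
  push rbp
  mov rbp,rsp                          // remember the possibly unaligned rsp
  and rsp,-10                          // 16-byte align
  sub rsp,20                           // shadow space
  call GetAsyncKeyState
  mov rsp,rbp
  pop rbp
  pop r11
  pop r10
  pop r9
  pop r8
  pop rdx
  pop rcx
  test ax,8001                         // bit 15 = down now, bit 0 = pressed since last call
  pop rax                              // pop does not touch flags
  ret

// K: copy the three 32-bit fields into the cave. 32-bit moves on purpose: the
// slots below are dd and the fields are 4 bytes apart, so the former 64-bit
// moves wrote 4 bytes past PlayerZ and, on teleport, 4 bytes past Z into [rdi+2DC].
storexyz:
  popfq
  push rbx
  mov ebx,[rdi+000002D0]
  mov [PlayerX],ebx
  mov ebx,[rdi+000002D4]
  mov [PlayerY],ebx
  mov ebx,[rdi+000002D8]
  mov [PlayerZ],ebx
  pop rbx
  jmp code

// L: write the stored fields back, then fall into the original load so the
// game sees the new X in xmm0 in the same frame as the new Z it reads at +737A38.
doteleport:
  popfq
  push rbx
  mov ebx,[PlayerX]
  mov [rdi+000002D0],ebx
  mov ebx,[PlayerY]
  mov [rdi+000002D4],ebx
  mov ebx,[PlayerZ]
  mov [rdi+000002D8],ebx
  pop rbx
  jmp code

// Stored position, one 32-bit slot each. Registered so a table entry can show/edit them.
PlayerX:
  dd 0
PlayerY:
  dd 0
PlayerZ:
  dd 0

storetele:
  jmp newmem                           // 5 bytes + 3 nops = the 8 bytes of the original movsd
  nop
  nop
  nop
return:
registersymbol(storetele)
registersymbol(PlayerX)
registersymbol(PlayerY)
registersymbol(PlayerZ)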
[DISABLE]
// Put the eight original bytes (movsd xmm0,[rdi+000002D0]) back over the
// 5-byte jmp + 3 nops first, so the game stops entering the cave, then
// drop the table-visible symbols and release the cave.
storetele:
  db F2 0F 10 87 D0 02 00 00

unregistersymbol(storetele)
unregistersymbol(PlayerZ)
unregistersymbol(PlayerY)
unregistersymbol(PlayerX)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: nwmain.exe+737A2A
nwmain.exe+7379EF: 45 0F 57 E4 - xorps xmm12,xmm12
nwmain.exe+7379F3: F3 44 0F 10 35 C4 B9 51 00 - movss xmm14,["nwmain.`InstanceLookup::List<DataPump>::active'::`2'::`dynamic atexit destructor for 's''"+6940]
nwmain.exe+7379FC: 83 BF 08 03 00 00 00 - cmp dword ptr [rdi+00000308],00
nwmain.exe+737A03: 0F 85 67 01 00 00 - jne nwmain.exe+737B70
nwmain.exe+737A09: 45 0F 28 EB - movaps xmm13,xmm11
nwmain.exe+737A0D: 83 BF E8 02 00 00 01 - cmp dword ptr [rdi+000002E8],01
nwmain.exe+737A14: 75 09 - jne nwmain.exe+737A1F
nwmain.exe+737A16: F3 44 0F 10 2D E5 EF 5B 00 - movss xmm13,[nwmain.exe+CF6A04]
nwmain.exe+737A1F: 45 0F 57 D2 - xorps xmm10,xmm10
nwmain.exe+737A23: 48 8B 9F B0 02 00 00 - mov rbx,[rdi+000002B0]
// ---------- INJECTING HERE ----------
nwmain.exe+737A2A: F2 0F 10 87 D0 02 00 00 - movsd xmm0,[rdi+000002D0]
// ---------- DONE INJECTING ----------
nwmain.exe+737A32: F2 0F 11 44 24 48 - movsd [rsp+48],xmm0
nwmain.exe+737A38: 8B 87 D8 02 00 00 - mov eax,[rdi+000002D8]
nwmain.exe+737A3E: 89 44 24 50 - mov [rsp+50],eax
nwmain.exe+737A42: F3 0F 10 54 24 4C - movss xmm2,[rsp+4C]
nwmain.exe+737A48: F3 0F 10 5C 24 48 - movss xmm3,[rsp+48]
nwmain.exe+737A4E: 66 90 - nop 2
nwmain.exe+737A50: F2 0F 10 03 - movsd xmm0,[rbx]
nwmain.exe+737A54: 8B 43 08 - mov eax,[rbx+08]
nwmain.exe+737A57: 89 44 24 78 - mov [rsp+78],eax
nwmain.exe+737A5B: 0F 28 F8 - movaps xmm7,xmm0
}