kimpet (Newbie cheater; Reputation: 0; Joined: 09 Nov 2015; Posts: 22)
Posted: Sun Mar 20, 2016 6:09 am    Post subject: Need help with fsub and fadd
I'm playing Company of Heroes Complete Edition and want to capture strategic points automatically. The problem is that there are two types of them: the enemy's strategic point and the non-occupied strategic point.
The enemy's strategic points use both fsub and fadd: fsub for removing the enemy line and fadd for me to capture.
Code:
6F7CA804 - E8 6739F9FF - call WW2Mod.std::_Mutex::_Mutex+18962A
6F7CA809 - D9 5C 24 08 - fstp dword ptr [esp+08]
6F7CA80D - D9 87 F4010000 - fld dword ptr [edi+000001F4] <<
6F7CA813 - 51 - push ecx
6F7CA814 - D8 64 24 0C - fsub dword ptr [esp+0C]

EAX=0E630120
EBX=011BF77C
ECX=011BF430
EDX=0E63F850
ESI=0B421C68
EDI=0CCB8870
ESP=011BF450
EBP=011BF570
EIP=6F7CA813
Code:
6F7CB8E4 - EB 02 - jmp WW2Mod.std::_Mutex::_Mutex+1F6DA2
6F7CB8E6 - DD D8 - fstp st(0)
6F7CB8E8 - D9 87 F4010000 - fld dword ptr [edi+000001F4] <<
6F7CB8EE - 51 - push ecx
6F7CB8EF - D8 44 24 10 - fadd dword ptr [esp+10]

EAX=00000140
EBX=011BF77C
ECX=00000118
EDX=0CCB8A6C
ESI=0B421CB8
EDI=0CCB8870
ESP=011BF460
EBP=011BF570
EIP=6F7CB8EE
Non-occupied strategic points use only fadd for me to capture.
Code:
6F7CB9C3 - E8 C824F4FF - call WW2Mod.std::_Mutex::_Mutex+13934A
6F7CB9C8 - D9 5C 24 08 - fstp dword ptr [esp+08]
6F7CB9CC - D9 87 F4010000 - fld dword ptr [edi+000001F4] <<
6F7CB9D2 - 51 - push ecx
6F7CB9D3 - D8 44 24 0C - fadd dword ptr [esp+0C]

EAX=104B0120
EBX=006EF77C
ECX=3FC00000
EDX=104BDDD0
ESI=0DE532B0
EDI=2DC64198
ESP=006EF468
EBP=006EF570
EIP=6F7CB9D2
I already made a script for the non-occupied strategic point and it works, but not on the enemy's strategic point. If someone knows, please, I need your help...
Code:
{ Game : RelicCOH.exe
Version:
Date : 2016-03-20
Author : KiM
This script does blah blah blah
}

[ENABLE]
aobscanmodule(INJECT,WW2Mod.dll,D9 9F F4 01 00 00 85) // fstp dword ptr [edi+1F4] followed by test eax,eax; should be unique
alloc(newmem,$1000)
alloc(capture,4)
label(code)
label(return)

capture:
dd (float)500 // amount added on every store

newmem:
code:
fadd dword ptr [capture] // st(0) already holds the game's updated value; add 500 on top
fstp dword ptr [edi+000001F4] // original instruction: store the result and pop
test eax,eax // harmless duplicate: the original test at return: runs again
jmp return

INJECT:
jmp code
nop // jmp code is 5 bytes, the fstp it replaces is 6
return:
registersymbol(INJECT)

[DISABLE]
INJECT:
db D9 9F F4 01 00 00 // restore fstp dword ptr [edi+000001F4]
unregistersymbol(INJECT)
dealloc(newmem)
dealloc(capture)

{
// ORIGINAL CODE - INJECTION POINT: "WW2Mod.dll"+319CAC

"WW2Mod.dll"+319C9C: CC - int 3
"WW2Mod.dll"+319C9D: CC - int 3
"WW2Mod.dll"+319C9E: CC - int 3
"WW2Mod.dll"+319C9F: CC - int 3
"WW2Mod.dll"+319CA0: D9 44 24 04 - fld dword ptr [esp+04]
"WW2Mod.dll"+319CA4: 53 - push ebx
"WW2Mod.dll"+319CA5: 56 - push esi
"WW2Mod.dll"+319CA6: 57 - push edi
"WW2Mod.dll"+319CA7: 8B F8 - mov edi,eax
"WW2Mod.dll"+319CA9: 8B 47 10 - mov eax,[edi+10]
// ---------- INJECTING HERE ----------
"WW2Mod.dll"+319CAC: D9 9F F4 01 00 00 - fstp dword ptr [edi+000001F4]
// ---------- DONE INJECTING ----------
"WW2Mod.dll"+319CB2: 85 C0 - test eax,eax
"WW2Mod.dll"+319CB4: 0F 84 A3 00 00 00 - je WW2Mod.dll+319D5D
"WW2Mod.dll"+319CBA: 8B 70 4C - mov esi,[eax+4C]
"WW2Mod.dll"+319CBD: 85 F6 - test esi,esi
"WW2Mod.dll"+319CBF: 0F 84 98 00 00 00 - je WW2Mod.dll+319D5D
"WW2Mod.dll"+319CC5: 83 3D AC E5 AC 6F 00 - cmp dword ptr [WW2Mod.dll+61E5AC],00
"WW2Mod.dll"+319CCC: 8B 40 40 - mov eax,[eax+40]
"WW2Mod.dll"+319CCF: 75 3C - jne WW2Mod.dll+319D0D
"WW2Mod.dll"+319CD1: 85 C0 - test eax,eax
"WW2Mod.dll"+319CD3: 74 38 - je WW2Mod.dll+319D0D
}

hhhuut (Grandmaster Cheater; Reputation: 6; Joined: 08 Feb 2015; Posts: 607)
Posted: Sun Mar 20, 2016 7:15 am
I guess you'll have to set the value from fsub to zero first (so that the point is treated as non-occupied) and then your fadd script will trigger ...

kimpet (Newbie cheater; Reputation: 0; Joined: 09 Nov 2015; Posts: 22)
Posted: Sun Mar 20, 2016 8:24 am
hhhuut wrote:
    I guess you'll have to set the value from fsub to zero first (so that the point is treated as non-occupied) and then your fadd script will trigger ...

Not working. If I set it to 0 it needs a bigger value to subtract; the default value is 320. If I put 500, for example, it works but doesn't trigger the next operation, which is fadd.

hhhuut (Grandmaster Cheater; Reputation: 6; Joined: 08 Feb 2015; Posts: 607)
Posted: Sun Mar 20, 2016 8:26 am
Then just subtract the needed value (i.e. 320) minus one, so 319, so that the game itself does the last bit and can initialize the other routines.

kimpet (Newbie cheater; Reputation: 0; Joined: 09 Nov 2015; Posts: 22)
Posted: Sun Mar 20, 2016 8:13 pm
hhhuut wrote:
    Then just subtract the needed value (i.e. 320) minus one, so 319, so that the game itself does the last bit and can initialize the other routines.

Still doesn't do anything when I capture the enemy's strategic point, or something is wrong with my script:
Code:
{ Game : RelicCOH.exe
Version:
Date : 2016-03-20
Author : KiM
This script does blah blah blah
}

[ENABLE]
aobscanmodule(INJECT,WW2Mod.dll,D9 9F F4 01 00 00 85) // fstp dword ptr [edi+1F4] followed by test eax,eax; should be unique
alloc(newmem,$1000)
alloc(capture,4)
label(code)
label(return)

capture:
dd (float)319

newmem:
code:
fsub dword ptr [capture] // st(0) - 319 ...
fadd dword ptr [capture] // ... + 319: the pair leaves st(0) exactly as the game computed it
fstp dword ptr [edi+000001F4] // original instruction: store the result and pop
test eax,eax // harmless duplicate: the original test at return: runs again
jmp return

INJECT:
jmp code
nop // jmp code is 5 bytes, the fstp it replaces is 6
return:
registersymbol(INJECT)

[DISABLE]
INJECT:
db D9 9F F4 01 00 00 // restore fstp dword ptr [edi+000001F4]
unregistersymbol(INJECT)
dealloc(newmem)
dealloc(capture)

{
// ORIGINAL CODE - INJECTION POINT: "WW2Mod.dll"+319CAC

"WW2Mod.dll"+319C9C: CC - int 3
"WW2Mod.dll"+319C9D: CC - int 3
"WW2Mod.dll"+319C9E: CC - int 3
"WW2Mod.dll"+319C9F: CC - int 3
"WW2Mod.dll"+319CA0: D9 44 24 04 - fld dword ptr [esp+04]
"WW2Mod.dll"+319CA4: 53 - push ebx
"WW2Mod.dll"+319CA5: 56 - push esi
"WW2Mod.dll"+319CA6: 57 - push edi
"WW2Mod.dll"+319CA7: 8B F8 - mov edi,eax
"WW2Mod.dll"+319CA9: 8B 47 10 - mov eax,[edi+10]
// ---------- INJECTING HERE ----------
"WW2Mod.dll"+319CAC: D9 9F F4 01 00 00 - fstp dword ptr [edi+000001F4]
// ---------- DONE INJECTING ----------
"WW2Mod.dll"+319CB2: 85 C0 - test eax,eax
"WW2Mod.dll"+319CB4: 0F 84 A3 00 00 00 - je WW2Mod.dll+319D5D
"WW2Mod.dll"+319CBA: 8B 70 4C - mov esi,[eax+4C]
"WW2Mod.dll"+319CBD: 85 F6 - test esi,esi
"WW2Mod.dll"+319CBF: 0F 84 98 00 00 00 - je WW2Mod.dll+319D5D
"WW2Mod.dll"+319CC5: 83 3D AC E5 AC 6F 00 - cmp dword ptr [WW2Mod.dll+61E5AC],00
"WW2Mod.dll"+319CCC: 8B 40 40 - mov eax,[eax+40]
"WW2Mod.dll"+319CCF: 75 3C - jne WW2Mod.dll+319D0D
"WW2Mod.dll"+319CD1: 85 C0 - test eax,eax
"WW2Mod.dll"+319CD3: 74 38 - je WW2Mod.dll+319D0D
}
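The two scripts above and the fixes that come later in the thread all run through the same three instructions (fld [edi+1F4], fadd/fsub [esp+0C], fstp [edi+1F4]) and only differ in what they put on the x87 stack in between. The following is an added example, not code from the thread or from the game: a small x87 stack emulator that replays each variant on constructed inputs so the stored result of every approach can be compared side by side. It assumes the default value 320 that the poster mentions, a made-up per-call step of 1.0 for the [esp+0C] operand (whatever the preceding call left at [esp+08] before `push ecx`; its real size is not given on the page), and the 319/500 constants from the scripts.

```python
"""Tiny x87 stack emulator for the instruction sequences quoted in this thread.

Added example, not code from the thread or the game. It models only what the
hooks touch: the FPU register stack and the few dword memory operands involved,
so the effect of each script on the stored value can be compared. The starting
value 320 is the default the poster mentions; the game's own per-call step
(the [esp+0C] operand) is a constructed value, its real size is not on the page.
"""
import struct

PROGRESS = "[edi+1F4]"   # the strategic point's value, written back by fstp
STEP = "[esp+0C]"        # the game's own per-call increment/decrement (constructed)
CAPTURE = "[capture]"    # kimpet's allocated constant
MYVAR = "[myvar]"        # Zanzer's allocated constant


def f32(x: float) -> float:
    """Round to IEEE-754 single precision, as 'fstp dword ptr' does on store."""
    return struct.unpack("<f", struct.pack("<f", x))[0]


def run(program, mem):
    """Execute (mnemonic, operand) pairs against a copy of `mem` and return it.

    The x87 stack is a list with st(0) last; memory operands are floats keyed
    by their operand text. Only the instructions the thread's hooks use exist.
    """
    mem = dict(mem)
    st = []
    for mnem, arg in program:
        if mnem == "fld":
            st.append(mem[arg])
        elif mnem == "fldz":
            st.append(0.0)
        elif mnem == "fadd":
            st[-1] = st[-1] + mem[arg]
        elif mnem == "fsub":
            st[-1] = st[-1] - mem[arg]
        elif mnem == "fstp":
            mem[arg] = f32(st.pop())
        else:
            raise ValueError(f"unsupported mnemonic {mnem}")
    if st:
        raise RuntimeError("FPU stack left unbalanced")  # a hook that does this will crash sooner or later
    return mem


# The game's own enemy-line path: fld [edi+1F4] / push ecx / fsub [esp+0C] / ... / fstp [edi+1F4]
ENEMY_PATH = [("fld", PROGRESS), ("fsub", STEP), ("fstp", PROGRESS)]
# Same path with kimpet's first script: fadd [capture] hooked in at the shared fstp.
ENEMY_PATH_V1 = [("fld", PROGRESS), ("fsub", STEP), ("fadd", CAPTURE), ("fstp", PROGRESS)]
# Same path with kimpet's second script: fsub then fadd of the same constant.
ENEMY_PATH_V2 = [("fld", PROGRESS), ("fsub", STEP),
                 ("fsub", CAPTURE), ("fadd", CAPTURE), ("fstp", PROGRESS)]
# Same path with Zanzer's in-place patch: the fld is replaced by fldz.
ENEMY_PATH_FLDZ = [("fldz", None), ("fsub", STEP), ("fstp", PROGRESS)]
# The capture (fadd) path, unmodified and with Zanzer's code cave adding myvar right after the fld.
CAPTURE_PATH = [("fld", PROGRESS), ("fadd", STEP), ("fstp", PROGRESS)]
CAPTURE_PATH_CAVE = [("fld", PROGRESS), ("fadd", MYVAR), ("fadd", STEP), ("fstp", PROGRESS)]


def progress_after(program, start=320.0, step=1.0, capture=500.0, myvar=500.0):
    """Value left in [edi+1F4] after one pass of `program` (constructed inputs)."""
    mem = {PROGRESS: start, STEP: step, CAPTURE: capture, MYVAR: myvar}
    return run(program, mem)[PROGRESS]


if __name__ == "__main__":
    for name, prog, cap in [("enemy, unmodified", ENEMY_PATH, 500.0),
                            ("enemy, script 1 (fadd 500)", ENEMY_PATH_V1, 500.0),
                            ("enemy, script 2 (fsub/fadd 319)", ENEMY_PATH_V2, 319.0),
                            ("enemy, fldz patch", ENEMY_PATH_FLDZ, 500.0),
                            ("capture, unmodified", CAPTURE_PATH, 500.0),
                            ("capture, code cave (+500)", CAPTURE_PATH_CAVE, 500.0)]:
        print(f"{name:32s} -> {progress_after(prog, capture=cap):8.1f}")
```

Run as-is it prints one line per variant. Two things stand out: the first script, hooked at the fstp shared by both paths, adds 500 to the enemy line as well, so that line goes up instead of down; the second script stores exactly what the unmodified game would have stored, because subtracting and then adding the same constant cancels out. The fldz patch alone drives the enemy value negative on the first pass, which is a different mechanism from speeding the subtraction up.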

hhhuut (Grandmaster Cheater; Reputation: 6; Joined: 08 Feb 2015; Posts: 607)
Posted: Mon Mar 21, 2016 2:47 am
You'll have to do two separate injections: one on the fsub instruction and one on the fadd instruction.

kimpet (Newbie cheater; Reputation: 0; Joined: 09 Nov 2015; Posts: 22)
Posted: Mon Mar 21, 2016 7:09 pm
These two, fsub and fadd, store/write through a single instruction, fstp dword ptr [edi+000001F4]; if I do that it will crash my game.

Zanzer (I post too much; Reputation: 126; Joined: 09 Jun 2013; Posts: 3278)
Posted: Mon Mar 21, 2016 7:25 pm
Code:
[ENABLE]
aobscanmodule(something,WW2Mod.dll,D9 87 F4 01 00 00 51 D8 64 24 0C) // fld dword ptr [edi+1F4] / push ecx / fsub dword ptr [esp+0C]
something:
db D9 EE 90 90 90 90 // fldz + 4 nops: same 6-byte length as the fld it replaces
registersymbol(something)

[DISABLE]
something:
db D9 87 F4 01 00 00 // restore fld dword ptr [edi+000001F4]
unregistersymbol(something)

kimpet (Newbie cheater; Reputation: 0; Joined: 09 Nov 2015; Posts: 22)
Posted: Mon Mar 21, 2016 9:18 pm
Zanzer wrote:
    Code:
    [ENABLE]
    aobscanmodule(something,WW2Mod.dll,D9 87 F4 01 00 00 51 D8 64 24 0C)
    something:
    db D9 EE 90 90 90 90
    registersymbol(something)
    [DISABLE]
    something:
    db D9 87 F4 01 00 00
    unregistersymbol(something)

What does EE mean?
Code:
something:
db D9 EE 90 90 90 90

Zanzer (I post too much; Reputation: 126; Joined: 09 Jun 2013; Posts: 3278)
Posted: Mon Mar 21, 2016 9:22 pm
D9 EE means fldz.
fldz means load 0.0.
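The byte patterns in this thread (D9 87 ... for fld, D9 9F ... for fstp, D8 64 24 0C for fsub via esp, D9 EE for fldz) follow from the x87 encoding: an escape opcode D8..DF, then a ModRM byte whose reg field selects the operation for memory operands, or whose whole value names a register-form instruction when mod is 3. Below is an added example, not code from the thread or from Cheat Engine, that decodes exactly those forms and builds the two kinds of patch used in the thread: an in-place replacement padded with NOPs to the original instruction's length (Zanzer's `db D9 EE 90 90 90 90`), and an E9 rel32 jump to a code cave padded the same way (the `jmp code` / `nop` pair in the auto-assembler templates). The cave address in the demo is made up; the instruction bytes are the ones quoted on the page.

```python
"""x87 opcode decoder and hook-patch builder for the byte patterns in this thread.

Added example, not code from the thread or from Cheat Engine. It decodes only
the forms that appear on the page (D9 /0 fld, D9 /2 fst, D9 /3 fstp and
D8 /0 fadd, D8 /4 fsub with a dword memory operand; D9 E8 fld1, D9 EE fldz,
DD D8 fstp st(0) in register form) and builds the two kinds of patch used
above: an in-place replacement padded with NOPs, and an E9 rel32 jump to a
code cave. The addresses used under __main__ are constructed for illustration.
"""
import struct

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Memory forms: ModRM.reg selects the operation under the escape opcode.
MEM_FORMS = {
    0xD9: {0: "fld", 2: "fst", 3: "fstp"},
    0xD8: {0: "fadd", 4: "fsub"},
}
# Register forms (ModRM.mod == 3) are identified by the whole ModRM byte.
REG_FORMS = {
    0xD9: {0xE8: "fld1", 0xEE: "fldz"},
    0xDD: {0xD8: "fstp st(0)"},
}


def decode(code: bytes) -> tuple[str, int]:
    """Decode the x87 instruction at code[0]; return (assembly text, length in bytes)."""
    opcode, modrm = code[0], code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:
        return REG_FORMS[opcode][modrm], 2
    mnemonic = MEM_FORMS[opcode][reg]
    pos = 2
    if rm == 4:                         # SIB byte follows (the only way to base on esp)
        sib = code[pos]
        pos += 1
        if (sib >> 3) & 7 != 4 or (mod == 0 and (sib & 7) == 5):
            raise NotImplementedError("scaled-index / no-base SIB forms not needed here")
        base = REGS32[sib & 7]
    elif mod == 0 and rm == 5:          # [disp32] with no base register
        base = None
    else:
        base = REGS32[rm]
    if mod == 1:                        # disp8
        disp = struct.unpack_from("<b", code, pos)[0]
        pos += 1
    elif mod == 2 or base is None:      # disp32
        disp = struct.unpack_from("<i", code, pos)[0]
        pos += 4
    else:
        disp = 0
    if base is None:
        operand = f"[0x{disp & 0xFFFFFFFF:08X}]"
    elif disp == 0:
        operand = f"[{base}]"
    else:
        operand = f"[{base}{'+' if disp > 0 else '-'}0x{abs(disp):02X}]"
    return f"{mnemonic} dword ptr {operand}", pos


def inline_patch(new_code: bytes, orig_len: int) -> bytes:
    """Replace an instruction in place, NOP-padding so the next instruction stays aligned."""
    if len(new_code) > orig_len:
        raise ValueError("replacement is longer than the instruction it overwrites")
    return new_code + b"\x90" * (orig_len - len(new_code))


def hook_patch(inject_addr: int, cave_addr: int, orig_len: int) -> bytes:
    """E9 rel32 jump to a code cave, NOP-padded to the overwritten instruction's length.

    rel32 is measured from the end of the 5-byte jmp, which is why the Cheat
    Engine template needs one nop after 'jmp code' when hooking a 6-byte instruction.
    """
    if orig_len < 5:
        raise ValueError("a rel32 jump needs at least 5 bytes to overwrite")
    rel = cave_addr - (inject_addr + 5)
    return inline_patch(b"\xE9" + struct.pack("<i", rel), orig_len)


def patch_length(code: bytes, need: int) -> int:
    """Bytes of whole instructions starting at code[0] needed to cover `need` bytes,
    so a patch never ends in the middle of an instruction."""
    total = 0
    while total < need:
        total += decode(code[total:])[1]
    return total


if __name__ == "__main__":
    # Instruction bytes copied from the disassembly quoted in the thread; the cave address is made up.
    fsub_site = bytes.fromhex("D9 87 F4 01 00 00 51 D8 64 24 0C")
    print(decode(fsub_site))                        # ('fld dword ptr [edi+0x1F4]', 6)
    print(decode(fsub_site[7:]))                    # ('fsub dword ptr [esp+0x0C]', 4)
    print(decode(b"\xD9\xEE"))                      # ('fldz', 2)
    print(inline_patch(b"\xD9\xEE", 6).hex(" "))    # d9 ee 90 90 90 90
    print(hook_patch(0x6F7CA80D, 0x6F7CA80D + 0x10000, patch_length(fsub_site, 5)).hex(" "))  # e9 fb ff 00 00 90
```

`patch_length` is the check worth keeping: it walks whole instructions until at least five bytes are covered, which is what tells you how many `nop`s the template needs after `jmp code` and whether the hook would cut an instruction in half.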

kimpet (Newbie cheater; Reputation: 0; Joined: 09 Nov 2015; Posts: 22)
Posted: Mon Mar 21, 2016 10:00 pm
Zanzer wrote:
    D9 EE means fldz.
    fldz means load 0.0.

What if I want to load a bigger value? 'Cause fadd needs a bigger value.

Zanzer (I post too much; Reputation: 126; Joined: 09 Jun 2013; Posts: 3278)
Posted: Mon Mar 21, 2016 10:11 pm
Are you saying that code successfully removed the enemy line?
Maybe this one will instantly capture it.
Code:
[ENABLE]
aobscanmodule(something2,WW2Mod.dll,D9 87 F4 01 00 00 51 D8 44 24 0C) // fld dword ptr [edi+1F4] / push ecx / fadd dword ptr [esp+0C]
alloc(newmem,$1000)
label(code)
label(return)
label(myvar)

newmem:
code:
fld dword ptr [edi+000001F4] // original instruction
fadd dword ptr [myvar] // add 500 before the game adds its own step at return:
jmp return

myvar:
dd (float)500

something2:
jmp code
nop // jmp code is 5 bytes, the fld it replaces is 6
return:
registersymbol(something2)

[DISABLE]
something2:
db D9 87 F4 01 00 00 // restore fld dword ptr [edi+000001F4]
unregistersymbol(something2)
dealloc(newmem)

kimpet (Newbie cheater; Reputation: 0; Joined: 09 Nov 2015; Posts: 22)
Posted: Mon Mar 21, 2016 10:21 pm
Zanzer wrote:
    Are you saying that code successfully removed the enemy line?
    Maybe this one will instantly capture it.
    Code:
    [ENABLE]
    aobscanmodule(something2,WW2Mod.dll,D9 87 F4 01 00 00 51 D8 44 24 0C)
    alloc(newmem,$1000)
    label(code)
    label(return)
    label(myvar)
    newmem:
    code:
    fld dword ptr [edi+000001F4]
    fadd dword ptr [myvar]
    jmp return
    myvar:
    dd (float)500
    something2:
    jmp code
    nop
    return:
    registersymbol(something2)
    [DISABLE]
    something2:
    db D9 87 F4 01 00 00
    unregistersymbol(something2)
    dealloc(newmem)

Yes, it removes the enemy line, but I need to wait for fadd. Will try this one.
Edit: it works now on both. Thanks, Zanzer!
One last question: how can I merge them both into one script?
Edit: ahm, forget this one, I can enable them both with hotkeys.

Zanzer (I post too much; Reputation: 126; Joined: 09 Jun 2013; Posts: 3278)
Posted: Mon Mar 21, 2016 10:45 pm
Code:
[ENABLE]
aobscanmodule(something,WW2Mod.dll,D9 87 F4 01 00 00 51 D8 64 24 0C) // fld [edi+1F4] before the fsub (enemy line)
aobscanmodule(something2,WW2Mod.dll,D9 87 F4 01 00 00 51 D8 44 24 0C) // fld [edi+1F4] before the fadd (capture)
alloc(newmem,$1000)
label(code)
label(return)
label(myvar)

something:
db D9 EE 90 90 90 90 // fldz + 4 nops in place of the 6-byte fld

newmem:
code:
fld dword ptr [edi+000001F4] // original instruction
fadd dword ptr [myvar] // add 500 before the game adds its own step at return:
jmp return

myvar:
dd (float)500

something2:
jmp code
nop // jmp code is 5 bytes, the fld it replaces is 6
return:
registersymbol(something)
registersymbol(something2)

[DISABLE]
something:
db D9 87 F4 01 00 00 // restore fld dword ptr [edi+000001F4]
something2:
db D9 87 F4 01 00 00 // restore fld dword ptr [edi+000001F4]
unregistersymbol(something)
unregistersymbol(something2)
dealloc(newmem)

kimpet (Newbie cheater; Reputation: 0; Joined: 09 Nov 2015; Posts: 22)
Posted: Mon Mar 21, 2016 10:53 pm
Zanzer wrote:
    Code:
    [ENABLE]
    aobscanmodule(something,WW2Mod.dll,D9 87 F4 01 00 00 51 D8 64 24 0C)
    aobscanmodule(something2,WW2Mod.dll,D9 87 F4 01 00 00 51 D8 44 24 0C)
    alloc(newmem,$1000)
    label(code)
    label(return)
    label(myvar)
    something:
    db D9 EE 90 90 90 90
    newmem:
    code:
    fld dword ptr [edi+000001F4]
    fadd dword ptr [myvar]
    jmp return
    myvar:
    dd (float)500
    something2:
    jmp code
    nop
    return:
    registersymbol(something)
    registersymbol(something2)
    [DISABLE]
    something:
    db D9 87 F4 01 00 00
    something2:
    db D9 87 F4 01 00 00
    unregistersymbol(something)
    unregistersymbol(something2)
    dealloc(newmem)

Nice! Thanks a lot, Zanzer!