Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


"mov" command copies into address not value?

 
DodgeWolfy
Newbie cheater
Reputation: 0

Joined: 13 May 2017
Posts: 19

Posted: Thu Aug 02, 2018 8:37 pm    Post subject: "mov" command copies into address not value?

Ok, so I am doing a one hit kill script for TW3 and have been trying many different methods for about 2 hours now and nothing works, because when you run a compare between current health of the player and the value of the instruction [rax+rcx*4] it doesn't work because your ACTUAL health is a tiny bit higher (or lower) due to regeneration or something else I can't be bothered to fix right now, so I decided to do it the really lazy way: just moving my max HP value into the current HP right after running the code that decreases enemy health, effectively eliminating the need for a filter or comparison between the player and NPCs.

Now to the topic at hand: for some reason while doing this I couldn't actually move the VALUE I wanted to where I wanted it to move, and decided to allocate a temporary value and found something strange I don't understand.

Code:

[ENABLE]
aobscanmodule(OHK,witcher3.exe,F3 0F 11 34 88 83 FB)
alloc(newmem,1024,"witcher3.exe"+E3C4F3)
registersymbol(OHK)

label(code)
label(return)

alloc(var,8)  //temporary value for testing
registersymbol(var)

newmem:
code:
  movss [rax+rcx*4],xmm6 //original code that writes enemy AND player values like health, stamina, toxicity
  cmp [rax+rcx*4],(Float)101 //compare if health is already decreased so it doesn't freeze their hp
  jle return
  mov [rax+rcx*4],(Float)101 //decrease enemy health to 101 points
  //(101 for convenience so it ignores stamina and toxicity as their values are 0-100)
  mov [var],(Float)200 //This is the problem..
  jmp return

OHK:
  jmp newmem

return:
[DISABLE]
OHK:
  db F3 0F 11 34 88

unregistersymbol(OHK)
dealloc(newmem)

unregistersymbol(var)
dealloc(var)


The problem: I have no clue why the pointed-out piece of code moves 200 into the address of "[var]" rather than the value, so when I add "[var]" as an address it pops up as "43480000" and a value of 0, meaning the mov command put the float of 200 into the address rather than the value. Not sure if I explained the problem correctly. How would I move the float of 200 into the VALUE of [var]?

On the other hand, if I use "var" as an address everything is correct and I get the result I want; however, my health value is in [].




To elaborate, here's how my code looks when it's actually made to be useful rather than testing out a variable.
Code:

[ENABLE]
aobscanmodule(OHK,witcher3.exe,F3 0F 11 34 88 83 FB)
alloc(newmem,1024,"witcher3.exe"+E3C4F3)
registersymbol(OHK)

label(code)
label(return)


newmem:
code:
  movss [rax+rcx*4],xmm6
  cmp [rax+rcx*4],(Float)101
  jle return
  mov [rax+rcx*4],(Float)101
  push rdx
  mov rdx,[player_base+4]
  mov [player_base],rdx
  pop rdx
  jmp return


//player_base  -  current hp
//player_base+4  -  max hp
//both are custom symbols obviously


OHK:
  jmp newmem

return:
[DISABLE]
OHK:
  db F3 0F 11 34 88

unregistersymbol(OHK)
dealloc(newmem)
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

Posted: Thu Aug 02, 2018 9:21 pm

I'm not entirely sure what the problem is (maybe just a confusion over var being an address and [var] being the value at that address) but... if you already have the player's address, why not just compare the addresses?

Code:
push rdx
push rbx
lea rdx, [player_base+4] // player cur hp
lea rbx, [rax+rcx*4]
cmp rbx, rdx
pop rbx
pop rdx
// maybe just cmp rax, player_base but without knowing what rcx is...
je return // player
// else enemy
mov [rax+rcx*4], 0 // kill or whatever
jmp return

_________________
https://github.com/FreeER/ has a few CE related repos
DodgeWolfy
Newbie cheater
Reputation: 0

Joined: 13 May 2017
Posts: 19

Posted: Thu Aug 02, 2018 9:46 pm

FreeER wrote:
I'm not entirely sure what the problem is (maybe just a confusion over var being an address and [var] being the value at that address) but... if you already have the player's address, why not just compare the addresses?

Code:
push rdx
push rbx
lea rdx, [player_base+4] // player cur hp
lea rbx, [rax+rcx*4]
cmp rbx, rdx
pop rbx
pop rdx
// maybe just cmp rax, player_base but without knowing what rcx is...
je return // player
// else enemy
mov [rax+rcx*4], 0 // kill or whatever
jmp return


Well, I guess coding when you haven't slept in 30 hours doesn't help. I completely forgot I can just use lea to compare ADDRESSES, not the values, and make the filtering a dozen times easier... and waaaay less complicated. Previously I was using a custom symbol and something somewhere was messing up and I just couldn't compare to the value; also, at some point the pop command didn't work in some context and was CTDing the game etc.

Just to get back to you about the problem: it's shown in this image, the bottom 2 addresses. This is what happens when I do
Code:
mov [var],(Float)200

The result: the first address you see there is var, which is how it should look, instead of like the bottom one, which is [var].

I needed this because I tried using
Code:
 mov [player_base],(Float)10000


This is the image, couldn't get the img tag to work https://prnt.sc/ke32w1

Regardless, the code you have provided works better and is MUCH simpler, thank you, apologies for the confusion.
TheyCallMeTim13
Wiki Contributor
Reputation: 50

Joined: 24 Feb 2017
Posts: 976
Location: Pluto

Posted: Thu Aug 02, 2018 10:04 pm

0x43480000 == (float)200.
And with a CE memory record's address: if you use "var" then the MR's address is the address of the "var" symbol, but if you use "[var]" then the MR's address is the value at the address of the "var" symbol.

_________________
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

Posted: Fri Aug 03, 2018 8:19 am

Quote:
Well, I guess coding when you haven't slept in 30 hours doesn't help
Not in my experience, no. Glad to be of help.

And yeah, as Tim explained, var is the address and [var] is the value/address stored at var; it's an alternative pointer syntax. And yes, that does even work in AA for more complicated ones, e.g. [[[game.exe+34]+4]+C]; however, it makes it into a constant address by reading the path once when the script is enabled (so if the address changes in game it'll crash, because the original address hardcoded into the assembly isn't valid anymore).


So in AA mov [var],... means move ... into the value at address var, and in the address list you'd want to give var for the address not [var] which means the value (aka address/pointer in this context) at var.


Hope that clears up the confusion, it's a fairly important thing to understand when you do start creating your own variables that you want accessible outside the script.

_________________
https://github.com/FreeER/ has a few CE related repos
DodgeWolfy
Newbie cheater
Reputation: 0

Joined: 13 May 2017
Posts: 19

Posted: Fri Aug 03, 2018 11:08 am

FreeER wrote:

So in AA mov [var],... means move ... into the value at address var, and in the address list you'd want to give var for the address not [var] which means the value (aka address/pointer in this context) at var.


Hope that clears up the confusion, it's a fairly important thing to understand when you do start creating your own variables that you want accessible outside the script.


Yeah, I understand now. One last thing though: how would I then copy a value into the value instead of the address, for example

Code:
mov [player_base],(Float)1000 //[player_base] being my HP value


This does nothing, even though in all games I've hacked up until now it's worked just fine. In this one it only tries to replace the address of player_base, as I said before, so how would I make it move into the value? And I'm saying "tries" because the address of player_base is being constantly updated by my "Get Witcher Stats" script, which is basically this:

Code:
code:
  mov ecx,[rax+rdx*4] //This instruction Accesses the player HP constantly

  push rcx
  lea rcx,[rax+rdx*4]

//Filter 1
  cmp [rcx+8],#0
  jne pre_return
//Filter 2
  cmp [rcx+10],(Float)100
  jne pre_return
//Filter 3
  cmp [rcx+14],#2
  jne pre_return

  mov [player_base],rcx
  jmp pre_return

pre_return:
  pop rcx
  mov [rsi],ecx //this here is continuation of the original code
  jmp return


But when I try doing this:
Code:
mov player_base,(Float)1000


The assembler throws out an error saying it can't be compiled and the script simply doesn't start.

Again, thank you for everything
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

Posted: Fri Aug 03, 2018 11:24 am

Quote:
Code:
mov [player_base],(Float)1000 //[player_base] being my HP value
This does nothing, even though in all games I've hacked up until now it's worked just fine
Assuming player_base is the address of your HP, not a pointer, that is exactly how you'd do it and if it doesn't work you have to look at other things (like maybe some code below the hook overwrites it, or it wasn't set properly etc.).

If it's a pointer (like with an injection copy) then you'd do something like
Code:
mov rax, [player_base] // read address from pointer into rax
mov [rax], (float)1000 // write to value at address


Code:
mov player_base,(Float)1000
tries to replace an address with a float value, which doesn't make sense because you can't replace addresses. It's like saying mov 5, 3 or mov true, false.
_________________
https://github.com/FreeER/ has a few CE related repos
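
The address-versus-value distinction discussed in this thread, modelled in C as an added example (not code from any poster or from Cheat Engine). A constructed 64-byte buffer stands in for process memory; the offsets VAR, PLAYER_BASE and HP and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 64-byte stand-in for process memory; offsets act as addresses.
   The layout is hypothetical. Assumes a little-endian host such as x86-64. */
static uint8_t mem[64];
enum { VAR = 0x00, PLAYER_BASE = 0x08, HP = 0x20 };

static uint64_t read_u64(uint64_t a) { uint64_t v; memcpy(&v, mem + a, 8); return v; }
static float    read_f32(uint64_t a) { float v;    memcpy(&v, mem + a, 4); return v; }
static void write_u64(uint64_t a, uint64_t v) { memcpy(mem + a, &v, 8); }
static void write_f32(uint64_t a, float v)    { memcpy(mem + a, &v, 4); }
/* Address-list rule from the thread: "sym" resolves to the symbol's own
   address, "[sym]" to the pointer-sized value stored at that address. */
static uint64_t resolve(uint64_t sym, int bracketed) { return bracketed ? read_u64(sym) : sym; }
/* mov [var],(Float)200, then "[var]" is entered in the address list. */
static uint64_t var_read_as_pointer(void) {
    memset(mem, 0, sizeof mem);
    write_f32(VAR, 200.0f);
    return resolve(VAR, 1);          /* the float's bit pattern, not an address */
}
/* player_base is a pointer slot that another script fills with the HP address. */
static void setup_player(void) {
    memset(mem, 0, sizeof mem);
    write_f32(HP, 75.0f);
    write_u64(PLAYER_BASE, HP);
}
/* mov [player_base],(Float)1000: lands in the pointer slot, HP is untouched. */
static float hp_after_direct_write(uint64_t *slot_out) {
    setup_player();
    write_f32(PLAYER_BASE, 1000.0f);
    *slot_out = read_u64(PLAYER_BASE);
    return read_f32(HP);
}
/* mov rax,[player_base] / mov [rax],(float)1000: load the pointer, then store. */
static float hp_after_write_through(void) {
    setup_player();
    write_f32(resolve(PLAYER_BASE, 1), 1000.0f);
    return read_f32(HP);
}

int main(void) {
    uint64_t slot;
    float hp = hp_after_direct_write(&slot);
    printf("[var] -> %llx\n", (unsigned long long)var_read_as_pointer());
    printf("direct: hp=%.0f slot=%llx\n", hp, (unsigned long long)slot);
    printf("through: hp=%.0f\n", hp_after_write_through());
    return 0;
}
```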
DodgeWolfy
Newbie cheater
Reputation: 0

Joined: 13 May 2017
Posts: 19

Posted: Fri Aug 03, 2018 11:41 am

FreeER wrote:
Quote:
Code:
mov [player_base],(Float)1000 //[player_base] being my HP value
This does nothing, even though in all games I've hacked up until now it's worked just fine
Assuming player_base is the address of your HP, not a pointer, that is exactly how you'd do it and if it doesn't work you have to look at other things (like maybe some code below the hook overwrites it, or it wasn't set properly etc.).

If it's a pointer (like with an injection copy) then you'd do something like
Code:
mov rax, [player_base] // read address from pointer into rax
mov [rax], (float)1000 // write to value at address


Code:
mov player_base,(Float)1000
tries to replace an address with a float value, which doesn't make sense because you can't replace addresses. It's like saying mov 5, 3 or mov true, false.


Ah, now it makes sense, because the variable "player_base" is storing my HP address in [player_base], so moving a float of 1000 would not work because it tries to replace the address, because [player_base] is an address that I'm using, not the actual value.

Thanks again for helping me out and clearing things up for me!
All times are GMT - 6 Hours