Ghend    How do I cheat?
Reputation: 0
Joined: 14 Mar 2017    Posts: 1

Posted: Sat Aug 25, 2018 8:29 am    Post subject: [REQ] Finding a changing base address
I'm playing around with MHW hacking and want to change base Attack. The problem is that every time you change equipment, the address changes. Fortunately it's easy enough to find Sharpness (a separate address) and then find the base address of the Player Stats using "find what writes to"; then Attack is always [base+19F4]. Changing it on a one-time basis is really simple, but still a bit time-consuming, having to do it every time the game is restarted or equipment changes.
So my question is, what would be the best way to find a static version of this Attack address, or how can I "find" the base address and record it with the offset +19F4 to get my Attack address?
I can do an AOB scan to Sharpness and get the Player Stats base address no problem, but again I cannot do "find what writes to" for Attack because right when the value changes, the base address that it's based off of has already changed so it gives no results. I've also tried generating a pointermap for 2 separate instances of the Attack value and comparing the 2, which gave me 0 results.
e: So I was able to use "Find What Accesses" on Sharpness, found an opcode and clicked "More Info" which gave me the probable pointer. Then I searched that in Hex 4byte, added the address of one of those values manually as a pointer + the offset for Sharpness (1DD0) and it worked. Then I used that same pointer+19F4 and that also worked for Attack, but then as soon as I changed equipment again it broke. There were no green values returned in my initial search, but am I on the right track?
e2: I was able to do "what accesses" on the Attack value, hit some stuff and found the opcode that gets called when damage is dealt: mov eax, [rcx+19F4] with the address of rcx+19F4 being my Attack. Did a break and trace on that, hit something, and I'm kind of lost to be honest. Code injection and break+trace is fairly new to me, though I'm looking up some tutorials now to see if I can make sense of it. I can toggle a breakpoint on it to consistently find my Attack / the "player stats" base address when that does change, but beyond that I'm not sure how to make use of having this.
Other potentially useful info if this is helpful: The address of that instruction is MHW.exe+C09FB0F, bytes are "8B 81 F4 19 00 00".
e3: Did an AOB injection on that instruction to store the base address for player stats, then added it to my table as basepointer+19F4. I have to attack something to update the table value, but it does work. So now my question is how do I get the cheat table to have an entry that dynamically updates the "Attack" address without me having to physically hit something?
Code:
{ Game : MonsterHunterWorld.exe
  Version:
  Date : 2018-08-25
  Author : Ghend

  This script finds the base address of player stats and stores it in [basepointer]
}

[ENABLE]

// "should be unique": the six bytes of mov eax,[rcx+000019F4] plus the 45 that starts the next instruction (xorps xmm9,xmm9)
aobscanmodule(attack,MonsterHunterWorld.exe,8B 81 F4 19 00 00 45)
// allocate next to the injection point so the 5-byte jmp newmem is within rel32 range
alloc(newmem,$1000,"MonsterHunterWorld.exe"+C09FB0F)
// basepointer is a label inside newmem (dq below), so it must NOT also be globalalloc'd:
// a name can be either a label or a globalalloc, not both, and globalalloc memory is never dealloc'd
label(basepointer)
registersymbol(basepointer)
label(code)
label(return)

newmem:
  mov [basepointer],rcx   // rcx = player stats base at this point; Attack is at +19F4
  jmp code

basepointer:
  dq 0                    // 8-byte slot that holds the captured base; table entry is basepointer+19F4

code:
  mov eax,[rcx+000019F4]  // the original instruction, executed unchanged
  jmp return

attack:
  jmp newmem              // 5 bytes; the original instruction is 6, so pad with one nop
  nop
return:
registersymbol(attack)

[DISABLE]

attack:
  db 8B 81 F4 19 00 00    // restore mov eax,[rcx+000019F4]

unregistersymbol(attack)
unregistersymbol(basepointer)
dealloc(newmem)           // basepointer lives inside newmem, so this frees it too

{
// ORIGINAL CODE - INJECTION POINT: "MonsterHunterWorld.exe"+C09FB0F

"MonsterHunterWorld.exe"+C09FAEA: 48 89 F9                 - mov rcx,rdi
"MonsterHunterWorld.exe"+C09FAED: E8 BE BA 48 F5           - call MonsterHunterWorld.exe+152B5B0
"MonsterHunterWorld.exe"+C09FAF2: 41 89 C4                 - mov r12d,eax
"MonsterHunterWorld.exe"+C09FAF5: 48 8B 73 08              - mov rsi,[rbx+08]
"MonsterHunterWorld.exe"+C09FAF9: 45 0F 57 D2              - xorps xmm10,xmm10
"MonsterHunterWorld.exe"+C09FAFD: 48 8B 8E 90 72 00 00     - mov rcx,[rsi+00007290]
"MonsterHunterWorld.exe"+C09FB04: 48 85 C9                 - test rcx,rcx
"MonsterHunterWorld.exe"+C09FB07: 74 4D                    - je MonsterHunterWorld.exe+C09FB56
"MonsterHunterWorld.exe"+C09FB09: F6 41 0C 0E              - test byte ptr [rcx+0C],0E
"MonsterHunterWorld.exe"+C09FB0D: 74 47                    - je MonsterHunterWorld.exe+C09FB56
// ---------- INJECTING HERE ----------
"MonsterHunterWorld.exe"+C09FB0F: 8B 81 F4 19 00 00        - mov eax,[rcx+000019F4]
// ---------- DONE INJECTING ----------
"MonsterHunterWorld.exe"+C09FB15: 45 0F 57 C9              - xorps xmm9,xmm9
"MonsterHunterWorld.exe"+C09FB19: 8B 91 74 1F 00 00        - mov edx,[rcx+00001F74]
"MonsterHunterWorld.exe"+C09FB1F: F3 4C 0F 2A C8           - cvtsi2ss xmm9,rax
"MonsterHunterWorld.exe"+C09FB24: 85 D2                    - test edx,edx
"MonsterHunterWorld.exe"+C09FB26: 7E 32                    - jle MonsterHunterWorld.exe+C09FB5A
"MonsterHunterWorld.exe"+C09FB28: 8D 82 FF FF FF FF        - lea eax,[rdx-00000001]
"MonsterHunterWorld.exe"+C09FB2E: 48 63 C8                 - movsxd rcx,eax
"MonsterHunterWorld.exe"+C09FB31: 48 8B 05 E0 FB A7 F7     - mov rax,[MonsterHunterWorld.exe+3B1F718]
"MonsterHunterWorld.exe"+C09FB38: 0F B6 8C 01 24 2A 00 00  - movzx ecx,byte ptr [rcx+rax+00002A24]
"MonsterHunterWorld.exe"+C09FB40: 66 0F 6E C1              - movd xmm0,ecx
}
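The byte-level work that the Cheat Engine script above delegates to aobscanmodule, alloc and the auto-assembler, done by hand so the arithmetic is visible: scanning a module image for the signature (with wildcard support, which the post's pattern does not need but real signatures often do), decoding the 19F4 struct offset out of the bytes 8B 81 F4 19 00 00, building the 5-byte jmp newmem plus nop that overwrites the 6-byte instruction, and restoring the saved bytes on disable. This is an added Python example, not code from the original post or from Cheat Engine. The module bytes are copied from the post's disassembly into a constructed stand-in image; the module base, the newmem address and the captured rcx value are made up, and no process is touched.

```python
import struct

# Constructed stand-in for a slice of the module's .text: the instructions
# around the injection point, copied from the disassembly in the post, with
# a few filler bytes in front. MODULE_BASE is made up (the real base moves
# with ASLR, which is why the script scans instead of hard-coding +C09FB0F).
MODULE = (
    bytes.fromhex("F6410C0E")        # test byte ptr [rcx+0C],0E
    + bytes.fromhex("7447")          # je +47
    + bytes.fromhex("8B81F4190000")  # mov eax,[rcx+000019F4]   <- hook here
    + bytes.fromhex("450F57C9")      # xorps xmm9,xmm9
    + bytes.fromhex("8B91741F0000")  # mov edx,[rcx+00001F74]
)
MODULE_BASE = 0x7FF6_1234_0000            # constructed
HOOK_PATTERN = "8B 81 F4 19 00 00 45"     # the same bytes the script's aobscanmodule uses

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def parse_aob(pattern):
    """'8B 81 ?? ?? 00 00' -> list of ints, None for a '??' wildcard byte."""
    return [None if tok in ("??", "?") else int(tok, 16) for tok in pattern.split()]


def aob_scan(image, pattern):
    """Offsets of every match of pattern in image (wildcards match any byte)."""
    pat = parse_aob(pattern)
    return [
        i for i in range(len(image) - len(pat) + 1)
        if all(p is None or image[i + k] == p for k, p in enumerate(pat))
    ]


def find_unique(image, pattern):
    """What 'should be unique' means: exactly one hit, otherwise refuse to patch."""
    hits = aob_scan(image, pattern)
    if len(hits) != 1:
        raise LookupError(f"pattern {pattern!r} matched {len(hits)} times, need exactly 1")
    return hits[0]


def decode_mov_r32_disp32(code):
    """Decode 'mov r32,[r64+disp32]' (opcode 8B, ModRM mod=10, no SIB, no REX).
    Returns (dest, base, disp, length); disp is the struct offset (0x19F4 here)."""
    if code[0] != 0x8B:
        raise ValueError("not an 8B (mov r32, r/m32) opcode")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 2 or rm == 4:
        raise ValueError("only the [reg+disp32] form without SIB is handled")
    disp = struct.unpack_from("<i", code, 2)[0]
    return REG32[reg], REG64[rm], disp, 6


def build_jump(hook_addr, newmem_addr, patched_len):
    """The bytes written at 'attack:': jmp newmem plus nop padding.
    jmp rel32 is E9 + (target - address after the jmp); it must cover whole
    instructions so nothing half-overwritten is left for the CPU to decode."""
    if patched_len < 5:
        raise ValueError("jmp rel32 needs 5 bytes; hook a longer instruction")
    rel = newmem_addr - (hook_addr + 5)
    if not -0x8000_0000 <= rel <= 0x7FFF_FFFF:
        raise ValueError("newmem out of rel32 range: allocate it near the hook")
    return b"\xE9" + struct.pack("<i", rel) + b"\x90" * (patched_len - 5)


def enable_hook(image, base, newmem_addr, pattern=HOOK_PATTERN):
    """[ENABLE]: scan, decode the original instruction, overwrite it with the jump.
    Returns (patched_image, hook_addr, saved_original_bytes, struct_offset)."""
    off = find_unique(image, pattern)
    _, _, disp, length = decode_mov_r32_disp32(image[off:off + 6])
    original = image[off:off + length]
    patched = image[:off] + build_jump(base + off, newmem_addr, length) + image[off + length:]
    return patched, base + off, original, disp


def disable_hook(image, base, hook_addr, original):
    """[DISABLE]: put the saved bytes back (the script's 'db 8B 81 F4 19 00 00')."""
    off = hook_addr - base
    return image[:off] + original + image[off + len(original):]


def attack_address(captured_rcx, disp):
    """What the table entry basepointer+19F4 resolves to once the hook has run."""
    return captured_rcx + disp


if __name__ == "__main__":
    patched, hook, saved, disp = enable_hook(MODULE, MODULE_BASE, MODULE_BASE + 0x1000)
    print(f"hook at {hook:#x}, patch bytes {patched[hook - MODULE_BASE:][:6].hex(' ')}")
    print(f"Attack offset {disp:#x}; restored ok: {disable_hook(patched, MODULE_BASE, hook, saved) == MODULE}")
```

Two things the example makes concrete. The rel32 check is why the script passes "MonsterHunterWorld.exe"+C09FB0F as alloc's third argument: in a 64-bit process the allocation has to land within ±2 GiB of the hook or a 5-byte jmp cannot reach it. And the captured base is only ever written when the hooked instruction executes, which is exactly the "I have to attack something" behaviour from the e3 update; a hook on an instruction that runs every frame (or on the code that reads Sharpness, which the post found with "Find What Accesses") would refresh the slot without hitting anything.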