Cheat Engine The Official Site of Cheat Engine
Seergaze3 (Master Cheater; Reputation: -1; Joined: 10 Mar 2009; Posts: 347; Location: earth)
Posted: Sun Nov 17, 2019 1:53 am
Post subject: getting address from aob scan register issue
I'm trying to make simple resource pointers in AoE2:DE by copying the address from the registers, which can be located via an AOB scan.
I found the 2 functions that access the resource: the first one I assume is the global resource generation, but it also jumps from player to player, and a second one that I think is related to score (?).
Here is my current script for the first one.
Parent script:
Code: |
[ENABLE]
{$asm}
registersymbol(Base0)
registersymbol(Base1)
alloc(Base0, 8)
alloc(Base1, 8)
[DISABLE]
{$asm}
unregistersymbol(Base0)
unregistersymbol(Base1)
dealloc(Base0)
dealloc(Base1)
|
and getting the address from the register:
Code: |
[ENABLE]
aobscanmodule(Baserax,AoE2DE_s.exe,F3 42 0F 11 04 80 66) // should be unique
alloc(newmem,$1000,"AoE2DE_s.exe"+9F8989)
label(code)
label(return)
newmem:
push rax
mov [Base0],rax
pop rax
code:
movss [rax+r8*4],xmm0
jmp return
Baserax:
jmp newmem
nop
return:
registersymbol(Baserax)
[DISABLE]
Baserax:
db F3 42 0F 11 04 80
unregistersymbol(Baserax)
dealloc(newmem)
|
I then use Base0 as a pointer for the different resources, but it jumps between players so it's not robust.
However, I tried the same thing for the second function and the script won't run:
Code: |
[ENABLE]
aobscanmodule(Basercx,AoE2DE_s.exe,F3 0F 11 04 91 41 0F B7 82 9E) // should be unique
alloc(newmem1,$1000,"AoE2DE_s.exe"+9ECFA7)
label(code)
label(return)
newmem1:
push rcx
mov [Base1],rcx
pop rcx
code:
movss [rcx+rdx*4],xmm0
jmp return
Basercx:
jmp newmem1
return:
registersymbol(Basercx)
[DISABLE]
Basercx:
db F3 0F 11 04 91
unregistersymbol(Basercx)
dealloc(newmem1)
|
Can anyone tell me what the problem might be?
Thanks!
DanyDollaro (Master Cheater; Reputation: 3; Joined: 01 Aug 2019; Posts: 334)
Posted: Sun Nov 17, 2019 7:10 am
First of all, what are these parts for:
Code: |
newmem:
push rax
mov [Base0],rax
pop rax
|
Code: |
newmem1:
push rcx
mov [Base1],rcx
pop rcx
|
It is useless to push and pop the registers. If the value in EAX is 0x1000 and you push it, it remains 0x1000; you save it in the memory region you have allocated and then restore it using the pop, but in all 3 instructions the value of EAX is always 0x1000. You can directly write:
Code: |
newmem:
mov [Base0],rax
|
(And you can also remove "{$asm}".)
Regarding the fact that the pointer changes, you can separate them in the same way that is explained in Step 9 of the Cheat Engine tutorial.
The scripts are identical; the problem could be in the scanning of the AOB. Try replacing the scan of "Basercx" with:
Code: |
aobscanmodule(Basercx,AoE2DE_s.exe,F3 0F 11 04 91) //should be unique
|
Even if I don't think that's the problem, I have noticed that the instructions you are looking for have the module name and the offset specified; you could try the "Code injection" model, as it would be better than the AOB.
Seergaze3 (Master Cheater; Reputation: -1; Joined: 10 Mar 2009; Posts: 347; Location: earth)
Posted: Sun Nov 17, 2019 8:28 am
Thanks for the reply. I'm just a layman, so I was using some old templates. I simplified the first one to:
and it does still give me the address of rax and stores it into Base0.
But the problem with rcx still persists; the script won't compile for whatever reason when I use
but I somehow made it work by
Code: |
mov rax,rcx
mov [Base1],rax
|
So I guess my question for now is: why? I read that one is the accumulator register and one is the counting register, but I thought both could be used for storage, no?
DanyDollaro (Master Cheater; Reputation: 3; Joined: 01 Aug 2019; Posts: 334)
Posted: Sun Nov 17, 2019 8:59 am
You could also do:
Code: |
push rcx
pop [Base1]
|
which would be equal to:
I don't know about you, but with all my debuggers I can assemble the instruction "mov [Any_Address], rcx"; this is certainly not the problem.
Obviously the instruction fails if the page on which the address is located is protected by denying write access, but this is not the case.
You should be able to enable this script:
Code: |
[ENABLE]
alloc(newmem1,$1000,"AoE2DE_s.exe"+9ECFA7)
alloc(Base0, 8)
registersymbol(Base0)
label(code)
label(return)
newmem1:
mov [Base0],rcx
code:
movss [rcx+rdx*4],xmm0
jmp return
"AoE2DE_s.exe"+9ECFA7: //Basercx
jmp newmem1
return:
[DISABLE]
"AoE2DE_s.exe"+9ECFA7:
movss [rcx+rdx*4],xmm0
dealloc(newmem1)
dealloc(Base0)
unregistersymbol(Base0)
|
ParkourPenguin (I post too much; Reputation: 152; Joined: 06 Jul 2014; Posts: 4702)
Posted: Sun Nov 17, 2019 11:04 am
First post:
The {$asm} directives are unnecessary (it's the default), the push/pop instructions are unnecessary (you're not writing to rax), and I'd put the allocs before the registersymbols in each section (personal preference).
The two allocs in the parent script aren't close enough to newmem for RIP-relative addressing to be used. Thus instructions like these may fail to assemble:
You can put the two allocs from the parent script in each respective child script and pass them the same third argument as newmem:
Code: |
alloc(newmem1,$1000,"AoE2DE_s.exe"+9ECFA7)
alloc(Base1,8,"AoE2DE_s.exe"+9ECFA7)
registersymbol(Base1)
|
(Don't forget dealloc/unregistersymbol, and do the same for Base0.)
This way, CE will allocate Base0/1 near enough to newmem for RIP-relative addressing.
Or, even better, make them labels instead and put them in newmem:
Code: |
alloc(newmem1,$1000,"AoE2DE_s.exe"+9ECFA7)
label(Base1)
registersymbol(Base1)
...
newmem1+400:
Base1:
dq 0
...
|
Alternatively, use a register as an intermediary:
Code: |
mov rdx,Base0
mov [rdx],rcx
|
Make sure the game doesn't need whatever value was in rdx later on. (If it does, pick a different register, or use push/pop.)
Seergaze3 wrote: |
So I guess my question for now is: why? I read that one is the accumulator register and one is the counting register, but I thought both could be used for storage, no?
|
There's a specific instruction for rax:
Look up opcode 0xA3 in some reference manual (e.g. here).
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
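The encoding difference ParkourPenguin points at is easy to see by assembling the two stores by hand. The following Python is an added example, not code from the thread or from Cheat Engine: it encodes `mov [addr],rax` via the accumulator-only opcode 0xA3 (REX.W A3 + 8-byte absolute address) and `mov [addr],rcx` via the only form available for other registers in 64-bit mode, `REX.W 89 /r` with a RIP-relative disp32, which the assembler can only emit when the target lies within signed 32-bit reach of the next instruction. The module base, newmem address and alloc addresses are constructed values; the module offset 9ECFA7 is the one from the scripts above.

```python
# Added example (not from the thread, not Cheat Engine code): hand-encode the
# two x86-64 store forms to show why `mov [Base0],rax` always has an encoding
# while `mov [Base1],rcx` needs Base1 within +/-2 GiB of the instruction.
import struct

INT32_MIN, INT32_MAX = -(1 << 31), (1 << 31) - 1

# 64-bit general purpose registers in ModRM/REX numbering.
REGS = {"rax": 0, "rcx": 1, "rdx": 2, "rbx": 3, "rsp": 4, "rbp": 5, "rsi": 6, "rdi": 7,
        "r8": 8, "r9": 9, "r10": 10, "r11": 11, "r12": 12, "r13": 13, "r14": 14, "r15": 15}


def encode_mov_moffs64_rax(target):
    """mov [moffs64], rax  ->  REX.W A3 <8-byte absolute address>.
    Opcode A3 exists only for the accumulator, so any 64-bit address fits."""
    return bytes([0x48, 0xA3]) + struct.pack("<Q", target)


def encode_mov_riprel_r64(ins_addr, target, reg):
    """mov [rip+disp32], reg  ->  REX.W 89 /r with ModRM mod=00 rm=101.
    Returns None when `target` is not within signed 32-bit reach of the next
    instruction, which is exactly when an assembler rejects the line."""
    num = REGS[reg]
    rex = 0x48 | ((num >> 3) << 2)      # REX.W, plus REX.R for r8-r15
    modrm = ((num & 7) << 3) | 0x05     # mod=00, reg=num, rm=101 -> [rip+disp32]
    length = 7                          # REX + opcode + ModRM + disp32
    disp = target - (ins_addr + length) # displacement is relative to the next RIP
    if not INT32_MIN <= disp <= INT32_MAX:
        return None
    return bytes([rex, 0x89, modrm]) + struct.pack("<i", disp)


def encode_store(ins_addr, target, reg):
    """Encode `mov [target], reg` at `ins_addr` the way an x86-64 assembler
    would: RIP-relative when the target is in reach, otherwise fall back to
    the 0xA3 absolute form, which only exists for rax."""
    enc = encode_mov_riprel_r64(ins_addr, target, reg)
    if enc is None and reg == "rax":
        enc = encode_mov_moffs64_rax(target)
    return enc


# Constructed addresses (hypothetical, chosen to mirror the scripts above):
# a 64-bit module loaded high, newmem allocated next to "AoE2DE_s.exe"+9ECFA7,
# and Base1 from the parent script's plain alloc() landing far away.
MODULE_BASE = 0x7FF6_4000_0000                 # hypothetical AoE2DE_s.exe base
INJECT_POINT = MODULE_BASE + 0x9ECFA7          # "AoE2DE_s.exe"+9ECFA7
NEWMEM = (INJECT_POINT & ~0xFFFF) + 0x10000    # alloc(newmem1,$1000,<near INJECT_POINT>)
FAR_ALLOC = 0x0000_0000_0001_0000              # alloc(Base1,8) with no preferred base
NEAR_ALLOC = NEWMEM + 0x400                    # alloc(Base1,8,"AoE2DE_s.exe"+9ECFA7) or newmem1+400


def demo():
    """Which of the three stores from the thread can actually be encoded."""
    return {
        "mov [Base0],rax (far)":  encode_store(NEWMEM, FAR_ALLOC, "rax") is not None,
        "mov [Base1],rcx (far)":  encode_store(NEWMEM, FAR_ALLOC, "rcx") is not None,
        "mov [Base1],rcx (near)": encode_store(NEWMEM, NEAR_ALLOC, "rcx") is not None,
    }


if __name__ == "__main__":
    for line, ok in demo().items():
        print(f"{line:26s} -> {'assembles' if ok else 'no encoding in reach'}")
    print("rax, far :", encode_store(NEWMEM, FAR_ALLOC, "rax").hex())
    print("rcx, near:", encode_store(NEWMEM, NEAR_ALLOC, "rcx").hex())
```

Running it shows the rax store always encodes (falling back to `48 A3 <imm64>`), the rcx store to a far-away alloc has no encoding at all, and the same rcx store to an alloc placed next to newmem becomes a short `48 89 0D <disp32>`. That is the whole reason the parent-script allocs worked for rax and not for rcx, and why passing the same third argument to `alloc` (or making Base1 a label inside newmem) fixes it.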