Cheat Engine Forum, General Discussions
Infinite fuel without affecting refuel

tysman
Cheater
Reputation: 0

Joined: 06 Jan 2020
Posts: 29

Posted: Wed Apr 06, 2022 3:42 pm    Post subject: Infinite fuel without affecting refuel

I am creating an infinite fuel script and it works, except that when refueling or calling a certain vehicle it will write 0 to the fuel tank. I know the offset for the fuel cap is at 3EC. Not sure how I can use that to allow refueling but not decrease fuel consumption.

Code:


[ENABLE]

aobscanmodule(fuel,MudRunner.exe,F3 0F 11 89 E8 03 00 00) // should be unique
alloc(newmem,$100,"MudRunner.exe"+8904D6)

label(code)
label(return)

newmem:
sub [rcx+000003E8],0
jmp return

code:
  movss [rcx+000003E8],xmm1
  jmp return

fuel:
  jmp newmem
  nop
  nop
  nop
return:
registersymbol(fuel)

[DISABLE]

fuel:
  db F3 0F 11 89 E8 03 00 00

unregistersymbol(fuel)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "MudRunner.exe"+8904D6

"MudRunner.exe"+8904B7: 0F 57 F6                       -  xorps xmm6,xmm6
"MudRunner.exe"+8904BA: 0F 2F F1                       -  comiss xmm6,xmm1
"MudRunner.exe"+8904BD: 48 8B D9                       -  mov rbx,rcx
"MudRunner.exe"+8904C0: 76 05                          -  jna MudRunner.exe+8904C7
"MudRunner.exe"+8904C2: 0F 28 CE                       -  movaps xmm1,xmm6
"MudRunner.exe"+8904C5: EB 08                          -  jmp MudRunner.exe+8904CF
"MudRunner.exe"+8904C7: 0F 2F C8                       -  comiss xmm1,xmm0
"MudRunner.exe"+8904CA: 76 03                          -  jna MudRunner.exe+8904CF
"MudRunner.exe"+8904CC: 0F 28 C8                       -  movaps xmm1,xmm0
"MudRunner.exe"+8904CF: 0F 2F 05 DE 20 18 00           -  comiss xmm0,[MudRunner.exe+A125B4]
// ---------- INJECTING HERE ----------
"MudRunner.exe"+8904D6: F3 0F 11 89 E8 03 00 00        -  movss [rcx+000003E8],xmm1
// ---------- DONE INJECTING  ----------
"MudRunner.exe"+8904DE: 76 07                          -  jna MudRunner.exe+8904E7
"MudRunner.exe"+8904E0: 0F 28 F1                       -  movaps xmm6,xmm1
"MudRunner.exe"+8904E3: F3 0F 5E F0                    -  divss xmm6,xmm0
"MudRunner.exe"+8904E7: 48 8B 81 50 02 00 00           -  mov rax,[rcx+00000250]
"MudRunner.exe"+8904EE: 33 FF                          -  xor edi,edi
"MudRunner.exe"+8904F0: 48 2B 81 48 02 00 00           -  sub rax,[rcx+00000248]
"MudRunner.exe"+8904F7: 48 C1 F8 04                    -  sar rax,04
"MudRunner.exe"+8904FB: 48 85 C0                       -  test rax,rax
"MudRunner.exe"+8904FE: 74 76                          -  je MudRunner.exe+890576
"MudRunner.exe"+890500: 0F 29 7C 24 30                 -  movaps [rsp+30],xmm7
}
TsTg
Master Cheater
Reputation: 5

Joined: 12 Dec 2012
Posts: 340
Location: Somewhere....

Posted: Wed Apr 06, 2022 4:40 pm

This line sets the fuel to zero:
Code:
"MudRunner.exe"+8904C2: 0F 28 CE                       -  movaps xmm1,xmm6

The reason is that you are not updating the fuel value correctly.
A proper way should be:

Code:

[ENABLE]

aobscanmodule(fuel,MudRunner.exe,F3 0F 11 89 E8 03 00 00) // should be unique
alloc(newmem,$100,"MudRunner.exe"+8904D6)

label(code)
label(return)

newmem:
//sub [rcx+000003E8],0          // <---- this line does nothing
movaps xmm1,xmm0             // <---- from my reading, xmm0 should be the max fuel value; you need to confirm it, and also check the value in the pointer [MudRunner.exe+A125B4] to make sure

movss [rcx+000003E8],xmm1    // <---- store the new xmm1 (fuel) value in the target fuel address
jmp return

code:
  movss [rcx+000003E8],xmm1
  jmp return

fuel:
  jmp newmem
  nop
  nop
  nop
return:
registersymbol(fuel)

[DISABLE]

fuel:
  db F3 0F 11 89 E8 03 00 00

unregistersymbol(fuel)
dealloc(newmem)
tysman
Cheater
Reputation: 0

Joined: 06 Jan 2020
Posts: 29

Posted: Wed Apr 06, 2022 4:48 pm

Yes, xmm0 is the fuel cap and xmm1 is the current fuel. So how would I write it so that it never decreases, but if it's not at the cap it can be filled up to the cap?
ParkourPenguin
I post too much
Reputation: 150

Joined: 06 Jul 2014
Posts: 4645

Posted: Wed Apr 06, 2022 4:57 pm

So allow it to increase but not decrease? Just check if the new value is more than the current value. If so, write the new value; else, skip past it.
Code:
newmem:
  comiss xmm1,[rcx+3E8]
  jbe @f
  movss [rcx+000003E8],xmm1
@@:
  jmp return

_________________
I don't know where I'm going, but I'll figure it out when I get there.
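As an added example (not code from the thread), here is a C model of the comiss/jbe logic in the snippet above, together with the game's own clamp from the original-code listing in the first post; register names mirror the listing, and the NaN behaviour follows the comiss definition (an unordered compare sets ZF, PF and CF, so jbe is taken and nothing is stored).

```c
#include <math.h>
#include <stdbool.h>

/* Flags as COMISS sets them (ZF, PF, CF); an unordered compare (NaN) sets all three. */
typedef struct { bool zf, pf, cf; } flags_t;

static flags_t comiss(float a, float b) {
    flags_t f = {false, false, false};
    if (isnan(a) || isnan(b)) f.zf = f.pf = f.cf = true;
    else if (a < b)  f.cf = true;
    else if (a == b) f.zf = true;
    return f;
}

/* JNA and JBE are the same instruction: taken when CF=1 or ZF=1. */
static bool jbe(flags_t f) { return f.cf || f.zf; }

/* The game's own logic before the injection point: clamp xmm1 into [0, xmm0]. */
float clamp_fuel(float xmm1, float xmm0_cap) {
    float xmm6 = 0.0f;                        /* xorps xmm6,xmm6 */
    if (!jbe(comiss(xmm6, xmm1)))             /* jna: skip unless 0 > xmm1 */
        return xmm6;                          /* movaps xmm1,xmm6 */
    if (!jbe(comiss(xmm1, xmm0_cap)))         /* jna: skip unless xmm1 > cap */
        return xmm0_cap;                      /* movaps xmm1,xmm0 */
    return xmm1;
}

/* The instruction at the injection point: movss [rcx+3E8],xmm1 (unconditional store). */
float store_original(float *slot, float xmm1) { *slot = xmm1; return *slot; }

/* The newmem above: comiss xmm1,[rcx+3E8]; jbe @f; movss [rcx+3E8],xmm1; @@: */
float store_increase_only(float *slot, float xmm1) {
    if (!jbe(comiss(xmm1, *slot)))            /* store only when xmm1 > current */
        *slot = xmm1;
    return *slot;
}

/* One update on the patched path: the game clamps, the hook decides whether to store. */
float patched_fuel_update(float *slot, float cap, float requested) {
    return store_increase_only(slot, clamp_fuel(requested, cap));
}
```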
tysman
Cheater
Reputation: 0

Joined: 06 Jan 2020
Posts: 29

Posted: Wed Apr 06, 2022 5:27 pm

Thanks, works great. What are these doing?
Code:

jbe @f

Code:

@@:
ParkourPenguin
I post too much
Reputation: 150

Joined: 06 Jul 2014
Posts: 4645

Posted: Wed Apr 06, 2022 5:38 pm

It's just a shortcut for accessing and defining labels. "@f" means "the closest label forward" (@b is backward) and @@ is an anonymous label (a label that has no name).

Same thing:
Code:
newmem:
  comiss xmm1,[rcx+3E8]
  jbe code
  movss [rcx+000003E8],xmm1
code:
  jmp return

_________________
I don't know where I'm going, but I'll figure it out when I get there.
tysman
Cheater
Reputation: 0

Joined: 06 Jan 2020
Posts: 29

Posted: Wed Apr 06, 2022 6:31 pm

Ok. Now I also have a script that I use to have Cheat Engine find the fuel address for me, but I found out the address for vehicle damage is in another location. How can I use the one script to inject in 2 places (merge both scripts)?
Code:

[ENABLE]

aobscanmodule(veh_stats,MudRunner.exe,F3 0F 10 B0 E8 03 00 00 F3) // should be unique
alloc(newmem,$100,"MudRunner.exe"+8E6B5D)

label(code)
label(return)
label(veh_base)
registersymbol(veh_base)

newmem:
mov [veh_base],rax

code:
  movss xmm6,[rax+000003E8]
  jmp return

  veh_base:
  dd 0

veh_stats:
  jmp newmem
  nop
  nop
  nop
return:
registersymbol(veh_stats)

[DISABLE]

veh_stats:
  db F3 0F 10 B0 E8 03 00 00

unregistersymbol(veh_stats)
unregistersymbol(veh_base)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "MudRunner.exe"+8E6B5D

"MudRunner.exe"+8E6B24: 0F 2F C2                    -  comiss xmm0,xmm2
"MudRunner.exe"+8E6B27: 73 17                       -  jae MudRunner.exe+8E6B40
"MudRunner.exe"+8E6B29: 0F 2F 0D E8 BB 12 00        -  comiss xmm1,[MudRunner.exe+A12718]
"MudRunner.exe"+8E6B30: 76 15                       -  jna MudRunner.exe+8E6B47
"MudRunner.exe"+8E6B32: 40 88 B5 88 01 00 00        -  mov [rbp+00000188],sil
"MudRunner.exe"+8E6B39: 41 89 B6 CC 00 00 00        -  mov [r14+000000CC],esi
"MudRunner.exe"+8E6B40: C6 85 70 01 00 00 01        -  mov byte ptr [rbp+00000170],01
"MudRunner.exe"+8E6B47: F3 41 0F 58 B6 CC 00 00 00  -  addss xmm6,dword ptr [r14+000000CC]
"MudRunner.exe"+8E6B50: F3 41 0F 11 B6 CC 00 00 00  -  movss [r14+000000CC],xmm6
"MudRunner.exe"+8E6B59: 48 8B 47 10                 -  mov rax,[rdi+10]
// ---------- INJECTING HERE ----------
"MudRunner.exe"+8E6B5D: F3 0F 10 B0 E8 03 00 00     -  movss xmm6,[rax+000003E8]
// ---------- DONE INJECTING  ----------
"MudRunner.exe"+8E6B65: F3 0F 5E B0 EC 03 00 00     -  divss xmm6,[rax+000003EC]
"MudRunner.exe"+8E6B6D: F3 0F 10 05 13 BB 12 00     -  movss xmm0,[MudRunner.exe+A12688]
"MudRunner.exe"+8E6B75: F3 44 0F 10 05 02 C2 12 00  -  movss xmm8,[MudRunner.exe+A12D80]
"MudRunner.exe"+8E6B7E: 0F 2F C6                    -  comiss xmm0,xmm6
"MudRunner.exe"+8E6B81: 76 3B                       -  jna MudRunner.exe+8E6BBE
"MudRunner.exe"+8E6B83: FF 15 B7 0E 07 00           -  call qword ptr [MudRunner.exe+957A40]
"MudRunner.exe"+8E6B89: 66 0F 6E C8                 -  movd xmm1,eax
"MudRunner.exe"+8E6B8D: 0F 5B C9                    -  cvtdq2ps xmm1,xmm1
"MudRunner.exe"+8E6B90: F3 41 0F 5E C8              -  divss xmm1,xmm8
"MudRunner.exe"+8E6B95: F3 0F 5E 35 EB BA 12 00     -  divss xmm6,[MudRunner.exe+A12688]
}

Damage code
Code:

[ENABLE]

aobscanmodule(veh_stats2,MudRunner.exe,8B 86 C8 00 00 00 0F 57 C9 0F) // should be unique
alloc(newmem,$100,"MudRunner.exe"+86B9B5)

label(code)
label(return)
label(veh_base2)
registersymbol(veh_base2)

newmem:
mov [veh_base2],rsi

code:
  mov eax,[rsi+000000C8]
  jmp return

  veh_base2:
  dd 0

veh_stats2:
  jmp newmem
  nop
return:
registersymbol(veh_stats2)

[DISABLE]

veh_stats2:
  db 8B 86 C8 00 00 00

unregistersymbol(veh_stats2)
unregistersymbol(veh_base2)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "MudRunner.exe"+86B9B5

"MudRunner.exe"+86B98B: 48 3B C2                 -  cmp rax,rdx
"MudRunner.exe"+86B98E: 72 C0                    -  jb MudRunner.exe+86B950
"MudRunner.exe"+86B990: 80 7F 4E 00              -  cmp byte ptr [rdi+4E],00
"MudRunner.exe"+86B994: F3 0F 59 35 10 6C 1A 00  -  mulss xmm6,[MudRunner.exe+A125AC]
"MudRunner.exe"+86B99C: 48 8B 5C 24 50           -  mov rbx,[rsp+50]
"MudRunner.exe"+86B9A1: 74 08                    -  je MudRunner.exe+86B9AB
"MudRunner.exe"+86B9A3: F3 0F 59 35 BD 6F 1A 00  -  mulss xmm6,[MudRunner.exe+A12968]
"MudRunner.exe"+86B9AB: 8B 8E CC 00 00 00        -  mov ecx,[rsi+000000CC]
"MudRunner.exe"+86B9B1: 85 C9                    -  test ecx,ecx
"MudRunner.exe"+86B9B3: 74 2B                    -  je MudRunner.exe+86B9E0
// ---------- INJECTING HERE ----------
"MudRunner.exe"+86B9B5: 8B 86 C8 00 00 00        -  mov eax,[rsi+000000C8]
// ---------- DONE INJECTING  ----------
"MudRunner.exe"+86B9BB: 0F 57 C9                 -  xorps xmm1,xmm1
"MudRunner.exe"+86B9BE: 0F 57 C0                 -  xorps xmm0,xmm0
"MudRunner.exe"+86B9C1: F3 48 0F 2A C1           -  cvtsi2ss xmm0,rcx
"MudRunner.exe"+86B9C6: F3 48 0F 2A C8           -  cvtsi2ss xmm1,rax
"MudRunner.exe"+86B9CB: F3 0F 5E C8              -  divss xmm1,xmm0
"MudRunner.exe"+86B9CF: 0F 2F 0D 46 6E 1A 00     -  comiss xmm1,[MudRunner.exe+A1281C]
"MudRunner.exe"+86B9D6: 76 08                    -  jna MudRunner.exe+86B9E0
"MudRunner.exe"+86B9D8: F3 0F 59 35 1C 6F 1A 00  -  mulss xmm6,[MudRunner.exe+A128FC]
"MudRunner.exe"+86B9E0: 41 B0 01                 -  mov r8l,01
"MudRunner.exe"+86B9E3: 33 D2                    -  xor edx,edx
}
TsTg
Master Cheater
Reputation: 5

Joined: 12 Dec 2012
Posts: 340
Location: Somewhere....

Posted: Thu Apr 07, 2022 12:25 am

Merged scripts; make sure to read my notes too :)
Code:


[ENABLE]
aobscanmodule(veh_stats,MudRunner.exe,F3 0F 10 B0 E8 03 00 00 F3) // script 1 scan pattern
aobscanmodule(veh_stats2,MudRunner.exe,8B 86 C8 00 00 00 0F 57 C9 0F) //script 2

alloc(newmem,$100,"MudRunner.exe"+8E6B5D)  //<----you can use "MudRunner.exe"+86B9B5 too, also one memory allocation is enough

//the following defines stuff for first script
label(code)
label(veh_base)
registersymbol(veh_base)
//then the stuff used in 2nd script
label(code2)
label(veh_base2)
registersymbol(veh_base2)
//these for making the jumps from AOB scan into the memory here
registersymbol(code)
registersymbol(code2)
//register the target addresses here if you need to look at them in memory, etc
registersymbol(veh_stats)
registersymbol(veh_stats2)

newmem:
code:
mov [veh_base],rax
movss xmm6,[rax+000003E8]
jmp veh_stats+8          //jump back to "MudRunner.exe"+8E6B65

veh_base:
dq 0         //changed these to 8 bytes since its storing an address, and game is 64-bit, you can revert it to "dd" if necessary

code2:
mov [veh_base2],rsi
mov eax,[rsi+000000C8]
jmp veh_stats2+6         //jump back to "MudRunner.exe"+86B9BB

veh_base2:      //same as above
dq 0


veh_stats:
  jmp code
  nop
  nop
  nop

veh_stats2:
  jmp code2
  nop



[DISABLE]

veh_stats:
  db F3 0F 10 B0 E8 03 00 00

veh_stats2:
  db 8B 86 C8 00 00 00

unregistersymbol(veh_stats)
unregistersymbol(veh_base)

unregistersymbol(veh_stats2)
unregistersymbol(veh_base2)

unregistersymbol(code)
unregistersymbol(code2)

dealloc(newmem)
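Added example, not code from the thread: a C helper that builds the 5-byte relative jmp plus NOP padding that the auto assembler writes at an injection point and derives the return offset (the `+8` and `+6` in the merged script come from the 8-byte `movss` and 6-byte `mov` being overwritten), plus the inverse decode an integrity check would use to find where such a jmp points; the module base address is a constructed placeholder.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define JMP_REL32_LEN 5   /* E9 <rel32> */
#define MAX_STOLEN 16

typedef struct {
    uint8_t  bytes[MAX_STOLEN];  /* what replaces the original instruction */
    size_t   len;                /* == length of the stolen instruction */
    size_t   nop_count;          /* 0x90 padding after the jmp */
    uint64_t return_addr;        /* the cave must jump back here: site + len */
} detour_t;

/* Build the patch written at `site`: jmp rel32 to `cave`, then NOPs covering the rest of the
   stolen instruction. Returns 0 if the instruction is shorter than the jmp or the cave is
   out of rel32 range (the reason the thread allocates newmem near the injection point). */
int build_detour(uint64_t site, size_t insn_len, uint64_t cave, detour_t *out) {
    if (insn_len < JMP_REL32_LEN || insn_len > MAX_STOLEN) return 0;
    int64_t rel = (int64_t)cave - (int64_t)(site + JMP_REL32_LEN);
    if (rel < INT32_MIN || rel > INT32_MAX) return 0;
    int32_t rel32 = (int32_t)rel;
    out->bytes[0] = 0xE9;
    memcpy(&out->bytes[1], &rel32, sizeof rel32);            /* little-endian on x86 */
    memset(&out->bytes[JMP_REL32_LEN], 0x90, insn_len - JMP_REL32_LEN);
    out->len = insn_len;
    out->nop_count = insn_len - JMP_REL32_LEN;
    out->return_addr = site + insn_len;
    return 1;
}

/* Inverse, as an integrity monitor would use it: if the bytes at `site` start with a
   rel32 jmp, return its destination; otherwise 0. */
uint64_t detour_target(const uint8_t *window, uint64_t site) {
    if (window[0] != 0xE9) return 0;
    int32_t rel32;
    memcpy(&rel32, window + 1, sizeof rel32);
    return site + JMP_REL32_LEN + (uint64_t)(int64_t)rel32;
}
```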
tysman
Cheater
Reputation: 0

Joined: 06 Jan 2020
Posts: 29

Posted: Thu Apr 07, 2022 10:29 am

I see, so the jmp is used in code: and code2:, not in veh_stats: and veh_stats2:, and it's jumping to the offsets below the original injection point.
tysman
Cheater
Reputation: 0

Joined: 06 Jan 2020
Posts: 29

Posted: Thu Apr 07, 2022 7:26 pm

Works great, thanks for the help :)