Cheat Engine The Official Site of Cheat Engine
NanoByte Expert Cheater Reputation: 1
Joined: 13 Sep 2013 Posts: 222
Posted: Sun Sep 28, 2014 4:51 pm Post subject: double value scripting. Explain if you got time :D
So I tried to make a script as I usually do: right-click the double value, "what writes to this address", and I get a code like "mov [ecx+04],ebp".
Now I expected ebp to be the new value, but it is a high number like 40100000 (the double value is 4 at this point), so I looked around and I found out that it was in xmm0 in the FPU stack, but it could be a coincidence that its double value was 4 like the value I wanted.
So if you guys could point me in the right direction it would be much appreciated. How would you go about making a script that freezes the value at 5?
Rest of the code:
Code:
"gauntlet.exe"+188E11: 75 53 - jne gauntlet.exe+188E66
"gauntlet.exe"+188E13: 39 41 08 - cmp [ecx+08],eax
"gauntlet.exe"+188E16: 75 4E - jne gauntlet.exe+188E66
"gauntlet.exe"+188E18: 83 79 04 FF - cmp dword ptr [ecx+04],-01
"gauntlet.exe"+188E1C: 74 2B - je gauntlet.exe+188E49
"gauntlet.exe"+188E1E: F6 45 04 04 - test byte ptr [ebp+04],04
"gauntlet.exe"+188E22: 0F 85 93 00 00 00 - jne gauntlet.exe+188EBB
"gauntlet.exe"+188E28: 0F B6 46 FD - movzx eax,byte ptr [esi-03]
"gauntlet.exe"+188E2C: 8B 6C C2 04 - mov ebp,[edx+eax*8+04]
"gauntlet.exe"+188E30: 8B 04 C2 - mov eax,[edx+eax*8]
// ---------- INJECTING HERE ----------
"gauntlet.exe"+188E33: 89 69 04 - mov [ecx+04],ebp
"gauntlet.exe"+188E36: 89 01 - mov [ecx],eax
// ---------- DONE INJECTING ----------
"gauntlet.exe"+188E38: 8B 06 - mov eax,[esi]
"gauntlet.exe"+188E3A: 0F B6 CC - movzx ecx,ah
"gauntlet.exe"+188E3D: 0F B6 E8 - movzx ebp,al
"gauntlet.exe"+188E40: 83 C6 04 - add esi,04
"gauntlet.exe"+188E43: C1 E8 10 - shr eax,10
"gauntlet.exe"+188E46: FF 24 AB - jmp dword ptr [ebx+ebp*4]
"gauntlet.exe"+188E49: 83 7D 10 00 - cmp dword ptr [ebp+10],00
"gauntlet.exe"+188E4D: 74 CF - je gauntlet.exe+188E1E
"gauntlet.exe"+188E4F: 89 4C 24 10 - mov [esp+10],ecx
"gauntlet.exe"+188E53: 8B 4D 10 - mov ecx,[ebp+10]
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Sun Sep 28, 2014 5:27 pm Post subject:
Looks like Lua to me.
I had a similar thing while making a trainer for Don't Starve.
mov [ecx+04],ebp
mov [ecx],eax
And it is probably shared code. NOP those two instructions to find out.
I think, in this case, the EBP register and the EAX register contain a double value (8 bytes).
As you probably know, the double type is in reality 8 bytes, so one quadword, or two doublewords, or four words. In the above code, EAX has the low doubleword, EBP has the high doubleword. You must treat it as a pair, like this: EBP:EAX
For some "normal" values (1.0, 2.0, 3.0) EAX will be 00000000, as shown in this table:
Code:
value |   EBP    :   EAX
------------------------------
1.0   | 3FF00000 : 00000000
------------------------------
2.0   | 40000000 : 00000000
------------------------------
3.0   | 40080000 : 00000000
------------------------------
4.0   | 40100000 : 00000000
Now with fractions:
Code:
value    |   EBP    :   EAX
------------------------------------
1.1      | 3FF19999 : 9999999A
------------------------------------
2.212    | 4001B22D : 0E560419
------------------------------------
10.9     | 4025CCCC : CCCCCCCD
------------------------------------
2048.001 | 40100000 : 00000000
EDIT:
Yeah, I'm right. This game http://en.wikipedia.org/wiki/Gauntlet_%282014_video_game%29
runs on the BitSquid engine:
http://www.bitsquid.se/technology.html
And it uses Lua; just read the "Papers and Presentations" part.
Making trainers for such games is more difficult:
1) a lot of compares. In Lua, everything is a table. Every variable is in fact a table entry...
My Don't Starve older main script looks like this: http://pastebin.com/BNSRnvqf
2) hijack the Lua State (the game's Lua, not CE's Lua) - http://forum.cheatengine.org/viewtopic.php?t=564665
My newer version of the trainer for Don't Starve uses this method too.
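Added example, not from any post in this thread: a short Python script that reproduces the EBP:EAX split described above with `struct`, so you can check any value against the tables yourself, and that simulates the two stores from the injected code (`mov [ecx],eax` then `mov [ecx+04],ebp`) into a constructed 16-byte buffer to show why the low dword lands at `[ecx]` and the high dword at `[ecx+4]`. The buffer, the register values and the `frozen_value_after_store` helper are constructed for the example; nothing here is read from the game.

```python
import struct


def double_to_dwords(value):
    """Split an IEEE-754 double into its (high, low) 32-bit halves, i.e. the
    EBP:EAX pair from the post. In little-endian memory the low dword comes first."""
    raw = struct.pack("<d", value)          # 8 bytes exactly as they sit in memory
    low, high = struct.unpack("<II", raw)   # first dword in memory is the low half
    return high, low


def dwords_to_double(high, low):
    """Inverse: rebuild the double from the EBP (high) and EAX (low) dwords."""
    return struct.unpack("<d", struct.pack("<II", low, high))[0]


def store_pair(mem, ecx, eax, ebp):
    """Simulate 'mov [ecx],eax' followed by 'mov [ecx+04],ebp' into a
    constructed bytearray, the same two stores the injected code performs."""
    struct.pack_into("<I", mem, ecx, eax)
    struct.pack_into("<I", mem, ecx + 4, ebp)


def read_double(mem, addr):
    """Read the 8 bytes at addr back as one double."""
    return struct.unpack_from("<d", mem, addr)[0]


def frozen_value_after_store(target):
    """Register pair that writes `target` through the two stores; returns
    (value read back from memory, ebp, eax). Constructed helper for the demo."""
    mem = bytearray(16)                      # constructed stand-in for the object
    ebp, eax = double_to_dwords(target)
    store_pair(mem, 0, eax, ebp)
    return read_double(mem, 0), ebp, eax


if __name__ == "__main__":
    print("   value |   EBP    :   EAX")
    for v in (1.0, 2.0, 3.0, 4.0, 1.1, 2.212, 10.9):
        hi, lo = double_to_dwords(v)
        print(f"{v:>8} | {hi:08X} : {lo:08X}")
    hi, lo = double_to_dwords(4.0)
    # EBP on its own is just the upper half; it only means "4.0" together with EAX.
    print(f"EBP alone reads as the integer {hi} (0x{hi:08X}), "
          f"but EBP:EAX decodes to {dwords_to_double(hi, lo)}")
    print("pair for 5.0 ->", frozen_value_after_store(5.0))
```

The `1.1` row comes out as `3FF19999 : 9999999A` and `10.9` as `4025CCCC : CCCCCCCD`, matching the table, and the "high number" 40100000 from the first post is simply the upper half of 4.0 with a zero lower half.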
NanoByte Expert Cheater Reputation: 1
Joined: 13 Sep 2013 Posts: 222
Posted: Sun Sep 28, 2014 7:12 pm Post subject:
Hehe, I'm still a newbie, just using my logic to make scripts; I really didn't know all the technical stuff behind it.
So double = 8 bytes, got it.
Thanks man, I really appreciate it.
Caliber Expert Cheater Reputation: 2
Joined: 20 Aug 2007 Posts: 102
Posted: Mon Sep 29, 2014 12:48 pm Post subject:
NanoByte wrote:
Hehe, I'm still a newbie, just using my logic to make scripts; I really didn't know all the technical stuff behind it.
So double = 8 bytes, got it.
Thanks man, I really appreciate it.

The best method is to use the variable's descriptor.
Generally, if the value is stored at 'x',
then the descriptor pointer is at 'x+8' or 'x+10'.
THEN at THAT address, the descriptor (i.e. 'gold') is located 10-18 bytes later.
So if the gold is 1000, then search double 1000;
then if that address is 'x',
then 'x+8' is the pointer to the descriptor;
then '(x+8)+10' holds the descriptor text (i.e. 'gold').
Many script-based games are like this.
It's easier (if possible) to completely change the Lua or the scripts themselves before they are compiled, or inject into the Lua compiler, like many did with Payday 2. However, this game is so simple that it was easier to do the descriptor method. With Don't Starve we simply modified the scripts themselves.
However, the real problem is separating the players from the NPCs/enemies, which takes some structure evaluation and reversing of the code. There's already one ripper here on C.E. posting CH code.
I hope this helped. Many games use the descriptor for each variable.
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Mon Sep 29, 2014 3:11 pm Post subject:
Yes, if you read the script from pastebin.com in the above link, you will see almost the same approach.
With "Don't Starve", if v is the address of a value (health, sanity, fuel, maxFuel, whatever) then the value at 'v+0x10' is in fact the address of the 'descriptor' (I think we should call it a 'key'; Lua tables are in fact key/value pairs):
k=[v+0x10]
at 'k+0xC' there is the 'key' string length,
at 'k+0x10' there is the 'key' string.
We could use a built-in string compare function, but it is easier to just use CMP. So, yes, a lot of compares.
Code:
cmp dword ptr [k+10],'curr'
jne notCurrentHealth
cmp dword ptr [k+14],'enth'
jne notCurrentHealth
cmp dword ptr [k+18],'ealt'
jne notCurrentHealth
// health found. Do stuff like this:
fld1
fstp qword ptr [v]
notCurrentHealth:
I had to additionally add this check: "Is the dword at 'v+0x18' equal to 4?"
This check prevented some crashes. This is for DS.
Gauntlet can use a different implementation of Lua, so it could be slightly different (offsets, used registers, etc.).
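Added example, not from any post in this thread: a Python model of the key-matching logic above. It lays the layout the post describes (`[v+0x10]` -> k, length at `k+0xC`, key bytes at `k+0x10`, plus the `[v+0x18] == 4` sanity check) into a constructed bytearray, generates the same chain of dword compares the assembly uses (`'curr'`, `'enth'`, `'ealt'` for `currenthealth`), and shows why every compare in the chain matters: a key such as `currentsanity` passes the first `'curr'` compare and is only rejected by the second. It assumes CE's quoted four-character immediates are laid out so that the compare matches the bytes in memory order, which is what the post's chain relies on; the addresses, key names and values are constructed, not taken from the game, and `pin_if_key` is a hypothetical helper standing in for the `fld1`/`fstp` step.

```python
import struct

# Offsets as described in the post for Don't Starve's Lua build (constructed
# memory image below; offsets may differ in other games, as the post notes).
KEY_PTR_OFF = 0x10   # [v+0x10] -> k, address of the key string
KEY_LEN_OFF = 0x0C   # [k+0x0C] = key string length
KEY_STR_OFF = 0x10   # k+0x10   = key bytes
TAG_OFF     = 0x18   # the post's extra check: dword [v+0x18] == 4
TAG_EXPECT  = 4


def dword_const(four_chars):
    """The immediate that cmp dword ptr [addr],'curr' needs: the 4 bytes as
    they sit in little-endian memory, read as one dword (assumed CE convention)."""
    assert len(four_chars) == 4
    return struct.unpack("<I", four_chars.encode("ascii"))[0]


def compare_chain(key):
    """(offset, immediate) pairs, one per whole dword of the key; the trailing
    partial dword (the 'h' of currenthealth) is covered by the length check."""
    return [(off, dword_const(key[off:off + 4]))
            for off in range(0, len(key) - len(key) % 4, 4)]


def read_dword(mem, addr):
    return struct.unpack_from("<I", mem, addr)[0]


def place_entry(mem, v, k, key, value):
    """Write one constructed table entry: value at v, key struct at k."""
    struct.pack_into("<d", mem, v, value)
    struct.pack_into("<I", mem, v + KEY_PTR_OFF, k)
    struct.pack_into("<I", mem, v + TAG_OFF, TAG_EXPECT)
    struct.pack_into("<I", mem, k + KEY_LEN_OFF, len(key))
    mem[k + KEY_STR_OFF:k + KEY_STR_OFF + len(key)] = key.encode("ascii")


def entry_is(mem, v, key):
    """The post's logic: tag check, length check, then one CMP per dword.
    Any failed compare is the 'jne notCurrentHealth' path."""
    if read_dword(mem, v + TAG_OFF) != TAG_EXPECT:
        return False
    k = read_dword(mem, v + KEY_PTR_OFF)
    if read_dword(mem, k + KEY_LEN_OFF) != len(key):
        return False
    for off, imm in compare_chain(key):
        if read_dword(mem, k + KEY_STR_OFF + off) != imm:
            return False
    return True


def pin_if_key(mem, v, key, new_value):
    """Hypothetical stand-in for 'fld1 / fstp qword ptr [v]': write new_value
    only when the entry at v carries the expected key."""
    if entry_is(mem, v, key):
        struct.pack_into("<d", mem, v, new_value)
        return True
    return False


def demo():
    """Two constructed entries sharing the first dword 'curr'; only the
    matching one is written. Returns (hit1, hit2, value1, value2)."""
    mem = bytearray(0x200)
    place_entry(mem, 0x40, 0x80, "currenthealth", 37.5)
    place_entry(mem, 0xC0, 0x100, "currentsanity", 80.0)
    hit_health = pin_if_key(mem, 0x40, "currenthealth", 1.0)
    hit_sanity = pin_if_key(mem, 0xC0, "currenthealth", 1.0)
    return (hit_health, hit_sanity,
            struct.unpack_from("<d", mem, 0x40)[0],
            struct.unpack_from("<d", mem, 0xC0)[0])


if __name__ == "__main__":
    for off, imm in compare_chain("currenthealth"):
        print(f"cmp dword ptr [k+{KEY_STR_OFF + off:X}],0x{imm:08X}")
    print(demo())
```

Running it prints the three compares with their raw immediates (`[k+10]`, `[k+14]`, `[k+18]`, exactly the offsets in the post) and `(True, False, 1.0, 80.0)`: the health entry is rewritten, the sanity entry is left alone even though its key starts with the same four bytes.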
NanoByte Expert Cheater Reputation: 1
Joined: 13 Sep 2013 Posts: 222
Posted: Tue Sep 30, 2014 7:33 am Post subject:
I never tried Lua before.
I'm gonna give it a go, see how that turns out.
Dayum, that pastebin script is long as hell, almost a book hehe.
MalachXaviel How do I cheat? Reputation: 0
Joined: 05 Oct 2011 Posts: 1
Posted: Thu Oct 02, 2014 11:52 pm Post subject:
You figure that out? I've been dabbling myself with trying to make a table with a working pointer that will lock onto several values in the game (more specifically potions). The values and pointers are easy enough to find, but making any of it stick the old-fashioned way has been a problem for me, so it's got me looking into the scripting side of things now.