Cheat Engine The Official Site of Cheat Engine

ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4300
Posted: Mon Nov 30, 2015 4:15 pm
Code: | cmp dword [edi+30],(float)49.725 |
You're using a comparison meant for integers on floats. Floating point numbers are not integers.
If you want to use the fpu stack, load both values onto it, then use one of the FCOMI instructions. If you want to use SSE, use UCOMISS.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
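
The integer-versus-float comparison issue raised in the reply above, as an added example (not code from the thread). It models `cmp dword` + `jge` as a signed compare of the raw IEEE-754 bits and `ucomiss` + `jae` as an ordered float compare; the two agree for positive values and diverge for negative values, signed zero and NaN. All sample values are constructed, not read from the game.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Raw IEEE-754 bits of a float as a signed 32-bit integer: the value an
   integer `cmp dword [mem],imm32` actually operates on. */
static int32_t float_bits(float f) {
    int32_t i;
    memcpy(&i, &f, sizeof i);
    return i;
}

/* Build a float from an exact bit pattern (used for -0.0 and NaN below). */
static float bits_to_float(uint32_t u) {
    float f;
    memcpy(&f, &u, sizeof f);
    return f;
}

/* Models `cmp dword [a],(float)b` + `jge`: signed compare of bit patterns. */
int int_cmp_ge(float a, float b) { return float_bits(a) >= float_bits(b); }

/* Models `ucomiss a,b` + `jae`: taken only when the operands are ordered
   and a >= b (an unordered result sets CF, so jae falls through). */
int float_cmp_ae(float a, float b) { return a >= b; }

/* Runs both models over constructed sample pairs and returns how many
   pairs get a different branch decision. */
int count_disagreements(int verbose) {
    const float neg_zero = bits_to_float(0x80000000u);
    const float qnan     = bits_to_float(0x7FC00000u);
    const float a[] = { 51.0f, 40.0f, -2.0f, neg_zero, qnan  };
    const float b[] = { 39.0f, 52.0f, -1.0f, 0.0f,     39.0f };
    int bad = 0;
    for (size_t i = 0; i < sizeof a / sizeof a[0]; i++) {
        int ic = int_cmp_ge(a[i], b[i]);
        int fc = float_cmp_ae(a[i], b[i]);
        if (verbose)
            printf("%5g vs %-4g bits %08X vs %08X  cmp/jge=%d  ucomiss/jae=%d%s\n",
                   a[i], b[i],
                   (unsigned)float_bits(a[i]), (unsigned)float_bits(b[i]),
                   ic, fc, ic != fc ? "  <-- differs" : "");
        bad += (ic != fc);
    }
    return bad;
}

int main(void) {
    printf("%d of 5 sample pairs disagree\n", count_disagreements(1));
    return 0;
}
```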

JJXB Newbie cheater Reputation: 0
Joined: 28 Aug 2015 Posts: 20
Posted: Sun Jun 26, 2016 8:16 pm
okay, so after a long time of doing other things, i've come back to this for the moment.
i do have a new script that modifies the FOV in a different way however. my previous method was directly modifying the fpu stack before the fstp but the way it changed the FOV was unpredictable.
now? i intercept the 51 float much earlier and do an addss to modify the xmm0 value after comparing the value in the xmm0 (i make sure to copy the xmm0 value before comparison and put it back on the xmm0 before the end of the script so things work normally). while the compare methods are the same as before (see below the PP quote for my response to that), this has had the net effect of being able to precisely control the FOV plus detection of numbers seems to be more reliable that way.
Code: |
[ENABLE]
aobscanmodule(NewFOVInject,R6Vegas2_Game.exe,14 F3 0F 10 0D F8 92 FA 11 D9 9E) // should be unique
alloc(newmem,$1000)
alloc(xmmComp,16)
alloc(xmmRep,16)
alloc(xmmLAdd,16)
alloc(xmmSAdd,16)
registersymbol(xmmSAdd)
registersymbol(xmmLAdd)
registersymbol(xmmRep)
registersymbol(xmmComp)
label(origCode)
label(PushCode)
label(CompCode1)
label(CompCode2)
label(CompCode3)
label(ModCode1)
label(ModCode2)
label(PopCode)
label(return)
newmem:
PushCode:
movdqu dqword [xmmComp],xmm0
push [xmmComp]
pop [xmmRep]
//mov [xmmLAdd],(float)19
//mov [xmmSAdd],(float)39
jmp CompCode1
CompCode1:
//check lowest end
cmp [xmmComp],(float)39
jge CompCode2
jmp PopCode
CompCode2:
//check highest end
cmp [xmmComp],(float)52
jle CompCode3
jmp origCode
CompCode3:
//check for lean
cmp [xmmComp],(float)41
jle ModCode1
jmp ModCode2
ModCode1:
//lean code
//addss [xmmRep],(float)19
movdqu xmm0,dqword [xmmComp]
addss xmm0,[xmmLAdd]
jmp origCode
ModCode2:
//stand/crouch code
//addss [xmmRep],(float)39
movdqu xmm0,dqword [xmmComp]
addss xmm0,[xmmSAdd]
jmp origCode
PopCode:
movdqu xmm0,dqword [xmmComp]
jmp origCode
origCode:
movss xmm1,[R6Vegas2_Game.Fnx_Gamers_FeatureMeanSubtract+492178]
jmp return
NewFOVInject+01:
jmp PushCode
nop
nop
nop
return:
registersymbol(NewFOVInject)
[DISABLE]
NewFOVInject+01:
db F3 0F 10 0D F8 92 FA 11
unregistersymbol(NewFOVInject)
unregistersymbol(xmmComp)
unregistersymbol(xmmRep)
unregistersymbol(xmmLAdd)
unregistersymbol(xmmSAdd)
dealloc(xmmSAdd)
dealloc(xmmLAdd)
dealloc(xmmRep)
dealloc(xmmComp)
dealloc(newmem) |
i know it probably still needs a heck of a lot of work to be "good code" but i've only been able to do so much about it without any more reference.
and a note on the xmmLAdd and xmmSAdd:
LAdd is the FOV modifier for when leaning out of cover (using the 39 i'd use for standing/crouching when not leaning makes it really wide so i usually use 19)
SAdd is the standing/crouching one. (usually set to 39 to increase from 51 to 90).
in order to modify the added values on the fly just make 2 address entries for xmmLAdd and xmmSAdd respectively and when the script is running you can just enter the mod values. otherwise just uncomment the following lines instead:
Code: | //mov [xmmLAdd],(float)19
//mov [xmmSAdd],(float)39 |
----
now another issue i'm having: pinning down a way to force 3rd person. offline a player can pause midgame and use the "Hold RB and press XBXB LS LS AYAY RS RS" method to go into full third person. but that is disabled in any sort of multiplayer.
so i did what came to mind: look for the 1 and 0 bits that would change in memory when you enter the code. primarily 1-4byte searches but i did also try floats in case the game was an oddball like that. what i got was a lot of memory addresses that change what is visible.
example: in third person, it uses 1 viewmodel of a full player but in 1st person it uses just a viewmodel of arms, gun and legs. i found the bits that enable/disable areas of both the 1st and 3rd person viewmodels in both modes (which produces the third person viewmodel walking around while in first person or a completely invisible 1st person viewmodel depending on the bits set).
but no sleuthing i've been able to do has led me back to the individual bit that says "go into third person" when set. if i had the address for that one thing, i'd be able to possibly force a passive script to modify the value to always be in third person, hence enabling it online.
any ideas on the third person thing or how my current FOV script could be less crap?
----
ParkourPenguin wrote: | ... |
i am aware of this and for the past few months when i have even had the motivation to come back to trying to sort this, i have been trying to take said advice.
but after some poking around in the game, it seems both the FPU and xmm are off limits for storing things temporarily since the game actually uses them. i try even modifying the fpu stack for comparison and the FOV goes to shit because i changed the contents at an earlier point.
xmm0 also holds the 51.00 value at some point (which is how my new method changes it as referenced above) so both FCOMI and UCOMISS seem to be out of the question. so how else would you go about comparison in that case? i've been making an effort to try and figure this shit out so it's not for a lack of trying (regardless of the radar silence i've been giving).
Attachment: R6Vegas2_Game.CT (439.08 KB, downloaded 908 times)

JJXB Newbie cheater Reputation: 0
Joined: 28 Aug 2015 Posts: 20
Posted: Mon Jun 27, 2016 9:53 am
quick update:
after sleeping, i've managed to implement UCOMISS compares instead of cmp compares in the FOV script.
Code: | [ENABLE]
aobscanmodule(NewFOVInject,R6Vegas2_Game.exe,14 F3 0F 10 0D F8 92 FA 11 D9 9E) // should be unique
alloc(newmem,$1000)
alloc(xmmComp,16)
alloc(xmmRep,16)
alloc(xmmLAdd,16)
alloc(xmmSAdd,16)
registersymbol(xmmSAdd)
registersymbol(xmmLAdd)
registersymbol(xmmRep)
registersymbol(xmmComp)
label(origCode)
label(PushCode)
label(CompCode1)
label(CompCode2)
label(CompCode3)
label(ModCode1)
label(ModCode2)
label(PopCode)
label(return)
newmem:
PushCode:
movdqu dqword [xmmComp],xmm0
push [xmmComp]
pop [xmmRep]
movdqu xmm0,dqword [xmmComp]
//mov [xmmLAdd],(float)19
//mov [xmmSAdd],(float)39
jmp CompCode1
// MUST REWRITE ORIGINAL XMM0 VALUE BEFORE COMPARISON
CompCode1:
//check lowest end
//cmp [xmmComp],(float)39
mov [xmmComp],(float)39
movss xmm5,[xmmComp]
ucomiss xmm0,xmm5
jae CompCode2
jmp PopCode
CompCode2:
//check highest end
//cmp [xmmComp],(float)52
mov [xmmComp],(float)0
movss xmm5,[xmmComp]
mov [xmmComp],(float)52
movss xmm5,[xmmComp]
ucomiss xmm0,xmm5
jbe CompCode3
jmp origCode
CompCode3:
//check for lean
//cmp [xmmComp],(float)41
mov [xmmComp],(float)41
movss xmm5,[xmmComp]
ucomiss xmm0,xmm5
jbe ModCode1
jmp ModCode2
ModCode1:
//lean code
//addss [xmmRep],(float)19
mov [xmmComp],(float)0
movss xmm5,[xmmComp]
addss xmm0,[xmmLAdd]
jmp origCode
ModCode2:
//stand/crouch code
//addss [xmmRep],(float)39
mov [xmmComp],(float)0
movss xmm5,[xmmComp]
addss xmm0,[xmmSAdd]
jmp origCode
PopCode:
movdqu xmm0,dqword [xmmComp]
jmp origCode
origCode:
mov [xmmComp],(float)0
movss xmm5,[xmmComp]
movss xmm1,[R6Vegas2_Game.Fnx_Gamers_FeatureMeanSubtract+492178]
jmp return
NewFOVInject+01:
jmp PushCode
nop
nop
nop
return:
registersymbol(NewFOVInject)
[DISABLE]
NewFOVInject+01:
db F3 0F 10 0D F8 92 FA 11
unregistersymbol(NewFOVInject)
unregistersymbol(xmmComp)
unregistersymbol(xmmRep)
unregistersymbol(xmmLAdd)
unregistersymbol(xmmSAdd)
dealloc(xmmSAdd)
dealloc(xmmLAdd)
dealloc(xmmRep)
dealloc(xmmComp)
dealloc(newmem) |
found that during this time, i can modify xmm5 without any negative effects so i've stuck the value i want to compare to in there (the mov of a float into [xmmComp] then the movss of [xmmComp] into xmm5), compared to the value in xmm0 directly with ucomiss and then used jae instead of jge and jbe instead of jle.
so is this any better?

ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4300
Posted: Mon Jun 27, 2016 11:20 am
Code: | [ENABLE]
aobscanmodule(NewFOVInject,R6Vegas2_Game.exe,14 F3 0F 10 0D F8 92 FA 11 D9 9E)
alloc(newmem,1024)
alloc(xmmLAdd,4)
alloc(xmmSAdd,4)
label(exit)
label(return)
registersymbol(NewFOVInject)
registersymbol(xmmSAdd)
registersymbol(xmmLAdd)
newmem:
// check lowest end
push (float)39
ucomiss xmm0,[esp]
jb short exit
// check highest end
mov [esp],(float)52
ucomiss xmm0,[esp]
ja short exit
// check for lean
mov [esp],(float)41
ucomiss xmm0,[esp]
ja short @f
// lean code
addss xmm0,[xmmLAdd]
jmp short exit
@@:
// stand/crouch code
addss xmm0,[xmmSAdd]
exit:
add esp,4
// original code
movss xmm1,[R6Vegas2_Game.Fnx_Gamers_FeatureMeanSubtract+492178]
jmp return
xmmLAdd:
dd (float)0.0
xmmSAdd:
dd (float)0.0
NewFOVInject+01:
jmp newmem
nop
nop
nop
return:
[DISABLE]
NewFOVInject+01:
db F3 0F 10 0D F8 92 FA 11
unregistersymbol(NewFOVInject)
unregistersymbol(xmmLAdd)
unregistersymbol(xmmSAdd)
dealloc(xmmSAdd)
dealloc(xmmLAdd)
dealloc(newmem) |
You can add the symbols xmmLAdd and xmmSAdd to your address list to modify them directly. Append them to the script, right click on the script, and select "Group config -> Hide children when deactivated" to hide those addresses when the script is deactivated.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |

JJXB Newbie cheater Reputation: 0
Joined: 28 Aug 2015 Posts: 20
Posted: Mon Jun 27, 2016 12:40 pm
ParkourPenguin wrote: | ... |
i knew my code needed work but damn. that works better. i think at this point, that's exactly what i wanted to achieve but more compact. i'm just wondering how the FPU stack isn't being corrupted with the line:
Code: | mov [esp],(float)52 |
either way, i'm grateful for the help with that cleanup.
sadly i'm still finding nothing of use to help with the third person forcing script i want to try and make as well. it seems like the bits i *want* to flip are not being found with all my searches. i did look into trying to get the console enabled in a decent fashion on the game to try and work on it like that but i ain't found squat.

ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4300
Posted: Mon Jun 27, 2016 1:06 pm
There's a difference between "the stack" and "the FPU stack". The FPU stack is actually a series of registers that act similar to a stack, while the stack is more or less the memory location ESP is at. push (float)39 subtracts 4 from ESP (allocates space for a local variable) and moves 39 into the new address of [ESP]. From that point on, you don't need to subtract 4 from ESP any more, so you can simply move whatever value you want into [ESP]. When you exit your code injection, you have to clean up your local variable on the stack by adding 4 to ESP.
There may not be a single variable that determines if the game is in 3rd-person or 1st-person. It's probably a combination of many different variables that are set when a certain subroutine is called. If you are able to use it, Ultimap is made for finding calls.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |

JJXB Newbie cheater Reputation: 0
Joined: 28 Aug 2015 Posts: 20
Posted: Mon Jun 27, 2016 1:43 pm
ah. makes sense now.
as for the variables, the engine seems to have a lot of variables to say what parts of what viewmodels are visible at that moment. i found a lot of those so i was figuring that *something* had to trigger them but i couldn't figure out what. now you've mentioned the ultimap, i can see if i can use it.
and i'll also use this post to upload the CT file i have as of writing this post (with your name included as the person who fixed and cleaned up the code in the FOV script).
note to anyone else reading this for the FOV:
this table has a ton of other stuff in it primarily intended for testing and cursory "because i can" (such as Terrorist Hunt infinite health etc). please don't take it online and use those. i haven't tested online and don't plan to. i'll likely release a fully complete table/trainer/both without the actual cheaty shit later on. hopefully with third person view forcing integrated.
Attachment: R6Vegas2_Game.CT (434.95 KB, downloaded 900 times)

JJXB Newbie cheater Reputation: 0
Joined: 28 Aug 2015 Posts: 20
Posted: Wed Dec 07, 2016 4:10 pm
ugh. coming back to this has been a nightmare for TPS. the ultimap function seems kind of awkward and difficult to figure out (and i can't use Ultimap 2 because somehow my CPU doesn't support it) but i did manage to at least make a script to lock the viewmodel when changing modes. but that isn't gonna be of much use because i need to know what code triggers the game to activate the viewmodel change AND the camera position change (which i haven't found yet btw).
is there any way to use the ultimap in a coherent manner or without the crippling framerate issues? and is there some sort of tutorial on it that will help me pinpoint what called the change?

JJXB Newbie cheater Reputation: 0
Joined: 28 Aug 2015 Posts: 20
Posted: Wed Dec 14, 2016 11:49 am
in lieu of progress on the third person part itself (Still looking out for a decent ultimap guide of some sort if anyone has a link or something), i'm looking at the way that the camera is handled. It has two sets of coordinates: the Camera and Character ones (character one being centered on the head).
In first person the camera and character co-ordinates are the same and looking up/down does not change the Z co-ordinates of the camera.
In Third person the camera and character co-ordinates are different and the Z co-ordinates of the Camera change as you look up and down.
looking at what modifies the camera's Z co-ordinates left me with a possible hook point to change values of the Z co-ord but as to how? that's what i've got to work on. i'm thinking that the command that puts the co-ordinate into the right place can be manipulated to either add or subtract by an amount, making it possible to change the position of the camera in first and third person somehow.
Why work on the Z axis first? the X and Y axis seem to be tougher nuts to crack as co-ordinate positions for those are worked out in a harder way due to level co-ordinates being the basis of player and camera position.
Either way, would love some assistance somewhere in this bog of confusion and ideas
Edit:
okay, i have some stuff to do with the camera setup as demonstrated in the video:
https://youtu.be/4Jtumpgxm1M
as it is they do the old method that uses extra fadds since i haven't found any xmm stuff for the camera co-ords as is. but i can adapt them as happened with the FOV script to some degree when i do.
Any ideas as to where i could go from here? with either TPS (ultimap) or camera modifications? i fully realise that this could probably lead to some weird camera fly trick for other things too if i can get some sort of angle modification to have a full 360 degree modifiable camera. but as is? i'd need some sort of help on getting things to a decent standard

JJXB Newbie cheater Reputation: 0
Joined: 28 Aug 2015 Posts: 20
Posted: Wed Dec 21, 2016 1:27 pm
ugh. still little to no progress because i've hit that wall of uncertainty again. but i have messed around with the camera mods a little more anyway and found that if i just feed it direct co-ordinates somehow the camera is still being changed in small part by player movement.
sometimes this shit really is confusing as anything. so again, putting out a call for any help on this at all. uploading the latest CT file for anyone interested in trying the camera stuff and hoping that someone else wants to give some help with my aims
Attachment: R6Vegas2_Game.CT (492.79 KB, downloaded 989 times)

JJXB Newbie cheater Reputation: 0
Joined: 28 Aug 2015 Posts: 20
Posted: Wed Jan 04, 2017 3:21 pm
Okay, Ultimap ended up kind of working and getting me somewhere so now i'm at a stage where i am at the function that changes the view as far as i know. now? i want to invoke it at will. what would be the best way of calling the function if i know the name address and want to do it via button press/combo? some sort of key detection in the AA script possible without LUA (i have no clue what i'm doing with LUA)? i just want to get it to run the function that runs whenever i put in the XBXB LS LS YAYA RS RS button in singleplayer on the pause menu through a simpler keypress that works at anytime.

JJXB Newbie cheater Reputation: 0
Joined: 28 Aug 2015 Posts: 20
Posted: Mon Apr 10, 2017 12:55 pm Post subject: Help Wanted
After a long time of not posting, i have managed to get closer to Third Person:
i have found some of the button check code but triggering it without the button input at all crashes (presumably because it's not set up correctly as far as memory addresses)
R6Vegas2_Game.DareObjectFactory::DareObjectFactory+90B12E - test eax,eax
This is part of the general button detection code
R6Vegas2_Game.DareObjectFactory::DareObjectFactory+3296BD - FF D2 - call edx
This must be the thing that triggers the action of the button/combo of buttons based on what edx is.
i cannot however figure out what sets edx for execution and directs it to the right edx.
plus how would i go about setting up the right memory map overall for that instruction/function to be executed? ideally i want to be able to set one bit that then executes the cascade of functions, leaving me able to assign that bit change to a button, essentially replacing the long string of inputs that you use normally to see if i can execute them outside of singleplayer (which i still have no clue how to do by the way and haven't been able to figure out)