Cheat Engine The Official Site of Cheat Engine

memorasus (Newbie cheater, Reputation: 0, Joined: 27 Sep 2016, Posts: 19)
Posted: Thu Nov 10, 2016 1:14 pm. Post subject: Could really use some help with an injection copy
I'm trying to make a script for teleporting. I've found the opcode that writes to the player's coordinates and verified that if I change the value at the address/coordinate I can teleport. I tried just using pointer scanning, but unfortunately the game uses a different pointer for every map. Here is the snippet of the function for the coordinate:
Code:
+C01FF - movaps [rbp-70],xmm0
+C0203 - mulps xmm6,xmm10
+C0207 - movaps [rsi+10],xmm6
+C020B - movaps xmm0,[rbp-70]
+C020F - movaps [rsi],xmm0
At this point I'm mainly concerned with being able to make an injection copy. I'm already working on dissecting the structure around the coordinate addresses to identify whether it's me or an enemy. I appreciate any help because I've hit a wall.
edit: cleaned up the code

++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Thu Nov 10, 2016 5:11 pm
You may not have to look at the structure for a unique identifier. Typically, with coordinates, you can use a second injection point that is exclusive to hero player.
Anyway, work on finding an identifier first, before proceeding, as any script that you write will be mostly worthless without it.

memorasus (Newbie cheater, Reputation: 0, Joined: 27 Sep 2016, Posts: 19)
Posted: Thu Nov 10, 2016 5:21 pm
++METHOS wrote:
    You may not have to look at the structure for a unique identifier. Typically, with coordinates, you can use a second injection point that is exclusive to hero player.
    Anyway, work on finding an identifier first, before proceeding, as any script that you write will be mostly worthless without it.
I've found my unique identifier: at offset +24 I have a value of 0, enemies have a value of -0.15. I'm still trying to figure out how to write the value of RSI to a variable I create; nothing seems to work.

++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Fri Nov 11, 2016 2:42 am
That identifier may not be reliable. Typically, you want to avoid any identifiers that contain 0, but not always.
Why are you trying to write the value of RSI? Which of the above lines is your primary injection point?
Anyway, let CE build a script for you, using AOB Injection template, at your primary injection point, and paste it here...then we can assist you further.

memorasus (Newbie cheater, Reputation: 0, Joined: 27 Sep 2016, Posts: 19)
Posted: Fri Nov 11, 2016 11:58 am
Here is my primary injection point:
Code:
+C020F - movaps [rsi],xmm0
Here is the AA script, without any edits, since all my edits don't work:
Code:
[ENABLE]
aobscanmodule(INJECT,RainbowSix.RDsGPolygonSurface2D<RLcHybridArray<RDsSegment,16>,RLcHybridArray<RDs2DTri,16> >::WillMergedPolygonBeConvex+C020F,0F 29 06 E8 B9)
alloc(newmem,2048,RainbowSix.RDsGPolygonSurface2D<RLcHybridArray<RDsSegment,16>,RLcHybridArray<RDs2DTri,16> >::WillMergedPolygonBeConvex+C020F)
stealtheditex(stealth,INJECT,5)
label(originalcode)
label(returnhere)
label(_teleport)
registersymbol(_teleport)
//======================================================
newmem:
movaps [rsi],xmm0
call RainbowSix.RDcBreakAllCutter::GetCutterType+1B9A0
originalcode:
jmp returnhere
//enable:
//db 0
//======================================================
stealth:
_teleport:
jmp newmem
db 90 90 90
returnhere:
[DISABLE]
_teleport:
movaps [rsi],xmm0
call RainbowSix.RDcBreakAllCutter::GetCutterType+1B9A0
unregistersymbol(_teleport)
dealloc(newmem)
Also, while there are a dozen addresses that contain my coordinates, the address at RSI is the only one that actually changes anything when I change the value, and this is the only thing that writes to it. I noticed there is also a static address that always contains my coordinates, but changing it does nothing, and when I try to "see what accesses this address" the game crashes.
edit:
The static address for my coordinates is "RainbowSix.exe"+6194280. Could I potentially cmp the value of the address at RSI to see if it matches, and if so write RSI to my variable, instead of comparing an offset of RSI?
Last edited by memorasus on Fri Nov 11, 2016 12:05 pm; edited 1 time in total

Zanzer (I post too much, Reputation: 126, Joined: 09 Jun 2013, Posts: 3278)
Posted: Fri Nov 11, 2016 12:05 pm
Your problem is you're overwriting a CALL instruction, which changes each time the game loads.
Have you tried simply moving your injection point up by 1 instruction?

++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Fri Nov 11, 2016 12:08 pm
You also did not follow my instructions - you're using a custom template for your script.
Regarding the compare, if you recall, I mentioned using a secondary injection point. I would advise trying that first. If you can't attach on 'what accesses', try using the VEH debugger or different breakpoint/debugger settings.

memorasus (Newbie cheater, Reputation: 0, Joined: 27 Sep 2016, Posts: 19)
Posted: Fri Nov 11, 2016 12:15 pm
Oh oops, I'm sorry. Here is the original; I should have had the injection point up 1 line like Zanzer said. Here is the original AOB injection:
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
aobscanmodule(PlayerLocation,RainbowSix.exe,0F 28 45 90 0F 29 06) // should be unique
alloc(newmem,$1000,"RainbowSix.exe"+210C6AB)
label(code)
label(return)
newmem:
code:
movaps xmm0,[rbp-70]
movaps [rsi],xmm0
jmp return
PlayerLocation:
jmp newmem
nop
nop
return:
registersymbol(PlayerLocation)
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
PlayerLocation:
db 0F 28 45 90 0F 29 06
unregistersymbol(PlayerLocation)
dealloc(newmem)
Regarding a second injection point (I feel so dumb even thinking this), what exactly do you mean? This is the only code that writes to the address. Do you mean to try finding an address close to the RSI address, find out what writes to that, and see if I can inject there?

++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Fri Nov 11, 2016 1:01 pm
Regarding the second injection point, you need to check 'what accesses' the coordinate address (instead of what writes). As I said, you may need to change your debugger/breakpoint settings. Once the debugger shows you the additional instructions, you'll want to check if those opcodes access other addresses by right-clicking on an open white space inside the debugger window. You'll be able to see if any instructions ONLY access the coordinate address, and thus, are exclusive to YOUR coordinates. Once you have this, you can store the address that it accesses and use it inside of your script for your compare.
This may contain errors, but should give you the gist:
Code:
//Target: RainbowSix.exe
//Author: ++METHOS
//Script: Teleport
[ENABLE]
{==================== teleport ====================}
aobscanmodule(aob_teleport,RainbowSix.exe,0F 28 45 90 0F 29 06)
alloc(newmem_teleport,$1000,"RainbowSix.exe"+210C6AB)
label(return_teleport)
label(originalcode_teleport)
label(save_c)
label(load_c)
label(save_coordinates)
label(load_coordinates)
label(x_c)
label(y_c)
label(z_c)
registersymbol(aob_teleport)
registersymbol(save_coordinates)
registersymbol(load_coordinates)
registersymbol(x_c)
registersymbol(y_c)
registersymbol(z_c)
newmem_teleport:
cmp dword ptr [rsi+24],0 //////////////include compare here (the identifier is a 4-byte float, so the compare needs a size)
jne originalcode_teleport
cmp byte ptr [save_coordinates],1
je save_c
cmp byte ptr [load_coordinates],1
je load_c
jmp originalcode_teleport
save_c:
mov byte ptr [save_coordinates],0
push rax
mov eax,[rsi] //x, y and z are 4-byte floats: copy each with a 32-bit move so the three saves do not overlap
mov [x_c],eax
mov eax,[rsi+4]
mov [y_c],eax
mov eax,[rsi+8]
mov [z_c],eax
pop rax
jmp originalcode_teleport
load_c:
mov byte ptr [load_coordinates],0
cmp dword ptr [x_c],0 //nothing saved yet
je originalcode_teleport
movaps xmm0,[rbp-70] //run the original instructions first; the game's own store to [rsi] would otherwise overwrite the restored values
movaps [rsi],xmm0
push rax
mov eax,[x_c]
mov [rsi],eax
mov eax,[y_c]
mov [rsi+4],eax
mov eax,[z_c]
mov [rsi+8],eax
pop rax
jmp return_teleport
originalcode_teleport:
movaps xmm0,[rbp-70]
movaps [rsi],xmm0
jmp return_teleport
save_coordinates:
db 0
load_coordinates:
db 0
x_c:
dd 0
y_c:
dd 0
z_c:
dd 0
aob_teleport:
jmp newmem_teleport
db 90 90
return_teleport:
[DISABLE]
aob_teleport:
db 0F 28 45 90 0F 29 06
unregistersymbol(aob_teleport)
unregistersymbol(save_coordinates)
unregistersymbol(load_coordinates)
unregistersymbol(x_c)
unregistersymbol(y_c)
unregistersymbol(z_c)
dealloc(newmem_teleport)
Once the script is activated, you'll want to create custom addresses for your activation toggles and assign hotkeys for them:
save_coordinates (byte type)
load_coordinates (byte type)
Last edited by ++METHOS on Sat Nov 12, 2016 12:11 am; edited 1 time in total

Betcha (Expert Cheater, Reputation: 4, Joined: 13 Aug 2015, Posts: 232, Location: Somewhere In Space)
Posted: Fri Nov 11, 2016 4:03 pm
++METHOS wrote:
    This may contain errors, but should give you the gist:
I guess this:
Code:
aobscanmodule(PlayerLocation,RainbowSix.exe,0F 28 45 90 0F 29 06)
alloc(newmem,$1000,"RainbowSix.exe"+210C6AB)
Into this:
Code:
aobscanmodule(aob_teleport,RainbowSix.exe,0F 28 45 90 0F 29 06)
alloc(newmem_teleport,$1000,"RainbowSix.exe"+210C6AB)
Awesome script!

++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Sat Nov 12, 2016 12:12 am
Thanks for pointing that out, Betcha.
Post updated.

memorasus (Newbie cheater, Reputation: 0, Joined: 27 Sep 2016, Posts: 19)
Posted: Sat Nov 12, 2016 4:49 pm
Thanks, that actually helped me out a lot. Unfortunately, my compares aren't working right: they seem to sometimes change values, sometimes they don't. As a result, sometimes I teleport, sometimes an enemy does, lol. I'm going to have to dissect more structures, or analyze the traces to see if I can pinpoint something that won't change on me.

++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Sat Nov 12, 2016 4:57 pm
I already gave you the answer, did you try it?

memorasus (Newbie cheater, Reputation: 0, Joined: 27 Sep 2016, Posts: 19)
Posted: Sun Nov 13, 2016 12:16 pm
I'm working on converting it to use stealth edit; without stealth edit the game crashes. But then again this game also crashes all the time without any mods, lol. I think I need to do some more reversing and find a better unique identifier, or something, before trying to run any more injections. I did try implementing the cmp part of the code you provided and it still sometimes would teleport enemies or even, sometimes, a block of wood..?

Betcha (Expert Cheater, Reputation: 4, Joined: 13 Aug 2015, Posts: 232, Location: Somewhere In Space)
Posted: Sun Nov 13, 2016 12:39 pm
memorasus wrote:
    sometimes would teleport enemies or even sometimes, a block of wood..?
It is because there isn't a unique value for the cmp..
Some items / enemies use the same value on your cmp, so:
Dissect the data structure of everything that pops out in:
''Find Out What Addresses This Instruction Accesses''
Move your value into group 2 and write down all group differences.
Restart the game a couple of times, doing the same as I wrote above.
After a few restarts you must end up with a unique cmp.
That will stop teleporting items / enemies with you.
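Betcha's procedure (dissect every structure the instruction touches, put the player's structure in its own group, note the differences, repeat over restarts, keep only what stays unique) is a comparison over snapshots, and writing it down makes the failure mode in this thread visible. The Python below is an added example, not code from the thread or from Cheat Engine. Each snapshot is a `{offset: value}` dict standing in for one object's structure in one session; the player's group is compared against everything else. Apart from the `+24` offset and the `0` / `-0.15` values the thread mentions, every offset and value in `SESSIONS` is constructed for the example, including a crate that also carries `0` at `+24`. Fields whose player value is `0` are reported separately, which is the caveat ++METHOS raised earlier.

```python
# Added example, not code from the thread: a small "structure diff" in the
# spirit of Betcha's procedure. A snapshot is {offset: value} read from one
# object's structure; a session groups the player's snapshot with the
# snapshots of everything else the instruction accessed. Offsets other than
# +24 and all values below are constructed for the example.

VARIES = "varies between sessions"
SHARED = "shared with another object"


def find_stable_discriminators(sessions):
    """Return (candidates, rejected).

    candidates: [(offset, value)] for fields whose player value is identical
      in every session AND never appears in any non-player structure.
    rejected:   {offset: reason} for every other offset, which is the
      "write down all group differences" part of the procedure.
    Values are compared exactly on purpose: a cmp in the script sees raw
    bytes, so 0.0 and -0.15 are simply different bit patterns.
    """
    player_snaps = [s["player"] for s in sessions]
    other_snaps = [o for s in sessions for o in s["others"]]
    # only offsets present in every player snapshot can be compared
    common = set.intersection(*(set(p) for p in player_snaps))
    candidates, rejected = [], {}
    for off in sorted(common):
        values = {p[off] for p in player_snaps}
        if len(values) != 1:
            rejected[off] = VARIES          # changes on restart: useless for a cmp
            continue
        (value,) = values
        if any(o.get(off) == value for o in other_snaps):
            rejected[off] = SHARED          # an enemy or item would match too
            continue
        candidates.append((off, value))
    return candidates, rejected


def rank_candidates(candidates):
    """Split candidates into (preferred, zero_valued): a player value of 0 is
    a common default that an object not seen yet may also carry."""
    preferred = [c for c in candidates if c[1] != 0]
    zero_valued = [c for c in candidates if c[1] == 0]
    return preferred, zero_valued


# Constructed sample data: two sessions (a restart in between).
SESSIONS = [
    {   # session 1: the player and one enemy
        "player": {0x00: 12.5, 0x04: 3.0, 0x08: -7.25, 0x24: 0.0, 0x28: 0, 0x30: 1, 0x34: 0x1A},
        "others": [
            {0x00: 40.0, 0x04: 3.0, 0x08: 11.0, 0x24: -0.15, 0x28: 5, 0x30: 2, 0x34: 0x1A},
        ],
    },
    {   # session 2: the player, an enemy and a wooden crate
        "player": {0x00: -1.0, 0x04: 3.0, 0x08: 5.5, 0x24: 0.0, 0x28: 0, 0x30: 1, 0x34: 0x2B},
        "others": [
            {0x00: 9.0, 0x04: 3.0, 0x08: 0.0, 0x24: -0.15, 0x28: 7, 0x30: 2, 0x34: 0x2B},
            {0x00: 2.0, 0x04: 3.0, 0x08: 2.0, 0x24: 0.0, 0x28: 9, 0x30: 3, 0x34: 0x2B},  # crate: 0 at +24 too
        ],
    },
]


if __name__ == "__main__":
    found, why_not = find_stable_discriminators(SESSIONS)
    good, weak = rank_candidates(found)
    for off, reason in sorted(why_not.items()):
        print(f"+{off:02X}: rejected, {reason}")
    print("usable:", [(f"+{o:02X}", v) for o, v in good])
    print("usable but zero-valued:", [(f"+{o:02X}", v) for o, v in weak])
```

On this data `+24` is rejected because the crate shares the `0`, the per-session id at `+34` is rejected because it changes on restart, and only the constructed `+30` survives as a preferred discriminator; `+28` survives too but is flagged because its player value is `0`.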