Cheat Engine Forum - The Official Site of Cheat Engine

Help with understanding some code - can't pin down an inject

Cheat Engine Forum Index -> General Gamehacking

gid2525
Expert Cheater
Reputation: 2

Joined: 21 Oct 2013
Posts: 101

PostPosted: Tue Jan 24, 2017 10:29 am    Post subject: Help with understanding some code - can't pin down an inject

So I am trying to create a table for Stars in Shadow. All the values are DOUBLE and can be searched and found easily (although they are dynamic and change every game load). I tried pointer scanning up to level 7, higher offset, etc. and after many hours came up empty, so I need to inject. Well, the problem is I am not understanding where I can do this. I get the credits value, find out what accesses this address, and I get:


Code:

nop [rax+rax+00]
cmp dword ptr [rbx+08],45 { 69 }
jne sis64.exe+45034
mov rsi,[rbx]
mov rdx,r15
mov rcx,rsi
call sis64.exe+41900
mov r14,rax
cmp dword ptr [rax+08],00 { 0 }
jne sis64.exe+45006
mov rcx,[rsi+10]
test rcx,rcx
je sis64.exe+45006
test byte ptr [rcx+0A],01 { 1 }
jne sis64.exe+45006
mov r8,[rbp+18]
xor edx,edx
mov r8,[r8+00000108]
call sis64.exe+459D0
mov rdx,rax
test rax,rax
jne sis64.exe+4504B
mov rax,[r14] <---- this is what accesses my credits, metals, influence, etc. 
mov [r12],rax
mov eax,[r14+08]
mov [r12+08],eax
mov r14,[rsp+58]
mov rsi,[rsp+50]
mov rbx,[rsp+60]
mov rbp,[rsp+68]
add rsp,30 { 48 }
pop r15
pop r12
pop rdi
ret
xor r8d,r8d
mov rdx,rbx
mov rcx,rbp
call sis64.exe+45A10
mov rdx,rax
cmp dword ptr [rax+08],00 { 0 }
je sis64.exe+45092
mov eax,[rdx+08]
and eax,0F { 15 }


So for the mov rax,[r14] I choose "Find out what addresses this instruction accesses" and it's hundreds! Same with the addresses around it. What's more, when I find the value for metals, for influence, for research, it's the SAME address with the mov rax,[r14] and ONLY that one, which of course accesses hundreds of addresses. It seems like it handles all kinds of things in the game. It's a 4X game, so using the structure viewer to compare is difficult as I can't really tell what the values of the other empires are.

With the "find out what addresses this instruction accesses" I did notice, when looking at the register states, that the register RCX differs and seems like it's always the same for the particular game resources:

Here is a screenshot:
http://i64.tinypic.com/2hg67ok.jpg

So the RCX register
RCX=9B for Metals
RCX=4B for credits
RCX=82 for influence

They seem to be the same through different games; maybe other stuff in the game may have an RCX value on that operation as well, but what can I do with it? Here is a basic AOB script for it, and THANKS for the help!

Code:

{ Game   : sis64.exe
  Version:
  Date   : 2017-01-24
  Author : Gid

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(things,sis64.exe,09 00 00 48 8B D0 48 85 C0 75 45 49 8B 06 49 89 04 24) // should be unique
alloc(newmem,$1000,"sis64.exe"+45006)

label(code)
label(return)

newmem:

code:
  mov rax,[r14]
  mov [r12],rax
  jmp return

things+0B:
  jmp newmem
  nop
  nop
return:
registersymbol(things)

[DISABLE]

things+0B:
  db 49 8B 06 49 89 04 24

unregistersymbol(things)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "sis64.exe"+45006

"sis64.exe"+44FE4: 74 20                    -  je sis64.exe+45006
"sis64.exe"+44FE6: F6 41 0A 01              -  test byte ptr [rcx+0A],01
"sis64.exe"+44FEA: 75 1A                    -  jne sis64.exe+45006
"sis64.exe"+44FEC: 4C 8B 45 18              -  mov r8,[rbp+18]
"sis64.exe"+44FF0: 33 D2                    -  xor edx,edx
"sis64.exe"+44FF2: 4D 8B 80 08 01 00 00     -  mov r8,[r8+00000108]
"sis64.exe"+44FF9: E8 D2 09 00 00           -  call sis64.exe+459D0
"sis64.exe"+44FFE: 48 8B D0                 -  mov rdx,rax
"sis64.exe"+45001: 48 85 C0                 -  test rax,rax
"sis64.exe"+45004: 75 45                    -  jne sis64.exe+4504B
// ---------- INJECTING HERE ----------
"sis64.exe"+45006: 49 8B 06                 -  mov rax,[r14]
"sis64.exe"+45009: 49 89 04 24              -  mov [r12],rax
// ---------- DONE INJECTING  ----------
"sis64.exe"+4500D: 41 8B 46 08              -  mov eax,[r14+08]
"sis64.exe"+45011: 41 89 44 24 08           -  mov [r12+08],eax
"sis64.exe"+45016: 4C 8B 74 24 58           -  mov r14,[rsp+58]
"sis64.exe"+4501B: 48 8B 74 24 50           -  mov rsi,[rsp+50]
"sis64.exe"+45020: 48 8B 5C 24 60           -  mov rbx,[rsp+60]
"sis64.exe"+45025: 48 8B 6C 24 68           -  mov rbp,[rsp+68]
"sis64.exe"+4502A: 48 83 C4 30              -  add rsp,30
"sis64.exe"+4502E: 41 5F                    -  pop r15
"sis64.exe"+45030: 41 5C                    -  pop r12
"sis64.exe"+45032: 5F                       -  pop rdi
}
mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: In the country on the Vistula. UTC+01:00

PostPosted: Tue Jan 24, 2017 3:00 pm

Code:
[ENABLE]

aobscanmodule(things,sis64.exe,09 00 00 48 8B D0 48 85 C0 75 45 49 8B 06 49 89 04 24) // should be unique
alloc(newmem,$1000,"sis64.exe"+45006)

label(code)
label(return)
label(orig)

newmem:

code:
  cmp ecx,4B        // RCX=4B is the id seen for credits
  jne orig
  lea r14,[r14]     // touches no memory, but only runs for the 4B case: a place to hook "find out what addresses this instruction accesses"
orig:
  mov rax,[r14]     // original code
  mov [r12],rax
  jmp return

things+0B:
  jmp newmem
  nop
  nop
return:
registersymbol(things)

[DISABLE]

things+0B:
  db 49 8B 06 49 89 04 24

unregistersymbol(things)
dealloc(newmem)


Activate above script, go to "sis64.exe"+45006, follow jmp, highlight "lea r14,[r14]" and choose "Find out What addresses this instruction accesses"

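The reply above only marks the 4B case so the address can be observed in the debugger. The script below is an added example, not code from either poster, that takes the same filter one step further: instead of a no-op hook it stores r14 (the pointer the original mov reads from) into an 8-byte slot inside newmem, one slot per resource id from the first post (4B credits, 9B metals, 82 influence), and registers those slots as symbols so the address list can use them as pointer bases. The symbol names credits_ptr, metals_ptr and influence_ptr, the not_* labels, and the assumption that r14 points straight at the DOUBLE value are all this example's own choices, not something the thread confirms.

```asm
[ENABLE]

aobscanmodule(things,sis64.exe,09 00 00 48 8B D0 48 85 C0 75 45 49 8B 06 49 89 04 24) // should be unique
alloc(newmem,$1000,"sis64.exe"+45006)

label(code)
label(return)
label(not_credits)
label(not_metals)
label(not_influence)
label(credits_ptr)      // hypothetical symbol names: one 8-byte slot per resource
label(metals_ptr)
label(influence_ptr)
registersymbol(things)
registersymbol(credits_ptr)
registersymbol(metals_ptr)
registersymbol(influence_ptr)

newmem:
  // Clobbering flags is safe here: the jne at sis64.exe+45004 has already consumed them
  // and nothing between the injection point and the ret reads them again.
  cmp ecx,4B            // RCX=4B observed for credits (first post)
  jne not_credits
  mov [credits_ptr],r14
not_credits:
  cmp ecx,9B            // RCX=9B observed for metals
  jne not_metals
  mov [metals_ptr],r14
not_metals:
  cmp ecx,82            // RCX=82 observed for influence
  jne not_influence
  mov [influence_ptr],r14
not_influence:

code:
  mov rax,[r14]         // original instructions, unchanged
  mov [r12],rax
  jmp return

// Storage for the captured pointers. Each slot holds the most recent r14 seen
// with that id, so it stays 0 until the game has executed the hook for that id.
credits_ptr:
  dq 0
metals_ptr:
  dq 0
influence_ptr:
  dq 0

things+0B:
  jmp newmem
  nop
  nop
return:

[DISABLE]

things+0B:
  db 49 8B 06 49 89 04 24

unregistersymbol(things)
unregistersymbol(credits_ptr)
unregistersymbol(metals_ptr)
unregistersymbol(influence_ptr)
dealloc(newmem)
```

To use it, add an address manually in the table, tick Pointer, put credits_ptr as the base with offset 0 and set the type to Double; the entry resolves once the game has run the hook with RCX=4B. Because the slot keeps whichever r14 was seen last, a second id that shares RCX=4B (as the next post reports) would overwrite it; narrowing that down means adding another cmp on whatever register does differ between those hits, in exactly the same pattern as the cmp ecx above.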
gid2525
Expert Cheater
Reputation: 2

Joined: 21 Oct 2013
Posts: 101

PostPosted: Tue Jan 24, 2017 6:10 pm

Well, it looks like there are other 4B values on RCX. Looking at these and at the screenshot from the first post, maybe the count is on RBX??

Here is what your script showed (the 900 is my credits):

http://i67.tinypic.com/8wcs2c.jpg


Hmm, looks like RBX values change but the credits are always in the 4B RCX group. Btw, when I disable that script the game crashes occasionally. But it looks like we are on the right track. But how to get it down to just the credit value?


Oh, I did find a way to get the enemy AI credit amount. Here is the structure view of my credits (the first address is mine and then two of the other AI players):

http://i64.tinypic.com/23lmf7k.jpg

All the addresses are dynamic and change during each game load. Not sure exactly what I can do with this info. Thanks!
mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: In the country on the Vistula. UTC+01:00

PostPosted: Thu Jan 26, 2017 8:01 am

Did you read tutorials about creating filters?
gid2525
Expert Cheater
Reputation: 2

Joined: 21 Oct 2013
Posts: 101

PostPosted: Thu Jan 26, 2017 10:11 am

I did but I can't get any sort of stable offsets as entire areas shift around from game load to game load. It seems like I need to be able to pin down at least ONE opcode with an offset. All the info for everything, all stats for everyone reads from that one opcode: mov rax,[r14]

Even if I filtered for the player empire versus the ai, the entire structure for everyone would just shift around from game load to game load anyway. I saw the structure filtering part of the CE tutorial but I am not sure how to proceed or which method to use to pin it down. Are there any tutorials about this specific scenario on the forum? I searched but have not found it yet.

I know if I can find a method for getting an injection on just one of the items (credits, for instance) I can duplicate it for all the other game values I want, because that same opcode (and ONLY that opcode) affects everything.

Thanks!
gid2525
Expert Cheater
Reputation: 2

Joined: 21 Oct 2013
Posts: 101

PostPosted: Sun Feb 19, 2017 6:33 am

Well, Endless Space 2 pre access uses the SAME methods! Can anyone make a table for Endless Space 2 pre access or Stars in Shadow with just a few options to show me how this is done? Pretty please! It's definitely a skill I need to know, but the other tutorials on filtering really don't get into this scenario.

Thanks!