Cheat Engine The Official Site of Cheat Engine
peddroelm, Advanced Cheater, Reputation: 0
Joined: 03 Oct 2014, Posts: 84
Posted: Fri Dec 29, 2017 4:51 am, Post subject: I need help with AOB template
Context:
I want to log (print) the attacker's Attack Power stat (and the entity memory address, which lacks Name info) each time it performs an attack. (The actual damage logging is performed by a different, similar Lua function triggered by another AOB scan.)
My current problem is:
- all attacks start doing only 1 damage with this script enabled (the AP value printed in the Lua function is OK)
- it makes the game unstable and relatively quickly crashes it
Script below:
Code:
[ENABLE]
loadlibrary(luaclient-x86_64.dll)
luacall(openLuaServer('CELUASERVER'))
CELUA_ServerName:
db 'CELUASERVER',0
{$lua}
if syntaxcheck then return end
print("iz on");
function logAttack(params)
local AP = readFloat(params);
print(string.format("Attacker's AP: %5.2f", AP));
end
{$asm}
aobscan(ReadAPBeforeAttack,F3 0F 10 81 D4 00 00 00 F3 0F 5A C0 F2 0F 5A E8 F3 0F 11 AD) // should be unique
alloc(newmem,$1000,38E49064)
alloc(LUA_attackScript,$1000)
alloc(logParams,$1000) // some memory space to pass parameters to the Lua function
label(code)
label(return)
LUA_attackScript:
db 'logAttack(parameter)',0
newmem:
push r8 // save all registers we might clobber
push r9
push r10
push r11
push rbx
push rcx
push rdx
push rax
movss xmm0,[rcx+000000D4] // original instruction
mov r8, [rcx+000000D4]
mov [logParams], r8 // value about to be written
mov [logParams+100], rcx // pointer to Entity Data structure
mov rcx, LUA_attackScript // our custom Lua function
mov rdx, logParams // parameters to be read by the Lua function
sub rsp, 0x28 // Win 10 stack alignment something
call CELUA_ExecuteFunction // the Lua function call
add rsp, 0x28
pop rax
pop rdx
pop rcx
pop rbx
pop r11
pop r10
pop r9
pop r8
code:
jmp return
ReadAPBeforeAttack:
jmp newmem
nop
nop
nop
return:
registersymbol(ReadAPBeforeAttack)
[DISABLE]
ReadAPBeforeAttack: // label must match the symbol registered in [ENABLE]
db F3 0F 10 81 D4 00 00 00
unregistersymbol(ReadAPBeforeAttack)
dealloc(LUA_attackScript)
dealloc(logParams)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: 38E49064
""+38E4903B: 48 8B 85 E0 F6 FF FF - mov rax,[rbp-00000920]
""+38E49042: 83 38 00 - cmp dword ptr [rax],00
""+38E49045: 48 8B 85 E0 F6 FF FF - mov rax,[rbp-00000920]
""+38E4904C: 48 8B 40 18 - mov rax,[rax+18]
""+38E49050: 48 8B 4E 18 - mov rcx,[rsi+18]
""+38E49054: 48 8B D1 - mov rdx,rcx
""+38E49057: 83 3A 00 - cmp dword ptr [rdx],00
""+38E4905A: 48 8B 49 18 - mov rcx,[rcx+18]
""+38E4905E: 48 8B D1 - mov rdx,rcx
""+38E49061: 83 3A 00 - cmp dword ptr [rdx],00
// ---------- INJECTING HERE ----------
""+38E49064: F3 0F 10 81 D4 00 00 00 - movss xmm0,[rcx+000000D4]
// ---------- DONE INJECTING ----------
""+38E4906C: F3 0F 5A C0 - cvtss2sd xmm0,xmm0
""+38E49070: F2 0F 5A E8 - cvtsd2ss xmm5,xmm0
""+38E49074: F3 0F 11 AD A4 F6 FF FF - movss [rbp-0000095C],xmm5
""+38E4907C: F3 0F 10 85 A4 F6 FF FF - movss xmm0,[rbp-0000095C]
""+38E49084: F3 0F 5A C0 - cvtss2sd xmm0,xmm0
""+38E49088: 48 8B C8 - mov rcx,rax
""+38E4908B: BA 40 12 C4 2E - mov edx,2EC41240
""+38E49090: F2 0F 10 D0 - movsd xmm2,xmm0
""+38E49094: F2 0F 5A D2 - cvtsd2ss xmm2,xmm2
""+38E49098: 48 83 EC 20 - sub rsp,20
}
Dark Byte, Site Admin, Reputation: 458
Joined: 09 May 2003, Posts: 25287, Location: The Netherlands
Posted: Fri Dec 29, 2017 5:04 am
First replace
Code:
alloc(newmem,$1000,38E49064)
with
Code:
alloc(newmem,$1000,ReadAPBeforeAttack)
Are you sure it's sub rsp,28 there? I see from the original code that the stack is already aligned, and you have an even number of pushes, so I think sub rsp,20 / add rsp,20 is better here.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
peddroelm, Advanced Cheater, Reputation: 0
Joined: 03 Oct 2014, Posts: 84
Posted: Fri Dec 29, 2017 5:48 am
The sub rsp,28 is time-tested over many hours of testing on multiple machines and by multiple testers: 28 for Win 10, 20 for Win 7.
Code:
{$lua}
getSettings('andromeda').Value['enableWindows7Compatibility'] = 1;
writeInteger('stackAlignmentOffset', 0x20);
[DISABLE]
{$lua}
getSettings('andromeda').Value['enableWindows7Compatibility'] = 0;
writeInteger('stackAlignmentOffset', 0x28);
I also have this script on the table, and it works quite well.
Code:
{$asm}
aobscan(DamageOne,F3 0F 11 6E 78 48 8B 75) // should be unique
alloc(newmem,$1000,DamageOne)
alloc(LUA_HP_DamageScript,$1000)
alloc(logHPParams,$1000) // some memory space to pass parameters to the Lua function
label(code)
label(return)
LUA_HP_DamageScript:
db 'logHPChange(parameter)',0
newmem:
push r8 // save all registers we might clobber
push r9
push r10
push r11
push rcx
push rdx
push rax
movss [logHPParams], xmm5 // damage value about to be written
mov r8, [rsi+78]
mov [logHPParams+4], r8 // hit point value before damage
mov [logHPParams+100], rsi // pointer to Entity Data structure
//movss [rsi+78],xmm5 // original instruction
mov rcx, LUA_HP_DamageScript //
mov rdx, logHPParams // parameters to be read by the Lua function
sub rsp, 0x28 // Win 10 stack alignment something
call CELUA_ExecuteFunction // the call
add rsp, 0x28
pop rax
pop rdx
pop rcx
pop r11
pop r10
pop r9
pop r8
code:
jmp return
DamageOne:
jmp newmem
return:
registersymbol(DamageOne)
[DISABLE]
DamageOne:
db F3 0F 11 6E 78
unregistersymbol(DamageOne)
dealloc(newmem)
dealloc(LUA_HP_DamageScript)
dealloc(logHPParams)
{
// ORIGINAL CODE - INJECTION POINT: 23EB0172
""+23EB0145: F3 0F 5A D2 - cvtss2sd xmm2,xmm2
""+23EB0149: F2 0F 5A D2 - cvtsd2ss xmm2,xmm2
""+23EB014D: F2 0F 5A C9 - cvtsd2ss xmm1,xmm1
""+23EB0151: F2 0F 5A C0 - cvtsd2ss xmm0,xmm0
""+23EB0155: 48 83 EC 20 - sub rsp,20
""+23EB0159: 49 BB A0 6B 8F 06 00 00 00 00 - mov r11,00000000068F6BA0
""+23EB0163: 41 FF D3 - call r11
""+23EB0166: 48 83 C4 20 - add rsp,20
""+23EB016A: F3 0F 5A C0 - cvtss2sd xmm0,xmm0
""+23EB016E: F2 0F 5A E8 - cvtsd2ss xmm5,xmm0
// ---------- INJECTING HERE ----------
""+23EB0172: F3 0F 11 6E 78 - movss [rsi+78],xmm5
// ---------- DONE INJECTING ----------
""+23EB0177: 48 8B 75 F8 - mov rsi,[rbp-08]
""+23EB017B: C9 - leave
""+23EB017C: C3 - ret
""+23EB017D: 00 00 - add [rax],al
""+23EB017F: 00 00 - add [rax],al
""+23EB0181: 00 00 - add [rax],al
""+23EB0183: 00 6D 00 - add [rbp+00],ch
""+23EB0186: 00 00 - add [rax],al
""+23EB0188: 7C 00 - jl 23EB018A
""+23EB018A: 00 00 - add [rax],al
}
Dark Byte, Site Admin, Reputation: 458
Joined: 09 May 2003, Posts: 25287, Location: The Netherlands
Posted: Fri Dec 29, 2017 8:28 am
That script with the uneven pushes will require 28, yes, but with 8 it should be 20.
peddroelm, Advanced Cheater, Reputation: 0
Joined: 03 Oct 2014, Posts: 84
Posted: Fri Dec 29, 2017 9:10 am
Both scripts have an even number of pushes.
Somebody suggested my script might perhaps somehow alter one of the xmm registers. So should I maybe try to back up and restore them too?
How?
Dark Byte, Site Admin, Reputation: 458
Joined: 09 May 2003, Posts: 25287, Location: The Netherlands
Posted: Sat Dec 30, 2017 3:32 am
Use movaps to store the previous xmm registers.
Also, try stepping over the call and check which xmm registers change, so you can save only those.
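The two points Dark Byte raises in this thread (shadow space versus alignment in the sub rsp value, and preserving the xmm registers with movaps) combine into one hook body. The block below is an added example, not code from the thread or from Cheat Engine itself; it reuses the symbols of the first script (newmem, logParams, LUA_attackScript, CELUA_ExecuteFunction, return) and assumes, as Dark Byte reads from the original code, that rsp is 16-byte aligned at the injection point. Under the Windows x64 calling convention xmm0 to xmm5 are volatile, so a call may overwrite them; the original script loads xmm0 and then calls CELUA_ExecuteFunction, which is one way the value used by the following cvtss2sd/cvtsd2ss can end up changed. Numbers are hex, as in the rest of the script.

```asm
// Added example (not from the thread): hook body for the first script with
// xmm0-xmm5 saved around the Lua call. Assumes rsp is 16-byte aligned at the
// injection point and reuses the first script's symbols.
newmem:
push r8              // 8 pushes = 40 (hex) bytes: an even count keeps rsp 16-byte aligned
push r9
push r10
push r11
push rbx
push rcx
push rdx
push rax
sub rsp,60           // 6 x 16 bytes for xmm0-xmm5 (volatile under the Win64 calling convention)
movaps [rsp],xmm0    // movaps needs a 16-byte aligned address; movups has no alignment requirement if that cannot be guaranteed
movaps [rsp+10],xmm1
movaps [rsp+20],xmm2
movaps [rsp+30],xmm3
movaps [rsp+40],xmm4
movaps [rsp+50],xmm5
mov r8,[rcx+000000D4]
mov [logParams],r8         // AP value the game is about to read
mov [logParams+100],rcx    // pointer to the entity data structure
mov rcx,LUA_attackScript   // our custom Lua function
mov rdx,logParams          // parameters to be read by the Lua function
sub rsp,20           // shadow space only: rsp is already aligned after an even number of pushes (7 pushes would need 28)
call CELUA_ExecuteFunction
add rsp,20
movaps xmm0,[rsp]    // restore in the same slots
movaps xmm1,[rsp+10]
movaps xmm2,[rsp+20]
movaps xmm3,[rsp+30]
movaps xmm4,[rsp+40]
movaps xmm5,[rsp+50]
add rsp,60
pop rax
pop rdx
pop rcx
pop rbx
pop r11
pop r10
pop r9
pop r8
movss xmm0,[rcx+000000D4]  // original instruction, executed after the restore so xmm0 holds what the game expects
code:
jmp return
```

The arithmetic behind the sub rsp value: at the call, rsp must be a multiple of 16 and the callee needs 20 (hex) bytes of shadow space. Eight pushes are 40 bytes, so sub rsp,20 leaves an aligned stack; the seven-push script in the second post is 38 bytes of pushes, which is 8 bytes off, and sub rsp,28 brings it back while still providing the shadow space. An rsp that is off by 8 at the call is exactly what makes an aligned SSE access inside the callee fault, which shows up as random instability rather than a clean error. Following Dark Byte's suggestion of stepping over the call to see which xmm registers actually change lets you drop the slots for the ones that are untouched.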
peddroelm, Advanced Cheater, Reputation: 0
Joined: 03 Oct 2014, Posts: 84
Posted: Sat Dec 30, 2017 7:59 am
I will try that when I get back to it (hopefully) in a few days.