thirst for knowledge Cheater Reputation: 0
Joined: 15 Jan 2014 Posts: 28 Location: Russia
Posted: Tue Jan 09, 2018 1:50 pm Post subject: Company of Heroes 2 Question about the script |
Hi guys. Help me understand the script: when I create a "your-enemy" filter, the game gives an error. How do I write the script correctly? What am I doing wrong?
newmem:
code:
push ebx
lea ebx,[esi]
cmp [ebx+1b8],0
pop ebx
jne @f
mov [esp+30],0 //<<Here is the value I need, which I need to change to 0
movss xmm0,[eax+04]
jmp return
@@:
movss xmm0,[eax+04]
jmp return
address:
jmp newmem
return:
[DISABLE]
address:
db bytes
// movss xmm0,[eax+04]
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "RelicCoH2.exe"+F75762
"RelicCoH2.exe"+F75741: F3 0F 58 40 1C - addss xmm0,[eax+1C]
"RelicCoH2.exe"+F75746: F3 0F 11 40 1C - movss [eax+1C],xmm0
"RelicCoH2.exe"+F7574B: C2 04 00 - ret 0004
"RelicCoH2.exe"+F7574E: CC - int 3
"RelicCoH2.exe"+F7574F: CC - int 3
"RelicCoH2.exe"+F75750: 8B C1 - mov eax,ecx
"RelicCoH2.exe"+F75752: 8B 4C 24 04 - mov ecx,[esp+04]
"RelicCoH2.exe"+F75756: F3 0F 10 00 - movss xmm0,[eax]
"RelicCoH2.exe"+F7575A: F3 0F 5C 01 - subss xmm0,[ecx]
"RelicCoH2.exe"+F7575E: F3 0F 11 00 - movss [eax],xmm0
// ---------- INJECTING HERE ----------
"RelicCoH2.exe"+F75762: F3 0F 10 40 04 - movss xmm0,[eax+04]
// ---------- DONE INJECTING ----------
"RelicCoH2.exe"+F75767: F3 0F 5C 41 04 - subss xmm0,[ecx+04]
"RelicCoH2.exe"+F7576C: F3 0F 11 40 04 - movss [eax+04],xmm0
"RelicCoH2.exe"+F75771: F3 0F 10 40 08 - movss xmm0,[eax+08]
"RelicCoH2.exe"+F75776: F3 0F 5C 41 08 - subss xmm0,[ecx+08]
"RelicCoH2.exe"+F7577B: F3 0F 11 40 08 - movss [eax+08],xmm0
"RelicCoH2.exe"+F75780: F3 0F 10 40 0C - movss xmm0,[eax+0C]
"RelicCoH2.exe"+F75785: F3 0F 5C 41 0C - subss xmm0,[ecx+0C]
"RelicCoH2.exe"+F7578A: F3 0F 11 40 0C - movss [eax+0C],xmm0
"RelicCoH2.exe"+F7578F: F3 0F 10 40 10 - movss xmm0,[eax+10]
"RelicCoH2.exe"+F75794: F3 0F 5C 41 10 - subss xmm0,[ecx+10]
}
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Tue Jan 09, 2018 4:31 pm Post subject: |
Code looks mostly OK.
But the "lea ebx,[esi]" would be the same as "mov ebx,esi"; is this your intention?
LEA
And you may need to push and pop the flags registry, because of the compare.
thirst for knowledge Cheater Reputation: 0
Joined: 15 Jan 2014 Posts: 28 Location: Russia
Posted: Wed Jan 10, 2018 4:33 am Post subject: |
TheyCallMeTim13 wrote:
    Code looks mostly OK.
    But the "lea ebx,[esi]" would be the same as "mov ebx,esi"; is this your intention?
    LEA
    And you may need to push and pop the flags registry, because of the compare.
Yes, this is my intention, to push and pop the flags registry. How do I do it?
I get an error when I take the ESI register for the comparison. How can I fix it?
OldCheatEngineUser Whateven rank Reputation: 20
Joined: 01 Feb 2016 Posts: 1587
Posted: Wed Jan 10, 2018 5:20 am Post subject: |
Code:
    pushfd // pushes all eflags (32-bit) registers
Code:
    popfd // pops all eflags (32-bit) registers
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote: i am a sweetheart.
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Wed Jan 10, 2018 5:41 am Post subject: |
But why use "Load Effective Address" and push and pop the registry when it will be the same value as "ESI", may I ask?
EDIT:
Code:
    newmem:
    code:
    pushfd
    cmp [esi+1b8],0
    jne @f
    mov [esp+30],0 //<<Here is the value I need, which I need to change to 0
    @@:
    movss xmm0,[eax+04]
    popfd
    jmp return
    address:
    jmp newmem
    return:
    [DISABLE]
    address:
    db bytes
    // movss xmm0,[eax+04]
    dealloc(newmem)
thirst for knowledge Cheater Reputation: 0
Joined: 15 Jan 2014 Posts: 28 Location: Russia
Posted: Wed Jan 10, 2018 6:22 am Post subject: |
TheyCallMeTim13 wrote:
    But why use "Load Effective Address" and push and pop the registry when it will be the same value as "ESI", may I ask?
    EDIT:
    Code:
        newmem:
        code:
        pushfd
        cmp [esi+1b8],0
        jne @f
        mov [esp+30],0 //<<Here is the value I need, which I need to change to 0
        @@:
        movss xmm0,[eax+04]
        popfd
        jmp return
        address:
        jmp newmem
        return:
        [DISABLE]
        address:
        db bytes
        // movss xmm0,[eax+04]
        dealloc(newmem)
Sorry, I'm still poorly versed in assembler, so I make mistakes. Your option also does not work and gives an error. I expect that if the instruction works with a lot of addresses, then you need to write an additional comparison filter. At the breakpoint you can see that EBX=1.
cmp [eax+140],"default" << Can I use this option?
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Wed Jan 10, 2018 7:02 am Post subject: |
thirst for knowledge wrote:
    ...
    Sorry, I'm still poorly versed in assembler, so I make mistakes. Your option also does not work and gives an error. I expect that if the instruction works with a lot of addresses, then you need to write an additional comparison filter. At the breakpoint you can see that EBX=1.
    cmp [eax+140],"default" << Can I use this option?
If you want to compare "[eax+140]" to the string "default" then just break it up into 4-byte increments (on 32 bit, or 8-byte increments on 64 bit).
So on 32 bit:
Code:
    cmp [eax+140],'defa'
    jne @f
    cmp [eax+144],'ult'0
    jne @f
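Added example (my own C, not code from this thread or from Cheat Engine): the chunked string test TheyCallMeTim13 describes, written as a function so the mechanics are visible. It assumes a 32-bit little-endian target where 'defa' and 'ult'0 stand for the bytes as they lie in memory, splits any pattern into zero-padded 4-byte chunks including the terminating NUL, and bounds the read so the check never runs past the object it inspects.

```c
#include <stdint.h>
#include <string.h>

#define WORD_BYTES 4   /* 32-bit target, as in the thread; 8 on 64-bit */
#define MAX_CHUNKS 8

/* Little-endian load, so the result is independent of the host's byte order. */
static uint32_t load_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Split s, including its terminating NUL, into zero-padded WORD_BYTES chunks
 * in memory order; "default" -> 'defa', 'ult'0. Returns the chunk count. */
static size_t chunk_string(const char *s, uint32_t out[MAX_CHUNKS]) {
    size_t len = strlen(s) + 1, n = 0;   /* NUL included: "default" != "defaults" */
    for (size_t off = 0; off < len && n < MAX_CHUNKS; off += WORD_BYTES, n++) {
        unsigned char buf[WORD_BYTES] = {0};
        size_t take = len - off < WORD_BYTES ? len - off : WORD_BYTES;
        memcpy(buf, s + off, take);
        out[n] = load_le32(buf);
    }
    return n;
}

/* The chained "cmp [p+off],chunk / jne @f" sequence as a function: 1 only if
 * every chunk matches. avail bounds the read so we never run past the object. */
static int matches_chunked(const unsigned char *p, size_t avail, const char *s) {
    uint32_t want[MAX_CHUNKS];
    size_t n = chunk_string(s, want);
    if (avail < n * WORD_BYTES) return 0;
    for (size_t i = 0; i < n; i++)
        if (load_le32(p + i * WORD_BYTES) != want[i]) return 0;  /* jne @f */
    return 1;
}

/* Demonstration helpers: a constructed 16-byte object holding `field`. */
static int demo_match(const char *field, const char *pattern) {
    unsigned char obj[16] = {0};            /* constructed sample object */
    strncpy((char *)obj, field, sizeof obj - 1);
    return matches_chunked(obj, sizeof obj, pattern);
}
static uint32_t demo_chunk(const char *s, size_t i) {
    uint32_t c[MAX_CHUNKS] = {0};
    return i < chunk_string(s, c) ? c[i] : 0;
}
```

The two chunk constants for "default" come out as 0x61666564 and 0x00746c75, and a field holding "defaults" fails the second compare because of the NUL that 'ult'0 carries.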
thirst for knowledge Cheater Reputation: 0
Joined: 15 Jan 2014 Posts: 28 Location: Russia
Posted: Wed Jan 10, 2018 7:16 am Post subject: TheyCallMeTim13 |
With this option the game does not produce an error so far:
cmp [eax+140],"default"
jne @f
cmp ebx,1
jne @f
mov [esp+30],(float)0
@@:
subss xmm0,[ecx]
movss [eax],xmm0
jmp return
But I still want to understand why there is an error when I use the ESI register, and why there is an error with pushfd and popfd.
OldCheatEngineUser Whateven rank Reputation: 20
Joined: 01 Feb 2016 Posts: 1587
Posted: Wed Jan 10, 2018 7:24 am Post subject: |
Debug your code to catch the error.
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Wed Jan 10, 2018 7:33 am Post subject: |
Well, the push and pop of the flags is because you may be in between a compare that sets the flags and a conditional jump that checks the flags.
But the rest you will just have to debug the code to find out.
You can set conditional break points to help.
thirst for knowledge Cheater Reputation: 0
Joined: 15 Jan 2014 Posts: 28 Location: Russia
Posted: Wed Jan 10, 2018 7:34 am Post subject: OldCheatEngineUser |
How do I debug the code if I get an error right after the script is activated? The instruction works on access.
How do I write a value on the stack if it does not work on instructions that work for writing?
Here is an example:
//
fstp dword ptr [eax]
cmp ebp,08
jmp return
"mov [esp+30],(float)0" << How can I write it down here so that it would be handled by the instruction?
If I put access instructions on the dynamic address on the stack, can I get that from this?
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Wed Jan 10, 2018 7:46 am Post subject: |
Quote:
    How do I debug the code if I get an error right after the script is activated?
Set a break point before the injection point, then inject and step through the code.
And the rest sounds like you are trying to write to the value before it is written to, and thus it gets over-written.
And if this is a One Hit Kill cheat then you may need to set the value just above zero.
OldCheatEngineUser Whateven rank Reputation: 20
Joined: 01 Feb 2016 Posts: 1587
Posted: Wed Jan 10, 2018 7:48 am Post subject: |
thirst for knowledge wrote:
    How do I debug the code if I get an error right after the script is activated?
Place a break-point on the instruction before you activate the script.
thirst for knowledge wrote:
    The instruction works on access.
There is a limitation for complex games, where different code segments may access the address for multiple reasons.
I would recommend debugging the original code before activating the script (just a couple of instructions) and seeing how things behave (conditions, flags), then building your code in a way that doesn't corrupt the original function.
Otherwise go for the simplest way: hook the instruction that writes to your address.
One more thing: try to explain your code and what's this and that, so others can help or at least have a clue about what's going on.
thirst for knowledge Cheater Reputation: 0
Joined: 15 Jan 2014 Posts: 28 Location: Russia
Posted: Wed Jan 10, 2018 8:17 am Post subject: TheyCallMeTim13 and OldCheatEngineUser |
This instruction works not only with game resources but also with the architecture of the game as a whole. In the stack of this instruction are the prices of troops and resources. The problem is that I tried to debug the code, but it goes into an endless loop right after the breakpoint activation. I think it can't be done to make the instruction work for me, unless I reach it through other instructions.
Csimbi I post too much Reputation: 94
Joined: 14 Jul 2007 Posts: 3110
Posted: Thu Jan 11, 2018 12:22 pm Post subject: |
Instead of debugging, I suggest you run a trace.
You can check everything, even if it crashes.
Good luck!