Cheat Engine

shakib187

My English kind of sucks so bear with me,

There is this instruction movss esi+02,xmm1

But whenever I try to add 1 to it([esi+2]) it adds one to my health mana,attack speed etc because that instruction controls multiple things.

Without using pointerscan is there a way to only edit my attack speed without touching my health mana etc

pox911 · Posted: Sat Jun 22, 2013 10:09 pm Post subject:

There are a few diffrent routes you can go. One would be look for differeint functions that use that address and only that one. The other way is to setup a compare so that only on the attack address will it do something. The other option is to find another section of data that is close to your address that will only be focussed on you.

For example say you have a game where you want to get your position data but the calls all reference to poss by any living unit. In said game say you are the only character with a lives counter that happens to be 18 bytes below pos. You could find a function that constantly accesses the life counter and just do a -18 bytes to the pointer to get only your poss data.

Compares are a little harder depending on the game. In my example the life counter could be used as your compare on the position function to make sure that you are getting only the player pos.

Not the best examples but its the best i could think of given your problem. >.> compares are the only reason i still havent gotten god mode in anomoly 2.

shakib187 · Posted: Sat Jun 22, 2013 11:07 pm Post subject:

Thanks for the reply pox, there are no addresses that access only attack speed Sad

Can you give me an example of the second option you mentioned? I didn't understand it lol

And I cant compare because everything changes from (float)1 to below/above but it always starts at 1 so its very hard to make a compare without messing up the life(I think)

Because When I try to do

CMP [esi+2],(float)1
jne original code
mov [esi+2],(float)999

original code:
movss [esi+2],xmm1

the result still doesn't change and modify everything :\

actually I don't even think my code is correct..

Dark Byte · Posted: Sun Jun 23, 2013 3:46 am Post subject:

Alternatively, find out what addresses access movss [esi+02],xmm1 and see if you can find a way to distinguish between your target address and what you need.
The registers and stack may be useful
For the stack i recommend the dissect data or structure spider in combination of a shadow copy.
Tip: in the stackview window rightclick and choose lock and open structure dissect on two different stacks for comparison

If you wish to use the spider rightclick the first address in dissect data and choose spider, but also note the locked address, since you need that for the secondary "compare to" column

shakib187 · Posted: Sun Jun 23, 2013 1:51 pm Post subject:

code still isn't working after comparison the esi+38 changes if its attack speed health or etc

movss [esi+02],xmm1
cmp [esi+38],(float)0.007826805115
je friendly
jmp originalcode

originalcode:
movss [esi+02],xmm1

friendly:
mov [esi+02],(float)9999
jmp returnhere

TsTg · Posted: Mon Jun 24, 2013 6:33 pm Post subject:

did you check the register states for every address accessed by the instruction ??, for example: a value of EAX would equal to 1 if accessing health, or 2 for mana, etc.

shakib187 · Posted: Thu Jun 27, 2013 5:22 pm Post subject:

I checked register states for every address, its 4200 for eax everytime its in attack speed but it still didnt work.

Read geris tutorial that explains encryption and tried to break point my address but it didnt work. And now I cant find the exact location of where my address is being edited because there are almost no ret's inside the code. By the way what use is it checking the stack? to know how many times to go back? I got a bunch of stack addresses in esp and the 4th one esp-0C controls my attack speed value along with others but I dont have a clue on what to do with this.. I tried to see if the address changed but nothing happened lol

++METHOS · Posted: Thu Jun 27, 2013 5:29 pm Post subject:

shakib187 · Posted: Thu Jun 27, 2013 5:38 pm Post subject:

yeah no instruction sorry

++METHOS · Posted: Thu Jun 27, 2013 6:03 pm Post subject:

Have you checked all of the addresses that the instruction accesses, to see if one of them controls the attack speed?

pellik · Posted: Fri Jun 28, 2013 5:32 pm Post subject:

TsTg · Posted: Fri Jun 28, 2013 8:15 pm Post subject:

@shakib187, how about the other registers?, ebx,ecx,edx,etc....

And for the debugging, try using VEH debugger with INT3 breakpoints, or try page exception breakpoints (Cheat Engine v6.3)

shakib187 · Posted: Mon Jul 01, 2013 9:54 pm Post subject:

The registers are different but I am getting confused about writing the code, because I keep getting the idea that I am writing to a whole lot of things instead of one just by using the cmp.

If I edit [esi+2], it changes for all instance instead of one even with a cmp, I am getting super confused about this

If eax is always 00000009 when its the attack speed would the code:

cmp eax,00000009
je attackspeed

attackspeed:
mov [esi+02],(float)999

..Would this code work? it does not work and I keep getting the feeling that I edit everything instead of just the attack speed by moving into esi+2