Cheat Engine The Official Site of Cheat Engine
mgr.inz.Player (I post too much; Reputation: 218; Joined: 07 Nov 2008; Posts: 4438; Location: In the country on the Vistula. UTC+01:00)
Posted: Fri Jul 19, 2013 8:27 am
DaSpamer wrote: [x]+[y]+[Z] = 23.30.
Nope.
SPEED = SQRT(X*X + Y*Y + Z*Z)
So it is neither 27.30 nor 23.30; it is 25.0816666.....
(X = 25.00, Y = -2.00, Z = 0.30)
(btw, my keyboard is damaged, so typos can occur)
@shadowpt
That will be (pseudo-code):
Code:
nX = x+dX*multiplier
nY = y+dY*multiplier
nZ = z+dZ*multiplier
NEWSPEED = SQRT(nX*nX + nY*nY + nZ*nZ)
if NEWSPEED > limit then
    do nothing
else
    dX := dX*multiplier
    dY := dY*multiplier
    dZ := dZ*multiplier
end
Quote: This is going to be challenging
Not at all. My script
http://forum.cheatengine.org/viewtopic.php?p=5485103#5485103
is almost finished. It works for all axes, etc. Yes, it doesn't have limits; I planned to add the limitation later.
Then I gave you this (30,34,38 as previously, and 40,44,48):
http://forum.cheatengine.org/viewtopic.php?p=5485144#5485144
You wrote back: "all the vehicles spazz". Still, I didn't add the limitation; I focused on other things....
I asked you to test it more: "find out what addresses this ...." on movss xmm0,[eax+30]
I was almost sure that all the opcodes you found are used for other objects too. I asked you to dig more; your answer is here:
http://forum.cheatengine.org/viewtopic.php?p=5485189#5485189
Then you wrote this:
http://forum.cheatengine.org/viewtopic.php?p=5485210#5485210
Code:
D0 D4 D8 - Axis velocity (NS, WE, UD)
(...)
E0 E4 E8 - Vehicle tilts
D0 D4 D8 is accessed by [eax+30] [eax+34] [eax+38]
E0 E4 E8 is accessed by [eax+40] [eax+44] [eax+48]
Now I know that we can skip changing tilts (but "driving" may be awkward).
DaSpamer's scripts are wrong, because they don't take deltas (speed delta for every axis, delta vector, acceleration vector, it doesn't matter what we call it) into account. Yes, you learned something from them (about comparing floating point values, the 'easy naive comparing' way). Don't get me wrong: the naive way is good for making cheats like godmode or stamina (the floating point value is between 0 and some positive value). If the value is between -something and +something, we have to use the FPU (fcom ST(X)) or SSE (xmmX registers: cmpss, comiss or ucomiss).
You say you have pointers. You mean a "cheat engine multilevel pointer"? Post it here, this way:
...[[[modulename+moduleoffset]+offset1]+offset2]+offset3....
You can change modulename to something else if you don't want to tell which game this is; just give the pointer base address instead of modulename+moduleoffset.
Note: offset1 is the first pointer offset, offset3 is the last. (Inside the add address/change address window, the last offset is at the top.)
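The point about the 'easy naive comparing' way versus fcom/comiss deserves a concrete check. The following is an added example (not code from the thread): it shows, on the thread's own velocity components 25.00, -2.00 and 0.30, that an unsigned dword compare of the raw float bits is only sound while both values are non-negative, and what a sign-aware compare in the integer domain has to do to match the numeric order the FPU/SSE compares give. The helper names are my own.

```python
"""Comparing floats read from game memory: the 'easy naive' dword compare
versus a sign-aware compare (the order fcom / comiss / ucomiss compute)."""
import struct


def f32_bits(x):
    """IEEE-754 single bit pattern of x as an unsigned dword, i.e. what a
    `cmp [address],imm32` in an AA script actually looks at."""
    return struct.unpack("<I", struct.pack("<f", x))[0]


def naive_less(a, b):
    """Unsigned compare of the raw dwords. Sound only while both values are
    >= +0.0: with the sign bit clear, the bit pattern grows with the value."""
    return f32_bits(a) < f32_bits(b)


def float_less(a, b):
    """Numeric order, sign included, still computed on the raw dwords: a set
    sign bit means 'bigger pattern = smaller number', so flip the magnitude
    bits of negatives to get one monotonic signed key. -0.0 maps to 0 so it
    compares equal to +0.0 as comiss would; NaN is not handled here."""
    def key(x):
        s = struct.unpack("<i", struct.pack("<f", x))[0]   # same bits, signed
        if s == -0x80000000:                                # -0.0
            return 0
        return s ^ 0x7FFFFFFF if s < 0 else s
    return key(a) < key(b)


def naive_compare_failures(samples):
    """(a, b) pairs on which the naive compare disagrees with the true float
    order. Empty for any sample set that is entirely non-negative, which is
    why the naive way is fine for godmode/stamina-style values."""
    return [(a, b) for a in samples for b in samples
            if naive_less(a, b) != (a < b)]


if __name__ == "__main__":
    # Velocity components from the thread; -2.00 is the one that breaks it.
    print(naive_compare_failures([25.00, -2.00, 0.30]))
```

Any value that can dip below zero (a velocity axis, a delta) needs the sign-aware path; in an AA script that means comiss/ucomiss on an xmm register or fcom on the FPU stack rather than an integer cmp.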
shadowpt (Advanced Cheater; Reputation: 0; Joined: 04 Jun 2011; Posts: 82)
Posted: Fri Jul 19, 2013 11:24 am
Wow, I feel so stupid now...
Why do you use the sqrt of the sum of squares? I thought the final vector was found by the sum of all 3 (2 in the case of 2 dimensions) vector components.
Yeah, not changing eax+40, 44 and 48 won't matter much; the goal is the speed at 30, 34 and 38, like you said.
And yes, CE mlp (offsets in order of reading, left is offset 1, right is offset 4):
Code:
"Game.exe"+02A6F758 ; + ac + 3d8 + 0 + 90 <- N / S
"Game.exe"+02A6F758 ; + ac + 3d8 + 0 + 94 <- U / D
"Game.exe"+02A6F758 ; + ac + 3d8 + 0 + 98 <- W / E
And in the format you requested:
Code:
[[[[["Game.exe"+02A6F758]+ac]+3d8]+0]+90]
[[[[["Game.exe"+02A6F758]+ac]+3d8]+0]+94]
[[[[["Game.exe"+02A6F758]+ac]+3d8]+0]+98]
mgr.inz.Player
Posted: Fri Jul 19, 2013 11:46 am
Quote: And in the format you requested
This format is an "official format" on the CE forum.
Btw.
[[modulename+moduleoffset]+50]+60 - address
[[[modulename+moduleoffset]+50]+60] - value stored at address
OK. We can use those to filter out other addresses (other structures, other objects, vehicles).
I don't like to use pointers for that, because it almost always crashes if the pointer isn't stable. Of course, we can try....
https://en.wikipedia.org/wiki/Euclidean_vector#Length
shadowpt
Posted: Fri Jul 19, 2013 11:55 am
I wasn't aware of the official format, pardon me for that.
And those pointers have been stable since I found them; they are always there pointing to the right address every time I am using a vehicle.
I'm glad they can be used to filter the other addresses, although I do not know how.
Also there is a twist: those are (how can I say this...) unique velocity addresses, the addresses that are present in any vehicle that I use.
But some vehicles carry more addresses if they are bigger and others fewer if they are smaller.
For example: a car only has 3 velocity addresses for each of NS, UD and WE, but a tank has 6 for each. These addresses are always coupled together. (I suspect that they are related to parts of the vehicle model which are responsible for physics effects, i.e. a tank hits a wall but its turret moves further due to kinetic energy, etc.)
But that is not very important for now, since the main address is sufficient as a starting point for all this adventure.
mgr.inz.Player
Posted: Fri Jul 19, 2013 12:25 pm
shadowpt wrote: And those pointers have been stable since I found them, they are always there pointing to the right address every time I am using a vehicle.
Great, the pointer is stable in general (macro).
But what about micro (a very short period of time)?
What happens when you
- leave the vehicle,
- are a passenger?
Can you launch the game in window mode? If yes, go to CE settings, general settings, find "address list update interval", and change it to 1. Place the CE window so you can see the "N / S" pointer (especially the address and value columns), go to the game and use a vehicle, leave the vehicle, change map, go to the main menu.
What do you see? Do the 'address' columns change very fast while entering the vehicle? Is the value ?? while in the main menu?
Example: if the piece of code we hooked is called very often, like 300Hz (300 times per second), and we use a pointer which is good 999 times out of 1'000, our AA script can crash the game after ~3.33 seconds.
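The address/value distinction from the earlier post ([[..]+50]+60 is an address, [[[..]+50]+60] is the value at it) and the stability question here come down to the same walk over memory. The following is an added example, not code from the thread: it resolves the thread's multilevel pointer "Game.exe"+02A6F758 ; + ac + 3d8 + 0 + 90 over a constructed 32-bit memory image, once naively and once with a null check after every load (the pattern an AA script uses with test/jz), and shows which failure each version survives. The image base 0x00400000, the intermediate pointer values, and the choice that it is the static pointer that reads 00000000 in the menu are all assumptions; the crash-budget arithmetic is the post's own 300 Hz / 999-in-1000 figure.

```python
"""Walking a CE multilevel pointer ([[[["Game.exe"+02A6F758]+ac]+3d8]+0]+90)
over a constructed memory image, guarded and unguarded, plus the crash budget
for a pointer that is only 'almost always' valid."""
import struct

GAME_EXE = 0x00400000                   # assumed image base for this constructed image
STATIC = GAME_EXE + 0x02A6F758          # "Game.exe"+02A6F758 from the thread
OFFSETS = [0xAC, 0x3D8, 0x0, 0x90]      # + ac + 3d8 + 0 + 90  -> N/S velocity
HOOK_READ_OFFSET = 0x30                 # the hooked code reads [eax+30]


class AccessViolation(Exception):
    """Stands in for the fault the game takes when a script reads a bad pointer."""


def f32(x):
    """A float as the raw dword it occupies in memory."""
    return struct.unpack("<I", struct.pack("<f", x))[0]


def read_dword(mem, addr):
    """mem maps addresses to dword values; any other address is unmapped."""
    if addr not in mem:
        raise AccessViolation(f"read of unmapped {addr:08X}")
    return mem[addr]


def resolve_unguarded(mem, base, offsets):
    """Naive walk: dereference every level, then add the last offset.
    The result is an ADDRESS; read_dword() of it is the VALUE."""
    p = read_dword(mem, base)
    for off in offsets[:-1]:
        p = read_dword(mem, p + off)
    return p + offsets[-1]


def resolve_guarded(mem, base, offsets):
    """Same walk with a `test ebx,ebx / jz skip` after every load: a 0 link
    means 'no vehicle', so return None instead of reading [0+off]."""
    p = read_dword(mem, base)
    for off in offsets[:-1]:
        if p == 0:
            return None
        p = read_dword(mem, p + off)
    return None if p == 0 else p + offsets[-1]


def is_hooked_vehicle(mem, eax):
    """Filter: the object in eax is ours iff the chain lands on eax+30."""
    addr = resolve_guarded(mem, STATIC, OFFSETS)
    return addr is not None and addr == eax + HOOK_READ_OFFSET


def build_memory(state):
    """Constructed 32-bit image. 'in_vehicle': full chain; 'main_menu': the
    static pointer is 00000000 (assumed); 'stale': a middle link is non-null
    but no longer mapped, i.e. the pointer is not stable."""
    p1, p2, p3, obj = 0x0A001000, 0x0B002000, 0x0C003000, 0x0D004000
    mem = {STATIC: p1, p1 + 0xAC: p2, p2 + 0x3D8: p3, p3 + 0x0: obj,
           obj + 0x90: f32(25.0), obj + 0x94: f32(-2.0), obj + 0x98: f32(0.30)}
    if state == "main_menu":
        mem[STATIC] = 0
    elif state == "stale":
        mem[p2 + 0x3D8] = 0x0C00DEAD     # freed object, still referenced
    return mem


def faults(fn, *args):
    """True if fn(*args) would have crashed the game."""
    try:
        fn(*args)
        return False
    except AccessViolation:
        return True


def expected_seconds_to_crash(calls_per_second, bad_fraction):
    """Hooked code running calls_per_second times a second, with bad_fraction
    of calls seeing a bad pointer, survives on average 1/(rate*p) seconds:
    300 Hz and 1 bad in 1000 gives about 3.33 s."""
    return 1.0 / (calls_per_second * bad_fraction)
```

The null guards make the menu case safe, but a dangling (non-null, unmapped) link still faults in both versions; that is why a stable pointer matters more than the guards, and why the expected time to the first bad call is so short at physics-tick rates.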
shadowpt
Posted: Fri Jul 19, 2013 12:37 pm
Nope, the address columns never change once I spawn a vehicle. I tried all you asked and there was no change.
And a few additional notes:
- If I change map I lose my vehicle.
- If I exit the vehicle I can still control it like an RC car, using CE of course.
- If my vehicle is beyond the map rendering range then I cannot control it (basically, once this happens the game is telling me that the vehicle does not exist anymore, until it enters my rendering range again).
So does this mean that it is also stable in micro?
EDIT: It's as if once the vehicle is spawned and within range I can control it however I want with CE, even if I am not in the driver seat.
mgr.inz.Player
Posted: Fri Jul 19, 2013 12:42 pm
OK, last question. If you are in the main menu, does the pointer just point to 00000000?
And just after the map is loaded, does it still point to 00000000?
shadowpt
Posted: Fri Jul 19, 2013 12:45 pm
mgr.inz.Player wrote: OK, last question. If you are in main menu, pointer just points to 00000000? And just after map is loaded, it still points to 00000000 ?
If I am in the main menu and I have a vehicle that belongs to me then it still points to the correct address (not 00000000).
After the map is loaded I have no vehicle, so it points to 00000000.
mgr.inz.Player
Posted: Fri Jul 19, 2013 1:00 pm
I meant: in the main menu just after you launch the game, not the options/pause/inventory menu.
Never mind. I can try to make another AA script, today or tomorrow. I think I'll use the FPU.
shadowpt
Posted: Fri Jul 19, 2013 1:06 pm
Oh, I understand where you are trying to get: you want to see if it targets any other address that might cause a conflict when being modified.
The answer is the same: from game launch till I get in it, it always points to 00000000.
mgr.inz.Player
Posted: Fri Jul 19, 2013 3:38 pm
OK, see you tomorrow.
mgr.inz.Player
Posted: Sat Jul 20, 2013 5:21 pm
Of course, there can be a typo, etc.
Test it. You can edit lines 12, 15 and 20.
Code:
[ENABLE]
alloc(UserValues,1024)
alloc(hack,1024)
label(retHere)
label(multiplyBy)
label(skip)
label(doNothing)
label(speedLimit)

UserValues:
multiplyBy:
dd (float)1.10 // speed multiplier
speedLimit:
dd (float)150.0 // speed limit

hack:
push ebx
mov ebx,[Game.exe+02A6F758]
test ebx,ebx
jz skip
mov ebx,[ebx+AC]
test ebx,ebx
jz skip
mov ebx,[ebx+3D8]
test ebx,ebx
jz skip
mov ebx,[ebx+0]
test ebx,ebx
jz skip
lea ebx,[ebx+60] // we compare ebx+90 with eax+30, we can compare ebx+60 with eax as well
test ebx,ebx
jz skip
cmp eax,ebx
jne skip // not our vehicle
sub esp,20 // prepare space
movdqu [esp],xmm1 // store xmm1
movdqu [esp+10],xmm2 // store xmm2
// now we can use xmm0,xmm1 and xmm2
movss xmm0,[multiplyBy] // get multiply factor
shufps xmm0,xmm0,00
movups xmm1,[esi+00000094] // get current delta vector
mulps xmm0,xmm1 // multiply delta vector by user value
// xmm0 keeps buffed delta vector
movups xmm1,[eax+30] // get current speed vector
mulps xmm1,xmm1 // compute squares
movss xmm2,xmm1 // \
shufps xmm1,xmm1,09 // \
addss xmm2,xmm1 // calculate vector length
shufps xmm1,xmm1,09 // /
addss xmm2,xmm1 // /
sqrtss xmm2,xmm2 ///
movlhps xmm2,xmm2 // store in high
// xmm2 (high) keeps original scalar speed
movups xmm1,[eax+30] // get current speed vector
addps xmm1,xmm0 // and add buffed delta vector
mulps xmm1,xmm1 // compute squares
movss xmm2,xmm1 // \
shufps xmm1,xmm1,09 // \
addss xmm2,xmm1 // calculate vector length
shufps xmm1,xmm1,09 // /
addss xmm2,xmm1 // /
sqrtss xmm1,xmm2 ///
movhlps xmm2,xmm2
// xmm1 (low) keeps buffed scalar speed
// xmm2 (low) keeps original scalar speed
comiss xmm1,xmm2 // compare new buffed speed with original speed
jb doNothing // if buffed is smaller, vehicle is slowing down. Do normally - do nothing!
comiss xmm1,[speedLimit] // compare with limit
ja doNothing
movq [esi+00000094],xmm0 // store new delta
movhlps xmm0,xmm0
movss [esi+0000009C],xmm0
doNothing:
movdqu xmm1,[esp] // restore xmm1
movdqu xmm2,[esp+10] // restore xmm2
add esp,20
skip:
pop ebx
movss xmm0,[eax+30] //original code
jmp retHere

Phys_x86.dll+1D7C55:
jmp hack
retHere:

[DISABLE]
Phys_x86.dll+1D7C55:
db F3 0F 10 40 30
dealloc(hack)
dealloc(UserValues)
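The per-tick decision the script above makes (and the pseudo-code from the first post, which only had the limit check) is easier to reason about as a small reference model. The following is an added example, not code from the thread or from Cheat Engine: it computes the buffed delta, the vehicle's current and would-be speed as the Euclidean length of the velocity vector, and commits the buffed delta only under the script's two conditions (comiss/jb: not slowing down, comiss/ja: not above the limit). The game's own update is modelled as vel += delta per axis, as the listing's movss/addss/movss sequence does. Function names and sample values are my own; the velocity (25.0, -2.0, 0.30), the multiplier 1.10 and the limit 150.0 are the thread's.

```python
"""Reference model of the decision the AA script makes on every physics tick:
scale the per-axis delta, but only commit it when the vehicle is speeding up
and the resulting speed stays within the cap."""
import math


def length(v):
    """Speed is the Euclidean length of the velocity vector, not the sum of axes."""
    return math.sqrt(sum(c * c for c in v))


def scale_delta(vel, delta, multiplier, limit):
    """Returns (delta_to_store, applied). Mirrors the script's two comiss
    checks: `jb doNothing` when the buffed speed is below the current one
    (braking, or an unordered/NaN compare, which also sets CF), and
    `ja doNothing` when it is strictly above the limit."""
    buffed = tuple(d * multiplier for d in delta)
    old_speed = length(vel)
    new_speed = length(tuple(v + b for v, b in zip(vel, buffed)))
    if math.isnan(new_speed) or new_speed < old_speed:
        return delta, False
    if new_speed > limit:
        return delta, False
    return buffed, True


def game_step(vel, delta):
    """The original code path: movss/addss/movss per axis, i.e. vel += delta."""
    return tuple(v + d for v, d in zip(vel, delta))


def simulate(vel, delta, multiplier, limit, ticks):
    """Hook in place for `ticks` updates; returns the speed after each tick.
    The cap bounds the buff only: once it is reached, doNothing falls through
    to the original code and the game's own delta still gets added."""
    trace = []
    for _ in range(ticks):
        stored, _applied = scale_delta(vel, delta, multiplier, limit)
        vel = game_step(vel, stored)
        trace.append(round(length(vel), 6))
    return trace


if __name__ == "__main__":
    print(length((25.0, -2.0, 0.30)))                       # the 25.0816... from the thread
    print(simulate((0.0, 0.0, 0.0), (1.0, 0.0, 0.0), 2.0, 10.0, 7))
```

The simulate() trace makes one property of the script visible: the limit stops the multiplier from being applied, but the unmodified delta still flows into the velocity, so speed can creep past the cap at the game's normal acceleration.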
shadowpt
Posted: Sat Jul 20, 2013 5:55 pm
That is amazing!
I just tried it and it crashes the game, and I did replace the game.exe with the correct one.
I am not one to know this or to comment on the amazing coding you provided, but it seems that it is affecting the opcodes that handle the deltas and the addss opcodes, but not the opcodes that handle the velocity, which are
Code:
movss [eax+30],xmm0
movss [eax+34],xmm0
movss [eax+38],xmm0
And just for the sake of organization I will paste the entire function again here in case it's necessary:
Code:
je Phys_x86.dll+1D7CB4
mov eax,[esi+40]
movss xmm0,[eax+30]
addss xmm0,[esi+00000094]
movss [eax+30],xmm0 <- This writes to the velocity pointer address that I have (NS)
movss xmm0,[esi+00000098]
addss xmm0,[eax+34]
movss [eax+34],xmm0 <- This writes to the velocity pointer address that I have (UD)
movss xmm0,[esi+0000009C]
addss xmm0,[eax+38]
movss [eax+38],xmm0 <- This writes to the velocity pointer address that I have (WE)
movss xmm0,[esi+000000A0]
addss xmm0,[eax+40]
movss [eax+40],xmm0
movss xmm0,[esi+000000A4]
addss xmm0,[eax+44]
movss [eax+44],xmm0
movss xmm0,[esi+000000A8]
addss xmm0,[eax+48]
movss [eax+48],xmm0
push 30
I have been trying to come up with the script for myself too, but... I am literally a noob; I am not aware of 99% of the opcodes that I can use and/or what each one does, so I didn't get far.
EDIT: I have followed the jump once the script is activated (following a game crash) and this leads to what I assume to be the script function (game.exe has been edited here by my hand):
Code:
push ebx
mov ebx,[Game.exe+2A6F758]
test ebx,ebx
je 071E04EA
mov ebx,[ebx+000000AC]
test ebx,ebx
je 071E04EA
mov ebx,[ebx+000003D8]
test ebx,ebx
je 071E04EA
mov ebx,[ebx]
test ebx,ebx
je 071E04EA
lea ebx,[ebx+60]
test ebx,ebx
je 071E04EA
cmp eax,ebx
jne 071E04EA
sub esp,20
movdqu [esp],xmm1
movdqu [esp+10],xmm2
movss xmm0,[071E0000] : [3F8CCCCD]
shufps xmm0,xmm0,00
movups xmm1,[esi+00000094]
mulps xmm0,xmm1
movups xmm1,[eax+30]
mulps xmm1,xmm1
movss xmm2,xmm1
shufps xmm1,xmm1,09
addss xmm2,xmm1
shufps xmm1,xmm1,09
addss xmm2,xmm1
sqrtss xmm2,xmm2
lldt dx
movups xmm1,[eax+30]
addps xmm1,xmm0
mulps xmm1,xmm1
movss xmm2,xmm1
shufps xmm1,xmm1,09
addss xmm2,xmm1
shufps xmm1,xmm1,09
addss xmm2,xmm1
sqrtss xmm1,xmm2
movlps xmm2,xmm2
comiss xmm1,xmm2
jb 071E04DC
comiss xmm1,[071E0004] : [(float)150.0000]
ja 071E04DC
movq [esi+00000094],xmm0
movlps xmm0,xmm0
movss [esi+0000009C],xmm0
movdqu xmm1,[esp]
movdqu xmm2,[esp+10]
add esp,20
pop ebx
movss xmm0,[eax+30]
jmp Phys_x86.dll+1D7C5A
And this is the game function once the script is activated
Code:
je Phys_x86.dll+1D7CB4
mov eax,[esi+40]
movss xmm0,[eax+30]
addss xmm0,[esi+00000094]
jmp 071E0400 <- This is the line being replaced
movss xmm0,[esi+00000098]
addss xmm0,[eax+34]
movss [eax+34],xmm0
movss xmm0,[esi+0000009C]
addss xmm0,[eax+38]
movss [eax+38],xmm0
movss xmm0,[esi+000000A0]
addss xmm0,[eax+40]
movss [eax+40],xmm0
movss xmm0,[esi+000000A4]
addss xmm0,[eax+44]
movss [eax+44],xmm0
movss xmm0,[esi+000000A8]
addss xmm0,[eax+48]
movss [eax+48],xmm0
push 30
In case you want to check if it is injecting correctly (if that is the correct term).
PS: I don't know if it is supposed to work this way, but the script replaces
movss [eax+30],xmm0
while in the script the "//original code" line is
movss xmm0,[eax+30]
I just changed the address to the one pointing to movss xmm0,[eax+30], but it still didn't work; the game crashes once I activate the script. The address for movss xmm0,[eax+30] is Phys_x86.dll+1D7C48.
Function with all the data that I can get:
Code:
Phys_x86.dll+1D7C43 - 74 6F                - je Phys_x86.dll+1D7CB4
Phys_x86.dll+1D7C45 - 8B 46 40             - mov eax,[esi+40]
Phys_x86.dll+1D7C48 - F3 0F10 40 30        - movss xmm0,[eax+30]
Phys_x86.dll+1D7C4D - F3 0F58 86 94000000  - addss xmm0,[esi+00000094]
Phys_x86.dll+1D7C55 - F3 0F11 40 30        - movss [eax+30],xmm0
Phys_x86.dll+1D7C5A - F3 0F10 86 98000000  - movss xmm0,[esi+00000098]
Phys_x86.dll+1D7C62 - F3 0F58 40 34        - addss xmm0,[eax+34]
Phys_x86.dll+1D7C67 - F3 0F11 40 34        - movss [eax+34],xmm0
Phys_x86.dll+1D7C6C - F3 0F10 86 9C000000  - movss xmm0,[esi+0000009C]
Phys_x86.dll+1D7C74 - F3 0F58 40 38        - addss xmm0,[eax+38]
Phys_x86.dll+1D7C79 - F3 0F11 40 38        - movss [eax+38],xmm0
Phys_x86.dll+1D7C7E - F3 0F10 86 A0000000  - movss xmm0,[esi+000000A0]
Phys_x86.dll+1D7C86 - F3 0F58 40 40        - addss xmm0,[eax+40]
Phys_x86.dll+1D7C8B - F3 0F11 40 40        - movss [eax+40],xmm0
Phys_x86.dll+1D7C90 - F3 0F10 86 A4000000  - movss xmm0,[esi+000000A4]
Phys_x86.dll+1D7C98 - F3 0F58 40 44        - addss xmm0,[eax+44]
Phys_x86.dll+1D7C9D - F3 0F11 40 44        - movss [eax+44],xmm0
Phys_x86.dll+1D7CA2 - F3 0F10 86 A8000000  - movss xmm0,[esi+000000A8]
Phys_x86.dll+1D7CAA - F3 0F58 40 48        - addss xmm0,[eax+48]
Phys_x86.dll+1D7CAF - F3 0F11 40 48        - movss [eax+48],xmm0
Phys_x86.dll+1D7CB4 - 6A 30                - push 30
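The mismatch spotted in this post (the script hooks Phys_x86.dll+1D7C55 and restores F3 0F 10 40 30 on disable, while the listing shows F3 0F 11 40 30, the store, at that address) is exactly what a pre-injection check should catch. The following is an added example, not code from the thread or from Cheat Engine: a decoder for only the encodings that appear in the listing above (movss load/store, addss with a [reg+disp] operand, mov r32,[reg+disp], je rel8, push imm8), fed the bytes from that listing, plus a check that a hook address sits on an instruction boundary, that the [DISABLE] bytes equal what is really there, and that a 5-byte jmp does not split an instruction. The base 0x1D7C43 is the listing's own module-relative address; the bytes are copied from the listing; the decoder is deliberately partial and raises on anything else.

```python
"""Minimal x86 decoder for the encodings in the posted listing, plus a
pre-injection check that a CE-style hook address and its [DISABLE] restore
bytes match the instruction that is really there."""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
JMP_REL32_LEN = 5   # size of the 'jmp hack' the AA script writes at the hook

# Bytes from the listing of Phys_x86.dll+1D7C43 .. +1D7CB5 (module-relative).
LISTING_BASE = 0x1D7C43
LISTING = bytes.fromhex(
    "746F" "8B4640"
    "F30F104030" "F30F588694000000" "F30F114030"
    "F30F108698000000" "F30F584034" "F30F114034"
    "F30F10869C000000" "F30F584038" "F30F114038"
    "F30F1086A0000000" "F30F584040" "F30F114040"
    "F30F1086A4000000" "F30F584044" "F30F114044"
    "F30F1086A8000000" "F30F584048" "F30F114048"
    "6A30")


def _modrm(code, pos):
    """Decode ModRM + displacement at code[pos]. Only the forms the listing
    uses: mod=01 (disp8) and mod=10 (disp32) with a plain base register."""
    m = code[pos]
    mod, reg, rm = m >> 6, (m >> 3) & 7, m & 7
    if mod in (0, 3) or rm == 4:            # no SIB, no disp32-only, no reg-reg
        raise NotImplementedError(f"ModRM {m:02X} at +{pos:X} not handled")
    if mod == 1:
        disp, size = struct.unpack_from("<b", code, pos + 1)[0], 2
    else:
        disp, size = struct.unpack_from("<i", code, pos + 1)[0], 5
    sign = "+" if disp >= 0 else "-"
    return reg, f"[{REG32[rm]}{sign}{abs(disp):X}]", size


def decode_one(code, pos, base):
    """(text, length) of the instruction at code[pos], which lives at base+pos."""
    b = code[pos]
    if b == 0xF3 and code[pos + 1] == 0x0F and code[pos + 2] in (0x10, 0x11, 0x58):
        reg, mem, size = _modrm(code, pos + 3)
        xmm = f"xmm{reg}"
        text = {0x10: f"movss {xmm},{mem}",      # F3 0F 10 /r: load scalar single
                0x11: f"movss {mem},{xmm}",      # F3 0F 11 /r: store scalar single
                0x58: f"addss {xmm},{mem}"}[code[pos + 2]]
        return text, 3 + size
    if b == 0x8B:                                # 8B /r: mov r32, r/m32
        reg, mem, size = _modrm(code, pos + 1)
        return f"mov {REG32[reg]},{mem}", 1 + size
    if b == 0x74:                                # 74 cb: je rel8
        rel = struct.unpack_from("<b", code, pos + 1)[0]
        return f"je {base + pos + 2 + rel:X}", 2
    if b == 0x6A:                                # 6A ib: push imm8
        return f"push {code[pos + 1]:X}", 2
    raise NotImplementedError(f"opcode {b:02X} at +{pos:X} not handled")


def disassemble(code, base):
    """Linear sweep; returns [(address, text)] so boundaries can be checked."""
    out, pos = [], 0
    while pos < len(code):
        text, n = decode_one(code, pos, base)
        out.append((base + pos, text))
        pos += n
    return out


def check_hook(code, base, hook_addr, restore_bytes):
    """Pre-flight for an AA hook. Returns (ok, reason)."""
    listing = disassemble(code, base)
    starts = [a for a, _ in listing]
    if hook_addr not in starts:
        return False, f"{hook_addr:X} is not an instruction boundary"
    off = hook_addr - base
    actual = bytes(code[off:off + len(restore_bytes)])
    if actual != bytes(restore_bytes):
        text = listing[starts.index(hook_addr)][1]
        return False, f"restore bytes {restore_bytes.hex()} != actual {actual.hex()} ({text})"
    stolen_end = hook_addr + JMP_REL32_LEN
    if stolen_end not in starts and stolen_end != base + len(code):
        return False, f"jmp would split the instruction at {stolen_end:X}"
    return True, "ok"


if __name__ == "__main__":
    for addr, text in disassemble(LISTING, LISTING_BASE):
        print(f"{addr:X}  {text}")
    print(check_hook(LISTING, LISTING_BASE, 0x1D7C55, bytes.fromhex("F30F104030")))
    print(check_hook(LISTING, LISTING_BASE, 0x1D7C48, bytes.fromhex("F30F104030")))
```

With the bytes from the listing, the check rejects the +1D7C55 hook (the restore bytes describe the load, the address holds the store) and accepts +1D7C48; the same check flags a hook placed mid-instruction, which the 5-byte jmp would otherwise silently corrupt.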
mgr.inz.Player
Posted: Sat Jul 20, 2013 6:39 pm
OK, we will test the pointer only (this script shouldn't change anything).
And of course, replace game.exe.
1:50 AM here, I'm going to sleep.
Code:
[ENABLE]
alloc(testing,1024)
label(retHere)
label(skip)

testing:
push ebx
mov ebx,[Game.exe+02A6F758]
test ebx,ebx
jz skip
mov ebx,[ebx+AC]
test ebx,ebx
jz skip
mov ebx,[ebx+3D8]
test ebx,ebx
jz skip
mov ebx,[ebx+0]
skip:
pop ebx
movss xmm0,[eax+30] //original code
jmp retHere

Phys_x86.dll+1D7C48:
jmp testing
retHere:

[DISABLE]
Phys_x86.dll+1D7C48:
db F3 0F 10 40 30
dealloc(testing)
EDIT: yes, jmp testing
Last edited by mgr.inz.Player on Sun Jul 21, 2013 2:57 am; edited 1 time in total
shadowpt
Posted: Sat Jul 20, 2013 7:04 pm
I modified the "jmp hack" to "jmp testing" because you might have forgotten that one. I can activate and deactivate that script and the game doesn't crash, so the pointer is correct.
Help if you want and when you can; I am in no hurry on this, and you have been a great person helping me this far. We will continue this next time.
I have also run the vector calculations to see which was the correct one, and yours is the correct one: sqrt(x^2 + y^2 + z^2); mine isn't.