Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
[Solved] Problem finding a value
Dlve
Advanced Cheater
Reputation: 0

Joined: 24 Feb 2014
Posts: 54

PostPosted: Sun Apr 13, 2014 2:22 pm    Post subject: Reply with quote

++METHOS wrote:
Two things...either change the update/freeze interval in settings


That requires some heavy-duty updating, I tested 1 ms freeze interval and 100 update interval and it still didn't look too good.

Like I've said, that script with three NOPs works well for me with the highest 4 byte value but messes up the NPCs' serve. With one NOP, using mov and the highest 4 byte value makes the gauge start full and then empty. Just NOP'ing the instruction keeps the gauge empty. If you have suggestions on what to write before/after "mov [esi+254],#1065353216" so that the gauge doesn't get empty, I'd be happy to see it.

Since there seems to be a misunderstanding about how those instructions are being accessed, I'll post a picture. Instructions that write are: fst dword ptr [esi+00000254], fstp dword ptr [esi+00000254], movss [esi+00000254],xmm0, movdqa [edi+50],xmm5 and movss [esi+00000254],xmm0

The instruction I like best is movss xmm0,[edi+00000254] and that's what I've been referring to when I've said that using 4 byte values, I get serves that are below correct maximum speed. Using other 4 byte offsets did not help, and what I said about the values still changing in my last post wasn't true. I don't know what I was looking at.

You might find it curious why I haven't been using fstp dword ptr [esi+00000254]. That's because even when I use it in all the suggested ways, the gauge comes up when I'm getting ready to serve and then it fills up and empties. I need it to do that only when I'm serving.



[Attachment: Instructions.png]


++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

PostPosted: Sun Apr 13, 2014 5:09 pm    Post subject: Reply with quote

Just looking at the instructions, it seems that your value should actually be float or double. Have you tried that?

(decimal) 1065353216 = (float) 1.0

Anyway, I have a feeling that you are doing something wrong...no offense, such as a newbie mistake...and maybe this is the problem. Anyway, to find out what exactly you are doing wrong, it would be easier if I could look myself...but I cannot find the game.

This is probably why the update/freeze interval is not functioning properly for you.
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

PostPosted: Sun Apr 13, 2014 11:31 pm    Post subject: Reply with quote

++METHOS wrote:
Just looking at the instructions, it seems that your value should actually be float or double.
Agreed, except for the double part (the float instructions would use qword instead of dword for doubles).

@Dlve: 2 more scripts you could try (don't use both at the same time):
A freezer at "VT3.exe"+8D89E:
Code:
[ENABLE]
define(FULL_GAUGE,1.0)
alloc(MyCode,100)
//code locations
label(Logger)
label(Logger_Return)
label(GaugeWriter)
label(GaugeWriter_Exit)
label(GaugeWriter_Return)

//variable
label(BaseAddressOfMyVariable)

MyCode:
Logger:
  mov dword [BaseAddressOfMyVariable],eax   //store gauge address-0x254 into BaseAddressOfMyVariable
  movss xmm0,dword [eax+254] //original code
jmp Logger_Return

GaugeWriter:
  fstp dword [esi+254]    //original code
  cmp esi, dword [BaseAddressOfMyVariable]
  jne short GaugeWriter_Exit            //jump if esi is not gauge address-0x254
    mov dword [esi+254],(float)FULL_GAUGE    //overwrite gauge with 1.0
  GaugeWriter_Exit:
jmp GaugeWriter_Return

BaseAddressOfMyVariable:
dd 0


/////////////////////////////////////
"VT3.exe"+1C320C:
jmp Logger
nop
nop
nop
Logger_Return:


"VT3.exe"+8D89E:
jmp GaugeWriter
nop
GaugeWriter_Return:

[DISABLE]
dealloc(MyCode)

"VT3.exe"+1C320C:
movss xmm0,dword [eax+254]


"VT3.exe"+8D89E:
fstp dword [esi+254]


The "VT3.exe"+8D89E freezer+No addition:
Code:
[ENABLE]
define(FULL_GAUGE,1.0)
alloc(MyCode,100)
//code locations
label(Logger)
label(Logger_Return)
label(GaugeWriter)
label(GaugeWriter_Exit)
label(GaugeWriter_Return)
label(NoAddition)
label(NoAddition_Normal)
label(NoAddition_Return)

//variables
label(BaseAddressOfMyVariable)
label(MaxedOutGauge)

MyCode:
Logger:
  mov dword [BaseAddressOfMyVariable],eax   //store gauge address-0x254 into BaseAddressOfMyVariable
  movss xmm0,dword [eax+254] //original code
jmp Logger_Return

GaugeWriter:
  fstp dword [esi+254]    //original code
  cmp esi, dword [BaseAddressOfMyVariable]
  jne short GaugeWriter_Exit            //jump if esi is not gauge address-0x254 (ie:not our gauge)
    mov dword [esi+254],(float)FULL_GAUGE    //overwrite gauge with 1.0
  GaugeWriter_Exit:
jmp GaugeWriter_Return

NoAddition:
  cmp esi, dword [BaseAddressOfMyVariable]
  jne short NoAddition_Normal             //jump if esi is not gauge address-0x254 (ie:not our gauge)
    fstp st(0)                            //discard the float being handled
    fld dword [MaxedOutGauge]                   //and replace it by a full gauge
jmp NoAddition_Return
  NoAddition_Normal:
  fadd dword [esi+254]
jmp NoAddition_Return

BaseAddressOfMyVariable:
dd 0
MaxedOutGauge:
dd (float)FULL_GAUGE


/////////////////////////////////////
"VT3.exe"+1C320C:
jmp Logger
nop
nop
nop
Logger_Return:


"VT3.exe"+8D89E:
jmp GaugeWriter
nop
GaugeWriter_Return:

"VT3.exe"+8d907:
jmp NoAddition
nop
NoAddition_Return:


/////////////////////////////////////
[DISABLE]
dealloc(MyCode)

"VT3.exe"+1C320C:
movss xmm0,dword [eax+254]


"VT3.exe"+8D89E:
fstp dword [esi+254]

"VT3.exe"+8d907:
fadd dword [esi+254]
If they crash the game, check whether I've made a stupid mistake; I don't have your game so I couldn't test them.

Since the instructions I hooked access 2 addresses (probably the opponent's gauge too), I used my own way to differentiate before noticing you had already used cmp [esi+0],0. So if the scripts above do not seem to do anything, replace the "cmp esi, dword [BaseAddressOfMyVariable]"s with "cmp [esi],0", and you can wipe anything related to the logger.

Also, if the gauge locks but not at the right value, tune the FULL_GAUGE parameter.

You see that fadd dword ptr [esi+00000254] immediately followed by fst dword ptr [esi+00000254] ? I'm thinking they take gauge variation (positive when the gauge fills up, negative otherwise), fadd current gauge state to it, and update (fst) gauge state there. But since fst is not fstp they're keeping the result for something else... The No Addition variant aims at forcefully loading a full gauge there.

_________________
DO NOT PM me if you want help on making/fixing/using a hack.
Dlve
Advanced Cheater
Reputation: 0

Joined: 24 Feb 2014
Posts: 54

PostPosted: Tue Apr 15, 2014 5:45 am    Post subject: Reply with quote

++METHOS wrote:
Just looking at the instructions, it seems that your value should actually be float or double. Have you tried that?

(decimal) 1065353216 = (float) 1.0

Anyway, I have a feeling that you are doing something wrong...no offense, such as a newbie mistake...and maybe this is the problem. Anyway, to find out what exactly you are doing wrong, it would be easier if I could look myself...but I cannot find the game.

This is probably why the update/freeze interval is not functioning properly for you.


Oh, no offence taken.

Tried a double value, but it wasn't getting the job done for me like the 8 byte value did, so I ignored it.

I think the gauge just moves too fast, updating just can't keep up.

About not finding the game: that's weird, because the first link I found had a valid link to download the game. Anyway, you don't need to bother anymore.

You see the value that determines the maximum serve isn't actually connected to the gauge, well sort of. Why I didn't notice this before was because the value which is at offset 27D was hidden. I started to uncover more offsets and realized that, with my script, this offset was always what it is normally when the gauge is full (#117440514). When the gauge is moving it needs to be #117440513. This always gives me the max serve.

Well the script is still not 100% perfect because it somehow messes up the aiming of the serve. This is not a big issue though.

Gniarf, thanks for those scripts. I'm gonna test them anyway, they look interesting.

Edit:

Both of those scripts worked pretty much like this one.
Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem:
cmp [esi+0],0
jne originalcode
mov [esi+254],#1065353216
jmp exit

originalcode:
fstp dword ptr [esi+00000254]

exit:
jmp returnhere

"VT3.exe"+8D89E:
jmp newmem
nop
returnhere:



[DISABLE]
dealloc(newmem)
"VT3.exe"+8D89E:
fstp dword ptr [esi+00000254]


Meaning the gauge comes up when I'm in position to serve and fills up and then empties. It stays empty when I start serving, so not very useful.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

PostPosted: Tue Apr 15, 2014 9:45 am    Post subject: Reply with quote

You should have tried float...not double. I mentioned double in my post because I didn't really look that closely at your instructions...as Gniarf pointed out. Anyway, I didn't find good links for the game for the hosts that I need, however, if you tell me which search engine and query you used, I may be able to find it. If the link is a torrent link or a problematic host, I won't even bother with it.

I'm certain that the value that you need to change should be float. Typically, most gauges like that are going to be stored as float. We know by your instructions that it should be float. To write that, simply do this (or similar):

Code:
mov [esi+254],(float)1.0


Also, using the table that I posted earlier should work...just change the value type to float.

Of course, none of this matters if the code isn't working properly. First, test if the value works and is the correct address...if it is, only then should you proceed with injection.
Dlve
Advanced Cheater
Reputation: 0

Joined: 24 Feb 2014
Posts: 54

PostPosted: Tue Apr 15, 2014 11:09 am    Post subject: Reply with quote

++METHOS wrote:
You should have tried float...not double.


It is incorrect of you to assume that I haven't tested different types of values, because I tested all of them before I even posted the question about NOPs.

Using 4 byte values or float values makes no difference. Float maximum value is a nicer number though. Using the table that you posted earlier works really well with 8 byte values. The problem with using float values in that table is that the speed of the serve is incorrect.

For your information I have now been able to create a script that keeps the gauge full, normal aiming and normal speed.

++METHOS wrote:
Of course, none of this matters if the code isn't working properly. First, test if the value works and is the correct address...if it is, only then should you proceed with injection.


As I mentioned earlier, I found the correct address. This address determines when the gauge is at maximum.
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

PostPosted: Tue Apr 15, 2014 11:31 am    Post subject: Reply with quote

Dlve wrote:
Using 4 byte values or float values makes no difference.
Changing datatypes between 4byte<->float, or 8byte<->double will not affect how effective freezing is.
Dlve wrote:
Float maximum value is a nicer number though.
It's this nicer maximum that we wanted to know.

Dlve wrote:
For your information I have now been able to create a script that keeps the gauge full, normal aiming and normal speed.
*types a post querying more information* Ah... Problem solved...

Out of curiosity, could you post your script? Or are you simply freezing offset +27D's first byte to 2?

_________________
DO NOT PM me if you want help on making/fixing/using a hack.
Dlve
Advanced Cheater
Reputation: 0

Joined: 24 Feb 2014
Posts: 54

PostPosted: Tue Apr 15, 2014 2:20 pm    Post subject: Reply with quote

Gniarf wrote:
Changing datatypes between...8byte<->double will not affect how effective freezing is


I know for a fact this isn't true. At least it wasn't when I was just freezing values.

Gniarf wrote:
It's this nicer maximum that we wanted to know.


What do you need it for? As I've said earlier, much earlier, I've been testing scripts with different values, and I do not understand how using 4 bytes or float makes a difference. Where exactly does it make a difference that you need it for? If I don't need it, why do you?

Gniarf wrote:
Out of curiosity, could you post your script?

I was expecting this, here's the script:


Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem:
cmp [esi+0],0
jne originalcode
mov [esi+254],#1065353216
mov [esi+27D],#117440513
jmp exit

originalcode:
movss xmm0,[esi+00000254]

exit:
jmp returnhere

"VT3.exe"+8D934:
jmp newmem
nop
nop
nop
returnhere:


 
 
[DISABLE]
dealloc(newmem)
"VT3.exe"+8D934:
movss xmm0,[esi+00000254]
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

PostPosted: Tue Apr 15, 2014 4:43 pm    Post subject: Reply with quote

Dlve wrote:
Gniarf wrote:
Changing datatypes between...8byte<->double will not affect how effective freezing is


I know for a fact this isn't true. At least it wasn't when I was just freezing values.
If you freeze the value, THEN change the datatype while keeping the value frozen, you'll get a weird value written over your gauge. But anyway, even when you freeze an address, you just rewrite its bytes every xx milliseconds, regardless of whether you display them as an integer (CE's "8 bytes" datatype) or a double.

Dlve wrote:
Gniarf wrote:
It's this nicer maximum that we wanted to know.


What do you need it for? As I've said earlier, much earlier I've been testing scripts with different values, and I do not understand how using 4 bytes or float makes a difference. Where exactly does it make a difference that you need it for? If I don't need it, why do you?
First, seeing a nice human-readable value confirms that the address we're dealing with is not some mangled aggregate of 2 variables (like when you were reading 8 bytes instead of a float) and also that there is no encryption. When I just see 1065353216 I can't tell.

Besides, take for example a variable that seems to vary quickly between 231564315 and 1092599744 (integer). You might take it as is and lock it at 1092599744, but if you know it's actually a float and look at it as a float, you see it's varying between 1.265819995E-30 and 9.984313965. It could be its real range of variation, but since programmers are human they probably meant 0 to 10.0 and CE didn't read the variable when it was at its peaks (by default CE only reads every 500 ms).

One more reason is that it removes that "cryptic" feel of your code. A code that is easier to read is a code that is easier to debug or tweak. Say for example you notice that at some point serving at full gauge makes you shoot too far and you want to serve at 80% gauge:
full gauge: 10.0=1092616192
80% gauge: 8.0=1090519040
but 1092616192*0.8=874092954 (=1.430511531E-7 ie: almost 0)
You see in this case it's a lot easier to write "(float)8.0" in your script than manually doing the int->float->int conversion.

BTW: 117440513=0x7000001 and 117440514=0x7000002, which makes me think this is a collection of flags, ie: each bit of this variable holds whether a given property is on/off.

_________________
DO NOT PM me if you want help on making/fixing/using a hack.
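The representation point made in this thread (++METHOS's "(decimal) 1065353216 = (float) 1.0", Gniarf's 80%-gauge arithmetic and his hex/flag remark about +27D), as an added example that is not part of any post in the thread: a short Python script that reinterprets the same 32-bit pattern as integer and as float, shows why scaling the raw integer gives a near-zero float while scaling the decoded float does not, compares sampled readings both ways, and lists which bits differ between the two values quoted for offset +27D. All numbers are the ones quoted in the posts; the function names and the sample list are my own.

```python
import struct


def bits_to_float(n: int) -> float:
    """Reinterpret a 32-bit pattern (CE's '4 Bytes' view) as the IEEE-754 single it encodes."""
    return struct.unpack("<f", struct.pack("<I", n & 0xFFFFFFFF))[0]


def float_to_bits(x: float) -> int:
    """Inverse of bits_to_float: the integer CE shows when the same four bytes are read as '4 Bytes'."""
    return struct.unpack("<I", struct.pack("<f", x))[0]


def scale_gauge(bits: int, factor: float) -> dict:
    """Two ways of taking `factor` of a gauge whose raw 32-bit pattern is `bits`:
    scaling the integer pattern (wrong: the resulting float is ~0) versus scaling
    the decoded float and re-encoding it (right: what '(float)8.0' does in a script)."""
    as_int = int(round(bits * factor))
    as_float = float_to_bits(bits_to_float(bits) * factor)
    return {
        "int_scaled_bits": as_int,
        "int_scaled_value": bits_to_float(as_int),
        "float_scaled_bits": as_float,
        "float_scaled_value": bits_to_float(as_float),
    }


def observed_range(samples):
    """Min/max of a list of raw 32-bit readings, as integers and as floats.
    A polled log (CE reads every 500 ms by default) need not contain the true extremes,
    so the float view is only evidence about the intended range, not proof of it."""
    vals = [bits_to_float(s) for s in samples]
    return (min(samples), max(samples)), (min(vals), max(vals))


def set_bits(n: int) -> list:
    """Positions (0 = least significant) of the 1 bits in a 32-bit word."""
    return [i for i in range(32) if (n >> i) & 1]


def differing_bits(a: int, b: int) -> list:
    """Bit positions that change between two readings of a suspected flag word."""
    return set_bits(a ^ b)


if __name__ == "__main__":
    # Constructed sample log: the two extremes Gniarf quotes, as CE would have polled them.
    gauge_samples = [231564315, 1092599744, 1092599744, 231564315]
    print(bits_to_float(1065353216))                        # the value ++METHOS decodes
    print(hex(float_to_bits(10.0)), float_to_bits(10.0))    # full gauge as hex and as '4 Bytes'
    print(scale_gauge(1092616192, 0.8))                     # 80% gauge, both ways
    print(observed_range(gauge_samples))
    for v in (117440513, 117440514):                        # the two +27D values from the thread
        print(hex(v), set_bits(v))
    print("changed bits:", differing_bits(117440513, 117440514))
```

The `scale_gauge` result is the concrete form of Gniarf's warning: the integer-scaled pattern decodes to a float in the 1e-7 range, while the float-scaled one is exactly 8.0. `differing_bits` shows that 0x7000001 and 0x7000002 differ only in bits 0 and 1, which is the observation behind the flag-collection guess; it does not by itself prove the word is a set of flags.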
Dlve
Advanced Cheater
Reputation: 0

Joined: 24 Feb 2014
Posts: 54

PostPosted: Tue Apr 15, 2014 5:02 pm    Post subject: Reply with quote

Gniarf wrote:
If you freeze the value, THEN change the datatype while keeping the value frozen you'll get a weird value written over your gauge.
Umm.. what's this got to do with anything?

I don't quite understand why I need to convince you that the value I'm using is correct. Would it somehow help you give better advice? Because I doubt it. I even told you that the value I was using sort of got the job done. The other thing is I told you I tried different values. Besides, I think it's common sense to do that.

Gniarf wrote:
BTW: 117440513=0x7000001 and 117440514=0x7000002, which makes me think this is a collection of flags, ie: each bit of this variable holds whether a given property is on/off.
Sorry I'm not a programmer, can you translate that to something anyone can understand?
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

PostPosted: Tue Apr 15, 2014 5:25 pm    Post subject: Reply with quote

Oookay, we're taking the trolling track, sorry, not interested, I'm outta here.
I'll just answer your last question before leaving: the 0x prefix is used to denote hexadecimal representation. Right click on a cheat entry->show as hexadecimal to see it. Using this representation can help identify (possible) flag collections or pointers. A flag is a 1-bit (1/8th of a byte) variable that is equal to 0 or 1 and represents whether something is true/on or false/off.

_________________
DO NOT PM me if you want help on making/fixing/using a hack.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

PostPosted: Tue Apr 15, 2014 6:27 pm    Post subject: Reply with quote

Dlve-
I admit that I do not know everything. I am always learning from people on this forum...from veterans like Gniarf and even newbies. It is not always easy to do, but don't let your ego get in the way of your learning. If I assume anything, it is only to save time. Since people do not always explain things fully or clearly, it is sometimes better to just get to the point and write what is important. Also, any responses that are given on this forum may help others that are reading, and their circumstances may or may not be identical to yours.
Dlve
Advanced Cheater
Reputation: 0

Joined: 24 Feb 2014
Posts: 54

PostPosted: Wed Apr 16, 2014 3:19 am    Post subject: Reply with quote

++METHOS wrote:
Dlve-
I admit that I do not know everything. I am always learning from people on this forum...from veterans like Gniarf and even newbies. It is not always easy to do, but don't let your ego get in the way of your learning. If I assume anything, it is only to save time. Since people do not always explain things fully or clearly, it is sometimes better to just get to the point and write what is important. Also, any responses that are given on this forum may help others that are reading, and their circumstances may or may not be identical to yours.


I understand your point, but one should also read the messages posted before, because it's quite frustrating to answer the same questions. It's understandable when the thread is long. Also, I think the way you put your message was quite condescending.

Since Gniarf probably won't answer this, can someone explain how I was trolling? I wasn't trying to, I just seriously wanted to know how things are connected. All I'm saying is, I don't think your knowledge is tied to a value.

I understand that you write a message saying that trying different values is needed, and it may be helpful to someone reading this, but I don't think it's then necessary to post "you should have given us the float value". If I had said myself, after you told me to try different values, that there was something different going on, then the case would be entirely different.

Oh, and Gniarf I humbly thank you for answering my last question. Made it much clearer.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

PostPosted: Wed Apr 16, 2014 10:04 am    Post subject: Reply with quote

Dlve wrote:
I understand your point but one should also read messages posted before because it's quite frustrating to answer same questions.
-I do read them. Care to elaborate?

Dlve wrote:
Also I think the way you put your message was quite condescending.
-How? Which post?
Dlve
Advanced Cheater
Reputation: 0

Joined: 24 Feb 2014
Posts: 54

PostPosted: Wed Apr 16, 2014 10:54 am    Post subject: Reply with quote

++METHOS wrote:
How? Which post?

Oh sorry, I was trying to cut corners again. I meant the message about trying float. When it's been obviously said that the value that should be tried is float or double, and then another one says that it should be float, assuming that I wouldn't have tried float at that point is just weird. It just relays a message as if you thought the one you are giving advice to is completely dumb. Well, that's how I felt.

++METHOS wrote:
-I do read them. Care to elaborate?
Remember telling me to fiddle with different values for a script. Well I had already posted my findings about that. I've also mentioned another thing in recent messages which I do not care to repeat again.
Page 3 of 4