Cheat Engine - The Official Site of Cheat Engine
NanoByte (Expert Cheater) | Reputation: 1 | Joined: 13 Sep 2013 | Posts: 222
Posted: Fri May 30, 2014 9:05 am    Post subject: Need Advice :D Help Me WouldYouKindly
I'm trying to make god mode, but the problem is that the code is shared with everyone, so if I give it to myself every NPC gets it too, and there is no ID that separates them from you. So this is what I came up with:
// the health address stays the same until you die and get another one

I want to find the first address (or value) that gets edited by the code (movss [rcx+18],xmm1), validate with that, damage yourself and get god mode.

Just point me in the right direction, thanks. Any sort of advice is appreciated.

This is my old code:
 
 
Code:
memxm: dq (float)0

newmem: // this is allocated memory, you have read, write, execute access
// place your code here
cmp [rcx+1C],(float)100 // validating with maximum health, but some NPCs have the same max health as you, so they get god mode too
je pl
jmp en

en: // 1-hit kill
cmp [hkval],0
je originalcode
movss xmm1,[memxm] // memxm holds (float)0, so the original write below stores 0 health
jmp originalcode   // the posted version jumped to exit here, which skipped the write

pl: // god mode
cmp [rcx+40],0 // trying to filter out enemies
je en
cmp [rcx+A2C],(float)0 // trying to filter out enemies
je en
cmp [gmval],1
je exit // god mode on: skip the health write

originalcode:
movss [rcx+18],xmm1
jmp exit
justa_dude (Grandmaster Cheater) | Reputation: 23 | Joined: 29 Jun 2010 | Posts: 893
Posted: Fri May 30, 2014 11:14 am
				| You could try something like this (untested): 
Code:
cmp [memxm],0      // have we already recorded an address?
jne @f             // yes: skip to @@ and compare against it
push rax           // rax is used as a temp; save the caller's value
lea rax,[rcx+18]   // address of the health field, not its value
mov [memxm],rax    // record it; the first hit is presumed to be the player
pop rax
jmp originalcode
@@:
push rax
lea rax,[rcx+18]
cmp rax,[memxm]    // same object as the recorded one?
pop rax
je pl              // yes: god mode path (the label in your code is pl, not p1)
jmp en             // no: treat as enemy
_________________
Next to the big gate, there is always a small gate.
----------------------
Come on...
NanoByte (Expert Cheater) | Reputation: 1 | Joined: 13 Sep 2013 | Posts: 222
Posted: Fri May 30, 2014 1:59 pm    Post subject: Main man :D
Thanks a lot man, it works, but if you've got some time, could you explain your code to me? It's better to know why instead of just copy-pasting.
 
Code:
push rax // could I have used any register here? eax, esi, r10d etc?
lea rax,[rcx+18] // why lea instead of mov? What did the lea command store in rax, address or value?
mov [vali],rax
pop rax
jmp newmem
@@:
push rax
lea rax,[rcx+18]
cmp rax,[vali]
pop rax
justa_dude (Grandmaster Cheater) | Reputation: 23 | Joined: 29 Jun 2010 | Posts: 893
Posted: Fri May 30, 2014 2:41 pm
justa_dude wrote: You could try something like this (untested):

Code:
cmp [memxm],0      // have we already recorded an address (that we presume is the player)?
jne @f             // if we have, skip to @@
// save first-time address
push rax           // we don't see enough of your code to guess which registers might be free for us to use, so save rax and use it for temp
lea rax,[rcx+18]   // save a ptr to health or damage or whatever it is you're hacking
mov [memxm],rax    // move ptr into alloc space
pop rax            // restore rax
jmp originalcode   // done
@@:
// already have saved address, compare new one against it
push rax
lea rax,[rcx+18]
cmp rax,[memxm]
pop rax
je pl
jmp en
 
 
NanoByte wrote: could I have used any register here? eax, esi, r10d etc?

I wouldn't use eip or esp or whatever, but most are fine. If we saw more of your code, we could probably find one or more registers guaranteed to be written before being read and therefore safe to overwrite. Since we're moving a qword around, you're going to want to stick to the 64-bit registers (rax vs eax, rsi vs esi, etc).

NanoByte wrote: why lea instead of mov? What did the lea command store in rax, address or value?

lea = load effective address. I don't want the value inside [ecx+18] (the health or whatever), I want the address (pointer) it is stored in, because although the value isn't unique to the player, the address probably is.

Again, I haven't tested this and I'm exceedingly ignorant when it comes to x64, but that's the basic idea. It really would be better if you could find a unique identifier (perhaps using the dissect structure tool, e.g. step 9 in the tutorial). It may be as simple as just looking at the value of [rcx].
NanoByte (Expert Cheater) | Reputation: 1 | Joined: 13 Sep 2013 | Posts: 222
Posted: Fri May 30, 2014 3:54 pm
Yeah, dissect data/structure was the first place I went, but there were a few addresses that had a different value for the group, like this:

    pl           en1  en2  en3  en4
    High number  0    0    0    0

But it was still very buggy; some NPCs still got god mode.
Code:
[ENABLE]
label(_valih)
registersymbol(_valih)
// signature of the player's health structure: the scan result is the object base, with the
// current health float at +18 (?? ?? ?? 42) and max health 100.0 at +1C (00 00 C8 42),
// the same offsets the hook reads as [rcx+18] and [rcx+1C]
aobscan(vali,70 17 AF F6 FF 7F 00 00 ?? ?? ?? ?? 00 00 00 00 13 23 DA CE 01 00 00 00 ?? ?? ?? 42 00 00 C8 42)

vali:
_valih:

[DISABLE]
unregistersymbol(_valih)
 
This code gives me the new health value, but I have to reactivate the code each time I die to get the new value. Trying to integrate this with the other code somehow, brainstorming this shit.
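How a wildcard aobscan like the one above locates the health field, written out as a stand-alone C program. This is an added example for this thread, not Cheat Engine's own scanner: the buffer sample_memory is constructed to match the thread's signature with the two wildcard groups filled in, and the function names (aob_parse, aob_scan, find_health_offset) are the example's own. The point it shows is that the scan result is the object base, and the health float is 0x18 bytes in, which is exactly the [rcx+18] the hook writes.

```c
/* aob_scan.c: array-of-bytes scanner with "??" wildcards in the style of
 * Cheat Engine's aobscan(). Added example, not Cheat Engine code.
 * sample_memory is a constructed buffer, not a dump from the game. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AOB_MAX 64

typedef struct {
    uint8_t value[AOB_MAX];
    uint8_t fixed[AOB_MAX];   /* 1 = byte must match, 0 = "??" wildcard */
    size_t len;
} aob_pattern;

/* Parse "70 17 AF ?? 42" into value/fixed arrays. 0 on success, -1 on a bad token. */
int aob_parse(const char *text, aob_pattern *pat)
{
    const char *p = text;
    pat->len = 0;
    while (*p) {
        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0') break;
        if (pat->len >= AOB_MAX) return -1;
        if (p[0] == '?' && p[1] == '?') {
            pat->value[pat->len] = 0;
            pat->fixed[pat->len] = 0;
        } else if (isxdigit((unsigned char)p[0]) && isxdigit((unsigned char)p[1])) {
            char hex[3] = { p[0], p[1], '\0' };
            pat->value[pat->len] = (uint8_t)strtoul(hex, NULL, 16);
            pat->fixed[pat->len] = 1;
        } else {
            return -1;            /* odd digit count or a non-hex token */
        }
        p += 2;
        pat->len++;
    }
    return pat->len ? 0 : -1;
}

/* Offset of the first match of pat in buf, or -1 if there is none. */
long aob_scan(const uint8_t *buf, size_t buflen, const aob_pattern *pat)
{
    if (pat->len == 0 || buflen < pat->len) return -1;
    for (size_t i = 0; i + pat->len <= buflen; i++) {
        size_t j = 0;
        while (j < pat->len && (!pat->fixed[j] || buf[i + j] == pat->value[j])) j++;
        if (j == pat->len) return (long)i;
    }
    return -1;
}

/* Constructed memory image laid out like the thread's signature. */
static const uint8_t sample_memory[] = {
    0xDE, 0xAD, 0xBE, 0xEF,                          /* filler before the object */
    0x70, 0x17, 0xAF, 0xF6, 0xFF, 0x7F, 0x00, 0x00,  /* +00 */
    0x11, 0x22, 0x33, 0x44,                          /* +08 wildcarded in the pattern */
    0x00, 0x00, 0x00, 0x00,                          /* +0C */
    0x13, 0x23, 0xDA, 0xCE, 0x01, 0x00, 0x00, 0x00,  /* +10 */
    0x00, 0x00, 0x93, 0x42,                          /* +18 current health 73.5f (0x42930000) */
    0x00, 0x00, 0xC8, 0x42,                          /* +1C max health 100.0f (0x42C80000) */
    0xDE, 0xAD, 0xBE, 0xEF,                          /* filler after the object */
};

static const char *const HEALTH_SIG =
    "70 17 AF F6 FF 7F 00 00 ?? ?? ?? ?? 00 00 00 00 13 23 DA CE 01 00 00 00 ?? ?? ?? 42 00 00 C8 42";

/* Offset of the current-health float in sample_memory, or -1. The float sits
 * 0x18 bytes into the match, the same offset the hook reads as [rcx+18]. */
long find_health_offset(void)
{
    aob_pattern pat;
    if (aob_parse(HEALTH_SIG, &pat) != 0) return -1;
    long base = aob_scan(sample_memory, sizeof sample_memory, &pat);
    return base < 0 ? -1 : base + 0x18;
}

float read_float_at(long off)
{
    float f;
    memcpy(&f, sample_memory + off, sizeof f);   /* little-endian host assumed (x86) */
    return f;
}

/* A signature that is not in the buffer must report no match (01 vs 02). */
long scan_missing(void)
{
    aob_pattern pat;
    aob_parse("13 23 DA CE 02 ?? ?? ??", &pat);
    return aob_scan(sample_memory, sizeof sample_memory, &pat);
}

/* Malformed tokens are rejected instead of silently matching garbage. */
int reject_bad_pattern(void)
{
    aob_pattern pat;
    return aob_parse("13 2G ??", &pat) == -1 && aob_parse("", &pat) == -1;
}

int main(void)
{
    long off = find_health_offset();
    if (off < 0) { puts("no match"); return 1; }
    printf("health at +%ld = %.1f, max health at +%ld = %.1f\n",
           off, read_float_at(off), off + 4, read_float_at(off + 4));
    return 0;
}
```

The trailing 00 00 C8 42 is the float 100.0, so this pattern only finds objects whose max health is exactly 100, which is the same value check the first post tried with cmp [rcx+1C],(float)100; that is why it still has to be re-run after a respawn and why it cannot, by itself, separate the player from an NPC with the same max health.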
justa_dude (Grandmaster Cheater) | Reputation: 23 | Joined: 29 Jun 2010 | Posts: 893
Posted: Fri May 30, 2014 5:12 pm
Yup. Writing code is a left brain + right brain process, so then hacking must be too.
Daijobu (Master Cheater) | Reputation: 13 | Joined: 05 Feb 2013 | Posts: 301 | Location: the Netherlands
Posted: Fri May 30, 2014 7:30 pm
				| When the player dies in Watch Dogs the [rcx+18] value is set to 0 during loading. You could use this to reset the [memxm] stored value to 0 and have it load the renewed address. 
 When the God Mode is enabled the value will always be 100. When scripted events kill the player the value is set to 0.
NanoByte (Expert Cheater) | Reputation: 1 | Joined: 13 Sep 2013 | Posts: 222
Posted: Sat May 31, 2014 5:08 am
Good idea Daijobu, but I must find another place to hook, because [rcx+18] only triggers when you get damaged or do damage to others.
Daijobu (Master Cheater) | Reputation: 13 | Joined: 05 Feb 2013 | Posts: 301 | Location: the Netherlands
Posted: Sat May 31, 2014 9:12 am
There are other places where [rcx+18] for player health is continuously accessed by the game. You could add a second hook to such an address and grab the player health address from there to match against [rcx+18],xmm1.
 
 EDIT:
 
 Addendum, this seems to work perfectly:
 
 
Code:
[ENABLE]
// Allocations
alloc(_wd64GodMode,256,"Disrupt_b64.dll")
// Labels
label(_wd64God_var_1)
label(_wd64God_var_2)
label(_wd64GodMode_return)
label(_wd64GodMode_exit)
label(_wd64God_Enabled)
label(_wd64God_Disabled)
label(_wd64_Godmode_aob_jmp_1)
label(_wd64_Godmode_aob_jmp_2)
registersymbol(_wd64_Godmode_aob_jmp_1)
registersymbol(_wd64_Godmode_aob_jmp_2)

{This one's gonna break with a game update}
aobscanmodule(_wd64_Godmode_aob_1,Disrupt_b64.dll,F3 0F 10 41 18 C3 CC CC CC CC CC CC CC CC CC CC F3 0F 10 41 1C) // "Disrupt_b64.dll"+181B510
aobscanmodule(_wd64_Godmode_aob_2,Disrupt_b64.dll,48 83 79 08 00 F3 0F 11 49 18) // "Disrupt_b64.dll"+184FB9B

{Pointer slots: a 64-bit address needs 8 bytes and 64-bit registers. The posted version used dd/eax, which keeps only the low 32 bits of the address}
_wd64GodMode+0:
_wd64God_var_1:
dq 0

_wd64GodMode+8:
_wd64God_var_2:
dq 0

{LEA #1: always the player, loaded once on activation}
_wd64GodMode+32:
movss xmm0,[rcx+18] {Original Code}
cmp [_wd64God_var_1],0
jne _wd64GodMode_return
push rax
lea rax,[rcx+18]
mov [_wd64God_var_1],rax
pop rax
jmp _wd64GodMode_return

{LEA #2: active on hit, player and NPC}
_wd64GodMode+64:
push rax
lea rax,[rcx+18]
mov [_wd64God_var_2],rax
{Compare}
mov rax,[_wd64God_var_1]
cmp rax,[_wd64God_var_2]
je _wd64God_Enabled
jmp _wd64God_Disabled

{Enable or disable god mode}
_wd64God_Enabled:
pop rax // restore rax before returning
movss [rcx+18],xmm0 // write xmm0 instead of the damaged value in xmm1
jmp _wd64GodMode_exit

_wd64God_Disabled:
pop rax // restore rax before returning
movss [rcx+18],xmm1 {Original Code}
jmp _wd64GodMode_exit

{Main Addresses}
_wd64_Godmode_aob_1: {"Disrupt_b64.dll"+181B510}
_wd64_Godmode_aob_jmp_1:
jmp _wd64GodMode+32
_wd64GodMode_return:

_wd64_Godmode_aob_2+5: {"Disrupt_b64.dll"+184FBA0}
_wd64_Godmode_aob_jmp_2:
jmp _wd64GodMode+64
_wd64GodMode_exit:

[DISABLE]
dealloc(_wd64GodMode)
_wd64_Godmode_aob_jmp_1: {"Disrupt_b64.dll"+181B510}
db F3 0F 10 41 18 // movss xmm0,[rcx+18]
_wd64_Godmode_aob_jmp_2: {"Disrupt_b64.dll"+184FBA0}
db F3 0F 11 49 18 // movss [rcx+18],xmm1
unregistersymbol(_wd64_Godmode_aob_jmp_1)
unregistersymbol(_wd64_Godmode_aob_jmp_2)
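The filter justa_dude sketched (record the address of the first health field the hook sees, then compare every later hit against it) and Daijobu's two-hook refinement (capture the address at a site only the player reaches, filter at the shared damage write), modelled as a plain C simulation. This is an added example and not code from the thread, from Cheat Engine or from the game: the entity layout, the hook function names and the damage values are assumptions, and the god-mode path simply skips the write instead of storing xmm0 as Daijobu's script does. It also differs from his script in one deliberate way, stated in the comments: the player-only hook overwrites the slot on every hit rather than once, so a respawn (new object, new address) is picked up without re-enabling the script.

```c
/* god_filter.c: simulation of the pointer-identity filter from this thread.
 * Added example, not code from the thread or the game. The entity layout,
 * hook names and damage values are assumptions. */
#include <stdint.h>
#include <stdio.h>

/* Assumed object layout mirroring the offsets used in the thread's hooks. */
typedef struct {
    uint8_t pad[0x18];
    float health;       /* [rcx+18] */
    float max_health;   /* [rcx+1C] */
} entity;

static uintptr_t player_health_ptr;  /* the thread's memxm / _wd64God_var_1; 0 = nothing captured yet */
static int god_mode = 1;

/* The first post's filter: a value check that cannot separate the player
 * from an NPC that happens to have the same max health. */
int value_filter_grants_god(const entity *e)
{
    return e->max_health == 100.0f;
}

/* Hook 1 ("LEA #1"): a code path the game reaches only for the player, e.g.
 * the HUD reading health. Unlike the posted script, which captures once,
 * every hit records the current address, so a respawned player object
 * replaces the stale pointer automatically. */
void hook_player_only_read(const entity *e)
{
    player_health_ptr = (uintptr_t)&e->health;
}

/* Hook 2 at the shared write (movss [rcx+18],xmm1). new_health is the value
 * the game wants to store (xmm1). Returns the value actually left in memory. */
float hook_damage_write(entity *e, float new_health)
{
    if (god_mode && (uintptr_t)&e->health == player_health_ptr)
        return e->health;             /* the player's object: suppress the write */
    e->health = new_health;           /* anyone else: original behaviour */
    return e->health;
}

typedef struct {
    float player_hp;              /* player after a 40-point hit */
    float npc_hp;                 /* NPC after the same hit */
    int value_filter_npc;         /* 1 if the max-health check would have protected the NPC too */
    float respawn_before_refresh; /* respawned player hit before hook 1 ran again */
    float respawn_after_refresh;  /* respawned player hit after hook 1 refreshed the pointer */
} scenario_result;

scenario_result run_scenario(void)
{
    entity player  = { .health = 100.0f, .max_health = 100.0f };
    entity npc     = { .health = 100.0f, .max_health = 100.0f }; /* same max health as the player */
    entity respawn = { .health = 100.0f, .max_health = 100.0f }; /* new object allocated after death */
    scenario_result r;

    player_health_ptr = 0;
    hook_player_only_read(&player);                  /* HUD read: capture the player's address */
    hook_damage_write(&player, player.health - 40.0f);
    hook_damage_write(&npc, npc.health - 40.0f);
    r.player_hp = player.health;                     /* 100: write suppressed */
    r.npc_hp = npc.health;                           /* 60: NPC is not the recorded address */
    r.value_filter_npc = value_filter_grants_god(&npc);

    /* Death: the game drops the old object, so the recorded pointer is stale. */
    hook_damage_write(&respawn, respawn.health - 40.0f);
    r.respawn_before_refresh = respawn.health;       /* 60: unprotected until hook 1 fires */
    hook_player_only_read(&respawn);                 /* next HUD read refreshes the pointer */
    hook_damage_write(&respawn, respawn.health - 40.0f);
    r.respawn_after_refresh = respawn.health;        /* still 60: protected again */
    return r;
}

int main(void)
{
    scenario_result r = run_scenario();
    printf("player %.0f, npc %.0f, value filter protects npc: %d, respawn %.0f -> %.0f\n",
           r.player_hp, r.npc_hp, r.value_filter_npc,
           r.respawn_before_refresh, r.respawn_after_refresh);
    return 0;
}
```

The caveat that matters in practice: the filter trusts address identity and nothing else. Between the player's death and the next player-only hit, the recorded pointer is stale, and if the engine reuses that allocation for an NPC, that NPC is "the player" until the slot is refreshed, which is why the refresh has to come from a site the game reaches only for the player, and why a filter that captures once (as the posted script does) needs the script re-enabled after a respawn.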
NanoByte (Expert Cheater) | Reputation: 1 | Joined: 13 Sep 2013 | Posts: 222
Posted: Sat May 31, 2014 5:33 pm
Holy shit, ahahah, GrandMaster Cheater!!! Now I can finally take a rest from the god mode shit; it was starting to piss me off.
Daijobu (Master Cheater) | Reputation: 13 | Joined: 05 Feb 2013 | Posts: 301 | Location: the Netherlands
Posted: Sat May 31, 2014 5:49 pm
I've updated the player reference address. In case you want to add it to your table, you can find it in my latest compilation update!
 