Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Need Advice :D Help Me WouldYouKindly

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking
View previous topic :: View next topic  
Author Message
NanoByte
Expert Cheater
Reputation: 1

Joined: 13 Sep 2013
Posts: 222

PostPosted: Fri May 30, 2014 9:05 am    Post subject: Need Advice :D Help Me WouldYouKindly Reply with quote

i'm trying to make godmode but the problem is that code is shared with everyone so i give it to me every(npc) gets it too and there is no id that seperates them from you, so this is what i came up with

// health address stays the same until you die and get another one

i want to find the first address(or value) that get edited by the code (movss [rcx+18],xmm1) and validate it with that, dmg youself and get godmode.

just point me into the right dirrection thx
any sort of advice is appreciated Very Happy

this is my old code

Code:
memxm:
dq (float)0
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
//cmp [rcx+1C],(float)100
cmp [rcx+1C],(float)100 //i'm validating with maximum health but some npc have the same amount of maximum health as you so they get gm also
je pl
jmp en

en: //1hit kill
cmp [hkval],0
je originalcode
movss xmm1,[memxm]

jmp exit

pl: //godmode
cmp [rcx+40],0 //trying to filter out enemy
je en
cmp [rcx+A2C],(float)0 //trying to filter out enemy
je en
cmp [gmval],1
je exit

originalcode:
movss [rcx+18],xmm1
Back to top
View user's profile Send private message
justa_dude
Grandmaster Cheater
Reputation: 23

Joined: 29 Jun 2010
Posts: 893

PostPosted: Fri May 30, 2014 11:14 am    Post subject: Reply with quote

You could try something like this (untested):
Code:

cmp [memxm],0
jne @f
push rax
lea rax,[rcx+18]
mov [memxm],rax
pop rax
jmp originalcode
@@:
push rax
lea rax,[rcx+18]
cmp rax,[memxm]
pop rax
je p1
jmp en

_________________
A nagy kapu mellett, mindig van egy kis kapu.
----------------------
Come on...
Back to top
View user's profile Send private message
NanoByte
Expert Cheater
Reputation: 1

Joined: 13 Sep 2013
Posts: 222

PostPosted: Fri May 30, 2014 1:59 pm    Post subject: Main man :D Reply with quote

Thx alot man it works but i if u got some time to explain your code to me, its better to know why instead of just copy past Very Happy

Code:
push rax //could i have used any register here? eax,esi r10d etc?
lea rax,[rcx+18] // why lea instead of mov? what did the lea command store in rax,, address or value?
mov [vali],rax
pop rax
jmp newmem
@@:
push rax
lea rax,[rcx+18]
cmp rax,[vali]
pop rax
Back to top
View user's profile Send private message
justa_dude
Grandmaster Cheater
Reputation: 23

Joined: 29 Jun 2010
Posts: 893

PostPosted: Fri May 30, 2014 2:41 pm    Post subject: Reply with quote

justa_dude wrote:
You could try something like this (untested):
Code:

cmp [memxm],0 - have we already recorded an address (that we presume is the player)?
jne @f - if we have, skip to @@
-- save first-time address
push rax - we don't see enough of your code to guess which registers might be free for us to use, so save rax and use it for temp
lea rax,[rcx+18] - save a ptr to health or damage or whatever it is you're hacking
mov [memxm],rax - move ptr into alloc space
pop rax - restore rax
jmp originalcode - done
@@:
-- already have saved address, compare new one against it
push rax
lea rax,[rcx+18]
cmp rax,[memxm]
pop rax
je p1
jmp en


NanoByte wrote:
could i have used any register here? eax,esi r10d etc?

I wouldn't use eip or esp or whatever, but most are fine. If we saw more of your code, we could probably find one or more registers guaranteed to be written before being read and therefore safe to overwrite. Since we're moving a qword around, you're going to want to stick to the 64-bit registers (rax vs eax, rsi vs esi, etc).
NanoByte wrote:
why lea instead of mov? what did the lea command store in rax,, address or value?
lea = load effective address. I don't want the value inside [ecx+18] (the health or whatever), I want the address (pointer) it is stored in because although the value isn't unique to the player the address probably is.

Again, I haven't tested this and I'm exceedingly ignorant when it comes to x64, but that's the basic idea. It really would be better if you could find a unique identifier (perhaps using the dissect structure tool, eg step 9 in the tutorial). It may be as simple as just looking at the value of [rcx].

_________________
A nagy kapu mellett, mindig van egy kis kapu.
----------------------
Come on...
Back to top
View user's profile Send private message
NanoByte
Expert Cheater
Reputation: 1

Joined: 13 Sep 2013
Posts: 222

PostPosted: Fri May 30, 2014 3:54 pm    Post subject: Reply with quote

Yeah dissect data/structure was the first place i went
but there were few addresses that had different group value

like this:

pl en1 en2 en3 en4

High number 0 0 0 0

but still it was very buggy some npc still got gm

Code:

label(_valih)
registersymbol(_valih)
aobscan(vali,70 17 AF F6 FF 7F 00 00 ?? ?? ?? ?? 00 00 00 00 13 23 DA CE 01 00 00 00 ?? ?? ?? 42 00 00 C8 42)

vali:
_valih:
[DISABLE]
unregistersymbol(_valih)


this code gives me the new health value, but i have to reactivate the code each time when i die to get the new value, trying to intergrate this with the other code somehow brain storming this shit Very Happy
Back to top
View user's profile Send private message
justa_dude
Grandmaster Cheater
Reputation: 23

Joined: 29 Jun 2010
Posts: 893

PostPosted: Fri May 30, 2014 5:12 pm    Post subject: Reply with quote

Yup. Writing code is a left brain + right brain process, so to then hacking must be.
_________________
A nagy kapu mellett, mindig van egy kis kapu.
----------------------
Come on...
Back to top
View user's profile Send private message
Daijobu
Master Cheater
Reputation: 13

Joined: 05 Feb 2013
Posts: 301
Location: the Netherlands

PostPosted: Fri May 30, 2014 7:30 pm    Post subject: Reply with quote

When the player dies in Watch Dogs the [rcx+18] value is set to 0 during loading. You could use this to reset the [memxm] stored value to 0 and have it load the renewed address.

When the God Mode is enabled the value will always be 100. When scripted events kill the player the value is set to 0.

_________________
Scripts/tables from scratch. Relation to other scripts is coincidental. Use of posted code is credited properly.
Euro Truck Simulator 2 Backwards Compatible Cheat
American Truck Simulator Backwards Compatible Cheat
Back to top
View user's profile Send private message
NanoByte
Expert Cheater
Reputation: 1

Joined: 13 Sep 2013
Posts: 222

PostPosted: Sat May 31, 2014 5:08 am    Post subject: Reply with quote

Good idea Daijobu but i must finder another place to hook because [rcx+18] only triggers when u get dmg or do dmg to others
Back to top
View user's profile Send private message
Daijobu
Master Cheater
Reputation: 13

Joined: 05 Feb 2013
Posts: 301
Location: the Netherlands

PostPosted: Sat May 31, 2014 9:12 am    Post subject: Reply with quote

There are other places where [rcx+18] for player health is continiously accessed by the game.
You could add a second hook to such an address and grab the player health address from there to match with [rcx+18],xmm1.

EDIT:

Addendum, this seems to work perfectly:

Code:

[ENABLE]
//Allocations
alloc(_wd64GodMode,256,"Disrupt_b64.dll")
//Labels
label(_wd64God_var_1)
label(_wd64God_var_2)
//
label(_wd64GodMode_return)
label(_wd64GodMode_exit)
//
label(_wd64God_Enabled)
label(_wd64God_Disabled)
//
label(_wd64_Godmode_aob_jmp_1)
label(_wd64_Godmode_aob_jmp_2)
//
registersymbol(_wd64_Godmode_aob_jmp_1)
registersymbol(_wd64_Godmode_aob_jmp_2)
//
{This one's gonna break with a game update}
aobscanmodule(_wd64_Godmode_aob_1,Disrupt_b64.dll,F3 0F 10 41 18 C3 CC CC CC CC CC CC CC CC CC CC F3 0F 10 41 1C)//"Disrupt_b64.dll"+181B510
aobscanmodule(_wd64_Godmode_aob_2,Disrupt_b64.dll,48 83 79 08 00 F3 0F 11 49 18)//"Disrupt_b64.dll"+184FB9B

_wd64GodMode+0:
_wd64God_var_1:
dd 0

_wd64GodMode+8:
_wd64God_var_2:
dd 0

{LEA #1 Always Player, load once on activation}
_wd64GodMode+32:
movss xmm0,[rcx+18] {Original Code}
cmp [_wd64God_var_1],0
jne _wd64GodMode_return
push eax
lea eax,[rcx+18]
mov [_wd64God_var_1],eax
pop eax
jmp _wd64GodMode_return

{LEA #2 Active on hit. Player & NPC}
_wd64GodMode+64:
push eax
lea eax,[rcx+18]
mov [_wd64God_var_2],eax
{Compare}
mov eax,[_wd64God_var_1]
cmp eax,[_wd64God_var_2]
je _wd64God_Enabled
jmp _wd64God_Disabled

{Enable of Disable God Mode}
_wd64God_Enabled:
pop eax //pop as return from GodModeCheck
movss [rcx+18],xmm0
jmp _wd64GodMode_exit

_wd64God_Disabled:
pop eax //pop as return from GodModeCheck
movss [rcx+18],xmm1
jmp _wd64GodMode_exit

{Main Addresses}
_wd64_Godmode_aob_1:{"Disrupt_b64.dll"+181B510:}
_wd64_Godmode_aob_jmp_1:
jmp _wd64GodMode+32
_wd64GodMode_return:

_wd64_Godmode_aob_2+5: {"Disrupt_b64.dll"+184FBA0:}
_wd64_Godmode_aob_jmp_2:
jmp _wd64GodMode+64
_wd64GodMode_exit:

[DISABLE]
dealloc(_wd64GodMode)
_wd64_Godmode_aob_jmp_1: {"Disrupt_b64.dll"+181B510:}
db F3 0F 10 41 18
_wd64_Godmode_aob_jmp_2: {"Disrupt_b64.dll"+184FBA0:}
db F3 0F 11 49 18
//
unregistersymbol(_wd64_Godmode_aob_jmp_1)
unregistersymbol(_wd64_Godmode_aob_jmp_2)

_________________
Scripts/tables from scratch. Relation to other scripts is coincidental. Use of posted code is credited properly.
Euro Truck Simulator 2 Backwards Compatible Cheat
American Truck Simulator Backwards Compatible Cheat
Back to top
View user's profile Send private message
NanoByte
Expert Cheater
Reputation: 1

Joined: 13 Sep 2013
Posts: 222

PostPosted: Sat May 31, 2014 5:33 pm    Post subject: Reply with quote

Holy shit ahahah GrandMaster Cheater!!! now i can finally take a rest from the godmode shit, it was starting to piss me off Very Happy
Back to top
View user's profile Send private message
Daijobu
Master Cheater
Reputation: 13

Joined: 05 Feb 2013
Posts: 301
Location: the Netherlands

PostPosted: Sat May 31, 2014 5:49 pm    Post subject: Reply with quote

I've updated the player reference address. In case you want to add it to your table you can find it in my latest compilation update! Wink
_________________
Scripts/tables from scratch. Relation to other scripts is coincidental. Use of posted code is credited properly.
Euro Truck Simulator 2 Backwards Compatible Cheat
American Truck Simulator Backwards Compatible Cheat
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites