Cheat Engine The Official Site of Cheat Engine

JohannesJoestar (Advanced Cheater)
Reputation: 0
Joined: 01 Nov 2015
Posts: 79

Posted: Wed Feb 03, 2016 4:34 pm    Post subject: [Help] cmp opcode doesn't work ?

Hello!
I'm trying to make a one-hit-kill cheat using code injection.

In this game there are a total of 8 possible players.

I'm using Player 1 and Player 3.

With the "find what writes to this address" function of Cheat Engine, I was able to generate a script that subtracts some high value instead of the normal damage value.

Here is the script:
 
Code:
{ Game   : game.exe Version:
 Date   : 2016-02-03
 Author : VINCENT
 
 This script does blah blah blah
 }
 
 [ENABLE]
 
 aobscanmodule(LUFFY,game.exe,00 01 14 85 * * * * 8B 84 BE 94 01 00 00 29 88 FC 02 00 00)
 alloc(newmem,$1000)
 
 label(code)
 label(return)
 
 newmem:
 
 code:
 sub [eax+000002FC],61A8
 jmp return
 
 LUFFY+0F:
 jmp code
 nop
 return:
 registersymbol(LUFFY)
 
 [DISABLE]
 
 LUFFY+0F:
 db 29 88 FC 02 00 00
 
 unregistersymbol(LUFFY)
 dealloc(newmem)
 
 {
 // ORIGINAL CODE - INJECTION POINT: "game.exe"+2E95C
 
 "game.exe"+2E92B: 8B 84 BE 94 01 00 00  -  mov eax,[esi+edi*4+00000194]
 "game.exe"+2E932: 8B 80 44 03 00 00     -  mov eax,[eax+00000344]
 "game.exe"+2E938: 85 C0                 -  test eax,eax
 "game.exe"+2E93A: 7E 19                 -  jle lf2.exe+2E955
 "game.exe"+2E93C: 83 F8 03              -  cmp eax,03
 "game.exe"+2E93F: 7D 14                 -  jnl lf2.exe+2E955
 "game.exe"+2E941: 8B 84 BE 94 01 00 00  -  mov eax,[esi+edi*4+00000194]
 "game.exe"+2E948: 8B 80 44 03 00 00     -  mov eax,[eax+00000344]
 "game.exe"+2E94E: 01 14 85 60 1B 45 00  -  add [eax*4+lf2.exe+51B60],edx
 "game.exe"+2E955: 8B 84 BE 94 01 00 00  -  mov eax,[esi+edi*4+00000194]
 // ---------- INJECTING HERE ----------
 "game.exe"+2E95C: 29 88 FC 02 00 00     -  sub [eax+000002FC],ecx
 // ---------- DONE INJECTING  ----------
 "game.exe"+2E962: B8 55 55 55 55        -  mov eax,55555555
 "game.exe"+2E967: F7 E9                 -  imul ecx
 "game.exe"+2E969: 2B D1                 -  sub edx,ecx
 "game.exe"+2E96B: D1 FA                 -  sar edx,1
 "game.exe"+2E96D: 8B C2                 -  mov eax,edx
 "game.exe"+2E96F: C1 E8 1F              -  shr eax,1F
 "game.exe"+2E972: 03 C2                 -  add eax,edx
 "game.exe"+2E974: 8B D0                 -  mov edx,eax
 "game.exe"+2E976: 8B 84 BE 94 01 00 00  -  mov eax,[esi+edi*4+00000194]
 "game.exe"+2E97D: 01 90 00 03 00 00     -  add [eax+00000300],edx
 }
 
Like I said, 8 possible players and I'm using 1 & 3.
In "versus" mode I ran this script and we were both able to one-hit kill each other, rather than only one of us.

So I compared each player's structure and found an offset that is different for each player. The offset is +0BB8. For Player 1 its value is 30 and for Player 3 its value is 80.

So I wrote a comparison for Player 3: when eax+0BB8 is 80 it wouldn't decrease my health.

Here is the script:
 
 
Code:
{ Game   : game.exe Version:
 Date   : 2016-02-03
 Author : VINCENT
 
 This script does blah blah blah
 }
 
 [ENABLE]
 
 aobscanmodule(LUFFY,game.exe,00 01 14 85 * * * * 8B 84 BE 94 01 00 00 29 88 FC 02 00 00)
 alloc(newmem,$1000)
 
 label(code)
 label(return)
 
 newmem:
 
 code:
 cmp dword [eax+0BB8],50
 je return
 
 sub [eax+000002FC],61A8
 jmp return
 
 LUFFY+0F:
 jmp code
 nop
 return:
 registersymbol(LUFFY)
 
 [DISABLE]
 
 LUFFY+0F:
 db 29 88 FC 02 00 00
 
 unregistersymbol(LUFFY)
 dealloc(newmem)
 
 {
 // ORIGINAL CODE - INJECTION POINT: "game.exe"+2E95C
 
 "game.exe"+2E92B: 8B 84 BE 94 01 00 00  -  mov eax,[esi+edi*4+00000194]
 "game.exe"+2E932: 8B 80 44 03 00 00     -  mov eax,[eax+00000344]
 "game.exe"+2E938: 85 C0                 -  test eax,eax
 "game.exe"+2E93A: 7E 19                 -  jle lf2.exe+2E955
 "game.exe"+2E93C: 83 F8 03              -  cmp eax,03
 "game.exe"+2E93F: 7D 14                 -  jnl lf2.exe+2E955
 "game.exe"+2E941: 8B 84 BE 94 01 00 00  -  mov eax,[esi+edi*4+00000194]
 "game.exe"+2E948: 8B 80 44 03 00 00     -  mov eax,[eax+00000344]
 "game.exe"+2E94E: 01 14 85 60 1B 45 00  -  add [eax*4+lf2.exe+51B60],edx
 "game.exe"+2E955: 8B 84 BE 94 01 00 00  -  mov eax,[esi+edi*4+00000194]
 // ---------- INJECTING HERE ----------
 "game.exe"+2E95C: 29 88 FC 02 00 00     -  sub [eax+000002FC],ecx
 // ---------- DONE INJECTING  ----------
 "game.exe"+2E962: B8 55 55 55 55        -  mov eax,55555555
 "game.exe"+2E967: F7 E9                 -  imul ecx
 "game.exe"+2E969: 2B D1                 -  sub edx,ecx
 "game.exe"+2E96B: D1 FA                 -  sar edx,1
 "game.exe"+2E96D: 8B C2                 -  mov eax,edx
 "game.exe"+2E96F: C1 E8 1F              -  shr eax,1F
 "game.exe"+2E972: 03 C2                 -  add eax,edx
 "game.exe"+2E974: 8B D0                 -  mov edx,eax
 "game.exe"+2E976: 8B 84 BE 94 01 00 00  -  mov eax,[esi+edi*4+00000194]
 "game.exe"+2E97D: 01 90 00 03 00 00     -  add [eax+00000300],edx
 }
 
I ran the script again ... the results were the same. We were still able to one-hit kill each other rather than only one of us being able to do so.

I have no idea what the problem is. Can anyone help?
Thanks in advance!
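
Seen from the game's side, the hook this kind of script installs is exactly what a tamper check looks for: the six bytes at the injection point (29 88 FC 02 00 00, the sub [eax+000002FC],ecx in the disassembly above) are replaced by a five-byte jmp to the block the script allocated plus a nop, and that jump target lies outside every loaded module. The C program below is an added example, not code from the thread or from Cheat Engine. It compares the live bytes at the site against a known-good copy, decodes a rel32 jmp if one was written there, and reports whether the target is backed by a module. The image base of game.exe, its size, the address of the allocated block and the hooked byte sequence are constructed values for the demonstration; only the site offset and the original bytes come from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Known-good bytes at the injection point quoted in the thread:
 * "game.exe"+2E95C: 29 88 FC 02 00 00  sub [eax+000002FC],ecx */
#define SITE_RVA 0x2E95Cu
#define SITE_LEN 6u
static const uint8_t known_good[SITE_LEN] = {0x29, 0x88, 0xFC, 0x02, 0x00, 0x00};

/* Constructed sample of what the hook leaves behind: E9 + rel32 to an
 * allocated block assumed to sit at 0A7F0000, then 90 to cover the sixth
 * byte of the original instruction (rel32 = 0A7F0000 - (0042E95C + 5)). */
static const uint8_t hooked_site[SITE_LEN] = {0xE9, 0x9F, 0x16, 0x3C, 0x0A, 0x90};

/* Constructed memory map: the game module only. A block obtained with alloc()
 * lives in private memory, so it is deliberately absent from this list. */
typedef struct { uint32_t base; uint32_t size; const char *name; } region_t;
static const region_t modules[] = {
    { 0x00400000u, 0x00100000u, "game.exe" },   /* base and size are assumed */
};
#define NMODULES (sizeof modules / sizeof modules[0])

/* Index of the first live byte that differs from the known-good copy, or -1 if intact. */
int first_mismatch(const uint8_t *live, const uint8_t *good, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (live[i] != good[i]) return (int)i;
    return -1;
}

/* If the live bytes begin with a rel32 jmp (opcode E9), compute its absolute
 * target from the instruction's virtual address. Returns 1 on success, 0 otherwise. */
int decode_jmp_rel32(const uint8_t *live, uint32_t insn_va, uint32_t *target)
{
    if (live[0] != 0xE9) return 0;
    uint32_t rel = (uint32_t)live[1] | (uint32_t)live[2] << 8 |
                   (uint32_t)live[3] << 16 | (uint32_t)live[4] << 24;
    *target = insn_va + 5u + rel;   /* wraps modulo 2^32, as the CPU does */
    return 1;
}

/* Whether a virtual address falls inside any listed module. */
int in_any_module(uint32_t va, const region_t *mods, size_t nmods)
{
    for (size_t i = 0; i < nmods; i++)
        if (va >= mods[i].base && va - mods[i].base < mods[i].size) return 1;
    return 0;
}

/* Verdict for one site: 0 = intact, 1 = bytes changed but control stays inside
 * a module (e.g. a patched immediate), 2 = redirected into memory no module backs. */
int check_site(const uint8_t *live, uint32_t insn_va, const region_t *mods, size_t nmods)
{
    if (first_mismatch(live, known_good, SITE_LEN) < 0) return 0;
    uint32_t target;
    if (decode_jmp_rel32(live, insn_va, &target) && !in_any_module(target, mods, nmods))
        return 2;
    return 1;
}

int main(void)
{
    uint32_t site_va = modules[0].base + SITE_RVA;
    printf("intact site -> verdict %d\n", check_site(known_good, site_va, modules, NMODULES));
    printf("hooked site -> verdict %d\n", check_site(hooked_site, site_va, modules, NMODULES));
    return 0;
}
```

The check is deliberately split into three questions (did the bytes change, is there a jump, does it leave the module) because each one alone gives a different false-positive profile: a byte comparison flags legitimate hot patches, and a jump-target check alone misses the db-style patches the [DISABLE] sections in this thread write.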

++METHOS (I post too much)
Reputation: 92
Joined: 29 Oct 2010
Posts: 4197

Posted: Wed Feb 03, 2016 5:06 pm

The value has probably changed. That, or you weren't seeing it as a 4 byte value when you checked the structure.
 You can check your filter inside of memory viewer by following your jump and right-clicking to see what addresses it accesses (or, set a breakpoint).
 
 
Code:
code:
cmp dword [eax+0BB8],50
 je test
 jmp originalcode
 
 test:
 sub [eax+000002FC],ecx    //Check if filter is good here.
 jmp return
 
 originalcode:
 sub [eax+000002FC],ecx
 jmp return

JohannesJoestar (Advanced Cheater)
Reputation: 0
Joined: 01 Nov 2015
Posts: 79

Posted: Thu Feb 04, 2016 3:25 am

++METHOS wrote:
> The value has probably changed. That, or you weren't seeing it as a 4 byte value when you checked the structure.
> You can check your filter inside of memory viewer by following your jump and right-clicking to see what addresses it accesses (or, set a breakpoint).
>
> Code:
> code:
> cmp dword [eax+0BB8],50
> je test
> jmp originalcode
>
> test:
> sub [eax+000002FC],ecx    //Check if filter is good here.
> jmp return
>
> originalcode:
> sub [eax+000002FC],ecx
> jmp return
 
Hello, thank you so much for your reply! The value I was comparing was indeed not 4 bytes.

Now I have another problem though.

Since I wrote the script to skip the sub [eax+000002FC],ecx section, my health doesn't decrease. So it's like godmode + one-hit kill.

I only want one-hit kill, so what's the way around this?

Thanks!
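
The fix ++METHOS pointed at is an operand-size problem, and it cuts both ways. cmp dword [eax+0BB8],50 reads four bytes starting at +0BB8, so if the identifier is a single byte the comparison also takes in the three bytes behind it and only matches when those happen to be zero; conversely, cmp byte against a field that really is four bytes wide matches any value whose low byte is 50. The C program below is an added example, not from the thread: it models a player record as a byte buffer and applies both comparisons to both layouts. The record size, the one-byte width of the identifier and the bytes around it are constructed assumptions; only the +0BB8 offset and the value 50 (hexadecimal in Cheat Engine scripts, i.e. decimal 80) come from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ID_OFFSET   0x0BB8u   /* offset of the per-player identifier, from the thread */
#define RECORD_SIZE 0x0C00u   /* constructed; large enough to hold ID_OFFSET + 4 */
#define WANTED_ID   0x50u     /* "50" in the script is hexadecimal, i.e. decimal 80 */

/* Reads of the two operand sizes, assembled byte by byte in x86 little-endian
 * order so the result does not depend on the host's alignment or endianness. */
uint8_t load_u8(const uint8_t *rec, size_t off) { return rec[off]; }
uint32_t load_u32le(const uint8_t *rec, size_t off)
{
    return (uint32_t)rec[off] | (uint32_t)rec[off + 1] << 8 |
           (uint32_t)rec[off + 2] << 16 | (uint32_t)rec[off + 3] << 24;
}

/* Layout 1 (constructed): the identifier is one byte and another non-zero
 * field sits directly behind it, which is what a dword read picks up. */
uint8_t *make_record_byte_id(uint8_t id)
{
    uint8_t *rec = calloc(RECORD_SIZE, 1);
    if (!rec) exit(1);
    rec[ID_OFFSET] = id;
    rec[ID_OFFSET + 1] = 0x01;   /* neighbouring byte field, constructed */
    return rec;
}

/* Layout 2 (constructed): the identifier really is a 4-byte field. */
uint8_t *make_record_dword_id(uint32_t id)
{
    uint8_t *rec = calloc(RECORD_SIZE, 1);
    if (!rec) exit(1);
    for (int i = 0; i < 4; i++) rec[ID_OFFSET + i] = (uint8_t)(id >> (8 * i));
    return rec;
}

/* The two checks, phrased the way the scripts in the thread phrase them. */
int cmp_byte_matches(const uint8_t *rec, uint8_t want)   { return load_u8(rec, ID_OFFSET) == want; }
int cmp_dword_matches(const uint8_t *rec, uint32_t want) { return load_u32le(rec, ID_OFFSET) == want; }

int main(void)
{
    uint8_t *narrow = make_record_byte_id((uint8_t)WANTED_ID);     /* assumed 1-byte id */
    uint8_t *wide = make_record_dword_id(0x12345600u | WANTED_ID);  /* 4-byte id, low byte 50 */

    printf("byte id,  cmp byte : %d\n", cmp_byte_matches(narrow, WANTED_ID));               /* 1 */
    printf("byte id,  cmp dword: %d (dword read is %08X)\n",
           cmp_dword_matches(narrow, WANTED_ID), load_u32le(narrow, ID_OFFSET));            /* 0, 00000150 */
    printf("dword id, cmp dword: %d\n", cmp_dword_matches(wide, WANTED_ID));                /* 0 */
    printf("dword id, cmp byte : %d  (false positive)\n", cmp_byte_matches(wide, WANTED_ID)); /* 1 */
    free(narrow);
    free(wide);
    return 0;
}
```

The practical consequence for any such filter is that the operand size in the cmp has to match the width of the field as the game itself reads it; checking the value in the memory viewer as 1, 2 and 4 bytes, as suggested above, is what settles that.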

hhhuut (Grandmaster Cheater)
Reputation: 6
Joined: 08 Feb 2015
Posts: 607

Posted: Thu Feb 04, 2016 3:47 am

Taking your script from above:

Code:
{ Game   : game.exe Version:
 Date   : 2016-02-03
 Author : VINCENT
 
 This script does blah blah blah
 }
 
 [ENABLE]
 
 aobscanmodule(LUFFY,game.exe,00 01 14 85 * * * * 8B 84 BE 94 01 00 00 29 88 FC 02 00 00)
 alloc(newmem,$1000)
 
 label(code)
 label(return)
 
 newmem:
 cmp dword [eax+0BB8],50   //your comparison
 je code
 mov ecx,61A8
 
 code:
 sub [eax+000002FC],ecx   //Original instruction
 jmp return
 
 LUFFY+0F:
 jmp newmem
 nop
 
 return:
 registersymbol(LUFFY)
 
 [DISABLE]
 
 LUFFY+0F:
 db 29 88 FC 02 00 00
 
 unregistersymbol(LUFFY)
 dealloc(newmem)
 
 {
 // ORIGINAL CODE - INJECTION POINT: "game.exe"+2E95C
 
 "game.exe"+2E92B: 8B 84 BE 94 01 00 00  -  mov eax,[esi+edi*4+00000194]
 "game.exe"+2E932: 8B 80 44 03 00 00     -  mov eax,[eax+00000344]
 "game.exe"+2E938: 85 C0                 -  test eax,eax
 "game.exe"+2E93A: 7E 19                 -  jle lf2.exe+2E955
 "game.exe"+2E93C: 83 F8 03              -  cmp eax,03
 "game.exe"+2E93F: 7D 14                 -  jnl lf2.exe+2E955
 "game.exe"+2E941: 8B 84 BE 94 01 00 00  -  mov eax,[esi+edi*4+00000194]
 "game.exe"+2E948: 8B 80 44 03 00 00     -  mov eax,[eax+00000344]
 "game.exe"+2E94E: 01 14 85 60 1B 45 00  -  add [eax*4+lf2.exe+51B60],edx
 "game.exe"+2E955: 8B 84 BE 94 01 00 00  -  mov eax,[esi+edi*4+00000194]
 // ---------- INJECTING HERE ----------
 "game.exe"+2E95C: 29 88 FC 02 00 00     -  sub [eax+000002FC],ecx
 // ---------- DONE INJECTING  ----------
 "game.exe"+2E962: B8 55 55 55 55        -  mov eax,55555555
 "game.exe"+2E967: F7 E9                 -  imul ecx
 "game.exe"+2E969: 2B D1                 -  sub edx,ecx
 "game.exe"+2E96B: D1 FA                 -  sar edx,1
 "game.exe"+2E96D: 8B C2                 -  mov eax,edx
 "game.exe"+2E96F: C1 E8 1F              -  shr eax,1F
 "game.exe"+2E972: 03 C2                 -  add eax,edx
 "game.exe"+2E974: 8B D0                 -  mov edx,eax
 "game.exe"+2E976: 8B 84 BE 94 01 00 00  -  mov eax,[esi+edi*4+00000194]
 "game.exe"+2E97D: 01 90 00 03 00 00     -  add [eax+00000300],edx
 }

JohannesJoestar (Advanced Cheater)
Reputation: 0
Joined: 01 Nov 2015
Posts: 79

Posted: Thu Feb 04, 2016 4:39 am

hhhuut wrote:
> Taking your script from above:
>
> Code:
> { Game   : game.exe Version:
> Date   : 2016-02-03
> Author : VINCENT
>
> This script does blah blah blah
> }
>
> [ENABLE]
>
> aobscanmodule(LUFFY,game.exe,00 01 14 85 * * * * 8B 84 BE 94 01 00 00 29 88 FC 02 00 00)
> alloc(newmem,$1000)
>
> label(code)
> label(return)
>
> newmem:
> cmp dword [eax+0BB8],50   //your comparison
> je code
> mov ecx,61A8
>
> code:
> sub [eax+000002FC],ecx   //Original instruction
> jmp return
>
> LUFFY+0F:
> jmp newmem
> nop
>
> return:
> registersymbol(LUFFY)
>
> [DISABLE]
>
> LUFFY+0F:
> db 29 88 FC 02 00 00
>
> unregistersymbol(LUFFY)
> dealloc(newmem)
>
> {
> // ORIGINAL CODE - INJECTION POINT: "game.exe"+2E95C
>
> "game.exe"+2E92B: 8B 84 BE 94 01 00 00  -  mov eax,[esi+edi*4+00000194]
> "game.exe"+2E932: 8B 80 44 03 00 00     -  mov eax,[eax+00000344]
> "game.exe"+2E938: 85 C0                 -  test eax,eax
> "game.exe"+2E93A: 7E 19                 -  jle lf2.exe+2E955
> "game.exe"+2E93C: 83 F8 03              -  cmp eax,03
> "game.exe"+2E93F: 7D 14                 -  jnl lf2.exe+2E955
> "game.exe"+2E941: 8B 84 BE 94 01 00 00  -  mov eax,[esi+edi*4+00000194]
> "game.exe"+2E948: 8B 80 44 03 00 00     -  mov eax,[eax+00000344]
> "game.exe"+2E94E: 01 14 85 60 1B 45 00  -  add [eax*4+lf2.exe+51B60],edx
> "game.exe"+2E955: 8B 84 BE 94 01 00 00  -  mov eax,[esi+edi*4+00000194]
> // ---------- INJECTING HERE ----------
> "game.exe"+2E95C: 29 88 FC 02 00 00     -  sub [eax+000002FC],ecx
> // ---------- DONE INJECTING  ----------
> "game.exe"+2E962: B8 55 55 55 55        -  mov eax,55555555
> "game.exe"+2E967: F7 E9                 -  imul ecx
> "game.exe"+2E969: 2B D1                 -  sub edx,ecx
> "game.exe"+2E96B: D1 FA                 -  sar edx,1
> "game.exe"+2E96D: 8B C2                 -  mov eax,edx
> "game.exe"+2E96F: C1 E8 1F              -  shr eax,1F
> "game.exe"+2E972: 03 C2                 -  add eax,edx
> "game.exe"+2E974: 8B D0                 -  mov edx,eax
> "game.exe"+2E976: 8B 84 BE 94 01 00 00  -  mov eax,[esi+edi*4+00000194]
> "game.exe"+2E97D: 01 90 00 03 00 00     -  add [eax+00000300],edx
> }
 
Oh, I see. Thanks!

Now I have an even more annoying problem! ;D

So what I'm trying to do is have separate 1-hit-kill scripts for each player.

Let's play adventure mode with Player 1, Player 3 and now with Player 2 as well.

Adventure mode has 8 stages and each stage has 10 or so waves.
Each wave, a set of enemies is sent to fight our Players.
Well, here is the thing: enemies are players as well.

Enemies in this game are actually hidden "players" in this game.
Kinda like our players' evil versions. Though their HP is altered to fit the adventure gameplay style of the game, every other behavior of theirs is exactly like the players'. Which I believe is going to cause me lots of problems later on.

I activate Player 2's one-hit-kill script and it works.
But here is the problem: while enemies deal normal damage to Player 2 ... Player 1 and Player 3 get one-hit killed by them.

Any way around this? Thanks!

++METHOS (I post too much)
Reputation: 92
Joined: 29 Oct 2010
Posts: 4197

Posted: Thu Feb 04, 2016 8:46 am

Aleynacombi wrote:
> Any way around this ?

-Yes...improve your filter.

JohannesJoestar (Advanced Cheater)
Reputation: 0
Joined: 01 Nov 2015
Posts: 79

Posted: Thu Feb 04, 2016 9:47 am

++METHOS wrote:
> Aleynacombi wrote:
> > Any way around this ?
>
> -Yes...improve your filter.

What do you mean by "filter"?

++METHOS (I post too much)
Reputation: 92
Joined: 29 Oct 2010
Posts: 4197

Posted: Thu Feb 04, 2016 10:05 am

You have a conditional jump in your script based on a compare that you perform. Why do you have that? To filter out addresses. That compare checks the value of an address. Improve that check by comparing against a more reliable address/value, or, by expanding on it.
 Your filter is no good (or, not good enough) because you are not filtering out 'impostor enemies'. You need to find something better to compare against, or, expand on your filter so that enemies and impostor enemies are filtered out (or whatever you want).

JohannesJoestar (Advanced Cheater)
Reputation: 0
Joined: 01 Nov 2015
Posts: 79

Posted: Thu Feb 04, 2016 12:35 pm

++METHOS wrote:
> You have a conditional jump in your script based on a compare that you perform. Why do you have that? To filter out addresses. That compare checks the value of an address. Improve that check by comparing against a more reliable address/value, or, by expanding on it.
> Your filter is no good (or, not good enough) because you are not filtering out 'impostor enemies'. You need to find something better to compare against, or, expand on your filter so that enemies and impostor enemies are filtered out (or whatever you want).

Oh, English is not my main language, soo... now I understand though.

I'm currently working on that, but this game is basically like players vs players so I'm having a hard time. But I'm pretty sure I'll find something.

Thanks for the reply.

++METHOS (I post too much)
Reputation: 92
Joined: 29 Oct 2010
Posts: 4197

Posted: Thu Feb 04, 2016 4:26 pm

There are other things that you can try.
 You can use a pointer address for your filter, inside of your script, for the value that you are trying to manipulate.
You can use pointer trees inside of the data structure to find something viable. 
You can shift the data structure (+ or -) and/or expand its size to find something useful.
You can use the structure spider to find workable strings and/or for comparative analysis.
You can check the register values by attaching the debugger or setting a breakpoint to see if something can be used for your filter.
You can check to see if there are any instructions that are exclusive to the address/value that you are trying to manipulate and store the address for your filter by creating a second injection point.
You can check to see if there are any instructions that are exclusive to any other address/value inside of the data structure for the address/value that you are trying to manipulate and store the address for your filter by creating a second injection point.
You can analyze assembly code to see if an identifier is being checked or assigned somewhere.
Et al.

JohannesJoestar (Advanced Cheater)
Reputation: 0
Joined: 01 Nov 2015
Posts: 79

Posted: Fri Feb 05, 2016 3:43 am

++METHOS wrote:
> There are other things that you can try.
> You can use a pointer address for your filter, inside of your script, for the value that you are trying to manipulate.
> You can use pointer trees inside of the data structure to find something viable.
> You can shift the data structure (+ or -) and/or expand its size to find something useful.
> You can use the structure spider to find workable strings and/or for comparative analysis.
> You can check the register values by attaching the debugger or setting a breakpoint to see if something can be used for your filter.
> You can check to see if there are any instructions that are exclusive to the address/value that you are trying to manipulate and store the address for your filter by creating a second injection point.
> You can check to see if there are any instructions that are exclusive to any other address/value inside of the data structure for the address/value that you are trying to manipulate and store the address for your filter by creating a second injection point.
> You can analyze assembly code to see if an identifier is being checked or assigned somewhere.
> Et al.
 
Thanks! Will try them!

Also, in another game (Rogue Legacy) I'm making a godmode cheat which basically skips the code that writes my health value.

I have 2 scripts here and only the first one works. Can you check the second one? I don't know why that one doesn't work.

First one:

Code:
[ENABLE]
 aobscan(KUMA,89 96 18 01 00 00 8B 9E)
 alloc(newmem,$1000)
 
 label(code)
 label(return)
 
 newmem:
 
 code:
 cmp byte [esi],A8 //check if player
 je return
 mov [esi+00000118],edx //code that writes my health
 jmp return
 
 KUMA:
 jmp code
 nop
 return:
 registersymbol(KUMA)
 
 [DISABLE]
 
 KUMA:
 db 89 96 18 01 00 00
 
 unregistersymbol(KUMA)
 dealloc(newmem)
 
 {
 // ORIGINAL CODE - INJECTION POINT: 054D306F
 
 054D3052: 33 3F                 -  xor edi,[edi]
 054D3054: 00 00                 -  add [eax],al
 054D3056: 00 00                 -  add [eax],al
 054D3058: 14 BE                 -  adc al,-42
 054D305A: C0 04 00 00           -  rol byte ptr [eax+eax],00
 054D305E: 00 00                 -  add [eax],al
 054D3060: 30 BE C0 04 08 0D     -  xor [esi+0D0804C0],bh
 054D3066: 39 05 55 8B EC 56     -  cmp [56EC8B55],eax
 054D306C: 53                    -  push ebx
 054D306D: 8B F1                 -  mov esi,ecx
 // ---------- INJECTING HERE ----------
 054D306F: 89 96 18 01 00 00     -  mov [esi+00000118],edx
 // ---------- DONE INJECTING  ----------
 054D3075: 8B 9E 18 01 00 00     -  mov ebx,[esi+00000118]
 054D307B: 8B CE                 -  mov ecx,esi
 054D307D: 8B 01                 -  mov eax,[ecx]
 054D307F: 8B 40 64              -  mov eax,[eax+64]
 054D3082: FF 50 0C              -  call dword ptr [eax+0C]
 054D3085: 3B D8                 -  cmp ebx,eax
 054D3087: 7E 10                 -  jle 054D3099
 054D3089: 8B CE                 -  mov ecx,esi
 054D308B: 8B 01                 -  mov eax,[ecx]
 054D308D: 8B 40 64              -  mov eax,[eax+64]
 }

Second one:

Code:
[ENABLE]
 aobscan(KUMA,89 96 18 01 00 00 8B 9E)
 alloc(newmem,$1000)
 
 label(code)
 label(return)
 
 newmem:
 cmp byte [esi],A8
 je return
 jmp code
 
 code:
 mov [esi+00000118],edx
 jmp return
 
 KUMA:
 jmp code
 nop
 return:
 registersymbol(KUMA)
 
 [DISABLE]
 
 KUMA:
 db 89 96 18 01 00 00
 
 unregistersymbol(KUMA)
 dealloc(newmem)
 
 {
 // ORIGINAL CODE - INJECTION POINT: 054D306F
 
 054D3052: 33 3F                 -  xor edi,[edi]
 054D3054: 00 00                 -  add [eax],al
 054D3056: 00 00                 -  add [eax],al
 054D3058: 14 BE                 -  adc al,-42
 054D305A: C0 04 00 00           -  rol byte ptr [eax+eax],00
 054D305E: 00 00                 -  add [eax],al
 054D3060: 30 BE C0 04 08 0D     -  xor [esi+0D0804C0],bh
 054D3066: 39 05 55 8B EC 56     -  cmp [56EC8B55],eax
 054D306C: 53                    -  push ebx
 054D306D: 8B F1                 -  mov esi,ecx
 // ---------- INJECTING HERE ----------
 054D306F: 89 96 18 01 00 00     -  mov [esi+00000118],edx
 // ---------- DONE INJECTING  ----------
 054D3075: 8B 9E 18 01 00 00     -  mov ebx,[esi+00000118]
 054D307B: 8B CE                 -  mov ecx,esi
 054D307D: 8B 01                 -  mov eax,[ecx]
 054D307F: 8B 40 64              -  mov eax,[eax+64]
 054D3082: FF 50 0C              -  call dword ptr [eax+0C]
 054D3085: 3B D8                 -  cmp ebx,eax
 054D3087: 7E 10                 -  jle 054D3099
 054D3089: 8B CE                 -  mov ecx,esi
 054D308B: 8B 01                 -  mov eax,[ecx]
 054D308D: 8B 40 64              -  mov eax,[eax+64]
 }
 
 Thanks!

hhhuut (Grandmaster Cheater)
Reputation: 6
Joined: 08 Feb 2015
Posts: 607

Posted: Fri Feb 05, 2016 3:50 am

The problem goes with

Code:
KUMA:
jmp code
 nop
 return:

You're jumping directly to the "code" label although you want to execute the "newmem" block too. So just change your jump to newmem and you should be fine.

Code:
KUMA:
jmp newmem
nop
return:

By the way: the instruction at the end of the "newmem" block is unnecessary, since every code that follows will be executed automatically.

JohannesJoestar (Advanced Cheater)
Reputation: 0
Joined: 01 Nov 2015
Posts: 79

Posted: Fri Feb 05, 2016 5:17 am

hhhuut wrote:
> The problem goes with
>
> Code:
> KUMA:
> jmp code
> nop
> return:
>
> You're jumping directly to the "code"-label although you want to execute the "newmem" block too. So just change your jump to newmem and you should be fine
>
> Code:
> KUMA:
> jmp newmem
> nop
> return:
>
> By the way: The instruction at the end of the "newmem"-block is unnecessary, since every code that follows will be executed automatically.
 
Oh okay, I thought they were like "blocks" of code that I needed to jump to when I want to execute them. I didn't know they followed on when a jump isn't implemented.

Thanks to you guys I've finalized my script, which allows users to choose 1-hit, godmode or both.

Code:
[ENABLE]
 aobscan(KUMA,89 96 18 01 00 00 8B 9E)
 alloc(newmem,$1000)
 globalalloc(ohk,4)
 globalalloc(god,4)
 
 label(code)
 label(return)
 label(checkplayer1)
 label(checkplayer2)
 label(onehitcheck)
 label(onehit)
 
 newmem:
 cmp [god],1
 je checkplayer1
 jmp checkplayer2
 checkplayer1:
 cmp byte [esi],A8
 je return
 jmp onehitcheck
 checkplayer2:
 cmp byte [esi],A8
 je code
 onehitcheck:
 cmp dword [ohk],1
 je onehit
 jmp code
 onehit:
 mov [esi+00000118],0
 jmp return
 code:
 mov [esi+00000118],edx
 jmp return
 
 KUMA:
 jmp newmem
 nop
 return:
 registersymbol(KUMA)
 
 [DISABLE]
 
 KUMA:
 db 89 96 18 01 00 00
 
 unregistersymbol(KUMA)
 dealloc(newmem)
 
 {
 // ORIGINAL CODE - INJECTION POINT: 054D306F
 
 054D3052: 33 3F                 -  xor edi,[edi]
 054D3054: 00 00                 -  add [eax],al
 054D3056: 00 00                 -  add [eax],al
 054D3058: 14 BE                 -  adc al,-42
 054D305A: C0 04 00 00           -  rol byte ptr [eax+eax],00
 054D305E: 00 00                 -  add [eax],al
 054D3060: 30 BE C0 04 08 0D     -  xor [esi+0D0804C0],bh
 054D3066: 39 05 55 8B EC 56     -  cmp [56EC8B55],eax
 054D306C: 53                    -  push ebx
 054D306D: 8B F1                 -  mov esi,ecx
 // ---------- INJECTING HERE ----------
 054D306F: 89 96 18 01 00 00     -  mov [esi+00000118],edx
 // ---------- DONE INJECTING  ----------
 054D3075: 8B 9E 18 01 00 00     -  mov ebx,[esi+00000118]
 054D307B: 8B CE                 -  mov ecx,esi
 054D307D: 8B 01                 -  mov eax,[ecx]
 054D307F: 8B 40 64              -  mov eax,[eax+64]
 054D3082: FF 50 0C              -  call dword ptr [eax+0C]
 054D3085: 3B D8                 -  cmp ebx,eax
 054D3087: 7E 10                 -  jle 054D3099
 054D3089: 8B CE                 -  mov ecx,esi
 054D308B: 8B 01                 -  mov eax,[ecx]
 054D308D: 8B 40 64              -  mov eax,[eax+64]
 }

If you guys can improve my code and give a few tips that would be great, thanks!

++METHOS (I post too much)
Reputation: 92
Joined: 29 Oct 2010
Posts: 4197

Posted: Fri Feb 05, 2016 9:49 am

hhhuut wrote:
> You're jumping directly to the "code"-label although you want to execute the "newmem"

-Yeah, I don't know why DB changed that. I still catch myself missing that sometimes.

hhhuut (Grandmaster Cheater)
Reputation: 6
Joined: 08 Feb 2015
Posts: 607

Posted: Fri Feb 05, 2016 10:13 am

Yeah, me too ...