Cheat Engine The Official Site of Cheat Engine
QuarryTen Newbie cheater Reputation: 0
Joined: 25 Aug 2019 Posts: 19
Posted: Sun Jul 26, 2020 8:04 pm Post subject: Double Value Scripting

Okay, so, here's the original code:
Code:
{
// ORIGINAL CODE - INJECTION POINT: "SGWContracts.exe"+1C6E10D
"SGWContracts.exe"+1C6E0DF: 4C 39 74 24 38 - cmp [rsp+38],r14
"SGWContracts.exe"+1C6E0E4: 74 50 - je SGWContracts.exe+1C6E136
"SGWContracts.exe"+1C6E0E6: F2 0F 11 44 24 38 - movsd [rsp+38],xmm0
"SGWContracts.exe"+1C6E0EC: 4C 39 64 24 38 - cmp [rsp+38],r12
"SGWContracts.exe"+1C6E0F1: 74 43 - je SGWContracts.exe+1C6E136
"SGWContracts.exe"+1C6E0F3: 66 41 0F 2E C5 - ucomisd xmm0,xmm13
"SGWContracts.exe"+1C6E0F8: F2 44 0F 10 74 24 50 - movsd xmm14,[rsp+50]
"SGWContracts.exe"+1C6E0FF: 74 3C - je SGWContracts.exe+1C6E13D
"SGWContracts.exe"+1C6E101: 66 45 0F 2E F1 - ucomisd xmm14,xmm9
"SGWContracts.exe"+1C6E106: 48 8B 8F D8 00 00 00 - mov rcx,[rdi+000000D8]
// ---------- INJECTING HERE ----------
"SGWContracts.exe"+1C6E10D: 48 8B 46 18 - mov rax,[rsi+18]
"SGWContracts.exe"+1C6E111: 48 89 41 08 - mov [rcx+08],rax
// ---------- DONE INJECTING ----------
"SGWContracts.exe"+1C6E115: 74 07 - je SGWContracts.exe+1C6E11E
"SGWContracts.exe"+1C6E117: 66 41 0F 2F C2 - comisd xmm0,xmm10
"SGWContracts.exe"+1C6E11C: 76 08 - jna SGWContracts.exe+1C6E126
"SGWContracts.exe"+1C6E11E: 41 0F 28 C1 - movaps xmm0,xmm9
"SGWContracts.exe"+1C6E122: 45 0F 28 F3 - movaps xmm14,xmm11
"SGWContracts.exe"+1C6E126: 44 0F 28 E8 - movaps xmm13,xmm0
"SGWContracts.exe"+1C6E12A: EB 11 - jmp SGWContracts.exe+1C6E13D
"SGWContracts.exe"+1C6E12C: 49 BE 00 00 00 00 00 00 F0 FF - mov r14,FFF0000000000000
"SGWContracts.exe"+1C6E136: F2 44 0F 10 74 24 50 - movsd xmm14,[rsp+50]
"SGWContracts.exe"+1C6E13D: 0F B6 86 E0 00 00 00 - movzx eax,byte ptr [rsi+000000E0]
}

And here's everything that I've tried doing:
Code:
aobscanmodule(health,SGWContracts.exe,48 8B 46 18 48 89 41 08) // should be unique
alloc(newmem,$1000,"SGWContracts.exe"+1C6E10D)
alloc(maxhlt,16)
label(code)
label(return _hlt)
registersymbol(_hlt)
newmem:
//pushf
mov rax,[rsi+18]
cmp [rcx+C00],0
jne code
cmp [rcx+C30],0
jne code
cmp [rcx+C34],0
jne code
mov [_hlt],rcx
//movsd xmm4,[maxhlt]
//movsd [rax],xmm4
//movsd [rcx+08],xmm7
//xorps xmm4,xmm4
fld qword ptr [maxhlt]
fstp qword ptr [_hlt+08]
//popf
// mov [rcx+08],rax
code:
//popf
mov [rcx+08],rax
jmp return
_hlt:
dq 0
maxhlt:
dq (double)100
health:
jmp newmem
nop 3
return:
registersymbol(health)
unregistersymbol(_hlt)
[DISABLE]
health:
db 48 8B 46 18 48 89 41 08
unregistersymbol(health)
dealloc(newmem maxhlt)

As you can probably guess, the game is Sniper Ghost Warrior, an aggravating 64-bit game that is making me pull my hair out.
My goal is to create an infinite health script. The health value as well as every value that I'm aware of uses double ints. I know there are tables already out there but I want to create the scripts myself (of course, with a bit of guidance).
So, please, PLEASE, tell me why everything I searched for and tried doesn't seem to work.
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4297
Posted: Sun Jul 26, 2020 9:49 pm Post subject:

I'm assuming rcx+8 is the address of your health.
"alloc(maxhlt,16)" should use a third parameter with the same argument as the newmem alloc. Maybe CE does the right thing, but you shouldn't rely on that in general.
"label(return _hlt)" - no clue if this is valid syntax, but it's wrong. Use two separate label(...) declarations.
_hlt and maxhlt are inconsistent: one is a label and the other is its own alloc. Both approaches are valid, but pick one and be consistent.
Change those three "jne code" instructions to be "jne short code" (very minor optimization)
What's at rcx+C00 / +C30 / +C34? xmm7? Why zero xmm4?
"movsd [rax],xmm4" doesn't make sense. rax is a value, not an address. Use "movq rax,xmm4" instead.
Or even simpler "mov rax,[maxhlt]" - no need to use xmm4 as an intermediary.
"fstp qword ptr [_hlt+08]" writes to empty space in newmem just after _hlt. Use rcx instead of _hlt in the square brackets.
The original code "mov [rcx+08],rax" is run unconditionally after your code. It'll always overwrite whatever changes you make to the value at the health address. Unless you modify rax itself (see above), it won't work.
_hlt should be aligned (not terribly important in this case):
Code:
...
jmp return
align 8 CC
_hlt:
dq 0
...
As long as allocs are defined in descending powers of 2 sizes, they'll always be aligned (i.e. the maxhlt alloc is aligned).
"unregistersymbol(_hlt)" is in the enable section. Move it somewhere under [DISABLE].
"dealloc(newmem maxhlt)" - again, no clue if this is valid syntax, but make this 2 deallocs anyway.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
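The script below is an added worked example, not code from either poster: it is the first post's script after applying each point in the reply above. It assumes, as the reply does, that rcx+08 holds the health double at this instruction, and it leaves out the rcx+C00 / +C30 / +C34 checks because the thread never says what those fields are. Everything else (the AOB, the injection address, the symbol names health, _hlt and maxhlt) comes from the original script.

```asm
[ENABLE]
aobscanmodule(health,SGWContracts.exe,48 8B 46 18 48 89 41 08) // should be unique
alloc(newmem,$1000,health) // same near-address hint as the AOB so RIP-relative refs fit
label(return)
label(_hlt)
label(maxhlt)
registersymbol(health)
registersymbol(_hlt)   // object pointer, for inspecting rcx+08 in the table
registersymbol(maxhlt) // the value the game is forced to store; editable from the table

newmem:
  mov rax,[rsi+18]   // original instruction 1: load the incoming health value
  mov [_hlt],rcx     // remember which object this write targets (assumption: rcx+08 is health)
  mov rax,[maxhlt]   // replace the incoming value in rax itself, no xmm detour needed
  mov [rcx+08],rax   // original instruction 2: the store now writes maxhlt instead
  jmp return

align 8 CC           // keep the qwords below 8-byte aligned
_hlt:
  dq 0
maxhlt:
  dq (double)100     // IEEE-754 double, since the game stores health as a double

health:
  jmp newmem
  nop 3
return:

[DISABLE]
health:
  db 48 8B 46 18 48 89 41 08
unregistersymbol(health)
unregistersymbol(_hlt)
unregistersymbol(maxhlt)
dealloc(newmem)
```

Because rax is overwritten before the original store, the unconditional mov [rcx+08],rax now works for the script rather than against it. The caveat is that nothing here filters on which object rcx points to, so if enemies take damage through the same instruction they get the same 100.0; add the value at _hlt to the table as a pointer while playing and compare it against the player's health address before adding any filter.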
QuarryTen Newbie cheater Reputation: 0
Joined: 25 Aug 2019 Posts: 19
Posted: Mon Jul 27, 2020 12:42 am Post subject:

Thanks, Penguin. You are correct about that particular opcode being my code of interest.
I'll admit, I was adding and removing a bunch of stuff that didn't work. Some of it I left there because my morale was shrinking and I was not even concerned about cleaning it up. I'm a noob who barely skated by the tutorial, thanks to YouTube. That's also another reason why a lot of it doesn't make sense haha.
Regarding the registersymbol and label having multiple params as well as unregistersymbol being in the enabled section, I got all of these practices from a YouTuber who stated that with CE's 7.1 update, doing all of these things is fine.
When I get a chance, I'll tackle it again and report back with my findings if all goes wrong. Thanks.