Kajih Cheater Reputation: 1
Joined: 08 Feb 2021 Posts: 32
Posted: Sat Feb 20, 2021 12:24 pm Post subject: How to ignore damage on only player?
Hi, I am trying to ignore damage to the player; however, the same operation is called to apply damage to the enemy, so I can't just NOP the operations.
The first thing I did was find a hook to the player object, which I did, and it works just fine in my PlayerHook script:
Code:
[ENABLE]
aobscanmodule(playerHook,48 8B 01 FF 90 50 03 00 00 48 8B 0F)
alloc(newmem,$1000,playerHook)
label(code)
label(return)
label(playerPtr)

newmem:
mov [playerPtr],rcx           // save the player object pointer (rcx = this) for other scripts
code:
mov rax,[rcx]                 // original instructions
call qword ptr [rax+00000350]
jmp return

playerPtr:
dq 0

playerHook:
jmp newmem
nop 4                         // original code is 9 bytes, jmp newmem is 5
return:
registersymbol(playerHook)
registersymbol(playerPtr)

[DISABLE]
playerHook:
db 48 8B 01 FF 90 50 03 00 00
unregistersymbol(playerHook)
unregistersymbol(playerPtr)   // added: the enable section registers this symbol too
dealloc(newmem)
I tested this and created a manual address in my cheat table to grab the player health, which works using [playerPtr]+EC.
Now I found where the damage is applied and what I need to change:
Code:
minss xmm0,xmm6
movaps xmm1,xmm0
movss [rbx+000001FC],xmm1
Here is my code for my UnlimitedHealth script:
Code:
[ENABLE]
aobscanmodule(damageHook,F3 0F 5D C6 0F 28 C8 F3 0F 11 8B) // should be unique
alloc(newmem,$1000,damageHook)
label(code)
label(return)

newmem:
mov rax,playerPtr             // address of the playerPtr symbol from PlayerHook
mov rax,[rax]                 // rax = stored player object pointer
cmp [rax],rbx                 // compares the first 8 bytes of the player object with rbx
je code                       // player: skip the minss
minss xmm0,xmm6
code:
movaps xmm1,xmm0              // original instruction
jmp return

damageHook:
jmp newmem
nop 2                         // original code is 7 bytes, jmp newmem is 5
return:
registersymbol(damageHook)

[DISABLE]
damageHook:
db F3 0F 5D C6 0F 28 C8
unregistersymbol(damageHook)
dealloc(newmem)
The main idea is: if the target is the player (playerPtr), then skip the subtract operation. This seemed to be working just fine, but then it stopped working all of a sudden and I can't figure out why. Yes, the playerPtr is still valid, as I can see the value change in my cheat table using [playerPtr]+EC. Any idea what I am missing here?
sbryzl Master Cheater Reputation: 6
Joined: 25 Jul 2016 Posts: 252
Posted: Sat Feb 20, 2021 2:26 pm
I could only guess. Perhaps the game is using a different player pointer even though the one you have still works. Perhaps there is another instruction accessing the value. It's something you have to debug. Find what accesses the address and trace it to see what's different.
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
Posted: Sat Feb 20, 2021 2:27 pm
Just a guess based on a quick glance, but it looks like you may be accidentally comparing the actual first 4 bytes of the object rather than the addresses of the objects. (In this case it'd probably be a vtable pointer for the object type which you and other objects probably share.)
May just need to be:
_________________
- Retired.
Kajih Cheater Reputation: 1
Joined: 08 Feb 2021 Posts: 32
Posted: Sat Feb 20, 2021 3:07 pm
Ok, so I went back to check what writes to my [playerPtr]+EC health value, and the only thing that writes to it when damage is applied is the instruction I listed. I went to that instruction again to see what addresses it accesses, and it is the exact same address as my [playerPtr]+EC address.
I also tried changing the compare to cmp rax,rbx, but that did not make any difference.
I know I am in the correct spot, because if I NOP it, I don't receive damage. So there is something wrong with the way I am comparing the base addresses.
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4289
Posted: Sat Feb 20, 2021 3:41 pm
atom0s is correct: you're accessing a pointer to the vtable with cmp [rax],rbx.
In the structure whose base address you're storing to playerPtr, you say the offset to the player's health is +EC. In the code writing to health, the offset appears to be +1FC. What's the deal with that?
Try accounting for it:
Code:
mov rax,[playerPtr] // this is fine- mov rax,moffs64 (opcode A1) exists
sub rax,110         // 1FC - EC
cmp rax,rbx
...
_________________
I don't know where I'm going, but I'll figure it out when I get there.
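To see why the three compares discussed in this thread behave differently, here is an added C model; it is not code from the thread or from the game, and the Actor/Stats layout, the shared vtable value and the function names are constructed assumptions chosen only to reproduce the +EC, +1FC and 110 offsets the replies mention.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout reproducing the thread's offsets (an assumption, not the game's real types):
 * the damage code's rbx points at an Actor whose health is at +0x1FC, while the player hook stored
 * a pointer to the embedded Stats component at Actor+0x110, whose health is at +0xEC. */
typedef struct { void *vtable; uint8_t pad[0xEC - sizeof(void *)]; float health; } Stats;
typedef struct { void *vtable; uint8_t pad[0x110 - sizeof(void *)]; Stats stats; } Actor;
_Static_assert(offsetof(Stats, health) == 0xEC, "health must be at Stats+0xEC");
_Static_assert(offsetof(Actor, stats) + offsetof(Stats, health) == 0x1FC, "health must be at Actor+0x1FC");

static int shared_class_vtable;   /* stands in for the vtable all Stats objects of this type share */

/* Original script: "cmp [rax],rbx" compares the first 8 bytes stored AT the player object (its
 * vtable pointer) with the address in rbx, so it never matches any real object address. */
int is_player_buggy(const Stats *player_ptr, const Actor *rbx) {
    uintptr_t first_qword;
    memcpy(&first_qword, player_ptr, sizeof first_qword);
    return first_qword == (uintptr_t)rbx;
}

/* Second attempt ("cmp rax,rbx"): addresses are compared, but rbx is the enclosing Actor and
 * playerPtr the Stats component 0x110 bytes inside it, so they still never match. */
int is_player_unadjusted(const Stats *player_ptr, const Actor *rbx) {
    return (const void *)player_ptr == (const void *)rbx;
}

/* ParkourPenguin's fix: rebase playerPtr to the enclosing Actor ("sub rax,110"), then compare. */
int is_player_fixed(const Stats *player_ptr, const Actor *rbx) {
    const uint8_t *owner = (const uint8_t *)player_ptr - offsetof(Actor, stats);
    return owner == (const uint8_t *)rbx;
}

/* Models the hooked damage path: the hook skips "minss xmm0,xmm6" when the target is the player,
 * then the original "movaps xmm1,xmm0 ; movss [rbx+1FC],xmm1" stores xmm0 as the new health. */
float run_damage(Actor *rbx, float xmm0, float xmm6, const Stats *player_ptr,
                 int (*is_player)(const Stats *, const Actor *)) {
    if (!is_player(player_ptr, rbx))
        xmm0 = xmm0 < xmm6 ? xmm0 : xmm6;   /* minss xmm0,xmm6 */
    rbx->stats.health = xmm0;
    return rbx->stats.health;
}

/* Constructed actor with both vtable slots filled, the way a real object's would be. */
void init_actor(Actor *a, float health) {
    memset(a, 0, sizeof *a);
    a->vtable = a->stats.vtable = &shared_class_vtable;
    a->stats.health = health;
}
```

With a player and an enemy built by init_actor, only is_player_fixed tells them apart, so the minss is skipped for the player and still applied to the enemy.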
Kajih Cheater Reputation: 1
Joined: 08 Feb 2021 Posts: 32
Posted: Sat Feb 20, 2021 4:07 pm
Yuuuup... I was in the process of checking rbx's address when I was getting hit, and of course it didn't match. The final piece I was missing, though, was the difference between the 1FC and EC offsets.
I didn't take into account that rbx had a different offset. Ugh, I need more practice! lol
Thanks guys, the changes seem to have worked. I will test further to make sure.