Cheat Engine: The Official Site of Cheat Engine (forum thread)
Brookthesoul (How do I cheat?; Reputation: 0; Joined: 03 Sep 2019; Posts: 8)
Posted: Mon Apr 22, 2024 10:53 am    Post subject: comparing in auto assemble script
Hello, I need some help with comparing in assembler code so that I can ask Cheat Engine to look up the address every time I restart the game.
I've got a shared address that points to my 5 different tools, and I've got the offset [rsi+318], which holds 0,1,2,4,5,6 as the different value for each tool in the dissect data/structure.

My question is: how can I compare each and every tool in 1 AOB injection script?

I tried this but it only does the 1st compare, that is:
cmp [rsi+318],0

It didn't compare the other code after the 1st compare.
Can anyone help me on how to write the code correctly?
 
 
 
 
Code:
```
[ENABLE]

aobscanmodule(tools_dura,ArkAscended.exe,F3 0F 10 86 F4 06 00 00) // should be unique
alloc(newmem,$1000,tools_dura)

label(code)
label(return)
alloc(axe1,4)
alloc(pick1,4)
alloc(sword1,4)
alloc(bow1,4)
alloc(rifle1,4)
alloc(club1,4)
registersymbol(axe1)
registersymbol(pick1)
registersymbol(sword1)
registersymbol(bow1)
registersymbol(rifle1)
registersymbol(club1)

newmem:
cmp [rsi+318],0
jne code
push rbx
lea rbx,[rsi+000006F4]
mov [axe1],rbx
pop rbx

cmp [rsi+318],1
jne code
push rbx
lea rbx,[rsi+000006F4]
mov [pick1],rbx
pop rbx

cmp [rsi+318],2
jne code
push rbx
lea rbx,[rsi+000006F4]
mov [sword1],rbx
pop rbx

cmp [rsi+318],4
jne code
push rbx
lea rbx,[rsi+000006F4]
mov [bow1],rbx
pop rbx

cmp [rsi+318],5
jne code
push rbx
lea rbx,[rsi+000006F4]
mov [rifle1],rbx
pop rbx

cmp [rsi+318],6
jne code
push rbx
lea rbx,[rsi+000006F4]
mov [club1],rbx
pop rbx


code:
movss xmm0,[rsi+000006F4]
jmp return

dealloc(axe1)
dealloc(pick1)
dealloc(sword1)
dealloc(bow1)
dealloc(rifle1)
dealloc(club1)

tools_dura:
jmp newmem
nop 3
return:
registersymbol(tools_dura)

[DISABLE]

tools_dura:
db F3 0F 10 86 F4 06 00 00

unregistersymbol(tools_dura)
unregistersymbol(axe1)
unregistersymbol(pick1)
unregistersymbol(sword1)
unregistersymbol(bow1)
unregistersymbol(rifle1)
unregistersymbol(club1)
dealloc(newmem)
```
ParkourPenguin (I post too much; Reputation: 152; Joined: 06 Jul 2014; Posts: 4706)
Posted: Mon Apr 22, 2024 2:08 pm
				| `rsi` is an 8-byte register. Make all of those allocs 8 bytes instead of 4. All those `dealloc`s are in the [ENABLE] section. Move them under the line that says `dealloc(newmem)`.
 
 Instead of all those `jne code` instructions, make a new label for all but the first `cmp` instructions and `jne` to the next one. If it's not 0, then check if it's 1; if it's not 1, check if it's 2; etc. The last check can remain as `jne code` since there's nothing left to check.
 
 That's a lot of superfluous `push` / `pop` instructions. Just push the registers you use once at the beginning, and pop them at the end.
You don't have to `lea` to the actual address either; you can just copy rsi. The memory record in the address list should be a pointer, base address is the registered symbol, and the only offset would be the offset used by the game, i.e. 6F4. This way, if there's some other value in the same struct that you want, you can just reuse the same symbol and put in a different offset.
 Keep the comment at the bottom showing the code around the injection point. It's important if the game ever updates and the aobscan starts to fail.
 
 You could make an array of pointers instead and copy them into that array:
 
Code:
```
[ENABLE]
aobscanmodule(tools_dura,ArkAscended.exe,F3 0F 10 86 F4 06 00 00)
alloc(newmem,$1000,tools_dura)
alloc(pointers,64)

label(code)
label(return)
label(axe1)
label(pick1)
label(sword1)
label(unknown1)
label(bow1)
label(rifle1)
label(club1)
registersymbol(axe1)
registersymbol(pick1)
registersymbol(sword1)
registersymbol(bow1)
registersymbol(rifle1)
registersymbol(club1)

pointers:  // [rsi+318]
axe1:      // 0
dq 0
pick1:     // 1
dq 0
sword1:    // 2
dq 0
unknown1:  // 3
dq 0
bow1:      // 4
dq 0
rifle1:    // 5
dq 0
club1:     // 6
dq 0


newmem:
push rcx
mov ecx,[rsi+318]
cmp ecx,6
ja code

push rdx
lea rdx,[pointers]
mov [rdx+rcx*8],rsi
pop rdx

code:
pop rcx

movss xmm0,[rsi+000006F4]
jmp return

tools_dura:
jmp newmem
nop 3
return:

registersymbol(tools_dura)

[DISABLE]
tools_dura:
db F3 0F 10 86 F4 06 00 00

unregistersymbol(*)
dealloc(*)
```
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Brookthesoul (How do I cheat?; Reputation: 0; Joined: 03 Sep 2019; Posts: 8)
Posted: Wed Apr 24, 2024 10:59 am
Thank you for the help. I will try it soon.
I tried to understand the script that you posted, but there are some lines that I don't understand. If available, can you please explain the functions? Or if you have any video recommendations for me to understand this, I'll be grateful.

The 1st one is this line:
 
 
Code:
```
push rcx
mov ecx,[rsi+318]
cmp ecx,6
ja code
```
 
The "ja" is "jump if above", right? It means that if ecx is above 6 then it will jump to "code". Is my understanding correct?
 
 
The 2nd one is this line:
 
 
 
I looked up the opcodes in the memory view of the instructions above and below the one that I used to make the auto assembler script, and there is a line of instruction that uses rdx (I think a few instructions above the one that I used), so my question is: can I really use rdx in my code?

I saw some videos on YouTube that say you cannot use a register that is shown in a few instructions above or below the code that you want to use to make the auto assembler code. I don't know about it, so I followed the instructions and I found that "rbx" is used far above the code that I want to use.

Please correct me if I'm wrong.
 
 
And the last one is this:
 
 
Code:
```
mov [rdx+rcx*8],rsi
```
 
I don't understand why you need to write it like this. (Anyway, I only recently discovered how to calculate those complex-looking registers, so my understanding of the assembly is not that good, sorry.)
 
 
I really hope that you can help me with this. Sorry, English is not my main language, so if you don't understand any words from me I will try my best to rephrase it to your understanding. Thanks again.

ParkourPenguin (I post too much; Reputation: 152; Joined: 06 Jul 2014; Posts: 4706)
Posted: Wed Apr 24, 2024 2:19 pm
Brookthesoul wrote:
> The "ja" is "jump if above", right? It means that if ecx is above 6 then it will jump to "code". Is my understanding correct?

Yes. More specifically, when used after a `cmp` instruction, it's an unsigned comparison. If ecx was something like -1 (0xFFFFFFFF), a `jg` instruction (jump if greater: signed comparison) would cause the next code to write to invalid memory.

Brookthesoul wrote:
> I looked up the opcodes in the memory view of the instructions above and below the one that I used to make the auto assembler script, and there is a line of instruction that uses rdx (I think a few instructions above the one that I used), so my question is: can I really use rdx in my code?

`push rdx` saves the value of rdx to the stack. `pop rdx` restores that saved value. This is safe: the value that rdx had before the code injection is the same value it has after the code injection. rdx remains unchanged.

Brookthesoul wrote:
> Code:
> mov [rdx+rcx*8],rsi
> I don't understand why you need to write it like this.

This is complicated.
 
 Basically, instructions that directly access an address are weird in 64-bit code. They don't work all the time.
 
Code:
```
// this works when the address `myaddress` is close to the address of this instruction (within +-2GiB)
// this also works when the address `myaddress` is less than 0x100000000
mov [myaddress],rsi

// this always works
mov rdx,myaddress
mov [rdx],rsi

// this only works when the address `myaddress` is less than 0x100000000
mov [myaddress+rcx*8],rsi

// this always works
mov rdx,myaddress
mov [rdx+rcx*8],rsi
```
_________________
I don't know where I'm going, but I'll figure it out when I get there.
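The two points in the replies above (a table with one 8-byte slot per tool type, indexed by the value at [rsi+318] after an unsigned `cmp ecx,6` / `ja` range check, and a memory record that dereferences the stored pointer at offset 6F4) modelled in C. This is an added example, not code from the thread or from Cheat Engine; the struct layout, `sample_tool` buffer and all values are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the game's tool struct (hypothetical layout):
 * the tool type lives at +0x318 and the durability float at +0x6F4, the
 * two offsets used in the thread. Nothing here is real game data. */
#define TYPE_OFFSET 0x318
#define DURA_OFFSET 0x6F4
#define OBJ_SIZE    0x700
#define NSLOTS      7           /* types 0..6, slot 3 is `unknown1` */

/* Plays the role of the `pointers` block: one 8-byte slot per tool type. */
static const uint8_t *pointers[NSLOTS];
static uint8_t sample_tool[OBJ_SIZE];   /* constructed object buffer */

/* Build a fake tool object with the given type and durability. */
uint8_t *make_tool(uint8_t *obj, uint32_t kind, float durability) {
    memset(obj, 0, OBJ_SIZE);
    memcpy(obj + TYPE_OFFSET, &kind, sizeof kind);
    memcpy(obj + DURA_OFFSET, &durability, sizeof durability);
    return obj;
}

/* Unsigned range check, i.e. `cmp ecx,6` / `ja code`. 1 = in range. */
int unsigned_check_accepts(uint32_t kind) { return kind <= 6u; }
/* Signed range check, i.e. `cmp ecx,6` / `jg code`: 0xFFFFFFFF (-1) slips through. */
int signed_check_accepts(uint32_t kind) { return (int32_t)kind <= 6; }

/* Mirrors the injected code: read the type, range-check it unsigned, then
 * store the object pointer in slot `kind` (`mov [rdx+rcx*8],rsi`).
 * Returns 1 if stored, 0 if the type was out of range (the `ja code` path). */
int record_tool(const uint8_t *obj) {
    uint32_t kind;
    memcpy(&kind, obj + TYPE_OFFSET, sizeof kind);
    if (!unsigned_check_accepts(kind)) return 0;
    pointers[kind] = obj;
    return 1;
}

/* What a memory record "pointer: base = symbol, offset = 6F4" resolves to. */
const uint8_t *lookup_tool(uint32_t kind) { return kind < NSLOTS ? pointers[kind] : NULL; }
float tool_durability(const uint8_t *obj) {
    float d; memcpy(&d, obj + DURA_OFFSET, sizeof d); return d;
}

int main(void) {
    make_tool(sample_tool, 4, 53.0f); record_tool(sample_tool);   /* a bow, 53 durability */
    printf("slot 4 durability: %.0f\n", tool_durability(lookup_tool(4)));
    return 0;
}
```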
Brookthesoul (How do I cheat?; Reputation: 0; Joined: 03 Sep 2019; Posts: 8)
Posted: Thu Apr 25, 2024 1:03 pm
I tried the script that you wrote, but the pointer that every label shows was the same value, and the value is not matching at all; for example the axe durability shows 53/55 but all the pointers show 1.307596921E13.
Here is the code that I copied from you and completed with the pointer numbers and the unregistersymbol lines.
 
 
Code:
```
[ENABLE]

aobscanmodule(tools_dura,ArkAscended.exe,F3 0F 10 86 F4 06 00 00) // should be unique
alloc(newmem,$1000,tools_dura)
alloc(pointer,64)

label(code)
label(return)
label(axe1)
label(pick1)
label(sword1)
label(unknown1)
label(bow1)
label(rifle1)
label(club1)
registersymbol(axe1)
registersymbol(pick1)
registersymbol(sword1)
registersymbol(bow1)
registersymbol(rifle1)
registersymbol(club1)

pointer:  // [rsi+318]
axe1:      // 0
dd 0
pick1:     // 1
dd 1
sword1:    // 2
dd 2
unknown1:  // 3
dd 3
bow1:      // 4
dd 4
rifle1:    // 5
dd 5
club1:     // 6
dd 6


newmem:
push rcx
mov ecx,[rsi+318]
cmp ecx,6
ja code

push rdx
lea rdx,[pointer]
mov [rdx+rcx*8],rsi
pop rdx

code:
pop rcx

movss xmm0,[rsi+000006F4]
jmp return



tools_dura:
jmp newmem
nop 3
return:
registersymbol(tools_dura)

[DISABLE]

tools_dura:
db F3 0F 10 86 F4 06 00 00

unregistersymbol(tools_dura)
unregistersymbol(axe1)
unregistersymbol(pick1)
unregistersymbol(sword1)
unregistersymbol(bow1)
unregistersymbol(rifle1)
unregistersymbol(club1)
dealloc(newmem)
dealloc(pointer)
```
 
Is there anything that I missed or got wrong?

ParkourPenguin (I post too much; Reputation: 152; Joined: 06 Jul 2014; Posts: 4706)
Posted: Thu Apr 25, 2024 1:10 pm
What do the memory records look like? They should be like this:

ParkourPenguin wrote:
> The memory record in the address list should be a pointer, base address is the registered symbol, and the only offset would be the offset used by the game, i.e. 6F4.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Brookthesoul (How do I cheat?; Reputation: 0; Joined: 03 Sep 2019; Posts: 8)
Posted: Fri Apr 26, 2024 5:43 pm
I apologize if I don't understand what you mean.

Quote:
> What do the memory records look like?

Are you referring to the addresses that pop up in the debugger like this?
 
 
Code:
```
7FF7F4FCAED9 - 0F2F 83 F4060000  - comiss xmm0,[rbx+000006F4]
7FF7F4FD9F12 - F3 0F10 87 F4060000  - movss xmm0,[rdi+000006F4]
7FF7F4FCE417 - 0F2F 86 F4060000  - comiss xmm0,[rsi+000006F4]
```

By "registered symbol" do you mean the "rsi", and "only the offset used by the game" refers to the offset, in this case 000006F4, right?
ParkourPenguin (I post too much; Reputation: 152; Joined: 06 Jul 2014; Posts: 4706)
Posted: Fri Apr 26, 2024 6:44 pm

The bottom half of the main window is the "address list". Inside the address list are "memory records": lines with "Description", "Address", "Type", and "Value".
 Double click on the address of a memory record. This shows the "Change address" window.
 You can also click "Add Address Manually" on the right.
 
 Check the "Pointer" checkbox.
 The bottom field (the base address) should be the registered symbol- e.g. axe1, pick1, sword1...
 The field above that (the offset) should be 6F4.
_________________
I don't know where I'm going, but I'll figure it out when I get there.

Brookthesoul (How do I cheat?; Reputation: 0; Joined: 03 Sep 2019; Posts: 8)
Posted: Fri Apr 26, 2024 7:36 pm
Oh, you mean my cheat table, right? Argh!! I'm so slow, sorry for that. Yeah!! Finally, thanks a lot. It did work after I added the offset above the registered symbols.

I will try to apply the script to auto-find my character stats as well.

Once again, I appreciate your help and time.