Cheat Engine The Official Site of Cheat Engine
embas10 (How do I cheat?, Reputation: 0, Joined: 26 Nov 2024, Posts: 4)
Posted: Thu Nov 28, 2024 12:16 pm    Post subject: Crashing using compare command ASM (cmp [rbp+rcx])
So recently I'm trying to split between team 1 & team 2 for a damage multiplier using scan commonalities. I ended up only getting 2 registers, RSP and Base Address (probably because of using an emulator). Scanning the RSP got nothing, so I used the Base Address instead. According to the instruction that I'm debugging, I believe the Base Address must be [rbp+rcx], and after scanning I found the differences between them.
I separate them with a cmp command, and here is how it looks:
Code:
```asm
[ENABLE]
aobScanRegion(INJECT_Damage, 7FF000000000, 7FFFFFFFFFFFFFFF, 29 FE 48 63 F6 89 D9 83 C1 20 89 74 0D 00 90 48 89 35)
alloc(newmem,$1000,INJECT_Damage)
label(code)
label(return)
label(team2)
alloc(Team1DamageMultiplier,10,INJECT_Damage)
Team1DamageMultiplier:
dd (float)1
alloc(Team2DamageMultiplier,10,INJECT_Damage)
Team2DamageMultiplier:
dd (float)1
newmem:
cmp [rbp+rcx+4AC],1
jne team2
cvtsi2ss xmm7,edi
mulss xmm7,[Team1DamageMultiplier]
cvttss2si edi,xmm7
jmp code
team2:
cvtsi2ss xmm7,edi
mulss xmm7,[Team2DamageMultiplier]
cvttss2si edi,xmm7
code:
sub esi,edi
movsxd rsi,esi
jmp return
INJECT_Damage:
jmp newmem
return:
registersymbol(Team1DamageMultiplier)
registersymbol(Team2DamageMultiplier)
registersymbol(INJECT_Damage)
[DISABLE]
INJECT_Damage:
db 29 FE 48 63 F6 89 D9 83 C1 20 89 74 0D 00 90 48 89 35
unregistersymbol(*)
dealloc(*)
```
And it crashed the game just when anyone was about to hit someone. I couldn't think of any solution, so I ended up adding dword ptr and qword ptr on the cmp command, but it didn't work.
And here is how the memory viewer looks around the subtraction and the writing of the health value.
Code:
```asm
7FF659BC97E6 - 48 98 - cdqe
7FF659BC97E8 - 48 89 05 31A6E6BB - mov [pcsx2-qt.exe+2C83E20],rax
7FF659BC97EF - 48 63 D2 - movsxd rdx,edx
7FF659BC97F2 - 48 89 15 17A6E6BB - mov [pcsx2-qt.exe+2C83E10],rdx
7FF659BC97F9 - 29 FE - sub esi,edi //Script start and replace here
7FF659BC97FB - 48 63 F6 - movsxd rsi,esi //And replace here
7FF659BC97FE - 89 D9 - mov ecx,ebx
7FF659BC9800 - 83 C1 20 - add ecx,20
7FF659BC9803 - 89 74 0D 00 - mov [rbp+rcx+00],esi //Instruction to write the health value
7FF659BC9807 - 90 - nop
7FF659BC9808 - 48 89 35 31A4E6BB - mov [pcsx2-qt.exe+2C83C40],rsi
```
ParkourPenguin (I post too much, Reputation: 147, Joined: 06 Jul 2014, Posts: 4548)
Posted: Thu Nov 28, 2024 12:57 pm
Hard to say why it crashes. Maybe `[rbp+rcx+4AC]` accesses unmapped memory. Maybe xmm7 held an important value you didn't back up. Maybe there was a branch into the middle of the injection point (i.e. something jumps to `movsxd rsi,esi`).
I'd set a breakpoint at the jump to the code injection and step through it to see what happens. Enable the script, go to INJECT_Damage in the disassembler, set a breakpoint on the `jmp`, attack something, "step into" until you get through your code or something bad happens. You can suspend the game using the pause button in the "Advanced Options" window (bottom left main window) if something could cause your code injection to run between enabling the script and setting the breakpoint.
If that doesn't yield anything interesting, try enabling Memory Viewer -> Debug -> Break on unexpected exceptions -> Always. The debugger might need to be attached first (try to set a breakpoint anywhere).
embas10 wrote:
> According to the instruction that I'm debugging, I believe the Base Address must be [rbp+rcx]...

If it's an emulator, one of rbp or rcx is probably the base of the entire emulated memory space and the other is the offset into that memory space (i.e. an address in the emulated architecture). It's hard to determine the base address of whatever structure that value is in. You could try a lower base address (e.g. rbp+rcx-100) and see what happens.
embas10 wrote:
> alloc(Team1DamageMultiplier,10,INJECT_Damage)

If you're storing a float, allocate 4 bytes of memory.
Allocating weird amounts of memory could lead to unaligned memory accesses. This isn't really a problem most of the time on x86 / x86-64 architectures, but you shouldn't do that regardless.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
embas10 (How do I cheat?, Reputation: 0, Joined: 26 Nov 2024, Posts: 4)
Posted: Fri Nov 29, 2024 4:31 am
ParkourPenguin wrote:
> I'd set a breakpoint at the jump to the code injection and step through it to see what happens. Enable the script, go to INJECT_Damage in the disassembler, set a breakpoint on the `jmp`, attack something, "step into" until you get through your code or something bad happens. You can suspend the game using the pause button in the "Advanced Options" window (bottom left main window) if something could cause your code injection to run between enabling the script and setting the breakpoint.
Ok, this breakpoint thing is kinda new to me, so I set a breakpoint on INJECT_Damage, attacked another player and the game froze/suspended. Back in the CE disassembler, I chose "step into" and it led me to the "cmp" command that I wrote in "newmem":
Code:
```asm
7FF7FFFF0000 - 83 BC 29 AC040000 01 - cmp dword ptr [rcx+rbp+000004AC],01
```
And on "step into" again, it crashed the game.
So I tried another one but without "cmp", and the script just ran fine. While breakpointing, every "step into" from "jmp newmem" to the end of my script code went well. And when I chose "step out" the game became unfrozen from the breakpoint state.
ParkourPenguin wrote:
> Hard to say why it crashes. Maybe `[rbp+rcx+4AC]` accesses unmapped memory. Maybe xmm7 held an important value you didn't back up. Maybe there was a branch into the middle of the injection point (i.e. something jumps to `movsxd rsi,esi`).
I'm not quite sure about your first and third statements. And well, the script goes fine with xmm7 (if without using the cmp command), but to make sure I've also tried xmm8/9 and got the same results as with xmm7.
ParkourPenguin wrote:
> If it's an emulator, one of rbp or rcx is probably the base of the entire emulated memory space and the other is the offset into that memory space (i.e. an address in the emulated architecture). It's hard to determine the base address of whatever structure that value is in. You could try a lower base address (e.g. rbp+rcx-100) and see what happens.
You're right, rbp is holding the base address of the entire emulated thing. And rcx is the offset to every player's stats. And rbp & rcx always change every time the emulator is restarted.
ParkourPenguin wrote:
> alloc(Team1DamageMultiplier,10,INJECT_Damage)
> If you're storing a float, allocate 4 bytes of memory.
> Allocating weird amounts of memory could lead to unaligned memory accesses. This isn't really a problem most of the time on x86 / x86-64 architectures, but you shouldn't do that regardless.
This is new to me, thanks for reminding me.
Update:
Ok, so I just solved it right now; here is the conclusion. While debugging the sub command with a breakpoint, I figured out that rcx was different from the one in the write instruction. Here's how it looks:
Code:
```asm
7FF659BC97F9 - 29 FE - sub esi,edi //(RCX:5)(RBX:70C300)
7FF659BC97FB - 48 63 F6 - movsxd rsi,esi //(RCX:5)(RBX:70C300)
7FF659BC97FE - 89 D9 - mov ecx,ebx //(RCX:5)(RBX:70C300)
7FF659BC9800 - 83 C1 20 - add ecx,20 //(RCX:70C300)(RBX:70C300)
7FF659BC9803 - 89 74 0D 00 - mov [rbp+rcx+00],esi //(RCX:70C320)(RBX:70C300)
```
So instead of [rbp+rcx+4AC], I replaced it with [rbp+rbx+4CC], and it works really well. This breakpoint stuff is new to me and seems useful for finding out the corresponding value, tysm ParkourPenguin.
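The register bookkeeping behind that fix can be checked mechanically, as in this added Python example (not part of the thread and not a Cheat Engine feature): it walks the listed instructions between the injection point and the write, tracks symbolically what each register holds, and re-expresses the write-site address plus the scanned offset in injection-site registers, so rbp+rcx+4AC at the write becomes rbp+rbx+4CC at `sub esi,edi` (the `add ecx,20` is where the extra 0x20 comes from). The function names and the small instruction model (only mov/movsxd/add/sub on the legacy registers; other lines are skipped or rejected) are my own assumptions.

```python
import re
from collections import Counter
# Added example (not from the thread): symbolic register tracking from an injection point to the scanned write.
ALIASES = {"eax": "rax", "ebx": "rbx", "ecx": "rcx", "edx": "rdx",
           "esi": "rsi", "edi": "rdi", "ebp": "rbp", "esp": "rsp"}
REGS = set(ALIASES) | set(ALIASES.values())

def combine(a, b, sign):  # a + sign*b over symbolic terms {register: coefficient}
    out = Counter(a)
    (out.update if sign > 0 else out.subtract)(b)  # subtract() keeps negative coefficients
    return out

def operand(tok, state):  # register -> its tracked (terms, const); anything else is a CE hex immediate
    tok = tok.strip().lower()
    return state[ALIASES.get(tok, tok)] if tok in REGS else (Counter(), int(tok, 16))

def step(state, mnem, dst, src):
    if dst.startswith("["):  # a store to memory changes no register
        return
    d, (terms, const) = ALIASES.get(dst, dst), operand(src, state)
    if mnem in ("mov", "movsxd"):  # assumption: values fit in 32 bits, so the 32-bit alias is exact
        state[d] = (Counter(terms), const)
    elif mnem in ("add", "sub"):
        sign = 1 if mnem == "add" else -1
        state[d] = (combine(state[d][0], terms, sign), state[d][1] + sign * const)
    else:
        raise ValueError(f"unmodelled instruction: {mnem} {dst},{src}")

def rewrite_to_injection_site(listing, write_site_addr, struct_offset):
    """Express write_site_addr + struct_offset using the registers as they are at the injection point."""
    state = {r: (Counter({r: 1}), 0) for r in ALIASES.values()}  # every register starts symbolic
    for line in listing:  # CE memory-viewer lines 'addr - bytes - asm //comment'; one-operand lines are skipped
        m = re.match(r"(\w+)\s+([^,]+),(.+)", line.split("//")[0].split(" - ")[-1].strip())
        if m:
            step(state, m.group(1).lower(), m.group(2).strip().lower(), m.group(3).strip())
    terms, const = Counter(), struct_offset
    for tok in write_site_addr.strip("[] ").split("+"):
        t, c = operand(tok, state)
        terms, const = combine(terms, t, 1), const + c
    parts = [r if n == 1 else f"{n}*{r}" for r, n in sorted(terms.items()) if n]
    return "[" + "+".join(parts + [f"{const:X}"]) + "]"

# Constructed from the listing embas10 posted (the line comments are ignored by the parser).
LISTING = [
    "7FF659BC97F9 - 29 FE - sub esi,edi //(RCX:5)(RBX:70C300)",
    "7FF659BC97FE - 89 D9 - mov ecx,ebx",
    "7FF659BC9800 - 83 C1 20 - add ecx,20",
    "7FF659BC9803 - 89 74 0D 00 - mov [rbp+rcx+00],esi",
]
print(rewrite_to_injection_site(LISTING, "[rbp+rcx+00]", 0x4AC))  # [rbp+rbx+4CC]
```

A two-operand instruction the model does not cover raises a ValueError, which is the cue to trace that stretch by hand with a breakpoint as described above.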