Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


[HELP] Having some trouble with AOB Injection Copies

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine
View previous topic :: View next topic  
Author Message
bismult
Cheater
Reputation: 0

Joined: 09 Mar 2022
Posts: 27
PostPosted: Sun Mar 16, 2025 9:50 pm    Post subject: [HELP] Having some trouble with AOB Injection Copies Reply with quote
How would I go about doing an AOB injection copy for a more complex opcode? The issue is in the "codeboundingRadius" section. I'm not sure how to multiply the address by 4, then move it into the base used for the pointer.

Code:
aobscanmodule(boundingRadius,game_module.dll,F3 43 0F 59 74 93 0C) // should be unique
alloc(newmemboundingRadius,$1000,boundingRadius)
alloc(boundingRadiusBase,8)
registersymbol(boundingRadiusBase)
label(codeboundingRadius)
label(returnboundingRadius)

newmemboundingRadius:

codeboundingRadius:
  mov [boundingRadiusBase],r11
  add [boundingRadiusBase],r10
  mulss xmm6,[r11+r10*4+0C]
  jmp returnboundingRadius

boundingRadius:
  jmp newmemboundingRadius
  nop 2
returnboundingRadius:
registersymbol(boundingRadius)
[/code]
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4706
PostPosted: Sun Mar 16, 2025 11:02 pm    Post subject: Reply with quote
Code:
push rax
lea rax,[r11+r10*4+0C]
mov [boundingRadiusBase],rax
pop rax
mulss xmm6,[r11+r10*4+0C]  // original code
jmp return

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
bismult
Cheater
Reputation: 0

Joined: 09 Mar 2022
Posts: 27
PostPosted: Mon Mar 17, 2025 8:19 pm    Post subject: Reply with quote
ParkourPenguin wrote:
Code:
push rax
lea rax,[r11+r10*4+0C]
mov [boundingRadiusBase],rax
pop rax
mulss xmm6,[r11+r10*4+0C]  // original code
jmp return


Thanks! Is rax the register I would always use? Doing this for other addresses sometimes results in the pointer address being null (a bunch of zeros)
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4706
PostPosted: Tue Mar 18, 2025 1:22 am    Post subject: Reply with quote
No, you can use any general-purpose 64-bit register, including ones used in the address calculation itself (as long as you backup / restore it with push / pop)

`rax` does have one particular use over other registers in avoiding the limitations of RIP-relative addressing (see `mov` opcode A3), but that's not relevant in this case. Both `newmemboundingRadius` (your code) and `boundingRadiusBase` (accessed address) are allocated in the same script, so they'll be close by to each other.

bismult wrote:
Doing this for other addresses sometimes results in the pointer address being null (a bunch of zeros)
`boundingRadiusBase` is initialized to 0 when the script is activated. After the script is activated, the game will run the code injection when it was suppose to run the original code. Activating the script doesn't mean the code injection will be run in that instant as well. If the game doesn't run the original code periodically, then you'll need to perform whatever action required to make it run in order for the address to be assigned correctly- e.g. press a button, open a menu, attack something, get hit... whatever made the instruction access the address originally.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
bismult
Cheater
Reputation: 0

Joined: 09 Mar 2022
Posts: 27
PostPosted: Sat Mar 22, 2025 8:58 pm    Post subject: Reply with quote
ParkourPenguin wrote:
No, you can use any general-purpose 64-bit register, including ones used in the address calculation itself (as long as you backup / restore it with push / pop)

`rax` does have one particular use over other registers in avoiding the limitations of RIP-relative addressing (see `mov` opcode A3), but that's not relevant in this case. Both `newmemboundingRadius` (your code) and `boundingRadiusBase` (accessed address) are allocated in the same script, so they'll be close by to each other.

bismult wrote:
Doing this for other addresses sometimes results in the pointer address being null (a bunch of zeros)
`boundingRadiusBase` is initialized to 0 when the script is activated. After the script is activated, the game will run the code injection when it was suppose to run the original code. Activating the script doesn't mean the code injection will be run in that instant as well. If the game doesn't run the original code periodically, then you'll need to perform whatever action required to make it run in order for the address to be assigned correctly- e.g. press a button, open a menu, attack something, get hit... whatever made the instruction access the address originally.


I see now, this worked perfectly. Thanks for the help!
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites