Cheat Engine

[x1337]

Hello! I need you a little! Is there any possibility that through this assembly script (AOB) I can reach the fixed pointer? Because when I call (float) 3 for example, it changes my attack speed, but I would like to find the fixed address from the pointer that reaches the attack speed

test.exe
Version:
Date : 2025-09-07
Author : Administrator

This script does blah blah blah
}

define(address,"test.exe"+326360)
define(bytes,D9 81 8C 18 00 00)

[ENABLE]

assert(address,bytes)
alloc(newmem,$1000)

label(code)
label(return)

newmem:
mov [ecx+0000188C],(float)2
code:
fld dword ptr [ecx+0000188C]
jmp return

address:
jmp newmem
nop
return:

[DISABLE]

address:
db bytes
// fld dword ptr [ecx+0000188C]

dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: test.exe+326360

test.exe+326356: C3 - ret
test.exe+326357: CC - int 3
test.exe+326358: CC - int 3
test.exe+326359: CC - int 3
test.exe+32635A: CC - int 3
test.exe+32635B: CC - int 3
test.exe+32635C: CC - int 3
test.exe+32635D: CC - int 3
test.exe+32635E: CC - int 3
test.exe+32635F: CC - int 3
// ---------- INJECTING HERE ----------
test.exe+326360: D9 81 8C 18 00 00 - fld dword ptr [ecx+0000188C]
// ---------- DONE INJECTING ----------
test.exe+326366: C3 - ret
test.exe+326367: CC - int 3
test.exe+326368: CC - int 3
test.exe+326369: CC - int 3
test.exe+32636A: CC - int 3
test.exe+32636B: CC - int 3
test.exe+32636C: CC - int 3
test.exe+32636D: CC - int 3
test.exe+32636E: CC - int 3
test.exe+32636F: CC - int 3
}

[ParkourPenguin]

Search "injection copy"

Move the value of ecx into some memory you allocated. If the memory wasn't a globalalloc, use registersymbol so you can access the symbol outside the script. Add a new record to the cheat table, check the "pointer" checkbox, base address is the registered symbol, only offset is 188C.

[x1337]