Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
Romestead demo code injection

 
Forum: General Gamehacking
HotfogOwner
How do I cheat?
Reputation: 0

Joined: 26 Aug 2023
Posts: 8

Posted: Sat Mar 07, 2026 6:12 am    Post subject: Romestead demo code injection

I'm trying to make my character immortal in the demo of this new game "Romestead".

I started by looking for the addresses that hold my HP value by taking damage and scanning. Of course the HP value is a float because all shit developers make things that should be ints into floats.

But even after freezing ALL addresses that hold my HP value my character would die if he accumulated damage equal to or exceeding his max HP.

I tried scanning for a value holding some sort of "damage to be applied" or something but had no success.

Then I found out what writes to one of the addresses which looks to be the most promising, and found the assembly instruction(s) which subtract damage from health:

Code:
vsubss xmm0,xmm0,xmm1


but replacing that one with no op makes everything immortal, including enemies and doodads.

I thought the rcx register holds the information on what should be damaged: player or other.
I put a breakpoint at the above instruction, hit an enemy and made a note of the rcx value.
It seems the rcx value isn't just a flag or something but a pointer to a struct, and the player and enemy structs are close together in memory, so I opened the memory viewer and tried to find something that I can distinguish them by.

I think I found a clear difference at rcx+10. Decided to try auto assemble:

Code:
[ENABLE]
alloc(immortalCave, 256)
label(doSubtract)
label(skipSubtract)
label(return)

immortalCave:
  push rax
  mov rax, 00007FF877733E28    // player vtable value at [rcx-10]
  cmp [rcx-10], rax            // is this the player's HP struct?
  pop rax
  je skipSubtract              // yes - skip the damage subtraction

doSubtract:
  vsubss xmm0,xmm0,xmm1       // original instruction
  jmp return

skipSubtract:
  jmp return

return:

7FF8793E1860:
  jmp immortalCave
  nop
  nop

[DISABLE]
7FF8793E1860:
  vsubss xmm0,xmm0,xmm1
dealloc(immortalCave)


executing that crashed the game (but at least no errors from CE). Restarting the game and trying again CE gave me an error that the code can't be injected (I forget what exactly).

So I modified the code:

Code:
[ENABLE]
aobscanmodule(INJECT,Romestead.exe,C5 FA 5C C1 C5 FA 11 01)
alloc(immortalCave,256)
alloc(savedRAX,8)
label(doSubtract)
label(skipSubtract)
label(return)

immortalCave:
  mov [savedRAX],rax
  mov rax,[rcx-10]         // read qword before the HP field
  shr rax,48               // isolate top 16 bits
  test rax,rax             // zero = valid, pointer = player vtable
  mov rax,[savedRAX]       // restore rax (does not affect flags)
  jne doSubtract           // non-zero = enemy, apply damage

skipSubtract:
  jmp return               // player, skip both instructions

doSubtract:
  vsubss xmm0,xmm0,xmm1   // original subtract
  vmovss [rcx],xmm0        // original write-back (stolen byte)
  jmp return

return:

INJECT:
  jmp immortalCave
  nop
  nop
  nop

[DISABLE]
INJECT:
  vsubss xmm0,xmm0,xmm1
  vmovss [rcx],xmm0
dealloc(immortalCave)
dealloc(savedRAX)


but for this I got

Code:
Error while scanning AOB's: inject

Error: not all results found


and at this point I gave up and decided to ask for help on here.
ParkourPenguin
I post too much
Reputation: 153

Joined: 06 Jul 2014
Posts: 4748

Posted: Sat Mar 07, 2026 2:42 pm

HotfogOwner wrote:
I think I found a clear difference at rcx+10. Decided to try auto assemble:
...
That's rcx-10 in the AA script.
HotfogOwner wrote:
...executing that crashed the game
Maybe rcx isn't a valid pointer in some cases, or RFLAGS is in use and shouldn't be clobbered. I could give more information if you provide the code around the injection point.
HotfogOwner wrote:
Code:
Error while scanning AOB's: inject

Error: not all results found
The AOB pattern doesn't exist in the module you provided. It could be there was already an active code injection using that same injection point. Or maybe you weren't attached to the game, the code isn't in the main exe, or there was a typo when transcribing the aob pattern.

Use the "AOB Injection" template. Don't remove or change something if you don't know what it does.
Use a more unique symbol name than "INJECT". If more than one script tries to define the same registered symbol to different addresses, bad things will happen.
Don't remove the comment at the bottom showing the code around the injection point. If the game updates or you need help with the script for any reason, that comment contains valuable information.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
HotfogOwner

Posted: Sat Mar 07, 2026 4:52 pm

ParkourPenguin wrote:
That's rcx-10 in the AA script.

Yeah, my mistake, rcx-10 is the correct one.

ParkourPenguin wrote:
Maybe rcx isn't a valid pointer in some cases, or RFLAGS is in use and shouldn't be clobbered. I could give more information if you provide the code around the injection point.


When I scan for what writes to the address two instructions pop up:

Code:
7FF8793D5828 - C5FA1111  - vmovss [rcx],xmm2
7FF8793D5834 - C5FA1101  - vmovss [rcx],xmm0


Here is what CE shows up for each:

7FF8793E1858:
7FF8793E1852 - 7D F6 - jnl 7FF8793E184A
7FF8793E1854 - C5F828D0 - vmovaps xmm2,xmm0
7FF8793E1858 - C5FA1111 - vmovss [rcx],xmm2
7FF8793E185C - C5FA1001 - vmovss xmm0,[rcx]
7FF8793E1860 - C5FA5CC1 - vsubss xmm0,xmm0,xmm1
RAX=000001C154D3E618
RBX=0000018153373350
RCX=00000181475CDAF0
RDX=0000000000000001
RSI=0000000000000001
RDI=00000181533733E0
RSP=0000002C68D7D858
RBP=0000002C68D7D980
RIP=00007FF8793E185C
R8=0000000000000001
R9=000001C144C00000
R10=0000018153373B08
R11=0000018143976780
R12=000000000000004C
R13=00000181475CDAF0
R14=00000181475A9920
R15=0000000000000000
First seen:23:55:12
Last seen:23:55:13

7FF8793E1864:
7FF8793E185C - C5FA1001 - vmovss xmm0,[rcx]
7FF8793E1860 - C5FA5CC1 - vsubss xmm0,xmm0,xmm1
7FF8793E1864 - C5FA1101 - vmovss [rcx],xmm0
7FF8793E1868 - C5FA1001 - vmovss xmm0,[rcx]
7FF8793E186C - C5E857D2 - vxorps xmm2,xmm2,xmm2
RAX=000001C154D3E618
RBX=0000018153373350
RCX=00000181475CDAF0
RDX=0000000000000001
RSI=0000000000000001
RDI=00000181533733E0
RSP=0000002C68D7D858
RBP=0000002C68D7D980
RIP=00007FF8793E1868
R8=0000000000000001
R9=000001C144C00000
R10=0000018153373B08
R11=0000018143976780
R12=000000000000004C
R13=00000181475CDAF0
R14=00000181475A9920
R15=0000000000000000
First seen:23:55:12
Last seen:23:55:13

I apologize, I probably should have mentioned I'm not a full expert. I know this and that but have some holes in my knowledge, so I hope I gave you something useful.
ParkourPenguin

Posted: Sat Mar 07, 2026 7:26 pm

Select the instruction `vsubss xmm0,xmm0,xmm1` in the disassembler (top half of memory viewer), in the top menu of the memory viewer select Tools -> Auto Assemble, in the top menu of the AA window select Template -> AOB Injection, the selected address should be correct, enter a unique symbol name for the injection point (not INJECT, maybe inject_decrease_health), and let CE generate a template for you. I wanted to know what the comment at the bottom says, but I don't think it's particularly important now. If you still can't get it to work after this, then yes, post it.

I missed this the first time:
HotfogOwner wrote:
Code:
immortalCave:
  ...
  jmp return

return:
You put the return label inside the memory for your code injection. It should be after the injection point. Use the template instead of writing your own script from scratch.

Try the first code again with the template CE generates. Slightly shorter version:
Code:
newmem:
  push rax
  mov rax, 00007FF877733E28
  cmp [rcx-10], rax
  pop rax
  je skipSubtract
  vsubss xmm0,xmm0,xmm1
skipSubtract:
  jmp return
The number you're using to compare against, 00007FF877733E28, might change when the game is restarted. See if the address is in a module and use `modulename.exe+offset` instead.
I'd open the Lua engine window (Memory view -> Tools -> Lua engine) and execute this code while attached to the game:
Code:
print(getNameFromAddress(0x00007FF877733E28))
If it prints something like "game.exe"+1234, use that in place of the number itself (i.e. `mov rax,"game.exe"+1234`); if it doesn't and that number changes, find some other comparison to use.
HotfogOwner

Posted: Sun Mar 08, 2026 10:06 am

Used the AOB injection template and named the symbol name to be "immortal" this is the result

Code:
{ Game   : Romestead.exe
  Version:
  Date   : 2026-03-08

  This script does blah blah blah
}

[ENABLE]

aobscan(immortal,C5 FA 5C C1 C5 FA 11 01) // should be unique
alloc(newmem,$1000,immortal)
alloc(savedRAX,8)

label(doSubtract)
label(return)

newmem:
  mov [savedRAX],rax
  mov rax,[rcx-10]         // read qword before the HP field
  shr rax,48               // isolate top 16 bits
  test rax,rax             // zero = valid, pointer = player vtable
  mov rax,[savedRAX]       // restore rax (does not affect flags)
  je doSubtract           // non-zero = enemy, apply damage

doSubtract:
  vsubss xmm0,xmm0,xmm1
  vmovss [rcx],xmm0
  jmp return

immortal:
  jmp newmem
  nop 3

return:
registersymbol(immortal)

[DISABLE]

immortal:
  db C5 FA 5C C1 C5 FA 11 01

unregistersymbol(immortal)
dealloc(newmem)
dealloc(savedRAX)

{
// ORIGINAL CODE - INJECTION POINT: 7FFA8F9D9F60

7FFA8F9D9F42: 7A 10                    - jp 7FFA8F9D9F54
7FFA8F9D9F44: C5 F8 2E D0              - vucomiss xmm2,xmm0
7FFA8F9D9F48: 77 0A                    - ja 7FFA8F9D9F54
7FFA8F9D9F4A: EB 0C                    - jmp 7FFA8F9D9F58
7FFA8F9D9F4C: C5 F9 7E C0              - vmovd eax,xmm0
7FFA8F9D9F50: 85 C0                    - test eax,eax
7FFA8F9D9F52: 7D F6                    - jnl 7FFA8F9D9F4A
7FFA8F9D9F54: C5 F8 28 D0              - vmovaps xmm2,xmm0
7FFA8F9D9F58: C5 FA 11 11              - vmovss [rcx],xmm2
7FFA8F9D9F5C: C5 FA 10 01              - vmovss xmm0,[rcx]
// ---------- INJECTING HERE ----------
7FFA8F9D9F60: C5 FA 5C C1              - vsubss xmm0,xmm0,xmm1
// ---------- DONE INJECTING  ----------
7FFA8F9D9F64: C5 FA 11 01              - vmovss [rcx],xmm0
7FFA8F9D9F68: C5 FA 10 01              - vmovss xmm0,[rcx]
7FFA8F9D9F6C: C5 E8 57 D2              - vxorps xmm2,xmm2,xmm2
7FFA8F9D9F70: C5 F8 2E C2              - vucomiss xmm0,xmm2
7FFA8F9D9F74: 76 2F                    - jna 7FFA8F9D9FA5
7FFA8F9D9F76: C5 E8 57 D2              - vxorps xmm2,xmm2,xmm2
7FFA8F9D9F7A: C5 F8 2E CA              - vucomiss xmm1,xmm2
7FFA8F9D9F7E: 77 17                    - ja 7FFA8F9D9F97
7FFA8F9D9F80: C5 FA 5C 41 04           - vsubss xmm0,xmm0,[rcx+04]
7FFA8F9D9F85: C5 F8 54 05 23 00 00 00  - vandps xmm0,xmm0,[7FFA8F9D9FB0]
}


I added

Code:
alloc(savedRAX,8)
...
  mov [savedRAX],rax
  mov rax,[rcx-10]         // read qword before the HP field
  shr rax,48               // isolate top 16 bits
  test rax,rax             // zero = valid, pointer = player vtable
  mov rax,[savedRAX]       // restore rax (does not affect flags)
  je doSubtract           // non-zero = enemy, apply damage
...
dealloc(savedRAX)


and renamed "code" to "doSubtract". But while it injects fine, it doesn't seem to work. I thought maybe I flipped the check, but both "je doSubtract" and "jne doSubtract" don't seem to affect anything. Checked by adding the script to the cheat table and enabling/disabling it after update.

both "print(getNameFromAddress(0x00007FF877733E28))" and "print(getNameFromAddress(0x7FFA8F9D9F60))" just print the address.

Although the script doesn't look quite right to me, this is what the template gave.
ParkourPenguin

Posted: Sun Mar 08, 2026 2:37 pm

HotfogOwner wrote:
Code:
newmem:
  mov [savedRAX],rax
  mov rax,[rcx-10]         // read qword before the HP field
  shr rax,48               // isolate top 16 bits
  test rax,rax             // zero = valid, pointer = player vtable
  mov rax,[savedRAX]       // restore rax (does not affect flags)
  je doSubtract           // non-zero = enemy, apply damage

doSubtract:
  vsubss xmm0,xmm0,xmm1
  vmovss [rcx],xmm0
  jmp return
The instruction `je doSubtract` does nothing. If rax is 0, it jumps to the next instruction; if rax is not 0, it continues to the next instruction anyway.

There's no need for `savedRAX`. push / pop works fine. The only time you need to be careful with push/pop is when you need to access the stack in the code injection (i.e. [rsp+X]).
Code:
newmem:
  push rax
  mov rax,[rcx-10]
  shr rax,48
  pop rax
  je exit

  vsubss xmm0,xmm0,xmm1
  vmovss [rcx],xmm0      // this can be safely skipped too
exit:
  jmp return
In this code, if rax is 0, the `je exit` instruction will jump to the `exit` label, skipping the subtraction operation. If rax is not 0, then the `je exit` instruction won't jump and instead will continue to the next instruction, running the original code.

Also, this is a micro optimization, but the `shr` instruction sets the ZF according to the result of the operation. The `test rax,rax` instruction is unnecessary in this case.

HotfogOwner

Posted: Sun Mar 08, 2026 3:34 pm

First of all I want to thank you for your help, it really is much appreciated!

Secondly, for some reason, now it can't find the bytes with the aobscan. Even when I repeat the process, find the memory address where the subtraction instruction resides and redo the aob template, it still generates the same bytes and still can't find them.
ParkourPenguin

Posted: Sun Mar 08, 2026 9:41 pm

I'd guess there's another script active that modified the injection point. Restart the game, attach to the new process, and try again.

Don't click on the "Execute" button at the bottom of a new AA script window: you'll never be able to disable it. Generate the template, click File -> Assign to current cheat table, and close the window. To edit the script, double click the value column of the script in the address list (bottom half of main window). The text in the value column should say "script" in angle brackets. (Trying to write that literally makes this website think I'm trying to hack it.)

HotfogOwner

Posted: Mon Mar 09, 2026 6:20 am

lmao, a website dedicated to scripting/hacking thinks it's being hacked when fulfilling the purpose it was created for!

Tried that, but, again, it finds nothing.

(made sure to add the script to the cheat table and saved the table, executed it from there)
ParkourPenguin

Posted: Mon Mar 09, 2026 3:01 pm

CE generates the AOBScan template correctly, you assign the script to the cheat table (don't change the code in the code injection just yet), and CE can't find the bytes it literally just found? There's no reasonable scenario I can think of where that could happen. The only time I've seen something like this is when people first click the "Execute" button instead of assigning the script to the cheat table, or they have two scripts that use the same injection point.

If you restart the game and can't enable the script after attaching to the new process, it could be that the code needs to be JIT compiled. Given that code doesn't appear to be in a module, I'd guess that's the case. This means the code you want to find doesn't exist until that code should be run for the first time: i.e. the code gets compiled just-in-time. There's not much you can do about this other than make sure you do the relevant action in-game before trying to enable the script. Depending on what engine the game uses, mono features might be available, and you can JIT-compile methods from CE using that. Check the top menu of the main CE window and see if there's one called "Mono".

If you don't know for certain what's wrong with an AA script, right click the script in the address list after you try to enable it and check what the error is at the top.

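The two reasons given above for an aobscan failure (the bytes at the injection point were already replaced by another active script, or the pattern is not unique) can be reproduced offline. The program below is an added example, not code from this thread or from Cheat Engine: it walks a constructed byte array made from the bytes in the template's ORIGINAL CODE comment, scans it for the 8-byte pattern the template generated, then models what the [ENABLE] section (a 5-byte `jmp newmem` plus `nop 3`) and the [DISABLE] section (`db` of the original bytes) do to that site. The jmp displacement is an arbitrary constructed value, the `??` wildcard syntax is CE's, and the scanner only covers this one buffer rather than a process's memory regions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes copied from the thread's ORIGINAL CODE comment (7FFA8F9D9F54..9F75).
   The array is a constructed stand-in for the game's code page. */
static const uint8_t kOriginalCode[] = {
    0xC5, 0xF8, 0x28, 0xD0,  /* 9F54  vmovaps xmm2,xmm0 */
    0xC5, 0xFA, 0x11, 0x11,  /* 9F58  vmovss [rcx],xmm2 */
    0xC5, 0xFA, 0x10, 0x01,  /* 9F5C  vmovss xmm0,[rcx] */
    0xC5, 0xFA, 0x5C, 0xC1,  /* 9F60  vsubss xmm0,xmm0,xmm1   <- injection point */
    0xC5, 0xFA, 0x11, 0x01,  /* 9F64  vmovss [rcx],xmm0       <- covered by "nop 3" */
    0xC5, 0xFA, 0x10, 0x01,  /* 9F68  vmovss xmm0,[rcx] */
    0xC5, 0xE8, 0x57, 0xD2,  /* 9F6C  vxorps xmm2,xmm2,xmm2 */
    0xC5, 0xF8, 0x2E, 0xC2,  /* 9F70  vucomiss xmm0,xmm2 */
    0x76, 0x2F,              /* 9F74  jna 7FFA8F9D9FA5 */
};
static const char kAob[] = "C5 FA 5C C1 C5 FA 11 01";  /* pattern the template generated */
enum { kInjectOffset = 12 };                            /* 9F60 - 9F54 */

/* Parse "C5 FA ?? 01" into bytes plus a wildcard mask. Returns the count or -1. */
static int parse_aob(const char *s, uint8_t *bytes, bool *wild, int max)
{
    int n = 0;
    for (;;) {
        while (*s == ' ') s++;
        if (*s == '\0') return n;
        if (n >= max) return -1;
        if (s[0] == '?' && s[1] == '?') {
            wild[n] = true;  bytes[n] = 0;
        } else if (isxdigit((unsigned char)s[0]) && isxdigit((unsigned char)s[1])) {
            unsigned v = 0;
            sscanf(s, "%2x", &v);
            wild[n] = false; bytes[n] = (uint8_t)v;
        } else {
            return -1;                          /* malformed token */
        }
        n++; s += 2;
    }
}

/* Count pattern matches in buf; if first is non-NULL it receives the first offset. */
static int aob_scan(const uint8_t *buf, size_t len, const char *aob, size_t *first)
{
    uint8_t pat[64]; bool wild[64];
    int n = parse_aob(aob, pat, wild, 64), hits = 0;
    if (n <= 0) return -1;
    for (size_t i = 0; i + (size_t)n <= len; i++) {
        int j = 0;
        while (j < n && (wild[j] || buf[i + j] == pat[j])) j++;
        if (j == n) { if (hits == 0 && first) *first = i; hits++; }
    }
    return hits;
}

/* [ENABLE] at the injection point: "jmp newmem" (E9 rel32) followed by "nop 3". */
static void apply_injection(uint8_t *site, int32_t rel32)
{
    site[0] = 0xE9;
    memcpy(site + 1, &rel32, sizeof rel32);  /* little-endian displacement */
    memset(site + 5, 0x90, 3);
}

/* [DISABLE]: "db C5 FA 5C C1 C5 FA 11 01" puts the stolen bytes back. */
static void restore_injection(uint8_t *site)
{
    memcpy(site, kOriginalCode + kInjectOffset, 8);
}

/* state 0: untouched, 1: after [ENABLE] wrote the jmp, 2: after [DISABLE] restored it. */
static int hits_in_state(int state, const char *aob)
{
    uint8_t code[sizeof kOriginalCode];
    memcpy(code, kOriginalCode, sizeof code);
    if (state >= 1) apply_injection(code + kInjectOffset, 0x00001000);  /* constructed displacement */
    if (state >= 2) restore_injection(code + kInjectOffset);
    return aob_scan(code, sizeof code, aob, NULL);
}

/* Offset of the first match in the untouched buffer, or -1 when there is none. */
static long first_hit_offset(const char *aob)
{
    size_t off = 0;
    int hits = aob_scan(kOriginalCode, sizeof kOriginalCode, aob, &off);
    return hits > 0 ? (long)off : -1;
}

int main(void)
{
    printf("offset of injection point: %ld\n", first_hit_offset(kAob));
    printf("hits untouched=%d, with jmp active=%d, after restore=%d\n",
           hits_in_state(0, kAob), hits_in_state(1, kAob), hits_in_state(2, kAob));
    printf("\"C5 FA ?? 01\" is not unique: %d hits\n", hits_in_state(0, "C5 FA ?? 01"));
    return 0;
}
```

With the jmp in place the first five pattern bytes read `E9 xx xx xx xx`, so a second script (or a stray "Execute") scanning for the same bytes reports "not all results found" until the first one is disabled and the `db` line restores them. The shorter wildcard pattern hits three times in this small buffer, which is why the template marks the generated line "should be unique".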
HotfogOwner

Posted: Tue Mar 10, 2026 8:25 am

ParkourPenguin wrote:
If you don't know for certain what's wrong with an AA script, right click the script in the address list after you try to enable it and check what the error is at the top.


Yes, that error is the one I cited, or at least meant to: when I said it can't find them, that is the error.

This is besides the point because, yes, seems I need to take damage in order for the script to be able to find the bytes. Just tested with only opening the game and trying to enable the script vs taking damage and trying to enable the script.

Which tracks with the JIT thing, since it's 100% a C# game. I don't think it's Unity but I can decompile the dll with dnSpy, so...

But it still doesn't work. 😭😭😭

This is the script (taken from clicking the "Change script" button on the right-click context menu of the script entry in the cheat table):

Code:
{ Game   : Romestead.exe
  Version:
  Date   : 2026-03-08

  This script does blah blah blah
}

[ENABLE]

aobscan(immortal,C5 FA 5C C1 C5 FA 11 01) // should be unique
alloc(newmem,$1000,immortal)

label(return)

newmem:
  push rax
  mov rax,[rcx-10]
  shr rax,48
  pop rax
  je exit

  vsubss xmm0,xmm0,xmm1
  vmovss [rcx],xmm0      // this can be safely skipped too

immortal:
  jmp newmem
  nop 3

return:
registersymbol(immortal)

[DISABLE]

immortal:
  db C5 FA 5C C1 C5 FA 11 01

unregistersymbol(immortal)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 7FFA8F9D9F60

7FFA8F9D9F42: 7A 10                    - jp 7FFA8F9D9F54
7FFA8F9D9F44: C5 F8 2E D0              - vucomiss xmm2,xmm0
7FFA8F9D9F48: 77 0A                    - ja 7FFA8F9D9F54
7FFA8F9D9F4A: EB 0C                    - jmp 7FFA8F9D9F58
7FFA8F9D9F4C: C5 F9 7E C0              - vmovd eax,xmm0
7FFA8F9D9F50: 85 C0                    - test eax,eax
7FFA8F9D9F52: 7D F6                    - jnl 7FFA8F9D9F4A
7FFA8F9D9F54: C5 F8 28 D0              - vmovaps xmm2,xmm0
7FFA8F9D9F58: C5 FA 11 11              - vmovss [rcx],xmm2
7FFA8F9D9F5C: C5 FA 10 01              - vmovss xmm0,[rcx]
// ---------- INJECTING HERE ----------
7FFA8F9D9F60: C5 FA 5C C1              - vsubss xmm0,xmm0,xmm1
// ---------- DONE INJECTING  ----------
7FFA8F9D9F64: C5 FA 11 01              - vmovss [rcx],xmm0
7FFA8F9D9F68: C5 FA 10 01              - vmovss xmm0,[rcx]
7FFA8F9D9F6C: C5 E8 57 D2              - vxorps xmm2,xmm2,xmm2
7FFA8F9D9F70: C5 F8 2E C2              - vucomiss xmm0,xmm2
7FFA8F9D9F74: 76 2F                    - jna 7FFA8F9D9FA5
7FFA8F9D9F76: C5 E8 57 D2              - vxorps xmm2,xmm2,xmm2
7FFA8F9D9F7A: C5 F8 2E CA              - vucomiss xmm1,xmm2
7FFA8F9D9F7E: 77 17                    - ja 7FFA8F9D9F97
7FFA8F9D9F80: C5 FA 5C 41 04           - vsubss xmm0,xmm0,[rcx+04]
7FFA8F9D9F85: C5 F8 54 05 23 00 00 00  - vandps xmm0,xmm0,[7FFA8F9D9FB0]
}


Unless I messed up something while copying your code from two posts up, I suppose rcx-10 isn't the magic value I thought it was?
ParkourPenguin

Posted: Tue Mar 10, 2026 12:46 pm

HotfogOwner wrote:
Code:
...
newmem:
  push rax
  mov rax,[rcx-10]
  shr rax,48
  pop rax
  je exit

  vsubss xmm0,xmm0,xmm1
  vmovss [rcx],xmm0      // this can be safely skipped too

immortal:
  jmp newmem
  nop 3
...
The exit label and `jmp return` were removed.
I understand you're a beginner and a lot of this doesn't make sense to you, but at least read the stuff you copied / pasted to make sure you didn't miss anything.

Also, in the part of the script where the template generated the code `label(return)`, you can put `label(exit)` above that to prevent this in the future. Labels don't have to be explicitly declared, but an explicitly declared label that isn't defined anywhere will generate an error. Errors are a good thing when the alternative is a script doing something other than what you wanted it to do.

HotfogOwner

Posted: Tue Mar 10, 2026 1:25 pm

You're right, that was completely my fault and also very stupid of me.

I apologize, especially since you've been very helpful and patient with me.

Unfortunately, even with that fix, the player character, enemies and doodads still receive damage.

Full script below

Code:
{ Game   : Romestead.exe
  Version:
  Date   : 2026-03-08

  This script does blah blah blah
}

[ENABLE]

aobscan(immortal,C5 FA 5C C1 C5 FA 11 01) // should be unique
alloc(newmem,$1000,immortal)

label(return)
label(exit)

newmem:
  push rax
  mov rax,[rcx-10]
  shr rax,48
  pop rax
  je exit

  vsubss xmm0,xmm0,xmm1
  vmovss [rcx],xmm0      // this can be safely skipped too
exit:
  jmp return

immortal:
  jmp newmem
  nop 3

return:
registersymbol(immortal)

[DISABLE]

immortal:
  db C5 FA 5C C1 C5 FA 11 01

unregistersymbol(immortal)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 7FFA8F9D9F60

7FFA8F9D9F42: 7A 10                    - jp 7FFA8F9D9F54
7FFA8F9D9F44: C5 F8 2E D0              - vucomiss xmm2,xmm0
7FFA8F9D9F48: 77 0A                    - ja 7FFA8F9D9F54
7FFA8F9D9F4A: EB 0C                    - jmp 7FFA8F9D9F58
7FFA8F9D9F4C: C5 F9 7E C0              - vmovd eax,xmm0
7FFA8F9D9F50: 85 C0                    - test eax,eax
7FFA8F9D9F52: 7D F6                    - jnl 7FFA8F9D9F4A
7FFA8F9D9F54: C5 F8 28 D0              - vmovaps xmm2,xmm0
7FFA8F9D9F58: C5 FA 11 11              - vmovss [rcx],xmm2
7FFA8F9D9F5C: C5 FA 10 01              - vmovss xmm0,[rcx]
// ---------- INJECTING HERE ----------
7FFA8F9D9F60: C5 FA 5C C1              - vsubss xmm0,xmm0,xmm1
// ---------- DONE INJECTING  ----------
7FFA8F9D9F64: C5 FA 11 01              - vmovss [rcx],xmm0
7FFA8F9D9F68: C5 FA 10 01              - vmovss xmm0,[rcx]
7FFA8F9D9F6C: C5 E8 57 D2              - vxorps xmm2,xmm2,xmm2
7FFA8F9D9F70: C5 F8 2E C2              - vucomiss xmm0,xmm2
7FFA8F9D9F74: 76 2F                    - jna 7FFA8F9D9FA5
7FFA8F9D9F76: C5 E8 57 D2              - vxorps xmm2,xmm2,xmm2
7FFA8F9D9F7A: C5 F8 2E CA              - vucomiss xmm1,xmm2
7FFA8F9D9F7E: 77 17                    - ja 7FFA8F9D9F97
7FFA8F9D9F80: C5 FA 5C 41 04           - vsubss xmm0,xmm0,[rcx+04]
7FFA8F9D9F85: C5 F8 54 05 23 00 00 00  - vandps xmm0,xmm0,[7FFA8F9D9FB0]
}


I tried flipping
Code:
je exit
to
Code:
jne exit
to see if, perhaps, I got the value from rcx-10 on backwards but it changed nothing. Just to be specific - started the game, took damage, enabled the script I have copied fully above - everything still takes damage, disabled the script, right-clicked, chose "Edit", changed "je" to "jne", clicked "OK", enabled the script, still everything takes damage.
ParkourPenguin

Posted: Tue Mar 10, 2026 2:47 pm

My bad, I missed this:
HotfogOwner wrote:
Code:
shr rax,48
Most numbers are parsed as hexadecimal by default. Shifting right by 0x48 (72) is bad: that operand is masked to 6 bits for a 64-bit operand, so it's really doing `shr rax,8`.
Use `shr rax,30` instead. 0x30 = 48

That wouldn't explain why everything takes damage regardless of whether it's `je` or `jne`. One of the two should've had the opposite behaviour if the condition is good. If it still doesn't work, enable the script, go to the address `immortal` in the disassembler (right click menu in the disassembler), set a breakpoint on that `jmp` to your code, do something in-game to run that code, and step into your code to see what happens.

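The last two replies rest on two x86-64 details that are easy to check outside the game: a 64-bit `shr` masks its immediate count to 6 bits, so CE's hex-parsed `48` (0x48 = 72) shifts by 8 rather than 48, and `shr` only updates ZF from its result when the masked count is non-zero. The following C program is an added example, not code from the thread or from Cheat Engine: it models the `mov rax,[rcx-10] / shr rax,<count> / je exit` check for several count literals. The qword 0x00007FF877733E28 is the vtable value quoted earlier in the thread; the "enemy" qword (two packed 100.0f floats) is constructed, since the thread never shows what sits at rcx-10 for an enemy, and the `#` decimal prefix is CE auto assembler syntax.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* SHR r/m64, imm8 as the CPU executes it: returns the shifted value and updates
   *zf the way the flag would be, including the "count masks to 0 leaves flags
   alone" case (Intel SDM: in 64-bit mode the count is masked to 6 bits). */
static uint64_t shr64(uint64_t value, uint8_t imm8, bool *zf)
{
    unsigned count = imm8 & 0x3F;
    if (count == 0)
        return value;                  /* RFLAGS not modified */
    value >>= count;
    *zf = (value == 0);                /* ZF set from the result */
    return value;
}

/* Convenience wrapper when only the shifted value matters. */
static uint64_t shr64_result(uint64_t value, uint8_t imm8)
{
    bool zf = false;
    return shr64(value, imm8, &zf);
}

/* The CE auto assembler reads a bare numeric literal as hexadecimal ("48" -> 0x48);
   a leading '#' selects decimal ("#48" -> 48). */
static uint8_t ce_imm8(const char *literal)
{
    if (literal[0] == '#')
        return (uint8_t)strtoul(literal + 1, NULL, 10);
    return (uint8_t)strtoul(literal, NULL, 16);
}

/* Run the cave's check on the qword read from [rcx-10] with the given literal.
   Returns true when `je exit` would be taken, i.e. the subtraction is skipped.
   zf_before is whatever ZF the instruction before the shr left; it only matters
   when the count masks to zero. push/pop of rax do not touch flags, so they are
   not modelled. */
static bool cave_skips_damage(uint64_t qword_at_rcx_minus_10,
                              const char *count_literal, bool zf_before)
{
    bool zf = zf_before;
    shr64(qword_at_rcx_minus_10, ce_imm8(count_literal), &zf);
    return zf;
}

int main(void)
{
    const uint64_t player_vtable = 0x00007FF877733E28ULL;  /* value quoted in the thread */
    const uint64_t enemy_floats  = 0x42C8000042C80000ULL;  /* constructed: two 100.0f */
    const char *literals[] = { "48", "30", "#48", "40" };
    for (size_t i = 0; i < sizeof literals / sizeof literals[0]; i++) {
        uint8_t imm = ce_imm8(literals[i]);
        printf("shr rax,%-4s -> imm8=0x%02X, effective count=%2u: "
               "player skips=%d, enemy skips=%d\n",
               literals[i], imm, imm & 0x3F,
               (int)cave_skips_damage(player_vtable, literals[i], false),
               (int)cave_skips_damage(enemy_floats, literals[i], false));
    }
    return 0;
}
```

With `48` the vtable value becomes 0x00007FF877733E after an 8-bit shift, ZF stays clear and the damage path runs for the player; with `30` (or `#48`) the top 16 bits of a user-mode pointer are zero, ZF is set and the `je` skips the subtraction, while the constructed float pair leaves 0x42C8 and takes damage. A count literal that masks to zero, such as `40`, makes the branch depend on whatever the previous instruction left in ZF, which is the kind of thing the suggested single-step through the cave would reveal.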