Cheat Engine The Official Site of Cheat Engine
mgr.inz.Player I post too much
Posted: Sun Jul 21, 2013 2:53 am
movlhps xmm2,xmm2 doesn't assemble correctly, have to use db 0F 16 D2
Code:
[ENABLE]
alloc(UserValues,1024)
alloc(hack,1024)
label(retHere)
label(multiplyBy)
label(skip)
label(doNothing)
label(speedLimit)
UserValues:
multiplyBy:
dd (float)1.10 // speed multiplier
speedLimit:
dd (float)150.0 // speed limit
hack:
push ebx
mov ebx,[Game.exe+02A6F758]
test ebx,ebx
jz skip
mov ebx,[ebx+AC]
test ebx,ebx
jz skip
mov ebx,[ebx+3D8]
test ebx,ebx
jz skip
mov ebx,[ebx+0]
lea ebx,[ebx+60] // we compare ebx+90 with eax+30, we can compare ebx+60 with eax as well
cmp eax,ebx
jne skip // not our vehicle
sub esp,20 // prepare space
movdqu [esp],xmm1 // store xmm1
movdqu [esp+10],xmm2 // store xmm2
// now we can use xmm0,xmm1 and xmm2
movss xmm0,[multiplyBy] // get multiply factor
shufps xmm0,xmm0,00
movups xmm1,[esi+00000094] // get current delta vector
mulps xmm0,xmm1 // multiply delta vector by user value
// xmm0 keeps buffed delta vector
movups xmm1,[eax+30] // get current speed vector
mulps xmm1,xmm1 // compute squares
movss xmm2,xmm1 // \
shufps xmm1,xmm1,09 // \
addss xmm2,xmm1 // calculate vector length
shufps xmm1,xmm1,09 // /
addss xmm2,xmm1 // /
sqrtss xmm2,xmm2 ///
//movlhps xmm2,xmm2 // store in high
//instruction doesn't assemble, CE needs to be fixed
db 0F 16 D2
movups xmm1,[eax+30] // get current speed vector
addps xmm1,xmm0 // and add buffed delta vector
mulps xmm1,xmm1 // compute squares
movss xmm2,xmm1 // \
shufps xmm1,xmm1,09 // \
addss xmm2,xmm1 // calculate vector length
shufps xmm1,xmm1,09 // /
addss xmm2,xmm1 // /
sqrtss xmm1,xmm2 ///
movhlps xmm2,xmm2
// xmm1 (low) keeps buffed scalar speed
// xmm2 (low) keeps original scalar speed
comiss xmm1,xmm2 // compare new buffed speed with original speed
jb doNothing // if buffed is smaller, vehicle is slowing down. Do normally - do nothing!
comiss xmm1,[speedLimit] // compare with limit
ja doNothing
movq [esi+00000094],xmm0 // store new delta
movhlps xmm0,xmm0
movss [esi+0000009C],xmm0
doNothing:
movdqu xmm1,[esp] // restore xmm1
movdqu xmm2,[esp+10] // restore xmm2
add esp,20
skip:
pop ebx
movss xmm0,[eax+30] //original code
jmp retHere
Phys_x86.dll+1D7C48:
jmp hack
retHere:
[DISABLE]
Phys_x86.dll+1D7C48:
db F3 0F 10 40 30
dealloc(hack)
dealloc(UserValues)
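The SSE part of the script above (squares, two `shufps ...,09` shuffles, `addss`, `sqrtss`, then the two `comiss` checks) is easy to misread, so here is the same logic replayed lane by lane in Python. This is an added example, not code from the post: `shufps`, `vector_length_sse` and `buffed_delta` are names chosen here, and the vectors are constructed inputs.

```python
import math
from typing import List, Optional

# One XMM register modelled as four single-precision lanes; index 0 is the low lane.
Vec = List[float]

def shufps(dst: Vec, src: Vec, imm: int) -> Vec:
    """SHUFPS dst,src,imm8: result lanes 0 and 1 are picked from dst, lanes 2 and 3
    from src; each 2-bit field of imm (bits 1:0 for lane 0, ...) selects the lane."""
    sel = [(imm >> (2 * i)) & 3 for i in range(4)]
    return [dst[sel[0]], dst[sel[1]], src[sel[2]], src[sel[3]]]

def vector_length_sse(v: Vec) -> float:
    """Replays mulps / movss / shufps 09 / addss / shufps 09 / addss / sqrtss.
    The fourth lane takes part in the shuffles but never reaches the sum."""
    xmm1 = [x * x for x in v]            # mulps xmm1,xmm1: squares of all four lanes
    xmm2 = [xmm1[0], 0.0, 0.0, 0.0]      # movss xmm2,xmm1: low lane only (upper lanes unused here)
    xmm1 = shufps(xmm1, xmm1, 0x09)      # [x1^2, x2^2, x0^2, x0^2]
    xmm2[0] += xmm1[0]                   # addss xmm2,xmm1: + x1^2
    xmm1 = shufps(xmm1, xmm1, 0x09)      # [x2^2, x0^2, x1^2, x1^2]
    xmm2[0] += xmm1[0]                   # addss xmm2,xmm1: + x2^2
    return math.sqrt(xmm2[0])            # sqrtss: length of the 3-D vector in the low lane

def buffed_delta(speed: Vec, delta: Vec, mult: float, limit: float) -> Optional[Vec]:
    """Mirrors the script's decision. Returns the three floats it would write back
    to the delta vector, or None where it branches to doNothing."""
    xmm0 = [mult, 0.0, 0.0, 0.0]                      # movss xmm0,[multiplyBy] zeroes the upper lanes
    xmm0 = shufps(xmm0, xmm0, 0x00)                   # shufps xmm0,xmm0,00: broadcast the multiplier
    xmm0 = [a * b for a, b in zip(xmm0, delta)]       # mulps xmm0,xmm1: scaled delta vector
    original = vector_length_sse(speed)               # |speed|
    buffed = vector_length_sse([s + d for s, d in zip(speed, xmm0)])  # |speed + scaled delta|
    if buffed < original:                             # jb doNothing: vehicle is slowing down
        return None
    if buffed > limit:                                # ja doNothing: would exceed the user limit
        return None
    return xmm0[:3]                                   # movq writes lanes 0-1, movhlps+movss writes lane 2
```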
shadowpt Advanced Cheater
Posted: Sun Jul 21, 2013 7:42 am
That one doesn't crash, but it doesn't do anything special either.
I changed the values to higher ones so I could notice a change, and all I could tell was the vehicle getting higher? It is as if the suspension got buffed or something like that, or the vertical movements got exaggerated a bit.
But so far no speed increase; the vehicle still drives like before.
EDIT: I tried with another vehicle that has higher speed and it does something after a certain speed is reached, it switches the velocity faster but the overall final velocity is still the same.
It is very similar to what I reported here http://forum.cheatengine.org/viewtopic.php?p=5485599#5485599
mgr.inz.Player I post too much
Posted: Mon Jul 22, 2013 12:31 pm
PM sent.
shadowpt Advanced Cheater
Posted: Tue Jul 23, 2013 10:46 pm
Hey there, just wanted to tell you that I have found an identifier for the esi values!!!
My vehicle always has the float -16 @ [ESI+D4]. I have compared it with other vehicles that aren't mine, enemy and friendly vehicles; they all have 0 and I have -16 at that ESI location.
This is true for the esi+94, 98 and 9C
I have also found the addresses that hold the delta values, changing them does affect my velocity, BIG time so I have to use small values.
Sadly they have no pointers, I went up to 5 levels and zip, nothing. All my other pointers don't go higher than 4 levels so I assume that these addresses are dynamic placeholders for temporary math results which go away once I get a new vehicle.
I am learning so much thanks to your help, guys.
Edit: Corrected esi-d4 to esi+d4 plus more text below
My problem now is, how do I filter it?
Can I do this?
Code:
newmem:
cmp dword ptr [esi+d4],-16
jne originalcode
sub esp,04
mov [esp],(float)2.0
movss xmm9,[esi+0000094]
mulss xmm9,(float)1.015
movss [esi+0000094],xmm9
add esp,04
originalcode:
addss xmm0,[esi+00000094]
daspamer Grandmaster Cheater Supreme
Posted: Tue Jul 23, 2013 11:12 pm
it's float, right?
Then use
cmp [esi+d4],(float)-16.00
shadowpt Advanced Cheater
Posted: Tue Jul 23, 2013 11:17 pm
DaSpamer wrote:
    it's float, right?
    Then use
    cmp [esi+d4],(float)-16.00
That is correct, it is a float value; I wasn't sure whether I could compare it directly via dword ptr or without.
And the rest, is it right? My intention is to multiply the current value at esi+0000094 before it is used by the original code.
Edit: well that didn't work as I expected, I used
Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem:
cmp [esi+d4],(float)-16.00
jne originalcode
sub esp,04
mov [esp],(float)1.001
movss xmm2,[esi+00000094]
mulss xmm2,[esp]
movss [esi+00000094],xmm2
add esp,04
originalcode:
addss xmm0,[esi+00000094]
exit:
jmp returnhere
Phys_x86.dll+1D7C4D:
jmp newmem
returnhere:
[DISABLE]
dealloc(newmem)
Phys_x86.dll+1D7C4D:
addss xmm0,[esi+00000094]
And when I activate the script, the opcode turns from this
Code:
addss xmm0,[esi+00000094]
to this
Code:
jmp 06070000
add [eax],al
add bl,dh
And eventually the game crashes... Why do those 2 lines show up? Am I using wrong sizes somewhere?
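The stray `add [eax],al` / `add bl,dh` lines asked about above are a hook-size effect: `jmp newmem` assembles to a 5-byte `E9 rel32`, while `addss xmm0,[esi+00000094]` is an 8-byte instruction, so three bytes of the original (the high zero bytes of the disp32) stay behind and get disassembled, and executed on return, as ADD r/m8,r8. This added Python example (not from the thread; the encodings are standard x86 and are constructed here, not read from the game, and the function names are chosen for this example) works out the leftover bytes, what zero bytes decode to, and how many `nop` lines would pad the site so `returnhere` lands on the next real instruction.

```python
# Constructed encodings for the two instructions the thread hooks (standard x86
# encodings, not bytes read from the game). F3 0F 10 40 30 is the movss that the
# first post's [DISABLE] section restores; the addss uses a disp32 form.
MOVSS_XMM0_EAX30 = bytes.fromhex("F30F104030")        # movss xmm0,[eax+30]        5 bytes
ADDSS_XMM0_ESI94 = bytes.fromhex("F30F588694000000")  # addss xmm0,[esi+00000094]  8 bytes
JMP_REL32_LEN = 5                                      # E9 rel32, written by "jmp newmem"

REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def plan_hook(original: bytes, jmp_len: int = JMP_REL32_LEN):
    """The jmp overwrites only jmp_len bytes of `original`; the rest stays in
    memory and runs when the hook returns, unless the script pads it.
    Returns (stray bytes, number of NOP lines needed to pad them)."""
    if len(original) < jmp_len:
        raise ValueError("hook site shorter than the jmp; more instructions must be taken")
    stray = original[jmp_len:]
    return stray, len(stray)

def patched_site(original: bytes, rel32: int) -> bytes:
    """Bytes left in memory after `jmp newmem` is written over `original` with no
    NOP padding: the 5-byte jmp followed by the stray tail of the old instruction."""
    jmp = bytes([0xE9]) + rel32.to_bytes(4, "little", signed=True)
    return jmp + original[JMP_REL32_LEN:]

def decode_add_rm8_r8(pair: bytes) -> str:
    """Decodes opcode 00 /r (ADD r/m8, r8), the only thing zero padding can form:
    00 00 is add [eax],al; 00 F3 (a following F3 prefix byte) is add bl,dh."""
    if len(pair) != 2 or pair[0] != 0x00:
        raise ValueError("not an ADD r/m8,r8 encoding")
    mod, reg, rm = pair[1] >> 6, (pair[1] >> 3) & 7, pair[1] & 7
    if mod == 3:                                   # register-direct: r/m is a register
        return f"add {REG8[rm]},{REG8[reg]}"
    if mod == 0 and rm not in (4, 5):              # [reg] with no SIB byte and no displacement
        return f"add [{REG32[rm]}],{REG8[reg]}"
    raise ValueError("form with SIB or displacement not handled")
```

With `ADDSS_XMM0_ESI94` the plan is three stray `00` bytes, so three `nop` lines after `jmp newmem`; hooking at the 5-byte movss instead leaves nothing behind, which is why the first post's script hooks there.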
shadowpt Advanced Cheater
Posted: Sat Jul 27, 2013 10:02 pm
I think the problem might be that I am replacing the wrong opcode; maybe the best way is to go like this:
Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem:
cmp [esi+d4],(float)-16.00
jne originalcode
sub esp,04
mov [esp],(float)1.001
movss xmm2,[esi+00000094]
mulss xmm2,[esp]
movss [esi+00000094],xmm2
add esp,04
originalcode:
exit:
jmp returnhere
Phys_x86.dll+1D7C48:
movss xmm0,[eax+30]
jmp newmem
returnhere:
[DISABLE]
dealloc(newmem)
Phys_x86.dll+1D7C48:
movss xmm0,[eax+30]
This way I still change the delta before it is used by addss xmm0,[esi+00000094] or at least I think it will, hopefully. Will test it out and see how it goes.
Although I am still confused about the sub esp,04; I don't understand how the variables are being accounted for.