danpuz (Newbie cheater, Reputation: 0, Joined: 29 Mar 2015, Posts: 18)
Posted: Tue Sep 29, 2015 10:39 am    Post subject: Change a specific amount to a float value in assembly
In the game "Hammer Heads Deluxe" I want to add 1000 points to the score (which is a double type) every time I hit a gnome.
Here's the code:
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
originalcode:
fstp qword ptr [eax+ecx*8] //here I want to add 1000
call HammerHeads.exe+2D570
exit:
jmp returnhere
"HammerHeads.exe"+2F2DC:
jmp newmem
nop
nop
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"HammerHeads.exe"+2F2DC:
fstp qword ptr [eax+ecx*8]
call HammerHeads.exe+2D570
//Alt: db DD 1C C8 E8 8C E2 FF FF
How can I add 1000 points to the score?
Also, the script runs every time I hit a gnome.
deama1234 (Master Cheater, Reputation: 3, Joined: 20 Dec 2014, Posts: 328)
Posted: Tue Sep 29, 2015 11:38 am
You'll have to find the score's accessor and reference it in this script.
So, find what accesses your score, then allocate some memory for a variable like "[score]"; then copy the address of the score over to [score].
Go back to this script, and now you can reference your score by copying the address where the score is located to a register and modifying the value of that register.
danpuz (Newbie cheater, Reputation: 0, Joined: 29 Mar 2015, Posts: 18)
Posted: Tue Sep 29, 2015 12:04 pm
My question is how to do it, because when I try this code:
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
originalcode:
fadd qword ptr #1000 // this is what I tried to do
fstp qword ptr [eax+ecx*8]
call HammerHeads.exe+2D570
exit:
jmp returnhere
"HammerHeads.exe"+2F2DC:
jmp newmem
nop
nop
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"HammerHeads.exe"+2F2DC:
fstp qword ptr [eax+ecx*8]
call HammerHeads.exe+2D570
//Alt: db DD 1C C8 E8 8C E2 FF FF
It says that the code cannot be injected.
What can I write instead?
ParkourPenguin (I post too much, Reputation: 152, Joined: 06 Jul 2014, Posts: 4703)
Posted: Tue Sep 29, 2015 2:45 pm
Floating point numbers work differently from normal integers. In this case, you have to push the double value 1000 onto the FPU register stack, then add it to the next thing on the stack (I'm assuming this is the score), pop 1000 off of the stack (faddp does this automatically), then store the score back into its address (what the original code did with fstp).
I also cleaned up your code a bit. Hope you don't mind.
Code:
[ENABLE]
alloc(newmem,2048)
alloc(num,8)
label(returnhere)
num:
dq (double)1000
newmem:
fld qword ptr [num]
faddp
fstp qword ptr [eax+ecx*8]
call HammerHeads.exe+2D570
jmp returnhere
"HammerHeads.exe"+2F2DC:
jmp newmem
nop
nop
nop
returnhere:
[DISABLE]
dealloc(newmem)
dealloc(num)
"HammerHeads.exe"+2F2DC:
fstp qword ptr [eax+ecx*8]
call HammerHeads.exe+2D570
//Alt: db DD 1C C8 E8 8C E2 FF FF
If this doesn't work, please post the assembly around "HammerHeads.exe"+2F2DC, preferably starting 10-20 lines before it.
I don't know where I'm going, but I'll figure it out when I get there.
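The x87 behaviour ParkourPenguin describes, replayed on a small register-stack model. This is an added example, not code from the thread or from Cheat Engine. The point value 250, the score address and the "leaky" variant are constructed; the instruction semantics (fild and fld push, faddp adds and pops, fstp stores and pops, the stack holds eight registers and overflows into a NaN) are the real ones. The point it makes is the one a hook writer has to check: an injected sequence must leave the FPU stack exactly as deep as the instruction it replaced, otherwise the game works for seven hits and then starts storing NaN.

```python
import math

# Constructed sample inputs (not values from the thread): the integer the game
# passes in [esp+08] for one gnome, and an address standing in for eax+ecx*8.
SCORE_POINTS = 250
SCORE_ADDR = 0x0C401234
NUM = 1000.0               # the double that `dq (double)1000` places at [num]


class X87Stack:
    """Model of the eight-register x87 stack; regs[-1] is ST(0).

    Only the instruction forms used in the thread are modelled. Pushing onto a
    full stack follows the hardware stack-fault rule: the oldest register is
    clobbered, the pushed value becomes the real indefinite (a NaN) and the
    invalid-operation condition is recorded.
    """

    DEPTH = 8

    def __init__(self):
        self.regs = []
        self.stack_fault = False
        self.memory = {}       # address -> stored double

    def _push(self, value):
        if len(self.regs) >= self.DEPTH:
            self.stack_fault = True
            self.regs.pop(0)
            value = math.nan
        self.regs.append(value)

    def fild(self, int_value):
        """FILD m32int: push the integer converted to double."""
        self._push(float(int(int_value)))

    def fld(self, value):
        """FLD m64fp: push a double."""
        self._push(value)

    def faddp(self):
        """FADDP with no operands: ST(1) = ST(1) + ST(0), then pop."""
        top = self.regs.pop()
        self.regs[-1] += top

    def fstp_mem(self, address):
        """FSTP m64fp: store ST(0) to memory and pop."""
        self.memory[address] = self.regs.pop()


def original(fpu, points):
    """The unhooked function: fild dword ptr [esp+08] ... fstp qword ptr [eax+ecx*8]."""
    fpu.fild(points)
    fpu.fstp_mem(SCORE_ADDR)


def hook_add_1000(fpu, points):
    """The script above: fld [num]; faddp; fstp [eax+ecx*8], run after the game's fild."""
    fpu.fild(points)
    fpu.fld(NUM)
    fpu.faddp()
    fpu.fstp_mem(SCORE_ADDR)


def hook_leaky(fpu, points):
    """Hypothetical mistake (not from the thread): fld [num] then the original
    fstp, so the game's own value is never popped. Each hit leaves one register
    behind and the stack overflows on the eighth hit."""
    fpu.fild(points)
    fpu.fld(NUM)
    fpu.fstp_mem(SCORE_ADDR)


def replay(sequence, hits, points=SCORE_POINTS):
    """Run `hits` gnome hits through `sequence` on a fresh FPU.

    Returns (last stored score, registers left on the stack, hit number of the
    first stack fault or None). A correct hook leaves the stack at depth 0
    after every hit, exactly as the original fstp did.
    """
    fpu = X87Stack()
    first_fault = None
    for hit in range(1, hits + 1):
        sequence(fpu, points)
        if fpu.stack_fault and first_fault is None:
            first_fault = hit
    return fpu.memory[SCORE_ADDR], len(fpu.regs), first_fault


if __name__ == "__main__":
    for seq in (original, hook_add_1000, hook_leaky):
        stored, depth, fault = replay(seq, 10)
        print(f"{seq.__name__:14s} stored={stored:<8} leftover={depth} first_fault={fault}")
```

Running it shows the original and the faddp script both end every hit at depth 0, while the leaky variant accumulates one register per hit until the eighth hit stores NaN into the score. The same check applies to any hook that touches x87 or SSE state: count pushes against pops before injecting, not after the target crashes.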
danpuz (Newbie cheater, Reputation: 0, Joined: 29 Mar 2015, Posts: 18)
Posted: Tue Sep 29, 2015 3:13 pm
It worked, but after a few hits the game crashed.
Here's the assembly:
Code:
HammerHeads.exe+2F2AE - CC - int 3
HammerHeads.exe+2F2AF - CC - int 3
HammerHeads.exe+2F2B0 - 8B 01 - mov eax,[ecx]
HammerHeads.exe+2F2B2 - DB 44 24 08 - fild dword ptr [esp+08]
HammerHeads.exe+2F2B6 - 8B 4C 24 04 - mov ecx,[esp+04]
HammerHeads.exe+2F2BA - 8D 04 C8 - lea eax,[eax+ecx*8]
HammerHeads.exe+2F2BD - DC 00 - fadd qword ptr [eax]
HammerHeads.exe+2F2BF - 6A 00 - push 00
HammerHeads.exe+2F2C1 - DD 18 - fstp qword ptr [eax]
HammerHeads.exe+2F2C3 - E8 A8E2FFFF - call HammerHeads.exe+2D570
HammerHeads.exe+2F2C8 - 59 - pop ecx
HammerHeads.exe+2F2C9 - C2 0800 - ret 0008
HammerHeads.exe+2F2CC - CC - int 3
HammerHeads.exe+2F2CD - CC - int 3
HammerHeads.exe+2F2CE - CC - int 3
HammerHeads.exe+2F2CF - CC - int 3
HammerHeads.exe+2F2D0 - 8B 01 - mov eax,[ecx]
HammerHeads.exe+2F2D2 - DB 44 24 08 - fild dword ptr [esp+08]
HammerHeads.exe+2F2D6 - 8B 4C 24 04 - mov ecx,[esp+04]
HammerHeads.exe+2F2DA - 6A 00 - push 00
HammerHeads.exe+2F2DC - DD 1C C8 - fstp qword ptr [eax+ecx*8]
HammerHeads.exe+2F2DF - E8 8CE2FFFF - call HammerHeads.exe+2D570
HammerHeads.exe+2F2E4 - 59 - pop ecx
HammerHeads.exe+2F2E5 - C2 0800 - ret 0008
HammerHeads.exe+2F2E8 - CC - int 3
HammerHeads.exe+2F2E9 - CC - int 3
HammerHeads.exe+2F2EA - CC - int 3
HammerHeads.exe+2F2EB - CC - int 3
HammerHeads.exe+2F2EC - CC - int 3
HammerHeads.exe+2F2ED - CC - int 3
HammerHeads.exe+2F2EE - CC - int 3
HammerHeads.exe+2F2EF - CC - int 3
HammerHeads.exe+2F2F0 - 8B 01 - mov eax,[ecx]
HammerHeads.exe+2F2F2 - 8B 4C 24 04 - mov ecx,[esp+04]
HammerHeads.exe+2F2F6 - DD 04 C8 - fld qword ptr [eax+ecx*8]
EDIT: Also, I forgot to mention that every time I hit a gnome, I get different points depending on the type of gnome I hit.
The code you gave me gives 1000 + the points for the type of gnome I hit.
I wanted to get 1000 points for every type of gnome I hit.
ParkourPenguin (I post too much, Reputation: 152, Joined: 06 Jul 2014, Posts: 4703)
Posted: Tue Sep 29, 2015 4:11 pm
That instruction (fstp qword ptr [eax+ecx*8]) is probably accessing other addresses besides the one that has your score.
To verify this, right click on that instruction in the memory view and select "Find out what addresses this instruction accesses". Play around in the game for a bit and see if any addresses besides your score come up.
If other addresses do pop up, then you'd need a way of distinguishing when this is modifying your score vs when it's modifying the other random addresses. A static reference to your score would be great since you could simply compare the addresses.
If you can find one, please post the base pointer's address as well as its offsets in order from the closest to the pointer's address to the closest to the score's address. If you can't find a static reference, then step 9 of the CE tutorial is where you should look next.
EDIT: Oh. This script should do that:
Code:
[ENABLE]
alloc(newmem,2048)
alloc(num,8)
label(returnhere)
num:
dq (double)1000
newmem:
fstp st(0)
fld qword ptr [num]
fstp qword ptr [eax+ecx*8]
call HammerHeads.exe+2D570
jmp returnhere
"HammerHeads.exe"+2F2DC:
jmp newmem
nop
nop
nop
returnhere:
[DISABLE]
dealloc(newmem)
dealloc(num)
"HammerHeads.exe"+2F2DC:
fstp qword ptr [eax+ecx*8]
call HammerHeads.exe+2D570
//Alt: db DD 1C C8 E8 8C E2 FF FF
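What the [ENABLE] and [DISABLE] blocks of the script above actually do to memory, as an added example that is not code from the thread or from Cheat Engine. The hook site (+2F2DC), the call target (+2D570) and the original bytes (the //Alt: line, DD 1C C8 E8 8C E2 FF FF) come from the thread; the image base 0x00400000 and the addresses returned by alloc(newmem,2048) and alloc(num,8) are assumptions. It builds the 5-byte jmp plus 3 nops that overwrite exactly the 3-byte fstp and 5-byte call, re-encodes the relocated call so its rel32 still reaches +2D570 from inside newmem (the original E8 bytes cannot be copied verbatim), emits the stub for the set-to-1000 sequence, and refuses to patch or restore unless the bytes at the site are the ones it expects.

```python
import struct

IMAGE_BASE = 0x00400000          # assumption: load address of HammerHeads.exe (no ASLR)
HOOK_RVA = 0x2F2DC               # hook site from the script: "HammerHeads.exe"+2F2DC
CALL_RVA = 0x2D570               # call target from the script: HammerHeads.exe+2D570
ORIGINAL_BYTES = bytes.fromhex("DD1CC8E88CE2FFFF")  # //Alt: fstp qword ptr [eax+ecx*8]; call +2D570
NEWMEM = 0x0D500000              # assumption: address that alloc(newmem,2048) returned
NUM = 0x0D501000                 # assumption: address that alloc(num,8) returned

INSN_LENGTHS = (3, 5)            # fstp qword ptr [eax+ecx*8] is 3 bytes, call rel32 is 5


def rel32_target(code, at):
    """Absolute target of an E8 (call) / E9 (jmp) rel32 instruction whose first byte is at `at`."""
    if len(code) < 5 or code[0] not in (0xE8, 0xE9):
        raise ValueError("not a rel32 call/jmp")
    return at + 5 + struct.unpack_from("<i", code, 1)[0]


def rel32_insn(opcode, at, target):
    """Encode an E8/E9 rel32 instruction placed at `at` that reaches `target`."""
    rel = target - (at + 5)
    if not -2**31 <= rel < 2**31:
        raise ValueError("target out of rel32 range")
    return bytes([opcode]) + struct.pack("<i", rel)


def enable_patch(current, hook_addr=IMAGE_BASE + HOOK_RVA, newmem=NEWMEM):
    """Bytes to write at the hook site: jmp newmem, padded with nops.

    Refuses to patch unless the site still holds the expected original bytes,
    and checks that the overwritten span ends on an instruction boundary
    (3 + 5 = 8), so execution resuming at `returnhere` lands on a whole instruction.
    """
    if current != ORIGINAL_BYTES:
        raise ValueError("hook site does not hold the expected bytes; refusing to patch")
    if sum(INSN_LENGTHS) != len(ORIGINAL_BYTES) or len(ORIGINAL_BYTES) < 5:
        raise ValueError("patch span would split an instruction")
    jmp = rel32_insn(0xE9, hook_addr, newmem)
    return jmp + b"\x90" * (len(ORIGINAL_BYTES) - len(jmp))


def newmem_code(newmem=NEWMEM, num=NUM, hook_addr=IMAGE_BASE + HOOK_RVA,
                call_target=IMAGE_BASE + CALL_RVA):
    """Machine code for the set-to-1000 stub, with the call and the jmp back
    re-encoded relative to the addresses they occupy inside newmem."""
    code = bytes.fromhex("DDD8")                                # fstp st(0)
    code += bytes.fromhex("DD05") + struct.pack("<I", num)      # fld qword ptr [num]
    code += bytes.fromhex("DD1CC8")                             # fstp qword ptr [eax+ecx*8]
    code += rel32_insn(0xE8, newmem + len(code), call_target)   # call HammerHeads.exe+2D570
    code += rel32_insn(0xE9, newmem + len(code),
                       hook_addr + len(ORIGINAL_BYTES))         # jmp returnhere
    return code


def num_bytes(value=1000.0):
    """What `dq (double)1000` emits: IEEE 754 binary64, little-endian."""
    return struct.pack("<d", value)


def disable_patch(current, hook_addr=IMAGE_BASE + HOOK_RVA, newmem=NEWMEM):
    """Bytes to write back on [DISABLE], only if the site still holds our jmp."""
    if current != enable_patch(ORIGINAL_BYTES, hook_addr, newmem):
        raise ValueError("hook site was changed by something else; not restoring")
    return ORIGINAL_BYTES


if __name__ == "__main__":
    hook = IMAGE_BASE + HOOK_RVA
    print("original call resolves to  ", hex(rel32_target(ORIGINAL_BYTES[3:], hook + 3)))
    print("byte-copied call would hit ", hex(rel32_target(ORIGINAL_BYTES[3:], NEWMEM + 11)))
    print("enable patch:", enable_patch(ORIGINAL_BYTES).hex(" "))
    print("newmem stub: ", newmem_code().hex(" "))
    print("num:         ", num_bytes().hex(" "))
```

Decoding the original E8 8C E2 FF FF at +2F2DF gives +2D570, which matches the disassembly posted above; decoding the same bytes at their new position in newmem does not, which is why the auto-assembler re-encodes `call HammerHeads.exe+2D570` rather than copying bytes. The byte comparison before writing is the check the thread's script does not do: if the site has been changed since the script was written (a different build, or another tool already hooked it), writing the jmp blindly produces exactly the kind of crash reported above.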