Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


I need help with AOB template

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Discussions
View previous topic :: View next topic  
Author Message
peddroelm
Advanced Cheater
Reputation: 0

Joined: 03 Oct 2014
Posts: 55

Posted: Fri Dec 29, 2017 4:51 am    Post subject: I need help with AOB template

Context:

I want to (log) print Attacker's Attack Power stat (and entity memory address lacking Name info) each time it performs an attack. (The actual damage logging is performed by a different similar LUA function triggered by another AOB scan .. )

My current problem is:
- all attacks start doing only 1 damage with this script Enabled (printed AP value in Lua function is OK)
- it turns the game unstable and relatively quickly crashes it


Script below:

Code:

[ENABLE]

loadlibrary(luaclient-x86_64.dll)
luacall(openLuaServer('CELUASERVER'))

CELUA_ServerName:
db 'CELUASERVER',0

{$lua}

if syntaxcheck then return end

print("iz on");

function logAttack(params)

local AP = readFloat(params);

print(string.format("Attacker's AP: %5.2f", AP));
end

{$asm}


aobscan(ReadAPBeforeAttack,F3 0F 10 81 D4 00 00 00 F3 0F 5A C0 F2 0F 5A E8 F3 0F 11 AD) // should be unique
alloc(newmem,$1000,38E49064)
alloc(LUA_attackScript,$1000)
alloc(logParams,$1000) // some memory space to pass parameters to lua function

label(code)
label(return)

LUA_attackScript:
 db 'logAttack(parameter)',0

newmem:

push r8 // save off all registers we might muck up
push r9
push r10
push r11
push rbx
push rcx
push rdx
push rax

movss xmm0,[rcx+000000D4]  // original instruction

mov r8, [rcx+000000D4]
mov [logParams], r8 //  value about to be written
mov [logParams+100], rcx // pointer to Entity Data structure

mov rcx, LUA_attackScript  // our custom lua function
mov rdx, logParams // parameters to be read by lua function

sub rsp, 0x28 // win 10 stack alignment something
call CELUA_ExecuteFunction // the Lua function call
add rsp, 0x28

pop rax
pop rdx
pop rcx
pop rbx
pop r11
pop r10
pop r9
pop r8

code:
  jmp return


ReadAPBeforeAttack:
  jmp newmem
  nop
  nop
  nop


return:
registersymbol(ReadAPBeforeAttack)

[DISABLE]

ReadAPBeforeAttack:
  db F3 0F 10 81 D4 00 00 00

unregistersymbol(ReadAPBeforeAttack)
dealloc(LUA_attackScript)
dealloc(logParams)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 38E49064

""+38E4903B: 48 8B 85 E0 F6 FF FF           -  mov rax,[rbp-00000920]
""+38E49042: 83 38 00                       -  cmp dword ptr [rax],00
""+38E49045: 48 8B 85 E0 F6 FF FF           -  mov rax,[rbp-00000920]
""+38E4904C: 48 8B 40 18                    -  mov rax,[rax+18]
""+38E49050: 48 8B 4E 18                    -  mov rcx,[rsi+18]
""+38E49054: 48 8B D1                       -  mov rdx,rcx
""+38E49057: 83 3A 00                       -  cmp dword ptr [rdx],00
""+38E4905A: 48 8B 49 18                    -  mov rcx,[rcx+18]
""+38E4905E: 48 8B D1                       -  mov rdx,rcx
""+38E49061: 83 3A 00                       -  cmp dword ptr [rdx],00
// ---------- INJECTING HERE ----------
""+38E49064: F3 0F 10 81 D4 00 00 00        -  movss xmm0,[rcx+000000D4]
// ---------- DONE INJECTING  ----------
""+38E4906C: F3 0F 5A C0                    -  cvtss2sd xmm0,xmm0
""+38E49070: F2 0F 5A E8                    -  cvtsd2ss xmm5,xmm0
""+38E49074: F3 0F 11 AD A4 F6 FF FF        -  movss [rbp-0000095C],xmm5
""+38E4907C: F3 0F 10 85 A4 F6 FF FF        -  movss xmm0,[rbp-0000095C]
""+38E49084: F3 0F 5A C0                    -  cvtss2sd xmm0,xmm0
""+38E49088: 48 8B C8                       -  mov rcx,rax
""+38E4908B: BA 40 12 C4 2E                 -  mov edx,2EC41240
""+38E49090: F2 0F 10 D0                    -  movsd xmm2,xmm0
""+38E49094: F2 0F 5A D2                    -  cvtsd2ss xmm2,xmm2
""+38E49098: 48 83 EC 20                    -  sub rsp,20
}
Dark Byte
Site Admin
Reputation: 352

Joined: 09 May 2003
Posts: 20511
Location: The netherlands

Posted: Fri Dec 29, 2017 5:04 am

First replace
Code:

alloc(newmem,$1000,38E49064)

with
Code:

alloc(newmem,$1000,ReadAPBeforeAttack)


Are you sure it's sub rsp,28 there? I see from the original code that the stack is already aligned, and you have an even number of pushes, so I think sub rsp,20 / add rsp,20 is better here.

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
peddroelm
Advanced Cheater
Reputation: 0

Joined: 03 Oct 2014
Posts: 55

Posted: Fri Dec 29, 2017 5:48 am

The sub rsp,28 is time tested over many hours of testing over multiple machines and testers: 28 for Win 10, 20 for Win 7.
Code:

{$lua}
   getSettings('andromeda').Value['enableWindows7Compatibility'] = 1;
   writeInteger('stackAlignmentOffset', 0x20);

[DISABLE]
{$lua}
   getSettings('andromeda').Value['enableWindows7Compatibility'] = 0;
   writeInteger('stackAlignmentOffset', 0x28);



I also have this script on the table and it works quite well

Code:
{$asm}

aobscan(DamageOne,F3 0F 11 6E 78 48 8B 75) // should be unique
alloc(newmem,$1000,DamageOne)
alloc(LUA_HP_DamageScript,$1000)
alloc(logHPParams,$1000) // some memory space to pass parameters to lua function

label(code)
label(return)

LUA_HP_DamageScript:
 db 'logHPChange(parameter)',0

newmem:
push r8 // save off all registers we might muck up
push r9
push r10
push r11
push rcx
push rdx
push rax

movss [logHPParams], xmm5 // damage value about to be written

mov r8, [rsi+78]
mov [logHPParams+4], r8 // hit point value before damage

mov [logHPParams+100], rsi // pointer to Entity Data structure

//movss [rsi+78],xmm5  // original instruction

mov rcx, LUA_HP_DamageScript  // our custom lua function
mov rdx, logHPParams // parameters to be read by lua function

sub rsp, 0x28 // win 10 stack alignment something
call CELUA_ExecuteFunction // the call
add rsp, 0x28

pop rax
pop rdx
pop rcx
pop r11
pop r10
pop r9
pop r8

code:
  jmp return

DamageOne:
  jmp newmem
return:
registersymbol(DamageOne)

[DISABLE]

DamageOne:
  db F3 0F 11 6E 78

unregistersymbol(DamageOne)
dealloc(newmem)
dealloc(LUA_HP_DamageScript)
dealloc(logHPParams)


{
// ORIGINAL CODE - INJECTION POINT: 23EB0172

""+23EB0145: F3 0F 5A D2                    -  cvtss2sd xmm2,xmm2
""+23EB0149: F2 0F 5A D2                    -  cvtsd2ss xmm2,xmm2
""+23EB014D: F2 0F 5A C9                    -  cvtsd2ss xmm1,xmm1
""+23EB0151: F2 0F 5A C0                    -  cvtsd2ss xmm0,xmm0
""+23EB0155: 48 83 EC 20                    -  sub rsp,20
""+23EB0159: 49 BB A0 6B 8F 06 00 00 00 00  -  mov r11,00000000068F6BA0
""+23EB0163: 41 FF D3                       -  call r11
""+23EB0166: 48 83 C4 20                    -  add rsp,20
""+23EB016A: F3 0F 5A C0                    -  cvtss2sd xmm0,xmm0
""+23EB016E: F2 0F 5A E8                    -  cvtsd2ss xmm5,xmm0
// ---------- INJECTING HERE ----------
""+23EB0172: F3 0F 11 6E 78                 -  movss [rsi+78],xmm5
// ---------- DONE INJECTING  ----------
""+23EB0177: 48 8B 75 F8                    -  mov rsi,[rbp-08]
""+23EB017B: C9                             -  leave
""+23EB017C: C3                             -  ret
""+23EB017D: 00 00                          -  add [rax],al
""+23EB017F: 00 00                          -  add [rax],al
""+23EB0181: 00 00                          -  add [rax],al
""+23EB0183: 00 6D 00                       -  add [rbp+00],ch
""+23EB0186: 00 00                          -  add [rax],al
""+23EB0188: 7C 00                          -  jl 23EB018A
""+23EB018A: 00 00                          -  add [rax],al
}
Dark Byte
Site Admin
Reputation: 352

Joined: 09 May 2003
Posts: 20511
Location: The netherlands

Posted: Fri Dec 29, 2017 8:28 am

That script with the uneven pushes will require 28, yes, but with 8 it should be 20.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
peddroelm
Advanced Cheater
Reputation: 0

Joined: 03 Oct 2014
Posts: 55

Posted: Fri Dec 29, 2017 9:10 am

Both scripts have an even number of pushes.

Somebody suggested my script might perhaps somehow alter one of the xmm registers. So I should maybe try and back up and restore them too?
How?
Dark Byte
Site Admin
Reputation: 352

Joined: 09 May 2003
Posts: 20511
Location: The netherlands

Posted: Sat Dec 30, 2017 3:32 am

Use movaps to store the previous xmm registers.

Also, try stepping over the call and check which xmm registers change, so you can save only those.

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
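Dark Byte's two suggestions worked into the first script's hook, as an added example that is not code from the thread: the six caller-saved xmm registers are parked on the stack with movaps and restored after the Lua call, the original movss runs only after that restore, and newmem is allocated near the symbol rather than the hard-coded address. It assumes, as Dark Byte reads from the original code, that rsp is 16-byte aligned at the injection point; the aobscan, the other allocs, the labels, the jmp trampoline and the [DISABLE] block stay exactly as in the posted script.

```asm
alloc(newmem,$1000,ReadAPBeforeAttack)  // near the hook, not a hard-coded address

newmem:
  push r8        // 8 pushes = 64 bytes, so rsp keeps the 16-byte alignment it
  push r9        // has at the injection point (assumed, per Dark Byte's reading)
  push r10
  push r11
  push rbx
  push rcx
  push rdx
  push rax
  sub rsp,80     // 60h for six 16-byte xmm slots + 20h shadow space; 80h keeps rsp aligned
  movaps [rsp+20],xmm0   // xmm0-xmm5 are caller-saved in the Microsoft x64 ABI, so the
  movaps [rsp+30],xmm1   // Lua server call may clobber any of them; movaps needs an
  movaps [rsp+40],xmm2   // aligned slot, which the 80h frame guarantees
  movaps [rsp+50],xmm3
  movaps [rsp+60],xmm4
  movaps [rsp+70],xmm5

  mov r8,[rcx+000000D4]
  mov [logParams],r8         // AP bits for logAttack to readFloat
  mov [logParams+100],rcx    // pointer to the entity data structure

  mov rcx,LUA_attackScript
  mov rdx,logParams
  call CELUA_ExecuteFunction // [rsp..rsp+1F] is the callee's shadow space

  movaps xmm5,[rsp+70]       // restore in reverse order, then drop the frame
  movaps xmm4,[rsp+60]
  movaps xmm3,[rsp+50]
  movaps xmm2,[rsp+40]
  movaps xmm1,[rsp+30]
  movaps xmm0,[rsp+20]
  add rsp,80
  pop rax
  pop rdx
  pop rcx
  pop rbx
  pop r11
  pop r10
  pop r9
  pop r8

code:
  movss xmm0,[rcx+000000D4]  // original instruction, run last so xmm0 holds the AP the game expects
  jmp return
```

If the hooked instruction can be reached from several threads at once, the stack slots are private to each thread but logParams is shared between them, so a log line can still be overwritten before the Lua side reads it.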
peddroelm
Advanced Cheater
Reputation: 0

Joined: 03 Oct 2014
Posts: 55

Posted: Sat Dec 30, 2017 7:59 am

I will try that when I get back to it (hopefully) in a few days.