Cheat Engine The Official Site of Cheat Engine
Turkeychopio Cheater
Reputation: 0
Joined: 06 Aug 2014 Posts: 36
Posted: Tue Jan 29, 2019 9:49 am Post subject: Writing a value when disabling code
Hey,
I'm working on a walk-through-wall hack of sorts for Resident Evil 2 Remake.
In this case, rdi+30 is my X axis and here is the snippet of how it's updated:
Code:
re2.exe+F7284C5 - F3 0F11 57 30 - movss [rdi+30],xmm2
re2.exe+F7284CA - F3 0F11 4F 34 - movss [rdi+34],xmm1
re2.exe+F7284CF - F3 0F11 47 38 - movss [rdi+38],xmm0
Elsewhere:
Code:
re2.exe+EE0D3DF - 41 8B 06 - mov eax,[r14]
re2.exe+EE0D3E2 - 89 47 30 - mov [rdi+30],eax
re2.exe+EE0D3E5 - 41 8B 46 04 - mov eax,[r14+04]
re2.exe+EE0D3E9 - 89 47 34 - mov [rdi+34],eax
re2.exe+EE0D3EC - 41 8B 46 08 - mov eax,[r14+08]
re2.exe+EE0D3F0 - 89 47 38 - mov [rdi+38],eax
When I nop the 2nd line it allows me to walk through walls (in the X axis), presumably as r14 must be the collision object's X value.
My current script:
Code:
[ENABLE]
aobscanmodule(INJECT,re2.exe,14 41 8B 06 89 47 30)
alloc(newmem,$1000,"re2.exe"+EE0D3DF)
label(code)
label(return)
newmem:
code:
mov eax,[rdi+30]
//mov eax,[r14]
mov [rdi+30],eax
jmp return
INJECT+01:
jmp newmem
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT+01:
db 41 8B 06 89 47 30
unregistersymbol(INJECT)
dealloc(newmem)
So I can walk through walls fine, but what's happening is that the game remembers the location of the first X collision I hit in r14, and then when I disable, eax = r14 and rdi+30 = eax, so I get teleported back to r14.
How can I change my code so that when I disable it, I write my current X value of rdi+30 into r14 before it updates eax?
OldCheatEngineUser Whateven rank
Reputation: 20
Joined: 01 Feb 2016 Posts: 1586
Posted: Tue Jan 29, 2019 10:45 am
Write to r14, or see where it gets the value and do the changes there.
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote: i am a sweetheart.
Turkeychopio Cheater
Reputation: 0
Joined: 06 Aug 2014 Posts: 36
Posted: Tue Jan 29, 2019 2:10 pm
How would I go about doing that?
I tried:
Code:
code:
mov eax,[rdi+30]
mov r14,[rdi+30] //adding this line
//mov eax,[r14]
mov [rdi+30],eax
jmp return
and this crashes it.
Busy atm but I'll look into backtracing it.
OldCheatEngineUser Whateven rank
Reputation: 20
Joined: 01 Feb 2016 Posts: 1586
Posted: Tue Jan 29, 2019 2:53 pm
It crashes because you changed the address in r14 to hold the value of rdi+30; also, moving eax into the value of r14 should not work.
It's better to see what writes to the address of r14 and make an injection there.
Anyhow, maybe you can use readmem, but for now see if this works (although it should not work):
Code:
[ENABLE]
aobscanmodule(INJECT,re2.exe,14 41 8B 06 89 47 30)
alloc(newmem,$1000,"re2.exe"+EE0D3DF)
label(code)
label(return)
newmem:
code:
mov eax,[rdi+30]
mov [r14],eax // assuming the value will stay there and won't be updated
mov [rdi+30],eax
jmp return
INJECT+01:
jmp newmem
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT+01:
db 41 8B 06 89 47 30
unregistersymbol(INJECT)
dealloc(newmem)
Turkeychopio Cheater
Reputation: 0
Joined: 06 Aug 2014 Posts: 36
Posted: Tue Jan 29, 2019 3:10 pm
Yeah, also no luck with that; teleported back to the first wall I walked through.
I'll do some backtracing now and have a look.