Need help improving Xenoblade X Cheat Table

Archezuli
Posted: Thu Nov 14, 2019 6:32 pm

What 2 addresses? The Maximum and Current HP ones?

DanyDollaro
Posted: Thu Nov 14, 2019 6:35 pm

Yes, I mean those, and the reason that crashes is probably because the address pointed to by EBX is not accessible for reading.

Archezuli
Posted: Thu Nov 14, 2019 6:47 pm

Is there any way I could make them so?

This is my PC only and I utterly hate being blocked from anything in it... even if it's critical stuff like system files.

DanyDollaro
Posted: Thu Nov 14, 2019 7:12 pm

I've already written to you, from the window of the structure dissection in the upper right there is an option called "File" and from there click on "Save values" but obviously you must first generate the structure and then save it

Archezuli
Posted: Thu Nov 14, 2019 9:03 pm

No not like that lol
I already got that part.

I meant have all the registers' values addresses|values readable normally like any other address|value in the memory browser. being able to see|use them at any time. even just from the memory browser or in that code. without having to actually find their value|address from the structure dissector and stuff.

I think I'd need to like... change the memory region where they are to have write|read permissions from somewhere? I think CE can do that from somewhere... can't it?

DanyDollaro
Posted: Fri Nov 15, 2019 1:46 am

Quote:
change the memory region where they are to have write|read permissions from somewhere?
you can, from the disassembler in the lower half, right click and you should find an option like "Change protection" (it has the image of a key).

Archezuli
Posted: Fri Nov 15, 2019 5:49 am

Here's the struc. is this right?
https://www.dropbox.com/s/llopcie9a6gk2oz/HPStrucs.txt?dl=0

Also, the "change protection" from disassembler did not work...? ;-;


There's still many memories that I can't read and memories that I can't even write to... ;-;

DanyDollaro
Posted: Fri Nov 15, 2019 8:04 am

I forgot to tell you some things, if the values on the structure change the code will not work properly.

You should need to change the JNE to JE if the saved value is reversed, and it would have been useful if you had given me the addresses you have dissected, but for now try these:
1)
Code:
[ENABLE]
    aobScan(targetCode,01 EA 89 6C 24 04 41 8B 9C 15 84 00 00 00 0F CB 89 54 24)
    alloc(cheatArea,$1000)
    alloc(alphaHPAddress,8)
    registerSymbol(cheatArea)
    registerSymbol(alphaHPAddress)
    label(origCode)
    label(return)

  cheatArea:
      cmp [rdx + r13 + C0], 0
      jne origCode
      mov [alphaHPAddress],ebx
      jmp origCode

  origCode:
      mov ebx,[r13+rdx+84]
      bswap ebx
      jmp return

  targetCode+7:
      jmp cheatArea
      nop
      nop
      nop
      nop

  return:
    registerSymbol(targetCode)

[DISABLE]
targetCode:
    db 01 EA 89 6C 24 04 41 8B 9C 15 84 00 00 00 0F CB 89 54 24

    dealloc(cheatArea)
    dealloc(alphaHPAddress)
    unregisterSymbol(targetCode)
    unregisterSymbol(cheatArea)
    unregisterSymbol(alphaHPAddress)


2)
Code:
[ENABLE]
    aobScan(targetCode,01 EA 89 6C 24 04 41 8B 9C 15 84 00 00 00 0F CB 89 54 24)
    alloc(cheatArea,$1000)
    alloc(alphaHPAddress,8)
    registerSymbol(cheatArea)
    registerSymbol(alphaHPAddress)
    label(origCode)
    label(return)

  cheatArea:
      cmp [rdx + r13 + D0], 0
      jne origCode
      mov [alphaHPAddress],ebx
      jmp origCode

  origCode:
      mov ebx,[r13+rdx+84]
      bswap ebx
      jmp return

  targetCode+7:
      jmp cheatArea
      nop
      nop
      nop
      nop

  return:
    registerSymbol(targetCode)

[DISABLE]
targetCode:
    db 01 EA 89 6C 24 04 41 8B 9C 15 84 00 00 00 0F CB 89 54 24

    dealloc(cheatArea)
    dealloc(alphaHPAddress)
    unregisterSymbol(targetCode)
    unregisterSymbol(cheatArea)
    unregisterSymbol(alphaHPAddress)


3)
Code:
[ENABLE]
    aobScan(targetCode,01 EA 89 6C 24 04 41 8B 9C 15 84 00 00 00 0F CB 89 54 24)
    alloc(cheatArea,$1000)
    alloc(alphaHPAddress,8)
    registerSymbol(cheatArea)
    registerSymbol(alphaHPAddress)
    label(origCode)
    label(return)

  cheatArea:
      cmp [rdx + r13 + 150], 0
      jne origCode
      mov [alphaHPAddress],ebx
      jmp origCode

  origCode:
      mov ebx,[r13+rdx+84]
      bswap ebx
      jmp return

  targetCode+7:
      jmp cheatArea
      nop
      nop
      nop
      nop

  return:
    registerSymbol(targetCode)

[DISABLE]
targetCode:
    db 01 EA 89 6C 24 04 41 8B 9C 15 84 00 00 00 0F CB 89 54 24

    dealloc(cheatArea)
    dealloc(alphaHPAddress)
    unregisterSymbol(targetCode)
    unregisterSymbol(cheatArea)
    unregisterSymbol(alphaHPAddress)


4)
Code:
[ENABLE]
    aobScan(targetCode,01 EA 89 6C 24 04 41 8B 9C 15 84 00 00 00 0F CB 89 54 24)
    alloc(cheatArea,$1000)
    alloc(alphaHPAddress,8)
    registerSymbol(cheatArea)
    registerSymbol(alphaHPAddress)
    label(origCode)
    label(return)

  cheatArea:
      cmp [rdx + r13 + 15F], 0
      jne origCode
      mov [alphaHPAddress],ebx
      jmp origCode

  origCode:
      mov ebx,[r13+rdx+84]
      bswap ebx
      jmp return

  targetCode+7:
      jmp cheatArea
      nop
      nop
      nop
      nop

  return:
    registerSymbol(targetCode)

[DISABLE]
targetCode:
    db 01 EA 89 6C 24 04 41 8B 9C 15 84 00 00 00 0F CB 89 54 24

    dealloc(cheatArea)
    dealloc(alphaHPAddress)
    unregisterSymbol(targetCode)
    unregisterSymbol(cheatArea)
    unregisterSymbol(alphaHPAddress)


5)
Code:
[ENABLE]
    aobScan(targetCode,01 EA 89 6C 24 04 41 8B 9C 15 84 00 00 00 0F CB 89 54 24)
    alloc(cheatArea,$1000)
    alloc(alphaHPAddress,8)
    registerSymbol(cheatArea)
    registerSymbol(alphaHPAddress)
    label(origCode)
    label(return)

  cheatArea:
      cmp [rdx + r13 + 176], 0
      jne origCode
      mov [alphaHPAddress],ebx
      jmp origCode

  origCode:
      mov ebx,[r13+rdx+84]
      bswap ebx
      jmp return

  targetCode+7:
      jmp cheatArea
      nop
      nop
      nop
      nop

  return:
    registerSymbol(targetCode)

[DISABLE]
targetCode:
    db 01 EA 89 6C 24 04 41 8B 9C 15 84 00 00 00 0F CB 89 54 24

    dealloc(cheatArea)
    dealloc(alphaHPAddress)
    unregisterSymbol(targetCode)
    unregisterSymbol(cheatArea)
    unregisterSymbol(alphaHPAddress)


6)
Code:
[ENABLE]
    aobScan(targetCode,01 EA 89 6C 24 04 41 8B 9C 15 84 00 00 00 0F CB 89 54 24)
    alloc(cheatArea,$1000)
    alloc(alphaHPAddress,8)
    registerSymbol(cheatArea)
    registerSymbol(alphaHPAddress)
    label(origCode)
    label(return)

  cheatArea:
      cmp [rdx + r13 + 240], 0
      jne origCode
      mov [alphaHPAddress],ebx
      jmp origCode

  origCode:
      mov ebx,[r13+rdx+84]
      bswap ebx
      jmp return

  targetCode+7:
      jmp cheatArea
      nop
      nop
      nop
      nop

  return:
    registerSymbol(targetCode)

[DISABLE]
targetCode:
    db 01 EA 89 6C 24 04 41 8B 9C 15 84 00 00 00 0F CB 89 54 24

    dealloc(cheatArea)
    dealloc(alphaHPAddress)
    unregisterSymbol(targetCode)
    unregisterSymbol(cheatArea)
    unregisterSymbol(alphaHPAddress)

Archezuli
Posted: Fri Nov 15, 2019 8:10 am

Oh my crap I'm so sorry! ;w;


These are the addresses:






Edit:

Why did you change the cmp codes to 0?!? '~'

The code is supposed to go to alphaHPAddress only if it is equal to one...

DanyDollaro
Posted: Fri Nov 15, 2019 9:08 am

Instead of 0 I could have used something else, but I found that and then I used it, plus you made the comparison with RBX, but you didn't disassemble the address contained in RBX.
Then deducing the address on which you want to make the injection, the life's address is defined from "R13 + RDX + 84", so since the addresses you have disassembled has an extra offset (+84) to the expression R13 + RDX, so considering R13 + RDX as the base address it was enough to find a different value for both addresses, see the offset marked on the file and add a +84 (But I can't know if those values have now changed).

Archezuli
Posted: Fri Nov 15, 2019 9:40 am

Quote:
but you didn't disassemble the address contained in RBX.


I told you. I tried that! >.<

If I use it instead ([r13+rdx+84+a2]) the game doesn't crash, but the code doesn't work either... the alphaHPAddress stays at 0... ;w;

DanyDollaro
Posted: Fri Nov 15, 2019 9:44 am

Have you tried replacing the JNE with the JE?

EDIT: have you checked that the value in the structure has not changed?
And then why are you saving the value of RBX? or I got confused but the address of your life is given by "R13 + RDX + 84".

Try replacing this part here:

Code:
cheatArea:
      cmp [rdx + r13 + 240], 0
      jne origCode //JNE
      push 84
      pop [alphaHPAddress]
      add [alphaHPAddress],r13
      add [alphaHPAddress],rdx
      jmp origCode

or

Code:
  cheatArea:
      cmp [rdx + r13 + 240], 0
      je origCode //JE
      push 84
      pop [alphaHPAddress]
      add [alphaHPAddress],r13
      add [alphaHPAddress],rdx
      jmp origCode


Last edited by DanyDollaro on Fri Nov 15, 2019 9:51 am; edited 5 times in total

Archezuli
Posted: Fri Nov 15, 2019 9:46 am

I have not!

I'll try it...

EDIT: No. the values have not changed yet cuz I'm still in the same session since I woke up. ^-^

(And didn't do anything that makes them change, like switching armor or dying, or some other stuff)

Archezuli
Posted: Sat Nov 16, 2019 7:47 am

Okay, so...


After lots and lots of trial and error (And error, and error, and error, and error, and error, and error, and error, and error, and error, and error, and error, and error, and err-ANYWAY)

I finally got to this script. which almost works... but still kinda spazzes between the proper numbers and 0 every now and then...

And then, when I got to this one... it always crashes my PC when I try to run it. And I have no idea why. :D


Is there any chance you would know...?

Also, there's still one thing at least on that code that still puzzles me, and no amount of google search managed to sate my curiosity...

What is that "+7" on the "targetCode+7:"...? What does it do?

DanyDollaro
Posted: Sat Nov 16, 2019 8:51 am

Indicates that the injection starts from the "Cheat code + 7 Byte" address and I will now explain the reason.

The complete code is:
Code:
add edx, ebp
mov [rsp + 4], ebp
mov ebx, [r13 + rdx + 84]
bswap ebx


however this part does not interest you:
Code:
add edx, ebp
mov [rsp + 4], ebp


but in the AOB these 2 instructions are included, that is:
    add edx, ebp = 01 EA
    mov [rsp + 4], ebp = 89 6C 24 04


therefore making an injection on the symbol registered by the AOB will start from the instruction "add edx, ebp", while if we add 7 Bytes to the address "targetCode + 7" 7 Byte because the array: "01 EA - 89 6C 24 04" is composed of 6 Bytes so the seventh Byte will be just the Byte of the instruction "mov ebx, [r13 + rdx + 84]" consequently this instruction will be exchanged with the jump in the allocated area.

Obviously you could also put:
Code:
aobScan (targetCode,41 8B 9C 15 84 00 00 00 0F CB 89 54 24)
but in the AOB template you sent I saw also comments on those instructions and put them to prevent the scan from finding similar codes.
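
The byte layout discussed in the last post, checked as an added example (not code from the thread or from Cheat Engine): a minimal length decoder for only the opcodes in the posted AOB, used to test whether a patch range starts and ends on instruction boundaries. It assumes `jmp cheatArea` assembles to a 5-byte near jump, so the posted patch is 5 + 4 nop bytes; `insn_len`, `boundaries` and `check_patch` are names made up for this example.

```python
# Added example: length decoder for only the opcodes present in the thread's AOB.
AOB = bytes.fromhex("01 EA 89 6C 24 04 41 8B 9C 15 84 00 00 00 0F CB 89 54 24")
JMP_REL32_LEN = 5  # assumption: cheatArea is within rel32 range of the target

def insn_len(code, pos):
    """Length of the instruction at pos; None if unsupported or cut off."""
    i = pos
    if i < len(code) and 0x40 <= code[i] <= 0x4F:      # REX prefix
        i += 1
    if i + 1 >= len(code):
        return None
    op, nxt = code[i], code[i + 1]
    if op == 0x0F:                                     # two-byte opcode
        return i + 2 - pos if 0xC8 <= nxt <= 0xCF else None  # bswap r32
    if op not in (0x01, 0x89, 0x8B):                   # add / mov with ModRM
        return None
    mod, rm = nxt >> 6, nxt & 7
    i += 2
    if mod != 3 and rm == 4:                           # SIB byte follows
        if i >= len(code):
            return None
        if mod == 0 and (code[i] & 7) == 5:            # SIB base=5: disp32
            i += 4
        i += 1
    elif mod == 0 and rm == 5:                         # RIP-relative disp32
        i += 4
    i += {1: 1, 2: 4}.get(mod, 0)                      # disp8 / disp32
    return i - pos if i <= len(code) else None

def boundaries(code):
    """Start offsets of the complete instructions, and the offset after the last."""
    starts, pos = [], 0
    while pos < len(code):
        n = insn_len(code, pos)
        if n is None:                                  # truncated tail of the AOB
            break
        starts.append(pos)
        pos += n
    return starts, pos

def check_patch(code, start, patch_len):
    """Report whether [start, start+patch_len) cuts through an instruction."""
    starts, end = boundaries(code)
    edges = set(starts) | {end}
    owner = max(s for s in starts if s <= start)       # instruction containing start
    return {"start_on_boundary": start in edges,
            "end_on_boundary": start + patch_len in edges,
            "orphaned": code[owner:start].hex()}       # bytes left in front of the patch
```

For the posted scripts, `check_patch(AOB, 7, 9)` reports that the patch ends on a boundary (offset 16) but starts one byte into the 8-byte `mov`, leaving its `41` prefix byte in place; a 10-byte patch at offset 6 covers the `mov` and `bswap` whole.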

All times are GMT - 6 Hours