Cheat Engine The Official Site of Cheat Engine
ZeiD. Newbie cheater Reputation: 0
Joined: 20 Jan 2019 Posts: 14 Location: Earth
Posted: Sat Jul 25, 2020 3:25 pm Post subject: Teleport hack saves player location only once
Hello everyone! The last two days I've been trying to make a teleport hack for "Shadow of the Tomb Raider" that stores the player's position and then teleports the player to the saved location when specific hotkeys are pressed. (The full script will be at the bottom.) I've watched some videos and read some things to understand how to do it, but I have some complications.
It all works fine the first time. I can press my hotkey (Numpad 1) and save the current position. This is the part that I use for saving the position:
Code: |
saveCurrentPos:
mov [savePos],0
mov [setPosition],1
push rax
mov rax,[rdi+0C] // X position
mov [XcharPos],rax
mov rax,[rdi+10] // Y position
mov [YcharPos],rax
mov rax,[rdi+14] // Z position
mov [ZcharPos],rax
pop rax
jmp code
|
When I press the hotkey (Numpad 2) to load the saved position and pass it to the player, it works just fine. This is the code for the loading part:
Code: |
loadCurrentPos: //get each value from the stored area above and pass them to the game as the new coordinates
mov [loadPos],0
cmp [setPosition],0
je code
push rax
mov rax,[XcharPos]
mov [rdi+0C],rax
mov rax,[YcharPos]
mov [rdi+10],rax
mov rax,[ZcharPos]
mov [rdi+14],rax
pop rax
jmp code
|
My problems:
1) I can only save the player's location once. I can spam my save hotkey 10 times, but the only place I will be able to teleport to is wherever I first pressed the save hotkey. The load hotkey works all the time without any issues.
2) Even though I do mov [savePos],0, this only works the first time I press the hotkey. All the other times it's stuck with a value of "1" in the address list. I have no idea why, especially when the loading part is essentially the same and it works all the time.
What I've tried:
1) To deal with the value stuck at "1" in the address list I've tried to do the mov [savePos],0 on the loading part like:
Code: |
...
mov [loadPos],0
mov [savePos],0
...
|
I had issues with the teleport coordinates afterwards: I was teleported to a weird place inside a ceiling and I kept dying. I have no idea why such a thing would happen. I only change a flag, right?
2) As you will see at the bottom, I use a lot of compares. I thought there might be an issue with the compare flags, so I tried pushf / popf, but the game was crashing afterwards (I think when it was reaching the popf part). There must have been an issue that I am not aware of, or I just used them wrong.
3) I have added the savePos and loadPos addresses to the list and I tried finding out what accesses the savePos address. The first compare is always accessed, and this is what comes up in the window:
Code: |
cmp dword ptr [15A1D100C],01
|
Then when I press Numpad 1 (my hotkey) this turns up:
Code: |
cmp dword ptr [15A1D100C],01
mov [15A1D100C],00000000
mov [15A1D1008],rax
|
The [15A1D1008], if I'm not mistaken, is the ZcharPos.
After that the only thing getting accessed is the first compare, and only when I press the hotkey to load the position (Numpad 2) do I get another instruction, whose counter increases with every key press.
The final window looks like this:
Code: |
cmp dword ptr [15A1D100C],01 //count constantly increases
mov [15A1D100C],00000000 // count increases only once
mov [15A1D1008],rax // count increases only once
mov rax,[15A1D1008] //count increases everytime I press Numpad 2
|
Also, this is what writes to that address:
Code: |
mov [15A1D100C],00000000
mov [15A1D1008],rax
|
Final notes:
I can't remember if I did anything else trying to resolve that issue. I cannot understand why something works for one part of the script and not for something else. Any help would be appreciated. I would really like to know what's causing this.
So this is the full script that I'm using and I hope that I am not wasting your time with a stupid mistake...
Code: |
[ENABLE]
aobscanmodule(teleport,SOTTR.exe,0F 10 77 10 48 89 D9) // should be unique
alloc(newmem,$1000,"SOTTR.exe"+721E02D)
alloc(storePlayerCurrentPos,256)
label(code)
label(return)
label(XcharPos)
label(YcharPos)
label(ZcharPos)
label(savePos)
label(loadPos)
label(saveCurrentPos)
label(loadCurrentPos)
label(setPosition) //just to make sure we have saved some position before loading
registersymbol(teleport)
registersymbol(savePos)
registersymbol(loadPos)
storePlayerCurrentPos:
XcharPos:
dd 0
YcharPos:
dd 0
ZcharPos:
dd 0
savePos:
dd 0
loadPos:
dd 0
setPosition:
dd 0
newmem:
cmp [savePos],1
je saveCurrentPos
cmp [loadPos],1
je loadCurrentPos
jmp code
saveCurrentPos:
mov [savePos],0
mov [setPosition],1
push rax
mov rax,[rdi+0C] // X position
mov [XcharPos],rax
mov rax,[rdi+10] // Y position
mov [YcharPos],rax
mov rax,[rdi+14] // Z position
mov [ZcharPos],rax
pop rax
jmp code
loadCurrentPos: //get each value from the stored area above and pass them to the game as the new coordinates
mov [loadPos],0
cmp [setPosition],0
je code
push rax
mov rax,[XcharPos]
mov [rdi+0C],rax
mov rax,[YcharPos]
mov [rdi+10],rax
mov rax,[ZcharPos]
mov [rdi+14],rax
pop rax
jmp code
code:
movups xmm6,[rdi+10]
mov rcx,rbx
jmp return
teleport:
jmp newmem
nop 2
return:
[DISABLE]
teleport:
db 0F 10 77 10 48 89 D9
unregistersymbol(teleport)
dealloc(newmem)
dealloc(storePlayerCurrentPos,256)
unregistersymbol(savePos)
unregistersymbol(loadPos)
|
I find pleasure in cheating
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4289
Posted: Sat Jul 25, 2020 7:37 pm Post subject:
rax is 8 bytes. You want eax instead.
If "mov rcx,rbx" is part of the original code, just use ecx instead. No need to push/pop any registers then (the game isn't using it).
e.g.:
Code: |
saveCurrentPos:
mov [savePos],0
mov [setPosition],1
mov ecx,[rdi+0C] // X position
mov [XcharPos],ecx
mov ecx,[rdi+10] // Y position
mov [YcharPos],ecx
mov ecx,[rdi+14] // Z position
mov [ZcharPos],ecx
jmp code
|
I don't know where I'm going, but I'll figure it out when I get there.
ZeiD. Newbie cheater Reputation: 0
Joined: 20 Jan 2019 Posts: 14 Location: Earth
Posted: Sun Jul 26, 2020 5:16 am Post subject:
Thank you so much, "ParkourPenguin". Using the ecx register without pushing anything solved my problems. In case anyone wonders, I used it both in the saving and the loading part of the script, and yes, the "mov rcx,rbx" instruction was part of the original code.
To be honest I am not sure why using ecx instead of rax worked. What was happening during the execution that I was not aware of? Could anyone help me understand?
Anyway, these are the saving and loading parts of the script now:
Saving:
Code: |
saveCurrentPos:
mov [savePos],0
mov [setPosition],1
mov ecx,[rdi+0C] // X position
mov [XcharPos],ecx
mov ecx,[rdi+10] // Y position
mov [YcharPos],ecx
mov ecx,[rdi+14] // Z position
mov [ZcharPos],ecx
jmp code
|
Loading:
Code: |
mov [loadPos],0
cmp [setPosition],0
je code
mov ecx,[XcharPos]
mov [rdi+0C],ecx
mov ecx,[YcharPos]
mov [rdi+10],ecx
mov ecx,[ZcharPos]
mov [rdi+14],ecx
jmp code
|
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4289
Posted: Sun Jul 26, 2020 10:52 am Post subject:
Look at, say, this instruction:
rax is an 8 byte register. When you move rax, you're moving 8 bytes. ZcharPos contains a 4 byte value (dd = define doubleword = 4 bytes). So, when you move 8 bytes into some memory location that was only supposed to have a 4 byte value, whatever lies after that memory location also gets overwritten (i.e. savePos also gets overwritten by the above mov). Depending on how stuff is laid out, this can get messy fast and generally leads to undefined behaviour.
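The overwrite ParkourPenguin describes, modelled as an added example that is not part of this thread or of the script above. It lays out the six dd slots of storePlayerCurrentPos contiguously, exactly as the labels are declared (XcharPos at +0, YcharPos +4, ZcharPos +8, savePos +12, loadPos +16, setPosition +20, matching the 15A1D1008 / 15A1D100C addresses in the first post), and replays both the rax and the ecx versions of the save and load routines against a constructed object. The only thing the thread does not establish is what lives at rdi+18; the example assumes a fourth float "w" equal to 1.0f there purely so the 8-byte access past Z has something defined to read and write. With rax, the third store drops the dword at rdi+18 into savePos, and the third load pushes whatever is in savePos (zero, after the poster's "mov [savePos],0" in the loading part) back into rdi+18; with ecx, each slot is touched exactly once.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the object rdi points at. The thread only shows that
 * X/Y/Z live at rdi+0C/+10/+14; the float at +18 ("w") is an assumption made
 * here so an 8-byte access past Z has something defined to touch. */
typedef struct {
    uint8_t pad[0x0C];
    float x, y, z, w;          /* offsets 0x0C, 0x10, 0x14, 0x18 */
} Entity;

/* The script's storePlayerCurrentPos block: six dd (4-byte) slots in the
 * order the labels are declared, so ZcharPos is immediately followed by savePos. */
enum { OFF_X = 0, OFF_Y = 4, OFF_Z = 8, OFF_SAVE = 12, OFF_LOAD = 16, OFF_SET = 20, STORE_SIZE = 24 };

static uint32_t rd32(const void *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const void *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void wr32(void *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr64(void *p, uint64_t v) { memcpy(p, &v, 8); }

/* Original saveCurrentPos: "mov rax,[rdi+14] / mov [ZcharPos],rax".
 * rax is 8 bytes wide, so the last store writes ZcharPos AND savePos. */
static void save_with_rax(uint8_t *store, const Entity *e) {
    const uint8_t *rdi = (const uint8_t *)e;
    wr32(store + OFF_SAVE, 0);
    wr32(store + OFF_SET, 1);
    wr64(store + OFF_X, rd64(rdi + 0x0C));   /* X, and Y spills into YcharPos */
    wr64(store + OFF_Y, rd64(rdi + 0x10));   /* Y, and Z spills into ZcharPos */
    wr64(store + OFF_Z, rd64(rdi + 0x14));   /* Z, and [rdi+18] spills into savePos */
}

/* Original loadCurrentPos: the last "mov [rdi+14],rax" also copies the
 * savePos dword into [rdi+18]. */
static void load_with_rax(uint8_t *store, Entity *e) {
    uint8_t *rdi = (uint8_t *)e;
    wr32(store + OFF_LOAD, 0);
    if (rd32(store + OFF_SET) == 0) return;
    wr64(rdi + 0x0C, rd64(store + OFF_X));
    wr64(rdi + 0x10, rd64(store + OFF_Y));
    wr64(rdi + 0x14, rd64(store + OFF_Z));
}

/* ParkourPenguin's fix: 4-byte moves through ecx touch exactly one slot each. */
static void save_with_ecx(uint8_t *store, const Entity *e) {
    const uint8_t *rdi = (const uint8_t *)e;
    wr32(store + OFF_SAVE, 0);
    wr32(store + OFF_SET, 1);
    wr32(store + OFF_X, rd32(rdi + 0x0C));
    wr32(store + OFF_Y, rd32(rdi + 0x10));
    wr32(store + OFF_Z, rd32(rdi + 0x14));
}

static void load_with_ecx(uint8_t *store, Entity *e) {
    uint8_t *rdi = (uint8_t *)e;
    wr32(store + OFF_LOAD, 0);
    if (rd32(store + OFF_SET) == 0) return;
    wr32(rdi + 0x0C, rd32(store + OFF_X));
    wr32(rdi + 0x10, rd32(store + OFF_Y));
    wr32(rdi + 0x14, rd32(store + OFF_Z));
}

/* One "save" with the given routine; returns what ended up in savePos.
 * Constructed sample position; w = 1.0f is the assumption noted above. */
static uint32_t savepos_after_save(void (*save)(uint8_t *, const Entity *)) {
    uint8_t store[STORE_SIZE] = {0};
    Entity e = { {0}, 10.0f, 20.0f, 30.0f, 1.0f };
    save(store, &e);
    return rd32(store + OFF_SAVE);
}

/* Save, zero savePos (what the poster tried in the loading part), then load.
 * With rax the zero lands in [rdi+18]; with ecx it is left untouched. */
static float w_after_load(void (*save)(uint8_t *, const Entity *),
                          void (*load)(uint8_t *, Entity *)) {
    uint8_t store[STORE_SIZE] = {0};
    Entity e = { {0}, 10.0f, 20.0f, 30.0f, 1.0f };
    save(store, &e);
    wr32(store + OFF_SAVE, 0);
    load(store, &e);
    return e.w;
}

int main(void) {
    printf("savePos after rax save: 0x%08x\n", savepos_after_save(save_with_rax));
    printf("savePos after ecx save: 0x%08x\n", savepos_after_save(save_with_ecx));
    printf("[rdi+18] after rax load: %g\n", w_after_load(save_with_rax, load_with_rax));
    printf("[rdi+18] after ecx load: %g\n", w_after_load(save_with_ecx, load_with_ecx));
    return 0;
}
```

The rax save leaves 0x3F800000 (the bit pattern of the assumed 1.0f) in savePos instead of the 0 the script wrote one instruction earlier, which is why "mov [savePos],0" appeared not to work; the rax load writes whatever savePos holds over the dword past Z. Both disappear once every move is the same width as the dd slot it targets.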
ZeiD. Newbie cheater Reputation: 0
Joined: 20 Jan 2019 Posts: 14 Location: Earth
Posted: Sun Jul 26, 2020 3:57 pm Post subject:
Of course. This makes perfect sense. I didn't think of that at all... I will be more mindful about the bytes of the registers and the memory addresses from now on for sure! Thanks for all your help, have a good day/night!