 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
justNOPing
Newbie cheater
![]() Reputation: 0
Joined: 09 Aug 2022
Posts: 11
|
 Posted: Sun Jan 12, 2025 8:09 am Post subject: Problems with merged script and help with shared opcode |
 |
|
Hello. In this particular game I came across fild opcode that loads bunch of values, which include: player's stats, player's current and max hp/stamina, enemies and NPCs max/current hp etc..
This appears to be the only opcode which is constantly being updated and not on damage/actions. First off, I wasn't able to find any reliable comparisons through "scan for commonalities" so I had to compare it to the stack value, which worked but now I'm having issues with merging the scripts and I can't think of a way to separate them to different scripts.
Here's the example:
| Code: | [ENABLE]
aobscanmodule(getstr,TBB.dll,DB 46 18 D8 4C 24 04)
aobscanmodule(addcmp,TBB.dll,47 57 8B D8 E8 3A D1 06 00) //ESP+8 FOR STATS POINTER
alloc(newmem,$1000)
alloc(pexp,4)
label(code)
label(return)
pexp:
dd 0
newmem:
cmp [esp+8],addcmp //cmp with aob
jne code
mov [pexp],esi //mov esi to label
code:
fild dword ptr [esi+18]
fmul dword ptr [esp+04]
jmp return
getstr:
jmp newmem
nop 2
return:
registersymbol(getstr pexp)
[DISABLE]
getstr:
db DB 46 18 D8 4C 24 04
unregistersymbol(newmem pexp)
dealloc(newmem pexp)
{
// ORIGINAL CODE - INJECTION POINT: TBB.dll+1906B1
TBB.dll+19068E: 84 C0 - test al,al
TBB.dll+190690: 75 10 - jne TBB.dll+1906A2
TBB.dll+190692: 68 FC EB 64 04 - push TBB.dll+30EBFC
TBB.dll+190697: 8B CE - mov ecx,esi
TBB.dll+190699: E8 72 FF FF FF - call TBB.dll+190610
TBB.dll+19069E: 84 C0 - test al,al
TBB.dll+1906A0: 74 0F - je TBB.dll+1906B1
TBB.dll+1906A2: A1 B4 DF 6B 04 - mov eax,[TBB.dll+37DFB4]
TBB.dll+1906A7: 8B 88 F0 00 00 00 - mov ecx,[eax+000000F0]
TBB.dll+1906AD: 89 4C 24 04 - mov [esp+04],ecx
// ---------- INJECTING HERE ----------
TBB.dll+1906B1: DB 46 18 - fild dword ptr [esi+18]
// ---------- DONE INJECTING ----------
TBB.dll+1906B4: D8 4C 24 04 - fmul dword ptr [esp+04]
TBB.dll+1906B8: E8 33 CF 10 00 - call TBB.dll+29D5F0
TBB.dll+1906BD: 5E - pop esi
TBB.dll+1906BE: 59 - pop ecx
TBB.dll+1906BF: C2 04 00 - ret 0004
TBB.dll+1906C2: CC - int 3
TBB.dll+1906C3: CC - int 3
TBB.dll+1906C4: CC - int 3
TBB.dll+1906C5: CC - int 3
TBB.dll+1906C6: CC - int 3
} |
(The game is 32-byte, so I'm allocating 4b instead of 8 and using DD instead of DQ for my label)
This one works as expected. I'm using [pexp] label as a pointer for my stats and it always returns the right value upon being triggered (on inventory activation)
Using the same method with different pointer, I created a script for HP/STAM and merged it with the script above
| Code: | [ENABLE]
aobscanmodule(hp,TBB.dll,DB 46 18 D8 4C 24 04)
aobscanmodule(addcmp,TBB.dll,47 57 8B D8 E8 3A D1 06 00)//ESP+8 STATS POINTER
aobscanmodule(hpcmp,TBB.dll,89 44 24 0C DB 44 24 0C 8A)//ESP+8 HP/STAMINA POINTER
alloc(newmem1,$1000)
alloc(newmem,$1000)
alloc(pexp,4)
alloc(t1,4)
label(code)
label(return)
t1:
dd 0
pexp:
dd 0
newmem1:
cmp [esp+8],addcmp
jne newmem
mov [pexp],esi
newmem:
cmp [esp+8],hpcmp
jne code
push ebx //pushing ebx which isn't affected in this function
mov [t1],esi //moving esi value to our label
mov ebx,[t1] //now moving it to ebx
mov [ebx+34],#777 //changing max stamina value in ebx
pop ebx
code:
fild dword ptr [esi+18]
fmul dword ptr [esp+04]
jmp return
hp:
jmp newmem
nop 2
return:
registersymbol(hp t1 pexp)
[DISABLE]
hp:
db DB 46 18 D8 4C 24 04
unregistersymbol(*)
dealloc(*)
{
// ORIGINAL CODE - INJECTION POINT: TBB.dll+1906B1
TBB.dll+19068E: 84 C0 - test al,al
TBB.dll+190690: 75 10 - jne TBB.dll+1906A2
TBB.dll+190692: 68 FC EB 77 04 - push TBB.dll+30EBFC
TBB.dll+190697: 8B CE - mov ecx,esi
TBB.dll+190699: E8 72 FF FF FF - call TBB.dll+190610
TBB.dll+19069E: 84 C0 - test al,al
TBB.dll+1906A0: 74 0F - je TBB.dll+1906B1
TBB.dll+1906A2: A1 B4 DF 7E 04 - mov eax,[TBB.dll+37DFB4]
TBB.dll+1906A7: 8B 88 F0 00 00 00 - mov ecx,[eax+000000F0]
TBB.dll+1906AD: 89 4C 24 04 - mov [esp+04],ecx
// ---------- INJECTING HERE ----------
TBB.dll+1906B1: DB 46 18 - fild dword ptr [esi+18]
// ---------- DONE INJECTING ----------
TBB.dll+1906B4: D8 4C 24 04 - fmul dword ptr [esp+04]
TBB.dll+1906B8: E8 33 CF 10 00 - call TBB.dll+29D5F0
TBB.dll+1906BD: 5E - pop esi
TBB.dll+1906BE: 59 - pop ecx
TBB.dll+1906BF: C2 04 00 - ret 0004
TBB.dll+1906C2: CC - int 3
TBB.dll+1906C3: CC - int 3
TBB.dll+1906C4: CC - int 3
TBB.dll+1906C5: CC - int 3
TBB.dll+1906C6: CC - int 3
} |
And here's the catch: This particular script now doesn't return [pexp] value as it used to do. The "newmem" part works as intended, at it sets max stamina value to (int)777 (see attachment)
Here are the two problems I encountered at this point:
1. [pexp] doesn't get any value when merged with stamina script
2. Is it even possible to make the max hp/max stam script optional? Let's say I want to move maximum stamina value to the current stamina value, which is in this case: [t1]+34 = Max Stamina, [t1]+6c = Current Stamina Value. How would I even do that? I want this script to be activated separately, by ticking a checkbox, preferably
Again, there aren't many options, judging by "break and trace" and checking what accesses hp and stam values, this is the only opcode that's constant and isn't being updated on loss/gain of value
| Description: |
|
| Filesize: |
48.93 KB |
| Viewed: |
3878 Time(s) |
|
| Description: |
|
| Filesize: |
44.92 KB |
| Viewed: |
3878 Time(s) |
|
|
|
| Back to top |
|
 |
ParkourPenguin
I post too much
 Reputation: 152
Joined: 06 Jul 2014
Posts: 4695
|
| Posted: Sun Jan 12, 2025 3:13 pm Post subject: |
|
|
Looks like nothing jumps to `newmem1`
You don't need two separate allocs `newmem1` and `newmem` if the injection point is the same. Just use 1.
Something like this:
| Code: | alloc(newmem,$1000)
label(original_code)
label(exp_code)
label(hp_code)
...
newmem:
push eax
mov eax,[esp+8]
cmp eax,addcmp
je exp_code
cmp eax,hpcmp
je hp_code
...
// default if nothing matches:
jmp original_code
exp_code:
mov [pexp],esi
jmp original_code
hp_code:
...
original_code:
pop eax
fild dword ptr [esi+18]
fmul dword ptr [esp+04]
jmp return |
| justNOPing wrote: | | Code: | push ebx //pushing ebx which isn't affected in this function
mov [t1],esi //moving esi value to our label
mov ebx,[t1] //now moving it to ebx
mov [ebx+34],#777 //changing max stamina value in ebx
pop ebx |
|
This could be shorter
| Code: | mov [t1],esi
mov [esi+34],#777 // max stamina |
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
