Cheat Engine Forum (The Official Site of Cheat Engine) - General Gamehacking
Crashes and Weird Behavior When Manipulating Cooldown Func

 
Luantic (How do I cheat?, Reputation: 0, Joined: 20 Jan 2025, Posts: 2)
Posted: Mon Jan 20, 2025 9:27 pm    Post subject: Crashes and Weird Behavior When Manipulating Cooldown Func

Hello everyone,

I'm at a complete loss here. Every time I try to manipulate a certain function to modify in-game values, it either causes a crash or results in extremely weird and random behavior. Here's what I'm dealing with:
The Problematic Function:

7FF6F41A0C68 - 8B C7 - mov eax, edi
7FF6F41A0C6A - 33 C2 - xor eax, edx
7FF6F41A0C6C - 89 47 08 - mov [rdi+08], eax <<
7FF6F41A0C6F - 48 8B 84 24 C0000000 - mov rax, [rsp+000000C0]
7FF6F41A0C77 - 33 10 - xor edx, [rax]

What I Understand So Far:

This function seems to handle multiple important in-game values (e.g., MP, HP, Cooldown).
The values these addresses hold are often unusual or appear encrypted/recalculated.
For example:
Cooldown values might look like 6.46E27, which doesn't make sense.
If I freeze the cooldown value to keep it at what it is:
The first skill usage works (no cooldown).
On the second usage, the cooldown skyrockets to an absurd number like 38274623846.
Sometimes, the game crashes outright instead.

What I've Tried:

Freezing Values:
Freezing specific addresses works momentarily but eventually causes the game to crash or results in nonsensical values.

NOP-ing the Function:
When I NOP the function, all related values (MP, HP, Cooldown) start changing randomly and rapidly in the game.
This also ends in a crash.

Analyzing the Function:
From what I can tell, edi and edx seem to be inputs to some transformation logic (e.g., XOR).
The result of this transformation is stored in [rdi+08], which appears to be part of a larger structure.

What I Need Help With:

What is this function really doing?
Is it encrypting values? Or is it just a form of obfuscation for important data?

How can I manipulate only the cooldown without affecting MP or HP?
Since this function handles multiple values, changes to it seem to destabilize the game entirely.
What should I look for to better understand this behavior?

Any advice or guidance would be greatly appreciated. This is driving me crazy, and I feel like I’m missing something fundamental here.

Thanks in advance for your help!

_________________
Beginner
ParkourPenguin (I post too much, Reputation: 152, Joined: 06 Jul 2014, Posts: 4695)
Posted: Mon Jan 20, 2025 10:01 pm

Quote: xor eax, edx

Based on this just before the write, I'd guess the game is obfuscating values with a simple xor key.

Read the assembly code around each instruction that accesses those addresses to figure out how to modify it. If the relevant values are contiguous in memory, you could write a custom type.

If mono features are available (i.e. there's a "Mono" menu at the top of the main CE window when attached to the process), then enable mono features, dissect mono, and find the relevant class. Just the names of the members and methods can give you a lot of information. The code that accesses the values (enable mono features; show symbols in disassembler) can probably point you in a good direction.

More specific help would require you to provide more information. Show more instructions around the instructions that read and write to your value. Also the data around the value could give good information too: right click -> "Browse this memory region", scroll up a little to show the data both before and after that address. Display the data as hexadecimal integers; size isn't important.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Luantic (How do I cheat?, Reputation: 0, Joined: 20 Jan 2025, Posts: 2)
Posted: Wed Jan 22, 2025 8:01 am

Thanks for your reply!
Unfortunately, there are no mono features available. Or I am legally blind.

I just found out that this is the WHOLE function:

x2.exe+300AF0 - 4C 89 4C 24 20 - mov [rsp+20],r9
x2.exe+300AF5 - 4C 89 44 24 18 - mov [rsp+18],r8
x2.exe+300AFA - 53 - push rbx
x2.exe+300AFB - 55 - push rbp
x2.exe+300AFC - 56 - push rsi
x2.exe+300AFD - 57 - push rdi
x2.exe+300AFE - 41 54 - push r12
x2.exe+300B00 - 41 55 - push r13
x2.exe+300B02 - 41 56 - push r14
x2.exe+300B04 - 41 57 - push r15
x2.exe+300B06 - 48 83 EC 68 - sub rsp,68
x2.exe+300B0A - 48 8B 41 08 - mov rax,[rcx+08]
x2.exe+300B0E - 44 8B D2 - mov r10d,edx
x2.exe+300B11 - 44 33 52 08 - xor r10d,[rdx+08]
x2.exe+300B15 - 48 8B FA - mov rdi,rdx
x2.exe+300B18 - 41 0FB6 D2 - movzx edx,r10b
x2.exe+300B1C - 45 33 C9 - xor r9d,r9d
x2.exe+300B1F - 45 0FB6 E2 - movzx r12d,r10b
x2.exe+300B23 - 4C 8B E9 - mov r13,rcx
x2.exe+300B26 - 44 33 A4 90 00050000 - xor r12d,[rax+rdx*4+00000500]
x2.exe+300B2E - 45 33 E2 - xor r12d,r10d
x2.exe+300B31 - 45 8B F4 - mov r14d,r12d
x2.exe+300B34 - 41 83 FC 01 - cmp r12d,01
x2.exe+300B38 - 72 1F - jb x2.exe+300B59
x2.exe+300B3A - 48 8B 41 30 - mov rax,[rcx+30]
x2.exe+300B3E - 48 2B 41 28 - sub rax,[rcx+28]
x2.exe+300B42 - 48 B9 ABAAAAAAAAAAAAAA - mov rcx,AAAAAAAAAAAAAAAB
x2.exe+300B4C - 48 C1 F8 03 - sar rax,03
x2.exe+300B50 - 48 0FAF C1 - imul rax,rcx
x2.exe+300B54 - 4C 3B F0 - cmp r14,rax
x2.exe+300B57 - 72 0D - jb x2.exe+300B66
x2.exe+300B59 - 49 8B 45 28 - mov rax,[r13+28]
x2.exe+300B5D - 44 89 48 08 - mov [rax+08],r9d
x2.exe+300B61 - 66 44 89 48 0E - mov [rax+0E],r9w
x2.exe+300B66 - 49 8B 45 28 - mov rax,[r13+28]
x2.exe+300B6A - 49 8D 75 10 - lea rsi,[r13+10]
x2.exe+300B6E - 4B 8D 0C 64 - lea rcx,[r12+r12*2]
x2.exe+300B72 - 48 89 74 24 40 - mov [rsp+40],rsi
x2.exe+300B77 - 4C 8D 04 C8 - lea r8,[rax+rcx*8]
x2.exe+300B7B - 4C 89 74 24 48 - mov [rsp+48],r14
x2.exe+300B80 - 4C 89 84 24 B0000000 - mov [rsp+000000B0],r8
x2.exe+300B88 - 49 39 38 - cmp [r8],rdi
x2.exe+300B8B - 74 16 - je x2.exe+300BA3
x2.exe+300B8D - 49 8B 4D 28 - mov rcx,[r13+28]
x2.exe+300B91 - 49 8D 5D 10 - lea rbx,[r13+10]
x2.exe+300B95 - 41 8B 40 08 - mov eax,[r8+08]
x2.exe+300B99 - 89 41 08 - mov [rcx+08],eax
x2.exe+300B9C - 66 44 89 49 0E - mov [rcx+0E],r9w
x2.exe+300BA1 - EB 03 - jmp x2.exe+300BA6
x2.exe+300BA3 - 48 8B DE - mov rbx,rsi
x2.exe+300BA6 - 65 48 8B 04 25 58000000 - mov rax,gs:[00000058]
x2.exe+300BAF - 4C 8B DE - mov r11,rsi
x2.exe+300BB2 - B9 0C000000 - mov ecx,0000000C
x2.exe+300BB7 - 48 8B 00 - mov rax,[rax]
x2.exe+300BBA - 44 38 0C 01 - cmp [rcx+rax],r9b
x2.exe+300BBE - 75 10 - jne x2.exe+300BD0
x2.exe+300BC0 - E8 73291703 - call x2.exe+3473538
x2.exe+300BC5 - 4C 8B 84 24 B0000000 - mov r8,[rsp+000000B0]
x2.exe+300BCD - 4C 8B DB - mov r11,rbx
x2.exe+300BD0 - 65 48 8B 04 25 58000000 - mov rax,gs:[00000058]
x2.exe+300BD9 - 4C 8D 4F 10 - lea r9,[rdi+10]
x2.exe+300BDD - 0F28 44 24 40 - movaps xmm0,[rsp+40]
x2.exe+300BE2 - BA 10000000 - mov edx,00000010
x2.exe+300BE7 - 66 0F7F 44 24 50 - movdqa [rsp+50],xmm0
x2.exe+300BED - 48 8B 08 - mov rcx,[rax]
x2.exe+300BF0 - 49 8D 45 40 - lea rax,[r13+40]
x2.exe+300BF4 - 48 33 04 11 - xor rax,[rcx+rdx]
x2.exe+300BF8 - 49 8B CE - mov rcx,r14
x2.exe+300BFB - 48 89 84 24 B8000000 - mov [rsp+000000B8],rax
x2.exe+300C03 - 48 03 C9 - add rcx,rcx
x2.exe+300C06 - 48 8B 06 - mov rax,[rsi]
x2.exe+300C09 - 4C 8B 54 C8 08 - mov r10,[rax+rcx*8+08]
x2.exe+300C0E - B8 FFFF0000 - mov eax,0000FFFF
x2.exe+300C13 - 4D 85 C9 - test r9,r9
x2.exe+300C16 - 74 13 - je x2.exe+300C2B
x2.exe+300C18 - 45 0FB7 39 - movzx r15d,word ptr [r9]
x2.exe+300C1C - 66 41 F7 D7 - not r15w
x2.exe+300C20 - 66 41 D1 C7 - rol r15w,1
x2.exe+300C24 - 66 45 33 79 02 - xor r15w,[r9+02]
x2.exe+300C29 - EB 03 - jmp x2.exe+300C2E
x2.exe+300C2B - 44 8B F8 - mov r15d,eax
x2.exe+300C2E - 48 8B 9C 24 C8000000 - mov rbx,[rsp+000000C8]
x2.exe+300C36 - 4B 8D 0C 52 - lea rcx,[r10+r10*2]
x2.exe+300C3A - 48 8B 44 24 50 - mov rax,[rsp+50]
x2.exe+300C3F - 66 44 89 7C 24 40 - mov [rsp+40],r15w
x2.exe+300C45 - 8B 6B 08 - mov ebp,[rbx+08]
x2.exe+300C48 - 48 8B 40 18 - mov rax,[rax+18]
x2.exe+300C4C - 48 8D 14 C8 - lea rdx,[rax+rcx*8]
x2.exe+300C50 - 49 8B 45 08 - mov rax,[r13+08]
x2.exe+300C54 - 48 89 54 24 20 - mov [rsp+20],rdx
x2.exe+300C59 - 8B D5 - mov edx,ebp
x2.exe+300C5B - 81 E2 00FFFFFF - and edx,FFFFFF00
x2.exe+300C61 - 40 0FB6 CD - movzx ecx,bpl
x2.exe+300C65 - 33 14 88 - xor edx,[rax+rcx*4]
x2.exe+300C68 - 8B C7 - mov eax,edi
x2.exe+300C6A - 33 C2 - xor eax,edx
x2.exe+300C6C - 89 47 08 - mov [rdi+08],eax
x2.exe+300C6F - 48 8B 84 24 C0000000 - mov rax,[rsp+000000C0]
x2.exe+300C77 - 33 10 - xor edx,[rax]
x2.exe+300C79 - 41 89 11 - mov [r9],edx
x2.exe+300C7C - 48 8B 13 - mov rdx,[rbx]
x2.exe+300C7F - 4C 8B 4B 08 - mov r9,[rbx+08]
x2.exe+300C83 - 49 8B DB - mov rbx,r11
x2.exe+300C86 - 48 89 54 24 28 - mov [rsp+28],rdx
x2.exe+300C8B - 4C 89 4C 24 30 - mov [rsp+30],r9
x2.exe+300C90 - 48 8B 42 18 - mov rax,[rdx+18]
x2.exe+300C94 - 4B 8D 0C 49 - lea rcx,[r9+r9*2]
x2.exe+300C98 - 48 8D 0C C8 - lea rcx,[rax+rcx*8]
x2.exe+300C9C - 41 8B 40 08 - mov eax,[r8+08]
x2.exe+300CA0 - 48 89 8C 24 C0000000 - mov [rsp+000000C0],rcx
x2.exe+300CA8 - 89 41 08 - mov [rcx+08],eax
x2.exe+300CAB - 4C 39 5C 24 50 - cmp [rsp+50],r11
x2.exe+300CB0 - 75 5E - jne x2.exe+300D10
x2.exe+300CB2 - 4D 85 D2 - test r10,r10
x2.exe+300CB5 - 74 59 - je x2.exe+300D10
x2.exe+300CB7 - 4D 8B 03 - mov r8,[r11]
x2.exe+300CBA - 49 8D 5D 10 - lea rbx,[r13+10]
x2.exe+300CBE - 45 8B D2 - mov r10d,r10d
x2.exe+300CC1 - 45 8B CA - mov r9d,r10d
x2.exe+300CC4 - 49 C1 E1 04 - shl r9,04
x2.exe+300CC8 - 4D 03 C8 - add r9,r8
x2.exe+300CCB - 49 8B 11 - mov rdx,[r9]
x2.exe+300CCE - 49 8B 49 08 - mov rcx,[r9+08]
x2.exe+300CD2 - 48 8B C2 - mov rax,rdx
x2.exe+300CD5 - 48 03 C0 - add rax,rax
x2.exe+300CD8 - 49 89 4C C0 08 - mov [r8+rax*8+08],rcx
x2.exe+300CDD - 48 03 C9 - add rcx,rcx
x2.exe+300CE0 - 49 8B 03 - mov rax,[r11]
x2.exe+300CE3 - 48 89 14 C8 - mov [rax+rcx*8],rdx
x2.exe+300CE7 - 49 8B 13 - mov rdx,[r11]
x2.exe+300CEA - 48 8B 0A - mov rcx,[rdx]
x2.exe+300CED - 48 8B C1 - mov rax,rcx
x2.exe+300CF0 - 48 03 C0 - add rax,rax
x2.exe+300CF3 - 4C 89 54 C2 08 - mov [rdx+rax*8+08],r10
x2.exe+300CF8 - 49 89 09 - mov [r9],rcx
x2.exe+300CFB - 4C 89 12 - mov [rdx],r10
x2.exe+300CFE - 48 8B 54 24 28 - mov rdx,[rsp+28]
x2.exe+300D03 - 49 C7 41 08 00000000 - mov qword ptr [r9+08],00000000
x2.exe+300D0B - 4C 8B 4C 24 30 - mov r9,[rsp+30]
x2.exe+300D10 - 48 3B D3 - cmp rdx,rbx
x2.exe+300D13 - 75 59 - jne x2.exe+300D6E
x2.exe+300D15 - 48 3B F2 - cmp rsi,rdx
x2.exe+300D18 - 75 05 - jne x2.exe+300D1F
x2.exe+300D1A - 4D 3B F1 - cmp r14,r9
x2.exe+300D1D - 74 4F - je x2.exe+300D6E
x2.exe+300D1F - 4C 8B 03 - mov r8,[rbx]
x2.exe+300D22 - 4C 8B DD - mov r11,rbp
x2.exe+300D25 - 49 C1 E3 04 - shl r11,04
x2.exe+300D29 - 4D 03 D8 - add r11,r8
x2.exe+300D2C - 45 8B CC - mov r9d,r12d
x2.exe+300D2F - 4D 03 C9 - add r9,r9
x2.exe+300D32 - 45 8B D4 - mov r10d,r12d
x2.exe+300D35 - 49 8B 13 - mov rdx,[r11]
x2.exe+300D38 - 49 8B 4B 08 - mov rcx,[r11+08]
x2.exe+300D3C - 48 8B C2 - mov rax,rdx
x2.exe+300D3F - 48 03 C0 - add rax,rax
x2.exe+300D42 - 49 89 4C C0 08 - mov [r8+rax*8+08],rcx
x2.exe+300D47 - 48 03 C9 - add rcx,rcx
x2.exe+300D4A - 48 8B 03 - mov rax,[rbx]
x2.exe+300D4D - 48 89 14 C8 - mov [rax+rcx*8],rdx
x2.exe+300D51 - 4C 8B 03 - mov r8,[rbx]
x2.exe+300D54 - 4B 8B 14 C8 - mov rdx,[r8+r9*8]
x2.exe+300D58 - 48 8B C2 - mov rax,rdx
x2.exe+300D5B - 48 03 C0 - add rax,rax
x2.exe+300D5E - 49 89 6C C0 08 - mov [r8+rax*8+08],rbp
x2.exe+300D63 - 49 89 13 - mov [r11],rdx
x2.exe+300D66 - 4B 89 2C C8 - mov [r8+r9*8],rbp
x2.exe+300D6A - 4D 89 53 08 - mov [r11+08],r10
x2.exe+300D6E - 48 83 C7 10 - add rdi,10
x2.exe+300D72 - 74 13 - je x2.exe+300D87
x2.exe+300D74 - 44 0FB7 37 - movzx r14d,word ptr [rdi]
x2.exe+300D78 - 66 41 F7 D6 - not r14w
x2.exe+300D7C - 66 41 D1 C6 - rol r14w,1
x2.exe+300D80 - 66 44 33 77 02 - xor r14w,[rdi+02]
x2.exe+300D85 - EB 06 - jmp x2.exe+300D8D
x2.exe+300D87 - 41 BE FFFF0000 - mov r14d,0000FFFF
x2.exe+300D8D - 4C 8B 9C 24 B8000000 - mov r11,[rsp+000000B8]
x2.exe+300D95 - 48 8B 84 24 C0000000 - mov rax,[rsp+000000C0]
x2.exe+300D9D - 48 8B 8C 24 B0000000 - mov rcx,[rsp+000000B0]
x2.exe+300DA5 - 66 44 89 70 0C - mov [rax+0C],r14w
x2.exe+300DAA - 0FB7 79 10 - movzx edi,word ptr [rcx+10]
x2.exe+300DAE - 0FB7 71 0E - movzx esi,word ptr [rcx+0E]
x2.exe+300DB2 - 0FB7 C7 - movzx eax,di
x2.exe+300DB5 - 66 41 33 C7 - xor ax,r15w
x2.exe+300DB9 - 0FB7 E8 - movzx ebp,ax
x2.exe+300DBC - 48 8B 44 24 20 - mov rax,[rsp+20]
x2.exe+300DC1 - 44 0FB7 50 10 - movzx r10d,word ptr [rax+10]
x2.exe+300DC6 - 0FB7 48 0C - movzx ecx,word ptr [rax+0C]
x2.exe+300DCA - 41 0FB7 D2 - movzx edx,r10w
x2.exe+300DCE - 66 C1 EA 08 - shr dx,08
x2.exe+300DD2 - 44 8B C1 - mov r8d,ecx
x2.exe+300DD5 - 49 C1 E8 08 - shr r8,08
x2.exe+300DD9 - 41 8B C2 - mov eax,r10d
x2.exe+300DDC - 48 33 C1 - xor rax,rcx
x2.exe+300DDF - 45 8B CA - mov r9d,r10d
x2.exe+300DE2 - 0FB6 C8 - movzx ecx,al
x2.exe+300DE5 - 49 C1 E9 08 - shr r9,08
x2.exe+300DE9 - 66 41 33 14 4B - xor dx,[r11+rcx*2]
x2.exe+300DEE - 0FB7 C2 - movzx eax,dx
x2.exe+300DF1 - 4C 33 C0 - xor r8,rax
x2.exe+300DF4 - 66 C1 EA 08 - shr dx,08
x2.exe+300DF8 - 41 0FB6 C0 - movzx eax,r8b
x2.exe+300DFC - 45 0FB7 C7 - movzx r8d,r15w
x2.exe+300E00 - 4D 8B FB - mov r15,r11
x2.exe+300E03 - 49 C1 E8 08 - shr r8,08
x2.exe+300E07 - 66 41 33 14 43 - xor dx,[r11+rax*2]
x2.exe+300E0C - 0FB7 DA - movzx ebx,dx
x2.exe+300E0F - 0FB7 D7 - movzx edx,di
x2.exe+300E12 - 66 C1 EA 08 - shr dx,08
x2.exe+300E16 - 8B C3 - mov eax,ebx
x2.exe+300E18 - 48 33 44 24 40 - xor rax,[rsp+40]
x2.exe+300E1D - 0FB6 C8 - movzx ecx,al
x2.exe+300E20 - 66 C1 EB 08 - shr bx,08
x2.exe+300E24 - 66 41 33 1C 4B - xor bx,[r11+rcx*2]
x2.exe+300E29 - 0FB7 C3 - movzx eax,bx
x2.exe+300E2C - 49 33 C0 - xor rax,r8
x2.exe+300E2F - 66 C1 EB 08 - shr bx,08
x2.exe+300E33 - 0FB6 C8 - movzx ecx,al
x2.exe+300E36 - 66 41 33 1C 4B - xor bx,[r11+rcx*2]
x2.exe+300E3B - 47 0FB6 9C 19 00020000 - movzx r11d,byte ptr [r9+r11+00000200]
x2.exe+300E44 - 44 8B CF - mov r9d,edi
x2.exe+300E47 - 49 C1 E9 08 - shr r9,08
x2.exe+300E4B - 43 0FB7 0C 5F - movzx ecx,word ptr [r15+r11*2]
x2.exe+300E50 - 49 33 CA - xor rcx,r10
x2.exe+300E53 - 0FB6 C1 - movzx eax,cl
x2.exe+300E56 - 46 0FB6 94 38 00020000 - movzx r10d,byte ptr [rax+r15+00000200]
x2.exe+300E5F - 40 0FB6 C5 - movzx eax,bpl
x2.exe+300E63 - 66 41 33 14 47 - xor dx,[r15+rax*2]
x2.exe+300E68 - 0FB7 C2 - movzx eax,dx
x2.exe+300E6B - 49 33 C0 - xor rax,r8
x2.exe+300E6E - 66 C1 EA 08 - shr dx,08
x2.exe+300E72 - 0FB6 C8 - movzx ecx,al
x2.exe+300E75 - 41 0FB7 C6 - movzx eax,r14w
x2.exe+300E79 - 66 41 33 14 4F - xor dx,[r15+rcx*2]
x2.exe+300E7E - 44 0FB7 C2 - movzx r8d,dx
x2.exe+300E82 - 41 0FB7 D6 - movzx edx,r14w
x2.exe+300E86 - 41 8B C8 - mov ecx,r8d
x2.exe+300E89 - 48 C1 EA 08 - shr rdx,08
x2.exe+300E8D - 48 33 C8 - xor rcx,rax
x2.exe+300E90 - 66 41 C1 E8 08 - shr r8w,08
x2.exe+300E95 - 0FB6 C1 - movzx eax,cl
x2.exe+300E98 - 66 45 33 04 47 - xor r8w,[r15+rax*2]
x2.exe+300E9D - 41 0FB7 C0 - movzx eax,r8w
x2.exe+300EA1 - 48 33 D0 - xor rdx,rax
x2.exe+300EA4 - 66 41 C1 E8 08 - shr r8w,08
x2.exe+300EA9 - 0FB6 C2 - movzx eax,dl
x2.exe+300EAC - 43 0FB6 94 39 00020000 - movzx edx,byte ptr [r9+r15+00000200]
x2.exe+300EB5 - 45 0FB7 CB - movzx r9d,r11w
x2.exe+300EB9 - 66 47 33 0C 57 - xor r9w,[r15+r10*2]
x2.exe+300EBE - 41 BB 00FF0000 - mov r11d,0000FF00
x2.exe+300EC4 - 66 45 33 04 47 - xor r8w,[r15+rax*2]
x2.exe+300EC9 - 41 0FB7 0C 57 - movzx ecx,word ptr [r15+rdx*2]
x2.exe+300ECE - 48 33 CF - xor rcx,rdi
x2.exe+300ED1 - 0FB6 C1 - movzx eax,cl
x2.exe+300ED4 - 66 41 C1 E1 08 - shl r9w,08
x2.exe+300ED9 - 42 0FB6 8C 38 00020000 - movzx ecx,byte ptr [rax+r15+00000200]
x2.exe+300EE2 - 0FB7 C3 - movzx eax,bx
x2.exe+300EE5 - 66 41 33 14 4F - xor dx,[r15+rcx*2]
x2.exe+300EEA - 66 41 23 C3 - and ax,r11w
x2.exe+300EEE - 66 44 33 C8 - xor r9w,ax
x2.exe+300EF2 - 66 C1 E2 08 - shl dx,08
x2.exe+300EF6 - 41 0FB7 C2 - movzx eax,r10w
x2.exe+300EFA - 41 80 E4 0F - and r12b,0F
x2.exe+300EFE - 66 33 C3 - xor ax,bx
x2.exe+300F01 - 41 BA FF000000 - mov r10d,000000FF
x2.exe+300F07 - 66 41 23 C2 - and ax,r10w
x2.exe+300F0B - 66 44 0B C8 - or r9w,ax
x2.exe+300F0F - 41 0FB7 C0 - movzx eax,r8w
x2.exe+300F13 - 66 41 23 C3 - and ax,r11w
x2.exe+300F17 - 66 33 D0 - xor dx,ax
x2.exe+300F1A - 0FB7 C1 - movzx eax,cx
x2.exe+300F1D - 66 41 33 C0 - xor ax,r8w
x2.exe+300F21 - 66 41 23 C2 - and ax,r10w
x2.exe+300F25 - 66 0B D0 - or dx,ax
x2.exe+300F28 - 48 8B 84 24 C8000000 - mov rax,[rsp+000000C8]
x2.exe+300F30 - 66 44 33 CA - xor r9w,dx
x2.exe+300F34 - 48 8B 94 24 C0000000 - mov rdx,[rsp+000000C0]
x2.exe+300F3C - 66 44 33 CF - xor r9w,di
x2.exe+300F40 - 8B 48 08 - mov ecx,[rax+08]
x2.exe+300F43 - 80 E1 0F - and cl,0F
x2.exe+300F46 - 66 44 89 4A 10 - mov [rdx+10],r9w
x2.exe+300F4B - 66 45 33 CE - xor r9w,r14w
x2.exe+300F4F - 66 41 D3 C1 - rol r9w,cl
x2.exe+300F53 - 41 0FB6 CC - movzx ecx,r12b
x2.exe+300F57 - 66 D3 C5 - rol bp,cl
x2.exe+300F5A - 66 44 89 4A 0E - mov [rdx+0E],r9w
x2.exe+300F5F - 66 3B EE - cmp bp,si
x2.exe+300F62 - 74 21 - je x2.exe+300F85
x2.exe+300F64 - 48 8B 84 24 B0000000 - mov rax,[rsp+000000B0]
x2.exe+300F6C - 66 41 F7 D1 - not r9w
x2.exe+300F70 - 66 44 89 4A 0E - mov [rdx+0E],r9w
x2.exe+300F75 - 49 8B 4D 28 - mov rcx,[r13+28]
x2.exe+300F79 - 8B 40 08 - mov eax,[rax+08]
x2.exe+300F7C - 89 41 08 - mov [rcx+08],eax
x2.exe+300F7F - 33 C0 - xor eax,eax
x2.exe+300F81 - 66 89 41 0E - mov [rcx+0E],ax
x2.exe+300F85 - 48 8B 44 24 20 - mov rax,[rsp+20]
x2.exe+300F8A - 33 C9 - xor ecx,ecx
x2.exe+300F8C - 48 89 08 - mov [rax],rcx
x2.exe+300F8F - 89 48 08 - mov [rax+08],ecx
x2.exe+300F92 - B9 FFFF0000 - mov ecx,0000FFFF
x2.exe+300F97 - 66 89 48 10 - mov [rax+10],cx
x2.exe+300F9B - C7 40 0C FFFFFFFF - mov [rax+0C],FFFFFFFF
x2.exe+300FA2 - 48 83 C4 68 - add rsp,68
x2.exe+300FA6 - 41 5F - pop r15
x2.exe+300FA8 - 41 5E - pop r14
x2.exe+300FAA - 41 5D - pop r13
x2.exe+300FAC - 41 5C - pop r12
x2.exe+300FAE - 5F - pop rdi
x2.exe+300FAF - 5E - pop rsi
x2.exe+300FB0 - 5D - pop rbp
x2.exe+300FB1 - 5B - pop rbx
x2.exe+300FB2 - C3 - ret

I tried skipping the entire function to see what would happen by using the following script:

Code:
[ENABLE]

alloc(newskip,2048)
label(skipreturn)


newskip:
jmp skipreturn


x2.exe+300AF0:
jmp newskip
nop

skipreturn:
ret

[DISABLE]

x2.exe+300AF0:
mov [rsp+20], r9
mov [rsp+18], r8
push rbx
push rbp

dealloc(newskip)

What happens when I enable this script?

The game doesn’t crash anymore.
I no longer have cooldowns.
There is no MP (mana points) cost.
My HP (health points) doesn’t decrease.

However, here’s the problem:

I don’t deal any damage to mobs (monsters), so I can’t clear the dungeon.
If I disable the script again, the game freezes and crashes.

What happens if I enable it before entering a dungeon?

The dungeon auto-clears itself.
All mobs are dead upon spawn, including my own character, and I can’t revive.

My question:

Is there something wrong with my code, or is the game crashing because skipping the function causes the game values to become invalid over time?
Why is it that enabling this before entering the dungeon kills everything, including my character?

I don’t understand what I’m looking at. Can someone help me figure this out?

_________________
Beginner
ParkourPenguin (I post too much, Reputation: 152, Joined: 06 Jul 2014, Posts: 4695)
Posted: Wed Jan 22, 2025 2:14 pm

That isn't a typical indie dev "let's xor the value with this value right next to it" type of obfuscation. The new value seems to be calculated from at least 2 other sources (first and third parameters to that function), both of which are potentially far away from the address of the value you're interested in.

I haven't really looked at the rest of the function. It reads some stuff from thread-local storage and does a bunch of bitwise operations (perhaps progressing a PRNG or creating a hash).

Maybe a function that just reads from that address would tell a simpler story.

Luantic wrote:
...is the game crashing because skipping the function causes the game values to become invalid over time?
Why is it that enabling this before entering the dungeon kills everything, including my character?

It's not that the values become invalid, but that they were never allowed to be valid in the first place. You skipped over the code that initialized them.

Luantic wrote:
Code:
[ENABLE]

alloc(newskip,2048)
label(skipreturn)


newskip:
jmp skipreturn


x2.exe+300AF0:
jmp newskip
nop

skipreturn:
ret

[DISABLE]

x2.exe+300AF0:
mov [rsp+20], r9
mov [rsp+18], r8
push rbx
push rbp

dealloc(newskip)

Your code injection does nothing, the `jmp` to your code at the injection point is a mess, the `ret` is written after the injection point, and the script might not write enough bytes back when disabled. You're lucky you can enable the script and it'll "work", but don't ever disable the script.
Use the "Full injection" template if the code is in a module and you don't want to do an AOB scan.

In this case, most of the code from the "full injection" template can be removed:
Code:
define(address,x2.exe+300AF0)
define(bytes,4C 89 4C 24 20)

[ENABLE]
assert(address,bytes)

address:
  ret

[DISABLE]
address:
  db bytes


PS: if that game is the same game as what a quick search seems to suggest, you should probably stop. Multiplayer games are banned for a reason.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
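The byte-count problem in the two scripts above can be checked mechanically. What follows is an added example, not code from the thread and not Cheat Engine's own code: a Python script that parses the "module+offset - bytes - mnemonic" dump Luantic posted, works out which original instructions a patch at x2.exe+300AF0 overwrites, where the `ret` of the first script actually lands, and what the [DISABLE] section must write back. Two things are assumed and marked as such in the comments: that CE assembles `jmp newskip` as a 5-byte E9 rel32 when the alloc is within +/-2 GiB of the injection point and as a 14-byte absolute jump otherwise, and that the four instructions the first script's [DISABLE] re-assembles encode to the same 12 bytes the dump shows. The sample dump is the first nine lines of the posted listing.

```python
"""Added example (not from the thread or from Cheat Engine): check an auto
assembler patch against a CE-style "module+offset - bytes - mnemonic" dump:
which instructions a patch clobbers, whether [DISABLE] writes enough back,
and the `db ...` line that restores whole instructions."""
from __future__ import annotations
from dataclasses import dataclass

INJECT = "x2.exe+300AF0"
# Constructed sample: the first nine instructions of the function in the post.
DUMP = """\
x2.exe+300AF0 - 4C 89 4C 24 20 - mov [rsp+20],r9
x2.exe+300AF5 - 4C 89 44 24 18 - mov [rsp+18],r8
x2.exe+300AFA - 53 - push rbx
x2.exe+300AFB - 55 - push rbp
x2.exe+300AFC - 56 - push rsi
x2.exe+300AFD - 57 - push rdi
x2.exe+300AFE - 41 54 - push r12
x2.exe+300B00 - 41 55 - push r13
x2.exe+300B02 - 41 56 - push r14
"""

@dataclass(frozen=True)
class Instr:
    module: str
    offset: int   # offset from the module base, as CE prints it
    code: bytes   # encoded instruction bytes
    asm: str

    @property
    def end(self) -> int:
        return self.offset + len(self.code)

def parse_addr(text: str) -> tuple[str, int]:
    """'x2.exe+300AF0' -> ('x2.exe', 0x300AF0)."""
    module, _, off = text.strip().partition("+")
    if not off:
        raise ValueError(f"expected module+offset, got {text!r}")
    return module, int(off, 16)

def parse_dump(text: str) -> list[Instr]:
    """CE prints an immediate as one hex blob (e.g. ABAAAAAAAAAAAAAA), so a token may hold several bytes."""
    instrs = []
    for line in filter(None, map(str.strip, text.splitlines())):
        addr, hexs, asm = line.split(" - ", 2)
        module, offset = parse_addr(addr)
        code = b"".join(bytes.fromhex(tok) for tok in hexs.split())
        instrs.append(Instr(module, offset, code, asm.strip()))
    for a, b in zip(instrs, instrs[1:]):  # size arithmetic needs a gapless listing
        if a.end != b.offset:
            raise ValueError(f"gap between {a.asm!r} and {b.asm!r}")
    return instrs

def locate(instrs: list[Instr], addr: str) -> tuple[Instr, int]:
    """Instruction containing addr, and how many bytes into it addr lies (0 = boundary)."""
    _, off = parse_addr(addr)
    for ins in instrs:
        if ins.offset <= off < ins.end:
            return ins, off - ins.offset
    raise ValueError(f"{addr} is outside the dump")

def clobbered(instrs: list[Instr], addr: str, patch_len: int) -> list[Instr]:
    """Original instructions overlapped by patch_len bytes written at addr."""
    _, start = parse_addr(addr)
    stop = start + patch_len
    hit = [i for i in instrs if i.offset < stop and i.end > start]
    if not hit or hit[-1].end < stop:
        raise ValueError("patch runs past the end of the dump")
    return hit

def restore_line(instrs: list[Instr], addr: str, patch_len: int) -> str:
    """The `db ...` line that puts every touched instruction back whole."""
    ins, into = locate(instrs, addr)
    if into:
        raise ValueError(f"{addr} is {into} byte(s) inside {ins.asm!r}")
    raw = b"".join(i.code for i in clobbered(instrs, addr, patch_len))
    return "db " + " ".join(f"{b:02X}" for b in raw)

def analyse(instrs: list[Instr], addr: str, patch_len: int, disable_len: int) -> dict:
    """[DISABLE] undoes the patch only if the original bytes it writes at addr cover every changed byte."""
    return {"patch_bytes": patch_len,
            "clobbered": [i.asm for i in clobbered(instrs, addr, patch_len)],
            "restore_db": restore_line(instrs, addr, patch_len),
            "disable_writes": disable_len,
            "ok": disable_len >= patch_len}

# Assumption about CE: `jmp newskip` is a 5-byte E9 rel32 when the alloc lies within
# +/-2 GiB of the injection point and a 14-byte absolute jump (FF 25 00000000 + 8-byte
# target) otherwise; nop and ret are 1 byte each.  Assumption: the four instructions
# the poster's [DISABLE] re-assembles encode to the same 5 + 5 + 1 + 1 bytes as the dump.
ORIGINAL_DISABLE_LEN = 5 + 5 + 1 + 1

def original_script(instrs: list[Instr], far_alloc: bool) -> dict:
    """The poster's script: jmp newskip / nop / skipreturn: ret at INJECT."""
    jmp_len = 14 if far_alloc else 5
    report = analyse(instrs, INJECT, jmp_len + 1 + 1, ORIGINAL_DISABLE_LEN)
    module, base = parse_addr(INJECT)       # where does the `ret` actually land?
    ret_ins, into = locate(instrs, f"{module}+{base + jmp_len + 1:X}")
    report["ret_inside"], report["ret_offset"] = ret_ins.asm, into
    return report

def fixed_script(instrs: list[Instr]) -> dict:
    """The suggested fix: a 1-byte `ret`, restored with `db 4C 89 4C 24 20`."""
    return analyse(instrs, INJECT, 1, 5)

if __name__ == "__main__":
    listing = parse_dump(DUMP)
    print(original_script(listing, False), original_script(listing, True), fixed_script(listing), sep="\n")
```

Under these assumptions the first script's `ret` sits one byte into `mov [rsp+18],r8` in the near-alloc case, and the 12 re-assembled bytes happen to cover the 7 that were changed, which is why enabling it "works". With a far alloc the patch is 16 bytes, so writing 12 back leaves the tail of the absolute jump, the nop and the ret in place. The `ret` plus `db bytes` form needs no such luck: it changes one byte and restores the whole first instruction.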
All times are GMT - 6 Hours