Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
This JiT compiled game drives me crazy

ionut_baluca
Newbie cheater
Reputation: 0

Joined: 08 Jan 2016
Posts: 23

Posted: Fri Jan 30, 2026 10:57 am    Post subject: This JiT compiled game drives me crazy

Hi guys, I'm a casual CE user and I'm having difficulties in a game that is making me go crazy.

So I'm trying to find a stable AoB for this browser game that uses a JiT (just in time) compiler every time it generates a sandbox battle. So basically in the battle it's pretty easy to find the address (double, same value as shown on screen) and editing it works just fine.

I went and looked at what writes to this address to find the current HP (global shared) function, and it's something like [rdx+03],xmm1. Pretty simple, right? But after a reload it becomes [rax+03],xmm0 or [rdi+03],xmm1.

So I've tried to somehow AoB this function, and even by using (??) in the AoB for the registers that usually change I find way too many addresses, like 20+.

I'm trying to find a stable AoB to directly hook the current HP function in the hope of creating a 1hit script.

Example of the code:


Code:
7FFFB3BDC15C - 75 0B                 - jne 7FFFB3BDC169
7FFFB3BDC15E - D1 FA                 - sar edx,1
7FFFB3BDC160 - C5832ACA              - vcvtsi2sd xmm1,r15d,edx
7FFFB3BDC164 - E9 16000000           - jmp 7FFFB3BDC17F
7FFFB3BDC169 - 44 8B 52 FF           - mov r10d,[rdx-01]
7FFFB3BDC16D - 41 81 FA 15050000     - cmp r10d,00000515 { 1301 }
7FFFB3BDC174 - 0F85 79040000         - jne 7FFFB3BDC5F3
7FFFB3BDC17A - C5FB104A 03           - vmovsd xmm1,[rdx+03]
7FFFB3BDC17F - C5FB58C1              - vaddsd xmm0,xmm0,xmm1
7FFFB3BDC183 - C5FB1140 03           - vmovsd [rax+03],xmm0
7FFFB3BDC188 - C5F957C0              - vxorpd xmm0,xmm0,xmm0
7FFFB3BDC18C - E9 86010000           - jmp 7FFFB3BDC317


vmovsd [rax+03],xmm0 is the current health function in this case; the offset is the only thing that is always the same (03), but if the xmm register is xmm1 for example, the function above it, vaddsd xmm0,xmm0,xmm1, also changes to something like xmm1,xmm1,xmm2.

What's constant so far is that the xmm register is always 0 or 1. The offset is always 03.

Other values like energy, shield, heals, damage are also stored in similar functions, and every time I try an AoB, even with wildcards, I get 20+ results. Any idea on how I could create an AoB that specifically targets the function of current HP?

This is how it changed after a reload, which is quite lucky considering it kept the same xmm register and rax register. Now how do I make an AoB that considers the possibility of rax changing into rdi or something else, and xmm being 1 or 0? I mean even 2 AoBs would work (1 for xmm1 and 1 for xmm0).

Code:
7FFFB2EED6E4 - E9 16000000           - jmp 7FFFB2EED6FF
7FFFB2EED6E9 - 44 8B 52 FF           - mov r10d,[rdx-01]
7FFFB2EED6ED - 41 81 FA 15050000     - cmp r10d,00000515 { 1301 }
7FFFB2EED6F4 - 0F85 79040000         - jne 7FFFB2EEDB73
7FFFB2EED6FA - C5FB104A 03           - vmovsd xmm1,[rdx+03]
7FFFB2EED6FF - C5FB58C1              - vaddsd xmm0,xmm0,xmm1
7FFFB2EED703 - C5FB1140 03           - vmovsd [rax+03],xmm0
7FFFB2EED708 - C5F957C0              - vxorpd xmm0,xmm0,xmm0
7FFFB2EED70C - E9 86010000           - jmp 7FFFB2EED897



EDIT: SOLVED

Solution for newbies that might find the same problem sometime:

After a few hours I managed to find out that a part of the function never changes, so I took advantage of that in my script (did not even know you could do that before) to make 2 AoB scans. The initial function for me looks like this:

Code:
7FFFB334B7E4 - E9 16000000           - jmp 7FFFB334B7FF
7FFFB334B7E9 - 44 8B 52 FF           - mov r10d,[rdx-01]
7FFFB334B7ED - 41 81 FA 15050000     - cmp r10d,00000515 { 1301 }
7FFFB334B7F4 - 0F85 79040000         - jne 7FFFB334BC73
7FFFB334B7FA - C5FB104A 03           - vmovsd xmm1,[rdx+03]
7FFFB334B7FF - C5FB58C1              - vaddsd xmm0,xmm0,xmm1
7FFFB334B803 - C5FB1140 03           - vmovsd [rax+03],xmm0
7FFFB334B808 - C5F957C0              - vxorpd xmm0,xmm0,xmm0



So I noticed that
Code:
7FFFB334B7E9 - 44 8B 52 FF           - mov r10d,[rdx-01]
7FFFB334B7ED - 41 81 FA 15050000     - cmp r10d,00000515 { 1301 }


does not change, so I made my script do 2 aobscans. The first one will get us to the memory area where our Health is stored by aobscanning for "44 8B 52 FF 41 81 FA 15 05 00 00 0F 85 ?? ?? ?? ?? C5 ?? ?? ?? 03". Then the second aobscan will go to "C5 F? ?? ?? 03 C5 F? ?? ??". I then managed to find the offset of my team and enemy team and made a 1hit script.
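As an added illustration (not code from the post or from Cheat Engine itself), here is a small Python array-of-bytes matcher that accepts the same nibble wildcards ("F?", "??") the post's patterns use. It runs the post's two patterns over the bytes of the first listing and over a hand-encoded variant in which the JIT picked different registers; the RENAMED buffer and the encodings named in its comment are my own construction, not taken from the game.

```python
from typing import List, Tuple

def parse_pattern(pattern: str) -> List[Tuple[int, int]]:
    """'C5 F? ?? 03' -> (value, mask) per byte; each '?' nibble gets mask 0."""
    out = []
    for tok in pattern.split():
        if len(tok) != 2:
            raise ValueError(f"bad token {tok!r}: want two hex digits or '?'")
        value = mask = 0
        for ch in tok:
            value, mask = value << 4, mask << 4
            if ch != "?":
                value, mask = value | int(ch, 16), mask | 0xF
        out.append((value, mask))
    return out

def find_all(data: bytes, pattern: str, start: int = 0) -> List[int]:
    """Every offset >= start where pattern matches under its mask (CE-style AoB)."""
    pat = parse_pattern(pattern)
    return [i for i in range(start, len(data) - len(pat) + 1)
            if all((data[i + j] & m) == v for j, (v, m) in enumerate(pat))]

# Bytes of the first listing in the post, copied from its hex column (jne .. jmp).
ORIGINAL = bytes.fromhex(
    "750B D1FA C5832ACA E916000000 448B52FF 4181FA15050000 0F8579040000"
    "C5FB104A03 C5FB58C1 C5FB114003 C5F957C0 E986010000")
# Constructed variant with the JIT's register choice changed: vmovsd xmm2,[rdx+03];
# vaddsd xmm1,xmm1,xmm2; vmovsd [rdi+03],xmm1; vxorpd xmm1,xmm1,xmm1 (hand-encoded).
RENAMED = bytes.fromhex(
    "750B D1FA C5832ACA E916000000 448B52FF 4181FA15050000 0F8579040000"
    "C5FB105203 C5F358CA C5FB114F03 C5F157C9 E986010000")

ANCHOR = "44 8B 52 FF 41 81 FA 15 05 00 00 0F 85 ?? ?? ?? ?? C5 ?? ?? ?? 03"
STORE_AREA = "C5 F? ?? ?? 03 C5 F? ?? ??"   # post's second scan: VEX load, VEX op
EXACT_STORE = "C5 FB 11 40 03"              # vmovsd [rax+03],xmm0, no wildcards

def two_stage_scan(data: bytes) -> Tuple[List[int], List[int]]:
    """Stage 1 locates the stable anchor; stage 2 searches only from there on."""
    anchors = find_all(data, ANCHOR)
    second = find_all(data, STORE_AREA, start=anchors[0]) if anchors else []
    return anchors, second

if __name__ == "__main__":
    for name, buf in (("original", ORIGINAL), ("renamed", RENAMED)):
        print(name, "exact:", find_all(buf, EXACT_STORE), "two-stage:", two_stage_scan(buf))
```

The exact store bytes match only the original buffer, while the anchor pattern and the second pattern hit the same offsets in both buffers, which is why the two-stage scan survives the register renaming. Note that the second pattern also matches the store/vxorpd pair nine bytes after the load/vaddsd pair, so starting that scan from the anchor and taking the first hit is what makes the result predictable.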