Cheat Engine Tutorial

Posted: Fri Mar 03, 2017 10:37 pm
by Kalas
So I'm having an issue with this one. I'm at Step 9 of the Tutorial; I know how to cmp shared instructions with Player and Enemy.

But for some reason there is no group difference in the Dissect Data:

So Dave+Eric and Hal+Kitt.

In the Dissect Data Dave, Eric and Kitt have the same value of 4 but Hal has 3; there is nothing else that shows a group difference.

My code also includes an ohk which I'm not sure I've set up correctly, so could someone tell me if I wrote it right:

Code:

[ENABLE]
alloc(newmem,2048,"Tutorial-x86_64.exe"+2E0B7)
label(returnhere)
label(ohk)
label(originalcode)
label(exit)

newmem:
cmp [rbx+18],4 // Offset and Value is not right, it's just for demonstration.
jne ohk // not group 1: fall through to the enemy check instead of the original write
mov [rbx+08],(float)100 // group 1: force full health
jmp exit // skip the ohk check and the original write, otherwise xmm0 overwrites the 100

ohk:
cmp [rbx+18],3 // Offset and Value is not right, it's just for demonstration.
jne originalcode
xorps xmm0,xmm0 // zero xmm0 so the write below stores 0 health
movss [rbx+08],xmm0

originalcode:
movss [rbx+08],xmm0

exit:
jmp returnhere

"Tutorial-x86_64.exe"+2E0B7:
jmp newmem
returnhere:

[DISABLE]
dealloc(newmem)
"Tutorial-x86_64.exe"+2E0B7:
movss [rbx+08],xmm0
//Alt: db F3 0F 11 43 08
Could someone go over the Tutorial to Step 9 and see what I mean in the Dissect Data? And is there any other way of making the Script work so Group 1 (Me) won't die?


Re: Cheat Engine Tutorial

Posted: Fri Mar 03, 2017 10:41 pm
by ++METHOS
The structure that CE creates is dynamic, based on various data, and is basically a best-guess result. If you notice, offset 4 isn't even showing up. Furthermore, the strings for each name are shown, and those can be used for your compare.

Re: Cheat Engine Tutorial

Posted: Fri Mar 03, 2017 10:42 pm
by Kalas
Could you explain what you mean? Is there any specific thing I should try?

EDIT: I'm going to try something.

Although, is my ohk right?

Re: Cheat Engine Tutorial

Posted: Fri Mar 03, 2017 10:43 pm
by ++METHOS
You edited your post, so I edited mine. :D

Re: Cheat Engine Tutorial

Posted: Fri Mar 03, 2017 10:46 pm
by Kalas
If I wanted to make a standalone Script for ohk, could I just do this:

Code:

[ENABLE]
alloc(newmem,2048,"Tutorial-x86_64.exe"+2E0B7)
label(returnhere)
label(originalcode)
label(exit)

newmem:
cmp [rbx+18],3 // enemy group only
jne originalcode
xorps xmm0,xmm0 // zero xmm0 so the original write stores 0 health
movss [rbx+08],xmm0

originalcode:
movss [rbx+08],xmm0

exit:
jmp returnhere

"Tutorial-x86_64.exe"+2E0B7:
jmp newmem
returnhere:

[DISABLE]
dealloc(newmem)
"Tutorial-x86_64.exe"+2E0B7:
movss [rbx+08],xmm0
//Alt: db F3 0F 11 43 08

Re: Cheat Engine Tutorial

Posted: Fri Mar 03, 2017 10:46 pm
by Kalas
++METHOS wrote (Fri Mar 03, 2017 10:41 pm):
The structure that CE creates is dynamic, based on various data, and is basically a best-guess result. If you notice, offset 4 isn't even showing up. Furthermore, the strings for each name are shown, and those can be used for your compare.

Could you post the code with the suggestion you made? How could I use Strings with my Script? I'm not familiar with this kind of stuff.

Re: Cheat Engine Tutorial

Posted: Fri Mar 03, 2017 10:51 pm
by Kalas
Looks like I was on the 64-bit Tutorial for some reason. I relaunched it and skipped to the 9th step again, and this is my code:

Code:

[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem:
cmp [ebx+10],1 // Offset of 10 and Value of 1 - Value 1 Is for Group 1 and Value 2 is Group 2
jne originalcode
fldz // fldz is part of the 5 overwritten bytes (D9 EE), so it must still run when the health write is skipped
jmp exit

originalcode:
mov [ebx+04],eax
fldz

exit:
jmp returnhere

"Tutorial-i386.exe"+26537:
jmp newmem
returnhere:

[DISABLE]
dealloc(newmem)
"Tutorial-i386.exe"+26537:
mov [ebx+04],eax
fldz
//Alt: db 89 43 04 D9 EE
This is a Script for ohk. Is that the right format, or did I miss something?

Code:

[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem:
cmp [ebx+10],2 // Group 2 is the enemy
jne originalcode
mov [ebx+04],(float)0 // write 0 health instead of the value in eax
fldz // part of the overwritten bytes, must still run on this path
jmp exit

originalcode:
mov [ebx+04],eax
fldz

exit:
jmp returnhere

"Tutorial-i386.exe"+26537:
jmp newmem
returnhere:

[DISABLE]
dealloc(newmem)
"Tutorial-i386.exe"+26537:
mov [ebx+04],eax
fldz
//Alt: db 89 43 04 D9 EE
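Added example (not from the thread or from Cheat Engine): a Python integrity check of the kind a game's anti-tamper routine or a defender's memory scanner uses to notice that the five original bytes (`89 43 04 D9 EE`) at "Tutorial-i386.exe"+26537 have been replaced by a `jmp newmem` pointing outside the module. The module base and size and the newmem address are assumed values; the bytes and offset are the ones from the scripts above.

```python
import struct

# Constructed values: base/size of the image and the page alloc() returned
# are assumptions; ORIGINAL_BYTES and HOOK_RVA come from the //Alt: db line.
MODULE_BASE = 0x400000                          # assumed image base of Tutorial-i386.exe
MODULE_SIZE = 0x100000                          # assumed image size
HOOK_RVA = 0x26537                              # "Tutorial-i386.exe"+26537
ORIGINAL_BYTES = bytes.fromhex("894304D9EE")    # mov [ebx+04],eax / fldz
NEWMEM = 0x02A60000                             # assumed page returned by alloc(newmem,2048)


def encode_rel32_jmp(src_va: int, dst_va: int) -> bytes:
    """E9 rel32: the displacement is relative to the end of the 5-byte jmp."""
    rel = dst_va - (src_va + 5)
    if not -2**31 <= rel < 2**31:
        raise ValueError("target not reachable with a rel32 jmp")
    return b"\xE9" + struct.pack("<i", rel)


def check_code_region(observed: bytes, expected: bytes, va: int) -> list:
    """Compare a guarded instruction against its known-good bytes and flag a
    near jmp whose target lies outside the module image (classic inline hook)."""
    findings = []
    seen = observed[:len(expected)]
    if seen != expected:
        findings.append(f"bytes at {va:#x} changed: {seen.hex()} (expected {expected.hex()})")
    if len(observed) >= 5 and observed[0] == 0xE9:
        rel = struct.unpack_from("<i", observed, 1)[0]
        target = (va + 5 + rel) & 0xFFFFFFFF      # 32-bit address arithmetic
        if not MODULE_BASE <= target < MODULE_BASE + MODULE_SIZE:
            findings.append(f"jmp at {va:#x} leaves the module image -> {target:#x}")
    return findings


def demo():
    """Return the findings for the untouched code and for the hooked code."""
    va = MODULE_BASE + HOOK_RVA
    clean = ORIGINAL_BYTES + b"\x90" * 3                # constructed: original bytes plus filler
    hooked = encode_rel32_jmp(va, NEWMEM) + clean[5:]   # what [ENABLE] leaves in the code page
    return check_code_region(clean, ORIGINAL_BYTES, va), check_code_region(hooked, ORIGINAL_BYTES, va)


if __name__ == "__main__":
    for label, findings in zip(("clean", "hooked"), demo()):
        print(label, findings or ["ok"])
```

After [DISABLE] restores the original bytes the check returns no findings again, which is the same comparison the `//Alt: db` line lets you do by hand.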

Re: Cheat Engine Tutorial

Posted: Fri Mar 03, 2017 10:57 pm
by ++METHOS
In this case, your instruction is this:

movss [rbx+08],xmm0

rbx = base address of structure, which is why you have -8 after all of your addresses (health value is stored at [rbx+08]).

The ID strings are stored at [base+19], or [rbx+19].

That being the case:

Code:

newmem:
cmp dword ptr [rbx+19],'Dave' //you can also compare against hex value
je dave
cmp dword ptr [rbx+19],'Eric'
je Eric
cmp dword ptr [rbx+19],'HAL'
je HAL
cmp dword ptr [rbx+19],'KITT'
je KITT
jmp originalcode

There are many ways to do this.

Re: Cheat Engine Tutorial

Posted: Fri Mar 03, 2017 10:59 pm
by ++METHOS
One-hit kill scripts can be done many different ways, depending on how the code is being handled.

I have not looked at the CE tutorial in a long time, so I do not know how the data is being handled. If you are working from a write instruction, then you'll probably want to set your values to 0. If you are working from a read instruction, then you want to check if value is 1 or greater, if not, set to 1...if 1, jmp to originalcode.

Re: Cheat Engine Tutorial

Posted: Fri Mar 03, 2017 11:01 pm
by Kalas
Yea, so I found that offset 10 with value 2 is the Enemy.

So I simply did mov [ebx+04],(float)0.

But first I went to newmem:

cmp [ebx+10],2
jne originalcode
mov [ebx+04],(float)0
jmp exit


I just hope that it's the right way to do it even if I have another script above with Infinite Health; I just hope it won't conflict, you know. It's not just for the Tutorial, it's more general game hacking.

Re: Cheat Engine Tutorial

Posted: Fri Mar 03, 2017 11:18 pm
by ++METHOS
I wrote a table for you as an example:

Re: Cheat Engine Tutorial

Posted: Fri Mar 03, 2017 11:21 pm
by Kalas
Oh so simply keep writing 0 to eax, and eax writes back to [ebx+04].

Am I right? But yea, I understand what you did there.

What's the dd for? Oh, I understand, never mind.

Re: Cheat Engine Tutorial

Posted: Fri Mar 03, 2017 11:34 pm
by ++METHOS
As previously stated, scripts may vary, depending on how the data is being handled. For example, some games have a death sequence that must happen after or right before the health value becomes 0, and some games require weird values for certain events to actually happen.
Code:

newmem:
cmp [eax+04],(float)1.0
jge @f // already at 1.0 or more: leave the value alone
mov [eax+04],(float)1.0
jmp originalcode

@@: // target of the jge @f above
originalcode:
//code here

In this case, assuming that you are injecting using a read instruction (or any instruction that is constantly accessing health values), instead of forcing the health to be nothing, you are setting it to almost nothing, allowing the originalcode to execute, in the case where a flag needs to be set in order for the death sequence to occur. Also, for some games, you may not want instant death (as that will cause all characters to die, even if you do not attack them), which will defeat the purpose of the one-hit kill cheat.