I need help with reading partial data from RAX without crashing the game.

Memory scanning, code injection, debugger internals and other gamemodding related discussion
Post Reply
TheByteSize
Expert Cheater
Expert Cheater
Posts: 293
Joined: Sat Mar 04, 2017 7:28 am
Reputation: 232

I need help with reading partial data from RAX without crashing the game.

Post by TheByteSize »

I'm trying to copy [rax+04] which is where it contains 4 bytes of new EXP value then subtract it against [rbx+08] where it contains original EXP value so I can make multiplier for EXP gain. The below code is where the game write new EXP. This same line manipulate both character EXP and skill EXP.
At this position of code, rdx has all F and r8 and r15 are 0 so I can safely use any of those internal register if need be.
So far, I can read rax into a symbol and view the break down of data but when I try to copy [rax+04], the game crash.

Code: Select all

mov rax,[r14]
mov [rbx+04], rax

User avatar
seikur0
Code Alchemist
Code Alchemist
Posts: 440
Joined: Sat Aug 26, 2017 10:48 am
Reputation: 339

Re: I need help with reading partial data from RAX without crashing the game.

Post by seikur0 »

For clarification, before your first line, does [rax+04] contains the new xp value?
You say this is where the game writes new xp, but it gets written into [rbx+04]?
So are rax and rbx the same before your first line?
And is [r14] the new xp, which was just calculated?

TheByteSize
Expert Cheater
Expert Cheater
Posts: 293
Joined: Sat Mar 04, 2017 7:28 am
Reputation: 232

Re: I need help with reading partial data from RAX without crashing the game.

Post by TheByteSize »

seikur0 wrote:
Wed Sep 13, 2017 4:11 pm
For clarification, before your first line, does [rax+04] contains the new xp value?
You say this is where the game writes new xp, but it gets written into [rbx+04]?
So are rax and rbx the same before your first line?
And is [r14] the new xp, which was just calculated?
Before the first line, there is a Call statement and [r14] seems to contain the address of which point to location where it has new calculated EXP. I did not verify rax and [rbx+04] between the two lines.

User avatar
seikur0
Code Alchemist
Code Alchemist
Posts: 440
Joined: Sat Aug 26, 2017 10:48 am
Reputation: 339

Re: I need help with reading partial data from RAX without crashing the game.

Post by seikur0 »

Ah I think I can guess, what's the problem here...

So do it like this:

Code: Select all

mov rax,[r14]
sub rax,[rbx+04]

push rax
fild qword ptr [esp]
fld qword ptr [p_xpmod] // Add a label for p_xpmod and register it as symbol and initialize it to (float)1.0
fmulp
fist dword ptr [esp]
pop rax

add rax,[rbx+04]
mov [rbx+04], rax
Or the simple way:

Code: Select all

mov rax,[r14]
sub rax,[rbx+04]

imul rax,10 //meaning the xp gets multiplied by 10

add rax,[rbx+04]
mov [rbx+04], rax
First of all the xp should be 8 byte, at least according to your source code?
Your problem is, that [rax+04] isn't the address of the 4 byte xp value, but it's rax itself, so no pointer here. The brackets make the game crash, because of a null pointer exception.

Or is it like 8 byte: XXXX YYYY and the XXXX bytes are something else, while YYYY is the xp?

TheByteSize
Expert Cheater
Expert Cheater
Posts: 293
Joined: Sat Mar 04, 2017 7:28 am
Reputation: 232

Re: I need help with reading partial data from RAX without crashing the game.

Post by TheByteSize »

The thing is that at position [rbx+04] has 2 bytes of Level, and rax has 2 bytes of Level as header. I don't have access to the game right now. I'll make two symbols and will add screen shot of their data break down later today.

Maybe I should just capture [rbx+04] before and after change on two separated symbol and use those to apply the math of their differences.

Btw, the reason I believe EXP is 4 bytes because when I do scan for "What accessing this address", one of the 3 result has cmp [rbx+08](iirc).

User avatar
seikur0
Code Alchemist
Code Alchemist
Posts: 440
Joined: Sat Aug 26, 2017 10:48 am
Reputation: 339

Re: I need help with reading partial data from RAX without crashing the game.

Post by seikur0 »

So more like this: (UUUU XXXX)

Code: Select all

mov eax,[r14+4]
sub eax,[rbx+08]
imul eax,10 //meaning the xp gets multiplied by 10
mov [r14+4],eax

mov rax,[r14]
mov [rbx+04], rax
Or if it's really 2 bytes: (UUUU XXUU)

Code: Select all

mov ax,[r14+4]
sub ax,[rbx+08]
imul ax,10 //meaning the xp gets multiplied by 10
mov [r14+4],ax

mov rax,[r14]
mov [rbx+04], rax
And replace the imul by the float multiplication, if needed. That should do the trick.

TheByteSize
Expert Cheater
Expert Cheater
Posts: 293
Joined: Sat Mar 04, 2017 7:28 am
Reputation: 232

Re: I need help with reading partial data from RAX without crashing the game.

Post by TheByteSize »

Thanks for the idea. I was able to manipulate value without crashing the game. Though EXP keep getting reset to certain value so looks like I need to find another spot for injection or do nop at where it's validating new exp value.

Post Reply

Who is online

Users browsing this forum: No registered users