Current Value Script

Kalas
Expert Cheater

Current Value Script

Post by Kalas » Fri Mar 17, 2017 10:16 pm

I want to make a script where it will display my current value. Is there another way rather than using LEA?

Code:

[ENABLE]

aobscan(aobTime,48 89 48 28 48 8B 46 20 48 8B C8)
alloc(newmem,$1000,17CBF9837)

label(code)
label(return)

newmem:

code:
  mov [rax+28],rcx
  mov rax,[rsi+20]
  jmp return

aobTime:
  jmp newmem
  nop
  nop
  nop
return:
registersymbol(aobTime)

[DISABLE]

aobTime:
  db 48 89 48 28 48 8B 46 20

unregistersymbol(aobTime)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 17CBF9837

17CBF980F: 48 8B 46 20                    -  mov rax,[rsi+20]
17CBF9813: 48 8B C8                       -  mov rcx,rax
17CBF9816: 48 8B D1                       -  mov rdx,rcx
17CBF9819: 83 3A 00                       -  cmp dword ptr [rdx],00
17CBF981C: 48 8B 89 C0 00 00 00           -  mov rcx,[rcx+000000C0]
17CBF9823: 48 8B 49 28                    -  mov rcx,[rcx+28]
17CBF9827: 48 63 D7                       -  movsxd  rdx,edi
17CBF982A: 48 03 CA                       -  add rcx,rdx
17CBF982D: 83 38 00                       -  cmp dword ptr [rax],00
17CBF9830: 48 8B 80 C0 00 00 00           -  mov rax,[rax+000000C0]
// ---------- INJECTING HERE ----------
17CBF9837: 48 89 48 28                    -  mov [rax+28],rcx
17CBF983B: 48 8B 46 20                    -  mov rax,[rsi+20]
// ---------- DONE INJECTING  ----------
17CBF983F: 48 8B C8                       -  mov rcx,rax
17CBF9842: 83 39 00                       -  cmp dword ptr [rcx],00
17CBF9845: 48 8B 80 C0 00 00 00           -  mov rax,[rax+000000C0]
17CBF984C: 48 8B 50 28                    -  mov rdx,[rax+28]
17CBF9850: 48 8B CE                       -  mov rcx,rsi
17CBF9853: 48 83 EC 20                    -  sub rsp,20
17CBF9857: 49 BB 30 9B BF 7C 01 00 00 00  -  mov r11,000000017CBF9B30
17CBF9861: 41 FF D3                       -  call r11
17CBF9864: 48 83 C4 20                    -  add rsp,20
17CBF9868: 48 8B 04 25 C0 8E 82 08        -  mov rax,[08828EC0]
}

TheyCallMeTim13
Cheater

Re: Current Value Script

Post by TheyCallMeTim13 » Sat Mar 18, 2017 2:18 am

Kalas wrote:
Fri Mar 17, 2017 10:16 pm
I want to make a script where it will display my current value. Is there another way rather than using LEA?

Not sure what you mean with displaying a value with LEA, but if you just want to be able to add a value on the table then use 'registersymbol'.

Code:

[ENABLE]

aobscan(aobTime,48 89 48 28 48 8B 46 20 48 8B C8)
alloc(newmem,$1000,17CBF9837)

label(SomeSymboolName)

label(code)
label(return)

newmem:
  mov [SomeSymboolName],rcx

code:
  mov [rax+28],rcx
  mov rax,[rsi+20]
  jmp return

aobTime:
  jmp newmem
  nop
  nop
  nop
return:
registersymbol(aobTime)
registersymbol(SomeSymboolName)

[DISABLE]

aobTime:
  db 48 89 48 28 48 8B 46 20

unregistersymbol(aobTime)
unregistersymbol(SomeSymboolName)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 17CBF9837

17CBF980F: 48 8B 46 20                    -  mov rax,[rsi+20]
17CBF9813: 48 8B C8                       -  mov rcx,rax
17CBF9816: 48 8B D1                       -  mov rdx,rcx
17CBF9819: 83 3A 00                       -  cmp dword ptr [rdx],00
17CBF981C: 48 8B 89 C0 00 00 00           -  mov rcx,[rcx+000000C0]
17CBF9823: 48 8B 49 28                    -  mov rcx,[rcx+28]
17CBF9827: 48 63 D7                       -  movsxd  rdx,edi
17CBF982A: 48 03 CA                       -  add rcx,rdx
17CBF982D: 83 38 00                       -  cmp dword ptr [rax],00
17CBF9830: 48 8B 80 C0 00 00 00           -  mov rax,[rax+000000C0]
// ---------- INJECTING HERE ----------
17CBF9837: 48 89 48 28                    -  mov [rax+28],rcx
17CBF983B: 48 8B 46 20                    -  mov rax,[rsi+20]
// ---------- DONE INJECTING  ----------
17CBF983F: 48 8B C8                       -  mov rcx,rax
17CBF9842: 83 39 00                       -  cmp dword ptr [rcx],00
17CBF9845: 48 8B 80 C0 00 00 00           -  mov rax,[rax+000000C0]
17CBF984C: 48 8B 50 28                    -  mov rdx,[rax+28]
17CBF9850: 48 8B CE                       -  mov rcx,rsi
17CBF9853: 48 83 EC 20                    -  sub rsp,20
17CBF9857: 49 BB 30 9B BF 7C 01 00 00 00  -  mov r11,000000017CBF9B30
17CBF9861: 41 FF D3                       -  call r11
17CBF9864: 48 83 C4 20                    -  add rsp,20
17CBF9868: 48 8B 04 25 C0 8E 82 08        -  mov rax,[08828EC0]
}

Then you can use 'SomeSymboolName' as an address in the address list, or in scripts.

You can even use it as an offset as of CE 6.6.

Kalas
Expert Cheater

Re: Current Value Script

Post by Kalas » Sat Mar 18, 2017 8:58 am

Hmm, I see. And do I add the address manually as an Address or as a Pointer?

Schnitzelmaker
Expert Cheater

Re: Current Value Script

Post by Schnitzelmaker » Sat Mar 18, 2017 9:18 am

Kalas wrote:
Sat Mar 18, 2017 8:58 am
Hmm, I see. And do I add the address manually as an Address or as a Pointer?

Depends on what it is.
If you store an address in "SomeSymboolName" then use a pointer. An example would be "mov [SomeSymboolName], rax", then use it as a pointer with offset 28.
This is the recommended method, because it is then possible to change the ingame value.

If it only contains a value (integer/float/...), add it as an address. But note that this is only for showing the value: you can change it, but it will have no effect on the ingame value.
Last edited by Schnitzelmaker on Sat Mar 18, 2017 9:26 am, edited 1 time in total.

TheyCallMeTim13
Cheater

Re: Current Value Script

Post by TheyCallMeTim13 » Sat Mar 18, 2017 9:25 am

I assumed that RCX would be an address so you would add 'SomeSymbolName' as a pointer, this would give you the ability to display an editable value, but if RCX is a value then you should add 'SomeSymbolName' as an address, but editing it wouldn't change the game's value.

P.S.: Noticed I missed the label placement.

Code:

[ENABLE]

aobscan(aobTime,48 89 48 28 48 8B 46 20 48 8B C8)
alloc(newmem,$1000,17CBF9837)

label(SomeSymboolName)

label(code)
label(return)

newmem:
  mov [SomeSymboolName],rcx

code:
  mov [rax+28],rcx
  mov rax,[rsi+20]
  jmp return

SomeSymboolName:
  dq 0 // QWORD (dq) for an address in 64 bit mode

aobTime:
  jmp newmem
  nop
  nop
  nop
return:
registersymbol(aobTime)
registersymbol(SomeSymboolName)

[DISABLE]

aobTime:
  db 48 89 48 28 48 8B 46 20

unregistersymbol(aobTime)
unregistersymbol(SomeSymboolName)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 17CBF9837

17CBF980F: 48 8B 46 20                    -  mov rax,[rsi+20]
17CBF9813: 48 8B C8                       -  mov rcx,rax
17CBF9816: 48 8B D1                       -  mov rdx,rcx
17CBF9819: 83 3A 00                       -  cmp dword ptr [rdx],00
17CBF981C: 48 8B 89 C0 00 00 00           -  mov rcx,[rcx+000000C0]
17CBF9823: 48 8B 49 28                    -  mov rcx,[rcx+28]
17CBF9827: 48 63 D7                       -  movsxd  rdx,edi
17CBF982A: 48 03 CA                       -  add rcx,rdx
17CBF982D: 83 38 00                       -  cmp dword ptr [rax],00
17CBF9830: 48 8B 80 C0 00 00 00           -  mov rax,[rax+000000C0]
// ---------- INJECTING HERE ----------
17CBF9837: 48 89 48 28                    -  mov [rax+28],rcx
17CBF983B: 48 8B 46 20                    -  mov rax,[rsi+20]
// ---------- DONE INJECTING  ----------
17CBF983F: 48 8B C8                       -  mov rcx,rax
17CBF9842: 83 39 00                       -  cmp dword ptr [rcx],00
17CBF9845: 48 8B 80 C0 00 00 00           -  mov rax,[rax+000000C0]
17CBF984C: 48 8B 50 28                    -  mov rdx,[rax+28]
17CBF9850: 48 8B CE                       -  mov rcx,rsi
17CBF9853: 48 83 EC 20                    -  sub rsp,20
17CBF9857: 49 BB 30 9B BF 7C 01 00 00 00  -  mov r11,000000017CBF9B30
17CBF9861: 41 FF D3                       -  call r11
17CBF9864: 48 83 C4 20                    -  add rsp,20
17CBF9868: 48 8B 04 25 C0 8E 82 08        -  mov rax,[08828EC0]
}

FreeER
Cheater

Re: Current Value Script

Post by FreeER » Sat Mar 18, 2017 3:18 pm

Assuming rax+28 is the address you would find by searching, then I'd do it like this (assuming I needed to and a pointer wasn't easily found):

Code:

[ENABLE]
aobscan(aobTime,48 89 48 28 48 8B 46 20 48 8B C8)
alloc(newmem,$1000,17CBF9837)

globalalloc(_base,8) // only 4 needed for a 32 bit game
// globalalloc is the same as alloc + registersymbol except
// that dealloc ignores it because other script can be using it too
// simply by using the same name and size, CE will return
// any existing memory address instead of allocating new mem.

label(code)
label(return)

newmem:
  mov [_base], rax
code:
  mov [rax+28],rcx
  mov rax,[rsi+20]
  jmp return

aobTime:
  jmp newmem
  db 90 90 90 // I prefer nops on 1 line, just personal preference mostly, but it's also shorter
return:
registersymbol(aobTime)

[DISABLE]
aobTime:
  db 48 89 48 28 48 8B 46 20
unregistersymbol(aobTime)
dealloc(newmem)
// snipping extra info since it's not really useful for example

And then you can add an address using _base as a pointer with an offset of 28 to reach that value. If you know that there aren't any other interesting values at other offsets, then you could use something like this to get the exact address:

Code:

mov [_base], rax
add [_base], 28
or

Code:

// rax gets overwritten after rcx is stored so it's ok to overwrite it ourselves
lea rax, [rax+28] // essentially the above code in one line
mov [_base], rax

mov [rax], rcx // we need to store rcx differently now though

If rax was used later, so you didn't want to overwrite it, you could try to find another register that gets overwritten (and thus doesn't need to be saved) to store the address in, or use push rax before and pop rax afterwards to save and restore its value on the stack.

Code:

push rax // save value to stack
lea rax, [rax+28] // essentially the above code in one line
mov [_base], rax
pop rax // restore value now that we don't need it

If, on the other hand, that address was on the stack or something and wasn't stable, and all you had access to was the register at that point in memory, but changing its value would give the desired result, then you could allocate 2 spots in memory the same size as the register, one called value and one called knownValue, and let the user change value. Then you'd compare value and knownValue and update the register to value if they were different; otherwise update the two memory locations to the (current) value in the register. That's assuming you wanted the game to be able to change it normally. If you just wanted to set it to a constant value all the time then you'd just do that lol

It's possible there's a simpler way but that's the first method that I thought of :)

Here are some examples on step 2 of the tutorial program (6.6's tutorial v3.3):
Attachment: Tutorial-i386 - saving address example.CT (13.79 KiB)
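The two-slot approach FreeER sketches above (value plus knownValue, compared on every pass), written out as a complete auto-assembler script for the same injection point. This is an added example, not FreeER's attachment or any script posted in this thread. It takes FreeER's hypothetical at face value and assumes rcx at the injection point holds the plain value you want to watch and edit; in the disassembly quoted in this thread rcx is a computed address being stored, so for that exact game the _base-as-pointer-with-offset-28 entry is the right tool, not this. The names _value, _knownValue and publish are made up here. Both slots are placed inside newmem rather than in a globalalloc so that every access is within RIP-relative reach of the hook in 64-bit mode.

```asm
[ENABLE]
aobscan(aobTime,48 89 48 28 48 8B 46 20 48 8B C8)
alloc(newmem,$1000,17CBF9837)

label(code)
label(return)
label(publish)
label(_value)        // slot the user edits in the address list
label(_knownValue)   // last value the hook itself wrote, for change detection

newmem:
  push rax                 // rax is still needed by the original code below
  mov rax,[_knownValue]
  cmp rax,[_value]
  je publish               // slots equal: the user has not touched _value
  mov rcx,[_value]         // slots differ: push the edited value into the register
publish:
  mov [_value],rcx         // either way both slots now mirror the live register
  mov [_knownValue],rcx
  pop rax
code:
  mov [rax+28],rcx
  mov rax,[rsi+20]
  jmp return

_value:
  dq 0                     // 8 bytes, same size as the 64-bit register
_knownValue:
  dq 0

aobTime:
  jmp newmem
  db 90 90 90
return:
registersymbol(aobTime)
registersymbol(_value)
registersymbol(_knownValue)

[DISABLE]
aobTime:
  db 48 89 48 28 48 8B 46 20
unregistersymbol(aobTime)
unregistersymbol(_value)
unregistersymbol(_knownValue)
dealloc(newmem)
```

Add _value to the address list as an 8-byte entry (type Qword). Left alone, it shows the live register each time the hook runs; editing it makes the two slots differ on the next pass, so the hook loads the edited value into rcx before the original instruction stores it and then re-syncs both slots, after which the game is free to change the value normally again. Because dealloc releases newmem, the slots disappear when the script is disabled, which is the trade-off against FreeER's globalalloc variant.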

Kalas
Expert Cheater

Re: Current Value Script

Post by Kalas » Sat Mar 18, 2017 3:30 pm

Thx both, sorry for the late reply; the site had issues and I had to change the link :P
