Lea

Memory scanning, code injection, debugger internals and other gamemodding related discussion
Post Reply
User avatar
Kalas
Expert Cheater
Expert Cheater
Posts: 145
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 3

Lea

Post by Kalas » Mon Mar 20, 2017 4:57 pm

Code: Select all

[ENABLE]

// ========================================================//

aobscan(aobModifier,F3 0F 11 AE D8 00 00 00 48 8B)
alloc(newmem,$100,19D22008)

label(code)
label(return)
label(Health)

alloc(Health,4)

registersymbol(Health)

newmem:

Health:
  push rbx
  lea rbx,[rsi+000000D8]
  mov [Health],rbx
  pop rbx

code:
  movss [rsi+000000D8],xmm5
  jmp return

aobModifier:
  jmp newmem
  nop
  nop
  nop
return:
registersymbol(aobModifier)

// ========================================================//

aobscan(aobModifierv2,F3 0F 11 AE DC 00 00 00 48)
alloc(newmemv2,$100,19D21836)

label(codev2)
label(returnv2)

alloc(Warm,4)

registersymbol(Warm)

newmemv2:

Warm:
  push ebx
  lea ebx,[rsi+000000DC]
  mov [Warm],ebx
  pop ebx

codev2:
  movss [rsi+000000DC],xmm5
  jmp returnv2

aobModifierv2:
  jmp newmemv2
  nop
  nop
  nop
returnv2:
registersymbol(aobModifierv2)

// ========================================================//

aobscan(aobModifierv3,F3 0F 11 AE E0 00 00 00 48 8B 86)
alloc(newmemv3,$1000,19D525A2)

label(codev3)
label(returnv3)

alloc(Stress,4)

registersymbol(Stress)

newmemv3:

Stress:
  push edi
  lea edi,[rsi+000000E0]
  mov [Stress],edi
  pop edi

codev3:
  movss [rsi+000000E0],xmm5
  jmp returnv3

aobModifierv3:
  jmp newmemv3
  nop
  nop
  nop
returnv3:
registersymbol(aobModifierv3)


[DISABLE]

// ========================================================//

aobModifier:
  db F3 0F 11 AE D8 00 00 00

unregistersymbol(aobModifier)
dealloc(newmem)

dealloc(Health)
unregistersymbol(Health)

// ========================================================//

aobModifierv2:
  db F3 0F 11 AE DC 00 00 00

unregistersymbol(aobModifierv2)
dealloc(newmemv2)

dealloc(Warm)
unregistersymbol(Warm)

// ========================================================//

aobModifierv3:
  db F3 0F 11 AE E0 00 00 00

unregistersymbol(aobModifierv3)
dealloc(newmemv3)

dealloc(Stress)
unregistersymbol(Stress)

I'm trying to make a script where I add address manually for 3 stats, Health - Warm and Stress. they are in a float value so I guess 4 bytes is enough? correct me if I'm wrong.

But for some reason the script wont activate nor show the correct value it will just display ?? in the value tab, I must be doing something wrong here.

User avatar
++METHOS
Administration
Administration
Posts: 160
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 11

Re: Lea

Post by ++METHOS » Mon Mar 20, 2017 5:08 pm

Did you double-check to make sure that your AOB signatures were unique?

User avatar
Kalas
Expert Cheater
Expert Cheater
Posts: 145
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 3

Re: Lea

Post by Kalas » Mon Mar 20, 2017 5:09 pm

++METHOS wrote:
Mon Mar 20, 2017 5:08 pm
Did you double-check to make sure that your AOB signatures were unique?
Hmm yes, I've made on another Table just Infinite for each thing and the AOB is matches, which means It's fine, I'll try to rescan and check aob again

User avatar
Kalas
Expert Cheater
Expert Cheater
Posts: 145
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 3

Re: Lea

Post by Kalas » Mon Mar 20, 2017 5:12 pm

Yep just searched for the address again and the AOB is unique.

User avatar
Kalas
Expert Cheater
Expert Cheater
Posts: 145
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 3

Re: Lea

Post by Kalas » Mon Mar 20, 2017 5:19 pm

I tried to make a new Script just using lea on WARM:

Code: Select all

[ENABLE]

aobscan(aobWarm,F3 0F 11 AE DC 00 00 00 48)
alloc(newmem,$100,2B2E09D6)

label(code)
label(return)

alloc(Warm,4)
registersymbol(Warm)

newmem:

Warm:
  push rbx
  lea rbx,[rsi+000000DC]
  mov [Warm],rbx
  pop rbx

code:
  movss [rsi+000000DC],xmm5
  jmp return

aobWarm:
  jmp newmem
  nop
  nop
  nop
return:
registersymbol(aobWarm)

[DISABLE]

aobWarm:
  db F3 0F 11 AE DC 00 00 00

unregistersymbol(aobWarm)
dealloc(newmem)

dealloc(Warm,4)
unregistersymbol(Warm)

{
// ORIGINAL CODE - INJECTION POINT: 2B2E09D6

""+2B2E09A7: F3 0F 10 45 F4                 -  movss xmm0,[rbp-0C]
""+2B2E09AC: F3 0F 5A C0                    -  cvtss2sd xmm0,xmm0
""+2B2E09B0: F3 0F 10 8E DC 00 00 00        -  movss xmm1,[rsi+000000DC]
""+2B2E09B8: F3 0F 5A C9                    -  cvtss2sd xmm1,xmm1
""+2B2E09BC: F2 0F 5C C1                    -  subsd xmm0,xmm1
""+2B2E09C0: F2 0F 5A E8                    -  cvtsd2ss xmm5,xmm0
""+2B2E09C4: F3 0F 11 6D F0                 -  movss [rbp-10],xmm5
""+2B2E09C9: F3 0F 10 45 F4                 -  movss xmm0,[rbp-0C]
""+2B2E09CE: F3 0F 5A C0                    -  cvtss2sd xmm0,xmm0
""+2B2E09D2: F2 0F 5A E8                    -  cvtsd2ss xmm5,xmm0
// ---------- INJECTING HERE ----------
""+2B2E09D6: F3 0F 11 AE DC 00 00 00        -  movss [rsi+000000DC],xmm5
// ---------- DONE INJECTING  ----------
""+2B2E09DE: 48 8B 86 80 00 00 00           -  mov rax,[rsi+00000080]
""+2B2E09E5: 48 85 C0                       -  test rax,rax
""+2B2E09E8: 0F 84 3D 00 00 00              -  je 2B2E0A2B
""+2B2E09EE: 48 8B 86 80 00 00 00           -  mov rax,[rsi+00000080]
""+2B2E09F5: F3 0F 10 86 DC 00 00 00        -  movss xmm0,[rsi+000000DC]
""+2B2E09FD: F3 0F 5A C0                    -  cvtss2sd xmm0,xmm0
""+2B2E0A01: F3 0F 10 4D F0                 -  movss xmm1,[rbp-10]
""+2B2E0A06: F3 0F 5A C9                    -  cvtss2sd xmm1,xmm1
""+2B2E0A0A: 48 8B C8                       -  mov rcx,rax
""+2B2E0A0D: F2 0F 10 D1                    -  movsd xmm2,xmm1
}
This seems to crash my game when activating, I might be doing something wrong, but either way the first script which includes all the 3 of them wont activate at all.

User avatar
++METHOS
Administration
Administration
Posts: 160
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 11

Re: Lea

Post by ++METHOS » Mon Mar 20, 2017 5:30 pm

Make sure that you are letting CE build your scripts for you. If you are able to use AOBScanModule, use that instead.

Anyway, try setting it up like this:
[ENABLE]

aobscan(aobWarm,F3 0F 11 AE DC 00 00 00 48)
alloc(newmem,$1000,2B2E09D6)

label(Warm)
label(code)
label(return)

registersymbol(Warm)
registersymbol(aobWarm)

newmem:
push rbx
lea rbx,[rsi+000000DC]
mov [Warm],rbx
pop rbx

code:
movss [rsi+000000DC],xmm5
jmp return

Warm:
dq 0

aobWarm:
jmp newmem
nop
nop
nop
return:

[DISABLE]
dealloc(newmem)

aobWarm:
db F3 0F 11 AE DC 00 00 00

unregistersymbol(aobWarm)
unregistersymbol(Warm)

{
// ORIGINAL CODE - INJECTION POINT: 2B2E09D6

""+2B2E09A7: F3 0F 10 45 F4 - movss xmm0,[rbp-0C]
""+2B2E09AC: F3 0F 5A C0 - cvtss2sd xmm0,xmm0
""+2B2E09B0: F3 0F 10 8E DC 00 00 00 - movss xmm1,[rsi+000000DC]
""+2B2E09B8: F3 0F 5A C9 - cvtss2sd xmm1,xmm1
""+2B2E09BC: F2 0F 5C C1 - subsd xmm0,xmm1
""+2B2E09C0: F2 0F 5A E8 - cvtsd2ss xmm5,xmm0
""+2B2E09C4: F3 0F 11 6D F0 - movss [rbp-10],xmm5
""+2B2E09C9: F3 0F 10 45 F4 - movss xmm0,[rbp-0C]
""+2B2E09CE: F3 0F 5A C0 - cvtss2sd xmm0,xmm0
""+2B2E09D2: F2 0F 5A E8 - cvtsd2ss xmm5,xmm0
// ---------- INJECTING HERE ----------
""+2B2E09D6: F3 0F 11 AE DC 00 00 00 - movss [rsi+000000DC],xmm5
// ---------- DONE INJECTING ----------
""+2B2E09DE: 48 8B 86 80 00 00 00 - mov rax,[rsi+00000080]
""+2B2E09E5: 48 85 C0 - test rax,rax
""+2B2E09E8: 0F 84 3D 00 00 00 - je 2B2E0A2B
""+2B2E09EE: 48 8B 86 80 00 00 00 - mov rax,[rsi+00000080]
""+2B2E09F5: F3 0F 10 86 DC 00 00 00 - movss xmm0,[rsi+000000DC]
""+2B2E09FD: F3 0F 5A C0 - cvtss2sd xmm0,xmm0
""+2B2E0A01: F3 0F 10 4D F0 - movss xmm1,[rbp-10]
""+2B2E0A06: F3 0F 5A C9 - cvtss2sd xmm1,xmm1
""+2B2E0A0A: 48 8B C8 - mov rcx,rax
""+2B2E0A0D: F2 0F 10 D1 - movsd xmm2,xmm1
}

User avatar
Kalas
Expert Cheater
Expert Cheater
Posts: 145
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 3

Re: Lea

Post by Kalas » Mon Mar 20, 2017 5:35 pm

Now it works, that was odd.

so basically adding this:

Warm:
dq 0

And yea moving all that push rbx form to newmem. ill try with the whole three scripts now :P

Schnitzelmaker
Novice Cheater
Novice Cheater
Posts: 23
Joined: Fri Mar 03, 2017 6:18 pm
Reputation: 4

Re: Lea

Post by Schnitzelmaker » Mon Mar 20, 2017 5:35 pm

I would suggest the same, but save rsi instead and use Warm as pointer.

Also this could save time and scripts since Warm is now you base pointer for player and you could use it with offsets for the 3 options.

Code: Select all

[ENABLE]

aobscan(aobWarm,F3 0F 11 AE DC 00 00 00 48)
alloc(newmem,$1000,2B2E09D6)

label(Warm)
label(code)
label(return)

registersymbol(Warm)
registersymbol(aobWarm)

newmem:
mov [Warm],rsi

code:
movss [rsi+000000DC],xmm5
jmp return

Warm:
dq 0

aobWarm:
jmp newmem
nop
nop
nop
return:

[DISABLE]
dealloc(newmem)

aobWarm:
db F3 0F 11 AE DC 00 00 00

unregistersymbol(aobWarm)
unregistersymbol(Warm)
Last edited by Schnitzelmaker on Mon Mar 20, 2017 5:40 pm, edited 1 time in total.

User avatar
Kalas
Expert Cheater
Expert Cheater
Posts: 145
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 3

Re: Lea

Post by Kalas » Mon Mar 20, 2017 5:40 pm

Oh I'll try that as well

I ahve another quesiton, can I use rbx in all of that push?

for example I have 3 push, can I use 3 RBX in each one as I poped them each time

User avatar
Kalas
Expert Cheater
Expert Cheater
Posts: 145
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 3

Re: Lea

Post by Kalas » Mon Mar 20, 2017 5:46 pm

Schnitzelmaker wrote:
Mon Mar 20, 2017 5:35 pm
I would suggest the same, but save rsi instead and use Warm as pointer.

Also this could save time and scripts since Warm is now you base pointer for player and you could use it with offsets for the 3 options.

Code: Select all

[ENABLE]

aobscan(aobWarm,F3 0F 11 AE DC 00 00 00 48)
alloc(newmem,$1000,2B2E09D6)

label(Warm)
label(code)
label(return)

registersymbol(Warm)
registersymbol(aobWarm)

newmem:
mov [Warm],rsi

code:
movss [rsi+000000DC],xmm5
jmp return

Warm:
dq 0

aobWarm:
jmp newmem
nop
nop
nop
return:

[DISABLE]
dealloc(newmem)

aobWarm:
db F3 0F 11 AE DC 00 00 00

unregistersymbol(aobWarm)
unregistersymbol(Warm)


DOesnt seem to work, I get -1 results in the value

User avatar
Kalas
Expert Cheater
Expert Cheater
Posts: 145
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 3

Re: Lea

Post by Kalas » Mon Mar 20, 2017 5:50 pm

So I'm now using this method:

Code: Select all

aobscan(aobModifier,F3 0F 11 AE D8 00 00 00 48 8B)
alloc(newmem,$1000,19D22008)

label(code)
label(return)
label(Health)

registersymbol(Health)

newmem:
  push rbx
  lea rbx,[rsi+000000D8]
  mov [Health],rbx
  pop rbx

code:
  movss [rsi+000000D8],xmm5
  jmp return

Health:
  dq 0

aobModifier:
  jmp newmem
  nop
  nop
  nop
return:
registersymbol(aobModifier)

[DISABLE]

aobModifier:
  db F3 0F 11 AE D8 00 00 00

unregistersymbol(aobModifier)
dealloc(newmem)

unregistersymbol(Health)

For some reason only this one does not show the rest of the values, Warm and Stress shows perfectly.

User avatar
Kalas
Expert Cheater
Expert Cheater
Posts: 145
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 3

Re: Lea

Post by Kalas » Mon Mar 20, 2017 5:58 pm

Ok everything works fine, thank you both guys!

User avatar
Kalas
Expert Cheater
Expert Cheater
Posts: 145
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 3

Re: Lea

Post by Kalas » Mon Mar 20, 2017 6:31 pm

That's the final script just incase you wonder :)
[ENABLE]

// ======================================================== //

aobscan(aobHealthModifier,F3 0F 11 AE D8 00 00 00 48 8B)
alloc(newmemHealthModifier,$1000,2AB01D88)

label(Health)
label(codeHealthModifier)
label(returnHealthModifier)

registersymbol(Health)
registersymbol(aobHealthModifier)

newmemHealthModifier:
push rbx
lea rbx,[rsi+000000D8]
mov [Health],rbx
pop rbx

codeHealthModifier:
movss [rsi+000000D8],xmm5
jmp returnHealthModifier

Health:
dq 0

aobHealthModifier:
jmp newmemHealthModifier
nop
nop
nop
returnHealthModifier:

// ======================================================== //

aobscan(aobWarmModifier,F3 0F 11 AE DC 00 00 00 48)
alloc(newmemWarmModifier,$1000,2AB015B6)

label(Warm)
label(codeWarmModifier)
label(returnWarmModifier)

registersymbol(Warm)
registersymbol(aobWarmModifier)

newmemWarmModifier:
push ebx
lea ebx,[rsi+000000DC]
mov [Warm],ebx
pop ebx

codeWarmModifier:
movss [rsi+000000DC],xmm5
jmp returnWarmModifier

Warm:
dq 0

aobWarmModifier:
jmp newmemWarmModifier
nop
nop
nop
returnWarmModifier:

// ======================================================== //

aobscan(aobStressModifier,F3 0F 11 AE E0 00 00 00 48 8B 86)
alloc(newmemStressModifier,$1000,2C362382)

label(Stress)
label(codeStressModifier)
label(returnStressModifier)

registersymbol(Stress)
registersymbol(aobStressModifier)

newmemStressModifier:
push ecx
lea ecx,[rsi+000000E0]
mov [Stress],ecx
pop ecx

codeStressModifier:
movss [rsi+000000E0],xmm5
jmp returnStressModifier

Stress:
dq 0

aobStressModifier:
jmp newmemStressModifier
nop
nop
nop
returnStressModifier:

[DISABLE]

aobHealthModifier:
db F3 0F 11 AE D8 00 00 00

dealloc(newmemHealthModifier)

unregistersymbol(Health)
unregistersymbol(aobHealthModifier)

// ======================================================== //

aobWarmModifier:
db F3 0F 11 AE DC 00 00 00

dealloc(newmemWarmModifier)

unregistersymbol(Warm)
unregistersymbol(aobWarmModifier)

// ======================================================== //

aobStressModifier:
db F3 0F 11 AE E0 00 00 00

dealloc(newmemStressModifier)

unregistersymbol(Stress)
unregistersymbol(aobStressModifier)

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest