I actually took a look at this. I reversed the bytes into ASM and updated the Piercing bullets as a test.... When I started up the game and turned on the script, at first it appeared to be fine. BUT, then no more enemies spawn. Like start match, first enemy is there, you kill him and nothing more happens. This could just be because I have not unlocked the piercing bullets yet and I am breaking something. Or that I thought I found a good address and did not. I will have to play the game a bit. I was pretty confident I found the correct address for the bullets since the code matched line for line with only a slight offset change from 0x4c4 to 0x494. I will investigate more.
For those that want to work on this themselves: if you take the db line from disable (this will be the original code (bytes) to be written back on disable), you can turn these back into ASM. For instance, in one of the old scripts for this game, you find an option to set damage to 100m. It looks like this in the script:
[ENABLE]
"FutureWar_W8.Windows.exe"+6AB0B7:
db 3D 00 00 C8 43 77 0A 89 45 F4 F3 0F 10 45 F4 EB 24 C7 45 F4 20 BC BE 4C F3 0F 10 45 F4 EB 16
[DISABLE]
"FutureWar_W8.Windows.exe"+6AB0B7:
db F3 0F 10 01 89 45 F4 8B 41 08 8B 49 04 F3 0F 11 45 F8 33 45 F8 F3 0F 10 45 F4 D3 C8 89 45 F8
But if you reverse these bytes back into ASM (Cheat Engine language), what is written as:
3D 00 00 C8 43 77 0A 89 45 F4 F3 0F 10 45 F4 EB 24 C7 45 F4 20 BC BE 4C F3 0F 10 45 F4 EB 16
is actually this
0: 3d 00 00 c8 43 cmp eax,0x43c80000
5: 77 0a ja 0x11
7: 89 45 f4 mov DWORD PTR [ebp-0xc],eax
a: f3 0f 10 45 f4 movss xmm0,DWORD PTR [ebp-0xc]
f: eb 24 jmp 0x35
11: c7 45 f4 20 bc be 4c mov DWORD PTR [ebp-0xc],0x4cbebc20
18: f3 0f 10 45 f4 movss xmm0,DWORD PTR [ebp-0xc]
1d: eb 16 jmp 0x35
And the disable, which looks like this:
F3 0F 10 01 89 45 F4 8B 41 08 8B 49 04 F3 0F 11 45 F8 33 45 F8 F3 0F 10 45 F4 D3 C8 89 45 F8
is actually this:
0: f3 0f 10 01 movss xmm0,DWORD PTR [ecx]
4: 89 45 f4 mov DWORD PTR [ebp-0xc],eax
7: 8b 41 08 mov eax,DWORD PTR [ecx+0x8]
a: 8b 49 04 mov ecx,DWORD PTR [ecx+0x4]
d: f3 0f 11 45 f8 movss DWORD PTR [ebp-0x8],xmm0
12: 33 45 f8 xor eax,DWORD PTR [ebp-0x8]
15: f3 0f 10 45 f4 movss xmm0,DWORD PTR [ebp-0xc]
1a: d3 c8 ror eax,cl
1c: 89 45 f8 mov DWORD PTR [ebp-0x8],eax
Remember that the disable is the bytes to be written back when you turn the cheat off. So, these bytes are usually the original bytes.
Ok, now in the enable the writer does a compare, he actually compares another address? to eax and if it is above it does a jump 11 bytes down to:
11: c7 45 f4 20 bc be 4c mov DWORD PTR [ebp-0xc],0x4cbebc20
18: f3 0f 10 45 f4 movss xmm0,DWORD PTR [ebp-0xc]
Then jumps down 35 bytes to run as normal, I assume.
When comparing this to the original script you will see that he does a mov 0x4cbebc20 into ebp at offset -0xC, changing it from eax. This kind of lets me assume that eax at this point has the value for bullets? He then does a scalar mov from that address into xmm0. Using a hex calculator you can see that 0x4cbebc20 is 1287568416 in decimal. So what is actually happening is that they are moving 1287568416 into ebp-0xc and then using a scalar mov to move that value into xmm0 as a floating point.
This makes me think that 1287568416 is the number of "Health" it's giving you. Since I am not playing the game I cannot check. Now, to reverse the script to get a good address you can take several methods. You could find new addresses by scanning and then finding the pointer path to it. Update the addresses and offsets in the existing code. What I am trying to do: create a mask for the variables that may have changed. In the original bytes I usually just mask out anything that holds an address or offset, then scan for the new AOB with mask. Once I find the new place in the code I would update the array to match the new address and offsets (if needed).
Sorry I was not able to update the script. I spent the better part of my day trying to figure out why my app store wouldn't download the game! I did get it downloaded and will work on this in the AM.
I did not write the script! It belongs to someone on this forum.
Disclaimer: I am a noob programmer and recently found an interest in x86. I am self taught and my methods may not be the "approved" method and they are surely not the easiest or quickest. Take anything I say with a boat load of salt, or it's liable to taste like dookie. I learn as I need.
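The masking approach described in the post (keep the opcode and ModRM bytes, wildcard the displacements, then scan for the masked AOB) as a worked Python example. This is added here and is not the poster's script or any Cheat Engine code; the LAYOUT table is read off the disassembly of the disable bytes above, and the "new build" buffer is constructed to show why the exact byte string stops matching while the masked one still hits.

```python
import re

# Constructed sample input: the DISABLE bytes from the post (the original code).
ORIGINAL_HEX = ("F3 0F 10 01 89 45 F4 8B 41 08 8B 49 04 F3 0F 11 45 F8 "
                "33 45 F8 F3 0F 10 45 F4 D3 C8 89 45 F8")
# Constructed "new build": same instructions, every stack/struct offset moved by 4.
NEW_BUILD_HEX = ("F3 0F 10 01 89 45 F0 8B 41 0C 8B 49 08 F3 0F 11 45 F4 "
                 "33 45 F4 F3 0F 10 45 F0 D3 C8 89 45 F4")

# Per-instruction layout read off the disassembly: (length, offsets of the
# displacement bytes to wildcard). Opcode and ModRM bytes are kept.
LAYOUT = [
    (4, []),   # f3 0f 10 01     movss xmm0,[ecx]
    (3, [2]),  # 89 45 f4        mov [ebp-0xc],eax
    (3, [2]),  # 8b 41 08        mov eax,[ecx+0x8]
    (3, [2]),  # 8b 49 04        mov ecx,[ecx+0x4]
    (5, [4]),  # f3 0f 11 45 f8  movss [ebp-0x8],xmm0
    (3, [2]),  # 33 45 f8        xor eax,[ebp-0x8]
    (5, [4]),  # f3 0f 10 45 f4  movss xmm0,[ebp-0xc]
    (2, []),   # d3 c8           ror eax,cl
    (3, [2]),  # 89 45 f8        mov [ebp-0x8],eax
]

def build_masked_aob(code, layout):
    """Return a Cheat Engine style AOB string where '??' marks a wildcard byte."""
    parts, pos = [], 0
    for length, wild in layout:
        parts += ["??" if i in wild else "%02X" % code[pos + i] for i in range(length)]
        pos += length
    if pos != len(code):
        raise ValueError("layout covers %d bytes, code has %d" % (pos, len(code)))
    return " ".join(parts)

def aob_to_regex(aob):
    """Compile an AOB string to a bytes regex; '??' becomes 'any one byte'."""
    pattern = b"".join(b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
                       for tok in aob.split())
    return re.compile(pattern, re.DOTALL)

def scan(memory, aob):
    """Offsets of every place `aob` matches inside the byte buffer `memory`."""
    return [m.start() for m in aob_to_regex(aob).finditer(memory)]

def demo():
    """Exact vs masked pattern against a buffer holding the shifted new build."""
    original = bytes.fromhex(ORIGINAL_HEX)
    memory = b"\x90" * 16 + bytes.fromhex(NEW_BUILD_HEX) + b"\xCC" * 8
    exact = " ".join("%02X" % b for b in original)
    masked = build_masked_aob(original, LAYOUT)
    return scan(memory, exact), scan(memory, masked), masked
```

The same wildcard-pattern idea is what AV/EDR byte signatures use to keep matching a code sequence across recompiles, so the more bytes you mask, the more you should check for false hits.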