Hello, I am currently learning how to write scripts myself and am stuck on making an XP (runes, in this case) multiplier. I used the Rune Multiplier from Gideon as a reference, but I can't seem to replicate it. I found out what the Rune Address is and found out what accesses/writes to that address, but none of them show the instructions/addresses that are used in Gideon's script.
Here are the instructions that access the Rune Address (rcx+6C in this case).
Code:
7FF66813BCC0 - 44 8B 49 6C - mov r9d,[rcx+6C]
7FF66813BCFA - 89 41 6C - mov [rcx+6C],eax
7FF66813BD4E - 8B 41 6C - mov eax,[rcx+6C]
7FF66896C3F5 - 8B 7B 6C - mov edi,[rbx+6C]
7FF66863314E - 8B 47 6C - mov eax,[rdi+6C]
7FF668689DBD - 41 8B 46 6C - mov eax,[r14+6C]
However, in Gideon's script he uses the xmm registers for the multiplier, though these do not show up when looking for what accesses/writes to the Rune Address. How do I find out for myself that xmm registers are being used for runes? Are there other methods than "find out what accesses/writes to this address"?
Here is the script for reference. It seems a value moves from edi to xmm1, then gets multiplied by xmm0, and lastly gets converted back to edi to be used later.
Code:
[ENABLE]
aobscanmodule(rune_multiplier,eldenring.exe,f3 0f 59 c1 f3 0f 2c f8 48 8b 8b) // should be unique
alloc(newmem,$1000,rune_multiplier)
label(code)
label(return)
label(rn_mult)
registersymbol(rn_mult)
newmem:
movss xmm0, [rn_mult] // replace the game's multiplier in xmm0 with our own value
code:
mulss xmm0,xmm1 // original instruction: xmm1 holds the rune amount as a float
cvttss2si edi,xmm0 // original instruction: truncate the product back to an integer in edi
jmp return
rn_mult:
dd (float)2 // the multiplier; editable from the table through the registered symbol
rune_multiplier:
jmp newmem // 5-byte jmp + 3 bytes of padding cover the 8 stolen bytes
nop 3
return:
registersymbol(rune_multiplier)
[DISABLE]
rune_multiplier:
db F3 0F 59 C1 F3 0F 2C F8 // restore the original mulss + cvttss2si
unregistersymbol(*)
dealloc(*)
{
// ORIGINAL CODE - INJECTION POINT: eldenring.exe+630CB3
eldenring.exe+630C90: 74 37 - je eldenring.exe+630CC9
eldenring.exe+630C92: E8 29 B8 DB FF - call eldenring.exe+3EC4C0
eldenring.exe+630C97: 84 C0 - test al,al
eldenring.exe+630C99: 74 2E - je eldenring.exe+630CC9
eldenring.exe+630C9B: 40 84 F6 - test sil,sil
eldenring.exe+630C9E: 74 1B - je eldenring.exe+630CBB
eldenring.exe+630CA0: 48 8B 8B 78 01 00 00 - mov rcx,[rbx+00000178]
eldenring.exe+630CA7: E8 64 83 EB FF - call eldenring.exe+4E9010
eldenring.exe+630CAC: 66 0F 6E CF - movd xmm1,edi
eldenring.exe+630CB0: 0F 5B C9 - cvtdq2ps xmm1,xmm1
// ---------- INJECTING HERE ----------
eldenring.exe+630CB3: F3 0F 59 C1 - mulss xmm0,xmm1
// ---------- DONE INJECTING ----------
eldenring.exe+630CB7: F3 0F 2C F8 - cvttss2si edi,xmm0
eldenring.exe+630CBB: 48 8B 8B 70 05 00 00 - mov rcx,[rbx+00000570]
eldenring.exe+630CC2: 8B D7 - mov edx,edi
eldenring.exe+630CC4: E8 37 77 C2 FF - call AddSoul_Call
eldenring.exe+630CC9: 48 8B 5C 24 30 - mov rbx,[rsp+30]
eldenring.exe+630CCE: 48 8B 74 24 38 - mov rsi,[rsp+38]
eldenring.exe+630CD3: 48 83 C4 20 - add rsp,20
eldenring.exe+630CD7: 5F - pop rdi
eldenring.exe+630CD8: C3 - ret
eldenring.exe+630CD9: CC - int 3
}
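As an added worked example (not part of the original post, and not Gideon's or the game's code), here is a Python script that reproduces two things the script above depends on, so they can be checked offline: that the aobscanmodule signature hits exactly once and that a 5-byte jmp plus padding covers exactly the 8 bytes the [DISABLE] section writes back; and what the hooked float path actually computes, since movd/cvtdq2ps/mulss/cvttss2si run in single precision, so a rune count above 2^24 is rounded before the multiply and a product outside the int32 range comes back as 0x80000000 rather than a large number. The module bytes (built from the listing in the post, with made-up 0xCC filler), the base address, the newmem address and the single-byte nop padding are all constructed for the example; it does not touch the game.

```python
import struct

INT_INDEFINITE = -0x80000000  # cvttss2si returns 0x80000000 on overflow or NaN


def f32(x):
    """Round a Python float to the nearest IEEE-754 single, as the SSE scalar ops do."""
    return struct.unpack("<f", struct.pack("<f", x))[0]


def cvttss2si(x):
    """Truncate toward zero; anything outside int32 (or NaN) becomes INT_INDEFINITE."""
    if x != x:
        return INT_INDEFINITE
    t = int(x)  # int() truncates toward zero, matching the 't' in cvttss2si
    if not -0x80000000 <= t <= 0x7FFFFFFF:
        return INT_INDEFINITE
    return t


def rune_path(runes, multiplier):
    """Emulate movd xmm1,edi / cvtdq2ps xmm1,xmm1 / mulss xmm0,xmm1 / cvttss2si edi,xmm0.

    `multiplier` is whatever sits in xmm0 at the injection point: the game's own
    value when the script is disabled, or [rn_mult] once the script's movss has run.
    """
    xmm1 = f32(float(runes))            # cvtdq2ps: int32 -> float32 (24-bit mantissa)
    xmm0 = f32(f32(multiplier) * xmm1)  # mulss rounds the product to float32
    return cvttss2si(xmm0)


def aob_scan(module, pattern):
    """Offsets where the byte pattern matches; '??' is a wildcard. Want exactly one."""
    pat = [None if tok == "??" else int(tok, 16) for tok in pattern.split()]
    return [
        off
        for off in range(len(module) - len(pat) + 1)
        if all(p is None or module[off + i] == p for i, p in enumerate(pat))
    ]


def build_hook(hook_addr, newmem_addr, stolen_len):
    """E9 rel32 to newmem plus single-byte nops up to the number of stolen bytes.

    Assumption: CE's `nop 3` may encode the padding differently; only the length matters.
    """
    rel = newmem_addr - (hook_addr + 5)  # rel32 is relative to the end of the jmp
    jmp = b"\xE9" + struct.pack("<i", rel)
    if stolen_len < len(jmp):
        raise ValueError("stolen bytes are too short for a 5-byte jmp")
    return jmp + b"\x90" * (stolen_len - len(jmp))


def jmp_target(hook_addr, patch):
    """Decode where the E9 written at hook_addr lands."""
    if patch[0] != 0xE9:
        raise ValueError("not a rel32 jmp")
    return hook_addr + 5 + struct.unpack("<i", patch[1:5])[0]


# Constructed stand-in for the bytes around eldenring.exe+630CAC, taken from the
# listing in the post; the 0xCC filler on either side is made up.
ORIGINAL_SITE = bytes.fromhex(
    "660f6ecf"        # movd xmm1,edi
    "0f5bc9"          # cvtdq2ps xmm1,xmm1
    "f30f59c1"        # mulss xmm0,xmm1      <- injection point
    "f30f2cf8"        # cvttss2si edi,xmm0
    "488b8b70050000"  # mov rcx,[rbx+570]
    "8bd7"            # mov edx,edi
)
MODULE = b"\xCC" * 64 + ORIGINAL_SITE + b"\xCC" * 64
SIGNATURE = "f3 0f 59 c1 f3 0f 2c f8 48 8b 8b"   # the script's aobscanmodule pattern
STOLEN = bytes.fromhex("f30f59c1f30f2cf8")        # the 8 bytes [DISABLE] writes back


def check_injection(module=MODULE, base=0x7FF668000000):
    """Locate the hook, build the patch and verify it covers exactly the stolen bytes."""
    hits = aob_scan(module, SIGNATURE)
    if len(hits) != 1:
        raise RuntimeError("signature not unique: %r" % hits)
    hook = base + hits[0]
    newmem = base + 0x1000000  # constructed; CE allocates somewhere within +/-2GB of the hook
    patch = build_hook(hook, newmem, len(STOLEN))
    return {
        "hook_offset": hits[0],
        "patch": patch,
        "round_trips": jmp_target(hook, patch) == newmem,
        "restores_original": module[hits[0]:hits[0] + len(STOLEN)] == STOLEN,
    }


if __name__ == "__main__":
    print(check_injection())
    for runes, mult in [(1000, 1.0), (1000, 2.0), (7, 1.5), (16777217, 1.0), (2_000_000_000, 2.0)]:
        print(runes, mult, "->", rune_path(runes, mult))
```

Two practical takeaways from running it: with rn_mult raised far above 2, a large rune drop can push the float32 product past INT32_MAX, and cvttss2si then hands AddSoul_Call 0x80000000 instead of a big number; and the instructions CE listed as accessing the Rune Address are all plain integer loads/stores of [rcx+6C], whereas the SSE math in the listing only touches registers before `mov edx,edi` / `call AddSoul_Call`, so an access/write breakpoint on that address cannot land on the mulss itself.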