I barely know what I'm doing, but I can find the value (double) that affects health easily. The mage has 1000 max health, a few quick searches and I have 5 addresses that are doubles and they all reflect health. One of those is always the one that I can directly change the value of, and see the difference in the game. I can even lock the value, and be invincible. What I can't seem to do is move a value into the appropriate register.
I can find the 4-byte value right away, which can help me find the double value easier, but the 4-byte address doesn't control the value.
So then I find the address (double) that controls health, and I clicked "Find what writes to this address," because I want to write 1000 to the address every time my health would normally be changed.
I played the game for a bit, walked into some fire and was hit once, and stopped the debugger. I had four addresses that wrote to the health address over 100 times in half a second. Two addresses only wrote to that address 4 times each. So, I headed over to the disassembler.
Upon right-clicking the addresses, I noticed that the addresses that wrote to the Health address only 4 times were being accessed by so many other codes. In fact, putting an AOB script into either one of them, and moving a value into an address at that point always caused a crash - as expected. The values that write the Health address over 100 times per second are ONLY accessing that address while I play. So, I thought I was getting closer.
This is the original code for ONE of those addresses (One of the four codes that SOLELY writes to the Health address - all four look similar to me):
Original Code:
""+FFE682D4: 0F 28 DE                - movaps xmm3,xmm6
""+FFE682D7: F2 0F 5C DB             - subsd xmm3,xmm3
""+FFE682DB: 66 0F 2E DC             - ucomisd xmm3,xmm4
""+FFE682DF: 0F 87 33 7D 03 00       - ja FFEA0018
""+FFE682E5: 66 0F 2E FE             - ucomisd xmm7,xmm6
""+FFE682E9: 0F 83 2D 7D 03 00       - jae FFEA001C
""+FFE682EF: 83 7A 6C FB             - cmp dword ptr [edx+6C],-05
""+FFE682F3: 75 07                   - jne FFE682FC
""+FFE682F5: 81 7A 68 00 A7 A7 1A    - cmp [edx+68],1AA7A700
""+FFE682FC: 0F 85 1E 7D 03 00       - jne FFEA0020
// ---------- INJECTING HERE ----------
""+FFE68302: F2 0F 11 72 60          - movsd [edx+60],xmm6
// ---------- DONE INJECTING ----------
""+FFE68307: F6 46 04 04             - test byte ptr [esi+04],04
""+FFE6830B: 74 13                   - je FFE68320
""+FFE6830D: 80 66 04 FB             - and byte ptr [esi+04],-05
""+FFE68311: 8B 0D 28 A2 A7 04       - mov ecx,[04A7A228]
""+FFE68317: 89 35 28 A2 A7 04       - mov [04A7A228],esi
""+FFE6831D: 89 4E 0C                - mov [esi+0C],ecx
""+FFE68320: 83 7A 0C FB             - cmp dword ptr [edx+0C],-05
""+FFE68324: 75 07                   - jne FFE6832D
""+FFE68326: 81 7A 08 B0 0C 05 1C    - cmp [edx+08],1C050CB0
""+FFE6832D: 0F 85 F1 7C 03 00       - jne FFEA0024
[ENABLE]
aobscan(INJECT,7D 03 00 F2 0F 11 72 60) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
globalalloc(_RedMageHealth,4) // keeps the edx pointer so the health address can be read from the table

newmem:
code:
  mov [_RedMageHealth],edx
  // [edx+60] is an 8-byte double, so the replaced movsd has to be replaced by a full
  // 8-byte write. 1000.0 is 408F400000000000 in IEEE-754; x86 stores the low dword first.
  // (A 4-byte "mov [edx+60],(Int)1000" only touches the low dword and barely changes the value.)
  mov dword ptr [edx+60],0
  mov dword ptr [edx+64],408F4000
  // original instruction: movsd [edx+60],xmm6
  jmp return

INJECT+03:
  jmp newmem
return:
registersymbol(INJECT)

[DISABLE]
INJECT+03:
  db F2 0F 11 72 60
unregistersymbol(INJECT)
dealloc(newmem)
// _RedMageHealth was globalalloc'd, so it stays allocated and is not dealloc'd here
Either way, when I run this code in the game, it doesn't cause a crash, but the value is still calculated correctly and displayed correctly, and my code seems all but ignored by the game. I'm assuming there's a cmp somewhere that is making a correction to the value.
How do I figure this out?
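Why a 4-byte integer write into a double is nearly a no-op, as an added C example that is not part of the post or the game: it models `mov [edx+60],(Int)1000` (low dword only) against a write of both dwords of the IEEE-754 encoding of 1000.0. The health value 987.5 is a constructed sample, and the `[edx+60]`/`[edx+64]` offsets refer to the disassembly in the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Raw IEEE-754 encoding of a double; on x86 the low dword sits at the lower address. */
static uint64_t double_bits(double d) {
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    return bits;
}

static double bits_double(uint64_t bits) {
    double d;
    memcpy(&d, &bits, sizeof d);
    return d;
}

/* Low dword of a double: the 4 bytes at [edx+60] in the post. */
uint32_t low_dword(double d) { return (uint32_t)double_bits(d); }

/* High dword of a double (sign, exponent, top mantissa bits): the 4 bytes at [edx+64]. */
uint32_t high_dword(double d) { return (uint32_t)(double_bits(d) >> 32); }

/* Models `mov [edx+60],(Int)1000`: only the low 4 bytes of the double that
 * currently holds `current` are overwritten; the high dword is untouched. */
double write_int_low_dword(double current, int32_t value) {
    uint64_t bits = double_bits(current);
    bits = (bits & 0xFFFFFFFF00000000ULL) | (uint32_t)value;
    return bits_double(bits);
}

/* Models writing both dwords of the encoding of `value`, which is what a
 * 32-bit hook has to do to set an 8-byte double without an SSE register. */
double write_double_both_dwords(double value) {
    uint32_t lo = low_dword(value);
    uint32_t hi = high_dword(value);
    return bits_double(((uint64_t)hi << 32) | lo);
}

int main(void) {
    double health = 987.5; /* constructed sample value, not taken from the game */
    printf("1000.0 encodes as low dword %08X, high dword %08X\n",
           low_dword(1000.0), high_dword(1000.0));
    printf("low dword only <- 1000  : %.12f\n", write_int_low_dword(health, 1000));
    printf("both dwords   <- 1000.0 : %.12f\n", write_double_both_dwords(1000.0));
    return 0;
}
```

The low-dword-only write changes 987.5 by a few hundred ULPs, which is invisible in the game's display and is consistent with the value looking "calculated correctly" after the hook runs; writing `0` to the low dword and `408F4000` to the high dword yields exactly 1000.0.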