Code Injection - Editable Values

Post by TheyCallMeTim13 » Mon Apr 23, 2018 5:42 am

https://wiki.cheatengine.org/index.php? ... ableValues
This tutorial builds on the subject of code injection, and starts from a working script. Please start here: Code Injection - Full
Any game will work, but I will be using Windows Solitaire.
First you will need to find an integer. If unsure how to find values, see: Finding Values - Integers

Finding the injection point
After you have found the address of the score, we can find the injection point. Where this is depends on what we want to do; in Windows Solitaire the score decreases over time, so let's make it increase the score. But here let's make it a value that can be changed from the Cheat Table without editing the script.

If you followed along with the Code Injection - Full tutorial you should have a script like this.

Code:

define(address,"solitaire.exe"+396CC)
define(bytes,41 83 43 14 FE)

[ENABLE]
assert(address,bytes)
alloc(newmem,$1000,address) // '$' before a number is shorthand for '0x' (hex).

label(code)
label(return)

newmem:
  code:
    add dword ptr [r11+14],02
    jmp return


address:
  jmp newmem
  return:

[DISABLE]
address:
  db bytes
  // add dword ptr [r11+14],-02

dealloc(newmem)

So let's add a value that we can change on the CT.


Adding an Editable Value
So we'll need some memory; we already have some allocated, so let's just create a label and register the symbol. We need to register the symbol to be able to access it elsewhere. We can also use align to align the memory, because we will just put it at the end of the allocated memory.

Code:

define(address,"solitaire.exe"+396CC)
define(bytes,41 83 43 14 FE)

[ENABLE]
assert(address,bytes)
alloc(newmem,0x400,address)

label(code)
label(return)

label(intScoreAdder) // we need a unique name,
// and I like to indicate the value type in the name (i.e.: "int" for integer).
registerSymbol(intScoreAdder)

newmem:
  code:
    push rax // push/save the register.
    mov eax,[intScoreAdder] // EAX is the low 32 bits of RAX
    add [r11+14],eax // the operand size is determined by the size of the register.
    pop rax // pop/restore the register.
    jmp return

  align 10 CC // align the memory to be assembled.
  intScoreAdder:
    dd (int)5 // we could just use 'dd 5' as decimal 5 is equal to hex 5
              // or the shorthand for an integer 'dd #5'.


address:
  jmp newmem
  return:

[DISABLE]
address:
  db bytes
  // add dword ptr [r11+14],-02

dealloc(newmem)

So now let's enable the script and add the address to the CT.


Adding the Address to a CT

Image

And that gives us a changeable value that is used inside the script.

You can set the address as a child of the script, and right click the address record to enable the Hide children when deactivated option under Group config.
Image


Working with Floats

Health Damage Multiplier
Let's say you have an injection point that looks like this, it's affecting health, and XMM1 holds the damage value.

Code:

subss xmm0,xmm1
movss [rsi],xmm0

It could even be spaced apart; all we need is the "subss xmm0,xmm1" in the injection script.

Code:

subss xmm0,xmm1
...
movss [rsi],xmm0

So let's add a damage multiplier.

Code:

define(address, "game.exe"+123ABC)
define(bytes, F3 0F 5C C1 F3 0F 11 06)

[ENABLE]
assert(address, bytes)
alloc(newmem, 0x400, address)

label(code)
label(return)

newmem:
  code:
    subss xmm0,xmm1
    movss [rsi],xmm0
    jmp return


address:
  jmp newmem
  nop
  nop
  nop
  return:

[DISABLE]
address:
  db bytes

dealloc(newmem)

Starting with a script like above, let's add a float (single precision floating point), and multiply XMM1.

Code:

define(address, "game.exe"+123ABC)
define(bytes, F3 0F 5C C1 F3 0F 11 06)

[ENABLE]
assert(address, bytes)
alloc(newmem, 0x400, address)

label(code)
label(return)

label(fltHealthMultiplier) // we need a unique name,
// and I like to indicate the value type in the name (i.e.: "flt" for float).
registerSymbol(fltHealthMultiplier)

newmem:
  code:
    mulss xmm1,[fltHealthMultiplier]
    subss xmm0,xmm1
    movss [rsi],xmm0
    jmp return

  align 10 CC // align the memory to be assembled.
  fltHealthMultiplier:
    dd (float)0.25


address:
  jmp newmem
  nop
  nop
  nop
  return:

[DISABLE]
address:
  db bytes

dealloc(newmem)

Packed Multiplier
Let's say you have an injection point that looks like this, it's affecting health and shield, and XMM1 holds the damage values for both.

Code:

subps xmm0,xmm1
movaps [rsi],xmm0

Code:

define(address, "game.exe"+123ABC)
define(bytes, 0F 5C C1 0F 29 06)

[ENABLE]
assert(address, bytes)
alloc(newmem, 0x400, address)

label(code)
label(return)

newmem:
  code:
    subps xmm0,xmm1 // the original (packed) instructions, matching the bytes defined above
    movaps [rsi],xmm0
    jmp return


address:
  jmp newmem
  nop
  return:

[DISABLE]
address:
  db bytes

dealloc(newmem)

Starting with a script like above, let's add some floats (single precision floating point), and multiply XMM1 with a packed instruction. For an aligned instruction we need to be at an address ending in 0x0, and for a packed instruction we'll need a value that spans 0x10 bytes (0x0 to 0xF).

Code:

define(address, "game.exe"+123ABC)
define(bytes, 0F 5C C1 0F 29 06)

[ENABLE]
assert(address, bytes)
alloc(newmem, 0x400, address)

label(code)
label(return)

label(fltHealthMultiplier) // we need a unique name,
// and I like to indicate the value type in the name (i.e.: "flt" for float).
registerSymbol(fltHealthMultiplier)

newmem:
  code:
    mulps xmm1,[fltHealthMultiplier]
    subps xmm0,xmm1
    movaps [rsi],xmm0
    jmp return

  align 10 CC // align the memory to be assembled. Alignment is required for an aligned instruction.
  fltHealthMultiplier:
    dd (float)0.25
    dd (float)0.35
    dd (float)1 // For any values you don't want to change, set the multiplier to 1
    dd (float)1


address:
  jmp newmem
  nop
  return:

[DISABLE]
address:
  db bytes

dealloc(newmem)

To add the values to a CT, just set the value type to float, the address for the first one to fltHealthMultiplier, and the address for the second to fltHealthMultiplier+4.


Last edited by TheyCallMeTim13 on Tue May 01, 2018 12:29 am, edited 7 times in total.
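As an added example (not part of the post above, and not Cheat Engine code), a small Python model of what those scripts rely on: why the 8-byte and 6-byte injection points need 3 and 1 nops after the 5-byte jmp, how the rel32 of 'jmp newmem' is formed, what assert(address,bytes) checks before patching, and how the four dd lanes behind fltHealthMultiplier map onto mulps and onto the +0/+4 addresses used in the CT. The addresses are constructed; the byte strings are the ones the scripts define.

```python
import struct

JMP_REL32_LEN = 5  # E9 + 4-byte signed displacement: the size of 'jmp newmem'


def nop_padding(original_bytes: bytes) -> int:
    """NOPs needed after 'jmp newmem' so the hook covers the original bytes exactly."""
    if len(original_bytes) < JMP_REL32_LEN:
        raise ValueError("injection point shorter than a 5-byte jmp")
    return len(original_bytes) - JMP_REL32_LEN


def encode_jmp(address: int, newmem: int) -> bytes:
    """Encode 'jmp newmem' placed at 'address'; rel32 is measured from the end of the jmp.
    struct.pack raises if newmem is more than 2 GiB away, which is why alloc() takes
    'address' as a hint for where to allocate."""
    return b"\xE9" + struct.pack("<i", newmem - (address + JMP_REL32_LEN))


def hook_site(address: int, newmem: int, original_bytes: bytes) -> bytes:
    """The bytes the [ENABLE] section leaves at 'address': the jmp plus nop filler."""
    return encode_jmp(address, newmem) + b"\x90" * nop_padding(original_bytes)


def original_intact(memory: bytes, expected: bytes) -> bool:
    """Same check as assert(address,bytes): only patch if the site is still unmodified."""
    return memory[: len(expected)] == expected


def multiplier_block(health: float, shield: float, lane3: float = 1.0, lane4: float = 1.0) -> bytes:
    """The 16 bytes behind fltHealthMultiplier; lane n sits at offset 4*n (shield is +4)."""
    return struct.pack("<4f", health, shield, lane3, lane4)


def movaps_aligned(symbol_address: int) -> bool:
    """What 'align 10' guarantees: aligned SSE memory operands must end in 0."""
    return symbol_address % 0x10 == 0


def apply_mulps(damage_lanes, block: bytes):
    """Lane-wise product, i.e. what 'mulps xmm1,[fltHealthMultiplier]' does to xmm1."""
    return [d * m for d, m in zip(damage_lanes, struct.unpack("<4f", block))]


if __name__ == "__main__":
    # Constructed addresses; the byte string is the packed script's 'bytes' define.
    packed = bytes.fromhex("0F5CC10F2906")
    print(hook_site(0x140123ABC, 0x140200000, packed).hex(), nop_padding(packed), "nop(s)")
    print(apply_mulps([100.0, 50.0, 7.0, 3.0], multiplier_block(0.25, 0.35)))
```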

Post by jungletek » Mon Apr 23, 2018 7:34 am

2 missing/broken image links in the middle of the post, but nice work otherwise!

Post by STN » Mon Apr 23, 2018 8:31 am

The files don't exist on ce wiki

Post by TheyCallMeTim13 » Mon Apr 23, 2018 12:43 pm

Fixed
Last edited by TheyCallMeTim13 on Tue Apr 24, 2018 11:18 pm, edited 8 times in total.

Post by SunBeam » Mon Apr 23, 2018 1:38 pm

I recommend always using the PNG direct link to the picture, rather than the short imgur link.

[code]https://i.imgur.com/Vwg1nmb.png -- NOT -- https://imgur.com/Vwg1nmb[/code]

Also, that file you're linking from Wiki doesn't exist:
Last edited by SunBeam on Thu Jan 01, 1970 12:00 am, edited 5 times in total.

Post by TheyCallMeTim13 » Mon Apr 23, 2018 1:45 pm

@SunBeam

With imgur I just lazily copy the links it gives, the BBC one or the linked BBC one.

At this point I'm really not sure what is going on. The image shows on the wiki for me, now I'm wondering how many images on the wiki don't show.

EDIT:

Even after re-clearing the browser cache.
Last edited by TheyCallMeTim13 on Tue Apr 24, 2018 11:19 pm, edited 2 times in total.

Post by SunBeam » Mon Apr 23, 2018 1:48 pm

I checked the source of what I see and this is the link I got:

[code]https://wiki.cheatengine.org/images/thumb/d/d2/CodeInjectionEditValues.01.png/800px-CodeInjectionEditValues.01.png[/code]

A black image. Tried on phone as well with direct connection, just so I rule out the 'proxy' scenario. Same.
Last edited by SunBeam on Thu Jan 01, 1970 12:00 am, edited 2 times in total.

Post by TheyCallMeTim13 » Mon Apr 23, 2018 1:51 pm

Fixed
Last edited by TheyCallMeTim13 on Tue Apr 24, 2018 11:19 pm, edited 2 times in total.

Post by SunBeam » Mon Apr 23, 2018 1:52 pm

I get 404s on those direct links:

[code]
http://wiki.cheatengine.org/images/d/d2/CodeInjectionEditValues.01.png
http://wiki.cheatengine.org/images/9/99/CodeInjectionEditValues.02.png
[/code]

Ask DB, might have to do with HTTPS.
Last edited by SunBeam on Thu Jan 01, 1970 12:00 am, edited 1 time in total.

Post by TheyCallMeTim13 » Mon Apr 23, 2018 1:55 pm

Yeah, that's about what I was starting to think (well, at least the ask DB part), as it works on imgur.

Thanks for the help, nice to see the Red SunBeam again.
