How to retrieve a count value?

KevinDA

Cheater
Joined
Apr 16, 2020
Messages
26
Hello, in this example I would like to retrieve and modify the value 30. How do I do it?

 
Dread_Pony_Roberts

Code Cracker
Table Maker
Joined
Dec 9, 2018
Messages
231
I want to help you, but you are jumping straight into the deep end. First off, the game you are cheating in is a 64-bit game, and they are usually more complicated to deal with. I assume you are still cheating in WWE2K20, which is a very recent AAA game and is thus much more complicated to deal with. The main issue, though, is that you seem to have started cheating in real games when you hardly have a basic grasp of how assembly coding works.

I would strongly suggest that you do the tutorial and watch beginner tutorials such as this: https://www.youtube.com/watch?v=z_5n6vlVvRU&list=PLszEh0IDMrCl2phD7h8UN_KAkmP0NXz_6
 
SunBeam

Administrator
Staff member
Joined
Feb 4, 2018
Messages
3,496
LOL. Seeing this is the 3rd or 4th time he's blatantly ignoring any advice everyone has given him so far, I too will ignore any common sense and start randomly posting shit in his topics. He's trying to fucking change a COUNTER. That 30 there is a display counter; it tells you how many times your opcode was hit when debugging. It's not a memory value. Please start from the beginning, as several people have already told you, so you'd stop making a fool of yourself and giving others the opportunity for mockery. I'll start warning your ass if you continue to ignore us and post another topic.
 
TheyCallMeTim13

Enchanter
Staff member
Administrator
Fearless Donors
Talents
Joined
Mar 3, 2017
Messages
1,799
Here you go, it's "modify" now.
 
kantoboy69

Expert Cheater
Table Maker
Joined
Aug 30, 2019
Messages
90
You guys :lol: :lol: :lol: :lol: :lol:

@KevinDA you can't modify that counter, but you can check all the registers and the stack trace (click More Info, then the tiny S box).

In Xenonauts 2 there is this piece of code. It is called by almost any function that uses the class that inherits it
(e.g. hitpoints, buildpoints, etc.). Since the object clones the data, the addresses of the values will always change, so
I figured it would need to fetch those values somehow, and found this.
Code:
Common:Range:get_Value - 48 83 EC 18           - sub rsp,18 { 24 }
Common:Range:get_Value+4- 48 89 4C 24 08        - mov [rsp+08],rcx
Common:Range:get_Value+9- 48 8B C1              - mov rax,rcx
Common:Range:get_Value+c- F3 0F10 40 14         - movss xmm0,[rax+14]
Common:Range:get_Value+11- F3 0F5A C0            - cvtss2sd xmm0,xmm0
Common:Range:get_Value+15- F2 0F5A E8            - cvtsd2ss xmm5,xmm0
Common:Range:get_Value+19- F3 0F11 2C 24         - movss [rsp],xmm5
Common:Range:get_Value+1e- F3 0F10 04 24         - movss xmm0,[rsp]
Common:Range:get_Value+23- F3 0F5A C0            - cvtss2sd xmm0,xmm0
Common:Range:get_Value+27- F2 0F5A C0            - cvtsd2ss xmm0,xmm0
Common:Range:get_Value+2b- 48 83 C4 18           - add rsp,18 { 24 }
Common:Range:get_Value+2f- C3                    - ret
By analyzing the stack trace and registers, I came up with this:
[code]
// Get Value MemCode: body of the hook placed at Common:Range:get_Value+9
// (the two original instructions, 8 bytes, are re-executed at GetValuecode).
// The alloc/label/registersymbol lines for GetValuenewmem, GetValuereturn,
// ValueAddr, BuildingPointsAddr, ResearchPointsAddr, EngineerPointsAddr,
// ProgressPointsAddr and tmpvar1 are in the rest of the script, not shown here.
// [isFetchSellItem] is a symbol registered by another AA script.
// Numbers are hex (CE auto-assembler default); rcx holds the object on entry.
GetValuenewmem:
cmp dword [rsp+0], 232 // QUANTITY_ID
jne BuildingPointsCode
cmp dword ptr [isFetchSellItem], 1 // only capture when the other script flagged this call
jne ICodeEnds
mov dword ptr [isFetchSellItem], 0 // clear the flag so the next get_Value hit is ignored
mov qword ptr [ValueAddr], rcx // save the object's base address
jmp ICodeEnds
BuildingPointsCode:
cmp dword [rsp+0], 1d1 // BUILDINGPOINTS_ID
jne ResearchPointsCode
mov qword ptr [BuildingPointsAddr], rcx
jmp ICodeEnds
ResearchPointsCode:
cmp dword [rsp+0], 246 // RESEARCHPOINTS_ID
jne EngineerPointsCode
mov qword ptr [ResearchPointsAddr], rcx
jmp ICodeEnds
EngineerPointsCode:
cmp dword [rsp+0], 1e7 // ENGINEERINGPOINTS_ID
jne ProgressPointsCode
mov qword ptr [EngineerPointsAddr], rcx
jmp ICodeEnds
ProgressPointsCode:
cmp dword [rsp+0], 22a // PROGRESSPOINTS_ID
jne GeoTimerCode
mov qword ptr [ProgressPointsAddr], rcx
jmp ICodeEnds
GeoTimerCode:
cmp dword [rsp+208], 20a // Geo timer
jne ICodeEnds
EngineerWorkForceCode:
cmp dword [rsp+c0], 1e6 // Engineer work force
je WorkForceCode
ScientistWorkForceCode:
cmp dword [rsp+c0], 245 // Scientist work force
je WorkForceCode
jmp ICodeEnds
WorkForceCode:
mov qword ptr [tmpvar1], rbx // preserve rbx
mov ebx, (float)100
mov dword ptr [rcx+14], ebx // overwrite the float at +14 (the value get_Value reads) with 100
mov rbx, qword ptr [tmpvar1] // restore rbx
jmp ICodeEnds
//testcode:
// cmp dword [rsp+0], 2
// jle ICodeEnds
// jmp ICodeEnds
//testcode2:
// nop
ICodeEnds:
GetValuecode:
mov rax,rcx // original instructions from get_Value+9 and +c
movss xmm0,[rax+14]
jmp GetValuereturn
[/code]
The // remarks with IDs are the values at those specific stack positions when it fetches those specific values.

This one, [isFetchSellItem], is a registered symbol set from another AA script (one that runs before and uses get_Value).
So I set it to 1 every time that specific code is about to use get_Value to modify that address, then after it uses it, set it back to 0.
Hence I now have the base address of the quantity value.

By back-tracking/tracing using the stack result on "Following opcode access",
you can check what to look for in the stack that leads to your expected result.

Also, based on your example, you can use "set breakpoint condition" like this (right-click the debug breakpoint, then click that):
RBX == 180CA1ABDA0
Your watched address is 180CA1B4BA0, the code is RBX+8e00, hence RBX-8e00 is 180CA1ABDA0.

So you need a lot of patience and a basic understanding of assembly language if you really want it :D
Although the logic flow in asm is top-down, it will still be challenging.
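Added example (mine, not code from kantoboy69, the thread, or the game): the same idea of hooking one shared getter and telling its callers apart, written in C so it can be compiled and run outside Cheat Engine. Instead of the stack-slot IDs the script above compares against, this version keys on the return address (the GCC/Clang `__builtin_return_address` builtin), and it uses a flag the way `isFetchSellItem` is used, to learn which call site belongs to which value and then capture the object that call site passes in. The `Range` struct, its field layout, the two callers and the ID names are constructed for the demo; nothing about the game's objects is assumed beyond the fact that one getter is shared and the objects move.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed layout standing in for the game's object. In the listing the
 * getter reads a float at +14; here `value` is simply the last field. */
typedef struct {
    int   id_tag;      /* filler, so the value is not at offset 0 */
    float min, max;
    float value;       /* the field the hook wants to reach */
} Range;

enum { ID_HITPOINTS = 0, ID_BUILDPOINTS = 1, ID_COUNT = 2 };

/* Return address of the call site that belongs to each logical value. */
static const void *caller_site[ID_COUNT];
/* Object most recently passed to the getter by each known call site
 * (the equivalent of ValueAddr / BuildingPointsAddr in the script). */
static Range *captured[ID_COUNT];
/* Analogue of isFetchSellItem: while >= 0, the next hit of the getter is
 * attributed to this ID and its call site is recorded, then the flag is cleared. */
static int learn_id = -1;

/* The shared getter with the hook logic at its top. noinline keeps
 * __builtin_return_address(0) meaningful (GCC/Clang builtin, assumed available). */
__attribute__((noinline)) float range_get_value(Range *r)
{
    const void *ret = __builtin_return_address(0);
    if (learn_id >= 0) {                  /* flagged by the code path we care about */
        caller_site[learn_id] = ret;      /* remember who called us */
        learn_id = -1;                    /* clear the flag, as the script does */
    }
    for (int i = 0; i < ID_COUNT; i++)    /* dispatch on what the stack tells us */
        if (caller_site[i] && caller_site[i] == ret)
            captured[i] = r;              /* "mov qword ptr [ValueAddr], rcx" */
    return r->value;
}

/* Two unrelated callers of the same getter, like hitpoints and buildpoints. */
__attribute__((noinline)) float hitpoints_display(Range *hp)   { return range_get_value(hp) * 2.0f; }
__attribute__((noinline)) float buildpoints_display(Range *bp) { return range_get_value(bp) + 1.0f; }

/* Learn the call sites once, on scratch objects: set the flag, trigger the
 * known code path, let the hook clear the flag. */
void learn_callers(void)
{
    Range scratch = {0, 0.0f, 1.0f, 0.5f};
    learn_id = ID_HITPOINTS;   hitpoints_display(&scratch);
    learn_id = ID_BUILDPOINTS; buildpoints_display(&scratch);
}

/* Simulates the game re-creating its objects at new addresses: the hook must
 * still capture the right one. Returns 1 if both captured pointers are correct
 * and writing through the hitpoints pointer changes what that caller sees. */
int capture_demo(void)
{
    learn_callers();
    Range hp = {1, 0.0f, 100.0f, 30.0f};   /* fresh objects, fresh addresses */
    Range bp = {2, 0.0f, 100.0f, 7.0f};
    captured[ID_HITPOINTS] = captured[ID_BUILDPOINTS] = NULL;

    hitpoints_display(&hp);
    buildpoints_display(&bp);
    if (captured[ID_HITPOINTS] != &hp || captured[ID_BUILDPOINTS] != &bp)
        return 0;

    captured[ID_HITPOINTS]->value = 100.0f;  /* the "mov dword ptr [rcx+14],ebx" step */
    return hitpoints_display(&hp) == 200.0f && buildpoints_display(&bp) == 8.0f;
}

int main(void)
{
    printf("capture %s\n", capture_demo() ? "ok" : "failed");
    return 0;
}
```

The learn step is the part that matters: the hook cannot know on its own which caller is "quantity", so something that does know (the other script, or here the flag set right before a known call) has to tag one hit, after which the recorded stack information identifies that caller every time. Keying on a stack slot such as [rsp+0] works the same way, but is more fragile than the return address because whatever left that value there may change between builds.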