ASMCode Injection - Editable Values

TheyCallMeTim13

Wiki Monster
Talents
Fearless Donors
https://wiki.cheatengine.org/index.php?title=Tutorial:CodeInjection_EditableValues
Code Injection - Editable Values
This tutorial builds on the subject of code injection, and starts from a working script. Pleas start here: Code Injection - Full
Any game will work but I will be using Windows Solitaire.
First you will need to find an Integer. If unsure how to find values see: Finding Values - Integers

Finding the injection point
After you have found the address of the score then we can find the injection point. Where this is depends on what we want to do so in Windows Solitaire the score decreases over timer, lets make it increase the score, But here let's make it a value that can be changed from the Cheat table without editing the script.

If you followed along with the Code Injection - Full tutorial you should have a script like this.
CEA:
define(bytes,41 83 43 14 FE)

[ENABLE]
alloc(newmem,\$1000,address) // '\$' before a nuber is a short hand for '0x' (hex).

label(code)
label(return)

newmem:
code:
jmp return

jmp newmem
return:

[DISABLE]
db bytes

dealloc(newmem)
So let's add a value that we can change the value of on the CT.

So we'll need some memory, which we have some allocated so let's just create a label and register the symbol. We need to register the symbol to be able to access it else where. We can also use align to align the memory because we will just put it at the end of the allocated memory.
CEA:
define(bytes,41 83 43 14 FE)

[ENABLE]

label(code)
label(return)

label(intScoreAdder) // we need a unque name,
// and I like to indicate the value type in the name (i.e.: "int" for integer).

newmem:
code:
push rax // push/save the registory.
mov eax,[intScoreAdder] // EAX is 32 bits of RAX
add [r11+14],eax // the size is determinded by the size of the registory.
pop rax // pop/restore the registory.
jmp return

align 10 CC // align the memory to be assebled.
dd (int)5 // we could just use 'dd 5' as decimal 5 is equal to hex 5
// or the short hand for an integer 'dd #5'.

jmp newmem
return:

[DISABLE]
db bytes

dealloc(newmem)
So now let's enable the script and add the address to the CT.

And that gives us a changeable value that is used inside the script.

You can set the address as a child of the script, and right click the address record to enable the Hide children when deactivated option under Group config.

Working with Floats

Health Damage Multiplier
Let's say you have an injection point that looks like this, and it's effecting health, and XMM1 holds the damage value.
NASM:
subss xmm0,xmm1
movss [rsi],xmm0
It could even be space apart, all we need is the "subss xmm0,xmm1" in the injection script.
NASM:
subss xmm0,xmm1
...
movss [rsi],xmm0
So let's add a damage multiplier.
CEA:
define(bytes, F3 0F 5C C1 F3 0F 11 06)

[ENABLE]

label(code)
label(return)

newmem:
code:
subss xmm0,xmm1
movss [rsi],xmm0
jmp return

jmp newmem
nop
nop
nop
return:

[DISABLE]
db bytes

dealloc(newmem)
Starting with a script like above; let's add a float (single precision floating point), and multiply XMM1.
CEA:
define(bytes, F3 0F 5C C1 F3 0F 11 06)

[ENABLE]

label(code)
label(return)

label(fltHealthMultiplier) // we need a unque name,
// and I like to indicate the value type in the name (i.e.: "flt" for float).
registerSymbol(fltHealthMultiplier)

newmem:
code:
mulss xmm1,[fltHealthMultiplier]
subss xmm0,xmm1
movss [rsi],xmm0
jmp return

align 10 CC // align the memory to be assebled.
fltHealthMultiplier:
dd (float)0.25

jmp newmem
nop
nop
nop
return:

[DISABLE]
db bytes

dealloc(newmem)

Packed Multiplier
Let's say you have an injection point that looks like this, and it's effecting health and shield, and XMM1 holds the damage values for both.
NASM:
subps xmm0,xmm1
movaps [rsi],xmm0
CEA:
define(bytes, 0F 5C C1 0F 29 06)

[ENABLE]

label(code)
label(return)

newmem:
code:
subss xmm0,xmm1
movss [rsi],xmm0
jmp return

jmp newmem
nop
return:

[DISABLE]
db bytes

dealloc(newmem)
Starting with a script like above; let's add some floats (single precision floating point), and multiply XMM1 with a packed instruction. For an aligned instruction we need to be at an address ending in 0x0, and for a packed instruction we'll need a value that spans 0x10 bytes (0x0 to 0xF).
CEA:
define(bytes, 0F 5C C1 0F 29 06)

[ENABLE]

label(code)
label(return)

label(fltHealthMultiplier) // we need a unque name,
// and I like to indicate the value type in the name (i.e.: "flt" for float).
registerSymbol(fltHealthMultiplier)

newmem:
code:
mulps xmm1,[fltHealthMultiplier]
subps xmm0,xmm1
movaps [rsi],xmm0
jmp return

align 10 CC // align the memory to be assebled. Alignment is required for an aligned instruction.
fltHealthMultiplier:
dd (float)0.25
dd (float)0.35
dd (float)1 // Any values you don't want to change set the multilpier to 1
dd (float)1

jmp newmem
nop
return:

[DISABLE]
db bytes

dealloc(newmem)
To add the values to a CT just set the value type to float and the address for the first one to fltHealthMultiplier and the address for the second to fltHealthMultiplier+4.

Last edited:

jungletek

Reality Bytes
2 missing/broken image links in the middle of the post, but nice work otherwise!

STN

Pleb
Staff member
The files don't exist on ce wiki

SunBeam

Trouble-Maker
Talents
I recommend always using the PNG direct link to the picture, rather than the short imgur link.

Code:
https://i.imgur.com/Vwg1nmb.png -- NOT -- https://imgur.com/Vwg1nmb

Also, that file you're linking from Wiki doesn't exist:

Attachments

• 85.5 KB Views: 13

TheyCallMeTim13

Wiki Monster
Talents
Fearless Donors
@SunBeam
With imugr I just lazily copy the links it give, the BBC one or the linked BBC one.
At this point I'm really not sure what is going on. The image shows on the wiki for me, now I'm wondering how many images on the wiki don't show.

EDIT:
Even after re-clearing the browser cashe.

Last edited:

SunBeam

Trouble-Maker
Talents
I checked the source of what I see and this is the link I got:
Code:
https://wiki.cheatengine.org/images/thumb/d/d2/CodeInjectionEditValues.01.png/800px-CodeInjectionEditValues.01.png
A black image. Tried on phone as well with direct connection, just so I rule out the 'proxy' scenario. Same

SunBeam

Trouble-Maker
Talents
I get 404s on those direct links:
Code:
http://wiki.cheatengine.org/images/d/d2/CodeInjectionEditValues.01.png
http://wiki.cheatengine.org/images/9/99/CodeInjectionEditValues.02.png
Ask DB, might have to do with HTTPS.

TheyCallMeTim13

Wiki Monster
Talents
Fearless Donors
Yeah, that's about what I was starting to think (well at lest the ask DB part), as it works on imgur.
Thanks for the help, nice to see the Red SunBeam again.