ASM Code Injection - Editable Values

TheyCallMeTim13

Wiki Monster
Talents
Fearless Donors
Mar 3, 2017
405
44
28
#1
https://wiki.cheatengine.org/index.php?title=Tutorial:CodeInjection_EditableValues
Code Injection - Editable Values
This tutorial builds on the subject of code injection, and starts from a working script. Pleas start here: Code Injection - Full
Any game will work but I will be using Windows Solitaire.
First you will need to find an Integer. If unsure how to find values see: Finding Values - Integers

Finding the injection point
After you have found the address of the score then we can find the injection point. Where this is depends on what we want to do so in Windows Solitaire the score decreases over timer, lets make it increase the score, But here let's make it a value that can be changed from the Cheat table without editing the script.

If you followed along with the Code Injection - Full tutorial you should have a script like this.
CEA:
define(address,"solitaire.exe"+396CC)
define(bytes,41 83 43 14 FE)

[ENABLE]
assert(address,bytes)
alloc(newmem,$1000,address) // '$' before a nuber is a short hand for '0x' (hex).

label(code)
label(return)

newmem:
  code:
    add dword ptr [r11+14],02
    jmp return


address:
  jmp newmem
  return:

[DISABLE]
address:
  db bytes
  // add dword ptr [r11+14],-02

dealloc(newmem)
So let's add a value that we can change the value of on the CT.


Adding an Editable Value
So we'll need some memory, which we have some allocated so let's just create a label and register the symbol. We need to register the symbol to be able to access it else where. We can also use align to align the memory because we will just put it at the end of the allocated memory.
CEA:
define(address,"solitaire.exe"+396CC)
define(bytes,41 83 43 14 FE)

[ENABLE]
assert(address,bytes)
alloc(newmem,0x400,address)

label(code)
label(return)

label(intScoreAdder) // we need a unque name,
// and I like to indicate the value type in the name (i.e.: "int" for integer).
registerSymbol(intScoreAdder)

newmem:
  code:
    push rax // push/save the registory.
    mov eax,[intScoreAdder] // EAX is 32 bits of RAX
    add [r11+14],eax // the size is determinded by the size of the registory.
    pop rax // pop/restore the registory.
    jmp return

  align 10 CC // align the memory to be assebled.
  intScoreAdder:
    dd (int)5 // we could just use 'dd 5' as decimal 5 is equal to hex 5
              // or the short hand for an integer 'dd #5'.


address:
  jmp newmem
  return:

[DISABLE]
address:
  db bytes
  // add dword ptr [r11+14],-02

dealloc(newmem)
So now let's enable the script and add the address to the CT.


Adding the Address a CT



And that gives us a changeable value that is used inside the script.

You can set the address as a child of the script, and right click the address record to enable the Hide children when deactivated option under Group config.



Working with Floats

Health Damage Multiplier
Let's say you have an injection point that looks like this, and it's effecting health, and XMM1 holds the damage value.
NASM:
subss xmm0,xmm1
movss [rsi],xmm0
It could even be space apart, all we need is the "subss xmm0,xmm1" in the injection script.
NASM:
subss xmm0,xmm1
...
movss [rsi],xmm0
So let's add a damage multiplier.
CEA:
define(address, "game.exe"+123ABC)
define(bytes, F3 0F 5C C1 F3 0F 11 06)

[ENABLE]
assert(address, bytes)
alloc(newmem, 0x400, address)

label(code)
label(return)

newmem:
  code:
    subss xmm0,xmm1
    movss [rsi],xmm0
    jmp return


address:
  jmp newmem
  nop
  nop
  nop
  return:

[DISABLE]
address:
  db bytes

dealloc(newmem)
Starting with a script like above; let's add a float (single precision floating point), and multiply XMM1.
CEA:
define(address, "game.exe"+123ABC)
define(bytes, F3 0F 5C C1 F3 0F 11 06)

[ENABLE]
assert(address, bytes)
alloc(newmem, 0x400, address)

label(code)
label(return)

label(fltHealthMultiplier) // we need a unque name,
// and I like to indicate the value type in the name (i.e.: "flt" for float).
registerSymbol(fltHealthMultiplier)

newmem:
  code:
    mulss xmm1,[fltHealthMultiplier]
    subss xmm0,xmm1
    movss [rsi],xmm0
    jmp return

  align 10 CC // align the memory to be assebled.
  fltHealthMultiplier:
    dd (float)0.25


address:
  jmp newmem
  nop
  nop
  nop
  return:

[DISABLE]
address:
  db bytes

dealloc(newmem)

Packed Multiplier
Let's say you have an injection point that looks like this, and it's effecting health and shield, and XMM1 holds the damage values for both.
NASM:
subps xmm0,xmm1
movaps [rsi],xmm0
CEA:
define(address, "game.exe"+123ABC)
define(bytes, 0F 5C C1 0F 29 06)

[ENABLE]
assert(address, bytes)
alloc(newmem, 0x400, address)

label(code)
label(return)

newmem:
  code:
    subss xmm0,xmm1
    movss [rsi],xmm0
    jmp return


address:
  jmp newmem
  nop
  return:

[DISABLE]
address:
  db bytes

dealloc(newmem)
Starting with a script like above; let's add some floats (single precision floating point), and multiply XMM1 with a packed instruction. For an aligned instruction we need to be at an address ending in 0x0, and for a packed instruction we'll need a value that spans 0x10 bytes (0x0 to 0xF).
CEA:
define(address, "game.exe"+123ABC)
define(bytes, 0F 5C C1 0F 29 06)

[ENABLE]
assert(address, bytes)
alloc(newmem, 0x400, address)

label(code)
label(return)

label(fltHealthMultiplier) // we need a unque name,
// and I like to indicate the value type in the name (i.e.: "flt" for float).
registerSymbol(fltHealthMultiplier)

newmem:
  code:
    mulps xmm1,[fltHealthMultiplier]
    subps xmm0,xmm1
    movaps [rsi],xmm0
    jmp return

  align 10 CC // align the memory to be assebled. Alignment is required for an aligned instruction.
  fltHealthMultiplier:
    dd (float)0.25
    dd (float)0.35
    dd (float)1 // Any values you don't want to change set the multilpier to 1
    dd (float)1


address:
  jmp newmem
  nop
  return:

[DISABLE]
address:
  db bytes

dealloc(newmem)
To add the values to a CT just set the value type to float and the address for the first one to fltHealthMultiplier and the address for the second to fltHealthMultiplier+4.


See also
External links
 
Last edited:

jungletek

Reality Bytes
Oct 17, 2017
155
6
18
#2
2 missing/broken image links in the middle of the post, but nice work otherwise!
 

STN

Pleb
Staff member
Administrator
Mar 2, 2017
3,025
58
48
#3
The files don't exist on ce wiki
 

SunBeam

Trouble-Maker
Talents
Feb 4, 2018
553
295
63
#5
I recommend always using the PNG direct link to the picture, rather than the short imgur link.

Code:
https://i.imgur.com/Vwg1nmb.png -- NOT -- https://imgur.com/Vwg1nmb

Also, that file you're linking from Wiki doesn't exist:
 

Attachments

TheyCallMeTim13

Wiki Monster
Talents
Fearless Donors
Mar 3, 2017
405
44
28
#6
@SunBeam
With imugr I just lazily copy the links it give, the BBC one or the linked BBC one.
At this point I'm really not sure what is going on. The image shows on the wiki for me, now I'm wondering how many images on the wiki don't show.

EDIT:
Even after re-clearing the browser cashe.
 
Last edited:

SunBeam

Trouble-Maker
Talents
Feb 4, 2018
553
295
63
#7
I checked the source of what I see and this is the link I got:
Code:
https://wiki.cheatengine.org/images/thumb/d/d2/CodeInjectionEditValues.01.png/800px-CodeInjectionEditValues.01.png
A black image. Tried on phone as well with direct connection, just so I rule out the 'proxy' scenario. Same
 

SunBeam

Trouble-Maker
Talents
Feb 4, 2018
553
295
63
#9
I get 404s on those direct links:
Code:
http://wiki.cheatengine.org/images/d/d2/CodeInjectionEditValues.01.png
http://wiki.cheatengine.org/images/9/99/CodeInjectionEditValues.02.png
Ask DB, might have to do with HTTPS.
 

TheyCallMeTim13

Wiki Monster
Talents
Fearless Donors
Mar 3, 2017
405
44
28
#10
Yeah, that's about what I was starting to think (well at lest the ask DB part), as it works on imgur.
Thanks for the help, nice to see the Red SunBeam again.
 
Top Bottom