Damage Multiplier?

Kalas

Cat'n America!
Fearless Donors
Mar 3, 2017
#1
Ok, so I've seen many tables using the script called Multiplier; I don't really understand what they do there:

But this is the code that displays my current Damage:
Code:
[ENABLE]

aobscan(aobDamageIncrease,8B 80 CC 00 00 00 89 45 C0)
alloc(newmem,$100,aobDamageIncrease)

label(code)
label(return)

newmem:

code:
  mov eax,[eax+000000CC]
  jmp return

aobDamageIncrease:
  jmp newmem
  nop
return:
registersymbol(aobDamageIncrease)

[DISABLE]

aobDamageIncrease:
  db 8B 80 CC 00 00 00

unregistersymbol(aobDamageIncrease)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 17403352

""+17403333: 83 EC 04           -  sub esp,04
""+17403336: 68 90 BB 3E 55     -  push 553EBB90
""+1740333B: 6A 04              -  push 04
""+1740333D: 50                 -  push eax
""+1740333E: E8 CD DC 84 EE     -  call 05C51010
""+17403343: 83 C4 10           -  add esp,10
""+17403346: 8B 45 BC           -  mov eax,[ebp-44]
""+17403349: 89 45 C4           -  mov [ebp-3C],eax
""+1740334C: 89 45 C8           -  mov [ebp-38],eax
""+1740334F: 8B 47 1C           -  mov eax,[edi+1C]
// ---------- INJECTING HERE ----------
""+17403352: 8B 80 CC 00 00 00  -  mov eax,[eax+000000CC]
// ---------- DONE INJECTING  ----------
""+17403358: 89 45 C0           -  mov [ebp-40],eax
""+1740335B: 83 EC 0C           -  sub esp,0C
""+1740335E: 68 44 8B 1F 02     -  push 021F8B44
""+17403363: E8 48 DC 84 EE     -  call 05C50FB0
""+17403368: 83 C4 10           -  add esp,10
""+1740336B: 8B C8              -  mov ecx,eax
""+1740336D: 8B 45 C4           -  mov eax,[ebp-3C]
""+17403370: 8B 55 C0           -  mov edx,[ebp-40]
""+17403373: 89 51 08           -  mov [ecx+08],edx
""+17403376: 83 EC 04           -  sub esp,04
}

Instead of changing it to 999, can I do some sort of Multiplier for it? And also a way for people to change it by adding a manual address.
 

Squall8

RCE Fanatics
Talents
Mar 3, 2017
#2
You're better off finding the instruction that relates to decreasing enemy health. A SUB or MOV works just fine.

Here are a couple of methods I have used.

Set it up like this:

SUB:
Code:
newmem:
  mov XYZ,[yoursymbol]  // I usually just choose an empty register to work with. You can use PUSH/POP here as well.
  imul esi,XYZ
  
code:
  sub [ebx+3C],esi
  jmp return

yoursymbol:
  dd or dq 2 // Depending on whether the target process is 32 or 64 bit
MOV:
Code:
newmem:
  sub edx,dword [rbx+00001884]
  imul edx,[yoursymbol]
  add dword [rbx+00001884],edx
  jmp return

code:
  mov [rbx+00001884],edx
  jmp return
  
yoursymbol:
  dq 2
 

Kalas

Cat'n America!
Fearless Donors
Mar 3, 2017
#3
Oh, so imul just duplicates whatever is in edx, which carries whatever is in 1884?

So whatever is in edx, it will multiply it?

What exactly does the dq mean? I know it's define q, but why 2?

If I change the value to 10, it will mean a 10x multiplier, pretty much?
 

Squall8

RCE Fanatics
Talents
Mar 3, 2017
#4
Yes. Basically it's isolating the last written value with SUB edx,dword [rbx+00001884] (say 50 damage points). Multiplies that by 10 or whatever value. Then adds 500 back. Thinking about it, my SUB and ADD may be wrong because that example was for an EXP multiplier. You may just need to change ADD to SUB. But it's the same concept.
Code:
yoursymbol:
  dq 2
You can put whatever number you want there. When you activate the script your multiplier will be that value, in that case 2.
 

Kalas

Cat'n America!
Fearless Donors
Mar 3, 2017
#5
Squall8 said:
Yes. Basically it's isolating the last written value with SUB edx,dword [rbx+00001884] (say 50 damage points). Multiplies that by 10 or whatever value. Then adds 500 back. Thinking about it, my SUB and ADD may be wrong because that example was for an EXP multiplier. You may just need to change ADD to SUB. But it's the same concept.
Code:
yoursymbol:
  dq 2
You can put whatever number you want there. When you activate the script your multiplier will be that value, in that case 2.
I understand, thank you so much.
 

Kalas

Cat'n America!
Fearless Donors
Mar 3, 2017
#6
Code:
[ENABLE]

aobscan(aobXP,89 46 38 83 EC 08)
alloc(newmem,$100,aobXP)

registersymbol(XP_Multiplier)

label(code)
label(return)
label(XP_Multiplier)

newmem:
  sub eax,dword [esi+38]
  imul eax,[XP_Multiplier]
  add dword [esi+38],eax
  jmp return

code:
  mov [esi+38],eax
  sub esp,08
  jmp return

XP_Multiplier:
  dq 2

aobXP:
  jmp newmem
  nop
return:
registersymbol(aobXP)

[DISABLE]

aobXP:
  db 89 46 38 83 EC 08

unregistersymbol(aobXP)
unregistersymbol(XP_Multiplier)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 43CE3235

""+43CE321B: 8B 46 38           -  mov eax,[esi+38]
""+43CE321E: 83 EC 08           -  sub esp,08
""+43CE3221: 50                 -  push eax
""+43CE3222: 53                 -  push ebx
""+43CE3223: 39 1B              -  cmp [ebx],ebx
""+43CE3225: E8 B6 82 FB FF     -  call 43C9B4E0
""+43CE322A: 83 C4 10           -  add esp,10
""+43CE322D: 89 45 F0           -  mov [ebp-10],eax
""+43CE3230: 8B 46 38           -  mov eax,[esi+38]
""+43CE3233: 03 C7              -  add eax,edi
// ---------- INJECTING HERE ----------
""+43CE3235: 89 46 38           -  mov [esi+38],eax
""+43CE3238: 83 EC 08           -  sub esp,08
// ---------- DONE INJECTING  ----------
""+43CE323B: 50                 -  push eax
""+43CE323C: 53                 -  push ebx
""+43CE323D: 39 1B              -  cmp [ebx],ebx
""+43CE323F: E8 9C 82 FB FF     -  call 43C9B4E0
""+43CE3244: 83 C4 10           -  add esp,10
""+43CE3247: 8B F8              -  mov edi,eax
""+43CE3249: 8B C7              -  mov eax,edi
""+43CE324B: 2B 45 F0           -  sub eax,[ebp-10]
""+43CE324E: 89 45 EC           -  mov [ebp-14],eax
""+43CE3251: 85 C0              -  test eax,eax
}
Did it, thank you :)
 
Mar 4, 2017
#7
Hello Squall8, lol

I'm new to CE, also looking for something like this.

Previously I was using imul for triple XP, such as:

push eax
mov eax,3
imul edx,eax
pop eax
add [ebx+04],edx //original code adds XP

Now I'm looking for something like getting the damage value from the typical health write, like "mov [ecx+20],eax", multiplying it and putting the health back.

So I found your two methods for that; now I've got a few basic questions, see the marked lines below.

I can understand your first code, but got a little confused by the second code below:
Squall8 said:
You're better off finding the instruction that relates to decreasing enemy health. A SUB or MOV works just fine.

Here are a couple of methods I have used.

Set it up like this:


Let's assume rbx+1884 is the Current Health

MOV:
Code:
newmem:
  sub edx,dword [rbx+00001884]    <-- what does adding "dword" before [rbx+00001884] mean? Without that, it won't pick up the value for subtracting edx with Current Health?
  imul edx,[yoursymbol]
  add dword [rbx+00001884],edx
  jmp return

code:
  mov [rbx+00001884],edx 
  jmp return
  
yoursymbol:
  dq 2
Can you explain this piece of code as a math formula, so I can understand how those "sub" and "add" work?
I'm kinda confused at:

newmem:
sub edx,dword [rbx+00001884] // is this 800-1000 or 1000-800?
imul edx,[yoursymbol]
add dword [rbx+00001884],edx // why is this reversed? does it change edx or dword [rbx+00001884]?
jmp return

code:
mov [rbx+00001884],edx
jmp return

thanks :)
 

Squall8

RCE Fanatics
Talents
Mar 3, 2017
#8
So I used an Exp Multiplier in that example, but it's the same concept.

Using your instruction above mov [ecx+20],eax, say your enemy has 100 HP and got dealt 20 damage. Now it's just moving 80 into your enemy's health.

I haven't messed around with Damage Multipliers in a while, but this is what I came up with on the spot:
Code:
sub [ecx+20],eax           // (100-80=20). This isolates the amount of damage done. New health=20.
push ebx
mov ebx,[ecx+20]           // Moves 20 into ebx
imul ebx,[multiplervalue]  // Multiplies ebx by the defined value. Let's just say (20*2=40).
add [ecx+20],eax           // Restores the health value to what it was before you dealt damage (20+80=100).
sub [ecx+20],ebx           // Subtracts now 40 points from health instead of the initial 20.
pop ebx
I'm pretty sure there is a better way to write this out, but this should work fine.
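An added C model (not code from the thread) of the two hooks discussed so far: the MOV method from post #2 (delta = new - old, scaled and added back) and the isolate/restore sequence from this post, run on constructed sample values. Because the delta is signed, the same sub/imul/add hook scales a 20-point hit down to 60 HP and a 50-point XP gain up to 1100, which answers the ADD-vs-SUB question from post #4; the Actor struct and function names are assumptions for the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Simulated game memory cell: stands in for [rbx+00001884] / [ecx+20] from the
   thread (assumed 32-bit field, as the dword operand implies). */
typedef struct { int32_t value; } Actor;

/* Post #2 "MOV" method, hooked in front of  mov [rbx+1884],edx :
     sub edx,dword [rbx+1884]   ; edx = new - old   (signed delta)
     imul edx,[yoursymbol]      ; edx = delta * multiplier (low dword of the dq)
     add dword [rbx+1884],edx   ; memory = old + scaled delta
   Assumes the hook runs before the original store, so memory still holds the
   old value, and that the original mov is skipped (jmp return). */
static int32_t hook_mov_method(Actor *a, int32_t edx, int32_t multiplier)
{
    int32_t old = a->value;
    int64_t scaled = ((int64_t)edx - old) * multiplier;  /* 64-bit to detect wrap */
    int64_t result = old + scaled;
    if (result > INT32_MAX || result < INT32_MIN)
        return old;          /* real 32-bit registers would wrap; the model refuses */
    a->value = (int32_t)result;
    return a->value;
}

/* Post #8 method, hooked in place of  mov [ecx+20],eax :
     sub [ecx+20],eax    ; old - new = damage
     mov ebx,[ecx+20]
     imul ebx,[mult]     ; damage * multiplier
     add [ecx+20],eax    ; back to old health
     sub [ecx+20],ebx    ; old - scaled damage (same result, computed in 64-bit here) */
static int32_t hook_isolate_restore(Actor *a, int32_t eax, int32_t multiplier)
{
    int64_t damage = (int64_t)a->value - eax;
    int64_t result = a->value - damage * multiplier;
    if (result > INT32_MAX || result < INT32_MIN)
        return a->value;
    a->value = (int32_t)result;
    return a->value;
}

int main(void)
{
    Actor enemy = { 100 }, player = { 1000 }, enemy2 = { 100 };  /* constructed samples */
    /* 100 HP, game writes 80: delta -20, x2 -> 60 HP without touching ADD/SUB */
    printf("mov method, damage: %d\n", hook_mov_method(&enemy, 80, 2));
    /* 1000 XP, game writes 1050: delta +50, x2 -> 1100 XP, same hook */
    printf("mov method, xp:     %d\n", hook_mov_method(&player, 1050, 2));
    printf("isolate/restore:    %d\n", hook_isolate_restore(&enemy2, 80, 2));
    return 0;
}
```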
 
Mar 4, 2017
#9
Squall8 said:
So I used an Exp Multiplier in that example, but it's the same concept.

Using your instruction above mov [ecx+20],eax, say your enemy has 100 HP and got dealt 20 damage. Now it's just moving 80 into your enemy's health.

I haven't messed around with Damage Multipliers in a while, but this is what I came up with on the spot:
Code:
sub [ecx+20],eax           // (100-80=20). This isolates the amount of damage done. New health=20.
push ebx
mov ebx,[ecx+20]           // Moves 20 into ebx
imul ebx,[multiplervalue]  // Multiplies ebx by the defined value. Let's just say (20*2=40).
add [ecx+20],eax           // Restores the health value to what it was before you dealt damage (20+80=100).
sub [ecx+20],ebx           // Subtracts now 40 points from health instead of the initial 20.
pop ebx
I'm pretty sure there is a better way to write this out, but this should work fine.
Oh thanks, :D

So there are many ways of writing the code, but they work the same.
 

ByteXavier

What is cheating?
Nov 7, 2017
#10
I'm also trying to write a script to multiply my damage, although when I scan to see what writes to the address that correlates to my enemy's health I get this:

https://photos.app.goo.gl/TUmwMYxwX06ACIuA3

Any suggestions?
 

Squall8

RCE Fanatics
Talents
Mar 3, 2017
#11
Look no more than 3 lines above that movss for a subss instruction. For example, you find subss xmm0,xmm2.
Code:
newmem:
  mulss xmm2,[multipliervalue]   // Add this.
  
code:
  subss xmm0,xmm2   // In this case, xmm0 holds your enemy's current health and xmm2 is the amount of damage done.
  ...