instruction -> registersymbol -> address

Apr 2, 2017
#1
Hello there,

I have run into some problems with scripts and AOBs.
In the game that I want to cheat in, I have found the section where all the addresses are stored.
I cannot find a reliable AOB array in the vicinity there.
I found however the instruction that changes shield in this example.
I made a script that stops it from ever going down.

Now my question: is it possible to use that instruction to give me a pointer that always points to the shield value?

Here's the code:
Code:
[ENABLE]
aobscan(tits_shield,41 89 48 5? 48 8B 8D 48 FF FF FF)
alloc(newmem,$100)

label(code)
label(return)

newmem:
// allocated, but nothing jumps into it: the code below never runs

code:
  mov [r8+58],ecx
  mov rcx,[rbp-000000B8]
  jmp return

tits_shield:
 db 90 90 90 90 // overwrite the 4-byte store (41 89 48 58) with nops so the shield is never written
return:
registersymbol(tits_shield)

[DISABLE]

tits_shield:
  db 41 89 48 58 48 8B 8D 48 FF FF FF // restore the original bytes

unregistersymbol(tits_shield)
dealloc(newmem)
Sorry if that code looks butchered or bad, I just pieced that together, since I'm really bad at this.

The [r8+58] part points to the shield value.
Is it possible to assign it a register somehow, so I can build a table around it?

Thanks in advance :)
 

Rudo

Apr 6, 2017
#2
You can do something like this:
Code:
aobscan(tits_shield,41 89 48 5? 48 8B 8D 48 FF FF FF)
alloc(newmem,$100)

label(code)
label(return)
label(shield_ptr)
registersymbol(shield_ptr)

newmem:
shield_ptr:
dd 0

code:
  mov [shield_ptr],r8
  mov [r8+58],ecx
  mov rcx,[rbp-000000B8]
  jmp return
and then manually add an address like this:

Activate the script and then it should point to the shield value.
 
Apr 2, 2017
#3
Thank you for the response :)

I tried what you suggested, but sadly it only seems to work partially.
This is the code of the script now:
Code:
[ENABLE]
aobscan(tits_shield,41 89 48 5C 48 8B 8D 48 FF FF FF)
alloc(newmem,$100)

label(code)
label(return)
label(shield_ptr)
registersymbol(shield_ptr)

newmem:
shield_ptr:
dd 0

code:
  mov [shield_ptr],r8
  mov [r8+58],ecx
  mov rcx,[rbp-000000B8]
  jmp return

return:

[DISABLE]
dealloc(newmem)
unregistersymbol(shield_ptr)
But the pointer with shield_ptr+58 points to this address:
2504894C00000058
While the shield address is located here:
34CE53578AC

Did I perhaps do something wrong?
 

Squall8

Mar 3, 2017
#4
Code:
[ENABLE]
aobscan(tits_shield,41 89 48 5C 48 8B 8D 48 FF FF FF)
alloc(newmem,$100)

label(code)
label(return)
label(shield_ptr)
registersymbol(shield_ptr)
registersymbol(tits_shield)

newmem:
  mov [shield_ptr],r8

code:
  mov [r8+58],ecx
  mov rcx,[rbp-000000B8]
  jmp return
  
shield_ptr:
  dq 0

tits_shield:
  //let cheat engine build the template (AOB Injection) for you to get the correct amount of nops here..
return:

[DISABLE]
dealloc(newmem)
unregistersymbol(shield_ptr)
unregistersymbol(tits_shield)
 
Apr 2, 2017
#5
When I try to add your code, it always tells me "Not all code is injectable."
No further error or anything.

The number of nops that CE gives me with AOB Injection is this:
Code:
  jmp newmem
  nop
  nop
  nop
  nop
  nop
  nop
 

Squall8

Mar 3, 2017
#6
It shouldn't throw any error codes. Did it give you an "Error at line: XX" message? If you let CE build the script for you and add the required lines from the script above it should work just fine. Paste an unmodified AOB Injection template here for the instruction you found.
 
Apr 2, 2017
#7
Sorry, you were right. The error was on my part.
I edited your code into a template, and I could add it.

I can activate it, but it points somewhere else.
The shield_ptr+58 pointer gets address 000000058.

These are the results of the addresses:


This would be the template from CE, unaltered:
Code:
aobscan(tits_shield,41 89 48 5C 48 8B 8D 48 FF FF FF) // should be unique
alloc(newmem,$1000,3E91E82F817)

label(code)
label(return)

newmem:

code:
  mov [r8+5C],ecx
  mov rcx,[rbp-000000B8]
  jmp return

tits_shield:
  jmp newmem
  nop
  nop
  nop
  nop
  nop
  nop
return:
registersymbol(tits_shield)

[DISABLE]

tits_shield:
  db 41 89 48 5C 48 8B 8D 48 FF FF FF

unregistersymbol(tits_shield)
dealloc(newmem)
This is currently the latest one that I have changed:
Code:
aobscan(tits_shield,41 89 48 5C 48 8B 8D 48 FF FF FF)
alloc(newmem,$100)

label(code)
label(return)
label(shield_ptr)
registersymbol(shield_ptr)


newmem:
  mov [shield_ptr],r8
code:
  mov [r8+58],ecx
  mov rcx,[rbp-000000B8]
  jmp return

shield_ptr:
  dq 0

tits_shield:

return:
registersymbol(tits_shield)

[DISABLE]

dealloc(newmem)
unregistersymbol(shield_ptr)
unregistersymbol(tits_shield)
Sorry again if I don't seem to get it, but this is all quite alien to me :(
 

Squall8

Mar 3, 2017
#8
Your script needs to have this:
Code:
  jmp newmem
  nop
  nop
  nop
  nop
  nop
  nop
return:

[DISABLE]

tits_shield:
  db 41 89 48 5C 48 8B 8D 48 FF FF FF
Don't take those out of the script.
Also why did you change [r8+5C],ecx to +58? You debugged on current shield value right?
And if you want the pointer to update you'll need to decrease your shield value in game. Get hit or something.
 
Apr 2, 2017
#9
you'll need to decrease your shield value in game. Get hit or something
That was the thing I did not do.
Thank you so much, it finally works now :)

Really appreciate the help!
 

Rudo

Apr 6, 2017
#10
Oh yeah, I was wrong using dd lol, it should have been dq, and it should have been placed after code, too.
Ah well it seems you got the problem solved :lol: (thanks, squall8)
 

Squall8

Mar 3, 2017
#11
Rudo said:
Oh yeah I was wrong using dd lol, should have been used dq and it should have been placed after code, too.
Ah well it seems you got the problem solved :lol: (thanks, squall8)
No worries. Actually dd/dq/etc. can be placed anywhere outside the newmem/code lines.
 

Squall8

Mar 3, 2017
#12
^^ Yep. I'll only move registersymbol if I'm combining scripts just to keep it organized.
I also forgot to mention: if you want your pointers to populate immediately after you enable your script, find an instruction that is constantly being accessed.
 
Apr 2, 2017
#13
SunBeam said:
..or create a thread that does it for ya ;)
Just out of healthy interest in learning, how would I do that?
Squall8 said:
I also forgot to mention: if you want your pointers to populate immediately after you enable your script, find an instruction that is constantly being accessed.
I wanted to do that, but the instruction in the posts above is the only one that I found for the actual value.
Other instructions just point towards the visual value, which is nowhere near the actual value.
 

Squall8

Mar 3, 2017
#14
ArchAngelRC said:
I wanted to do that, but the instruction in the posts above is the only one that I found for the actual value.
Other instructions just point towards the visual value, which is nowhere near the actual value.
Is the instruction shared? If so, filter out the addresses you don't want.
SunBeam said:
..or create a thread that does it for ya ;)
I'm also a bit curious about this. I've used it on simple pointers before, but I wasn't sure if it was possible to hook it on to an instruction. And if you could, wouldn't the instruction still have to execute in order for your pointers to update?
 