Problem with a script, cannot find a correct function in Memory View, cheat engine

marek1957

Expert Cheater
Dec 16, 2017
81
0
6
#1
Hello People,
First of all, thank you all for your mega support and for helping me by explaining a lot of functions.

I have a problem with my script: when it is activated, it affects a lot of sectors in the game which I don't want to change. How do I separate my script from these functions?

I was trying to hack the Asphalt 8 game; I tried to reconstruct this hack: https://youtu.be/TekwxFihBCY

I already found that when the car is wrecked/damaged, the value is 1, and when the car is "new" the value is 0 (4-byte search).
Also when the "screen" is broken, value is 1, and when the "screen" is not-broken, value is 0.

I made a script for "damaged cars" in Asphalt 8, here is my script:
Code:
[ENABLE]
//DAMAGED CAR - SCRIPT BELOW
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem:
originalcode:
mov byte ptr [ecx+000001BB],00

exit:
jmp returnhere

"Asphalt8.exe"+A9E634:
jmp newmem
nop
nop
returnhere:

//NO BROKEN SCREEN - SCRIPT BELOW
alloc(newmem2,2048)
label(returnhere2)
label(originalcode2)
label(exit2)

newmem2:
originalcode2:
mov [esi+00000358],00

exit2:
jmp returnhere2

"Asphalt8.exe"+1E583F:
jmp newmem2
nop
returnhere2:
 
[DISABLE]
//DAMAGED CAR - SCRIPT BELOW
dealloc(newmem)
"Asphalt8.exe"+A9E634:
cmp byte ptr [ecx+000001BB],01
//Alt: db 80 B9 BB 01 00 00 00

//NO BROKEN SCREEN - SCRIPT BELOW
dealloc(newmem2)
"Asphalt8.exe"+1E583F:
db 38 86 58 03 00 00 74 7F A1 F4 71 B3 01 38 98 48 02 00 00 74 72 39 9E 5C 03 00 00 75 6A 68 FC 00 00 00 E8 EA 29 A9 00 8B F8 83 C4 04 89 7D E8 89 5D FC 85 FF 74 3C 68 FC 00 00 00 53 57 E8 17 00 10 01 83 C4 0C 89 5D F0
//Alt: db 38 9E 58 03 00 00
My script works when activated but... it also affects:
- camera view
- gravity (it changes)
- some black-cloud effects appear and sometimes the text WRECKED appears

How can I separate the above-mentioned things so that they do not activate with my script?

Please, check the following video so that you know exactly what I am talking about:
https://streamable.com/oqfzm

I am waiting for your answers or suggestions,
Best Regards,
Marek
 

TheyCallMeTim13

Wiki Monster
Talents
Fearless Donors
Mar 3, 2017
407
44
28
#2
Well, first you inject a single instruction when enabling the "NO BROKEN SCREEN", then inject a lot more when disabling; this makes no sense, at least without context.

Why write all this when disabling:
Code:
38 86 58 03 00 00 74 7F A1 F4 71 B3 01 38 98 48 02 00 00 74 72 39 9E 5C 03 00 00 75 6A 68 FC 00 00 00 E8 EA 29 A9 00 8B F8 83 C4 04 89 7D E8 89 5D FC 85 FF 74 3C 68 FC 00 00 00 53 57 E8 17 00 10 01 83 C4 0C 89 5D F0
and it doesn't match the original code from "Alt":
Code:
38 9E 58 03 00 00
Other than that, it's what's called a shared opcode; step 9 in the Cheat Engine tutorial deals with this kind of thing, I would start there.

But that is the best I can do with so little information.
 

sbryzl

Expert Cheater
Mar 4, 2017
97
4
8
#3
Also, these all look like byte pointer instructions, so your replacement instruction should likely reference a byte pointer.
Code:
newmem2:
originalcode2:
mov byte ptr [esi+00000358],00
And since the instructions being replaced are compares, are you certain the address is not accessed between the time the game writes to it and the time your replacement instruction writes to it?
 

marek1957

Expert Cheater
Dec 16, 2017
81
0
6
#4
And since these instructions being replaced are compares are you certain the address is not accessed between the time the game writes to it and the time your replacement instruction writes to it?
Yes, that's true.

SBRYZL, can you help me separate the things I mentioned in my first post from my script? Because I don't have any idea how to do that...
 

sbryzl

Expert Cheater
Mar 4, 2017
97
4
8
#5
marek1957 said:
SBRYZL, can you help me separate the things I mentioned in my first post from my script? Because I don't have any idea how to do that...
I don't know what's working for you and what's not and I don't have the game. If using a byte pointer doesn't fix it then it's probably a shared opcode as Tim13 said.
 

Blayde

Expert Cheater
Aug 25, 2017
220
1
16
#6
sbryzl said:
Also, these all look like byte pointer instructions, so your replacement instruction should likely reference a byte pointer.
Yeah, indeed.
"mov byte ptr [esi+00000358],00" = "mov [esi+00000358],0"
Use brain.exe.

Don't try to help if you can not.

@marek1957
1: You must check whether the opcode you found is used only for damage or is shared.
2: In the DISABLE section you must use/write the original opcode/instruction:
"Asphalt8.exe"+1E583F:
This is not the original instruction/opcode: db 38 86 58 03 00 00 74 7F A1 F4 71 B3 01 38 98 48 02 00 00 74 72 39 9E 5C 03 00 00 75 6A 68 FC 00 00 00 E8 EA 29 A9 00 8B F8 83 C4 04 89 7D E8 89 5D FC 85 FF 74 3C 68 FC 00 00 00 53 57 E8 17 00 10 01 83 C4 0C 89 5D F0

PS:
PM me if you need help.
 

sbryzl

Expert Cheater
Mar 4, 2017
97
4
8
#7
Blayde said:
sbryzl said:
Also, these all look like byte pointer instructions, so your replacement instruction should likely reference a byte pointer.
Yeah, indeed.
"mov byte ptr [esi+00000358],00" = "mov [esi+00000358],0"
Use brain.exe.

Don't try to help if you can not.
Try to take your own advice instead of giving it to others.

mov [esi+00000358],0

in 32 bit mode becomes

mov dword ptr [esi+00000358],00000000
 

Blayde

Expert Cheater
Aug 25, 2017
220
1
16
#8
sbryzl said:
in 32 bit mode becomes

mov dword ptr [esi+00000358],00000000
Asm is smart enough to understand the instructions.
You don't need this: dword ptr, byte ptr, etc.

Can you help me :?: :?: :?:
00000000=32 bit
0000000000000000=64 bit
Am I right?
 

sbryzl

Expert Cheater
Mar 4, 2017
97
4
8
#9
Blayde said:
sbryzl said:
in 32 bit mode becomes

mov dword ptr [esi+00000358],00000000
Asm is smart enough to understand the instructions.
You don't need this: dword ptr, byte ptr, etc.

Can you help me :?: :?: :?:
00000000=32 bit
0000000000000000=64 bit
Am I right?
Try this script for a visual of what happens.
Code:
[ENABLE]
 alloc(BytPtrNotSpecified,500)
 registersymbol(BytPtrNotSpecified)

 BytPtrNotSpecified:
mov [esi+00000358],0
mov byte ptr [esi+00000358],0
mov word ptr [esi+00000358],0
mov dword ptr [esi+00000358],0
mov qword ptr [esi+00000358],0


[DISABLE]
 dealloc(BytPtrNotSpecified)
 unregistersymbol(BytPtrNotSpecified)
 

Blayde

Expert Cheater
Aug 25, 2017
220
1
16
#10
mov qword ptr [esi+00000358],0 - Invalid
qword is 64bit


I mean that if:
mov dword ptr [esi+00000358],0 - is the original opcode
and you want to change it to something like: mov dword ptr [esi+00000358],1
You just write: mov [esi+358],1 (dword not needed).
Capish?

Edit:
Can you tell me the result of this:
fild [eax+10]
fstp st(0)
fstp [eax+10]

Edit 2:
You do not need to say what size of data you're gonna move.
If I give you an arbitrary number, there is no way for you to tell me what type of data it is or what platform it originates on.
99 can be represented in a BYTE, WORD, DWORD, QWORD, float, double, and a long double.
What the data means to you does not matter to the assembler, just how you want to use it.
 

sbryzl

Expert Cheater
Mar 4, 2017
97
4
8
#11
The issue was how to produce a byte pointer. You need to specify a byte pointer if that's what it is.
 

Blayde

Expert Cheater
Aug 25, 2017
220
1
16
#12
sbryzl said:
The issue was how to produce a byte pointer. You need to specify a byte pointer if that's what it is.
NVM.
Btw, the issue is a bad/not working (as expected) script.
 

sbryzl

Expert Cheater
Mar 4, 2017
97
4
8
#13
If you are attached to a 32-bit process then use some common sense and comment out the qword instruction.
Code:
[ENABLE]
 alloc(BytPtrNotSpecified,500)
 registersymbol(BytPtrNotSpecified)

 BytPtrNotSpecified:
mov [esi+00000358],0
mov byte ptr [esi+00000358],0
mov word ptr [esi+00000358],0
mov dword ptr [esi+00000358],0
//mov qword ptr [esi+00000358],0


[DISABLE]
 dealloc(BytPtrNotSpecified)
 unregistersymbol(BytPtrNotSpecified)
 

TheyCallMeTim13

Wiki Monster
Talents
Fearless Donors
Mar 3, 2017
407
44
28
#14
Code:
 Size of data is inferred based on the source or destination register
 mov rax, [L] ; loads 64 bits
 mov eax, [L] ; loads 32 bits
 mov al, [L] ; loads 8 bits
 mov [L], rax ; stores 64 bits
 mov [L], eax ; stores 32 bits
 mov [L], ax ; stores 16 bits
When no register is given, the process default is used, so a 64-bit process gets 64 bits and a 32-bit process gets 32 bits.

This PDF will lay it out for you:
Code:
http://courses.ics.hawaii.edu/ReviewICS312/morea/DataSizeAndArithmetic/ics312_datasize.pdf
 

TheyCallMeTim13

Wiki Monster
Talents
Fearless Donors
Mar 3, 2017
407
44
28
#15
sbryzl said:
If you are attached to a 32bit process then use some common sense and comment the qword instruction.
And dude, I mean, come on. Read up.
sbryzl is correct.
 

Blayde

Expert Cheater
Aug 25, 2017
220
1
16
#16
TheyCallMeTim13 said:
I'm fine, thanks.
Why does the asm put this: dword ptr, when an x64 reg is in use?

QQ-Can you tell me what this means:
fild [eax+10]
fstp st(0)
fstp [eax+10]

I mean come on. ;)
Peace

 

TheyCallMeTim13

Wiki Monster
Talents
Fearless Donors
Mar 3, 2017
407
44
28
#17
Blayde said:
TheyCallMeTim13 said:
I'm fine, thanks.
Why does the asm put this: dword ptr, when an x64 reg is in use?

QQ-Can you tell me what this means:
fild [eax+10]
fstp st(0)
fstp [eax+10]

I mean come on. ;)
Peace

First off, you're comparing a memory address with an immediate; you don't declare a source or destination register. So there is no 64-bit register in use.

Second, just read up.
Code:
DF /0	FILD m16int	Valid	Valid	Push m16int onto the FPU register stack.
DB /0	FILD m32int	Valid	Valid	Push m32int onto the FPU register stack.
DF /5	FILD m64int	Valid	Valid	Push m64int onto the FPU register stack.

D9 /2	FST m32fp	Valid	Valid	Copy ST(0) to m32fp.
DD /2	FST m64fp	Valid	Valid	Copy ST(0) to m64fp.
DD D0+i	FST ST(i)	Valid	Valid	Copy ST(0) to ST(i).
D9 /3	FSTP m32fp	Valid	Valid	Copy ST(0) to m32fp and pop register stack.
DD /3	FSTP m64fp	Valid	Valid	Copy ST(0) to m64fp and pop register stack.
DB /7	FSTP m80fp	Valid	Valid	Copy ST(0) to m80fp and pop register stack.
DD D8+i	FSTP ST(i)	Valid	Valid	Copy ST(0) to ST(i) and pop register stack.
And some more on the compare:
CMP r/m32,imm32
CMP r/m64,imm32
https://c9x.me/x86/html/file_module_x86_id_35.html
http://www.felixcloutier.com/x86/CMP.html

This means it only works on a 32-bit immediate; try some instructions that actually work on 64 bits, like what sbryzl showed you.
Code:
mov qword ptr [rax],0
mov dword ptr [rax],0
mov word ptr [rax],0
mov byte ptr [rax],0
Code:
memTest - 48 C7 00 00000000     - mov [rax],00000000 { 0 }
030E0047- C7 00 00000000        - mov [rax],00000000 { 0 }
030E004D- 66 C7 00 0000         - mov word ptr [rax],0000 { 0 }
030E0052- C6 00 00              - mov byte ptr [rax],00 { 0 }
030E0055- C3                    - ret
Here the 48 tells it that this is a qword instruction:
Code:
48 c7 00 00 00 00 00    mov    QWORD PTR [rax],0x0
Just like "mov [player_base],rbx" in your picture. Note that the instruction before it has no 48 because it is working on a DWORD. Cheat Engine doesn't draw either because they are implied.
Better to Remain Silent and Be Thought a Fool than to Speak and Remove All Doubt
- Abraham Lincoln
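An added example, my own and not code from any poster in this thread: a small Python encoder for `mov [base+disp], imm` in the four operand sizes, which reproduces the byte patterns TheyCallMeTim13 dumped above (C6 vs C7, the 66 prefix, the 48 REX.W prefix) and shows why the unsized form sbryzl objected to writes four bytes rather than one. It also adds two checks on a jmp-hook's bytes: how many nops the 5-byte jmp needs, and whether a [DISABLE] restore matches the original bytes. The `RM` table, the helper names and the register-name handling are my constructions; the test vectors are bytes quoted in this thread.

```python
# Added example, not from any poster: the operand size of "mov [mem], imm" is
# part of the machine encoding (opcode C6 vs C7, 66 and REX.W 48 prefixes), so
# an unsized mov writes 4 bytes, not 1. Also two checks on a jmp-hook's bytes.

# ModRM r/m field for base registers, keyed by the suffix of eax/rax, esi/rsi...
# (sp and bp need SIB / disp8 forms and are deliberately left out).
RM = {"ax": 0, "cx": 1, "dx": 2, "bx": 3, "si": 6, "di": 7}

JMP_REL32_LEN = 5  # E9 rel32, what Cheat Engine's `jmp newmem` assembles to

def mov_mem_imm(base, disp, imm, size=None, mode=32):
    """Encode `mov <size> ptr [base+disp], imm`. size is the operand width in
    bytes (1, 2, 4, 8); None mimics an assembler given no size keyword, which
    picks dword. Use e*x names in 32-bit mode and r*x names in 64-bit mode."""
    size = size or 4
    if size == 8 and mode != 64:
        raise ValueError("qword ptr needs the REX.W prefix: 64-bit mode only")
    prefix = {2: b"\x66", 8: b"\x48"}.get(size, b"")   # 16-bit override / REX.W
    opcode = b"\xc6" if size == 1 else b"\xc7"          # C6 /0 imm8, C7 /0 imm16/32
    rm = RM[base[1:]]                                   # "esi" / "rsi" -> "si"
    if disp == 0:
        modrm, disp_bytes = bytes([rm]), b""            # mod=00: [base]
    else:                                               # mod=10, reg=/0: [base+disp32]
        modrm = bytes([0x80 | rm])
        disp_bytes = (disp & 0xFFFFFFFF).to_bytes(4, "little")
    width = min(size, 4)                                # qword takes a sign-extended imm32
    imm_bytes = (imm & ((1 << 8 * width) - 1)).to_bytes(width, "little")
    return prefix + opcode + modrm + disp_bytes + imm_bytes

def nops_after_jmp(original):
    """nops a 5-byte jmp hook needs so the following instruction boundary is
    kept; raises if the overwritten instruction is too short to hold the jmp."""
    if len(original) < JMP_REL32_LEN:
        raise ValueError("need at least 5 bytes of whole instructions")
    return len(original) - JMP_REL32_LEN

def restore_matches(original, restore):
    """A [DISABLE] section must write back exactly what the hook overwrote."""
    return bytes(restore) == bytes(original)

if __name__ == "__main__":
    for size in (None, 1, 2, 4):
        print(size, mov_mem_imm("esi", 0x358, 0, size).hex(" "))
    # Test vectors: the thread's "Alt:" bytes vs. the start of its long db line.
    alt = bytes.fromhex("38 9E 58 03 00 00")
    print(nops_after_jmp(alt), restore_matches(alt, bytes.fromhex("38 86 58 03 00 00")))
```

Comparing the unsized and `byte ptr` encodings for `[esi+358]` shows three extra bytes of immediate in the unsized form, which is the neighbouring memory that gets overwritten.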
 

Blayde

Expert Cheater
Aug 25, 2017
220
1
16
#18
TheyCallMeTim13 said:
:lol: Gotcha :lol:
This was just a joke.
------------------------
fild [eax+10]
fstp st(0)
Means nothing. Just load and trash.
 

TheyCallMeTim13

Wiki Monster
Talents
Fearless Donors
Mar 3, 2017
407
44
28
#19
This:
Code:
fild [eax+10]
fstp st(0)
fstp [eax+10]
Is not the same as this:
Code:
fild [eax+10]
fstp st(0)
 

Blayde

Expert Cheater
Aug 25, 2017
220
1
16
#20
TheyCallMeTim13 said:
This:
Code:
fild [eax+10]
fstp st(0)
fstp [eax+10]
Is not the same as this:
Code:
fild [eax+10]
fstp st(0)

fild [eax+10]
fstp st(0)
means nothing
so...fstp [eax+10] is only valid/usable
 