Resetting a value after disabling script

Fruitpunch

What is cheating?
Sep 9, 2017
#1
Hello,

I have a script which works per se but I am changing a value in an address where nothing writes. I need to reset the value when the script is disabled. Is there a simple way to do this?

I'd prefer the solution is in Assembly and does not involve aobscan unless there is no other way.
 

TheyCallMeTim13

I... am an enchanter.
Talents
Fearless Donors
Mar 3, 2017
#2
Code:
...
valueAddress:
    dd (int)100
...
Maybe readMem would do it, hard to say with no code posted.
Code:
[Enable]
...
storedValueAddress:
    readMem(valueAddress, 4)
...
[Disable]
...
valueAddress:
    readMem(storedValueAddress, 4)
...
 

FreeER

RCE Fanatics
Talents
Mar 10, 2017
#3
That depends on how the script works. If you have a static address or pointer, then you can use the method TheyCallMeTim13 showed; if you have to hook code to get the address, then you could have that hook write the address to memory that you could access later when you disable it. If you've created a thread/timer to constantly write to it (unlikely since you said nothing else writes to it), then you'd probably need to modify that to reset the value when it stops.
 

Fruitpunch

What is cheating?
Sep 9, 2017
#4
Thanks for the input.

Yeah, I already stumbled upon readMem, but since the examples have been just so, I have not been able to understand how to write one correctly.

Is this anywhere near what it should be?
Code:
[ENABLE]
alloc(newmem,2048)
alloc(storedvalue, 4)
alloc(originalvalue, 4)
label(returnhere)
label(originalcode)
label(exit)

newmem:
mov [r14],(float)1

originalcode:
comiss xmm6,[r14]

exit:
jmp returnhere

originalvalue:
dd (float)1.4

storedvalue:
readMem(originalvalue, 4)

[DISABLE]
dealloc(newmem)
dealloc(storedvalue)
dealloc(originalvalue)
readMem(storedvalue, 4)
 

TheyCallMeTim13

I... am an enchanter.
Talents
Fearless Donors
Mar 3, 2017
#5
You have the "newmem" with code but no injection point. If you are only reading and writing to an address that is static or pulled from some other script, then it could work. But with that code and the "newmem", it looks like you're trying to inject.

Without knowing the injection point, this is the best I can figure:
Code:
[ENABLE]
alloc(newmem,2048)

alloc(storedvalue, 4)
registerSymbol(storedvalue) // must be unique

label(returnhere)
label(originalcode)
label(exit)


newmem:
	mov [r14],(float)1
	originalcode:
		comiss xmm6,[r14]
	exit:
		jmp returnhere


storedvalue:
	readMem({ Address or AOB Symbol of the original value}, 4)


some_injection_point:
	jmp newmem
	//any needed nops
	returnhere:


[DISABLE]
some_injection_point:
	db { original bytes }

{ Address or AOB Symbol of the original value}:
	readMem(storedvalue, 4)

dealloc(newmem)
dealloc(storedvalue)

unregisterSymbol(storedvalue)

But the "some_injection_point" needs to be an address or you will need to set up an AOB and register the symbol.
Code:
aobScanModule(some_injection_point, GAME.exe, F3xxxxxxxxxxxxxxF3xxxxxxxxD9xxxxF3xxxxxxxx0F2F)
registerSymbol(some_injection_point) // must be unique
Code:
[ENABLE]
aobScanModule(some_injection_point, GAME.exe, { injection point AOB })
registerSymbol(some_injection_point) // must be unique
alloc(newmem,2048)

alloc(storedvalue, 4)
registerSymbol(storedvalue) // must be unique

label(returnhere)
label(originalcode)
label(exit)


newmem:
	mov [r14],(float)1
	originalcode:
		comiss xmm6,[r14]
	exit:
		jmp returnhere


storedvalue:
	readMem({ Address or AOB Symbol of the original value}, 4)


some_injection_point:
	jmp newmem
	//any needed nops
	returnhere:


[DISABLE]
some_injection_point:
	db { original bytes }

{ Address or AOB Symbol of the original value}:
	readMem(storedvalue, 4)

dealloc(newmem)
dealloc(storedvalue)

unregisterSymbol(storedvalue)
unregisterSymbol(some_injection_point)
If you are trying to inject, then go to the memory view form, select some code with the injection point in the middle, press Ctrl+C, click OK on the prompt, then post that in a Code Block (</>) and mark the injection point in an understandable way; then people can help a little better.

But this is a trial and error process so just keep trying.

There are some new tutorials on the Cheat Engine Wiki also.
Tutorials
Creating a cheat table - Full guide
 

Fruitpunch

What is cheating?
Sep 9, 2017
#6
Sorry, I left out too much.

The injection is done at the same point where I am doing the modification.
I'm having trouble getting the right address in the readMem, and no, the address is not static.

Can't use another script because there doesn't seem to be other instructions accessing this address.
Code:
[ENABLE]
alloc(newmem,2048,"something.exe"+5000000)
alloc(storedvalue, 4)
registersymbol(storedvalue)
label(returnhere)
label(originalcode)
label(exit)

newmem:
mov [r14],(float)1

originalcode:
comiss xmm6,[r14]

exit:
jmp returnhere

storedvalue:
readMem(xxxx,4) //if I have understood correctly xxxx should be replaced with the address that is stored in r14


"something.exe"+5000000:
jmp newmem
nop
nop
nop
returnhere:

[DISABLE]
dealloc(newmem)
dealloc(storedvalue)
readMem(storedvalue,4)
"something.exe"+5000000:
comiss xmm6,[r14]
//Alt: db 41 23 7B B6 6E 03 00 00

unregistersymbol(storedvalue)
 

TheyCallMeTim13

I... am an enchanter.
Talents
Fearless Donors
Mar 3, 2017
#7
In that case, I would try to find where the R14 registry is written; I'd bet there is a base with an offset, and R14 is calculated with those.

EDIT: Then just inject there and store the base for later use, and you may need to store the offset as well.
 

Fruitpunch

What is cheating?
Sep 9, 2017
#8
Let me get this straight, so I get the address of R14 when I enable the script but there is no way to write to this address in the disable part?

I mean, I don't really need to go to the trouble of finding the address beforehand just to get the original value because it's static as mentioned earlier.
 

jungletek

Reality Bytes
Staff member
Shogun
Oct 17, 2017
#9
Fruitpunch said:
Let me get this straight, so I get the address of R14 when I enable the script but there is no way to write to this address in the disable part?

I mean, I don't really need to go to the trouble of finding the address beforehand just to get the original value because it's static as mentioned earlier.
You don't have it straight. To write to an arbitrary address, use the syntax:
Code:
address:
  db 90 90 90
or:
Code:
address:
  mov r14,#999
where 'address' is the address you're trying to write to; it can be a hex address, a label name, etc. The first is writing direct byte values (NOPs in this case); the second is using instructions that get converted to the same thing (moving 999 to r14).
 

TheyCallMeTim13

I... am an enchanter.
Talents
Fearless Donors
Mar 3, 2017
#10
Not sure if I am understanding correctly but this may be what you are looking for.
Code:
[ENABLE]
alloc(newmem,2048,"something.exe"+5000000)

globalAlloc(storedvalue, 16) // must be unique symbol; +0 holds the address from r14 (8 bytes), +8 holds the original value

label(returnhere)
label(originalcode)
label(exit)

newmem:
	mov [storedvalue],r14 // store the address held in r14 for later
	cmp dword ptr [storedvalue+8],0
	jne @f
	push rax
	mov eax,[r14]
	mov [storedvalue+8],eax // store the original value only the first time
	pop rax
@@:
	mov [r14],(float)1 // write the new value to the address

originalcode:
	comiss xmm6,[r14]

exit:
	jmp returnhere


"something.exe"+5000000:
	jmp newmem
	nop
	nop
	nop
returnhere:

[DISABLE]
"something.exe"+5000000:
	comiss xmm6,[r14]
	//Alt: db 41 23 7B B6 6E 03 00 00

dealloc(newmem) // deallocate after restoring the original bytes so a thread doesn't get lost in unallocated memory

luaCall(writeFloat('[storedvalue]', readFloat('storedvalue+8'))) // restore the original value
EDIT: This will only work if the original value is not zero.
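To make the save/restore logic of the script above easy to step through outside Cheat Engine, here is the same idea modelled in plain C. This is an added example, not code from the thread and not Cheat Engine's own API: a constructed float cell stands in for the game value at [r14], and hook_state, FORCED_VALUE and the function names are this example's own. It shows two things the script relies on: keeping the captured address and the original value in separate fields (so an 8-byte register store cannot overwrite the 4-byte saved value), and why the "stored original == 0" test from the EDIT fails when the genuine original is 0.0, compared with an explicit "captured" flag.

```c
/* Added example (not code from the thread): models the first-hit capture and
 * the disable-time restore of the hook script in plain C. The "game value" is a
 * constructed float cell standing in for [r14]; nothing here touches another process. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define FORCED_VALUE 1.0f   /* the (float)1 the script writes into [r14] */

/* State kept in the script's storage block (globalAlloc(storedvalue,...) in the
 * thread). Separate fields avoid the overlap you get when an 8-byte register
 * store and a 4-byte saved value share one small buffer. */
typedef struct {
    float *target;    /* address seen in r14, refreshed on every hit */
    float  original;  /* value found at target before the first overwrite */
    bool   captured;  /* explicit flag: a genuine 0.0 original is still restorable */
} hook_state;

/* Hook body with an explicit "captured" flag (runs on every pass of the hooked instruction). */
static void hook_hit_flag(hook_state *s, float *r14)
{
    s->target = r14;
    if (!s->captured) {          /* save the original only once */
        s->original = *r14;
        s->captured = true;
    }
    *r14 = FORCED_VALUE;         /* mov [r14],(float)1 */
}

/* Hook body that uses "stored original == 0" as the not-yet-saved test,
 * as the script in the thread does (cmp [storedvalue+8],0 / jne @f). */
static void hook_hit_sentinel(hook_state *s, float *r14)
{
    s->target = r14;
    if (s->original == 0.0f)     /* a real original of 0.0 looks exactly like "not saved yet" */
        s->original = *r14;
    *r14 = FORCED_VALUE;
}

/* [DISABLE] part: write the saved original back to the saved address. */
static bool hook_disable(hook_state *s)
{
    if (s->target == NULL)
        return false;            /* the hook never ran, nothing to restore */
    *s->target = s->original;
    return true;
}

/* Run one variant: `hits` passes through the hook, then disable; return what is
 * left in the game cell. A correct restore returns original_value unchanged. */
float run_flag_variant(float original_value, int hits)
{
    float cell = original_value;          /* constructed stand-in for the game's value */
    hook_state s = { NULL, 0.0f, false };
    for (int i = 0; i < hits; i++)
        hook_hit_flag(&s, &cell);
    hook_disable(&s);
    return cell;
}

float run_sentinel_variant(float original_value, int hits)
{
    float cell = original_value;
    hook_state s = { NULL, 0.0f, false };
    for (int i = 0; i < hits; i++)
        hook_hit_sentinel(&s, &cell);
    hook_disable(&s);
    return cell;
}

int main(void)
{
    printf("flag     variant, original 1.4: restored %.1f\n", run_flag_variant(1.4f, 3));
    printf("flag     variant, original 0.0: restored %.1f\n", run_flag_variant(0.0f, 3));
    printf("sentinel variant, original 1.4: restored %.1f\n", run_sentinel_variant(1.4f, 3));
    printf("sentinel variant, original 0.0: restored %.1f\n", run_sentinel_variant(0.0f, 3));
    return 0;
}
```

With an original of 1.4 both variants restore correctly. With an original of 0.0 the sentinel variant captures 0.0 on the first hit, sees "0 means unsaved" again on the second hit and overwrites the saved value with the forced 1.0, so disabling leaves 1.0 in the cell; the flag variant restores 0.0. That is the failure the EDIT in the post describes, and a separate flag (or a separate "saved" dword in the storage block) is the way around it.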
 

Blayde

Novice Cheater
Aug 25, 2017
#11
TheyCallMeTim13 said:
Not sure if I am understanding correctly but this may be what you are looking for.
Code:
[ENABLE]
alloc(newmem,2048,"something.exe"+5000000)

globalAlloc(storedvalue, 16) // must be unique symbol; +0 holds the address from r14 (8 bytes), +8 holds the original value

label(returnhere)
label(originalcode)
label(exit)

newmem:
	mov [storedvalue],r14 // store the address held in r14 for later
	cmp dword ptr [storedvalue+8],0
	jne @f
	push rax
	mov eax,[r14]
	mov [storedvalue+8],eax // store the original value only the first time
	pop rax
@@:
	mov [r14],(float)1 // write the new value to the address

originalcode:
	comiss xmm6,[r14]

exit:
	jmp returnhere


"something.exe"+5000000:
	jmp newmem
	nop
	nop
	nop
returnhere:

[DISABLE]
"something.exe"+5000000:
	comiss xmm6,[r14]
	//Alt: db 41 23 7B B6 6E 03 00 00

dealloc(newmem) // deallocate after restoring the original bytes so a thread doesn't get lost in unallocated memory

luaCall(writeFloat('[storedvalue]', readFloat('storedvalue+8'))) // restore the original value
EDIT: This will only work if the original value is not zero.
! comiss xmm6,[r14] !
Don't forget to push flags. Or use another (empty) reg. instead of r14
 

TheyCallMeTim13

I... am an enchanter.
Talents
Fearless Donors
Mar 3, 2017
#12
Blayde said:
TheyCallMeTim13 said:
Not sure if I am understanding correctly but this may be what you are looking for.
Code:
[ENABLE]
alloc(newmem,2048,"something.exe"+5000000)

globalAlloc(storedvalue, 16) // must be unique symbol; +0 holds the address from r14 (8 bytes), +8 holds the original value

label(returnhere)
label(originalcode)
label(exit)

newmem:
	mov [storedvalue],r14 // store the address held in r14 for later
	cmp dword ptr [storedvalue+8],0
	jne @f
	push rax
	mov eax,[r14]
	mov [storedvalue+8],eax // store the original value only the first time
	pop rax
@@:
	mov [r14],(float)1 // write the new value to the address

originalcode:
	comiss xmm6,[r14]

exit:
	jmp returnhere


"something.exe"+5000000:
	jmp newmem
	nop
	nop
	nop
returnhere:

[DISABLE]
"something.exe"+5000000:
	comiss xmm6,[r14]
	//Alt: db 41 23 7B B6 6E 03 00 00

dealloc(newmem) // deallocate after restoring the original bytes so a thread doesn't get lost in unallocated memory

luaCall(writeFloat('[storedvalue]', readFloat('storedvalue+8'))) // restore the original value
EDIT: This will only work if the original value is not zero.
! comiss xmm6,[r14] !
Don't forget to push flags. Or use another (empty) reg. instead of r14
Could you elaborate please? Not sure why you're saying this (no insults intended, just curious).
 

Blayde

Novice Cheater
Aug 25, 2017
#13
TheyCallMeTim13 said:
Could you elaborate please.
No problem if the author sends me a snapshot of the original assembly code.
And why he/she wants to change the "cmp opcode".
TheyCallMeTim13 said:
Not sure why you're saying this (no insults intended, just curious).
For "security" reasons it is better to save the flag(s).
 

TheyCallMeTim13

I... am an enchanter.
Talents
Fearless Donors
Mar 3, 2017
#14
Blayde said:
TheyCallMeTim13 said:
Could you elaborate please.
No problem if the author sends me a snapshot of the original assembly code.
And why he/she wants to change the "cmp opcode".
TheyCallMeTim13 said:
Not sure why you're saying this (no insults intended, just curious).
For "security" reasons it is better to save the flag(s).
Which compare is the concern?
Code:
cmp  [storedvalue+4],0
or
Code:
comiss xmm6,[r14]
My thinking was that the original compare would reset the flags. Am I understanding this wrong?

EDIT:
So cmp sets the CF, OF, SF, ZF, AF, and PF flags in the EFLAGS register according to the result.
And comiss sets the ZF, PF, and CF flags in the EFLAGS register according to the result.

So is it the OF, SF, and AF flags that are the concern?
 

Blayde

Novice Cheater
Aug 25, 2017
#15
Fruitpunch said:
....... there doesn't seem to be other instructions accessing this address.
Because it's only compare reg,mem.
TheyCallMeTim13 said:
.................
Keep it simple and stupid:

push r14
mov [r14],YourValue
comiss xmm6,[r14]
pop r14

Done.
 

TheyCallMeTim13

I... am an enchanter.
Talents
Fearless Donors
Mar 3, 2017
#16
Blayde said:
Keep it simple and stupid:

push r14
mov [r14],YourValue
comiss xmm6,[r14]
pop r14

Done.
But if r14 is the registry that holds the address for the game value, why push and pop it? I read that code and the push and pop seem to be pointless.

I read it like this:

push the r14 registry to the stack;
never write to the registry itself, but write to the address stored in the registry;
compare the value at the address stored in the registry to the xmm6 registry;
then pop the r14 registry from the stack.

So why the push and pop, and what about the flags in question?
 

Blayde

Novice Cheater
Aug 25, 2017
#17
TheyCallMeTim13 said:
I read that code and the push and pop seem to be pointless?
Try without push/pop and you'll see. :rolleyes:
TheyCallMeTim13 said:
..... what about the flags in question?
The question is:
Resetting a value after disabling script.

push r14
mov [r14],YourValue
comiss xmm6,[r14]
pop r14

The value is restored after cmp or disabling the script.
I cannot help without the original assembly code.
I'm done here. Peace
 

TheyCallMeTim13

I... am an enchanter.
Talents
Fearless Donors
Mar 3, 2017
#18
Blayde said:
TheyCallMeTim13 said:
I read that code and the push and pop seem to be pointless?
Try without push/pop and you'll see. :rolleyes:
TheyCallMeTim13 said:
..... what about the flags in question?
The question is:
Resetting a value after disabling script.

push r14
mov [r14],YourValue
comiss xmm6,[r14]
pop r14

The value is restored after cmp or disabling the script.
I cannot help without the original assembly code.
I'm done here. Peace
The pop will restore the registry but not the value at the address, and this will do nothing on disabling.

And I don't have the code; I was helping the OP. But this works fine without the push and pop; they do nothing in this case because r14 is never written to.

And you said to push the flags not me. So again what about the flags in question?
 

Blayde

Novice Cheater
Aug 25, 2017
#19
TheyCallMeTim13 said:
The pop will restore the registry but not the value at the address, and this will do nothing on disabling.
:eek: :eek: :eek:
I'll keep that in mind. Goodbye.
 

Fruitpunch

What is cheating?
Sep 9, 2017
#20
Code:
[ENABLE]
alloc(newmem,2048,"something.exe"+5000000)
globalAlloc(storedvalue, 8)
label(stored)
label(returnhere)
label(originalcode)
label(exit)

newmem:
	mov [storedvalue],(float)1.4
	cmp [storedvalue+4],0
	jne stored
	push eax
	mov eax,[r14]
	mov [storedvalue+4],eax
	pop eax
stored:
	mov [r14],(float)1

originalcode:
	comiss xmm6,[r14]

exit:
	jmp returnhere


"something.exe"+5000000:
	jmp newmem
	nop
	nop
	nop
returnhere:

[DISABLE]
dealloc(newmem)
"something.exe"+5000000:
	comiss xmm6,[r14]
	//Alt: db 41 23 7B B6 6E 03 00 00

luaCall(writeFloat('[storedvalue]', '[storedvalue+4]'))

Yeah, I think you understood quite right TheyCallMeTim13.

The code looked promising but unfortunately it doesn't work.
Look, if this is not simple to do then just say it and maybe I'll combine scripts to get it working the way I want.