Page 1 of 2
How to registersymbol?
Posted: Tue Nov 28, 2023 2:56 pm
by SilverRabbit90
The game is Carcassonne.
I tried to make a registersymbol but the line of code:
movsxd rdx,dword ptr [rsi+18]
it is inverted how do I make registersymbol in this case?
here's what I tried to do:
Code: Select all
{ Game : Carcassonne.exe
[ENABLE]
//aobscan(PointsA,48 63 56 18 48 8B C8 83 38 00 49 BB 40) // should be unique
assert(HUDScreen:OnPlayerScoreModified+62,48 63 56 18 48 8B C8 83 38 00 49 BB ?0) // should be unique
alloc(newmem,$1000,HUDScreen:OnPlayerScoreModified+62)
label(code)
label(return)
//alloc(setPoints,8)
label(setPoints)
registersymbol(setPoints)
newmem:
mov rdx,[setPoints]
code:
movsxd rdx,dword ptr [rsi+18]
mov rcx,rax
jmp return
setPoints:
dd (int)100
HUDScreen:OnPlayerScoreModified+62:
jmp newmem
nop 2
return:
//registersymbol(PointsA)
[DISABLE]
HUDScreen:OnPlayerScoreModified+62:
db 48 63 56 18 48 8B C8
unregistersymbol(*)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: HUDScreen:OnPlayerScoreModified+62
HUDScreen:OnPlayerScoreModified+37: 41 FF D3 - call r11
HUDScreen:OnPlayerScoreModified+3a: 85 C0 - test eax,eax
HUDScreen:OnPlayerScoreModified+3c: 0F 84 37 00 00 00 - je HUDScreen:OnPlayerScoreModified+79
HUDScreen:OnPlayerScoreModified+42: 49 8B 87 18 02 00 00 - mov rax,[r15+00000218]
HUDScreen:OnPlayerScoreModified+49: 48 8B C8 - mov rcx,rax
HUDScreen:OnPlayerScoreModified+4c: 48 8B D7 - mov rdx,rdi
HUDScreen:OnPlayerScoreModified+4f: 83 38 00 - cmp dword ptr [rax],00
HUDScreen:OnPlayerScoreModified+52: 49 BB A0 58 CE 26 61 02 00 00 - mov r11,System.Collections.Generic.Dictionary`2[TKey_REF,TValue_REF]:get_Item
HUDScreen:OnPlayerScoreModified+5c: 41 FF D3 - call r11
HUDScreen:OnPlayerScoreModified+5f: 83 3E 00 - cmp dword ptr [rsi],00
// ---------- INJECTING HERE ----------
HUDScreen:OnPlayerScoreModified+62: 48 63 56 18 - movsxd rdx,dword ptr [rsi+18]
// ---------- DONE INJECTING ----------
HUDScreen:OnPlayerScoreModified+66: 48 8B C8 - mov rcx,rax
HUDScreen:OnPlayerScoreModified+69: 83 38 00 - cmp dword ptr [rax],00
HUDScreen:OnPlayerScoreModified+6c: 49 BB 40 51 63 2D 61 02 00 00 - mov r11,HUDPlayer:SetPoints
HUDScreen:OnPlayerScoreModified+76: 41 FF D3 - call r11
HUDScreen:OnPlayerScoreModified+79: 48 8B 75 E8 - mov rsi,[rbp-18]
HUDScreen:OnPlayerScoreModified+7d: 48 8B 7D F0 - mov rdi,[rbp-10]
HUDScreen:OnPlayerScoreModified+81: 4C 8B 7D F8 - mov r15,[rbp-08]
HUDScreen:OnPlayerScoreModified+85: 48 8D 65 00 - lea rsp,[rbp+00]
HUDScreen:OnPlayerScoreModified+89: 5D - pop rbp
HUDScreen:OnPlayerScoreModified+8a: C3 - ret
}
Normally I do this:
Code: Select all
{ Game : Carcassonne.exe
[ENABLE]
//aobscan(PointsA,48 63 56 18 48 8B C8 83 38 00 49 BB 40) // should be unique
assert(HUDScreen:OnPlayerScoreModified+62,48 63 56 18 48 8B C8 83 38 00 49 BB ?0) // should be unique
alloc(newmem,$1000,HUDScreen:OnPlayerScoreModified+62)
label(code)
label(return)
label(setPoints)
registersymbol(setPoints)
newmem:
mov rdx,[setPoints]
code:
mov [rsi+18],rdx
//movsxd rdx,dword ptr [rsi+18]
mov rcx,rax
jmp return
setPoints:
dd (int)100
HUDScreen:OnPlayerScoreModified+62:
jmp newmem
nop 2
return:
//registersymbol(PointsA)
[DISABLE]
HUDScreen:OnPlayerScoreModified+62:
db 48 63 56 18 48 8B C8
unregistersymbol(*)
dealloc(newmem)
But in this game it doesn't work
thx
Re: How to registersymbol?
Posted: Tue Nov 28, 2023 3:27 pm
by BabyGroot
Re: How to registersymbol?
Posted: Tue Nov 28, 2023 4:32 pm
by SilverRabbit90
BabyGroot wrote: ↑Tue Nov 28, 2023 3:27 pm
Try this
With this method the registersymbol becomes a sort of pointer but, I wanted to do something a little bit more difficult.
I wanted to create two different scripts, activating the first one will show the pointer. Once the first is active you can activate the second which will set the Points to 100
Example:
First Script
Code: Select all
[ENABLE]
//aobscan(PointsA,48 63 56 18 48 8B C8 83 38 00 49 BB 40) // should be unique
assert(HUDScreen:OnPlayerScoreModified+62,48 63 56 18 48 8B C8 83 38 00 49 BB ?0) // should be unique
alloc(newmem,$1000,HUDScreen:OnPlayerScoreModified+62)
label(code)
label(return)
label(seePoints)
registersymbol(seePoints)
alloc(setPoints,8)
registersymbol(setPoints)
newmem:
mov [seePoints],rsi
mov rdx,[setPoints]
code:
mov [rsi+18],rdx
movsxd rdx,dword ptr [rsi+18]
mov rcx,rax
jmp return
seePoints:
HUDScreen:OnPlayerScoreModified+62:
jmp newmem
nop 2
return:
//registersymbol(PointsA)
[DISABLE]
HUDScreen:OnPlayerScoreModified+62:
db 48 63 56 18 48 8B C8
unregistersymbol(*)
dealloc(newmem)
Second Script
Code: Select all
[ENABLE]
setPoints:
dd (int)100
[DISABLE]
setPoints:
db 0
Re: How to registersymbol?
Posted: Tue Nov 28, 2023 4:43 pm
by BabyGroot
Do you want to enter 2 aob in 1 script?
Re: How to registersymbol?
Posted: Tue Nov 28, 2023 5:51 pm
by SilverRabbit90
BabyGroot wrote: ↑Tue Nov 28, 2023 4:43 pm
Do you want to enter 2 aob in 1 script?
As far as I know it is useless, the second script has no AoB, if you write "registersymbol" (in First script) you can continue the data in another script.
In the second script I set it to 5000 and it works, but if the second script is not active the points automatically set to 0.
I tried writing "label" instead of "alloc" but with label you have to write all the data in the first script if not the script doesn't work.
Re: How to registersymbol?
Posted: Mon Jan 01, 2024 7:29 pm
by VampTY
Hi,
There ->
viewtopic.php?t=19148 , i've posted on how to make working scripts with what you said you've wanted, read the info provided by me there.
There ->
viewtopic.php?t=10945 , just download the updated table from there, uploaded by me and look inside the script for
Player: Health, game's on
Unity, anyway that won't matter, just to get some idea!
Perhaps you'll get your answer, also i've downloaded some random version and i did only
turns/reward, one is with
movsxd and the other one is without, both with
alloc.Anyway works even if is
movzx or
movsd and more, this was for exemplification only.
Reward will need to be enabled after you've earned something, then earn again and the value will appear.
Turn will need to be activated after you'll use one
turn, then use another point and then you'll see the value.
Edited values will be updated next time you'll
earn points or
turn one tile.I hope it helps!
Re: How to registersymbol?
Posted: Tue Jan 02, 2024 8:55 am
by Paul44
^@SilverRabbit90: I haven't gone through all code/comments here, but since this is a x64 game:
********************** (something in those lines)
alloc(setPoints,4)
setPoints:
dd (int)100
newmem:
push r15 // or any reg you prefer
mov r15,setPoints
mov r15d,dword ptr [r15]
mov edx,r15d
// or: mov [rsi+18],r15d
pop r15
code:
// does not really make sense, unless you overwrite rsi+18
movsxd rdx,dword ptr [rsi+18]
mov rcx,rax
jmp return
**********************
Note: with "certain" x64 games, CE seems to get "confused" about injecting code; sometimes it works and sometimes it does not ?!
=> the "simplest" way to check: jump to your injection location, and then enable your script. Then just dis/re-enable a few times and see if opcode is still restored correctly... ?!
> happens only on win10+ OS
> which is why i've been progressively converting my - x64 - tables to 'jump far' instructions these days
Re: How to registersymbol?
Posted: Wed Jan 03, 2024 6:25 pm
by SilverRabbit90
Paul44 wrote: ↑Tue Jan 02, 2024 8:55 am
^@SilverRabbit90: I haven't gone through all code/comments here, but since this is a x64 game:
********************** (something in those lines)
alloc(setPoints,4)
setPoints:
dd (int)100
newmem:
push r15 // or any reg you prefer
mov r15,setPoints
mov r15d,dword ptr [r15]
mov edx,r15d
// or: mov [rsi+18],r15d
pop r15
code:
// does not really make sense, unless you overwrite rsi+18
movsxd rdx,dword ptr [rsi+18]
mov rcx,rax
jmp return
**********************
Note: with "certain" x64 games, CE seems to get "confused" about injecting code; sometimes it works and sometimes it does not ?!
=> the "simplest" way to check: jump to your injection location, and then enable your script. Then just dis/re-enable a few times and see if opcode is still restored correctly... ?!
> happens only on win10+ OS
> which is why i've been progressively converting my - x64 - tables to 'jump far' instructions these days
I tried with:
Code: Select all
[ENABLE]
//aobscan(PointsA,48 63 56 18 48 8B C8 83 38 00 49 BB 40) // should be unique
assert(HUDScreen:OnPlayerScoreModified+62,48 63 56 18 48 8B C8 83 38 00 49 BB ?0) // should be unique
alloc(newmem,$1000,HUDScreen:OnPlayerScoreModified+62)
alloc(setPoints,8)
unregistersymbol(setPoints)
label(code)
label(return)
newmem:
push r15
mov r15,setPoints
mov r15d,dword ptr [r15]
mov [rsi+18],r15d
pop r15
code:
movsxd rdx,dword ptr [rsi+18]
test rdx,rdx
mov rcx,rax
jmp return
setPoints:
dd(int)100
HUDScreen:OnPlayerScoreModified+62:
jmp newmem
nop 2
return:
//registersymbol(PointsA)
[DISABLE]
HUDScreen:OnPlayerScoreModified+62:
db 48 63 56 18 48 8B C8
unregistersymbol(*)
dealloc(newmem)
Everything works perfectly thanks a lot.
Re: How to registersymbol?
Posted: Wed Jan 03, 2024 6:47 pm
by Paul44
^ glad to hear it. and fyi: in 'GENERIC TUTORIALS' section I have posted a doc on how to implement a 'jump far' instruction. Evt you will have to tackle that one for sure...
Re: How to registersymbol?
Posted: Wed Jan 03, 2024 9:18 pm
by SilverRabbit90
Paul44 wrote: ↑Wed Jan 03, 2024 6:47 pm
^ glad to hear it. and fyi: in 'GENERIC TUTORIALS' section I have posted a doc on how to implement a 'jump far' instruction. Evt you will have to tackle that one for sure...
I state I have both Windows 10 and Windows 11, I generally use Windows 10 for Cheats.
For this specific game I used Windows 10, but trying to use cheats on Windows 11 they work without any problem.
I tried to make a "jump far" but the game blocks.
This is what I tried to do:
Code: Select all
[ENABLE]
aobscan(PointsTest,41 FF D3 85 C0 0F 84 37 00 00 00 49 8B 87 18 02 00 00 48 8B C8 48 8B D7 83 38 00 49 BB ?? ?? ?? ?? ?? ?? 00 00 41 FF D3 83 3E 00 48 63 56 18 48 8B C8 83 38 00 49 BB ?? ?? ?? ?? ?? ?? 00 00 41 FF D3 48 8B 75 E8 48 8B 7D F0 4C 8B 7D F8 48 8D 65 00 5D C3) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
mov [rsi+18],(int)100
code:
movsxd rdx,dword ptr [rsi+18]
mov rcx,rax
jmp return
PointsTest+2B:
jmp far newmem
nop 2
return:
registersymbol(PointsTest)
[DISABLE]
PointsTest+2B:
db 48 63 56 18 48 8B C8
unregistersymbol(PointsTest)
dealloc(newmem)
If I take away "far" from "jmp far newmem" the cheat works norlmally (also on Windows 11).
I think I need an example to understand...
Re: How to registersymbol?
Posted: Wed Jan 03, 2024 9:49 pm
by Eric
a jmp far is 14 bytes long so the code that gets relocated to the script needs to be longer as well, and disabling the script and restoring the bytes will require at least 14 bytes as well
Also, in cheat engine you can check as template 14 byte jmp and then generate the script, and it'll do most of the bytecounting for you
(or use the jmp1 instruction in 7.5 which is just 1 byte long)
Re: How to registersymbol?
Posted: Wed Jan 03, 2024 10:45 pm
by Tuuuup!
Eric wrote: ↑Wed Jan 03, 2024 9:49 pm
(or use the jmp1 instruction in 7.5 which is just 1 byte long)
Is that one of those hidden instructions that not a lot of people know about? And does it work when you have trouble allocation for jump and need to use jump 14 or different work around? Can't remember a game where I can test it.
I did a quick test what Eric posted about the
jmp1 in a different game.
Here is the last part of your code. It should work?
Code: Select all
//////////
PointsTest+2B:
jmp1 newmem // need to test this more. This is new for me to
nop 6 // Don't forget to adjust it when using jmp1
return:
registersymbol(PointsTest)
[DISABLE]
PointsTest+2B:
db 48 63 56 18 48 8B C8
unregistersymbol(PointsTest)
dealloc(newmem)
Re: How to registersymbol?
Posted: Thu Jan 04, 2024 2:12 am
by SilverRabbit90
Well thanks guys, now I think I understand.
I make a small guide for those like me who are still inexperienced.
Once you are in the "Memory Viewer" and clicked on "Tools"
after which "Auto Assemble" has opened to make the way in which "Jump" is used automatically to Cheat Engine, you have to click on " Template "
As you can see normally it is set on 5 bytes
Now from what I understand for Windows 11 it is better to set it on 14 bytes
Now if we create an AOB script, always clicking on "Template" and then on "Aob Injection" we give him a name and generous something like this:
Code: Select all
[ENABLE]
aobscan(TestA,48 63 56 18 48 8B C8 83 38 00 49 BB 4A 27 E7 E2 6D 01 00 00) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
movsxd rdx,dword ptr [rsi+18]
mov rcx,rax
cmp dword ptr [rax],00
mov r11,0000016DE2E7274A
jmp return
TestA:
jmp far newmem
nop 6
return:
registersymbol(TestA)
[DISABLE]
TestA:
db 48 63 56 18 48 8B C8 83 38 00 49 BB 4A 27 E7 E2 6D 01 00 00
unregistersymbol(TestA)
dealloc(newmem)
which can be changed at will.
For a script with a "jump1" just click in "Template" on "1byte exception jmp" and a check will appear on the latter
Here is an example based on "5 byte jmp" and "1byte exception jmp" activated:
Code: Select all
[ENABLE]
aobscan(TestB,48 63 56 18 48 8B C8 83 38 00 49 BB 4A) // should be unique
alloc(newmem,$1000,TestB)
label(code)
label(return)
newmem:
code:
movsxd rdx,dword ptr [rsi+18]
jmp return
TestB:
jmp1 newmem
nop 3
return:
registersymbol(TestB)
[DISABLE]
TestB:
db 48 63 56 18
unregistersymbol(TestB)
dealloc(newmem)
I hope it's useful...
Re: How to registersymbol?
Posted: Thu Jan 04, 2024 9:03 am
by Paul44
^ as i stated, tut on 'jmp far' convertion here: [
viewtopic.php?f=11&t=19793 ].
To summarize:
a. use 14 bytes (instead of 5), to always handle mem_boundaries just fine
b. trampoline: not all opcodes allow "proper" 14_byte-injection (basically avoiding any opcode_offsets andwhatnot). in these cases, one can use a 'trampoline' to inject a 'jmp short' initially...
OR: to "keep" all your jmp short instructions, you can implement trampolines for each and everyone of them.
ps: I've encountered these 'offset too big ~ etc' issues on both v10 & v11 (well, my users did). Pure assumption here, but me think chances to encounter this increase by the amount of RAM ?!
ps2: i did not know about the 1byte-jmp? interesting...
Re: How to registersymbol?
Posted: Fri Jan 05, 2024 12:42 am
by SilverRabbit90
BabyGroot wrote: ↑Tue Nov 28, 2023 4:43 pm
Do you want to enter 2 aob in 1 script?
I finally made it. What I wanted to do was:
By activating the first script you can see the points (in this game only when they get)
First Script:
Code: Select all
[ENABLE]
//aobscan(PointsA,48 63 56 18 48 8B C8 83 38 00 49 BB 40) // should be unique
assert(HUDScreen:OnPlayerScoreModified+62,48 63 56 18 48 8B C8 83 38 00 49 BB ?0) // should be unique
alloc(newmem,$1000,HUDScreen:OnPlayerScoreModified+62)
alloc(infPoints,8)
registersymbol(infPoints)
infPoints:
dd 0
label(code)
label(return)
Disabilitando il secondo script si tornerà semplicemente a vedere il valore "Punti"
Example:
[spoiler=][img]https://i.postimg.cc/R0m10LCq/Pic-First-Second-Script.png[/img][/spoiler]
label(seePoints)
registersymbol(seePoints)
label(SetPoints)
registersymbol(SetPoints)
newmem:
mov [seePoints],rsi
cmp [infPoints],1
jne code
push r15
mov r15,SetPoints
mov r15d,dword ptr [r15]
mov [rsi+18],r15d
pop r15
movsxd rdx,dword ptr [rsi+18]
test rdx,rdx
mov rcx,rax
jmp return
code:
movsxd rdx,dword ptr [rsi+18]
test rdx,rdx
mov rcx,rax
jmp return
SetPoints:
dd (int)100
seePoints:
dq 0
HUDScreen:OnPlayerScoreModified+62:
jmp newmem
nop 2
return:
//registersymbol(PointsA)
[DISABLE]
HUDScreen:OnPlayerScoreModified+62:
db 48 63 56 18 48 8B C8
unregistersymbol(*)
dealloc(*)
After that by activating the second script you can change the value to your liking.
(or if you have set a predefined value in the first script CE will use that
Code: Select all
[ENABLE]
//aobscan(PointsA,48 63 56 18 48 8B C8 83 38 00 49 BB 40) // should be unique
assert(HUDScreen:OnPlayerScoreModified+62,48 63 56 18 48 8B C8 83 38 00 49 BB ?0) // should be unique
alloc(newmem,$1000,HUDScreen:OnPlayerScoreModified+62)
alloc(infPoints,8)
registersymbol(infPoints)
infPoints:
dd 0
label(code)
label(return)
label(seePoints)
registersymbol(seePoints)
label(SetPoints)
registersymbol(SetPoints)
newmem:
mov [seePoints],rsi
cmp [infPoints],1
jne code
mov [rsi+18],(int)100
movsxd rdx,dword ptr [rsi+18]
test rdx,rdx
mov rcx,rax
jmp return
code:
movsxd rdx,dword ptr [rsi+18]
test rdx,rdx
mov rcx,rax
jmp return
SetPoints:
dd (int)100
seePoints:
dq 0
HUDScreen:OnPlayerScoreModified+62:
jmp newmem
nop 2
return:
//registersymbol(PointsA)
[DISABLE]
HUDScreen:OnPlayerScoreModified+62:
db 48 63 56 18 48 8B C8
unregistersymbol(*)
dealloc(*)
)
Second Script:
Code: Select all
[ENABLE]
infPoints:
dd 1
[DISABLE]
infPoints:
dd 0
Disabling the second script you will simply return to see the value of "Points".
Example:
This video helped me a lot (I have been trying to do it for a long time):
[Link]