Code Injection - Editable Values
This tutorial builds on the subject of code injection, and starts from a working script. Please start here: [Link]
Any game will work but I will be using Windows Solitaire.
First you will need to find an Integer. If unsure how to find values see: [Link]
Finding the injection point
Once you have found the address of the score, we can find the injection point. Where that is depends on what we want to do. In Windows Solitaire the score decreases over time, and the previous tutorial made it increase the score instead; here let's make the amount it changes by a value that can be edited from the cheat table without editing the script.
If you followed along with the Code Injection - Full tutorial you should have a script like this.
Code:
define(address,"solitaire.exe"+396CC)
define(bytes,41 83 43 14 FE)
[ENABLE]
assert(address,bytes)
alloc(newmem,$1000,address) // '$' before a number is a short hand for '0x' (hex).
label(code)
label(return)
newmem:
code:
add dword ptr [r11+14],02
jmp return
address:
jmp newmem
return:
[DISABLE]
address:
db bytes
// add dword ptr [r11+14],-02
dealloc(newmem)
Adding an Editable Value
So we'll need some memory, which we already have some of [Link], so let's just create a [Link] and [Link]. We need to register the symbol to be able to access it elsewhere. We can also use [Link] to align the memory, because we will just put it at the end of the allocated memory.
Code:
define(address,"solitaire.exe"+396CC)
define(bytes,41 83 43 14 FE)
[ENABLE]
assert(address,bytes)
alloc(newmem,0x400,address)
label(code)
label(return)
label(intScoreAdder) // we need a unique name,
// and I like to indicate the value type in the name (i.e.: "int" for integer).
registerSymbol(intScoreAdder)
newmem:
code:
push rax // push/save the register.
mov eax,[intScoreAdder] // EAX is the low 32 bits of RAX
add [r11+14],eax // the operand size is determined by the size of the register.
pop rax // pop/restore the register.
jmp return
align 10 CC // align the memory to be assembled.
intScoreAdder:
dd (int)5 // we could just use 'dd 5' as decimal 5 is equal to hex 5
// or the short hand for an integer 'dd #5'.
address:
jmp newmem
return:
[DISABLE]
address:
db bytes
// add dword ptr [r11+14],-02
dealloc(newmem)
Adding the Address to a CT
[Link]
And that gives us a changeable value that is used inside the script.
You can set the address as a child of the script, and right-click the address record to enable the "Hide children when deactivated" option under Group config.
[Link]
Working with Floats
Health Damage Multiplier
Let's say you have an injection point that looks like this, it's affecting health, and XMM1 holds the damage value.
Code:
subss xmm0,xmm1
movss [rsi],xmm0
Code:
subss xmm0,xmm1
...
movss [rsi],xmm0
Code:
define(address, "game.exe"+123ABC)
define(bytes, F3 0F 5C C1 F3 0F 11 06)
[ENABLE]
assert(address, bytes)
alloc(newmem, 0x400, address)
label(code)
label(return)
newmem:
code:
subss xmm0,xmm1
movss [rsi],xmm0
jmp return
address:
jmp newmem
nop
nop
nop
return:
[DISABLE]
address:
db bytes
dealloc(newmem)
Code:
define(address, "game.exe"+123ABC)
define(bytes, F3 0F 5C C1 F3 0F 11 06)
[ENABLE]
assert(address, bytes)
alloc(newmem, 0x400, address)
label(code)
label(return)
label(fltHealthMultiplier) // we need a unique name,
// and I like to indicate the value type in the name (i.e.: "flt" for float).
registerSymbol(fltHealthMultiplier)
newmem:
code:
mulss xmm1,[fltHealthMultiplier]
subss xmm0,xmm1
movss [rsi],xmm0
jmp return
align 10 CC // align the memory to be assembled.
fltHealthMultiplier:
dd (float)0.25
address:
jmp newmem
nop
nop
nop
return:
[DISABLE]
address:
db bytes
dealloc(newmem)
Packed Multiplier
Let's say you have an injection point that looks like this, it's affecting health and shield, and XMM1 holds the damage values for both.
Code:
subps xmm0,xmm1
movaps [rsi],xmm0
Code:
define(address, "game.exe"+123ABC)
define(bytes, 0F 5C C1 0F 29 06)
[ENABLE]
assert(address, bytes)
alloc(newmem, 0x400, address)
label(code)
label(return)
newmem:
code:
subps xmm0,xmm1 // the original packed instructions (matches the bytes above)
movaps [rsi],xmm0
jmp return
address:
jmp newmem
nop
return:
[DISABLE]
address:
db bytes
dealloc(newmem)
Code:
define(address, "game.exe"+123ABC)
define(bytes, 0F 5C C1 0F 29 06)
[ENABLE]
assert(address, bytes)
alloc(newmem, 0x400, address)
label(code)
label(return)
label(fltHealthMultiplier) // we need a unique name,
// and I like to indicate the value type in the name (i.e.: "flt" for float).
registerSymbol(fltHealthMultiplier)
newmem:
code:
mulps xmm1,[fltHealthMultiplier]
subps xmm0,xmm1
movaps [rsi],xmm0
jmp return
align 10 CC // align the memory to be assembled. Alignment is required for an aligned instruction like mulps/movaps with a memory operand.
fltHealthMultiplier:
dd (float)0.25
dd (float)0.35
dd (float)1 // For any lanes you don't want to change, set the multiplier to 1
dd (float)1
address:
jmp newmem
nop
return:
[DISABLE]
address:
db bytes
dealloc(newmem)
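To make the data directives in the scripts above concrete (the `align 10 CC` padding at the end of the allocated memory, what `dd (int)5`, `dd #5` and `dd (float)0.25` actually put in memory, why the packed multiplier's four floats must start on a 16-byte boundary, and what `assert(address,bytes)` checks before anything is overwritten), here is a small Python model. It is an added example, not code from the Cheat Engine wiki or from Cheat Engine itself; the function names, the 13-byte stand-in for the code block and the sample memory buffer are constructed for this illustration.

```python
"""Added example (not from the Cheat Engine wiki page): a model of what the
auto-assembler data directives used in the scripts turn into in memory.

  align 10 CC      -> pad with 0xCC up to the next 0x10 (16-byte) boundary
  dd (int)5        -> 4-byte little-endian integer
  dd #5            -> same as above (decimal shorthand)
  dd 5             -> hex literal (5 == 0x5 here, so identical bytes)
  dd (float)0.25   -> 4-byte IEEE-754 single precision

Function names and sample data are this example's own, not CE's API.
"""
import struct


def align(offset: int, boundary: int = 0x10, fill: int = 0xCC) -> bytes:
    """Padding bytes needed to bring `offset` up to a multiple of `boundary`."""
    pad = (-offset) % boundary
    return bytes([fill]) * pad


def dd(value) -> bytes:
    """Emit one 4-byte dword in little-endian order, like the `dd` directive."""
    if isinstance(value, float):
        return struct.pack("<f", value)          # dd (float)x
    if value < 0:
        return struct.pack("<i", value)          # e.g. the -02 in the comment
    return struct.pack("<I", value)              # dd (int)x / dd #x / dd hex


def build_data_block(code: bytes, values) -> tuple[bytes, int]:
    """Append an aligned data block after `code`, as `align 10 CC` followed by
    `dd ...` lines does in the scripts. Returns (whole block, offset of the
    first dd), so callers can check the data really starts 16-byte aligned."""
    block = bytearray(code)
    block += align(len(block))
    data_offset = len(block)
    for v in values:
        block += dd(v)
    return bytes(block), data_offset


def read_floats(block: bytes, offset: int, count: int) -> list[float]:
    """Decode `count` consecutive dd (float) entries back into Python floats."""
    return list(struct.unpack_from("<%df" % count, block, offset))


def parse_pattern(pattern: str) -> bytes:
    """'0F 5C C1 0F 29 06' -> the raw bytes of the `bytes` define."""
    return bytes(int(tok, 16) for tok in pattern.split())


def original_bytes_match(memory: bytes, address: int, pattern: str) -> bool:
    """What assert(address,bytes) checks: the code at the injection point still
    looks the way the script expects (same game build), so the script refuses
    to patch anything else."""
    expected = parse_pattern(pattern)
    return memory[address:address + len(expected)] == expected


if __name__ == "__main__":
    # Constructed stand-in for the 13 bytes of injected code before `align 10 CC`.
    code = b"\x90" * 13
    block, off = build_data_block(code, [0.25, 0.35, 1.0, 1.0])
    print("data starts at offset 0x%X (16-byte aligned: %s)" % (off, off % 16 == 0))
    print("padding bytes:", block[len(code):off].hex())
    print("multipliers read back:", read_floats(block, off, 4))
    print("dd (int)5 ->", dd(5).hex(), " dd (float)0.25 ->", dd(0.25).hex())

    # Constructed memory image: the packed-multiplier injection point at 0x20.
    memory = b"\x00" * 0x20 + parse_pattern("0F 5C C1 0F 29 06") + b"\x00" * 10
    print("assert at 0x20:", original_bytes_match(memory, 0x20, "0F 5C C1 0F 29 06"))
    print("assert at 0x21:", original_bytes_match(memory, 0x21, "0F 5C C1 0F 29 06"))
```

The alignment check matters for the packed script: `mulps xmm1,[fltHealthMultiplier]` is a legacy SSE instruction with a memory operand, so the four floats must begin on a 16-byte boundary or the instruction faults; `align 10 CC` is what guarantees that regardless of how long the code before it is.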
See also
- [Link]
- [Link]
- [Link]
- [Link]
- [Link]
- [Link]
- [Link]