Help with changing address

Posted: Thu Jun 04, 2020 11:58 pm
by kidalot
Hi

I managed to scrape together a script for PCSX2 Arc the Lad for an XP multiplier. The issue is that every time I restart the game the script doesn't work.

The following works, but not if I restart the game. I have to find the address again.

I've read an AOB script would help, or a full injection script; what's the easiest workaround?

[CODE][ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem:
Pushf
//push flags
Mov eax, [ecx]
// mov old xp to eax
Sub edx, eax
// Get difference in xp ->edx
IMul edx, #5
// Difference *= 5
Add edx, eax
// Add original xp to new difference

originalcode:
Mov [ecx], edx //original
Popf

exit:
jmp returnhere

304D3E1D:
jmp newmem
nop 2
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
304D3E1D:
mov [ecx],edx
mov eax,00000001
//Alt: db 89 11 B8 01 00 00 00[/CODE]

Help with changing address

Posted: Fri Jun 05, 2020 1:32 am
by TimFun13
Set up an [URL='https://fearlessrevolution.com/threads/6637/'][U]AOB[/U][/URL], but if the code is JITed then it might not be assembled until certain actions are done (i.e. XP is received).

Help with changing address

Posted: Fri Jun 05, 2020 2:04 am
by kidalot
I've tried AOB all afternoon but it keeps crashing my game. I thought it was possible to use full injection with symbols? I've been going through tutorials but still not sure how to apply it here.

This was my latest attempt at AOB, but when I enabled it and my character triggered an action to gain XP the game crashed. It's happened every time.

[CODE]{ Game : pcsx2.exe
Version:
Date : 2020-06-05
Author :

This script does blah blah blah
}

[ENABLE]

aobscan(INJECT,B3 D2 89 11 B8 01 00 00 00) // should be unique
alloc(newmem,2048)
alloc(multiplier, 4)
registersymbol(multiplier)
label(returnhere)
label(originalcode)
label(exit)

newmem:
Pushf
//push flags
Mov eax, [ecx]
// mov old xp to eax
Sub edx, eax
// Get difference in xp ->edx
IMul edx, #5
// Difference *= 5
Add edx, eax
// Add original xp to new difference

originalcode:
Mov [ecx], edx //original
Popf

exit:
jmp returnhere

304D3E1D:
jmp newmem
nop 2
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
304D3E1D:
mov [ecx],edx
mov eax,00000001
//Alt: db 89 11 B8 01 00 00 00

{
// ORIGINAL CODE - INJECTION POINT: 30460CFF

30460CCE: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460CD8: 8B 15 00 9C 5C 01 - mov edx,[pcsx2.exe+839C00]
30460CDE: 8B 0D 30 9C 5C 01 - mov ecx,[pcsx2.exe+839C30]
30460CE4: 0F 77 - emms
30460CE6: 89 C8 - mov eax,ecx
30460CE8: C1 E8 0C - shr eax,0C
30460CEB: 8B 04 85 30 C0 BF 11 - mov eax,[eax*4+11BFC030]
30460CF2: BB 01 0D 46 30 - mov ebx,30460D01
30460CF7: 01 C1 - add ecx,eax
30460CF9: 0F 88 41 05 B3 D2 - js pcsx2.exe+2201240
// ---------- INJECTING HERE ----------
30460CFF: 89 11 - mov [ecx],edx
30460D01: B8 01 00 00 00 - mov eax,00000001
// ---------- DONE INJECTING ----------
30460D06: 83 3D 24 9B 5C 01 00 - cmp dword ptr [pcsx2.exe+839B24],00
30460D0D: 72 10 - jb 30460D1F
30460D0F: 77 0C - ja 30460D1D
30460D11: 81 3D 20 9B 5C 01 10 27 00 00 - cmp [pcsx2.exe+839B20],00002710
30460D1B: 72 02 - jb 30460D1F
30460D1D: 31 C0 - xor eax,eax
30460D1F: A3 20 9B 5C 01 - mov [pcsx2.exe+839B20],eax
30460D24: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460D2E: C7 05 30 9B 5C 01 7F 96 98 00 - mov [pcsx2.exe+839B30],0098967F
30460D38: C7 05 34 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B34],00000000
}[/CODE]

Help with changing address

Posted: Fri Jun 05, 2020 3:00 am
by TimFun13
You're not actually using the AOB symbol; you need to replace the address with the symbol. And you should PUSH and POP the EAX register.

[CODE=cea]{ Game : pcsx2.exe
Version:
Date : 2020-06-05
Author :

This script does blah blah blah
}

[ENABLE]

aobscan(INJECT,B3 D2 89 11 B8 01 00 00 00) // should be unique
registersymbol(INJECT)
alloc(newmem,2048)
alloc(multiplier, 4)
registersymbol(multiplier)
label(returnhere)
label(originalcode)
label(exit)

newmem:
Pushf
push eax
//push flags
Mov eax, [ecx]
// mov old xp to eax
Sub edx, eax
// Get difference in xp ->edx
IMul edx, #5
// Difference *= 5
Add edx, eax
// Add original xp to new difference

originalcode:
Mov [ecx], edx //original
pop eax
Popf

exit:
jmp returnhere

INJECT: // 304D3E1D:
jmp newmem
nop 2
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT: // 304D3E1D:
mov [ecx],edx
mov eax,00000001
//Alt: db 89 11 B8 01 00 00 00
unregistersymbol(INJECT)
unregistersymbol(multiplier)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: 30460CFF

30460CCE: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460CD8: 8B 15 00 9C 5C 01 - mov edx,[pcsx2.exe+839C00]
30460CDE: 8B 0D 30 9C 5C 01 - mov ecx,[pcsx2.exe+839C30]
30460CE4: 0F 77 - emms
30460CE6: 89 C8 - mov eax,ecx
30460CE8: C1 E8 0C - shr eax,0C
30460CEB: 8B 04 85 30 C0 BF 11 - mov eax,[eax*4+11BFC030]
30460CF2: BB 01 0D 46 30 - mov ebx,30460D01
30460CF7: 01 C1 - add ecx,eax
30460CF9: 0F 88 41 05 B3 D2 - js pcsx2.exe+2201240
// ---------- INJECTING HERE ----------
30460CFF: 89 11 - mov [ecx],edx
30460D01: B8 01 00 00 00 - mov eax,00000001
// ---------- DONE INJECTING ----------
30460D06: 83 3D 24 9B 5C 01 00 - cmp dword ptr [pcsx2.exe+839B24],00
30460D0D: 72 10 - jb 30460D1F
30460D0F: 77 0C - ja 30460D1D
30460D11: 81 3D 20 9B 5C 01 10 27 00 00 - cmp [pcsx2.exe+839B20],00002710
30460D1B: 72 02 - jb 30460D1F
30460D1D: 31 C0 - xor eax,eax
30460D1F: A3 20 9B 5C 01 - mov [pcsx2.exe+839B20],eax
30460D24: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460D2E: C7 05 30 9B 5C 01 7F 96 98 00 - mov [pcsx2.exe+839B30],0098967F
30460D38: C7 05 34 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B34],00000000
}[/CODE]

Help with changing address

Posted: Fri Jun 05, 2020 3:47 am
by kidalot
Thank you

I appreciate your help. I amended my script to the one above; the game still crashes when it triggers?

Even if I just enable then disable the script it still crashes.

Help with changing address

Posted: Fri Jun 05, 2020 5:13 am
by TimFun13
You can right click the instruction and "see what address accesses this instruction", and see if other addresses are accessed, because that might be the problem. That or check to see if anything jumps to the second line of code at the injection point (0x30460D01), because that can definitely cause a crash as the jump will be in the middle of the injected hook.
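A mechanical way to do the check described in this reply, added here as an example and not code from the thread: it parses a constructed excerpt of the listing posted above (Cheat Engine's `address: bytes - asm` form), works out which bytes a 5-byte `jmp newmem` plus padding overwrites at 30460CFF, and lists every instruction whose operand is an address inside that window. On the posted bytes it reports `mov ebx,30460D01`, which loads the address of the second overwritten instruction into a register; the thread does not establish whether that is what crashes, but it is exactly the kind of reference to look at before hooking there.

```python
import re

# Constructed excerpt of the listing posted in the thread around injection point
# 30460CFF, in Cheat Engine's "address: bytes - asm" form (not a dump from this page's author).
LISTING = """
30460CF2: BB 01 0D 46 30 - mov ebx,30460D01
30460CF7: 01 C1 - add ecx,eax
30460CF9: 0F 88 41 05 B3 D2 - js pcsx2.exe+2201240
30460CFF: 89 11 - mov [ecx],edx
30460D01: B8 01 00 00 00 - mov eax,00000001
30460D06: 83 3D 24 9B 5C 01 00 - cmp dword ptr [pcsx2.exe+839B24],00
30460D0D: 72 10 - jb 30460D1F
"""
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8}): ((?:[0-9A-Fa-f]{2} )+)- (.*)$")
JMP_SIZE = 5  # "jmp newmem" assembles to a 5-byte near jmp rel32

def parse_listing(text):
    """Return [(address, byte_length, asm)] for every line that parses."""
    insns = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            addr, byts, asm = m.groups()
            insns.append((int(addr, 16), len(byts.split()), asm.strip()))
    return insns

def hook_window(insns, inject):
    """[start, end) of the bytes the hook overwrites: whole instructions from the
    injection point until at least JMP_SIZE bytes are covered; the remainder is
    what the script pads with nops (the 'nop 2' in the thread)."""
    covered = 0
    for addr, size, _ in sorted(insns):
        if addr >= inject:
            covered += size
            if covered >= JMP_SIZE:
                return inject, inject + covered
    raise ValueError("listing ends before the hook window is covered")

def references_into_window(insns, start, end):
    """Instructions whose operand is an address strictly inside the window, i.e.
    past its first byte: a branch or a saved resume address there lands mid-jmp."""
    hits = []
    for addr, _, asm in insns:
        for tok in re.findall(r"\b[0-9A-Fa-f]{8}\b", asm):
            target = int(tok, 16)
            if start < target < end:
                hits.append((addr, asm, target))
    return hits

def check_hook(listing, inject):
    """What to look at before hooking `inject`: window, nop count, inbound references."""
    insns = parse_listing(listing)
    start, end = hook_window(insns, inject)
    return {"window": (start, end), "nops": end - start - JMP_SIZE,
            "refs": references_into_window(insns, start, end)}
```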

Help with changing address

Posted: Fri Jun 05, 2020 11:11 am
by kidalot
Hi

Thanks again for trying, I haven't given up, was up too late trying this.

Image of finding out what addresses accessed

[MEDIA=imgur]ggnj26Z[/MEDIA]

[MEDIA=imgur]nZHepZD[/MEDIA]

There are 3 addresses in there; these are the characters of my party and their individual XP stat. I hope I'm looking at what you suggested.

Sorry, I'm unclear how to "check to see if anything jumps to the second line of code at the injection point (0x30460D01)".

This is the memory viewer when I enable the script

[MEDIA=imgur]yQCEz1E[/MEDIA]

Help with changing address

Posted: Fri Jun 05, 2020 12:19 pm
by TimFun13
I didn't notice the first time but you didn't have the original code in your script. You can try this and see if it crashes.

[CODE=cea]{ Game : pcsx2.exe
Version:
Date : 2020-06-05
Author :

This script does blah blah blah
}

[ENABLE]

aobscan(INJECT,B3 D2 89 11 B8 01 00 00 00) // should be unique
registersymbol(INJECT)
alloc(newmem,2048)
alloc(multiplier, 4)
registersymbol(multiplier)
label(returnhere)
label(originalcode)
label(exit)

newmem:
Pushf
//push flags
Mov eax, [ecx]
// mov old xp to eax
Sub edx, eax
// Get difference in xp ->edx
IMul edx, #5
// Difference *= 5
Add edx, eax
// Add original xp to new difference

originalcode:
Mov [ecx], edx //original
mov eax,00000001
Popf

exit:
jmp returnhere

INJECT: // 304D3E1D:
jmp newmem
nop 2
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT: // 304D3E1D:
// mov [ecx],edx
// mov eax,00000001
db 89 11 B8 01 00 00 00
unregistersymbol(INJECT)
unregistersymbol(multiplier)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: 30460CFF

30460CCE: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460CD8: 8B 15 00 9C 5C 01 - mov edx,[pcsx2.exe+839C00]
30460CDE: 8B 0D 30 9C 5C 01 - mov ecx,[pcsx2.exe+839C30]
30460CE4: 0F 77 - emms
30460CE6: 89 C8 - mov eax,ecx
30460CE8: C1 E8 0C - shr eax,0C
30460CEB: 8B 04 85 30 C0 BF 11 - mov eax,[eax*4+11BFC030]
30460CF2: BB 01 0D 46 30 - mov ebx,30460D01
30460CF7: 01 C1 - add ecx,eax
30460CF9: 0F 88 41 05 B3 D2 - js pcsx2.exe+2201240
// ---------- INJECTING HERE ----------
30460CFF: 89 11 - mov [ecx],edx
30460D01: B8 01 00 00 00 - mov eax,00000001
// ---------- DONE INJECTING ----------
30460D06: 83 3D 24 9B 5C 01 00 - cmp dword ptr [pcsx2.exe+839B24],00
30460D0D: 72 10 - jb 30460D1F
30460D0F: 77 0C - ja 30460D1D
30460D11: 81 3D 20 9B 5C 01 10 27 00 00 - cmp [pcsx2.exe+839B20],00002710
30460D1B: 72 02 - jb 30460D1F
30460D1D: 31 C0 - xor eax,eax
30460D1F: A3 20 9B 5C 01 - mov [pcsx2.exe+839B20],eax
30460D24: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460D2E: C7 05 30 9B 5C 01 7F 96 98 00 - mov [pcsx2.exe+839B30],0098967F
30460D38: C7 05 34 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B34],00000000
}[/CODE]



You can also try just the redirection and not change the code to see if that crashes, but as far as looking for a jump to the second line, you'd just have to scroll around and see if you can find a jump to that address.

[CODE=cea]{ Game : pcsx2.exe
Version:
Date : 2020-06-05
Author :

This script does blah blah blah
}

[ENABLE]

aobscan(INJECT,B3 D2 89 11 B8 01 00 00 00) // should be unique
registersymbol(INJECT)
alloc(newmem,2048)
alloc(multiplier, 4)
registersymbol(multiplier)
label(returnhere)
label(originalcode)
label(exit)

newmem:
originalcode:
Mov [ecx], edx //original
mov eax,00000001

exit:
jmp returnhere

INJECT: // 304D3E1D:
jmp newmem
nop 2
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT: // 304D3E1D:
// mov [ecx],edx
// mov eax,00000001
db 89 11 B8 01 00 00 00
unregistersymbol(INJECT)
unregistersymbol(multiplier)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: 30460CFF

30460CCE: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460CD8: 8B 15 00 9C 5C 01 - mov edx,[pcsx2.exe+839C00]
30460CDE: 8B 0D 30 9C 5C 01 - mov ecx,[pcsx2.exe+839C30]
30460CE4: 0F 77 - emms
30460CE6: 89 C8 - mov eax,ecx
30460CE8: C1 E8 0C - shr eax,0C
30460CEB: 8B 04 85 30 C0 BF 11 - mov eax,[eax*4+11BFC030]
30460CF2: BB 01 0D 46 30 - mov ebx,30460D01
30460CF7: 01 C1 - add ecx,eax
30460CF9: 0F 88 41 05 B3 D2 - js pcsx2.exe+2201240
// ---------- INJECTING HERE ----------
30460CFF: 89 11 - mov [ecx],edx
30460D01: B8 01 00 00 00 - mov eax,00000001
// ---------- DONE INJECTING ----------
30460D06: 83 3D 24 9B 5C 01 00 - cmp dword ptr [pcsx2.exe+839B24],00
30460D0D: 72 10 - jb 30460D1F
30460D0F: 77 0C - ja 30460D1D
30460D11: 81 3D 20 9B 5C 01 10 27 00 00 - cmp [pcsx2.exe+839B20],00002710
30460D1B: 72 02 - jb 30460D1F
30460D1D: 31 C0 - xor eax,eax
30460D1F: A3 20 9B 5C 01 - mov [pcsx2.exe+839B20],eax
30460D24: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460D2E: C7 05 30 9B 5C 01 7F 96 98 00 - mov [pcsx2.exe+839B30],0098967F
30460D38: C7 05 34 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B34],00000000
}[/CODE]

Help with changing address

Posted: Fri Jun 05, 2020 1:08 pm
by kidalot
Hi

Before enabling script from 1st code (with code changed)

[MEDIA=imgur]8A9Hb15[/MEDIA]

After enabling code

[MEDIA=imgur]pbo7IPE[/MEDIA]

Doesn't look right? I can't find any jumps.

I ran a simple AOB injection with no modification, enabled it and no crash.

I ran the 2nd method with just the redirect; it crashes the game.

I think I'm making some very obvious mistakes here; here is the recent template for AOB without modifications.

[CODE]{ Game : pcsx2.exe
Version:
Date : 2020-06-05
Author : Freeware Sys

This script does blah blah blah
}

[ENABLE]

aobscan(INJECT,09 F2 D2 8B 01 99 A3 30 9B 5C 01) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
mov eax,[ecx]
cdq
mov [pcsx2.exe+839B30],eax
jmp return

INJECT+03:
jmp newmem
nop 3
return:
registersymbol(INJECT)

[DISABLE]

INJECT+03:
db 8B 01 99 A3 30 9B 5C 01

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 3007075E

3007072E: 2B 05 80 7E 5B 01 - sub eax,[pcsx2.exe+827E80]
30070734: 0F 88 92 FC FF FF - js 300703CC
3007073A: E9 C1 28 FA D2 - jmp pcsx2.exe+2283000
3007073F: 8B 0D 10 9C 5C 01 - mov ecx,[pcsx2.exe+839C10]
30070745: 89 C8 - mov eax,ecx
30070747: C1 E8 0C - shr eax,0C
3007074A: 8B 04 85 30 80 E9 15 - mov eax,[eax*4+15E98030]
30070751: BB 60 07 07 30 - mov ebx,30070760
30070756: 01 C1 - add ecx,eax
30070758: 0F 88 22 09 F2 D2 - js pcsx2.exe+2201080
// ---------- INJECTING HERE ----------
3007075E: 8B 01 - mov eax,[ecx]
30070760: 99 - cdq
30070761: A3 30 9B 5C 01 - mov [pcsx2.exe+839B30],eax
// ---------- DONE INJECTING ----------
30070766: 89 15 34 9B 5C 01 - mov [pcsx2.exe+839B34],edx
3007076C: A1 20 9B 5C 01 - mov eax,[pcsx2.exe+839B20]
30070771: 2B 05 00 9C 5C 01 - sub eax,[pcsx2.exe+839C00]
30070777: 99 - cdq
30070778: A3 60 9B 5C 01 - mov [pcsx2.exe+839B60],eax
3007077D: 89 15 64 9B 5C 01 - mov [pcsx2.exe+839B64],edx
30070783: A1 30 9B 5C 01 - mov eax,[pcsx2.exe+839B30]
30070788: 2B 05 00 9C 5C 01 - sub eax,[pcsx2.exe+839C00]
3007078E: 99 - cdq
3007078F: A3 50 9B 5C 01 - mov [pcsx2.exe+839B50],eax
}[/CODE]

Help with changing address

Posted: Fri Jun 05, 2020 3:17 pm
by notpikachu
Not exactly an expert on this, but try this.



[SPOILER="expmultiplier"]
[CODE][ENABLE]

aobscan(expmult,89 11 B8 01 00 00 00 83 3D ?? ?? ?? 01 00 72 10 77 0C 81 3D ) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:
pushf
push eax
mov eax,[ecx]
sub edx,eax
imul edx,5
add edx,eax
code:
mov [ecx],edx
pop eax
popf
mov eax,00000001
jmp return

expmult:
jmp newmem
nop 2
return:
registersymbol(expmult)

[DISABLE]

expmult:
db 89 11 B8 01 00 00 00

unregistersymbol(expmult)
dealloc(newmem)
//notpikachu[/CODE]
[/SPOILER]



Edit1: The emulator is sort of JIT btw. That means you need to at least earn exp by fighting a monster in order to activate the script.

Help with changing address

Posted: Fri Jun 05, 2020 4:05 pm
by kidalot
Thanks for your time notpikachu

Unfortunately the game crashed; it happens when a character is about to gain XP.

"Edit1: The emulator is sort of JIT btw. That means you need to at least earn exp by fighting a monster in order to activate the script."

In the game you receive XP just for hitting enemies; I had to do that to find the opcode again.

Not sure if this can help - BEFORE ENABLING SCRIPT

[MEDIA=imgur]1JbiFaZ[/MEDIA]

AFTER ENABLING SCRIPT

[MEDIA=imgur]0aHpDWY[/MEDIA]

DISABLING SCRIPT

[MEDIA=imgur]go7PNXA[/MEDIA]

I can't understand why that keeps happening?

Help with changing address

Posted: Fri Jun 05, 2020 4:33 pm
by notpikachu
Somehow our pictures when enabling the script don't match. I already tested the exp part. The assembly script above works as intended and I received x5 exp in only a few battles. Didn't test it for a long run though.

Here's mine.

[IMG]https://i.imgur.com/BXTYJI4.png[/IMG]

Just in case, can you follow the js or put a breakpoint on it? Just want to see what happens there, because usually when a script is enabled it becomes a jmp.

Edit1: Ah, I forgot to put the pop in my script. That was careless of me. Can you try again with the script above~

Help with changing address

Posted: Fri Jun 05, 2020 5:12 pm
by kidalot
I tried again

[MEDIA=imgur]61LOqgQ[/MEDIA]

As soon as I attack the game speeds up (frame rate is above 130) and then PCSX2 crashes after a few seconds.

The code works, I received x5 EXP; now I just need to work out why it's speeding up?

Thanks for the AOB signature, I was really struggling with the unique code.

If you have exactly the same game why is it behaving differently?

Help with changing address

Posted: Fri Jun 05, 2020 5:19 pm
by notpikachu
Hmmm, there are a lot of factors to consider. How about checking the emulator settings first? There's a frame limiter enabler/disabler, turbo mode, and speedhack (not the CE one) settings that can be considered crashable. I tried to speed up and tune all of that to skip the start lore of this game just for the testing, but it resulted in 3-4 crashes instead.

Help with changing address

Posted: Fri Jun 05, 2020 5:47 pm
by kidalot
Man you're a genius!!! Your code was definitely the key but I had to modify it for it to be stable for me.

Thank you TheCallmeTim13 and notpikachu

I'm still testing this with all my characters

I don't believe this code is 100% correct but it seems to be stable

I think the AOB signature was probably my main issue? Is there a simpler way of producing one? Spent ages on it then realised there were 2 of the same type. I was up all night with this crap.

[CODE][ENABLE]

aobscan(expmult,89 11 B8 01 00 00 00 83 3D ?? ?? ?? 01 00 72 10 77 0C 81 3D ) // should be unique
alloc(newmem,$1000)

label(code)
label(returnhere)
label(exit)

newmem:
pushf
push eax
mov eax,[ecx]
sub edx,eax
imul edx,5
add edx,eax
code:
mov [ecx],edx
pop eax // balances the push eax above; without it popf pops the saved eax into the flags and the stack stays off by 4
popf
mov eax,00000001 // second original instruction; the 7-byte hook overwrites it, so it must be re-executed here

exit:
jmp returnhere

expmult:
jmp newmem
nop 2
returnhere:

registersymbol(expmult)

[DISABLE]

expmult:
db 89 11 B8 01 00 00 00 // restores both original instructions (mov [ecx],edx / mov eax,00000001)

unregistersymbol(expmult)
dealloc(newmem)
[/CODE]
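On the uniqueness question above, an added example that is not code from the thread: a small wildcard AOB scanner in Python run over a constructed byte image (the bytes listed in the thread from 30460CF9, plus a fabricated second site that repeats `89 11 B8 01 00 00 00`). It shows why the short pattern is not unique while notpikachu's longer one with `??` for the address bytes is, and it computes where the symbol lands: aobscan names the first byte of the match, so with `B3 D2 89 11 ...` the symbol sits two bytes before `mov [ecx],edx` and a hook written at `INJECT:` is placed two bytes early (the later template in the thread handles the same thing with `INJECT+03:`).

```python
# Constructed byte image: the bytes Cheat Engine listed from 30460CF9 onward in the
# thread, followed by a made-up second site that repeats "89 11 B8 01 00 00 00".
BASE = 0x30460CF9
LISTED = bytes.fromhex(
    "0F 88 41 05 B3 D2 "              # js pcsx2.exe+2201240      (30460CF9)
    "89 11 "                          # mov [ecx],edx             (30460CFF) injection point
    "B8 01 00 00 00 "                 # mov eax,00000001          (30460D01)
    "83 3D 24 9B 5C 01 00 "           # cmp dword ptr [...],00    (30460D06)
    "72 10 77 0C "                    # jb 30460D1F / ja 30460D1D
    "81 3D 20 9B 5C 01 10 27 00 00 "  # cmp [...],00002710
    "72 02 31 C0"                     # jb 30460D1F / xor eax,eax
)
IMAGE = LISTED + b"\x90" * 16 + bytes.fromhex("89 11 B8 01 00 00 00 C3")  # fabricated 2nd site

def parse_pattern(aob):
    """Cheat Engine AOB text -> list of byte values, None for a ?? wildcard."""
    return [None if set(tok) <= set("?*") else int(tok, 16) for tok in aob.split()]

def find_all(image, pattern, base=0):
    """Every address (base + offset) at which the wildcard pattern matches."""
    n = len(pattern)
    return [base + i for i in range(len(image) - n + 1)
            if all(p is None or image[i + j] == p for j, p in enumerate(pattern))]

def is_unique(image, aob, base=0):
    """True when the pattern occurs exactly once, which is what '// should be unique' asks for."""
    return len(find_all(image, parse_pattern(aob), base)) == 1

def hook_offset(aob, opcode):
    """Offset of the instruction bytes `opcode` inside the AOB. aobscan names the first
    byte of the match, so a non-zero offset means the hook label must be SYMBOL+offset."""
    hits = find_all(parse_pattern(aob), parse_pattern(opcode))
    if len(hits) != 1:
        raise ValueError("opcode must occur exactly once in the pattern")
    return hits[0]
```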