Assassin's Creed Valhalla - Stun Damage Integer to Float Multiplier question

Anything Cheat Engine related, bugs, suggestions, helping others, etc.
CyanicDream
Noobzor
Posts: 6
Joined: Tue Oct 31, 2017 2:05 pm
Reputation: 0

Assassin's Creed Valhalla - Stun Damage Integer to Float Multiplier question

Post by CyanicDream »

I'm very new when it comes to actually using Cheat Engine, meaning I've done the bare minimum basic things like finding, changing and freezing values, as well as using tables, for years, but I'm finally diving into properly making my own scripts and learning how to make these tables myself. I decided AC Valhalla was a good starting point, but I'm finding that to be less and less true as I go about things. Here's a recent problem I'm having while experimenting.

I'm trying to make something akin to aSwedishMagyar's Damage Multiplier viewtopic.php?f=4&t=14392

where it multiplies Stun Damage instead. First I set my damage multiplier in his table to 0 so that I could keep my target from dying. I was using a boss enemy with a large amount of Defense to give myself the most time. Using unknown-initial-value and subsequent decreased-value scans, with some unchanged-value scans thrown in to whittle it down, I finally found the enemy's Defense address, and through that found the opcode (via the debugger, by checking what accesses the address) that handles how much damage is being dealt to it per hit.

This is what I have so far.

[screenshot]

I'm multiplying the amount subtracted from the enemy's Defense by an integer value, and it works: my stun damage is multiplied according to whatever I change the attached value to. r8d is storing it as an integer, but what I want to do is convert that integer to a float with fild, use fmul to multiply it by my variable, then fist it back into an integer before it goes through the normal process. It is not letting me do this; it says "unable to compile" when I attempt it, and my assumption here is that I cannot convert values stored in any of the r# areas. That's just my immediate assumption, though.

Here is the memory view location:
[screenshot]

The "mov r8d,edx" opcode near the top is storing my stun damage as well, so I tried making my script there instead, and it did allow me to compile the script (converting to float, multiplying, converting back to integer), but it would crash the moment I hit anything in testing.

Here is the test script:
[screenshot]

Now am I just missing something incredibly simple here? Any help would be greatly appreciated.

aSwedishMagyar
Table Makers
Posts: 394
Joined: Mon Jul 06, 2020 3:19 am
Reputation: 455

Re: Assassin's Creed Valhalla - Stun Damage Integer to Float Multiplier question

Post by aSwedishMagyar »

You are treating edx as a pointer; it is actually holding an integer, so when you reference it as an address it crashes.
Try and see if this works:

Code:

push rdx                  // 64-bit target (see the correction further down): push/pop the full rdx and use the slot through rsp, not esp
fild dword ptr [rsp]      // load the 32-bit integer that push just stored (the low half of rdx) into st0 as a float
fmul dword ptr [multVal]  // st0 = st0 * multVal; multVal is a 4-byte float you alloc in the script, e.g. multVal: dd (float)1.5
fistp dword ptr [rsp]     // convert st0 back to a 32-bit integer, store it over the pushed value, pop st0
pop rdx                   // edx now holds the scaled stun damage and the original code continues as normal

Alternatively you can make a temp variable to store the value like this:

Code:

mov [tempVar],edx          // tempVar is 4 bytes of scratch memory you alloc in the script (alloc(tempVar,4))
fild dword ptr [tempVar]   // integer -> float in st0
fmul dword ptr [multVal]   // st0 = st0 * multVal
fistp dword ptr [tempVar]  // float -> integer back into tempVar, pop st0
mov edx,[tempVar]          // put the scaled value back where the original code expects it

CyanicDream
Noobzor
Posts: 6
Joined: Tue Oct 31, 2017 2:05 pm
Reputation: 0

Re: Assassin's Creed Valhalla - Stun Damage Integer to Float Multiplier question

Post by CyanicDream »

aSwedishMagyar wrote:
Wed Mar 03, 2021 6:41 am
You are treating edx as a pointer, it is actually holding an integer so when you reference the address it crashes.

That worked beautifully, and I definitely didn't expect the man himself to respond. I still have a question as to how this is actually working though if you wouldn't mind answering. How have you determined that esp is the one that needs to be multiplied if edx is holding the value? Is the fistp storing that into edx and that is why we are pushing edx before using esp in the first place, then popping it so the rest of the code can use it as normal? Or is the pop itself storing whatever the esp value ends up being into edx?



Also with the pointer thing, does that mean I was essentially multiplying the address itself or? Sorry, I just started learning this stuff like 3 or so days ago so if these questions seem stupid, that's why.

aSwedishMagyar
Table Makers
Posts: 394
Joined: Mon Jul 06, 2020 3:19 am
Reputation: 455

Re: Assassin's Creed Valhalla - Stun Damage Integer to Float Multiplier question

Post by aSwedishMagyar »

CyanicDream wrote:
Wed Mar 03, 2021 8:01 am
How have you determined that esp is the one that needs to be multiplied if edx is holding the value?

The reason why is that esp holds an address and what is in that address is the last thing pushed onto the stack.

Pushing edx onto the stack would be the same thing as this:

Code:

sub rsp,8      // make room for one 8-byte stack slot; rsp now holds that slot's address
mov [rsp],edx  // store the value in the slot, so [rsp] is the integer you want to work on

The reason it would crash as soon as you tried to do fild [edx] is that edx held an integer value which was not within the valid address range.

Also, I forgot, but AC Valhalla is a 64-bit game, so use [rsp] not [esp] in the code I gave earlier.

CyanicDream
Noobzor
Posts: 6
Joined: Tue Oct 31, 2017 2:05 pm
Reputation: 0

Re: Assassin's Creed Valhalla - Stun Damage Integer to Float Multiplier question

Post by CyanicDream »

aSwedishMagyar wrote:
Wed Mar 03, 2021 8:53 am
The reason why is that esp holds an address and what is in that address is the last thing pushed onto the stack.

Ohhhh okay, now that makes sense. So by pushing edx onto the stack, rsp would then contain the address associated with edx since, obviously, edx was the last thing pushed onto the stack. Then do said manipulation with rsp, and pop edx back into the register.

Thank you for throwing that bit of code my way as well as answering my questions. I didn't wanna just take the code and yeet off since I wouldn't have learned anything that way lmao. Anyway, thanks again :)

SunBeam
Administration
Posts: 3443
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 2609

Re: Assassin's Creed Valhalla - Stun Damage Integer to Float Multiplier question

Post by SunBeam »

I will ask this once: Why are you using FPU in an x64 game? What's so hard about MMX? They follow the same typology any normal ASM follows.

Instead of doing that big ass sequence of instructions: push, fld, whatever-f, fstp, pop.. you can just do:

Code:

movss xmm1,[r64+offset] // read; now you have your float value in lower xmm1: xmm1 <- [r64+offset]
mulss xmm1,[fValue]     // multiply; xmm1 * fValue
movss [r64+offset],xmm1 // write; get it back, updated: xmm1 -> [r64+offset]

Let's "grow up" a bit, shall we? :)

P.S.#1: If xmm1 is used after your hook and you think you're overwriting it, then you have 14 more to pick from: xmm2 .. xmm15 :D

P.S.#2: If you want to convert the value back and forth between float and integer, there are MMX mechanisms for that too. Just gotta find a good example :D But then again, I believe there will be just the same amount of instructions involved or perhaps even more. But hey.. you're learning something extra, how to do it with MMX :P

aSwedishMagyar
Table Makers
Posts: 394
Joined: Mon Jul 06, 2020 3:19 am
Reputation: 455

Re: Assassin's Creed Valhalla - Stun Damage Integer to Float Multiplier question

Post by aSwedishMagyar »

SunBeam wrote:
Wed Mar 03, 2021 9:42 pm
I will ask this once: Why are you using FPU in an x64 game? What's so hard about MMX?
Sure sure man, but since it's an integer value in edx we'd use cvtsi2ss xmm1,edx and then just multiply normally.
I just like using the FPU as a personal preference, don't opcode-shame me. :D
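
The push/fild/fmul/fistp/pop sequence from aSwedishMagyar's reply above and the cvtsi2ss/mulss route that SunBeam and aSwedishMagyar sketch just above, side by side, as an added example that is not code from this thread or from either author's tables. It is C with GCC/Clang inline assembly so that both sequences can be run and compared on an x86-64 Linux machine; every asm line carries the Intel-syntax/CE form of the same instruction in its comment. The parameter mult stands in for the CE symbols multVal and fValue, the function names are mine, and scale_stun_portable is an assumed stand-in that is only used when the file is built for a non-x86 target.

```c
/*
 * Added example, not code from the thread or from any CE table: the two
 * "integer -> float -> multiply -> integer" sequences discussed above, as
 * GCC/Clang inline assembly.  Each asm line's comment gives the Intel/CE
 * form of the same instruction.  `mult` stands in for multVal / fValue.
 */
#include <stdint.h>
#include <stdio.h>

/* Assumed portable stand-in for non-x86 builds: rounds half to even like the
 * default x87 and MXCSR rounding modes.  Not bit-exact with the asm routes
 * for integers that do not fit in a float's 24-bit mantissa. */
int32_t scale_stun_portable(int32_t stun, float mult)
{
    double p = (double)stun * (double)mult;   /* float * float is exact in double */
    int64_t t = (int64_t)p;                   /* truncate toward zero */
    double frac = p - (double)t;
    if (frac > 0.5 || (frac == 0.5 && t % 2 != 0))
        t++;
    else if (frac < -0.5 || (frac == -0.5 && t % 2 != 0))
        t--;
    return (int32_t)t;
}

/* x87 route: the stack slot written by push is the scratch memory.
 * fild [edx] would instead dereference the stun value as an address, which
 * is the crash described in the thread. */
int32_t scale_stun_fpu(int32_t stun, float mult)
{
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
    __asm__ volatile(
        /* SysV Linux keeps a 128-byte red zone below rsp that a push would
         * clobber, so step past it here.  The Windows x64 ABI has no red
         * zone, so a CE script does not need these two leaq lines. */
        "leaq   -128(%%rsp), %%rsp\n\t"
        "pushq  %%rdx\n\t"            /* push rdx : [rsp] = stun (push edx is not encodable in 64-bit mode) */
        "fildl  (%%rsp)\n\t"          /* fild dword ptr [rsp]     : st0 = (float) stun                  */
        "fmuls  (%[mp])\n\t"          /* fmul dword ptr [multVal] : st0 = st0 * mult                    */
        "fistpl (%%rsp)\n\t"          /* fistp dword ptr [rsp]    : [rsp] = round(st0), pop st0         */
        "popq   %%rdx\n\t"            /* pop rdx  : edx = scaled integer                                 */
        "leaq   128(%%rsp), %%rsp\n\t"
        : "+d"(stun)                  /* "d" pins the value to edx/rdx on entry and on exit */
        : [mp] "r"(&mult)
        : "memory", "cc");
    return stun;
#else
    return scale_stun_portable(stun, mult);
#endif
}

/* SSE route suggested above: cvtsi2ss / mulss / cvtss2si, no stack traffic. */
int32_t scale_stun_sse(int32_t stun, float mult)
{
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
    __asm__ volatile(
        "cvtsi2ss %[v], %%xmm1\n\t"    /* cvtsi2ss xmm1,edx   : xmm1 = (float) stun                  */
        "mulss    (%[mp]), %%xmm1\n\t" /* mulss xmm1,[fValue] : xmm1 = xmm1 * mult                   */
        "cvtss2si %%xmm1, %[v]\n\t"    /* cvtss2si edx,xmm1   : edx = round(xmm1); cvttss2si truncates */
        : [v] "+r"(stun)
        : [mp] "r"(&mult)
        : "xmm1", "memory", "cc");
    return stun;
#else
    return scale_stun_portable(stun, mult);
#endif
}

int main(void)
{
    /* Constructed sample hits: 7 x 1.5 = 10.5 and 9 x 1.5 = 13.5 show the
     * round-half-to-even rule both conversions apply by default. */
    const int32_t hits[] = { 7, 9, 100, -9 };
    for (size_t i = 0; i < sizeof hits / sizeof hits[0]; i++)
        printf("stun %4d x 1.5 -> fpu %4d  sse %4d\n", (int)hits[i],
               (int)scale_stun_fpu(hits[i], 1.5f), (int)scale_stun_sse(hits[i], 1.5f));
    return 0;
}
```

Both routes give the same answers for ordinary stun values, and both round half to even under the default control-word and MXCSR settings (10.5 becomes 10, 13.5 becomes 14); use cvttss2si in place of cvtss2si if you want truncation instead. They only diverge for integers above 2^24, because cvtsi2ss rounds the integer to a float before the multiply while fild loads it exactly. The two leaq lines exist only because this runs inside a Linux C function; in a CE hook in the game, which follows the Windows x64 ABI, the five instructions between them are the whole hook body.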

SunBeam
Administration
Posts: 3443
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 2609

Re: Assassin's Creed Valhalla - Stun Damage Integer to Float Multiplier question

Post by SunBeam »

aSwedishMagyar wrote:
Wed Mar 03, 2021 9:50 pm
Sure sure man, but since it's an integer value in edx we'd use cvtsi2ss xmm1,edx and then just multiply normally.
I just like using the FPU as a personal preference, don't opcode-shame me. :D
I was asking the OP, man :) There's nothing wrong with using what you like; I am just suggesting leveling up a bit, moving away from that comfort zone and routine. It will become super boring if you do it 2389719237 times. You'll even think how boring it is BEFORE you even get to write a script: "bleah, I have to write again that fld, fmul, fstp crap; why can't it be simpler.. or different, even if more lines of code?". But even so, take it as a challenge to learn something new :) We all need a change in our lives, at some point, hehe.

CyanicDream
Noobzor
Posts: 6
Joined: Tue Oct 31, 2017 2:05 pm
Reputation: 0

Re: Assassin's Creed Valhalla - Stun Damage Integer to Float Multiplier question

Post by CyanicDream »

SunBeam wrote:
Wed Mar 03, 2021 10:02 pm
There's nothing wrong with using what you like; I am just suggesting leveling up a bit, moving away from that comfort zone and routine.
It's all I know at the moment and I'm very open to learning how to do it in different ways. Sadly I only have a few hours a day to sit down and learn this kind of stuff so I've only read a handful of tutorials and watched some videos. I want to see if I can dedicate some time to read through the CE documentation to see if that has any useful information as well.

Now, the reason I was using FPU instead of MMX is that, as of right now, I'm not even sure what either of those really is. I'm assuming FPU are your eax ebx ecx and MMX are the xmm*, is that correct? Or am I not even in the right ballpark on that one? Also, thank you for adding comments on your code earlier to help explain what each line is doing. I've got a text file I'm keeping a bunch of notes in that I've learned so far lmao

I am 100% willing to "grow up" as I really do want to learn as much as I can on my limited time available to me.

SunBeam
Administration
Posts: 3443
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 2609

Re: Assassin's Creed Valhalla - Stun Damage Integer to Float Multiplier question

Post by SunBeam »

CyanicDream wrote:
Thu Mar 04, 2021 3:10 pm
I'm assuming FPU are your eax ebx ecx and MMX are the xmm*, is that correct?
I recommend trying to use a debugger in the real sense of the word that does only that, debug. CE is more of a swiss army knife, it's not aimed at debugging as a major component.

Here: [Link]

Then when you open an executable in the debugger, you will see this:

< x64 registers and flags >

[screenshot]

< FPU >

[screenshot]

< MMX >

[screenshot]

So you have quite a shitload of registers to play with in case you want to save/restore states (yes, you can store the information for normal x64 registers in FPU or MMX) ;) So: x64; FPU; MMX. 3 independent spaces.

BR,
Sun

CyanicDream
Noobzor
Posts: 6
Joined: Tue Oct 31, 2017 2:05 pm
Reputation: 0

Re: Assassin's Creed Valhalla - Stun Damage Integer to Float Multiplier question

Post by CyanicDream »

SunBeam wrote:
Thu Mar 04, 2021 3:32 pm
I recommend trying to use a debugger in the real sense of the word that does only that, debug.
Oooo, I'm gonna go play around with that right now. Thank you for taking the time to educate me a bit.

PeaceBeUponYou
Cheater
Posts: 44
Joined: Sat Dec 12, 2020 8:09 am
Reputation: 54

Re: Assassin's Creed Valhalla - Stun Damage Integer to Float Multiplier question

Post by PeaceBeUponYou »

XMM registers are NOT MMX registers; they are SSE registers (128-bit registers used in SSE through SSE4.2). MMX registers are MM0-MM7 (64-bit registers), and they are not supported by the CE assembler. (As a matter of fact, they are not used by any modern processes, which are advancing to AVX (YMM: 256-bit) and AVX-512 (ZMM: 512-bit).)

SunBeam
Administration
Posts: 3443
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 2609

Re: Assassin's Creed Valhalla - Stun Damage Integer to Float Multiplier question

Post by SunBeam »

PeaceBeUponYou wrote:
Thu Mar 04, 2021 5:43 pm
XMM registers are NOT MMX registers
[Link]

Correct. I guess I got used to labeling them wrong like that out of habit :) Thanks.
