Currently, I’m playing Kingdom Two Crowns on the latest version, and since no one has uploaded any pre-made cheats yet, I’m trying to hack the game myself.
I’m learning about pointers but still don’t know much about them.
The current issue is that when I use the Mono Features and find the values I need, a new value keeps appearing and changing constantly. How can I hack this?
For this game, I want to make the Workers build structures quickly. So far, I’ve found this:
When I JIT, I see this value:
Every time I build something, a new value appears, and the values for the same building type are fixed, for example: 10, 30, 60, 75, 90, etc.
10
30
60
75
90
Each time, I have to manually change these values like 9, 29, 59, 74, 89, etc. so that the Worker will finish when it reaches it (if I change it to 10, the Worker will think it’s complete and won’t come to finish it).
I hope someone can help me or guide me in writing a script for this. Thank you!
AOB Script of movss xmm0,[rax+74]
Code: Select all
[ENABLE]
aobscan(WorkerBuildingFaster,F1 48 8B 46 48 48 8B C8 83 39 00 F3 0F 10 40 74) // should be unique
alloc(newmem,$1000,WorkerBuildingFaster)
label(code)
label(return)
newmem:
code:
movss xmm0,[rax+74]
jmp return
WorkerBuildingFaster+0B:
jmp newmem
return:
registersymbol(WorkerBuildingFaster)
[DISABLE]
WorkerBuildingFaster+0B:
db F3 0F 10 40 74
unregistersymbol(WorkerBuildingFaster)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: 25EE4E7EAB5
25EE4E7EA98: 00 00 - add [rax],al
25EE4E7EA9A: 00 00 - add [rax],al
25EE4E7EA9C: 00 00 - add [rax],al
25EE4E7EA9E: 00 00 - add [rax],al
25EE4E7EAA0: 48 83 EC 08 - sub rsp,08
25EE4E7EAA4: 48 89 34 24 - mov [rsp],rsi
25EE4E7EAA8: 48 8B F1 - mov rsi,rcx
25EE4E7EAAB: 48 8B 46 48 - mov rax,[rsi+48]
25EE4E7EAAF: 48 8B C8 - mov rcx,rax
25EE4E7EAB2: 83 39 00 - cmp dword ptr [rcx],00
// ---------- INJECTING HERE ----------
25EE4E7EAB5: F3 0F 10 40 74 - movss xmm0,[rax+74]
// ---------- DONE INJECTING ----------
25EE4E7EABA: F3 0F 5A C0 - cvtss2sd xmm0,xmm0
25EE4E7EABE: 48 63 40 68 - movsxd rax,dword ptr [rax+68]
25EE4E7EAC2: F3 0F 2A C8 - cvtsi2ss xmm1,eax
25EE4E7EAC6: F3 0F 5A C9 - cvtss2sd xmm1,xmm1
25EE4E7EACA: 48 33 C0 - xor rax,rax
25EE4E7EACD: 66 0F 2F C8 - comisd xmm1,xmm0
25EE4E7EAD1: 40 0F 97 C0 - seta al
25EE4E7EAD5: 48 8B 34 24 - mov rsi,[rsp]
25EE4E7EAD9: 48 83 C4 08 - add rsp,08
25EE4E7EADD: C3 - ret
}
Code: Select all
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
aobscanregion(FastBuild,WorkableBuilding:JobAvailable,WorkableBuilding:JobAvailable+30,83 ** ** 8B ** ** D9 ** ** 8B)
registersymbol(FastBuild)
alloc(newmem,2048)
alloc(check1,4)
label(returnhere)
label(originalcode_FastBuild)
registersymbol(originalcode_FastBuild)
registersymbol(check1)
label(exitR)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
cmp [eax+34],(float)1.0
je originalcode_FastBuild
push edx
mov edx,[eax+30]
sub edx,1
cvtsi2ss xmm0,edx
movss [check1],xmm0
mov edx,[check1]
cmp [eax+3C],edx
jge exitR
mov [eax+3C],edx
exitR:
pop edx
originalcode_FastBuild:
fld dword ptr [eax+3C]
mov eax,[eax+30]
exit:
jmp returnhere
///
FastBuild+6: //WorkableBuilding:JobAvailable+9:
jmp newmem
nop
returnhere:
[DISABLE]
dealloc(newmem)
FastBuild+6: //WorkableBuilding:JobAvailable+9:
db D9 40 3C 8B 40 30
unregistersymbol(originalcode_FastBuild)
dealloc(check1)
unregistersymbol(check1)
{
// ORIGINAL CODE - INJECTION POINT: WorkableBuilding:JobAvailable+9
Scaffolding:SetProgress+f9: 8B C0 - mov eax,eax
Scaffolding:SetProgress+fb: E8 0C 97 36 11 - call 1204F6DC
Scaffolding:SetProgress+100: EB A5 - jmp Scaffolding:SetProgress+a7
00CE5FD2: 00 00 - add [eax],al
00CE5FD4: 00 00 - add [eax],al
00CE5FD6: 00 00 - add [eax],al
WorkableBuilding:JobAvailable: 55 - push ebp
WorkableBuilding:JobAvailable+1: 8B EC - mov ebp,esp
WorkableBuilding:JobAvailable+3: 83 EC 08 - sub esp,08
WorkableBuilding:JobAvailable+6: 8B 45 08 - mov eax,[ebp+08]
// ---------- INJECTING HERE ----------
WorkableBuilding:JobAvailable+9: D9 40 3C - fld dword ptr [eax+3C]
// ---------- DONE INJECTING ----------
WorkableBuilding:JobAvailable+c: 8B 40 30 - mov eax,[eax+30]
WorkableBuilding:JobAvailable+f: 50 - push eax
WorkableBuilding:JobAvailable+10: DB 04 24 - fild dword ptr [esp]
WorkableBuilding:JobAvailable+13: D9 1C 24 - fstp dword ptr [esp]
WorkableBuilding:JobAvailable+16: D9 04 24 - fld dword ptr [esp]
WorkableBuilding:JobAvailable+19: 83 C4 04 - add esp,04
WorkableBuilding:JobAvailable+1c: 33 C0 - xor eax,eax
WorkableBuilding:JobAvailable+1e: DF F1 - fcomip st(0),st(1)
WorkableBuilding:JobAvailable+20: DD D8 - fstp st(0)
WorkableBuilding:JobAvailable+22: 0F 97 C0 - seta al
}
