Making a script for a double value

Tahtawy
Expert Cheater
Posts: 58
Joined: Fri Mar 03, 2017 7:36 pm
Reputation: 28

Post by Tahtawy » Wed Jan 30, 2019 1:57 am

I can't seem to make a working script for health which is a double value.

the original code at the injection point is this:

Code:

movsd xmm0,[esi]
movsd [edi],xmm0

[edi] is the address where the value of health is stored as a double.

Any time I try to move a value into xmm0, or try to use the fld and fstp commands to set the value at [edi] to 1000 after the code, the game crashes.

Can someone please help me understand what I should do?

TheyCallMeTim13
Administration
Posts: 1616
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 581

Re: Making a script for a double value

Post by TheyCallMeTim13 » Wed Jan 30, 2019 2:40 am

As far as the crash, hard to say but sounds like there may be a stack alignment issue.
But just going with a basic move should work. So you'll need to create an address to move the value from, an immediate value in ASM can't be more than 4 bytes.

Code:

//...
// In some allocated memory
label(value) // alloc(value, 8)
value:
  dq (double)1000     // 8-byte IEEE-754 image of 1000.0
//...
// In the injected code
movsd xmm0,[value]    // load the double from the cell above
movsd [esi],xmm0      // overwrite the source value as well
movsd [edi],xmm0      // the original store, now writing 1000.0

CE wiki - Tutorials | CE wiki - Auto Assembler Basics | CE wiki - Lua Basics
If it's not a Personal Message don't PM me, use the forum. I ignore PMs that should be asked on the forum.
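
As an added worked example (my code, not TheyCallMeTim13's script and not Cheat Engine itself): the C below shows what `dq (double)1000` actually stores, why that image cannot be carried by a single 4-byte immediate, the two-DWORD store that works when you cannot allocate a cell, and the 16-byte alignment check that only matters if the surrounding code uses movaps/movapd rather than movsd. The function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the forum thread. Models what the Cheat Engine
   auto-assembler stores for `dq (double)1000` and how that 8-byte image gets
   into the target slot. All function names here are our own. */

/* Raw IEEE-754 bit pattern of a double, the same 64 bits `dq (double)x`
   assembles to (memcpy avoids the strict-aliasing pitfalls of a pointer cast). */
static uint64_t double_bits(double v)
{
    uint64_t bits;
    memcpy(&bits, &v, sizeof bits);
    return bits;
}

/* Little-endian byte image of the double, as it sits in the `value:` cell
   that `movsd xmm0,[value]` later reads. */
static void double_to_le_bytes(double v, uint8_t out[8])
{
    uint64_t bits = double_bits(v);
    for (int i = 0; i < 8; i++)
        out[i] = (uint8_t)(bits >> (8 * i));
}

/* The two 32-bit immediates you would need without a data cell: an x86
   `mov dword ptr [mem],imm32` carries at most 4 bytes, so a double takes
   two stores, low half at [edi] and high half at [edi+4]. */
static uint32_t dword_lo(double v) { return (uint32_t)double_bits(v); }
static uint32_t dword_hi(double v) { return (uint32_t)(double_bits(v) >> 32); }

/* Simulates the `movsd xmm0,[value]` / `movsd [edi],xmm0` pair: an 8-byte
   copy from the data cell into a target slot. Returns what the slot reads
   back as, so the caller can confirm the store produced the intended double. */
static double store_via_cell(double v)
{
    uint8_t cell[8], slot[8] = {0};
    double readback;
    double_to_le_bytes(v, cell);
    memcpy(slot, cell, 8);            /* movsd xmm0,[value]; movsd [edi],xmm0 */
    memcpy(&readback, slot, 8);
    return readback;
}

/* Same result with two 4-byte stores, the immediate-only alternative
   (host is assumed little-endian, as x86 is). */
static double store_via_two_dwords(double v)
{
    uint8_t slot[8] = {0};
    uint32_t lo = dword_lo(v), hi = dword_hi(v);
    double readback;
    memcpy(slot, &lo, 4);             /* mov dword ptr [edi],lo   */
    memcpy(slot + 4, &hi, 4);         /* mov dword ptr [edi+4],hi */
    memcpy(&readback, slot, 8);
    return readback;
}

/* movsd accepts any address; movaps/movapd fault on one that is not
   16-byte aligned. Worth checking for any cell handed to aligned SSE moves. */
static int is_aligned16(const void *p)
{
    return ((uintptr_t)p & 0xF) == 0;
}

int main(void)
{
    uint8_t cell[8];
    double_to_le_bytes(1000.0, cell);
    printf("dq (double)1000 ->");
    for (int i = 0; i < 8; i++)
        printf(" %02X", cell[i]);
    printf("\nas two DWORDs: lo=%08X hi=%08X\n", dword_lo(1000.0), dword_hi(1000.0));
    printf("store_via_cell=%g store_via_two_dwords=%g aligned16(cell)=%d\n",
           store_via_cell(1000.0), store_via_two_dwords(1000.0), is_aligned16(cell));
    return 0;
}
```

In the auto assembler the two-DWORD route would read, assuming its usual hex-by-default syntax, `mov dword ptr [edi],0` followed by `mov dword ptr [edi+4],408F4000`; it touches the slot twice, so the cell plus `movsd` is the cleaner choice whenever allocated memory is available.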

Tahtawy

Re: Making a script for a double value

Post by Tahtawy » Wed Jan 30, 2019 11:45 am

TheyCallMeTim13 wrote:
Wed Jan 30, 2019 2:40 am
As far as the crash, hard to say but sounds like there may be a stack alignment issue.
But just going with a basic move should work. So you'll need to create an address to move the value from, an immediate value in ASM can't be more than 4 bytes.

Code:

//...
// In some allocated memory
label(value) // alloc(value, 8)
value:
  dq (double)1000
//...
/// In the injected code.
movsd xmm0,[value]
movsd [esi],xmm0
movsd [edi],xmm0

Thank you, I really appreciate your help, but the game crashed again. I always have problems with the xmm registers and double values; maybe I'm injecting it incorrectly or simplifying the process. I'm really new to this, and I rarely had problems with code injections and scripts for 4-byte values, but once I find the xmm registers, the issues start.

Thanks anyway.

SunBeam
Administration
Posts: 2536
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 1024

Re: Making a script for a double value

Post by SunBeam » Wed Jan 30, 2019 11:48 am

..perhaps the address you put your value in needs to be 16-byte aligned (does the game use any movaps instruction before your code?). Can you dump the game .exe with Task Explorer, upload it somewhere and send me a link? PM, if you wish. I can take a better look at it that way.

[ ntcore.com; download Explorer Suite; install it; run game, Start > Task Explorer (64-bit); scroll the list till you find your game .exe; right-click > Dump PE; upload it someplace; send me link ]

Tahtawy

Re: Making a script for a double value

Post by Tahtawy » Wed Jan 30, 2019 12:26 pm

SunBeam wrote:
Wed Jan 30, 2019 11:48 am
..perhaps the address you put your value in needs to be 16-byte aligned (does the game use any movaps instruction before your code?). Can you dump the game .exe with Task Explorer, upload it somewhere and send me a link? PM, if you wish. I can take a better look at it that way.

[ ntcore.com; download Explorer Suite; install it; run game, Start > Task Explorer (64-bit); scroll the list till you find your game .exe; right-click > Dump PE; upload it someplace; send me link ]
I've honestly never used or dealt with the movaps command before.

But I uploaded the dumped exe file for the game. Thank you so much for your help. I just want to understand why moving a value into or from xmm registers always crashes my games.

http://www.mediafire.com/file/t1d5sutz9 ... d.rar/file

SunBeam

Re: Making a script for a double value

Post by SunBeam » Wed Jan 30, 2019 1:05 pm

Also.. you might as well indicate where exactly in memory that piece of code is:

Code:

movsd xmm0,[esi]
movsd [edi],xmm0

I can't guess where it is.. So.. open the game, open CE, go to that address in Memory View, then View > [enable] Show module addresses and View > [disable] Show symbols. Then post a screenshot here.

SunBeam

Re: Making a script for a double value

Post by SunBeam » Wed Jan 30, 2019 1:11 pm

..anyway, I think I know why your game crashes, with or without any edits :D It's because of this: https://www.indiedb.com/games/synthetik. The game's engine is GameMaker Studio, which is known to be a troublesome engine, as 98% of the functionality uses shared functions. Are you 100% sure that spot you hook and want to change isn't used for any other form of processing and is only hit when you do the action you want? Or does it break even when you move around, jump, open menu, etc.? I have a feeling you want to hook some generic calculation function and you fuck it up for the rest of the processing..

Do post the screenshot I requested though; will see what I can learn from the ASM.

Tahtawy

Re: Making a script for a double value

Post by Tahtawy » Wed Jan 30, 2019 1:23 pm

[image attachment: screenshot]

SunBeam

Re: Making a script for a double value

Post by SunBeam » Wed Jan 30, 2019 1:25 pm

See what you can make out of this :P
Attachment: list_up.zip (5.23 KiB)

Tahtawy

Re: Making a script for a double value

Post by Tahtawy » Wed Jan 30, 2019 1:26 pm

SunBeam wrote:
Wed Jan 30, 2019 1:11 pm
..anyway, I think I know why your game crashes, with or without any edits :D It's because of this: https://www.indiedb.com/games/synthetik. The game's engine is GameMaker Studio, which is known to be a troublesome engine, as 98% of the functionality uses shared functions. Are you 100% sure that spot you hook and want to change isn't used for any other form of processing and is only hit when you do the action you want? Or does it break even when you move around, jump, open menu, etc.? I have a feeling you want to hook some generic calculation function and you fuck it up for the rest of the processing..

Do post the screenshot I requested though; will see what I can learn from the ASM.
I'm pretty sure you're right. That's why I said I am simplifying the process. I think it accesses way more than just the health, as sometimes, instead of crashing, the game menu would just get jumbled.

SunBeam

Re: Making a script for a double value

Post by SunBeam » Wed Jan 30, 2019 1:28 pm

That address you're showing is part of a function CALL-ed from 33 locations (perhaps more, as I cannot run the game to find any dynamic calls; e.g.: call qword ptr [rax+230] -> Synthetik_dumped.exe+192DE00). That's what I meant earlier :) So you're pretty much fucked :P

Tahtawy

Re: Making a script for a double value

Post by Tahtawy » Wed Jan 30, 2019 1:31 pm

SunBeam wrote:
Wed Jan 30, 2019 1:28 pm
That address you're showing is part of a function CALL-ed from 33 locations (perhaps more, as I cannot run the game to find any dynamic calls; e.g.: call qword ptr [rax+230] -> Synthetik_dumped.exe+192DE00). That's what I meant earlier :) So you're pretty much fucked :P
:D I knew it was way above my level to even try to mess with a GameMaker game. The minute I saw the menus get jumbled, I knew it was way more complicated than I initially thought. Thanks anyway @SunBeam, I really appreciate it :D

SunBeam

Re: Making a script for a double value

Post by SunBeam » Wed Jan 30, 2019 1:36 pm

Hold up, I'm not done yet ;) The function is a case function. What that means is depending on the input value, the function will execute a certain portion. See the explanation below:

Code:

01D1DE00  | 83 EC 08           | SUB ESP,8                          | « prologue
01D1DE03  | 53                 | PUSH EBX                           |
01D1DE04  | 55                 | PUSH EBP                           |
01D1DE05  | 56                 | PUSH ESI                           |
01D1DE06  | 8B 74 24 20        | MOV ESI,DWORD PTR SS:[ESP+20]      | « retrieve a pointer
01D1DE0A  | 57                 | PUSH EDI                           |
01D1DE0B  | 8B 7C 24 1C        | MOV EDI,DWORD PTR SS:[ESP+1C]      | « get pointer to action value
01D1DE0F  | 8B 47 0C           | MOV EAX,DWORD PTR DS:[EDI+C]       | « get value
01D1DE12  | 8B C8              | MOV ECX,EAX                        | « store in ECX
01D1DE14  | 81 E1 FF FF FF 00  | AND ECX,synthetik_dumped.FFFFFF    | « test value
01D1DE1A  | 83 F9 02           | CMP ECX,2                          | « this is where the 'case' starts
01D1DE1D  | 0F 84 FE 01 00 00  | JE synthetik_dumped.1D1E021        |
01D1DE23  | 81 FE 00 00 00 80  | CMP ESI,80000000                   |
01D1DE29  | 0F 85 E9 01 00 00  | JNE synthetik_dumped.1D1E018       |
01D1DE2F  | 48                 | DEC EAX                            | « case processing, decrementing EAX
01D1DE30  | A9 FC FF FF 00     | TEST EAX,synthetik_dumped.FFFFFC   |
01D1DE35  | 0F 85 0F 01 00 00  | JNE synthetik_dumped.1D1DF4A       |
01D1DE3B  | 83 E9 01           | SUB ECX,1                          | « case 1
01D1DE3E  | 0F 84 FA 00 00 00  | JE synthetik_dumped.1D1DF3E        |
01D1DE44  | 83 E9 01           | SUB ECX,1                          | « case 2
01D1DE47  | 74 28              | JE synthetik_dumped.1D1DE71        |
01D1DE49  | 83 E9 01           | SUB ECX,1                          | « case 3
01D1DE4C  | 0F 85 F8 00 00 00  | JNE synthetik_dumped.1D1DF4A       |

So what we need to find is when the exact 'case' you want happens (for which EAX or ECX value?). Continuing:

Code:

01D1DF4A  | 8B 74 24 20           | MOV ESI,DWORD PTR SS:[ESP+20]        | « get ESI
01D1DF4E  | C7 47 08 00 00 00 00  | MOV DWORD PTR DS:[EDI+8],0           |
01D1DF55  | C7 47 0C 05 00 00 00  | MOV DWORD PTR DS:[EDI+C],5           |
01D1DF5C  | C7 07 00 00 00 00     | MOV DWORD PTR DS:[EDI],0             |
01D1DF62  | 8B 46 0C              | MOV EAX,DWORD PTR DS:[ESI+C]         | « get switch value in EAX
01D1DF65  | 89 47 0C              | MOV DWORD PTR DS:[EDI+C],EAX         |
01D1DF68  | 8B 46 08              | MOV EAX,DWORD PTR DS:[ESI+8]         |
01D1DF6B  | 89 47 08              | MOV DWORD PTR DS:[EDI+8],EAX         |
01D1DF6E  | 8B 46 0C              | MOV EAX,DWORD PTR DS:[ESI+C]         | « get it again
01D1DF71  | 25 FF FF FF 00        | AND EAX,synthetik_dumped.FFFFFF      |
01D1DF76  | 83 F8 0E              | CMP EAX,E                            | « check if > 0xE
01D1DF79  | 0F 87 1E 03 00 00     | JA synthetik_dumped.1D1E29D          |
01D1DF7F  | 0F B6 80 C4 E2 A2 01  | MOVZX EAX,BYTE PTR DS:[EAX+1A2E2C4]  |
01D1DF86  | FF 24 85 A8 E2 A2 01  | JMP DWORD PTR DS:[EAX*4+1A2E2A8]     |
01D1DF8D  | 8B 06                 | MOV EAX,DWORD PTR DS:[ESI]           |
01D1DF8F  | 89 07                 | MOV DWORD PTR DS:[EDI],EAX           |
01D1DF91  | 85 C0                 | TEST EAX,EAX                         |
01D1DF93  | 0F 84 04 03 00 00     | JE synthetik_dumped.1D1E29D          |
01D1DF99  | FF 00                 | INC DWORD PTR DS:[EAX]               |
01D1DF9B  | 8B 07                 | MOV EAX,DWORD PTR DS:[EDI]           |
01D1DF9D  | 83 78 08 00           | CMP DWORD PTR DS:[EAX+8],0           |
01D1DFA1  | 0F 85 F6 02 00 00     | JNE synthetik_dumped.1D1E29D         |
01D1DFA7  | 89 78 08              | MOV DWORD PTR DS:[EAX+8],EDI         |
01D1DFAA  | 5F                    | POP EDI                              |
01D1DFAB  | 5E                    | POP ESI                              |
01D1DFAC  | 5D                    | POP EBP                              |
01D1DFAD  | 5B                    | POP EBX                              |
01D1DFAE  | 83 C4 08              | ADD ESP,8                            |
01D1DFB1  | C3                    | RET                                  |
01D1DFB2  | F2 0F 10 06           | MOVSD XMM0,QWORD PTR DS:[ESI]        | « your code; one of the cases
01D1DFB6  | F2 0F 11 07           | MOVSD QWORD PTR DS:[EDI],XMM0        |
01D1DFBA  | 5F                    | POP EDI                              |
01D1DFBB  | 5E                    | POP ESI                              |
01D1DFBC  | 5D                    | POP EBP                              |
01D1DFBD  | 5B                    | POP EBX                              |
01D1DFBE  | 83 C4 08              | ADD ESP,8                            |
01D1DFC1  | C3                    | RET                                  |
01D1DFC2  | 8B 06                 | MOV EAX,DWORD PTR DS:[ESI]           |
01D1DFC4  | 89 07                 | MOV DWORD PTR DS:[EDI],EAX           |
01D1DFC6  | 8B 46 04              | MOV EAX,DWORD PTR DS:[ESI+4]         |
01D1DFC9  | 89 47 04              | MOV DWORD PTR DS:[EDI+4],EAX         |
01D1DFCC  | 5F                    | POP EDI                              |
01D1DFCD  | 5E                    | POP ESI                              |
01D1DFCE  | 5D                    | POP EBP                              |
01D1DFCF  | 5B                    | POP EBX                              |
01D1DFD0  | 83 C4 08              | ADD ESP,8                            |
01D1DFD3  | C3                    | RET                                  |

So what we need to do now is to find the EAX value and use it as a filter :P And to do that, you just check this spot:

Code:

01D1DF7F  | 0F B6 80 C4 E2 A2 01  | MOVZX EAX,BYTE PTR DS:[EAX+1A2E2C4]  |
01D1DF86  | FF 24 85 A8 E2 A2 01  | JMP DWORD PTR DS:[EAX*4+1A2E2A8]     |

So.. we need to get 1 byte from [EAX+1A2E2C4]; then the JMP [EAX*4+1A2E2A8] should take us to 01D1DFB2, 01D1DFC2, etc. Each case is delimited by the piece of code and the RET:

Code:

01D1DFB2  | F2 0F 10 06           | MOVSD XMM0,QWORD PTR DS:[ESI]        | « your code; one of the cases
01D1DFB6  | F2 0F 11 07           | MOVSD QWORD PTR DS:[EDI],XMM0        |
01D1DFBA  | 5F                    | POP EDI                              |
01D1DFBB  | 5E                    | POP ESI                              |
01D1DFBC  | 5D                    | POP EBP                              |
01D1DFBD  | 5B                    | POP EBX                              |
01D1DFBE  | 83 C4 08              | ADD ESP,8                            |
01D1DFC1  | C3                    | RET                                  |

^ That's case 1.

Code:

01D1DFC2  | 8B 06                 | MOV EAX,DWORD PTR DS:[ESI]           |
01D1DFC4  | 89 07                 | MOV DWORD PTR DS:[EDI],EAX           |
01D1DFC6  | 8B 46 04              | MOV EAX,DWORD PTR DS:[ESI+4]         |
01D1DFC9  | 89 47 04              | MOV DWORD PTR DS:[EDI+4],EAX         |
01D1DFCC  | 5F                    | POP EDI                              |
01D1DFCD  | 5E                    | POP ESI                              |
01D1DFCE  | 5D                    | POP EBP                              |
01D1DFCF  | 5B                    | POP EBX                              |
01D1DFD0  | 83 C4 08              | ADD ESP,8                            |
01D1DFD3  | C3                    | RET                                  |

^ That's case 2. And so on.

So..

Code:

Synthetik_dumped.exe+192DF7F - 0FB6 80 C4E2A201      - movzx eax,byte ptr [eax+Synthetik_dumped.exe+163E2C4]
Synthetik_dumped.exe+192DF86 - FF 24 85 A8E2A201     - jmp dword ptr [eax*4+Synthetik_dumped.exe+163E2A8]

The BYTE at "Synthetik_dumped.exe+163E2C4" is 0x4. That's the starting value. You can increase or decrease it, based on EAX's value (eax+0x4) - if positive or negative. Doing several tries + combining it with the [eax*4+Synthetik_dumped.exe+163E2A8] below returns the original EAX as.. 0x1B7F42. Not sure if this is correct, as the dump might've stored some static addresses which show incorrect memory on my end.

You can find this value by putting a break here:

Code:

Synthetik_dumped.exe+192DFB2 - F2 0F10 06            - movsd xmm0,[esi]

When it breaks, check the EAX register :P And tell me the value, please.

Also, trace with F8 key till here:

Code:

Synthetik_dumped.exe+192DFC1 - C3                    - ret

And stop. Then right-click the stack (the bottom-right sub-window of Memory View, while the breakpoint is hit) and have it show the full stack. Tell me what you see at esp+0 :) Maybe we can use the return address as a filter (hoping the function is not just a wrapper; as in, an intermediary function used in the 33 calculations).

BR,
Sun
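
To make the failure mode reproducible, here is an added C model of that case function (my code, not the game's and not SunBeam's; the tag values, case order, field layouts and the sample values are assumptions, while the shape follows the listing). It dispatches through a byte table and a jump table the way the disassembly does, then compares an unfiltered hook on the movsd case, which rewrites every double the engine copies (the "jumbled menu" symptom), with one that only fires for the slot identified as health.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the game's code: a C model of the shared "copy a value"
   routine SunBeam disassembled above. Tag values, case order and the field
   layouts are assumptions; the shape follows the listing: a byte table maps
   [esi+C] to a case index, a jump table picks the copy routine, and only one
   case is the movsd pair the original post hooked. */

enum { TAG_PTR = 0, TAG_DOUBLE = 1, TAG_INT64 = 2 };   /* assumed tag values */

typedef struct {
    uint32_t tag;                                       /* [esi+C] / [edi+C] */
    union { double d; int64_t i; int32_t *obj; } v;     /* payload at [+0]   */
} rvalue_t;

enum { HOOK_OFF, HOOK_NAIVE, HOOK_FILTERED };
static int          hook_mode   = HOOK_OFF;
static const void  *health_slot = NULL;   /* the [edi] Cheat Engine showed for health */
static const double forced_hp   = 1000.0;

/* Case "movsd xmm0,[esi] / movsd [edi],xmm0". The hook lives here: a naive
   hook forces every double copy, a filtered one only the copy into the slot
   that was identified as health. */
static void case_double(const rvalue_t *src, rvalue_t *dst)
{
    double d = src->v.d;                                 /* movsd xmm0,[esi] */
    if (hook_mode == HOOK_NAIVE ||
        (hook_mode == HOOK_FILTERED && (const void *)dst == health_slot))
        d = forced_hp;
    dst->v.d = d;                                        /* movsd [edi],xmm0 */
}

/* Case "mov eax,[esi] / mov [edi],eax / mov eax,[esi+4] / mov [edi+4],eax". */
static void case_int64(const rvalue_t *src, rvalue_t *dst)
{
    dst->v.i = src->v.i;
}

/* Case "mov eax,[esi] / mov [edi],eax / test eax,eax / je / inc dword [eax]":
   a pointer copy that bumps a reference count on the pointed-to object. */
static void case_ptr(const rvalue_t *src, rvalue_t *dst)
{
    dst->v.obj = src->v.obj;
    if (dst->v.obj)
        (*dst->v.obj)++;
}

typedef void (*case_fn)(const rvalue_t *, rvalue_t *);

/* Like `movzx eax,byte ptr [eax+table]` and `jmp [eax*4+jumptable]`. */
static const uint8_t case_index[3] = { 0, 1, 2 };
static const case_fn jump_table[3] = { case_ptr, case_double, case_int64 };

static void copy_value(const rvalue_t *src, rvalue_t *dst)
{
    uint32_t tag = src->tag & 0xFFFFFF;       /* and eax,FFFFFF */
    if (tag >= sizeof case_index)             /* cmp eax,E / ja default */
        return;
    dst->tag = src->tag;                      /* mov [edi+C],eax */
    jump_table[case_index[tag]](src, dst);
}

typedef struct { double health, menu_x; int64_t score; int32_t refs; } frame_t;

/* One "frame": the engine copies health, a menu coordinate, a score and an
   object reference through the same routine. The input values are constructed. */
static frame_t simulate(int mode)
{
    rvalue_t health_src = { TAG_DOUBLE, { .d = 37.5 } },  health_dst = { 0 };
    rvalue_t menu_src   = { TAG_DOUBLE, { .d = 0.25 } },  menu_dst   = { 0 };
    rvalue_t score_src  = { TAG_INT64,  { .i = 1234 } },  score_dst  = { 0 };
    int32_t  obj_refs   = 1;
    rvalue_t ptr_src    = { TAG_PTR,    { .obj = &obj_refs } }, ptr_dst = { 0 };

    hook_mode   = mode;
    health_slot = &health_dst;
    copy_value(&health_src, &health_dst);
    copy_value(&menu_src,   &menu_dst);
    copy_value(&score_src,  &score_dst);
    copy_value(&ptr_src,    &ptr_dst);
    hook_mode = HOOK_OFF;

    frame_t f = { health_dst.v.d, menu_dst.v.d, score_dst.v.i, obj_refs };
    return f;
}

int main(void)
{
    static const char *names[] = { "no hook", "naive hook", "filtered hook" };
    for (int m = HOOK_OFF; m <= HOOK_FILTERED; m++) {
        frame_t f = simulate(m);
        printf("%-13s health=%g menu_x=%g score=%lld refs=%d\n",
               names[m], f.health, f.menu_x, (long long)f.score, f.refs);
    }
    return 0;
}
```

In the script itself the equivalent filter is a compare placed before the store, either against the health address already found (assumed symbol name, e.g. `cmp edi,[healthAddr]`) or, as suggested above, against the return address on the stack; every other path through the case must still execute the original two movsd instructions unchanged.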

SunBeam

Re: Making a script for a double value

Post by SunBeam » Wed Jan 30, 2019 8:29 pm

So I eventually downloaded the game and tested stuff out :) GameMaker is pretty simple and straightforward. Here's the run-down on my .exe (SYNTHETIK.Legion.Rising-GOG):

Code:

00FC2389 | 897424 0C             | MOV DWORD PTR SS:[ESP+C],ESI              |
00FC238D | 890424                | MOV DWORD PTR SS:[ESP],EAX                |
00FC2390 | C74424 08 00000080    | MOV DWORD PTR SS:[ESP+8],80000000         |
00FC2398 | C74424 04 820D0000    | MOV DWORD PTR SS:[ESP+4],D82              |
00FC23A0 | E8 DBC17501           | CALL synthetik.271E580                    |
..   
..   
02713340 | 8B5424 04             | MOV EDX,DWORD PTR SS:[ESP+4]              |
02713344 | 85D2                  | TEST EDX,EDX                              | edx == 0x2111D
02713346 | 78 24                 | JS synthetik.271336C                      |
02713348 | 8B0D EC8A681F         | MOV ECX,DWORD PTR DS:[1F688AEC]           | ecx == 0x000001FF
0271334E | A1 E88A681F           | MOV EAX,DWORD PTR DS:[1F688AE8]           | eax == 0x1FBC6788
02713353 | 23CA                  | AND ECX,EDX                               | ecx == 0x11D
02713355 | 8B04C8                | MOV EAX,DWORD PTR DS:[EAX+ECX*8]          | eax == 0x30A82A90
02713358 | 85C0                  | TEST EAX,EAX                              |
0271335A | 74 10                 | JE synthetik.271336C                      |
0271335C | 0F1F40 00             | NOP DWORD PTR DS:[EAX],EAX                |
02713360 | 3950 08               | CMP DWORD PTR DS:[EAX+8],EDX              | [eax+8] == 0x1F51D
02713363 | 74 0A                 | JE synthetik.271336F                      |
02713365 | 8B40 04               | MOV EAX,DWORD PTR DS:[EAX+4]              | eax == 0x30A6F310
02713368 | 85C0                  | TEST EAX,EAX                              |
0271336A | 75 F4                 | JNE synthetik.2713360                     | loop till equal ([eax+8] == 2111D)
0271336C | 33C0                  | XOR EAX,EAX                               |
0271336E | C3                    | RET   |
0271336F | 8B40 0C               | MOV EAX,DWORD PTR DS:[EAX+C]              | eax == 0x30EE0330
02713372 | C3                    | RET   |
..   
..   
0271E6EA | 8078 68 00            | CMP BYTE PTR DS:[EAX+68],0                |
0271E6EE | 75 2E                 | JNE synthetik.271E71E                     |
0271E6F0 | 8B48 04               | MOV ECX,DWORD PTR DS:[EAX+4]              | ecx == 0x0
0271E6F3 | 85C9                  | TEST ECX,ECX                              |
0271E6F5 | 74 0B                 | JE synthetik.271E702                      |
0271E6F7 | 8B4424 18             | MOV EAX,DWORD PTR SS:[ESP+18]             |
0271E6FB | C1E0 04               | SHL EAX,4                                 |
0271E6FE | 03C1                  | ADD EAX,ECX                               |
0271E700 | EB 0B                 | JMP synthetik.271E70D                     |
0271E702 | FF7424 18             | PUSH DWORD PTR SS:[ESP+18]                | 0xD82
0271E706 | 8BC8                  | MOV ECX,EAX                               |
0271E708 | E8 4305FEFF           | CALL synthetik.26FEC50                    | « go in here
0271E70D | FF7424 1C             | PUSH DWORD PTR SS:[ESP+1C]                |
0271E711 | FF7424 24             | PUSH DWORD PTR SS:[ESP+24]                |
0271E715 | 50                    | PUSH EAX                                  |
0271E716 | E8 45D5FFFF           | CALL synthetik.271BC60                    |
0271E71B | 83C4 0C               | ADD ESP,C                                 |
0271E71E | 5F                    | POP EDI                                   |
0271E71F | 5E                    | POP ESI                                   |
0271E720 | 5D                    | POP EBP                                   |
0271E721 | B0 01                 | MOV AL,1                                  |
0271E723 | 5B                    | POP EBX                                   |
0271E724 | C3                    | RET   |
..   
..   
026FEC50 | 53                    | PUSH EBX                                  |
026FEC51 | 56                    | PUSH ESI                                  |
026FEC52 | 57                    | PUSH EDI                                  |
026FEC53 | 8BF9                  | MOV EDI,ECX                               |
026FEC55 | 837F 60 00            | CMP DWORD PTR DS:[EDI+60],0               | edi == 0x30EE0330
026FEC59 | 75 05                 | JNE synthetik.26FEC60                     |
026FEC5B | E8 90BCFFFF           | CALL synthetik.26FA8F0                    |
026FEC60 | 8B77 60               | MOV ESI,DWORD PTR DS:[EDI+60]             | esi == 0x30F2DC00
026FEC63 | 8D4424 10             | LEA EAX,DWORD PTR SS:[ESP+10]             |
026FEC67 | 8B5C24 10             | MOV EBX,DWORD PTR SS:[ESP+10]             | ebx == 0xD82
026FEC6B | 8BCE                  | MOV ECX,ESI                               |
026FEC6D | 50                    | PUSH EAX                                  |
026FEC6E | 895C24 14             | MOV DWORD PTR SS:[ESP+14],EBX             |
026FEC72 | E8 69F2FFFF           | CALL synthetik.26FDEE0                    | « runs
026FEC77 | 83F8 FF               | CMP EAX,FFFFFFFF                          | eax == 0x183
026FEC7A | 74 16                 | JE synthetik.26FEC92                      |
026FEC7C | 8D0C40                | LEA ECX,DWORD PTR DS:[EAX+EAX*2]          | ecx == 0x489
026FEC7F | 8B46 10               | MOV EAX,DWORD PTR DS:[ESI+10]             | eax == 0x280DFEC8
026FEC82 | 8D0488                | LEA EAX,DWORD PTR DS:[EAX+ECX*4]          | eax == 0x280E10EC
026FEC85 | 83C0 04               | ADD EAX,4                                 | eax == 0x280E10F0
026FEC88 | 74 08                 | JE synthetik.26FEC92                      |
026FEC8A | 8B00                  | MOV EAX,DWORD PTR DS:[EAX]                | eax == 0x298AD040
026FEC8C | 5F                    | POP EDI                                   |
026FEC8D | 5E                    | POP ESI                                   |
026FEC8E | 5B                    | POP EBX                                   |
026FEC8F | C2 0400               | RET 4 |

That "eax == 0x298AD040" is your Health :P
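
The trace above walks two data structures: an instance table keyed by instance id (mask read from memory, chain compared on [node+8], instance at [node+C], next at [node+4]) and, inside the instance, a variable table whose 12-byte entries hold the value pointer at +4. The following added C model (my code, not the engine's; the field names and the constructed ids and values are assumptions, the offsets and the 0x1FF mask follow the listing) shows how a script would resolve instance 0x2111D, variable 0xD82, to the value pointer, including the bucket collision visible in the trace (0x1F51D and 0x2111D share their low nine bits, so the chain is walked past the first node).

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the engine's code. Models the two lookups in the trace:
   instance id -> instance via a hash chain (mask 0x1FF read from memory,
   id at [node+8], instance at [node+C], next at [node+4]), then variable id
   -> value pointer via the instance's variable table ([inst+60] -> [+10] is
   an array of 12-byte entries, value pointer at entry+4). Field names and the
   constructed ids/values are ours. */

#define HASH_MASK 0x1FF            /* ecx == 0x1FF in the trace */

typedef struct { int32_t var_id; double *value; int32_t pad; } var_entry_t;  /* 12 bytes on x86 */
typedef struct { var_entry_t *entries; int count; } var_table_t;             /* entries at [+10] */
typedef struct { var_table_t *vars; } instance_t;                            /* [inst+60] */
typedef struct node { struct node *next; int32_t id; instance_t *inst; } node_t;

static node_t *buckets[HASH_MASK + 1];

/* 02713340: bucket = id & mask, walk the chain until [node+8] == id. */
static instance_t *find_instance(int32_t id)
{
    if (id < 0)                                   /* test edx,edx / js */
        return NULL;
    for (node_t *n = buckets[id & HASH_MASK]; n; n = n->next)
        if (n->id == id)                          /* cmp [eax+8],edx */
            return n->inst;                       /* mov eax,[eax+C] */
    return NULL;
}

/* 026FDEE0 (not shown in the trace): variable id -> slot index, or -1. */
static int find_var_index(const var_table_t *t, int32_t var_id)
{
    for (int i = 0; i < t->count; i++)
        if (t->entries[i].var_id == var_id)
            return i;
    return -1;
}

/* 026FEC50: esi = [edi+60]; idx = lookup; eax = [esi+10] + idx*12 + 4; eax = [eax]. */
static double *resolve_var(int32_t inst_id, int32_t var_id)
{
    instance_t *inst = find_instance(inst_id);
    if (!inst || !inst->vars)
        return NULL;
    int idx = find_var_index(inst->vars, var_id);
    if (idx == -1)                                /* cmp eax,FFFFFFFF / je */
        return NULL;
    return inst->vars->entries[idx].value;        /* lea eax,[eax+ecx*4]; add eax,4; mov eax,[eax] */
}

/* Constructed world: two instances whose ids collide in bucket 0x11D, each
   with a variable 0xD82 ("health" in the trace) plus one neighbour. */
static double      g_vals[4] = { 12.0, 3.0, 37.5, 7.0 };
static var_entry_t g_vars_a[2] = { { 0xD82, &g_vals[0], 0 }, { 0x3E8, &g_vals[1], 0 } };
static var_entry_t g_vars_b[2] = { { 0x3E8, &g_vals[3], 0 }, { 0xD82, &g_vals[2], 0 } };
static var_table_t g_tab_a = { g_vars_a, 2 }, g_tab_b = { g_vars_b, 2 };
static instance_t  g_inst_a = { &g_tab_a }, g_inst_b = { &g_tab_b };
static node_t      g_node_b = { NULL, 0x2111D, &g_inst_b };
static node_t      g_node_a = { &g_node_b, 0x1F51D, &g_inst_a };   /* chain head, as in the trace */

static void ensure_world(void)
{
    if (!buckets[0x2111D & HASH_MASK])
        buckets[0x2111D & HASH_MASK] = &g_node_a;
}

/* Read/write helpers a script would wrap the lookup in; read returns -1 when
   the pair does not resolve, write returns 0. */
static double read_var(int32_t inst_id, int32_t var_id)
{
    ensure_world();
    double *p = resolve_var(inst_id, var_id);
    return p ? *p : -1.0;
}

static int write_var(int32_t inst_id, int32_t var_id, double v)
{
    ensure_world();
    double *p = resolve_var(inst_id, var_id);
    if (!p)
        return 0;
    *p = v;
    return 1;
}

int main(void)
{
    printf("instance 0x2111D var 0xD82 = %g\n", read_var(0x2111D, 0xD82));
    write_var(0x2111D, 0xD82, 1000.0);
    printf("after write: %g; other instance still %g; missing var -> %g\n",
           read_var(0x2111D, 0xD82), read_var(0x1F51D, 0xD82), read_var(0x2111D, 0x1));
    return 0;
}
```

Writing through the resolved pointer changes only the one instance's variable, which is the property the hooked copy routine could not give you: the lookup is keyed by instance and variable id rather than by a code path shared with every other copy in the engine.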

SunBeam

Re: Making a script for a double value

Post by SunBeam » Wed Jan 30, 2019 11:36 pm

Welp, with a bit of research and debugging I discovered you can pretty much dump room names and globals. Studied this dude's DLL in DELTARUNE -> unknownchats.me/forum/2282204-post1.html (add an "a" to spell "cheats", then access the link). This is what you'd get with the dumper:

room_names: https://pastebin.com/vah69xuS
globals: https://pastebin.com/G8nxDVV3

I'll see if I can adapt the above to SYNTHETIK Legion Rising :P
