Magicka 2
Posted: Thu Mar 15, 2018 11:28 am
TL;DR: I've got a slight grasp on how to use AOB injections, and how to move values into addresses, but I'm having a hard time understanding everything completely. Please help. Thank you.
Spoiler
It's been out for a while now. I can't find any trainers or ce tables on it, and I'm having a hard time getting my AOB injections to work.
I barely know what I'm doing, but I can find the value (double) that affects health easy. The mage has 1000 max health, a few quick searches and I have 5 addresses that are doubles and they all reflect health. One of those is always the one that I can directly change the value of, and see the difference in the game. I can even lock the value, and be invincible. What I can't seem to do is move a value into the appropriate register.
I can find the 4-byte value right away, which can help me find the double value easier, but the 4-byte address doesn't control the value.
So then I find the address (double) that controls health, and I clicked "Find what writes to this address," because I want to write 1000 to the address every time my health would normally be changed.
I played the game for a bit, walked into some fire and was hit once, and stopped the debugger. I had four addresses that wrote to the health address over 100 times in half a second. Two addresses only wrote to that address 4 times each. So, I headed over to the disassembler.
Upon right clicking the addresses, I noticed that the addresses that wrote to the Health address only 4 times were being accessed by SOO many other codes. In fact, putting an AOB script into either one of them, and moving a value into an address at that point always caused a crash - as expected. The values that write the Health address over 100 times per second are ONLY accessing that address while I play. So, I thought I was getting closer.
This is the original code for ONE of those addresses (One of the four codes that SOLELY writes to the Health address - all four look similar to me):
And this is the code I'm trying to inject:
The other 3 codes that write to the Health Address are either moving xmm6 into [edx+60], or xmm7 into [ebp+60].
Either way, when I run this code in the game, it doesn't cause a crash, but the value is still calculated correctly and displayed correctly, and my code seems all but ignored by the game. I'm assuming there's a cmp somewhere that is making a correction to the value.
How do I figure this out?
I barely know what I'm doing, but I can find the value (double) that affects health easy. The mage has 1000 max health, a few quick searches and I have 5 addresses that are doubles and they all reflect health. One of those is always the one that I can directly change the value of, and see the difference in the game. I can even lock the value, and be invincible. What I can't seem to do is move a value into the appropriate register.
I can find the 4-byte value right away, which can help me find the double value easier, but the 4-byte address doesn't control the value.
So then I find the address (double) that controls health, and I clicked "Find what writes to this address," because I want to write 1000 to the address every time my health would normally be changed.
I played the game for a bit, walked into some fire and was hit once, and stopped the debugger. I had four addresses that wrote to the health address over 100 times in half a second. Two addresses only wrote to that address 4 times each. So, I headed over to the disassembler.
Upon right clicking the addresses, I noticed that the addresses that wrote to the Health address only 4 times were being accessed by SOO many other codes. In fact, putting an AOB script into either one of them, and moving a value into an address at that point always caused a crash - as expected. The values that write the Health address over 100 times per second are ONLY accessing that address while I play. So, I thought I was getting closer.
This is the original code for ONE of those addresses (One of the four codes that SOLELY writes to the Health address - all four look similar to me):
Code: Select all
Original Code:
""+FFE682D4: 0F 28 DE - movaps xmm3,xmm6
""+FFE682D7: F2 0F 5C DB - subsd xmm3,xmm3
""+FFE682DB: 66 0F 2E DC - ucomisd xmm3,xmm4
""+FFE682DF: 0F 87 33 7D 03 00 - ja FFEA0018
""+FFE682E5: 66 0F 2E FE - ucomisd xmm7,xmm6
""+FFE682E9: 0F 83 2D 7D 03 00 - jae FFEA001C
""+FFE682EF: 83 7A 6C FB - cmp dword ptr [edx+6C],-05
""+FFE682F3: 75 07 - jne FFE682FC
""+FFE682F5: 81 7A 68 00 A7 A7 1A - cmp [edx+68],1AA7A700
""+FFE682FC: 0F 85 1E 7D 03 00 - jne FFEA0020
// ---------- INJECTING HERE ----------
""+FFE68302: F2 0F 11 72 60 - movsd [edx+60],xmm6
// ---------- DONE INJECTING ----------
""+FFE68307: F6 46 04 04 - test byte ptr [esi+04],04
""+FFE6830B: 74 13 - je FFE68320
""+FFE6830D: 80 66 04 FB - and byte ptr [esi+04],-05
""+FFE68311: 8B 0D 28 A2 A7 04 - mov ecx,[04A7A228]
""+FFE68317: 89 35 28 A2 A7 04 - mov [04A7A228],esi
""+FFE6831D: 89 4E 0C - mov [esi+0C],ecx
""+FFE68320: 83 7A 0C FB - cmp dword ptr [edx+0C],-05
""+FFE68324: 75 07 - jne FFE6832D
""+FFE68326: 81 7A 08 B0 0C 05 1C - cmp [edx+08],1C050CB0
""+FFE6832D: 0F 85 F1 7C 03 00 - jne FFEA0024
Code: Select all
[ENABLE]
aobscan(INJECT,7D 03 00 F2 0F 11 72 60) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
globalalloc(_RedMageHealth,4)
newmem:
code:
mov [_RedMageHealth],edx
mov [edx+60],(Int)1000
// movsd [edx+60],xmm6
jmp return
INJECT+03:
jmp newmem
return:
registersymbol(INJECT)
[DISABLE]
INJECT+03:
db F2 0F 11 72 60
unregistersymbol(INJECT)
dealloc(newmem)
dealloc(_RedMageHealth)
Either way, when I run this code in the game, it doesn't cause a crash, but the value is still calculated correctly and displayed correctly, and my code seems all but ignored by the game. I'm assuming there's a cmp somewhere that is making a correction to the value.
How do I figure this out?
