Sigan wrote: Fri Oct 26, 2018 7:55 pm
So, I know I have the right location, and my code works fine. In this instance, it's just a code for infinite battery in the game Nimbatus. Very simple, I'll post it below. My problem is that every time I restart the game, I have to re-open dissect Mono, find the specific location, and rewrite the code. Else, when I restart the game and try to rerun the code, the game instantly crashes. Can someone help me, or point me to the forum post that has the answer, please? Thank you.
{ Game : Nimbatus.exe
Version:
Date : 2018-10-26
Author : Sigan
This script sets battery recharge rate to "9999"
}
define(address,Assets.Nimbatus.Scripts.WorldObjects.Items.DroneParts.Batteries:Battery:GetRechargePerSecond+b)
define(bytes,F3 0F 10 80 9C 01 00 00)
[ENABLE]
{$lua}
LaunchMonoDataCollector()
{$asm}
assert(address,bytes)
alloc(newmem,$1000,29C0001CF2B)
globalalloc(_Battery,4)
label(code)
label(return)
newmem:
code:
mov [_Battery],rax
mov [rax+19C],(float)9999 // offset for battery recharge rate is +19C
movss xmm0,[rax+0000019C]
jmp return
address:
jmp newmem
nop
nop
nop
return:
[DISABLE]
address:
db bytes
// movss xmm0,[rax+0000019C]
dealloc(_Battery)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: 29C0001CF2B
29C0001CF15: 00 00 - add [rax],al
29C0001CF17: 00 00 - add [rax],al
29C0001CF19: 00 00 - add [rax],al
29C0001CF1B: 00 00 - add [rax],al
29C0001CF1D: 00 00 - add [rax],al
29C0001CF1F: 00 48 83 - add [rax-7D],cl
29C0001CF22: EC - in al,dx
29C0001CF23: 08 48 89 - or [rax-77],cl
29C0001CF26: 0C 24 - or al,24
29C0001CF28: 48 8B C1 - mov rax,rcx
// ---------- INJECTING HERE ----------
29C0001CF2B: F3 0F 10 80 9C 01 00 00 - movss xmm0,[rax+0000019C]
// ---------- DONE INJECTING ----------
29C0001CF33: F3 0F 5A C0 - cvtss2sd xmm0,xmm0
29C0001CF37: F2 0F 5A C0 - cvtsd2ss xmm0,xmm0
29C0001CF3B: 48 83 C4 08 - add rsp,08
29C0001CF3F: C3 - ret
29C0001CF40: 01 04 01 - add [rcx+rax],eax
29C0001CF43: 00 04 02 - add [rdx+rax],al
29C0001CF46: 00 00 - add [rax],al
29C0001CF48: 00 00 - add [rax],al
29C0001CF4A: 00 00 - add [rax],al
29C0001CF4C: 00 00 - add [rax],al
}
Added some notes to the script, look it over then give it a try; let me know if you have any other questions.
{ Game : Nimbatus.exe
Version:
Date : 2018-10-26
Author : Sigan
This script sets battery recharge rate to "9999"
}
define(address,Assets.Nimbatus.Scripts.WorldObjects.Items.DroneParts.Batteries:Battery:GetRechargePerSecond+b)
define(bytes,F3 0F 10 80 9C 01 00 00)
[ENABLE]
{$lua}
if syntaxcheck then return end
if process and readInteger(process) ~= 0 then
mono_initialize()
LaunchMonoDataCollector()
else
local msg = 'No process detected.'
print(msg)
error(msg)
end
{$asm}
assert(address,bytes)
alloc(newmem,$1000,address) //// use the address or AOB symbol as the "allocate near address".
label(code)
label(return)
label(_Battery) //// No need to allocate more memory, we can just stick it in the "newmem".
registerSymbol(_Battery) //// registering the symbol will make it accessible elsewhere.
newmem:
code:
mov [_Battery],rax
mov [rax+19C],(float)9999 // offset for battery recharge rate is +19C
movss xmm0,[rax+0000019C]
jmp return
align 10 //// Not required, but looks better and it's setup for any "aligned" instructions.
_Battery: //// No need to allocate more memory, just stick it in the "newmem".
dq 0 //// 8 bytes, because the full 64-bit rax is stored here by "mov [_Battery],rax".
//// Injection point
address:
jmp newmem
nop
nop
nop
return:
[DISABLE]
//// Injection point
address:
db bytes
// movss xmm0,[rax+0000019C]
//dealloc(_Battery) //// "dealloc" doesn't work with "globalAlloc", it won't deallocate the memory.
unregisterSymbol(_Battery)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: 29C0001CF2B
29C0001CF15: 00 00 - add [rax],al
29C0001CF17: 00 00 - add [rax],al
29C0001CF19: 00 00 - add [rax],al
29C0001CF1B: 00 00 - add [rax],al
29C0001CF1D: 00 00 - add [rax],al
29C0001CF1F: 00 48 83 - add [rax-7D],cl
29C0001CF22: EC - in al,dx
29C0001CF23: 08 48 89 - or [rax-77],cl
29C0001CF26: 0C 24 - or al,24
29C0001CF28: 48 8B C1 - mov rax,rcx
// ---------- INJECTING HERE ----------
29C0001CF2B: F3 0F 10 80 9C 01 00 00 - movss xmm0,[rax+0000019C]
// ---------- DONE INJECTING ----------
29C0001CF33: F3 0F 5A C0 - cvtss2sd xmm0,xmm0
29C0001CF37: F2 0F 5A C0 - cvtsd2ss xmm0,xmm0
29C0001CF3B: 48 83 C4 08 - add rsp,08
29C0001CF3F: C3 - ret
29C0001CF40: 01 04 01 - add [rcx+rax],eax
29C0001CF43: 00 04 02 - add [rdx+rax],al
29C0001CF46: 00 00 - add [rax],al
29C0001CF48: 00 00 - add [rax],al
29C0001CF4A: 00 00 - add [rax],al
29C0001CF4C: 00 00 - add [rax],al
}
You can also try the "AOB template".
And here is a wiki post on the Mono features.
[Link]
EDIT:
Then I'd edit the other scripts, I think the reason for the crashes is the "allocate near address"; just change those to the "address/AOB symbol" so you can keep using 5 byte jumps, or set up the code to use 14 byte jumps.
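The 14-byte-jump variant mentioned in the EDIT, written out as an added example that is not part of this thread and not the author's own script. It assumes the injection point and byte layout shown in the listing above (the 16 bytes of movss, cvtss2sd and cvtsd2ss are overwritten) and a Cheat Engine version whose assembler accepts "jmp far" (CE 6.5 and later); the memory written to at +19C is the same field the thread's script uses.

```asm
{ Game : Nimbatus.exe
  Date : 2018-10-26
  14-byte-jump variant of the battery script. Added example: it assumes the
  same injection point and the three instructions shown in the listing above. }
define(address,Assets.Nimbatus.Scripts.WorldObjects.Items.DroneParts.Batteries:Battery:GetRechargePerSecond+b)
// all 16 bytes of the three instructions that get overwritten: movss, cvtss2sd, cvtsd2ss
define(bytes,F3 0F 10 80 9C 01 00 00 F3 0F 5A C0 F2 0F 5A C0)
[ENABLE]
{$lua}
if syntaxcheck then return end
LaunchMonoDataCollector()
{$asm}
assert(address,bytes)
alloc(newmem,$1000) //// no "near" address: newmem may land anywhere, so the jump must be the 14-byte form
label(code)
label(return)
label(_Battery)
registerSymbol(_Battery)
newmem:
code:
  mov [_Battery],rax
  mov [rax+19C],(float)9999 // offset for battery recharge rate is +19C
  movss xmm0,[rax+0000019C] // the three original instructions, reproduced here
  cvtss2sd xmm0,xmm0
  cvtsd2ss xmm0,xmm0
  jmp return                // CE assembles this as a 14-byte jump when "return" is out of rel32 range
align 10
_Battery:
  dq 0 // 8 bytes, since a full 64-bit rax is stored here
//// Injection point
address:
  jmp far newmem // FF 25 00 00 00 00 + 8-byte absolute address = 14 bytes
  nop
  nop            // 14 + 2 = 16 bytes, exactly the three overwritten instructions
return:
[DISABLE]
//// Injection point
address:
  db bytes // restores all 16 original bytes
unregisterSymbol(_Battery)
dealloc(newmem)
```

Because nothing in this version depends on where newmem ends up, it re-enables after a restart without re-finding the allocation address in Dissect Mono.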