notpikachu wrote: ↑Sat Jun 12, 2021 8:41 pm
Mind if I join the fun and see later if my offset is correct? :P
```text
"fifa16.exe"+4E2A9B9 >>> "fifa16.exe"+4B6333D
"fifa16.exe"+50B1FD7 >>> "fifa16.exe"+4DA2DE6
"fifa16.exe"+44A056E >>> "fifa16.exe"+420FDDC
"fifa16.exe"+508A2F0 >>> "fifa16.exe"+4E8BFC0
"fifa16.exe"+4E28612 >>> "fifa16.exe"+4B6107E
"fifa16.exe"+5171C5B >>> "fifa16.exe"+4E5F34E
"fifa16.exe"+44A06A0 >>> "fifa16.exe"+4210410
"fifa16.exe"+4E5B5CC >>> "fifa16.exe"+4B9374C
"fifa16.exe"+4FE3E56 >>> "fifa16.exe"+4D1E206
```
Sure thing, the more, the merrier :)
Will attempt my version now and confirm.
EDIT: The FIFA Freestyle 16 1.0.3.5.LUA script lists several hardcoded addresses I could dig out, which match yours, except the last 3 which you've probably not seen (they're used 2 times each; see below):
```text
[line 0792] "fifa16.exe"+4E2A9B9
[line 0816] "fifa16.exe"+50B1FD7
[line 0838] "fifa16.exe"+44A056E
[line 0857] "fifa16.exe"+508A2F0
[line 0881] "fifa16.exe"+4E28612
[line 0907] "fifa16.exe"+5171C5B
[line 0934] "fifa16.exe"+44A06A0
[line 0955] "fifa16.exe"+4E5B5CC
[line 0981] "fifa16.exe"+4FE3E56
[line 1044] 145016183
[line 1066] 145016183
[line 1048] 144D0303B
[line 1070] 144D0303B
[line 1051] 144D044CB
[line 1074] 144D044CB
```
Then there are also addresses in the table itself.
Byronic wrote: ↑Sat Jun 12, 2021 6:59 pm
...
Do you use the content listed in the table at all?
Or do you only use this?
Just so I know if I should ignore the cheat table GUI and just update the Lua script and that's that.
@notPikachu: Whoever did this doesn't know too much about ASM. Here's what I see at the first address: "fifa16.exe"+4E2A9B9:
Now.. whoever designed the table does this:

```asm
globalAlloc(skillmoveOccurs, 64, "fifa16.exe"+4E2A9B9)
globalAlloc(skillmoveID, 4, "fifa16.exe"+4E2A9B9)
label(returnhere)
label(exit)

skillmoveOccurs:
  mov r12d,eax            // stolen original instruction
  mov [skillmoveID],r12d
  test ebp,ebp            // stolen original instruction
exit:
  jmp returnhere

"fifa16.exe"+4E2A9B9:
  jmp skillmoveOccurs
returnhere:               // label definition, missing from the pasted snippet; lands right after the 5-byte JMP
```
The problem appears when these lines turn into a JMP:

```text
fifa16_1_0_0_0_Dumped.exe+4E2A9B9 - 41 89 C4 - mov r12d,eax
fifa16_1_0_0_0_Dumped.exe+4E2A9BC - 85 ED - test ebp,ebp
```
Apparently, there's no problem, because there are 5 bytes which would turn into a short JMP, also 5 bytes. Correct? But if you look at my picture above, see the green arrow that lands 1 line below the highlighted one? That means when those 5 bytes turn into a JMP, the jump above these lines will land on garbage code. It will land on the last 2 bytes of the JMP :D
Here:

```text
fifa16_1_0_0_0_Dumped.exe+4E2A9B2 - EB 08 - jmp fifa16_1_0_0_0_Dumped.exe+4E2A9BC
fifa16_1_0_0_0_Dumped.exe+4E2A9B4 - 41 8B 6C D1 04 - mov ebp,[r9+rdx*8+04]
fifa16_1_0_0_0_Dumped.exe+4E2A9B9 - 41 89 C4 - mov r12d,eax
fifa16_1_0_0_0_Dumped.exe+4E2A9BC - 85 ED - test ebp,ebp
```
"fifa16_1_0_0_0_Dumped.exe+4E2A9B2 - EB 08 - jmp fifa16_1_0_0_0_Dumped.exe+4E2A9BC" that JMPs to "fifa16_1_0_0_0_Dumped.exe+4E2A9BC". If your hook address is "fifa16_1_0_0_0_Dumped.exe+4E2A9B9", then "mov r12d,eax" + "test ebp,ebp" turns into a JMP when you hook it.
e.g.:

```text
fifa16_1_0_0_0_Dumped.exe+4E2A9B9 - E9 x1 x2 x3 x4 - JMP hook
```

So now the JMP @ fifa16_1_0_0_0_Dumped.exe+4E2A9B2 jumps to the "x3 x4" bytes :D which overwrite "85 ED", the "test ebp,ebp" line. Which is utter crap. But hey, the request was "fix the script", not "fix the author's logic"...
BR,
Sun
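The mistake Sun describes above (a 5-byte JMP hook swallowing two instructions while an earlier short jump still targets the second one) can be caught mechanically before a hook is written. The following Python checker is an added example and is not code from the thread or from the cheat table: it parses disassembly lines in the `module+offset - bytes - mnemonic` layout quoted in the post (the four lines are embedded as constructed sample input), works out which instructions a 5-byte JMP at a given offset would steal, and reports any branch in the listing whose target lands inside the overwritten bytes, distinguishing a target that would decode the JMP's own operand bytes from one that would land on NOP padding and skip a relocated instruction. It only sees branches present in the listing it is given, so a clean result covers the lines shown, not every cross-reference in the binary.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the four disassembly lines quoted in the thread.
LISTING = """\
fifa16_1_0_0_0_Dumped.exe+4E2A9B2 - EB 08 - jmp fifa16_1_0_0_0_Dumped.exe+4E2A9BC
fifa16_1_0_0_0_Dumped.exe+4E2A9B4 - 41 8B 6C D1 04 - mov ebp,[r9+rdx*8+04]
fifa16_1_0_0_0_Dumped.exe+4E2A9B9 - 41 89 C4 - mov r12d,eax
fifa16_1_0_0_0_Dumped.exe+4E2A9BC - 85 ED - test ebp,ebp
"""

JMP_REL32_SIZE = 5  # E9 rel32: the size of the JMP a Cheat Engine hook writes

# "module+offset - hex bytes - disassembly"
LINE_RE = re.compile(
    r"^\S+\+([0-9A-Fa-f]+) - ((?:[0-9A-Fa-f]{2} )*[0-9A-Fa-f]{2}) - (.+)$")
# jmp/jcc whose operand is module+offset; other mnemonics are not branches here.
TARGET_RE = re.compile(r"^j\w*\s+\S+\+([0-9A-Fa-f]+)$")


@dataclass
class Insn:
    offset: int            # module-relative offset of the instruction
    size: int              # encoded length in bytes (from the hex column)
    text: str              # mnemonic and operands as listed
    target: Optional[int]  # branch target offset, None for non-branches


def parse_listing(listing: str) -> List[Insn]:
    """Parse listing lines into Insn records, skipping unrecognised lines."""
    insns = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        offset = int(m.group(1), 16)
        size = len(m.group(2).split())
        text = m.group(3).strip()
        t = TARGET_RE.match(text)
        insns.append(Insn(offset, size, text, int(t.group(1), 16) if t else None))
    return insns


def stolen_instructions(insns: List[Insn], hook_offset: int,
                        hook_size: int = JMP_REL32_SIZE) -> List[Insn]:
    """Instructions starting at hook_offset that the hook overwrites and must relocate."""
    stolen, total = [], 0
    for insn in sorted(insns, key=lambda i: i.offset):
        if insn.offset < hook_offset:
            continue
        if total >= hook_size:
            break
        stolen.append(insn)
        total += insn.size
    if not stolen or stolen[0].offset != hook_offset:
        raise ValueError("hook offset +%X is not an instruction start" % hook_offset)
    if total < hook_size:
        raise ValueError("listing does not cover %d bytes from +%X" % (hook_size, hook_offset))
    return stolen


def check_hook(insns: List[Insn], hook_offset: int,
               hook_size: int = JMP_REL32_SIZE) -> List[Tuple[int, int, str]]:
    """Return (branch_offset, target_offset, kind) for every branch in the listing
    whose target falls inside the bytes the hook overwrites.

    'inside-jmp': the target decodes the hook JMP's own operand bytes as code.
    'in-padding': the target lands on NOP padding past the JMP and so skips a
                  relocated instruction.
    """
    stolen = stolen_instructions(insns, hook_offset, hook_size)
    end = hook_offset + sum(i.size for i in stolen)
    findings = []
    for insn in insns:
        if insn.target is None:
            continue
        if hook_offset < insn.target < hook_offset + hook_size:
            findings.append((insn.offset, insn.target, "inside-jmp"))
        elif hook_offset + hook_size <= insn.target < end:
            findings.append((insn.offset, insn.target, "in-padding"))
    return findings


if __name__ == "__main__":
    insns = parse_listing(LISTING)
    for hook in (0x4E2A9B9, 0x4E2A9B4):
        stolen = [i.text for i in stolen_instructions(insns, hook)]
        report = check_hook(insns, hook) or "no branch lands inside the hook"
        print("hook at +%X steals %s -> %s" % (hook, stolen, report))
```

Run against the quoted lines, the hook at +4E2A9B9 steals `mov r12d,eax` and `test ebp,ebp` and the checker reports the `jmp` at +4E2A9B2 landing at +4E2A9BC, inside the JMP's operand bytes; trying +4E2A9B4 instead steals only the 5-byte `mov ebp,[r9+rdx*8+04]` and produces no finding for the branches shown, which is the kind of check worth running on the full cross-reference list of any hook address before trusting a table.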