Help with changing address
Help with changing address
Hi
I managed to scrape together a script for PCSX2 Arc the Lad for an XP multiplier. The issue is that every time I restart the game the script doesn't work.
The following works but not if I restart the game. I have to find the address again.
I've read that an AOB script or a full injection script would help; what's the easiest workaround?
[CODE][ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
// 7-byte inline hook (5-byte jmp + 2 nops) over `mov [ecx],edx` /
// `mov eax,00000001` at a hard-coded address. NOTE(review): the address is not
// module-relative and the thread reports it changes after a restart, so the
// hook has to be re-found every run (an AOB signature is the usual remedy).
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem:
Pushf
//push flags (sub/imul/add below clobber EFLAGS)
Mov eax, [ecx]
// mov old xp to eax
// NOTE(review): eax is clobbered here and never restored, and the displaced
// `mov eax,00000001` is not re-executed, so the code after returnhere sees the
// old XP value in eax instead of 1.
Sub edx, eax
// Get difference in xp ->edx
IMul edx, #5
// Difference *= 5 ('#' marks a decimal literal in CE's auto-assembler)
Add edx, eax
// Add original xp to new difference
originalcode:
Mov [ecx], edx //original
Popf
exit:
jmp returnhere
304D3E1D:
jmp newmem
nop 2
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
304D3E1D:
// Restore the two displaced instructions (7 bytes) at the hook address.
mov [ecx],edx
mov eax,00000001
//Alt: db 89 11 B8 01 00 00 00[/CODE]
I managed to scrape together a script for PCSX2 Arc the Lad for an XP multiplier. The issue is that every time I restart the game the script doesn't work.
The following works but not if I restart the game. I have to find the address again.
I've read that an AOB script or a full injection script would help; what's the easiest workaround?
[CODE][ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
// 7-byte inline hook (5-byte jmp + 2 nops) over `mov [ecx],edx` /
// `mov eax,00000001` at a hard-coded address. NOTE(review): the address is not
// module-relative and the thread reports it changes after a restart, so the
// hook has to be re-found every run (an AOB signature is the usual remedy).
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem:
Pushf
//push flags (sub/imul/add below clobber EFLAGS)
Mov eax, [ecx]
// mov old xp to eax
// NOTE(review): eax is clobbered here and never restored, and the displaced
// `mov eax,00000001` is not re-executed, so the code after returnhere sees the
// old XP value in eax instead of 1.
Sub edx, eax
// Get difference in xp ->edx
IMul edx, #5
// Difference *= 5 ('#' marks a decimal literal in CE's auto-assembler)
Add edx, eax
// Add original xp to new difference
originalcode:
Mov [ecx], edx //original
Popf
exit:
jmp returnhere
304D3E1D:
jmp newmem
nop 2
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
304D3E1D:
// Restore the two displaced instructions (7 bytes) at the hook address.
mov [ecx],edx
mov eax,00000001
//Alt: db 89 11 B8 01 00 00 00[/CODE]
Help with changing address
Set up an [URL='https://fearlessrevolution.com/threads/6637/'][U]AOB[/U][/URL], but if the code is JITted then it might not be assembled until certain actions are done (i.e. XP is received).
Help with changing address
I've tried AOB all afternoon but it keeps crashing my game. I thought it was possible to use full injection with symbols? I've been going through tutorials but I'm still not sure how to apply it here.
This was my latest attempt at AOB, but when I enabled it and my character triggered an action to gain XP, the game crashed. It's happened every time.
[CODE]{ Game : pcsx2.exe
Version:
Date : 2020-06-05
Author :
This script does blah blah blah
}
[ENABLE]
// NOTE(review): the pattern begins with B3 D2, the last two displacement bytes
// of the `js` at 30460CF9 (ORIGINAL CODE below), so INJECT resolves to
// 30460CFD, two bytes before the real site at 30460CFF; a hook keyed on this
// pattern needs `INJECT+2:`. Displacement bytes also change if the block is
// placed elsewhere, so anchoring the signature on them is fragile.
aobscan(INJECT,B3 D2 89 11 B8 01 00 00 00) // should be unique
alloc(newmem,2048)
// multiplier is allocated and registered but never referenced (the factor is
// the literal #5 below), and this version never unregisters or frees it.
alloc(multiplier, 4)
registersymbol(multiplier)
label(returnhere)
label(originalcode)
label(exit)
newmem:
Pushf
//push flags (sub/imul/add below clobber EFLAGS)
Mov eax, [ecx]
// mov old xp to eax
// NOTE(review): eax is clobbered and never restored, and the displaced
// `mov eax,00000001` (30460D01) is not re-executed in this hook.
Sub edx, eax
// Get difference in xp ->edx
IMul edx, #5
// Difference *= 5 ('#' marks a decimal literal in CE's auto-assembler)
Add edx, eax
// Add original xp to new difference
originalcode:
Mov [ecx], edx //original
Popf
exit:
jmp returnhere
// NOTE(review): the aobscan result is never used; the hook is still written
// to the hard-coded address, which changes between runs.
304D3E1D:
jmp newmem
nop 2
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
304D3E1D:
mov [ecx],edx
mov eax,00000001
//Alt: db 89 11 B8 01 00 00 00
// NOTE(review): ORIGINAL CODE shows `mov ebx,30460D01` just before the `js`;
// 30460D01 is the second displaced instruction, so it looks like a resume
// address for the js slow path. A 7-byte hook at 30460CFF leaves that address
// inside the jmp's displacement, so a taken js would resume into garbage —
// TODO confirm by breaking on the js as suggested later in the thread.
{
// ORIGINAL CODE - INJECTION POINT: 30460CFF
30460CCE: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460CD8: 8B 15 00 9C 5C 01 - mov edx,[pcsx2.exe+839C00]
30460CDE: 8B 0D 30 9C 5C 01 - mov ecx,[pcsx2.exe+839C30]
30460CE4: 0F 77 - emms
30460CE6: 89 C8 - mov eax,ecx
30460CE8: C1 E8 0C - shr eax,0C
30460CEB: 8B 04 85 30 C0 BF 11 - mov eax,[eax*4+11BFC030]
30460CF2: BB 01 0D 46 30 - mov ebx,30460D01
30460CF7: 01 C1 - add ecx,eax
30460CF9: 0F 88 41 05 B3 D2 - js pcsx2.exe+2201240
// ---------- INJECTING HERE ----------
30460CFF: 89 11 - mov [ecx],edx
30460D01: B8 01 00 00 00 - mov eax,00000001
// ---------- DONE INJECTING ----------
30460D06: 83 3D 24 9B 5C 01 00 - cmp dword ptr [pcsx2.exe+839B24],00
30460D0D: 72 10 - jb 30460D1F
30460D0F: 77 0C - ja 30460D1D
30460D11: 81 3D 20 9B 5C 01 10 27 00 00 - cmp [pcsx2.exe+839B20],00002710
30460D1B: 72 02 - jb 30460D1F
30460D1D: 31 C0 - xor eax,eax
30460D1F: A3 20 9B 5C 01 - mov [pcsx2.exe+839B20],eax
30460D24: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460D2E: C7 05 30 9B 5C 01 7F 96 98 00 - mov [pcsx2.exe+839B30],0098967F
30460D38: C7 05 34 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B34],00000000
}[/CODE]
This was my latest attempt at AOB, but when I enabled it and my character triggered an action to gain XP, the game crashed. It's happened every time.
[CODE]{ Game : pcsx2.exe
Version:
Date : 2020-06-05
Author :
This script does blah blah blah
}
[ENABLE]
// NOTE(review): the pattern begins with B3 D2, the last two displacement bytes
// of the `js` at 30460CF9 (ORIGINAL CODE below), so INJECT resolves to
// 30460CFD, two bytes before the real site at 30460CFF; a hook keyed on this
// pattern needs `INJECT+2:`. Displacement bytes also change if the block is
// placed elsewhere, so anchoring the signature on them is fragile.
aobscan(INJECT,B3 D2 89 11 B8 01 00 00 00) // should be unique
alloc(newmem,2048)
// multiplier is allocated and registered but never referenced (the factor is
// the literal #5 below), and this version never unregisters or frees it.
alloc(multiplier, 4)
registersymbol(multiplier)
label(returnhere)
label(originalcode)
label(exit)
newmem:
Pushf
//push flags (sub/imul/add below clobber EFLAGS)
Mov eax, [ecx]
// mov old xp to eax
// NOTE(review): eax is clobbered and never restored, and the displaced
// `mov eax,00000001` (30460D01) is not re-executed in this hook.
Sub edx, eax
// Get difference in xp ->edx
IMul edx, #5
// Difference *= 5 ('#' marks a decimal literal in CE's auto-assembler)
Add edx, eax
// Add original xp to new difference
originalcode:
Mov [ecx], edx //original
Popf
exit:
jmp returnhere
// NOTE(review): the aobscan result is never used; the hook is still written
// to the hard-coded address, which changes between runs.
304D3E1D:
jmp newmem
nop 2
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
304D3E1D:
mov [ecx],edx
mov eax,00000001
//Alt: db 89 11 B8 01 00 00 00
// NOTE(review): ORIGINAL CODE shows `mov ebx,30460D01` just before the `js`;
// 30460D01 is the second displaced instruction, so it looks like a resume
// address for the js slow path. A 7-byte hook at 30460CFF leaves that address
// inside the jmp's displacement, so a taken js would resume into garbage —
// TODO confirm by breaking on the js as suggested later in the thread.
{
// ORIGINAL CODE - INJECTION POINT: 30460CFF
30460CCE: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460CD8: 8B 15 00 9C 5C 01 - mov edx,[pcsx2.exe+839C00]
30460CDE: 8B 0D 30 9C 5C 01 - mov ecx,[pcsx2.exe+839C30]
30460CE4: 0F 77 - emms
30460CE6: 89 C8 - mov eax,ecx
30460CE8: C1 E8 0C - shr eax,0C
30460CEB: 8B 04 85 30 C0 BF 11 - mov eax,[eax*4+11BFC030]
30460CF2: BB 01 0D 46 30 - mov ebx,30460D01
30460CF7: 01 C1 - add ecx,eax
30460CF9: 0F 88 41 05 B3 D2 - js pcsx2.exe+2201240
// ---------- INJECTING HERE ----------
30460CFF: 89 11 - mov [ecx],edx
30460D01: B8 01 00 00 00 - mov eax,00000001
// ---------- DONE INJECTING ----------
30460D06: 83 3D 24 9B 5C 01 00 - cmp dword ptr [pcsx2.exe+839B24],00
30460D0D: 72 10 - jb 30460D1F
30460D0F: 77 0C - ja 30460D1D
30460D11: 81 3D 20 9B 5C 01 10 27 00 00 - cmp [pcsx2.exe+839B20],00002710
30460D1B: 72 02 - jb 30460D1F
30460D1D: 31 C0 - xor eax,eax
30460D1F: A3 20 9B 5C 01 - mov [pcsx2.exe+839B20],eax
30460D24: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460D2E: C7 05 30 9B 5C 01 7F 96 98 00 - mov [pcsx2.exe+839B30],0098967F
30460D38: C7 05 34 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B34],00000000
}[/CODE]
Help with changing address
You're not actually using the AOB symbol; you need to replace the address with the symbol. And you should PUSH and POP the EAX register.
[CODE=cea]{ Game : pcsx2.exe
Version:
Date : 2020-06-05
Author :
This script does blah blah blah
}
[ENABLE]
// NOTE(review): the pattern begins with B3 D2, the last two displacement bytes
// of the `js` at 30460CF9 (ORIGINAL CODE below), so INJECT resolves to
// 30460CFD, two bytes before the real site at 30460CFF. Every `INJECT:` below
// therefore patches two bytes early, corrupting the js and leaving a
// half-overwritten `mov [ecx],edx` — consistent with the crash reported on a
// plain enable/disable. `INJECT+2:` is the address the listing implies.
aobscan(INJECT,B3 D2 89 11 B8 01 00 00 00) // should be unique
registersymbol(INJECT)
alloc(newmem,2048)
// multiplier is allocated and registered but never read; the factor is the
// literal #5 below.
alloc(multiplier, 4)
registersymbol(multiplier)
label(returnhere)
label(originalcode)
label(exit)
newmem:
Pushf
push eax
//push flags, then save eax (sub/imul/add below clobber both)
Mov eax, [ecx]
// mov old xp to eax
Sub edx, eax
// Get difference in xp ->edx
IMul edx, #5
// Difference *= 5 ('#' marks a decimal literal in CE's auto-assembler)
Add edx, eax
// Add original xp to new difference
originalcode:
Mov [ecx], edx //original
pop eax
Popf
// NOTE(review): the displaced `mov eax,00000001` (30460D01) is not re-executed
// here, so the code after returnhere sees the caller's eax instead of 1.
exit:
jmp returnhere
INJECT: // 304D3E1D:
jmp newmem
nop 2
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
// Same two-byte offset problem on restore: these 7 bytes land at 30460CFD.
INJECT: // 304D3E1D:
mov [ecx],edx
mov eax,00000001
//Alt: db 89 11 B8 01 00 00 00
unregistersymbol(INJECT)
unregistersymbol(multiplier)
dealloc(newmem)
// NOTE(review): ORIGINAL CODE shows `mov ebx,30460D01` just before the `js`;
// 30460D01 is the second displaced instruction, so it looks like a resume
// address for the js slow path. A 7-byte hook at 30460CFF leaves that address
// inside the jmp's displacement, so a taken js would resume into garbage —
// TODO confirm by breaking on the js.
{
// ORIGINAL CODE - INJECTION POINT: 30460CFF
30460CCE: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460CD8: 8B 15 00 9C 5C 01 - mov edx,[pcsx2.exe+839C00]
30460CDE: 8B 0D 30 9C 5C 01 - mov ecx,[pcsx2.exe+839C30]
30460CE4: 0F 77 - emms
30460CE6: 89 C8 - mov eax,ecx
30460CE8: C1 E8 0C - shr eax,0C
30460CEB: 8B 04 85 30 C0 BF 11 - mov eax,[eax*4+11BFC030]
30460CF2: BB 01 0D 46 30 - mov ebx,30460D01
30460CF7: 01 C1 - add ecx,eax
30460CF9: 0F 88 41 05 B3 D2 - js pcsx2.exe+2201240
// ---------- INJECTING HERE ----------
30460CFF: 89 11 - mov [ecx],edx
30460D01: B8 01 00 00 00 - mov eax,00000001
// ---------- DONE INJECTING ----------
30460D06: 83 3D 24 9B 5C 01 00 - cmp dword ptr [pcsx2.exe+839B24],00
30460D0D: 72 10 - jb 30460D1F
30460D0F: 77 0C - ja 30460D1D
30460D11: 81 3D 20 9B 5C 01 10 27 00 00 - cmp [pcsx2.exe+839B20],00002710
30460D1B: 72 02 - jb 30460D1F
30460D1D: 31 C0 - xor eax,eax
30460D1F: A3 20 9B 5C 01 - mov [pcsx2.exe+839B20],eax
30460D24: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460D2E: C7 05 30 9B 5C 01 7F 96 98 00 - mov [pcsx2.exe+839B30],0098967F
30460D38: C7 05 34 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B34],00000000
}[/CODE]
[CODE=cea]{ Game : pcsx2.exe
Version:
Date : 2020-06-05
Author :
This script does blah blah blah
}
[ENABLE]
// NOTE(review): the pattern begins with B3 D2, the last two displacement bytes
// of the `js` at 30460CF9 (ORIGINAL CODE below), so INJECT resolves to
// 30460CFD, two bytes before the real site at 30460CFF. Every `INJECT:` below
// therefore patches two bytes early, corrupting the js and leaving a
// half-overwritten `mov [ecx],edx` — consistent with the crash reported on a
// plain enable/disable. `INJECT+2:` is the address the listing implies.
aobscan(INJECT,B3 D2 89 11 B8 01 00 00 00) // should be unique
registersymbol(INJECT)
alloc(newmem,2048)
// multiplier is allocated and registered but never read; the factor is the
// literal #5 below.
alloc(multiplier, 4)
registersymbol(multiplier)
label(returnhere)
label(originalcode)
label(exit)
newmem:
Pushf
push eax
//push flags, then save eax (sub/imul/add below clobber both)
Mov eax, [ecx]
// mov old xp to eax
Sub edx, eax
// Get difference in xp ->edx
IMul edx, #5
// Difference *= 5 ('#' marks a decimal literal in CE's auto-assembler)
Add edx, eax
// Add original xp to new difference
originalcode:
Mov [ecx], edx //original
pop eax
Popf
// NOTE(review): the displaced `mov eax,00000001` (30460D01) is not re-executed
// here, so the code after returnhere sees the caller's eax instead of 1.
exit:
jmp returnhere
INJECT: // 304D3E1D:
jmp newmem
nop 2
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
// Same two-byte offset problem on restore: these 7 bytes land at 30460CFD.
INJECT: // 304D3E1D:
mov [ecx],edx
mov eax,00000001
//Alt: db 89 11 B8 01 00 00 00
unregistersymbol(INJECT)
unregistersymbol(multiplier)
dealloc(newmem)
// NOTE(review): ORIGINAL CODE shows `mov ebx,30460D01` just before the `js`;
// 30460D01 is the second displaced instruction, so it looks like a resume
// address for the js slow path. A 7-byte hook at 30460CFF leaves that address
// inside the jmp's displacement, so a taken js would resume into garbage —
// TODO confirm by breaking on the js.
{
// ORIGINAL CODE - INJECTION POINT: 30460CFF
30460CCE: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460CD8: 8B 15 00 9C 5C 01 - mov edx,[pcsx2.exe+839C00]
30460CDE: 8B 0D 30 9C 5C 01 - mov ecx,[pcsx2.exe+839C30]
30460CE4: 0F 77 - emms
30460CE6: 89 C8 - mov eax,ecx
30460CE8: C1 E8 0C - shr eax,0C
30460CEB: 8B 04 85 30 C0 BF 11 - mov eax,[eax*4+11BFC030]
30460CF2: BB 01 0D 46 30 - mov ebx,30460D01
30460CF7: 01 C1 - add ecx,eax
30460CF9: 0F 88 41 05 B3 D2 - js pcsx2.exe+2201240
// ---------- INJECTING HERE ----------
30460CFF: 89 11 - mov [ecx],edx
30460D01: B8 01 00 00 00 - mov eax,00000001
// ---------- DONE INJECTING ----------
30460D06: 83 3D 24 9B 5C 01 00 - cmp dword ptr [pcsx2.exe+839B24],00
30460D0D: 72 10 - jb 30460D1F
30460D0F: 77 0C - ja 30460D1D
30460D11: 81 3D 20 9B 5C 01 10 27 00 00 - cmp [pcsx2.exe+839B20],00002710
30460D1B: 72 02 - jb 30460D1F
30460D1D: 31 C0 - xor eax,eax
30460D1F: A3 20 9B 5C 01 - mov [pcsx2.exe+839B20],eax
30460D24: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460D2E: C7 05 30 9B 5C 01 7F 96 98 00 - mov [pcsx2.exe+839B30],0098967F
30460D38: C7 05 34 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B34],00000000
}[/CODE]
Help with changing address
Thank you
I appreciate your help. I amended my script to the one above, but the game still crashes when it triggers ?
Even if I just enable then disable the script it still crashes.
I appreciate your help. I amended my script to the one above, but the game still crashes when it triggers ?
Even if I just enable then disable the script it still crashes.
Help with changing address
You can right-click the instruction and "see what addresses this instruction accesses", and see if other addresses are accessed, because that might be the problem. Or check to see if anything jumps to the second line of code at the injection point (0x30460D01), because that can definitely cause a crash, as the jump will land in the middle of the injected hook.
Help with changing address
Hi
Thanks again for trying, I haven't given up, was up too late trying this.
Image of finding out what addresses accessed
[MEDIA=imgur]ggnj26Z[/MEDIA]
[MEDIA=imgur]nZHepZD[/MEDIA]
There are 3 addresses in there, these are the characters of my party and their individual XP stat. I hope I'm looking at what you suggested
Sorry I'm unclear how to " check to see if any thing jumps to the second line of code it the injection point (0x30460D01)"
This is memory viewer when I enable the script
[MEDIA=imgur]yQCEz1E[/MEDIA]
Thanks again for trying, I haven't given up, was up too late trying this.
Image of finding out what addresses accessed
[MEDIA=imgur]ggnj26Z[/MEDIA]
[MEDIA=imgur]nZHepZD[/MEDIA]
There are 3 addresses in there, these are the characters of my party and their individual XP stat. I hope I'm looking at what you suggested
Sorry I'm unclear how to " check to see if any thing jumps to the second line of code it the injection point (0x30460D01)"
This is memory viewer when I enable the script
[MEDIA=imgur]yQCEz1E[/MEDIA]
Help with changing address
I didn't notice the first time but you didn't have the original code in your script. You can try this and see if it crashes.
[CODE=cea]{ Game : pcsx2.exe
Version:
Date : 2020-06-05
Author :
This script does blah blah blah
}
[ENABLE]
// NOTE(review): the pattern begins with B3 D2, the last two displacement bytes
// of the `js` at 30460CF9 (ORIGINAL CODE below), so INJECT resolves to
// 30460CFD, two bytes before the real site at 30460CFF. Both `INJECT:` lines
// below therefore patch two bytes early (corrupting the js); `INJECT+2:` is
// the address the listing implies.
aobscan(INJECT,B3 D2 89 11 B8 01 00 00 00) // should be unique
registersymbol(INJECT)
alloc(newmem,2048)
// multiplier is allocated and registered but never read; the factor is the
// literal #5 below.
alloc(multiplier, 4)
registersymbol(multiplier)
label(returnhere)
label(originalcode)
label(exit)
newmem:
Pushf
//push flags (sub/imul/add below clobber EFLAGS)
Mov eax, [ecx]
// mov old xp to eax
Sub edx, eax
// Get difference in xp ->edx
IMul edx, #5
// Difference *= 5 ('#' marks a decimal literal in CE's auto-assembler)
Add edx, eax
// Add original xp to new difference
originalcode:
Mov [ecx], edx //original
// Displaced original, re-executed: mov does not touch EFLAGS, and it leaves
// eax = 1 exactly as the original code did, so no push/pop of eax is needed.
mov eax,00000001
Popf
exit:
jmp returnhere
INJECT: // 304D3E1D:
jmp newmem
nop 2
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
// Same two-byte offset problem on restore: these 7 bytes land at 30460CFD.
INJECT: // 304D3E1D:
// mov [ecx],edx
// mov eax,00000001
db 89 11 B8 01 00 00 00
unregistersymbol(INJECT)
unregistersymbol(multiplier)
dealloc(newmem)
// NOTE(review): ORIGINAL CODE shows `mov ebx,30460D01` just before the `js`;
// 30460D01 is the second displaced instruction, so it looks like a resume
// address for the js slow path. A 7-byte hook at 30460CFF leaves that address
// inside the jmp's displacement, so a taken js would resume into garbage —
// TODO confirm by breaking on the js.
{
// ORIGINAL CODE - INJECTION POINT: 30460CFF
30460CCE: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460CD8: 8B 15 00 9C 5C 01 - mov edx,[pcsx2.exe+839C00]
30460CDE: 8B 0D 30 9C 5C 01 - mov ecx,[pcsx2.exe+839C30]
30460CE4: 0F 77 - emms
30460CE6: 89 C8 - mov eax,ecx
30460CE8: C1 E8 0C - shr eax,0C
30460CEB: 8B 04 85 30 C0 BF 11 - mov eax,[eax*4+11BFC030]
30460CF2: BB 01 0D 46 30 - mov ebx,30460D01
30460CF7: 01 C1 - add ecx,eax
30460CF9: 0F 88 41 05 B3 D2 - js pcsx2.exe+2201240
// ---------- INJECTING HERE ----------
30460CFF: 89 11 - mov [ecx],edx
30460D01: B8 01 00 00 00 - mov eax,00000001
// ---------- DONE INJECTING ----------
30460D06: 83 3D 24 9B 5C 01 00 - cmp dword ptr [pcsx2.exe+839B24],00
30460D0D: 72 10 - jb 30460D1F
30460D0F: 77 0C - ja 30460D1D
30460D11: 81 3D 20 9B 5C 01 10 27 00 00 - cmp [pcsx2.exe+839B20],00002710
30460D1B: 72 02 - jb 30460D1F
30460D1D: 31 C0 - xor eax,eax
30460D1F: A3 20 9B 5C 01 - mov [pcsx2.exe+839B20],eax
30460D24: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460D2E: C7 05 30 9B 5C 01 7F 96 98 00 - mov [pcsx2.exe+839B30],0098967F
30460D38: C7 05 34 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B34],00000000
}[/CODE]
You can also try just the redirection without changing the code, to see if that crashes; but as far as looking for a jump to the second line goes, you'd just have to scroll around and see if you can find a jump to that address.
[CODE=cea]{ Game : pcsx2.exe
Version:
Date : 2020-06-05
Author :
This script does blah blah blah
}
[ENABLE]
// Redirect-only variant: the hook just re-executes the two displaced
// instructions, to separate hook placement problems from the XP arithmetic.
// NOTE(review): the pattern begins with B3 D2, the last two displacement bytes
// of the `js` at 30460CF9 (ORIGINAL CODE below), so INJECT resolves to
// 30460CFD, two bytes before the real site at 30460CFF; both `INJECT:` lines
// below patch two bytes early, which by itself explains a crash of this
// variant. `INJECT+2:` is the address the listing implies.
aobscan(INJECT,B3 D2 89 11 B8 01 00 00 00) // should be unique
registersymbol(INJECT)
alloc(newmem,2048)
// multiplier is allocated and registered but never read.
alloc(multiplier, 4)
registersymbol(multiplier)
label(returnhere)
label(originalcode)
label(exit)
newmem:
originalcode:
Mov [ecx], edx //original
mov eax,00000001
exit:
jmp returnhere
INJECT: // 304D3E1D:
jmp newmem
nop 2
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT: // 304D3E1D:
// mov [ecx],edx
// mov eax,00000001
db 89 11 B8 01 00 00 00
unregistersymbol(INJECT)
unregistersymbol(multiplier)
dealloc(newmem)
// NOTE(review): ORIGINAL CODE shows `mov ebx,30460D01` just before the `js`;
// 30460D01 is the second displaced instruction, so it looks like a resume
// address for the js slow path, which a 7-byte hook at 30460CFF would leave
// pointing into the jmp's displacement — TODO confirm by breaking on the js.
// NOTE(review): the `{` block comment below is never closed in this copy; add
// `}` before [/CODE] or CE's assembler will presumably reject the script.
{
// ORIGINAL CODE - INJECTION POINT: 30460CFF
30460CCE: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460CD8: 8B 15 00 9C 5C 01 - mov edx,[pcsx2.exe+839C00]
30460CDE: 8B 0D 30 9C 5C 01 - mov ecx,[pcsx2.exe+839C30]
30460CE4: 0F 77 - emms
30460CE6: 89 C8 - mov eax,ecx
30460CE8: C1 E8 0C - shr eax,0C
30460CEB: 8B 04 85 30 C0 BF 11 - mov eax,[eax*4+11BFC030]
30460CF2: BB 01 0D 46 30 - mov ebx,30460D01
30460CF7: 01 C1 - add ecx,eax
30460CF9: 0F 88 41 05 B3 D2 - js pcsx2.exe+2201240
// ---------- INJECTING HERE ----------
30460CFF: 89 11 - mov [ecx],edx
30460D01: B8 01 00 00 00 - mov eax,00000001
// ---------- DONE INJECTING ----------
30460D06: 83 3D 24 9B 5C 01 00 - cmp dword ptr [pcsx2.exe+839B24],00
30460D0D: 72 10 - jb 30460D1F
30460D0F: 77 0C - ja 30460D1D
30460D11: 81 3D 20 9B 5C 01 10 27 00 00 - cmp [pcsx2.exe+839B20],00002710
30460D1B: 72 02 - jb 30460D1F
30460D1D: 31 C0 - xor eax,eax
30460D1F: A3 20 9B 5C 01 - mov [pcsx2.exe+839B20],eax
30460D24: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460D2E: C7 05 30 9B 5C 01 7F 96 98 00 - mov [pcsx2.exe+839B30],0098967F
30460D38: C7 05 34 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B34],00000000
[/CODE]
[CODE=cea]{ Game : pcsx2.exe
Version:
Date : 2020-06-05
Author :
This script does blah blah blah
}
[ENABLE]
// NOTE(review): the pattern begins with B3 D2, the last two displacement bytes
// of the `js` at 30460CF9 (ORIGINAL CODE below), so INJECT resolves to
// 30460CFD, two bytes before the real site at 30460CFF. Both `INJECT:` lines
// below therefore patch two bytes early (corrupting the js); `INJECT+2:` is
// the address the listing implies.
aobscan(INJECT,B3 D2 89 11 B8 01 00 00 00) // should be unique
registersymbol(INJECT)
alloc(newmem,2048)
// multiplier is allocated and registered but never read; the factor is the
// literal #5 below.
alloc(multiplier, 4)
registersymbol(multiplier)
label(returnhere)
label(originalcode)
label(exit)
newmem:
Pushf
//push flags (sub/imul/add below clobber EFLAGS)
Mov eax, [ecx]
// mov old xp to eax
Sub edx, eax
// Get difference in xp ->edx
IMul edx, #5
// Difference *= 5 ('#' marks a decimal literal in CE's auto-assembler)
Add edx, eax
// Add original xp to new difference
originalcode:
Mov [ecx], edx //original
// Displaced original, re-executed: mov does not touch EFLAGS, and it leaves
// eax = 1 exactly as the original code did, so no push/pop of eax is needed.
mov eax,00000001
Popf
exit:
jmp returnhere
INJECT: // 304D3E1D:
jmp newmem
nop 2
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
// Same two-byte offset problem on restore: these 7 bytes land at 30460CFD.
INJECT: // 304D3E1D:
// mov [ecx],edx
// mov eax,00000001
db 89 11 B8 01 00 00 00
unregistersymbol(INJECT)
unregistersymbol(multiplier)
dealloc(newmem)
// NOTE(review): ORIGINAL CODE shows `mov ebx,30460D01` just before the `js`;
// 30460D01 is the second displaced instruction, so it looks like a resume
// address for the js slow path. A 7-byte hook at 30460CFF leaves that address
// inside the jmp's displacement, so a taken js would resume into garbage —
// TODO confirm by breaking on the js.
{
// ORIGINAL CODE - INJECTION POINT: 30460CFF
30460CCE: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460CD8: 8B 15 00 9C 5C 01 - mov edx,[pcsx2.exe+839C00]
30460CDE: 8B 0D 30 9C 5C 01 - mov ecx,[pcsx2.exe+839C30]
30460CE4: 0F 77 - emms
30460CE6: 89 C8 - mov eax,ecx
30460CE8: C1 E8 0C - shr eax,0C
30460CEB: 8B 04 85 30 C0 BF 11 - mov eax,[eax*4+11BFC030]
30460CF2: BB 01 0D 46 30 - mov ebx,30460D01
30460CF7: 01 C1 - add ecx,eax
30460CF9: 0F 88 41 05 B3 D2 - js pcsx2.exe+2201240
// ---------- INJECTING HERE ----------
30460CFF: 89 11 - mov [ecx],edx
30460D01: B8 01 00 00 00 - mov eax,00000001
// ---------- DONE INJECTING ----------
30460D06: 83 3D 24 9B 5C 01 00 - cmp dword ptr [pcsx2.exe+839B24],00
30460D0D: 72 10 - jb 30460D1F
30460D0F: 77 0C - ja 30460D1D
30460D11: 81 3D 20 9B 5C 01 10 27 00 00 - cmp [pcsx2.exe+839B20],00002710
30460D1B: 72 02 - jb 30460D1F
30460D1D: 31 C0 - xor eax,eax
30460D1F: A3 20 9B 5C 01 - mov [pcsx2.exe+839B20],eax
30460D24: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460D2E: C7 05 30 9B 5C 01 7F 96 98 00 - mov [pcsx2.exe+839B30],0098967F
30460D38: C7 05 34 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B34],00000000
}[/CODE]
You can also try just the redirection without changing the code, to see if that crashes; but as far as looking for a jump to the second line goes, you'd just have to scroll around and see if you can find a jump to that address.
[CODE=cea]{ Game : pcsx2.exe
Version:
Date : 2020-06-05
Author :
This script does blah blah blah
}
[ENABLE]
// Redirect-only variant: the hook just re-executes the two displaced
// instructions, to separate hook placement problems from the XP arithmetic.
// NOTE(review): the pattern begins with B3 D2, the last two displacement bytes
// of the `js` at 30460CF9 (ORIGINAL CODE below), so INJECT resolves to
// 30460CFD, two bytes before the real site at 30460CFF; both `INJECT:` lines
// below patch two bytes early, which by itself explains a crash of this
// variant. `INJECT+2:` is the address the listing implies.
aobscan(INJECT,B3 D2 89 11 B8 01 00 00 00) // should be unique
registersymbol(INJECT)
alloc(newmem,2048)
// multiplier is allocated and registered but never read.
alloc(multiplier, 4)
registersymbol(multiplier)
label(returnhere)
label(originalcode)
label(exit)
newmem:
originalcode:
Mov [ecx], edx //original
mov eax,00000001
exit:
jmp returnhere
INJECT: // 304D3E1D:
jmp newmem
nop 2
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT: // 304D3E1D:
// mov [ecx],edx
// mov eax,00000001
db 89 11 B8 01 00 00 00
unregistersymbol(INJECT)
unregistersymbol(multiplier)
dealloc(newmem)
// NOTE(review): ORIGINAL CODE shows `mov ebx,30460D01` just before the `js`;
// 30460D01 is the second displaced instruction, so it looks like a resume
// address for the js slow path, which a 7-byte hook at 30460CFF would leave
// pointing into the jmp's displacement — TODO confirm by breaking on the js.
// NOTE(review): the `{` block comment below is never closed in this copy; add
// `}` before [/CODE] or CE's assembler will presumably reject the script.
{
// ORIGINAL CODE - INJECTION POINT: 30460CFF
30460CCE: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460CD8: 8B 15 00 9C 5C 01 - mov edx,[pcsx2.exe+839C00]
30460CDE: 8B 0D 30 9C 5C 01 - mov ecx,[pcsx2.exe+839C30]
30460CE4: 0F 77 - emms
30460CE6: 89 C8 - mov eax,ecx
30460CE8: C1 E8 0C - shr eax,0C
30460CEB: 8B 04 85 30 C0 BF 11 - mov eax,[eax*4+11BFC030]
30460CF2: BB 01 0D 46 30 - mov ebx,30460D01
30460CF7: 01 C1 - add ecx,eax
30460CF9: 0F 88 41 05 B3 D2 - js pcsx2.exe+2201240
// ---------- INJECTING HERE ----------
30460CFF: 89 11 - mov [ecx],edx
30460D01: B8 01 00 00 00 - mov eax,00000001
// ---------- DONE INJECTING ----------
30460D06: 83 3D 24 9B 5C 01 00 - cmp dword ptr [pcsx2.exe+839B24],00
30460D0D: 72 10 - jb 30460D1F
30460D0F: 77 0C - ja 30460D1D
30460D11: 81 3D 20 9B 5C 01 10 27 00 00 - cmp [pcsx2.exe+839B20],00002710
30460D1B: 72 02 - jb 30460D1F
30460D1D: 31 C0 - xor eax,eax
30460D1F: A3 20 9B 5C 01 - mov [pcsx2.exe+839B20],eax
30460D24: C7 05 24 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B24],00000000
30460D2E: C7 05 30 9B 5C 01 7F 96 98 00 - mov [pcsx2.exe+839B30],0098967F
30460D38: C7 05 34 9B 5C 01 00 00 00 00 - mov [pcsx2.exe+839B34],00000000
[/CODE]
Help with changing address
Hi
Before enabling script from 1st code (with code changed)
[MEDIA=imgur]8A9Hb15[/MEDIA]
After enabling code
[MEDIA=imgur]pbo7IPE[/MEDIA]
Doesn't look right? I can't find any jumps
I ran a simple AOB injection with no modification, enabled it and no crash
I ran the 2nd method with just redirect crashes the game
I think I'm making some very obvious mistakes here; here is the recent template for AOB without modifications.
[CODE]{ Game : pcsx2.exe
Version:
Date : 2020-06-05
Author : Freeware Sys
This script does blah blah blah
}
[ENABLE]
// The signature starts 3 bytes early (09 F2 D2 = tail of the js at 30070758,
// see ORIGINAL CODE below), so the hook is applied at INJECT+03 = 3007075E.
aobscan(INJECT,09 F2 D2 8B 01 99 A3 30 9B 5C 01) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
// Displaced original instructions, re-executed unchanged (no XP change here).
mov eax,[ecx]
cdq
// pcsx2.exe+839B30 is module-relative; CE resolves it when the script is
// assembled, unlike the recompiled block the hook itself lives in.
mov [pcsx2.exe+839B30],eax
jmp return
INJECT+03:
// 5-byte jmp + 3 nops = the 8 displaced bytes 8B 01 99 A3 30 9B 5C 01.
jmp newmem
nop 3
return:
registersymbol(INJECT)
// NOTE(review): ORIGINAL CODE shows `mov ebx,30070760` just before the `js`;
// 30070760 is the second displaced instruction (the cdq), so it looks like a
// resume address for the js slow path and now points into the jmp's
// displacement. The test reported no crash, but the risk is the same as at
// the XP site — TODO confirm by breaking on the js.
[DISABLE]
INJECT+03:
// Restore the original 8 bytes at the same offset the hook used.
db 8B 01 99 A3 30 9B 5C 01
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: 3007075E
3007072E: 2B 05 80 7E 5B 01 - sub eax,[pcsx2.exe+827E80]
30070734: 0F 88 92 FC FF FF - js 300703CC
3007073A: E9 C1 28 FA D2 - jmp pcsx2.exe+2283000
3007073F: 8B 0D 10 9C 5C 01 - mov ecx,[pcsx2.exe+839C10]
30070745: 89 C8 - mov eax,ecx
30070747: C1 E8 0C - shr eax,0C
3007074A: 8B 04 85 30 80 E9 15 - mov eax,[eax*4+15E98030]
30070751: BB 60 07 07 30 - mov ebx,30070760
30070756: 01 C1 - add ecx,eax
30070758: 0F 88 22 09 F2 D2 - js pcsx2.exe+2201080
// ---------- INJECTING HERE ----------
3007075E: 8B 01 - mov eax,[ecx]
30070760: 99 - cdq
30070761: A3 30 9B 5C 01 - mov [pcsx2.exe+839B30],eax
// ---------- DONE INJECTING ----------
30070766: 89 15 34 9B 5C 01 - mov [pcsx2.exe+839B34],edx
3007076C: A1 20 9B 5C 01 - mov eax,[pcsx2.exe+839B20]
30070771: 2B 05 00 9C 5C 01 - sub eax,[pcsx2.exe+839C00]
30070777: 99 - cdq
30070778: A3 60 9B 5C 01 - mov [pcsx2.exe+839B60],eax
3007077D: 89 15 64 9B 5C 01 - mov [pcsx2.exe+839B64],edx
30070783: A1 30 9B 5C 01 - mov eax,[pcsx2.exe+839B30]
30070788: 2B 05 00 9C 5C 01 - sub eax,[pcsx2.exe+839C00]
3007078E: 99 - cdq
3007078F: A3 50 9B 5C 01 - mov [pcsx2.exe+839B50],eax
}[/CODE]
Before enabling script from 1st code (with code changed)
[MEDIA=imgur]8A9Hb15[/MEDIA]
After enabling code
[MEDIA=imgur]pbo7IPE[/MEDIA]
Doesn't look right? I can't find any jumps
I ran a simple AOB injection with no modification, enabled it and no crash
I ran the 2nd method with just redirect crashes the game
I think I'm making some very obvious mistakes here; here is the recent template for AOB without modifications.
[CODE]{ Game : pcsx2.exe
Version:
Date : 2020-06-05
Author : Freeware Sys
This script does blah blah blah
}
[ENABLE]
// The signature starts 3 bytes early (09 F2 D2 = tail of the js at 30070758,
// see ORIGINAL CODE below), so the hook is applied at INJECT+03 = 3007075E.
aobscan(INJECT,09 F2 D2 8B 01 99 A3 30 9B 5C 01) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
// Displaced original instructions, re-executed unchanged (no XP change here).
mov eax,[ecx]
cdq
// pcsx2.exe+839B30 is module-relative; CE resolves it when the script is
// assembled, unlike the recompiled block the hook itself lives in.
mov [pcsx2.exe+839B30],eax
jmp return
INJECT+03:
// 5-byte jmp + 3 nops = the 8 displaced bytes 8B 01 99 A3 30 9B 5C 01.
jmp newmem
nop 3
return:
registersymbol(INJECT)
// NOTE(review): ORIGINAL CODE shows `mov ebx,30070760` just before the `js`;
// 30070760 is the second displaced instruction (the cdq), so it looks like a
// resume address for the js slow path and now points into the jmp's
// displacement. The test reported no crash, but the risk is the same as at
// the XP site — TODO confirm by breaking on the js.
[DISABLE]
INJECT+03:
// Restore the original 8 bytes at the same offset the hook used.
db 8B 01 99 A3 30 9B 5C 01
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: 3007075E
3007072E: 2B 05 80 7E 5B 01 - sub eax,[pcsx2.exe+827E80]
30070734: 0F 88 92 FC FF FF - js 300703CC
3007073A: E9 C1 28 FA D2 - jmp pcsx2.exe+2283000
3007073F: 8B 0D 10 9C 5C 01 - mov ecx,[pcsx2.exe+839C10]
30070745: 89 C8 - mov eax,ecx
30070747: C1 E8 0C - shr eax,0C
3007074A: 8B 04 85 30 80 E9 15 - mov eax,[eax*4+15E98030]
30070751: BB 60 07 07 30 - mov ebx,30070760
30070756: 01 C1 - add ecx,eax
30070758: 0F 88 22 09 F2 D2 - js pcsx2.exe+2201080
// ---------- INJECTING HERE ----------
3007075E: 8B 01 - mov eax,[ecx]
30070760: 99 - cdq
30070761: A3 30 9B 5C 01 - mov [pcsx2.exe+839B30],eax
// ---------- DONE INJECTING ----------
30070766: 89 15 34 9B 5C 01 - mov [pcsx2.exe+839B34],edx
3007076C: A1 20 9B 5C 01 - mov eax,[pcsx2.exe+839B20]
30070771: 2B 05 00 9C 5C 01 - sub eax,[pcsx2.exe+839C00]
30070777: 99 - cdq
30070778: A3 60 9B 5C 01 - mov [pcsx2.exe+839B60],eax
3007077D: 89 15 64 9B 5C 01 - mov [pcsx2.exe+839B64],edx
30070783: A1 30 9B 5C 01 - mov eax,[pcsx2.exe+839B30]
30070788: 2B 05 00 9C 5C 01 - sub eax,[pcsx2.exe+839C00]
3007078E: 99 - cdq
3007078F: A3 50 9B 5C 01 - mov [pcsx2.exe+839B50],eax
}[/CODE]
Help with changing address
not exactly an expert on this, but try this.
[SPOILER="expmultiplier"]
[CODE][ENABLE]
// Signature is anchored on the displaced bytes themselves (89 11 B8 01 00 00 00)
// plus the cmp/jb/ja/cmp that follow; the ?? wildcards cover the low bytes of
// the absolute operand for pcsx2.exe+839B24, which depend on the module base.
// Because the match starts at the injection point, `expmult:` needs no offset.
aobscan(expmult,89 11 B8 01 00 00 00 83 3D ?? ?? ?? 01 00 72 10 77 0C 81 3D ) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
// sub/imul/add below clobber EFLAGS and eax; saving and restoring both keeps
// the hook transparent to the code that follows.
pushf
push eax
mov eax,[ecx]         // eax = current XP
sub edx,eax           // edx = gained XP (new - current)
imul edx,5            // edx *= 5 (hex 5 == decimal 5)
add edx,eax           // edx = current + 5 * gained
code:
mov [ecx],edx         // displaced original: store the new XP
pop eax
popf
mov eax,00000001      // displaced original, re-executed; mov leaves EFLAGS intact
jmp return
// NOTE(review): the site matched by these bytes is the one listed earlier in
// the thread, where `mov ebx,30460D01` precedes the js; 30460D01 (the second
// displaced instruction) looks like a slow-path resume address and ends up
// inside the jmp's displacement — TODO confirm by breaking on the js.
expmult:
jmp newmem            // 5-byte jmp + 2 nops = the 7 displaced bytes
nop 2
return:
registersymbol(expmult)
[DISABLE]
expmult:
db 89 11 B8 01 00 00 00   // restore the original 7 bytes
unregistersymbol(expmult)
dealloc(newmem)
//notpikachu[/CODE]
[/SPOILER]
Edit1: The emulator sort of JITs, btw. That means you need to at least earn EXP by fighting a monster in order to activate the script.
[SPOILER="expmultiplier"]
[CODE][ENABLE]
// Signature is anchored on the displaced bytes themselves (89 11 B8 01 00 00 00)
// plus the cmp/jb/ja/cmp that follow; the ?? wildcards cover the low bytes of
// the absolute operand for pcsx2.exe+839B24, which depend on the module base.
// Because the match starts at the injection point, `expmult:` needs no offset.
aobscan(expmult,89 11 B8 01 00 00 00 83 3D ?? ?? ?? 01 00 72 10 77 0C 81 3D ) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
// sub/imul/add below clobber EFLAGS and eax; saving and restoring both keeps
// the hook transparent to the code that follows.
pushf
push eax
mov eax,[ecx]         // eax = current XP
sub edx,eax           // edx = gained XP (new - current)
imul edx,5            // edx *= 5 (hex 5 == decimal 5)
add edx,eax           // edx = current + 5 * gained
code:
mov [ecx],edx         // displaced original: store the new XP
pop eax
popf
mov eax,00000001      // displaced original, re-executed; mov leaves EFLAGS intact
jmp return
// NOTE(review): the site matched by these bytes is the one listed earlier in
// the thread, where `mov ebx,30460D01` precedes the js; 30460D01 (the second
// displaced instruction) looks like a slow-path resume address and ends up
// inside the jmp's displacement — TODO confirm by breaking on the js.
expmult:
jmp newmem            // 5-byte jmp + 2 nops = the 7 displaced bytes
nop 2
return:
registersymbol(expmult)
[DISABLE]
expmult:
db 89 11 B8 01 00 00 00   // restore the original 7 bytes
unregistersymbol(expmult)
dealloc(newmem)
//notpikachu[/CODE]
[/SPOILER]
Edit1: The emulator sort of JITs, btw. That means you need to at least earn EXP by fighting a monster in order to activate the script.
Help with changing address
Thanks for your time notpikachu
Unfortunately the game crashed, happens when a character is about to gain XP
" Edit1: The emulator sort of JIT btw. That mean you need to at least earn exp by fighting a monster in order to activate the script. "
In the game you receive xp just for hitting enemies, I had to do that to find the OP code again.
Not sure if this can help - BEFORE ENABLING SCRIPT
[MEDIA=imgur]1JbiFaZ[/MEDIA]
AFTER ENABLING SCRIPT
[MEDIA=imgur]0aHpDWY[/MEDIA]
DISABLING SCRIPT
[MEDIA=imgur]go7PNXA[/MEDIA]
I can't understand why that keeps happening?
Unfortunately the game crashed, happens when a character is about to gain XP
" Edit1: The emulator sort of JIT btw. That mean you need to at least earn exp by fighting a monster in order to activate the script. "
In the game you receive xp just for hitting enemies, I had to do that to find the OP code again.
Not sure if this can help - BEFORE ENABLING SCRIPT
[MEDIA=imgur]1JbiFaZ[/MEDIA]
AFTER ENABLING SCRIPT
[MEDIA=imgur]0aHpDWY[/MEDIA]
DISABLING SCRIPT
[MEDIA=imgur]go7PNXA[/MEDIA]
I can't understand why that keeps happening?
Help with changing address
Somehow our pictures when enabling the script don't match. I already tested the exp part. The assembly script above works as intended and I received x5 exp in only a few battles. Didn't test it for a long run though.
Here's mine.
[IMG]https://i.imgur.com/BXTYJI4.png[/IMG]
Just in case, can you follow the js or put a breakpoint on it? I just want to see what happens there, because usually when a script is enabled, it becomes a jmp.
Edit1: Ah, I forgot to put the pop in my script ?. That was careless of me. Can you try again with the script above~
Here's mine.
[IMG]https://i.imgur.com/BXTYJI4.png[/IMG]
Just in case, can you follow the js or put a breakpoint on it? I just want to see what happens there, because usually when a script is enabled, it becomes a jmp.
Edit1: Ah, I forgot to put the pop in my script ?. That was careless of me. Can you try again with the script above~
Help with changing address
I tried again
[MEDIA=imgur]61LOqgQ[/MEDIA]
As soon as I attack, the game speeds up (frame rate is above 130) and then PCSX2 crashes after a few seconds.
The code works, I received x5 EXP; now I just need to work out why it's speeding up.
Thanks for the AOB signature, I was really struggling with the unique code
If you have exactly the same game why is it behaving different?
[MEDIA=imgur]61LOqgQ[/MEDIA]
As soon as I attack, the game speeds up (frame rate is above 130) and then PCSX2 crashes after a few seconds.
The code works, I received x5 EXP; now I just need to work out why it's speeding up.
Thanks for the AOB signature, I was really struggling with the unique code
If you have exactly the same game why is it behaving different?
Help with changing address
Hmmm, there are a lot of factors to consider. How about checking the emulator settings first? There are frame limiter enable/disable, turbo mode, and speedhack (not the CE one) settings that can be considered crash-prone. I tried to speed up and tune all of that ? to skip the starting lore of this game just for testing, but it resulted in 3-4 crashes instead.
Help with changing address
Man you're a genius!!! Your code was definitely the key, but I had to modify it for it to be stable for me.
Thank you TheCallmeTim13 and notpikachu
I'm still testing this with all my characters
I don't believe this code is 100% correct but seems to be stable
I think the AOB signature was probably my main issue? Is there a simpler way of producing one? Spent ages on it then realised there were 2 of the same type. I was up all night with this crap.
[
[CODE][ENABLE]
// NOTE(review): duplicate [ENABLE] header on the next line (copy/paste leftover).
[ENABLE]
aobscan(expmult,89 11 B8 01 00 00 00 83 3D ?? ?? ?? 01 00 72 10 77 0C 81 3D ) // should be unique
alloc(newmem,$1000)
label(code)
label(returnhere)
label(exit)
newmem:
pushf
push eax
// NOTE(review): push eax has no matching pop. The popf below therefore loads
// EFLAGS from the saved caller eax rather than from the saved flags, and leaves
// the saved flags dword on the stack — 4 bytes per execution of the hook.
// `pop eax` immediately before `popf` restores the balance.
mov eax,[ecx]         // eax = current XP
sub edx,eax           // edx = gained XP (new - current)
imul edx,5            // edx *= 5
add edx,eax           // edx = current + 5 * gained
code:
mov [ecx],edx         // displaced original: store the new XP
popf
// NOTE(review): the displaced `mov eax,00000001` is not re-executed, so eax
// after returnhere holds the current XP instead of 1. notpikachu's version
// re-executes it and was reported to crash, so test that change separately.
exit:
jmp returnhere
expmult:
jmp newmem            // 5-byte jmp + 2 nops = the 7 displaced bytes
nop 2
returnhere:
registersymbol(expmult)
[DISABLE]
expmult:
db 89 11 B8 01 00 00 00   // restore the original 7 bytes
unregistersymbol(expmult)
dealloc(newmem)
// NOTE(review): the two instructions below have no address label. They are
// presumably assembled at the address following the db (expmult+7), on top of
// the `cmp dword ptr [...]` that follows the injection point — verify in the
// memory viewer after disabling. The templates keep them only as an //Alt: comment.
mov [ecx],edx
mov eax,00000001
[/CODE]
Thank you TheCallmeTim13 and notpikachu
I'm still testing this with all my characters
I don't believe this code is 100% correct but seems to be stable
I think the AOB signature was probably my main issue? Is there a simpler way of producing one? Spent ages on it then realised there were 2 of the same type. I was up all night with this crap.
[
[CODE][ENABLE]
// NOTE(review): duplicate [ENABLE] header on the next line (copy/paste leftover).
[ENABLE]
aobscan(expmult,89 11 B8 01 00 00 00 83 3D ?? ?? ?? 01 00 72 10 77 0C 81 3D ) // should be unique
alloc(newmem,$1000)
label(code)
label(returnhere)
label(exit)
newmem:
pushf
push eax
// NOTE(review): push eax has no matching pop. The popf below therefore loads
// EFLAGS from the saved caller eax rather than from the saved flags, and leaves
// the saved flags dword on the stack — 4 bytes per execution of the hook.
// `pop eax` immediately before `popf` restores the balance.
mov eax,[ecx]         // eax = current XP
sub edx,eax           // edx = gained XP (new - current)
imul edx,5            // edx *= 5
add edx,eax           // edx = current + 5 * gained
code:
mov [ecx],edx         // displaced original: store the new XP
popf
// NOTE(review): the displaced `mov eax,00000001` is not re-executed, so eax
// after returnhere holds the current XP instead of 1. notpikachu's version
// re-executes it and was reported to crash, so test that change separately.
exit:
jmp returnhere
expmult:
jmp newmem            // 5-byte jmp + 2 nops = the 7 displaced bytes
nop 2
returnhere:
registersymbol(expmult)
[DISABLE]
expmult:
db 89 11 B8 01 00 00 00   // restore the original 7 bytes
unregistersymbol(expmult)
dealloc(newmem)
// NOTE(review): the two instructions below have no address label. They are
// presumably assembled at the address following the db (expmult+7), on top of
// the `cmp dword ptr [...]` that follows the injection point — verify in the
// memory viewer after disabling. The templates keep them only as an //Alt: comment.
mov [ecx],edx
mov eax,00000001
[/CODE]