Help with managing 3 sets of code to ultimately do 1 thing in Akiba's Trip 1

[Algester]

so in Akiba's Trip 1/Hellbound and Debriefed you essentially have 3 sets of codes controlling your PC's HP

movw xmm0,[rax+20]
movsd xmm0,[rax+2C]
movsd xmm0,[rax+38]

right now I have an AoB scanning value to point to the PC's dress HPs starting with the head meaning for the combat values to start to update the player has to get smacked in the head but for my needs I want the pointers to generate regardless where the PC gets hit

so right now my AoBscan code looks like this

Code: Select all

{ Game   : AkibaHD.exe
  Version: 
  Date   : 2021-08-21
  Author : Algester

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(Combat,GameAssembly.dll,F2 0F 10 40 20 F2 0F 11 44 24 60 83) // should be unique
alloc(newmem2,$1000,Combat)

label(code2)
label(return2)
label(CombatAoB)
registersymbol(CombatAoB)

newmem2:

code2:
  mov [CombatAoB],rax
  movsd xmm0,[rax+20]
  jmp return2

CombatAoB:
dq 0

Combat:
  jmp newmem2
return2:
registersymbol(Combat)

[DISABLE]

Combat:
  db F2 0F 10 40 20

unregistersymbol(Combat)
dealloc(newmem2)

{
// ORIGINAL CODE - INJECTION POINT: GameAssembly.dll+17AD17F

GameAssembly.dll+17AD153: F7 79 34              - idiv [rcx+34]
GameAssembly.dll+17AD156: EB 7F                 - jmp GameAssembly.dll+17AD1D7
GameAssembly.dll+17AD158: 48 8B 4B 18           - mov rcx,[rbx+18]
GameAssembly.dll+17AD15C: 48 85 C9              - test rcx,rcx
GameAssembly.dll+17AD15F: 0F 84 16 03 00 00     - je GameAssembly.dll+17AD47B
GameAssembly.dll+17AD165: 48 8B 81 C0 00 00 00  - mov rax,[rcx+000000C0]
GameAssembly.dll+17AD16C: 48 85 C0              - test rax,rax
GameAssembly.dll+17AD16F: 0F 84 00 03 00 00     - je GameAssembly.dll+17AD475
GameAssembly.dll+17AD175: 83 78 18 00           - cmp dword ptr [rax+18],00
GameAssembly.dll+17AD179: 0F 86 C2 02 00 00     - jbe GameAssembly.dll+17AD441
// ---------- INJECTING HERE ----------
GameAssembly.dll+17AD17F: F2 0F 10 40 20        - movsd xmm0,[rax+20]
// ---------- DONE INJECTING  ----------
GameAssembly.dll+17AD184: F2 0F 11 44 24 60     - movsd [rsp+60],xmm0
GameAssembly.dll+17AD18A: 83 78 28 00           - cmp dword ptr [rax+28],00
GameAssembly.dll+17AD18E: 0F 84 5A 01 00 00     - je GameAssembly.dll+17AD2EE
GameAssembly.dll+17AD194: 48 85 C9              - test rcx,rcx
GameAssembly.dll+17AD197: 0F 84 D2 02 00 00     - je GameAssembly.dll+17AD46F
GameAssembly.dll+17AD19D: 33 D2                 - xor edx,edx
GameAssembly.dll+17AD19F: E8 5C 0E 2C 00        - call AKBP.GameSystem.Character.CharacterParameter.GetLifeUp
GameAssembly.dll+17AD1A4: 48 8B 4B 18           - mov rcx,[rbx+18]
GameAssembly.dll+17AD1A8: 48 85 C9              - test rcx,rcx
GameAssembly.dll+17AD1AB: 0F 84 B8 02 00 00     - je GameAssembly.dll+17AD469
}

this is the second code generated by CT for what I call 'Upper Dress HP'

Code: Select all

{ Game   : AkibaHD.exe
  Version: 
  Date   : 2021-08-21
  Author : Algester

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(INJECT,GameAssembly.dll,F2 0F 10 40 2C F2 0F 11 44 24 28 48 85) // should be unique
alloc(newmem,$1000,INJECT)

label(code)
label(return)

newmem:

code:
  movsd xmm0,[rax+2C]
  jmp return

INJECT:
  jmp newmem
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db F2 0F 10 40 2C

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: GameAssembly.dll+17718FE

GameAssembly.dll+17718D2: 0F 86 17 01 00 00     - jbe GameAssembly.dll+17719EF
GameAssembly.dll+17718D8: 8B 44 24 2C           - mov eax,[rsp+2C]
GameAssembly.dll+17718DC: 89 43 20              - mov [rbx+20],eax
GameAssembly.dll+17718DF: F6 C1 02              - test cl,02
GameAssembly.dll+17718E2: 75 3F                 - jne GameAssembly.dll+1771923
GameAssembly.dll+17718E4: 48 8B 87 C0 00 00 00  - mov rax,[rdi+000000C0]
GameAssembly.dll+17718EB: 48 85 C0              - test rax,rax
GameAssembly.dll+17718EE: 0F 84 51 01 00 00     - je GameAssembly.dll+1771A45
GameAssembly.dll+17718F4: 83 78 18 01           - cmp dword ptr [rax+18],01
GameAssembly.dll+17718F8: 0F 86 02 01 00 00     - jbe GameAssembly.dll+1771A00
// ---------- INJECTING HERE ----------
GameAssembly.dll+17718FE: F2 0F 10 40 2C        - movsd xmm0,[rax+2C]
// ---------- DONE INJECTING  ----------
GameAssembly.dll+1771903: F2 0F 11 44 24 28     - movsd [rsp+28],xmm0
GameAssembly.dll+1771909: 48 85 DB              - test rbx,rbx
GameAssembly.dll+177190C: 0F 84 2D 01 00 00     - je GameAssembly.dll+1771A3F
GameAssembly.dll+1771912: 83 7B 18 01           - cmp dword ptr [rbx+18],01
GameAssembly.dll+1771916: 0F 86 01 01 00 00     - jbe GameAssembly.dll+1771A1D
GameAssembly.dll+177191C: 8B 44 24 2C           - mov eax,[rsp+2C]
GameAssembly.dll+1771920: 89 43 24              - mov [rbx+24],eax
GameAssembly.dll+1771923: F6 C1 08              - test cl,08
GameAssembly.dll+1771926: 75 3F                 - jne GameAssembly.dll+1771967
GameAssembly.dll+1771928: 48 8B 87 C0 00 00 00  - mov rax,[rdi+000000C0]
}

[ShyTwig16]

In both mov rax,[r??+000000C0] is where the base is read. You might be able to find something that accesses it more reliably or you might have to backtrace it more to see where that base gets set.

[Algester]

I tried to look into the r??+000000C0 this seems to handle everything (IE its the general combat code) which means it could be a potential lead I just need to know how to trace to get it to point to the PC

I wonder since the game runs on Unity I found in the Memory Viewer
AKBP.GameSystem.Character.CharacterParameter.GetLifeUp
AKBP.GameSystem.Character.CharacterParameter.GetLifeMd
AKBP.GameSystem.Character.CharacterParameter.GetLifeLw

these might be the answers I'm looking for... MAYBE since my issue is that they can't be found in mono dissector

ok still the issue is the same it will point to the latest character smacked in the head I may just merge the codes into 1 that could work I think.... -_-... so close but no cigar

for now Pointers kind of work so I guess until I can wrap my head around getting this table more reliable

[GreenHouse]

...

Do a Break&Trace on any of those functions, do check the previous ones that are executed. And using Mono, seeing their names, you'll know if those are a reliable thing to get from. I would say that all of those should come from the same function, so just before calling those one, the parameters should be what you're looking for.
Otherwise, do look around for functions that do specify where you or the NPC has been hit.

[Algester]

these are the break and trace stuff I got






the only think common in them seems to be the mov rax,[rcx+00000C0]

Code: Select all

[ENABLE]

aobscanmodule(GetLife,GameAssembly.dll,48 83 EC 38 48 8B 81 C0 00 00 00 48 85 C0 74 1F 83 78 18 00) // should be unique
alloc(newmem5,$1000,GetLife)

label(code5)
label(return5)
label(PCLife)
registersymbol(PCLife)

newmem5:
PCLife:
dq 0

code5:
  mov [PCLife],rcx
  sub rsp,38
  mov rax,[rcx+000000C0]
  jmp return5

GetLife:
  jmp newmem5
  nop 6
return5:
registersymbol(GetLife)

//Second HP

aobscanmodule(GetLife2,GameAssembly.dll,48 83 EC 38 48 8B 81 C0 00 00 00 48 85 C0 74 1F 83 78 18 01) // should be unique
alloc(newmem6,$1000,GetLife2)

label(code6)
label(return6)

newmem6:
PCLife:
dq 0

code6:
  mov [PCLife],rcx
  sub rsp,38
  mov rax,[rcx+000000C0]
  jmp return6

GetLife2:
  jmp newmem6
  nop 6
return6:
registersymbol(GetLife2)

//Third HP

aobscanmodule(GetLife3,GameAssembly.dll,48 83 EC 38 48 8B 81 C0 00 00 00 48 85 C0 74 1F 83 78 18 02) // should be unique
alloc(newmem7,$1000,GetLife3)

label(code7)
label(return7)

newmem7:
PCLife:
dq 0

code7:
  mov [PCLife],rcx
  sub rsp,38
  mov rax,[rcx+000000C0]
  jmp return7

GetLife3:
  jmp newmem7
  nop 6
return7:
registersymbol(GetLife3)

[DISABLE]

GetLife:
  db 48 83 EC 38 48 8B 81 C0 00 00 00

unregistersymbol(GetLife)
dealloc(newmem5)

GetLife2:
  db 48 83 EC 38 48 8B 81 C0 00 00 00

unregistersymbol(GetLife2)
dealloc(newmem6)

GetLife3:
  db 48 83 EC 38 48 8B 81 C0 00 00 00

unregistersymbol(GetLife3)
unregistersymbol(PCLife)
dealloc(newmem7)

as a screwy way of making this code not work.... in theory it does kind of work but.... CE doesnt like that I'm using the same label 3 times?

[GreenHouse]

You should check before the calls, there's a point where they will all pass through. So you'll need to inject there, so it's only one injection, not multiple. And then get the value from there. There should be a point where it compares something, and it changes route depending on where you/someone was hit(Up/Mid/Low) and calls that function. Just inject on the point that will bifurcate, and see if you can get what you want from there.

[Algester]

I'm lost...
I break and traced before the call I got this


though there was what I think I found something


fudging anything there however instantly crashes the game

[Algester]

bleh... I give up...

decrypting the mono file led me to a search that has
AKBP.GameSystem.Character.CharacterParameter in it has Wear Parameter in it has MaxLife and Life Value and how many clothes the character is wearing... trying to extract this data or at least hooking an AoBscan assembly leads to crashes