Helping me to get beyond x255 multiplier with mul

Post by Algester »

Code: Select all

<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
  <CheatEntries>
    <CheatEntry>
      <ID>10544</ID>
      <Description>"Anima Gain Multiplier"</Description>
      <Options moHideChildren="1"/>
      <LastState Activated="1"/>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>{ Game   : LOSTEPIC.exe
  Version: 
  Date   : 2022-03-14
  Author : Algester

  This script does blah blah blah
}

[ENABLE]


aobscanmodule(animagain,GameAssembly.dll,01 73 6C 8B 4B 70) // should be unique
alloc(newmem,$1000,animagain)
alloc(animamult,4)

label(animamult)
label(code)
label(return)

newmem:
animamult:
  dd #1

code:
  imul esi,[animamult]
  add [rbx+6C],esi
  mov ecx,[rbx+70]
  jmp return

animagain:
  jmp newmem
  nop
return:
registersymbol(animamult)
registersymbol(animagain)

[DISABLE]

animagain:
  db 01 73 6C 8B 4B 70

unregistersymbol(animagain)
unregistersymbol(animamult)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: animagain

GameAssembly.dll+11CA775: 84 C0                 - test al,al
GameAssembly.dll+11CA777: 74 1E                 - je animagain
GameAssembly.dll+11CA779: 48 8B 0D D8 B2 65 00  - mov rcx,[GameAssembly.dll+1825A58]
GameAssembly.dll+11CA780: E8 9B 42 8D FF        - call GameAssembly.dll+A9EA20
GameAssembly.dll+11CA785: 48 85 C0              - test rax,rax
GameAssembly.dll+11CA788: 74 4B                 - je GameAssembly.dll+11CA7D5
GameAssembly.dll+11CA78A: 45 33 C0              - xor r8d,r8d
GameAssembly.dll+11CA78D: 8B D6                 - mov edx,esi
GameAssembly.dll+11CA78F: 48 8B C8              - mov rcx,rax
GameAssembly.dll+11CA792: E8 39 1B FB FF        - call GameAssembly.dll+117C2D0
// ---------- INJECTING HERE ----------
animagain: 01 73 6C              - add [rbx+6C],esi
// ---------- DONE INJECTING  ----------
GameAssembly.dll+11CA79A: 8B 4B 70              - mov ecx,[rbx+70]
GameAssembly.dll+11CA79D: B8 FF FF FF 7F        - mov eax,7FFFFFFF
GameAssembly.dll+11CA7A2: 2B C6                 - sub eax,esi
GameAssembly.dll+11CA7A4: 3B C8                 - cmp ecx,eax
GameAssembly.dll+11CA7A6: 7D 16                 - jnl GameAssembly.dll+11CA7BE
GameAssembly.dll+11CA7A8: 8D 04 31              - lea eax,[rcx+rsi]
GameAssembly.dll+11CA7AB: 89 43 70              - mov [rbx+70],eax
GameAssembly.dll+11CA7AE: 48 8B 5C 24 30        - mov rbx,[rsp+30]
GameAssembly.dll+11CA7B3: 48 8B 74 24 38        - mov rsi,[rsp+38]
GameAssembly.dll+11CA7B8: 48 83 C4 20           - add rsp,20
}
</AssemblerScript>
      <CheatEntries>
        <CheatEntry>
          <ID>10542</ID>
          <Description>"Multiplier"</Description>
          <DropDownList DescriptionOnly="1" DisplayValueAsItem="1">1:Default
10:x10
100:x100
255:Max Value
</DropDownList>
          <ShowAsSigned>0</ShowAsSigned>
          <VariableType>4 Bytes</VariableType>
          <Address>animamult</Address>
        </CheatEntry>
      </CheatEntries>
    </CheatEntry>
  </CheatEntries>
</CheatTable>
I have a hunch that I may need to use push and pop logic

or perhaps I'm playing a game that doesn't like more than 255 or 256 max value?

Post by GreenHouse »

To begin with, the mult can't be under newmem, because that's not an instruction, and it's where the function will jump into and crash. Move it on top of it.

Post by Algester »

so it's

Code: Select all

animamult:
  dd 1

newmem:
 imul esi,[animamult]

code:
  add [rbx+6C],esi
  mov ecx,[rbx+70]
  jmp return
?

Post by Messy6666 »

hey there
a little response, although it's a bit hard with the information you have given

- what game is it?
- what do you want to achieve?

First of all, GreenHouse replied already
Second, I think you answered your own question:

- you are changing esi.. although it is multiplied by 1 in your script
which is later used here:

Code: Select all

GameAssembly.dll+11CA79D: B8 FF FF FF 7F        - mov eax,7FFFFFFF
GameAssembly.dll+11CA7A2: 2B C6                 - sub eax,esi
GameAssembly.dll+11CA7A4: 3B C8                 - cmp ecx,eax
GameAssembly.dll+11CA7A6: 7D 16                 - jnl GameAssembly.dll+11CA7BE
So yeah it is maybe good to push esi and pop it later, as you said

again.. hard to say with the information you have given to us
Last edited by Messy6666 on Tue Mar 15, 2022 9:13 am, edited 1 time in total.

Post by Algester »

I tried to move the

animamult:

above newmem:

the script stops working.... or at least can't be activated in Cheat Engine (ok so I know the script "works" but I cannot fully deactivate it nor make the registered symbol show up, in this case animamult)

right now I just set the multiplier to 1 but there is a child memory address with a dropdown menu

the game is Lost Epic (what I'll describe as "kawaii" dark souls)

critique me on my stupidity because I can barely scour the YouTube videos for push and pop samples but this logic seems to "work"

Code: Select all

[ENABLE]
aobscanmodule(animagainAoB,GameAssembly.dll,01 73 6C 8B 4B 70) // should be unique
alloc(animamult,4)
alloc(newmem,$1000,animagainAoB)

label(animamult)
label(code)
label(return)

//I tried to put animamult: here but upon doing so that script would be a tad buggy I can "activate the cheat" but I can not use the registersymbol animamult and it won't be marked as activated on the table
//animamult: 
  //dd #1

newmem:

animamult:
  dd #1

code:
  push esi
  mov esi,[animamult]
  imul esi,[animamult]
  add [rbx+6C],esi
  pop esi
  mov ecx,[rbx+70]
  jmp return

animagainAoB:
  jmp newmem
  nop
return:
registersymbol(animamult)

[DISABLE]

animagainAoB:
  db 01 73 6C 8B 4B 70

unregistersymbol(animamult)
dealloc(animamult)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: GameAssembly.dll+11CA797

GameAssembly.dll+11CA775: 84 C0                 - test al,al
GameAssembly.dll+11CA777: 74 1E                 - je GameAssembly.dll+11CA797
GameAssembly.dll+11CA779: 48 8B 0D D8 B2 65 00  - mov rcx,[GameAssembly.dll+1825A58]
GameAssembly.dll+11CA780: E8 9B 42 8D FF        - call GameAssembly.dll+A9EA20
GameAssembly.dll+11CA785: 48 85 C0              - test rax,rax
GameAssembly.dll+11CA788: 74 4B                 - je GameAssembly.dll+11CA7D5
GameAssembly.dll+11CA78A: 45 33 C0              - xor r8d,r8d
GameAssembly.dll+11CA78D: 8B D6                 - mov edx,esi
GameAssembly.dll+11CA78F: 48 8B C8              - mov rcx,rax
GameAssembly.dll+11CA792: E8 39 1B FB FF        - call GameAssembly.dll+117C2D0
// ---------- INJECTING HERE ----------
GameAssembly.dll+11CA797: 01 73 6C              - add [rbx+6C],esi
// ---------- DONE INJECTING  ----------
GameAssembly.dll+11CA79A: 8B 4B 70              - mov ecx,[rbx+70]
GameAssembly.dll+11CA79D: B8 FF FF FF 7F        - mov eax,7FFFFFFF
GameAssembly.dll+11CA7A2: 2B C6                 - sub eax,esi
GameAssembly.dll+11CA7A4: 3B C8                 - cmp ecx,eax
GameAssembly.dll+11CA7A6: 7D 16                 - jnl GameAssembly.dll+11CA7BE
GameAssembly.dll+11CA7A8: 8D 04 31              - lea eax,[rcx+rsi]
GameAssembly.dll+11CA7AB: 89 43 70              - mov [rbx+70],eax
GameAssembly.dll+11CA7AE: 48 8B 5C 24 30        - mov rbx,[rsp+30]
GameAssembly.dll+11CA7B3: 48 8B 74 24 38        - mov rsi,[rsp+38]
GameAssembly.dll+11CA7B8: 48 83 C4 20           - add rsp,20
}

Post by Eric »

I tried to put animamult: here but upon doing so that script would be a tad buggy I can "activate the cheat" but I can not use the registersymbol animamult and it won't be marked as activated on the table
so you can activate the script, but it won't be marked in the table ?

also why can't you use registersymbol? What error is blocking you from doing so ?

and get rid of that

Code: Select all

mov esi,[animamult]
it will mess up esi

Post by Algester »

There's no error

But once I put

Code: Select all

animamult:
 Dd #1
Above

Code: Select all

newmem:
That's where the issue seems to be

In memory view the script will work but the functions tied to that script won't work
That means if I add an address manually pointing to animamult, Cheat Engine will not detect anything named animamult. Again, this might be my stupidity at work

I could remove
the mov [esi] but I'm currently not on my computer right now

Post by GreenHouse »

Just use another register, like ecx, which won't even need a push/pop, as it will get overwritten at the end of the code. As for there being an error, as Eric said, use registersymbol for animamult and remove its label. And again, it has to be on top of newmem, NEVER under it. Everything under newmem will be interpreted as an instruction and crash the game.

Post by Algester »

So what I'm getting now is that I shouldn't use registersymbol under return: in this instance?

But I need to put the registersymbol near [ENABLE]?

So the code should look something like this??

Code: Select all

[ENABLE]
aobscanmodule(animagainAoB,GameAssembly.dll,01 73 6C 8B 4B 70) // should be unique
alloc(animamult,4)
alloc(newmem,$1000,animagainAoB)

registersymbol(animamult)
label(code)
label(return)

//I tried to put animamult: here but upon doing so that script would be a tad buggy I can "activate the cheat" but I can not use the registersymbol animamult and it won't be marked as activated on the table
animamult: 
  dd #1

newmem:

code:
  //push ?? //
  imul ecx,[animamult]
  add [rbx+6C],esi
  //pop esi //
  mov ecx,[rbx+70]
  jmp return

animagainAoB:
  jmp newmem
  nop
return:


[DISABLE]

animagainAoB:
  db 01 73 6C 8B 4B 70

unregistersymbol(animamult)
dealloc(animamult)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: GameAssembly.dll+11CA797

GameAssembly.dll+11CA775: 84 C0                 - test al,al
GameAssembly.dll+11CA777: 74 1E                 - je GameAssembly.dll+11CA797
GameAssembly.dll+11CA779: 48 8B 0D D8 B2 65 00  - mov rcx,[GameAssembly.dll+1825A58]
GameAssembly.dll+11CA780: E8 9B 42 8D FF        - call GameAssembly.dll+A9EA20
GameAssembly.dll+11CA785: 48 85 C0              - test rax,rax
GameAssembly.dll+11CA788: 74 4B                 - je GameAssembly.dll+11CA7D5
GameAssembly.dll+11CA78A: 45 33 C0              - xor r8d,r8d
GameAssembly.dll+11CA78D: 8B D6                 - mov edx,esi
GameAssembly.dll+11CA78F: 48 8B C8              - mov rcx,rax
GameAssembly.dll+11CA792: E8 39 1B FB FF        - call GameAssembly.dll+117C2D0
// ---------- INJECTING HERE ----------
GameAssembly.dll+11CA797: 01 73 6C              - add [rbx+6C],esi
// ---------- DONE INJECTING  ----------
GameAssembly.dll+11CA79A: 8B 4B 70              - mov ecx,[rbx+70]
GameAssembly.dll+11CA79D: B8 FF FF FF 7F        - mov eax,7FFFFFFF
GameAssembly.dll+11CA7A2: 2B C6                 - sub eax,esi
GameAssembly.dll+11CA7A4: 3B C8                 - cmp ecx,eax
GameAssembly.dll+11CA7A6: 7D 16                 - jnl GameAssembly.dll+11CA7BE
GameAssembly.dll+11CA7A8: 8D 04 31              - lea eax,[rcx+rsi]
GameAssembly.dll+11CA7AB: 89 43 70              - mov [rbx+70],eax
GameAssembly.dll+11CA7AE: 48 8B 5C 24 30        - mov rbx,[rsp+30]
GameAssembly.dll+11CA7B3: 48 8B 74 24 38        - mov rsi,[rsp+38]
GameAssembly.dll+11CA7B8: 48 83 C4 20           - add rsp,20
}

Post by Eric »

yes, and also save rdx as imul will change that register as well

Post by Algester »

though I don't know how to save rdx into imul... unless I'm just being a derp and that's basically

Code: Select all

imul rdx,ecx,[animamult]
but I'm sure that's not it?

Based on the sample I know

Code: Select all

[ENABLE]
aobscanmodule(animagainAoB,GameAssembly.dll,01 73 6C 8B 4B 70) // should be unique
alloc(animamult,8)
alloc(saveRDX,8)
alloc(newmem,$1000,animagainAoB)


registersymbol(animamult)
label(code)
label(return)

//I tried to put animamult: here but upon doing so that script would be a tad buggy I can "activate the cheat" but I can not use the registersymbol animamult and it won't be marked as activated on the table
animamult: 
  dd #1

newmem:

code:
   mov [saveRDX],rdx
   mov rdx,0
  imul ecx,[animamult]
  add [rbx+6C],esi
  mov ecx,[rbx+70]
  mov rdx,[saveRDX]
  jmp return

animagainAoB:
  jmp newmem
  nop
return:


[DISABLE]

animagainAoB:
  db 01 73 6C 8B 4B 70

unregistersymbol(animamult)
dealloc(animamult)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: GameAssembly.dll+11CA797

GameAssembly.dll+11CA775: 84 C0                 - test al,al
GameAssembly.dll+11CA777: 74 1E                 - je GameAssembly.dll+11CA797
GameAssembly.dll+11CA779: 48 8B 0D D8 B2 65 00  - mov rcx,[GameAssembly.dll+1825A58]
GameAssembly.dll+11CA780: E8 9B 42 8D FF        - call GameAssembly.dll+A9EA20
GameAssembly.dll+11CA785: 48 85 C0              - test rax,rax
GameAssembly.dll+11CA788: 74 4B                 - je GameAssembly.dll+11CA7D5
GameAssembly.dll+11CA78A: 45 33 C0              - xor r8d,r8d
GameAssembly.dll+11CA78D: 8B D6                 - mov edx,esi
GameAssembly.dll+11CA78F: 48 8B C8              - mov rcx,rax
GameAssembly.dll+11CA792: E8 39 1B FB FF        - call GameAssembly.dll+117C2D0
// ---------- INJECTING HERE ----------
GameAssembly.dll+11CA797: 01 73 6C              - add [rbx+6C],esi
// ---------- DONE INJECTING  ----------
GameAssembly.dll+11CA79A: 8B 4B 70              - mov ecx,[rbx+70]
GameAssembly.dll+11CA79D: B8 FF FF FF 7F        - mov eax,7FFFFFFF
GameAssembly.dll+11CA7A2: 2B C6                 - sub eax,esi
GameAssembly.dll+11CA7A4: 3B C8                 - cmp ecx,eax
GameAssembly.dll+11CA7A6: 7D 16                 - jnl GameAssembly.dll+11CA7BE
GameAssembly.dll+11CA7A8: 8D 04 31              - lea eax,[rcx+rsi]
GameAssembly.dll+11CA7AB: 89 43 70              - mov [rbx+70],eax
GameAssembly.dll+11CA7AE: 48 8B 5C 24 30        - mov rbx,[rsp+30]
GameAssembly.dll+11CA7B3: 48 8B 74 24 38        - mov rsi,[rsp+38]
GameAssembly.dll+11CA7B8: 48 83 C4 20           - add rsp,20
}

Post by Algester »

I'm confused on what needs to be done now

Code: Select all

[ENABLE]
aobscanmodule(animagainAoB,GameAssembly.dll,01 73 6C 8B 4B 70) // should be unique
alloc(animamult,8)
alloc(saveRCX,8)
alloc(newmem,$1000,animagainAoB)

label(code)
label(return)

animamult:
  dd #1

newmem:

code:
  mov [saveRCX],rcx
  imul ecx,[animamult]
  add [rbx+6C],esi
  mov rcx,[saveRCX]
  mov ecx,[rbx+70]
  jmp return

animagainAoB:
  jmp newmem
  nop
return:
registersymbol(animamult)

[DISABLE]

animagainAoB:
  db 01 73 6C 8B 4B 70

unregistersymbol(animamult)
dealloc(animamult)
dealloc(newmem)
dealloc(saveRCX)
the code is barely working at this point

Code: Select all

<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
  <CheatEntries>
    <CheatEntry>
      <ID>10550</ID>
      <Description>"Anima Gain Multiplier (test)"</Description>
      <Options moHideChildren="1"/>
      <LastState Activated="1"/>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>[ENABLE]
aobscanmodule(animagainAoB,GameAssembly.dll,01 73 6C 8B 4B 70) // should be unique
alloc(animamult,4)
alloc(newmem,$1000,animagainAoB)

label(code)
label(return)

animamult:
  dd #1

newmem:

code:
  imul esi,[animamult]
  add [rbx+6C],esi
  mov ecx,[rbx+70]
  jmp return

animagainAoB:
  jmp newmem
  nop
return:
registersymbol(animamult)

[DISABLE]

animagainAoB:
  db 01 73 6C 8B 4B 70

unregistersymbol(animamult)
dealloc(animamult)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: GameAssembly.dll+11CA797

GameAssembly.dll+11CA775: 84 C0                 - test al,al
GameAssembly.dll+11CA777: 74 1E                 - je GameAssembly.dll+11CA797
GameAssembly.dll+11CA779: 48 8B 0D D8 B2 65 00  - mov rcx,[GameAssembly.dll+1825A58]
GameAssembly.dll+11CA780: E8 9B 42 8D FF        - call GameAssembly.dll+A9EA20
GameAssembly.dll+11CA785: 48 85 C0              - test rax,rax
GameAssembly.dll+11CA788: 74 4B                 - je GameAssembly.dll+11CA7D5
GameAssembly.dll+11CA78A: 45 33 C0              - xor r8d,r8d
GameAssembly.dll+11CA78D: 8B D6                 - mov edx,esi
GameAssembly.dll+11CA78F: 48 8B C8              - mov rcx,rax
GameAssembly.dll+11CA792: E8 39 1B FB FF        - call GameAssembly.dll+117C2D0
// ---------- INJECTING HERE ----------
GameAssembly.dll+11CA797: 01 73 6C              - add [rbx+6C],esi
// ---------- DONE INJECTING  ----------
GameAssembly.dll+11CA79A: 8B 4B 70              - mov ecx,[rbx+70]
GameAssembly.dll+11CA79D: B8 FF FF FF 7F        - mov eax,7FFFFFFF
GameAssembly.dll+11CA7A2: 2B C6                 - sub eax,esi
GameAssembly.dll+11CA7A4: 3B C8                 - cmp ecx,eax
GameAssembly.dll+11CA7A6: 7D 16                 - jnl GameAssembly.dll+11CA7BE
GameAssembly.dll+11CA7A8: 8D 04 31              - lea eax,[rcx+rsi]
GameAssembly.dll+11CA7AB: 89 43 70              - mov [rbx+70],eax
GameAssembly.dll+11CA7AE: 48 8B 5C 24 30        - mov rbx,[rsp+30]
GameAssembly.dll+11CA7B3: 48 8B 74 24 38        - mov rsi,[rsp+38]
GameAssembly.dll+11CA7B8: 48 83 C4 20           - add rsp,20
}
</AssemblerScript>
      <CheatEntries>
        <CheatEntry>
          <ID>10551</ID>
          <Description>"Multiplier"</Description>
          <LastState Value="1" RealAddress="7FF84ED50000"/>
          <ShowAsSigned>0</ShowAsSigned>
          <VariableType>4 Bytes</VariableType>
          <Address>animamult</Address>
        </CheatEntry>
      </CheatEntries>
    </CheatEntry>
  </CheatEntries>
</CheatTable>
but this works??

Post by Messy6666 »

Hi Algester
Where are you confused at on this point?

Maybe this can help you
I have put some comments in it.

Code: Select all

[ENABLE]
aobscanmodule(animagainAoB,GameAssembly.dll,01 73 6C 8B 4B 70) // should be unique
alloc(newmem,$1000,animagainAoB)

label(code)
label(return)
label(animamult)

newmem:

code:
  
  push edx		// save EDX before the imul, what Eric said
  push esi		// save ESI... to be sure, it's used later in the code
                        // you can always comment it out if not needed
  imul esi,[animamult]
  add [rbx+6C],esi
  pop esi		// restore ESI, remember First IN, last OUT
  pop edx		// restore EDX
  mov ecx,[rbx+70]
  
  jmp return

animamult:		// animamult in the space between the newmem and the AOB, because it's allocated already
  dd #1

animagainAoB:
  jmp newmem
  nop
return:
registersymbol(animamult)

[DISABLE]

animagainAoB:
  db 01 73 6C 8B 4B 70

unregistersymbol(animamult)
dealloc(newmem)


Post by Algester »

OHHH so I was already there, but as I said there are barely any samples for me to learn from for push and pop

so after all of this

Code: Select all

[ENABLE]
aobscanmodule(animagainAoB,GameAssembly.dll,01 73 6C 8B 4B 70) // should be unique
alloc(animamult,4)
alloc(newmem,$1000,animagainAoB)

label(code)
label(return)

animamult:
  dd #1

newmem:

code:
  push edx
  push esi
  imul esi,[animamult]
  add [rbx+6C],esi
  pop edx
  pop esi
  mov ecx,[rbx+70]
  jmp return

animagainAoB:
  jmp newmem
  nop
return:
registersymbol(animamult)

[DISABLE]

animagainAoB:
  db 01 73 6C 8B 4B 70

unregistersymbol(animamult)
dealloc(animagainAoB)
dealloc(animamult)
dealloc(newmem)
is the script

Post by Messy6666 »

oh no m8, remember the push / pop. first in last out (actually it's called FIFO but I prefer the last out)
so:

Code: Select all

push edx	// last in stack
push esi        // First IN
...
pop esi         // First OUT
pop edx	        // last in stack
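
Added illustration, not code from any poster in this thread: a small C model of the injected block and of the original instructions that follow it, showing what esi, edx and the two fields end up holding with no save, with pops in reverse order of the pushes, and with the pops swapped. The `Cpu` struct, `run`, the sample values and the behaviour at the `jnl` target (which the page does not show) are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the state the hook touches; not code from the thread. */
typedef struct {
    uint32_t esi, edx;      /* registers the thread discusses */
    uint32_t stack[4];
    int sp;                 /* number of saved values */
    uint32_t f6c, f70;      /* stand-ins for [rbx+6C] and [rbx+70] */
} Cpu;

enum Mode { NO_SAVE, LIFO_POPS, SWAPPED_POPS };

static void push(Cpu *c, uint32_t v) { c->stack[c->sp++] = v; }
static uint32_t pop(Cpu *c) { return c->stack[--c->sp]; }

/* Injected block: scale esi, add it to [rbx+6C], optionally save/restore. */
static void hook(Cpu *c, uint32_t mult, enum Mode m) {
    if (m != NO_SAVE) { push(c, c->edx); push(c, c->esi); }
    c->esi *= mult;                 /* imul esi,[animamult] (low 32 bits) */
    c->f6c += c->esi;               /* add [rbx+6C],esi */
    if (m == LIFO_POPS)    { c->esi = pop(c); c->edx = pop(c); }
    if (m == SWAPPED_POPS) { c->edx = pop(c); c->esi = pop(c); }
}

/* Original code after the injection point, from the disassembly on the page. */
static void tail(Cpu *c) {
    int32_t ecx = (int32_t)c->f70;                  /* mov ecx,[rbx+70] */
    int32_t eax = (int32_t)(0x7FFFFFFFu - c->esi);  /* mov eax,7FFFFFFF; sub eax,esi */
    if (ecx >= eax) return;  /* jnl: target not shown on the page; assumed to skip the store */
    c->f70 = (uint32_t)ecx + c->esi;                /* lea eax,[rcx+rsi]; mov [rbx+70],eax */
}

/* Run hook + tail once, starting from zeroed fields. */
Cpu run(uint32_t gain, uint32_t edx, uint32_t mult, enum Mode m) {
    Cpu c = {0};
    c.esi = gain;
    c.edx = edx;
    hook(&c, mult, m);
    tail(&c);
    return c;
}

int main(void) {
    const char *names[] = { "no save", "pop esi, pop edx", "pop edx, pop esi" };
    for (int m = NO_SAVE; m <= SWAPPED_POPS; m++) {
        Cpu c = run(50, 7, 10, (enum Mode)m);   /* constructed sample values */
        printf("%-18s esi=%u edx=%u [rbx+6C]=%u [rbx+70]=%u\n",
               names[m], c.esi, c.edx, c.f6c, c.f70);
    }
    return 0;
}
```

With the pops swapped, the value saved from edx lands in esi, so the later add to `[rbx+70]` uses that value instead of the original gain.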
