Exclude pointer from script

daninthemix
Expert Cheater
Posts: 266
Joined: Tue Jul 18, 2017 6:31 pm
Reputation: 86

Post by daninthemix »

I'm trying to make a super damage / one hit kill script but I've not been able to identify any structure values that allow me to distinguish between the player and enemies.

However I do know the pointer location of the player health.

Can I compare the address against that, and do nothing if it's the player?

My current Super Damage script, which affects the player as well:

Code:

sub [eax+0C],#199
mov eax,[esp+40]
jmp exit

This is the pointer location of the player health:

Code:

[fallen.exe+2B5DC8+24+C]

How can I say, effectively, "if we're writing to this address, don't do anything. Otherwise, run this code"?

Thanks :)

Rhark
Expert Cheater
Posts: 3471
Joined: Tue Apr 16, 2019 1:27 am
Reputation: 1392

Re: Exclude pointer from script

Post by Rhark »

Try this:

Code:

push ecx
lea ecx,[fallen.exe+2B5DC8]
mov ecx,[ecx+24]
cmp eax,ecx
pop ecx
jne @f
cmp [health],1
jne code
sub [eax+C],0
mov eax,[esp+40]
jmp code

@@:
cmp [ohk],1
jne @f
sub [eax+0C],#199
mov eax,[esp+40]
jmp return

code:
sub [eax+0C],??? // Leave the original register that is being subtracted here
mov eax,[esp+40]
jmp return

There's a way to simplify the code, but since you didn't provide much of the script information I cannot do it.
Also, if you didn't want to have the health part for the player, then you can just remove the code starting with "cmp [health]..." and just before the "@@:".

Post by daninthemix »

Rhark wrote:
Thu Jun 09, 2022 8:27 am
Try this:

Code:

push ecx
lea ecx,[fallen.exe+2B5DC8]
mov ecx,[ecx+24]
cmp eax,ecx
pop ecx
jne @f
cmp [health],1
jne code
sub [eax+C],0
mov eax,[esp+40]
jmp code

@@:
cmp [ohk],1
jne @f
sub [eax+0C],#199
mov eax,[esp+40]
jmp return

code:
sub [eax+0C],??? // Leave the original register that is being subtracted here
mov eax,[esp+40]
jmp return

There's a way to simplify the code, but since you didn't provide much of the script information I cannot do it.
Also, if you didn't want to have the health part for the player, then you can just remove the code starting with "cmp [health]..." and just before the "@@:".

I'm having issues compiling it.

Here's the entire Auto Assemble script:

Code:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

alloc(newmem,2048)
label(returnhere)
label(code)
label(newmem)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
push ecx
lea ecx,[fallen.exe+2B5DC8]
mov ecx,[ecx+24]
cmp eax,ecx
pop ecx
jne @f
cmp [health],1
jne code
sub [eax+C],0
mov eax,[esp+40]
jmp code

@@:
cmp [ohk],1
jne @f
sub [eax+0C],#200
mov eax,[esp+40]
jmp returnhere

code:
sub [eax+0C],dx // Leave the original register that is being subtracted here
mov eax,[esp+40]
jmp returnhere

"fallen.exe"+111B7:
jmp newmem
nop 3
returnhere:
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
"fallen.exe"+111B7:
sub [eax+0C],dx
mov eax,[esp+40]

I'm getting
Error in line 17 (cmp [health], 1)
Sorry if I'm missing the obvious here! :?

Post by Rhark »

This should work afaik, I have never made a script like you're doing. I typically use "AOB Injection" Templates.

Code:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

alloc(newmem,2048)
label(returnhere)
label(code)
label(newmem)
label(health) // health label
label(ohk) // ohk label

registersymbol(health) // health symbol registered
registersymbol(ohk) // ohk symbol registered

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
push ecx
lea ecx,[fallen.exe+2B5DC8]
mov ecx,[ecx+24]
cmp eax,ecx
pop ecx
jne @f
cmp [health],1
jne code
sub [eax+C],0
mov eax,[esp+40]
jmp code

@@:
cmp [ohk],1
jne @f
sub [eax+0C],#200
mov eax,[esp+40]
jmp returnhere

code:
sub [eax+0C],dx // Leave the original register that is being subtracted here
mov eax,[esp+40]
jmp returnhere

health: // defining health symbol
  dd 0

ohk: // defining ohk symbol
  dd 0

"fallen.exe"+111B7:
jmp newmem
nop 3
returnhere:
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
"fallen.exe"+111B7:
sub [eax+0C],dx
mov eax,[esp+40]

dealloc(newmem)
unregistersymbol(health) // unregister health symbol
unregistersymbol(ohk) // unregister ohk symbol

Then you would have two separate extra scripts that go like this:

Inf Health:

Code:

[ENABLE]
health:
 dd 1
 
[DISABLE]
health:
  dd 0

One Hit Kill:

Code:

[ENABLE]
ohk:
 dd 1
 
[DISABLE]
ohk:
  dd 0

Post by daninthemix »

Hmm, not sure what's wrong but it says "Not all instructions could be injected"

Post by Rhark »

daninthemix wrote:
Thu Jun 09, 2022 11:33 am
Hmm, not sure what's wrong but it says "Not all instructions could be injected"

Do an AOB Injection template; they're easier and more reliable. If you paste the template here (without any modified code) I can edit it for you to show you how it should be.

Post by daninthemix »

OK, if I do AOB injection on that same instruction, I get this:

Code:

{ Game   : fallen.exe
  Version: 
  Date   : 2022-06-09
  Author : Dan

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(INJECT,fallen.exe,66 29 50 0C 8B 44 24 40) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  sub [eax+0C],dx
  mov eax,[esp+40]
  jmp return

INJECT:
  jmp newmem
  nop 3
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 66 29 50 0C 8B 44 24 40

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: fallen.exe+111B7

fallen.exe+1119C: 74 0E              - je fallen.exe+111AC
fallen.exe+1119E: 85 ED              - test ebp,ebp
fallen.exe+111A0: 74 19              - je fallen.exe+111BB
fallen.exe+111A2: 8B 4D 24           - mov ecx,[ebp+24]
fallen.exe+111A5: 8A 51 0B           - mov dl,[ecx+0B]
fallen.exe+111A8: 84 D2              - test dl,dl
fallen.exe+111AA: 74 0F              - je fallen.exe+111BB
fallen.exe+111AC: F6 40 7E 08        - test byte ptr [eax+7E],08
fallen.exe+111B0: 75 09              - jne fallen.exe+111BB
fallen.exe+111B2: 66 8B 54 24 40     - mov dx,[esp+40]
// ---------- INJECTING HERE ----------
fallen.exe+111B7: 66 29 50 0C        - sub [eax+0C],dx
// ---------- DONE INJECTING  ----------
fallen.exe+111BB: 8B 44 24 40        - mov eax,[esp+40]
fallen.exe+111BF: D1 F8              - sar eax,1
fallen.exe+111C1: 50                 - push eax
fallen.exe+111C2: 56                 - push esi
fallen.exe+111C3: E8 98 06 FF FF     - call fallen.exe+1860
fallen.exe+111C8: 8B 4E 24           - mov ecx,[esi+24]
fallen.exe+111CB: 83 C4 08           - add esp,08
fallen.exe+111CE: 66 83 79 0C 00     - cmp word ptr [ecx+0C],00
fallen.exe+111D3: 0F 8F F4 00 00 00  - jg fallen.exe+112CD
fallen.exe+111D9: 85 ED              - test ebp,ebp
}

Post by Rhark »

**Edited to fix an error**

Code:

{ Game   : fallen.exe
  Version: 
  Date   : 2022-06-09
  Author : Dan

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(INJECT,fallen.exe,66 29 50 0C 8B 44 24 40) // should be unique
alloc(newmem,$1000)

label(code)
label(return)
label(health) // health label
label(ohk) // ohk label

registersymbol(health) // health symbol registered
registersymbol(ohk) // ohk symbol registered

newmem:
push ecx
mov ecx,[fallen.exe+2B5DC8]
mov ecx,[ecx+24]
cmp eax,ecx
pop ecx
jne @f
cmp [health],1
jne code
sub [eax+C],0
jmp code+4 // skips "sub [eax+0C],dx"

@@:
cmp [ohk],1
jne @f
sub [eax+0C],#200
jmp code+4 // skips "sub [eax+0C],dx"

code:
  sub [eax+0C],dx
  mov eax,[esp+40]
  jmp return

health: // defined symbol
  dd 0

ohk: // defined symbol
  dd 0

INJECT:
  jmp newmem
  nop 3
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 66 29 50 0C 8B 44 24 40

unregistersymbol(INJECT)
unregistersymbol(health) // unregister health symbol
unregistersymbol(ohk) // unregister ohk symbol
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: fallen.exe+111B7

fallen.exe+1119C: 74 0E              - je fallen.exe+111AC
fallen.exe+1119E: 85 ED              - test ebp,ebp
fallen.exe+111A0: 74 19              - je fallen.exe+111BB
fallen.exe+111A2: 8B 4D 24           - mov ecx,[ebp+24]
fallen.exe+111A5: 8A 51 0B           - mov dl,[ecx+0B]
fallen.exe+111A8: 84 D2              - test dl,dl
fallen.exe+111AA: 74 0F              - je fallen.exe+111BB
fallen.exe+111AC: F6 40 7E 08        - test byte ptr [eax+7E],08
fallen.exe+111B0: 75 09              - jne fallen.exe+111BB
fallen.exe+111B2: 66 8B 54 24 40     - mov dx,[esp+40]
// ---------- INJECTING HERE ----------
fallen.exe+111B7: 66 29 50 0C        - sub [eax+0C],dx
// ---------- DONE INJECTING  ----------
fallen.exe+111BB: 8B 44 24 40        - mov eax,[esp+40]
fallen.exe+111BF: D1 F8              - sar eax,1
fallen.exe+111C1: 50                 - push eax
fallen.exe+111C2: 56                 - push esi
fallen.exe+111C3: E8 98 06 FF FF     - call fallen.exe+1860
fallen.exe+111C8: 8B 4E 24           - mov ecx,[esi+24]
fallen.exe+111CB: 83 C4 08           - add esp,08
fallen.exe+111CE: 66 83 79 0C 00     - cmp word ptr [ecx+0C],00
fallen.exe+111D3: 0F 8F F4 00 00 00  - jg fallen.exe+112CD
fallen.exe+111D9: 85 ED              - test ebp,ebp
}

Post by daninthemix »

Ok that now activates, but the infinite health doesn't work. The one hit kill works - but also kills the player. And the player infinite health doesn't work with or without the one hit kill.

Post by Rhark »

daninthemix wrote:
Thu Jun 09, 2022 4:01 pm
Ok that now activates, but the infinite health doesn't work. The one hit kill works - but also kills the player. And the player infinite health doesn't work with or without the one hit kill.

Try changing "lea" to "mov" and seeing if that works.

Post by daninthemix »

Yes, it works! Thank you so much!

So for my own understanding, we are comparing fallen.exe+2B5DC8+24 with the eax register - are we basically comparing 2 pointers at this point?

Post by Rhark »

You are comparing if the address in eax is the same as the one in ecx; if it is, then it is the player. If not, it's everything else.
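
Why swapping lea for mov fixed the player check, as an added C illustration that is not code from the thread: `lea` puts the address of the pointer slot in ecx, while `mov` loads the pointer stored there, so only the `mov` chain ends at the player's block. The memory image, its addresses, names and health values are constructed; only the offsets +24 and +0C and the 200 damage value come from the posts.

```c
#include <stdint.h>
#include <string.h>

/* Constructed 32-bit "process memory": addresses are offsets into mem[].
   Only the offsets +24 and +0C come from the thread; every address and
   value below is made up for the illustration. */
static uint8_t mem[0x400];
enum { PTR_SLOT = 0x100,      /* stand-in for fallen.exe+2B5DC8 */
       PLAYER_OBJ = 0x200, PLAYER_STATS = 0x300, ENEMY_STATS = 0x340 };

static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, mem + a, 4); return v; }
static void wr32(uint32_t a, uint32_t v) { memcpy(mem + a, &v, 4); }
static int16_t rd16(uint32_t a) { int16_t v; memcpy(&v, mem + a, 2); return v; }
static void wr16(uint32_t a, int16_t v) { memcpy(mem + a, &v, 2); }

static void setup(void) {
    memset(mem, 0, sizeof mem);
    wr32(PTR_SLOT, PLAYER_OBJ);            /* [slot]      -> player object */
    wr32(PLAYER_OBJ + 0x24, PLAYER_STATS); /* [object+24] -> stats block   */
    wr16(PLAYER_STATS + 0x0C, 100);        /* health word at stats+0C      */
    wr16(ENEMY_STATS + 0x0C, 100);
}

/* Resolve the player's stats address the way each instruction would. */
static uint32_t player_stats(int use_lea) {
    uint32_t ecx = use_lea ? PTR_SLOT         /* lea ecx,[slot]: the slot's own address  */
                           : rd32(PTR_SLOT);  /* mov ecx,[slot]: the pointer stored there */
    return rd32(ecx + 0x24);                  /* mov ecx,[ecx+24] */
}

/* The hook's decision: eax is the stats block being damaged, dx the damage.
   Returns the health left after the hit. */
static int16_t hit(uint32_t eax, int16_t dx, int use_lea, int health, int ohk) {
    if (eax == player_stats(use_lea)) {
        if (!health)                          /* flag off: original sub runs */
            wr16(eax + 0x0C, (int16_t)(rd16(eax + 0x0C) - dx));
    } else {
        wr16(eax + 0x0C, (int16_t)(rd16(eax + 0x0C) - (ohk ? 200 : dx)));
    }
    return rd16(eax + 0x0C);
}

int main(void) {
    setup();
    /* With mov the player is recognised and spared. */
    return hit(PLAYER_STATS, 5, 0, 1, 1) == 100 ? 0 : 1;
}
```

With `use_lea` set, the second read lands 0x24 bytes past the slot instead of inside the player object, so the comparison never matches and the player falls into the enemy branch, which is the symptom reported earlier in the thread.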

SunBeam
Administration
Posts: 4932
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4629

Post by SunBeam »

Which Engine does this game use? Unity?

Post by daninthemix »

SunBeam wrote:
Sat Jun 11, 2022 6:34 am
Which Engine does this game use? Unity?

No, it's an old game. Actually the source code was released a few years back:

[Link]

Post by SunBeam »

daninthemix wrote:
Sat Jun 11, 2022 8:13 am
SunBeam wrote:
Sat Jun 11, 2022 6:34 am
Which Engine does this game use? Unity?
No it's an old game. Actually the source code was released a few years back:

[Link]

Would you mind ZIP-ing the game folder and uploading it someplace? Link me in PM when you can. No rush.
