Currently I'm working on a Blasphemous 2 cheat table. I know this forum already has one, but I prefer to make my own. Here's the code; I want to do a one-hit. Whenever I change the register it works for a few screens, then it turns enemies into god mode. Thanks in advance.
[ENABLE]
aobscanmodule(INJECT,GameAssembly.dll,89 BB 98 00 00 00 48 8B 7C) // should be unique
alloc(newmem,$1000,INJECT)
alloc(tempHealth, 4)
registersymbol(tempHealth)
tempHealth:
dd 4
label(code)
label(return)
label(oneHit)
label(resHealth)
newmem:
code:
cmp [rbx+00000010], 6 // 0x10 singular penitent value
je resHealth
jne oneHit
resHealth:
push rax
mov rax, [rbx+00000064] //0x64 maximum health
mov [tempHealth], rax
mov [rbx+00000098], rax //0x98 current health
pop rax
jmp return
oneHit:
mov [rbx+00000098], edi //if i change this to 0 enemies goes to god mode
jmp return
INJECT:
jmp newmem
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 89 BB 98 00 00 00
unregistersymbol(*)
dealloc(*)
Edit 30/08/23: Well, I was completely wrong. I completely forgot, while working with memory, that the game has mono addresses because it is made with Unity. I dissected the functions and was able to find the value that applies the damage.
Last edited by xomux on Wed Aug 30, 2023 7:59 am, edited 2 times in total.
^ Assuming you have the correct struct/offset, try setting it to '5' (or something). Basically you'll have to hit them at least once. (Some games do not cooperate well with "instant" death.)
=> I'm also guessing that 'resHealth' applies to your player only... ?! AND: there is a good chance that this value changes at some point, adding enemies to that "list". Verify by 'find out...' on the 'mov rax, [rbx+64]'...
I don't get why you're moving a quad word into rbx+98. Since when are integer values in games stored as 8 bytes? Then where do you control or inspect edi... and why not rdi, if you use a quad word above?
I'll check it out, thanks. If I put 5 into edi they don't die no matter how much I hit them. Maybe I should look into another structure.
You mean why do I use the rax register instead of using eax? Wasn't dd used to declare 4-byte variables? I could be wrong. Just asking.
tempHealth is a placeholder. As you defined it with dd, you don't do mov [],rax (which is 8 bytes, not 4) and magically let CE handle your alignment. You do mov [],eax because you know for a fact your tempHealth will store 4 bytes, not 8. So it's not only the define you gotta pay attention to, but also your ASM.
Another aspect is that by moving 8 bytes into a 4-byte space, you overwrite an extra 4 bytes. Then you wonder why the game behaves abnormally when it runs your code.
And I think your tempHealth would store the address/pointer to health, rather than the health's value. Or did you intend it like this? Point of the matter: if your health is 4 bytes, at 0x98, then you use eax, not rax in the mov [],reg instruction. If you use rax, then you will overwrite 0x9C as well...
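A small C model of the operand-size problem discussed above, added here as an example (it is not code from the thread or from the game). It keeps the 0x64 (max health) and 0x98 (current health) offsets from the posted script; the field at 0x9C, the 4-byte tempHealth slot and the canary placed right behind it are assumptions made so the extra 4 bytes written by an 8-byte store become visible. The same script is run once with rax (as posted) and once with eax (as the reply suggests).

```c
/* Added example: why `mov [rbx+98],rax` clobbers 0x9C but `mov [rbx+98],eax` does not. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#pragma pack(push, 1)
typedef struct {
    uint8_t pad0[0x64];
    int32_t max_health;          /* +0x64, offset taken from the posted script */
    uint8_t pad1[0x98 - 0x68];
    int32_t current_health;      /* +0x98, offset taken from the posted script */
    int32_t neighbour;           /* +0x9C, assumed: whatever the game keeps next */
} Entity;

/* alloc(tempHealth,4) gives a 4-byte slot; the canary models the memory behind it. */
typedef struct {
    uint8_t  temp_health[4];
    uint32_t canary;
} Scratch;
#pragma pack(pop)

_Static_assert(offsetof(Entity, max_health) == 0x64, "max health offset");
_Static_assert(offsetof(Entity, current_health) == 0x98, "current health offset");
_Static_assert(offsetof(Entity, neighbour) == 0x9C, "neighbour offset");

/* mov rax,[base+off]: an 8-byte load reads off..off+7, not just the dword. */
static uint64_t load_qword(const void *base, size_t off) {
    uint64_t v; memcpy(&v, (const uint8_t *)base + off, 8); return v;
}
/* mov eax,[base+off]: a 4-byte load. */
static uint32_t load_dword(const void *base, size_t off) {
    uint32_t v; memcpy(&v, (const uint8_t *)base + off, 4); return v;
}
/* mov [base+off],rax: an 8-byte store. */
static void store_qword(void *base, size_t off, uint64_t v) {
    memcpy((uint8_t *)base + off, &v, 8);
}
/* mov [base+off],eax: a 4-byte store. */
static void store_dword(void *base, size_t off, uint32_t v) {
    memcpy((uint8_t *)base + off, &v, 4);
}

/* Constructed starting state: sentinels mark the bytes that must survive. */
static void init(Entity *e, Scratch *s) {
    memset(e, 0, sizeof *e);
    e->max_health = 100;
    e->current_health = 42;
    e->neighbour = 0x11111111;
    memset(s, 0, sizeof *s);
    s->canary = 0xCAFEBABEu;
}

typedef struct {
    int32_t  health;     /* value left at +0x98 */
    int32_t  neighbour;  /* value left at +0x9C */
    uint32_t canary;     /* value left behind the 4-byte tempHealth slot */
} Result;

/* Runs the resHealth path of the script: load max health, store it to
 * tempHealth and to current health, using either rax (as posted) or eax. */
Result run_script(int use_qword) {
    Entity e; Scratch s; init(&e, &s);
    if (use_qword) {
        uint64_t rax = load_qword(&e, 0x64);   /* mov rax,[rbx+64]  */
        store_qword(&s, 0, rax);               /* mov [tempHealth],rax */
        store_qword(&e, 0x98, rax);            /* mov [rbx+98],rax  */
    } else {
        uint32_t eax = load_dword(&e, 0x64);   /* mov eax,[rbx+64]  */
        store_dword(&s, 0, eax);               /* mov [tempHealth],eax */
        store_dword(&e, 0x98, eax);            /* mov [rbx+98],eax  */
    }
    Result r = { e.current_health, e.neighbour, s.canary };
    return r;
}

int main(void) {
    Result q = run_script(1), d = run_script(0);
    printf("rax: health=%d neighbour=0x%08x canary=0x%08x\n", q.health, q.neighbour, q.canary);
    printf("eax: health=%d neighbour=0x%08x canary=0x%08x\n", d.health, d.neighbour, d.canary);
    return 0;
}
```

With rax the health lands correctly at 0x98, but the upper half of the register (the four bytes loaded from 0x68) is written over 0x9C and over the word behind tempHealth, both of which end up zeroed; with eax both sentinels survive. The assembler accepts either form without complaint, so the width has to match the dd declaration by hand.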
Gonna test it out later. But you're right, I should pay attention to the basics first. I missed those 4 bytes. I'll comment here right below. Thanks mate.