How to registersymbol?


How to registersymbol?

Post by SilverRabbit90 »

The game is Carcassonne.

I tried to make a registersymbol but the line of code:
movsxd rdx,dword ptr [rsi+18]

it is inverted; how do I make a registersymbol in this case?


here's what I tried to do:

{ Game   : Carcassonne.exe
// NOTE(review): as pasted, the "{" above is not closed before [ENABLE]; CE treats
// "{ ... }" as a block comment, so the header's closing "}" was presumably lost in
// the paste (the generated template ends its header with "}") -- TODO confirm

[ENABLE]

//aobscan(PointsA,48 63 56 18 48 8B C8 83 38 00 49 BB 40) // should be unique
// Check the bytes at the module-relative injection point before patching; the trailing
// "?0" wildcards the low nibble of the r11 immediate, which looks like a runtime
// method address (see the ORIGINAL CODE block below).
assert(HUDScreen:OnPlayerScoreModified+62,48 63 56 18 48 8B C8 83 38 00 49 BB ?0) // should be unique
// Code cave requested near the injection point so the 5-byte rel32 jmp can reach it.
alloc(newmem,$1000,HUDScreen:OnPlayerScoreModified+62)

label(code)
label(return)

//alloc(setPoints,8)
// setPoints is a label inside newmem (the dd below), so the value shares the page with
// the injected code and disappears with dealloc(newmem).
label(setPoints)
registersymbol(setPoints)

newmem:

// Reads 8 bytes from a slot that is only 4 bytes wide (dd), and rdx is rewritten by the
// movsxd at code: before anything consumes it, so this load has no visible effect.
mov rdx,[setPoints]

code:
  movsxd  rdx,dword ptr [rsi+18]        // original instruction: rdx = sign-extended int at rsi+18
  mov rcx,rax                           // original instruction
  jmp return

  setPoints:
  dd (int)100                           // 4-byte slot (the mov above loads 8)

HUDScreen:OnPlayerScoreModified+62:
  jmp newmem                            // 5 bytes
  nop 2                                 // pad to the 7 original bytes replaced
return:
//registersymbol(PointsA)

[DISABLE]

HUDScreen:OnPlayerScoreModified+62:
  db 48 63 56 18 48 8B C8               // restore movsxd rdx,dword ptr [rsi+18] ; mov rcx,rax

unregistersymbol(*)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: HUDScreen:OnPlayerScoreModified+62

HUDScreen:OnPlayerScoreModified+37: 41 FF D3                       - call r11
HUDScreen:OnPlayerScoreModified+3a: 85 C0                          - test eax,eax
HUDScreen:OnPlayerScoreModified+3c: 0F 84 37 00 00 00              - je HUDScreen:OnPlayerScoreModified+79
HUDScreen:OnPlayerScoreModified+42: 49 8B 87 18 02 00 00           - mov rax,[r15+00000218]
HUDScreen:OnPlayerScoreModified+49: 48 8B C8                       - mov rcx,rax
HUDScreen:OnPlayerScoreModified+4c: 48 8B D7                       - mov rdx,rdi
HUDScreen:OnPlayerScoreModified+4f: 83 38 00                       - cmp dword ptr [rax],00
HUDScreen:OnPlayerScoreModified+52: 49 BB A0 58 CE 26 61 02 00 00  - mov r11,System.Collections.Generic.Dictionary`2[TKey_REF,TValue_REF]:get_Item
HUDScreen:OnPlayerScoreModified+5c: 41 FF D3                       - call r11
HUDScreen:OnPlayerScoreModified+5f: 83 3E 00                       - cmp dword ptr [rsi],00
// ---------- INJECTING HERE ----------
HUDScreen:OnPlayerScoreModified+62: 48 63 56 18                    - movsxd  rdx,dword ptr [rsi+18]
// ---------- DONE INJECTING  ----------
HUDScreen:OnPlayerScoreModified+66: 48 8B C8                       - mov rcx,rax
HUDScreen:OnPlayerScoreModified+69: 83 38 00                       - cmp dword ptr [rax],00
HUDScreen:OnPlayerScoreModified+6c: 49 BB 40 51 63 2D 61 02 00 00  - mov r11,HUDPlayer:SetPoints
HUDScreen:OnPlayerScoreModified+76: 41 FF D3                       - call r11
HUDScreen:OnPlayerScoreModified+79: 48 8B 75 E8                    - mov rsi,[rbp-18]
HUDScreen:OnPlayerScoreModified+7d: 48 8B 7D F0                    - mov rdi,[rbp-10]
HUDScreen:OnPlayerScoreModified+81: 4C 8B 7D F8                    - mov r15,[rbp-08]
HUDScreen:OnPlayerScoreModified+85: 48 8D 65 00                    - lea rsp,[rbp+00]
HUDScreen:OnPlayerScoreModified+89: 5D                             - pop rbp
HUDScreen:OnPlayerScoreModified+8a: C3                             - ret
}

Normally I do this:

{ Game   : Carcassonne.exe
// NOTE(review): the "{" above is never closed anywhere in this paste; CE reads
// "{ ... }" as a block comment, so as written the script body is inside a comment --
// TODO confirm the template header's closing "}" was dropped

[ENABLE]

//aobscan(PointsA,48 63 56 18 48 8B C8 83 38 00 49 BB 40) // should be unique
// Verify the bytes at the injection point before patching ("?0" wildcards the low
// nibble of the r11 immediate, which looks like a runtime method address).
assert(HUDScreen:OnPlayerScoreModified+62,48 63 56 18 48 8B C8 83 38 00 49 BB ?0) // should be unique
// Code cave requested near the injection point so the 5-byte rel32 jmp can reach it.
alloc(newmem,$1000,HUDScreen:OnPlayerScoreModified+62)

label(code)
label(return)


// setPoints is a label inside newmem (the dd below): same page as the injected code.
label(setPoints)
registersymbol(setPoints)

newmem:

// 8-byte load from a 4-byte (dd) slot: the high dword is whatever follows the dd in the cave.
mov rdx,[setPoints]

code:
mov [rsi+18],rdx                        // 8-byte store into a 4-byte field: also clobbers rsi+1C

  //movsxd  rdx,dword ptr [rsi+18]      // NOTE(review): the original instruction is commented out, so the callee receives the raw 8-byte load in rdx instead of the sign-extended field
  
  mov rcx,rax                           // original instruction
  jmp return

  setPoints:
  dd (int)100                           // 4-byte slot

HUDScreen:OnPlayerScoreModified+62:
  jmp newmem                            // 5 bytes
  nop 2                                 // pad to the 7 original bytes replaced
return:
//registersymbol(PointsA)

[DISABLE]

HUDScreen:OnPlayerScoreModified+62:
  db 48 63 56 18 48 8B C8               // restore movsxd rdx,dword ptr [rsi+18] ; mov rcx,rax

unregistersymbol(*)
dealloc(newmem)


But in this game it doesn't work

thx


Re: How to registersymbol?

Post by BabyGroot »


newmem:
mov rdx,[setPoints]                     // 8-byte load from a 4-byte dd slot; rdx is rewritten by the movsxd that follows at code:, so the game never sees this value
Try this


newmem:
mov [setPoints],rsi                     // stores the 8-byte base pointer in rsi; the slot must be 8 bytes wide (dq) -- a dd would overflow into whatever follows it


Re: How to registersymbol?

Post by SilverRabbit90 »

BabyGroot wrote:
Tue Nov 28, 2023 3:27 pm


newmem:
mov rdx,[setPoints]
Try this


newmem:
mov [setPoints],rsi
With this method the registersymbol becomes a sort of pointer but, I wanted to do something a little bit more difficult.


I wanted to create two different scripts, activating the first one will show the pointer. Once the first is active you can activate the second which will set the Points to 100

Example:

First Script


[ENABLE]

//aobscan(PointsA,48 63 56 18 48 8B C8 83 38 00 49 BB 40) // should be unique
// Verify the bytes at the injection point before patching ("?0" wildcards the low
// nibble of the r11 immediate, which looks like a runtime method address).
assert(HUDScreen:OnPlayerScoreModified+62,48 63 56 18 48 8B C8 83 38 00 49 BB ?0) // should be unique
// Code cave requested near the injection point so the 5-byte rel32 jmp can reach it.
alloc(newmem,$1000,HUDScreen:OnPlayerScoreModified+62)

label(code)
label(return)

// seePoints: label at the very end of newmem with no data directive; the 8-byte store
// below lands in the unused tail of the $1000 cave (a "dq 0" would make the slot explicit).
label(seePoints)
registersymbol(seePoints)

// Separate 8-byte allocation meant to be filled in by the second script. Nothing here
// initialises it (a fresh alloc presumably reads as zero), which matches the report that
// points drop to 0 while the second script is off.
alloc(setPoints,8)
registersymbol(setPoints)

newmem:

mov [seePoints],rsi                     // publish the base pointer (8 bytes)

mov rdx,[setPoints]                     // 8-byte load: high dword is whatever sits after the int in the slot

code:
mov [rsi+18],rdx                        // 8-byte store into a 4-byte field: also clobbers rsi+1C
  movsxd  rdx,dword ptr [rsi+18]        // original instruction: re-reads the field just written
  mov rcx,rax                           // original instruction
  jmp return

  seePoints:

HUDScreen:OnPlayerScoreModified+62:
  jmp newmem                            // 5 bytes
  nop 2                                 // pad to the 7 original bytes replaced
return:
//registersymbol(PointsA)

[DISABLE]

HUDScreen:OnPlayerScoreModified+62:
  db 48 63 56 18 48 8B C8               // restore movsxd rdx,dword ptr [rsi+18] ; mov rcx,rax

unregistersymbol(*)
dealloc(newmem)                         // setPoints is not freed here (dealloc(*) would), so every enable cycle leaks the 8-byte alloc

Second Script


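[ENABLE]

// Only assembles while the first script is enabled: setPoints is an alloc registered
// there, and CE refuses the script if the symbol is unknown.
setPoints:
dd (int)100                             // 4-byte int the first script's hook copies into the points field


[DISABLE]

setPoints:
dd 0                                    // clear the whole 4-byte slot; "db 0" only cleared the low byte (e.g. 5000 = 0x1388 would have left 0x1300 behind)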


Re: How to registersymbol?

Post by BabyGroot »

Do you want to enter 2 aob in 1 script?


Re: How to registersymbol?

Post by SilverRabbit90 »

BabyGroot wrote:
Tue Nov 28, 2023 4:43 pm
Do you want to enter 2 aob in 1 script?
As far as I know it is useless: the second script has no AoB; if you write "registersymbol" (in the first script) you can keep using the data in another script.


In the second script I set it to 5000 and it works, but if the second script is not active the points automatically set to 0.
I tried writing "label" instead of "alloc", but with label you have to write all the data in the first script, otherwise the script doesn't work.


Re: How to registersymbol?

Post by VampTY »

Hi,

There -> viewtopic.php?t=19148 , i've posted on how to make working scripts with what you said you've wanted, read the info provided by me there.

There -> viewtopic.php?t=10945 , just download the updated table from there, uploaded by me and look inside the script for Player: Health, game's on Unity, anyway that won't matter, just to get some idea! ;)

Perhaps you'll get your answer; also, I've downloaded some random version and I did only turns/reward: one is with movsxd and the other one is without, both with alloc. Anyway it works even if it is movzx or movsd and more; this was for exemplification only. Reward will need to be enabled after you've earned something, then earn again and the value will appear. Turn will need to be activated after you've used one turn, then use another point and then you'll see the value.

Edited values will be updated the next time you earn points or turn one tile. I hope it helps! ;) :P
Attachments
Carcassonne.CT
Table [Non-Steam]


Re: How to registersymbol?

Post by Paul44 »

^@SilverRabbit90: I haven't gone through all code/comments here, but since this is a x64 game:

********************** (something in those lines)
alloc(setPoints,4)                      // 4-byte slot, matching the dd below

setPoints:
dd (int)100

newmem:
// r15 is non-volatile (callee-saved) in the Microsoft x64 ABI, so it is saved and
// restored around its use as scratch.
push r15 // or any reg you prefer
mov r15,setPoints                       // absolute 64-bit address of the alloc: works at any distance from the cave
mov r15d,dword ptr [r15]                // r15d = *setPoints
mov edx,r15d                            // zero-extends into rdx (the original movsxd below sign-extends)
// or: mov [rsi+18],r15d
pop r15
code:
// does not really make sense, unless you overwrite rsi+18
movsxd rdx,dword ptr [rsi+18]           // original instruction: overwrites the rdx set above
mov rcx,rax
jmp return
**********************

Note: with "certain" x64 games, CE seems to get "confused" about injecting code; sometimes it works and sometimes it does not ?!
=> the "simplest" way to check: jump to your injection location, and then enable your script. Then just dis/re-enable a few times and see if opcode is still restored correctly... ?!
> happens only on win10+ OS
> which is why i've been progressively converting my - x64 - tables to 'jump far' instructions these days


Re: How to registersymbol?

Post by SilverRabbit90 »

Paul44 wrote:
Tue Jan 02, 2024 8:55 am
^@SilverRabbit90: I haven't gone through all code/comments here, but since this is a x64 game:

********************** (something in those lines)
alloc(setPoints,4)

setPoints:
dd (int)100

newmem:
push r15 // or any reg you prefer
mov r15,setPoints
mov r15d,dword ptr [r15]
mov edx,r15d
// or: mov [rsi+18],r15d
pop r15
code:
// does not really make sense, unless you overwrite rsi+18
movsxd rdx,dword ptr [rsi+18]
mov rcx,rax
jmp return
**********************

Note: with "certain" x64 games, CE seems to get "confused" about injecting code; sometimes it works and sometimes it does not ?!
=> the "simplest" way to check: jump to your injection location, and then enable your script. Then just dis/re-enable a few times and see if opcode is still restored correctly... ?!
> happens only on win10+ OS
> which is why i've been progressively converting my - x64 - tables to 'jump far' instructions these days


I tried with:

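[ENABLE]

//aobscan(PointsA,48 63 56 18 48 8B C8 83 38 00 49 BB 40) // should be unique
// Verify the bytes at the injection point before patching ("?0" wildcards the low
// nibble of the r11 immediate, which looks like a runtime method address).
assert(HUDScreen:OnPlayerScoreModified+62,48 63 56 18 48 8B C8 83 38 00 49 BB ?0) // should be unique
// Code cave requested near the injection point so the 5-byte rel32 jmp can reach it.
alloc(newmem,$1000,HUDScreen:OnPlayerScoreModified+62)

// Separate 8-byte allocation holding the value forced into the points field.
// Registered so another script or the address list can refer to it by name
// (the original had a stray unregistersymbol here, which registers nothing).
alloc(setPoints,8)
registersymbol(setPoints)

label(code)
label(return)

newmem:

// r15 is non-volatile in the Microsoft x64 ABI, so it is saved/restored around its
// use as scratch. "mov r15,setPoints" loads the absolute 64-bit address, so it works
// no matter how far the allocation is from this cave.
push r15
mov r15,setPoints
mov r15d,dword ptr [r15]                // r15d = *setPoints (4-byte int)
mov [rsi+18],r15d                       // overwrite the field the original movsxd reads next
pop r15

code:
  movsxd  rdx,dword ptr [rsi+18]        // original instruction: rdx = sign-extended field (now the forced value)
  mov rcx,rax                           // original instruction
  jmp return                            // lands on "cmp dword ptr [rax],00", which rewrites the flags

// "setPoints:" moves the write cursor into the setPoints allocation (not newmem),
// so this initialises the slot once, when the script is enabled.
setPoints:
  dd (int)100

HUDScreen:OnPlayerScoreModified+62:
  jmp newmem                            // 5 bytes
  nop 2                                 // pad to the 7 original bytes replaced
return:
//registersymbol(PointsA)

[DISABLE]

HUDScreen:OnPlayerScoreModified+62:
  db 48 63 56 18 48 8B C8               // restore movsxd rdx,dword ptr [rsi+18] ; mov rcx,rax

unregistersymbol(*)
dealloc(*)                              // free setPoints too; dealloc(newmem) alone leaked the 8-byte alloc on every enable/disable cycle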
Everything works perfectly thanks a lot.


Re: How to registersymbol?

Post by Paul44 »

^ glad to hear it. And FYI: in the 'GENERIC TUTORIALS' section I have posted a doc on how to implement a 'jump far' instruction. Eventually you will have to tackle that one for sure...


Re: How to registersymbol?

Post by SilverRabbit90 »

Paul44 wrote:
Wed Jan 03, 2024 6:47 pm
^ glad to hear it. and fyi: in 'GENERIC TUTORIALS' section I have posted a doc on how to implement a 'jump far' instruction. Evt you will have to tackle that one for sure...

To be clear, I have both Windows 10 and Windows 11; I generally use Windows 10 for cheats.
For this specific game I used Windows 10, but trying to use cheats on Windows 11 they work without any problem.

I tried to make a "jump far" but the game blocks.

This is what I tried to do:

[ENABLE]

// Long pattern covering the tail of OnPlayerScoreModified; the two "?? ?? ?? ?? ?? ?? 00 00"
// runs wildcard the r11 immediates, which look like runtime addresses that change per launch.
aobscan(PointsTest,41 FF D3  85 C0  0F 84 37 00 00 00  49 8B 87 18 02 00 00  48 8B C8  48 8B D7  83 38 00  49 BB ?? ?? ?? ?? ?? ?? 00 00  41 FF D3  83 3E 00      48 63 56 18    48 8B C8  83 38 00  49 BB ?? ?? ?? ?? ?? ?? 00 00  41 FF D3  48 8B 75 E8  48 8B 7D F0  4C 8B 7D F8  48 8D 65 00  5D  C3) // should be unique
// No preferred address: the cave may land more than 2 GB away, which is why a
// 14-byte "jmp far" is used instead of a 5-byte rel32 jmp.
alloc(newmem,$1000)


label(code)
label(return)

newmem:

mov [rsi+18],(int)100                   // NOTE(review): CE appears to assemble this as a 32-bit store -- confirm the field width

code:
  movsxd  rdx,dword ptr [rsi+18]        // original instruction
  mov rcx,rax                           // original instruction
  jmp return

// NOTE(review): "jmp far" is 14 bytes, but only the 7 original bytes (movsxd + mov rcx,rax)
// are relocated above and restored below, so the patch also overwrites the following
// "cmp dword ptr [rax],00" and the first bytes of "mov r11,..." -- most likely why the
// game freezes. Relocating everything through the end of that mov r11 (20 bytes, +2B..+3E)
// with "nop 6", and restoring all 20 bytes on disable, fixes it; "nop 2" only pads a 5-byte jmp.
PointsTest+2B:
  jmp far newmem
  nop 2
return:
registersymbol(PointsTest)

[DISABLE]

PointsTest+2B:
  db 48 63 56 18 48 8B C8               // restores 7 bytes; a 14-byte jmp needs the whole overwritten span restored

unregistersymbol(PointsTest)
dealloc(newmem)
If I take away "far" from "jmp far newmem" the cheat works normally (also on Windows 11).

I think I need an example to understand...


Re: How to registersymbol?

Post by Eric »

a jmp far is 14 bytes long so the code that gets relocated to the script needs to be longer as well, and disabling the script and restoring the bytes will require at least 14 bytes as well

Also, in cheat engine you can check as template 14 byte jmp and then generate the script, and it'll do most of the bytecounting for you
(or use the jmp1 instruction in 7.5 which is just 1 byte long)


Re: How to registersymbol?

Post by Tuuuup! »

Eric wrote:
Wed Jan 03, 2024 9:49 pm
(or use the jmp1 instruction in 7.5 which is just 1 byte long)
Is that one of those hidden instructions that not a lot of people know about? And does it work when you have trouble allocation for jump and need to use jump 14 or different work around? Can't remember a game where I can test it.
SilverRabbit90 wrote:
Wed Jan 03, 2024 9:18 pm
..
I did a quick test what Eric posted about the jmp1 in a different game.

Here is the last part of your code. It should work?


//////////
// Tail of the script only: [ENABLE], aobscan, alloc and the newmem body are outside this excerpt.
PointsTest+2B:
  jmp1 newmem  // need to test this more. This is new for me to
  // jmp1 is the 1-byte "exception jmp" (CE 7.5+): presumably each pass through here raises an
  // exception that a CE-installed handler redirects to newmem, so it is slower than a real jmp
  // and depends on the game not handling that exception itself -- TODO confirm
  nop 6  // Don't forget to adjust it when using jmp1
  // 1 + 6 = the 7 original bytes (movsxd + mov rcx,rax) replaced
return:
registersymbol(PointsTest)

[DISABLE]

PointsTest+2B:
  db 48 63 56 18 48 8B C8               // restore movsxd rdx,dword ptr [rsi+18] ; mov rcx,rax

unregistersymbol(PointsTest)
dealloc(newmem)


Re: How to registersymbol?

Post by SilverRabbit90 »

Well thanks guys, now I think I understand.
I have made a small guide for those like me who are still inexperienced.

Once you are in the "Memory Viewer" and clicked on "Tools"

Once "Auto Assemble" has opened, to change the way Cheat Engine generates the "Jump" automatically, you have to click on "Template"
As you can see normally it is set on 5 bytes
Now from what I understand for Windows 11 it is better to set it on 14 bytes
Now if we create an AOB script, again clicking on "Template" and then on "Aob Injection", we give it a name and it generates something like this:

[ENABLE]

// NOTE(review): the last 8 bytes of this pattern (4A 27 E7 E2 6D 01 00 00) are the r11
// immediate, i.e. the address of a method in this particular process (the earlier listing
// showed a different value for the same instruction) -- it changes per launch, so the scan
// will stop matching; wildcard them with "??" as the earlier patterns did.
aobscan(TestA,48 63 56 18 48 8B C8 83 38 00 49 BB 4A 27 E7 E2 6D 01 00 00) // should be unique
alloc(newmem,$1000)                     // no preferred base: reachability is handled by the 14-byte jmp below

label(code)
label(return)

newmem:

code:
  movsxd  rdx,dword ptr [rsi+18]        // original instruction
  mov rcx,rax                           // original instruction
  cmp dword ptr [rax],00                // original instruction
  mov r11,0000016DE2E7274A              // NOTE(review): same baked-in runtime address; copying the live 10 bytes (e.g. with CE's readmem) keeps the script valid across launches
  jmp return

TestA:
  jmp far newmem                        // 14 bytes
  nop 6                                 // 14 + 6 = the 20 original bytes relocated above
return:
registersymbol(TestA)

[DISABLE]

TestA:
  db 48 63 56 18 48 8B C8 83 38 00 49 BB 4A 27 E7 E2 6D 01 00 00   // restores all 20 bytes, including the same baked-in address

unregistersymbol(TestA)
dealloc(newmem)
which can be changed at will.




For a script with a "jump1" just click in "Template" on "1byte exception jmp" and a check will appear on the latter

Here is an example based on "5 byte jmp" and "1byte exception jmp" activated:


[ENABLE]

// NOTE(review): the trailing 4A is the first byte of a runtime address (the earlier
// patterns wildcard it as "?0" / "??"); drop it or wildcard it so the scan survives a relaunch.
aobscan(TestB,48 63 56 18 48 8B C8 83 38 00 49 BB 4A) // should be unique
alloc(newmem,$1000,TestB)               // cave requested near the injection point

label(code)
label(return)

newmem:

code:
  movsxd  rdx,dword ptr [rsi+18]        // the single original instruction replaced (4 bytes)
  jmp return

TestB:
  jmp1 newmem                           // 1-byte "exception jmp" (CE 7.5+): presumably trapped by a CE-installed handler that redirects to newmem, so slower than a real jmp -- TODO confirm
  nop 3                                 // 1 + 3 = the 4 bytes of the movsxd
return:
registersymbol(TestB)

[DISABLE]

TestB:
  db 48 63 56 18                        // restore movsxd rdx,dword ptr [rsi+18]

unregistersymbol(TestB)
dealloc(newmem)
I hope it's useful...


Re: How to registersymbol?

Post by Paul44 »

^ as I stated, tutorial on 'jmp far' conversion here: [ viewtopic.php?f=11&t=19793 ].

To summarize:
a. use 14 bytes (instead of 5), to always handle mem_boundaries just fine
b. trampoline: not all opcodes allow a "proper" 14-byte injection (basically, avoiding any opcode offsets and whatnot). In these cases, one can use a 'trampoline' to inject a 'jmp short' initially...
OR: to "keep" all your jmp short instructions, you can implement trampolines for each and every one of them.

ps: I've encountered these 'offset too big ~ etc' issues on both v10 & v11 (well, my users did). Pure assumption here, but me think chances to encounter this increase by the amount of RAM ?!
ps2: i did not know about the 1byte-jmp? interesting...


Re: How to registersymbol?

Post by SilverRabbit90 »

BabyGroot wrote:
Tue Nov 28, 2023 4:43 pm
Do you want to enter 2 aob in 1 script?
I finally made it. What I wanted to do was:


By activating the first script you can see the points (in this game, only when they are earned)

First Script:

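[ENABLE]

//aobscan(PointsA,48 63 56 18 48 8B C8 83 38 00 49 BB 40) // should be unique
// Verify the bytes at the injection point before patching ("?0" wildcards the low
// nibble of the r11 immediate, which looks like a runtime method address).
assert(HUDScreen:OnPlayerScoreModified+62,48 63 56 18 48 8B C8 83 38 00 49 BB ?0) // should be unique
// Code cave requested near the injection point so the 5-byte rel32 jmp can reach it.
alloc(newmem,$1000,HUDScreen:OnPlayerScoreModified+62)

// On/off flag toggled by the second script (1 = force the points value).
alloc(infPoints,8)
registersymbol(infPoints)

infPoints:
dd 0

label(code)
label(return)

// Disabling the second script simply goes back to showing the "Points" value.
// Example screenshot: https://i.postimg.cc/R0m10LCq/Pic-First-Second-Script.png
// (these notes were plain text inside the script in the original post and would not assemble)

// seePoints: 8-byte slot (dq below) exposing the base pointer the hook sees, so an
// address-list entry can follow it to the live points field.
label(seePoints)
registersymbol(seePoints)

// SetPoints: 4-byte value copied into the points field while infPoints == 1.
label(SetPoints)
registersymbol(SetPoints)

newmem:

mov [seePoints],rsi                     // publish the base pointer (8 bytes)

cmp [infPoints],1                       // forcing off? run only the original instructions
jne code

// r15 is non-volatile in the Microsoft x64 ABI: save/restore it around scratch use.
// "mov r15,SetPoints" loads the absolute 64-bit address, so distance does not matter.
push r15
mov r15,SetPoints
mov r15d,dword ptr [r15]                // r15d = *SetPoints
mov [rsi+18],r15d                       // overwrite the field the original movsxd reads next
pop r15
// fall through into the original instructions (the original carried a second copy of them here)

code:
  movsxd  rdx,dword ptr [rsi+18]        // original instruction
  mov rcx,rax                           // original instruction
  jmp return                            // lands on "cmp dword ptr [rax],00", which rewrites the flags

  SetPoints:
  dd (int)100                           // default; change it through the registered symbol

  seePoints:
  dq 0

HUDScreen:OnPlayerScoreModified+62:
  jmp newmem                            // 5 bytes
  nop 2                                 // pad to the 7 original bytes replaced
return:
//registersymbol(PointsA)

[DISABLE]

HUDScreen:OnPlayerScoreModified+62:
  db 48 63 56 18 48 8B C8               // restore movsxd rdx,dword ptr [rsi+18] ; mov rcx,rax

unregistersymbol(*)
dealloc(*)                              // frees newmem and infPoints; disable the second script first, since it refers to infPoints by name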

After that by activating the second script you can change the value to your liking.


(or if you have set a predefined value in the first script CE will use that

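[ENABLE]

//aobscan(PointsA,48 63 56 18 48 8B C8 83 38 00 49 BB 40) // should be unique
// Verify the bytes at the injection point before patching ("?0" wildcards the low
// nibble of the r11 immediate, which looks like a runtime method address).
assert(HUDScreen:OnPlayerScoreModified+62,48 63 56 18 48 8B C8 83 38 00 49 BB ?0) // should be unique
// Code cave requested near the injection point so the 5-byte rel32 jmp can reach it.
alloc(newmem,$1000,HUDScreen:OnPlayerScoreModified+62)

// On/off flag toggled by the second script (1 = force the points value).
alloc(infPoints,8)
registersymbol(infPoints)

infPoints:
dd 0

label(code)
label(return)

// seePoints: 8-byte slot (dq below) exposing the base pointer the hook sees.
label(seePoints)
registersymbol(seePoints)

// SetPoints: kept registered for the address list; this variant writes the constant
// (int)100 directly and never reads the slot.
label(SetPoints)
registersymbol(SetPoints)

newmem:

mov [seePoints],rsi                     // publish the base pointer (8 bytes)

cmp [infPoints],1                       // forcing off? run only the original instructions
jne code

mov [rsi+18],(int)100                   // overwrite the field the original movsxd reads next (CE appears to assemble this as a 32-bit store -- confirm)
// fall through into the original instructions (the original carried a second copy of them here)

code:
  movsxd  rdx,dword ptr [rsi+18]        // original instruction
  mov rcx,rax                           // original instruction
  jmp return                            // lands on "cmp dword ptr [rax],00", which rewrites the flags

  SetPoints:
  dd (int)100

  seePoints:
  dq 0

HUDScreen:OnPlayerScoreModified+62:
  jmp newmem                            // 5 bytes
  nop 2                                 // pad to the 7 original bytes replaced
return:
//registersymbol(PointsA)

[DISABLE]

HUDScreen:OnPlayerScoreModified+62:
  db 48 63 56 18 48 8B C8               // restore movsxd rdx,dword ptr [rsi+18] ; mov rcx,rax

unregistersymbol(*)
dealloc(*)                              // frees newmem and infPoints; disable the second script first, since it refers to infPoints by name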
)


Second Script:

[ENABLE]

// Only assembles while the first script is enabled: infPoints is an alloc it registers.
infPoints:
dd 1                                    // tell the hook to force the points value
 
 
[DISABLE]

infPoints:
dd 0                                    // back to pass-through; disable this before the first script, whose dealloc(*) drops the symbol

Disabling the second script you will simply return to see the value of "Points".


Example:
This video helped me a lot (I have been trying to do it for a long time):
[Link]
