How do you disable a 'cmp' comparator?

[SilverRabbit90]

To begin with, this is a countdown that, in this specific test, goes from 30 to 0. I tried to set it directly to zero, but it bugs the audio (and it's annoying).

I tried this:

Spoiler

Code: Select all

aobscanmodule(BuildArrivePointConstructionTimeZa,JWE2.exe,F3 0F 10 45 04 48 8D 44 24 60) // should be unique
alloc(newmem,$1000,BuildArrivePointConstructionTimeZa)

label(code)
label(return)

newmem:

mov [rbp+04],(float)0


code:
  movss xmm0,[rbp+04]
  jmp return

BuildArrivePointConstructionTimeZa:
  jmp newmem
return:
registersymbol(BuildArrivePointConstructionTimeZa)

[DISABLE]

BuildArrivePointConstructionTimeZa:
  db F3 0F 10 45 04

unregistersymbol(BuildArrivePointConstructionTimeZa)

But bugs the audio

.

Then I tried these codes to disable the comparator once the counter is set to 1

Spoiler

Code: Select all

[ENABLE]

aobscanmodule(BuildArrivePointConstructionTimeZa,JWE2.exe,F3 0F 10 45 04 48 8D 44 24 60) // should be unique
alloc(newmem,$1000,BuildArrivePointConstructionTimeZa)

label(code)
label(return)

newmem:

mov [rbp+04],(float)1
  jmp @f

@@:

cmp [rbp+04],(float)1
jne code

  movss xmm0,[rbp+04]
  jmp return

code:
  movss xmm0,[rbp+04]
  jmp return

BuildArrivePointConstructionTimeZa:
  jmp newmem
return:
registersymbol(BuildArrivePointConstructionTimeZa)

[DISABLE]

BuildArrivePointConstructionTimeZa:
  db F3 0F 10 45 04

unregistersymbol(BuildArrivePointConstructionTimeZa)

or this:

Spoiler

Code: Select all

[ENABLE]

aobscanmodule(BuildArrivePointConstructionTimeZa,JWE2.exe,F3 0F 10 45 04 48 8D 44 24 60) // should be unique
alloc(newmem,$1000,BuildArrivePointConstructionTimeZa)

label(code)
label(return)

newmem:

mov [rbp+04],(float)1

cmp [rbp+04],(float)1
je code

code:
  movss xmm0,[rbp+04]
  jmp return

BuildArrivePointConstructionTimeZa:
  jmp newmem
return:
registersymbol(BuildArrivePointConstructionTimeZa)

[DISABLE]

BuildArrivePointConstructionTimeZa:
  db F3 0F 10 45 04

unregistersymbol(BuildArrivePointConstructionTimeZa)
dealloc(newmem)

But neither of the two scripts works; the value remains stuck at one when it should execute the normal code (to count down in 1 second).

I need help Thx

[Csimbi]

I am not seeing a cmp.

[SilverRabbit90]

I am not seeing a cmp.

I know 'cmp' as 'compare'; if I'm wrong, could you explain why? In any case, did you understand my question? I would like the value of the counter to be set to 1, then disabled, and execute the normal code.

[Csimbi]

I know 'cmp' as 'compare

Right, spot on.
However, I am not seeing one in the code snippets you posted.

[Zeptiont]

I don't see a cmp instruction either in the first code I'm guessing the original code doesn't have one? In that case you might wanna save and restore original flag registers also your second and third codes jump operators do nothing meaningful. Here's a link on jumps: [Link]

Use jumps like this with cmp:

Code: Select all

newmem:
  pushf // save original flag registers changed by cmp instruction
  cmp [rbp+04],(float)30  // your condition
  je @f // jump to @@ if your condition is met (can also use jne,jb,ja,jbe,jae etc.)
  popf //restore original flag registers
  // either change the code here
  movss xmm0,[rbp+04]
  jmp return

@@:
  popf //restore original flag registers
  // or change the code here
  movss xmm0,[rbp+04]
  jmp return

[SilverRabbit90]

Strangely, I managed to solve it with this (without the audio bug):

Spoiler

Code: Select all

[ENABLE]

aobscanmodule(BuildArrivePointConstructionTimeZa,JWE2.exe,F3 0F 10 45 04 48 8D 44 24 60) // should be unique
alloc(newmem,$1000,BuildArrivePointConstructionTimeZa)

label(code)
label(return)

newmem:

  cmp [rbp+04],(float)1
  je @f

  mov [rbp+04],(float)1
  jmp return


@@:

  mov [rbp+04],(float)0


code:
  movss xmm0,[rbp+04]
  jmp return


BuildArrivePointConstructionTimeZa:
  jmp newmem
return:
registersymbol(BuildArrivePointConstructionTimeZa)

[DISABLE]

BuildArrivePointConstructionTimeZa:
  db F3 0F 10 45 04

unregistersymbol(BuildArrivePointConstructionTimeZa)
dealloc(newmem)

It doesn't restart the countdown as I wanted, but it sets the value contained in [rbp+04] directly to zero.
This is strange since this script causes the audio to bug:

Spoiler

Code: Select all

[ENABLE]

aobscanmodule(BuildArrivePointConstructionTimeZa,JWE2.exe,F3 0F 10 45 04 48 8D 44 24 60) // should be unique
alloc(newmem,$1000,BuildArrivePointConstructionTimeZa)

label(code)
label(return)

newmem:

mov [rbp+04],(float)0

code:
  movss xmm0,[rbp+04]
  jmp return

BuildArrivePointConstructionTimeZa:
  jmp newmem
return:
registersymbol(BuildArrivePointConstructionTimeZa)

[DISABLE]

BuildArrivePointConstructionTimeZa:
  db F3 0F 10 45 04

unregistersymbol(BuildArrivePointConstructionTimeZa)
dealloc(newmem)

Apparently, they do the same thing... (STRANGE)

[SilverRabbit90]

I solved it with these codes as far as the countdown is concerned, although after a few uses the game crashes (I also tried setting it to 10 seconds and it does the countdown regularly).


1)

Spoiler

Code: Select all

[ENABLE]

aobscanmodule(BuildArrivePointConstructionTimeZa,JWE2.exe,F3 0F 10 45 04 48 8D 44 24 60) // should be unique
alloc(newmem, $1000, BuildArrivePointConstructionTimeZa)

label(code)
label(initialized)
label(invalid_address)
label(return)

newmem:
  cmp [rbp+08],1
  je initialized


  mov rax,[rbp+04]
  test rax,rax
  jz invalid_address

  mov [rbp+04],(float)1
  mov [rbp+08],1
  jmp return



code:
 movss xmm0,[rbp+04]
 jmp return

invalid_address:

 jmp return

initialized:
  movss xmm0,[rbp+04]
  jmp return

BuildArrivePointConstructionTimeZa:
 jmp newmem
return:
registersymbol(BuildArrivePointConstructionTimeZa)

[DISABLE]

BuildArrivePointConstructionTimeZa:
 db F3 0F 10 45 04 48 8D 44 24 60

unregistersymbol(BuildArrivePointConstructionTimeZa)
dealloc(newmem)

2)

Spoiler

Code: Select all

[ENABLE]

aobscanmodule(BuildArrivePointConstructionTimeZa, JWE2.exe, F3 0F 10 45 04 48 8D 44 24 60)
alloc(newmem, $1000, BuildArrivePointConstructionTimeZa)

label(code)
label(initialized)
label(returnToOriginal)
label(invalid_address)

newmem:

  push rax
  push rbx
  push rcx
  push rdx
  push rsi
  push rdi
  push r8
  push r9
  push r10
  push r11
  push r12
  push r13
  push r14
  push r15

  cmp [rbp+08], 1
  je initialized


  mov rax, [rbp+04]
  test rax, rax
  jz invalid_address

  mov [rbp+04], (float)1
  mov [rbp+08], 1
  jmp returnToOriginal

invalid_address:
  mov [rbp+04],(float)0
  jmp returnToOriginal

initialized:
  movss xmm0, [rbp+04]
  jmp returnToOriginal

code:
  movss xmm0, [rbp+04]
  jmp returnToOriginal

returnToOriginal:
  pop r15
  pop r14
  pop r13
  pop r12
  pop r11
  pop r10
  pop r9
  pop r8
  pop rdi
  pop rsi
  pop rdx
  pop rcx
  pop rbx
  pop rax
  jmp return

BuildArrivePointConstructionTimeZa:
  jmp newmem
return:
registersymbol(BuildArrivePointConstructionTimeZa)

[DISABLE]

BuildArrivePointConstructionTimeZa:
  db F3 0F 10 45 04 48 8D 44 24 60

unregistersymbol(BuildArrivePointConstructionTimeZa)
dealloc(newmem)

[Rhark]

Wouldn't it be better to use an instruction that writes the float value to the address you want to modify? Your code snippets are so strange to me and doesn't help portray what you are trying to achieve.

Am I understanding correctly that you want to do some sort of "Fast Construction" or similar cheat?

[SilverRabbit90]

Wouldn't it be better to use an instruction that writes the float value to the address you want to modify? Your code snippets are so strange to me and doesn't help portray what you are trying to achieve.

Am I understanding correctly that you want to do some sort of "Fast Construction" or similar cheat?

First of all, it’s a cheat for fast building.
Okay, I’ll try to explain myself better by giving examples based on what I have done/know how to do.

Now what I do with this script is set the value contained in [rbp+04] to 5

Spoiler

Code: Select all

[ENABLE]

aobscanmodule(BuildArrivePointConstructionTimeZa,JWE2.exe,F3 0F 10 45 04 48 8D 44 24 60) // should be unique
alloc(newmem,$1000,BuildArrivePointConstructionTimeZa)

label(code)
label(return)

newmem:

mov [rbp+04],(float)5

code:
  movss xmm0,[rbp+04]
  jmp return


BuildArrivePointConstructionTimeZa:
  jmp newmem
return:
registersymbol(BuildArrivePointConstructionTimeZa)

[DISABLE]

BuildArrivePointConstructionTimeZa:
  db F3 0F 10 45 04

unregistersymbol(BuildArrivePointConstructionTimeZa)
dealloc(newmem)

Video 1:

Spoiler

Now, if I set it directly to 0 for "Instant Building," the audio gets bugged.

Spoiler

Code: Select all

[ENABLE]

aobscanmodule(BuildArrivePointConstructionTimeZa,JWE2.exe,F3 0F 10 45 04 48 8D 44 24 60) // should be unique
alloc(newmem,$1000,BuildArrivePointConstructionTimeZa)

label(code)
label(return)

newmem:

mov [rbp+04],(float)0

code:
  movss xmm0,[rbp+04]
  jmp return


BuildArrivePointConstructionTimeZa:
  jmp newmem
return:
registersymbol(BuildArrivePointConstructionTimeZa)

[DISABLE]

BuildArrivePointConstructionTimeZa:
  db F3 0F 10 45 04

unregistersymbol(BuildArrivePointConstructionTimeZa)
dealloc(newmem)

Video 2:

Spoiler

With this script, the timer is set to 5 seconds and then the countdown is restarted.

Spoiler

Code: Select all

[ENABLE]

aobscanmodule(BuildArrivePointConstructionTimeZa,JWE2.exe,F3 0F 10 45 04 48 8D 44 24 60) // should be unique
alloc(newmem, $1000, BuildArrivePointConstructionTimeZa)

label(code)
label(initialized)
label(invalid_address)
label(return)

newmem:
  cmp [rbp+08],1
  je initialized


  mov rax,[rbp+04]
  test rax,rax
  jz invalid_address

  mov [rbp+04],(float)5
  mov [rbp+08],1
  jmp return



code:
 movss xmm0,[rbp+04]
 jmp return

invalid_address:

 jmp return

initialized:
  movss xmm0,[rbp+04]
  jmp return

BuildArrivePointConstructionTimeZa:
 jmp newmem
return:
registersymbol(BuildArrivePointConstructionTimeZa)

[DISABLE]

BuildArrivePointConstructionTimeZa:
 db F3 0F 10 45 04 48 8D 44 24 60

unregistersymbol(BuildArrivePointConstructionTimeZa)
dealloc(newmem)

Video 3:

Spoiler

This is exactly what I wanted to do, but I couldn't manage it (I also need it for other games where a counter can't always be set directly to 0; for example, if the health of some enemies is set directly to zero with an OHK, the game bugs out). Basically, what I want to do is set an initial value (in this case, 5 seconds, but it could also be 5 HP) and then let the normal code execute as if I were disabling the script.
The main problem with this is that after a few uses, the game crashes.


I would like to know if it can be resolved with something like:

Spoiler

Code: Select all

[ENABLE]

aobscanmodule(BuildArrivePointConstructionTimeZa,JWE2.exe,F3 0F 10 45 04 48 8D 44 24 60) // should be unique
alloc(newmem,$1000,BuildArrivePointConstructionTimeZa)

label(code)
label(return)

newmem:

mov [rbp+04],(float)5
brake this code

or

mov [rbp+04],(float)5
stop this code

or

mov [rbp+04],(float)5
end this code

or

mov [rbp+04],(float)5
finish this code

code:
  movss xmm0,[rbp+04]
  jmp return


BuildArrivePointConstructionTimeZa:
  jmp newmem
return:
registersymbol(BuildArrivePointConstructionTimeZa)

[DISABLE]

BuildArrivePointConstructionTimeZa:
  db F3 0F 10 45 04

unregistersymbol(BuildArrivePointConstructionTimeZa)
dealloc(newmem)

Some kind of command that makes it stop executing the code as if you had manually disabled the script, in this case to restart the countdown as in Video 3. Maybe with a Lua script.


This script is used to achieve "Instant Build" without the audio bug.

Spoiler

Code: Select all

[ENABLE]

aobscanmodule(BuildArrivePointConstructionTimeZa,JWE2.exe,F3 0F 10 45 04 48 8D 44 24 60) // should be unique
alloc(newmem,$1000,BuildArrivePointConstructionTimeZa)

label(code)
label(return)

newmem:

  cmp [rbp+04],(float)1
  je @f

  mov [rbp+04],(float)1
  jmp return


@@:

  mov [rbp+04],(float)0


code:
  movss xmm0,[rbp+04]
  jmp return


BuildArrivePointConstructionTimeZa:
  jmp newmem
return:
registersymbol(BuildArrivePointConstructionTimeZa)

[DISABLE]

BuildArrivePointConstructionTimeZa:
  db F3 0F 10 45 04

unregistersymbol(BuildArrivePointConstructionTimeZa)
dealloc(newmem)

Video 4:

Spoiler

It works, but I don't think it's the same for other games.

[SunBeam]

Hi there.

'the audio bugs' -> of course it does and it will always will, considering there are animations that are linked to each frame that's counted towards completion of the building.

Let's assume you have 5 seconds of building time:

- 1s - show scaffold - it has a certain sound tied to the frame
- 2s - show planks - it has a certain sound tied to the frame
- etc.

What you're doing is hacking the timer, but not the animation. So your timer skips frames and jumps instantly to near completion while the animation stays behind. So let me guess: building finishes, but audio keeps playing?

EDIT: Yep, that's pretty much what I see in "Video 2". You have to find the "building completed" flag or condition and force it, so whatever sounds keep playing are stopped.

---

I don't have the Steam version (I see you're using JWE2.exe) or any other, so I got that FitGirl repack. It comes with 2 developer executables, I used the "JWE2.release.exe" one, but the logic I applied was this:

- start building something -> e.g.: Control Center
- take a look at the construction timer and pause game
- in CE, search for Value Type: Float, Value between... -> the timer value you saw on your screen -1 or -2 to the left box; the timer value you saw on your screen +1 or +2 to the right box (e.g.: if your timer is 26, then search for "between 24 and 28")
- go back to game, resume game, let timer decrease some more
- continue the search to filter down on values using the "value between" logic above
- in no time you'll be left with 4 values or so; pick apart which one is yours by modifying its value
- back in-game, it should update once you unpause, so you'd know if it's the right one or not
- debug it; first on write, then what accesses, to have a complete overview

I got these on my end (of course they won't match yours in your exe):

Code: Select all

JWE2.release.exe+248877B - F3 0F10 46 04         - movss xmm0,[rsi+04] <<
JWE2.release.exe+2488780 - F3 0F5C C1            - subss xmm0,xmm1
JWE2.release.exe+2488784 - 0F2F F8               - comiss xmm7,xmm0
JWE2.release.exe+2488787 - F3 0F11 46 04         - movss [rsi+04],xmm0 <<

Code: Select all

JWE2.release.exe+250ABB0 - F3 0F10 55 04         - movss xmm2,[rbp+04] <<
JWE2.release.exe+250ABB5 - 8B D3                 - mov edx,ebx
JWE2.release.exe+250ABB7 - 49 8B CC              - mov rcx,r12
JWE2.release.exe+250ABBA - E8 11E6C1FD           - call JWE2.release.AK::SoundEngine::PrepareGameSyncs+3E3
JWE2.release.exe+250ABBF - 41 FF CD              - dec r13d

If you follow the flow in the first snippet:

- get/read timer's float value to xmm0
- subtract step ticker from it (ticker value is in xmm1)
- set/write timer's float value from the updated xmm0

So instead of bluntly adjusting that timer value to say 1 or 5, why not hack the ticker?

Code: Select all

movss xmm0,[rsi+04]
movss xmm15,[fMultiplier]
mulss xmm1,xmm15
jmp return

fMultiplier:
dd (float)10.0

So what the above does now is this:

Code: Select all

movss xmm0,[rsi+04] // timer
movss xmm15,[fMultiplier] // multiplier, in our case 10.0
mulss xmm1,xmm15 // ticker * 10.0
subss xmm0,xmm1

So the build speed now is increased by hijacking the countdown timer and making the game elapse times 10, instead of times 1.



And no, the audio doesn't bug.

BR,
Sun

[Rhark]

Sunbeam's method is the ideal method for "Fast Construction" etc. For health as you mentioned with some games not allowing you to set the health to 0 without it bugging you have two options that I can think of:

A: find what handles your damage value and multiply that.

B: compare two XMM register values and write 1 to the health once (so more of a two-hit kill).


an example for "B" would be this:

Code: Select all

newmem:
movss xmm15,[rax+40] // pretend this is the health
movss xmm14,[hpVal] // this will be (float)1
comiss xmm15,xmm14
jle @f
movss [rax+40],xmm14

....

hpVal:
  dd (float)1

...

This checks if the value of health is (float)1 and if above it will write (float)1 to it and then skip writing (float)1 afterwards so the next hit would kill them (some games this having health at 1 would kill them regardless, depends on the game).

[SilverRabbit90]

...

Thank you, I understand that it’s better to choose a good script ignition point in order to mainly work on the registers. I didn’t understand why you specifically chose the xmm15 register; perhaps because you assumed it was empty? I tried using the xmm10 register, and everything works perfectly.
In this specific case, it wasn't necessary to search for the timer using "Value Between," but I do use it as well when I can't find the value directly.

Video:

Spoiler

[SunBeam]

...

Honestly, I never fiddle anymore with Entity->Health (or whatever you wanna call it). It makes no sense to me to make 1-hit kill with adjusting AI health to 0 or 1. What works even better is adjusting the damage output. In the majority of game engines, ::TakDamage or ::DoDamage functions are generic, so any type of Entity (be it player or enemy) will use that same function. It's all a matter of filtering player from enemy and making it so dealt damage is multiplied with your static -> ::DoDamage( ..., fVal * fMultiplier, ... ). Game does the rest for ya.

...

If you take a look at calling conventions, you will see that SSE/SSE2 instructions can be used in the list of arguments. Since most games do not use functions with complex arguments, chances that a function will end-up using xmm14 or xmm15 are very slim. Try to imagine a function with ... 16 float arguments. Highly unlikely -> MyFunc( arg0 = xmm0, arg1 = xmm1, ..., arg15 = xmm15 ). The majority of them walk up to xmm4, even in the mixed mode -> __this(rcx)::MyFunc( arg0 = rdx, arg1 = xmm1, arg2 = r9, arg3 = xmm3, etc. ). To sum it up, I used xmm15 cuz there's no way in hell it's being used by that function/at that spot in the function. Sure, xmm10 is a good choice as well.

In general, check who calls the function and inspect that function: see if xmm10 ... xmm15 are used at all in the body of the function. Then go into your function and check the same thing. You'll form, in time, this logic that it's safe to use them without worrying the game uses them.

Lastly, the float search: CE automatically rounds up for you. It works 99% of the time to search for the integer value you see on screen (rounded float), but sometimes scanning fails. I've tried that in quite a lot of games and it hasn't worked every time. Because my % was not as high, I got as "best practices" to scan between -1/-2 and +1/+2. If it works for you, fine, keep it that way. But know of the alternative. You noticed that your timer value is not 22, but 21.7985 (which, rounded up, is 22) or 22.23478 (which, rounded down, is 22); but never 22.0; right?

[Rhark]

...

XMM14/XMM15 are rarely used so that's why we favour them. You can also kind of "push" and "pop" them if you store their original value in a custom symbol and then write that symbol value back to the XMM register at the end of the script.

E.g.

Code: Select all

movss [XMM14Save],xmm14
movss [XMM15Save],xmm15
=

movss xmm15,[blahblah]
etc
...

end:
movss xmm14,[XMM14Save]
movss xmm15,[XMM15Save]

...

Yeah that is the preferred method, but sometimes that is harder to figure out than simply editing the health so it would be useful to some.

[Metanoia]

...

XMM14/XMM15 are rarely used so that's why we favour them. You can also kind of "push" and "pop" them if you store their original value in a custom symbol and then write that symbol value back to the XMM register at the end of the script.

E.g.

Code: Select all

movss [XMM14Save],xmm14
movss [XMM15Save],xmm15
=

movss xmm15,[blahblah]
etc
...

end:
movss xmm14,[XMM14Save]
movss xmm15,[XMM15Save]

...

Yeah that is the preferred method, but sometimes that is harder to figure out than simply editing the health so it would be useful to some.

Or just slap it on the stack why make a symbol for it ...