Problem with a script, cannot find a correct function in Memory View, cheat engine

Post by marek1957 »

Hello People,
In the beginning, thank you all for your mega support and for helping me by explaining a lot of functions.

I have a problem with my script: when activated, it affects a lot of sectors in the game which I don't want to change. How do I separate my script from these functions?

I was trying to hack Asphalt 8 game, I tried to reconstruct this hack: [Link]

I already found that when car is wrecked/damaged, the value is 1, when the car is "new" - value is 0 (4-bytes search).
Also when the "screen" is broken, value is 1, and when the "screen" is not-broken, value is 0.

I made a script for "damaged cars" in Asphalt 8, here is my script:

Code:

[ENABLE]
//DAMAGED CAR - SCRIPT BELOW
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem:
originalcode:
mov byte ptr [ecx+000001BB],00

exit:
jmp returnhere

"Asphalt8.exe"+A9E634:
jmp newmem
nop
nop
returnhere:

//NO BROKEN SCREEN - SCRIPT BELOW
alloc(newmem2,2048)
label(returnhere2)
label(originalcode2)
label(exit2)

newmem2:
originalcode2:
mov [esi+00000358],00

exit2:
jmp returnhere2

"Asphalt8.exe"+1E583F:
jmp newmem2
nop
returnhere2:
 
[DISABLE]
//DAMAGED CAR - SCRIPT BELOW
dealloc(newmem)
"Asphalt8.exe"+A9E634:
cmp byte ptr [ecx+000001BB],01
//Alt: db 80 B9 BB 01 00 00 00

//NO BROKEN SCREEN - SCRIPT BELOW
dealloc(newmem2)
"Asphalt8.exe"+1E583F:
db 38 86 58 03 00 00 74 7F A1 F4 71 B3 01 38 98 48 02 00 00 74 72 39 9E 5C 03 00 00 75 6A 68 FC 00 00 00 E8 EA 29 A9 00 8B F8 83 C4 04 89 7D E8 89 5D FC 85 FF 74 3C 68 FC 00 00 00 53 57 E8 17 00 10 01 83 C4 0C 89 5D F0
//Alt: db 38 9E 58 03 00 00

My script works when activated, but... it is also affecting:
- camera view
- changing gravity
- there are some effects of black clouds appearing and sometimes text WRECKED appearing

How can I separate the above-mentioned things so that they do not activate with my script?

Please, check the following video so that you know exactly what I am talking about:
[Link]

I am waiting for your answers or suggestions,
Best Regards,
Marek

Post by TimFun13 »

Well, first you inject a single instruction when enabling the "NO BROKEN SCREEN", then inject a lot more when disabling; this makes no sense, at least without context.

Why write all this when disabling:

Code:

38 86 58 03 00 00 74 7F A1 F4 71 B3 01 38 98 48 02 00 00 74 72 39 9E 5C 03 00 00 75 6A 68 FC 00 00 00 E8 EA 29 A9 00 8B F8 83 C4 04 89 7D E8 89 5D FC 85 FF 74 3C 68 FC 00 00 00 53 57 E8 17 00 10 01 83 C4 0C 89 5D F0

and it doesn't match the original code from "Alt":

Code:

38 9E 58 03 00 00

Other than that, it's what's called a shared opcode; step 9 in the Cheat Engine tutorial deals with this kind of thing, so I would start there.

But that is the best I can do with so little information.

Post by sbryzl »

Also these all look like byte pointer instructions so your replacement instruction should likely reference a byte pointer.

Code:

newmem2:
originalcode2:
mov byte ptr [esi+00000358],00

And since these instructions being replaced are compares, are you certain the address is not accessed between the time the game writes to it and the time your replacement instruction writes to it?

Post by marek1957 »

And since these instructions being replaced are compares are you certain the address is not accessed between the time the game writes to it and the time your replacement instruction writes to it?

Yes, that's true.

SBRYZL, can you help me to separate the things that I mentioned in my first post from my script? Because I don't have any idea how to do that.

Post by sbryzl »

marek1957 wrote:
Thu Jan 18, 2018 12:43 pm
SBRYZL, can you help me to separate the things that I mentioned in my first post from my script? Because I don't have any idea how to do that.

I don't know what's working for you and what's not and I don't have the game. If using a byte pointer doesn't fix it then it's probably a shared opcode as Tim13 said.

Post by Blayde »

sbryzl wrote:
Tue Jan 16, 2018 4:18 pm
Also these all look like byte pointer instructions so your replacement instruction should likely reference a byte pointer.

Yeah indeed.
"mov byte ptr [esi+00000358],00" = "mov [esi+00000358],0"
Use brain.exe.

Don't try to help if you can not.

@marek1957
1: You must check if the opcode you found is used only for damage or if it's shared.
2: In DISABLE section you must use/write the original opcode/instruction
"Asphalt8.exe"+1E583F:
This is not the original instruction/opcode - db 38 86 58 03 00 00 74 7F A1 F4 71 B3 01 38 98 48 02 00 00 74 72 39 9E 5C 03 00 00 75 6A 68 FC 00 00 00 E8 EA 29 A9 00 8B F8 83 C4 04 89 7D E8 89 5D FC 85 FF 74 3C 68 FC 00 00 00 53 57 E8 17 00 10 01 83 C4 0C 89 5D F0

PS:
PM me if you need help.

Post by sbryzl »

Blayde wrote:
Fri Jan 19, 2018 2:20 am
sbryzl wrote:
Tue Jan 16, 2018 4:18 pm
Also these all look like byte pointer instructions so your replacement instruction should likely reference a byte pointer.
Yeah indeed.
"mov byte ptr [esi+00000358],00" = "mov [esi+00000358],0"
Use brain.exe.

Don't try to help if you can not.

Try to take your own advice instead of giving it to others.

mov [esi+00000358],0

in 32 bit mode becomes

mov dword ptr [esi+00000358],00000000

Post by Blayde »

sbryzl wrote:
Fri Jan 19, 2018 2:44 am
in 32 bit mode becomes

mov dword ptr [esi+00000358],00000000

Asm is smart enough to understand the instructions.
You don't need this: dword ptr,byte ptr etc.....

Can you help me :?: :?: :?:
00000000=32 bit
0000000000000000=64 bit
Am I right?

Post by sbryzl »

Blayde wrote:
Fri Jan 19, 2018 3:00 am
sbryzl wrote:
Fri Jan 19, 2018 2:44 am
in 32 bit mode becomes

mov dword ptr [esi+00000358],00000000
Asm is smart enough to understand the instructions.
You don't need this: dword ptr,byte ptr etc.....

Can you help me :?: :?: :?:
00000000=32 bit
0000000000000000=64 bit
Am I right?

Try this script for a visual of what happens.

Code:

[ENABLE]
 alloc(BytPtrNotSpecified,500)
 registersymbol(BytPtrNotSpecified)

 BytPtrNotSpecified:
mov [esi+00000358],0
mov byte ptr [esi+00000358],0
mov word ptr [esi+00000358],0
mov dword ptr [esi+00000358],0
mov qword ptr [esi+00000358],0


[DISABLE]
 dealloc(BytPtrNotSpecified)
 unregistersymbol(BytPtrNotSpecified)

Post by Blayde »

mov qword ptr [esi+00000358],0 - Invalid
qword is 64bit


I mean that if:
mov dword ptr [esi+00000358],0 - is the original opcode
and you want to change it to something like: mov dword ptr [esi+00000358],1
You just write: mov [esi+358],1 (dword not needed).
Capish?

Edit:
Can you tell me the result of this:
fild [eax+10]
fstp st(0)
fstp [eax+10]

Edit 2:
You do not need to say what size of data you are going to move.
If I give you an arbitrary number, there is no way for you to tell me what type of data it is or on what platform it originates on.
99 can be represented in a BYTE, WORD, DWORD, QDWORD, float, double, and a long double.
What the data means to you does not matter to the assembler, just how you want to use it.

Post by sbryzl »

The issue was how to produce a byte pointer. You need to specify a byte pointer if that's what it is.

Post by Blayde »

sbryzl wrote:
Fri Jan 19, 2018 4:16 am
The issue was how to produce a byte pointer. You need to specify a byte pointer if that's what it is.

NVM.
Btw the issue is a bad/not working (as expected) script.

Post by sbryzl »

If you are attached to a 32bit process then use some common sense and comment the qword instruction.

Code:

[ENABLE]
 alloc(BytPtrNotSpecified,500)
 registersymbol(BytPtrNotSpecified)

 BytPtrNotSpecified:
mov [esi+00000358],0
mov byte ptr [esi+00000358],0
mov word ptr [esi+00000358],0
mov dword ptr [esi+00000358],0
//mov qword ptr [esi+00000358],0


[DISABLE]
 dealloc(BytPtrNotSpecified)
 unregistersymbol(BytPtrNotSpecified)
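
The operand-size disagreement in the posts above can be checked at the byte level. This Python sketch is an added example, not part of any poster's script: it encodes `mov [esi+00000358],0` as a byte, word and dword store for 32-bit mode and applies each width to a constructed 8-byte buffer to show which neighbouring bytes a wider store overwrites. The buffer contents and all function names are assumptions made for the illustration.

```python
import struct

# rm field of ModRM for [reg+disp32] (mod=10). esp needs a SIB byte, so it is left out.
REG32 = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "ebp": 5, "esi": 6, "edi": 7}
OPCODES = {1: b"\xC6", 2: b"\x66\xC7", 4: b"\xC7"}  # mov r/m8|16|32, imm (/0)

def _imm_bytes(imm, size):
    # Truncate the immediate to the operand size, little-endian as stored in memory.
    return (imm & ((1 << (8 * size)) - 1)).to_bytes(size, "little")

def encode_mov_mem_imm(base, disp, imm, size):
    """Encode `mov <size> ptr [base+disp32], imm` for a 32-bit code segment."""
    if size not in OPCODES:
        raise ValueError("32-bit mode has no mov to an 8-byte memory operand")
    modrm = 0x80 | REG32[base]  # mod=10 (disp32 follows), reg=/0, rm=base
    return OPCODES[size] + bytes([modrm]) + struct.pack("<i", disp) + _imm_bytes(imm, size)

def apply_store(memory, offset, imm, size):
    """Return a copy of `memory` after a `size`-byte store of `imm` at `offset`."""
    out = bytearray(memory)
    out[offset:offset + size] = _imm_bytes(imm, size)
    return bytes(out)

def clobbered(before, after):
    """Offsets whose value changed between the two snapshots."""
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]

# Constructed sample: 8 bytes of an object starting at esi+0x358. Byte 0 is the
# 0/1 flag; the other values are made-up neighbouring fields.
SAMPLE = bytes([0x01, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77])

def compare_widths():
    """Map store width -> (machine code as hex, offsets changed in SAMPLE)."""
    result = {}
    for size in (1, 2, 4):
        code = encode_mov_mem_imm("esi", 0x358, 0, size)
        after = apply_store(SAMPLE, 0, 0, size)
        result[size] = (code.hex(" "), clobbered(SAMPLE, after))
    return result

if __name__ == "__main__":
    for size, (code, hit) in compare_widths().items():
        print(f"{size}-byte store: {code:<30} changes offsets {hit}")
```

The three encodings differ in length (7, 9 and 10 bytes), and only the byte-sized store leaves the fields next to the flag untouched.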

Post by TimFun13 »

Code:

 ; Size of data is inferred based on the source or destination register
 mov rax, [L] ; loads 64 bits
 mov eax, [L] ; loads 32 bits
 mov al, [L] ; loads 8 bits
 mov [L], rax ; stores 64 bits
 mov [L], eax ; stores 32 bits
 mov [L], ax ; stores 16 bits

When no register is given, the process default is used, so 64-bit means 64 bits and 32-bit means 32 bits.

This PDF will lay it out for you:

http://courses.ics.hawaii.edu/ReviewICS312/morea/DataSizeAndArithmetic/ics312_datasize.pdf

Post by TimFun13 »

sbryzl wrote:
Fri Jan 19, 2018 4:35 am
If you are attached to a 32bit process then use some common sense and comment the qword instruction.

And Dude, I mean come on. Read up.
sbryzl is correct.
