Memory scanning, code injection, debugger internals and other gamemodding related discussion
mdnpascual
Noobzor
Posts: 7 Joined: Mon Jan 22, 2018 11:27 am
Reputation: 2
by mdnpascual » Mon Jan 22, 2018 12:08 pm
How do I get a register address in auto assemble to a variable so I can properly revert the values I've modified?
I have a code that looks like this:
code:
mov [edi+40], 0x3c23d70a //orig: 0.4
mov [edi+50], 0x41400000 //orig: 6
fstp dword ptr [edi+60]
mov [edi+60], 0 //orig: 1.6
fld dword ptr [edi+60]
lea eax,[ebp-00000160]
jmp return
The original auto assembled one was only meant to change [edi+60], but since I found some relevant values around [edi+60], I also modified them here.
How do I store the value of [edi] so I can disable the cheat properly by reverting those values previously (edi+40 and +50)?
Blayde
Expert Cheater
Posts: 230 Joined: Fri Aug 25, 2017 2:37 pm
Reputation: 49
by Blayde » Mon Jan 22, 2018 1:59 pm
mdnpascual wrote: ↑ Mon Jan 22, 2018 12:08 pm
How do I store the value of [edi] so I can disable the cheat properly by reverting those values previously (edi+40 and +50)?
Can you post your script with original values?
You can also just find a pointer to [edi+40].
mdnpascual
Noobzor
Posts: 7 Joined: Mon Jan 22, 2018 11:27 am
Reputation: 2
by mdnpascual » Mon Jan 22, 2018 2:19 pm
I found a thread on the old Cheat Engine forums where apparently I can create a variable dynamically and use it as long as I allocate memory for it. I removed all but one address where I want to revert its value, but when I tried it, it still won't disable.
Blayde wrote: ↑ Mon Jan 22, 2018 1:59 pm
Can you post your script with original values?
[ENABLE]
registersymbol(edipointer)
aobscan(AccANDrange,D9 47 60 8D 85 A0 FE FF FF 83 EC 04 D9 1C 24 83 EC 08) // should be unique
alloc(newmem,$2048)
alloc(edipointer,$4)
label(code)
label(return)
newmem:
code:
mov [edipointer],edi
////////
mov [edi+50], 0x41400000 //orig: 6
mov [edi+60], 0 //orig 1.6
fld dword ptr [edi+60]
lea eax,[ebp-00000160]
jmp return
AccANDrange:
jmp newmem
nop
nop
nop
nop
return:
registersymbol(AccANDrange)
[DISABLE]
mov [edipointer+50], 0x40c00000
AccANDrange:
db D9 47 60 8D 85 A0 FE FF FF
unregistersymbol(edipointer)
unregistersymbol(AccANDrange)
dealloc(newmem)
dealloc(edipointer)
{
// ORIGINAL CODE - INJECTION POINT: 1CDB45BD
""+1CDB4597: 89 08 - mov [eax],ecx
""+1CDB4599: 8B 8D DC FE FF FF - mov ecx,[ebp-00000124]
""+1CDB459F: 89 48 04 - mov [eax+04],ecx
""+1CDB45A2: 8B 8D E0 FE FF FF - mov ecx,[ebp-00000120]
""+1CDB45A8: 89 48 08 - mov [eax+08],ecx
""+1CDB45AB: 8D 85 E4 FE FF FF - lea eax,[ebp-0000011C]
""+1CDB45B1: 83 EC 0C - sub esp,0C
""+1CDB45B4: 50 - push eax
""+1CDB45B5: E8 66 12 FF FF - call 1CDA5820
""+1CDB45BA: 83 C4 0C - add esp,0C
// ---------- INJECTING HERE ----------
""+1CDB45BD: D9 47 60 - fld dword ptr [edi+60]
""+1CDB45C0: 8D 85 A0 FE FF FF - lea eax,[ebp-00000160]
// ---------- DONE INJECTING ----------
""+1CDB45C6: 83 EC 04 - sub esp,04
""+1CDB45C9: D9 1C 24 - fstp dword ptr [esp]
""+1CDB45CC: 83 EC 08 - sub esp,08
""+1CDB45CF: 8B 8D E4 FE FF FF - mov ecx,[ebp-0000011C]
""+1CDB45D5: 89 0C 24 - mov [esp],ecx
""+1CDB45D8: 8B 8D E8 FE FF FF - mov ecx,[ebp-00000118]
""+1CDB45DE: 89 4C 24 04 - mov [esp+04],ecx
""+1CDB45E2: 50 - push eax
""+1CDB45E3: E8 A8 C2 85 E9 - call 06610890
""+1CDB45E8: 83 C4 0C - add esp,0C
}
Blayde
Expert Cheater
Posts: 230 Joined: Fri Aug 25, 2017 2:37 pm
Reputation: 49
by Blayde » Mon Jan 22, 2018 2:28 pm
I'm not sure if this will work.
If you find a pointer to "original value 0.4" (mov [edi+40], 0x3c23d70a //orig: 0.4) I think I can help you.
Btw, is this (0.4) the same every time you start/restart the game?
mdnpascual
Noobzor
Posts: 7 Joined: Mon Jan 22, 2018 11:27 am
Reputation: 2
by mdnpascual » Mon Jan 22, 2018 2:47 pm
Yes, those values are always the same. It's just different addresses and the same offset against edi found by that aobscan.
Blayde
Expert Cheater
Posts: 230 Joined: Fri Aug 25, 2017 2:37 pm
Reputation: 49
by Blayde » Mon Jan 22, 2018 2:53 pm
Ok. Now search for this value (0.4) and find a pointer to it (instead of what writes to it).
UltimatePoto42
Expert Cheater
Posts: 103 Joined: Tue May 02, 2017 6:00 am
Reputation: 15
by UltimatePoto42 » Mon Jan 22, 2018 4:41 pm
You could use [Link] for this.
Example:
define(oldBytes, 5C 0A 00 00)
// 00000A5C
// mov edx,[ecx+00000A5C]
define(newBytes, 60 0A 00 00)
// 00000A60
// mov edx,[ecx+00000A60]
define(byteLength, 4)
////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
aobScanModule(aobManaChargeHook, game.exe, ...)
define(injManaChargeHook, aobManaChargeHook+12)
registerSymbol(injManaChargeHook)
alloc(memManaChargeHook, byteLength)
registerSymbol(memManaChargeHook)
memManaChargeHook:
readMem(injManaChargeHook, byteLength) // save the original bytes somewhere for later.
////
//// ---------- Injection Point ----------
injManaChargeHook:
db newBytes // write the new bytes for the hook.
////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
////
//// ---------- Injection Point ----------
injManaChargeHook:
readMem(memManaChargeHook, byteLength) // restore the old bytes that were saved.
dealloc(memManaChargeHook)
unregisterSymbol(injManaChargeHook)
unregisterSymbol(memManaChargeHook)
Just change the address from the injection points to the value's address and set the byte length to the size of your values.
EDIT:
Or you could use a luaCall for this:
...
[DISABLE]
...
luaCall(writeInteger('[SomeSymbolToTheValue]', readInteger('[SomeSymbolItWasSavedTo]'))) // read the saved copy, write it back to the live value
Or for a float:
...
[DISABLE]
...
luaCall(writeFloat('[SomeSymbolToTheValue]', readFloat('[SomeSymbolItWasSavedTo]'))) // same, for a 4-byte float
Just know that the Lua code will always run first in a Cheat Engine memory record.
sbryzl
Expert Cheater
Posts: 148 Joined: Sat Mar 04, 2017 4:47 am
Reputation: 98
by sbryzl » Mon Jan 22, 2018 6:15 pm
If you don't know the original address you can record it within your codecave.
[ENABLE]
label(edipointer)
registersymbol(edipointer)
aobscan(AccANDrange,D9 47 60 8D 85 A0 FE FF FF 83 EC 04 D9 1C 24 83 EC 08)
registersymbol(AccANDrange)
alloc(newmem,$204)
//alloc(edipointer,$4)
label(code)
label(return)
newmem:
edipointer:
dq 0
code:
mov [edipointer],edi
mov [edipointer+4],1
////////
mov [edi+50], 0x41400000 //orig: 6
mov [edi+60], 0 //orig 1.6
fld dword ptr [edi+60]
lea eax,[ebp-00000160]
jmp return
AccANDrange:
jmp code
nop
nop
nop
nop
return:
[DISABLE]
assert(edipointer+4,1)
[edipointer]+50:
dd (float)6
[edipointer]+60:
dd (float)1.6
//mov [edipointer+50], 0x40c00000
AccANDrange:
db D9 47 60 8D 85 A0 FE FF FF
unregistersymbol(edipointer)
unregistersymbol(AccANDrange)
dealloc(newmem)
edit: needed to comment this: mov [edipointer+50], 0x40c00000
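An added example (not code from any post in this thread) that combines sbryzl's idea of recording edi inside the cave with UltimatePoto42's readMem snapshot: the hook copies the three original dwords into its own data block the first time it runs, and the DISABLE section writes those saved bytes back instead of relying on hard-coded originals. The aobscan pattern, offsets and new values are the ones from the thread; hookvars and writevalues are names chosen here, and offsets are hex as usual in Cheat Engine.

```asm
[ENABLE]
aobscan(AccANDrange,D9 47 60 8D 85 A0 FE FF FF 83 EC 04 D9 1C 24 83 EC 08)
alloc(newmem,$1000)
alloc(hookvars,$20) // hypothetical data block, zero-filled by alloc: +0 saved edi, +4 captured flag, +8/+0C/+10 original dwords
registersymbol(AccANDrange)
registersymbol(hookvars)
label(code)
label(writevalues)
label(return)
newmem:
code:
  cmp dword ptr [hookvars+4],1 // flags are safe to clobber: the sub esp,04 after return rewrites them
  je writevalues // already captured on an earlier pass
  mov [hookvars],edi // remember which object edi pointed at
  mov eax,[edi+40] // eax is free here: the original lea eax,[ebp-160] overwrites it anyway
  mov [hookvars+8],eax // snapshot the originals before overwriting them
  mov eax,[edi+50]
  mov [hookvars+0C],eax
  mov eax,[edi+60]
  mov [hookvars+10],eax
  mov dword ptr [hookvars+4],1
writevalues:
  mov dword ptr [edi+40],3C23D70A // 0.01 (orig 0.4)
  mov dword ptr [edi+50],41400000 // 12 (orig 6)
  mov dword ptr [edi+60],0 // 0 (orig 1.6)
  fld dword ptr [edi+60]
  lea eax,[ebp-00000160]
  jmp return
AccANDrange:
  jmp code
  nop
  nop
  nop
  nop
return:
[DISABLE]
assert(hookvars+4,01 00 00 00) // refuse to disable until the hook has run and the snapshot exists
[hookvars]+40:
  readmem(hookvars+8,4) // copy the saved bytes back into the object
[hookvars]+50:
  readmem(hookvars+0C,4)
[hookvars]+60:
  readmem(hookvars+10,4)
AccANDrange:
  db D9 47 60 8D 85 A0 FE FF FF
unregistersymbol(AccANDrange)
unregistersymbol(hookvars)
dealloc(newmem)
dealloc(hookvars)
```

If the assert fails, Cheat Engine refuses to run the DISABLE section, so the script stays enabled until the hooked code has executed at least once; that is the same trade-off sbryzl's assert makes.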
Blayde
Expert Cheater
Posts: 230 Joined: Fri Aug 25, 2017 2:37 pm
Reputation: 49
Why you gays read this?
He/she just need one timer. So?
STN please I just want to help.
Can I just hack this gays? (not misspelled)
Codecave?
Readmem?
Simple and stupid.
TimFun13
Expert Cheater
Posts: 1353 Joined: Fri Mar 03, 2017 12:31 am
Reputation: 7
by TimFun13 » Mon Jan 22, 2018 9:52 pm
Blayde wrote: ↑ Mon Jan 22, 2018 8:57 pm
Why you gays read this?
He/she just need one timer. So?
STN please I just want to help.
Can I just hack this gays? (not misspelled)
...
Are you sure? Because the misuse of your singulars and plurals kinda makes it seem like misspelling would make more sense.
So just to confirm, you're just homophobic, not misspelling?
Blayde
Expert Cheater
Posts: 230 Joined: Fri Aug 25, 2017 2:37 pm
Reputation: 49
by Blayde » Mon Jan 22, 2018 10:23 pm
ShyTwig16 wrote: ↑ Mon Jan 22, 2018 9:52 pm
Are you sure? Because the misuse of your singulars and plurals kinda makes it seem like misspelling would make more sense.
So just to confirm, you're just homophobic, not misspelling?
Try your luck in trainer / table section if you are that smart sir.
Peace
mdnpascual
Noobzor
Posts: 7 Joined: Mon Jan 22, 2018 11:27 am
Reputation: 2
by mdnpascual » Mon Jan 22, 2018 10:53 pm
sbryzl wrote: ↑ Mon Jan 22, 2018 6:15 pm
If you don't know the original address you can record it within your codecave.
At first I was wondering why the game was crashing at enable, then I noticed that the jmp was changed from newmem to code. Fixed the problem and it works for all the static values I'm changing! Thank you.
Blayde
Expert Cheater
Posts: 230 Joined: Fri Aug 25, 2017 2:37 pm
Reputation: 49
by Blayde » Mon Jan 22, 2018 11:16 pm
mdnpascual wrote: ↑ Mon Jan 22, 2018 10:53 pm
...I noticed that the jmp was changed from newmem to code...
Your code was ok (check your second post).
NEVER put new memory under newmem. You can, but it's not a good decision. Ask the "professionals" why.
TimFun13
Expert Cheater
Posts: 1353 Joined: Fri Mar 03, 2017 12:31 am
Reputation: 7
by TimFun13 » Tue Jan 23, 2018 1:36 am
Blayde wrote: ↑ Mon Jan 22, 2018 10:23 pm
Try your luck in trainer / table section if you are that smart sir.
Peace
I can only hope others can understand and answer questions as well as you.
Why avoid the questions?
sbryzl
Expert Cheater
Posts: 148 Joined: Sat Mar 04, 2017 4:47 am
Reputation: 98
by sbryzl » Thu Jan 25, 2018 8:57 pm
Blayde wrote: ↑ Mon Jan 22, 2018 11:16 pm
NEVER put new memory under newmem. You can, but it's not a good decision. Ask the "professionals" why.
If you think that's bad you should see what I did to Mount and Blade's skillset function.