game crahs, what the error in my cheat?

[DRDNK1000]

sorry i dont understan what screenshot u want
can u give me exeple so i know what to take?

Just the main template of AOB does show some of the nearby code. If I don't know what is doing what, I don't know what's wrong.
According to your script, "FC64.dll"+1F352BE should have what I'm asking for. Go there, and do a screenshot or copy/paste the code that is near that.

movaps xmm1,[rax+00000100]
movaps [rbp+00],xmm1
movaps xmm0,[rax+00000110]
movaps [rbp+10],xmm0
movaps xmm1,[rax+00000120] --the one
movaps [rbp+20],xmm1
test bl,bl

[TheByteSize]

BTW, your're trying to store a 64 bits register into a 32 bits Symbol.
define your symbol with

Code: Select all

dq 0

[TimFun13]

...

It might be crashing because you're passing zeros to the value, when you load the saved coordinates.
That and is "teleport" an AOB symbol? It's not set in your script.

With this you're moving 64 bits when you need to move 32 bits for the floating points.

Code: Select all

push rbx
mov rbx,[rax+120]
mov [z_cho],rbx
mov rbx,[rax+124]
mov [x_cho],rbx
mov rbx,[rax+128]
mov [y_cho],rbx
pop rbx

So change it to something like this:

Code: Select all

push rbx
mov ebx,[rax+120]
mov [z_cho],ebx
mov ebx,[rax+124]
mov [x_cho],ebx
mov ebx,[rax+128]
mov [y_cho],ebx
pop rbx

Thus the "dd" is fine but you need to just use the first 32 bits of RBX.


But I would also try to just see if it's the injection point, just use the AOB template and don't add any code and see if it crashes with just the redirect to your script and back to the game's code.


Here is another way of doing it just as an example.

Code: Select all

// This seems to be missing the AOB scan.
// Is "teleport" set with an AOB scan?

assert(teleport, 0F 28 88 20 01 00 00) // I like to use "assert" to insure that I'm in the right place.

alloc(newmem,$1000,"FC64.dll"+1F352BE)
// alloc(newmem,$1000,teleport) // if "teleport" is an AOB symbol then this will work.

label(myCode)
label(load)
label(en_save)
label(en_load)
label(save)
label(z_cho)
label(x_cho)
label(y_cho)
label(code)
label(return)
registersymbol(en_save)
registersymbol(en_load)

newmem:
align 10 // not really needed but insures the aligned instruction won't have any problems.
z_cho: //120
dd (float)0
x_cho:  // 124
dd (float)0
y_cho:  // 128
dd  (float)0
dd 0// Not used just needed for the packed instruction.

en_save:
dd 0

en_load:
dd 0


myCode: // You can just make a label and use that for the redirect so you only need 1 allocation.
cmp [en_save],1
je save
cmp [en_load],1
je load
jmp code


save:
mov [en_save],0
movaps xmm1,[rax+120]
movaps [z_cho],xmm1
jmp return // no need to go to the original code because XMM1 has been set.

load:
mov [en_load],0
movaps xmm1,[z_cho]
movaps [rax+120],xmm1
jmp return // no need to go to the original code because XMM1 has been set.


code:
  movaps xmm1,[rax+120]
  jmp return

teleport:
  jmp myCode // Here you just need to jump to the start of your code.
  nop
  nop
return:
registersymbol(teleport)

[DISABLE]

teleport:
  db 0F 28 88 20 01 00 00

unregistersymbol(en_save)
unregistersymbol(en_load)
unregistersymbol(teleport)
dealloc(newmem)

[SunBeam]

Anyone asked him the version he's playing? I just recorded a video over FC4's VMProtect integrity check. Latest version on Steam/UPlay (1.10) doesn't have those checks in anymore. Older ones do, however not sure up until which version. I used 1.3 in my video here.

In short: in older versions of the game when you enter game world or exit to main menu there's an integrity check over the game's executable code running. If you've used a script that modifies at least 1 byte of that executable code, the game crashes. Hence why everyone said in the past to "disable it before entering game world or when exiting".

[DRDNK1000]

...

thank you
i tried my hack in another game and it workd
i tried the cheat on fc4 again only yhit the X and it still crush haha.

also if i talk to you
big thx for your toturials, i learn from the, a lot.