Cheat Engine The Official Site of Cheat Engine
peddroelm Advanced Cheater Reputation: 0
Joined: 03 Oct 2014 Posts: 84
Posted: Wed Jan 03, 2018 1:53 am  Post subject: I need help Logging Dice rolls
In my quest for perfecting game mechanics reverse engineering techniques / bug hunting, the next hurdle is being able to view/log dice rolls.
Dice rolls are a VERY COMMON ELEMENT:
roll to hit, roll to crit, roll to trigger effect on swing, roll to dodge, ...
Problem: this instruction is often a comparison between two unknowns: the RNG 'roll', but also what it rolls against is often not known (if they logged it I wouldn't need to log it). There are many times transitory bonuses in play. And of course there is the question of multiplication / interval (they roll between 0 and 1, between 1 and 100, etc.).
How do I begin approaching something like this?
No escape from running the code step by step [get an execution breakpoint close enough somehow?] and praying I can make sense of the assembler code (fat chance)?
EDIT: I can handle the logging. What I need help with is finding the instruction that does the comparison between the stat rolled against and the RNG dice roll.
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Wed Jan 03, 2018 10:42 am
Not something I've done or know much about, but I'd probably start by looking at CE's GitHub and seeing how the unrandomizer works and/or looking up common random number generators.
Once you can find the RNG in the game you can find where it's used, and thus where the numbers are used and therefore the cmp; at least in theory you would eventually
peddroelm Advanced Cheater Reputation: 0
Joined: 03 Oct 2014 Posts: 84
Posted: Thu Jan 04, 2018 10:11 pm
Code:
AbilityInstance:CritTest+2 - 8B EC - mov ebp,esp
AbilityInstance:CritTest+4 - 57 - push rdi
AbilityInstance:CritTest+5 - 48 83 EC 18 - sub rsp,18 { 24 }
AbilityInstance:CritTest+9 - 48 8B F9 - mov rdi,rcx
AbilityInstance:CritTest+c - 48 89 55 E8 - mov [rbp-18],rdx
AbilityInstance:CritTest+10- 41 BA 40E1E417 - mov r10d,17E4E140 { [17B28A70] }
AbilityInstance:CritTest+16- 48 83 EC 20 - sub rsp,20 { 32 }
AbilityInstance:CritTest+1a- 49 BB E075650600000000 - mov r11,Singleton`1:get_Instance { [EC8B4855] }
AbilityInstance:CritTest+24- 41 FF D3 - call r11
AbilityInstance:CritTest+27- 48 83 C4 20 - add rsp,20 { 32 }
AbilityInstance:CritTest+2b- 48 8B C8 - mov rcx,rax
AbilityInstance:CritTest+2e- 83 39 00 - cmp dword ptr [rcx],00 { 0 }
AbilityInstance:CritTest+31- 0FB6 80 C1010000 - movzx eax,byte ptr [rax+000001C1]
AbilityInstance:CritTest+38- 85 C0 - test eax,eax
AbilityInstance:CritTest+3a- 74 0A - je AbilityInstance:CritTest+46
AbilityInstance:CritTest+3c- B8 01000000 - mov eax,00000001 { 1 }
AbilityInstance:CritTest+41- E9 C9000000 - jmp AbilityInstance:CritTest+10f
AbilityInstance:CritTest+46- 48 8B 47 18 - mov rax,[rdi+18]
AbilityInstance:CritTest+4a- 48 8B C8 - mov rcx,rax
AbilityInstance:CritTest+4d- 83 39 00 - cmp dword ptr [rcx],00 { 0 }
AbilityInstance:CritTest+50- 48 8B 40 18 - mov rax,[rax+18]
AbilityInstance:CritTest+54- 48 8B C8 - mov rcx,rax
AbilityInstance:CritTest+57- 48 63 55 E8 - movsxd rdx,dword ptr [rbp-18]
AbilityInstance:CritTest+5b- 45 33 C0 - xor r8d,r8d
AbilityInstance:CritTest+5e- 48 83 EC 20 - sub rsp,20 { 32 }
AbilityInstance:CritTest+62- 83 38 00 - cmp dword ptr [rax],00 { 0 }
AbilityInstance:CritTest+65- 49 BB 405ADC0000000000 - mov r11,FighterStats:CalculateCritRating { [EC8B4855] }
AbilityInstance:CritTest+6f- 41 FF D3 - call r11
AbilityInstance:CritTest+72- 48 83 C4 20 - add rsp,20 { 32 }
AbilityInstance:CritTest+76- F3 0F5A C0 - cvtss2sd xmm0,xmm0
AbilityInstance:CritTest+7a- F2 0F5A E8 - cvtsd2ss xmm5,xmm0
AbilityInstance:CritTest+7e- F3 0F11 6D F4 - movss [rbp-0C],xmm5
AbilityInstance:CritTest+83- 48 8B 47 18 - mov rax,[rdi+18]
AbilityInstance:CritTest+87- 48 8B C8 - mov rcx,rax
AbilityInstance:CritTest+8a- 83 39 00 - cmp dword ptr [rcx],00 { 0 }
AbilityInstance:CritTest+8d- 48 8B 40 18 - mov rax,[rax+18]
AbilityInstance:CritTest+91- F3 0F10 45 F4 - movss xmm0,[rbp-0C]
AbilityInstance:CritTest+96- F3 0F5A C0 - cvtss2sd xmm0,xmm0
AbilityInstance:CritTest+9a- 48 8B C8 - mov rcx,rax
AbilityInstance:CritTest+9d- F2 0F10 C8 - movsd xmm1,xmm0
AbilityInstance:CritTest+a1- F2 0F5A C9 - cvtsd2ss xmm1,xmm1
AbilityInstance:CritTest+a5- 48 83 EC 20 - sub rsp,20 { 32 }
AbilityInstance:CritTest+a9- 83 38 00 - cmp dword ptr [rax],00 { 0 }
AbilityInstance:CritTest+ac- 49 BB E05CDC0000000000 - mov r11,FighterStats:CalculateCritPercentChance { [EC8B4855] }
AbilityInstance:CritTest+b6- 41 FF D3 - call r11
AbilityInstance:CritTest+b9- 48 83 C4 20 - add rsp,20 { 32 }
AbilityInstance:CritTest+bd- F3 0F5A C0 - cvtss2sd xmm0,xmm0
AbilityInstance:CritTest+c1- F2 0F5A E8 - cvtsd2ss xmm5,xmm0
AbilityInstance:CritTest+c5- F3 0F11 6D F0 - movss [rbp-10],xmm5
AbilityInstance:CritTest+ca- 66 0F57 C0 - xorpd xmm0,xmm0
AbilityInstance:CritTest+ce- F3 0F10 0D 4A000000 - movss xmm1,[AbilityInstance:CritTest+120] { [100.00] }
AbilityInstance:CritTest+d6- F3 0F5A C9 - cvtss2sd xmm1,xmm1
AbilityInstance:CritTest+da- F2 0F5A C9 - cvtsd2ss xmm1,xmm1
AbilityInstance:CritTest+de- F2 0F5A C0 - cvtsd2ss xmm0,xmm0
AbilityInstance:CritTest+e2- 48 83 EC 20 - sub rsp,20 { 32 }
AbilityInstance:CritTest+e6- 49 BB 702EF64100000000 - mov r11,UnityEngine:Random:Range { [EC8B4855] }
AbilityInstance:CritTest+f0- 41 FF D3 - call r11
AbilityInstance:CritTest+f3- 48 83 C4 20 - add rsp,20 { 32 }
AbilityInstance:CritTest+f7- F3 0F5A C0 - cvtss2sd xmm0,xmm0
AbilityInstance:CritTest+fb- F3 0F10 4D F0 - movss xmm1,[rbp-10]
AbilityInstance:CritTest+100- F3 0F5A C9 - cvtss2sd xmm1,xmm1
AbilityInstance:CritTest+104- 48 33 C0 - xor rax,rax
AbilityInstance:CritTest+107- 66 0F2F C8 - comisd xmm1,xmm0
AbilityInstance:CritTest+10b- 40 0F97 C0 - seta al
AbilityInstance:CritTest+10f- 48 8B 7D F8 - mov rdi,[rbp-08]
AbilityInstance:CritTest+113- C9 - leave
AbilityInstance:CritTest+114- C3 - ret
AbilityInstance:CritTest+115- 02 00 - add al,[rax]
AbilityInstance:CritTest+117- 00 00 - add [rax],al
AbilityInstance:CritTest+119- 48 83 EC 20 - sub rsp,20 { 32 }
AbilityInstance:CritTest+11d- 49 BB 000000C842000000 - mov r11,00000042C8000000 { -939524096 }
I was extremely lucky that this is a Unity game (mono dissector).
I have only a vague idea how to proceed from here, but I have a strong feeling I'm in the right place.
OldCheatEngineUser Whateven rank Reputation: 20
Joined: 01 Feb 2016 Posts: 1587
Posted: Thu Jan 04, 2018 10:22 pm
Code:
AbilityInstance:CritTest+e6- 49 BB 702EF64100000000 - mov r11,UnityEngine:Random:Range { [EC8B4855] }
AbilityInstance:CritTest+f0- 41 FF D3 - call r11
Dive in and patch it there.
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote: i am a sweetheart.
peddroelm Advanced Cheater Reputation: 0
Joined: 03 Oct 2014 Posts: 84
Posted: Thu Jan 04, 2018 10:35 pm
My assembler knowledge is way below basic. I currently don't know what ~80% of the instructions there do.
I would like to read up on them so I can follow the execution with the parameters (do I need an external tool to transform the hex values [non-address] from the registers into floats?).
Now that I got here I found another thing that interests me game-mechanics-wise: the conversion from the sum of the critical rating stat to critical chance. Pretty certain this function can help with that too..
It will just take me a long time.. It's been over 20 years since I've step-by-stepped assembler code. (My recollection of the mechanics of parameter transmission/recovery between function calls is beyond hazy.)
OldCheatEngineUser Whateven rank Reputation: 20
Joined: 01 Feb 2016 Posts: 1587
Posted: Thu Jan 04, 2018 10:39 pm
Feel free to post snapshots here (if others don't mind); I or anyone else will probably help.
peddroelm wrote: I would like to read up on them so I can follow the execution with the parameters (do I need an external tool to transform the hex values [non-address] from the registers into floats?).
If the float value is in a memory location (address) then CE should display it as a float on the right-hand side of the instruction; otherwise you might have to do it manually.
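An added example, not code from any poster in this thread, written in Python for this edit to cover the two practical questions raised above: converting a raw register or memory value to a float by hand when CE does not annotate it, and modelling what the posted CritTest tail actually decides. The model follows the listing: xmm1 holds the value returned by FighterStats:CalculateCritPercentChance (saved at [rbp-10]), xmm0 holds the float returned by UnityEngine:Random:Range called with 0.0 and the 100.00 constant at CritTest+120, and `comisd xmm1,xmm0 ; seta al` sets al=1 only when the chance is strictly greater than the roll. The constant 0x42C80000 is the raw little-endian bytes (00 00 C8 42) of that 100.00 float. The function names, the sample rolls and the use of random.uniform as a stand-in for Unity's RNG are assumptions for the example.

```python
import random
import struct

# Raw bytes of the float CE annotates as { [100.00] } at AbilityInstance:CritTest+120
# (00 00 C8 42 little-endian). Constant taken from the posted listing.
CRIT_ROLL_MAX_BITS = 0x42C80000


def bits_to_float(bits, width=32):
    """Reinterpret an integer register/memory value as an IEEE-754 float.

    width=32 decodes a single (what movss/cvtsd2ss leave in the low dword of an
    XMM register); width=64 decodes a double (what cvtss2sd/movsd produce).
    This is the manual conversion needed for values CE does not annotate.
    """
    if width == 32:
        return struct.unpack("<f", struct.pack("<I", bits & 0xFFFFFFFF))[0]
    if width == 64:
        return struct.unpack("<d", struct.pack("<Q", bits & 0xFFFFFFFFFFFFFFFF))[0]
    raise ValueError("width must be 32 or 64")


def float_to_bits(value, width=32):
    """Inverse of bits_to_float: handy for scanning memory for a known chance value."""
    if width == 32:
        return struct.unpack("<I", struct.pack("<f", value))[0]
    if width == 64:
        return struct.unpack("<Q", struct.pack("<d", value))[0]
    raise ValueError("width must be 32 or 64")


def crit_test(crit_percent_chance, roll):
    """Model of the end of CritTest as posted (assumed reading of the listing):

        xmm1 = (double) crit_percent_chance     ; loaded from [rbp-10]
        xmm0 = (double) Random.Range(0.0f, 100.0f)
        comisd xmm1, xmm0
        seta   al                               ; al = 1 iff CF == 0 and ZF == 0

    SETA after COMISD means "xmm1 strictly greater than xmm0". COMISD with a
    NaN operand sets ZF = PF = CF = 1 (unordered), so SETA yields 0: a NaN
    chance or roll never crits.
    """
    chance = float(crit_percent_chance)
    roll = float(roll)
    if chance != chance or roll != roll:  # NaN compares unequal to itself
        return 0
    return 1 if chance > roll else 0


def log_crit_rolls(crit_percent_chance, rolls):
    """One log line per roll, in the shape a breakpoint logger at +107 would emit."""
    return [
        f"chance={crit_percent_chance:.2f} roll={roll:.4f} crit={crit_test(crit_percent_chance, roll)}"
        for roll in rolls
    ]


def empirical_crit_rate(crit_percent_chance, trials, seed=1):
    """Sanity check of the decoded mechanic.

    random.uniform is a constructed stand-in for UnityEngine.Random.Range; if the
    comparison was read correctly, the observed rate approaches chance / 100.
    """
    rng = random.Random(seed)
    roll_max = bits_to_float(CRIT_ROLL_MAX_BITS)  # 100.0
    crits = sum(
        crit_test(crit_percent_chance, rng.uniform(0.0, roll_max)) for _ in range(trials)
    )
    return crits / trials


if __name__ == "__main__":
    print(bits_to_float(0x42C80000))                # the +120 constant as a float
    print(bits_to_float(0x4059000000000000, 64))    # the same value after cvtss2sd
    for line in log_crit_rolls(25.0, [10.5, 25.0, 60.0]):   # constructed sample rolls
        print(line)
    print(empirical_crit_rate(25.0, 100_000))
```

Because the decision is `seta`, a roll exactly equal to the chance does not crit, and a chance of 100.0 fails only on a roll of exactly 100.0. empirical_crit_rate is the check to run once the real comparison has been found: log the two operands at the `comisd` and confirm that the crit frequency tracks the CalculateCritPercentChance value; if it does not, the operands or the interval (0..1 versus 0..100) have been misread.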