 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
Babelhex
How do I cheat?
![]() Reputation: 0
Joined: 30 Apr 2024
Posts: 4
|
 Posted: Tue Apr 30, 2024 7:19 pm Post subject: How to manipulate player movement speed ? |
 |
|
Hey,
I'm having a really hard time figuring out how to increase the player movement speed in both X and Z axis at the same time. Well... I did find an opcode that gave the player around 10x multiplied speed for all states (walk/run/sprint), but no way to change the value to something different.
The game in question is SAND LAND. I'm pretty new to Cheat Engine. Just started tinkering with it a couple of days ago and finding the ability to change game code is really fun and interesting.
I've found both the coordinates and movement speed addresses/opcodes. I've even managed to make simple jump height script and a cmp godmode script.
I'm at a loss what to do. I've been at this for hours getting nowhere.
I've attached some screenshots with comments for reference. The red outlines is when standing still and the blue ones when I move.
I appreciate any pointers (no pun intended) you can give me. 
Edit: I can't post links or double post and a 5 attachments limit. I can't upload the "velocity access" screenshot.
| Description: |
|
| Filesize: |
81.71 KB |
| Viewed: |
1042 Time(s) |
|
| Description: |
| Velocity opcode. NOP'ing this does nothing. |
|
| Filesize: |
548.44 KB |
| Viewed: |
1042 Time(s) |
|
| Description: |
|
| Filesize: |
376.73 KB |
| Viewed: |
1042 Time(s) |
|
| Description: |
|
| Filesize: |
36.76 KB |
| Viewed: |
1042 Time(s) |
|
| Description: |
| Coordinates opcode. NOP'ing this prevents my character to move in all axis. It also stops the camera from following the character. Footstep sounds disabled etc... |
|
| Filesize: |
524.03 KB |
| Viewed: |
1042 Time(s) |
|
|
|
| Back to top |
|
 |
ParkourPenguin
I post too much
 Reputation: 143
Joined: 06 Jul 2014
Posts: 4357
|
| Posted: Tue Apr 30, 2024 9:24 pm Post subject: |
|
|
1.jpg - That instruction is `movups`, or "move unaligned packed singles". The word "packed" means there's 4 floats it's moving at once.
A naive way of implementing a movement speed hack is to find the difference between the new values and the old values, multiply it by a constant, and then add that difference to the old values.
I would need to know which of the 4 floats being accessed are important to give a good example; however, if you're fine with changing all 4 of them, this works:
| Code: | alloc(moveSpeedMult,4)
newmem:
sub rsp,20
movups [rsp],xmm0
movups [rsp+10],xmm1
movaps xmm1,[rdi+1D0] // old
subps xmm12,xmm1 // diff = new - old
movss xmm0,[moveSpeedMult]
shufps xmm0,xmm0,0 // xmm0 = xmm0[0,0,0,0]
mulps xmm12,xmm0 // diff *= mult
addps xmm12,xmm1 // new = old + diff
movups xmm1,[rsp+10]
movups xmm0,[rsp]
add rsp,20
// original code
movups [rsi+1D0],xmm12
jmp return
moveSpeedMult:
dd (float)3
|
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
Babelhex
How do I cheat?
![]() Reputation: 0
Joined: 30 Apr 2024
Posts: 4
|
| Posted: Wed May 01, 2024 8:54 am Post subject: |
|
|
| ParkourPenguin wrote: | 1.jpg - That instruction is `movups`, or "move unaligned packed singles". The word "packed" means there's 4 floats it's moving at once.
A naive way of implementing a movement speed hack is to find the difference between the new values and the old values, multiply it by a constant, and then add that difference to the old values.
I would need to know which of the 4 floats being accessed are important to give a good example; however, if you're fine with changing all 4 of them, this works:
| Code: | alloc(moveSpeedMult,4)
newmem:
sub rsp,20
movups [rsp],xmm0
movups [rsp+10],xmm1
movaps xmm1,[rdi+1D0] // old
subps xmm12,xmm1 // diff = new - old
movss xmm0,[moveSpeedMult]
shufps xmm0,xmm0,0 // xmm0 = xmm0[0,0,0,0]
mulps xmm12,xmm0 // diff *= mult
addps xmm12,xmm1 // new = old + diff
movups xmm1,[rsp+10]
movups xmm0,[rsp]
add rsp,20
// original code
movups [rsi+1D0],xmm12
jmp return
moveSpeedMult:
dd (float)3
|
|
Thank you. Your script did compile, but it changed a lot more than just the player velocity. Enemies had wonky speeds, the map screen was empty and all the 3D models in the menu's (player character, items etc..) vanished. My guess is that the map is a 3D model as well and the position of all models was moved to other coordinates or the camera position did.
I had to decrease the float value to 1.07 to not getting faster than light speed, but everything else started to break even at 1.01 float value.
How would I go about finding the 4 floats and separate only the player coordinate values from everything else? The first 3 float values inside xmm12 is my coordinates and the 4th was a 0.
Maybe that's to a broad question and it would take forever to explain it, but I do want to learn how all this works eventually.
So let me see if I understand your script right:
| Code: | newmem:
sub rsp,20
movups [rsp],xmm0
movups [rsp+10],xmm1 |
This code saves the current state of the xmm0 and xmm1 registers by pushing their values onto the stack and the Sub rsp,20 allocates space for the registers floats/values?
| Code: | movaps xmm1,[rdi+1D0] // old
subps xmm12,xmm1 // diff = new - old
movss xmm0,[moveSpeedMult]
shufps xmm0,xmm0,0 // xmm0 = xmm0[0,0,0,0]
mulps xmm12,xmm0 // diff *= mult
addps xmm12,xmm1 // new = old + diff |
This code loads my original and new coordinates, check the difference and multiply it?
| Description: |
| The float values for this opcode |
|
| Filesize: |
60.33 KB |
| Viewed: |
929 Time(s) |
|
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 143
Joined: 06 Jul 2014
Posts: 4357
|
| Posted: Wed May 01, 2024 11:55 am Post subject: |
|
|
| Babelhex wrote: | | Your script did compile, but it changed a lot more than just the player velocity. |
Right click that instruction and make sure it only accesses the address you want. If it does, then you probably shouldn't modify all 4 floats in the register. If it doesn't, see step 9 of the CE tutorial. This whole process is quite annoying in general, so you might be better off doing something else.
I'd look at how the game generates new coordinates from the old coordinates- i.e. the instructions that modify xmm12 up to that point. If that instruction accesses that much stuff in the game, the information I'd want is probably in a caller, which would make this much more annoying to find for someone who's new to assembly.
That whole code around the instruction that writes to your velocity in 2.jpg is interesting. I'm curious what the 3 floats are at rsp+50 and how they compare to your current coordinates (the 3 floats at rax+1D0). I don't think it means anything for a movement speed hack, but it might point you in the right direction- perhaps what you're looking for is further up in that function.
All the code around that address looks interesting based on the instructions accessing your coordinates, but that's too much for me to analyze just through some pictures.
You're correct about my code. Those first 3 instructions back up the values of xmm0 / xmm1, and the rest is commented.
4.jpg- that doesn't really help. I assume this was when the instruction at game.exe+37D2B87 triggered some kind of breakpoint, but I still have no idea which values you want to modify in xmm13. Is it the first one and the second one? The second one and the third one?
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
Babelhex
How do I cheat?
![]() Reputation: 0
Joined: 30 Apr 2024
Posts: 4
|
| Posted: Thu May 02, 2024 6:26 pm Post subject: |
|
|
| ParkourPenguin wrote: | Right click that instruction and make sure it only accesses the address you want. If it does, then you probably shouldn't modify all 4 floats in the register. If it doesn't, see step 9 of the CE tutorial. This whole process is quite annoying in general, so you might be better off doing something else.
I'd look at how the game generates new coordinates from the old coordinates- i.e. the instructions that modify xmm12 up to that point. If that instruction accesses that much stuff in the game, the information I'd want is probably in a caller, which would make this much more annoying to find for someone who's new to assembly.
That whole code around the instruction that writes to your velocity in 2.jpg is interesting. I'm curious what the 3 floats are at rsp+50 and how they compare to your current coordinates (the 3 floats at rax+1D0). I don't think it means anything for a movement speed hack, but it might point you in the right direction- perhaps what you're looking for is further up in that function.
All the code around that address looks interesting based on the instructions accessing your coordinates, but that's too much for me to analyze just through some pictures.
4.jpg- that doesn't really help. I assume this was when the instruction at game.exe+37D2B87 triggered some kind of breakpoint, but I still have no idea which values you want to modify in xmm13. Is it the first one and the second one? The second one and the third one? |
You're right. I'm pretty new to Assembly and coding in general. I've been at it for only a week now. I'm starting to understand the fundementals of Assembly and what the different instructions mean, but I'm still having a hard time finding out how all the opcodes relates to eachother like in screenshot 1 and 2. That's what hinders me the most I think.
I sort of figured out the correct opcode to only manipulate the velocity values thanks to your input. I added the extra cmp code so only I get the speed boost and not the enemies, but there is a slight issue.
| Code: |
alloc(speedmultiplier,16,writeVelocity)
speedmultiplier:
dd (float)20 (float)20 (float)1 (float)1
label(code)
label(return)
newmem:
cmp [rbx+B8C],0
je code
mulps xmm0,[speedmultiplier]
code:
movsd [rbx+000000C4],xmm0
jmp return
writeVelocity+01:
jmp newmem
nop 3
return:
registersymbol(writeVelocity)
|
Here is the code I've written. The problem i'm having is that I do get the increased speed, but I get them in burst the moment the key is pressed, then it quickly is reduced down to normal speed until the camera catches up. Then another speed burst. This happens in a span of about 2 seconds, then repeats as long as I hold down the run key. This is on higher multipliers though. It's mostly fine on 2-3x. The bursts of speed is perceived as small stutters. I'm not sure how to deal with that.
This has been a good learning experience for me. Maybe I started with a way to hard assignment as a beginner.
| Description: |
The opcode for increased velocity
Video: https://streamable.com/mco4nb |
|
| Filesize: |
593.55 KB |
| Viewed: |
756 Time(s) |
|
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 143
Joined: 06 Jul 2014
Posts: 4357
|
| Posted: Thu May 02, 2024 7:26 pm Post subject: |
|
|
Some other instruction is writing to the address.
In 2-2.jpg, that instruction looks like it was only executed 16 times. That's remarkably low even if you moved around for only a couple seconds while watching what accessed the address.
I'd guess one of the red instructions that's run far more frequently is causing the behaviour you describe.
Try replacing that instruction in 2.jpg, the one at game.exe+3771829, with nops and see what happens. (right click in disassembler -> "Replace with code that does nothing"; right click again -> "Restore with original code" to undo; alternatively, enable write logging in the settings)
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
Babelhex
How do I cheat?
![]() Reputation: 0
Joined: 30 Apr 2024
Posts: 4
|
| Posted: Fri May 03, 2024 8:30 am Post subject: |
|
|
| ParkourPenguin wrote: | Some other instruction is writing to the address.
In 2-2.jpg, that instruction looks like it was only executed 16 times. That's remarkably low even if you moved around for only a couple seconds while watching what accessed the address.
I'd guess one of the red instructions that's run far more frequently is causing the behaviour you describe.
Try replacing that instruction in 2.jpg, the one at game.exe+3771829, with nops and see what happens. (right click in disassembler -> "Replace with code that does nothing"; right click again -> "Restore with original code" to undo; alternatively, enable write logging in the settings) |
The blue opcodes in 2-2.jpg with 16 writes is executed at the same speed as the red opcodes. about 50-60 every second. The screenshot is just me moving the character 1-2 steps forward.
NOP "game.exe+3771829" did not change anything about the player velocity.
I did however find a working combination for a speed hack by pure coincidence and I don't understand why it works. Some of these opcodes is so far from each other and I'm still trying to figure out how I can make sense of it. I know CE have a diagram option, but I don't understand how to use the info it provides yet.
Running the same script on this address "game.exe+37614F2 - movsd [rbx+000000C4],xmm1" and NOP "game.exe+37612C0 - movaps xmm13,[rsp+00000080]". (screenshot below)
When doing this, the speed multiplier works as intended when changing the float values in the script. At least for the X and Z axis. Another weird thing that happens when NOP said opcode is that the velocity in Z and X axis stays at 0 even though I'm moving. It only counts when I'm in the air.
Anyway, I'll keep working on this and try to figure it out eventually. Thank you for throwing some ideas my way and being patient with me. I'm having fun, but it can also get really frustrating sometimes. I guess the frustration will lessen (or maybe not) as I learn more how all this works.
| Description: |
|
| Filesize: |
541.13 KB |
| Viewed: |
590 Time(s) |
|
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 143
Joined: 06 Jul 2014
Posts: 4357
|
| Posted: Fri May 03, 2024 1:00 pm Post subject: |
|
|
All that code comes from the programmers who made the game. It's hard to know what they were thinking or how they set their system up. It would be nice if things were simple, but that's rarely the case outside of toy projects.
Reverse engineering even small parts of a game is always a pain. Sometimes it's best to simply poke and prod around at various things and see what happens. Replacing some instructions with nops might give you information on the semantics of those instructions. Changing the values of registers might lead to interesting results too (right click -> Change register at this location; this change is made before the instruction has executed). Even simply setting a breakpoint and looking at the values of registers and memory locations can give you lots of information (also see right click -> Break and trace).
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
