Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


exp multiplier dragon age inquisition
Goto page 1, 2  Next
 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine
View previous topic :: View next topic  
Author Message
eend04
Newbie cheater
Reputation: 0

Joined: 07 Oct 2015
Posts: 21

PostPosted: Mon Nov 30, 2015 12:15 pm    Post subject: exp multiplier dragon age inquisition Reply with quote

I have found the adress that writes the exp.
If I don't give enough information or the wrong information either ignore this post or try to help me.

Find what writes this adress: 1436BEE5D - F3 0F11 73 30 - movss [rbx+30],xmm6

As far as I am aware the easiest way of doing this is with shl.
Is there an "easy" way to do this or does this require a complicated script.

edit: 1436BEE54 - 80 7B 2A 00 - cmp byte ptr [rbx+2A],00
1436BEE58 - 0F28 7C 24 40 - movaps xmm7,[rsp+40]
1436BEE5D - F3 0F11 73 30 - movss [rbx+30],xmm6 <<
1436BEE62 - 0F28 74 24 50 - movaps xmm6,[rsp+50]
1436BEE67 - 74 1D - je DragonAgeInquisition.exe+36BEE86

Edit 2: If I am understanding this correclty with the help of a template it should look like this:

alloc(newmem,2048,"DragonAgeInquisition.exe"+36BEE5D)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
shl rbx, 2

originalcode:
movss [rbx+30],xmm6

exit:
jmp returnhere

"DragonAgeInquisition.exe"+36BEE5D:
jmp newmem
returnhere:

This crashes the game and if I am not mistaking with my testing this is caused by the lines shl rbx, 2
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 139

Joined: 06 Jul 2014
Posts: 4285

PostPosted: Mon Nov 30, 2015 3:35 pm    Post subject: Reply with quote

  1. Floating point numbers do NOT work the same way integers do. If you shift that 4 byte value to the left, its float representation would be completely messed up.
  2. You're shifting the register rbx instead of the memory address [rbx+30] (square brackets = dereference address; no square brackets = the value of the register).
  3. SAL/SAR/SHL/SHR will probably mess up the flags set by the previous comparison. This means the program may not jump to where it should in that je instruction later, probably making it crash.

Even if simply shifting the value would work, it's still not going to do what you want. Say you have 200 exp, you gain 10 (so xmm6 == 210), and then you multiply it by 4, you'd end up having 840 exp instead of 240 exp.

Here's a script that should do what you want:
Code:
[ENABLE]
alloc(newmem,1024,"DragonAgeInquisition.exe"+36BEE58)
label(expMultiplier)
label(returnhere)

registersymbol(expMultiplier)

newmem:
  movss xmm7,[rbx+30] //old value; xmm6 = new value
  subss xmm6,xmm7 //gets difference (how much xp to add); stores it in xmm6
  mulss xmm6,[expMultiplier] //multiplies that
  addss xmm6,xmm7 //adds old value to multiplied difference
  movaps xmm7,[rsp+40]//original code
  jmp returnhere
  db CC CC CC CC //padding
expMultiplier:
  dd (float)4.0

"DragonAgeInquisition.exe"+36BEE58:
  jmp newmem
returnhere:

[DISABLE]
"DragonAgeInquisition.exe"+36BEE58:
  movaps xmm7,[rsp+40]

unregistersymbol(expMultiplier)
dealloc(newmem)

After you enable this script, click on Add Address Manually, put expMultiplier in the Address box, and set the type to Float. Then you can change the multiplier with that address when the script is active.

Edit: fixed a stupid typo in the script.

_________________
I don't know where I'm going, but I'll figure it out when I get there.


Last edited by ParkourPenguin on Mon Nov 30, 2015 4:25 pm; edited 1 time in total
Back to top
View user's profile Send private message
eend04
Newbie cheater
Reputation: 0

Joined: 07 Oct 2015
Posts: 21

PostPosted: Mon Nov 30, 2015 3:55 pm    Post subject: Reply with quote

I am sorry to bother you, thank you greatly for the effort but I apperently made a big mistake.
The values I gave weren't correct to begin with this ended up modifying something completely unrelated to exp.
So I have 2 requests whichever you deem aproperiate.
1: try to explain to me how to make a script like you did.
2: would you mind doing it again for this:

1436BB9CC - 49 8D 4E 90 - lea rcx,[r14-70]
1436BB9D0 - 0F28 D8 - movaps xmm3,xmm0
1436BB9D3 - F3 0F11 43 30 - movss [rbx+30],xmm0 <<
1436BB9D8 - E8 F21B0000 - call DragonAgeInquisition.exe+36BD5CF
1436BB9DD - 48 83 C3 38 - add rbx,38

Same principle except this time I ran the scans on a clean level 1 character.
Apperently the game calculates total exp and exp to next level seperatly.
Once again my apologies.

[ENABLE]
alloc(newmem,1024,"DragonAgeInquisition.exe"+36BB9D3)
label(expMultiplier)
label(returnhere)

registersymbol(expMultiplier)

newmem:
movss xmm3,[rbx+30] //old value; xmm6 = new value
subss xmm3,xmm0 //gets difference (how much xp to add); stores it in xmm6
mulsd xmm0,[expMultiplier] //multiplies that
addsd xmm0,xmm3 //adds old value to multiplied difference
movss [rbx+30],xmm3 //original code
jmp returnhere
db CC CC CC CC //padding
expMultiplier:
dd (float)4.0

"DragonAgeInquisition.exe"+36BB9D3:
jmp newmem
returnhere:

[DISABLE]
"DragonAgeInquisition.exe"+36BB9D3:
movaps xmm3,xmm0

unregistersymbol(expMultiplier)
dealloc(newmem)

This makes me feel really stupid haha.
I tried to imake this interchanging the values with yours but obviously to no avail.
nvm I no longer have any clue what I am doing wrong after fiddling around with changing the script some more I ran into the same issue with everything dieing immediatly (including myself).
Thank you very much for your effort.
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 139

Joined: 06 Jul 2014
Posts: 4285

PostPosted: Mon Nov 30, 2015 4:30 pm    Post subject: Reply with quote

I had a typo in that script. It should be mulss and addss instead of mulsd and addsd. Embarassed
Code:
[ENABLE]
alloc(newmem,1024,"DragonAgeInquisition.exe"+36BB9CC)
label(expMultiplier)
label(returnhere)

registersymbol(expMultiplier)

newmem:
  movss xmm3,[rbx+30]
  subss xmm0,xmm3
  mulss xmm0,[expMultiplier]
  addss xmm0,xmm3
//original code
  lea rcx,[r14-70]
  movaps xmm3,xmm0
  jmp returnhere
  db CC CC CC CC //padding
expMultiplier:
  dd (float)4.0

"DragonAgeInquisition.exe"+36BB9CC:
  jmp newmem
  nop
  nop
returnhere:

[DISABLE]
"DragonAgeInquisition.exe"+36BB9CC:
  lea rcx,[r14-70]
  movaps xmm3,xmm0

unregistersymbol(expMultiplier)
dealloc(newmem)

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
eend04
Newbie cheater
Reputation: 0

Joined: 07 Oct 2015
Posts: 21

PostPosted: Mon Nov 30, 2015 4:38 pm    Post subject: Reply with quote

Well thank you once again but I really don't understand why this doesn't work.

I scan for the exp value, find what writes this adress.
Restart the game, repeat step one to see if the values stayed the same.
Then I gave you the values yet somehow the exp value doesn't get multiplyed.
Instead weird things happen in the game, first time instant enemies dying.
This time things I can't explain.
If you would still like to help me: I am open to all ideas because I am really not sure at this point.
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 139

Joined: 06 Jul 2014
Posts: 4285

PostPosted: Mon Nov 30, 2015 5:14 pm    Post subject: Reply with quote

Does that instruction access more than the address of the exp? Right click on the instruction that writes to your exp and select "Find out what addresses this instruction accesses". Play around in the game for a bit, and if anything besides your exp comes up, then that's probably your problem.

If this is the case, then try to find a static reference to your exp. A pointer would be great.

If this isn't the case, then I dunno. I don't think I have a typo in that script, but I'll test it to be sure.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
eend04
Newbie cheater
Reputation: 0

Joined: 07 Oct 2015
Posts: 21

PostPosted: Mon Nov 30, 2015 5:27 pm    Post subject: Reply with quote

I tried before to no avail to make a pointer for this game (exp)
There is however a table that has a pointer to the exp (can't post urls, google "Dragon age inquisition cheat table" for the table
However I used this pointer to give the information on my first post so I am not sure if this helps (also I am not sure if what is used in that table is a pointer,, atleast it is correct everytime you boot the game)

The "pointer " iin question is pHero0+48*3+30 (float)

edit: might be able to do an actual pointer give me a minute
edit 2:
Code:
<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
  <CheatEntries>
    <CheatEntry>
      <ID>16640</ID>
      <Description>"pointerscan result"</Description>
      <LastState Value="??" Activated="0" RealAddress="00000000"/>
      <Color>80000008</Color>
      <VariableType>Float</VariableType>
      <Address>"DragonAgeInquisition.exe"+02A5D2B0</Address>
      <Offsets>
        <Offset>108</Offset>
        <Offset>20</Offset>
        <Offset>110</Offset>
        <Offset>628</Offset>
        <Offset>50</Offset>
      </Offsets>
    </CheatEntry>
  </CheatEntries>
</CheatTable>

that is with game close and with game open:
Code:

<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
  <CheatEntries>
    <CheatEntry>
      <ID>16640</ID>
      <Description>"pointerscan result"</Description>
      <LastState Value="29673.68164" Activated="0" RealAddress="91CD79B8"/>
      <Color>80000008</Color>
      <VariableType>Float</VariableType>
      <Address>"DragonAgeInquisition.exe"+02A5D2B0</Address>
      <Offsets>
        <Offset>108</Offset>
        <Offset>20</Offset>
        <Offset>110</Offset>
        <Offset>628</Offset>
        <Offset>50</Offset>
      </Offsets>
    </CheatEntry>
  </CheatEntries>
</CheatTable>

And yes forgot to mention but yes It accessed multiple adresses
okay this is probally not what you meant that is a ppinter to my current xp
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 139

Joined: 06 Jul 2014
Posts: 4285

PostPosted: Mon Nov 30, 2015 6:24 pm    Post subject: Reply with quote

If that pointer is completely consistent, then this should work I think:
Code:
[ENABLE]
alloc(newmem,1024,"DragonAgeInquisition.exe"+36BB9CC)
label(expMultiplier)
label(returnhere)
label(originalcode)
registersymbol(expMultiplier)

newmem:
  push rax
  mov rax,"DragonAgeInquisition.exe"+02A5D2B0
  mov rax,[rax+108]
  mov rax,[rax+20]
  mov rax,[rax+110]
  mov rax,[rax+50]
  lea rcx,[rbx+30]
  cmp rax,rcx
  jne originalcode
  movss xmm3,[rbx+30]
  subss xmm0,xmm3
  mulss xmm0,[expMultiplier]
  addss xmm0,xmm3
originalcode:
  pop rax
  lea rcx,[r14-70]
  movaps xmm3,xmm0
  jmp returnhere
  db CC CC CC CC //padding
expMultiplier:
  dd (float)4.0

"DragonAgeInquisition.exe"+36BB9CC:
  jmp newmem
  nop
  nop
returnhere:

[DISABLE]
"DragonAgeInquisition.exe"+36BB9CC:
  lea rcx,[r14-70]
  movaps xmm3,xmm0

unregistersymbol(expMultiplier)
dealloc(newmem)

If that didn't work, you can look through this topic for tips on how to fix shared code. Most often, the only option is to use the structure of whatever data you're modifying (the 3rd method in that post), but I don't think you'll be able to find anything that both distinguishes exp from all the other garbage and is consistent between game restarts. You could try backtracing this subroutine call, but that's much more advanced stuff that I can't directly help you with.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
eend04
Newbie cheater
Reputation: 0

Joined: 07 Oct 2015
Posts: 21

PostPosted: Mon Nov 30, 2015 6:28 pm    Post subject: Reply with quote

that new script crashes the game
I should add that now I am pretty certain the initial values i gave you were correct but I just didnt know about the multi access.
So this pointer is once again based on the first info not the second.
my apologies again Embarassed
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 139

Joined: 06 Jul 2014
Posts: 4285

PostPosted: Mon Nov 30, 2015 6:45 pm    Post subject: Reply with quote

The reason why it's crashing is probably because it's firing a fault due to this code trying to access a memory region that doesn't exist (AKA: bad pointer).

You seem new to code injection and assembly in general. From what I've seen in that cheat table, this game isn't the easiest thing to hack, and it's definitely not something a beginner should be learning from. Try something else that's easier, like Terraria. Rydian even has some video tutorials on it.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
eend04
Newbie cheater
Reputation: 0

Joined: 07 Oct 2015
Posts: 21

PostPosted: Tue Dec 01, 2015 3:24 am    Post subject: Reply with quote

Well thank you very much for the help Very Happy
I am sorry if this comes out as rude after you helped me yesterday please don't take it that way.
I am willing to pay for the request I made yesterday including the purchase of the game if you don't own it, that is if you even take requests.
Once again not trying to be rude, just trying everything to get this to work (I also posted this in the cheat request forum)f

Edit: iI found 2 instructions that both only change when I gain experience (they don't change when I kill an enemy that doesn't give exp).
Could that be what is needed to make this?
(I know you said I shouldn't be working with this game cause it's too hard but I see it as a challange, even tough I am getting someone else's help).

Both counts are changed in the exact same moment:
Code:

1436BD5EA - 48 89 58 10  - mov [rax+10],rbx
1436BD5EE - 48 89 68 18  - mov [rax+18],rbp
1436BD5F2 - 0F29 70 C8  - movaps [rax-38],xmm6 <<
1436BD5F6 - 0F29 78 B8  - movaps [rax-48],xmm7
1436BD5FA - 0F28 F3  - movaps xmm6,xmm3


and

Code:

1436BD75F - 49 8B 5B 38  - mov rbx,[r11+38]
1436BD763 - 49 8B 6B 40  - mov rbp,[r11+40]
1436BD767 - 41 0F28 73 F0  - movaps xmm6,[r11-10] <<
1436BD76C - 41 0F28 7B E0  - movaps xmm7,[r11-20]
1436BD771 - 4C 89 DC  - mov rsp,r11
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 139

Joined: 06 Jul 2014
Posts: 4285

PostPosted: Tue Dec 01, 2015 9:45 am    Post subject: Reply with quote

I'm not interested in money. I'm sure other people on this site are, some of which could do this faster and more efficiently than me. So if anyone else wants to, just speak up.

"movaps" basically moves 4 floats at a time, so I'd also need to know which one is your exp. Just get the value of the register (rax in the first one, r11 in the second) by setting a breakpoint at those instructions (Debug -> Toggle breakpoint), get the current address of your exp, and I can figure it out.

Note that this will also run into the same problem as before if these instructions access more than your exp. 3 other addresses that are near your exp's address will probably pop up, but that's fine (those are the other 3 addresses it's moving w/ the exp).

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
eend04
Newbie cheater
Reputation: 0

Joined: 07 Oct 2015
Posts: 21

PostPosted: Tue Dec 01, 2015 9:59 am    Post subject: Reply with quote

I obviously don't mind not paying, I just felt guilty having you do so much effort for me that I wanted to do something back.
with that said if I understand this correctlythis is not what you mean but when I toggled breakpoint the game crashed, however can't you also see these values in the find what accesses window by scrolling down, if so these:
RAX=000000003519C988
R11=000000001BE7FB40

despite the crash I still got results however I don't know ifv these are usefull
RAX= 000000003534D048
R11=000000003521CFF0
Okay that was stupid as you probally realized the game didn't crash but yea those are the results if i did it right


Last edited by eend04 on Tue Dec 01, 2015 10:08 am; edited 1 time in total
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 139

Joined: 06 Jul 2014
Posts: 4285

PostPosted: Tue Dec 01, 2015 10:07 am    Post subject: This post has 1 review(s) Reply with quote

I forgot it automatically gives you that. It might've been crashing because you were using software breakpoints instead of hardware breakpoints, but I dunno.

Are those values for the first instruction you posted, or the second? I'll also need the address of your exp at the time these instructions are run.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
eend04
Newbie cheater
Reputation: 0

Joined: 07 Oct 2015
Posts: 21

PostPosted: Tue Dec 01, 2015 10:14 am    Post subject: Reply with quote

Rax was for the first r11 was for the second that is what I understoond you asked

I rebooted the game this time ill pause it to save the values current values are:
Exp is stored at 351FC950

breakpoint for the first instruction at Rax
=000000003521E138
breakpoint for second instruction at r11
=0000000035216D50
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine All times are GMT - 6 Hours
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites