Kronogenics Advanced Cheater
Posted: Thu Dec 01, 2016 8:30 am Post subject: Teleport to cursor |
I am attempting to make a script that, when activated, teleports the character to the mouse location. This is a 2D game, so the player and mouse only have X,Y coordinates. I have the X,Y of the mouse and the player; the player's coordinates are stored as doubles and the mouse's as floats. I am able to teleport the player by doing
{ Game : N++.exe
Version:
Date : 2016-11-30
Author : Kronogenics
This script does blah blah blah

Review notes (Cheat Engine auto-assembler script; the target is 32-bit,
ecx/ebp are used as pointers):
- Hooks the 5-byte instruction movsd [ecx-18],xmm0 at npp.dll+2F010C and
  stores a constant double in place of the value the game just computed
  (addsd xmm0,[ecx-08] at +2F0102), as a test that [ecx-18] is the
  coordinate being moved.
- 1Test is not declared in this script (no alloc/registersymbol), so it must
  be a symbol registered elsewhere (address list or another script);
  enabling fails if it is not.
- The AOB ends in E9, which is the first byte of the jmp that the
  original-code dump below shows already sitting at npp.dll+2F0111 (some
  other hook). The pattern therefore only matches while that other hook is
  present; a pattern made of unpatched bytes would be more robust.
}
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
aobscanmodule(INJECT,npp.dll,F2 0F 11 41 E8 E9) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
mov [1Test],(int)500 // store the constant 500 as a 4-byte int at 1Test
cvtsi2sd xmm0,[1Test] // int -> double; the game keeps this coordinate as a double
movsd [ecx-18],xmm0 // the replaced original instruction, now storing the constant
jmp return
INJECT:
jmp newmem // 5-byte jmp covers the 5-byte original instruction exactly, no nops needed
return:
registersymbol(INJECT)
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT:
db F2 0F 11 41 E8 // restore the original bytes of movsd [ecx-18],xmm0
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "npp.dll"+2F010C
"npp.dll"+2F00DE: F2 0F 11 09 - movsd [ecx],xmm1
"npp.dll"+2F00E2: F2 0F 10 41 30 - movsd xmm0,[ecx+30]
"npp.dll"+2F00E7: F2 0F 58 C1 - addsd xmm0,xmm1
"npp.dll"+2F00EB: F2 0F 11 01 - movsd [ecx],xmm0
"npp.dll"+2F00EF: F3 0F 6F 41 E8 - movdqu xmm0,[ecx-18]
"npp.dll"+2F00F4: F3 0F 7F 41 08 - movdqu [ecx+08],xmm0
"npp.dll"+2F00F9: F2 0F 10 09 - movsd xmm1,[ecx]
"npp.dll"+2F00FD: F2 0F 10 41 E8 - movsd xmm0,[ecx-18]
"npp.dll"+2F0102: F2 0F 58 41 F8 - addsd xmm0,[ecx-08]
"npp.dll"+2F0107: F2 0F 58 49 F0 - addsd xmm1,[ecx-10]
// ---------- INJECTING HERE ----------
"npp.dll"+2F010C: F2 0F 11 41 E8 - movsd [ecx-18],xmm0
// ---------- DONE INJECTING ----------
"npp.dll"+2F0111: E9 EA FE 6A 08 - jmp 0FFD0000
"npp.dll"+2F0116: EB 03 - jmp npp.dll+2F011B
"npp.dll"+2F0118: 8B 55 98 - mov edx,[ebp-68]
"npp.dll"+2F011B: 0F 57 C9 - xorps xmm1,xmm1
"npp.dll"+2F011E: 8B 81 98 00 00 00 - mov eax,[ecx+00000098]
"npp.dll"+2F0124: 66 0F 14 C9 - unpcklpd xmm1,xmm1
"npp.dll"+2F0128: 83 F8 09 - cmp eax,09
"npp.dll"+2F012B: 74 47 - je npp.dll+2F0174
"npp.dll"+2F012D: 83 F8 06 - cmp eax,06
"npp.dll"+2F0130: 74 42 - je npp.dll+2F0174
}
but doing the below, which actually moves the player's X to the mouse's X, just doesn't work, and I can't understand why.
{ Game : N++.exe
Version:
Date : 2016-12-30
Author : Kronogenics
This script does blah blah blah

Review notes:
- Same hook as the constant-value test: the 5-byte movsd [ecx-18],xmm0 at
  npp.dll+2F010C is replaced by a jmp and the coordinate is overwritten.
- mCord is not declared in this script, so it must be a symbol registered
  elsewhere. As the rest of the thread establishes, the script that writes
  mCord stores edi into it, i.e. mCord holds the ADDRESS of the mouse
  float, not the float itself.
- Consequently cvtss2sd xmm0,[mCord] below converts the pointer's bit
  pattern as if it were a float, which is why the teleport lands in an
  unexpected place. The value has to be dereferenced once more, e.g.
  push eax / mov eax,[mCord] / cvtss2sd xmm0,[eax] / pop eax.
- The AOB again ends in E9, the first byte of a jmp already present at
  npp.dll+2F0111 in the dump below; the pattern only matches while that
  other hook is in place.
}
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
aobscanmodule(INJECT,npp.dll,F2 0F 11 41 E8 E9) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
cvtss2sd xmm0,[mCord] // BUG: reads the 4 bytes AT mCord (a pointer), not the float it points to
movsd [ecx-18],xmm0 // the replaced original instruction, now storing the converted value
jmp return
INJECT:
jmp newmem // 5-byte jmp covers the 5-byte original instruction exactly
return:
registersymbol(INJECT)
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT:
db F2 0F 11 41 E8 // restore the original bytes of movsd [ecx-18],xmm0
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "npp.dll"+2F010C
"npp.dll"+2F00DE: F2 0F 11 09 - movsd [ecx],xmm1
"npp.dll"+2F00E2: F2 0F 10 41 30 - movsd xmm0,[ecx+30]
"npp.dll"+2F00E7: F2 0F 58 C1 - addsd xmm0,xmm1
"npp.dll"+2F00EB: F2 0F 11 01 - movsd [ecx],xmm0
"npp.dll"+2F00EF: F3 0F 6F 41 E8 - movdqu xmm0,[ecx-18]
"npp.dll"+2F00F4: F3 0F 7F 41 08 - movdqu [ecx+08],xmm0
"npp.dll"+2F00F9: F2 0F 10 09 - movsd xmm1,[ecx]
"npp.dll"+2F00FD: F2 0F 10 41 E8 - movsd xmm0,[ecx-18]
"npp.dll"+2F0102: F2 0F 58 41 F8 - addsd xmm0,[ecx-08]
"npp.dll"+2F0107: F2 0F 58 49 F0 - addsd xmm1,[ecx-10]
// ---------- INJECTING HERE ----------
"npp.dll"+2F010C: F2 0F 11 41 E8 - movsd [ecx-18],xmm0
// ---------- DONE INJECTING ----------
"npp.dll"+2F0111: E9 EA FE 6A 08 - jmp 0FFD0000
"npp.dll"+2F0116: EB 03 - jmp npp.dll+2F011B
"npp.dll"+2F0118: 8B 55 98 - mov edx,[ebp-68]
"npp.dll"+2F011B: 0F 57 C9 - xorps xmm1,xmm1
"npp.dll"+2F011E: 8B 81 98 00 00 00 - mov eax,[ecx+00000098]
"npp.dll"+2F0124: 66 0F 14 C9 - unpcklpd xmm1,xmm1
"npp.dll"+2F0128: 83 F8 09 - cmp eax,09
"npp.dll"+2F012B: 74 47 - je npp.dll+2F0174
"npp.dll"+2F012D: 83 F8 06 - cmp eax,06
"npp.dll"+2F0130: 74 42 - je npp.dll+2F0174
}
I believe that the conversion from single-precision (ss) to double-precision (sd) is where it goes wrong.
ParkourPenguin I post too much
Posted: Thu Dec 01, 2016 10:48 am Post subject: |
Specifically what is going wrong with the script? Is it not activating? Does it crash the game? Does it teleport the player unexpectedly?
What type of value is stored at mCord? (4-byte, float, double...)
When the mouse is on the player for any arbitrary position the player could be in, is the value at mCord (after any applicable value conversions) equivalent to the player's coordinates?
Kronogenics Advanced Cheater
Posted: Thu Dec 01, 2016 10:50 am Post subject: |
It teleports the player unexpectedly. mCord is a float. The mouse coordinates are slightly off when I have the mouse over the player, but the offset seems to be static (something I should be able to correct on my own).
ParkourPenguin I post too much
Posted: Thu Dec 01, 2016 10:59 am Post subject: |
I don't think there are any errors with that script assuming mCord is correct. How is the value at mCord being written to? If it's another code injection, make sure that instruction doesn't also access other addresses.
Kronogenics Advanced Cheater
Posted: Thu Dec 01, 2016 11:25 am Post subject: |
{ Game : N++.exe
Version:
Date : 2016-11-30
Author : Kronogenics
This script does blah blah blah

Review notes:
- Hooks the two consecutive stores at npp.dll+76A73 and +76A77 (4 + 5 = 9
  bytes) and records the ADDRESS the game writes the mouse coordinates to.
- mCord is not declared here (no alloc/registersymbol), so it must be a
  registered symbol from the address list or another script.
- After this hook has run once, [mCord] is a pointer: the float at
  [[mCord]] is the value stored by movss [edi],xmm3 and the float at
  [[mCord]+4] is the one stored by movss [edi+04],xmm2. Any reader of
  mCord has to dereference it first (mov eax,[mCord] then use [eax] /
  [eax+4]); converting [mCord] directly converts the pointer.
- The 9 replaced bytes are covered by the 5-byte jmp plus 4 nops.
}
[ENABLE]
aobscanmodule(INJECT,npp.dll,F3 0F 11 1F F3 0F 11 57 04 F3 0F 10) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
movss [edi],xmm3 // replaced original instruction: first float (X, per the rest of the thread)
movss [edi+04],xmm2 // replaced original instruction: second float (presumably Y)
mov [mCord],edi // save the address of that pair into mCord (a pointer, not the value)
jmp return
INJECT:
jmp newmem // 5 bytes
nop // 4 nops pad to the 9 bytes of the two original instructions
nop
nop
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db F3 0F 11 1F F3 0F 11 57 04 // restore both original instructions
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "npp.dll"+76A73
"npp.dll"+76A3C: 8B 4D AC - mov ecx,[ebp-54]
"npp.dll"+76A3F: F3 0F 10 0D F4 2C E4 06 - movss xmm1,[npp.dll+5D2CF4]
"npp.dll"+76A47: 68 20 B4 BF 06 - push npp.dll+38B420
"npp.dll"+76A4C: F3 0F 10 19 - movss xmm3,[ecx]
"npp.dll"+76A50: F3 0F 10 51 04 - movss xmm2,[ecx+04]
"npp.dll"+76A55: F3 0F 58 D8 - addss xmm3,xmm0
"npp.dll"+76A59: F3 0F 58 15 60 70 71 07 - addss xmm2,[npp.dll+EA7060]
"npp.dll"+76A61: F3 0F 10 05 F0 2C E4 06 - movss xmm0,[npp.dll+5D2CF0]
"npp.dll"+76A69: F3 0F 11 47 08 - movss [edi+08],xmm0
"npp.dll"+76A6E: F3 0F 11 4F 0C - movss [edi+0C],xmm1
// ---------- INJECTING HERE ----------
"npp.dll"+76A73: F3 0F 11 1F - movss [edi],xmm3
"npp.dll"+76A77: F3 0F 11 57 04 - movss [edi+04],xmm2
// ---------- DONE INJECTING ----------
"npp.dll"+76A7C: F3 0F 10 11 - movss xmm2,[ecx]
"npp.dll"+76A80: F3 0F 10 59 04 - movss xmm3,[ecx+04]
"npp.dll"+76A85: F3 0F 58 15 64 70 71 07 - addss xmm2,[npp.dll+EA7064]
"npp.dll"+76A8D: F3 0F 58 1D 68 70 71 07 - addss xmm3,[npp.dll+EA7068]
"npp.dll"+76A95: F3 0F 10 0D FC 2C E4 06 - movss xmm1,[npp.dll+5D2CFC]
"npp.dll"+76A9D: F3 0F 10 05 F8 2C E4 06 - movss xmm0,[npp.dll+5D2CF8]
"npp.dll"+76AA5: F3 0F 11 47 18 - movss [edi+18],xmm0
"npp.dll"+76AAA: F3 0F 11 57 10 - movss [edi+10],xmm2
"npp.dll"+76AAF: F3 0F 11 5F 14 - movss [edi+14],xmm3
"npp.dll"+76AB4: F3 0F 11 4F 1C - movss [edi+1C],xmm1
}
This is the code that actually sets mCord, which I don't believe accesses anything else.
ParkourPenguin I post too much
Posted: Thu Dec 01, 2016 12:33 pm Post subject: |
Oh. You're moving the address of the coordinates into mCord instead of the value. It would be better to say that mCord is a pointer to a float instead of just a float.
It's fine to do it like that. However, in the code injection which teleports the player, you need to dereference mCord one more time:
| Code: | code:
push eax -- backs up eax (the hooked function may still need its value)
mov eax,[mCord] -- moves the address of the mouse coordinate into eax
cvtss2sd xmm0,[eax] -- converts the float at the address eax into a double
pop eax -- restores backup
movsd [ecx-18],xmm0 -- the replaced original instruction, now storing the mouse value
jmp return |
Kronogenics Advanced Cheater
Posted: Thu Dec 01, 2016 12:56 pm Post subject: |
That works perfectly. Can you explain what you mean by dereferencing?
ParkourPenguin I post too much
Posted: Thu Dec 01, 2016 1:15 pm Post subject: |
I'm mostly referring to the dereference operator in C. I may not have used it perfectly when I said "one more time," but it more or less refers to treating the value at an address as another address.
In your code injection which writes to the symbol mCord:
| Code: | movss [edi],xmm3 // edi = address the game writes the mouse value to
movss [edi+04],xmm2 // second float of the pair
mov [mCord],edi |
You are moving edi, the address of the mouse's coordinate value, into mCord. So, mCord is some arbitrary address in memory, [mCord] (the value at mCord) is the address of the mouse's value, and [[mCord]] (the value at the value at mCord) is the mouse's value.
Thus, in your code injection which teleports the player:
| Code: | cvtss2sd xmm0,[mCord] // converts the pointer stored at mCord, not the float it points to
movsd [ecx-18],xmm0 |
You are actually converting the address of the mouse's coordinate as if it were a float to a double. You need to give cvtss2sd the actual float value.
Kronogenics Advanced Cheater
Posted: Thu Dec 01, 2016 1:17 pm Post subject: |
Thank you!
Also, for whatever reason, pointing at the left side of the screen sets my mouse coordinate to -16, which means that my cursor and my player are not in sync. I said earlier that I thought the offset was static, which it is not. How would I go about fixing this?
ParkourPenguin I post too much
Posted: Thu Dec 01, 2016 1:26 pm Post subject: |
I don't know what you mean by "static." I figured you meant to say it was offset by a constant amount (which I'm guessing is -16 relative to the player).
If the mouse is always 16 units behind the player, just add 16 to the mouse's coordinates before you write it to the player's coordinates.
| Code: | alloc(mouseoffs,8) // 8 bytes: one double holding the constant offset used below
...
code:
push eax // preserve eax for the hooked function
mov eax,[mCord] // eax = address of the mouse coordinate
cvtss2sd xmm0,[eax] // float -> double
addsd xmm0,[mouseoffs] // add the offset; only correct while the offset really is a constant
pop eax
movsd [ecx-18],xmm0 // the replaced original instruction, now storing mouse + offset
jmp return
mouseoffs:
dq (double)16.0 // the offset value, placed in the alloc'd block; tune here
Kronogenics Advanced Cheater
Posted: Thu Dec 01, 2016 1:31 pm Post subject: |
I don't know why I used the word static; you're correct, except that it is not always -16 behind the player: as I increase the X coordinate of my mouse it will eventually equal that of the player and then surpass it.
ParkourPenguin I post too much
Posted: Thu Dec 01, 2016 1:38 pm Post subject: |
So one increases at a different rate than the other?
Just make a function that maps one to the other and I'll translate that into assembly. If you don't know how to do that, put your mouse cursor exactly over your player at arbitrary positions in the map, log the value of your mouse cursor's coordinate and the value of your player's coordinate, and post that data here (get at least 5 unique data points).
Kronogenics Advanced Cheater
Posted: Thu Dec 01, 2016 1:41 pm Post subject: |
Alright, I will do this as soon as I can; I have to leave school soon, so once I get home I will do this. Thank you for your help! Also, if I wanted to make a static pointer to, say, eax during a specific instruction, but I didn't want to inject at that instruction (so that it doesn't move, keeping it injectable by a different script), how would I go about doing this?
ParkourPenguin I post too much
Posted: Thu Dec 01, 2016 5:08 pm Post subject: |
| Kronogenics wrote: | | Also, if I wanted to make a static pointer to say eax during a specific instruction but I didn't want to inject upon that instruction (so that it doesn't move, making it inject able by a different script) how would I go about doing this? |
A pointer is a data type. Pointers exist in memory; they aren't a concept or an idea of a reference to some value. Pointers cannot point to a register, but there might be a pointer to a value contained within a register. If you want to find a pointer, using the pointerscanner will require the least effort and knowledge on your part.
There are many other alternatives you aren't considering. The most prevalent of which would be to simply find a different injection point. A script whose only purpose is to copy some value into a registered symbol generally doesn't require a specific injection point (as long as it's run often enough). It can be at a different instruction that accesses the address, near an instruction that accesses the address, at or near an instruction that accesses an address close to the desired address, and at other locations more complicated to explain and very unlikely necessary to use.
It's also possible to combine two different scripts that access the same injection point into one and turn each feature off independently. A common pattern for this would be to have a parent script that injects the code of all the different injection points and use flags to check if it should execute a specific code. Then, have child scripts (or even raw values) to toggle the flags appended to the parent script.
Kronogenics Advanced Cheater
Posted: Thu Dec 01, 2016 6:45 pm Post subject: |
I can't seem to understand this: your code worked for the X axis, but replicating the code and replacing the parts I needed in order for it to work on the Y axis crashes my game.
X Axis code:
{ Game : N++.exe
Version:
Date : 2016-12-01
Author : Kronogenics
This script does blah blah blah

Review notes (working X-axis teleport):
- Hooks the 5-byte movsd [ecx-18],xmm0 at npp.dll+2F010C and stores the
  mouse X (float at the address held in mCord) as a double instead.
- The AOB includes the bytes of the NEXT instruction
  (F2 0F 11 49 F0 EB = movsd [ecx-10],xmm1 at +2F0111). Any script that
  hooks +2F0111 (the Y-axis script) replaces those bytes with a jmp, so
  this script must be enabled first or its scan will not match. An AOB
  ending at E8 (plus bytes before the injection point) would avoid that
  ordering dependency.
- The dump below shows a jmp already present at +2F00FD; that is another
  hook, unrelated to this script.
}
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
aobscanmodule(INJECT,npp.dll,F2 0F 11 41 E8 F2 0F 11 49 F0 EB) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
push eax // preserve eax; the hooked function may still need it
mov eax,[mCord] // eax = address of the mouse coordinate pair (mCord is a pointer)
cvtss2sd xmm0,[eax] // float X -> double
pop eax
movsd [ecx-18],xmm0 // the replaced original instruction, now storing the mouse X
jmp return
INJECT:
jmp newmem // 5-byte jmp covers the 5-byte original instruction exactly
return:
registersymbol(INJECT)
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT:
db F2 0F 11 41 E8 // restore the original bytes of movsd [ecx-18],xmm0
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "npp.dll"+2F010C
"npp.dll"+2F00DE: F2 0F 11 09 - movsd [ecx],xmm1
"npp.dll"+2F00E2: F2 0F 10 41 30 - movsd xmm0,[ecx+30]
"npp.dll"+2F00E7: F2 0F 58 C1 - addsd xmm0,xmm1
"npp.dll"+2F00EB: F2 0F 11 01 - movsd [ecx],xmm0
"npp.dll"+2F00EF: F3 0F 6F 41 E8 - movdqu xmm0,[ecx-18]
"npp.dll"+2F00F4: F3 0F 7F 41 08 - movdqu [ecx+08],xmm0
"npp.dll"+2F00F9: F2 0F 10 09 - movsd xmm1,[ecx]
"npp.dll"+2F00FD: E9 FE FE ED 08 - jmp 0FF00000
"npp.dll"+2F0102: F2 0F 58 41 F8 - addsd xmm0,[ecx-08]
"npp.dll"+2F0107: F2 0F 58 49 F0 - addsd xmm1,[ecx-10]
// ---------- INJECTING HERE ----------
"npp.dll"+2F010C: F2 0F 11 41 E8 - movsd [ecx-18],xmm0
// ---------- DONE INJECTING ----------
"npp.dll"+2F0111: F2 0F 11 49 F0 - movsd [ecx-10],xmm1
"npp.dll"+2F0116: EB 03 - jmp npp.dll+2F011B
"npp.dll"+2F0118: 8B 55 98 - mov edx,[ebp-68]
"npp.dll"+2F011B: 0F 57 C9 - xorps xmm1,xmm1
"npp.dll"+2F011E: 8B 81 98 00 00 00 - mov eax,[ecx+00000098]
"npp.dll"+2F0124: 66 0F 14 C9 - unpcklpd xmm1,xmm1
"npp.dll"+2F0128: 83 F8 09 - cmp eax,09
"npp.dll"+2F012B: 74 47 - je npp.dll+2F0174
"npp.dll"+2F012D: 83 F8 06 - cmp eax,06
"npp.dll"+2F0130: 74 42 - je npp.dll+2F0174
}
Y Axis Code:
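{ Game : N++.exe
Version:
Date : 2016-12-01
Author : Kronogenics
This script does blah blah blah

Y-axis teleport: hooks the 5-byte movsd [ecx-10],xmm1 at npp.dll+2F0111
(covered exactly by the 5-byte jmp) and stores the mouse Y as a double in
place of the value the game computed.

Fix relative to the posted version: the pointer was loaded with
mov eax,[mCord+4], i.e. the 4 bytes AFTER the pointer stored in mCord, and
that garbage was then dereferenced, which is the likely crash. mCord holds
the address of the mouse coordinate pair (the setter script does
mov [mCord],edi after movss [edi],xmm3 / movss [edi+04],xmm2), so the
second float is at [eax+4] once eax has been loaded from [mCord].

Enable this script after the X-axis script: the X script's AOB includes
these 5 bytes, which this script replaces with a jmp.
}
[ENABLE]
aobscanmodule(INJECT,npp.dll,F2 0F 11 49 F0 EB) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
push eax // preserve eax; the hooked function may still need it
mov eax,[mCord] // eax = address of the mouse coordinate pair (first float at +0, second at +4)
cvtss2sd xmm1,[eax+4] // second float (presumably Y) -> double
pop eax
movsd [ecx-10],xmm1 // the replaced original instruction, now storing the mouse value
jmp return
INJECT:
jmp newmem // 5-byte jmp covers the 5-byte original instruction exactly
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db F2 0F 11 49 F0 // restore the original bytes of movsd [ecx-10],xmm1
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "npp.dll"+2F0111
"npp.dll"+2F00E2: F2 0F 10 41 30 - movsd xmm0,[ecx+30]
"npp.dll"+2F00E7: F2 0F 58 C1 - addsd xmm0,xmm1
"npp.dll"+2F00EB: F2 0F 11 01 - movsd [ecx],xmm0
"npp.dll"+2F00EF: F3 0F 6F 41 E8 - movdqu xmm0,[ecx-18]
"npp.dll"+2F00F4: F3 0F 7F 41 08 - movdqu [ecx+08],xmm0
"npp.dll"+2F00F9: F2 0F 10 09 - movsd xmm1,[ecx]
"npp.dll"+2F00FD: E9 FE FE ED 08 - jmp 0FF00000
"npp.dll"+2F0102: F2 0F 58 41 F8 - addsd xmm0,[ecx-08]
"npp.dll"+2F0107: F2 0F 58 49 F0 - addsd xmm1,[ecx-10]
"npp.dll"+2F010C: E9 EF FE B0 F9 - jmp 00B30000
// ---------- INJECTING HERE ----------
"npp.dll"+2F0111: F2 0F 11 49 F0 - movsd [ecx-10],xmm1
// ---------- DONE INJECTING ----------
"npp.dll"+2F0116: EB 03 - jmp npp.dll+2F011B
"npp.dll"+2F0118: 8B 55 98 - mov edx,[ebp-68]
"npp.dll"+2F011B: 0F 57 C9 - xorps xmm1,xmm1
"npp.dll"+2F011E: 8B 81 98 00 00 00 - mov eax,[ecx+00000098]
"npp.dll"+2F0124: 66 0F 14 C9 - unpcklpd xmm1,xmm1
"npp.dll"+2F0128: 83 F8 09 - cmp eax,09
"npp.dll"+2F012B: 74 47 - je npp.dll+2F0174
"npp.dll"+2F012D: 83 F8 06 - cmp eax,06
"npp.dll"+2F0130: 74 42 - je npp.dll+2F0174
"npp.dll"+2F0132: F3 0F 6F 41 F8 - movdqu xmm0,[ecx-08]
}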