Ulic Qel-Droma Newbie cheater
Reputation: 0
Joined: 13 Jul 2010 Posts: 15
Posted: Tue Jan 07, 2020 10:10 pm Post subject: Witcher EE Dice Game
I went back to the Witcher 1 and was playing around with the dice game. I wonder if someone might be able to help me write a script that will set the player's rolls to 6? Here's what I know.
The dice rolls are floats.
Code:
1 1.875
2 2
3 2.125
4 2.25
5 2.3125
6 2.375
The five dice addresses are each offset by C. I can find these manually and alter them to win every time.
Unfortunately, I can't figure out how to automate this by locating a static pointer. When I find the base address I can't find any opcodes that write to it with the debugger. There are two opcodes that access it, although I'm not sure what good that does me. It seems tantalizingly close as the listed EBX register is the base address I need. However, if I write a script to save EBX I get an incorrect rotating address that keeps updating with the first target and a workable address with the second, but one that isn't static. Any thoughts on next steps? Here are the accessing opcodes:
Code:
witcher.exe+667405 - 8B 44 24 24 - mov eax,[esp+24]
witcher.exe+667409 - 8B 08 - mov ecx,[eax]
witcher.exe+66740B - 89 0B - mov [ebx],ecx
witcher.exe+66740D - 8B 50 04 - mov edx,[eax+04]
witcher.exe+667410 - 5F - pop edi
witcher.exe+667411 - 89 53 04 - mov [ebx+04],edx
witcher.exe+667414 - 8B 40 08 - mov eax,[eax+08]
witcher.exe+667417 - 5E - pop esi
witcher.exe+667418 - 5D - pop ebp
witcher.exe+667419 - 89 43 08 - mov [ebx+08],eax <<
witcher.exe+66741C - 5B - pop ebx
witcher.exe+66741D - 59 - pop ecx
witcher.exe+66741E - C3 - ret
witcher.exe+66741F - 6A 01 - push 01
witcher.exe+667421 - 55 - push ebp
witcher.exe+667422 - 56 - push esi
witcher.exe+667423 - E8 D8FBFFFF - call witcher.exe+667000
witcher.exe+667428 - 8B F8 - mov edi,eax
witcher.exe+66742A - 83 C4 0C - add esp,0C
witcher.exe+66742D - 83 3F 00 - cmp dword ptr [edi],00
witcher.exe+667430 - 75 0F - jne witcher.exe+667441
Code:
EAX=40000000
EBX=0AEDFEBC <<
ECX=00000003
EDX=00000000
ESI=00000007
EDI=4872AA38
ESP=01CCFA5C
EBP=01CCFAC8
EIP=00A6741C
and...
Code:
witcher.exe+667D9F - FF 24 85 CC8DA600 - jmp dword ptr [eax*4+witcher.exe+668DCC]
witcher.exe+667DA6 - 8B 44 24 14 - mov eax,[esp+14]
witcher.exe+667DAA - C1 EE 0F - shr esi,0F
witcher.exe+667DAD - 81 E6 FF010000 - and esi,000001FF
witcher.exe+667DB3 - 8D 14 76 - lea edx,[esi+esi*2]
witcher.exe+667DB6 - 8D 04 90 - lea eax,[eax+edx*4]
witcher.exe+667DB9 - 8B 08 - mov ecx,[eax]
witcher.exe+667DBB - 89 0F - mov [edi],ecx
witcher.exe+667DBD - 8B 50 04 - mov edx,[eax+04]
witcher.exe+667DC0 - 89 57 04 - mov [edi+04],edx
witcher.exe+667DC3 - 8B 40 08 - mov eax,[eax+08] <<
witcher.exe+667DC6 - 89 47 08 - mov [edi+08],eax
witcher.exe+667DC9 - E9 78FFFFFF - jmp witcher.exe+667D46
witcher.exe+667DCE - 8B 54 24 18 - mov edx,[esp+18]
witcher.exe+667DD2 - C1 EE 06 - shr esi,06
witcher.exe+667DD5 - 81 E6 FFFF0300 - and esi,0003FFFF
witcher.exe+667DDB - 8D 0C 76 - lea ecx,[esi+esi*2]
witcher.exe+667DDE - 8D 04 8A - lea eax,[edx+ecx*4]
witcher.exe+667DE1 - EB D6 - jmp witcher.exe+667DB9
witcher.exe+667DE3 - 8B CE - mov ecx,esi
witcher.exe+667DE5 - C1 E9 0F - shr ecx,0F
witcher.exe+667DE8 - 81 E1 FF010000 - and ecx,000001FF
Code:
EAX=40000000
EBX=0AED4148 <<
ECX=00000003
EDX=00000000
ESI=0AEDEED0
EDI=4872A9FC
ESP=01CCFA78
EBP=01CCFAC8
EIP=00A67DC6
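As an added example (not the poster's code or anything from the game), here is how the layout described in the post can be checked offline: the six dice values are encoded as the listed floats, each die record is 0xC bytes (three dwords, which matches the three-dword copy in the opcodes), and a hand is five consecutive records. The scanner below assumes the float sits at offset 0 of each record and runs over a constructed byte buffer, so it does not need a running process.

```python
import struct

# Dice value -> float stored in memory, exactly as listed in the post.
DICE_FLOATS = {1: 1.875, 2: 2.0, 3: 2.125, 4: 2.25, 5: 2.3125, 6: 2.375}
# Reverse map on the little-endian IEEE-754 bytes, for matching raw memory.
FLOAT_TO_DIE = {struct.pack("<f", v): d for d, v in DICE_FLOATS.items()}

RECORD_STRIDE = 0xC    # each die record is 12 bytes ("offset by C")
DICE_PER_HAND = 5      # five dice per hand

def die_bytes(die):
    """Little-endian float bytes for a die value 1..6 (what a scanner searches for)."""
    return struct.pack("<f", DICE_FLOATS[die])

def find_hand(mem, base=0):
    """Locate the first run of five die records at stride 0xC in mem.
    Returns (address, [die values]) or None. Assumption (constructed):
    the dice float is the first dword of each 12-byte record."""
    last = len(mem) - RECORD_STRIDE * DICE_PER_HAND
    for off in range(0, last + 1, 4):           # dword-aligned scan
        dice = []
        for i in range(DICE_PER_HAND):
            rec = off + i * RECORD_STRIDE
            die = FLOAT_TO_DIE.get(mem[rec:rec + 4])
            if die is None:
                break                           # not a dice float, try next offset
            dice.append(die)
        if len(dice) == DICE_PER_HAND:
            return base + off, dice
    return None

def build_hand(dice, filler=b"\x00" * 8):
    """Constructed sample data: five records, dice float followed by two other dwords."""
    return b"".join(die_bytes(d) + filler for d in dice)

# Constructed sample "memory": junk, then a hand of 3,1,6,2,5, then more junk.
SAMPLE = b"\xff" * 20 + build_hand([3, 1, 6, 2, 5]) + b"\xee" * 8

if __name__ == "__main__":
    print(find_hand(SAMPLE, base=0x0AEDFEBC))  # hand found 20 bytes past base
```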