Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Tutorial Step 4: Alternative Solution.

fade2gray
Newbie cheater
Reputation: 0

Joined: 01 Oct 2010
Posts: 12

PostPosted: Thu Nov 04, 2021 1:55 pm    Post subject: Tutorial Step 4: Alternative Solution.

I stumbled on an old video tutorial by Chris Fayte (youtube dot com/watch?v=Q9vnUMWFFw8) which explains the procedures needed to directly set the Health and Ammo to 5000 using AOB injection scripts - the scripts are based on the CE 6.5.1 32bit tutorial but also work with CE 7.2.

The thing is, both scripts work fine but with a certain limitation; clicking the Hit me button multiple times has no ill effect, but clicking the Fire button four more times after the initial click, will produce an "Invalid floating-point operation" error. I know there's no need for further clicks after Next has been triggered, but nothing-ventured-nothing-gained.

Also, at around 10m50s into the video, Chris provides some extra info that enabled me to adapt the scripts for use with the 64bit version of the tutorial, and I've attached my resulting cheat table hoping someone may have the time to take a look into what's causing the floating-point error mentioned above.

Thanks for your help.

N.B. Unfortunately, the cheat table is 8,192 bytes and won't attach.

Code:
{ 32bit Tutorial Step 4 Alternative Solution: Float Health}

[ENABLE]

aobscanmodule(health,Tutorial-i386.exe,D9 9E C0 04 00 00) // should be unique
alloc(newmem,$100)

label(code)
label(return)

newmem:

code:
  fstp dword ptr [esi+000004C0]
  mov [esi+000004C0],(float)5000
  jmp return

health:
  jmp newmem
  nop
return:
registersymbol(health)

[DISABLE]

health:
  db D9 9E C0 04 00 00

unregistersymbol(health)
dealloc(newmem)


Code:
{ 32bit Tutorial Step 4 Alternative Solution: Double Ammo }

[ENABLE]

aobscanmodule(ammo,Tutorial-i386.exe,DD 9B C8 04 00 00) // should be unique
alloc(newmem,$100)

label(code)
label(return)

alloc(dammo,8)  // 8 bytes: holds the double defined below

dammo:
  dq (double)5000

newmem:

code:
  fld qword ptr [dammo]          // push 5000.0 onto the x87 stack
  fstp qword ptr [ebx+000004C8]  // store it to the ammo field and pop
  jmp return

ammo:
  jmp newmem
  nop
return:
registersymbol(ammo)

[DISABLE]

ammo:
  db DD 9B C8 04 00 00

unregistersymbol(ammo)
dealloc(newmem)
dealloc(dammo)


Code:
{ 64bit Tutorial Step 4 Alternative Solution: Float Health }

[ENABLE]

aobscanmodule(health,Tutorial-x86_64.exe,F3 0F 11 8E 18 08 00 00) // should be unique
alloc(newmem,$100,health)

label(code)
label(return)

alloc(fhealth,4)

fhealth:
  dd (float)5000

newmem:

code:
  fld dword ptr [fhealth]
  fstp dword ptr [rsi+00000818]
  //movss [rsi+00000818],xmm1
  jmp return

health:
  jmp newmem
  nop 3
return:
registersymbol(health)

[DISABLE]

health:
  db F3 0F 11 8E 18 08 00 00

unregistersymbol(health)
dealloc(newmem)
dealloc(fhealth)


Code:
{ 64bit Tutorial Step 4 Alternative Solution: Double Ammo }

[ENABLE]

aobscanmodule(ammo,Tutorial-x86_64.exe,F2 0F 11 83 20 08 00 00) // should be unique
alloc(newmem,$1000,ammo)

label(code)
label(return)

alloc(dammo,8)  // 8 bytes: holds the double defined below

dammo:
  dq (double)5000

newmem:

code:
  fld qword ptr [dammo]          // push 5000.0 onto the x87 stack
  fstp qword ptr [rbx+00000820]  // store it to the ammo field and pop
  //movsd [rbx+00000820],xmm0    // original instruction replaced by the AOB scan above
  jmp return

ammo:
  jmp newmem
  nop 3
return:
registersymbol(ammo)

[DISABLE]

ammo:
  db F2 0F 11 83 20 08 00 00

unregistersymbol(ammo)
dealloc(newmem)
dealloc(dammo)

_________________
I am, and always will be, a CE novice.
ParkourPenguin
I post too much
Reputation: 140

Joined: 06 Jul 2014
Posts: 4289

PostPosted: Thu Nov 04, 2021 6:37 pm    Post subject:

The "32bit Tutorial Step 4 Alternative Solution: Double Ammo" script overflows the fpu stack.

The original code is:
Code:
DD 9B C8040000  -  fstp qword ptr [rbx+000004C8]
The code you're replacing that with is:
Code:
fld qword ptr [dammo]
fstp qword ptr [rbx+00000820]
fstp pops a value off the fpu stack. fld pushes a value onto the stack.
The original code removes a value while your code leaves the stack size unchanged. Every time your code executes, it effectively leaks a value on the x87 stack, eventually causing a stack overflow floating-point exception.


The 64-bit scripts shouldn't mix x87 and SSE.

The overwhelming majority of the time, you should be using SSE in 64-bit code. e.g. for the ammo script, this is ok:
Code:
code:
  movsd xmm0,[dammo]
  movsd [rbx+00000820],xmm0
  jmp return

_________________
I don't know where I'm going, but I'll figure it out when I get there.
fade2gray
Newbie cheater
Reputation: 0

Joined: 01 Oct 2010
Posts: 12

PostPosted: Sat Nov 06, 2021 6:41 am    Post subject: [Solved] Tutorial Step 4: Alternative Solution.

Thanks for your reply.

Your 64-bit example was simple to understand and implement.

On the 32-bit ammo issue: as fld is causing a stack overflow, is there any other method that can be used to achieve the same result without producing the same error?

Edit:

I have since discovered that the new code needs to be...

Code:
code:
  fstp st(0)
  fld qword ptr [dammo]
  fstp qword ptr [ebx+000004C8]
  jmp return

_________________
I am, and always will be, a CE novice.
Csimbi
I post too much
Reputation: 94

Joined: 14 Jul 2007
Posts: 3110

PostPosted: Sat Nov 06, 2021 12:25 pm    Post subject:

You don't understand how stacks work, do you?
You need to leave it as it was - popping extra or pushing extra onto stack will always cause an exception (or crash, if the exception is not handled).
fade2gray
Newbie cheater
Reputation: 0

Joined: 01 Oct 2010
Posts: 12

PostPosted: Sat Nov 06, 2021 1:00 pm    Post subject:

Csimbi wrote:
You don't understand how stacks work, do you?

Well, I do understand the basic concept that values get pushed onto and popped off the stack for temporary storage and later use.

Csimbi wrote:
You need to leave it as it was - popping extra or pushing extra onto stack will always cause an exception (or crash, if the exception is not handled).

Hmm,
This causes an exception when clicking the fire button multiple times.
Code:
code:
  fld qword ptr [dammo]
  fstp qword ptr [ebx+000004C8]
  jmp return


This does not cause any exception.
Code:
code:
  fstp st(0)
  fld qword ptr [dammo]
  fstp qword ptr [ebx+000004C8]
  jmp return


So, if using fstp st(0) and fld qword ptr [dammo] is not the correct approach (despite apparently working), how else might I achieve the desired effect?

_________________
I am, and always will be, a CE novice.
ParkourPenguin
I post too much
Reputation: 140

Joined: 06 Jul 2014
Posts: 4289

PostPosted: Sat Nov 06, 2021 9:31 pm    Post subject:

fade2gray wrote:
Code:
code:
  fstp st(0)
  fld qword ptr [dammo]
  fstp qword ptr [ebx+000004C8]
  jmp return
This code is correct.
The original code is popping a value off the fpu stack. The injected code has to pop a value off the fpu stack as well.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
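The stack-balance argument made in ParkourPenguin's two replies (fld pushes, every form of fstp pops, so a replacement for an fstp must itself pop once) can be checked with a small model of the x87 register stack. The following Python is an added example written for this thread; it is not Cheat Engine code, executes no real x87 instructions, and only counts how many of the eight x87 registers are in use. The `pre_pushes` and `initial_depth` parameters are assumptions of the model, not facts about the tutorial binary.

```python
"""Toy model of the x87 FPU register stack, added to illustrate the thread.

Constructed example: it is not Cheat Engine code and runs no real x87
instructions. It only tracks how many of the 8 x87 registers are in use,
which is all that matters for the stack fault discussed above.
"""

X87_REGS = 8  # st(0) .. st(7)


class FpuStack:
    """Counts x87 registers in use; records a fault on overflow or underflow."""

    def __init__(self, depth=0):
        self.depth = depth
        self.faulted = False

    def fld(self):
        # Push. With all 8 registers occupied the CPU raises an invalid-operation
        # (stack overflow) fault instead of pushing.
        if self.depth >= X87_REGS:
            self.faulted = True
            return
        self.depth += 1

    def fstp(self):
        # Store-and-pop. Every form of fstp pops, including `fstp st(0)`, which
        # just discards the top value. Popping an empty stack is an underflow fault.
        if self.depth == 0:
            self.faulted = True
            return
        self.depth -= 1


# Net change in stack depth per instruction: fld pushes, fstp pops.
NET = {"fld": +1, "fstp": -1}

# The variants discussed in the thread, reduced to their push/pop behaviour.
ORIGINAL = ["fstp"]                     # fstp qword ptr [ebx+000004C8]
BUGGY_INJECT = ["fld", "fstp"]          # fld [dammo]; fstp [ebx+000004C8]
FIXED_INJECT = ["fstp", "fld", "fstp"]  # fstp st(0); fld [dammo]; fstp [ebx+000004C8]
DOUBLE_POP = ["fstp", "fstp"]           # pops once more than the original: underflows


def net_effect(seq):
    """Change in stack depth after one execution of `seq`. A safe replacement
    has the same net effect as the instruction it overwrites."""
    return sum(NET[m] for m in seq)


def first_faulting_click(inject, clicks, pre_pushes=1, initial_depth=0):
    """Run `inject` once per simulated Fire click and return the click number
    on which the FPU faults, or None if it never does.

    Model assumption: before the patched instruction runs, the game's own code
    has pushed `pre_pushes` values (the one the original fstp consumes).
    `initial_depth` stands for values the surrounding code already keeps on
    the stack; the larger it is, the sooner a leaking replacement faults.
    """
    st = FpuStack(initial_depth)
    for click in range(1, clicks + 1):
        for _ in range(pre_pushes):
            st.fld()
        for mnemonic in inject:
            getattr(st, mnemonic)()
        if st.faulted:
            return click
    return None


if __name__ == "__main__":
    for name, seq in [("original", ORIGINAL), ("buggy", BUGGY_INJECT),
                      ("fixed", FIXED_INJECT), ("double pop", DOUBLE_POP)]:
        print(f"{name:10s} net {net_effect(seq):+d}  "
              f"faults on click {first_faulting_click(seq, 20)}")
```

With an otherwise empty stack the leaking version faults on the eighth click; if the model assumes three values already resident (`initial_depth=3`) it faults on the fifth, which is the "four more clicks after the initial one" symptom from the first post. The `fstp st(0)` version and the original never fault, and a version that pops one time too many underflows on the first click, which is the other half of Csimbi's remark.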
fade2gray
Newbie cheater
Reputation: 0

Joined: 01 Oct 2010
Posts: 12

PostPosted: Sun Nov 07, 2021 7:11 am    Post subject:

ParkourPenguin wrote:
This code is correct.


Thank you for the confirmation.

_________________
I am, and always will be, a CE novice.
All times are GMT - 6 Hours