 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
sgsgwv$6263
Advanced Cheater
![]() Reputation: 0
Joined: 05 Aug 2020
Posts: 75
|
 Posted: Fri Nov 24, 2023 8:09 am Post subject: Something wrong with my code |
 |
|
Can anyone tell me whats wrong here:
| Code: |
[ENABLE]
aobscanmodule(INJECT,rock.exe,B3 F3 0F 11 83 28 03 00 00) // should be unique
alloc(newmem,$1000,"rock.exe"+779E52)
alloc(mul,4)
alloc(limit,4)
label(code)
label(return)
newmem:
fld [rbx+320]
fmul [rbx+320]
fld [rbx+324]
fmul [rbx+324]
fadd st(1)
fsqrt
fcomp [limit]
add esp,4
fstsw ax
sahf
jb speeder
code:
movss [rbx+00000328],xmm0
jmp return
speeder:
fld [rbx+324]
fmul [mul]
fstp [rbx+324]
fld [rbx+320]
fmul [mul]
fstp [rbx+320]
jmp code
mul:
dd (float)2
limit:
dd (float)20
INJECT+01:
jmp newmem
nop
nop
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT+01:
db F3 0F 11 83 28 03 00 00
unregistersymbol(INJECT)
dealloc(newmem)
dealloc(mul)
dealloc(limit)
|
|
|
| Back to top |
|
 |
ParkourPenguin
I post too much
 Reputation: 140
Joined: 06 Jul 2014
Posts: 4307
|
| Posted: Fri Nov 24, 2023 12:55 pm Post subject: |
|
|
The "Auto Assembler tutorials" forum is for tutorials, not help
Why are you using x87 instructions in 64-bit code? Use SSE instructions instead
You're not specifying data size when accessing memory. e.g. `fld [rbx+320]` could be accessing a float or a double. Use `dword ptr[...]` or `qword ptr[...]` for float or double respectively.
Those `fmul` instructions that square values could just be `fmul st(0),st(0)`
`fadd st(i)` is a little ambiguous as it could mean `fadd st(i),st(0)` or `fadd st(0),st(i)`. CE uses the latter.
You're not popping one of the values from the FPU stack. i.e. `fadd st(1)` should be just `faddp` (no arguments)
Why `fcomp` / `fstsw ax` / `sahf`? Do you know what the FPU status word and EFLAGS register are? `fcomip` is a thing that exists. The unordered version is probably more appropriate (i.e. `fucomip`)
`add esp,4` - no
You're modifying rax without backing it up
Don't mix SSE and x87 instructions. If the game is using SSE (i.e. `movss [...],xmm0`), you should too.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
sgsgwv$6263
Advanced Cheater
![]() Reputation: 0
Joined: 05 Aug 2020
Posts: 75
|
| Posted: Fri Nov 24, 2023 2:36 pm Post subject: |
|
|
Okay. I can see that I am wrong on multiple fronts here. What I am doing is:
Calculating the magnitude of a vector whose x and y components are in rbx+320 and +324. And then comparing it with limit variable. If it is less than jump to speeder code label otherwise continue with original code label execution.
Can you help me write this in sse instructions?
I dont completely understand sse instructions because I dont know how they backup xmm registers.
Also,in comparison instructions of floats or double, its not as simple as integer types. I cant just
| Code: |
cmp [rbx+55],edx
jl code
|
It seems they set status words or something but how do I compare if a value is greater than or less than the other value?
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 140
Joined: 06 Jul 2014
Posts: 4307
|
| Posted: Fri Nov 24, 2023 3:15 pm Post subject: |
|
|
You can usually get away with not backing them up. Most XMM registers won't be in use at most injection points. You can look at the injection point to get a good idea. Include the comment at the bottom of the script that shows the code around the injection point.
If you need to back up xmm registers, use `movups` and put each register some place where there's 16 bytes available. The stack is the most convenient choice.
`ucomiss` / `ucomisd` sets EFLAGS- specifically ZF, PF, CF. Use equal, above, or below conditionals (e.g. jae, jne, jb, etc.)
| Code: | newmem:
// back up registers
sub rsp,20
movups [rsp],xmm0
movups [rsp+10],xmm1
// magnitude of 2d vec
movss xmm0,[rbx+320]
movss xmm1,[rbx+324]
mulss xmm0,xmm0
mulss xmm1,xmm1
addss xmm0,xmm1
sqrtss xmm0,xmm0
// compare limit
movss xmm1,[limit]
ucomiss xmm0,xmm1
jae code
// speeder:
movss xmm1,[mul]
movss xmm0,[rbx+320]
mulss xmm0,xmm1
movss [rbx+320],xmm0
movss xmm0,[rbx+324]
mulss xmm0,xmm1
movss [rbx+324],xmm0
code:
// restore registers
movups xmm0,[rsp]
movups xmm1,[rsp+10]
add rsp,20
// original code
movss [rbx+328],xmm0
jmp return |
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
sgsgwv$6263
Advanced Cheater
![]() Reputation: 0
Joined: 05 Aug 2020
Posts: 75
|
| Posted: Fri Nov 24, 2023 4:04 pm Post subject: |
|
|
Thanks a ton. That worked like a charm. You are a saviour.
Few more questions:
Why did you allocate 20 bytes in the stack when you said it requires 16 bytes per xmm register?
Why can I not use jg,jle,je etc after ucomiss but only those that you specified?
Can you share snippet to do the same compare using FPU syntax?
Thanks again in adavnce.
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 140
Joined: 06 Jul 2014
Posts: 4307
|
| Posted: Fri Nov 24, 2023 7:36 pm Post subject: |
|
|
That's 0x20 bytes. 0x20 = 32 in decimal. 2 xmm registers, 16 bytes per register.
jg / jge / jl / jle check different flags in the EFLAGS register. ucomiss just sets those flags to 0 regardless of the result.
The x87 version is pretty much what you wrote but with the changes I previously mentioned.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
sgsgwv$6263
Advanced Cheater
![]() Reputation: 0
Joined: 05 Aug 2020
Posts: 75
|
| Posted: Sat Nov 25, 2023 10:42 pm Post subject: |
|
|
Why does the game crash when I do:
| Code: |
myvar:
dd (float)0.01
|
It seems I cant mention decimal in that declaration.
Is there an alternate way?
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 140
Joined: 06 Jul 2014
Posts: 4307
|
| Posted: Sat Nov 25, 2023 10:51 pm Post subject: |
|
|
That code is fine- it writes the float 0.01 to the address "myvar". Something else is wrong.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
sgsgwv$6263
Advanced Cheater
![]() Reputation: 0
Joined: 05 Aug 2020
Posts: 75
|
| Posted: Sun Nov 26, 2023 2:39 am Post subject: |
|
|
In
| Code: |
ucomiss xmm2,xmm3
jae code
|
Will the execution jump to code when xmm2 is greater than xmm3 or when xmm3 is greater than xmm2?
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 140
Joined: 06 Jul 2014
Posts: 4307
|
| Posted: Sun Nov 26, 2023 12:25 pm Post subject: |
|
|
| sgsgwv$6263 wrote: | In
| Code: |
ucomiss xmm2,xmm3
jae code
|
Will the execution jump to code when xmm2 is greater than xmm3 or when xmm3 is greater than xmm2? |
That will jump if xmm2 is greater than or equal to xmm3
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
sgsgwv$6263
Advanced Cheater
![]() Reputation: 0
Joined: 05 Aug 2020
Posts: 75
|
| Posted: Wed Nov 29, 2023 9:06 am Post subject: |
|
|
Thanks for the help so far.
Whats wrong here:
| Code: |
[ENABLE]
aobscanmodule(speeder,rock.exe,B3 F3 0F 11 83 28 03 00 00) // should be unique
alloc(newmem,$2000,"rock.exe"+779E52)
alloc(const_speed,4)
alloc(fastbit,4)
alloc(min_z_speed,4)
registersymbol(fastbit)
label(code)
label(return)
newmem:
min_h:
dd (float)300
// back up registers
sub rsp,40
movups [rsp],xmm0
movups [rsp+10],xmm1
movups [rsp+20],xmm2
movups [rsp+30],xmm3
// magnitude of 2d vec
movss xmm0,[rbx+320]
movss xmm1,[rbx+324]
mulss xmm0,xmm0
mulss xmm1,xmm1
addss xmm0,xmm1
sqrtss xmm0,xmm0
// compare health to isolate player
movss xmm2,[min_h]
movss xmm3,[rbx+280]
ucomiss xmm2,xmm3
jae code
// check if fastbit is on or not
cmp [fastbit],1
jne code
// compare limit
movss xmm1,[const_speed]
ucomiss xmm0,xmm1
jae code
// speeder:
divss xmm1,xmm0
movss xmm0,[rbx+320]
mulss xmm0,xmm1
movss [rbx+320],xmm0
movss xmm0,[rbx+324]
mulss xmm0,xmm1
movss [rbx+324],xmm0
code:
// restore registers
movups xmm0,[rsp]
movups xmm1,[rsp+10]
movups xmm2,[rsp+20]
movups xmm3,[rsp+30]
add rsp,40
//backup registers
sub rsp,10
movups [rsp],xmm1
//compare zspeed
movss xmm1,[min_z_speed]
ucomiss xmm0,xmm1
jae originalcode
//jump higher
movss xmm1,[const_speed]
mulss xmm0,xmm1
//restore registers
movups xmm1,[rsp]
add rsp,10
jmp originalcode
originalcode:
// original code
movss [rbx+328],xmm0
jmp return
const_speed:
dd (float)40
min_z_speed:
dd (float)0
speeder+01:
jmp newmem
nop
nop
nop
return:
registersymbol(speeder)
[DISABLE]
speeder+01:
db F3 0F 11 83 28 03 00 00
unregistersymbol(speeder)
dealloc(newmem)
dealloc(const_speed)
dealloc(fastbit)
dealloc(min_z_speed)
unregistersymbol(fastbit)
|
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 140
Joined: 06 Jul 2014
Posts: 4307
|
| Posted: Wed Nov 29, 2023 11:58 am Post subject: |
|
|
| sgsgwv$6263 wrote: | | Code: | newmem:
min_h:
dd (float)300
...
speeder+01:
jmp newmem |
|
`jmp newmem` jumps to garbage. Allocate some memory for `min_h` and put it elsewhere. e.g. `const_speed` and `min_z_speed` are correct.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
sgsgwv$6263
Advanced Cheater
![]() Reputation: 0
Joined: 05 Aug 2020
Posts: 75
|
| Posted: Wed Nov 29, 2023 12:24 pm Post subject: |
|
|
| Suprisingly min_h works fine. But if you intialize another such variable liks that the game crashes.
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
