Cheat Engine The Official Site of Cheat Engine
SotiCoto (rank: How do I cheat?; Reputation: 0; Joined: 21 Oct 2017; Posts: 9)
Posted: Sat Oct 12, 2024 2:42 pm. Post subject: Could someone explain what is wrong with this script?
TL;DR: I'm trying to use an AoB script to make a pseudo-pointer in Cemu (big-endian, so can't use regular pointers), but it isn't working for me.
Background: I'm trying to train myself modifying someone else's table for MH3U via the Cemu emulator. Big-endian and all that.
When I got the file initially there was one working script in the table and another that didn't work, but I eventually managed to repair the second by making the syntax match the first (using some weird lua AoB Scan instead of the auto-assembler version)...
BUT when I tried to make a new copy with a different AoB (which I've confirmed is unique) and changed all the relevant parts to match the code I'm basing it on... it just crashes the game and fails when I try to enable it.
This leads me to believe that one of the parts I don't understand is not being converted properly... and to be honest I don't understand most of it as I don't know squat about scripting (and most of the tutorials I've found were about injection, which was totally non-helpful)...
The script:
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
{$lua}
if syntaxcheck then return end -- don't run past this point when adding to table/editing
AoB = AOBScan("41 0F 38 F1 94 35 B8 08 00 00 79 20 0F 1F 40 00 83 AC 24 B0 02 00 00 03", "", 0, "")
-- ,
if (AoB) then -- check if there are results or not
lngt = AoB.getCount() -- get the AoB array length
--print("Results found: "..lngt)
unregisterSymbol("MH3U_v3_AOB3")
if (lngt > 0) then registerSymbol("MH3U_v3_AOB3", AoB[0]) end
if (lngt > 0) then MH3U_v3_Bytes3 = AoB[0] end
AoB.Destroy() -- destroy the array
AoB = nil
else
print("No results found.")
return
end
{$asm}
alloc(newmem,512)
alloc(MH3U_v3_3,64)
label(originalcode)
label(update)
registersymbol(MH3U_v3_3)
MH3U_v3_3:
db 00 00 00 00 // initialization
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
cmp [MH3U_v3_3],00000000
je update
jmp originalcode
update:
mov [MH3U_v3_3],r13 // Update Pointer
add [MH3U_v3_3],rsi // Update Pointer
add [MH3U_v3_3],000008B8 // Update Pointer
jmp originalcode
originalcode:
db 41 0F 38 F1 94 35 B8 08 00 00 79 20 0F 1F 40 00 83 AC 24 B0 02 00 00 03
jmp MH3U_v3_AOB3+18
MH3U_v3_AOB3:
jmp newmem
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
{$lua}
writeBytes(MH3U_v3_Bytes3, 0x41, 0x0F, 0x38, 0xF1, 0x94, 0x35, 0xB8, 0x08, 0x00, 0x00, 0x79, 0x20, 0x0F, 0x1F, 0x40, 0x00, 0x83, 0xAC, 0x24, 0xB0, 0x02, 0x00, 0x00, 0x03)
unregisterSymbol("MH3U_v3_AOB3")
{$asm}
unregistersymbol(MH3U_v3_3)
dealloc(newmem)
dealloc(MH3U_v3_3)
I've already changed the AoB, renumbered all the variables to differentiate them from the ones in the other scripts.
Basically I'm trying to make a pseudo-pointer called MH3U_V3_3, following the same syntax the original creator used... but it just isn't working.
I think I've figured out what the "db" thing means. I'm guessing the "jmp" moves in a non-linear order around different parts of the script. I've no idea what the "je" means.
I don't know why the "jmp MH3U_v3_AOB3+18" thing is specifically +18 either, so I hadn't changed that. It was a holdover from version 2 of the script, while version 1 had +17 for some reason. But this seems like the bit most likely to be screwed up. All the other arrays have been updated.
... So can anyone help? Or possibly just explain a much easier way of using an AoB Scan to write to a variable which I can use for a pseudo-pointer in a table?
Game Hacking Dojo (rank: Expert Cheater; Reputation: 1; Joined: 17 Sep 2023; Posts: 211)
Posted: Sat Oct 12, 2024 3:12 pm
Sorry to say but why did you even think you could solve the problem if you don't know what a simple assembly instruction does? Yes, your tweak might be very subtle but if the purpose is learning, I suggest you start with something easy. This is pretty difficult for you at your current level. Don't try to fix anyone's script, rather make your own and understand how the basic template works.
For us to help you solve the problem we need you to have enough knowledge to explain it.
If the purpose of this is to tweak something you use for the game you play then I'd suggest you wait for whoever made the script to fix it.
First, maybe watch some tutorials on YouTube to get started.
SotiCoto (rank: How do I cheat?; Reputation: 0; Joined: 21 Oct 2017; Posts: 9)
Posted: Sat Oct 12, 2024 6:11 pm
Game Hacking Dojo wrote:
> Sorry to say but why did you even think you could solve the problem if you don't know what a simple assembly instruction does?
Because it worked before, though I was doing a bit less then.
And because that is how I tend to do things. I find something that works and try to make it do something a little different, or change parts of it to see what effect it has in practice... though it can only get me so far when changes either don't do anything or outright crash the program.
Quote:
> For us to help you solve the problem we need you to have enough knowledge to explain it.
Perhaps. But then if I could explain the problem then I could probably solve the problem myself and wouldn't have to ask for help in the first place. I'm asking precisely because I don't know. In any case, I provided as much information as I could under the circumstances in order to make it easier for others to help me.
I'm also attempting trial-and-error to figure things out in the meanwhile, but that is slow-going and demotivating.
Quote:
> If the purpose of this is to tweak something you use for the game you play then I'd suggest you wait for whoever made the script to fix it.
That was my first resort... but they posted it a few years ago, and their last post at all was 2 years ago. That path was a dead end. I'm attempting other things now.
Quote:
> First, watch some tutorials on YouTube maybe to get started
Tried that. Just got a load of false positives. In fact I believe I remarked as much in the original post. Every single one that deals with scripty stuff is all about injects, and I don't want to inject. And most Cheat Engine tutorials in general are rudimentary stuff about pointer scanning or other such things irrelevant to the task at hand.
Basically the "tutorials" route is at the place where I cannot find any tutorials relevant to what I'm trying to do, so it is effectively another dead end.
Long story short, I can logically deduce that the problem is a relatively small one as nearly identical scripts do exactly what I need to do, but what exactly I need to change to make it work isn't obvious to me.
Game Hacking Dojo (rank: Expert Cheater; Reputation: 1; Joined: 17 Sep 2023; Posts: 211)
Posted: Sat Oct 12, 2024 6:47 pm
You can't find a tutorial tailored to your case. If you want to learn then you should learn because what you are doing is overloading yourself and you can't keep up.
Even if your issue is simple, I still can't help you despite you providing somewhat enough information. I can't help because I'd have to explain an entire book to be able to give you an idea of what's happening, and that's not possible here. Here people ask questions that can be explained in a few lines. I make tutorials on YouTube. My goal is to teach complex stuff, and you can find some. I hope somebody helps you. Good luck.
https://www.youtube.com/@GameHackingDojo
ParkourPenguin (rank: I post too much; Reputation: 147; Joined: 06 Jul 2014; Posts: 4518)
Posted: Sat Oct 12, 2024 6:47 pm
I think whoever wrote that script knows less about CE than you do.
There's no reason for that {$lua} block. Just do a regular aobscan.
Don't execute code written by `db` unless you know what you're doing. In this case, this is what is crashing your game.
`jmp MH3U_v3_AOB3+18` - this does jump past the end of the injected code, but why do it this way?
You should really start from scratch instead of trying to shape a turd into art.
- In the main CE window, right click the area under "Memory scan options" with the Writable / Executable / CoW checkboxes and select "Preset: scan all memory"
- Scan for that array of bytes
- Right click the result and select "Disassemble this memory region" (Ctrl+D)
- Right click that instruction (movbe) and select "Find out what addresses this instruction accesses"
- Play in the game for a little while. Do different things. See if any other addresses come up other than the one you want. If there are several addresses... good luck. See step 9 of the CE tutorial. If there's just one, continue on.
- Go to Memory Viewer -> Tools -> Auto Assemble
- In the AA window, go to Template -> AOB Injection
- Give a unique symbol name (e.g. updateMoneyOrSomething)
- File -> Assign to cheat table
- Close the window
- Double click the new script in the address list (bottom half of main window)
- Make a typical "injection copy" script
e.g. something like this:
Code:
[ENABLE]
...
alloc(MH3U_v3_3,8)
...
newmem:
push rcx
lea rcx,[r13+rsi+000008B8]
mov [MH3U_v3_3],rcx
pop rcx
code:
movbe [r13+rsi+000008B8],edx
jmp return
MH3U_v3_3:
dq 0
...
registersymbol(MH3U_v3_3)
[DISABLE]
...
unregistersymbol(MH3U_v3_3)
dealloc(MH3U_v3_3)
...
If you have trouble, post the script in its entirety. Don't remove the comment at the bottom that shows the code around the injection point; that's important information.
The only thing you might want to remove is the game's name, but with cemu I don't think that'll be an issue.
To read the pointer in the address list:
- Add address manually
- Check the "pointer" checkbox
- Base address is MH3U_v3_3
- Only offset is 0 (the offset 8B8 was accounted for in the AA script)
- Type / description is whatever; click OK
- Click + drag that new memory record onto the script memory record to add it as a child
- Right click the script memory record -> Group config -> Hide children when deactivated
_________________
I don't know where I'm going, but I'll figure it out when I get there.
SotiCoto (rank: How do I cheat?; Reputation: 0; Joined: 21 Oct 2017; Posts: 9)
Posted: Sat Oct 12, 2024 7:20 pm
ParkourPenguin wrote:
> I think whoever wrote that script knows less about CE than you do.
> There's no reason for that {$lua} block. Just do a regular aobscan.
I would have thought so too...
BUT when I first downloaded the table, one of the scripts had the lua block and the other had a regular aobscan... and the regular aobscan one didn't work. I tried finding anything logically inconsistent in it I could fix... but couldn't find anything. Strange as it might seem, when I converted it to the lua block thing, it worked. That is why I'm still trying to use that approach.
I also tried a regular aobscan with the new one I'm trying to figure out, but that didn't work either.
Quote:
> Don't execute code written by `db` unless you know what you're doing. In this case, this is what is crashing your game.
> `jmp MH3U_v3_AOB3+18` - this does jump past the end of the injected code, but why do it this way?
I mean... I guessed that was what was wrong... but for some odd reason both the two scripts that DO work have something similar in them and they don't crash... and the one I'm trying to figure out doesn't work any better without that +18 than it does otherwise. In fact I just checked the first script and it crashes Cemu if I remove the +17 in it (first script has +17, second has +18, and both were like that when I downloaded).
Quote:
> - In the main CE window, right click the area under "Memory scan options" with the Writable / Executable / CoW checkboxes and select "Preset: scan all memory"
> - Scan for that array of bytes
> - Right click the result and select "Disassemble this memory region" (Ctrl+D)
> - Right click that instruction (movbe) and select "Find out what addresses this instruction accesses"
> - Play in the game for a little while. Do different things. See if any other addresses come up other than the one you want. If there are several addresses... good luck. See step 9 of the CE tutorial. If there's just one, continue on.
> - Go to Memory Viewer -> Tools -> Auto Assemble
> - In the AA window, go to Template -> AOB Injection
> - Give a unique symbol name (e.g. updateMoneyOrSomething)
> - File -> Assign to cheat table
> - Close the window
> - Double click the new script in the address list (bottom half of main window)
> - Make a typical "injection copy" script
> e.g. something like this:
Hold on hold on...
Just lemme see if I've got this right.
I just want to use a code to find an address. I don't want to change the code at all. I was under the impression that the whole "Inject" thing implies changing the code itself. But I just want the code to lead me either to the address I need or one that is always a fixed distance from it, so I can use it in place of a pointer (which don't work here because big-endian).
In fact ideally I probably don't want anything in the script that tampers with the core array where the code is based. It is just a waypoint in the road.
Is it safe to use the "AoB Injection" thing if I don't want to inject anything into the code?
Quote:
> If you have trouble, post the script in its entirety. Don't remove the comment at the bottom that shows the code around the injection point; that's important information.
> The only thing you might want to remove is the game's name, but with cemu I don't think that'll be an issue.
One of the original scripts had it at the top. The other didn't have it. I figured it was just comment stuff. Does it change the function of the script?
Quote:
> To read the pointer in the address list:
> - Add address manually
> - Check the "pointer" checkbox
> - Base address is MH3U_v3_3
> - Only offset is 0 (the offset 8B8 was accounted for in the AA script)
> - Type / description is whatever; click OK
> - Click + drag that new memory record onto the script memory record to add it as a child
> - Right click the script memory record -> Group config -> Hide children when deactivated
I know that bit already. I've made quite a few pseudo-pointers with the existing MH3U_V3_1 and 2 variables made by the other versions of the script (the working one from the original creator and the broken one I somehow managed to fix).
And I'd like to take just a moment to say I hate Cemu for being Big-Endian. I've never had so much trouble getting a table working in all my life.
Last edited by SotiCoto on Sat Oct 12, 2024 7:25 pm; edited 1 time in total
AylinCE (rank: Grandmaster Cheater Supreme; Reputation: 34; Joined: 16 Feb 2017; Posts: 1419)
Posted: Sat Oct 12, 2024 7:23 pm
ParkourPenguin wrote:
> I think whoever...
+1's will be added to this comment. I'm just a bit stuck on the time limit.
"You heal the wound by filtering light into it with your hand.
(It could probably be tiring..) But, please continue with such explanatory lessons.
You have the knowledge to rebuild most people who love coding from scratch.
(You're probably one of the "Rare" masters left.)
Excellent...
SotiCoto (rank: How do I cheat?; Reputation: 0; Joined: 21 Oct 2017; Posts: 9)
Posted: Sat Oct 12, 2024 7:30 pm
Incidentally, I'm not sure if this is relevant... but the area of the memory I was trying to isolate was relating to the monsters in hunts.
I found the code that updates whenever the monster takes damage and have been using that to try and get a pseudo-pointer for the address it writes to... which is the Monster Health...
BUT since it only updates when the monster is damaged, I'm not sure if the script actually needs the code itself to update in order to function...
I manually checked the array at the start of the hunt and it brings back one result as it should... but maybe I should be attacking the monster to activate the script, or finding another nearby address that updates constantly from another code?
ANYHOW...
I've just run the AoB Injection auto assembler thingie on the code which updates monster health...
This is what it spat out, unchanged, in its entirety:
Code:
{ Game : Cemu 2.0-39 (experimental) - FPS: 60.00 [Vulkan] [NVIDIA GPU] [TitleId: 00050000-10117200] MH3U [EU
Version:
Date : 2024-10-13
Author : SotiCoto
This script does blah blah blah
}
[ENABLE]
aobscan(MonHealth,41 0F 38 F1 94 35 B8 08 00 00 79) // should be unique
alloc(newmem,$1000,MonHealth)
label(code)
label(return)
newmem:
code:
movbe [r13+rsi+000008B8],edx
jmp return
MonHealth:
jmp newmem
nop 5
return:
registersymbol(MonHealth)
[DISABLE]
MonHealth:
db 41 0F 38 F1 94 35 B8 08 00 00
unregistersymbol(MonHealth)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: 18977863EF5
18977863EBD: 0F 1F 40 00 - nop dword ptr [rax+00]
18977863EC1: 83 AC 24 B0 02 00 00 01 - sub dword ptr [rsp+000002B0],01
18977863EC9: 89 D0 - mov eax,edx
18977863ECB: 89 44 24 18 - mov [rsp+18],eax
18977863ECF: 83 AC 24 B0 02 00 00 03 - sub dword ptr [rsp+000002B0],03
18977863ED7: 8B 5C 24 14 - mov ebx,[rsp+14]
18977863EDB: 01 DA - add edx,ebx
18977863EDD: 0F 98 84 24 8C 02 00 00 - sets byte ptr [rsp+0000028C]
18977863EE5: 0F 9F 84 24 8D 02 00 00 - setg byte ptr [rsp+0000028D]
18977863EED: 0F 94 84 24 8E 02 00 00 - sete byte ptr [rsp+0000028E]
// ---------- INJECTING HERE ----------
18977863EF5: 41 0F 38 F1 94 35 B8 08 00 00 - movbe [r13+rsi+000008B8],edx
// ---------- DONE INJECTING ----------
18977863EFF: 79 20 - jns 18977863F21
18977863F01: 0F 1F 40 00 - nop dword ptr [rax+00]
18977863F05: 83 AC 24 B0 02 00 00 03 - sub dword ptr [rsp+000002B0],03
18977863F0D: BA 00 00 00 00 - mov edx,00000000
18977863F12: 41 0F 38 F1 94 35 B8 08 00 00 - movbe [r13+rsi+000008B8],edx
18977863F1C: E9 2C 00 00 00 - jmp 18977863F4D
18977863F21: 83 AC 24 B0 02 00 00 02 - sub dword ptr [rsp+000002B0],02
18977863F29: 39 C2 - cmp edx,eax
18977863F2B: 0F 9F 84 24 8D 02 00 00 - setg byte ptr [rsp+0000028D]
18977863F33: 7E 18 - jle 18977863F4D
}
ParkourPenguin (rank: I post too much; Reputation: 147; Joined: 06 Jul 2014; Posts: 4518)
Posted: Sat Oct 12, 2024 8:16 pm
SotiCoto wrote:
> Is it safe to use the "AoB Injection" thing if I don't want to inject anything into the code?
The code you were previously using was a poorly written AOB injection.
SotiCoto wrote:
> BUT since it only updates when the monster is damaged, I'm not sure if the script actually needs the code itself to update in order to function...
Good question; your thoughts are correct. Your code injection that initializes your pointer will be run when the game was supposed to execute the original injection point. If the original code only executes when a monster is attacked, you'll need to attack a monster to initialize the pointer.
That template code CE generated looks correct. Merge the code I wrote with that generated code. Put my alloc under the template's alloc, copy & paste the instructions between the newmem and code labels, etc.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
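Merging the two pieces the way the reply above describes gives the script below. This is an added, constructed merge of the CE-generated AOB Injection template and the pointer-capture lines from ParkourPenguin's earlier reply, not code from the original table; it assumes the generated symbol name MonHealth, the unique byte pattern and the offset 8B8 exactly as they appear in the posts.

```asm
{ Constructed merge of the CE AOB Injection template (MonHealth) and the
  pointer-capture lines for MH3U_v3_3. Assumes the byte pattern and the
  [r13+rsi+000008B8] operand shown earlier in the thread. }
[ENABLE]
aobscan(MonHealth,41 0F 38 F1 94 35 B8 08 00 00 79) // should be unique
alloc(newmem,$1000,MonHealth)   // template's alloc, placed near the injection point
alloc(MH3U_v3_3,8)              // 8-byte slot that holds the captured address
label(code)
label(return)

newmem:
  // Compute the address the original movbe writes to (monster health)
  // and store it in MH3U_v3_3. rcx is preserved so game state is untouched.
  push rcx
  lea rcx,[r13+rsi+000008B8]
  mov [MH3U_v3_3],rcx
  pop rcx

code:
  // The original instruction, executed unchanged, then back to the game.
  movbe [r13+rsi+000008B8],edx
  jmp return

MH3U_v3_3:
  dq 0                          // reads as 0 until the injected code has run once

MonHealth:
  jmp newmem
  nop 5                         // original instruction is 10 bytes; jmp is 5
return:
registersymbol(MonHealth)
registersymbol(MH3U_v3_3)

[DISABLE]
MonHealth:
  db 41 0F 38 F1 94 35 B8 08 00 00   // restore the original bytes

unregistersymbol(MonHealth)
unregistersymbol(MH3U_v3_3)
dealloc(newmem)
dealloc(MH3U_v3_3)
```

With the script enabled, a pointer record whose base is MH3U_v3_3 with a single offset of 0 resolves to the health address; it stays 0 until the monster has been hit once, since that is when the injected code first runs.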
SotiCoto (rank: How do I cheat?; Reputation: 0; Joined: 21 Oct 2017; Posts: 9)
Posted: Sat Oct 12, 2024 11:47 pm
ParkourPenguin wrote:
> The code you were previously using was a poorly written AOB injection.
Okay. My mistake. I thought injections were only where the code array is being overwritten / changed.
Quote:
> Good question; your thoughts are correct. Your code injection that initializes your pointer will be run when the game was supposed to execute the original injection point. If the original code only executes when a monster is attacked, you'll need to attack a monster to initialize the pointer.
That isn't ideal, but if it works then it is better than nothing.
I spent a few hours trying to find the address of the monster's species, given a list of species IDs I catalogued via other methods... but it doesn't change during a hunt, so it is impossible to track changes.
I tried for monster location / coordinates too, since that would be tracked constantly, but all my efforts to find it so far failed. I found something near the health that seemed to change when the monster rotated, though it didn't correspond logically to any measure of angle / rotation I know of, but when I tried a code that wrote to it, the whole thing resulted in a crash.
Health is simply the easiest to find since it goes down when I hit it and goes up when the monster rests.
Quote:
> That template code CE generated looks correct. Merge the code I wrote with that generated code. Put my alloc under the template's alloc, copy & paste the instructions between the newmem and code labels, etc.
In case there is any sort of miscommunication here... I'm pretty sure that auto-generated thingie whatsit will find the location of the code itself, rather than the address it writes to... which is why the original shoddy code had two variables: one for the AoB and one for the pseudo-pointer.
ParkourPenguin (rank: I post too much; Reputation: 147; Joined: 06 Jul 2014; Posts: 4518)
Posted: Sun Oct 13, 2024 9:35 am
SotiCoto wrote:
> In case there is any sort of miscommunication here... I'm pretty sure that auto-generated thingie whatsit will find the location of the code itself, rather than the address it writes to... which is why the original shoddy code had two variables: one for the AoB and one for the pseudo-pointer.
Yes. After you merge my code and the autogenerated template code, the resulting script will also have two variables: one for the AoB and one for the pointer.
Try merging it yourself.
_________________
I don't know where I'm going, but I'll figure it out when I get there.