 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
bismult
Newbie cheater
![]() Reputation: 0
Joined: 09 Mar 2022
Posts: 23
|
 Posted: Sun Mar 16, 2025 9:50 pm Post subject: [HELP] Having some trouble with AOB Injection Copies |
 |
|
How would I go about doing an AOB injection copy for a more complex opcode? The issue is in the "codeboundingRadius" section. I'm not sure how to multiply the address by 4, then move it into the base used for the pointer.
| Code: | aobscanmodule(boundingRadius,game_module.dll,F3 43 0F 59 74 93 0C) // should be unique
alloc(newmemboundingRadius,$1000,boundingRadius)
alloc(boundingRadiusBase,8)
registersymbol(boundingRadiusBase)
label(codeboundingRadius)
label(returnboundingRadius)
newmemboundingRadius:
codeboundingRadius:
mov [boundingRadiusBase],r11
add [boundingRadiusBase],r10
mulss xmm6,[r11+r10*4+0C]
jmp returnboundingRadius
boundingRadius:
jmp newmemboundingRadius
nop 2
returnboundingRadius:
registersymbol(boundingRadius) |
[/code]
|
|
| Back to top |
|
 |
ParkourPenguin
I post too much
 Reputation: 149
Joined: 06 Jul 2014
Posts: 4634
|
| Posted: Sun Mar 16, 2025 11:02 pm Post subject: |
|
|
| Code: | push rax
lea rax,[r11+r10*4+0C]
mov [boundingRadiusBase],rax
pop rax
mulss xmm6,[r11+r10*4+0C] // original code
jmp return |
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
bismult
Newbie cheater
![]() Reputation: 0
Joined: 09 Mar 2022
Posts: 23
|
| Posted: Mon Mar 17, 2025 8:19 pm Post subject: |
|
|
| ParkourPenguin wrote: | | Code: | push rax
lea rax,[r11+r10*4+0C]
mov [boundingRadiusBase],rax
pop rax
mulss xmm6,[r11+r10*4+0C] // original code
jmp return |
|
Thanks! Is rax the register I would always use? Doing this for other addresses sometimes results in the pointer address being null (a bunch of zeros)
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 149
Joined: 06 Jul 2014
Posts: 4634
|
| Posted: Tue Mar 18, 2025 1:22 am Post subject: |
|
|
No, you can use any general-purpose 64-bit register, including ones used in the address calculation itself (as long as you backup / restore it with push / pop)
`rax` does have one particular use over other registers in avoiding the limitations of RIP-relative addressing (see `mov` opcode A3), but that's not relevant in this case. Both `newmemboundingRadius` (your code) and `boundingRadiusBase` (accessed address) are allocated in the same script, so they'll be close by to each other.
| bismult wrote: | | Doing this for other addresses sometimes results in the pointer address being null (a bunch of zeros) |
`boundingRadiusBase` is initialized to 0 when the script is activated. After the script is activated, the game will run the code injection when it was suppose to run the original code. Activating the script doesn't mean the code injection will be run in that instant as well. If the game doesn't run the original code periodically, then you'll need to perform whatever action required to make it run in order for the address to be assigned correctly- e.g. press a button, open a menu, attack something, get hit... whatever made the instruction access the address originally.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
bismult
Newbie cheater
![]() Reputation: 0
Joined: 09 Mar 2022
Posts: 23
|
| Posted: Sat Mar 22, 2025 8:58 pm Post subject: |
|
|
| ParkourPenguin wrote: | No, you can use any general-purpose 64-bit register, including ones used in the address calculation itself (as long as you backup / restore it with push / pop)
`rax` does have one particular use over other registers in avoiding the limitations of RIP-relative addressing (see `mov` opcode A3), but that's not relevant in this case. Both `newmemboundingRadius` (your code) and `boundingRadiusBase` (accessed address) are allocated in the same script, so they'll be close by to each other.
| bismult wrote: | | Doing this for other addresses sometimes results in the pointer address being null (a bunch of zeros) |
`boundingRadiusBase` is initialized to 0 when the script is activated. After the script is activated, the game will run the code injection when it was suppose to run the original code. Activating the script doesn't mean the code injection will be run in that instant as well. If the game doesn't run the original code periodically, then you'll need to perform whatever action required to make it run in order for the address to be assigned correctly- e.g. press a button, open a menu, attack something, get hit... whatever made the instruction access the address originally. |
I see now, this worked perfectly. Thanks for the help!
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
