Cheat Engine

[mouser]

It's been quite a while since the last time I was here, I need some help in understanding because I'm still a terrible noob.

I'm trying different things with Condemned Criminal Origins, one of it is health. I've found the address where the health is stored, it's 200 as float. I lock the value and I don't lose any health and enemies go down as usual. I've pointerscanned it to a level 5 pointer, it's not very reliable. Depending on different levels and saves it may pop up with the correct address or not. Maybe I borked the pointerscan or 5 level/depth is not enough. I figured I want to AOB scan this anyway so I found out what writes to the adress and I came up with the script below.

Here is the opcode

[ParkourPenguin]

You shouldn't override the jna instruction in the jmp to your code. Start your hook at fsub dword ptr[esp+30] instead. Also note that the test eax,eax instruction sets flags for the jna instruction, so if you do use anything that modifies any flags in your code, make sure to restore those flags (pushfd/popfd or rewrite test eax,eax before the jmp back).

However, the reason why it's working for enemies too may simply be because that section of asm is run when the health of anything (not just your player) should change. See this topic for some tips on dealing with shared code.

[mouser]

Thanks for the advice.

I have 2 questions about what you've wrote if you don't mind, I'm not really that familiar with AA so I didn't quite understand it completely.

1. If you look at the second AOB script I posted, there I start at the address you have suggested, then go forward 4 bytes and inject there. When I watch the memory region there and follow the jump after I activated the script, it still takes the jna with it into the allocated memory. I thought that only the specific code will be taken into consideration that is declared by the AOB and there is no additional bytes after the instruciton I targeted and I didn't have it in the code section in the script.
I don't understand why it's still there? Can you see why this is still happening when looking at the script?

2. The test eax,eax instruction, how can one see that there are flags set for the jna instruction? Is this just common knowledge or can I see it when looking at the code section? I wouldn't have thought that it would have anything to do with the jna as eax is not written in the instruction itself (or at least not in the line where jna is at)

3. This question must read very stupid lol.. and maybe it is but from the screenshot I've posted, can I see where the Instruction set starts and ends? How can you tell where one set is ending and the next is beginning? Is it even possible by just looking at it? I confuse opcodes and instructions/Instruction sets on a regular basis I think, which leads to confusion for everybody.

Thanks for the reply, I'm going to read up on the link now and try to write a better script tomorrow and report back.

[ParkourPenguin]

1. Ok, this is what's going on: you're searching for the AoB signature and it returns the address at ...+1F80. You go 4 bytes forward to ...+1F84 and write the jmp to your code there. Because you went 4 bytes forward, it is now overriding the jna (the instruction at ...+1F84 isn't long enough so it takes the next one too). Your jmp is overriding the jna because you told it to. You didn't change your injection point at all; the only thing you changed was how you found the injection point.

2. The sole purpose of the test instruction is to set flags. This is usually done for a jcc or cmovcc instruction. In this case, it's a jna (one of the jcc instructions). Usually, if you see a jcc instruction, then the last instruction prior to that which modifies the eflags register is usually responsible for determining whether or not the jcc instruction should branch. In this case, fsub and fadd don't modify eflags at all, and since the sole purpose of the test instruction is to modify eflags, it's safe to assume that the test instruction sets flags specifically for the jna instruction.

3. I don't believe you're using the term "instruction set" correctly, so I'll just explain everything.

An "instruction" is a single operation a processor performs. It has two main representations: the mnemonic and the machine code. The mnemonic is what is easier for humans to understand- it is a string of text such as test eax,eax. The machine code is the bytes that a computer understands. The machine code of the test eax,eax instruction would be 85 C0.

An instruction's machine code has two main parts to it: the opcode and the operands. The opcode is the bytes that determine what type of action the processor should perform. For instance, should it move data, add two numbers, push something onto the stack, or, in this case, test two numbers against each other. The operands are the bytes that represent information needed by the opcode. In this case, what the test instruction should be testing.

So, with regards to the test eax,eax instruction, 85 is the opcode that tells the processor it should be testing two registers, and C0 is the operand that tells the processor it should be testing eax against itself.

The term "instruction set" refers to all the instructions a processor can perform and everything involved in using said instructions (i.e. registers, native data types, addressing modes, interrupts & exceptions, etc.).

With regards to the size of instructions, CE presents all the bytes that make up an instruction within the disassembler directly left of the mnemonic and directly right of its location in memory. All you need to do is count them to see how many bytes they take up in memory.

In 32-bit processes, non-short jumps requires 5 bytes of space: 1 byte for the opcode and 4 bytes for the address it should jump to. If CE sees a single instruction is not enough for a jump, it will also override the next one, and continue until it has at least 5 bytes available. If it partially overrides an instruction, it will replace the remaining bytes of the instruction with NOPs to prevent it from looking like gibberish.

[Zanzer]

Try finding out what accesses your health, instead of what writes to it.
Games normally have player-specific code due to the user interface or similar reasons.
If you can find an instruction that only touches the player's health, save the base address for use in your health script.
For example, lets say you save the address to a custom variable called player_ptr, your health script can be:

[mouser]

I followed Rydian's guide and I found a single address that accesses my health, I was able to AOB that and apply the same code (insert 200 as float) and now everything works as I wanted it to without strange side effects. Thanks for the tipps and also for the explanations ParkourPenguin and Zanzer, I try to remember them for further CE experiments.

And Zanzer, while I now have what I want, I still find your code template interesting and will try to get it to work also, thanks for that. But I have to admit that I don't understand it completely. Once I've found the playerbase (player stats structure), do I need to aob scan that in the same script or another script. The code you've written is referencing it but it is not scanning for it. I maybe just not seeing why it works because of my lack of knowledge here.
The code in your newmem section, can you explain to me in detail what it does and how you've come to think that this will work?
I really want to understand it in detail:)

[Zanzer]

You would have to use two injections.
The new one you found is likely referencing the same base address of the player structure.
Inside that new injection you would declare and set the value of [player_ptr].

In my code, it compares the value you stored in [player_ptr] with ESI.
At this injection, ESI is holding the base address of the player structure.
If they equal, jump (JE) past the instruction which subtracts from the health value.
Then proceed to pop the value (unchanged) into the unit's health address.

If ESI and [player_ptr] do not equal, then it is an enemy, so we want to do the FSUB as normal.

[mouser]

Thanks for the explanation, I happen to found a youtube video from another forum member that is basically exactly displaying what you have described.

https://www.youtube.com/watch?v=kpSRUJfaT1o

Very cool, I kinda still lack the creativity to write scripts in different ways, I need more practise