 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
relentlesstech
Cheater
![]() Reputation: 1
Joined: 02 Sep 2018
Posts: 44
Location: Rhode Island, USA
|
 Posted: Sat Aug 26, 2023 9:31 pm Post subject: Using AoB to load address? |
 |
|
Long story short, I watched a few videos regarding registering symbols to load addresses from an AoB, but no matter what I try it is not loading the correct value for me - Can someone take a quick look at my script, and possibly guide me in the right direction?
| Code: |
[ENABLE]
aobscanmodule(damage,NeedForSpeedUnbound.exe,F3 0F 11 B3 20 04 00 00)
alloc(newmem,$100,damage)
alloc(gDamage,8) //Allocating memory for my value
registersymbol(gDamage) //Registering symbol for my value
label(me)
label(police)
label(racers)
label(code)
label(return)
newmem:
movss [gDamage],xmm6 //Move value in xmm6 to [gDamage] (my value)
cmp [rbx+0C],(float)165
je me
cmp [rbx+0C],(float)100
je police
cmp [rbx+0C],(float)110
je racers
jmp code
me:
movss xmm6,[rbx+0C]
movss [rbx+00000420],xmm6
jmp return
police:
subss xmm6,[rbx+0C]
movss [rbx+00000420],xmm6
jmp return
racers:
subss xmm6,[rbx+0C]
movss [rbx+00000420],xmm6
jmp return
code:
movss [rbx+00000420],xmm6
jmp return
damage:
jmp1 newmem
nop 7
return:
registersymbol(damage)
[DISABLE]
damage:
db F3 0F 11 B3 20 04 00 00
unregistersymbol(damage)
dealloc(newmem)
dealloc(gDamage,8)
unregistersymbol(gDamage)
|
Or, is there a way to use an AoB to get the value without actually creating a JMP (Just read from where AoB starts)?
_________________
.: Cheat Engine N00b in Progress :.
I'll earn my avatar someday ...
Last edited by relentlesstech on Sun Aug 27, 2023 5:47 am; edited 1 time in total |
|
| Back to top |
|
 |
ParkourPenguin
I post too much
 Reputation: 152
Joined: 06 Jul 2014
Posts: 4719
|
| Posted: Sat Aug 26, 2023 10:44 pm Post subject: |
|
|
`alloc(newmem,$100,damage)` - there's no point in making it that small. It's going to take up 4 KiB anyway. Use $800 (2 KiB) or something. I don't think the code you've written overflows the allocated memory, but it is around half.
`cmp [rbx+0C],(float)165` - `cmp` is for integers, not floating point numbers. Practically speaking, this is probably fine, but the "correct" way is to use `ucomiss`.
`movss [gDamage],xmm6` - why? You seem to understand that xmm6 is being read from and [gDamage] is being written to, but it's reading/writing a float value, not an address. The first sentence of your post seems to indicate you want to store an address.
Next question is which address do you want to store? That instruction seems to access multiple addresses, so you'll have to place that instruction in one of those jcc branches.
Then again, that last sentence seems like you want to store some value?
I really don't understand what you're trying to do.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
relentlesstech
Cheater
![]() Reputation: 1
Joined: 02 Sep 2018
Posts: 44
Location: Rhode Island, USA
|
| Posted: Sun Aug 27, 2023 5:45 am Post subject: |
|
|
| ParkourPenguin wrote: | `alloc(newmem,$100,damage)` - there's no point in making it that small. It's going to take up 4 KiB anyway. Use $800 (2 KiB) or something. I don't think the code you've written overflows the allocated memory, but it is around half.
`cmp [rbx+0C],(float)165` - `cmp` is for integers, not floating point numbers. Practically speaking, this is probably fine, but the "correct" way is to use `ucomiss`.
`movss [gDamage],xmm6` - why? You seem to understand that xmm6 is being read from and [gDamage] is being written to, but it's reading/writing a float value, not an address. The first sentence of your post seems to indicate you want to store an address.
Next question is which address do you want to store? That instruction seems to access multiple addresses, so you'll have to place that instruction in one of those jcc branches.
Then again, that last sentence seems like you want to store some value?
I really don't understand what you're trying to do. |
The script I posted is already working fine, I just wanted to add the ability to be able to extract the value I want (which is stored in xmm6), and have it in my address list so that I can modify the value if I want to.
_________________
.: Cheat Engine N00b in Progress :.
I'll earn my avatar someday ... |
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 152
Joined: 06 Jul 2014
Posts: 4719
|
| Posted: Sun Aug 27, 2023 10:00 am Post subject: |
|
|
But extracting the value won't do anything. `[gDamage]` is only being written to. It's never read from. I think you're confusing addresses and values.
Search for "injection copy". I'm pretty sure that's what you're looking for.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
++METHOS
I post too much
![]() Reputation: 92
Joined: 29 Oct 2010
Posts: 4197
|
| Posted: Sun Aug 27, 2023 11:19 am Post subject: Re: Using AoB to load address? |
|
|
| relentlesstech wrote: | | regarding registering symbols to load addresses from an AoB |
-I could be way off on this, but ssuming that [rbx+0C] holds the damage value, then you can try altering the script to match the code below. Once altered, approve the changes and enable the script inside of your cheat table. Once enabled, click on 'Add Address Manually' in the upper-right corner of your cheat table. A new window should pop up. Check the box that says 'Pointer'. In the bottom text field, paste gDamage. Change the value type as needed. Click 'OK'.
(Not tested; may contain errors)
| Code: | [ENABLE]
aobscanmodule(damage,NeedForSpeedUnbound.exe,F3 0F 11 B3 20 04 00 00)
alloc(newmem,$100,damage)
label(me)
label(police)
label(racers)
label(code)
label(return)
label(gDamage)
registersymbol(damage)
registersymbol(gDamage) //Registering symbol for my value
newmem:
cmp [rbx+0C],(float)165
je me
cmp [rbx+0C],(float)100
je police
cmp [rbx+0C],(float)110
je racers
jmp code
me:
push rdi
lea rdi,[rbx+0C]
mov [gDamage],rdi
pop rdi
movss xmm6,[rbx+0C]
movss [rbx+00000420],xmm6
jmp return
police:
subss xmm6,[rbx+0C]
movss [rbx+00000420],xmm6
jmp return
racers:
subss xmm6,[rbx+0C]
movss [rbx+00000420],xmm6
jmp return
code:
movss [rbx+00000420],xmm6
jmp return
gDamage:
dq 0
damage:
jmp1 newmem
nop 7
return:
[DISABLE]
damage:
db F3 0F 11 B3 20 04 00 00
dealloc(newmem)
unregistersymbol(damage)
unregistersymbol(gDamage) |
|
|
| Back to top |
|
|
relentlesstech
Cheater
![]() Reputation: 1
Joined: 02 Sep 2018
Posts: 44
Location: Rhode Island, USA
|
| Posted: Sun Aug 27, 2023 1:03 pm Post subject: Re: Using AoB to load address? |
|
|
| ++METHOS wrote: | | relentlesstech wrote: | | regarding registering symbols to load addresses from an AoB |
-I could be way off on this, but ssuming that [rbx+0C] holds the damage value, then you can try altering the script to match the code below. Once altered, approve the changes and enable the script inside of your cheat table. Once enabled, click on 'Add Address Manually' in the upper-right corner of your cheat table. A new window should pop up. Check the box that says 'Pointer'. In the bottom text field, paste gDamage. Change the value type as needed. Click 'OK'.
(Not tested; may contain errors)
| Code: | [ENABLE]
aobscanmodule(damage,NeedForSpeedUnbound.exe,F3 0F 11 B3 20 04 00 00)
alloc(newmem,$100,damage)
label(me)
label(police)
label(racers)
label(code)
label(return)
label(gDamage)
registersymbol(damage)
registersymbol(gDamage) //Registering symbol for my value
newmem:
cmp [rbx+0C],(float)165
je me
cmp [rbx+0C],(float)100
je police
cmp [rbx+0C],(float)110
je racers
jmp code
me:
push rdi
lea rdi,[rbx+0C]
mov [gDamage],rdi
pop rdi
movss xmm6,[rbx+0C]
movss [rbx+00000420],xmm6
jmp return
police:
subss xmm6,[rbx+0C]
movss [rbx+00000420],xmm6
jmp return
racers:
subss xmm6,[rbx+0C]
movss [rbx+00000420],xmm6
jmp return
code:
movss [rbx+00000420],xmm6
jmp return
gDamage:
dq 0
damage:
jmp1 newmem
nop 7
return:
[DISABLE]
damage:
db F3 0F 11 B3 20 04 00 00
dealloc(newmem)
unregistersymbol(damage)
unregistersymbol(gDamage) |
|
This is close to what I was looking for (not knowing if it were even possible), but the value I'm looking for is stored in xmm6 - The original code I posted was more of just an example regarding the value I wanted, I was hoping I could create a 'main' script that could use the AoBs that I have for my other scripts to load the values into the address list (even if the other scripts are not enabled) - Load value from xmm6 (in this case), and display it in address list (to manually added pointer address as 'gDamage')
EDIT
I just found that my value is also held in [rbx+08], and when I follow the steps and add the pointer, the address is all 0s, and the value is ??? - All I did with the sample you posted was change the [rbx+0C] to [rbx+08]
| Code: |
push rdi
mov rdi,[rbx+08]
mov [gDamage],rdi
pop rdi |
_________________
.: Cheat Engine N00b in Progress :.
I'll earn my avatar someday ... |
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 152
Joined: 06 Jul 2014
Posts: 4719
|
| Posted: Sun Aug 27, 2023 2:40 pm Post subject: |
|
|
Again, you're moving the value stored at the address and not the address itself.
Have you ever programmed in C or more generally any language that has both by-value and by-reference semantics?
| Code: | #include <stdio.h>
// this takes an int value
int inc_by_value(int i) {
return i + 1;
}
// this takes the address of an int
int inc_by_reference(int *i) {
*i += 1;
return *i;
}
int main(int, char**) {
int i = 1;
printf("%d\n", inc_by_value(i)); // prints 2
printf("%d\n", i); // prints 1 - did not change `i`
printf("%d\n", inc_by_reference(&i)); // prints 2
printf("%d\n", i); // prints 2
return 0;
}
|
Just copying the value will give you by-value semantics. Whenever that code runs in-game, you'll see the new value, but changing the value in CE won't change the value in-game. Copying the address will give you by-reference semantics: changing the value then will actually change the value of the real address in-game.
Again, "injection copy". There's plenty of information already available.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
++METHOS
I post too much
![]() Reputation: 92
Joined: 29 Oct 2010
Posts: 4197
|
| Posted: Sun Aug 27, 2023 3:08 pm Post subject: Re: Using AoB to load address? |
|
|
| relentlesstech wrote: | | I just found that my value is also held in [rbx+08], and when I follow the steps and add the pointer, the address is all 0s, and the value is ??? |
-You enabled the script before manually adding the address?
Also, when asking for help, it is better to provide the full vanilla script so that we can see what is going on in lieu of just guessing. It is also okay to say thank you when people take time out to help you. 
|
|
| Back to top |
|
|
Fernando450
How do I cheat?
![]() Reputation: 0
Joined: 27 Aug 2023
Posts: 1
|
| Posted: Sun Aug 27, 2023 6:48 pm Post subject: Re: Using AoB to load address? |
|
|
I'll address your concerns one by one:
Loading the correct value:
Your script looks correct in terms of syntax. However, there could be various reasons why it's not working:
The AoB might have changed since you last checked.
The AoB might not be unique and could be pointing to multiple locations.
The game or application could have anti-cheat mechanisms that prevent the correct value from being loaded.
There might be another script or modification conflicting with your code.
Ensure you're targeting the correct version of the game/application.
Regarding your code:
I see that you're trying to check a specific float value and based on that value you're making different modifications. The code logic seems fine at a glance.
One thing to note is that you're using jmp1 instead of jmp at damage:, which seems like a typo. Make sure to correct it to jmp newmem.
It might help to have a comment next to each cmp explaining the significance of the float number being checked to understand the logic behind each section.
Reading value without a jump:
You can use Cheat Engine's scripting capabilities to read values directly without creating a jump. Here's a basic idea:
pascal
aobscanmodule(damage,NeedForSpeedUnbound.exe,F3 0F 11 B3 20 04 00 00)
readFloat(damage, value)
This is a basic representation, and you might need to adjust offsets based on where your AoB ends and where the actual value is stored.
Suggestions:
If you're having issues, start with basics. Ensure that your AoB is still valid. Once confirmed, then move onto the more complex parts of your script.
Test individual components of your script to ensure each section is working as expected.
Use Cheat Engine's built-in debugger or similar tools to analyze what's happening in real-time.
Always keep backups and document changes, especially when troubleshooting issues like these.
|
|
| Back to top |
|
|
relentlesstech
Cheater
![]() Reputation: 1
Joined: 02 Sep 2018
Posts: 44
Location: Rhode Island, USA
|
|
| Back to top |
|
|
CassiOwOpeia
Newbie cheater
![]() Reputation: 0
Joined: 29 Nov 2018
Posts: 18
Location: France
|
| Posted: Wed Sep 13, 2023 10:01 pm Post subject: |
|
|
If I understand your problem, then this should work :
| Code: | [ENABLE]
aobscanmodule(damage,NeedForSpeedUnbound.exe,F3 0F 11 B3 20 04 00 00)
alloc(newmem,$800,damage)
label(gDamage)
registersymbol(gDamage) //Registering symbol for my value
label(me)
label(police)
label(racers)
label(code)
label(return)
newmem:
//movss [gDamage],xmm6 There you are only moving the value
//From what I can see I would do something like this I guess ?
push rax // save a temp register
lea rax,[rbx+0C] // load the address of the value [rbx+0C]
// [rbx+0C] is a value,
// and you need the address to modify it later
mov [gDamage],rax // you put the address in [gDamage]
// from now you have to either add manually an address:
// [gDamage]
// or check the pointer checkbox and enter "gDamage"
pop rax
cmp [rbx+0C],(float)165
je me
cmp [rbx+0C],(float)100
je police
cmp [rbx+0C],(float)110
je racers
jmp code
me:
movss xmm6,[rbx+0C]
movss [rbx+00000420],xmm6
jmp return
police:
subss xmm6,[rbx+0C]
movss [rbx+00000420],xmm6
jmp return
racers:
subss xmm6,[rbx+0C]
movss [rbx+00000420],xmm6
jmp return
code:
movss [rbx+00000420],xmm6
jmp return
gDamage:
dq 0
damage:
jmp newmem
nop 7
return:
registersymbol(damage)
[DISABLE]
damage:
db F3 0F 11 B3 20 04 00 00
unregistersymbol(damage)
dealloc(newmem)
unregistersymbol(gDamage) |
This could not work as I don't have access directly to what you are doing, but this is what I do when I want to access via instructions an address. Hope this will help
Here is the code with the ParkourPenguin's advices, I would be happy to know if it's what he means :
| Code: | [ENABLE]
aobscanmodule(damage,NeedForSpeedUnbound.exe,F3 0F 11 B3 20 04 00 00)
alloc(newmem,$800,damage)
label(gDamage)
registersymbol(gDamage) //Registering symbol for my value
label(me)
label(police)
label(racers)
label(code)
label(return)
newmem:
//movss [gDamage],xmm6 There you are only moving the value
//From what I can see I would do something like this I guess ?
push rax // save a temp register
lea rax,[rbx+0C] // load the address of the value [rbx+0C]
// [rbx+0C] is a value,
// and you need the address to modify it later
mov [gDamage],rax // you put the address in [gDamage]
// from now you have to either add manually an address:
// [gDamage]
// or check the pointer checkbox and enter "gDamage"
// don't forget to pop rax, here I continue to use it so you can use comiss
mov rax,(float)165
ucomiss [rbx+0C],rax
je me
mov rax,(float)100
ucomiss [rbx+0C],rax
je police
mov rax,(float)110
ucomiss [rbx+0C],rax
je racers
jmp code
me:
movss xmm6,[rbx+0C]
movss [rbx+00000420],xmm6
jmp return
police:
subss xmm6,[rbx+0C]
movss [rbx+00000420],xmm6
jmp return
racers:
subss xmm6,[rbx+0C]
movss [rbx+00000420],xmm6
jmp return
code:
movss [rbx+00000420],xmm6
jmp return
gDamage:
dq 0
damage:
jmp newmem
nop 7
return:
pop rax
registersymbol(damage)
[DISABLE]
damage:
db F3 0F 11 B3 20 04 00 00
unregistersymbol(damage)
dealloc(newmem)
unregistersymbol(gDamage) |
| Description: |
|
| Filesize: |
7.87 KB |
| Viewed: |
2958 Time(s) |
|
| Description: |
|
| Filesize: |
5.55 KB |
| Viewed: |
2958 Time(s) |
|
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 152
Joined: 06 Jul 2014
Posts: 4719
|
| Posted: Wed Sep 13, 2023 11:22 pm Post subject: |
|
|
| CassiOwOpeia wrote: | | Code: | ...
//movss [gDamage],xmm6 There you are only moving the value
//From what I can see I would do something like this I guess ?
push rax // save a temp register
lea rax,[rbx+0C] // load the address of the value [rbx+0C]
// [rbx+0C] is a value,
// and you need the address to modify it later
mov [gDamage],rax // you put the address in [gDamage]
// from now you have to either add manually an address:
// [gDamage]
// or check the pointer checkbox and enter "gDamage"
// don't forget to pop rax, here I continue to use it so you can use comiss
mov rax,(float)165
ucomiss [rbx+0C],rax
...
damage:
jmp newmem
nop 7
return:
pop rax |
|
I'd move `rbx` into [gDamage], make a new pointer, use `gDamage` as the base address, and use `C` as the offset.
`ucomiss` can't take general purpose registers. Use an xmm register instead.
Putting `pop rax` after the return label at the injection point is a bad idea. This negligently overwrites some of the game's code and will probably crash the game.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
relentlesstech
Cheater
![]() Reputation: 1
Joined: 02 Sep 2018
Posts: 44
Location: Rhode Island, USA
|
| Posted: Thu Sep 14, 2023 5:37 am Post subject: |
|
|
I just ended up doing this to load the addresses:
| Code: | aobscan(arraystart,CD CC 2C 3F E8 B4 61 3F 00 00 80 3F 00 C8 AF 47 00 C8 AF 47 00 C8 AF 47 00 C8 AF 47 00 C8 AF 47 00 C8 AF 47 00 C8 AF 47 00 C8 AF 47 ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** 00 00 80 3F 00 00 00 00 00 00 00 00 ** ** ** 40 00 00 00 00 ** ** ** ** F0 15 19 44 01 00 00 00 *0 ** ** 33 00 00 00 00 *0 ** ** ** 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B4 42 00 00 A0 40 00 00 00 00 CD CC 14 41 CC CC 50 41 66 66 D4 41 67 66 83 42 33 33 97 42 9A 19 AA 42 00 00 B4 42 00 00 20 41 00 00 A0 40 00 00 68 40 BC BB 4B 40 00 00 40 40 BB BB 3B 40 BC BB 2B 40 22 22 1A 40)
registersymbol(_damage)
label(_damage)
arraystart+90:
_damage:
|
And added the pointers to the correct offsets once the script was loaded
_________________
.: Cheat Engine N00b in Progress :.
I'll earn my avatar someday ... |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
