Cheat Engine The Official Site of Cheat Engine
Autem Expert Cheater Reputation: 1
Joined: 30 Jan 2023 Posts: 119
Posted: Wed Apr 19, 2023 9:27 pm Post subject: Can't figure how to compare a pointer to a value in AA
Hi, I'm having an odd problem where I can't figure out the way to write a compare between a pointer value and the number 1.
I've tried countless variations involving writing pointers in different ways, tried alloc/symbols/labels, and tried some methods including attempting to load the pointer into variables, etc...
How do I write the compare? I want to compare the value of this pointer...
"WWE2K23_x64.exe"+367FB28]+48b0
...to the number 1.
Here's my most recent attempt. This script is also doing a couple different things, so I included some notes next to the lines that require attention please.
PS: I also tried looking up a way to pull that pointer from my addresslist and read the value that way (maybe by reading the description?), but couldn't figure that out either. Is it possible to pull an address from the addresslist to compare in AA? I'd prefer that method if it's doable.
Code:
define(address,"WWE2K23_x64.exe"+83FD40)
define(bytes,C5 FA 11 7B 10)
[ENABLE]
assert(address,bytes)
alloc(newmem,$1000,"WWE2K23_x64.exe"+83FD40)
alloc(multiplier,4)
label(code)
label(return)
multiplier:
dd (float)0.5
newmem:
mov [p2], "WWE2K23_x64.exe"+367FB28 /////// THIS IS ME TRYING TO LOAD THE POINTER INTO MY VARIABLE "P2" SINCE IT WOULDN'T COMPARE DIRECTLY
mov [p2], [p2]+48b0 /////// STILL ME FINISHING LOADING THE POINTER (OR TRYING TO ANYWAY)
code:
cmp [rbx+10],(float)1.0
ja @f
cmp [p2], 1 /////// ME TRYING TO COMPARE THE POINTER'S VALUE TO THE NUMBER 1, BUT ALWAYS FAILING
je @f
addss xmm7, dword ptr [multiplier]
@@:
vmovss [rbx+10],xmm7
jmp return
address:
jmp newmem
return:
[DISABLE]
address:
db bytes
dealloc(newmem)
dealloc(multiplier)
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4291
Posted: Wed Apr 19, 2023 11:04 pm Post subject:
The symbol `p2` isn't defined. You probably want to use a general purpose register instead. Backup and restore the register if there's already something important in it with push/pop.
Do NOT compare floating point numbers with `cmp`. It'll probably work most of the time, but not all the time. `cmp` is strictly for integers.
`ucomiss` is the typical way of comparing floats. You need to use a floating point register, however. Normally you could just pick one and it would probably be fine, but since the game is using them all the way to xmm7, I wouldn't gamble any of them don't have something important in them. It would've been nice if you didn't delete the comment at the end that showed the original code.
Are you sure you want to be adding 0.5 to the register? It's called "multiplier" so I figured it should be something different...
Code:
...
[ENABLE]
assert(address,bytes)
alloc(newmem,$1000,"WWE2K23_x64.exe"+83FD40)
alloc(multiplier,4)
alloc(compare_value,4)
label(code)
label(return)
multiplier:
dd (float)0.5
compare_value:
dd (float)1.0
newmem:
sub rsp,10
movups [rsp],xmm0
movss xmm0,[compare_value]
ucomiss [rbx+10],xmm0
ja short code
push rcx
mov rcx,["WWE2K23_x64.exe"+367FB28]
cmp [rcx+48b0],1
pop rcx
je short code
addss xmm7, dword ptr [multiplier]
code:
movups xmm0,[rsp]
add rsp,10
vmovss [rbx+10],xmm7
jmp return
address:
jmp newmem
return:
...
This could be a little simpler if you explain what you're doing and show the original code around the injection point.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Autem Expert Cheater Reputation: 1
Joined: 30 Jan 2023 Posts: 119
Posted: Wed Apr 19, 2023 11:28 pm Post subject:
Tried your version and got a "cannot be compiled" error; "Line 21 (ucomiss [rbx..." is the referenced line.
The stuff with [multiplier] can be ignored as it's doing something else (adding extra points when a certain condition is met) and is working fine.
The secondary condition is what I can't figure out and that one will be compared to a 1 byte value, not a float.
Here is the original code around the injection point. Normally it just adds a small amount of points to a bar that fills up, but what I'm trying to do is add 2 conditions. The 1st condition is working perfectly as I mentioned but the 2nd one I can't figure out how to compare the one byte value of that pointer to the number 1.
The idea would be a working version of this line: cmp "WWE2K23_x64.exe"+367FB28]+48b0, 1
Code:
WWE2K23_x64.exe+83FD1F: 33 C9 - xor ecx,ecx
WWE2K23_x64.exe+83FD21: 8B C1 - mov eax,ecx
WWE2K23_x64.exe+83FD23: C5 C0 57 FF - vxorps xmm7,xmm7,xmm7
WWE2K23_x64.exe+83FD27: C4 E1 C2 2A F8 - vcvtsi2ss xmm7,rdi,rax
WWE2K23_x64.exe+83FD2C: EB 05 - jmp WWE2K23_x64.exe+83FD33
WWE2K23_x64.exe+83FD2E: C5 BA 58 7B 10 - vaddss xmm7,xmm8,[rbx+10]
WWE2K23_x64.exe+83FD33: C5 FA 10 43 10 - vmovss xmm0,[rbx+10]
WWE2K23_x64.exe+83FD38: C5 F8 2E C7 - vucomiss xmm0,xmm7
WWE2K23_x64.exe+83FD3C: 7A 02 - jp WWE2K23_x64.exe+83FD40
WWE2K23_x64.exe+83FD3E: 74 6E - je WWE2K23_x64.exe+83FDAE
// ---------- INJECTING HERE ----------
WWE2K23_x64.exe+83FD40: C5 FA 11 7B 10 - vmovss [rbx+10],xmm7
// ---------- DONE INJECTING ----------
WWE2K23_x64.exe+83FD45: 48 8B 05 94 71 FB 02 - mov rax,[WWE2K23_x64.exe+37F6EE0]
WWE2K23_x64.exe+83FD4C: 48 8B B8 58 01 00 00 - mov rdi,[rax+00000158]
WWE2K23_x64.exe+83FD53: 4C 8B C6 - mov r8,rsi
WWE2K23_x64.exe+83FD56: 48 8B 17 - mov rdx,[rdi]
WWE2K23_x64.exe+83FD59: B9 20 00 00 00 - mov ecx,00000020
WWE2K23_x64.exe+83FD5E: E8 0D 13 A3 FF - call WWE2K23_x64.exe+271070
WWE2K23_x64.exe+83FD63: 48 85 C0 - test rax,rax
WWE2K23_x64.exe+83FD66: 74 2A - je WWE2K23_x64.exe+83FD92
WWE2K23_x64.exe+83FD68: C7 40 08 24 2D 62 3E - mov [rax+08],3E622D24
WWE2K23_x64.exe+83FD6F: C7 40 0C A6 5A CD 14 - mov [rax+0C],14CD5AA6
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4291
Posted: Wed Apr 19, 2023 11:54 pm Post subject:
My bad, mixed up the order of registers. Apparently ucomiss requires the first operand to be an xmm register.
Did you look at the part where the pointer path gets traversed?
Code:
...
[ENABLE]
assert(address,bytes)
alloc(newmem,$1000,"WWE2K23_x64.exe"+83FD40)
alloc(multiplier,4)
alloc(compare_value,4)
label(code)
label(return)
multiplier:
dd (float)0.5
compare_value:
dd (float)1.0
newmem:
movss xmm0,[rbx+10]
ucomiss xmm0,[compare_value]
ja short code
mov rax,["WWE2K23_x64.exe"+367FB28]
cmp [rax+48b0],1
je short code
addss xmm7, dword ptr [multiplier]
code:
vmovss [rbx+10],xmm7
jmp return
address:
jmp newmem
return:
...
_________________
I don't know where I'm going, but I'll figure it out when I get there.
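The two ParkourPenguin replies above rest on two facts: an integer `cmp` looks at a float's raw bit pattern, and `ucomiss` sets ZF/PF/CF in a way that `ja` and `je` read differently, with the unordered (NaN) case being what the game's own `vucomiss`/`jp`/`je` sequence in the disassembly guards against. The C model below is an added example, not code from the thread or from Cheat Engine; every value in it is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added example, not code from the thread or from Cheat Engine. It models the
 * 32-bit float the game keeps at [rbx+10] and shows what an integer cmp reads
 * versus the flags ucomiss produces (constructed values throughout). */

/* Raw bit pattern of a float: what `cmp dword ptr [mem],imm` actually compares. */
static uint32_t float_bits(float f) {
    uint32_t u;
    memcpy(&u, &f, sizeof u);
    return u;
}

/* Integer cmp followed by je: true only when the bit pattern equals imm. */
static bool int_cmp_equal(float mem, uint32_t imm) {
    return float_bits(mem) == imm;
}

/* A quiet NaN built from its bit pattern (constructed test input). */
static float make_nan(void) {
    uint32_t u = 0x7FC00000u;
    float f;
    memcpy(&f, &u, sizeof f);
    return f;
}

/* ZF, PF, CF as `ucomiss xmm,[mem]` sets them when comparing a with b. */
typedef struct { bool zf, pf, cf; } eflags_t;

static eflags_t ucomiss(float a, float b) {
    eflags_t f;
    if (a != a || b != b) {          /* unordered (NaN): ZF=PF=CF=1 */
        f.zf = f.pf = f.cf = true;
    } else {
        f.zf = (a == b);
        f.pf = false;
        f.cf = (a < b);
    }
    return f;
}

/* ja: CF=0 and ZF=0, i.e. strictly above; never taken for NaN. */
static bool ja_taken(eflags_t f) { return !f.cf && !f.zf; }
/* je: ZF=1, which NaN also satisfies; hence the game's `jp` before its `je`. */
static bool je_taken(eflags_t f) { return f.zf; }
static bool jp_taken(eflags_t f) { return f.pf; }
```

So `cmp [rbx+10],(float)1.0` in the first script compares the bits 0x3F800000 against the immediate, which is why it never behaves like a float comparison, while `ucomiss xmm0,[compare_value]` followed by `ja` skips the add exactly when the stored value is greater than 1.0.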
Autem Expert Cheater Reputation: 1
Joined: 30 Jan 2023 Posts: 119
Posted: Thu Apr 20, 2023 12:23 am Post subject:
Yeah it's all making sense now as I was also mixing up some things (been a long day) but the good news is now it's working perfectly with your latest edit!
Quick question though on how the pointer got written in AA. I could swear I've seen somewhere in the past some single-line-pointers being used in AA scripts instead of having to break up each offset into a new line. I don't remember where I saw it unfortunately, but is there a way to make them work in a single line in an AA script or is it always a must that they be broken up?
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4291
Posted: Thu Apr 20, 2023 1:02 am Post subject:
You can put it all on one line... sort of. It doesn't work as you'd expect.
If you put it on one line, CE will traverse the pointer path when it assembles the instructions and substitute the final address for the pointer path:
Code:
// what's written in the AA script
mov [[[game.exe+1234]+1C]+4],eax
// what's written to memory
mov [000000259A16B750],eax
Importantly, this means the pointer path will not be traversed at runtime. If any node in the pointer path changes while the script is enabled, the script will stop working at best and crash the game at worst.
Also, there's no guarantee the pointed-to address is close enough to the injected code to access it directly. The instruction could simply fail to assemble. Try to use this in a naive manner and you could run into this problem. See RIP-relative addressing for details.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
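To make the "resolved when assembled, not at runtime" point above concrete, here is an added C model (not code from the thread or from Cheat Engine; all addresses and values are constructed) that contrasts a pointer path baked in once with one dereferenced on every access, and adds the signed 32-bit displacement check that decides whether a RIP-relative `mov [addr],eax` can be encoded at all.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example, not code from the thread or from Cheat Engine. A tiny model
 * of process memory (constructed addresses and values) contrasting a pointer
 * path resolved once at assemble time with one traversed at runtime, plus the
 * RIP-relative reach check that decides whether `mov [addr],eax` can assemble. */

static uint8_t mem[0x400];   /* fake address space: addresses 0..0x3FF */

static uint64_t read64(uint64_t addr) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v |= (uint64_t)mem[addr + i] << (8 * i);
    return v;
}
static void write64(uint64_t addr, uint64_t v) {
    for (int i = 0; i < 8; i++) mem[addr + i] = (uint8_t)(v >> (8 * i));
}

/* Runtime traversal, like `mov rax,[base]` then `cmp [rax+off],1`:
 * the pointer at base is read again on every call. */
static uint64_t resolve_path(uint64_t base, uint64_t off) {
    return read64(base) + off;
}

/* Scenario: [0x100] -> node 0x200 with the byte of interest at +0x10.
 * An assemble-time resolution bakes 0x210 into the instruction. The game then
 * moves the node to 0x300. Returns true if the baked-in address went stale
 * while runtime traversal still finds the value. */
static bool snapshot_goes_stale(void) {
    write64(0x100, 0x200);
    mem[0x210] = 1;
    uint64_t baked = resolve_path(0x100, 0x10);   /* resolved once, like CE does */
    mem[0x210] = 0;                                /* node moved: old slot cleared */
    write64(0x100, 0x300);
    mem[0x310] = 1;
    return baked == 0x210 && mem[baked] == 0 && mem[resolve_path(0x100, 0x10)] == 1;
}

/* Can `target` be encoded as a signed 32-bit displacement from the byte after
 * the instruction (next_rip)? If not, the RIP-relative form cannot assemble. */
static bool rip_reachable(uint64_t next_rip, uint64_t target) {
    int64_t disp = (int64_t)(target - next_rip);
    return disp >= INT32_MIN && disp <= INT32_MAX;
}
```

The second check uses a constructed code address near a typical x64 image base and the heap address CE substituted in the post above; a target more than 2 GiB away is exactly the case where the single-line form fails to assemble.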
Autem Expert Cheater Reputation: 1
Joined: 30 Jan 2023 Posts: 119
Posted: Thu Apr 20, 2023 1:53 am Post subject:
Thanks for the clarification. Yeah that would definitely mess me up if it's not traversed at runtime so that's good to be aware of. Thanks again for all the help.