 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
CheatEngEnthusiast
How do I cheat?
![]() Reputation: 0
Joined: 25 Oct 2024
Posts: 5
|
 Posted: Wed Dec 04, 2024 11:45 pm Post subject: Isolate code that changes a single value (FastResearch) |
 |
|
I found this table online and this one option "FastWorking" Does 3 things:
-Fast construction
-Fast Building extension
-Fast Research
I would like to know what to do to test separate or delete part of this code to only get the Fast research one working. Basically remove the rest.
| Code: |
</AssemblerScript>
<CheatEntries>
<CheatEntry>
<ID>1337183731</ID>
<Description>"FastWorking"</Description>
<VariableType>Auto Assembler Script</VariableType>
<AssemblerScript>{ Game : Frostpunk2BetaShipping-Win64-Shipping.exe
Version:
Date : 2024-04-21
Author : Administrator
This script does blah blah blah
}
[ENABLE]
aobscanmodule(BuildImmediately,$process,F3??????????????0F2F??0F93??C3????488B) // should be unique
alloc(newmem,$1000,BuildImmediately)
label(BuildImmediatelyCode)
label(return)
alloc(Build,8)
Build:
dd (float)1.0
registersymbol(BuildImmediatelyCode)
newmem:
readmem(BuildImmediately,8)
movq xmm0,[Build]
jmp return
//mov [rcx+B8],(float)1
BuildImmediatelyCode:
readmem(BuildImmediately,8)
jmp return
BuildImmediately:
jmp newmem
nop 3
return:
registersymbol(BuildImmediately)
[DISABLE]
BuildImmediately:
readmem(BuildImmediatelyCode,8)
unregistersymbol(BuildImmediately)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: Frostpunk2-Win64-Shipping.exe+32E59FF
Frostpunk2-Win64-Shipping.exe+32E59DF: CC - int 3
Frostpunk2-Win64-Shipping.exe+32E59E0: 8B 81 FC 00 00 00 - mov eax,[rcx+000000FC]
Frostpunk2-Win64-Shipping.exe+32E59E6: F3 0F 10 0D DA 89 6F 03 - movss xmm1,[Frostpunk2-Win64-Shipping.exe+69DE3C8]
Frostpunk2-Win64-Shipping.exe+32E59EE: 8D 14 40 - lea edx,[rax+rax*2]
Frostpunk2-Win64-Shipping.exe+32E59F1: 03 D2 - add edx,edx
Frostpunk2-Win64-Shipping.exe+32E59F3: 75 0A - jne Frostpunk2-Win64-Shipping.exe+32E59FF
Frostpunk2-Win64-Shipping.exe+32E59F5: 0F 28 C1 - movaps xmm0,xmm1
Frostpunk2-Win64-Shipping.exe+32E59F8: 0F 2F C1 - comiss xmm0,xmm1
Frostpunk2-Win64-Shipping.exe+32E59FB: 0F 93 C0 - setae al
Frostpunk2-Win64-Shipping.exe+32E59FE: C3 - ret
// ---------- INJECTING HERE ----------
Frostpunk2-Win64-Shipping.exe+32E59FF: F3 0F 10 81 B8 00 00 00 - movss xmm0,[rcx+000000B8]
// ---------- DONE INJECTING ----------
Frostpunk2-Win64-Shipping.exe+32E5A07: 0F 2F C1 - comiss xmm0,xmm1
Frostpunk2-Win64-Shipping.exe+32E5A0A: 0F 93 C0 - setae al
Frostpunk2-Win64-Shipping.exe+32E5A0D: C3 - ret
Frostpunk2-Win64-Shipping.exe+32E5A0E: CC - int 3
Frostpunk2-Win64-Shipping.exe+32E5A0F: CC - int 3
Frostpunk2-Win64-Shipping.exe+32E5A10: 48 8B 81 C0 00 00 00 - mov rax,[rcx+000000C0]
Frostpunk2-Win64-Shipping.exe+32E5A17: 48 85 C0 - test rax,rax
Frostpunk2-Win64-Shipping.exe+32E5A1A: 74 2A - je Frostpunk2-Win64-Shipping.exe+32E5A46
Frostpunk2-Win64-Shipping.exe+32E5A1C: 80 B8 B8 00 00 00 00 - cmp byte ptr [rax+000000B8],00
Frostpunk2-Win64-Shipping.exe+32E5A23: 74 21 - je Frostpunk2-Win64-Shipping.exe+32E5A46
}
|
|
|
| Back to top |
|
 |
Gear2ndGandalf
Cheater
![]() Reputation: 0
Joined: 22 Jan 2018
Posts: 36
Location: USA
|
| Posted: Thu Dec 05, 2024 1:08 am Post subject: |
|
|
Without having or playing the game I can't help much but you may want to do a compare. Find out all the addresses that write to [rcx+B8] in the disassembler.
Fast construction, building extension, and research should all have their own base or pointer addresses, so there must be something to differentiate them.
1. So you need to scan for the array of bytes F3??????????????0F2F??0F93??C3????488B.
2. In the Memory Scan Options you want to click the white "Writable" square twice to make it read/write mode otherwise you won't find the array from the script above.
3. Once you search and get options in the scan list, open the disassembler by right clicking the correct result and choosing the open in disassembler option.
4. Right click the line of code (in our case Frostpunk2-Win64-Shipping.exe+32E59FF: F3 0F 10 81 B8 00 00 00 - movss xmm0,[rcx+000000B8]). Select "find out what accesses this address."
5. Do Fast Research in-game and see if an address pops up in the list.
6. Do the other two construction and building extension and see if their addresses pops up after.
7. CTRL+1 for Fast Research address in that pop up window to highlight it blue.
8. CTRL+2 for those other two addresses to highlight them red.
9. Right click any of the highlighted addresses and scan for commonalities.
10. Choose rcx since that's what's being used within the address, but it doesn't have to be rcx.
11. Find something that is consistantly a number like a zero in blue versus the red which consistantly have a different number.
example code doing a compare at the [address+offset] in newmem:
| Code: |
aobscanmodule(BuildImmediately,$process,F3??????????????0F2F??0F93??C3????488B)
alloc(newmem,2048,BuildImmediately)
alloc(Build,8,BuildImmediately)
label(BuildCode return)
Build:
dd (float)1
newmem:
cmp [rcx+04],0 // compare rcx offset of 4 to other addresses
jne BuildCode // jump if NOT equal to BuildCode
readmem(BuildImmediately,8)
movq xmm0,[Build]
jmp return
//mov [rcx+B8],(float)1
BuildCode:
readmem(BuildImmediately,8)
jmp return
BuildImmediately:
jmp newmem
nop 3
return:
registersymbol(BuildImmediately BuildCode Build)
[DISABLE]
BuildImmediately:
readmem(BuildCode,8)
unregistersymbol(*)
dealloc(*)
|
In the above code we are supposed to know that Fast Research is equal to the number 0 at offset [rcx+04], while those other two are different which will make them jump to BuildCode and not get cheated.
Again, the above code is just an example. I don't know which offset would work for you because I don't have the game. You may find that you need [rcx+8] or [rcx+4C0].
Alternatively, you could use the fast research address pointer as a compare for your script. Example below...
| Code: | aobscanmodule(BuildImmediately,$process,F3??????????????0F2F??0F93??C3????488B)
alloc(newmem,2048,BuildImmediately)
alloc(Build,8,BuildImmediately)
label(BuildCode return)
Build:
dd (float)1
newmem:
push ebx // Preserve ebx register so we can use it
mov ebx,"[[Frostpunk2BetaShipping-Win64-Shipping.exe+DEADBEAF]+44]+A8" // fast research pointer address example is being stored in ebx
cmp [rcx+B8],ebx // compare original code offset to fast research in register ebx
jne BuildCode // jump if NOT equal to BuildCode so only fast research gets cheated
readmem(BuildImmediately,8)
movq xmm0,[Build]
pop ebx // pop ebx back onto the stack in game code as it was before injection
jmp return
//mov [rcx+B8],(float)1
BuildCode:
readmem(BuildImmediately,8)
jmp return
BuildImmediately:
jmp newmem
nop 3
return:
registersymbol(BuildImmediately BuildCode Build)
[DISABLE]
BuildImmediately:
readmem(BuildCode,8)
unregistersymbol(*)
dealloc(*) |
In the above code we are comparing our address to the orignal offset in code [rcx+B8] because our addresses going through will jump over the cheat if they do not equal the address of "Fast Research" that is being compared.
You may have the remove the outer brackets of that address as I forget if the last offset gets a bracket [].
You may find that your address is green/static and not need a pointer which is unlikely but it would look like this example below with no offsets.
["Frostpunk2BetaShipping-Win64-Shipping.exe"+DEADBEAF]
Mind the quotes and brackets you will need them.
If you find yourself lost on the steps 1 -11 above (I know poorly explained) you may want to check out Stephen Chapman Cheat Engine tutorials on YouTube. That's where I started.
| Description: |
| OG Code for more Context. |
|
| Filesize: |
159 KB |
| Viewed: |
1271 Time(s) |
|
Last edited by Gear2ndGandalf on Thu Dec 05, 2024 12:54 pm; edited 2 times in total |
|
| Back to top |
|
|
CheatEngEnthusiast
How do I cheat?
![]() Reputation: 0
Joined: 25 Oct 2024
Posts: 5
|
| Posted: Thu Dec 05, 2024 3:28 am Post subject: |
|
|
| Gear2ndGandalf wrote: |
If you find yourself lost on the steps 1 -11 above (I know poorly explained) you may want to check out Stephen Chapman Cheat Engine tutorials on YouTube. That's where I started. |
It was very clear even for a complete noob thank you. But on point 11 finding something that is constistantly a 0 does that mean restarting the game and redoing the steps?
In any case following your instructions I found that the offset of 80 was always 0 for the research addresses. I put that in the code and tried but it wouldnt instantly complete the research, i dont know why. I opened cheat engine again and checked and did the comparison, and value at offset 80 IS 0(for the research address). Although now that I think about it, its 0 in 4 bytes that I did my checks. So is it possible to compare the value in 4 bytes and still modify it in float? If thats even the problem because then again isnt a 0 in 4 bytes also a 0 in float.
More Info:
The completion rate of the buildings, extensions and research are all float values that go from 0 to 1 (by small steps). Each new building/extension/research is a new address.
| Description: |
| added the offset to the code |
|
| Filesize: |
753.84 KB |
| Viewed: |
1261 Time(s) |
|
| Description: |
|
| Filesize: |
626.33 KB |
| Viewed: |
1261 Time(s) |
|
|
|
| Back to top |
|
|
Gear2ndGandalf
Cheater
![]() Reputation: 0
Joined: 22 Jan 2018
Posts: 36
Location: USA
|
| Posted: Thu Dec 05, 2024 4:36 am Post subject: |
|
|
| CheatEngEnthusiast wrote: | | But on point 11 finding something that is consistently a 0 does that mean restarting the game and redoing the steps? |
It can be consistently any number, but generally it’s best to do a compare for numbers in the single digits in my experience. You do not have to restart the game. But if you do, redo the steps to make sure your number is the same on offset 80. You may find out that it isn’t consistent.
| CheatEngEnthusiast wrote: | | I found that the offset of 80 was always 0 for the research addresses. I put that in the code and tried but it wouldn’t instantly complete the research. |
Try Changing movq to movss xmm0,[Build]
| CheatEngEnthusiast wrote: | | Although now that I think about it, its 0 in 4 bytes that I did my checks. So is it possible to compare the value in 4 bytes and still modify it in float? |
I’ve always done my compares in 4bytes regardless of which value we’re working with. Not sure if it’s a rule, but every tutorial I’ve followed had compares being done in bytes - 4bytes. It’s okay for your script whether you’re dealing with ints, floats, or doubles.
|
|
| Back to top |
|
|
CheatEngEnthusiast
How do I cheat?
![]() Reputation: 0
Joined: 25 Oct 2024
Posts: 5
|
| Posted: Thu Dec 05, 2024 8:12 am Post subject: |
|
|
| Gear2ndGandalf wrote: |
Try Changing movq to movss xmm0,[Build]
|
Its still not working :/ It looks so close too.
I tested both movq and movss, they both only work when the filtering two lines (cmp and jne) arent there. Ive tested other offsets where the research thing went to zero and one of the buildings instantly constructed instead of the research. Weird stuff. the value of the building with the offset in float and in 4 bytes wasnt 0 while the research one was 0 and it didnt insta research
| Gear2ndGandalf wrote: |
I’ve always done my compares in 4bytes regardless of which value we’re working with. Not sure if it’s a rule, but every tutorial I’ve followed had compares being done in bytes - 4bytes. It’s okay for your script whether you’re dealing with ints, floats, or doubles.
|
That would be ideal but is the cmp in the code comparing in 4 bytes?
|
|
| Back to top |
|
|
Gear2ndGandalf
Cheater
![]() Reputation: 0
Joined: 22 Jan 2018
Posts: 36
Location: USA
|
| Posted: Thu Dec 05, 2024 9:58 am Post subject: |
|
|
Try these: I think it may be the second set of code where we move our value into [rcx+B8] instead of xmm0. Fingers crossed!
| Code: | aobscanmodule(BuildImmediately,$process,F3??????????????0F2F??0F93??C3????488B)
alloc(newmem,2048,BuildImmediately)
alloc(Build,8,BuildImmediately)
label(BuildCode return)
Build:
dd (float)1
newmem:
readmem(BuildImmediately,8) // moved this to before the compare
cmp [rcx+80],0
jne BuildCode
movq xmm0,[Build] // or use movss instead of movq
jmp return
BuildCode:
readmem(BuildImmediately,8)
jmp return
BuildImmediately:
jmp newmem
nop 3
return:
registersymbol(BuildImmediately BuildCode Build)
[DISABLE]
BuildImmediately:
readmem(BuildCode,8)
unregistersymbol(*)
dealloc(*) |
| Code: | aobscanmodule(BuildImmediately,$process,F3??????????????0F2F??0F93??C3????488B)
alloc(newmem,2048,BuildImmediately)
alloc(Build,8,BuildImmediately)
label(BuildCode return)
Build:
dd (float)1
newmem:
readmem(BuildImmediately,8) // move this before or after the compare
cmp [rcx+80],0 // compare this offset from rcx to zero for research
jne BuildCode // jump all other addresses not related to research into BuildCode
push ebx // preserve ebx register for use
mov ebx,[Build] // store [Build] into ebx
mov [rcx+B8],ebx // mov float 1 inside of [Build] into OG address
movq xmm0,[rcx+B8] // use movq or movss to move OG address into xmm0
pop ebx // restore ebx to the stack as it was
jmp return
BuildCode:
readmem(BuildImmediately,8)
jmp return
BuildImmediately:
jmp newmem
nop 3
return:
registersymbol(BuildImmediately BuildCode Build)
[DISABLE]
BuildImmediately:
readmem(BuildCode,8)
unregistersymbol(*)
dealloc(*) |
|
|
| Back to top |
|
|
CheatEngEnthusiast
How do I cheat?
![]() Reputation: 0
Joined: 25 Oct 2024
Posts: 5
|
| Posted: Thu Dec 05, 2024 11:19 am Post subject: |
|
|
The first code did the same as before and the second one wouldnt activate even after changing the newmem order unfortunately.
Its hard out there for cheat engine users, who knows why this code is putting its blindfolds on. I appreciate the help tho  Last thing are you sure
'cmp [rcx+80], 0' compares a 4 byte value? Is there any way to make sure?
|
|
| Back to top |
|
|
Gear2ndGandalf
Cheater
![]() Reputation: 0
Joined: 22 Jan 2018
Posts: 36
Location: USA
|
| Posted: Thu Dec 05, 2024 12:03 pm Post subject: |
|
|
| CheatEngEnthusiast wrote: | Last thing are you sure
'cmp [rcx+80], 0' compares a 4 byte value? Is there any way to make sure? |
Yes I'm sure. So I just found out since we’re moving a float which is a double word you could use movd instead of movq.
movq = 8 bytes movd = 4 bytes.
Try this:
| Code: | assert("Frostpunk2-Win64-Shipping.exe"+32E59FF,F3 0F 10 81 B8 00 00 00)
define(buildImmediately,"Frostpunk2-Win64-Shipping.exe"+32E59FF)
alloc(newmem,2048,buildImmediately)
alloc(build,4,buildImmediately)
label(code return)
build:
dd (float)1
newmem:
cmp [rcx+80],0
jne code
push ebx
mov ebx,[build]
mov [rcx+B8],ebx
movss xmm0,[rcx+B8]
pop ebx
jmp return
code:
movss xmm0,[rcx+000000B8]
jmp return
buildImmediately:
jmp newmem
nop 3
return:
registersymbol(buildImmediately build)
[DISABLE]
buildImmediately:
db F3 0F 10 81 B8 00 00 00
unregistersymbol(*)
dealloc(*) |
or
| Code: | assert("Frostpunk2-Win64-Shipping.exe"+32E59FF,F3 0F 10 81 B8 00 00 00)
define(buildImmediately,"Frostpunk2-Win64-Shipping.exe"+32E59FF)
alloc(newmem,2048,buildImmediately)
alloc(build,4,buildImmediately)
label(code return)
build:
dd (float)1
newmem:
cmp [rcx+80],0
jne code
movss xmm0,[build]
jmp return
code:
movss xmm0,[rcx+000000B8]
jmp return
buildImmediately:
jmp newmem
nop 3
return:
registersymbol(buildImmediately build)
[DISABLE]
buildImmediately:
db F3 0F 10 81 B8 00 00 00
unregistersymbol(*)
dealloc(*) |
It's not future proof but above is how I would structure the code. Try those. Move the script to the root of the table where it's not under the Active parent script.
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
