Cheat Engine The Official Site of Cheat Engine
mordax Expert Cheater
Reputation: 1
Joined: 16 Apr 2010 Posts: 138
Posted: Mon Sep 23, 2024 8:13 pm Post subject: Help with lua/asm script please
Hi. I'm having some problems figuring out how to do the following: there is a shared opcode that accesses about 300 addresses that I want to change. How would I go about doing that?
Here's what I did:
I found the opcode by right-clicking on a certain address and then "breakpoint on read" (find out what accesses this address).
Then I disassembled that opcode, right-clicked and "breakpoint on read" (find out what addresses this instruction accesses); the new window lists about 100-600 addresses depending on what happens in game.
It's important to remember that this instruction does not write anything, so changing the instruction itself would have no effect. I need a method to read all of those addresses and then modify all of their values. How would I do that?
Here's my ASM script (I used the AOB template and then modified it to find the target address, but I think it's useless for what I need it for).
[ENABLE]
aobscanmodule(inject,game.dll,C7 02 00 00 80 3F F8 AC)
alloc(newmem,$1000,inject)
label(return)
alloc(_logaddr,8)
registersymbol(_logaddr)
newmem:
// save the address the hooked instruction is about to touch
// (only the most recent rdx is kept: every hit overwrites the previous one)
push rax
mov rax,_logaddr
mov [rax],rdx
pop rax
// originalcode:
mov [rdx],3F800000
jmp return
inject:
jmp newmem
nop
return:
registersymbol(inject)
[DISABLE]
inject:
db C7 02 00 00 80 3F
unregistersymbol(inject)
unregistersymbol(_logaddr)
dealloc(newmem)
dealloc(_logaddr)
So how would I be able to somehow intercept all the addresses that this opcode accesses and then modify all of those address values?
Can it be done in ASM or do I need Lua for it? I tried ChatGPT, but it doesn't seem to figure it out. I tried for hours, so now I'm here asking. I hope someone can point out how to achieve this. Thanks.
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4702
Posted: Mon Sep 23, 2024 8:29 pm
Don't delete the comment at the end of the template. The code around the injection point (including the unmodified original code) is important.
If you want to change the values of all the addresses to the same value, write to the address in your code injection.
Code: | ...
newmem:
mov [rdx],5
// originalcode:
mov ecx,[rdx]
jmp return
... |
_________________
I don't know where I'm going, but I'll figure it out when I get there.
mordax Expert Cheater
Reputation: 1
Joined: 16 Apr 2010 Posts: 138
Posted: Mon Sep 23, 2024 9:41 pm
ParkourPenguin wrote: | Don't delete the comment at the end of the template. The code around the injection point (including the unmodified original code) is important.
If you want to change the values of all the addresses to the same value, write to the address in your code injection.
Code: | ...
newmem:
mov [rdx],5
// originalcode:
mov ecx,[rdx]
jmp return
... |
Sorry, but you don't understand that this opcode is ACCESS ONLY, it does not write any values. Forcing a value on a read-only opcode has zero effect. That's not how code works.
If it were a write, then yes, but it's read only. This is the only opcode that accesses all the addresses I need to modify; there's no shared opcode for write. Otherwise I'd just use write.
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4702
Posted: Mon Sep 23, 2024 10:37 pm
"Access" can mean read or write. An instruction that writes to an address accesses it.
The instruction `mov [rdx],3F800000`, which I can only assume is the original code, writes the value 0x3F800000 (float 1.0) to the memory location specified by the address `rdx`.
mordax Expert Cheater
Reputation: 1
Joined: 16 Apr 2010 Posts: 138
Posted: Tue Sep 24, 2024 6:59 am
ParkourPenguin wrote: | "Access" can mean read or write. An instruction that writes to an address accesses it.
The instruction `mov [rdx],3F800000`, which I can only assume is the original code, writes the value 0x3F800000 (float 1.0) to the memory location specified by the address `rdx`. |
Can you please stop trolling? You clearly have nothing to say that would help me.
That instruction does not write values to addresses, it only accesses them without writing anything.
If I "breakpoint on read", then a new window pops up and it shows about 300-600 addresses that it accesses. It does not write anything.
It's quite clear you don't know how this works, but I provide this info anyway. It's a multiplier that is being checked. Like in some games there are buffs and such. This opcode accesses those multipliers (buffs) for each item/weapon, but it does not write anything.
This happens when I list my inventory in a game. The base multiplier is 1 (float), which is what you see.
I'm not a moron, I know what I'm doing. I'm just not that good with Lua and ASM and I don't know how to write my own code that would do what I ask, but I know what code does and how it works.
This opcode is access only. This means it accesses addresses, but does not write. It is for displaying purposes only. It shows the base multiplier and then there are other opcodes (probably one for each address) that check the individual multipliers for each item, and then this opcode plus one other are what work together to display the correct value (base multiplier = 1 + whatever else).
I need a way to log all of those addresses that this opcode accesses (not writes) and then change the value of all those found addresses from x.x to my specified value. Understand now?
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4702
Posted: Tue Sep 24, 2024 11:02 am
mordax wrote: | that instruction does not write values to addresses, it only accesses them without writing anything. | To be clear, this is the instruction you're talking about:
This instruction does write to a memory location. CE uses intel syntax by default. The first operand is typically the destination. Look up an x64 assembly tutorial if you want to learn more.
And again, an "access" can be a read or a write. Some other jargon in some other part of the internet might attribute a different meaning to the word "access," but regarding Intel / AMD architecture debugging, "access" means read or write.
mordax wrote: | if i "breakpoint on read"... | There is no "breakpoint on read".
https://en.wikipedia.org/wiki/X86_debug_register#cite_note-brkpt_type-19
There are 4 ways a hardware debug register can be used: instruction execution, write to a memory location, I/O operation, and access (i.e. read or write) to a memory location.
Right click an address in the address list (bottom half of main window) and there's two options: "Find out what accesses this address" and "Find out what writes to this address". If you try both, you'll see "accesses" also include writes. e.g. CE tutorial x64 step 2:
Code: |
// Writes
10002B4BC - 29 83 F8070000 - sub [rbx+000007F8],eax
// Accesses
10002B819 - 81 BB F8070000 E8030000 - cmp [rbx+000007F8],000003E8
10002B4BC - 29 83 F8070000 - sub [rbx+000007F8],eax
10002B4CB - 8B 8B F8070000 - mov ecx,[rbx+000007F8]
10002B51E - 83 BB F8070000 00 - cmp dword ptr [rbx+000007F8],00
|
"Find out what accesses this address" finds the instruction `sub [rbx+000007F8],eax`, which is also found by "Find out what writes to this address".
mordax wrote: | i need a way to log all of those addresses that this opcode accesses (not writes) and then change value of all those found addresses from x.x to my specified value. | Change "3F800000" in `mov [rdx],3F800000` to something else. e.g. `mov [rdx],(float)2`
If that doesn't work, some other instruction is writing to it
mordax Expert Cheater
Reputation: 1
Joined: 16 Apr 2010 Posts: 138
Posted: Tue Sep 24, 2024 6:32 pm
ParkourPenguin wrote: | mordax wrote: | that instruction does not write values to addresses, it only accesses them without writing anything. | To be clear, this is the instruction you're talking about:
This instruction does write to a memory location. CE uses intel syntax by default. The first operand is typically the destination. Look up an x64 assembly tutorial if you want to learn more.
And again, an "access" can be a read or a write. Some other jargon in some other part of the internet might attribute a different meaning to the word "access," but regarding Intel / AMD architecture debugging, "access" means read or write.
mordax wrote: | if i "breakpoint on read"... | There is no "breakpoint on read".
https://en.wikipedia.org/wiki/X86_debug_register#cite_note-brkpt_type-19
There are 4 ways a hardware debug register can be used: instruction execution, write to a memory location, I/O operation, and access (i.e. read or write) to a memory location.
Right click an address in the address list (bottom half of main window) and there's two options: "Find out what accesses this address" and "Find out what writes to this address". If you try both, you'll see "accesses" also include writes. e.g. CE tutorial x64 step 2:
Code: |
// Writes
10002B4BC - 29 83 F8070000 - sub [rbx+000007F8],eax
// Accesses
10002B819 - 81 BB F8070000 E8030000 - cmp [rbx+000007F8],000003E8
10002B4BC - 29 83 F8070000 - sub [rbx+000007F8],eax
10002B4CB - 8B 8B F8070000 - mov ecx,[rbx+000007F8]
10002B51E - 83 BB F8070000 00 - cmp dword ptr [rbx+000007F8],00
|
"Find out what accesses this address" finds the instruction `sub [rbx+000007F8],eax`, which is also found by "Find out what writes to this address".
mordax wrote: | i need a way to log all of those addresses that this opcode accesses (not writes) and then change value of all those found addresses from x.x to my specified value. | Change "3F800000" in `mov [rdx],3F800000` to something else. e.g. `mov [rdx],(float)2`
If that doesn't work, some other instruction is writing to it |
Like I said, you don't understand the difference between "breakpoint on read" and "breakpoint on write".
If an instruction does not write to the addresses, then changing its value or register has no effect. It might have a visual effect, but no actual effect.
Just forget it, I already used a different method. You seriously need to stop giving false info; there will be others reading it and they will get the wrong understanding from your misleading information.
LeFiXER Grandmaster Cheater Supreme
Reputation: 20
Joined: 02 Sep 2011 Posts: 1069 Location: 0x90
Posted: Thu Sep 26, 2024 11:21 am
mordax wrote: |
Like I said, you don't understand the difference between "breakpoint on read" and "breakpoint on write".
If an instruction does not write to the addresses, then changing its value or register has no effect. It might have a visual effect, but no actual effect.
Just forget it, I already used a different method. You seriously need to stop giving false info; there will be others reading it and they will get the wrong understanding from your misleading information. |
Just because you don't understand something does not mean it is false information. Parkour Penguin is incredibly versed in computer science therefore has vast insight into game hacking, reverse engineering, and programming fields. To dismiss the wisdom provided by Parkour Penguin is nothing short of stupid. Lastly, to insist someone is trolling when they are taking their time to help you is disrespectful. You should think yourself lucky that they have taken time out of their day to help you with your problem because they didn't have to.
I will never understand why people feel so entitled as if everyone has to help people with their problems. They help because they are kind, you will do well to remember that.
Corroder Grandmaster Cheater Supreme
Reputation: 75
Joined: 10 Apr 2015 Posts: 1668
Posted: Thu Sep 26, 2024 9:35 pm
@LeFiXER, I strongly agree!
_________________
Stealing Code From Stolen Code...
And Admit It.. Hmmm....Typically LOL
MDon How do I cheat?
Reputation: 0
Joined: 20 Dec 2024 Posts: 4
Posted: Fri Dec 20, 2024 8:21 am Post subject: Re: Help with lua/asm script please
[ENABLE]
aobscanmodule(inject,game.dll,C7 02 00 00 80 3F F8 AC)
alloc(newmem,$40,inject) // $1000 too long... set $40
label(return)
label(code)
alloc(_logaddr,$1000) // [_logaddr] = qword entry count, [_logaddr+8*i] = i-th logged rdx
registersymbol(_logaddr)
newmem: // get all addr or you can add cmp..?..nya~
push rax
push rbx
pushfq // cmp/inc below clobber the flags and the original mov does not, so preserve them
mov rax,_logaddr
cmp qword ptr [rax],#396 // max addr count..~ (397 entries * 8 bytes + the counter fit in $1000)
ja code
inc qword ptr [rax]
mov rbx,[rax]
mov [rax+rbx*8],rdx // rdx is 8 bytes: stride 8, not 4, or consecutive entries overlap
code:
popfq
pop rbx
pop rax
// originalcode:
mov [rdx],3F800000
jmp return
inject:
jmp newmem
nop
return:
registersymbol(inject)
[DISABLE]
inject:
db C7 02 00 00 80 3F
unregistersymbol(*) // this all
dealloc(*)
// The effect achieved: retrieve the value of RDX around 300 times; not tested yet, it might crash... Meow?~
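Once a hook like the one above has filled the log, the second half of the original question (read every logged address and change its value) is easiest from Cheat Engine's Lua engine. The script below is an added example and is not code from this thread or from any of its posters. It assumes the log layout of a qword entry count at _logaddr followed by one 8-byte RDX value per entry at _logaddr+8*i (i starting at 1), the registered symbol name _logaddr, and the Cheat Engine Lua API functions getAddress, readQword, readFloat and writeFloat; the new multiplier 2.0 is a placeholder value.

```lua
-- Added example (not from the thread): walk the address log filled by the
-- injected hook and write a new float to every distinct logged address.
-- Assumed log layout (must match the auto-assembler script that fills it):
--   [_logaddr]       qword  number of entries written so far (N)
--   [_logaddr+8*i]   qword  i-th logged RDX value, i = 1..N
-- Uses the Cheat Engine Lua API: getAddress, readQword, readFloat, writeFloat.

local LOG_SYMBOL = "_logaddr"   -- symbol registered by the AA script (assumption)
local ENTRY_SIZE = 8            -- one full 64-bit pointer per entry
local NEW_VALUE  = 2.0          -- placeholder multiplier; base was 1.0 (0x3F800000)

-- Returns the logged addresses with duplicates removed, in first-seen order.
-- The hook logs every hit, so the same item address shows up many times.
local function readLoggedAddresses(logBase)
  local count = readQword(logBase)
  if count == nil then return {} end
  local seen, list = {}, {}
  for i = 1, count do
    local addr = readQword(logBase + ENTRY_SIZE * i)
    if addr ~= nil and addr ~= 0 and not seen[addr] then
      seen[addr] = true
      list[#list + 1] = addr
    end
  end
  return list
end

-- Writes `value` as a 4-byte float to each address; returns the number of
-- successful writes so a partial failure (unmapped page, freed object) is visible.
local function patchAll(list, value)
  local written = 0
  for _, addr in ipairs(list) do
    if writeFloat(addr, value) then
      written = written + 1
    end
  end
  return written
end

local logBase = getAddress(LOG_SYMBOL)   -- raises an error if the AA script is not enabled
local addrs = readLoggedAddresses(logBase)
print(string.format("%d unique addresses logged", #addrs))
for _, a in ipairs(addrs) do
  print(string.format("%X = %s", a, tostring(readFloat(a))))
end
print(string.format("patched %d of %d", patchAll(addrs, NEW_VALUE), #addrs))
```

Run it from Memory View > Tools > Lua Engine after enabling the AA script and opening the inventory once, so the log is populated. Two caveats a practitioner should keep in mind: the write is one-shot, so if the hooked instruction (or any other one) stores 1.0 to those addresses again on the next inventory refresh, the patch is gone; and the logged values are raw pointers captured at hook time, so if the game frees or reallocates those objects before the script runs, writeFloat lands on unrelated memory. Re-read the log right before patching, and prefer changing the value inside the hook itself where the write instruction is the one being hooked.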