Cheat Engine The Official Site of Cheat Engine
bmelvir How do I cheat?
Reputation: 0
Joined: 25 Sep 2025 Posts: 6
Posted: Thu Sep 25, 2025 5:52 pm Post subject: Getting my script to work after reloading a game
I'm trying to create a script that multiplies a value by 2. I got it to work, but I'm running into the issue where if I close and reload the game, the script won't work anymore. I imagine it's because CE is trying to read and write to addresses that aren't valid anymore. I know there are ways to make it so that CE works with relative addresses (I've seen tutorials showing it like "game.exe+235E") rather than a fixed address like 235EADD355B, but I have no idea how to make it work that way...
Code:
{ Game : Monster Sanctuary.exe
Version:
Date : 2025-09-25
Author : User
This script does blah blah blah
This script was done based on these addresses. You want to inject code before
"add eax,ecx" to make it so that ecx <- ecx x2
266A07768CD was the base address for injection in this case
266A07768C3 - 48 8B C8 - mov rcx,rax
266A07768C6 - 48 8B 85 58FFFFFF - mov rax,[rbp-000000A8]
266A07768CD - 03 C1 - add eax,ecx // <<<< BASE ADDRESS FOR INJECTION
266A07768CF - 89 46 44 - mov [rsi+44],eax
}
[ENABLE]
aobscan(exp_multiplier_sym,77 A0 66 02 00 00 41 FF D3 48 8B C8 48 8B 85 58 FF FF FF 03 C1 89 46 44) // should be unique
alloc(newmem,$1000,exp_multiplier_sym)
label(code)
label(return)
newmem:
imul ecx, #4
code:
add eax,ecx
mov [rsi+44],eax
jmp return
exp_multiplier_sym+13:
jmp newmem
return:
registersymbol(exp_multiplier_sym)
[DISABLE]
exp_multiplier_sym+13:
db 03 C1 89 46 44
unregistersymbol(exp_multiplier_sym)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: 266A07768CD
266A0776894: 48 63 46 44 - movsxd rax,dword ptr [rsi+44]
266A0776898: 48 89 85 58 FF FF FF - mov [rbp-000000A8],rax
266A077689F: 48 8B CF - mov rcx,rdi
266A07768A2: 48 BA FF FF FF FF FF FF FF FF - mov rdx,FFFFFFFFFFFFFFFF
266A07768AC: 83 3F 00 - cmp dword ptr [rdi],00
266A07768AF: 48 8D AD 00 00 00 00 - lea rbp,[rbp+00000000]
266A07768B6: 49 BB E0 6E 77 A0 66 02 00 00 - mov r11,00000266A0776EE0
266A07768C0: 41 FF D3 - call r11
266A07768C3: 48 8B C8 - mov rcx,rax
266A07768C6: 48 8B 85 58 FF FF FF - mov rax,[rbp-000000A8]
// ---------- INJECTING HERE ----------
266A07768CD: 03 C1 - add eax,ecx
// ---------- DONE INJECTING ----------
266A07768CF: 89 46 44 - mov [rsi+44],eax
266A07768D2: 48 8B CD - mov rcx,rbp
266A07768D5: 48 83 C1 90 - add rcx,-70
266A07768D9: 49 BA A0 D4 F3 A1 66 02 00 00 - mov r10,00000266A1F3D4A0
266A07768E3: 66 66 90 - nop 3
266A07768E6: 49 BB C0 52 1B F9 66 02 00 00 - mov r11,00000266F91B52C0
266A07768F0: 41 FF D3 - call r11
266A07768F3: 85 C0 - test eax,eax
266A07768F5: 75 99 - jne 266A0776890
266A07768F7: 48 C7 45 88 00 00 00 00 - mov qword ptr [rbp-78],00000000
}
Last edited by bmelvir on Thu Sep 25, 2025 7:58 pm; edited 1 time in total
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25793 Location: The netherlands
Posted: Thu Sep 25, 2025 5:59 pm Post subject:
The routine you're hooking may have to be JITted first (executed one time).
If it's mono you can activate mono and then JIT/compile it manually.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
bmelvir How do I cheat?
Reputation: 0
Joined: 25 Sep 2025 Posts: 6
Posted: Thu Sep 25, 2025 6:05 pm Post subject:
Sorry, I don't know exactly what that means :s
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25793 Location: The netherlands
Posted: Thu Sep 25, 2025 6:22 pm Post subject:
Play the game first until the game's value is changed by the code you're hooking.
Only after that try to activate the script.
If it works then, you can look into how mono->activate mono works.
bmelvir How do I cheat?
Reputation: 0
Joined: 25 Sep 2025 Posts: 6
Posted: Thu Sep 25, 2025 8:02 pm Post subject:
I don't think it worked. I closed the game, while keeping CE up with the script. I reloaded the game and opened the process in CE. I won a battle and tried to enable the script on the list, but nothing happened. When I right-click on it, it says
"Error while scanning for AOB's: exp_multiplier_sym Error: Not all results found> >"
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25793 Location: The netherlands
Posted: Thu Sep 25, 2025 11:48 pm Post subject:
You changed your script. The original AOB was better.
Do not include bytes that belong to address specifiers,
so better start from the bytes at 266A07768C0.
bmelvir How do I cheat?
Reputation: 0
Joined: 25 Sep 2025 Posts: 6
Posted: Fri Sep 26, 2025 11:47 am Post subject:
Sorry, I added some comments to the script mostly for myself, because since I knew I'd have to re-create the script all the time, I wanted to add some information for myself to make it easier later. But other than that, the script is basically the same (I generated it the same way)...
How can I make it so that I don't have to recreate the script every time I want to play the game? None of the tutorials I've watched and copied have this same problem I'm having.
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4702
Posted: Fri Sep 26, 2025 1:27 pm Post subject:
bmelvir wrote:
Code:
aobscan(exp_multiplier_sym,77 A0 66 02 00 00...
These bytes from the aobscan pattern include bytes from the value in the instruction `mov r11,00000266A0776EE0`. That value will probably change when the game is restarted, meaning the bytes in the aob pattern will probably change too.
You'll need to find a better aob signature manually. Go to the main CE window, right click the area with the writable / executable / copy-on-write checkboxes, select "Preset: scan all memory", set the value type to array of bytes, and scan for various AoBs until you find a pattern that's unique.
You can use wildcards to ignore certain bytes. e.g. `49 BB ?? ?? ?? ?? ?? ?? ?? ?? ...` to get the `mov r11,00000266A0776EE0` instruction without the value.
Adjust the offset from the symbol as necessary depending on where the pattern starts. e.g. in the script CE generated, the offset is 0x13 past `exp_multiplier_sym`.
That assembly looks like the output of a mono JIT compiler. If mono features are available ("mono" menu in the top bar of main CE window), you can use that to find the function instead of an aobscan.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
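The wildcard advice in the post above, as an added example (not code from this thread or from Cheat Engine): it parses the listing quoted earlier, masks the 8-byte immediate of every `mov r64,imm64` (where the JIT embeds absolute addresses), and checks that the masked pattern still matches a constructed "restarted" memory image while the exact bytes do not. The relocated callee address 0x1F4C0B3D2E0 and the few bytes before the match are assumed.

```python
import re
from typing import List, Optional, Tuple

Pattern = List[Optional[int]]   # None marks a wildcard byte ("??" in CE)
Insn = Tuple[int, bytes, str]   # (address, raw bytes, disassembly text)

# Constructed sample: the instructions around the injection point, copied from the thread.
LISTING = """
266A07768B6: 49 BB E0 6E 77 A0 66 02 00 00 - mov r11,00000266A0776EE0
266A07768C0: 41 FF D3 - call r11
266A07768C3: 48 8B C8 - mov rcx,rax
266A07768C6: 48 8B 85 58 FF FF FF - mov rax,[rbp-000000A8]
266A07768CD: 03 C1 - add eax,ecx
266A07768CF: 89 46 44 - mov [rsi+44],eax
"""
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]+):\s+((?:[0-9A-Fa-f]{2}\s+)+)-\s+(.*)$")

def parse_listing(text: str) -> List[Insn]:
    """Parse CE's 'addr: bytes - mnemonic' lines; anything else is ignored."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3).strip()))
    return out

def is_mov_r64_imm64(raw: bytes) -> bool:
    """REX.W(+B) 48/49, opcode B8+r, 8-byte immediate: how the JIT embeds absolute addresses."""
    return len(raw) == 10 and raw[0] in (0x48, 0x49) and 0xB8 <= raw[1] <= 0xBF

def build_pattern(insns: List[Insn], wildcard_imm64: bool = True) -> Pattern:
    """Concatenate instruction bytes, replacing every imm64 operand with 8 wildcards."""
    pat: Pattern = []
    for _, raw, _ in insns:
        wild = wildcard_imm64 and is_mov_r64_imm64(raw)
        pat.extend(list(raw[:2]) + [None] * 8 if wild else raw)
    return pat

def pattern_text(pat: Pattern) -> str:
    return " ".join("??" if b is None else f"{b:02X}" for b in pat)

def find_all(buf: bytes, pat: Pattern) -> List[int]:
    """Every offset where the pattern matches, i.e. what aobscan does over process memory."""
    return [off for off in range(len(buf) - len(pat) + 1)
            if all(p is None or p == buf[off + i] for i, p in enumerate(pat))]

def injection_offset(insns: List[Insn], inject_addr: int) -> int:
    """Distance from the pattern's first byte to the hook site (the script's 'symbol+13' is hex)."""
    return inject_addr - insns[0][0]

# Constructed memory images: the first run, and a restart where the JIT put the callee elsewhere.
INSNS = parse_listing(LISTING)
FIRST_RUN = bytes.fromhex("48 8B CF") + b"".join(raw for _, raw, _ in INSNS)  # assumed prefix
RESTARTED = FIRST_RUN.replace((0x266A0776EE0).to_bytes(8, "little"),
                              (0x1F4C0B3D2E0).to_bytes(8, "little"))  # assumed new address
```

Calling `pattern_text(build_pattern(INSNS))` gives the signature to paste into the aobscan line, and `injection_offset(INSNS, 0x266A07768CD)` the `symbol+N` offset that goes with it.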
bmelvir How do I cheat?
Reputation: 0
Joined: 25 Sep 2025 Posts: 6
Posted: Fri Sep 26, 2025 10:38 pm Post subject:
All scripts I showed here were generated using CE's templates (I used the "AOB injection" one). The only part I added was this line
I'm having trouble figuring out how to search for an array of bytes. I mean, I can search for an array of bytes, but I'm having trouble finding the code. Maybe because I'm not replacing the right bytes with wildcards?
I'm basing myself on the script file CE generated. So here's the code
Code:
{
// ORIGINAL CODE - INJECTION POINT: 266A07768CD
266A0776894: 48 63 46 44 - movsxd rax,dword ptr [rsi+44]
266A0776898: 48 89 85 58 FF FF FF - mov [rbp-000000A8],rax
266A077689F: 48 8B CF - mov rcx,rdi
266A07768A2: 48 BA FF FF FF FF FF FF FF FF - mov rdx,FFFFFFFFFFFFFFFF
266A07768AC: 83 3F 00 - cmp dword ptr [rdi],00
266A07768AF: 48 8D AD 00 00 00 00 - lea rbp,[rbp+00000000]
266A07768B6: 49 BB E0 6E 77 A0 66 02 00 00 - mov r11,00000266A0776EE0
266A07768C0: 41 FF D3 - call r11
266A07768C3: 48 8B C8 - mov rcx,rax
266A07768C6: 48 8B 85 58 FF FF FF - mov rax,[rbp-000000A8]
// ---------- INJECTING HERE ----------
266A07768CD: 03 C1 - add eax,ecx
// ---------- DONE INJECTING ----------
266A07768CF: 89 46 44 - mov [rsi+44],eax
266A07768D2: 48 8B CD - mov rcx,rbp
266A07768D5: 48 83 C1 90 - add rcx,-70
266A07768D9: 49 BA A0 D4 F3 A1 66 02 00 00 - mov r10,00000266A1F3D4A0
266A07768E3: 66 66 90 - nop 3
266A07768E6: 49 BB C0 52 1B F9 66 02 00 00 - mov r11,00000266F91B52C0
266A07768F0: 41 FF D3 - call r11
266A07768F3: 85 C0 - test eax,eax
266A07768F5: 75 99 - jne 266A0776890
266A07768F7: 48 C7 45 88 00 00 00 00 - mov qword ptr [rbp-78],00000000
}
and this is what I'm searching for in CE
Code:
48 63 ? ? 48 89 ? ? ? ? ? 48 8B CF 48
which returns only 1 result:
Code:
27769892272 - 48 63 40 3C - movsxd rax,dword ptr [rax+3C]
27769892276 - 48 89 85 78FFFFFF - mov [rbp-00000088],rax
2776989227D - 48 8B CF - mov rcx,rdi
27769892280 - 48 8D 64 24 00 - lea rsp,[rsp+00]
27769892285 - 90 - nop
27769892286 - 49 BB 0017896977020000 - mov r11,0000027769891700
27769892290 - 41 FF D3 - call r11
27769892293 - 48 89 45 B0 - mov [rbp-50],rax
27769892297 - 48 8B 4D 98 - mov rcx,[rbp-68]
which is different from the original code. What am I doing wrong?
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4702
Posted: Fri Sep 26, 2025 11:39 pm Post subject:
Probably what DB said previously: the code hadn't yet been JIT-compiled when you scanned.
JIT = Just In Time compilation: assembly code is only generated when it's supposed to be run for the first time. Before that, it doesn't exist. If you want to find that code, you must first do something in game so that the code is generated.
If CE's mono features are available, CE can JIT compile functions itself; no need to do something in game first.
bmelvir How do I cheat?
Reputation: 0
Joined: 25 Sep 2025 Posts: 6
Posted: Sat Sep 27, 2025 10:11 am Post subject:
Ooooh, i think it's starting to make a bit more sense to me now! ^^; Thank you! I'll mess around with this a bit more.