Reverse Engineering Asked on July 26, 2021
Im using cheat engine as a beginner to getting into Disassembly and Hacking, and I want to know how to modify an address/pointer (not really sure how to term it) thats using a movss [...],xmm#
?
Specifically, Im modifying the Health in Satisfactory.
Fall damage causes the movss [rbx+00000164],xmm0
to fire, xmm0
represents the amount of health subtracted from the damage of falling.
Then it sends xmm0
to rbx+000000164
.
That causes the health to go down. I want it to go Up, or not lose/gain any at all.
I tried seeing if there were any xmm#s in the scanner that lined up with max health (100) to see if I could just send the player’s max health every time they took damage (This would solve it easily)
However, it doesnt have it.
As seen here:
I was following a tutorial https://wiki.cheatengine.org/index.php?title=Tutorials:Auto_Assembler:Injection_full, but they made it super simple, mentioning only…
Now the easiest thing to do here, since the code already adds is to just make the number positive.
Thats not very informing, they were lucky, their value is just a number that can be set to positive or negative, or just be modified.
Mine cant.
So the big question is, is there anything I can do to modify or change it? I need to make this simpler.
By the way, heres my script that Im using to actually “hack” the health. All it does right now is the default xmm0 send, basically it does nothing.
{ Game : FactoryGame-Win64-Shipping.exe
Version:
Date : 2020-03-15
Author : taylo
This script does blah blah blah
}
define(address,"FactoryGame-Win64-Shipping.exe"+90E3AA)
define(bytes,F3 0F 11 83 64 01 00 00)
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
assert(address,bytes)
alloc(newmem,$1000,"FactoryGame-Win64-Shipping.exe"+90E3AA)
label(code)
label(return)
newmem:
code:
movss [rbx+00000164],xmm0
jmp return
address:
jmp newmem
nop 3
return:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
address:
db bytes
// movss [rbx+00000164],xmm0
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "FactoryGame-Win64-Shipping.exe"+90E3AA
"FactoryGame-Win64-Shipping.exe"+90E376: 49 89 6B B0 - mov [r11-50],rbp
"FactoryGame-Win64-Shipping.exe"+90E37A: 4D 89 73 A8 - mov [r11-58],r14
"FactoryGame-Win64-Shipping.exe"+90E37E: E8 BD D5 FB FF - call FactoryGame-Win64-Shipping.exe+8CB940
"FactoryGame-Win64-Shipping.exe"+90E383: 0F 28 C8 - movaps xmm1,xmm0
"FactoryGame-Win64-Shipping.exe"+90E386: 0F 2F 0D 53 B9 64 02 - comiss xmm1,[FactoryGame-Win64-Shipping.exe+2F59CE0]
"FactoryGame-Win64-Shipping.exe"+90E38D: 0F 82 B9 00 00 00 - jb FactoryGame-Win64-Shipping.exe+90E44C
"FactoryGame-Win64-Shipping.exe"+90E393: F3 0F 10 83 64 01 00 00 - movss xmm0,[rbx+00000164]
"FactoryGame-Win64-Shipping.exe"+90E39B: F3 0F 5F CE - maxss xmm1,xmm6
"FactoryGame-Win64-Shipping.exe"+90E39F: 0F B6 83 6C 01 00 00 - movzx eax,byte ptr [rbx+0000016C]
"FactoryGame-Win64-Shipping.exe"+90E3A6: F3 0F 5C C1 - subss xmm0,xmm1
// ---------- INJECTING HERE ----------
"FactoryGame-Win64-Shipping.exe"+90E3AA: F3 0F 11 83 64 01 00 00 - movss [rbx+00000164],xmm0
// ---------- DONE INJECTING ----------
"FactoryGame-Win64-Shipping.exe"+90E3B2: A8 01 - test al,01
"FactoryGame-Win64-Shipping.exe"+90E3B4: 75 4C - jne FactoryGame-Win64-Shipping.exe+90E402
"FactoryGame-Win64-Shipping.exe"+90E3B6: A8 02 - test al,02
"FactoryGame-Win64-Shipping.exe"+90E3B8: 74 1D - je FactoryGame-Win64-Shipping.exe+90E3D7
"FactoryGame-Win64-Shipping.exe"+90E3BA: 48 89 6C 24 28 - mov [rsp+28],rbp
"FactoryGame-Win64-Shipping.exe"+90E3BF: 4C 8B CF - mov r9,rdi
"FactoryGame-Win64-Shipping.exe"+90E3C2: 0F 28 D1 - movaps xmm2,xmm1
"FactoryGame-Win64-Shipping.exe"+90E3C5: 4C 89 74 24 20 - mov [rsp+20],r14
"FactoryGame-Win64-Shipping.exe"+90E3CA: 48 8B D6 - mov rdx,rsi
"FactoryGame-Win64-Shipping.exe"+90E3CD: 48 8B CB - mov rcx,rbx
}
After a bit more research, and help from a friend, I figured it out.
the movss
and mov
are opcodes and its usually in the form of a float (for movss atleast)
So, hence, you CAN change its value.
Simply write movss [..address..],(float)###
replace ### with your number.
As for my question, it works, I have disabled the entire game's health decrement. Making all creatures and players invulnerable forever using the same method.
As seen here by MY use of it:
Yes, I know it was about modifying the movss, but my value IS a float, its just stored in the "form" of an Integer, so it uses mov, you can use this same movss code.
code:
mov [rbx+00000164],(float)100
jmp return
mov
is like saying move
, it moves the value in the operand and sends it to the address.
So its as simple as moving a number. I just had bad formatting, and didnt realise you had to specify the data type via something like (float)
Answered by Mister SirCode on July 26, 2021
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP