
Is it possible to modify a movss or xmm# in Assembly using Cheat Engine?

Reverse Engineering Asked on July 26, 2021

I'm using Cheat Engine as a beginner to get into disassembly and hacking, and I want to know how to modify an address/pointer (not really sure how to term it) that's using a movss [...],xmm#?

Specifically, I'm modifying the Health in Satisfactory.

Fall damage causes the movss [rbx+00000164],xmm0 to fire; xmm0 represents the amount of health subtracted from the damage of falling.

Then it sends xmm0 to rbx+00000164.

That causes the health to go down. I want it to go Up, or not lose/gain any at all.

I tried seeing if there were any xmm#s in the scanner that lined up with max health (100) to see if I could just send the player's max health every time they took damage (this would solve it easily).

However, it doesn't have it.
As seen here: [screenshot not included]

I was following a tutorial https://wiki.cheatengine.org/index.php?title=Tutorials:Auto_Assembler:Injection_full, but they made it super simple, mentioning only…

Now the easiest thing to do here, since the code already adds is to just make the number positive.

That's not very informing; they were lucky, their value is just a number that can be set to positive or negative, or just be modified.

Mine can't.

So the big question is, is there anything I can do to modify or change it? I need to make this simpler.

By the way, here's my script that I'm using to actually "hack" the health. All it does right now is the default xmm0 send; basically it does nothing.

{ Game   : FactoryGame-Win64-Shipping.exe
  Version: 
  Date   : 2020-03-15
  Author : taylo

  This script does blah blah blah
}

define(address,"FactoryGame-Win64-Shipping.exe"+90E3AA)
define(bytes,F3 0F 11 83 64 01 00 00)

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat



assert(address,bytes)
alloc(newmem,$1000,"FactoryGame-Win64-Shipping.exe"+90E3AA)

label(code)
label(return)

newmem:

code:
  movss [rbx+00000164],xmm0
  jmp return

address:
  jmp newmem
  nop 3
return:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
address:
  db bytes
  // movss [rbx+00000164],xmm0

dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "FactoryGame-Win64-Shipping.exe"+90E3AA

"FactoryGame-Win64-Shipping.exe"+90E376: 49 89 6B B0              -  mov [r11-50],rbp
"FactoryGame-Win64-Shipping.exe"+90E37A: 4D 89 73 A8              -  mov [r11-58],r14
"FactoryGame-Win64-Shipping.exe"+90E37E: E8 BD D5 FB FF           -  call FactoryGame-Win64-Shipping.exe+8CB940
"FactoryGame-Win64-Shipping.exe"+90E383: 0F 28 C8                 -  movaps xmm1,xmm0
"FactoryGame-Win64-Shipping.exe"+90E386: 0F 2F 0D 53 B9 64 02     -  comiss xmm1,[FactoryGame-Win64-Shipping.exe+2F59CE0]
"FactoryGame-Win64-Shipping.exe"+90E38D: 0F 82 B9 00 00 00        -  jb FactoryGame-Win64-Shipping.exe+90E44C
"FactoryGame-Win64-Shipping.exe"+90E393: F3 0F 10 83 64 01 00 00  -  movss xmm0,[rbx+00000164]
"FactoryGame-Win64-Shipping.exe"+90E39B: F3 0F 5F CE              -  maxss xmm1,xmm6
"FactoryGame-Win64-Shipping.exe"+90E39F: 0F B6 83 6C 01 00 00     -  movzx eax,byte ptr [rbx+0000016C]
"FactoryGame-Win64-Shipping.exe"+90E3A6: F3 0F 5C C1              -  subss xmm0,xmm1
// ---------- INJECTING HERE ----------
"FactoryGame-Win64-Shipping.exe"+90E3AA: F3 0F 11 83 64 01 00 00  -  movss [rbx+00000164],xmm0
// ---------- DONE INJECTING  ----------
"FactoryGame-Win64-Shipping.exe"+90E3B2: A8 01                    -  test al,01
"FactoryGame-Win64-Shipping.exe"+90E3B4: 75 4C                    -  jne FactoryGame-Win64-Shipping.exe+90E402
"FactoryGame-Win64-Shipping.exe"+90E3B6: A8 02                    -  test al,02
"FactoryGame-Win64-Shipping.exe"+90E3B8: 74 1D                    -  je FactoryGame-Win64-Shipping.exe+90E3D7
"FactoryGame-Win64-Shipping.exe"+90E3BA: 48 89 6C 24 28           -  mov [rsp+28],rbp
"FactoryGame-Win64-Shipping.exe"+90E3BF: 4C 8B CF                 -  mov r9,rdi
"FactoryGame-Win64-Shipping.exe"+90E3C2: 0F 28 D1                 -  movaps xmm2,xmm1
"FactoryGame-Win64-Shipping.exe"+90E3C5: 4C 89 74 24 20           -  mov [rsp+20],r14
"FactoryGame-Win64-Shipping.exe"+90E3CA: 48 8B D6                 -  mov rdx,rsi
"FactoryGame-Win64-Shipping.exe"+90E3CD: 48 8B CB                 -  mov rcx,rbx
}

One Answer

After a bit more research, and help from a friend, I figured it out.

The movss and mov are opcodes, and it's usually in the form of a float (for movss at least).

So, hence, you CAN change its value.

Simply write movss [..address..],(float)###, replacing ### with your number.

As for my question, it works: I have disabled the entire game's health decrement, making all creatures and players invulnerable forever using the same method.

As seen here by MY use of it: [screenshot not included]

Yes, I know it was about modifying the movss, but my value IS a float; it's just stored in the "form" of an integer, so it uses mov. You can use this same movss code.

code:
  mov [rbx+00000164],(float)100
  jmp return

mov is like saying move: it moves the value in the operand and sends it to the address.

So it's as simple as moving a number. I just had bad formatting, and didn't realise you had to specify the data type via something like (float).

Answered by Mister SirCode on July 26, 2021
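To make concrete what the answer's (float)100 does and why the type tag matters, here is an added Python example (not code from the question, the answer or Cheat Engine itself). It decodes the original 8 bytes the script asserts on (F3 0F 11 83 64 01 00 00) back into movss [rbx+164],xmm0, builds the IEEE-754 immediate that (float)100 expands to, and hand-encodes the replacement mov dword ptr [rbx+164],imm32; the helper names are my own.

```python
import struct

# 64-bit base registers in ModRM r/m order (REX.B assumed 0, as in the page's bytes).
GPR64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def float_imm(value: float) -> bytes:
    """Little-endian IEEE-754 single: the bytes CE emits for a (float)### immediate."""
    return struct.pack("<f", value)


def int_imm(value: int) -> bytes:
    """Plain 32-bit integer immediate: what 'mov [mem],100' without (float) would write."""
    return struct.pack("<I", value)


def encode_mov_mem_imm32(base: str, disp: int, imm: bytes) -> bytes:
    """Encode 'mov dword ptr [base+disp32], imm32' as C7 /0 with mod=10 (disp32)."""
    if len(imm) != 4 or base not in GPR64 or base == "rsp":
        raise ValueError("need a 4-byte immediate and a base without SIB")
    modrm = (0b10 << 6) | (0 << 3) | GPR64.index(base)
    return bytes([0xC7, modrm]) + struct.pack("<i", disp) + imm


def decode_movss_store(code: bytes):
    """Decode 'F3 0F 11 /r' (movss m32, xmm) in the [base+disp32] form.

    Returns (xmm register, base register, displacement); constructed for the
    bytes quoted in the script, SIB and RIP-relative forms are not handled.
    """
    if len(code) < 8 or code[:3] != b"\xf3\x0f\x11":
        raise ValueError("not a movss store with disp32")
    modrm = code[3]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0b10 or rm == 0b100:
        raise ValueError("unsupported addressing form")
    disp = struct.unpack("<i", code[4:8])[0]
    return f"xmm{reg}", GPR64[rm], disp


def needs_trampoline(original: bytes, replacement: bytes) -> bool:
    """True when the replacement cannot be patched over the original in place."""
    return len(replacement) > len(original)


if __name__ == "__main__":
    original = bytes.fromhex("F30F118364010000")       # bytes from the script's define(bytes,...)
    print(decode_movss_store(original))                # ('xmm0', 'rbx', 356) i.e. [rbx+0x164]
    patched = encode_mov_mem_imm32("rbx", 0x164, float_imm(100.0))
    print(patched.hex(" "), needs_trampoline(original, patched))
```

The 10-byte replacement is longer than the 8-byte movss it replaces, which is why the script's jmp newmem / nop 3 trampoline is needed rather than an in-place overwrite; the int_imm/float_imm pair shows that without (float) the game would read 100 as the denormal 0x00000064, not 100.0.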
