Thanks! I was having trouble with some Unity games using floats and doubles. This was nice, simple and straight to the point.
My pleasure pal, glad I was able to help you
Great lesson! This shit made me beat my head against the wall the first time I ever ran across it, lol.
Ha Ha Ha Thank you pal.. My head is very familiar with that wall as well.
Forgive me for having to hide the like/dislike, but I do get haters and that's fine. But I have one particular hater that has many accounts and loves to spam my vids with dislikes with each of them, which doesn't bother me, because I get paid every time he comes here to do it, but I feel the need to turn it off because I know it's one person doing it, but others may think it is several when it isn't. I do care about your opinions and your comments, so please don't take me turning it off as me not caring. I just refuse to give that troll any satisfaction for his pathetic trolling actions.
Great video! I was asking myself a long time how to write a script for that but that it would be so easy blew my mind.
You're doing a great job making these videos. keep on!
Thank you friend.. I'm glad I was able to help you.
hey @15:15 when you alloc (dammo,4) we need to dealloc it down there too right?
Yes you do, I sometimes forget it
Yet another awesome tutorial man!
I've known about the (float) (double) (int) method for ages but it's still entertaining to watch you because I feel like I still learn a lot throughout your videos. It's like magic! You seem to always cover stuff you wouldn't even expect, which is truly amazing. I've learned a lot from you!
I have a question though.
You know the qword, you name it.. What are these? Can you list all of them, qword, dword... and have an explanation on them? I'd appreciate it a ton! Thanks :)
Thank you Aunt Melissa. ;) here you go: www.c-jump.com/CIS77/ASM/Instructions/I77_0250_ptr_pointer.htm
and
edwin-wang.com/2012/02/bit-nybble-byte-word-dword-qword/
For 32bit,
bit = …1 bit…
nybble = 4 bits = 1/2 byte
byte = 8 bits = 2 nybbles
WORD = 2 bytes = 4 nybbles = 16 bits
DWORD = 2 WORDs = 4 bytes = 8 nybbles = 32 bits
QWORD = 2 DWORDs = 4 WORDs = ….. = 64 bits
mov BYTE PTR [ESI], 5 ; Store 8-bit value
mov WORD PTR [ESI], 5 ; Store 16-bit value
mov DWORD PTR [ESI], 5 ; Store 32-bit value
mov QWORD PTR [ESI], 5 ; Store 64-bit value
ty Chris !! :) I finally learned what FLD / FSTP / XMM1 mean, thanks to you :D , keep up the good work ! :D
You are welcome my friend. I do appreciate you watching! :)
hey man, I do some hacks with cheat engine, but I wonder if it's possible to model swap via CE?
Yes it is possible, but I'm not sure how to go about it though
Oh nice, i already did character modifier, map modifier ... i want to swap models cause the game has some interesting things
like cutscene models and that kind of stuff
Great Tutorial Man! Helped Me Get through my First FSTP Encounter!
Keep up the Awesome Videos!!
Thank you pal I appreciate you watching.
Could You Do a Tutorial On Dealing With games that reset values to 0 when Said Value is modified ?
John Kittz that sounds like a reasonable thing for me to look into for you.. Although that there could be many reasons this happens beyond some type of anti hacks -- Sn34kyMofo made a vid where this happened to him but it stemmed from a CMP and Flag discrepancies he showed how to fix.. You may want to give it a look and maybe see if this helps you until I can pull some things together : ua-cam.com/video/uBCo-Ek0rPg/v-deo.html
+Cheat The Game Thanks so much man! It really means a lot you're taking the time to do this for me. I just wanna know if there's a way to stop the reset from happening. I don't think it's an anti-cheat since I've tried for hours to locate the "soldier" and the "phone"
John Kittz It's no problem, I'm always happy to try to help when I can.. I believe trying that pushf and popf method may be your fix for the instant zeros. Flags can be cruel sometimes. I'd give that vid link a look; he goes over it step by step.
Can we actually find out which float value is loaded? Like Float = 1000
thank you so much for the awesome tut. I've been talking to your pals at the CTG discord and they have helped me do so much man, so keep doing what you are doing :D
Glad to hear it! Thank you for your support!
does this work with 64 bit too? where the opcode starts with 'movsd', cuz when I try it crashes
that means it is using a double with a carrier xmm registry.. You can't move a double value directly into the address, so you would need to use that xmm registry.
eg:
label(my_double)
registersymbol(my_double)
newmem:
code:
movsd xmm0,[my_double]   // load the 8-byte double into the xmm carrier register
movsd [rax+10],xmm0      // store all 8 bytes at the target address
jmp return
my_double:
dq (double)9999          // 8 bytes of storage for the double
thanks mate!!!!
@@ChrisFayte And also why do you make the alloc for newmem from 1000 to 100 ?
@@94D33M It isn't working because you are trying to move a double into a single precision floating point.. it needs to be movsd not movss because you need two addresses stored in the xmm1 registry, and under your mydouble label skip a space between the dq and the (double)9999 - I change it to 100 just as a personal preference to allocate less space.
[ENABLE]
aobscanmodule(INJECT,Tutorial-x86_64.exe,F3 0F 11 8E B8 07 00 00) // should be unique
alloc(newmem,$1000,"Tutorial-x86_64.exe"+2C283)
label(code)
label(return)
label(mydouble)
registersymbol(mydouble)
newmem:
  movsd xmm1,[mydouble]       // load all 8 bytes of the double into xmm1
  movsd [rsi+000007B8],xmm1   // store the full 8-byte double at the target
  jmp return
code:
  movss [rsi+000007B8],xmm1   // the original 4-byte store, left for reference; never reached
  jmp return
mydouble:
  dq (double)9999             // 8 bytes of storage; (double) makes CE encode it as a double
INJECT:
  jmp newmem
  nop 3                       // the original instruction is 8 bytes, the jmp is 5
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
  db F3 0F 11 8E B8 07 00 00  // restore the original bytes
unregistersymbol(INJECT)
unregistersymbol(mydouble)
dealloc(newmem)
@@ChrisFayte Thanks a lot for the reply, btw nice music at the start and end, was epic, what music is it ?
There's an even easier way to handle DOUBLE values. When you find the opcode that writes or accesses the targeted address, there should always be another 4 bytes AFTER the targeted offset.
So instead of the one shown in your video:
alloc(dammo,4)
dammo: dq (double)5000
newmem:
code: fld qword ptr[dammo]
fstp qword ptr [ebx+498]
This is MUCH easier with this variation:
newmem:
code: fstp qword ptr [ebx+498]
mov [ebx+49C],(float)5000
DOUBLE values always have 8 bytes in association, so it only makes sense that the next 4 bytes added onto offset 498 would be the targeted value in its true form, and by true form I mean its FLOAT form.
That is awesome!! Thank you for sharing that.. Yes much easier..
Just one question though, why does it give me a truncated float value when I try that method?
Putting it in its hex form seems to have fixed it:
code:
fstp qword ptr [ebx+498]
mov [ebx+498],00000000
mov [ebx+49C],40B38800
I'm confused as to how +Jesus Christ thought that would be a good idea...
The float and double formats are based on a similar principle, namely exponents, BUT they are different, a float has 8 bits for the exponent and 23 for the fractional portion while a double has 11 bits for the exponent and 52 for the fraction (see en.wikipedia.org/wiki/Single-precision_floating-point_format and en.wikipedia.org/wiki/Double-precision_floating-point_format).
Simply making the second 32 bits of a double 0 (second due to endianness) and then setting the first 32 bits (which is the sign value, the 11 exponent bits, and 20 fractional bits) to the full 32 bit sign-exponent-fraction format of a float is obviously illogical if you expect it to make the double have the same value as the float, eg. (float)5000, since 3 bits previously used to represent the fractional value are now also used as part of the representation for the exponent. It simply doesn't make sense.
+Cheat The Game's method on the other hand, of moving the hex/binary format for a value manually does, but it only works if you can afford to have the second half be 0 (you probably can since you're probably not putting some really specific value like 1.99242474433223), or at least are willing to "manually" determine the hex value for each half and store it in two mov instructions (since mov qword ptr [xxx], xxx won't let you do it in one), and which half goes where in the 8 bytes, which means you have to keep that endianness in mind.
Personally I'd prefer putting the value in memory and then using fld/fild since it requires less understanding of how everything is working. It probably also technically uses less memory (you're still putting a 64 bit double value somewhere but now you have 2 mov statements) but even more importantly is that you could change that memory at anytime and thus change what value is being stored, whereas it'd be a lot harder to change the instructions storing constant/immediate values (to use the technical assembly term you'd see abbreviated in docs, eg imm).
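An added Python example (mine, not code from the video or from any commenter) that makes the bit-layout point above concrete: it packs values with the struct module to show the single- and double-precision patterns, splits a double into the low/high dwords that land at offset+0 and offset+4 on little-endian x86, reads back what the "float bits in the high dword" variant actually produces, and emits the two 32-bit mov lines that store an exact double. The ebx+498 base/offset and the value 5000 come from the thread; via_float is my assumption about what the fld dword ptr stack route mentioned further down does to the constant (rounds it to single precision first).

```python
import struct

# Field widths of the two formats referenced above: (exponent bits, fraction bits)
FLOAT_FIELDS = (8, 23)
DOUBLE_FIELDS = (11, 52)


def float_bits(value):
    """Single-precision bit pattern, i.e. what CE emits for (float)value."""
    return struct.unpack("<I", struct.pack("<f", value))[0]


def double_bits(value):
    """Double-precision bit pattern, i.e. what CE emits for dq (double)value."""
    return struct.unpack("<Q", struct.pack("<d", value))[0]


def split_double(value):
    """(low dword, high dword) as they sit in memory on little-endian x86:
    the low dword is at offset+0, the high dword at offset+4."""
    bits = double_bits(value)
    return bits & 0xFFFFFFFF, bits >> 32


def double_from_dwords(low, high):
    """Reassemble a double from the dwords found at offset+0 and offset+4."""
    return struct.unpack("<d", struct.pack("<II", low, high))[0]


def decode_fields(bits, exp_bits, frac_bits):
    """Split a raw bit pattern into (sign, biased exponent, fraction)."""
    sign = bits >> (exp_bits + frac_bits)
    exponent = (bits >> frac_bits) & ((1 << exp_bits) - 1)
    fraction = bits & ((1 << frac_bits) - 1)
    return sign, exponent, fraction


def float_in_high_dword(value):
    """What the target holds after 'fstp qword ptr [ebx+498]' followed by
    'mov [ebx+49C],(float)value': float bits in the high dword, with the
    low dword modelled as 0 here (assumption; in the game it is whatever fstp left)."""
    return double_from_dwords(0, float_bits(value))


def via_float(value):
    """Assumed effect of 'mov [esp-4],(float)v; fld dword ptr [esp-4]; fstp qword ptr [...]':
    the constant is rounded to single precision before being widened to a double."""
    return struct.unpack("<f", struct.pack("<f", value))[0]


def mov_pair_for_double(value, offset, base="ebx"):
    """The two 32-bit mov lines that write an exact double, low dword first."""
    low, high = split_double(value)
    return [f"mov [{base}+{offset:X}],{low:08X}",
            f"mov [{base}+{offset + 4:X}],{high:08X}"]


if __name__ == "__main__":
    print("float 5000  :", f"{float_bits(5000.0):08X}")
    print("double 5000 :", f"{double_bits(5000.0):016X}")
    bad = float_in_high_dword(5000.0)
    print("float bits placed in the high dword read back as:", bad)
    print("its double fields (sign, exp, frac):", decode_fields(double_bits(bad), *DOUBLE_FIELDS))
    print("\n".join(mov_pair_for_double(5000.0, 0x498)))
    print("1.99242474433223 via the float route:", via_float(1.99242474433223))
```

Running it shows why the hex pair 00000000 / 40B38800 works for 5000 (the double's low dword happens to be zero) and why the float pattern 459C4000 in the high dword decodes to a biased exponent of 1113 instead of 1035, i.e. a value around 2e27 rather than 5000. For a value such as 1.99242474433223 the low dword is not zero, so both mov lines carry real bits, and the float route stores a value that no longer equals the original constant.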
FreeER atubeacct The question shouldn't be 'why it's a good idea', it should be 'does it work'. The answer is quite evident, Yes. Then next should be, is it fast? Definitely, all you gotta do is add one line of opcode at the bottom (or top, depending on the game). Then next, is it easy to change dynamically? Yes, just change the floating value under that line of opcode and you're good to go. I reckon you try this on many flash games, this is how they function. Heck maybe even PC games, but not a lot of PC games use doubles.
Cheat The Game You don't need to put in *'mov [ebx+498],00000000'*, just go straight into the next line and you're good. As for why it requires you to do it in HEX form, I can't tell, *maybe* it's on Cheat Engine's end. Sometimes you will require to put it in HEX form, just like I have to cmp some offsets in their HEX form instead of their byte form. I'm kind of annoyed by that, always gets me lol.
Recommend a video made by Stephen Chapman called *'Search Tips for Game Hacking Research'* And look up on the comment section to find a user name *'wikiwikit'* and read the discussion about a test someone did for Double values.
Cheers!
Thanks for the tutorial, it helps me a lot for understanding the function in Assembler! (Even though I don't use "CheatEngine")
Hi! Have you tried to cheat the game called From Dust? Like infinite material, timer freeze etc. I tried to do it with your video but I failed every time and I have no idea how to do it the right way. :(
will this still work if the double has more than 300 decimal places, like this number: 7.29291075675719E-304
yes but if that value is affecting what you are wanting to affect.. Then I seriously doubt it is a double. Try changing that value's value type and see if another value type makes more sense, you hardly ever find a value with an exponent like that.
for all of the value types I use the value doesn't change when it is supposed to. Except for when it is at 8 bytes, which makes the value 72058698909876224. But do I have to use some specification when using an 8 byte value like you have to do with a float "(float)"?
You would use the same expressions for a quad word for both..
ok, thank you. I'm a big fan of your videos btw :D
error in line 14: this instruction can't be compiled. how to fix? please reply
I would need to see your script to see the error
but how can I show you
Do you not know how to copy and paste?
Would just like to point out that you should allocate 8 bytes not 4 (alloc(dammo, 8)), since it results in a memory "leak" where you change some random bytes. otherwise good tutorial :D
Thank you pal, yes that was an oversight on my part. I appreciate all the input you provide, you always have good information. I like that. =D
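An added Python check (my own, not the video's or any commenter's script) for exactly this oversight: it walks a Cheat Engine auto-assembler script, counts the bytes each db/dw/dd/dq directive emits using the byte/WORD/DWORD/QWORD sizes listed earlier in the thread, and flags any alloc() that is smaller than the data placed under its label. The embedded script is a constructed sample modelled on the alloc(dammo,4) / dq (double)5000 fragment quoted above, not the video's exact script; it counts only data directives, not the bytes of instructions assembled inside an allocation.

```python
import re

# Bytes emitted per data directive: the byte/WORD/DWORD/QWORD sizes from the thread.
DIRECTIVE_SIZE = {"db": 1, "dw": 2, "dd": 4, "dq": 8}

ALLOC_RE = re.compile(r"^alloc\(\s*(\w+)\s*,\s*(\$?[0-9A-Fa-f]+)", re.I)
LABEL_RE = re.compile(r"^(\w+):\s*(.*)$")
DATA_RE = re.compile(r"^(db|dw|dd|dq)\s+(.*)$", re.I)


def parse_size(token):
    """CE reads a $-prefixed size as hex and a bare number as decimal."""
    return int(token[1:], 16) if token.startswith("$") else int(token)


def data_bytes(directive, operands):
    """Bytes a directive emits: one slot per comma-separated operand.
    (Quoted strings in db are not handled; every operand is assumed numeric.)"""
    count = len([op for op in operands.split(",") if op.strip()])
    return DIRECTIVE_SIZE[directive.lower()] * count


def check_allocations(script):
    """Attribute each data directive to the allocation whose label it follows and
    return {name: (allocated, emitted)} for allocations that are too small.
    Only db/dw/dd/dq bytes are counted; instructions inside a block are not."""
    allocs, emitted, current = {}, {}, None
    for raw in script.splitlines():
        line = raw.split("//", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        m = ALLOC_RE.match(line)
        if m:
            allocs[m.group(1)] = parse_size(m.group(2))
            emitted[m.group(1)] = 0
            continue
        m = LABEL_RE.match(line)
        if m:
            if m.group(1) in allocs:                  # entering an allocated block
                current = m.group(1)
            line = m.group(2).strip()                 # data may follow the label on the same line
            if not line:
                continue
        m = DATA_RE.match(line)
        if m and current is not None:
            emitted[current] += data_bytes(m.group(1), m.group(2))
    return {n: (allocs[n], emitted[n]) for n in allocs if emitted[n] > allocs[n]}


# Constructed sample modelled on the fragment quoted in the thread (not the video's script).
SCRIPT_AS_POSTED = """
alloc(newmem,$1000)
alloc(dammo,4)          // 4 bytes reserved ...
label(code)
label(return)
dammo: dq (double)5000  // ... but a dq emits 8, spilling into the next 4 bytes
newmem:
code: fld qword ptr [dammo]
fstp qword ptr [ebx+498]
jmp return
"""

if __name__ == "__main__":
    print(check_allocations(SCRIPT_AS_POSTED))    # {'dammo': (4, 8)}
    fixed = SCRIPT_AS_POSTED.replace("alloc(dammo,4)", "alloc(dammo,8)")
    print(check_allocations(fixed))               # {}
```

The flagged entry reports 4 bytes allocated against 8 emitted, which is the "leak" described above: the second half of the double is written into whatever happens to follow the 4-byte allocation. Changing the alloc to 8 clears the report.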
Haven't watched this yet, but I'm pretty sure it's going to be good and useful (I have a vague idea of how they work but...) xD
edit: I've watched now and it was as good and useful as I'd expected xD
Thank you man.. You probably won't need this lesson as your knowledge is more vast.. This lesson is more on a beginner/intermediate level, due to lots of questions I get about floats, doubles, fld, and fstp.. So I decided to make the vid instead of answering each one over and over.
Actually, I stopped at 2 minutes and started trying this myself... the float was easy enough using my typical "mov [xxx], (float)xxx" after the fstp (overwriting whatever the value was) but that isn't working for the double lol... I could probably google how to pop a float/double and load a constant value as a double and then repeat the store and pop instruction but.. that's what your video is for right? xD
I've really just started to shift to using AA scripts more often, I'd used pointers for the longest time because I understood them better (and haven't shared my CTs much), so I haven't really looked into how the floating point instructions worked recently (let alone used them enough to have it memorized yet).
Yeah exactly, I just hardly ever run into it, so I never gave it much thought. When I did run into it, it was a situation where I could just nop it out or just find a pointer path and be done with it. But I had never actually tried to move a value into a qword before, so I had to research it a bit, and the different ways people were doing it, made no sense to me as a lot of them were reaching over their shoulders to scratch their ass type routes. Finally I found Geri and MrAntiFun that gave info in the past, that made more sense to me that works beautifully.
What I ended up with for the double before fully watching the implementation (I started googling when I saw dq because I vaguely remembered doing it before a long time ago) was pastebin.com/CeTRJdBq using fild instead of fld, just because I tend to use ints more so if I were to want to load something that _wasn't_ a constant and likely to change it's probably going to be an int, not a double and thus this requires less conversions back and forth (presumably).
Nice video btw. Though by the end I was kind of hoping you'd mention/show or link to the other ways you found of people storing a double, at least assuming they weren't all obvious things done because the author didn't know this method... xD
Though I imagine a common one would have been using the stack for the memory instead of pre allocating memory eg.
sub esp, 8
mov [esp], #5000
fild [esp]
add esp, 8
fstp qword ptr [ebx+498]
or even just
mov [esp-8], #5000
fild [esp-8]
fstp qword ptr [ebx+498]
though, those might only work well with fild since testing with (double) and fld seems to work as well as the original attempt duplicating the float method, not lol
btw, got the stack to work with (float) and fld dword ptr lol
mov [esp-4], (float)5000
fld [esp-4] // or fld dword ptr [esp-4] if you want to be explicit
fstp qword ptr [ebx+498]
Using (double) causes CE to do just mov ..., 0 for some reason but without error when clicking "ok" in the editor.
Nice video man
Thank you my friend.
Cheat The Game
Hi, I would like to point you to a game that is a real challenge, as the value resets every menu, every turn the dma has changed. I would really like it if you could take on this challenge. Also, how do you zoom in? What program do you use to record and edit, to do the zooms in your videos?
the challenge game name is
blood bowl 2 Norse
I'm stuck on even team gold let alone team stats. I'm going to try to save the pointer to global symbol but I think what's required is back tracing
the game even if values are frozen it drops that address and makes a new dma instantly. I've never seen a game do that before.
I'd love to learn how to go about hacking this one
I know finding good example games is hard so here is one that almost says try hacking me ha ha!
I'd also like to see what you could do with pocket ufo pc. imo its found to train with.
I look forward to your insight into this game. Thanks for adding to the wonderful cheat engine community
Cheers!
love your accent!
heh heh Thank you friend. :)