Solved Failing to retrieve register content via CodeCave


mystery

Newbie
Full Member
Oct 30, 2015
Sup guys.

So I've watched Fleep's tut on "Midfunction Hooking" (removed the hyperlink as the video popped up), which also led me here, and decided to try my luck using another game. (Metin2 - no hate, looked for a simple mp game :D)
I'm trying to modify Move- as well as Attackspeed, which is a matter of seconds scanning with CE.

As far as I can tell, the hooking works just fine along with the pattern scan. Found addresses match, and following the injected jumps everything seems fine.
The problem is, my register reading appears to be changing in an interval of some seconds, crashing the game when I try to modify the address.
Here's some source:
C++:
PlaceJMP((BYTE*)movAddy, (DWORD)GetPlayerMovspeed, 8);
C++:
// Globals declared elsewhere in the source: DWORD MovspdRegister; DWORD MovJmpBack;
__declspec(naked) void GetPlayerMovspeed()
{
	__asm {
		MOVSS XMM0, DWORD PTR DS:[ECX + 0x3D0]   // the instruction overwritten by the placed jump
		MOV MovspdRegister, ECX                  // save ECX for the main thread to read
		// Jump back to our original code
		JMP [MovJmpBack]
	}
}
How I check for the value in my MainThread:
C++:
		if (GetAsyncKeyState(VK_CONTROL))
		{
			MsgBoxAddy(MovspdRegister);
		}
And here are the original instructions:
C++:
00569068  |. 7B 27            JPO SHORT metin2.00569091
0056906A  |. F3:0F118E D00300 MOVSS XMM0, DWORD PTR DS:[ECX+3D0]	<--------
00569072  |. E8 89600000      CALL metin2.0056F100
I also tried to compare live CE register readings with my output, without a match.

Maybe you guys come up with some idea, thanks in advance
Mystery

Edit:
main source file without the dll entry: https://pastebin.com/Ny0a99dr
pre/post hook comparison (sry for format): https://imgur.com/a/4gBlx
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
PDWORD = DWORD PTR, pointer arithmetic dictates that when you add (or subtract), you're adding the size of the pointer.

I.e. DWORDPTR stuff = 0x0;
stuff += 1;

This will have stuff equal to address 4, because the size of a pointer (x86) is 4 bytes, so it's adding the equivalent of 1 pointer to "stuff".

What you want is just a standard dword.
C++:
long addr = *(long*)(Baseaddr + 0xFC32D0);   // Baseaddr is an integer (e.g. DWORD), so the offset is in bytes
addr = *(long*)(addr + 0x10);                // addr is a long, not a pointer, so + 0x10 is 16 bytes
A nifty tip is to cast to unsigned char * before adding offsets, that type will always be equal to 1 byte (correct me if I'm wrong), so you don't have to worry about the pointer arithmetic
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
Well you posted a lot of code... so where exactly does it crash, and with what error?
 

mystery

Newbie
Full Member
Oct 30, 2015
Well you posted a lot of code... so where exactly does it crash, and with what error?
It doesn't certainly crash, the game does when I try to modify an invalid address, caused by the "corrupt" register reading
 

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
It doesn't certainly crash, the game does when I try to modify an invalid address, caused by the "corrupt" register reading
We need a little bit more code. For example how do you initialize MovJmpBack?
And did you double check with a memory viewer if the jmp gets placed properly?
 

mystery

Newbie
Full Member
Oct 30, 2015
Broihon said:
We need a little bit more code. For example how do you initialize MovJmpBack?
And did you double check with a memory viewer if the jmp gets placed properly?
I did double-check, seemed fine to me. I made 2 photos earlier today, gonna add them to the main post as well as more code

Edit: Am I the only one for whom the main topic completely vanished?!
Here it is(would be nice if some mod could fix that):
Sup guys.

So I've watched Fleep's tut on "Midfunction Hooking" (removed the hyperlink as the video popped up), which also led me here, and decided to try my luck using another game. (Metin2 - no hate, looked for a simple mp game :D)
I'm trying to modify Move- as well as Attackspeed, which is a matter of seconds scanning with CE.

As far as I can tell, the hooking works just fine along with the pattern scan. Found addresses match, and following the injected jumps everything seems fine.
The problem is, my register reading appears to be changing in an interval of some seconds, crashing the game when I try to modify the address.
Here's some source:
C++:
PlaceJMP((BYTE*)movAddy, (DWORD)GetPlayerMovspeed, 8);
C++:
// Globals declared elsewhere in the source: DWORD MovspdRegister; DWORD MovJmpBack;
__declspec(naked) void GetPlayerMovspeed()
{
	__asm {
		MOVSS XMM0, DWORD PTR DS:[ECX + 0x3D0]   // the instruction overwritten by the placed jump
		MOV MovspdRegister, ECX                  // save ECX for the main thread to read
		// Jump back to our original code
		JMP [MovJmpBack]
	}
}
How I check for the value in my MainThread:
C++:
		if (GetAsyncKeyState(VK_CONTROL))
		{
			MsgBoxAddy(MovspdRegister);
		}
And here are the original instructions:
C++:
00569068  |. 7B 27            JPO SHORT metin2.00569091
0056906A  |. F3:0F118E D00300 MOVSS XMM0, DWORD PTR DS:[ECX+3D0]	<--------
00569072  |. E8 89600000      CALL metin2.0056F100
I also tried to compare live CE register readings with my output, without a match.

Maybe you guys come up with some idea, thanks in advance
Mystery

Edit:
main source file without the dll entry: https://pastebin.com/Ny0a99dr
pre/post hook comparison (sry for format): https://imgur.com/a/4gBlx
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
1.) movAddy += 0; - that's useless
2.) Ew you uploaded it rotated :(
3.) Why does your code MOVSS from ecx into xmm0 when the code shows movss [esi+3d0], xmm1?
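The direction question in point 3 can be settled from the raw bytes rather than from the mnemonic typed into the post. The listing pasted earlier gives `F3 0F 11 8E D0 03 00 00` at 0056906A, and the two MOVSS encodings differ only in the opcode byte (0F 10 loads memory into the xmm register, 0F 11 stores the register into memory) while the ModRM byte names the registers. The following decoder is an added example, not code from the thread or from anyone's posted source; it understands only those two MOVSS forms with a base register plus displacement, and reports SIB (r/m == 4) and register-direct forms as unhandled instead of guessing. The second byte string is constructed here as what the mnemonic written in the post, `MOVSS XMM0, DWORD PTR [ECX+3D0]`, would encode as, so the two can be compared:

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <initializer_list>
#include <string>
#include <vector>
#include <iostream>

// 32-bit general-purpose register names indexed by the ModRM r/m field.
static const char* kGpr32[8] = {"eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"};

struct MovssDecode {
    bool ok = false;          // false: not a MOVSS form this demo understands
    std::size_t length = 0;   // instruction length in bytes (what a mid-function hook must steal)
    std::string text;         // Intel-syntax disassembly
};

// Decodes F3 0F 10 (MOVSS xmm, m32: load) and F3 0F 11 (MOVSS m32, xmm: store)
// with a [reg + disp] memory operand. Register-direct (mod == 3) and SIB (r/m == 4)
// operands are reported as not handled rather than guessed.
MovssDecode decodeMovss(const std::uint8_t* code, std::size_t size) {
    MovssDecode out;
    if (size < 4 || code[0] != 0xF3 || code[1] != 0x0F || (code[2] != 0x10 && code[2] != 0x11))
        return out;
    const bool isStore = (code[2] == 0x11);
    const std::uint8_t modrm = code[3];
    const unsigned mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    if (mod == 3 || rm == 4) return out;

    // Displacement size follows from mod; mod == 0 with r/m == 5 is an absolute disp32.
    std::size_t dispSize = 0;
    if (mod == 1) dispSize = 1;
    else if (mod == 2 || (mod == 0 && rm == 5)) dispSize = 4;
    if (size < 4 + dispSize) return out;

    std::int32_t disp = 0;
    if (dispSize == 1) {
        disp = static_cast<std::int8_t>(code[4]);
    } else if (dispSize == 4) {
        std::uint32_t raw;
        std::memcpy(&raw, code + 4, sizeof raw);   // little-endian disp32
        disp = static_cast<std::int32_t>(raw);
    }

    char mem[48];
    if (mod == 0 && rm == 5) {
        std::snprintf(mem, sizeof mem, "dword ptr [0x%x]", static_cast<unsigned>(disp));
    } else if (disp == 0) {
        std::snprintf(mem, sizeof mem, "dword ptr [%s]", kGpr32[rm]);
    } else {
        const unsigned mag = disp < 0 ? 0u - static_cast<unsigned>(disp) : static_cast<unsigned>(disp);
        std::snprintf(mem, sizeof mem, "dword ptr [%s%c0x%x]", kGpr32[rm], disp < 0 ? '-' : '+', mag);
    }
    char xmm[8];
    std::snprintf(xmm, sizeof xmm, "xmm%u", reg);

    // 0F 11 stores the register into memory, 0F 10 loads memory into the register.
    out.text = isStore ? std::string("movss ") + mem + ", " + xmm
                       : std::string("movss ") + xmm + ", " + mem;
    out.length = 4 + dispSize;
    out.ok = true;
    return out;
}

// Bytes exactly as pasted in the thread's listing at 0056906A.
const std::vector<std::uint8_t> kThreadBytes = {0xF3, 0x0F, 0x11, 0x8E, 0xD0, 0x03, 0x00, 0x00};
// Constructed: the encoding of "MOVSS XMM0, DWORD PTR [ECX+3D0]", the mnemonic typed in the post.
const std::vector<std::uint8_t> kTypedBytes  = {0xF3, 0x0F, 0x10, 0x81, 0xD0, 0x03, 0x00, 0x00};

int main() {
    for (const auto* bytes : {&kThreadBytes, &kTypedBytes}) {
        const MovssDecode d = decodeMovss(bytes->data(), bytes->size());
        std::cout << (d.ok ? d.text : std::string("not a handled MOVSS form"))
                  << "  (" << d.length << " bytes)\n";
    }
    return 0;
}
```

ModRM 0x8E splits into mod = 2 (disp32), reg = 1 (xmm1), r/m = 6 (esi), so the pasted bytes decode to `movss dword ptr [esi+0x3d0], xmm1`, an 8-byte store, which is what mambda read off the screenshot; the typed mnemonic would need opcode 0F 10 and ModRM 0x81 instead. The length field is also the number of bytes a hook at that address must replace, which matches the 8 passed to PlaceJMP.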
 

mystery

Newbie
Full Member
Oct 30, 2015
1.) movAddy += 0; - that's useless
2.) Ew you uploaded it rotated :(
3.) Why does your code MOVSS from ecx into xmm0 when the code shows movss [esi+3d0], xmm1?
1) and 3) are because i tried to use a different place in the process after the former failed
2) sry :D
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
Well, using the spot you showed in the image you have to use esi and put the value from xmm1 into esi+3d0, then you can get whatever value you want, I assume from esi.

That'd probably be why you have an "invalid" address, because you're getting it from the wrong register. If that's not the case then show us your updated code so we aren't working from the past
 

mystery

Newbie
Full Member
Oct 30, 2015
Well, using the spot you showed in the image you have to use esi and put the value from xmm1 into esi+3d0, then you can get whatever value you want, I assume from esi.

That'd probably be why you have an "invalid" address, because you're getting it from the wrong register. If that's not the case then show us your updated code so we aren't working from the past
The image was to confirm the jump is placed correctly, which is the case imo.

Apart from that, I've run into another problem;
I moved to a pointer since the hooking won't work which looks like this
Reading the first address works just fine:
C++:
PDWORD pdwAddress = (PDWORD)*(PDWORD)(baseAdr + 0x00FC32D0);
MsgBoxAddy((DWORD)pdwAddress);
But adding the next offset
C++:
// pdwAddress is a PDWORD, so + 0x10 advances 0x10 DWORDs (0x40 bytes), not 0x10 bytes
PDWORD pdw2ndAddress = (PDWORD)*(PDWORD)(pdwAddress + 0x10);
MsgBoxAddy((DWORD)pdw2ndAddress);
Always reads a zero, causing the game to crash on the next step

PS: Reading the destination address (in this case 0x0BDFE120) directly works flawlessly as well.
 

mystery

Newbie
Full Member
Oct 30, 2015
PDWORD = DWORD PTR, pointer arithmetic dictates that when you add (or subtract), you're adding the size of the pointer.

I.e. DWORDPTR stuff = 0x0;
stuff += 1;

This will have stuff equal to address 4, because the size of a pointer (x86) is 4 bytes, so it's adding the equivalent of 1 pointer to "stuff".

What you want is just a standard dword.
C++:
long addr = *(long*)(Baseaddr + 0xFC32D0);   // Baseaddr is an integer (e.g. DWORD), so the offset is in bytes
addr = *(long*)(addr + 0x10);                // addr is a long, not a pointer, so + 0x10 is 16 bytes
A nifty tip is to cast to unsigned char * before adding offsets, that type will always be equal to 1 byte (correct me if I'm wrong), so you don't have to worry about the pointer arithmetic
Finally, at least something works
One of those retarded mistakes taking ages to be discovered :D, thanks
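The scaling rule mambda describes, both in his post above and in the quote that resolved the pointer-chain problem here, is easy to see on a buffer of our own. The following is an added example, not code from the thread or from the posted source: it lays out a two-level chain in a constructed 256-byte array standing in for a slice of process memory (the offsets 0x20, 0x40 and 0x10 are made up for the demo, not the thread's 0xFC32D0 / 0x10 chain), then reads the final field once with byte-wise arithmetic on an integer address, as suggested, and once by adding 0x10 to a DWORD pointer, as in the failing snippet. The first-level slot holds a `std::uintptr_t` rather than a 32-bit DWORD so the demo also runs on a 64-bit host; that is an assumption of the example, not the 32-bit layout the game uses.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstring>
#include <iostream>

// Constructed stand-in for a slice of the target's address space; nothing here is read
// from a real process, and the offsets below are made up for the demo.
alignas(16) static unsigned char g_memory[256];

constexpr std::size_t kFirstLevelOffset = 0x20;  // base + 0x20 holds the first-level pointer
constexpr std::size_t kObjectOffset     = 0x40;  // that pointer targets base + 0x40
constexpr std::size_t kFieldOffset      = 0x10;  // the field we want is 0x10 *bytes* into the object
constexpr std::uint32_t kFieldValue     = 0x1234; // constructed value stored in that field

// Lays out the two-level chain and returns the fake module base.
std::uintptr_t setupMemory() {
    std::memset(g_memory, 0, sizeof g_memory);
    const std::uintptr_t base = reinterpret_cast<std::uintptr_t>(g_memory);
    const std::uintptr_t object = base + kObjectOffset;
    std::memcpy(g_memory + kFirstLevelOffset, &object, sizeof object);                       // pointer slot
    std::memcpy(g_memory + kObjectOffset + kFieldOffset, &kFieldValue, sizeof kFieldValue);   // the field
    return base;
}

// Reads the pointer-sized value stored at an address.
static std::uintptr_t readPointer(std::uintptr_t addr) {
    std::uintptr_t v;
    std::memcpy(&v, reinterpret_cast<const void*>(addr), sizeof v);
    return v;
}

// Reads a DWORD-sized value stored at an address.
static std::uint32_t readDword(std::uintptr_t addr) {
    std::uint32_t v;
    std::memcpy(&v, reinterpret_cast<const void*>(addr), sizeof v);
    return v;
}

// Correct form: keep the address in an integer (or unsigned char*) so that "+ 0x10"
// means 16 bytes. This mirrors the long / unsigned char* version suggested in the thread.
std::uint32_t readFieldBytewise(std::uintptr_t base) {
    const std::uintptr_t object = readPointer(base + kFirstLevelOffset);
    return readDword(object + kFieldOffset);
}

// The mistake under discussion: adding 0x10 to a DWORD pointer advances 0x10 elements,
// i.e. 0x10 * sizeof(DWORD) = 0x40 bytes, so the read lands on unrelated (here: zeroed) memory.
std::uint32_t readFieldScaled(std::uintptr_t base) {
    const std::uintptr_t object = readPointer(base + kFirstLevelOffset);
    const std::uint32_t* pdw = reinterpret_cast<const std::uint32_t*>(object);
    return readDword(reinterpret_cast<std::uintptr_t>(pdw + kFieldOffset));
}

// How far the scaled form actually moves from the object, in bytes.
std::size_t scaledDistanceBytes(std::uintptr_t base) {
    const std::uintptr_t object = readPointer(base + kFirstLevelOffset);
    const std::uint32_t* pdw = reinterpret_cast<const std::uint32_t*>(object);
    return reinterpret_cast<std::uintptr_t>(pdw + kFieldOffset) - object;
}

int main() {
    const std::uintptr_t base = setupMemory();
    std::cout << std::hex
              << "byte-wise read:  0x" << readFieldBytewise(base) << "\n"
              << "scaled read:     0x" << readFieldScaled(base) << "\n"
              << "scaled distance: 0x" << scaledDistanceBytes(base) << " bytes\n";
    return 0;
}
```

The byte-wise read returns the stored 0x1234, the PDWORD form lands 0x40 bytes past the object and reads the zero that the thread saw, and the following dereference of that zero is what crashed the game. The same rule applies to any typed pointer: `unsigned char*` is the one type whose element size is always 1, which is why casting to it before adding an offset sidesteps the issue.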
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
And to your current problem like i said, show us the updated code + the actual assembly you replaced
 