[Solved] Modifying run speed via memory editor

Aug 26, 2012
4
484
0
Hey all,

So I'm working with a game that looks like I should be able to modify certain player statistics like run speed, attack speed, etc.

I've been going back and forth between using L. Spiro's MHS and CheatEngine to see if I can modify these stats. I can find my run speed as a float, when I use a mount I can see it increase by 30. When I attach the debugger to "find what accesses this address", I get this:

x86 assembly:
ucomiss xmm0,[edi+20]
movss [edi+20],xmm0
fld dword ptr [ecx]
As I understand it, "ucomiss xmm0,[edi+20]" means compare floating point value edi+20 with xmm0. I know that xmm0 is always 0, and edi+20 is the run speed, so it will always set the greater than flag.

Then it copies the value from xmm0 (0) into the address at edi+20.

Then it loads the floating point value from ecx (run speed)... where?

I've tried following the pointers to get to a base address, but end up in a loop, which makes me think maybe I'm tackling this wrong. What would be a good direction to go from here? Try and modify the assembly so instead of it loading the run speed from ecx, I just give it an arbitrary number? Is that possible?

Looking for some direction, thanks.
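Before chasing pointers it helps to pin down exactly what the three instructions do. The block below is an added example in C, not code from the post or from MHS or Cheat Engine: it models the flag results of UCOMISS as the Intel SDM specifies them (ordered greater, less, equal, and the unordered NaN case that sets ZF, PF and CF together), the unsigned branches a compiler pairs with it, and the raw-dword view of the [edi+20] field that MOVSS writes and a scanner displays as a float. The 0x40-byte object with its speed field at +0x20 is constructed for the demo, and the conditional-store function is one common C-level source of such a compare/store pair, not a claim about this game's code. Run with xmm0 = 0 against a speed of 30.0, the compare comes out "less" (CF=1), so a following JA would not be taken.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result flags of UCOMISS xmm, m32 as specified in the Intel SDM. The
 * instruction writes only ZF, PF and CF (OF, SF and AF are cleared). */
typedef struct { int zf, pf, cf; } ucomiss_flags;

static int is_nan(float x) { return x != x; }

ucomiss_flags ucomiss(float xmm0, float mem32) {
    ucomiss_flags f;
    if (is_nan(xmm0) || is_nan(mem32)) { f.zf = 1; f.pf = 1; f.cf = 1; } /* unordered */
    else if (xmm0 > mem32)             { f.zf = 0; f.pf = 0; f.cf = 0; } /* greater   */
    else if (xmm0 < mem32)             { f.zf = 0; f.pf = 0; f.cf = 1; } /* less      */
    else                               { f.zf = 1; f.pf = 0; f.cf = 0; } /* equal     */
    return f;
}

/* Compilers pair UCOMISS with the unsigned branches, so a NaN operand
 * (CF=1) lands in the "below" path rather than raising anything. */
int ja_taken(ucomiss_flags f)  { return f.cf == 0 && f.zf == 0; } /* xmm0 >  mem */
int jae_taken(ucomiss_flags f) { return f.cf == 0; }              /* xmm0 >= mem */
int jb_taken(ucomiss_flags f)  { return f.cf == 1; }              /* xmm0 <  mem, or unordered */

/* MOVSS and FLD copy 32 raw bits; this is the same bit copy in C, and
 * the reason a memory scanner can show a dword as a float. */
float float_from_dword(uint32_t raw) { float v; memcpy(&v, &raw, sizeof v); return v; }
uint32_t dword_from_float(float v)   { uint32_t raw; memcpy(&raw, &v, sizeof raw); return raw; }
float quiet_nan(void)                { return float_from_dword(0x7FC00000u); }

/* Constructed player object for the demo: 0x40 bytes, speed field at +0x20
 * (the [edi+20] offset from the thread). The layout is an assumption. */
#define OBJ_SIZE     0x40
#define SPEED_OFFSET 0x20

float get_speed(const uint8_t *obj) {
    uint32_t raw;
    memcpy(&raw, obj + SPEED_OFFSET, sizeof raw);
    return float_from_dword(raw);
}
void set_speed(uint8_t *obj, float v) {
    uint32_t raw = dword_from_float(v);
    memcpy(obj + SPEED_OFFSET, &raw, sizeof raw);
}

/* One common C-level origin of "ucomiss xmm0,[edi+20] ... movss [edi+20],xmm0":
 * a conditional store that only runs on one flag outcome. That the game's
 * code is exactly this is an assumption; the flag logic is not. */
int store_if_greater(uint8_t *obj, float xmm0) {
    ucomiss_flags f = ucomiss(xmm0, get_speed(obj));
    if (ja_taken(f)) { set_speed(obj, xmm0); return 1; }
    return 0;
}

/* Runs the conditional store against a fresh constructed object and returns
 * the speed afterwards, so one call exercises either branch. */
float speed_after_store(float current, float xmm0) {
    uint8_t obj[OBJ_SIZE] = {0};
    set_speed(obj, current);
    store_if_greater(obj, xmm0);
    return get_speed(obj);
}

int main(void) {
    uint8_t obj[OBJ_SIZE] = {0};
    set_speed(obj, 30.0f);                      /* constructed: mounted speed of 30.0 */
    ucomiss_flags f = ucomiss(0.0f, get_speed(obj));
    printf("ucomiss 0.0 vs %.1f -> ZF=%d PF=%d CF=%d, JA taken: %d\n",
           get_speed(obj), f.zf, f.pf, f.cf, ja_taken(f));
    printf("bytes at +0x20: %02X %02X %02X %02X\n",
           obj[0x20], obj[0x21], obj[0x22], obj[0x23]);
    printf("speed after store_if_greater(0.0): %.1f\n", speed_after_store(30.0f, 0.0f));
    return 0;
}
```

Two points the output makes concrete: 30.0 is stored as the little-endian dword 00 00 F0 41 (0x41F00000), which is why a scanner matching a float and a debugger matching a dword are looking at the same four bytes; and FLD DWORD PTR [ECX] pushes that same bit pattern onto the x87 stack, which on 32-bit x86 is how a function hands a float back to its caller in ST(0) rather than writing it to any fixed address.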
 

Liduen

Hacker
Dank Tier VIP
May 19, 2013
702
8,478
33
Quote (original poster):
Ok so I've still been playing with this a bit more.

I don't understand where/how I'm supposed to declare that variable. There doesn't seem to be any room around this instruction point where I can do this, there's a RETN right before this piece of assembly.

x86 disassembly:
023A1A88 | 8BE5 | MOV  ESP, EBP
023A1A8A | 5D   | POP  EBP
023A1A8B | C3   | RETN
023A1A8C | D901 | FLD  DWORD PTR [ECX]
023A1A8E | 8BE5 | MOV  ESP, EBP
023A1A90 | 5D   | POP  EBP
023A1A91 | C3   | RETN
Feeling stuck, thanks for any help, even if it's a reference to something else. I've been crashing the application over and over and am ready to change my tactic :p
You can hook at 0x23A1A8C.
Redirect the program flow to your own function, from there you can do whatever you like to.

Read more about it here.
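The reply points at 023A1A8C because the FLD there sits directly after a RETN: nothing falls through into it, so it is the first instruction of a separate function, and a function entry is exactly what an integrity check watches from the defending side. The block below is an added example in C, not code from the thread or from any tool it names. It compares the live bytes at an entry against the expected image and classifies the usual redirection encodings (jmp rel32, jmp through a pointer slot, push/ret, int3), resolving where a jmp lands so the finding can be reported. The expected bytes are the six shown in the disassembly (D9 01 8B E5 5D C3) and the address is the one from the post; the buffers the fixtures modify and the 0x10001000 destination are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What an integrity check can find at a function entry. */
enum entry_state {
    ENTRY_INTACT = 0,
    ENTRY_JMP_REL32,    /* E9 rel32        : 5-byte detour */
    ENTRY_JMP_ABS_IND,  /* FF 25 abs32     : jmp through a pointer slot */
    ENTRY_PUSH_RET,     /* 68 imm32 / C3   : push address, ret */
    ENTRY_INT3,         /* CC              : software breakpoint */
    ENTRY_MODIFIED      /* differs from the image in some other way */
};

typedef struct {
    enum entry_state state;
    uint32_t target;    /* resolved destination for the jmp / push-ret forms, else 0 */
    size_t first_diff;  /* index of the first byte that differs, or (size_t)-1 */
} entry_report;

/* The six bytes at 023A1A8C in the thread's listing: D9 01 (FLD DWORD PTR [ECX]),
 * 8B E5 (MOV ESP,EBP), 5D (POP EBP), C3 (RETN). Embedded as the expected image;
 * a real checker reads them from the unpatched module image instead. */
static const uint8_t expected_entry[] = { 0xD9, 0x01, 0x8B, 0xE5, 0x5D, 0xC3 };
#define ENTRY_LEN  (sizeof expected_entry)
#define ENTRY_ADDR 0x023A1A8Cu   /* 32-bit process, address from the thread */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

entry_report check_entry(uint32_t site, const uint8_t *live, size_t len,
                         const uint8_t *expected, size_t exp_len) {
    entry_report r = { ENTRY_INTACT, 0, (size_t)-1 };
    size_t n = len < exp_len ? len : exp_len;
    for (size_t i = 0; i < n; i++)
        if (live[i] != expected[i]) { r.first_diff = i; break; }
    if (r.first_diff == (size_t)-1) return r;              /* image matches */

    r.state = ENTRY_MODIFIED;
    if (len >= 5 && live[0] == 0xE9) {
        r.state  = ENTRY_JMP_REL32;
        r.target = site + 5 + rd32le(live + 1);            /* rel32 counts from the next instruction */
    } else if (len >= 6 && live[0] == 0xFF && live[1] == 0x25) {
        r.state  = ENTRY_JMP_ABS_IND;
        r.target = rd32le(live + 2);                       /* the pointer slot, not the code */
    } else if (len >= 6 && live[0] == 0x68 && live[5] == 0xC3) {
        r.state  = ENTRY_PUSH_RET;
        r.target = rd32le(live + 1);
    } else if (live[0] == 0xCC) {
        r.state  = ENTRY_INT3;
    }
    return r;
}

/* Constructed fixtures: copies of the image with one modification applied each. */
entry_report report_intact(void) {
    return check_entry(ENTRY_ADDR, expected_entry, ENTRY_LEN, expected_entry, ENTRY_LEN);
}
entry_report report_detoured(uint32_t target) {
    uint8_t buf[ENTRY_LEN];
    uint32_t rel = target - (ENTRY_ADDR + 5);
    memcpy(buf, expected_entry, ENTRY_LEN);
    buf[0] = 0xE9;
    for (int i = 0; i < 4; i++) buf[1 + i] = (uint8_t)(rel >> (8 * i));
    return check_entry(ENTRY_ADDR, buf, ENTRY_LEN, expected_entry, ENTRY_LEN);
}
entry_report report_int3(void) {
    uint8_t buf[ENTRY_LEN];
    memcpy(buf, expected_entry, ENTRY_LEN);
    buf[0] = 0xCC;
    return check_entry(ENTRY_ADDR, buf, ENTRY_LEN, expected_entry, ENTRY_LEN);
}

int main(void) {
    entry_report r = report_detoured(0x10001000u);        /* constructed destination */
    printf("intact:   state=%d\n", report_intact().state);
    printf("detoured: state=%d target=%08X first_diff=%zu\n", r.state, r.target, r.first_diff);
    printf("int3:     state=%d\n", report_int3().state);
    return 0;
}
```

The check only reads; the reference bytes have to come from somewhere the patch cannot reach (the module file on disk, or a copy taken before untrusted code could run), and a byte mismatch that fits none of the four patterns is still reported as modified rather than ignored.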
 

till0sch

Respected Hacker
Dank Tier VIP
Dank Tier Donator
Oct 14, 2012
1,104
12,593
51
Quote (original poster):
Try and modify the assembly so instead of it loading the run speed from ecx, I just give it an arbitrary number? Is that possible?
Yes, it is. I don't know how far you are, but if this isn't enemy shared you can do
_asm fld dword ptr [YourVariableHere];
instead of ecx when you are going internal, with inline assembly.

Just note that the data type of your variable must be float (-> dword ptr).
 
Aug 26, 2012
4
484
0
Quote (till0sch):
_asm fld dword ptr [YourVariableHere];
instead of ecx when you are going internal, with inline assembly.

Just note that the data type of your variable must be float (-> dword ptr).
Ok so I've still been playing with this a bit more.

I don't understand where/how I'm supposed to declare that variable. There doesn't seem to be any room around this instruction point where I can do this, there's a RETN right before this piece of assembly.

x86 disassembly:
023A1A88 | 8BE5 | MOV  ESP, EBP
023A1A8A | 5D   | POP  EBP
023A1A8B | C3   | RETN
023A1A8C | D901 | FLD  DWORD PTR [ECX]
023A1A8E | 8BE5 | MOV  ESP, EBP
023A1A90 | 5D   | POP  EBP
023A1A91 | C3   | RETN
Feeling stuck, thanks for any help, even if it's a reference to something else. I've been crashing the application over and over and am ready to change my tactic :p
 

till0sch

Respected Hacker
Dank Tier VIP
Dank Tier Donator
Oct 14, 2012
1,104
12,593
51
Quote (original poster):
Ok so I've still been playing with this a bit more.

I don't understand where/how I'm supposed to declare that variable. There doesn't seem to be any room around this instruction point where I can do this, there's a RETN right before this piece of assembly.

x86 disassembly:
023A1A88 | 8BE5 | MOV  ESP, EBP
023A1A8A | 5D   | POP  EBP
023A1A8B | C3   | RETN
023A1A8C | D901 | FLD  DWORD PTR [ECX]
023A1A8E | 8BE5 | MOV  ESP, EBP
023A1A90 | 5D   | POP  EBP
023A1A91 | C3   | RETN
Feeling stuck, thanks for any help, even if it's a reference to something else. I've been crashing the application over and over and am ready to change my tactic :p
What I mean is making an injectable DLL.
 