KOREAN CHEAT ENGINE MEMORY HACK TUTORIAL - CT INCLUDED

**[MPGH]Jov** · 10-30-2017

Overwatch Aime Nucleus ct everything 4 - Principle
There are two ways to deal with mistakes with the assembly I know. When you are dealing with 32-bit games in the past, you often manipulate mistakes through the f-series. fld, fadd, and fmul. This series of f statements has been continuously written since the game (ex.

Most recent CPUs support SSE . SSE is a set of instructions that use xmm registers and handle them. SSE supports all data types needed for arithmetic operations, such as float, double, and int, and allows a more complex computation to be done with a single instruction. It is also very convenient to deal with three-dimensional vectors because it can be operated in parallel. Overwatch deals with mistakes through SSE. So I'll show you how to use SSE properly with this meta. In other words, it will fix the previous ct. It may seem a bit annoying, but it's easier to explain and less script length. I'll take advantage of the SSE4.1 instruction set, and there are commands that the cheat engine does not recognize. For example, there is a DPPS instruction.

Overwatch Aim Nucleus All of ct 3 - Coordinates 2 - VisibleHook patch method
So far we have looked at MouseHook, SpeedUp, and the last remaining hooking point is VisibleHook. In the previous posting, when I got the result of wall delimitation, the opcode coming out was mov [rbx + 78], al. If you do not understand, let's look at the image below. Of course, of all the same results, we only hook where we put the call.

First, I will talk about the enemy number. Let's look at the picture below.

mov rbx, [rsi + 60]. In enemy nuclei, enemy numbers are used to find enemies that minimize mouse movement among many enemies. Overwatch.exe + 113EC5B - inc [rsi + 60] is the code that increases the enemy number. Looking further down, you can also see that you are looping with an enemy number. If you have any notices, you will get a sense of how to get the total number. It is listed in Overwatch.exe + 113EC6B - cmp eax, [rsi + 50]. When the game is patched, review the opcode to find out how to get the enemy number and modify the script.

Secondly, it is the section to put the enemy coordinates and their coordinates. See below.

The script comments are kindly written enemy, me. Overwatch.exe + 113EC29 - lea rcx, [rbp + 000000A0] As I mentioned in the previous post, I explained here that there is both an enemy and my coordinates. Therefore, the content of [rbp + A0] with offset 0 in xmm0 register and the content of [rbp + B0] with offset 10 in xmm1 register are copied. Once the game is patched, you can re-examine the opcode appropriately and modify the script.

The rest of the VisibleHook script is computed with the enemy number and coordinates obtained above, and the aiming point is pointed at the enemy. All of the ct patching methods have been described so far. The next chapter will explain the principles of the emir nuclear.

Overwatch Aim Nuclear All of ct 2 - Coordinates 1 - SpeedUp patch method
There are two important ingredients in the over watch aime nucleus. You must be able to change the aim point to the desired direction. This was covered in the last post. This time, it deals with how to find the enemy and my position in order to direct the aim point. There are a number of ways to debug enemy coordinates in fps games. One of the easiest ways to think is to think that the enemy's position is somewhere in memory and repeat the scan. You may need help from others. I called a friend and made a room, and a friend moved the carrick and I scanned it. It is easy to think, but hard to practice. However, the method of finding the position of the enemy and my position in the over-watch emir nuclear ct is different now. It is a method of finding the wall discrimination function and using the parameters of the function. The wall separation function gives two coordinates and map data as parameters and judges whether or not there is a gap between the coordinates. It usually has its coordinates and enemy coordinates so you can hook it up here. Finding the wall separator function is very simple. Scan for any enemy, but if you see the enemy 1, if you do not see the enemy 0 Scanning like this is done immediately. You can scan a bot at the training site. Below is the video.

The area to focus on is the "write" part of the wall separator function into memory. Because there will be a wall separator function around it. So let's focus on mov [rbx + 78], al. There are several results, all of which are the same. This is what Overwatch has recently done to stop the emmy nuclear weapons, and it is Naruto 's subversive. Let's look at that later.

mov [rbx + 78], a little above call al Overwatch.exe + D2F340 is seen. The function is a wall-delimiting function because it returns the eax value when it returns. As I mentioned earlier, the wall delimiter function takes two coordinates as parameters. So just look at both rdx and rcx. When debugging, rdx is not related to coordinates and you can see that rcx is the culprit. If you look at rcx, you can see that there are three float values at offset 0 and offset 0x10, respectively, which are the coordinates of the enemy coordinates and your character in order. Now I've got all the important ingredients for my bot. The remaining thing is to obtain the direction vector with two pairs of coordinates obtained by hooking around the wall division function and normalize the vector to length 1. This can be done by students who have studied higher mathematics courses. However, in order to manipulate mistakes through assemblies, knowledge must exist. This will be discussed later in the posting. Now, I'm going to talk about Blizzard's "subterfuge patch" recently. Before the patch, mov [rbx + 78], al only showed up when I pinned the result of the wall distinction. Therefore, there was no problem when hooked. We now have several identical mov [rbx + 78], al patterns and change patterns that we use periodically. I went to the parent function to take a quick look at what was happening.

Notice that call rax calls a function with a wall separator function. Debugging shows that rax continues to change periodically and that this is the effect of the subsonic patch.

The bypass method is very simple. You can hook it up there and drive the call to one place. This is where I originally hooked up to improve the reactivity. I have a security patch, but there is no cost to bypass it. At least Blizzard employees should patch up a subspecialty and see how they use inline functions. Finally, let's look at SpeedUp part of ct. The code is simple.

Overwatch.exe + 11368AA - In the call rax part, rip is changed to SpeedUp . You can see that you do not call rax but call it directly where you want it. Think directly about how you got the address. Looking at the code, I loop through the loop and call it many times, which increases the precision of the immune nucleus. In the early days, there was no SpeedUp, but the emme nucleus was not soft but torn. If you want to know what effect this is, you can change cmp [Count], 10 to 10 to 1. Finally, there is code to set rcx. In the original code, add rcx, r14 is displayed. When debugging, rcx value is always 0. Therefore, when hooking, use mov rcx, r14. At the end of the call, you must also use the mov statement because the value of rcx changes. Once the game is patched, you should debug again, look at the opcodes, and change the SpeedUp script to set the call address and rcx appropriately .

Overwatch Aim Nucleus ct All 1 - Aiming Point - MouseHook patch method
In overwatch, you must be able to change your aim point to the direction of your enemy if you want to achieve your core. Let's see how the over-watch handles the aiming direction and hack it. In the over-watch, the aiming direction is generally expressed as a direction vector learned in high school. However, the vector size is normalized to 1 so that calculation is easy. More simply, it is called the Cartesian coordinate system. Overwatch is easy to implement. This is because, in a game using a spherical coordinate system, the transformation of the orthogonal coordinate system and the spherical coordinate system is required to implement the emanucleus. The Cartesian coordinate system is represented by three real numbers and the spherical coordinate system by two real numbers. Whatever the coordinate system is, the value changes in memory when the aim point is turned around. So, to find the address of this value, you can turn the mouse around and scan. Let's see the video.

We find that the sum of all three float values found is 1, which is added to all of them. If you are curious, try the calculator yourself. Finding the address you find will give you some results.

I have made it the hooking point of the most frequent calls. Let's take a closer look through the memory viewer.

Overwatch.exe + 105BFE4 - movaps xmm0, [rdx + 00000D20] where rdx + D20 represents the address of the aimpoint vector value. Since rdx is a parameter set from the parent function and there is no place to change rdx in particular, the hooking location can be picked anywhere around. However, because there is a bug where the xmm register is cleared when debugging the current cheat engine, you must catch the hooking point before using the xmm register. Therefore, the appropriate hooking point is the first part of the function, ie, the part where the push ebx is located. Lastly, let's look at where we store the address of the aimpoint vector in the current AIM nuclear ct. Let's look at the MouseHook part of ct.

Overwatch.exe + 105bf90 - In push rbx, change rip to MouseHook. Then put the address of the aim point vector in the [mouse] variable and return to the original code. The [mouse] value is used to point to where the enemy actually exists. Later on you will see how the value of [mouse] is handled. Finally, I will briefly explain the ct patch method. Once the game is patched, you can re-debug it, change the MouseHook code so that you can see the opcode through Find and put the correct value back into [mouse]. Of course, hooking and returning addresses should be set appropriately. Overwatch requires a bit of reverser discretion because the opcode changes for each patch. (I explained that I needed a little because I explained it hard so far.) Anyway, I have to manually grasp and patch myself. Since other parts are the same, I will reduce the explanation from this posting.