Cheat Engine - The Official Site of Cheat Engine

pusheax (How do I cheat?, Reputation: 0, Joined: 26 Jan 2016, Posts: 5, Location: Philippines)
Posted: Tue Jan 26, 2016 7:31 pm, Post subject: Operand and pointer problem

So I'm dealing with this Operand mov [esi+01],edx that gets called at least a thousand times each second to modify different addresses (from interface to in-game resource values, etc.). My problem is that it is the only Opcode that gets called to modify my HP.
I've already found the pointer and the offset in my Player structure, which means my code does a cmp so I know it only carries on with the cheat when accessing my own HP, so that it does not affect other things in the game.
My bigger problem is that since this opcode is so multi-purpose (almost like those found in some console emulators), the struct keeps changing, and doing a cmp with an invalid pointer from a random other type of struct causes my game to CTD.
I have already tried
cmp [pointer+offset],0
je _Backtogame
and even doing a
or eax,eax
jz _Backtogame
to no avail. It just keeps crashing when doing the cmp. Here is the code I've been trying to get to work, but it keeps crashing as soon as I do the cmp:
Code:
_GodMode2:
push eax
mov eax,[esi+1A]
mov eax,[eax+08]
or eax,eax
jz _ExitGM2
cmp word ptr [eax],1 //My Own HP?
jne _ExitGM2 //Jump if false
mov edx,[esi+01] //Keep my HP as it was
_ExitGM2:
pop eax
mov [esi+01],edx //original code
mov byte ptr [ebx],00 //original code
jmp _BackGM2 //back to game
_________________
Stars are holes in the sky from which the light of the infinite shines. ~Confucius
ParkourPenguin (I post too much, Reputation: 140, Joined: 06 Jul 2014, Posts: 4297)
Posted: Tue Jan 26, 2016 7:59 pm

First of all, mov [esi+01],edx is neither an operand nor an opcode - it's called an instruction.
If "the pointer" is in your player's structure and you try to dereference that pointer, then of course it'll probably crash, since not every structure is the same as the one your health is in.
You could also hook an instruction that accesses the address of your health instead. Or hook any instruction that accesses anything else in the same structure as your health. Or find a pointer to your health or anything else in the same structure (doesn't have to be a static pointer) and hook some instruction that accesses the address of that pointer. You should have plenty of instructions to choose from; nevertheless, if it absolutely must be run whenever your health is written to, then you might be able to hook an instruction around the instruction mov [esi+01],edx much more easily (i.e. backtracing it to a calling procedure might help).
_________________
I don't know where I'm going, but I'll figure it out when I get there.
pusheax (How do I cheat?, Reputation: 0, Joined: 26 Jan 2016, Posts: 5, Location: Philippines)
Posted: Tue Jan 26, 2016 8:20 pm

ParkourPenguin wrote:
> First of all, mov [esi+01],edx is neither an operand nor an opcode - it's called an instruction.
> If "the pointer" is in your player's structure and you try to dereference that pointer, then of course it'll probably crash, since not every structure is the same as the one your health is in.
> You could also hook an instruction that accesses the address of your health instead. Or hook any instruction that accesses anything else in the same structure as your health. Or find a pointer to your health or anything else in the same structure (doesn't have to be a static pointer) and hook some instruction that accesses the address of that pointer. You should have plenty of instructions to choose from; nevertheless, if it absolutely must be run whenever your health is written to, then you might be able to hook an instruction around the instruction mov [esi+01],edx much more easily (i.e. backtracing it to a calling procedure might help).
Thanks! You are right, it has to be whenever the health is written to, since the game can decide to write zero and it would simply be over for my character. I'm very much new to this asm thingy, reading tuts on here, and was wondering if there is a tut for the backtracing to the calling procedure. Thanks again for the insight!
_________________
Stars are holes in the sky from which the light of the infinite shines. ~Confucius
ParkourPenguin (I post too much, Reputation: 140, Joined: 06 Jul 2014, Posts: 4297)
Posted: Tue Jan 26, 2016 9:42 pm

I forgot about this - it's probably the easiest thing you could do to solve this problem, but there are a few quirks with it that are mentioned in that topic.
You might also be able to use Ultimap if you just want to prevent taking damage (tutorial). Find the function that's called when you take damage, and NOP it along with any arguments to it.
However, if you really want to try backtracing:
http://forum.cheatengine.org/viewtopic.php?t=530290
Backtracing is a very hard and time-consuming thing for a beginner to do, especially for this kind of an instruction that accesses many different addresses. As such, I would highly recommend against you attempting to backtrace this if it's your first time. Nevertheless, I'll explain the basics of what to do.
First of all, trace that instruction back several callers. The caller (or the subroutine that called that caller, or the one that called the one that called the caller, etc...) might only be run when the game is writing to your health. To test this, you'll have to get creative with your use of conditional breakpoints since that instruction is run so often with so many addresses. After that, look at the instructions leading up to mov [esi+01],edx and find out where it gets edx (and optionally esi) from. Trace it back to that call that's only run when your health gets written to. Then, hook an instruction that's used to calculate edx in that call, and do what you want from there.
Also, if this game is run on an emulator (e.g. desmume), then you probably shouldn't even attempt backtracing. That just complicates things beyond belief.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Tue Jan 26, 2016 9:46 pm

That is your original code? Seems odd.
Also...
Code:
cmp word ptr [eax],1
You're comparing something from a different register? Is this your script?
Anyway, if absolutely all else fails, you can always use a pointer. And if you must write a script, you can use a pointer for your compare, also... but it's not recommended because pointers are less reliable.
pusheax (How do I cheat?, Reputation: 0, Joined: 26 Jan 2016, Posts: 5, Location: Philippines)
Posted: Tue Jan 26, 2016 10:19 pm

ParkourPenguin wrote:
> I forgot about - it's probably the easiest thing you could do to solve this problem, but there are a few quirks with it that are mentioned in that topic.
> You might also be able to use Ultimap if you just want to prevent taking damage (). Find the function that's called when you take damage, and NOP it along with any arguments to it.
> However, if you really want to try backtracing:
> Backtracing is a very hard and time-consuming thing for a beginner to do, especially for this kind of an instruction that accesses many different addresses. As such, I would highly recommend against you attempting to backtrace this if it's your first time. Nevertheless, I'll explain the basics of what to do.
> First of all, trace that instruction back several callers. The caller (or the subroutine that called that caller, or the one that called the one that called the caller, etc...) might only be run when the game is writing to your health. To test this, you'll have to get creative with your use of conditional breakpoints since that instruction is run so often with so many addresses. After that, look at the instructions leading up to mov [esi+01],edx and find out where it gets edx (and optionally esi) from. Trace it back to that call that's only run when your health gets written to. Then, hook an instruction that's used to calculate edx in that call, and do what you want from there.
> Also, if this game is run on an emulator (e.g. desmume), then you probably shouldn't even attempt backtracing. That just complicates things beyond belief.
Wow, thanks! I would definitely look into the isbadreadptr/isbadwriteptr. I have never tried Ultimap though, but from the sounds of it there is a chance that the nopping might force a CTD, but I'll try that route as well. I think I will leave the backtracing for when I know more about asm coz my vocabulary of it ain't that good yet. Also, this is actually for some old game called X3: Terran Conflict 3.1. I know Recifence made an outstanding script for it, but it lacks a certain GodMode that I would like to have added as well.
++METHOS wrote:
> That is your original code? Seems odd.
> Also...
> Code:
> cmp word ptr [eax],1
> You're comparing something from a different register? Is this your script?
> Anyway, if absolutely all else fails, you can always use a pointer. And if you must write a script, you can use a pointer for your compare, also... but it's not recommended because pointers are less reliable.
Yep! I thought so as well when I first saw it, not the typical add or sub I usually see. It appears as though the final values are processed somewhere else and this instruction just writes them.
I just thought it was easier if I used eax to temporarily store the pointer plus the offset in my attempts to test if it returns a valid pointer. I just saw it though.
_________________
Stars are holes in the sky from which the light of the infinite shines. ~Confucius
ParkourPenguin (I post too much, Reputation: 140, Joined: 06 Jul 2014, Posts: 4297)
Posted: Tue Jan 26, 2016 10:48 pm

pusheax wrote:
> I have never tried Ultimap though, but from the sounds of it there is a chance that the nopping might force a CTD...
Actually, if the call is only run once when you take damage and you NOP everything properly, I can't think of any instances off the top of my head in which it would crash the game. I'd be more worried about DBVM causing a BSOD if I were you.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Tue Jan 26, 2016 11:23 pm

pusheax wrote:
> ++METHOS wrote:
> > That is your original code? Seems odd.
> Yep! I thought so as well when I first saw it, not the typical add or sub I usually see.
-Not actually what I meant, but no worries.
pusheax wrote:
> ++METHOS wrote:
> > Code:
> > cmp word ptr [eax],1
> > You're comparing something from a different register?
> I just thought it was easier
-Okay... I see what you did. My mistake. Have you tried checking the registers to see if you can use anything there?
Anyway, change your script as shown below. Enable your script. When you enable your script, the instruction where you are injecting should show a jump. Right-click on it and select 'follow'. Right-click, as shown below, and check to see what addresses it accesses. If you see more than one, your filter is no good. If you see nothing, even after getting hit, your filter is no good. If it crashes after you enable, see what ParkourPenguin wrote.
Code:
_GodMode2:
push edi
mov edi,[esi+1A]
mov edi,[edi+08]
cmp word ptr [edi],1 //the word at [edi], as in the original script; "word ptr" needs a memory operand
pop edi
jne _ExitGM2
mov [esi+01],edx //right-click here
_ExitGM2:
mov [esi+01],edx
mov byte ptr [ebx],00
jmp _BackGM2
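The crash discussed in this thread is a type confusion: one store path handles many object kinds, so the slot that holds a pointer in the player's structure is arbitrary bytes in the others, and the `or eax,eax; jz` null test cannot catch a non-null garbage value. The C program below is an added example, not code from the thread or from Cheat Engine; it models the check the scripts above perform using a readability probe in the spirit of the IsBadReadPtr mentioned by pusheax, with a POSIX pipe write as the probe. The offsets (+0x1A pointer slot, +0x08 tag word) are taken from the scripts, the structure layout around them is assumed, and the three sample objects are constructed.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Offsets from the thread's scripts; the surrounding layout is an assumption. */
enum { OWNER_PTR_OFF = 0x1A, TAG_OFF = 0x08 };

/* Can `len` bytes at `p` be read without faulting? write(2) into a pipe
   copies from user memory inside the kernel and fails with EFAULT on an
   unreadable source instead of raising SIGSEGV: a POSIX stand-in for the
   IsBadReadPtr probe the thread mentions. It proves readability only. */
bool probe_readable(const void *p, size_t len) {
    int fds[2];
    if (len > 4096 || pipe(fds) != 0) return false;  /* keep within PIPE_BUF */
    bool ok = write(fds[1], p, len) == (ssize_t)len;
    close(fds[0]); close(fds[1]);
    return ok;
}

/* The check the scripts perform, made safe: probe the pointer slot, then
   probe the tag word behind it, before trusting either value. */
bool is_own_hp_object(const void *base) {
    const char *b = base;
    void *owner; uint16_t tag;
    if (!probe_readable(b + OWNER_PTR_OFF, sizeof owner)) return false;
    memcpy(&owner, b + OWNER_PTR_OFF, sizeof owner);
    if (!probe_readable((const char *)owner + TAG_OFF, sizeof tag)) return false;
    memcpy(&tag, (const char *)owner + TAG_OFF, sizeof tag);
    return tag == 1;
}

/* Constructed scenario: three objects reach the same store path. Returns a
   bitmask of which ones pass; only bit 0 (the real player object) should. */
int run_demo(void) {
    unsigned char own[16] = {0}, other[16] = {0};
    unsigned char player[0x30] = {0}, npc[0x30] = {0}, junk[0x30] = {0};
    uint16_t one = 1, two = 2;
    void *p = own, *q = other;
    /* junk's bytes at +0x1A point into a PROT_NONE page: a raw dereference crashes */
    void *none = mmap(NULL, 4096, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    memcpy(own + TAG_OFF, &one, sizeof one);
    memcpy(other + TAG_OFF, &two, sizeof two);
    memcpy(player + OWNER_PTR_OFF, &p, sizeof p);
    memcpy(npc + OWNER_PTR_OFF, &q, sizeof q);
    memcpy(junk + OWNER_PTR_OFF, &none, sizeof none);
    int mask = is_own_hp_object(player) | (is_own_hp_object(npc) << 1) | (is_own_hp_object(junk) << 2);
    if (none != MAP_FAILED) munmap(none, 4096);
    return mask;  /* 1: only the player object passes */
}
```

The same caveat applies as to IsBadReadPtr on Windows (which Microsoft documents as obsolete): the probe only says the bytes are readable at that instant, so the tag comparison after it is what actually filters the object.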