MantisBT - Cheat Engine
View Issue Details
Id: 0000027
Project: Cheat Engine
View Status: public
Date Submitted: 2008-01-23 17:42
Last Update: 2008-01-29 17:23
Reporter: Csimbi
Assigned To: Dark Byte
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: fixed
Platform / OS / OS Version: (not set)
Summary: 0000027: CE causes crash by restoring wrong code
Description:
CE 5.4.0.5
Thief Gold (1.37)
Trying to patch health on falling
Original code:
0052A781 - 8b f1 - mov esi,ecx
0052A783 - 83 c8 ff - or eax,ff
0052A786 - 89 46 24 - mov [esi+24],eax
0052A789 - 89 46 28 - mov [esi+28],eax
0052A78C - 8b 46 38 - mov eax,[esi+38]
0052A78F - 85 c0 - test eax,eax
0052A791 - 74 09 - je 0052a79c

I wrote this script (using auto-assemble) to experiment:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)

0052A783:
jmp newmem
nop
returnhere:

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
mov eax, 16

originalcode:
or eax,ff
mov [esi+24],eax

exit:
jmp returnhere

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
0052A783:
or eax,ff
mov [esi+24],eax

dealloc(newmem)

After enabling the script and disabling it in the cheat table, the original code is not restored - there is some garbage instead, and it causes a crash:
0052A781 - 8b f1 - mov esi,ecx
0052A783 - 0d ff 00 00 00 - or eax,000000ff
0052A788 - 89 46 24 - mov [esi+24],eax
0052A78B - 28 8b 46 38 85 c0 - sub [ebx-3f7ac7ba],cl
0052A791 - 74 09 - je 0052a79c
As you can see, the original "or eax,ff" mysteriously became "or eax,000000ff".

This I assume is a bug - if not, let me know how I can solve it.
Thanks.
Tags: No tags attached.
Attached Files

Notes
(0000046) Dark Byte, 2008-01-23 23:38
It's not really a bug.
There are multiple ways to write an instruction and CE doesn't always pick the same instruction as the game used.
In this case it picks the 'smaller' version (83 c8 is 2 bytes, 0d is 1).

If you want to override it, you have to use db and fill in the exact bytes.
e.g. in your script the disable code should look like:
0052a783:
db 83 c8 ff //or eax,ff
mov [esi+24],eax
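
As an added example (not part of the issue or of Cheat Engine's own code), the Python below reproduces the two encodings behind the "or eax,ff" ambiguity discussed above and replays both DISABLE variants over the bytes listed in the report. The memory image and addresses are taken from the listings above; the function names and the byte-write simulation are my own.

```python
import struct

# Memory image constructed from the report: bytes at 0052A781..0052A792
# before the script is enabled.
BASE = 0x0052A781
ORIGINAL = bytes.fromhex("8bf1 83c8ff 894624 894628 8b4638 85c0 7409")
MOV_ESI24_EAX = bytes.fromhex("894624")          # mov [esi+24],eax


def encode_or_eax(value):
    """Shortest 32-bit-mode encoding of OR EAX,value.
    83 /1 ib sign-extends an imm8: 83 c8 ff is OR EAX,0xFFFFFFFF, which a
    disassembler may print as 'or eax,ff'. 0D id carries a full imm32, so
    OR EAX,0x000000FF must be 0d ff 00 00 00: a different length (5 vs 3
    bytes) and a different effect on EAX for the same line of text."""
    value &= 0xFFFFFFFF
    signed = value - (1 << 32) if value & 0x80000000 else value
    if -128 <= signed <= 127:
        return b"\x83\xc8" + struct.pack("<b", signed)
    return b"\x0d" + struct.pack("<I", value)


def patch(image, base, addr, new_bytes):
    """Return a copy of image (loaded at base) with new_bytes written at addr."""
    off = addr - base
    return image[:off] + new_bytes + image[off + len(new_bytes):]


def disable_by_reassembly():
    """The [DISABLE] block from the report: CE re-assembles 'or eax,ff' as
    OR EAX,0x000000FF (5 bytes), then mov [esi+24],eax. Two extra bytes
    overwrite the start of 'mov [esi+28],eax', leaving a stray 28 that the
    CPU decodes with the following bytes as 'sub [ebx-3f7ac7ba],cl'."""
    return patch(ORIGINAL, BASE, 0x0052A783,
                 encode_or_eax(0x000000FF) + MOV_ESI24_EAX)


def disable_by_db():
    """Dark Byte's fix: 'db 83 c8 ff' writes the game's own 3-byte encoding
    verbatim, so the restore is byte-exact and the following instructions
    keep their boundaries."""
    return patch(ORIGINAL, BASE, 0x0052A783,
                 bytes.fromhex("83c8ff") + MOV_ESI24_EAX)


if __name__ == "__main__":
    print("original   :", ORIGINAL.hex(" "))
    print("reassembled:", disable_by_reassembly().hex(" "))
    print("db restore :", disable_by_db().hex(" "))
```

Running it shows the re-assembled restore producing exactly the garbage bytes from the report, while the db restore returns the image to its original state.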

Issue History
2008-01-23 17:42  Csimbi     New Issue
2008-01-23 23:38  Dark Byte  Note Added: 0000046
2008-01-23 23:38  Dark Byte  Status: new => feedback
2008-01-29 17:23  Dark Byte  Status: feedback => resolved
2008-01-29 17:23  Dark Byte  Resolution: open => fixed
2008-01-29 17:23  Dark Byte  Assigned To: => Dark Byte