2017-11-21 14:54 CET

ID: 0000034
Project: Cheat Engine
View Status: public
Last Update: 2008-10-13 16:12
Reporter: Samwise
Assigned To: Dark Byte
Priority: normal
Severity: block
Reproducibility: always
Status: resolved
Resolution: fixed
Summary: 0000034: Assembler assigns wrong code
Description:
Hi,
I use your tool not for cheating but for game modding, and it's really useful here.
Because I use it to modify larger blocks of code, I might have found problems others haven't had.

The runtime assembler and the auto assembler assign wrong opcodes in some cases.

Example: this is right as a byte opcode:
6FB65A91 - 6a ff - push ff

This is what the auto assembler does: it uses word size when the value is more than 7f. I assume you have a wrong check here.
03C40046 - 66 68 ff 00 - push 00ff

Because of stack usage, this error is sure to cause a deadlock.

Another showstopper:
Original (as you see here, your assembler confuses + and -):
6FB2DBA8 - 8d 8c 10 44 ff ff ff - lea ecx,[eax+edx+000000bc]
Same line after assembling with your assembler WITHOUT changing anything:
6FB2DBA8 - 8d 8c 02 bc 00 00 00 - lea ecx,[edx+eax+000000bc]

These are the ugliest bugs I found; I'll try to report more when I hit them.
May I make feature requests?
I wish for a feature that lets me jump from the disassembled output to the memory view and vice versa, to the exact same address where I am.
I wish that the go to address feature would not display the address at the top of the screen, but the one I highlight, as default.

Greetings

Samwise
Tags: No tags attached.
Relationships: related to 0000042 (resolved, Dark Byte): Copy to clipboard always copies both bytes and opcodes

Notes

~0000056

Dark Byte (developer)

For the push you're right, it picks the wrong one.
You can currently bypass it by writing "push -1" or "db 6a ff"
And it's not only a deadlock, it's total stack annihilation (it changes esp by 2, not 4).

For 8d 8c 10 44 ff ff ff it's more of a disassembler problem (the assembler and disassembler are actually separate).
This should be lea ecx,[edx+eax+FFFFFF44]
About the feature request: setting the disassembler to the same address as memview is possible using the plugin system. Load the delphi testplugin and memorybrowser will now have a new plugin menu item that allows you to quickly do that
Or use ctrl+g/ctrl+c enter in one window and ctrl+g/ctrl+v in the other

And with the goto address it'll be fixed

~0000057

Samwise (reporter)

Hi,

First of all, thanks for this really good support and this short reaction time.
Because you do this, I'm willing to report some more ;-) to keep you busy ^^.

Dark Byte:
You can currently bypass it by writing "push -1" or "db 6a ff"

In my case only workaround 2 is applicable, because most times it's an 80h, so when I write -127 it uses word size too and nothing is won :-). But it's still annoying to reread every line of code relocation.

Dark Byte:
And it's not only a deadlock, it's total stack annihilation (it changes esp by 2, not 4).

Yes, that's what I wanted to say :-). Sorry, I'm a native German speaker.

Dark Byte:
About the feature request: setting the disassembler to the same address as memview is possible using the plugin system. Load the delphi testplugin and memorybrowser will now have a new plugin menu item that allows you to quickly do that Or use ctrl+g/ctrl+c enter in one window and ctrl+g/ctrl+v in the other

I didn't mean to display both at all times, but only something like: highlight some byte in memview or highlight one line in assembly, right-click and say go there in memview/assembly, because many times it's really satisfying to have different displays, but not at all times, so the user should tell what he wants.
Overall this feature would be good inside all parts of Cheat Engine, like the main table: not only offer view in assembly, but offer both ways. Many times I have to choose view in assembly, then copy the goto address and paste it into the memview goto; that's unnecessary and not good for the workflow.

Dark Byte:
And with the goto address it'll be fixed

Many thanks, this "feature" is really annoying :-)

OK, here are some more annoyances, or should I make a new report?

6FB2DEFB - eb 03 - jmp queryinterface+2ea20
6FB2DF0C - 75 f2 - jne queryinterface+2ea20

OK, what you see here is activated view symbols, which is a nice feature mostly because of the user-defined symbols, BUT for short jumps this is REALLY annoying,
because you see a symbol with no relevance and a useless offset; you cannot see where the jump goes without switching view symbols on and off and on and off and...
It would be better to disable symbol viewing for short jumps OR to have a separate button to activate user-defined symbols.

Another one:
6FB2DEE8 - e8 77 eb f8 ff - call 6fabca64
What you see here is a call to the IMPORT table of the dll I'm viewing; there, the ordinal of another dll gets called.
When you activate "show module addresses", this call only shows the name and a useless offset of the dll I'm viewing in, not the name and function/ordinal of the target. This is a major annoyance, because when I want to see where it leads I have to follow the call to the jump table and follow to the target, and there activate "show module addresses" to see where I arrived (show module addresses is useless for anything else the way it is now).
Intermodular calls should show the target dll + name of the target function, or the ordinal when no name is available.

Thanks for your time; if you want, I'll supply you with more reports :-)

Greetings

Samwise

~0000058

Dark Byte (developer)

Sure, just keep on reporting bugs (disassembler/assembler bugs can stay in this one)

~0000061

Samwise (reporter)

Hi,

How long is it until the next bug-fixed release?
The push bug is getting to be a major pain in my ass ;-)
The assembler in many cases uses bigger opcodes than it should and smaller ones when it shouldn't.

All PUSHes greater than 7F get word pushes,
and if I WANT to use more, like PUSH 00000050 <- clearly a dword,
the assembler cuts off the 00, destroying my stack in many places.

I'm surely willing to report more "glitches", but the reported bugs are stopping me from using Cheat Engine at the moment. The code I'm modifying is too huge to fix all this by hand.

Because I have no Delphi development tools, I'm stuck waiting for a new binary release. Thanks for your help.

Greetings

Samwise

~0000062

Dark Byte (developer)

Last edited: 2008-03-30 01:58

try this one: http://cheatengine.org/downloads/CheatEngine541.exe

The bugs have been fixed but the IAT lookup will take a bit longer (I'll need to add more communication between the pe-inspector and the symbolhandler for that, and symbolviewing now shows the user-defined symbols if they are defined for a specific address, but no way to disable it fully yet)

>I wish for a feature that lets me jump from the disassembled output to the memory view and vice versa, to the exact same address where I am.
added as ctrl+space

>I wish that the go to address feature would not display the address at the top of the screen, but the one I highlight, as default.
Now uses the selected address instead of startaddress

push ff assembles to
6a ff

push 00ff assembles to
66 68 FF 00

push 000000ff assembles to
68 FF 00 00 00


8d 8c 10 44 ff ff ff is not disassembled as:
lea ecx,[eax+edx-000000bc] (of course, no idea why any compiler would do anything as messed up as this...)

~0000066

Samwise (reporter)

Hi,
First of all, many thanks for this nice support.
I'm sad that the fixes led to some other issues, not as bad as the previous ones,
but bad enough to give me some hours of headache :-)

Dark Byte:
8d 8c 10 44 ff ff ff is not disassembled as:
lea ecx,[eax+edx-000000bc] (of course, no idea why any compiler would do anything as messed up as this...)
That's simple: VC2003 optimizations do this crap, and it's found in 1000s of locations inside the code I'm working on ^^. But anyway, it should get fixed if only to keep consistency between your assembler and disassembler, because your assembler does it right.

Oh, by the way, maybe this is something interesting for you:
http://binary-reverser.org/tools/BeaEngine/index.php

OK, let's go to the gory details:

The auto assembler in the version you gave me the link to seems to have a
problem with German umlauts and seems to "eat" them. It would have been no problem
if I had followed my own rule not to use umlauts in labels, but I did ^^

mov [var_borderx_auflsung],00000070
should have been:
mov [var_borderx_auflösung],00000070

Until a solution is there, I'll rewrite my labels to use oe (I, idiot, should have done this anyway, but before it was no problem).

On the occasion of changing the labels I discovered that there is no way to rename the labels or "user-defined symbols", so I had to add them again with another name. Oh, I found out that a double click will remove it; not very intuitive and only discovered by chance.


Now a really big problem:
8b 0d c4 4f ba 6f - mov ecx,[glob_screensizex] <- value of 400h (1024)
After you fixed the push error we now have a new problem:
83 e9 90 - sub ecx,90
This resulted in disruption of my new game UI; it took me long to figure out
how to fix it, using
2d 90 00 00 00 - sub eax,00000090
You see the problem? In the above case EAX was meant to be decreased, and as EAX is a DWORD register it should be treated like one
(the value has no type indicator). Before the push fix this worked (or only because it was over 7f?); now EAX gets treated like a byte register and the value does not get calculated as it should.


Some further bugs/annoyances I discovered:
When you minimize the Cheat Engine main window, all other windows vanish too.
Sometimes I only want to have it out of the way, because I only need the auto assembler and memory view window to work with.
Greetings

Samwise

~0000067

Dark Byte (developer)

Last edited: 2008-03-30 22:14

German chars: might be a result of fixing it for Chinese chars.

83 e9 90 - sub ecx,90:
It is hard to determine what the user wants here, since it is a valid instruction for the given notation:
81 /5 = Subtract imm32 from r/m32
83 /5 = Subtract sign-extended imm8 from r/m32

But the assembler and disassembler solve it by looking at/showing it in either 8-bit notation or 32-bit notation.
If you change your code to "sub ecx,00000090" it'll generate the code:
81 E9 90 00 00 00
which I assume is what you want.

In the previous version this didn't show up because the 81 /5 variant (sign extended imm8) was never chosen due to the bug in 8-bit instruction picking

I'll look into the other suggestions

~0000068

Samwise (reporter)

Last edited: 2008-04-07 15:13

Hi,

Many thanks.
I have now fixed my scripts so that I can continue to work, and found some more things.

The dll and process enumeration is done on autoattach at the very beginning, when only some dlls are loaded, and is not refreshed at a later time, so when you enumerate them huge parts are missing without indication.
The enumeration should be done on the first call to enumerate.
The workaround for now is to manually reattach later.

Because I started working again, be prepared for more ;-)
EDIT:
here we go ^^
Original in Memory Viewer:
83 f8 12 - cmp eax,12
7c 05 - jnge 6fae562b
b8 12 00 00 00 - mov eax,00000012

code in autoassembler:
cmp eax,12
jnge 6fae562b
mov eax,00000012

Result:
3d 12 00 00 00 - cmp eax,00000012
7c 03 - jnge 6fae562b
b8 12 00 00 00 - mov eax,00000012

destroying the code beneath.

EDIT:
Uh keep em rolling ^^
In the assembly viewer part of memory view:

Copy to Clipboard
Bytes+Opcodes
Bytes
Opcodes
has no function at all; it is always bytes+opcodes.

EDIT:
Another one:
when using auto assembler templates, for example code relocation,
it would be fine if it used the text selection when text is selected.

Another thing I noticed:
in assembly view, when I follow a call to an ordinal and above the first opcode there
are filler bytes (vc2003 seems to use int3), clicking on the first opcode not only marks this one but the line above it too. This is only a display bug, but I want to mention it.

EDIT:
Found another URGENT bug:
when you have more than 1 memory view window open, it happens often that you see wrong data under the editing cursor, and if you edit, you overwrite other memory, leading to a bad crash of the application. I think you have a really ugly pointer issue there.
Greetings

Samwise

~0000069

Dark Byte (developer)

CE picking the eax,xxx version instead of the rm32,8 version: fixed (that's what causes the 5-byte eax version while the rm8 one can be done in 3)

Copy to clipboard has been fixed

Templates working with multiline selections: working on

Selecting the line above: confirmed, has to do with functionstart selection (was useful for showing the functionname before the assembler code, kinda messed up here)

2+ memview windows open causes a bug when editing: Can you describe a way to make it happen every time? I've just spent a few minutes trying to get anything weird to happen when editing, but all works
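The encoding choices argued over in notes 0000056, 0000062, 0000067 and 0000069 (push imm8 versus imm16/imm32, sub/cmp with a sign-extended imm8 versus the 81 or eax-only forms, and the signed disp32 in the lea) in one place, as an added Python example written for this page; it is not Cheat Engine's own assembler code. The digit-count width convention (ff, 00ff, 000000ff) follows the thread, and the `buggy=True` paths are a model of the behaviour the reports describe, not CE's actual code path.

```python
# Added example for this thread, not Cheat Engine's own assembler: how an x86
# assembler picks the immediate size for push / add / sub / cmp and why the
# encodings argued about in the notes differ.  Convention assumed, as in the
# thread: the hex digits typed select the width (ff -> byte, 00ff -> word,
# 000000ff -> dword).  The buggy=True paths model the reported behaviour.
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
GROUP1 = {"add": 0, "sub": 5, "cmp": 7}              # /digit in the 81 and 83 groups
EAX_IMM32 = {"add": 0x05, "sub": 0x2D, "cmp": 0x3D}  # dedicated "eax, imm32" opcodes

def parse_imm(text):
    """'ff' -> (0xff, 8); '00ff' -> (0xff, 16); '000000ff' -> (0xff, 32); '-1' -> (-1, 8)."""
    neg = text.startswith("-")
    digits = text.lstrip("-")
    width = 8 if len(digits) <= 2 else 16 if len(digits) <= 4 else 32
    value = int(digits, 16)
    return (-value if neg else value), width

def push_imm(text, buggy=False):
    """push imm.  6a ib sign-extends its byte, so 'push ff' pushes 0xffffffff and
    moves esp by 4.  buggy=True: width chosen from the value, typed size ignored,
    so ff becomes the word push 66 68 ff 00 (esp -= 2) and 00000050 is cut to 6a 50."""
    v, width = parse_imm(text)
    if buggy:
        width = 8 if v <= 0x7F else 16 if v <= 0xFFFF else 32
    if width == 8:
        return bytes([0x6A, v & 0xFF])
    if width == 16:
        return bytes([0x66, 0x68]) + struct.pack("<H", v & 0xFFFF)
    return bytes([0x68]) + struct.pack("<I", v & 0xFFFFFFFF)

def alu_imm(op, reg, text, buggy=False):
    """add/sub/cmp r32, imm.  Byte notation -> 83 /digit ib, whose imm8 is sign-
    extended: 'sub ecx,90' subtracts -0x70 (the surprise in note 0000066).  Dword
    notation -> 81 /digit id, or the one-byte-shorter dedicated eax opcode.
    buggy=True: always the 32-bit form, e.g. 'cmp eax,12' -> 3d 12 00 00 00."""
    v, width = parse_imm(text)
    modrm = 0xC0 | (GROUP1[op] << 3) | REG32.index(reg)   # mod=11: register operand
    if width == 8 and not buggy:
        return bytes([0x83, modrm, v & 0xFF])
    if reg == "eax":
        return bytes([EAX_IMM32[op]]) + struct.pack("<I", v & 0xFFFFFFFF)
    return bytes([0x81, modrm]) + struct.pack("<I", v & 0xFFFFFFFF)

def imm8_effect(b):
    """The value the CPU really uses for an imm8 of 6a or the 83 group: sign-extended."""
    return b - 0x100 if b > 0x7F else b

def decode_lea_sib(code):
    """lea r32,[base+index*scale+disp32]: the mod=10 + SIB form of
    8d 8c 10 44 ff ff ff.  Printing disp32 signed is what keeps the text
    re-assemblable to the same bytes (the +bc / -bc confusion in note 0000056)."""
    modrm, sib = code[1], code[2]
    if code[0] != 0x8D or modrm >> 6 != 2 or modrm & 7 != 4:
        raise ValueError("not the lea form handled here")
    disp = struct.unpack("<i", code[3:7])[0]
    base, index, scale = REG32[sib & 7], REG32[(sib >> 3) & 7], 1 << (sib >> 6)
    mem = base + "+" + index + ("*%d" % scale if scale > 1 else "")
    sign = "-" if disp < 0 else "+"
    return "lea %s,[%s%s%08x]" % (REG32[(modrm >> 3) & 7], mem, sign, abs(disp))
```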

~0000070

Samwise (reporter)

Last edited: 2008-04-08 13:35

Hi,

I'll try to nail it down, but I think pointer issues are not easy to catch.
I think it has to do with the cursor (cursor positioning?), because the overall view displays correct data; only the data "under" the cursor seems to come from somewhere different (and so seems to edit somewhere different). I've had this issue many times now, but only when I had more than 1 memory view window. Maybe check the var holding your cursor position? Don't know, I have no knowledge about the internal workings of Cheat Engine :-). I'm trying to get more information.

PS:
When you have fixed versions, I would be glad to download them, so I don't repeatedly get old bugs but instead new ones ;-) that I can report here.

Edit:
Another one: when closing Cheat Engine there is no notification about a changed auto assembler window :-(. Because I was too stupid, I lost data 2 times now ^^


Greetings

Samwise

~0000071

Samwise (reporter)

Hi,

Another one, very curious:
searching memory for an array of bytes from the memory view window is not working.
I searched for something definitely there but found nothing.

Greetings

Samwise

~0000072

Dark Byte (developer)

There is a small parser problem for the membrowser's scanner (old singlethreaded scanroutine).
Make sure not to write more than 1 space, else it'll handle it as if you wrote a ? or a * at the 2nd space.
But if you didn't accidentally put in a space too many, then I have no idea why it didn't find it.

~0000074

Samwise (reporter)

Last edited: 2008-04-15 11:03

Hi,

It seems I nailed down the edit problem with the cursor in memview.
When the cursor is active in memview and, for example, you display a line of x08 bytes and then resize the window to display, for example, x18 bytes, something goes horribly wrong.


The search problem is weird; now I find what I search for??? There must be some sporadic problem somewhere *sigh*

Because of the size of my code in the meantime, the auto assembler gets REALLY slow now. To circumvent this I disabled syntax highlighting, and I'm now splitting parts into separate scripts. What I saw when disabling syntax highlighting is that if it's disabled, the font size and font are changed to something smaller and more unreadable. Besides this, it would be fine to be able to configure one's own font and font size in the auto assembler. Because I have some tables there (db style), I often wished there were a monospace font by default. The way it is now, tables are really ugly.


Greetings

Samwise

~0000075

Dark Byte (developer)

Last edited: 2008-04-16 04:59

Resizing the window with something in the editbox does let it stay, yes, and keeps on going from there.


About the search, my guess is that that time you accidentally put in one space too many.

And a font selection option is a good idea yes.

About being slow, I know, perhaps I should write a code editor from scratch instead of relying on richedit from windows.
You say you split it up into separate scripts, I take it you use the "include" option to chain them back together? (else you'd be executing script by script which can be annoying)


Also, kinda off-topic, I see you're writing quite a big script in the auto assembler, which is fine. Just wondering if you knew that you can also write your code as a dll and then use loadlibrary(dllname.dll) in an auto assembler script, followed by calls to exported functions in that dll? (when loadlibrary is used it'll enumerate the symbols so the autoassembler can use it)

e.g:
loadlibrary(playertracker.dll)
...
codeinjection_at_routine_that_handles_the_player:
push ecx //player object
call StorePlayer //StorePlayer exported by dll, which handles tables, databases, and even gui and the likes

~0000076

Samwise (reporter)

Last edited: 2008-04-28 10:48

Hi,

Another one:
the auto assembler cannot assemble this; every time it wants to use more bytes:
83 c0 03 - add eax,03

For the search I really don't know what happened, but I could swear I tried it with and without spaces and some variants, because I was curious what happens.

Dark Byte
You say you split it up into separate scripts, I take it you use the "include" option to chain them back together? (else you'd be executing script by script which can be annoying)

No, I execute them separately; the good part is that there are areas in game modding where you can make a separate project. I use Cheat Engine as a code hunter and as a live modding system to see changes inside the running game. Cheat Engine does quite well there; I use OllyDbg and IDA Pro too. The final result I feed into my own mod loader and my own dlls, so I don't use Cheat Engine in the final part.

Nevertheless, I have been using Cheat Engine only since shortly before my first bug report, so I was unaware of the loadlibrary and the include. Really good to know. Do you have some list of available commands and declaration types? I looked into the board, but it's not too well structured when it comes to the auto assembler. Documentation is greatly appreciated. As you see, I'm willing to give back in the form of bug reports, and there are still many ;-)

EDIT: Forget about documentation, I looked into the .hlp file ^^

I looked into the CVS of the auto assembler, and even if my Pascal time is 20 years back, I managed to find some commands ;-)
A good addition to the loadbinary command would be a feature in memview to save the selected block as binary.

Does loadlibrary evaluate ALL of the members of the loaded dll? What about ordinals? The game I'm modding has many ordinal-only dlls, so I'm interested in how to utilize these.


Till now I have not used the script engine. Because it uses C, I'm highly interested in using it. Is there extensive documentation somewhere on how to use this?

For the auto assembler, a globalalloc would be fine that only allocs memory once and not on every call. I have to execute some scripts often, and this kind of messes with memory. Is there a way around it?

EDIT:
The result of the assembly scan should be copyable to the clipboard to make reference lists etc.
Greetings

Samwise

~0000118

Dark Byte (developer)

you might be interested in this temp build: http://www.cheatengine.org/downloads/CheatEngine543.exe

It has a new editor.
It now picks the assembler instructions better
And not sure if you're one of those that asked, but you can now override the nops the AA puts in for unknown-distance jumps by specifying it's a short jump, by doing jmp short xxxxxxxx
Not yet a globalalloc though, but still planned
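An added example, not Cheat Engine's own code, of the two jump issues in this thread: the jnge from note 0000068 being re-encoded as 7c 03 and shifted 2 bytes down when the cmp in front of it grew from 3 to 5 bytes, and the reserved space plus nop padding for a forward jump of unknown distance that `jmp short` (note 0000118) trades for a 2-byte reservation. The two-pass assembler below is a simplified model written for this example; the addresses and instruction bytes are the ones from note 0000068.

```python
# Added example, not Cheat Engine's code: a minimal two-pass model of how a block
# of auto assembler lines is laid out, so that (a) a longer encoding for one line
# moves the jump below it and changes its rel8, and (b) a forward jump of unknown
# distance reserves the rel32 size (padded with nops) unless written as "jmp short".
import struct

# (rel8 opcode, rel32 opcode bytes): jnge is jl, rel8 7c / rel32 0f 8c; jmp is eb / e9
OPS = {"jnge": (0x7C, bytes([0x0F, 0x8C])), "jmp": (0xEB, bytes([0xE9]))}

def rel_jump(op8, op32, at, target, force_short=False):
    """Encode a jump at address `at` to `target`: the 2-byte rel8 form when the
    displacement fits, otherwise the rel32 form (or an error if short was forced)."""
    rel8 = target - (at + 2)
    if -128 <= rel8 <= 127:
        return bytes([op8]) + struct.pack("<b", rel8)
    if force_short:
        raise ValueError("target out of short range: %+d" % rel8)
    rel32 = target - (at + len(op32) + 4)
    return op32 + struct.pack("<i", rel32)

def assemble_block(base, items):
    """items: ("db", bytes) raw instruction bytes; ("jnge"|"jmp", target, short)
    with target an address or a label name; ("label", name).
    Pass 1 lays everything out.  A jump to a label not seen yet has unknown
    distance, so the rel32 size is reserved for it, or 2 bytes when it says short.
    Pass 2 encodes the jumps and fills unused reserved bytes with nop (90)."""
    labels, sizes, addr = {}, [], base
    for kind, *args in items:
        if kind == "label":
            labels[args[0]] = addr
            continue
        if kind == "db":
            n = len(args[0])
        else:
            target, short = args
            if isinstance(target, str) and target not in labels:
                n = 2 if short else len(OPS[kind][1]) + 4   # unknown distance: reserve
            else:
                t = labels[target] if isinstance(target, str) else target
                n = len(rel_jump(*OPS[kind], addr, t, short))
        sizes.append(n)
        addr += n
    out, addr = b"", base
    for (kind, *args), n in zip([i for i in items if i[0] != "label"], sizes):
        if kind == "db":
            code = args[0]
        else:
            target, short = args
            t = labels[target] if isinstance(target, str) else target
            code = rel_jump(*OPS[kind], addr, t, short)
            code += b"\x90" * (n - len(code))      # nop padding inside reserved space
        out += code
        addr += n
    return out
```

Assembling the three lines of note 0000068 at 6fae5621 with the 3-byte cmp gives 10 bytes ending in 7c 05; with the 5-byte cmp the block is 12 bytes, the jnge becomes 7c 03, and the extra 2 bytes land on whatever followed the original code.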

~0000182

Dark Byte (developer)

globalalloc is in too.
Just closing this report as it's become old and it's better to have separate reports for each bug/feature

Issue History
Date Modified Username Field Change
2008-03-13 13:54 Samwise New Issue
2008-03-14 03:51 Dark Byte Note Added: 0000056
2008-03-14 03:51 Dark Byte Status new => confirmed
2008-03-14 03:52 Dark Byte Status confirmed => assigned
2008-03-14 03:52 Dark Byte Assigned To => Dark Byte
2008-03-14 14:49 Samwise Note Added: 0000057
2008-03-15 04:06 Dark Byte Note Added: 0000058
2008-03-29 20:43 Samwise Note Added: 0000061
2008-03-30 01:55 Dark Byte Note Added: 0000062
2008-03-30 01:58 Dark Byte Note Edited: 0000062
2008-03-30 19:38 Samwise Note Added: 0000066
2008-03-30 22:13 Dark Byte Note Added: 0000067
2008-03-30 22:14 Dark Byte Note Edited: 0000067
2008-04-01 15:39 Samwise Note Added: 0000068
2008-04-01 17:12 Samwise Note Edited: 0000068
2008-04-01 17:14 Samwise Note Edited: 0000068
2008-04-01 17:23 Samwise Note Edited: 0000068
2008-04-02 19:55 Samwise Note Edited: 0000068
2008-04-07 15:13 Samwise Note Edited: 0000068
2008-04-08 05:27 Dark Byte Note Added: 0000069
2008-04-08 10:45 Samwise Note Added: 0000070
2008-04-08 10:47 Samwise Note Edited: 0000070
2008-04-08 13:35 Samwise Note Edited: 0000070
2008-04-14 19:38 Samwise Note Added: 0000071
2008-04-14 19:45 Dark Byte Note Added: 0000072
2008-04-15 09:50 Samwise Note Added: 0000074
2008-04-15 11:03 Samwise Note Edited: 0000074
2008-04-16 04:37 Dark Byte Note Added: 0000075
2008-04-16 04:40 Dark Byte Note Edited: 0000075
2008-04-16 04:42 Dark Byte Note Edited: 0000075
2008-04-16 04:42 Dark Byte Note Edited: 0000075
2008-04-16 04:59 Dark Byte Note Edited: 0000075
2008-04-16 14:09 Samwise Note Added: 0000076
2008-04-17 17:03 Samwise Note Edited: 0000076
2008-04-17 18:34 Samwise Note Edited: 0000076
2008-04-17 20:25 Samwise Note Edited: 0000076
2008-04-28 10:48 Samwise Note Edited: 0000076
2008-05-08 00:37 Dark Byte Relationship added related to 0000042
2008-08-23 05:07 Dark Byte Note Added: 0000118
2008-10-13 16:11 Dark Byte Note Added: 0000182
2008-10-13 16:11 Dark Byte Status assigned => resolved
2008-10-13 16:11 Dark Byte Resolution open => fixed