Cheat Engine

[cryptickxx]

Sorry if this is a noob question. I would search, but the concept is too broad and gives me too many unwanted results that do not answer my question.

Well anyways. Is there a relationship between nops and ticking ZF flags? Like if ZF flags or to make it zeroes at that address then should it be the same as changing bytes to no operations?

Or am I completely off track? lol.

[Labyrnth]

Off track.

Nops is not zeros like some think.

nop = 90 in bytes
ZF = zero flag

Ticking the flag sets it from 1 to 0 or 0 to 1 depending on the situation.
So if the flag was for je and you ticked the z flag it would be like doing jnz.
ZF = 1 yes im going to jump/ 0 no im not going to jump or the other way around as well. * Depending on situation.
je = jump if equal/ Bytes =74
jnz = jump if not zero/ Bytes = 75
nop = 90

[Slugsnack]

Expanding on that a little bit, when the processor sees the NOP instruction, it will do "no operation". As Labyrnth said, NOP has the bytes 90.

ZF is one of the flags from the EFLAGS 32 bit register. Code execution in the assembly language is nearly controlled categorically by the state of certain flags. ZF or the Zero Flag is set when the last instruction resulted in a 0. For example, this instruction:

CMP EAX,0

If EAX = 0, then the difference is 0 therefore the compare results in the zero flag being set. Otherwise the Zero Flag will not be set. The flag's status in this case is known as "clear".

In terms of any particular relationship between the two.. Both are used to varying extents in reverse engineering. Ticking/changing the state of ZF will often let you temporarily change the flow of the code and help you know where to patch the code. NOP can be used to get rid of functions you don't want to occur. Let's say we had the following instructions:

PUSH 0
PUSH [XXXXXXXX]
PUSH [XXXXXXXX]
PUSH 0
CALL user32.MessageBoxA

If we overwrote the last instruction (the call) with NOPs, then the message box would never pop up.

Was there any particular context you were thinking of ?

[Labyrnth]

Real world example of removing something.
TeamSpeak

Here is a function in Team Speak that controls how many copies of TS you can run. [PolyGamy] So to fix the application you can remove the custom function completely and it will work.


Nop the whole function.


Now Team Speak will load as many times as you execute it.

[cryptickxx]

Wow this explained a lot. Thank you very much, it was really helpful and I'm starting to understand the concepts better overall.

But it doesn't really help in what I was trying to accomplish... Would there be any way of modifying the bytes to 90/Nop via debug registers like Flag Ticking or changing the EIP/EAX/ etc?

I cannot directly change the array of bytes into nop strings since the memory region I am trying to modify is protected.



Edit:

OHHH NEVERMIND! I think I know what to do... do I just right click -> assemble -> type in nop?

Edit2: Never mind that didn't work too well either. lol

[Labyrnth]

You can write a script so you can toggle it as well.
Instead of having to find it every time and doing that.

[Spawnfestis]

[Labyrnth]

Yes something like that, Might ned more then 1 nop tho .