slippppppppp Grandmaster Cheater
Reputation: 0
Joined: 08 Aug 2006 Posts: 929
Posted: Fri Jan 16, 2009 8:27 pm Post subject: Memory Viewer
I'm trying to code an engine in C++.
I want my memory viewer to replicate CE's, but I have one problem. I'm able to read the bytes properly, but I want to know how to put the right bytes together. For example:
//supposed to be mov eax, 10
00400000 : mov eax
00400001 : 10
In Cheat Engine, it looks like:
00400000 : mov eax, 10
00400002 : new operations
I need help with splitting the bytes properly :[
samuri25404 Grandmaster Cheater
Reputation: 7
Joined: 04 May 2007 Posts: 955 Location: Why do you care?
Posted: Fri Jan 16, 2009 8:29 pm
Start at an address, and try to convert the first byte to an assembler instruction. If that fails, then try with the first two bytes; if that fails, the first three, etc.
slippppppppp Grandmaster Cheater
Reputation: 0
Joined: 08 Aug 2006 Posts: 929
Posted: Fri Jan 16, 2009 8:31 pm
Is there, like, an open source file where I can convert bytes in string format to opcodes?
FerrisBuellerYourMyHero Master Cheater
Reputation: 0
Joined: 14 Feb 2007 Posts: 401 Location: Inside your <kernel>
Posted: Fri Jan 16, 2009 8:47 pm
The bytes that make up the code are called machine code. Obviously, no matter how good with numbers you are, it would be pretty hard to interpret the machine code as assembly instructions.
What you're asking is how to code a disassembler in C++. A disassembler takes those machine code bytes and converts them into human-readable assembly instructions. An assembler is quite the opposite: it takes your asm instructions and converts them into machine code.
Anyway, it's a bit complicated. I've thought of the idea before but never actually tried doing it.
A good place to start is maybe with Cheat Engine's disassembler.pas!
http://ce.colddot.nl/browser/Cheat%20Engine/disassembler.pas?rev=62
So you see it's not a matter of "splitting the bytes properly". You have to read the bytes and convert them into string assembly instructions.
For example, for a jump or call instruction you'd have to interpret 0xE9/0xE8 as JMP/CALL, then add the jump offset (the next one/four bytes) to the address of where the E8/E9 is. Finally add the size of the instruction (a long jump is 5 bytes); that gives you the address it jumps to/calls.
So, long jump:
Addr + jump offset + 5;
short jump:
Addr + jump offset + 2;
And that's just one of the many opcodes there are! There are a lot, which is what makes it tricky. Also E8/E9 isn't always a jump or call; it could be part of another instruction.
If you've ever noticed, if you make CE go to an address in the middle of an instruction it disassembles it even though it's in the middle of an instruction... That's the disassembler at work! Trying to interpret the bytes as assembly instructions...
lurc Grandmaster Cheater Supreme
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Fri Jan 16, 2009 9:56 pm
It's actually not that difficult. Dark_Byte filters every single byte (which I found kinda confusing... especially for SIB, which was so unnecessary... I made the same function in C++ in 52 lines...)
What I did was make a huge array of opcode commands and rules (using the operand and size rules in Intel's software manual). Each function would return a size to add on to the main size that is being used.
I have a function for:
Interpreting the first byte for rules
ModRM (for byte commands whose next byte is a ModRM byte)
SIB (for byte commands whose next byte is a SIB byte)
Overall it wasn't too difficult, you just need to know what you're doing.
Here's a pic:
I haven't filtered all rules yet so some opcodes get skipped; like in the picture you can see BOUND ESP, it's one of the ones I haven't implemented yet. I also need to do floating point instructions. Other than that it's done.
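As an added example (my own code, not from this thread and not Cheat Engine's disassembler.pas), the small C++ decoder below follows the approach FerrisBuellerYourMyHero and lurc describe: a per-opcode size rule, a ModRM/SIB size function, and the Addr + offset + 5 / Addr + offset + 2 arithmetic for rel32 and rel8 branches. The opcode subset, the helper names (modrmSize, decode, sweep) and the constructed sample bytes at 0x00400000 are my own choices; the buffer is assumed to contain whole instructions.

```cpp
// Added example, not code from the thread: a tiny x86-32 decoder for a few opcodes that
// shows how instruction boundaries and rel8/rel32 branch targets are worked out.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct Insn { uint32_t addr; size_t len; std::string text; };
// Bytes taken by a ModRM byte plus any SIB byte and displacement that follow it.
static size_t modrmSize(const uint8_t* p) {
    uint8_t mod = p[0] >> 6, rm = p[0] & 7;
    if (mod == 3) return 1;                               // register operand, nothing follows
    size_t n = (rm == 4) ? 2 : 1;                         // rm=100 means a SIB byte comes next
    if (mod == 1) n += 1;                                 // [base + disp8]
    else if (mod == 2) n += 4;                            // [base + disp32]
    else if (rm == 5 || (rm == 4 && (p[1] & 7) == 5)) n += 4;  // mod=00 forms with a bare disp32
    return n;
}
static int32_t rd32(const uint8_t* p) { return (int32_t)(p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24); }
// Decode the one instruction at p, which sits at virtual address addr (buffer assumed complete).
Insn decode(const uint8_t* p, uint32_t addr) {
    static const char* r32[] = {"eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"};
    char buf[64]; uint8_t op = p[0];
    if (op >= 0xB8 && op <= 0xBF) {                       // B8+r: mov r32, imm32 (5 bytes)
        snprintf(buf, sizeof buf, "mov %s, 0x%X", r32[op - 0xB8], (uint32_t)rd32(p + 1));
        return {addr, 5, buf};
    }
    if (op == 0xE8 || op == 0xE9) {                       // call/jmp rel32: target = addr + offset + 5
        snprintf(buf, sizeof buf, "%s 0x%08X", op == 0xE8 ? "call" : "jmp", addr + 5 + rd32(p + 1));
        return {addr, 5, buf};
    }
    if (op == 0xEB) {                                     // jmp rel8: target = addr + offset + 2
        snprintf(buf, sizeof buf, "jmp 0x%08X", addr + 2 + (int8_t)p[1]);
        return {addr, 2, buf};
    }
    if (op == 0x89 || op == 0x8B) {                       // mov with a ModRM byte: size depends on mod/rm/SIB
        size_t n = 1 + modrmSize(p + 1);
        snprintf(buf, sizeof buf, "mov <ModRM form, %zu bytes>", n);
        return {addr, n, buf};
    }
    if (op == 0x90 || op == 0xC3) return {addr, 1, op == 0x90 ? "nop" : "ret"};
    snprintf(buf, sizeof buf, "db 0x%02X", op);           // unknown opcode: emit one byte and resync
    return {addr, 1, buf};
}
// Linear sweep: decode, advance by the decoded length, repeat until the buffer is used up.
std::vector<Insn> sweep(const std::vector<uint8_t>& code, uint32_t base) {
    std::vector<Insn> out;
    for (size_t i = 0; i < code.size(); i += out.back().len) out.push_back(decode(&code[i], base + (uint32_t)i));
    return out;
}
```

Feeding it the bytes B8 0A 00 00 00 at 00400000 yields one 5-byte "mov eax, 0xA" and the next instruction at 00400005, which is exactly the grouping the first post asks about.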
sponge I'm a spammer
Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
Posted: Fri Jan 16, 2009 10:51 pm
lurc wrote:
> It's actually not that difficult. Dark_Byte filters every single byte (which I found kinda confusing... especially for SIB, which was so unnecessary... I made the same function in C++ in 52 lines...)
> What I did was make a huge array of opcode commands and rules (using the operand and size rules in Intel's software manual). Each function would return a size to add on to the main size that is being used.
> I have a function for:
> Interpreting the first byte for rules
> ModRM (for byte commands whose next byte is a ModRM byte)
> SIB (for byte commands whose next byte is a SIB byte)
> Overall it wasn't too difficult, you just need to know what you're doing.
> Here's a pic:
> I haven't filtered all rules yet so some opcodes get skipped; like in the picture you can see BOUND ESP, it's one of the ones I haven't implemented yet. I also need to do floating point instructions. Other than that it's done.

SSE instructions? MMX?
slippppppppp Grandmaster Cheater
Reputation: 0
Joined: 08 Aug 2006 Posts: 929
Posted: Fri Jan 16, 2009 11:08 pm
lurc, you need to help me
lurc Grandmaster Cheater Supreme
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Sat Jan 17, 2009 11:50 am
sponge wrote:
> SSE instructions? MMX?

No SSE, working on MMX. I kinda put the project aside for now, but I'll get back to it soon.
dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Sat Jan 17, 2009 1:37 pm
I gave up on this while making my crap engine, so I just made it a hex editor instead. Before I started, I asked Dark Byte and he said to look at the Intel instruction manual. I did, then I forgot about it because there were hundreds of pages of instructions and their matching opcodes >.<
lurc Grandmaster Cheater Supreme
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Sat Jan 17, 2009 2:15 pm
dnsi0 wrote:
> I gave up on this while making my crap engine, so I just made it a hex editor instead. Before I started, I asked Dark Byte and he said to look at the Intel instruction manual. I did, then I forgot about it because there were hundreds of pages of instructions and their matching opcodes >.<

The structure of it all actually isn't that difficult.
If you look at the chart that's in there for all the opcodes from 00 to FF, you can just build on that. You still have to know what you're doing though, understanding which bit means what and such.