aikoncwd (Grandmaster Cheater)
Reputation: 23
Joined: 21 Dec 2012 Posts: 591 Location: Spain (Barcelona)
Posted: Mon Jan 07, 2013 6:51 am Post subject: Help with fistp instruction
I have this problem:
There is a timer in a game. At the start of the stage the time is 99, then it decreases by 1 every second, and when the time reaches 00 you die instantly. I found the address, it's a Double, and this address changes every time I start the game, so I want to make an AA script to solve this. This is the original script:
Code:
    fistp qword ptr [ecx+edx]
    ret
    nop
If I use the "replace" function with nops, the game crashes. I know that the fistp instruction pops an integer from the top of the FPU stack into the destination, but I don't know how I can modify this section to prevent the time decreasing, any help?
I tried fistp st(0) but it doesn't work.
ecx+edx = address where the time is stored
Thanks

mgr.inz.Player (I post too much)
Reputation: 222
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Mon Jan 07, 2013 7:05 am
Try "find out what addresses this instruction accesses" first.
If there are more addresses accessed (not just one), you found a shared function, a function which updates other timers.
Edit:
fistp can be replaced with fstp st(0) too (instead of nop).

aikoncwd (Grandmaster Cheater)
Posted: Mon Jan 07, 2013 7:20 am
mgr.inz.Player wrote:
    Try "find out what addresses this instruction accesses" first.
    If there are more addresses accessed (not just one), you found a shared function, a function which updates other timers.
    Edit:
    fistp can be replaced with fstp st(0) too (instead of nop).
Thanks for your reply, this is what I get:
First, I replaced the fistp instruction with fstp st(0), but then the game freezes and doesn't continue running until I disable the script, so this doesn't work.
Second, I used "find out what addresses this instruction accesses" and I get 2 instructions accessing this address:
fild qword ptr [ecx+eax] (this counts about 900 times a second)
fistp qword ptr [ecx+edx] (this counts 1 time a second)
But I don't know how to continue now

Fresco (Grandmaster Cheater)
Reputation: 4
Joined: 07 Nov 2010 Posts: 600
Posted: Mon Jan 07, 2013 9:10 am
fstp st0, yes it would pop from the stack, but then you would get a new st0, not the correct one.
The fstp st0 instruction pops from the stack into st0, thus changing st0.
Your game crashes because of the stack or because of the changed register st0.
This will solve your problem:
Code:
    alloc(newmem,8)
    registersymbol(newmem)
    newmem:
    db 00 00 00 00 00 00 00 00
    game.exe+offset:
    fistp qword ptr [newmem]
    ret
    nop
It basically says: instead of writing to the address that the game accesses (checks) to see if the time's up, write to an address that the game doesn't check.
Or you could also write the value that you want to st0 before the fistp instruction.

aikoncwd (Grandmaster Cheater)
Posted: Mon Jan 07, 2013 9:22 am
Fresco wrote:
    fstp st0, yes it would pop from the stack, but then you would get a new st0, not the correct one.
    The fstp st0 instruction pops from the stack into st0, thus changing st0.
    Your game crashes because of the stack or because of the changed register st0.
    This will solve your problem:
    Code:
        alloc(newmem,8)
        registersymbol(newmem)
        newmem:
        db 00 00 00 00 00 00 00 00
        game.exe+offset:
        fistp qword ptr [newmem]
        ret
        nop
    It basically says: instead of writing to the address that the game accesses (checks) to see if the time's up, write to an address that the game doesn't check.
    Or you could also write the value that you want to st0 before the fistp instruction.
Hi, I used your code, but the game freezes and crashes instantly

Fresco (Grandmaster Cheater)
Posted: Mon Jan 07, 2013 12:30 pm
Well, you shouldn't have used it like I wrote it...
Especially this part of it:
Fresco wrote:
    Code:
        //[...]
        game.exe+offset:
        fistp qword ptr [newmem]
        ret
        nop
First of all, replace "game.exe+offset" with the real address of the fistp code.
Then delete the ret and the nop instructions.
Like this:
Code:
    //[...]
    correct address here:
    fistp qword ptr [newmem]
That should work.
fistp qword ptr [ecx+edx]
fistp = store and pop
qword ptr = size 8 bytes (qword = quad word = 8 bytes = double? = long long integer?)
[ecx+edx] = where to store? ... well, calculate the value of ecx+edx and you get the where ... by this:
fistp qword ptr [newmem]
we're basically changing the where ...
Where? Well, at newmem's address.
Next time the game checks the address ecx+edx to see if it's 0 and exits if so, it won't find any changes, because the original code that wrote to ecx+edx, instead of writing to ecx+edx, writes to newmem, which the game doesn't check and therefore doesn't know its content.

mgr.inz.Player (I post too much)
Posted: Mon Jan 07, 2013 1:14 pm
Fresco wrote:
    fstp st0, yes it would pop from the stack but then you would get a new st0, not the correct one
He doesn't want that value. He just wants to "NOP" that instruction.
Of course it will pop from the stack.
"fstp st(0)" actually is "fstp st(0),st(0)", which actually is "fst st(0),st(0); then pop ST(0)"
This is the proper way to "nop" some FPU instructions.
The crash probably happens because that piece of code is shared with other timers.
AikonCWD wrote:
    Second, I used "find out what addresses this instruction accesses" and I get 2 instructions accessing this address:
    fild qword ptr [ecx+eax] (this counts about 900 times a second)
    fistp qword ptr [ecx+edx] (this counts 1 time a second)
No no no. You used "find out what accesses this address". You should use "find out what addresses this instruction accesses". Go to memory viewer, right click "fistp qword ptr [ecx+edx]" and choose the feature mentioned earlier. You should see only one address. If you see more, that means this piece of code is not only for the "99 timer". So changing that piece of code can corrupt other timers.
Editing reason: typo.
Last edited by mgr.inz.Player on Mon Jan 07, 2013 1:38 pm; edited 1 time in total
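The x87 behaviour the thread is arguing about, as an added example (not code from the thread or from Cheat Engine): it assumes GCC or Clang on an x86 or x86-64 machine with AT&T inline asm and runs the real instructions, showing that fild/fistp and fild/fstp st(0) both leave the register stack balanced, while a fistp that is simply removed (the nop replacement) overflows the 8-register stack on the 9th unbalanced load.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: GCC or Clang on x86/x86-64, AT&T inline asm, the real x87 FPU.
 * Constructed example; the thread only shows the game's own instructions. */

/* fild qword ptr [src] ; fistp qword ptr [dst]: the game's paired load and
 * store-and-pop. One push, one pop, so the register stack is left as it was. */
static int64_t fild_fistp(int64_t src) {
    int64_t dst = -1;
    __asm__ volatile ("fildll %1\n\tfistpll %0" : "=m"(dst) : "m"(src) : "st");
    return dst;
}

/* Same load, but the fistp replaced by fstp st(0) (the "proper nop"): the
 * value is popped and discarded, nothing is written, the stack stays balanced. */
static int64_t fild_fstp_st0(int64_t src, int64_t dst_before) {
    __asm__ volatile ("fildll %0\n\tfstp %%st(0)" : : "m"(src) : "st");
    return dst_before;   /* untouched: fstp st(0) never stores to memory */
}

/* The "replace fistp with nop" case: n loads whose matching pop was removed.
 * Returns the Stack Fault bit (SF, bit 6) of the x87 status word. The stack
 * has 8 registers; the 9th unbalanced push overflows it, the loaded value
 * becomes the indefinite NaN and SF|IE are set. In a game loop that garbage
 * reaches every later FPU user, which is the crash the original poster saw. */
static int stack_fault_after_unbalanced_pushes(int n) {
    int64_t one = 1;
    uint16_t sw;
    __asm__ volatile ("fninit");                /* empty stack, exceptions masked */
    for (int i = 0; i < n; i++)
        __asm__ volatile ("fildll %0" : : "m"(one) : "st");
    __asm__ volatile ("fnstsw %0" : "=a"(sw));  /* read the status word */
    __asm__ volatile ("fninit");                /* restore a sane FPU state */
    return (sw >> 6) & 1;
}

int main(void) {
    printf("fild/fistp 99        -> %lld\n", (long long)fild_fistp(99));
    printf("fild/fstp st(0)      -> dst stays %lld\n", (long long)fild_fstp_st0(99, 7));
    printf("8 unbalanced pushes: SF=%d\n", stack_fault_after_unbalanced_pushes(8));
    printf("9 unbalanced pushes: SF=%d\n", stack_fault_after_unbalanced_pushes(9));
    return 0;
}
```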

aikoncwd (Grandmaster Cheater)
Posted: Mon Jan 07, 2013 1:22 pm
mgr.inz.Player wrote:
    No no no. You used "find out what accesses this address". You should use "find out what addresses this instruction accesses". Go to memory viewer, right click "fistp qword ptr [ecx+edx]" and choose the feature mentioned earlier. You should see only one address. If you see more, that means this piece of code is not only for the "99 timer". So changing that piece of code can corrupt other timers.
I'm sorry, my reading level is like a potato. Now I used the function you mentioned, this is what I get (attached).
Is there a solution for this?
PD: I'm from Spain, sorry for my English

mgr.inz.Player (I post too much)
Posted: Mon Jan 07, 2013 1:37 pm
Yes. I had the same problem with timers in AC:B and AC:R.
You need additional checks, like a stack check, structure check, register check, caller check. There's no universal method.
In that window: "changed address". Change from 4 bytes to double and post a screenshot again. If other timers always start significantly below 99, like below 50, we can try to filter out all other addresses (other timers).
Edit: typo.
Last edited by mgr.inz.Player on Mon Jan 07, 2013 2:14 pm; edited 1 time in total

aikoncwd (Grandmaster Cheater)
Posted: Mon Jan 07, 2013 1:58 pm
mgr.inz.Player wrote:
    Yes. I had the same problem with timers in AC:B and AC:R.
    You need additional checks, like a stack check, structure check, register check, caller check. There's no universal method.
    In that window: "changed address". Change from 4 bytes to double and post a screenshot again. If other timers always start significantly below 99, like below 50, we can try to filter out all other addresses (other timers).
One question...
Is it possible to get the address where the game stores the 99 time value? We know that the address is [ecx+edx] so... is it possible to registersymbol, assign the value of [ecx+edx] and show it on the CE table?
I'm saying that because if I search for the address where the value is stored, I can freeze it and it works well; the problem is that the address changes every time you restart the game.
I saw a CE table made by a user from this forum using this method, so I know it's possible but I don't know how to make it.

mgr.inz.Player (I post too much)
Posted: Mon Jan 07, 2013 2:03 pm
It is possible. But you also get addresses for other timers.
You still have to filter out other addresses (timers).
Edit:
Give that screenshot I mentioned in my previous post. And give me another one: a screenshot of the "memory view" window with the fistp highlighted......

aikoncwd (Grandmaster Cheater)
Posted: Mon Jan 07, 2013 2:19 pm
mgr.inz.Player wrote:
    It is possible. But you also get addresses for other timers.
    You still have to filter out other addresses (timers).
    Edit:
    Give that screenshot I mentioned in my previous post. And give me another one: a screenshot of the "memory view" window with the fistp highlighted......
Let's try another easy thing. I put the URL to download the game. It's a freeware game, no installation required, only execute and play.
Use Z for fire and X for jump. You will see a timer in the top-right corner. The game stores that value in Double; try it yourself because it's easier than posting screenshots here (I'm so noob).
URL: http://www(.)locomalito(.)com/maldita_castilla.php

mgr.inz.Player (I post too much)
Posted: Mon Jan 07, 2013 3:00 pm
Hmm, is it an emulator or something?

aikoncwd (Grandmaster Cheater)
Posted: Mon Jan 07, 2013 3:02 pm
mgr.inz.Player wrote:
    Hmm, is it an emulator or something?
No, just a stand-alone game

mgr.inz.Player (I post too much)
Posted: Mon Jan 07, 2013 3:16 pm
Try this (I played 20 seconds only, going to sleep now):
Code:
    [ENABLE]
    alloc(newmem,2048)
    label(returnhere)
    label(originalcode)
    label(exit)
    newmem:
    cmp ebp,00000001
    jne originalcode
    cmp ecx,00000008
    jne originalcode
    cmp eax,0013FB58
    jne originalcode
    fistp qword ptr [edx]
    fstp ST(0)
    jmp returnhere
    originalcode:
    fistp qword ptr [edx]
    fistp qword ptr [ecx+edx]
    exit:
    jmp returnhere
    "Maldita Castilla.exe"+4544:
    jmp newmem
    returnhere:
    [DISABLE]
    dealloc(newmem)
    "Maldita Castilla.exe"+4544:
    //Alt: fistp qword ptr [edx]
    //Alt: fistp qword ptr [ecx+edx]
    db DF 3A DF 3C 11