Cheat Engine

ulysse31 · Posted: Thu Mar 19, 2015 5:59 pm Post subject: Help with reading memory

Hi, so I am practicing memory understanding/reading, atm i use cheat engine tutorial and I have trouble understanding something.
I am at step 6 andI found the value i had to find, saw what accessed the value.

There instead looking for pointer value etc i actually want to understand the code, so what writes the original value (health) is
mov [edx],eax

In what accessed the health value i had :
mov eax,[eax]
mov [edx],eax
mov eax,[eax]
mov eax,[eax]

//
Howevery by opening memory viewer right before the code that writes (mov [edx],eax) I see this mov eax,[ebp-10]
So what I understand is that [edx] is where my health value is being updated, it is updated by eax which comes from [ebp-10].
If i check where [ebp-10] comes from i get this :
mov [ebp-10],eax
and if i check where this eax comes from i get this :
mov eax,000003E8
and right before this i get this :
mov eax,[eax]

And the what accesses this adress gave me the last mov eax,[eax] i wrote, the one before mov eax,000003E8.
i dont understand why, as mov eax,000003E8 is after mov eax,[eax] it should contain the value we are interested in which is then given to [ebp-10] and then back to eax and finally to [edx] which is what we cared about?
I could understand if there was a call in between those mov eax,[eax] and mov eax,000003E8 ; a call could (shouldn't afaik) but could change ebp (although i know it's supposd not to change ebp).
Or a conditional jump that would leave mov eax,000003E8 out of the code, but no there is no such things between these lines so I am really missing something here, can anyone explain ?

Edit :
I realised i tracked the value displayed instead of the adress which was edx.

justa_dude · Posted: Thu Mar 19, 2015 6:41 pm Post subject: Re: Help with reading memory

ulysse31 · Posted: Thu Mar 19, 2015 7:59 pm Post subject:

Thanks.

I have now realised that [ebp-10] contains the health value while [ebp-0C] contains the adress which will be updated with the value; actually more accurately [tut.exe+245360] contains this adress.
I froze the value of the adress saying where to store health value and when i click change pointer obviously enough the pointer doesn't change anymore.

However when I look into the heal value and where it comes from (not where it gets stored anymore) I do all that I mentioned on the first post and it doesn't make sense.
So i focused on [ebp-10] which i am 99,99% sure contains the new health value every time.
Now either a call ninja changes [ebp-10] (as calls end with leave or an ebp set back it's unlikely) either the instruction mov [ebp-10],eax is what changes our health value.
And every time [ebp-10] gets updated (mov [ebp-10],eax) the same function call is done right before so i am assuming that this is the function determining the new heathvalue and that this function simply updates eax which is then stored into [ebp-10].
this function is here : 0040CD60 (tut.exe +CD60)
this function calls several function but at the very end it calls tut.exe+6F30
and after it does mov eax,edx.

So i went to tut.exe+6F30 to find what is edx and as it was getting too complicated i simply found the latest code of this function changing edx and i set it to add edx,01

So i would expect either a crash either the health value to do +1 every time i change it but instead it seemingly keeps having its random pattern.

Any idea why ? =)

Edit :
Ok then i watched it over and thought... I am adding 1 to a random value so why am i surprised that random +1 is still random ?
I was ashamed but it is 1 am here so please don't judge me.
I replaced it with a code injection (new code was taking too many bytes) and i wrote mov edx,01.
It worked so i did find the function into the function changing the health but after a few clicks it said this :
"Congratulation, you screwed up with CE tutorial, press OK to continue and risk data corruption or press cancel to exit".
Of course i pressed ok =)