Cheat Engine

[TheRedEye]

I'm trying to create a script for warrock.exe,
while the game is running I'm writing to some address.
a push[xxxxxxx] command
the problem is I dont know how long is the dword of the stack.
how can I get his lenght.

thanks.

[Symbol]

What do you mean "the length"? of the stack?
and don't you mean "push xxxxxx"?

When you push something to the stack, esp will point to the stack address of it, for example esp is 22FFC4, so when you'll push something esp will point to 22FFC0 (DWORD is 4 bytes) and when you pop something, esp will incrase by 4. (unless you push/pop more/less than 4 bytes)

[TheRedEye]

How much byte I know it push/pop ??

[Slugsnack]

Depends what you push on. For example, "push 0" would only push 1 byte whereas "push eax" would push a dword.

[TheRedEye]

I want to do like this

[Recifense]

According to "IA-32 Intel® Architecture Software Developer’s Manual":

Description
Decrements the stack pointer and then stores the source operand on the top of the stack. The address-size attribute of the stack segment determines the stack pointer size (16 bits or 32 bits), and the operand-size attribute of the current code segment determines the amount the stack pointer is decremented (2 bytes or 4 bytes). For example, if these address- and operand-size attributes are 32, the 32-bit ESP register (stack pointer) is decremented by 4 and, if they are 16, the 16-bit SP register is decremented by 2. (The B flag in the stack segment’s segment descriptor determines the stack’s address-size attribute, and the D flag in the current code segment’s segment descriptor, along with prefixes, determines the operand-size attribute and also the address-size attribute of the source operand.) Pushing a 16-bit operand when the stack addresssize attribute is 32 can result in a misaligned the stack pointer (that is, the stack pointer is not aligned on a doubleword boundary).

Operation
IF StackAddrSize = 32
THEN
IF OperandSize = 32
THEN
ESP <- ESP - 4;
SS:ESP <- SRC; (* push doubleword *)
ELSE (* OperandSize = 16*)
ESP <- ESP - 2;
SS:ESP <- SRC; (* push word *)
FI;
ELSE (* StackAddrSize = 16*)
IF OperandSize = 16
THEN
SP <- SP - 2;
SS:SP <- SRC; (* push word *)
ELSE (* OperandSize = 32*)
SP <- SP - 4;
SS:SP <- SRC; (* push doubleword *)
FI;
FI;

I guess that one way to solve the problem is to inform the compiler what you want to be pushed. You can do that by using the cast "dword ptr" for 4 bytes or "word prt" for 2 bytes. Ex.: push dword ptr 1.

Cheers

[Symbol]

[Psy]

You can push 16-bit registers... so like 'push ax' is a very valid instruction.
EAX is a general purpose register as was stated

[TheRedEye]

hmm
I'm not using a compiler, I'm writing into a process of a game.
How can I use this push options?

[Recifense]

Well, I guess you can use def byte and def double word to solve this problem:

push 0400 => 66 68 00 04 (push word ptr)
push 0400 => 68 00 04 00 00 (push dword ptr)

Using DEFs you can do like that:
db 68 // push dword ptr
dd 0400

db 66 68 //push word ptr
dw 0400

Cheers.

[Psy]

Or just type "push <value>" shouldn't be an issue, unless its a real old CE build that has interpreter issues...

[TheRedEye]

hmm in order to jmp back 4 address place
I need to PUSH ??
what value?

[Labyrnth]

[TheRedEye]

jcc
?

I saw someone doing it with push []
how can I do it like he does?

[Symbol]

push Address
ret

But you don't have to do that, you can simply jmp Address.