Cheat Engine The Official Site of Cheat Engine
Ulic (How do I cheat?) - Reputation: 0 - Joined: 27 Apr 2008 - Posts: 6
Posted: Sun Apr 27, 2008 8:11 pm - Post subject: Help With An Auto Assemble Script
I'm messing around with Fable: The Lost Chapters and I've encountered a problem. I can't find the base pointer for Gold. I can get to a second level pointer but that's it. So I want to work around this by using an auto assemble script but I don't understand auto assemble scripts very well at all.
Can someone help me out with the meat of the script? I know I could just add nop after the address I found but I'd like it to let me increase my gold but prevent it from decreasing. Frankly I have no idea what I'm doing and probably shouldn't even try. I'm not even sure I identified the correct opcode for what I want to do but here's what I've pieced together so far:
Code:
[ENABLE]
label(cave) //Do I have to/should I give a size?
00400019: //A code cave I found
???
??? //Really no idea what to put in here to prevent my gold from decreasing while still allowing it to increase
???
0057b338: //The address I found where the opcode fires
jmp 00400019 //Jump to the heart of my script, currently filled with ???
nop //To take care of any left over bytes
back:
[DISABLE]
0057b338:
mov [esi+3c],eax //The original opcode that was firing
I have a SS of CE with the opcode and disassembler windows open but I can't post url's yet so I'll describe it as best I can.
"The following opcodes change at the selected address:"
Code:
0057b338 - 89 46 3c - mov [esi+3c],eax
"Memory Viewer:"
Code:
Address Bytes Opcode
0057b331 57 push edi
0057b332 8b 7e 3c mov edi,[esi+3c]
0057b335 8d 04 1f lea eax,[edi+ebx]
0057b338 89 46 3c mov [esi+3c],eax //This is the address and opcode that fire
0057b33b 38 90 b6 10 00 call 006869d0
0057b340 8b 80 dc 00 00 00 mov eax,[eax+000000dc]
0057b346 8b 4e 3c mov ecx,[esi+3c]
0057b349 83 c0 53 add eax,5c
0057b34c 85 c9 test ecx,ecx
0057b34e 7d 06 jnl 0057b356
Please help me out, I'd like to know if I'm on the right track but feel free to totally scrap my script and call me an idiot if I'm going in totally the wrong direction. Thanks in advance.
Labyrnth (Moderator) - Reputation: 10 - Joined: 28 Nov 2006 - Posts: 6301
Posted: Sun Apr 27, 2008 8:59 pm
Use the template script from CE.
And work with this instruction:
Code:
0057b338 89 46 3c mov [esi+3c],eax
eax is gold moved into the address [esi+3c].
So you can cheat very easily by making eax a value.
Code:
mov eax,5F5E0FF
Basically moving $99,999,999 into eax.
Then mov [esi+3c],eax
So it all looks like this in your script.
Code:
mov eax,5F5E0FF
mov [esi+3c],eax
Good luck.
Ulic (How do I cheat?) - Reputation: 0 - Joined: 27 Apr 2008 - Posts: 6
Posted: Sun Apr 27, 2008 9:42 pm
Ahhh sweet. Thanks for your help.
That will set my cash at $99,999,999 whenever I buy or sell anything right? That is much better than the nop solution I knew would work which would have prevented me from ever gaining money. I'll try implementing that and see if I can get it to work.
As a follow up, is there some way I could improve on the script, say by having it store whatever the "cash" value is before I buy or sell something and then comparing that with the value after I bought or sold something and only allow the value to change if the new value is higher? eax is the new altered value anyway right? Could I just scroll up the decompiler and find where this new value is being moved into eax and store the old value first? Is this even possible? Does it work that way? If it is possible is the information I need handy or next to impossible to find?
Thanks again.
Psy (Grandmaster Cheater Supreme) - Reputation: 1 - Joined: 27 Mar 2008 - Posts: 1366
Posted: Mon Apr 28, 2008 2:49 am
First the whole script, then I'll explain a bit at the bottom...
Code:
[enable]
alloc(cave,50) //allocate an area of memory to use, 50 bytes
label(skip) //create 2 labels to help us easily move in memory
label(back)
cave: //at the cave address, we do the code we want
lea eax,[edi+ebx]
cmp eax,[esi+3c]
jng skip
mov [esi+3c],eax
skip:
jmp back // then jump back to running game code
57b335: // we tell the game to jump to the cave when it hits here
jmp cave
nop // nop left over bytes that would cause problems
[disable] //the disable part to restore the original code and destroy cave
57b335:
lea eax,[edi+ebx]
mov [esi+3c],eax
dealloc(cave)
Ok firstly there are a few things you did wrong or didn't do.
You made a 'label(cave)' instead of alloc cave. Which would have just told CE that you wished to use the name 'cave' as a label, instead of telling it to create a cave with a certain number of bytes. Proper syntax, "alloc(cave,50)" like that. The name of my allocated memory space is 'cave' and I've defined 50 bytes which should be enough.
After trying to allocate a code cave you went ahead and manually found an area of existing memory (in the PE header) to use as a cave, which spoils the whole idea.
Also when you made your jump out from normal code you used one NOP to try to eliminate left over op-codes. A long jmp uses 5 bytes, and you NOP'ed one, which still leaves 2 bytes at "0057b33b" left over. You should have NOP'ed those 2 extra bytes too, and recreated the destroyed instruction at your cave.
My cave should work based on the info you provided, but you might have to play around with it.
What I am doing at the cave is comparing the new value that would normally be moved into the pointer [esi+3c] with 'cmp', then making a conditional jump statement after it. So basically if the new value is not greater (jng - jump if not greater), then it will not be moved and we will instead proceed to the 'skip' line of my code, which we defined with 'label(skip)'.
Hope that helps some.
Labyrnth (Moderator) - Reputation: 10 - Joined: 28 Nov 2006 - Posts: 6301
Posted: Mon Apr 28, 2008 8:05 am
Ulic wrote:
"Could I just scroll up the decompiler and find where this new value is being moved into eax and store the old value first? Is this even possible? Does it work that way? If it is possible is the information I need handy or next to impossible to find."
Yes, you can. Also look at the debug options in CE or use ollydbg.
Then you can step the code and see where eax gets its value from.
Ulic (How do I cheat?) - Reputation: 0 - Joined: 27 Apr 2008 - Posts: 6
Posted: Mon Apr 28, 2008 7:26 pm
Thanks guys. The script Psych supplied works great just had to declare "back" in the body of the script. I'm having trouble applying the same logic to other circumstances however. There is a general experience value that I would like to do the same thing for and again can't find the base pointer for.
"The following opcodes change at the selected address:"
Code:
006d6f8e 01 51 14 - add [ecx+14],edx
"Memory Viewer:"
Code:
Address Bytes Opcode
006d6f60 8b 44 24 24 mov eax,[esp+04]
006d6f64 8b 51 5c mov edx,[ecx+5c]
006d6f67 8b 92 fc 00 00 00 mov edx,[edx+000000fc]
006d6f6d 8d 04 80 lea eax,[eax+eax*4]
006d6f70 c1 e0 04 shl eax,04
006d6f73 8b 44 02 3c mov eax,[edx+eax+3c]
006d6f77 8b 51 18 mov edx,[ecx+18]
006d6f7a 8d 14 82 lea edx,[edx+eax*4]
006d6f7d 56 push esi
006d6f7e 8b 74 24 0c mov esi,[esp+0c]
006d6f82 28 32 sub [edx],esi
006d6f84 8b 51 18 mov edx,[ecx+18]
006d6f8a 8b 10 mov edx,[eax]
006d6f8c 79 09 jns 006d6f97
006d6f8e 01 51 14 add [ecx+14],edx //This is the address and opcode that fire
006d6f91 c7 00 00 00 00 00 mov [eax],00000000
006d6f97 5e pop esi
006d6f98 c2 08 00 ret 0008
I tried this among other permutations:
Code:
[ENABLE]
alloc(cave,50)
label(skip)
label(back)
cave:
cmp edx,01 //Comparing edx, the value that is equal to the change in experience, to 1
jng skip //If edx is not greater than 1 (edx <= 1) jump to skip
add [ecx+14],edx //Else add edx and [ecx+14] storing it at [ecx+14]
skip:
jmp back
6d6f8e:
jmp cave
nop
back:
[DISABLE]
6d6f8e:
add [ecx+14],edx
dealloc(cave)
What am I missing, why won't that work? It just crashes the game.
Chase Payne (Grandmaster Cheater) - Reputation: 1 - Joined: 20 Mar 2008 - Posts: 533
Posted: Mon Apr 28, 2008 9:38 pm
Try [ecx+14] on cmp... that could be why it's crashing (I'm still very new on this). If cmp causes crashes just play around with it.
also I think what they mean by cave is for you to make the jump go to a code cave.
Labyrnth (Moderator) - Reputation: 10 - Joined: 28 Nov 2006 - Posts: 6301
Posted: Mon Apr 28, 2008 10:16 pm
cave: <--- is the allocated code cave, same as using an address here. But it is predefined as 50 bytes in size.
jmp cave <--- jump to the code cave.
You need to toggle this script while looking at the assembly in memory.
Make sure it is nopping all of the left over bytes when it replaces the original instruction with a jmp.
If it isn't you need to add another nop to clean up the left over bytes.
Give this a try and see what happens as well, I'm curious about something.
Code:
[ENABLE]
alloc(cave,50)
label(skip)
label(back)
cave:
cmp edx,01
jng skip
add [ecx+14],edx
jmp back
skip:
jmp back
6d6f8e:
jmp cave
nop
back:
[DISABLE]
6d6f8e:
add [ecx+14],edx
dealloc(cave)
Psy (Grandmaster Cheater Supreme) - Reputation: 1 - Joined: 27 Mar 2008 - Posts: 1366
Posted: Tue Apr 29, 2008 2:38 am
Look, here's the deal:
Code:
006d6f8e 01 51 14 add [ecx+14],edx //This is the address and opcode that fire
006d6f91 c7 00 00 00 00 00 mov [eax],00000000
You're creating a jump out at 0x6d6f8e, that will take 5 bytes, destroying completely the opcode at that location and partly the opcode that's coming next at 0x6d6f91.
You have put one NOP in, but are going to need 3 more, to give a total of 4 NOPs. Then you will need to recreate the destroyed opcodes at your cave in full.
There is nothing wrong with your scripts, the cmp is fine and the jmp between the 'back' label is fine too. There is no need to perform 2 separate jumps out.
So try this as a result:
Code:
[ENABLE]
alloc(cave,50)
label(skip)
label(back)
cave:
cmp edx,01 //Comparing edx, the value that is equal to the change in experience, to 1
jng skip //If edx is not greater than 1 (edx <= 1) jump to skip
add [ecx+14],edx //Else add edx and [ecx+14] storing it at [ecx+14]
skip:
mov [eax],00000000
jmp back
6d6f8e:
jmp cave
db 90 90 90 90
back:
[DISABLE]
6d6f8e:
add [ecx+14],edx
mov [eax],00000000
dealloc(cave)
This here I'm still concerned about though:
Code:
cave:
cmp edx,01 //Comparing edx, the value that is equal to the change in experience, to 1
jng skip //If edx is not greater than 1 (edx <= 1) jump to skip
add [ecx+14],edx //Else add edx and [ecx+14] storing it at [ecx+14]
skip:
mov [eax],00000000
jmp back
I don't know how those opcodes are running, and re-creating them the way it's done there may still throw the game into a fuss, but it should be ok.
The key thing here was the fact that you were not fully destroying leftover opcodes, and that would be the primary reason the game was crashing.
Get back to me on it...
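Psy's point about the leftover bytes is the one that bit this thread twice, so here is an added example (not Cheat Engine's code and not from anyone in this thread): a small Python planner that parses the "Address Bytes Opcode" listings posted above and reports, for a 5-byte jmp placed at a hook address, which whole instructions it destroys (and so must be recreated in the cave), how many NOPs pad the gap up to the next intact instruction, and which of those instructions carry a relative target that cannot be copied verbatim. The listings are the two from this thread; the function names are my own.

```python
import re

# Copied from the two memory-viewer listings posted in this thread.
GOLD_LISTING = """
0057b335 8d 04 1f lea eax,[edi+ebx]
0057b338 89 46 3c mov [esi+3c],eax //This is the address and opcode that fire
0057b33b 38 90 b6 10 00 call 006869d0
"""
XP_LISTING = """
006d6f8e 01 51 14 add [ecx+14],edx //This is the address and opcode that fire
006d6f91 c7 00 00 00 00 00 mov [eax],00000000
006d6f97 5e pop esi
"""

# "Address Bytes Opcode": 8 hex digits, then two-digit byte pairs, then the mnemonic.
LISTING_RE = re.compile(r"^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}\s+)+)(.*)$")
JMP_LEN = 5  # a long jmp (E9 rel32) overwrites five bytes

def parse_listing(text):
    """Return [(address, byte_count, opcode)] for every instruction line."""
    out = []
    for line in text.strip().splitlines():
        m = LISTING_RE.match(line.strip())
        if not m:
            continue  # skips the "Address Bytes Opcode" header, if present
        addr, raw, opcode = m.groups()
        out.append((int(addr, 16), len(raw.split()), opcode.split("//")[0].strip()))
    return out

def plan_detour(instrs, hook_addr):
    """Instructions a 5-byte jmp at hook_addr destroys, the NOPs needed to pad
    up to the next intact instruction, and any that cannot be copied verbatim."""
    covered, total = [], 0
    for addr, n, op in instrs:
        if addr < hook_addr:
            continue
        if total == 0 and addr != hook_addr:
            raise ValueError("hook address is not on an instruction boundary")
        if total >= JMP_LEN:
            break
        covered.append(op)
        total += n
    if total < JMP_LEN:
        raise ValueError("listing does not reach past the jmp")
    # call/jcc/jmp encode a target relative to their own address; recreating
    # them in a cave needs a fixed-up target, so the planner flags them.
    fixup = [op for op in covered if op.split()[0] == "call" or op.startswith("j")]
    return {"relocate": covered, "nops": total - JMP_LEN, "fixup": fixup}
```

Run against the thread's data it gives 1 NOP for the gold hook at 0057b335 and 4 NOPs for the experience hook at 006d6f8e, matching Psy's scripts; hooking at 0057b338 instead, as the first script did, would need 3 NOPs and a fixed-up copy of the call.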
Ulic (How do I cheat?) - Reputation: 0 - Joined: 27 Apr 2008 - Posts: 6
Posted: Tue Apr 29, 2008 9:49 pm
Again thanks guys. Psych you were right, the problem wasn't enough jumps, it was that I wasn't NOPing the left over bytes. I didn't realize that I would run into the next address and have to NOP those bytes as well. Psych's modified script worked fine. I did change it up some to be a little more robust once I had a working version though. Here it is:
Code:
[ENABLE]
alloc(cave,50)
label(skip)
label(back)
label(plus)
cave:
cmp [ecx+14],14FF0 //Comparing the current experience value with 86000, the value of the most expensive upgrade
jng plus //Jump to plus if current experience is not greater than 86000 else continue
cmp edx,00 //Comparing the value to be added to the current experience value to 0
jng skip //Jump to skip if the value to be added is not greater than 0 (zero or negative) else continue
add [ecx+14],edx //Add the newly acquired experience value to the current experience value
skip:
mov [eax],00000000
jmp back
plus:
mov [ecx+14],14FF0 //For below see above
cmp edx,00
jng skip
add [ecx+14],edx
jmp back
6d6f8e:
jmp cave
db 90 90 90 90 //NOPing left over bytes
back:
[DISABLE]
6d6f8e:
add [ecx+14],edx
mov [eax],00000000
dealloc(cave)
So now I've got a script for gold, one for general experience, one for the game's combat multiplier (not discussed), all I really want now is one for health and one for mana but I'm at a bit of a loss here. I found two addresses when I was searching for health, one doesn't seem to affect my health when I freeze or NOP it though. I also think the opcode I found that does affect health affects not just my character but everyone in the game, enemies included. When I nop it no one takes damage. I'm not entirely sure what the code is doing either so that makes it tough.
Code:
Address Bytes Opcode
006A6309 3c 01 cmp al,01
006A630B 75 0d jne 006a631a
006A630D a0 c8 86 3b 01 mov ax,[013b86c8] : 0000
006A6312 84 c0 test al,al
006A6314 0f 85 ab 01 00 00 jne 006a64c5
006A631A f6 86 bc 00 00 00 01 test byte ptr [esi+000000bc],01
006A6321 0f 84 9e 01 00 00 je 006a64c5
006A6327 d9 44 24 08 fld dword ptr [esp+08]
006A632B 57 push edi
006A632C d8 86 b4 00 00 00 fadd dword ptr [esi+000000b4]
006A6332 d9 9e b4 00 00 00 fstp dword ptr [esi+000000b4] //This is the op code that fires
006A6338 8b 46 34 mov eax,[esi+34]
006A633B f6 c4 20 test ah,20
006A633E 74 65 je 006a63a5
006A6340 8d 44 24 0c lea eax,[esp+0c]
006A6344 8d 7e 44 lea edi,[esi+44]
006A6347 50 push eax
This is the other address's opcode. I've copied less as it seems to do nothing:
Code:
Address Bytes Opcode
00647C11 e8 5a cc de ff call 00434870
00647C16 8b 45 f0 mov eax,[ebp-10]
00647C19 8b 88 b4 00 00 00 mov ecx,[eax+000000b4]
00647C1F 89 4f 34 mov [edi+34],ecx
00647C22 68 84 00 00 00 push 00000084
Any suggestions here guys? If not that's alright, thanks for all your help so far.
Labyrnth (Moderator) - Reputation: 10 - Joined: 28 Nov 2006 - Posts: 6301
Posted: Wed Apr 30, 2008 1:34 pm
Ulic wrote:
"Again thanks guys. Psych you were right the problem wasn't enough jumps it was that I wasn't NOPing the left over bytes."
Lab said:
You need to toggle this script while looking at the assembly in memory.
Make sure it is nopping all of the left over bytes when it replaces the original instruction with a jmp.
If it isn't you need to add another nop to clean up the left over bytes.
Of course you do know [Psych] is Lab's alter ego, or is it the other way around? Hmmm, remains to be seen!
Could be my brother from another mother instead.
Psy (Grandmaster Cheater Supreme) - Reputation: 1 - Joined: 27 Mar 2008 - Posts: 1366
Posted: Wed Apr 30, 2008 1:40 pm
Hehe
Lab did say that early on...
It would seem to be the most common mistake people make, not cleaning up left-over bytes...