Cheat Engine Forum (The Official Site of Cheat Engine) -> General Gamehacking

Please explain this asm code...
frjd (How do I cheat?)
Posted: Sat Dec 30, 2006 4:20 pm    Post subject: Please explain this asm code...

Please explain this. The code puts the "hero" in GOD mode; how/why does it work?


This (original) code:

005C536C D9 19                FSTP DWORD PTR DS:[ECX]
005C536E 8B 82 A0 06 00 00    MOV EAX,DWORD PTR DS:[EDX+6A0]

Is replaced with:

005C536C E8 DF B7 A4 FF       CALL 00010B50        ; E8 rel32: 00010B50 - (005C536C + 5) = FFA4B7DF
005C5371 90 90 90             NOP NOP NOP          ; pads the 8 displaced bytes

- So instead of putting the value at ptr EDX+6A0 in EAX, we jump to the cave...


Cave written at 10B50:

00010B50 D9 19                 fstp dword ptr [ecx]         ; store real (the displaced original instruction)
00010B52 C7 01 00 90 9C C5     mov dword ptr [ecx],C59C9000 ; C59C9000 as a 32-bit float is -5010.0
00010B58 8B 82 A0 06 00 00     mov eax,[edx+000006A0]       ; the second displaced instruction
00010B5E C3                    ret                          ; back to the NOPs after the CALL
00010B5F 90                    nop

Why do we need the fstp? (assign memory for a real?)
Then c59c9000 is put at ECX?
The value stored at edx+6a0 is put in EAX?
(Is this not what we just removed?)

So the only modification, as far as I can see, is that c59c9000 is put at ECX?


005C5374 85 C0                TEST EAX,EAX
005C5376 75 35                JNZ SHORT godfathe.005C53AD
005C5378 8B 44 24 14          MOV EAX,DWORD PTR SS:[ESP+14]
005C537C D9 80 84 06 00 00    FLD DWORD PTR DS:[EAX+684]
005C5382 8D 56 08             LEA EDX,DWORD PTR DS:[ESI+8]
005C5385 D8 0A                FMUL DWORD PTR DS:[EDX]
005C5387 D9 5C 24 14          FSTP DWORD PTR SS:[ESP+14]
005C538B D9 01                FLD DWORD PTR DS:[ECX]
005C538D D8 1A                FCOMP DWORD PTR DS:[EDX]
005C538F DF E0                FSTSW AX                      ; C0 -> AH bit 0, C2 -> AH bit 2, C3 -> AH bit 6
005C5391 F6 C4 41             TEST AH,41                    ; tests C3|C0
005C5394 74 13                JE SHORT godfathe.005C53A9    ; taken if ST(0) (= [ECX]) > [EDX]
005C5396 D9 01                FLD DWORD PTR DS:[ECX]
005C5398 8D 54 24 14          LEA EDX,DWORD PTR SS:[ESP+14]
005C539C D8 5C 24 14          FCOMP DWORD PTR SS:[ESP+14]
005C53A0 DF E0                FSTSW AX
005C53A2 F6 C4 05             TEST AH,05                    ; tests C2|C0
005C53A5 7B 02                JNP SHORT godfathe.005C53A9   ; taken if ST(0) (= [ECX]) < [ESP+14]
005C53A7 8B D1                MOV EDX,ECX
005C53A9 8B 12                MOV EDX,DWORD PTR DS:[EDX]
005C53AB 89 11                MOV DWORD PTR DS:[ECX],EDX
005C53AD 8D 43 04             LEA EAX,DWORD PTR DS:[EBX+4]
005C53B0 8D 7E 58             LEA EDI,DWORD PTR DS:[ESI+58]
005C53B3 3B F8                CMP EDI,EAX
005C53B5 74 24                JE SHORT godfathe.005C53DB
005C53B7 8B 18                MOV EBX,DWORD PTR DS:[EAX]
005C53B9 8B 0F                MOV ECX,DWORD PTR DS:[EDI]
005C53BB 3B CB                CMP ECX,EBX
005C53BD 74 19                JE SHORT godfathe.005C53D8
005C53BF 85 C9                TEST ECX,ECX
005C53C1 74 06                JE SHORT godfathe.005C53C9

And another cave:

push ebx
lea ebx,[eax+000010f8]
mov [00010ad0],ebx                  ; stash the address of the float at eax+10f8
cmp byte ptr [00400450],01
jne 00400426                        ; target lies outside the posted listing
mov dword ptr [eax+000010f8],4545da1e   ; 4545DA1E as a 32-bit float is about 3165.62
fld dword ptr [eax+000010f8]
pop ebx
ret
nop
dezuzi (Expert Cheater)
Posted: Mon Jan 01, 2007 11:11 am

Could you be more specific about what that code is supposed to do? And you didn't write it?
It's extremely messy; you might want to clean it up before asking what it does!

_________________
Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime.
Dynamic memory is my playground..
frjd (How do I cheat?)
Posted: Mon Jan 01, 2007 11:44 am

dezuzi wrote:
Could you be more specific about what that code is supposed to do? And you didn't write it?
It's extremely messy; you might want to clean it up before asking what it does!


Yes, some of the code is copied from Olly, some from CE, and it contains both the address and the hex code. But I did not think it was hard to see through.

I know it might be difficult to explain without the full source.

The code is "stolen" from another trainer for a different version of the game "Godfather". It works, but not 100%; that's why I want to modify it.
The problem is that if the player takes a lot of damage he loses some functions (can't open doors, is no longer thrown away by explosions...) and the
only "cure" is to disable the trainer and get killed.


Anyway, I believe that it is the second cave, which I found later, that does most of the GOD MODE. (But it is a bit complex for me to understand.)

push ebx
lea ebx,[eax+000010f8]
mov [00010ad0],ebx
cmp byte ptr [00400450],01
// at address 00400450 the trainer makes a one-byte data cave containing 01 hex.
// I guess he wants this to evaluate true always?
// Why not just jump always?

jne 00400426
mov dword ptr [eax+000010f8],4545da1e
fld dword ptr [eax+000010f8]
pop ebx
ret
nop
dezuzi (Expert Cheater)
Posted: Mon Jan 01, 2007 1:28 pm

push ebx                              // pushes ebx onto the stack
lea ebx,[eax+000010f8]                // loads the effective address into ebx
mov [00010ad0],ebx                    // stores ebx at memory location 00010ad0
cmp byte ptr [00400450],01            // compares the byte stored at 00400450 with 1 (true); probably done because you can disable and enable the cheat?
// at address 00400450 the trainer makes a one-byte data cave containing 01 hex.
// I guess he wants this to evaluate true always?
// Why not just jump always?

jne 00400426                          // (j)ump if (n)ot (e)qual to 00400426, otherwise fall through
mov dword ptr [eax+000010f8],4545da1e // moves 4545da1e (most likely a float) into the location eax+000010f8; the rest isn't important
fld dword ptr [eax+000010f8]
pop ebx
ret
nop


anything else i can help with?

frjd (How do I cheat?)
Posted: Mon Jan 01, 2007 1:51 pm

Thanks.

dezuzi wrote:
mov dword ptr [eax+000010f8],4545da1e // moves 4545da1e (most likely a float) into the location eax+000010f8; the rest isn't important

anything else I can help with?


This might be why I could not find the correct decreasing value with CE.
(I did not try to search for a float?!)

4545da1e might be a max. value for health?

This is the original code; what is done with the value?
(I know the ASM codes' full names, but what do they do, and how is the value decreased?)


FLD DWORD PTR DS:[EAX+10F8]       ; this instruction is replaced with the call to the cave
FCOMP DWORD PTR DS:[A9140C]       ; compare ST(0) with the value at A9140C, then pop ST(0)
FSTSW AX                          ; FPU status word into AX: C0 -> AH bit 0, C2 -> AH bit 2, C3 -> AH bit 6
TEST AH,41                        ; tests C3|C0
JPE SHORT godfathe.004A9087       ; taken if ST(0) > [A9140C] (or unordered); falls through if ST(0) <= [A9140C]
PUSH 0
MOV ECX,ESI                       ; ECX = ESI before the call (the MSVC thiscall convention passes 'this' in ECX)
CALL godfathe.0040D6F7
TEST AL,AL
JE SHORT godfathe.004A9087        ; taken if the call returned 0 in AL
OR DWORD PTR DS:[ESI+10],4        ; set bit 2 of [ESI+10]
MOV EAX,DWORD PTR DS:[ESI+10]
SHR EAX,2
AND EAX,1                         ; EAX = bit 2 of [ESI+10], which was just set, so EAX = 1
POP ESI
dezuzi (Expert Cheater)
Posted: Mon Jan 01, 2007 8:19 pm

frjd wrote:
4545da1e might be a max. value for health?

4545da1e is a float value in hex format; I recognise it as a float.

A rather unusual set of assembly code, hehe.

FCOMP DWORD PTR DS:[A9140C]   // compares real with [00a9140c] and pushes DS
FSTSW AX                      // stores the FPU status word into AX
TEST AH,41                    // logical compare
JPE SHORT godfathe.004A9087   // jump if parity even to the given address
PUSH 0                        // push 0 onto the stack
MOV ECX,ESI                   // moves esi into ecx
CALL godfathe.0040D6F7        // calls a function
TEST AL,AL                    // logical compare
JE SHORT godfathe.004A9087    // jump if equal to the given address
OR DWORD PTR DS:[ESI+10],4    // logical inclusive or, not important
MOV EAX,DWORD PTR DS:[ESI+10] // moves [esi+10] into eax
SHR EAX,2                     // divides it by two, two times
AND EAX,1                     // logical and
POP ESI                       // pops esi off the stack

I don't exactly get the godmode part; what kind of game is this? Tetris?

frjd (How do I cheat?)
Posted: Tue Jan 02, 2007 12:40 am

dezuzi wrote:
I don't exactly get the godmode part; what kind of game is this? Tetris?


It's an FPS, http://www.ea.com/official/godfather/godfather/us/home.jsp

- And the godmode does work 99%, I would say.
dezuzi (Expert Cheater)
Posted: Tue Jan 02, 2007 3:02 am

But why don't you make your own godmode?
frjd (How do I cheat?)
Posted: Tue Jan 02, 2007 3:13 am

dezuzi wrote:
But why don't you make your own godmode?


Well, first I could not find the right value to modify (still have not tried to search for a float; might try this later). Also this is my first try at making a trainer, and it is many years since I have used asm (and mostly for microprocessors, not much for PC)... So honestly I did not see how to solve the problem, and as it already was done for another version of the game, it seemed like the easy way to just get the code from an existing trainer...

Also the game uses the e5.0001 protection, so it tends to crash when another debugger is attached (or more correctly, if e5.0001 is detached), making it hard to debug with breakpoints and trace.

---

Tried a new float search, found 3 addresses, traced "what writes to this address"; however, the function found that writes also writes health for the enemy, so now no one can die.

Still don't understand the "caves" the other trainer uses, but I guess they were made due to the above problem.
dezuzi (Expert Cheater)
Posted: Tue Jan 02, 2007 12:35 pm

Most of the time Cheat Engine will be able to find what writes/reads to/from a location before the application crashes; I've never encountered this "e5.0001 protection" myself.

When you were looking for that float value, a certain ID will have been loaded in one of the registers; this will be identical for the "character". Find your character's ID and make a cmp (compare) for it.

Caves are just parts of memory allocated by the process itself that aren't being used; you could compare it to a storage place that isn't being used completely.

If there's anything else I can help you with, feel free to ask.

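dezuzi's suggestion of gating the write with a cmp, written out as an added Cheat Engine auto-assembler script; it is not the trainer's code and not from the thread. It combines the pointer stash from the second cave (the trainer saved eax+10f8 to a fixed address) with a compare, so that only the stashed object receives the forced value and enemies sharing the same code path are left alone, which is the "no one can die" problem frjd ran into. "hookaddr" is a hypothetical placeholder for the address of the FLD DWORD PTR [EAX+10F8], which the thread does not give, and the script assumes the player's object is the first one to pass through the hook after the script is enabled; both have to be checked in the debugger (break on the hook, confirm eax is your character) before relying on them.

```asm
// Added example, not the trainer's code and not from the thread: a filtered
// hook in Cheat Engine auto-assembler syntax. hookaddr is a hypothetical
// placeholder; replace it with the address of FLD DWORD PTR [EAX+10F8].
define(hookaddr,00000000)

[ENABLE]
alloc(newmem,1024)
alloc(playerobj,4)
label(check)
label(originalcode)
label(returnhere)
registersymbol(playerobj)

playerobj:
dd 0

newmem:
cmp dword ptr [playerobj],0            // first pass: nothing stashed yet?
jne check
mov [playerobj],eax                    // stash the object pointer (assumption: this is the player)
check:
cmp eax,[playerobj]                    // only touch the stashed object, not enemies
jne originalcode
mov dword ptr [eax+10f8],4545da1e      // 4545DA1E = about 3165.62 as a 32-bit float
originalcode:
fld dword ptr [eax+10f8]               // the displaced original instruction
jmp returnhere

hookaddr:
jmp newmem                             // 5 bytes; the FLD is 6, so pad one byte
nop
returnhere:

[DISABLE]
hookaddr:
db D9 80 F8 10 00 00                   // restore FLD DWORD PTR [EAX+10F8]
dealloc(newmem)
dealloc(playerobj)
unregistersymbol(playerobj)
```

Because playerobj is registered as a symbol, you can add it to the address list and watch which pointer was stashed; if it is not your character, disable and re-enable the script at a moment when only the player is being processed, or replace the first-pass stash with a cmp on the ID dezuzi describes once you have located it in a register.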