Cheat Engine

mdockz · Cheater Reputation: 0 Joined: 24 Feb 2013 Posts: 41

I have this bit of code here, from the debugger.

00992E52 - 83 E2 03 - and edx,03
00992E55 - 83 F9 08 - cmp ecx,08
00992E58 - 72 2A - jb 00992E84 <<
00992E5A - F3 A5 - repe movsd
00992E5C - FF 24 95 742F9900 - jmp dword ptr [edx*4+00992F74]

EAX=1B8FEAAC
EBX=00000000
ECX=0000036E
EDX=00000000
ESI=1B8FDCF4
EDI=0019EF5C
ESP=0019EA9C
EBP=0019EAA4
EIP=00992E5A

I want to make a change at the address [ESI-1E].

Can someone explain how I can do this, with a script.

Here is what i try but it doesnt change the information on the address.

[ENABLE]
alloc(blah,1024)
label(return)

00992E58:
JMP blah
return:

blah:
MOV [esi-1E],5F626577
MOV [esi+22],67616D69
MOV [esi+26],616D2E65
MOV [esi+2A],00000063
jb 00992E84
JMP return

[DISABLE]
dealloc(blah)

00992E58:
jb 00992E84

Any help would be appreciated.

M-Z · Posted: Mon Oct 10, 2016 1:36 pm Post subject:

First of all I wonder why it does not crash.
On 00992E58 you make a jump to allocated memory (blah), but the instruction you replace is only 2 bytes long. Far jump takes 5 or 6 bytes.
Perhaps making a jump on cmp instruction will do you more good.
PS. Why are you not using predefined templates?

mdockz · Cheater Reputation: 0 Joined: 24 Feb 2013 Posts: 41

thanks for that, didnt even notice that...

However i still crash with this code.

++METHOS · Posted: Mon Oct 10, 2016 3:00 pm Post subject:

Add the ESI address to your cheat table and right-click on it to see what is writing/accessing it. From there, you should be able to let CE build a script for you, by using one of the instructions that populate the list, that will allow you to alter whatever you want.

M-Z · Posted: Mon Oct 10, 2016 4:31 pm Post subject:

It still looks weird. Why are you not using templates (CTRL+Alt+T, CTRL+i)?
You still jump from 00992E58. To "overwrite" instructions starting from cmp, it should be 00992E55.

sbryzl · Posted: Mon Oct 10, 2016 10:01 pm Post subject:

This might work. I don't know.

mdockz · Cheater Reputation: 0 Joined: 24 Feb 2013 Posts: 41

++METHOS · Posted: Tue Oct 11, 2016 12:14 am Post subject:

What is this for? If you add the address of ESI to your cheat table and change the value, does it stick? You may not be working with the correct address.

As far as an injection point, if changing the value manually works, then writing a script to change the values should also work. If the injection point is not ideal, and you can't find anything else that is accessing the address at ESI, you could try any of the other addresses inside of, or near, the same structure:

[esi-1E]
[esi-1A]
[esi-16]
[esi-12]

Add the above addresses (or any other within range) to your cheat table to see if any instructions are accessing them for a better injection point. But again, none of that will matter if you are working with the wrong value(s).

mdockz · Cheater Reputation: 0 Joined: 24 Feb 2013 Posts: 41

So I found that it doesnt matter, if i alter the code in that section it crashes, I can alter code everywhere else but here i think it is not Read/Write/Execute code.

This doesn't even work, and it doesnt even alter anything just makes it go through an extra loop.

sbryzl · Posted: Tue Oct 11, 2016 9:47 am Post subject:

There's no reason that code should change anything. It still runs the same ops as the original program and just puts them at a different location.