Cheat Engine The Official Site of Cheat Engine
hacksign23 Master Cheater
Reputation: 0
Joined: 26 Nov 2006 Posts: 404
Posted: Sat Oct 27, 2007 1:32 am Post subject: Minesweeper Help
Well, I made one for this when it was at the beginning. This only works if I freeze the script.
I wanted to make something with a switch to enable/disable the timer.
The switch is the registersymbol(switch). How can I skip the nopping part of the script?
Thanks if it works:
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(switch, 4)
alloc(hookit, 256)
alloc(hookit2, 256)
label(No)
label(Yes)
label(loop)
label(Start)
label(Stop)
registersymbol(switch)
switch:
dd 0
Start:
mov [onoff], 1
Stop:
mov [onoff],0
loop:
hookit:
cmp [switch], 0
je loop
hookit2:
cmp [switch],1
je Yes
No:
jmp loop
Yes:
01002FF5:
nop
01003830:
nop
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(switch)
dealloc(hookit)
dealloc(hookit2)
unregistersymbol(switch)
01002FF5:
inc [0100579c]
01003830:
inc [0100579c]
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Sat Oct 27, 2007 4:06 am Post subject:
Dude you already asked this, and again your script is wrong. You need to read more tutorials about the auto assembler and pay attention to your other threads.
hacksign23 Master Cheater
Reputation: 0
Joined: 26 Nov 2006 Posts: 404
Posted: Sat Oct 27, 2007 2:53 pm Post subject: ??
Wiccaan wrote:
Your script has issues because of what you are attempting to do, and some of it is just completely wrong.
Firstly:
Will not work. The instruction at 1002FF5 is:
inc [0100579C]
Which is 6 bytes long. You only nopped one. You would need:
Code:
01002FF5:
nop
nop
nop
nop
nop
nop
Next:
Code:
hax:
01003830:
dec [0100579c]
No idea what you were trying to do there.. lol. Not to mention you should really name your symbols something understandable to others when posting for help. Anyway, my assumption from what you were trying to do with this is this:
Main time script:
Code:
[ENABLE]
alloc(TimeFlag,4)
alloc(cave,256)
registersymbol(TimeFlag)
label(back)
// Our Time Cave
cave:
cmp [TimeFlag],1
jne back
inc [0100579C]
jmp back
// Create Cave And Jump For Main Time Inc
1002FF5:
jmp cave
nop
back:
// Disable Initial Time Tick
1003830:
nop
nop
nop
nop
nop
nop
[DISABLE]
// Restore Main Time Tick
1002FF5:
inc [0100579C]
// Restore Initial Time Tick
1003830:
inc [0100579C]
// Remove Our Defines
dealloc(cave)
// Free the flag we allocated (the original had dealloc(TimeCave), a symbol that was never allocated)
dealloc(TimeFlag)
unregistersymbol(TimeFlag)
Add that to your table, then tick it to enable it. Once it's enabled, add a new address manually to the table. Name it Time Flag, and for the address put TimeFlag.
That value should be 0 to start with. Change it to 1 to enable the timer, and 0 to disable it while the script is active.
1. 01002FF5 is 4 bytes.
2. When I nop 01002FF5, it actually worked, but I wanted to use an on/off thing.
3. hax:
01003830:
dec [0100579c]
lol, I was playing around; it was supposed to be
hax:
01003830:
nop
4. I tried your script, but the TimeFlag did not work; it automatically starts when frozen.
Thank you
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Sat Oct 27, 2007 6:42 pm Post subject:
Did you read what I said to do with my script?
I attached the cheat table for it, again, you needed to add TimeFlag to the table as an address then alter its value from 0 / 1 to turn the timer on and off.
Attachment: winmine2.CT (697 Bytes, downloaded 772 times)
hacksign23 Master Cheater
Reputation: 0
Joined: 26 Nov 2006 Posts: 404
Posted: Sat Oct 27, 2007 11:47 pm Post subject: :)
Ahh, now I see it. Sorry about before. Where can I learn caves, and how can I tell what type of bytes they are? Thanks
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Sun Oct 28, 2007 12:54 am Post subject: Re: :)
hacksign23 wrote:
Ahh, now I see it. Sorry about before. Where can I learn caves, and how can I tell what type of bytes they are? Thanks
There's not much to learn about caves. As long as you understand the code that you are altering, and the code you plan for it to do instead, all you need to do is make the jump to the new code to be executed and be sure to jump back to the original code.
Things you need to keep in mind:
A jump to an address is 5 bytes long. When you create a jump, you need to either find a safe spot to create the jump, or make your jump in a spot where you will be able to rewrite the original code in the cave you make.
Let's take the time ticker for example; the address for it is 1002FF5. In the debugger we have:
Code:
1002FF5 - FF 05 9C 57 00 01 - inc [0100579C]
A quick overview shows that this code increases the value in the address of 100579C by 1 (value+1). 100579C is our time storage address where the current time is held. So we want to overwrite this and create the code to do what we want. Firstly we would need to find a safe spot to jump from, meaning we need a safe 5 bytes to overwrite with a jump. Our above code is 6 bytes long, so we are fine. We only need 5, so what's left we need to nop out, so we end up with:
Code:
jmp AddressOfCave
nop
Now, in this case, we are removing that code, so we do not need it in our cave, since we didn't destroy other code just to make our jump. In our script we use alloc, which automatically creates, assigns, and readies an address with the given size for us to write to. Let's say we used alloc and got the address of 00150000 for our cave. (This is just an example.)
So our code would look like this:
Code:
1002FF5 jmp 00150000
1002FFA nop
1002FFB call 10028B5 (Code that comes after the inc code.)
So, now we have our cave. Firstly, we want to make sure the cave jumps back to our code. So in the script we used the back label:
This tells the script to jump back to the next address after the jump and other code we wrote. In this case it jumps back to the call. So in turn our cave would currently look like:
Or in code:
Next you said you wanted to compare a flag to 0 and 1 to turn the timer on and off. So we would want to create another storage cave to hold the flag value, then compare it and do what is needed.
So we alloced the TimerFlag for a 4 byte value; we only needed 1 byte, but hey, it's good to make sure you have enough room just in case. So we compare our current value of the TimerFlag to 1 in our cave, which looks like:
Code:
cave:
cmp [TimeFlag],1
After we have jne back which says, if the value in TimerFlag does not equal 1, what we were comparing it to, jump back to the original code and continue normally. So if the value in TimeFlag was not 1 (meaning it was 0 in this case) it would mean we do not want the timer to tick and to just continue normally so we have:
Code:
cave:
cmp [TimeFlag],1
jne back
After, if the compare was equal, we want it to tick normally like the code was not altered so we add the original code back:
Code:
cave:
cmp [TimeFlag],1
jne back
inc [0100579C]
jmp back
So your cave becomes the above.
cmp [TimeFlag],1
Compare the value of TimeFlag to one.
jne back
If the value is not 1, jump back to the original game code and continue.
inc [0100579C]
jmp back
If we got here, the compare was equal. So tick the timer and then jump back to the original game code like it was never altered.
Hope that clears it up for you.
nog_lorp Grandmaster Cheater
Reputation: 0
Joined: 26 Feb 2006 Posts: 743
Posted: Mon Oct 29, 2007 10:01 pm Post subject:
Wiccaan, watch out: not all jmps are 5 bytes. FAR jmps to a constant address are, but:
Code:
00402BF6 FF25 9C570001 JMP DWORD PTR DS:[100579C] ; 6 bytes
00402BF6 EB 0F JMP SHORT iexplore.00402C07 ; 2 bytes
00402BF6 FF60 03 JMP DWORD PTR DS:[EAX+3] ; 3 bytes
00402BF6 3E:FF2485 03000000 JMP DWORD PTR DS:[EAX*4+3]; 8 bytes!
Gotta watch out; it's always best to look at the code you are replacing, and what you are replacing it with.
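An added example, not code from this thread or from Cheat Engine, covering both atom0s's "5 bytes for the jmp, nop the rest" walkthrough and nog_lorp's point that jmp lengths vary: a small instruction-length decoder for exactly the encodings shown above (E9, EB, 90 and the FF group with ModRM/SIB), plus the jmp rel32 + nop patch arithmetic for the 1002FF5 hook. The cave address 00150000 is the placeholder atom0s used; anything outside those opcodes makes the decoder raise rather than guess.

```python
# Added example (not from the thread or Cheat Engine); x86-32 only.
import struct
SEG_PREFIXES = {0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65}  # e.g. the 3E: in nog_lorp's last line

def insn_len(code: bytes) -> int:
    """Length in bytes of the first x86-32 instruction in code.
    Covers only what the thread shows: E9 rel32, EB rel8, 90 nop and the
    FF /r group (inc/jmp with a memory operand: ModRM, optional SIB, disp).
    Anything else raises rather than returning a guessed length."""
    i = 0
    if code[i] in SEG_PREFIXES:
        i += 1
    op = code[i]
    i += 1
    if op == 0xE9:                       # jmp rel32: 5 bytes
        return i + 4
    if op == 0xEB:                       # jmp rel8: 2 bytes
        return i + 1
    if op == 0x90:                       # nop
        return i
    if op == 0xFF:                       # inc/dec/call/jmp r/m32
        modrm = code[i]
        i += 1
        mod, rm = modrm >> 6, modrm & 7
        if mod == 3:                     # register operand, no displacement
            return i
        if rm == 4:                      # SIB byte follows
            sib = code[i]
            i += 1
            if mod == 0 and (sib & 7) == 5:
                return i + 4             # [index*scale+disp32], no base
        elif mod == 0 and rm == 5:
            return i + 4                 # [disp32], e.g. inc [0100579C]
        return i + {0: 0, 1: 1, 2: 4}[mod]
    raise ValueError(f"opcode {op:#04x} not handled by this decoder")

def jmp_rel32(src: int, dst: int) -> bytes:
    """E9 + signed 32-bit displacement, relative to the end of the jmp."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))

def hook_patch(site: int, original: bytes, cave: int) -> bytes:
    """Bytes to write at site: jmp cave, nop-padded to the end of the whole
    instruction(s) it displaces. Whatever is displaced beyond the 5-byte jmp
    must be re-created in the cave before it jumps back."""
    n = 0
    while n < 5:                         # consume whole instructions
        n += insn_len(original[n:])
    if n > len(original):
        raise ValueError("original bytes end mid-instruction")
    return jmp_rel32(site, cave) + b"\x90" * (n - 5)
```

For the 6-byte inc at 1002FF5 the patch comes out as E9 + displacement + one nop, matching the "jmp AddressOfCave / nop" layout above; for a site made of shorter instructions the loop keeps consuming until the jmp fits, and the displaced instructions then need to be rewritten in the cave.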
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Mon Oct 29, 2007 11:51 pm Post subject:
nog_lorp wrote:
Wiccaan, watch out: not all jmps are 5 bytes. FAR jmps to a constant address are, but:
...
Yea I know, but for this the others weren't important for me to explain.