MantisBT - Cheat Engine
View Issue Details
0000054Cheat Enginepublic2008-07-13 22:522008-07-17 20:07
Assigned To 
PlatformOSOS Version
Summary0000054: CE 5.4.2 - Additional NOPs after conditional jump
DescriptionIt seems that CE inserts additional NOPs (for no apparent reason) into the code.
IMHO, these additional NOPs are not needed - they only consume CPU time.
Additional InformationThis is the code in the auto assemble editor (just a small part of it):

cmp eax, 1
jle done1
mov ebx, ecx

This is the resulting code after injection:
00636E8A - 83 f8 01 - cmp eax,01
00636E8D - 7e 14 - jle 00636ea3
00636E8F - 90 - nop
00636E90 - 90 - nop
00636E91 - 90 - nop
00636E92 - 90 - nop
00636E93 - 8b d9 - mov ebx,ecx

Please email me if you need more info or testing.
Thank you.
TagsNo tags attached.
related to 0000011confirmed  Short/Long jumps in Auto-assembler 
Attached Files

Dark Byte   
2008-07-14 02:34   
at compile time it is unknown how long the script is, so fills in the nops in case it's bigger than 128 bytes
2008-07-15 18:21   
(Last edited: 2008-07-15 18:22)
Hi Dark Byte,
I am not sure what you mean by that.
Could you explain it please?
Thank you.

PS. I am guessing that you are saying that the length of the jump is not known (and therefore, it is not known how many bytes are needed for the jump instruction itself). If this is the case, would it be possible to add a two-level compilation (in first round we compile, the second we assemble and compact the code - or, something like that)? I guess your response might be that it's not worth the effort - but in reality, good large code caves are hard to come by...

Dark Byte   
2008-07-15 19:44   
(Last edited: 2008-07-15 19:53)
It's not that easy
If it's found out that the 3th jump has changed in offset because it did need a larger block of code, then the jumps in front of it have to be recalculated again in case they point after it. And that recalculation can then again cause other offsets to change.
This means that the WHOLE script will then need to get recompiled for each jump it encounters
(imagine how slow it'll get then)

Also, you have alloc, why use codecaves ?

2008-07-15 22:54   
(Last edited: 2008-07-15 22:56)
Well, I guessed that in the first round the compiler would not create the final code - it would just compile instruction blocks (things between jumps) and calculate their lengths, and in the second round, these blocks would be compiled again however this time the jumps would be filled in according to the block sizes. Sort of how a normal compiler assembles the EXE from subroutines.
But, ok, no problem - you're the expert. Probably not even worth the effort.
My original concern is clear I guess, so I am happy to consider this issue closed.

As for the caves - the answer is simple: because I create trainers (and these cannot allocate memory, just patch the memory with the necessary code, and done). Well, at least this is how a newbie like me does it ;-)

Thanks for your patience.

Dark Byte   
2008-07-16 01:31   
the auto assembler is more a single line execution script
It encounters an instruction, and assembles it at that point.
If it can't determine what the instruction points to (e.g the target address hasn't been defined yet) it'll pick the worst case scenario

mov eax,#10000

cmp [ecx+200],1
je labelx
will pick the short jump variant

but I guess I can add in a override for script writes to specifically pick a short jump or long jump (e.g "je short address")

as for writing trainers:
If you program them yourself: Look into VirtualAllocEx
If you use the ce trainer maker: CE 5.4's trainer maker does do alloc correctly
2008-07-17 20:07   
Hi Dark Byte,
thank you for all the replies.
I use TMK 1.51 (Trainer Maker Kit from Corsica Productions). It is a simple patcher, but supports customizing the UI any way I like it (labels, button, a whole suite of controls), sound, hotkeys, everything - it is easy to use (like c++ builder) for dummies like me (who don't know anything about win32 and can't even code their own hotkeys).

The thing I don't like about the CE trainer maker (though I did not try the newest versions) is exactly the opposite of what I wrote above about TMK - but I understand asking you to re-write CE's trainer maker would be too big of a request, so I have decided not to ask it...

Issue History
2008-07-13 22:52CsimbiNew Issue
2008-07-14 02:34Dark ByteNote Added: 0000095
2008-07-14 02:34Dark ByteStatusnew => confirmed
2008-07-14 02:34Dark ByteRelationship addedrelated to 0000011
2008-07-15 18:21CsimbiNote Added: 0000103
2008-07-15 18:22CsimbiNote Edited: 0000103
2008-07-15 19:44Dark ByteNote Added: 0000104
2008-07-15 19:53Dark ByteNote Edited: 0000104
2008-07-15 22:54CsimbiNote Added: 0000105
2008-07-15 22:56CsimbiNote Edited: 0000105
2008-07-16 01:31Dark ByteNote Added: 0000106
2008-07-17 20:07CsimbiNote Added: 0000107