 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
Zhoul
Master Cheater
![]() Reputation: 1
Joined: 19 Sep 2005
Posts: 394
|
 Posted: Mon Dec 05, 2005 2:34 pm Post subject: Turtle Asks - "How-To on pointer" |
 |
|
| Turtle wrote: | How do you deal with pointer code that looks like:
fstp dword ptr [esi+1A3]
Is that even pointer code? |
By-the-by. What game? What version? Cracked or not?
First and foremost: You do not want to "Replace with code that does nothing".
Second: You probably don't need to find a pointer. There is probably an FSUB or FADD or FMUL line just above that one that you can 'add to the code list' then 'Replace with code that does nothing'.
Next: In this situation, you want to find out how ESI became ESI, if you wanted to find a pointer, but there is an easier way, im sure.
I'm going to paste in part of a tutorial I wrote, on how to find a pointer path for a register, then add it to CE.
What you need to do, is imagine that *this* line, is the line you found...
0056d627 - mov [ecx+0c],eax <--- This was the original 'writes to' code.
| Moi wrote: | - Got address of current money.
- Find out "What Writes to this value" (You could even find out what accesses this value. It doesn't matter which way you go. But for this example, do writes...)
- Buy up a new car color, then click on one of the codes that accessed the value.
- Open Disassembler at this location, scroll up a bit, we see...
[a whole bunch of int 3's here, which is 'nothing' code]
0056d610 - mov eax,[ecx+0c]
0056d613 - mov edx,[esp+04]
0056d617 - cmp edx,eax
0056d619 - jna 0056d625
0056d61b - mov [ecx+0c],00000000
0056d622 - ret 0004
0056d625 - sub eax,edx
0056d627 - mov [ecx+0c],eax <--- This was the original 'writes to' code.
0056d62a - ret 0004
[more int 3's, which is 'nothing' code]
- Again, we still don't see where ECX was 'created'.
- Select mov [ecx+0c],eax
- Click "Debug" then "Toggle Break Point" (also F5)
- Buy something, at which point the game will seem to lock up. It's CE freezing the game, at the line you chose your break point on.
- Click "Debug" then "step" (or F7). You'll notice it goes to the ret line below the mov line.
- Hit F7 again to return to where this chunk was called from.
- It will jump to this line...
007BAB6D - jmp 007babad
- Obviously, it wasn't this that called our previous code chunk, but the line above it.
- If we scroll up a bit, we see this...
007bab59 - mov eax,[0091bf50] <--- get master pointer, put it in EAX
007bab5e - mov ecx,[eax+10] <--- Get DMA pointer, using EAX+10
007bab61 - push esi
007bab62 - add ecx,000000a8 <--- Add a8 to ECX
007bab68 - call 0056d610 <-- the line that called our original code chunk
007BAB6D - jmp 007babad
Bam, Right here, we have the entire path.
[0091BF50] + 10 = ECX
ECX + (a8+0c) = Money Address
Then, we just add that pointer path to CE's list and we're done.
-------------------------------------------------- |
|
|
| Back to top |
|
 |
Turtle
Advanced Cheater
![]() Reputation: 7
Joined: 25 Jul 2004
Posts: 85
|
| Posted: Tue Dec 06, 2005 7:24 am Post subject: Re: Turtle Asks - "How-To on pointer" |
|
|
| Why would I imagine that line? My question was about "fstp dword ptr [esi+1A3]"
|
|
| Back to top |
|
|
Dark Byte
Site Admin
 Reputation: 458
Joined: 09 May 2003
Posts: 25296
Location: The netherlands
|
| Posted: Tue Dec 06, 2005 8:17 am Post subject: |
|
|
fstp dword ptr [esi+1A3]
look at the [xxxxxxxx] part, in this case [esi+1a3]
esi will probably hold the value the pointer has, and 1a3 is the offset
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
Turtle
Advanced Cheater
![]() Reputation: 7
Joined: 25 Jul 2004
Posts: 85
|
| Posted: Tue Dec 06, 2005 11:43 am Post subject: |
|
|
| Dark Byte wrote: | fstp dword ptr [esi+1A3]
look at the [xxxxxxxx] part, in this case [esi+1a3]
esi will probably hold the value the pointer has, and 1a3 is the offset |
I know.
But why is "fstp dword ptr" used? Is it because there is a float value?
Are "float" and "real" the same thing?
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 458
Joined: 09 May 2003
Posts: 25296
Location: The netherlands
|
| Posted: Tue Dec 06, 2005 11:51 am Post subject: |
|
|
fstp dword ptr [esi+1a3], stores the floating point value value in st(0) to the 4 byte (dword size) at esi+1a3
that means that at esi+1a3 is a 4 byte floating point value (float in ce)
http://podgoretsky.com/ftp/Docs/Hardware/Processors/Intel/24547111.pdf (page 321)
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
Zhoul
Master Cheater
![]() Reputation: 1
Joined: 19 Sep 2005
Posts: 394
|
| Posted: Tue Dec 06, 2005 6:27 pm Post subject: Re: Turtle Asks - "How-To on pointer" |
|
|
| Turtle wrote: | | Why would I imagine that line? My question was about "fstp dword ptr [esi+1A3]" |
Because...
| Turtle wrote: | How do you deal with pointer code that looks like:
fstp dword ptr [esi+1A3]
Is that even pointer code? |
The word 'pointer' was used so much, I thought you were more asking how to find a pointer to the value, and not about floating point numbers, which are indeed two entirely different things 
Also, Im pretty sure the P in FSTP stands for "Pop", as it will then auto-pop the regisers in the stack it used. Someone, please correct me if i'm wrong here.
There are other FS commands, like FS, or FST, which wouldnt auto-pop.
| Turtle wrote: | | Are "float" and "real" the same thing? |
( from http://www.mathwords.com/n/nonreal_numbers.htm )
===============================================
Nonreal Numbers
The complex numbers that are not real. That is, the complex numbers with a nontrivial imaginary part.
For example, 3 + 2i is nonreal, 2i is nonreal, but 3 is real.
===============================================
Also, floating point numbers, at least in 4 byte forms, are sometimes, not "exact" (which i suppose would be different from real/non-real).
Often times, you'll go to type in a very specific decimal number like.
1.32132132132132 - Will be converted to 1.32132136821747 , because 4 bytes of data wouldn't be enough to describe every possible 'situation' of longer decimal numbers.
All whole numbers are exact however (from my experience).
I think though, when you 'store real' - it will store a float that doesnt contain the E notation. Once again, I'm open to corrections.
|
|
| Back to top |
|
|
me
Grandmaster Cheater
 Reputation: 2
Joined: 24 Jun 2004
Posts: 733
Location: location location
|
| Posted: Tue Dec 06, 2005 8:24 pm Post subject: |
|
|
well no need to get too involved with pythagoras theorem and imaginary numbers 
just use the same sort of methods to trace back to the floating point adresses as you would the 4 byte addresses, the same rules apply for --> the value held in the registers + the offset --> pointing to the address you need,,,,,,,,,,
advanced maths can be risky you can lose count of your bedspreads
_________________
|
|
| Back to top |
|
|
Zhoul
Master Cheater
![]() Reputation: 1
Joined: 19 Sep 2005
Posts: 394
|
| Posted: Thu Dec 08, 2005 11:55 pm Post subject: |
|
|
| me wrote: | advanced maths can be risky you can lose count of your bedspreads
|
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
