Cheat Engine Forum: The Official Site of Cheat Engine

help with reading/replacing strings in auto assembler

beagle
Cheater
Reputation: 0

Joined: 27 Aug 2014
Posts: 36

Posted: Wed Aug 27, 2014 9:07 pm    Post subject: help with reading/replacing strings in auto assembler

Hello,

I am new to assembly, and I am trying out more advanced (for me) things in auto assembler.

What I am trying to do is compare two strings, but the problem is one string is stored as "a b c 1 2 3" and the other is stored as "abc123", and I need them to be considered equal. The spaces between the letters in the first string are 0x00, not 0x20.

Ideally, if the one string did not have spaces between it, the code would look roughly like this:

string2:
abc123 //written as db 61 62 63 etc with no 00 in between.

newmem:
push ecx
mov ecx, [address 1] //this is the address that contains "a b c 1 2 3" on certain conditions. ideally it would be abc123 though.
cmp [string2],ecx
pop ecx
je newmem2

I can get this kind of code to work fine as long as both strings are of the same format, but if one has spaces (00) like that, it won't recognize it.

I was trying to use "byte ptr" to have it compare every other byte of the spaced string against every byte of the unspaced string, but I can't get that to work. Everything I try with byte ptr says it can't be executed. I can't really find much information on how to properly use it either.

In pseudocode, I was trying to do:
address 1 = a b c 1 2 3
address 2 = abc123

1:
load the first byte of address 1 (a)
compare the first byte of address 1 with the first byte of address 2 (a)
if they are equal, jump to 2

2:
load the third byte of address 1 (b)
compare the third byte of address 1 with the second byte of address 2 (b)
if they are equal, jump to 3

and so on, until I felt it would be unlikely that I would get a false positive.

I am still very new at assembly in general, and I don't have an especially good understanding of how to properly use all of the registers yet, so I am guessing that is where my errors are coming from.

Any help on this would be greatly appreciated.

Thanks
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5636

Posted: Wed Aug 27, 2014 9:21 pm

Just compare the address with both strings. First you compare it with string1 and if it's not equal, compare it with string2.
_________________
My trainers can be found here: http://www.szemelyesintegracio.hu/cheats

If you are interested in any of my crappy articles/tutorials about CE and game hacking, you can find them here:
http://www.szemelyesintegracio.hu/cheats/41-game-hacking-articles

Don't request cheats or updates.
beagle
Cheater
Reputation: 0

Joined: 27 Aug 2014
Posts: 36

Posted: Wed Aug 27, 2014 9:41 pm

Sorry, I'm not sure if I understand what you mean. I think I didn't explain it properly.

I can find a static address that always contains the string (with a value I won't know). There is an address that is loaded into eax with this same string, but the string has 00 separating each letter.

At different times, eax will contain different strings, so I want this event to happen only when this specific string address is in eax.

So what I am trying to do is compare the value of the static address with the value of the address that is loaded into eax at a particular time. The problem is that while these two values are always the same, one has its letters separated by 00 and the other doesn't.

So, in an example:
static address: "bob"
eax address: "b o b"

Next time it could be
static address: "dog"
eax address: "d o g"

and I want to intercept the "d o g" address and change its value to something else, like "cat".

The value of the address doesn't really matter; all that is important is that I can use the static address to intercept and change that second address's value to something else.

Sorry if that doesn't make any sense, I don't really know how to explain it well with code or anything.
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5636

Posted: Wed Aug 27, 2014 10:24 pm

I didn't know that the string you want to use is not always the same.
You can use byte ptr like this for example:

cmp byte ptr [eax],1

or like this

mov byte ptr [eax],1

However if you want to use registers, you should probably use 8-bit registers.

http://www.sandpile.org/x86/gpr.htm

E.g. you could use cl instead of ecx, like this

cmp byte ptr [eax],cl

This instruction can be compiled, because you compare 1 byte with 1 byte.

cmp byte ptr [eax],ecx cannot be compiled, because ecx is 4 bytes (32-bit).

E.g. if you want to compare every second byte of an address, and let's say eax is the address, the list of compares will look like this:

cmp byte ptr [eax],cl
cmp byte ptr [eax+02],cl
cmp byte ptr [eax+04],cl
cmp byte ptr [eax+06],cl
cmp byte ptr [eax+08],cl

etc.

You can move bytes the same way, just make sure that you are using an 8-bit register like cl. E.g. you can use

mov byte ptr cl,[source]
mov byte ptr [store],cl

You can just copy every second byte to an address and your 0x00 or 0x20 or whatever characters between the letters will be removed and then you can just compare the 2 strings without the unnecessary characters.

beagle
Cheater
Reputation: 0

Joined: 27 Aug 2014
Posts: 36

Posted: Wed Aug 27, 2014 10:44 pm

That's great, thanks a lot for the information, I think this will be exactly what I need. Just one thing though: I'm not sure exactly how "cmp" works, or at least probably not enough to use it effectively here.

The unknown string value could be as long as 16 characters, e.g. "cheat engine1234", and then eax would hold the value as "c h e a t _ e n g i n e 1 2 3 4". When I am comparing eax with the string address, what is it exactly comparing? If I look at it with a hex editor, I believe only "c h e a " or "cheat en" will be specifically in the address, and the rest will spill into the addresses after it. Does cmp somehow take that entire string into account, or just 32 bits' worth of letters?

I ask because I don't know how long the string will be; it could be 1 letter or 16 letters, and if it is, say, only 1 letter's worth, and I have a bunch of code set to remove spaces accounting for 16 letters' worth, will I have any issues?

Thanks again, sorry if this is really basic/obvious.

edit:
Oh ok, I think I get it now, thanks again. Also I am giving your tutorials a read, they are exactly what I've been looking for. I haven't really been able to find any ASM tutorials besides basic descriptions of what each opcode does, so these are very helpful.
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5636

Posted: Thu Aug 28, 2014 4:26 am

8-bit registers can hold only 1 byte. 16-bit registers 2 bytes and 32-bit 4 bytes. So with a 32-bit register, you can compare 4 letters with one cmp.

If the length of the string is changing, maybe the unused characters are just filled out with 00.

Probably it's better if you stick to your original idea and compare the bytes one by one, jumping over the invalid characters. Then you will have a big script with lots of compares, but at least you figured out the concept in your head and you can change the script later to replace the big script with a cycle if you want.

beagle
Cheater
Reputation: 0

Joined: 27 Aug 2014
Posts: 36

Posted: Thu Aug 28, 2014 5:20 pm

Yep, I ended up loading the static address into cl, and then doing this:
mov cl,[static address]
cmp byte ptr [eax+2], cl
jne return
mov cl,[static address+1]
cmp byte ptr [eax+4], cl
jne return
. . .
mov cl,[static address+f]
cmp byte ptr [eax+20], cl
jne return
jmp newmem3

So I ended up with about 16 of them to cover the max and min possible characters for the value I wanted to find. It worked perfectly, so thanks again :).

I tried doing it the other way at first though, where I would use mov byte to condense the elongated string to match my static address. The mov byte at least worked, but then I saw that when the debugger got to the "cmp" line where I was trying to compare the condensed eax with the static address, it would crash.

Here is what I tried:
mov ebx,[cl]
cmp [eax],ebx
(can't be executed in auto assembler)

(here the static address is still in cl)
mov ebx,[ecx]
cmp [eax],ebx
(crash)

mov ebx,[static address]
cmp [eax],ebx
(crash)

I'm sure I was making an easy mistake somewhere, but once I switched from mov byte to cmp byte, it all seemed to work ok.

edit:
Oh, I forgot, the string in eax actually "started" at eax+2; before that it has 00 00. I think during those mov bytes, I was trying to get it to compare condensed eax+2 with the static string. So I also tried:

mov ecx,[static address]
mov ebx,[eax+2]
cmp [ecx],ebx
(crash)

That's about when I gave up and switched over to cmp byte. With your explanation of how cmp works, I can see that the above cmps with eax not being eax+2 wouldn't have returned equal, but I don't get why it actually crashed the whole process the second it got to the cmp line. I was thinking maybe I shouldn't have been using ebx, but I changed my code to incorporate pushad/pushfd/popfd/popad like in your tutorial, which also gave no problems when I switched to cmp byte.
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5636

Posted: Thu Aug 28, 2014 5:39 pm

mov ebx,[cl]

You can't store the address in an 8-bit register. It's kind of blurry to me what you were trying to do there. The idea would have been to store a character from [eax] in cl and then copy it to another address without the extra characters. Like

mov byte ptr cl,[eax]
mov byte ptr [new_string],cl
mov byte ptr cl,[eax+2]
mov byte ptr [new_string+1],cl
mov byte ptr cl,[eax+4]
mov byte ptr [new_string+2],cl

etc. Then on the new_string address, you would have got the string without spaces and then you can compare it.

EDIT: Or according to the edit in your post, you would have started with eax+2, then eax+4 and so on.

beagle
Cheater
Reputation: 0

Joined: 27 Aug 2014
Posts: 36

Posted: Thu Aug 28, 2014 6:02 pm

I recreated the mov byte code that I wrote over with the cmp byte code last night. The mov byte is just like how you posted, but once I get to the cmp line it still crashes:
mov cl,[static address]
mov byte ptr [eax+2], cl
. . .
mov cl,[static address+f]
mov byte ptr [eax+11], cl

mov ecx,[static address]
mov ebx,[eax+2]
cmp [ecx],ebx <-- crash


edit:
Ohh ok, I see I messed up, it should be cmp ecx,ebx.
I was reading the registers at the point where it crashed and saw that ecx and ebx had the same address, and I for some reason took that to mean it was right. I just learned how to compare the values of two register addresses, so I think I was using it too much without thinking about what it was really doing.

Ah, and I think the reason why eax is spaced out is so the system can incorporate other languages, such as Chinese text.
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5636

Posted: Thu Aug 28, 2014 6:42 pm

The cmp was crashing because a register that contained a string was used as an address, which caused an access violation and an instant crash.

beagle wrote:

Ah, and I think the reason why eax is spaced out is so the system can incorporate other languages, such as Chinese text.


It's unicode.

beagle
Cheater
Reputation: 0

Joined: 27 Aug 2014
Posts: 36

Posted: Thu Aug 28, 2014 7:45 pm

I just realized there is an extra step I need to do, since the string length can vary.

Right now, I have it so that it will do this 16 times, since 16 is the max possible length of the string value that I am looking for:
mov cl,[static address]
cmp byte ptr [eax+2], cl
jne return
. . .
mov cl,[static address+f]
cmp byte ptr [eax+1e], cl
jne return
jmp changemem

This works fine if the string is 16 characters, but if the string is less than that, once mov cl,[static address+x] goes beyond the string length, the cmp will fail.

I found that in my static address for the string variable, the end of the string is always followed by 00, so I think what I would need to do is something like this, before trying to compare the static address string to eax:

assuming the static address string was "12345"
cmp byte ptr [static address+4],00 // read the terminator check straight from the static string: cl holds a character, not an address, so [cl+4] would fault
je 4chars
cmp byte ptr [static address+5],00
je 5chars <--------------------------
cmp byte ptr [static address+6],00
je 6chars
. . .

and then

5chars:
mov cl,[static address]
cmp byte ptr [eax+2], cl
jne return
. . .
mov cl,[static address+4]
cmp byte ptr [eax+a], cl
jne return
jmp changemem


The thing is, though, this will get pretty bulky when doing it for all 16 characters. Is there a better way to do this?


Geri wrote:
It's unicode.


Oh, I meant for the game itself. In eax, if you change the address value from 31 00 to 31 62, it will produce a Chinese character in game, rather than a 1. I'm not sure if that is just an unintended consequence of changing 00s though. I can't produce any Chinese text myself to test it.
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5636

Posted: Thu Aug 28, 2014 8:19 pm

Sure, there are ways to make a more compact script, but with your current knowledge, it's better if you stick to the easier solution. It's not a problem if your script is big. Executing it doesn't take much time or resources, so you shouldn't see any performance drop. When you are more familiar with asm, you will have time to improve the coding. For now, just check that the value you are comparing is not 00, and if it is, then you have finished comparing and you can execute the code to replace the string or whatever you want to do with it.

You have to keep in mind that if you try to replace a string with a bigger string, you will run into problems, because there will not be enough space.

Quote:
Oh, I meant for the game itself. In eax, if you change the address value from 31 00 to 31 62, it will produce a Chinese character in game, rather than a 1. I'm not sure if that is just an unintended consequence of changing 00s though. I can't produce any Chinese text myself to test it.


Yes, the string is unicode. If you look it up in google, you will understand it.

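Geri's advice in the two posts above, comparing only every second byte of the wide string, stopping at the first 00 instead of always doing 16 compares, and refusing to write a replacement that is bigger than the space available, is shown below as an added C example. This is not code from the thread or from Cheat Engine; the sample bytes, buffer sizes and function names (narrow_equals_utf16le, condense_utf16le, replace_utf16le_in_place, the demo_ helpers) are constructed for illustration. It does what the cmp byte ptr [eax+2*i], cl chain does, but also checks the high byte of each code unit, so a value like 31 62 never matches "1", and it never reads or writes past the buffer it was given.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Longest string value the thread deals with: 16 characters (plus terminator). */
#define MAX_CHARS 16

/* Compare a NUL-terminated narrow string (one byte per character, the "static
 * address" in the thread) against a UTF-16LE buffer of wide_bytes bytes (what
 * eax points at). Like the thread's cmp byte ptr [eax+2*i], cl chain, only the
 * low byte of each code unit is matched against the narrow character, but the
 * high byte must also be 00 so a non-ASCII code unit such as 31 62 never
 * matches "1", and the loop stops at the narrow string's NUL instead of
 * running a fixed 16 compares. */
bool narrow_equals_utf16le(const char *narrow, const uint8_t *wide, size_t wide_bytes)
{
    for (size_t i = 0; i <= MAX_CHARS; i++) {
        size_t off = 2 * i;
        if (off + 1 >= wide_bytes)          /* never read past the buffer */
            return false;
        uint8_t lo = wide[off], hi = wide[off + 1];
        uint8_t c = (uint8_t)narrow[i];
        if (c == 0)                         /* narrow ended: wide must end (00 00) here too */
            return lo == 0 && hi == 0;
        if (hi != 0 || lo != c)
            return false;
    }
    return false;                           /* longer than MAX_CHARS: treat as no match */
}

/* The "condense" approach from the thread (mov byte ptr cl,[eax+2*i] /
 * mov byte ptr [new_string+i],cl): copy the low byte of each code unit into
 * out, stopping at the 00 00 terminator. Returns the number of characters
 * written, or -1 if a high byte was non-zero or out (out_size bytes) is too
 * small to hold the result and its NUL. */
int condense_utf16le(const uint8_t *wide, size_t wide_bytes, char *out, size_t out_size)
{
    size_t n = 0;
    for (;;) {
        size_t off = 2 * n;
        if (off + 1 >= wide_bytes || n + 1 >= out_size) return -1;
        if (wide[off] == 0 && wide[off + 1] == 0) break;
        if (wide[off + 1] != 0) return -1;
        out[n++] = (char)wide[off];
    }
    out[n] = '\0';
    return (int)n;
}

/* Overwrite the wide string in place with new_narrow widened to UTF-16LE.
 * Refuses (returns false, buffer untouched) when the replacement plus its
 * 00 00 terminator would not fit in wide_bytes: writing a bigger string than
 * the space available is exactly the "not enough space" problem Geri warns about. */
bool replace_utf16le_in_place(uint8_t *wide, size_t wide_bytes, const char *new_narrow)
{
    size_t n = strlen(new_narrow);
    if (2 * (n + 1) > wide_bytes)
        return false;
    for (size_t i = 0; i < n; i++) {
        wide[2 * i] = (uint8_t)new_narrow[i];
        wide[2 * i + 1] = 0;
    }
    wide[2 * n] = wide[2 * n + 1] = 0;
    return true;
}

/* Constructed sample standing in for the bytes at [eax+2]: "dog" in UTF-16LE
 * followed by its 00 00 terminator (8 bytes in total). */
static const uint8_t sample_wide[8] = { 'd', 0, 'o', 0, 'g', 0, 0, 0 };

/* Condense the sample and check the result against expected (demo helper). */
bool demo_condense_is(const char *expected)
{
    char out[MAX_CHARS + 1];
    return condense_utf16le(sample_wide, sizeof sample_wide, out, sizeof out) >= 0
        && strcmp(out, expected) == 0;
}

/* Run the replace on a private copy of the sample and report the outcome:
 * 1 = replaced and the buffer now compares equal to new_narrow,
 * 0 = refused because it would not fit, -1 = unexpected result. */
int demo_replace(const char *new_narrow)
{
    uint8_t buf[sizeof sample_wide];
    memcpy(buf, sample_wide, sizeof buf);
    if (!replace_utf16le_in_place(buf, sizeof buf, new_narrow))
        return 0;
    return narrow_equals_utf16le(new_narrow, buf, sizeof buf) ? 1 : -1;
}

int main(void)
{
    printf("\"dog\" matches sample: %d\n", narrow_equals_utf16le("dog", sample_wide, sizeof sample_wide));
    printf("\"do\" matches sample:  %d\n", narrow_equals_utf16le("do", sample_wide, sizeof sample_wide));
    printf("condensed is \"dog\":   %d\n", demo_condense_is("dog"));
    printf("replace with \"cat\":  %d\n", demo_replace("cat"));
    printf("replace with \"cats\": %d\n", demo_replace("cats"));
    return 0;
}
```

The replace of "cats" is refused because four characters plus the terminator need 10 bytes and the sample buffer only has 8; in the auto assembler script there is no such check, so a mov byte past the end of the string silently overwrites whatever the game keeps after it.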
beagle
Cheater
Reputation: 0

Joined: 27 Aug 2014
Posts: 36

Posted: Thu Aug 28, 2014 8:30 pm

Ok, I'll leave it as is for now and move on to learning new things.

Thanks again for everything, I know how skilled you are, so I appreciate that you took the time to help me on such basic stuff.
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5636

Posted: Thu Aug 28, 2014 8:49 pm

I wouldn't say that this is so basic. I would definitely not recommend this task for a beginner for practice.