 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
deama1234
Master Cheater
![]() Reputation: 3
Joined: 20 Dec 2014
Posts: 328
|
 Posted: Wed Sep 23, 2015 5:33 pm Post subject: repe movsd? |
 |
|
There's this 4 byte integer value (strength); when I look at what is "writing" to it, I go back into the game and increase the value; it comes up with some weird instruction I haven't seen, "repe movsd"; CE tells me that it "moves data from string to string"? If I try and see what accesses that instruction, nothing comes up.
So how would I modify the address this instruction is accessing?
Here's a screenshot:
| Description: |
|
| Filesize: |
26.22 KB |
| Viewed: |
20788 Time(s) |
|
|
|
| Back to top |
|
 |
Zanzer
I post too much
![]() Reputation: 126
Joined: 09 Jun 2013
Posts: 3278
|
| Posted: Wed Sep 23, 2015 7:41 pm Post subject: |
|
|
Are you sure the value is really 4-bytes? If your stats can't go above 255, try changing the type to 1-byte.
Also, choose what ACCESSES the address instead. Do you see a better instruction?
Have you tried changing the value of address you found?
Does it actually update the game? Change it and try increasing it by 1 again, in-game.
Did it revert back to its original value +1 or increase the value you set it to?
|
|
| Back to top |
|
|
deama1234
Master Cheater
![]() Reputation: 3
Joined: 20 Dec 2014
Posts: 328
|
| Posted: Thu Sep 24, 2015 8:19 am Post subject: |
|
|
| Zanzer wrote: | Are you sure the value is really 4-bytes? If your stats can't go above 255, try changing the type to 1-byte.
Also, choose what ACCESSES the address instead. Do you see a better instruction?
Have you tried changing the value of address you found?
Does it actually update the game? Change it and try increasing it by 1 again, in-game.
Did it revert back to its original value +1 or increase the value you set it to? |
When I change the 4 byte value it does update it in the game and increases all other stats that it's tied to; e.g. strength increases hp a bit as well as damage.
When I change the strength value to 800, it reverts to 20 (which is the max for that character). I can also find the other stats nearby.
I've tried what accesses it, but it comes up with another "repe movsd"; it's a bit different though; I'll link an image to it.
Seems like uploading an image doesn't work now, try this link: http://imgur.com/h5C8XpW
|
|
| Back to top |
|
|
Rydian
Grandmaster Cheater Supreme
 Reputation: 31
Joined: 17 Sep 2012
Posts: 1358
|
| Posted: Thu Sep 24, 2015 10:54 am Post subject: |
|
|
Older Game Maker games, script interpretation thing, I don't know of any specific way to mess with it and nobody else I've seen here does either.
_________________
|
|
| Back to top |
|
|
deama1234
Master Cheater
![]() Reputation: 3
Joined: 20 Dec 2014
Posts: 328
|
| Posted: Thu Sep 24, 2015 11:08 am Post subject: |
|
|
| Rydian wrote: | | Older Game Maker games, script interpretation thing, I don't know of any specific way to mess with it and nobody else I've seen here does either. |
Damn; I just wanted to increase the max...
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
 Reputation: 140
Joined: 06 Jul 2014
Posts: 4290
|
| Posted: Thu Sep 24, 2015 3:35 pm Post subject: |
|
|
I don't know why CE is translating that as "repe movsd", I think "rep movsd" is a better mnemonic (and ODA translates it as that), but I'll explain both.
"movsd" as a standalone instruction moves the doubleword at the address in ESI to the address in EDI. After it does this, it increments both ESI and EDI by the size of the data you moved (4 in the case of a dword).
More info on movsd
"rep" and "repe" are very similar. They aren't instructions, but act like prefixes to a certain instruction. They repeat this instruction using ECX as a counter. ECX is decremented by 1 after each iteration, and if ECX is ever 0, it stops and goes on to the next instruction.
More info on rep/repe
The main difference is that "repe" will also exit if the zero flag isn't set. Since neither "movsd" nor "rep/repe" modify any flags, I don't think "repe" is a correct interpretation of those specific opcodes. If it was trying to check if the ZF is set initially, I think JNZ/JNE would've been preferred prior to all the setup for the "rep movsd" instruction.
(from this point on, "strength" refers to the address your strength value is stored at, not the value itself)
Anyways, in order to get what address is being read from and put into strength (or vise versa for instructions reading from strength), you have to look at ESI if the instruction is writing to strength or EDI if the instruction is reading form strength. You can tell whether that instruction is writing to / reading from strength by setting a breakpoint and looking at ECX, ESI, and EDI, which you'd need to do anyway for finding ESI/EDI.
TLDR: In all honesty, though, I wouldn't recommend trying to increase the max this way. It's not worth the effort IMO.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
deama1234
Master Cheater
![]() Reputation: 3
Joined: 20 Dec 2014
Posts: 328
|
| Posted: Thu Sep 24, 2015 4:12 pm Post subject: |
|
|
| ParkourPenguin wrote: | I don't know why CE is translating that as "repe movsd", I think "rep movsd" is a better mnemonic (and ODA translates it as that), but I'll explain both.
"movsd" as a standalone instruction moves the doubleword at the address in ESI to the address in EDI. After it does this, it increments both ESI and EDI by the size of the data you moved (4 in the case of a dword).
More info on movsd
"rep" and "repe" are very similar. They aren't instructions, but act like prefixes to a certain instruction. They repeat this instruction using ECX as a counter. ECX is decremented by 1 after each iteration, and if ECX is ever 0, it stops and goes on to the next instruction.
More info on rep/repe
The main difference is that "repe" will also exit if the zero flag isn't set. Since neither "movsd" nor "rep/repe" modify any flags, I don't think "repe" is a correct interpretation of those specific opcodes. If it was trying to check if the ZF is set initially, I think JNZ/JNE would've been preferred prior to all the setup for the "rep movsd" instruction.
(from this point on, "strength" refers to the address your strength value is stored at, not the value itself)
Anyways, in order to get what address is being read from and put into strength (or vise versa for instructions reading from strength), you have to look at ESI if the instruction is writing to strength or EDI if the instruction is reading form strength. You can tell whether that instruction is writing to / reading from strength by setting a breakpoint and looking at ECX, ESI, and EDI, which you'd need to do anyway for finding ESI/EDI.
TLDR: In all honesty, though, I wouldn't recommend trying to increase the max this way. It's not worth the effort IMO. |
Ah; makes more sense now. I read through a instruction set reference guide and it said something about EDI and ESI being important, so I had a look. [ESI] has the attribute points in it, whereas [EDI] seems to have "(atribute points) + 1" when I spend a point; so [EDI] seems to be a "lag" of some sort.
The "repe movsd" instruction seems to be responsible for a lot of things  ; if I mess with it too much, all my stats go up to max. I tried forcing it to go over the max by adding in "add [esi],20" but that just sets the strength to the max (20) and that's it, can't get it higher.
There are difference races that have their maximum potential value increased (ogres have a max of 24 on str); so maybe there's some other value that governs the actual max? Well, if it exists, I can't find it nearby the attributes (I looked through the structure).
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 140
Joined: 06 Jul 2014
Posts: 4290
|
| Posted: Thu Sep 24, 2015 5:05 pm Post subject: |
 |
|
| deama1234 wrote: | | Ah; makes more sense now. I read through a instruction set reference guide and it said something about EDI and ESI being important, so I had a look. [ESI] has the attribute points in it, whereas [EDI] seems to have "(atribute points) + 1" when I spend a point; so [EDI] seems to be a "lag" of some sort. |
It's not really a "lag", it's just how the game subtracts from your attribute points when you use them.
I'd guess the game sends the value to some routine that is called whenever you "use" a point. This routine subtracts 1 from that value, then it goes to store it back in the address where it got the value from. [ESI] is the new value, while [EDI] is the old value that's being updated.
| deama1234 wrote: | | The "repe movsd" instruction seems to be responsible for a lot of things ; if I mess with it too much, all my stats go up to max. I tried forcing it to go over the max by adding in "add [esi],20" but that just sets the strength to the max (20) and that's it, can't get it higher. |
That probably means some other instruction is writing to it overriding the change that you made. Try keeping the "Find out what writes to this address..." window open and put in a value above 20. If an instruction pops up that hasn't popped up before, then that's what's responsible for making sure it doesn't go past the max (it would be lucky if this were the case).
You can NOP that instruction to get past the max. Make sure to do any applicable clean up around that instruction (i.e. set ECX to 0 if needed, increase ESI and EDI if needed).
| deama1234 wrote: | | There are difference races that have their maximum potential value increased (ogres have a max of 24 on str); so maybe there's some other value that governs the actual max? Well, if it exists, I can't find it nearby the attributes (I looked through the structure). |
The max values for each race are probably stored in memory somewhere else. The game uses these max values and compares them to the current values, and if the values are greater, it sets the values to what the max is. If you can find that routine, you can get past the max.
But yeah, you'd be really lucky if the max was the next dword after the value itself.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
deama1234
Master Cheater
![]() Reputation: 3
Joined: 20 Dec 2014
Posts: 328
|
| Posted: Thu Sep 24, 2015 6:35 pm Post subject: |
|
|
| ParkourPenguin wrote: |
That probably means some other instruction is writing to it overriding the change that you made. Try keeping the "Find out what writes to this address..." window open and put in a value above 20. If an instruction pops up that hasn't popped up before, then that's what's responsible for making sure it doesn't go past the max (it would be lucky if this were the case).
You can NOP that instruction to get past the max. Make sure to do any applicable clean up around that instruction (i.e. set ECX to 0 if needed, increase ESI and EDI if needed). |
Nope, there's just those two "repe movsd" instructions, that's it.
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 140
Joined: 06 Jul 2014
Posts: 4290
|
| Posted: Thu Sep 24, 2015 7:48 pm Post subject: |
|
|
In that case, the address you found is used strictly as a means of storage, such that no useful routine directly touches that address. If a useful routine (i.e. the one that checks if it's greater than the max value) needs to read this address, it will call this subroutine that gets the value and gives it to the routine that wants it. This is more inefficient than just getting it directly, but it also makes tracking down a specific routine (i.e. the max value checker) much harder.
I don't think it's feasible to get past the max value using what instructions access that address. You'd probably have a better time searching for the max values and ruling out the hundreds of thousands of matches you'd get by hand.
There is one more thing that you might be able to try: you said that "I can also find the other stats nearby". If the stats' values are all next to each other, then the max values for these stats might also be next to each other in the same pattern, even if they aren't near the stats themselves. Turn all the max values into an AoB (in the same order that the stats are in), scan for that, and if you're lucky, you might find where the max values are stored.
Beyond that, I can't think of any easy way of getting past it.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
deama1234
Master Cheater
![]() Reputation: 3
Joined: 20 Dec 2014
Posts: 328
|
| Posted: Fri Sep 25, 2015 6:58 am Post subject: |
|
|
| ParkourPenguin wrote: |
There is one more thing that you might be able to try: you said that "I can also find the other stats nearby". If the stats' values are all next to each other, then the max values for these stats might also be next to each other in the same pattern, even if they aren't near the stats themselves. Turn all the max values into an AoB (in the same order that the stats are in), scan for that, and if you're lucky, you might find where the max values are stored.
|
BINGO! Found it! And it's a nice static AoB too! Thanks!
|
|
| Back to top |
|
|
Rydian
Grandmaster Cheater Supreme
Reputation: 31
Joined: 17 Sep 2012
Posts: 1358
|
| Posted: Fri Sep 25, 2015 7:17 am Post subject: |
|
|
You can see if you can try to find a structure for the global variables too, if you know what they are.
_________________
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
