Cheat Engine The Official Site of Cheat Engine
Rudo Advanced Cheater Reputation: 2
Joined: 27 Jun 2015 Posts: 80
Posted: Wed Apr 19, 2017 8:57 am Post subject: Question: Dissecting code using other debugger |
So I was trying to update a few cheats from justa_dude's old Terraria CT. I used WinDBG to dissect the game and got everything I needed to update the cheat. But here is one thing I don't really understand:
So here is what the instructions look like in CE's Memory View:
Code:
2DB358CE: 8B 40 28          - mov eax,[eax+28]
2DB358D1: FF 50 1C          - call dword ptr [eax+1C]
2DB358D4: 3B 45 9C          - cmp eax,[ebp-64]
2DB358D7: 0F 8D B0 01 00 00 - jnl 2DB35A8D
2DB358DD: 8B 45 A4          - mov eax,[ebp-5C]
2DB358E0: 0B 45 A0          - or eax,[ebp-60]
2DB358E3: 74 0A             - je 2DB358EF
But when I dissect the function using WinDBG, it looks something like this:
Code:
41fa555b 8b4028          mov eax,dword ptr [eax+28h]
41fa555e ff501c          call dword ptr [eax+1Ch]
41fa5561 3b459c          cmp eax,dword ptr [ebp-64h]
41fa5564 0f8d5e010000    jge 41fa56c8
41fa556a 8b45a4          mov eax,dword ptr [ebp-5Ch]
41fa556d 0b45a0          or eax,dword ptr [ebp-60h]
41fa5570 740c            je 41fa557e
(they changed the jump jnl to jge, but I don't think it matters)
So my questions:
1) Why are the 2 instructions different?
Code: 2DB358CE: 8B 40 28 - mov eax,[eax+28]
compared to
Code: 41fa555b 8b4028 mov eax,dword ptr [eax+28h]
I thought they would be the same... both instructions would be mov eax,[eax+28] or
mov eax,dword ptr [eax+28h].
2) What does the "h" stand for? (e.g. [eax+28h]) And why doesn't it appear in CE?
English is not my mother tongue so I am very sorry if I cause any confusion.
Edit: h stands for hex. Silly me.
Last edited by Rudo on Wed Apr 19, 2017 9:15 am; edited 2 times in total
rog9001 Expert Cheater Reputation: 2
Joined: 22 Dec 2015 Posts: 214 Location: Jupiter
Posted: Wed Apr 19, 2017 9:06 am Post subject: |
1. They are the same thing; it's just that in the second one
Code: mov eax,dword ptr [eax+28h]
it's saying that it's moving into eax (dword ptr) an unsigned 32-bit unit of data (in other words a value which is in the range 0 - 4,294,967,295).
2. "h" stands for "hex"; it's just saying that the offset is in hex, nothing else.
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Wed Apr 19, 2017 9:11 am Post subject: |
Well, it's obviously just a matter of showing the same thing differently, since you're looking at the same thing, just with different tools.
1. CE separates each byte to make it easier to read while WinDBG doesn't; it's still the same 3 bytes in the same order making up the same instruction.
CE also doesn't bother showing the implied "dword ptr" since that's the default (I think it is for most assemblers/debuggers, could be wrong however), though it does if it's something else, e.g. a byte ptr.
2. The h suffix is the same as the 0x prefix in most programming languages, a way to show that the number is in hexadecimal rather than decimal. CE has simply chosen to make most things hexadecimal by default, so it doesn't bother with a prefix or suffix for hexadecimal.
Extra: as for the jnl and jge, you can think of, say, 9 as "not less" than 3 or as "greater than (or equal to)" 3; 3 itself would be equal to 3 and not greater than 3.
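Both replies above make the same point: the bytes are identical and only the presentation differs, and the two tools merely pick different names for opcode 0F 8D. As an added example (not code from the thread, nor from Cheat Engine or WinDBG), here is a small Python decoder that handles only the seven encodings present in the two listings, prints each instruction in CE's layout and in WinDBG's layout, and resolves the relative branches to the absolute targets the listings show. The bytes it decodes are copied from the two posts; the decoder itself is a toy and makes no attempt to be a general disassembler.

```python
# Added example, not code from the thread: a toy x86-32 decoder that handles only the
# seven encodings in the two listings above and prints each instruction the way
# Cheat Engine and WinDBG do, so the two notations can be compared byte for byte.
import struct
from collections import namedtuple

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RM_OPS = {0x8B: "mov", 0x3B: "cmp", 0x0B: "or"}  # one-byte opcodes of the form "op r32, r/m32"

# addr: instruction address; raw: its bytes; ce / windbg: text in each tool's style;
# target: absolute branch target for jumps, else None
Insn = namedtuple("Insn", "addr raw ce windbg target")


def modrm_disp8(modrm, disp):
    """Split a ModRM byte of the [base+disp8] form (mod=01, no SIB) into (reg, base, signed disp)."""
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 1 or rm == 4:
        raise ValueError("toy decoder only handles [reg+disp8] without a SIB byte")
    return reg, rm, struct.unpack("<b", bytes([disp]))[0]


def mem(base, disp, style):
    """[base+/-disp]: CE prints bare hex, WinDBG appends an 'h' suffix to mark hex."""
    sign = "+" if disp >= 0 else "-"
    suffix = "h" if style == "windbg" else ""
    return f"[{base}{sign}{abs(disp):X}{suffix}]"


def decode(addr, code):
    """Decode one instruction starting at code[0], which sits at address addr."""
    op = code[0]
    if op in RM_OPS or op == 0xFF:
        reg, rm, disp = modrm_disp8(code[1], code[2])
        base = REGS32[rm]
        if op == 0xFF:
            # FF /2 = near indirect call; both tools spell out "dword ptr" here
            if reg != 2:
                raise ValueError("only FF /2 (call r/m32) is handled")
            ce = f"call dword ptr {mem(base, disp, 'ce')}"
            wd = f"call dword ptr {mem(base, disp, 'windbg')}"
        else:
            # CE leaves the implied "dword ptr" out when the destination is a 32-bit register
            ce = f"{RM_OPS[op]} {REGS32[reg]},{mem(base, disp, 'ce')}"
            wd = f"{RM_OPS[op]} {REGS32[reg]},dword ptr {mem(base, disp, 'windbg')}"
        return Insn(addr, code[:3], ce, wd, None)
    if op == 0x0F and code[1] == 0x8D:
        # 0F 8D rel32: one opcode, two names. CE prints jnl, WinDBG prints jge.
        # The target is relative to the end of the 6-byte instruction.
        rel = struct.unpack_from("<i", code, 2)[0]
        target = (addr + 6 + rel) & 0xFFFFFFFF
        return Insn(addr, code[:6], f"jnl {target:08X}", f"jge {target:08x}", target)
    if op == 0x74:
        # 74 rel8: je, target relative to the end of the 2-byte instruction
        rel = struct.unpack_from("<b", code, 1)[0]
        target = (addr + 2 + rel) & 0xFFFFFFFF
        return Insn(addr, code[:2], f"je {target:08X}", f"je {target:08x}", target)
    raise ValueError(f"opcode {op:02X} not handled by this toy decoder")


def disassemble(start, blob):
    """Decode consecutive instructions from blob, the first one located at address start."""
    out, off = [], 0
    while off < len(blob):
        insn = decode(start + off, blob[off:])
        out.append(insn)
        off += len(insn.raw)
    return out


def ce_line(i):
    """Cheat Engine layout: ADDRESS: space-separated bytes - mnemonic."""
    return f"{i.addr:08X}: {' '.join(f'{b:02X}' for b in i.raw)} - {i.ce}"


def windbg_line(i):
    """WinDBG layout: lowercase address, packed hex bytes, mnemonic."""
    return f"{i.addr:08x} {i.raw.hex():<16}{i.windbg}"


# Bytes copied from the two listings in the thread (CE run at 2DB358CE, WinDBG run at 41fa555b).
CE_BYTES = bytes.fromhex("8B4028 FF501C 3B459C 0F8DB0010000 8B45A4 0B45A0 740A")
WD_BYTES = bytes.fromhex("8b4028 ff501c 3b459c 0f8d5e010000 8b45a4 0b45a0 740c")

if __name__ == "__main__":
    for x, y in zip(disassemble(0x2DB358CE, CE_BYTES), disassemble(0x41FA555B, WD_BYTES)):
        print(ce_line(x))
        print(windbg_line(y))
        print()
```

Running it reproduces both listings line for line. Note one thing the posts do not dwell on: the non-branch instructions are byte-identical across the two runs, but the branch displacements are not (B0 01 00 00 versus 5E 01 00 00, and 0A versus 0C), because the code sits at a different address and the surrounding layout differs between the two captures. When porting an offset or an array-of-bytes pattern from one tool to the other, compare opcode bytes and decoded targets rather than the full byte string, or wildcard the displacement bytes of relative jumps.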
Rudo Advanced Cheater Reputation: 2
Joined: 27 Jun 2015 Posts: 80
Posted: Wed Apr 19, 2017 9:20 am Post subject: |
Thank you for the quick replies. Everything is solved.