Cheat Engine Forum Index
The Official Site of Cheat Engine
Possible Pointer Question

 
Cheat Engine Forum Index -> General Gamehacking
Future_Shock
Newbie cheater
Reputation: 0

Joined: 28 May 2006
Posts: 13

Posted: Sun May 28, 2006 10:13 am    Post subject: Possible Pointer Question

First off, I'm not a programmer, although I've spent countless hours reading posts on this board as well as as much ASM info as I can handle on the web...so please bear with me...I was wondering if someone could give me some direction:

I'm looking for a specific 'number' inside an exe. I've used the techniques discussed in this forum and was able to get CE to locate this number.

CE shows me that the value I'm looking for is found at: 25434B0.

My research shows me that it's a 'float'. (Taught myself this yesterday).

When I browse 25434B0 CE shows me:

4D 6A 56 44 (then some more numbers). I think the 44 is not part of the float, but at this point I don't think it matters. (Tell me if it does.)

The decimal equivalent of the above hex is 857.66blablabla

I am now interested in determining what writes to this area because I would like to know if this is the spot where my number is always going to be located every time I run the exe or it gets an 'update'.

So I followed various instructions in this forum and used CE to tell me that location 00492e47 writes to this area. CE shows me:

00492e47 - 89 0a - mov [edx], ecx

My research indicates that this command copies the value of ecx into memory location edx. The reason it copies it into the memory location edx as opposed to the register edx is due to the brackets (correct me if I'm wrong). Therefore, this tells me two things (correct me if I'm wrong):

1) The value I've been looking for and found, is stored in ecx.
2) The area where this value is written to is dictated by edx.

Knowing this, it occurred to me that I need to find out how edx ends up being my current memory location of 25434B0. This is where I get lost.

Disassembly of 'before' and 'after' 00492e47 reveals:

00492e29 - 44 - inc esp
00492e2a - 24 13 - and al,13
00492e2c - 01 89 8e 7c 61 00 - add [ecx+00617c8e],ecx
00492e32 - 00 74 22 8b - add [edx-75],dh
00492e36 - cf - iretd
00492e37 - e8 6b 28 4b 00 - call 009456a7
00492e3c - 83 c0 34 - add eax,34
00492e3f - 8b 08 - mov ecx,[eax]
00492e41 - 8d 96 80 61 00 00 - lea edx,[esi+00006180]
00492e47 - 89 0a - mov [edx],ecx
00492e49 - 8b 48 04 - mov ecx,[eax+04]
00492e4c - 89 4a 04 - mov [edx+04],ecx
00492e4f - 8b 40 08 - mov eax,[eax+08]
00492e52 - 89 42 08 - mov [edx+08],eax
00492e55 - eb 1f - jmp 00492e76
00492e57 - 8b 15 88 ff ed 00 - mov edx,[00edff88]
00492e5d - 8d 8e 80 61 00 00 - lea ecx,[esi+00006180]

It looks to me like edx is being created by 00492e41 (esi + 00006180). Therefore, I need to determine what sets esi to 2542E230. Would it be safe to assume that esi is being set by line 00492e37, somewhere inside the 'call' to 009456a7?

Lemme know if I am on the right track. Any info would be greatly appreciated...
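An added illustration of the first post (example code, not from the thread or from Cheat Engine): the bytes quoted above, decoded in Python. x86 stores the least significant byte first, so the hex view's "4D 6A 56 44" is the single 0x44566A4D, which decodes to 857.66; the trailing 44 is the float's most significant byte (sign bit plus the top exponent bits), and every positive single between 512 and 2048 carries that same high byte. The block also undoes the `lea edx,[esi+00006180]` to recover esi from the address `mov [edx],ecx` wrote to, and scans a small dump for floats in a range. The sample dump, its base and the float values in it are constructed for the example; only the address 025434B0, the bytes 4D 6A 56 44 and the 6180 displacement come from the post.

```python
import struct

# From the post: the hex view at 025434B0 began "4D 6A 56 44".
VALUE_ADDR = 0x025434B0
VALUE_BYTES = bytes.fromhex("4D6A5644")

# Displacement from the instruction that builds the destination address:
#   00492e41 - lea edx,[esi+00006180]
STRUCT_OFFSET = 0x6180


def le_float(b: bytes) -> float:
    """Decode 4 bytes as a little-endian IEEE-754 single (x86 memory order).
    The byte shown first in the hex view (4D) is the least significant one,
    so the 44 shown last is the most significant byte and is part of the value."""
    return struct.unpack("<f", b[:4])[0]


def high_byte(value: float) -> int:
    """Most significant byte of a single: the sign bit plus the top 7 exponent bits.
    Every positive value in the same pair of octaves shares this byte."""
    return struct.pack("<f", value)[3]


def band_for_high_byte(hb: int) -> tuple:
    """Half-open range [lo, hi) of positive values whose high byte is hb.
    The byte carries exponent bits 7..1; bit 0 sits in the next byte, so two
    adjacent powers of two map to the same high byte."""
    exp_lo = (hb & 0x7F) << 1           # exponent with its low bit cleared
    return (2.0 ** (exp_lo - 127), 2.0 ** (exp_lo + 2 - 127))


def struct_base(write_addr: int, displacement: int = STRUCT_OFFSET) -> int:
    """Undo the lea: given the address that mov [edx],ecx wrote to and the
    displacement, recover esi (the base the offset was added to)."""
    return write_addr - displacement


def scan_floats(dump: bytes, base: int, lo: float, hi: float, step: int = 4):
    """Return (address, value) for every float in the dump within [lo, hi],
    checking every `step` bytes. step=1 also finds unaligned values."""
    hits = []
    for off in range(0, len(dump) - 3, step):
        v = le_float(dump[off:off + 4])
        if lo <= v <= hi:
            hits.append((base + off, round(v, 2)))
    return hits


# Constructed sample dump (not game memory): a 4-byte header followed by four
# floats, placed so the first float lands on the address from the post.
SAMPLE_BASE = VALUE_ADDR - 4
SAMPLE_DUMP = struct.pack("<I4f", 0x00000001, 857.66, 600.25, 1500.0, 12.5)


if __name__ == "__main__":
    print(f"{VALUE_BYTES.hex()} -> {le_float(VALUE_BYTES):.2f}")
    print(f"high byte 0x{VALUE_BYTES[3]:02x} covers {band_for_high_byte(VALUE_BYTES[3])}")
    print(f"esi = {VALUE_ADDR:08X} - {STRUCT_OFFSET:X} = {struct_base(VALUE_ADDR):08X}")
    for addr, v in scan_floats(SAMPLE_DUMP, SAMPLE_BASE, 1.0, 2048.0):
        print(f"{addr:08X}: {v}")
```

Run it as a script to see the decoded value and the scan; `scan_floats` with `step=1` is the slower but safer choice when the alignment of a record is not yet known.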
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25296
Location: The netherlands

Posted: Sun May 28, 2006 10:24 am

That's correct.

You could also add 00492e47 to the code list and then use the option "find out what addresses this code writes to" to get the address next time you play.

Or, to automate it, you could probably also use an Auto Assembler script that hooks 00492e47, saves the value of edx to a known address, and then use that address to find the real address.

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping

Future_Shock

Posted: Sun May 28, 2006 12:57 pm

Thank you for the input. I appreciate it. Your second comment about hooking is beyond me at this point, though I am going to take it under advisement and research your suggestion.

In the meantime..

My system happened to freeze in the middle of the analysis and therefore I had to reboot. Guess what? All the values changed on me. Woot!

Anyways here's where I'm at:

Found the value I'm looking for...it's moved to 03675580.
00493037 now writes to this location.

The code at 00493037 is the same as it was up top in my previous message:

00493022 - 00 74 22 8b - add [edx-75],dh
00493026 - cf - iretd
00493027 - e8 56 1f 4b 00 - call 00944f82
0049302c - 83 c0 34 - add eax,34
0049302f - 8b 08 - mov ecx,[eax]
00493031 - 8d 96 80 61 00 00 - lea edx,[esi+00006180]
00493037 - 89 0a - mov [edx],ecx
00493039 - 8b 48 04 - mov ecx,[eax+04]
0049303c - 89 4a 04 - mov [edx+04],ecx
0049303f - 8b 40 08 - mov eax,[eax+08]
00493042 - 89 42 08 - mov [edx+08],eax

Again, I must assume I'm hunting for what sets edx, and therefore I need to determine what gives esi its value.

Opening the code at the 'call' of line 00493027 we see this:

00944f7e - c9 - leave
00944f7f - c2 08 00 - ret 0008
00944f82 - 56 - push esi
00944f83 - 8b b1 94 00 00 00 - mov esi,[ecx+00000094]
00944f89 - 85 f6 - test esi,esi
00944f8b - 74 15 - je 00944fa2
00944f8d - f6 46 0a 08 - test byte ptr [esi+0a],08
00944f91 - 74 07 - je 00944f9a
00944f93 - 8b ce - mov ecx,esi
00944f95 - e8 72 e6 f6 ff - call 008b360c
00944f9a - 8d 86 c0 00 00 00 - lea eax,[esi+000000c0]
00944fa0 - 5e - pop esi

Ah HA! We've found it!

Not.

My interpretation of this code indicates that esi is set by this portion of the code, and it's set by taking ecx and adding 00000094, then moving it into esi. I would assume (correct me if I'm wrong) that the code after line 00944f83 is irrelevant at this time.

So now, I'm back to square one.

edx holds the location to send my value to.
edx is set by esi+00006180
esi is set by ecx+00000094
can't see where ecx would get manipulated..


Did I miss something...maybe something before or after the displayed code...?

Dark Byte

Posted: Sun May 28, 2006 1:07 pm

You can't be sure.
Notice the push esi at the start and the pop esi at the end of the snippet.

I don't know if after that pop there is a ret, but if there is, that will restore esi to the original. So my guess is that esi is already set before the call.


Future_Shock

Posted: Sun May 28, 2006 6:55 pm

It is in fact a 'ret' as you mentioned.

I did not catch the push - pop thing, so thanks.

Because of your input, I attempted to follow the code through to determine where ESI is set; unfortunately the program continues to split and turn into a mess, so I won't find it this way.

Which means I'm going to try what you suggested second, and somehow intercept the process and write ESI to an empty known location.

Would inserting a 'jump' at 00493031 be okay?

I think I could then jump down to an area and write some code to dump ESI (somehow - i'll have to figure that part out still), complete the code that was overwritten (lea edx,[esi+00006180]) and then jump back.

Then I can reference the area where I dumped ESI and finally determine it.

Any advice on getting esi stored in memory without messing up the code you've seen in the snippets? I am worried about messing up registers, or can I avoid using registers all together to store ESI?

Future_Shock

Posted: Sun May 28, 2006 7:37 pm

Ok. Here we go..

Inserted my intercept using CE's 'create jump and initialize code cave' ability (sweet!):

00493031 - e9 0a d5 f6 ff - jmp 00400540
00493036 - 90 - nop

It created a block of room for me at 00400540 for which I coded:

00400540 - 8d 96 80 61 00 00 - lea edx,[esi+00006180] //line that was overwritten
00400546 - 89 35 a0 05 40 00 - mov [004005a0],esi //give it to me baby!
a bunch of other NOP's
00400563 - e9 ce 2a 09 00 - jmp 00493036 //go back

I did some things in my game and it stored:

00 F4 66 03 at address 004005a0.

Therefore I must conclude that ESI = 00F46603 or 0366F400 or something like that..

Does this make sense?
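An added example (not code from the thread or from Cheat Engine) that rebuilds the patch bytes in this post from the addresses alone, so the listing can be checked rather than trusted. A `jmp` to the cave is E9 followed by a signed 32-bit distance measured from the end of the 5-byte instruction, which is why the hook site shows "e9 0a d5 f6 ff" and the return jump shows "e9 ce 2a 09 00"; `mov [004005a0],esi` is 89 35 plus the absolute address. The block also reads back the stored "00 F4 66 03" as 0366F400 and adds the 6180 displacement, which gives 03675580, the address the value had moved to in the earlier post. The function names, the filler layout and the overlap check on the save slot are mine; the addresses, the stolen `lea` bytes and the dumped esi bytes come from the posts.

```python
import struct

# Values from the post (the hook was made with CE's "create jump and
# initialize code cave" on 00493031).
HOOK_ADDR = 0x00493031                     # lea edx,[esi+00006180] (6 bytes) lives here
STOLEN = bytes.fromhex("8d9680610000")     # those 6 bytes, re-executed inside the cave
CAVE_ADDR = 0x00400540                     # code cave CE handed out
JMP_BACK_OFFSET = 0x23                     # the return jmp sat at 00400563
SAVE_ADDR = 0x004005A0                     # where esi is dumped, past the cave code
ESI_DUMP = bytes.fromhex("00F46603")       # bytes the post read back at 004005a0
STRUCT_OFFSET = 0x6180                     # displacement in the stolen lea


def rel32(src: int, dst: int) -> bytes:
    """Displacement of a 5-byte jmp/call at src: target minus the next instruction."""
    return struct.pack("<i", dst - (src + 5))


def jmp_rel32(src: int, dst: int) -> bytes:
    return b"\xe9" + rel32(src, dst)


def mov_abs32_esi(addr: int) -> bytes:
    """mov [disp32],esi -> 89 35 <disp32>. ModRM 0x35: mod=00, reg=110 (esi), rm=101 (disp32)."""
    return b"\x89\x35" + struct.pack("<I", addr)


def hook_site_bytes(hook: int, cave: int, stolen_len: int) -> bytes:
    """Bytes written over the hooked instruction: jmp cave, padded with nops so
    that the next original instruction still starts where it used to."""
    if stolen_len < 5:
        raise ValueError("need at least 5 bytes at the hook site for a rel32 jmp")
    return jmp_rel32(hook, cave) + b"\x90" * (stolen_len - 5)


def cave_bytes(cave: int, hook: int, stolen: bytes, save: int, jmp_back_offset: int) -> bytes:
    """Cave body: the stolen instruction, the esi store, nop filler, and a jmp
    back to hook+5, the nop the patch left (landing on hook+len(stolen) would
    work too; CE's layout in the post returns to the nop)."""
    body = stolen + mov_abs32_esi(save)
    if len(body) > jmp_back_offset:
        raise ValueError("cave code runs into the slot reserved for the return jmp")
    body += b"\x90" * (jmp_back_offset - len(body))
    body += jmp_rel32(cave + jmp_back_offset, hook + 5)
    # The 4-byte save slot must not sit inside the code just laid out.
    if save < cave + len(body) and save + 4 > cave:
        raise ValueError("save slot overlaps the cave code")
    return body


def le_dword(b: bytes) -> int:
    """Read 4 little-endian bytes as the unsigned value a register held."""
    return struct.unpack("<I", b[:4])[0]


SITE_BYTES = hook_site_bytes(HOOK_ADDR, CAVE_ADDR, len(STOLEN))
CAVE_BYTES = cave_bytes(CAVE_ADDR, HOOK_ADDR, STOLEN, SAVE_ADDR, JMP_BACK_OFFSET)
ESI_VALUE = le_dword(ESI_DUMP)

if __name__ == "__main__":
    print(f"{HOOK_ADDR:08X}: {SITE_BYTES.hex(' ')}")
    print(f"{CAVE_ADDR:08X}: {CAVE_BYTES.hex(' ')}")
    print(f"esi = {ESI_VALUE:08X}, edx = esi+{STRUCT_OFFSET:X} = {ESI_VALUE + STRUCT_OFFSET:08X}")
```

The two `ValueError` checks are the mistakes that most often crash a hooked process: a hook site shorter than the 5-byte jmp (the patch then clobbers the next instruction), and a save slot placed on top of the cave's own code.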

Dark Byte

Posted: Mon May 29, 2006 1:16 am

Yes, that is 0366F400 (you can also add 004005a0 to the cheat table and use the option to display it as hex).

Future_Shock

Posted: Wed May 31, 2006 6:17 pm

After spending some time reviewing this code, I've come to the inexplicable conclusion that:

Since, edx = esi + 00006180

Then, esi = edx - 00006180

And since I can find edx by using CE's search tools, esi is actually easy to find each time the code changes.

However, esi's base address still needs to be found...

I will continue to sort through the code...I've got some more ideas centered around a larger set of data.

This is the byte pattern of the full set info I've been seeking inside the exe:

AAAA?XXXX?YYYY?ZZZZ?DDDD where,

AAAA is some 4 byte code that I can't find a meaning for
XXXX is the 4 byte float I've been speaking about up top...
YYYY is the second 4 byte float I am interested in.
ZZZZ is the third 4 byte float I am interested in and finally
DDDD is the fourth 4 byte pattern containing a float I'm interested in.
? is an unknown static byte (44h) that's always in between each set of 4 bytes.


I have had no luck determining where XXXX or YYYY or ZZZZ is allocated each time the exe is run, but I might be able to determine where AAAA lands and thus use an offset from AAAA each time.


Stay tuned..

Future_Shock

Posted: Sun Jun 04, 2006 1:19 pm

The saga continues...

00492e36 - cf - iretd
00492e37 - e8 6b 28 4b 00 - call 009456a7 <<---
00492e3c - 83 c0 34 - add eax,34
00492e3f - 8b 08 - mov ecx,[eax]
00492e41 - 8d 96 80 61 00 00 - lea edx,[esi+00006180]
00492e47 - 89 0a - mov [edx],ecx

Is there any way CE can help me determine how the program 'gets to' a certain section of code?

I need to determine what 'comes' before the marked line in the code above, or, to word it differently, I need to find out where the program 'jumps' from to arrive at 00492e37...my methods are not working.

Method 1:

I've changed the marked line to a 'ret' and inserted a break point using CE to 'step' through the process to see where it jumps back...but when it hits the 'ret' it jumps to an area with nothing but question marks...which would indicate there's nothing to return to, which means there's no 'call' being used...and it's more likely a jump....Am I on the right path?

Method 2:

I've searched for an array of hex that would find the code 'jmp 00492e37' or 'call 00492e37' but nothing comes up....is it possible to have code like jmp [eax] ??

My knowledge is not good enough to develop a method to determine how the program arrives at 00492e37.

Know of any good methods of determining how one gets sent to a specific address?

And while we're at it..is there such a thing as 'logging' program path flow? i.e. keeping track of the EIP register while a program runs?


Any info would be greatly appreciated...
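An added example (not from the thread or from Cheat Engine) for the two methods in this post. Method 2 fails for a reason worth seeing in bytes: `call` and `jmp` rel32 (E8/E9) store the distance from the end of the instruction, not the address, so every call site that reaches 00492e37 has different bytes and the literal pattern "e9 37 2e 49 00" never occurs. The scanner below instead decodes each candidate branch and computes where it lands; it also checks the two `call` encodings from the listings against their shown targets. On the `jmp [eax]` question: yes, indirect branches (FF /4) exist, and they carry no destination in their bytes, so no byte scan can find them; the breakpoint-and-return-address approach used in the follow-up post is the way for those. The sample image and its base address are constructed; the scanner can also produce a false positive where data happens to decode as a branch, so hits should be confirmed in the disassembler.

```python
import struct

TARGET = 0x00492E37          # the post wants to know what reaches this address
OTHER = 0x009456A7           # the function called from 00492e37 in the listing


def rel32(src: int, dst: int) -> bytes:
    return struct.pack("<i", dst - (src + 5))


def branch_target(addr: int, insn: bytes) -> int:
    """Destination of a call/jmp rel32 (E8/E9) located at addr: next instruction plus displacement."""
    if len(insn) < 5 or insn[0] not in (0xE8, 0xE9):
        raise ValueError("not a 5-byte rel32 branch")
    return addr + 5 + struct.unpack_from("<i", insn, 1)[0]


def find_branch_xrefs(code: bytes, base: int, target: int):
    """Scan a code image for direct branches whose computed destination is target.
    Covers call rel32 (E8), jmp rel32 (E9), jmp rel8 (EB) and jcc rel32 (0F 80..8F).
    Returns (address, mnemonic) pairs. Indirect branches such as jmp [eax] (FF 20)
    or jmp eax (FF E0) hold no destination in their bytes and are not found.
    The scan is byte-wise, so a data byte that happens to decode right is a
    possible false positive: confirm each hit in the disassembler."""
    hits = []
    n = len(code)
    for i in range(n):
        op = code[i]
        if op in (0xE8, 0xE9) and i + 5 <= n:
            disp = struct.unpack_from("<i", code, i + 1)[0]
            if base + i + 5 + disp == target:
                hits.append((base + i, "call" if op == 0xE8 else "jmp"))
        elif op == 0xEB and i + 2 <= n:
            disp = struct.unpack_from("<b", code, i + 1)[0]
            if base + i + 2 + disp == target:
                hits.append((base + i, "jmp short"))
        elif op == 0x0F and i + 6 <= n and 0x80 <= code[i + 1] <= 0x8F:
            disp = struct.unpack_from("<i", code, i + 2)[0]
            if base + i + 6 + disp == target:
                hits.append((base + i, "jcc"))
    return hits


def naive_pattern_search(code: bytes, target: int) -> int:
    """The search the post tried: look for the literal bytes e9 <target>.
    Returns -1, because a rel32 branch encodes a distance, not the address."""
    return code.find(b"\xe9" + struct.pack("<I", target))


# Constructed image (not game code): three direct branches to TARGET from
# different addresses, plus one call elsewhere, in a nop-filled region.
IMAGE_BASE = 0x00401000


def build_sample_image() -> bytes:
    img = bytearray(b"\x90" * 0x30)
    img[0x00:0x05] = b"\xe8" + rel32(IMAGE_BASE + 0x00, TARGET)     # call 00492e37
    img[0x10:0x15] = b"\xe9" + rel32(IMAGE_BASE + 0x10, TARGET)     # jmp  00492e37
    img[0x20:0x25] = b"\xe8" + rel32(IMAGE_BASE + 0x20, OTHER)      # call 009456a7 (no hit)
    img[0x25:0x2B] = b"\x0f\x84" + struct.pack("<i", TARGET - (IMAGE_BASE + 0x25 + 6))  # jz 00492e37
    return bytes(img)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    print(f"call at 00492e37 -> {branch_target(0x00492E37, bytes.fromhex('e86b284b00')):08X}")
    print(f"literal search for e9 <target>: {naive_pattern_search(SAMPLE_IMAGE, TARGET)}")
    for addr, kind in find_branch_xrefs(SAMPLE_IMAGE, IMAGE_BASE, TARGET):
        print(f"{addr:08X}: {kind} -> {TARGET:08X}")
```

In practice the image would be the executable's code section read out of the process; the scan is linear, so it is cheap to run over the whole section.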

Future_Shock

Posted: Tue Jun 06, 2006 7:24 pm

Update:

00492e37 - e8 6b 28 4b 00 - call 009456a7 <<---
00492e3c - 83 c0 34 - add eax,34
00492e3f - 8b 08 - mov ecx,[eax]
00492e41 - 8d 96 80 61 00 00 - lea edx,[esi+00006180]
00492e47 - 89 0a - mov [edx],ecx
(code)
00492XXX - ret

I injected a code cave just after 00492e37.

The code I injected jumped to an unused area, then simply 'ret'. I've found the code that brings me to this area because I used a break point to figure out where it returns to.

The pointers are many levels deep, so I'll never find them. Custom made code is the only way to go.

"And while we're at it..is there such a thing as 'logging' program path flow? i.e. keeping track of the EIP register while a program runs?"

- I found this answer as well. Some programs can trace registers and log them. Using them I've yet to figure out..

Would anyone care to explain program 'threads' to me?