Cheat Engine The Official Site of Cheat Engine
Telecide (Cheater, Reputation: 0, Joined: 30 Sep 2012, Posts: 42)
Posted: Wed Oct 09, 2013 11:03 am
Man, I can't thank you enough for walking me through this. Your suggestion makes perfect sense, but I was staring at this problem so long I can't think straight.
So I'm pretty sure the cmp is the culprit. I used edi instead of eax, and stored its original value manually as you suggested. Also removed all the push/pop stuff and the cmp.
No crash.
Reintroduce pushfd popfd = crash
Remove pushfd/popfd, reintroduce cmp = crash
I even tried doing this
Code:
mov [ediStore],edi
lea edi,[eax+24]
mov edi,[edi]
lea edi,[edi+3a8]
pushfd
cmp [edi],00000004
popfd
mov edi,[ediStore]
jmp originalcode
So here I would think I'm quarantining the cmp instruction between pushfd and popfd, keeping from affecting anything else. But it still crashes. If I remove the cmp, but leave the pushfd/popfd it doesn't crash.
Geri (Moderator, Reputation: 111, Joined: 05 Feb 2010, Posts: 5636)
Posted: Wed Oct 09, 2013 12:34 pm
Your code is not correct:
Code:
lea edi,[eax+24]
mov edi,[edi]
lea edi,[edi+3a8]
lea edi,[eax+24] //stores the result of eax+24, aka the pointer's address on edi
mov edi,[edi] //move the value (the pointer) from [edi] (=[eax+24]) to edi
lea edi,[edi+3a8] //store the address of the value on edi
You have to replace the second lea with mov. You need the value, not its address.
Code:
lea edi,[eax+24]
mov edi,[edi]
mov edi,[edi+3a8]
And if it's still crashing, remove the
mov edi,[edi+3a8]
line. Your cmp will not be correct, but at least you will see whether the error is caused by the pointer or not.
If it's caused by the pointer, modify your code to filter out 0 values.
E.g. you can use
Code:
lea edi,[eax+24]
mov edi,[edi]
test edi,edi //basically equal check to cmp edi,0
je originalcode //you need to jump to a part that will restore edi etc to cleanup if edi is 0
mov edi,[edi+3a8]
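To make the address-versus-value distinction and the null-pointer guard in Geri's reply concrete, here is an added C example (not code from the thread or from Cheat Engine) that models the three-instruction chain over a constructed object layout. The offsets 0x24 and 0x3a8 are the thread's; the buffer names, the 0x400 object size, the field value 1 and the use of the host's pointer width for the pointer slot are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout, an assumption for this example and not the game's
 * real structures: the object that eax points at holds, at offset 0x24,
 * a pointer to a second object, and that second object holds a 32-bit
 * field at offset 0x3a8. Pointer slots use the host pointer width; on
 * the 32-bit target in the thread they would be 4 bytes. */
enum { PTR_OFFSET = 0x24, FIELD_OFFSET = 0x3a8, OBJ_SIZE = 0x400 };

static uint8_t outer_obj[OBJ_SIZE];   /* what eax points at */
static uint8_t inner_obj[OBJ_SIZE];   /* what [eax+24] points at */
static uint8_t orphan_obj[OBJ_SIZE];  /* same layout, pointer slot left 0 */

/* lea edi,[eax+24]: compute the ADDRESS eax+0x24; nothing is read. */
uintptr_t lea_eax_plus_24(const uint8_t *eax) {
    return (uintptr_t)(eax + PTR_OFFSET);
}

/* mov edi,[edi]: READ the pointer stored at the address in edi. */
uint8_t *mov_deref(uintptr_t addr) {
    uint8_t *p;
    memcpy(&p, (const void *)addr, sizeof p);
    return p;
}

/* The chain from Geri's post with its test edi,edi / je guard:
 *   lea edi,[eax+24]
 *   mov edi,[edi]
 *   test edi,edi
 *   je originalcode
 *   mov edi,[edi+3a8]
 * Returns 1 and stores the 32-bit field, or returns 0 without touching
 * memory when the intermediate pointer is 0, which is exactly the case
 * where the unguarded version reads [0+0x3a8] and faults. */
int read_field_checked(const uint8_t *eax, uint32_t *out) {
    uintptr_t edi = lea_eax_plus_24(eax);
    uint8_t *inner = mov_deref(edi);
    if (inner == NULL)
        return 0;
    memcpy(out, inner + FIELD_OFFSET, sizeof *out);
    return 1;
}

/* Constructed sample data. */
void build_sample(void) {
    uint8_t *inner = inner_obj;
    uint32_t field = 1;  /* the value the script later compares against */
    memset(outer_obj, 0, sizeof outer_obj);
    memset(inner_obj, 0, sizeof inner_obj);
    memset(orphan_obj, 0, sizeof orphan_obj);
    memcpy(outer_obj + PTR_OFFSET, &inner, sizeof inner);
    memcpy(inner_obj + FIELD_OFFSET, &field, sizeof field);
}

/* Valid chain: returns the field value (1). */
uint32_t demo_valid_chain(void) {
    uint32_t v = 0xFFFFFFFFu;
    build_sample();
    return read_field_checked(outer_obj, &v) ? v : 0xFFFFFFFFu;
}

/* Null intermediate pointer: the guard trips, nothing is dereferenced. */
int demo_null_guarded(void) {
    uint32_t v = 0;
    build_sample();
    return read_field_checked(orphan_obj, &v) == 0;
}

/* lea yields the slot's address; mov yields the pointer stored in it. */
int demo_lea_vs_mov(void) {
    build_sample();
    uintptr_t slot = lea_eax_plus_24(outer_obj);
    return slot == (uintptr_t)(outer_obj + PTR_OFFSET)
        && mov_deref(slot) == inner_obj;
}

int main(void) {
    printf("valid chain -> %u\n", demo_valid_chain());
    printf("null pointer guarded -> %d\n", demo_null_guarded());
    printf("lea address vs mov value -> %d\n", demo_lea_vs_mov());
    return 0;
}
```

The point of the guard is visible in demo_null_guarded: with the pointer slot zeroed, the unguarded chain would compute 0+0x3a8 and read from an unmapped page, which is the access violation the thread ends up discussing.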
Telecide (Cheater, Reputation: 0, Joined: 30 Sep 2012, Posts: 42)
Posted: Thu Oct 10, 2013 12:28 am
Eureka!!!! It works!!
It looks like slop, but it works.
Code:
[enable]
alloc(newmem,2048)
alloc(ediStore,4)
label(returnhere)
label(originalcode)
label(exit)
label(address3)
registersymbol(address3)
aobscan(aob3,DD 45 28 D9 9D 64 FD FF FF D9 85 64 FD FF FF 8B 85 7C FD FF FF D8 A8 0C 02 00 00)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
pushfd
mov [ediStore],edi
//lea edi,[eax+24]
//mov edi,[edi]
//mov edi,[edi+3a8]
lea edi,[eax+24]
mov edi,[edi]
test edi,edi //basically equal check to cmp edi,0
je originalcode //you need to jump to a part that will restore edi etc to cleanup if edi is 0
mov edi,[edi+3a8]
cmp edi,00000001
jne originalcode
mov edi,[ediStore]
//fstp dword ptr [eax+0000020C]
fstp st(0)
//fild [eax+00000210]
//fstp [eax+0000020c]
//popfd
jmp exit
originalcode:
popfd
mov edi,[ediStore]
fstp dword ptr [eax+0000020C]
exit:
jmp returnhere
aob3+1b:
address3:
jmp newmem
nop
returnhere:
[disable]
dealloc(newmem)
dealloc(ediStore)
address3:
db D9 98 0C 02 00 00
unregistersymbol(address3)
I think one major problem was "cmp [edi],00000001" instead of "cmp edi,00000001".
I believe the test line fixed something too. So if you have a pointer, say [edi], and edi=0, that will cause a crash?
Geri (Moderator, Reputation: 111, Joined: 05 Feb 2010, Posts: 5636)
Posted: Thu Oct 10, 2013 7:05 am
Telecide wrote:
I think one major problem was "cmp [edi],00000001" instead of "cmp edi,00000001".
I didn't notice that you had used [edi]. So yeah, looking at it that way, you had used lea correctly. But it's better this way.
Quote:
I believe the test line fixed something too. So if you have a pointer, say [edi], and edi=0, that will cause a crash?
Yes. In many programs, this will cause an "access violation" crash.
Telecide (Cheater, Reputation: 0, Joined: 30 Sep 2012, Posts: 42)
Posted: Fri Oct 11, 2013 2:26 pm
Thanks again. Really learned a lot from this.
Nemexia55 (Expert Cheater, Reputation: 0, Joined: 28 Jan 2014, Posts: 160)
Posted: Tue Jun 23, 2015 1:31 pm
In this code:
Quote:
God Mode script (this is an old script that I have made ages ago):
fstp dword ptr [esi+04] //original code which is changing the health
pushfd //save flags
pushad //save registers
cmp [esi],0 //check if ESI=0
jne +6 //if ESI is not 0, the code will jump over the next 2 lines, jumping to the "popad" instruction
mov eax,[esi+08] //copy the max health on eax
mov [esi+04],eax //copy eax to the health, so max health = health
popad //load registers
popfd //load flags
How did you find out it must be +6?
mgr.inz.Player (I post too much, Reputation: 218, Joined: 07 Nov 2008, Posts: 4438, Location: W kraju nad Wisla. UTC+01:00)
Posted: Tue Jun 23, 2015 2:45 pm
module+10500 - 8B 46 08 - mov eax,[esi+08]
module+10503 - 89 46 04 - mov [esi+04],eax
Those two instructions take 6 bytes. To skip them, we can use jCC +6 or jmp +6
(jCC - any conditional jump)
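As an added example (not from the thread), here is C code that does the byte counting behind "jne +6": it sums the encoded lengths of the instructions to be skipped, encodes the short jne, and decodes the target the way the CPU does, relative to the end of the 2-byte jump. The addresses module+10500 and module+10503 and the encodings 8B 46 08 / 89 46 04 come from the post above; the jne's own address (module+104FE, two bytes before the first mov) and treating module as 0 are assumptions made for the arithmetic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A short conditional jump is 2 bytes: opcode (75 = jne) + rel8.
 * rel8 is signed and relative to the END of the jump instruction, so
 * "jne +6" lands 6 bytes past the jne's own 2 bytes. */
#define JNE_SHORT_OPCODE 0x75
#define JCC_SHORT_LEN 2

/* Sum the encoded lengths of the instructions to be skipped. */
int rel8_to_skip(const uint8_t *lengths, size_t n) {
    int total = 0;
    for (size_t i = 0; i < n; i++) total += lengths[i];
    return total;
}

/* Encode jne short with the given displacement. Returns 2 on success,
 * 0 if the displacement does not fit in a signed byte (a near form,
 * 0F 85 rel32, would be needed then). */
size_t encode_jne_short(int disp, uint8_t out[JCC_SHORT_LEN]) {
    if (disp < -128 || disp > 127) return 0;
    out[0] = JNE_SHORT_OPCODE;
    out[1] = (uint8_t)(int8_t)disp;
    return JCC_SHORT_LEN;
}

/* Decode the target of a short jcc located at jmp_addr. */
uint32_t jcc_short_target(uint32_t jmp_addr, const uint8_t bytes[JCC_SHORT_LEN]) {
    return jmp_addr + JCC_SHORT_LEN + (uint32_t)(int32_t)(int8_t)bytes[1];
}

/* Constructed instruction stream mirroring the thread's listing:
 *   75 06      jne +6
 *   8B 46 08   mov eax,[esi+08]     (module+10500, from the post)
 *   89 46 04   mov [esi+04],eax     (module+10503, from the post)
 *   61         popad
 * Assumptions: 'module' is treated as 0 and the 2-byte jne sits
 * immediately before the first mov, i.e. at 0x104FE. */
#define MOV1_ADDR 0x10500u
#define JNE_ADDR (MOV1_ADDR - JCC_SHORT_LEN)

static const uint8_t skipped_lengths[] = { 3, 3 };  /* the two movs */

/* Address the assembled jne +6 jumps to. */
uint32_t demo_jne_target(void) {
    uint8_t jne[JCC_SHORT_LEN];
    int disp = rel8_to_skip(skipped_lengths, 2);            /* 6 */
    if (encode_jne_short(disp, jne) != JCC_SHORT_LEN) return 0;
    return jcc_short_target(JNE_ADDR, jne);
}

/* Address of the popad: second mov (module+10503) plus its 3 bytes. */
uint32_t popad_addr(void) { return 0x10503u + 3; }

/* Why counting lines instead of bytes is wrong: "+2" for two
 * instructions lands inside the first mov, not on the popad. */
uint32_t demo_wrong_target_if_counting_lines(void) {
    uint8_t jne[JCC_SHORT_LEN];
    encode_jne_short(2, jne);
    return jcc_short_target(JNE_ADDR, jne);
}

int main(void) {
    printf("jne +6 at %#x -> %#x (popad at %#x)\n",
           JNE_ADDR, demo_jne_target(), popad_addr());
    printf("jne +2 would land at %#x\n", demo_wrong_target_if_counting_lines());
    return 0;
}
```

A jump that lands mid-instruction, as demo_wrong_target_if_counting_lines shows, makes the CPU decode from the wrong byte boundary, which is one of the ways a hand-counted displacement turns into a crash; Dark Byte's advice to use labels avoids the counting entirely.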
Dark Byte (Site Admin, Reputation: 458, Joined: 09 May 2003, Posts: 25296, Location: The Netherlands)
Posted: Tue Jun 23, 2015 2:52 pm
Also, instead of counting bytes, it's a lot easier to just use labels.
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping
Nemexia55 (Expert Cheater, Reputation: 0, Joined: 28 Jan 2014, Posts: 160)
Posted: Tue Jun 23, 2015 10:53 pm
Yeah, it was just something new; I wanted to know how it works.
Thanks
yukisakura (How do I cheat?, Reputation: 0, Joined: 27 Dec 2011, Posts: 4)
Posted: Sun Oct 09, 2016 9:26 am
Post subject: How to add dissected structure to address list
Hi guys,
I found a structure which is an array of 196 items. The address of this array changes when an item is removed. Now I want to add this array to the address list; how can I do that?
Thanks.
Radekx36 (How do I cheat?, Reputation: 0, Joined: 23 Mar 2017, Posts: 2)
Posted: Thu Mar 23, 2017 7:15 pm
Hello!
@Geri where can I find your tutorials? The link szemelyesintegracio.hu/cheats/41-game-hacking-articles does not work.
Thank you in advance.
Regards.
++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Radekx36 (How do I cheat?, Reputation: 0, Joined: 23 Mar 2017, Posts: 2)
Posted: Thu Mar 23, 2017 7:39 pm
Oh! I did not know ... R.I.P. Geri
jordaldo (How do I cheat?, Reputation: 0, Joined: 09 Jul 2019, Posts: 1)
Posted: Tue Jul 09, 2019 6:50 pm
When I activate mono features, it totally removes the ability to really navigate all the nearby addresses. Is there a way to turn off the mono features, or is there a better method?