Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


[Tutorial] Dissect data/structures in Cheat Engine
Goto page Previous  1, 2, 3, 4, 5, 6, 7
 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Tutorials
View previous topic :: View next topic  
Author Message
Telecide
Cheater
Reputation: 0

Joined: 30 Sep 2012
Posts: 42

PostPosted: Wed Oct 09, 2013 11:03 am    Post subject: Reply with quote

Man, I can't thank you enough for walking me through this. You suggestion make perfect sense, but I was staring at this problem so long I can't think straight. Very Happy

So I'm pretty sure the cmp is the culprit. I used edi instead of eax, and stored its orginal value manually as you suggested. Also removed all the push/pop stuff and the cmp.

No crash.

Reintroduce pushfd popfd = crash

Remove pushfd/popfd, reintroduce cmp = crash

I even tried doing this

Code:

mov [ediStore],edi
lea edi,[eax+24]
mov edi,[edi]
lea edi,[edi+3a8]
pushfd
cmp [edi],00000004
popfd
mov edi,[ediStore]
jmp originalcode


So here I would think I'm quarantining the cmp instruction between pushfd and popfd, keeping from affecting anything else. But it still crashes. If I remove the cmp, but leave the pushfd/popfd it doesn't crash. Confused
Back to top
View user's profile Send private message
Geri
Moderator
Reputation: 108

Joined: 05 Feb 2010
Posts: 5636

PostPosted: Wed Oct 09, 2013 12:34 pm    Post subject: Reply with quote

Your code is not correct:

Code:
lea edi,[eax+24]
mov edi,[edi]
lea edi,[edi+3a8]


lea edi,[eax+24] //stores the result of eax+24, aka the pointer's address on edi
mov edi,[edi] //move the value (the pointer) from [edi] (=[eax+24]) to edi
lea edi,[edi+3a8] //store the address of the value on edi

You have to replace the second lea with mov. You need the value, not it's address.

Code:
lea edi,[eax+24]
mov edi,[edi]
mov edi,[edi+3a8]


And if it's still crashing, remove the

mov edi,[edi+3a8]

line. Your cmp will not be correct, but at least you will see that the error is caused by the pointer or not.

If it's caused by the pointer, modify your code to filter out 0 values.

Eg you can use

Code:
lea edi,[eax+24]
mov edi,[edi]
test edi,edi   //basically equal check to cmp edi,0
je originalcode  //you need to jump to a part that will restore edi etc to cleanup if edi is 0
mov edi,[edi+3a8]

_________________
My trainers can be found here: http://www.szemelyesintegracio.hu/cheats

If you are interested in any of my crappy articles/tutorials about CE and game hacking, you can find them here:
http://www.szemelyesintegracio.hu/cheats/41-game-hacking-articles

Don't request cheats or updates.
Back to top
View user's profile Send private message
Telecide
Cheater
Reputation: 0

Joined: 30 Sep 2012
Posts: 42

PostPosted: Thu Oct 10, 2013 12:28 am    Post subject: Reply with quote

Eureka!!!! It works!!

It looks likes slop, but it works.
Code:

[enable]
alloc(newmem,2048)
alloc(ediStore,4)
label(returnhere)
label(originalcode)
label(exit)
label(address3)
registersymbol(address3)
aobscan(aob3,DD 45 28 D9 9D 64 FD FF FF D9 85 64 FD FF FF 8B 85 7C FD FF FF D8 A8 0C 02 00 00)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
pushfd
mov [ediStore],edi
//lea edi,[eax+24]
//mov edi,[edi]
//mov edi,[edi+3a8]
lea edi,[eax+24]
mov edi,[edi]
test edi,edi   //basically equal check to cmp edi,0
je originalcode  //you need to jump to a part that will restore edi etc to cleanup if edi is 0
mov edi,[edi+3a8]
cmp edi,00000001
jne originalcode
mov edi,[ediStore]
//fstp dword ptr [eax+0000020C]
fstp st(0)
//fild [eax+00000210]
//fstp [eax+0000020c]
//popfd
jmp exit
originalcode:
popfd
mov edi,[ediStore]
fstp dword ptr [eax+0000020C]

exit:
jmp returnhere

aob3+1b:
address3:
jmp newmem
nop

returnhere:
[disable]
dealloc(newmem)
dealloc(ediStore)
address3:
db D9 98 0C 02 00 00
unregistersymbol(address3)


I think one major problem was "cmp [edi],00000001" instead of "cmp edi,00000001".

I believe the test line fixed something too. So if you have a pointer, say [edi], and edi=0, that will cause a crash?
Back to top
View user's profile Send private message
Geri
Moderator
Reputation: 108

Joined: 05 Feb 2010
Posts: 5636

PostPosted: Thu Oct 10, 2013 7:05 am    Post subject: Reply with quote

Telecide wrote:
I think one major problem was "cmp [edi],00000001" instead of "cmp edi,00000001".


I didn't notice that you have used [edi]. So yeah, looking at that way, you have used lea correctly. But it's better this way.

Quote:
I believe the test line fixed something too. So if you have a pointer, say [edi], and edi=0, that will cause a crash?


Yes. In many programs, this will cause an "access violation" crash.

_________________
My trainers can be found here: http://www.szemelyesintegracio.hu/cheats

If you are interested in any of my crappy articles/tutorials about CE and game hacking, you can find them here:
http://www.szemelyesintegracio.hu/cheats/41-game-hacking-articles

Don't request cheats or updates.
Back to top
View user's profile Send private message
Telecide
Cheater
Reputation: 0

Joined: 30 Sep 2012
Posts: 42

PostPosted: Fri Oct 11, 2013 2:26 pm    Post subject: Reply with quote

Thanks again. Really learned a lot from this.
Back to top
View user's profile Send private message
Nemexia55
Expert Cheater
Reputation: 0

Joined: 28 Jan 2014
Posts: 158

PostPosted: Tue Jun 23, 2015 1:31 pm    Post subject: Reply with quote

In this code:

Quote:
God Mode script (this is an old script that I have made ages ago):

fstp dword ptr [esi+04] //original code which is changing the health
pushfd //save flags
pushad //save registers
cmp [esi],0 //check if ESI=0
jne +6 //if ESI is not 0, the code will jump over the next 2 lines, jumping to the "popad" instruction
mov eax,[esi+08] //copy the max health on eax
mov [esi+04],eax //copy eax to the health, so max health = health
popad //load registers
popfd //load flags



How did you find out it must be +6?

Quote:
jne +6

_________________
Back to top
View user's profile Send private message
mgr.inz.Player
I post too much
Reputation: 148

Joined: 07 Nov 2008
Posts: 4173
Location: W kraju nad Wisla. UTC+01:00

PostPosted: Tue Jun 23, 2015 2:45 pm    Post subject: Reply with quote

module+10500 - 8B 46 08 - mov eax,[esi+08]
module+10503 - 89 46 04 - mov [esi+04],eax


Those two instructions take 6 bytes. To skip them, we can use jCC +6 or jmp +6

(jCC - any conditional jump)

_________________
Back to top
View user's profile Send private message MSN Messenger
Dark Byte
Site Admin
Reputation: 338

Joined: 09 May 2003
Posts: 19898
Location: The netherlands

PostPosted: Tue Jun 23, 2015 2:52 pm    Post subject: Reply with quote

also, instead of counting bytes, it a lot easier to just use labels
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Back to top
View user's profile Send private message MSN Messenger
Nemexia55
Expert Cheater
Reputation: 0

Joined: 28 Jan 2014
Posts: 158

PostPosted: Tue Jun 23, 2015 10:53 pm    Post subject: Reply with quote

Yeah, it was just something new, i wanted to know how it works
Thanks

_________________
Back to top
View user's profile Send private message
yukisakura
How do I cheat?
Reputation: 0

Joined: 27 Dec 2011
Posts: 4

PostPosted: Sun Oct 09, 2016 9:26 am    Post subject: How to add dissected structure to address list Reply with quote

Hi guys,

I found a structure which is an array of 196 items. The address of this array is changed when an item is removed. Now I want to add this array to the address list, how can I make it?

Thanks.
Back to top
View user's profile Send private message
Radekx36
How do I cheat?
Reputation: 0

Joined: 23 Mar 2017
Posts: 2

PostPosted: Thu Mar 23, 2017 7:15 pm    Post subject: Reply with quote

Hello!

@Geri where can I find Your tutorials? Link: szemelyesintegracio.hu/cheats/41-game-hacking-articles does not work.
Thank you in advance.
Regards.
Back to top
View user's profile Send private message
++METHOS
I post too much
Reputation: 75

Joined: 29 Oct 2010
Posts: 3660

PostPosted: Thu Mar 23, 2017 7:24 pm    Post subject: Reply with quote

http://forum.cheatengine.org/viewtopic.php?p=5603968#5603968
Back to top
View user's profile Send private message
Radekx36
How do I cheat?
Reputation: 0

Joined: 23 Mar 2017
Posts: 2

PostPosted: Thu Mar 23, 2017 7:39 pm    Post subject: Reply with quote

Oh! I did not know ... R.I.P. Geri
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Tutorials All times are GMT - 6 Hours
Goto page Previous  1, 2, 3, 4, 5, 6, 7
Page 7 of 7

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites