Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Operand and pointer problem

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Tutorials -> Auto Assembler tutorials
View previous topic :: View next topic  
Author Message
pusheax
How do I cheat?
Reputation: 0

Joined: 26 Jan 2016
Posts: 5
Location: Philippines

PostPosted: Tue Jan 26, 2016 7:31 pm    Post subject: Operand and pointer problem Reply with quote

So I'm dealing with this Operand mov [esi+01],edx that gets called at least a thousand times each second to modify different addresses (from interface to in-game resource values, etc). My problem is that it is the only Opcode that gets called to modify my HP.

I've already found the pointer and the offset in my Player structure which means myCode does a cmp so I know it only carries on with the cheat when accessing my own HP so that it does not affect other things in the game.

My bigger problem is that since this opcode is so multi-purpose (almost like those found in some console emulators), the struct keeps changing and doing a cmp with an invalid pointer from random other type of structs causes my game to CTD.

I have already tried

cmp [pointer+offset],0
je _Backtogame

and even doing a

or eax,eax
jz _Backtogame

to no avail. it just keeps crashing when doing the cmp. Here is the code I've been trying to get to work but keeps crashing as soon as I do the cmp:

Code:

_GodMode2:
 push eax

 mov eax,[esi+1A]       
 mov eax,[eax+08]
 or eax,eax
 jz _ExitGM2

 cmp word ptr [eax],1    //My Own HP?
 jne _ExitGM2               //Jump if false

 mov edx,[esi+01]       //Keep my HP as it was

_ExitGM2:
 pop eax
 mov [esi+01],edx         //original code
 mov byte ptr [ebx],00    //original code
 jmp _BackGM2             //back to game

_________________
Stars are holes in the sky from which the light of the infinite shines. ~Confucius
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 137

Joined: 06 Jul 2014
Posts: 4250

PostPosted: Tue Jan 26, 2016 7:59 pm    Post subject: Reply with quote

First of all, mov [esi+01],edx is neither an operand nor an opcode- it's called an instruction.

If "the pointer" is in your player's structure and you try to dereference that pointer, then of course it'll probably crash since not every structure is the same as the one your health is in.

You could also hook an instruction that accesses the address of your health instead. Or hook any instruction that accesses anything else in the same structure as your health. Or find a pointer to your health or anything else in the same structure (doesn't have to be a static pointer) and hook some instruction that accesses the address of that pointer. You should have plenty of instructions to chose from; nevertheless, if it absolutely must be run whenever your health is written to, then you might be able to hook an instruction around the instruction mov [esi+01],edx much easier (i.e. backtracing it to a calling procedure might help).

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
pusheax
How do I cheat?
Reputation: 0

Joined: 26 Jan 2016
Posts: 5
Location: Philippines

PostPosted: Tue Jan 26, 2016 8:20 pm    Post subject: Reply with quote

ParkourPenguin wrote:
First of all, mov [esi+01],edx is neither an operand nor an opcode- it's called an instruction.

If "the pointer" is in your player's structure and you try to dereference that pointer, then of course it'll probably crash since not every structure is the same as the one your health is in.

You could also hook an instruction that accesses the address of your health instead. Or hook any instruction that accesses anything else in the same structure as your health. Or find a pointer to your health or anything else in the same structure (doesn't have to be a static pointer) and hook some instruction that accesses the address of that pointer. You should have plenty of instructions to chose from; nevertheless, if it absolutely must be run whenever your health is written to, then you might be able to hook an instruction around the instruction mov [esi+01],edx much easier (i.e. backtracing it to a calling procedure might help).


Thanks! You are right, it has to be whenever the health is written to since the game can decide to write zero and it would simply be over for my character. I'm very much new to this asm thingy reading tuts on here and was wondering if there is a tut for the backtracing to the calling procedure. Thanks again for the insight!

_________________
Stars are holes in the sky from which the light of the infinite shines. ~Confucius
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 137

Joined: 06 Jul 2014
Posts: 4250

PostPosted: Tue Jan 26, 2016 9:42 pm    Post subject: Reply with quote

I forgot about this- it's probably the easiest thing you could do to solve this problem, but there are a few quirks with it that are mentioned in that topic.

You might also be able to use Ultimap if you just want to prevent taking damage (tutorial). Find the function that's called when you take damage, and NOP it along with any arguments to it.

However, if you really want to try backtracing:
http://forum.cheatengine.org/viewtopic.php?t=530290

Backtracing is a very hard and time-consuming thing for a beginner to do, especially for this kind of an instruction that accesses many different addresses. As such, I would highly recommend against you attempting to backtrace this if it's your first time. Nevertheless, I'll explain the basics of what to do.

First of all, trace that instruction back several callers. The caller (or the subroutine that called that caller, or the one that called the one that called the caller, etc...) might only be run when the game is writing to your health. To test this, you'll have to get creative with your use of conditional breakpoints since that instruction is run so often with so many addresses. After that, look at the instructions leading up to mov [esi+01],edx and find out where it gets edx (and optionally esi) from. Trace it back to that call that's only run when your health gets written to. Then, hook an instruction that's used to calculate edx in that call, and do what you want from there.

Also, if this game is run on an emulator (e.g. desmume), then you probably shouldn't even attempt backtracing. That just complicates things beyond belief.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

PostPosted: Tue Jan 26, 2016 9:46 pm    Post subject: Reply with quote

Code:
mov [esi+01],edx


That is your originalcode? Seems odd.

Also...

Code:
 cmp word ptr [eax],1


You're comparing something from a different register? Is this your script?

Anyway, if absolutely all else fails, you can always use a pointer. And if you must write a script, you can use a pointer for your compare, also...but it's not recommended because pointers are less reliable.
Back to top
View user's profile Send private message
pusheax
How do I cheat?
Reputation: 0

Joined: 26 Jan 2016
Posts: 5
Location: Philippines

PostPosted: Tue Jan 26, 2016 10:19 pm    Post subject: Reply with quote

ParkourPenguin wrote:
I forgot about - it's probably the easiest thing you could do to solve this problem, but there are a few quirks with it that are mentioned in that topic.

You might also be able to use Ultimap if you just want to prevent taking damage (). Find the function that's called when you take damage, and NOP it along with any arguments to it.

However, if you really want to try backtracing:


Backtracing is a very hard and time-consuming thing for a beginner to do, especially for this kind of an instruction that accesses many different addresses. As such, I would highly recommend against you attempting to backtrace this if it's your first time. Nevertheless, I'll explain the basics of what to do.

First of all, trace that instruction back several callers. The caller (or the subroutine that called that caller, or the one that called the one that called the caller, etc...) might only be run when the game is writing to your health. To test this, you'll have to get creative with your use of conditional breakpoints since that instruction is run so often with so many addresses. After that, look at the instructions leading up to mov [esi+01],edx and find out where it gets edx (and optionally esi) from. Trace it back to that call that's only run when your health gets written to. Then, hook an instruction that's used to calculate edx in that call, and do what you want from there.

Also, if this game is run on an emulator (e.g. desmume), then you probably shouldn't even attempt backtracing. That just complicates things beyond belief.


Wow thanks! I would definitely look into the isbadreadptr/isbadwriteptr. I have never tried Ultimap though but from the sounds of it there is a chance that the nopping might force a ctd but I'll try that route as well. I think I will leave the backtracing for when I know more about asm coz my vocabulary of it ain't that good yet. Also, this is actually for some old game called X3: Terran Conflict 3.1. I know Recifence made an oustanding script for it, but it lacks a certain GodMode that I would like to have added as well.



++METHOS wrote:
Code:
mov [esi+01],edx


That is your originalcode? Seems odd.

Also...

Code:
 cmp word ptr [eax],1


You're comparing something from a different register? Is this your script?

Anyway, if absolutely all else fails, you can always use a pointer. And if you must write a script, you can use a pointer for your compare, also...but it's not recommended because pointers are less reliable.


Yep! I thought so as well when I first saw it, not the typical add or sub I usually see. It appears as if though the final values are processed somewhere else and this instruction just writes it.

I just thought it was easier if I'd use eax to temporarily store the pointer plus the offset with my attempts to test if it returns a valid pointer. I just saw it though.

_________________
Stars are holes in the sky from which the light of the infinite shines. ~Confucius
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 137

Joined: 06 Jul 2014
Posts: 4250

PostPosted: Tue Jan 26, 2016 10:48 pm    Post subject: Reply with quote

pusheax wrote:
I have never tried Ultimap though but from the sounds of it there is a chance that the nopping might force a ctd...

Actually, if the call is only run once when you take damage and you NOP everything properly, I can't think of any instances off the top of my head in which it would crash the game. I'd be more worried about DBVM causing a BSOD if I were you.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

PostPosted: Tue Jan 26, 2016 11:23 pm    Post subject: Reply with quote

pusheax wrote:
++METHOS wrote:
Code:
mov [esi+01],edx


That is your originalcode? Seems odd.


Yep! I thought so as well when I first saw it, not the typical add or sub I usually see.
-Not actually what I meant, but no worries. Mr. Green

pusheax wrote:
++METHOS wrote:
Code:
 cmp word ptr [eax],1


You're comparing something from a different register?
I just thought it was easier
-Okay...I see what you did. My mistake. Have you tried checking the registers to see if you can use anything there?

Anyway, change your script as shown below. Enable your script. When you enable your script, the instruction where you are injecting should show a jump. Right-click on it and select 'follow'. Right-click, as shown below, and check to see what addresses it accesses. If you see more than one, your filter is no good. If you see nothing, even after getting hit, your filter is no good. If it crashes after you enable, see what ParkourPenguin wrote.

Code:
_GodMode2:
push edi
mov edi,[esi+1A]       
mov edi,[edi+08]
cmp word ptr edi,1
pop edi
jne _ExitGM2

mov [esi+01],edx        //right-click here

_ExitGM2:
mov [esi+01],edx
mov byte ptr [ebx],00
jmp _BackGM2
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Tutorials -> Auto Assembler tutorials All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites