Cheat Engine

cannonfodderex · Posted: Wed Apr 05, 2017 10:09 am Post subject: Strange behavior in disassembler

I found disassembler of CE showing complete different code when viewing the same address block.
This happens when I try to modify Sovereignty - Crown of Kings.
The game seems to be written with .net framework, but doesn't look like unity.

I searched and found unit hp, then with "find out what writes to this address", got a code that writes the hp, the line with ** is the code:

**0066A0C0 - 89 51 08 - mov [ecx+08],edx
0066A0C3 - 8B 49 04 - mov ecx,[ecx+04]
0066A0C6 - 85 C9 - test ecx,ecx
0066A0C8 - 74 08 - je 0066A0D2
0066A0CA - 8B 41 0C - mov eax,[ecx+0C]
0066A0CD - 8B 49 04 - mov ecx,[ecx+04]
0066A0D0 - FF D0 - call eax
0066A0D2 - C3 - ret

Then I used "find out what addresses this code writes to", got lots of unit hp addresses, so the code is probably right.

But when I scroll one line up in disassembler, all codes changed to:

0066A0BF - 00 89 51088B49 - add [ecx+498B0851],cl
0066A0C5 - 04 85 - add al,-7B { 133 }
0066A0C7 - C9 - leave
0066A0C8 - 74 08 - je 0066A0D2
0066A0CA - 8B 41 0C - mov eax,[ecx+0C]
0066A0CD - 8B 49 04 - mov ecx,[ecx+04]
0066A0D0 - FF D0 - call eax
0066A0D2 - C3 - ret

And one more line up, it becomes:

0066A0BE - 67 00 89 - add 0066A0BEcl
0066A0C1 - 51 - push ecx
0066A0C2 - 08 8B 490485C9 - or [ebx-367AFBB7],cl
0066A0C8 - 74 08 - je 0066A0D2
0066A0CA - 8B 41 0C - mov eax,[ecx+0C]
0066A0CD - 8B 49 04 - mov ecx,[ecx+04]
0066A0D0 - FF D0 - call eax
0066A0D2 - C3 - ret

No matter how I scroll back or forth, disassembler won't give the right code. The only thing I can do is close the disassembler and reopen it with "open ths disassembler at this location" from advanced options code list or "go to address" and input 0066A0C0.

Is it a bug? What can I do to view the codes before the right code?

CE version: 6.6

Dark Byte · Posted: Wed Apr 05, 2017 11:07 am Post subject:

use the left-right arrows to scroll by 1 byte instead of letting ce guess

cannonfodderex · Posted: Wed Apr 05, 2017 9:28 pm Post subject:

Do you mean arrow keys on the keyboard?
I tried all 4 of them ,the scroll bar and "select funtion", disassembler always change the code.

Dark Byte · Posted: Thu Apr 06, 2017 1:56 am Post subject:

yes, on the keyboard. just press left until it looks good

cannonfodderex · Posted: Thu Apr 06, 2017 7:41 am Post subject:

Unfortunately, the codes change as soon as I press left, and never change back.
The codes is right only when the address of the right code is the first line in disassembler.

Dark Byte · Posted: Thu Apr 06, 2017 7:47 am Post subject:

then that means there is no earlier instruction

Viloresi · Posted: Thu Apr 06, 2017 7:52 am Post subject: