Cheat Engine The Official Site of Cheat Engine
magellenproject Advanced Cheater Reputation: 0
Joined: 23 Nov 2011 Posts: 59
Posted: Wed Apr 26, 2017 9:26 am Post subject: Lost_lost_lost....lost Help
I was trying to find out a way to get the door combinations of System Shock 2 (GOG Edition) to print to the screen, or at the very most figure out a way to bypass needing them entirely. I'm talking about the doors that you open by finding the right door combination in the PDAs that are scattered around the level(s). The first thing I tried was to look for the (wrong) door combination in the memory of the game, by entering a random number and searching for it, but I couldn't find which assembly code in memory checks the RANDOM number I entered against the RIGHT door combination. I also wouldn't know how to work out something like that from trial and error.
I think I am beginning to realise that working things out like that from trial and error won't teach me anything at all.
{{I am trying to remember the steps (the best I can) I made to get to the stage where I found the instruction "00D1C8B0 - 8B 4E 0C - mov ecx,[esi+0C]" and ran a "Find out what addresses this instruction accesses". I might be misremembering some parts of this, bear with me}}
In the end I looked up the door combination code online for the Sub-Armory door in the 2nd level of System Shock.
I searched for the door combination 98383 in Cheat Engine with writable+non-writable and executable+non-executable selected, before I entered the door combination in the game, and I had one result: a non-static address, 0F198AB4.
Then I entered the door combination. This time two results came up. I got the same non-static address which came up in my previous search, and another one which had the static address SS2.exe+638AC0.
I ran a "Find out what writes to here" on both these addresses. Then I reloaded the save while the debugger was still attached.
The static address's value zeroes after I have reloaded the game, but the non-static address's value is still the same after I reload from the save.
I got "The following opcodes accessed 0F198AB4":
00D1C8A6 - 83 C3 0C - add ebx,0C
00D1C8A9 - 8D A4 24 00000000 - lea esp,[esp+00000000]
00D1C8B0 - 8B 4E 0C - mov ecx,[esi+0C] <<
00D1C8B3 - 8B 03 - mov eax,[ebx]
00D1C8B5 - 8B 50 14 - mov edx,[eax+14]
EAX=00D1C890
EBX=0073CFBC
ECX=0001804F
EDX=00F84EAC
ESI=0F198AA8
EDI=00000000
ESP=0026EB50
EBP=0026EB64
EIP=00D1C8B3
The last time I ran a "Find out what opcode accesses that address" I got:
Something with "mov ecx,[esi+0C]"; I forgot to note it down...
Damn it. I thought it would be the same as the below, only "mov ecx,[esi+0C]" would take the place of "mov eax,[eax+0C]". I kind of thought the game would purposely use different registers for the same purpose as the registers before them. Like I may have mentioned, I was trying to plan this post in WordPad FIRST
(writing the steps down in WordPad AS I DO THEM, what could go wrong...)
before I posted, but the F***ing game had other ideas and decided to shuffle the values in the F***** RAM as I wrote down what I did, like a deck of cards, just to piss me off.
(The game moves a &£$^ton of things around memory so much, so quickly, upon each reload from each save. It's kinda stressful, and difficult for someone like me.)
Here is the whole function that contains the instruction "mov ecx,[ecx+0C]". This function gives me the address containing the value of the door I am trying to open, if I run "Find out what addresses this instruction accesses":
It didn't pop up at all from my last endeavour.
SS2.exe+FC850 - 55 - push ebp
SS2.exe+FC851 - 8B EC - mov ebp,esp
SS2.exe+FC853 - 83 E4 F8 - and esp,-08 { 248 }
SS2.exe+FC856 - 8B 45 08 - mov eax,[ebp+08]
SS2.exe+FC859 - 8B 48 18 - mov ecx,[eax+18]
SS2.exe+FC85C - 85 C9 - test ecx,ecx
SS2.exe+FC85E - 74 27 - je SS2.exe+FC887
SS2.exe+FC860 - 8B 01 - mov eax,[ecx]
SS2.exe+FC862 - 8B 55 0C - mov edx,[ebp+0C] <-- I right-click "Find out what addresses this code changes", and then put the WRONG code in the door code lock, then the right code comes up in the "addresses accessed" list.
SS2.exe+FC865 - 39 51 08 - cmp [ecx+08],edx
SS2.exe+FC868 - 74 0A - je SS2.exe+FC874
SS2.exe+FC86A - 8B C8 - mov ecx,eax
SS2.exe+FC86C - 85 C0 - test eax,eax
SS2.exe+FC86E - 74 17 - je SS2.exe+FC887
SS2.exe+FC870 - 8B 00 - mov eax,[eax]
SS2.exe+FC872 - EB F1 - jmp SS2.exe+FC865
SS2.exe+FC874 - 8B 49 0C - mov ecx,[ecx+0C]
SS2.exe+FC877 - 8B 55 10 - mov edx,[ebp+10]
SS2.exe+FC87A - 89 0A - mov [edx],ecx
SS2.exe+FC87C - B8 01000000 - mov eax,00000001 { 1 }
SS2.exe+FC881 - 8B E5 - mov esp,ebp
SS2.exe+FC883 - 5D - pop ebp
SS2.exe+FC884 - C2 0C00 - ret 000C { 12 }
This is HAAAAARDDDDD!
Anyway... So now the static address (SS2.exe+638AC0) has got a 6 in it, because I suppose it got bored having whatever value was in there previously or something, and needed a change....
At some point I worked out that at some point in the game (eax+24) temporarily has the value of the door code. This was when the opcode "mov ecx,[esi+0C]" was "mov ecx,[ecx+0C]", or the debugger decided to focus on some other random thing. Could my debugger pick out random opcodes each time I run a "find out what accesses this address"?
If I run a "find out what addresses "mov ecx,[esi+0C]" accesses" each time I want the door code, then there must be a better way surely??
I am so lost guys.
This is all taxing me to my limit.
magellenproject Advanced Cheater Reputation: 0
Joined: 23 Nov 2011 Posts: 59
Posted: Sun Apr 30, 2017 6:35 am Post subject: ????
Yes, "JUST USE THE SEARCH FUNCTION!" you're thinking... *Sigh*
I don't know what keywords to put in the search function of this site to find the information I need, because I do not understand the CE concepts enough to describe the CE problem in words.
I don't know what language to use, because the concepts are meaningless to me.
And as I am an artist I might not know what language to use anyway.
ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
Posted: Sun Apr 30, 2017 8:37 am Post subject:
That's not the full subroutine since there's two conditional branches to the instruction after ret 000C, but you got the important part.
That subroutine seems to be iterating over a linked list (contained in 1st parameter) looking for some data that's equal to the second parameter (the correct door code as you stated). If it finds something in the list, the code moves some data around (3rd parameter) and returns true. Otherwise (i.e. it reached the end of the list), I'd guess it returns false and might do some other stuff, but that's the code after the ret.
Modify that code however you want. Even though that code is in a module, I'd still recommend using an AoB scan to find it.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
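ParkourPenguin's reading of the listing in the first post, written out as C so the linked-list walk, the three stack parameters and the two exit paths are visible. This is an added example, not code from the thread or from the game: the struct names and field layout are assumptions inferred from the offsets the listing uses (+0, +8, +0C, +18), and the sample list is constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Node layout inferred from the listing (an assumption; names are invented):
 *   mov eax,[ecx] -> next at +0;  cmp [ecx+08],edx -> code at +8;
 *   mov ecx,[ecx+0C] -> data at +0C.  Offsets hold for the 32-bit game;
 *   a 64-bit host build keeps the field order and logic, not the numbers. */
struct node {
    struct node *next;   /* +0x00 */
    uint32_t     unused; /* +0x04, not touched by this subroutine */
    uint32_t     code;   /* +0x08, compared with the entered code */
    uint32_t     data;   /* +0x0C, copied to *param3 when found */
};
/* Param 1 ([ebp+08]) points at an object whose list head is at +0x18. */
struct owner {
    uint8_t      unknown[0x18];
    struct node *head;   /* mov ecx,[eax+18] */
};

/* After "push ebp / mov ebp,esp" the three stdcall args (ret 000C = 12 bytes)
 * sit at [ebp+08] = owner, [ebp+0C] = code entered, [ebp+10] = result pointer.
 * Returns 1 (mov eax,00000001) on a match; the code past the ret at
 * SS2.exe+FC887 is not in the listing, so returning 0 there is the reply's guess. */
int find_code(const struct owner *o, uint32_t wanted, uint32_t *out)
{
    const struct node *n = o->head;      /* mov ecx,[eax+18] */
    while (n != NULL) {                  /* test ecx,ecx / je SS2.exe+FC887 */
        if (n->code == wanted) {         /* cmp [ecx+08],edx / je SS2.exe+FC874 */
            *out = n->data;              /* mov ecx,[ecx+0C]; mov [edx],ecx */
            return 1;
        }
        n = n->next;                     /* mov ecx,eax; mov eax,[eax]; jmp */
    }
    return 0;
}

/* Constructed sample list, not game data; the middle node carries the
 * 98383 code from the first post. */
static struct node sample[3] = {
    { &sample[1], 0, 11111, 0x1111 },
    { &sample[2], 0, 98383, 0x2222 },
    { NULL,       0, 22222, 0x3333 },
};
static const struct owner sample_owner = { {0}, &sample[0] };

/* Returns the data field for a matching code, or 0 when nothing matches. */
uint32_t lookup_demo(uint32_t wanted)
{
    uint32_t out = 0;
    return find_code(&sample_owner, wanted, &out) ? out : 0;
}
```

Reading it this way also explains why "Find out what addresses this instruction accesses" on mov ecx,[ecx+0C] lands on the matching node: that instruction only executes after cmp [ecx+08],edx has found the entered code.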
magellenproject Advanced Cheater Reputation: 0
Joined: 23 Nov 2011 Posts: 59
Posted: Sun Apr 30, 2017 5:40 pm Post subject: Erm...
ParkourPenguin wrote: | That's not the full subroutine since there's two conditional branches to the instruction after ret 000C, but you got the important part.
That subroutine seems to be iterating over a linked list (contained in 1st parameter) looking for some data that's equal to the second parameter (the correct door code as you stated). If it finds something in the list, the code moves some data around (3rd parameter) and returns true. Otherwise (i.e. it reached the end of the list), I'd guess it returns false and might do some other stuff, but that's the code after the ret.
Modify that code however you want. Even though that code is in a module, I'd still recommend using an AoB scan to find it. |
Thank you. That was very detailed.
Now...
What does all that mean? I don't understand.
I will re-read it a few times though, I'm just not sure it will make sense yet...
But I am still grateful though.
magellenproject Advanced Cheater Reputation: 0
Joined: 23 Nov 2011 Posts: 59
Posted: Mon May 01, 2017 2:44 am Post subject: Hey?
ParkourPenguin wrote: | That's not the full subroutine since there's two conditional branches to the instruction after ret 000C, but you got the important part.
That subroutine seems to be iterating over a linked list (contained in 1st parameter) looking for some data that's equal to the second parameter (the correct door code as you stated). If it finds something in the list, the code moves some data around (3rd parameter) and returns true. Otherwise (i.e. it reached the end of the list), I'd guess it returns false and might do some other stuff, but that's the code after the ret.
Modify that code however you want. Even though that code is in a module, I'd still recommend using an AoB scan to find it. |
I couldn't see any code after the RET.
There is literally nothing there.
There is this quote from Red Dwarf, which I sense is about to yet again apply to these interactions...
Quote: | Rimmer: Kryten, you have a real gift. You make things that are really, really complicated sound really, really complicated. |
magellenproject Advanced Cheater Reputation: 0
Joined: 23 Nov 2011 Posts: 59
Posted: Tue May 02, 2017 7:05 am Post subject: PLEASE explain that jargon..
Quote: | That's not the full subroutine since there's two conditional branches to the instruction after ret 000C, but you got the important part.
That subroutine seems to be iterating over a linked list (contained in 1st parameter) looking for some data that's equal to the second parameter (the correct door code as you stated). If it finds something in the list, the code moves some data around (3rd parameter) and returns true. Otherwise (i.e. it reached the end of the list), I'd guess it returns false and might do some other stuff, but that's the code after the ret.
Modify that code however you want. Even though that code is in a module, I'd still recommend using an AoB scan to find it. |
I don't understand any of what that means. Could you please put that jargon in simple English.
• What's a conditional branch?
(That wasn't a rhetorical or "knowing question". It's not "delusion", I have no idea what you mean, I have no prior knowledge of this)
• What's a Linked List?
(That wasn't a rhetorical or "knowing question". It's not "delusion", I have no idea what you mean, I have no prior knowledge of this)
• What does it mean for something to be iterating over a linked list?
(That wasn't a rhetorical or "knowing question". It's not "delusion", I have no idea what you mean, I have no prior knowledge of this)
• Where are these "Parameters", and how are you able to ascertain what a parameter is from looking at ASM?
(That wasn't a rhetorical or "knowing question". It's not "delusion", I have no idea what you mean, I have no prior knowledge of this)
• I am unable to look, or know, what a parameter IS?
(That wasn't a rhetorical or "knowing question". It's not "delusion", I have no idea what you mean, I have no prior knowledge of this)
• How are you able to tell that the code is in a module?
(That wasn't a rhetorical or "knowing question". It's not "delusion", I have no idea what you mean, I have no prior knowledge of this)
• I wouldn't know where the "module" begins in that example?
(That wasn't a rhetorical or "knowing question". It's not "delusion", I have no idea what you mean, I have no prior knowledge of this)
• Quote: | I'd guess it returns false and might do some other stuff, |
How can you guess this?
ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
Posted: Tue May 02, 2017 8:39 am Post subject:
magellenproject wrote: | What's a conditional branch? | Branch (Wikipedia); Conditional (Merriam-Webster)
It's pretty much any jcc instruction in the code.
magellenproject wrote: | What's a Linked List? | Linked List (Wikipedia)
It's a data structure that contains a sequence of nodes. A node contains a pointer to the next node in the sequence, possibly a pointer to the previous node, and some arbitrary data.
magellenproject wrote: | Where are these "Parameters", and how are you able to ascertain what a parameter is from looking at ASM? | Parameter (Wikipedia); x86 Functions and Stack Frames (Wikibooks)
I would highly recommend you learn any higher-level programming language before you try to learn assembly.
magellenproject wrote: | I am unable to look, or know, what a parameter IS? | Set a breakpoint on an instruction and trigger it to see the values of registers and the data on the stack.
magellenproject wrote: | How are you able to tell that the code is in a module? | The code you posted says those instructions are inside the module SS2.exe.
magellenproject wrote: | I wouldn't know where the "module" begins in that example? | The module begins at the address the OS loads it at. You don't have to worry about where exactly a module is because CE does all that work for you.
magellenproject wrote: | Quote: | I'd guess it returns false and might do some other stuff, | How can you guess this? | If the code finds something, it does stuff and returns true (i.e. mov eax,00000001). If it doesn't find anything, common sense would say it probably does other stuff and returns false.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
magellenproject Advanced Cheater Reputation: 0
Joined: 23 Nov 2011 Posts: 59
Posted: Tue May 02, 2017 5:36 pm Post subject: and_then_more_elaboration_needed....
Quote: | magellenproject wrote: What's a conditional branch?
Branch (Wikipedia); Conditional (Merriam-Webster)
It's pretty much any jcc instruction in the code. |
So, in simple terms...
The things that conditional jumps, calls, and regular jumps make.
Quote: | magellenproject wrote: What's a Linked List?
Linked List (Wikipedia)
It's a data structure that contains a sequence of nodes. A node contains a pointer to the next node in the sequence, possibly a pointer to the previous node, and some arbitrary data. |
....what's a node?
Quote: | magellenproject wrote: Where are these "Parameters", and how are you able to ascertain what a parameter is from looking at ASM?
Parameter (Wikipedia); x86 Functions and Stack Frames (Wikibooks)
I would highly recommend you learn any higher-level programming language before you try to learn assembly. |
THANK YOU for the heads-up.
Quote: | magellenproject wrote: I am unable to look, or know, what a parameter IS?
Set a breakpoint on an instruction and trigger it to see the values of registers and the data on the stack. |
..........Whenever I try and do that, the back-plate of my tower ejects from the back of my PC from the strain on my system's CPU, or system, and runs around the room screaming "BIG FLAMING B***OCKS!!!"
*EDIT*
Jokes aside, I'm being serious, my comp can't handle breakpoints I don't think, my comp just hangs.
Quote: | magellenproject wrote: How are you able to tell that the code is in a module?
The code you posted says those instructions are inside the module SS2.exe. |
So that's what a module is, right.....
Quote: | magellenproject wrote: Quote: | I'd guess it returns false and might do some other stuff, | How can you guess this?
If the code finds something, it does stuff and returns true (i.e. mov eax,00000001). If it doesn't find anything, common sense would say it probably does other stuff and returns false. |
Thank you, ParkourPenguin.
magellenproject Advanced Cheater Reputation: 0
Joined: 23 Nov 2011 Posts: 59
Posted: Wed May 03, 2017 10:09 am Post subject: Thanks ParkourPenguin.
I have a fairly good idea what the core opcodes mean. I did the first 2-3 "learn assembly" tutorials on Tutorials Point.