Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Lost_lost_lost....lost Help

magellenproject
Advanced Cheater
Reputation: 0

Joined: 23 Nov 2011
Posts: 59

Posted: Wed Apr 26, 2017 9:26 am    Post subject: Lost_lost_lost....lost Help

I was trying to find a way to get the door combinations of System Shock 2 (GOG Edition) to print to the screen, or at the very most figure out a way to bypass needing them entirely. I'm talking about the doors that you open by finding the right door combination in the PDAs that are scattered around the level(s). The first thing I tried was to look for the (wrong) door combination in the memory of the game, by entering a random number and searching for it, but I couldn't find which assembly code in memory checks the RANDOM number I entered against the RIGHT door combination. I also wouldn't know how to work out something like that from trial and error.
I think I am beginning to realise that working things out like that from trial and error won't teach me anything at all.
{{I am trying to remember the steps (as best I can) I took to get to the stage where I found the instruction "00D1C8B0 - 8B 4E 0C - mov ecx,[esi+0C]" and ran a "Find out what addresses this instruction accesses". I might be misremembering some parts of this; bear with me.}}
In the end I looked up the door combination code online for the Sub-Armory door in the 2nd level of System Shock.
I searched for the door combination 98383 in Cheat Engine using writable+non-writable SQUARE_MODE and executable+non-executable SQUARE_MODE, before I entered the door combination in the game, and I had one result: a non-static address, "0F198AB4".
Then I entered the door combination. This time two results came up. I got the same non-static address which came up in my previous search, and another one which had the static address "SS2.exe+638AC0".
I ran a "Find out what writes to here" on both these addresses. Then I reloaded the save while the debugger was still attached.
The static address's value zeroes after I have reloaded the game, but the non-static address's value is still the same after I reload from the save.
I got "The following opcodes accessed 0F198AB4":
00D1C8A6 - 83 C3 0C - add ebx,0C
00D1C8A9 - 8D A4 24 00000000 - lea esp,[esp+00000000]
00D1C8B0 - 8B 4E 0C - mov ecx,[esi+0C] <<
00D1C8B3 - 8B 03 - mov eax,[ebx]
00D1C8B5 - 8B 50 14 - mov edx,[eax+14]

EAX=00D1C890
EBX=0073CFBC
ECX=0001804F
EDX=00F84EAC
ESI=0F198AA8
EDI=00000000
ESP=0026EB50
EBP=0026EB64
EIP=00D1C8B3
The last time I ran a "Find out what opcode accesses that address" I got:

Something with "mov ecx,[esi+0C]"; I forgot to note it down...
Damn it. I thought it would be the same as the below, only "mov ecx,[esi+0C]" would take the place of "mov eax,[eax+0C]". I kind of thought the game would purposely use different registers for the same purpose as the registers before them. Like I may have mentioned, I was trying to plan this post in WordPad FIRST

(Writing the steps down in WordPad AS I DO THEM, what could go wrong...)
before I posted, but the f***ing game had other ideas and decided to shuffle the values in the f***** RAM as I wrote down what I did, like a deck of cards, just to piss me off.

(The game moves a &£$^ton of things around memory so much, so quickly, upon each reload from each save. It's kind of stressful, and difficult for someone like me.)




Here is the whole function that contains the instruction "mov ecx,[ecx+0C]". This function gives me the address containing the value of the door I am trying to open if I run "Find out what addresses this instruction accesses":
It didn't pop up at all from my last endeavour.

SS2.exe+FC850 - 55 - push ebp
SS2.exe+FC851 - 8B EC - mov ebp,esp
SS2.exe+FC853 - 83 E4 F8 - and esp,-08 { 248 }
SS2.exe+FC856 - 8B 45 08 - mov eax,[ebp+08]
SS2.exe+FC859 - 8B 48 18 - mov ecx,[eax+18]
SS2.exe+FC85C - 85 C9 - test ecx,ecx
SS2.exe+FC85E - 74 27 - je SS2.exe+FC887
SS2.exe+FC860 - 8B 01 - mov eax,[ecx]
SS2.exe+FC862 - 8B 55 0C - mov edx,[ebp+0C] <--I right-click "find out what addresses this code changes", and then put the WRONG code in the door code lock, then the right code comes up in the "adresses accessed" list.
SS2.exe+FC865 - 39 51 08 - cmp [ecx+08],edx
SS2.exe+FC868 - 74 0A - je SS2.exe+FC874
SS2.exe+FC86A - 8B C8 - mov ecx,eax
SS2.exe+FC86C - 85 C0 - test eax,eax
SS2.exe+FC86E - 74 17 - je SS2.exe+FC887
SS2.exe+FC870 - 8B 00 - mov eax,[eax]
SS2.exe+FC872 - EB F1 - jmp SS2.exe+FC865
SS2.exe+FC874 - 8B 49 0C - mov ecx,[ecx+0C]
SS2.exe+FC877 - 8B 55 10 - mov edx,[ebp+10]
SS2.exe+FC87A - 89 0A - mov [edx],ecx
SS2.exe+FC87C - B8 01000000 - mov eax,00000001 { 1 }
SS2.exe+FC881 - 8B E5 - mov esp,ebp
SS2.exe+FC883 - 5D - pop ebp
SS2.exe+FC884 - C2 0C00 - ret 000C { 12 }


This is HAAAAARDDDDD!

Anyway... So now the static address (SS2.exe+638AC0) has got a 6 in it, because I suppose it got bored having whatever value was in there previously or something, and needed a change...

At some point I worked out that at some point in the game (eax+24) temporarily has the value of the door code. This was when the opcode "mov ecx,[esi+0C]" was "mov ecx,[ecx+0C]", or the debugger decided to focus on some other random thing. Could my debugger pick out random opcodes each time I run a "find out what accesses this address"?
If I have to run a "find out what addresses "mov ecx,[esi+0C]" accesses" each time I want the door code, then there must be a better way, surely??
I am so lost guys.
This is all taxing me to my limit.
magellenproject
Advanced Cheater
Reputation: 0

Joined: 23 Nov 2011
Posts: 59

Posted: Sun Apr 30, 2017 6:35 am    Post subject: ????

Yes, "JUST USE THE SEARCH FUNCTION!" you're thinking... *Sigh*

I don't know what keywords to put in the search function of this site to find the information I need, because I do not understand the CE concepts enough to describe the CE problem in words.

I don't know what language to use, because the concepts are meaningless to me.

And as I am an Artist I might not know what language to use anyway.
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Sun Apr 30, 2017 8:37 am

That's not the full subroutine since there are two conditional branches to the instruction after ret 000C, but you got the important part.

That subroutine seems to be iterating over a linked list (contained in 1st parameter) looking for some data that's equal to the second parameter (the correct door code as you stated). If it finds something in the list, the code moves some data around (3rd parameter) and returns true. Otherwise (i.e. it reached the end of the list), I'd guess it returns false and might do some other stuff, but that's the code after the ret.

Modify that code however you want. Even though that code is in a module, I'd still recommend using an AoB scan to find it.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
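The subroutine ParkourPenguin describes, written out as plain C so the linked-list walk and the three stack parameters are visible. This is an added reconstruction from the listing in the first post, not code from the game or from either poster; the struct and field names and the sample list are assumptions, and the value returned on the not-found path is only the thread's guess, since that code is not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Node layout inferred from the offsets the listing touches:
 *   [node+00] next pointer   (mov eax,[ecx])
 *   [node+08] compared key   (cmp [ecx+08],edx)
 *   [node+0C] result value   (mov ecx,[ecx+0C])
 * The field at +04 is never read here, so its meaning is unknown. */
typedef struct node {
    struct node *next;
    uint32_t     unknown04;
    uint32_t     key;
    uint32_t     value;
} node;

/* First parameter: the routine only reads the list head at +18
 * (mov ecx,[eax+18]); everything before it is opaque padding here. */
typedef struct owner {
    uint8_t pad[0x18];
    node   *head;
} owner;

/* C equivalent of SS2.exe+FC850 (stdcall, three stack arguments, ret 0C).
 * Walks the list from owner->head; on the first node whose key equals
 * `key`, stores that node's value into *out and returns 1 (mov eax,1).
 * Both "je SS2.exe+FC887" exits land past the ret; the thread guesses
 * that path returns false, so 0 is used here for it (an assumption). */
int find_in_list(const owner *o, uint32_t key, uint32_t *out)
{
    const node *cur = o->head;          /* mov ecx,[eax+18]            */
    if (cur == NULL)                    /* test ecx,ecx / je FC887     */
        return 0;
    for (;;) {                          /* loop head at FC865          */
        if (cur->key == key) {          /* cmp [ecx+08],edx / je FC874 */
            *out = cur->value;          /* mov ecx,[ecx+0C]; mov [edx],ecx */
            return 1;
        }
        cur = cur->next;                /* mov ecx,eax                 */
        if (cur == NULL)                /* test eax,eax / je FC887     */
            return 0;                   /* jmp FC865 otherwise         */
    }
}

/* Constructed sample list: keys/values are made up for the demo,
 * except 98383 (0x1804F), the door code quoted in the thread. */
static node n3 = { NULL, 0, 0x2AF8, 7 };
static node n2 = { &n3,  0, 98383,  5 };
static node n1 = { &n2,  0, 0x0B2C, 3 };
static owner sample = { { 0 }, &n1 };

int main(void)
{
    uint32_t v = 0;
    int hit = find_in_list(&sample, 98383, &v);
    printf("key 98383: found=%d value=%u\n", hit, v);
    printf("key 1234: found=%d\n", find_in_list(&sample, 1234, &v));
    return 0;
}
```

Setting a breakpoint on SS2.exe+FC862 and reading [ebp+0C] is the same thing as reading `key` here, which is why the thread suggests copying it from that instruction.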
magellenproject
Advanced Cheater
Reputation: 0

Joined: 23 Nov 2011
Posts: 59

Posted: Sun Apr 30, 2017 5:40 pm    Post subject: Erm...

ParkourPenguin wrote:
That's not the full subroutine since there's two conditional branches to the instruction after ret 000C, but you got the important part.

That subroutine seems to be iterating over a linked list (contained in 1st parameter) looking for some data that's equal to the second parameter (the correct door code as you stated). If it finds something in the list, the code moves some data around (3rd parameter) and returns true. Otherwise (i.e. it reached the end of the list), I'd guess it returns false and might do some other stuff, but that's the code after the ret.

Modify that code however you want. Even though that code is in a module, I'd still recommend using an AoB scan to find it.


Thank you. That was very detailed.

Now...
What does all that mean? I don't understand.
I will re-read it a few times though, I'm just not sure it will make sense yet...

But I am still grateful though.
magellenproject
Advanced Cheater
Reputation: 0

Joined: 23 Nov 2011
Posts: 59

Posted: Mon May 01, 2017 2:44 am    Post subject: Hey?

ParkourPenguin wrote:
That's not the full subroutine since there's two conditional branches to the instruction after ret 000C, but you got the important part.

That subroutine seems to be iterating over a linked list (contained in 1st parameter) looking for some data that's equal to the second parameter (the correct door code as you stated). If it finds something in the list, the code moves some data around (3rd parameter) and returns true. Otherwise (i.e. it reached the end of the list), I'd guess it returns false and might do some other stuff, but that's the code after the ret.

Modify that code however you want. Even though that code is in a module, I'd still recommend using an AoB scan to find it.


I couldn't see any code after the RET.
There is literally nothing there.

There is this quote from Red Dwarf, which I sense is about to yet again apply to these interactions...

Quote:
Rimmer: Kryten, you have a real gift. You make things that are really, really complicated sound really, really complicated.
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Mon May 01, 2017 8:28 am

magellenproject wrote:
I couldn't see any code after the RET.
There is literally nothing there.

You aren't looking at the correct window. Open up the memory viewer by clicking on the button that says "Memory view" in the main CE window. Then, right click the disassembler (top half of the memory viewer) and select "Go to address". Put the address SS2.exe+FC887 into the editbox and select "OK". That is the code after the return.

As I said before, I don't think there's anything too important there. If you want the valid door combination, create a code injection at SS2.exe+FC862 and copy it to a registered symbol. See the "injection copies" section of this topic for a basic overview.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
magellenproject
Advanced Cheater
Reputation: 0

Joined: 23 Nov 2011
Posts: 59

Posted: Tue May 02, 2017 7:05 am    Post subject: PLEASE explain that jargon..

Quote:
That's not the full subroutine since there's two conditional branches to the instruction after ret 000C, but you got the important part.

That subroutine seems to be iterating over a linked list (contained in 1st parameter) looking for some data that's equal to the second parameter (the correct door code as you stated). If it finds something in the list, the code moves some data around (3rd parameter) and returns true. Otherwise (i.e. it reached the end of the list), I'd guess it returns false and might do some other stuff, but that's the code after the ret.

Modify that code however you want. Even though that code is in a module, I'd still recommend using an AoB scan to find it.


I don't understand any of what that means. Could you please put that jargon in simple English.

• What's a conditional branch?

(That wasn't a rhetorical or "knowing" question. It's not "delusion"; I have no idea what you mean, I have no prior knowledge of this.)

• What's a Linked List?

(That wasn't a rhetorical or "knowing" question. It's not "delusion"; I have no idea what you mean, I have no prior knowledge of this.)

• What does it mean for something to be iterating over a linked list?

(That wasn't a rhetorical or "knowing" question. It's not "delusion"; I have no idea what you mean, I have no prior knowledge of this.)

• Where are these "Parameters", and how are you able to ascertain what a parameter is from looking at ASM?

(That wasn't a rhetorical or "knowing" question. It's not "delusion"; I have no idea what you mean, I have no prior knowledge of this.)

• I am unable to look, or know, what a parameter IS?

(That wasn't a rhetorical or "knowing" question. It's not "delusion"; I have no idea what you mean, I have no prior knowledge of this.)

• How are you able to tell that the code is in a module?

(That wasn't a rhetorical or "knowing" question. It's not "delusion"; I have no idea what you mean, I have no prior knowledge of this.)

• I wouldn't know where the "module" begins in that example?

(That wasn't a rhetorical or "knowing" question. It's not "delusion"; I have no idea what you mean, I have no prior knowledge of this.)

Quote:
I'd guess it returns false and might do some other stuff,


How can you guess this?
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Tue May 02, 2017 8:39 am

magellenproject wrote:
What's a conditional branch?
Branch (Wikipedia); Conditional (Merriam-Webster)
It's pretty much any jcc instruction in the code.
magellenproject wrote:
What's a Linked List?
Linked List (Wikipedia)
It's a data structure that contains a sequence of nodes. A node contains a pointer to the next node in the sequence, possibly a pointer to the previous node, and some arbitrary data.
magellenproject wrote:
Where are these "Parameters", and how are you able to ascertain what a parameter is from looking at ASM?
Parameter (Wikipedia); x86 Functions and Stack Frames (Wikibooks)
I would highly recommend you learn any higher-level programming language before you try to learn assembly.
magellenproject wrote:
I am unable to look, or know, what a parameter IS?
Set a breakpoint on an instruction and trigger it to see the values of registers and the data on the stack.
magellenproject wrote:
How are you able to tell that the code is in a module?
The code you posted says those instructions are inside the module SS2.exe.
magellenproject wrote:
I wouldn't know where the "module" begins in that example?
The module begins at the address the OS loads it at. You don't have to worry about where exactly a module is because CE does all that work for you.
magellenproject wrote:
Quote:
I'd guess it returns false and might do some other stuff,
How can you guess this?
If the code finds something, it does stuff and returns true (i.e. mov eax,00000001). If it doesn't find anything, common sense would say it probably does other stuff and returns false.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
magellenproject
Advanced Cheater
Reputation: 0

Joined: 23 Nov 2011
Posts: 59

Posted: Tue May 02, 2017 5:36 pm    Post subject: and_then_more_elaboration_needed....

Quote:
magellenproject wrote:
What's a conditional branch?
Branch (Wikipedia); Conditional (Merriam-Webster)
It's pretty much any jcc instruction in the code.

So, in simple terms...
The things that conditional jumps, calls, and regular jumps make.
Quote:
magellenproject wrote:
What's a Linked List?
Linked List (Wikipedia)
It's a data structure that contains a sequence of nodes. A node contains a pointer to the next node in the sequence, possibly a pointer to the previous node, and some arbitrary data.

....what's a node?
Quote:
magellenproject wrote:
Where are these "Parameters", and how are you able to ascertain what a parameter is from looking at ASM?
Parameter (Wikipedia); x86 Functions and Stack Frames (Wikibooks)
I would highly recommend you learn any higher-level programming language before you try to learn assembly.

THANK YOU for the heads-up.
Quote:
magellenproject wrote:
I am unable to look, or know, what a parameter IS?
Set a breakpoint on an instruction and trigger it to see the values of registers and the data on the stack.

..........Whenever I try and do that, the back-plate of my tower ejects from the back of my PC from the strain on my system's CPU, or system, and runs around the room screaming "BIG FLAMING B***OCKS!!!"
*EDIT*
Jokes aside, I'm being serious: my comp can't handle breakpoints, I don't think; my comp just hangs.
Quote:
magellenproject wrote:
How are you able to tell that the code is in a module?
The code you posted says those instructions are inside the module SS2.exe.

So that's what a module is, right.....
Quote:
magellenproject wrote:
Quote:
I'd guess it returns false and might do some other stuff,
How can you guess this?
If the code finds something, it does stuff and returns true (i.e. mov eax,00000001). If it doesn't find anything, common sense would say it probably does other stuff and returns false.

Thank you, ParkourPenguin.
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Tue May 02, 2017 5:53 pm

magellenproject wrote:
what's a node?
Node (Wikipedia)
It's basically the abstract idea of a thing.

magellenproject wrote:
..........Whenever I try and do that, the back-plate of my tower ejects from the back of my PC from the strain on my system's CPU, or system, and runs around the room screaming "BIG FLAMING B***OCKS!!!"
*EDIT*
Jokes aside, I'm being serious: my comp can't handle breakpoints, I don't think; my comp just hangs.

If the game stops responding after you set a breakpoint, then the breakpoint probably got triggered. This stops what the game is doing and lets you view the current state of the program.


You should really take this slowly and figure out what it is you want to do. If you don't know anything about assembly, doing stuff randomly isn't going to accomplish anything useful the vast majority of the time. Try changing jcc instructions to either jmp instructions or NOPs and see what happens.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
magellenproject
Advanced Cheater
Reputation: 0

Joined: 23 Nov 2011
Posts: 59

Posted: Wed May 03, 2017 10:09 am    Post subject: Thanks ParkourPenguin.

I have a fairly good idea what the core opcodes mean. I did the first 2-3 learn-assembly tutorials on Tutorials Point.