Cheat Engine - The Official Site of Cheat Engine
horsedeg (Cheater, Reputation: 0, Joined: 26 Jun 2017, Posts: 27)
Posted: Fri Aug 04, 2017 6:02 pm    Post subject: Find out what writes to this address, but in memory region?
Hard to explain. Basically, I'm trying to find a way to change my health in Skyrim, because simply searching for the floating point value and changing it isn't working. So I found two addresses that hold floating point values that are exactly my health. I just can't change them. So they simply must be copies or something. I did "Find out what writes to this address" and found this from the disassembler:
Code:
    mov eax,[esp+04]
    mov [esi+2C],eax
This line runs every single frame. It's taking the value from [esp+04] and copying it to [esi+2C] (which is the value/address I was looking at). So naturally, I look at the registers. ESP = 18FA54. So I add 18FA54+4 into my address list. I do Find out what writes to this address, but it's very clearly not going to help since there are so many things writing to this address many times every frame the game runs. I set a breakpoint on the line:
The game is frozen, and the value at 18FA54+4 is now 83.45405579 (which is my current health value).
So my problem now is that I want to see what writes to 18FA54+4 at that moment. The problem is just that I can't use the normal "Find out what writes to this address." Is there some tool in the debugger/memory viewer that allows me to see what changed the memory at that address when I reach a breakpoint?
Prehistoricman (Advanced Cheater, Reputation: 0, Joined: 02 Aug 2016, Posts: 80)
Posted: Fri Aug 04, 2017 8:05 pm
You'll want to find the subroutine that called the code you found. Esp is a 32-bit (the 'e') stack pointer (the 'sp'). The stack is what holds arguments and pointers to return calls. It looks a bit like your health value was passed into this sub via the stack.
Usually, you'll find subroutines are structured like this:
Code:
    push var
    push var2
    push var3
    ...
    ; the stack is LIFO, so the pops come back in reverse order
    pop var3
    pop var2
    pop var
    ret
ret or retn means return. The processor looks to the stack to find the return address.
So if you put your breakpoint down and hit F8 (step over) until you hit a ret, you'll find the code which called the health displaying function.
From there, see if you can find anything before the call that put something on the stack. Both mov [esp+x], var and push var will put data on the stack.
If there's nothing there, or you can't find the return statement, then the data must have been put on the stack in the current subroutine. Again, look for writes to the stack.
_________________
Er, hi
horsedeg (Cheater, Reputation: 0, Joined: 26 Jun 2017, Posts: 27)
Posted: Sat Aug 05, 2017 12:59 am
That sounds reasonable. So I just did that on the line of code I posted.
This is the very first time it returns, so clearly the line before it is where I came from. I step over this line, and it takes me here:
My guess was that eax holds the address that I just came from, and it uses call on that address. Unfortunately on the register it doesn't show. From 4 lines before it, it starts dereferencing a multi-level pointer starting from ebx (which I can see in the register). I make a multi-level pointer with 0, 0, and 4 as offsets and it does lead to the address where the first picture does "push 00". So I guess that makes sense. Kind of pointless to check, but just personal reassurance since I'm not too experienced with assembly.
Now I'm just kind of lost, though. I guess that's just due to my limited knowledge of assembly. I'll take a guess though. Since in the original lines of code it's calling the value on the stack at [esp+04] should I be looking for that? My understanding of the stack is minimal, but I'm assuming that what I'm looking for is where the value is stored onto the stack at esp+04. Scrolling up, I can't seem to find any direct references to esp+04. Maybe something I'm not getting?
EDIT: So I've found the line that changes it:
Based on what I googled, fstp is copying the value from the ST(0) register (which I am only now learning about) to that destination, which is the destination I'm looking for (18FA58). Now I'm just wondering what to do with this. What exactly am I going to look for? Is there going to be a fld? I'm not sure how to view the registers either, since the ones I'm looking at don't seem to match.
ParkourPenguin (I post too much, Reputation: 140, Joined: 06 Jul 2014, Posts: 4291)
Posted: Sat Aug 05, 2017 9:51 am
By 32-bit convention floating point results are returned in st(0). Whatever you're looking for is in the call above fstp.
(right clicking on the mov above the call and selecting "Break and trace instructions" might be helpful)
_________________
I don't know where I'm going, but I'll figure it out when I get there.
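The two answers above describe the same mechanism from both ends: arguments and the return address sit on the stack (Prehistoricman), and a 32-bit function that returns a float leaves it in st(0), which the caller then stores with fstp (ParkourPenguin). The following is an added example, not code from the thread or from Cheat Engine: a small Python model of the 32-bit stack that replays the sequence so you can see why the callee reads its argument at [esp+04] while nothing inside the callee ever writes that slot. The callee's two instructions and the addresses 18FA54/18FA58 come from the thread; the caller's exact shape (sub esp,4 / fstp [esp] / call), the return address, the esi value and the health_getter stand-in are assumptions.

```python
import struct


class X86Stack:
    """Minimal model of the 32-bit x86 stack: 4-byte slots, esp grows downward,
    and each slot holds the raw little-endian bytes the CPU would store."""

    def __init__(self, esp):
        self.esp = esp
        self.mem = {}  # address -> 4 raw bytes (constructed, not a real dump)

    def write32(self, addr, raw):
        if len(raw) != 4:
            raise ValueError("32-bit slot expects exactly 4 bytes")
        self.mem[addr] = raw

    def read32(self, addr):
        return self.mem[addr]

    def push(self, raw):
        # push: esp -= 4, then store at the new esp
        self.esp -= 4
        self.write32(self.esp, raw)

    def pop(self):
        # pop: load from esp, then esp += 4
        raw = self.read32(self.esp)
        self.esp += 4
        return raw

    def call(self, return_addr):
        # call pushes only the return address; arguments were placed before it
        self.push(struct.pack("<I", return_addr))

    def ret(self):
        # ret pops the return address back into eip
        return struct.unpack("<I", self.pop())[0]


def health_getter():
    """Stand-in (assumed) for the call above the fstp: under the 32-bit
    convention a function returning a float leaves it in st(0). The value is
    constructed to match the one quoted in the thread."""
    return 83.45405579


def trace_health_copy(caller_esp=0x0018FA5C, return_addr=0x00401234, esi=0x0C3E0000):
    """Replay the caller/callee sequence and report where each value lands.
    Only 18FA54/18FA58 come from the thread; the other addresses are constructed."""
    stk = X86Stack(caller_esp)

    # --- caller (assumed shape: sub esp,4 / fstp [esp] / call) ---
    st0 = health_getter()                          # call getter -> result in st(0)
    stk.esp -= 4                                   # sub esp,4: reserve the argument slot
    arg_slot = stk.esp
    stk.write32(arg_slot, struct.pack("<f", st0))  # fstp dword ptr [esp]: st(0) -> memory
    stk.call(return_addr)                          # call copy_fn: pushes the return address

    # --- callee: the two instructions from the first post ---
    callee_esp = stk.esp
    eax = stk.read32(callee_esp + 4)               # mov eax,[esp+04]
    copy_mem = {esi + 0x2C: eax}                   # mov [esi+2C],eax
    returned_to = stk.ret()                        # ret

    return {
        "callee_esp": callee_esp,          # 0x18FA54 in the thread
        "arg_addr": callee_esp + 4,        # the [esp+04] the callee reads
        "fstp_target": arg_slot,           # same slot, but written before the call
        "copied_health": struct.unpack("<f", copy_mem[esi + 0x2C])[0],
        "returned_to": returned_to,
        "esp_after_ret": stk.esp,
    }


if __name__ == "__main__":
    for key, val in trace_health_copy().items():
        print(f"{key:>15}: {val:#x}" if isinstance(val, int) else f"{key:>15}: {val}")
```

The slot the callee reads as [esp+04] is the same slot the caller wrote as [esp] before the call; the 4-byte difference is the return address that call pushes in between. That is why "Find out what writes" on the callee's code never shows the write, and why the value is recovered by stepping out with a ret and looking at the instructions just before the call. The copied value is the float32 rounding of 83.45405579, which is what a 4-byte mov carries.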