Cheat Engine

dnsi0

For example nop is 90 right? And each address has one of that and 16 bytes with opcodes. If each 16 byte containing opcodes and can have 16 nops then what does the next address have?

Example:

00401000 90 90 90 90
00401001 ?
00401002 ?
00401003 ?

00401000 nop
00401001 nop
00401002 nop
00401003 nop

So I dont get how this fits.

appalsap

dnsi0 · Posted: Mon Jan 07, 2008 11:09 am Post subject:

So what would be in those spots if the nops are already defined in the first address. ANd that would not be a real app initialization cause it would not have nops at the start.

samuri25404 · Posted: Mon Jan 07, 2008 11:12 am Post subject:

Ok, one address = 1 byte.

Symbol · Posted: Mon Jan 07, 2008 11:13 am Post subject:

16 bytes? each address represent byte, since cheat engine converts it to instruction it takes more bytes. (Some instructions contains more than 1 byte)

So it would be:
00401000 90
00401001 90
00401002 90
00401003 90

00401000 nop
00401001 nop
00401002 nop
00401003 nop

dnsi0 · Posted: Mon Jan 07, 2008 11:15 am Post subject:

Thank you so much. I knew something was fishy the way it skips.

samuri25404 · Posted: Mon Jan 07, 2008 11:16 am Post subject:

Nothing's fishy, it's just that, as Symbol said, some instructions take more than one byte (like "mov [eax],eax")

dnsi0 · Posted: Mon Jan 07, 2008 11:18 am Post subject:

So If the Address Has something with like 3 bytes then it would kill the addresses under it? ANd they would countinue the preveous address's opcodes?

Symbol · Posted: Mon Jan 07, 2008 11:35 am Post subject:

No, it wouldn't "kill", Cheat Engine just wouldn't show, because then the instruction will be diffrent. Lets say you got:

10 - 00 01 - add [eax],eax (I don't really remember the bytes, but just for the example)
12 - 00 00 - add [eax],al

So if you'll go to 11 you'll the the instruction of the byte 01, if there isn't one you'll see the instruction of 01 + 12's byte (00), if there isn't then checks for the next possible instruction and so on...

dnsi0 · Posted: Mon Jan 07, 2008 11:58 am Post subject:

SO example:

00401000 01 //I dont know the opcodes either... So if this is mov eax, [eax]
00401001 01
00401002 01
00401003 90

In ce it would be:

00401000 Mov eax,[eax]
00401003 Nop

Right? Skipping the bytes on the address.

Symbol · Posted: Mon Jan 07, 2008 12:01 pm Post subject:

Yes.
But actually, 1 byte might belong to the mov, maybe it represents a "Register Parameter" (for example, eax, ebx) or maybe 2 bytes represents a register in brackets, or maybe 4 bytes represents an address/value or maybe 1 byte represents 2 parameters. (Instruction destination like push eax) well, you got me, its complicated...

dnsi0 · Posted: Mon Jan 07, 2008 12:03 pm Post subject:

I think I might topply over in confusion if I keep typing...

samuri25404 · Posted: Mon Jan 07, 2008 12:26 pm Post subject:

Cheat Engine starts at the base addy of the program (usually 00400000) and finds a possible opcode from it. For example:

Uzeil · Moderator Reputation: 6 Joined: 21 Oct 2006 Posts: 2411

db 00 00 is add [eax],al not add [eax],eax

samuri25404 · Posted: Mon Jan 07, 2008 1:41 pm Post subject:

Ah, well my bad. I knew it was something like that, but it doesn't really matter.