Cheat Engine The Official Site of Cheat Engine
Zhoul, Master Cheater, Reputation: 1, Joined: 19 Sep 2005, Posts: 394
Posted: Mon Dec 05, 2005 2:34 pm, Post subject: Turtle Asks - "How-To on pointer"
Turtle wrote:
    How do you deal with pointer code that looks like:
    fstp dword ptr [esi+1A3]
    Is that even pointer code?
By-the-by. What game? What version? Cracked or not?
First and foremost: You do not want to "Replace with code that does nothing".
Second: You probably don't need to find a pointer. There is probably an FSUB or FADD or FMUL line just above that one that you can 'add to the code list' then 'Replace with code that does nothing'.
Next: In this situation, you would want to find out how ESI became ESI if you wanted to find a pointer, but there is an easier way, I'm sure.
I'm going to paste in part of a tutorial I wrote on how to find a pointer path for a register, then add it to CE.
What you need to do is imagine that *this* line is the line you found...
0056d627 - mov [ecx+0c],eax <--- This was the original 'writes to' code.
Moi wrote:
    - Got address of current money.
    - Find out "What Writes to this value" (You could even find out what accesses this value. It doesn't matter which way you go. But for this example, do writes...)
    - Buy up a new car color, then click on one of the codes that accessed the value.
    - Open Disassembler at this location, scroll up a bit, we see...
    [a whole bunch of int 3's here, which is 'nothing' code]
    0056d610 - mov eax,[ecx+0c]
    0056d613 - mov edx,[esp+04]
    0056d617 - cmp edx,eax
    0056d619 - jna 0056d625
    0056d61b - mov [ecx+0c],00000000
    0056d622 - ret 0004
    0056d625 - sub eax,edx
    0056d627 - mov [ecx+0c],eax <--- This was the original 'writes to' code.
    0056d62a - ret 0004
    [more int 3's, which is 'nothing' code]
    - Again, we still don't see where ECX was 'created'.
    - Select mov [ecx+0c],eax
    - Click "Debug" then "Toggle Break Point" (also F5)
    - Buy something, at which point the game will seem to lock up. It's CE freezing the game at the line you chose your break point on.
    - Click "Debug" then "step" (or F7). You'll notice it goes to the ret line below the mov line.
    - Hit F7 again to return to where this chunk was called from.
    - It will jump to this line...
    007BAB6D - jmp 007babad
    - Obviously, it wasn't this that called our previous code chunk, but the line above it.
    - If we scroll up a bit, we see this...
    007bab59 - mov eax,[0091bf50] <--- get master pointer, put it in EAX
    007bab5e - mov ecx,[eax+10] <--- Get DMA pointer, using EAX+10
    007bab61 - push esi
    007bab62 - add ecx,000000a8 <--- Add a8 to ECX
    007bab68 - call 0056d610 <-- the line that called our original code chunk
    007BAB6D - jmp 007babad
    Bam, right here, we have the entire path.
    [0091BF50] + 10 = ECX
    ECX + (a8+0c) = Money Address
    Then, we just add that pointer path to CE's list and we're done.
Turtle, Advanced Cheater, Reputation: 7, Joined: 25 Jul 2004, Posts: 85
Posted: Tue Dec 06, 2005 7:24 am, Post subject: Re: Turtle Asks - "How-To on pointer"
Why would I imagine that line? My question was about "fstp dword ptr [esi+1A3]"
Dark Byte, Site Admin, Reputation: 458, Joined: 09 May 2003, Posts: 25296, Location: The Netherlands
Posted: Tue Dec 06, 2005 8:17 am
fstp dword ptr [esi+1A3]
Look at the [xxxxxxxx] part, in this case [esi+1a3].
ESI will probably hold the value the pointer has, and 1a3 is the offset.
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.
Turtle, Advanced Cheater, Reputation: 7, Joined: 25 Jul 2004, Posts: 85
Posted: Tue Dec 06, 2005 11:43 am
Dark Byte wrote:
    fstp dword ptr [esi+1A3]
    look at the [xxxxxxxx] part, in this case [esi+1a3]
    esi will probably hold the value the pointer has, and 1a3 is the offset
I know.
But why is "fstp dword ptr" used? Is it because there is a float value?
Are "float" and "real" the same thing?
Dark Byte, Site Admin, Reputation: 458, Joined: 09 May 2003, Posts: 25296, Location: The Netherlands
Posted: Tue Dec 06, 2005 11:51 am
fstp dword ptr [esi+1a3] stores the floating point value in st(0) to the 4 bytes (dword size) at esi+1a3.
That means that at esi+1a3 there is a 4-byte floating point value (float in CE).
http://podgoretsky.com/ftp/Docs/Hardware/Processors/Intel/24547111.pdf (page 321)
Zhoul, Master Cheater, Reputation: 1, Joined: 19 Sep 2005, Posts: 394
Posted: Tue Dec 06, 2005 6:27 pm, Post subject: Re: Turtle Asks - "How-To on pointer"
Turtle wrote:
    Why would I imagine that line? My question was about "fstp dword ptr [esi+1A3]"
Because...
Turtle wrote:
    How do you deal with pointer code that looks like:
    fstp dword ptr [esi+1A3]
    Is that even pointer code?
The word 'pointer' was used so much, I thought you were asking more about how to find a pointer to the value, and not about floating point numbers, which are indeed two entirely different things.
Also, I'm pretty sure the P in FSTP stands for "Pop", as it will then auto-pop the registers in the stack it used. Someone, please correct me if I'm wrong here.
There are other FS commands, like FS, or FST, which wouldn't auto-pop.
Turtle wrote:
    Are "float" and "real" the same thing?
( from http://www.mathwords.com/n/nonreal_numbers.htm )
===============================================
Nonreal Numbers
The complex numbers that are not real. That is, the complex numbers with a nontrivial imaginary part.
For example, 3 + 2i is nonreal, 2i is nonreal, but 3 is real.
===============================================
Also, floating point numbers, at least in 4-byte form, are sometimes not "exact" (which I suppose would be different from real/non-real).
Oftentimes, you'll go to type in a very specific decimal number like:
1.32132132132132 - Will be converted to 1.32132136821747, because 4 bytes of data wouldn't be enough to describe every possible 'situation' of longer decimal numbers.
All whole numbers are exact however (from my experience).
I think though, when you 'store real' it will store a float that doesn't contain the E notation. Once again, I'm open to corrections.
me, Grandmaster Cheater, Reputation: 2, Joined: 24 Jun 2004, Posts: 733, Location: location location
Posted: Tue Dec 06, 2005 8:24 pm
Well, no need to get too involved with Pythagoras' theorem and imaginary numbers.
Just use the same sort of methods to trace back to the floating point addresses as you would the 4-byte addresses; the same rules apply for --> the value held in the registers + the offset --> pointing to the address you need.
Advanced maths can be risky; you can lose count of your bedspreads.
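As an added illustration that is not code from the thread: the pointer path Zhoul traced ([0091BF50] + 10 = ECX, ECX + (a8+0c) = money) resolved over a constructed memory snapshot, plus the 4-byte float storage Dark Byte describes and the rounding Zhoul mentions. The object addresses, the 1500 money value and treating ESI as the same object pointer are assumptions made for the demo.

```python
import struct

# Constructed sparse memory snapshot (address -> byte); every address and
# value below is made up to mirror the pointer path in the thread.
MEMORY = {}

def poke(addr, data):
    """Write raw bytes into the snapshot at addr."""
    for i, b in enumerate(data):
        MEMORY[addr + i] = b

def peek(addr, size):
    """Read size bytes at addr; a KeyError models an unmapped page."""
    return bytes(MEMORY[addr + i] for i in range(size))

def read_ptr(addr):
    """Read a 32-bit little-endian value, as mov ecx,[eax+10] does."""
    return struct.unpack("<I", peek(addr, 4))[0]

def read_float(addr):
    """Decode the 4-byte IEEE-754 single that fstp dword ptr [...] stores."""
    return struct.unpack("<f", peek(addr, 4))[0]

def resolve_path(base, offsets):
    """Follow a CE-style pointer path: deref base, then for each offset but
    the last add it and deref again; return the final address itself."""
    addr = read_ptr(base)
    for off in offsets[:-1]:
        addr = read_ptr(addr + off)
    return addr + offsets[-1]

def float32_roundtrip(value):
    """What a value looks like after being stored through a 4-byte float."""
    return struct.unpack("<f", struct.pack("<f", value))[0]

# Lay out the chain from the post: [0091BF50] + 10 = ECX, ECX + (a8+0c) = money.
MASTER, OBJ, ECX = 0x0091BF50, 0x00A00000, 0x00B00000   # constructed addresses
poke(MASTER, struct.pack("<I", OBJ))
poke(OBJ + 0x10, struct.pack("<I", ECX))
poke(ECX + 0xA8 + 0x0C, struct.pack("<I", 1500))       # money, 4-byte integer
# Assume ESI points at the same object: fstp dword ptr [esi+1a3] wrote a float.
poke(ECX + 0x1A3, struct.pack("<f", 1.32132132132132))

def money_address():
    return resolve_path(MASTER, [0x10, 0xA8 + 0x0C])

def money_value():
    return read_ptr(money_address())
```

Reading an address the snapshot does not contain raises KeyError, which is the place a real tool would check for an unmapped page before trusting a pointer chain.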
Zhoul, Master Cheater, Reputation: 1, Joined: 19 Sep 2005, Posts: 394
Posted: Thu Dec 08, 2005 11:55 pm
me wrote:
    advanced maths can be risky you can lose count of your bedspreads