Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


[Tutorial] Cheating Galactic Civilization 2 (V1.0) - Part 3

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Tutorials -> Auto Assembler tutorials
View previous topic :: View next topic  
Author Message
Recifense
I post too much
Reputation: 156

Joined: 17 Mar 2008
Posts: 3612
Location: Pernambuco - Brazil

PostPosted: Sun Jan 09, 2011 9:56 pm    Post subject: [Tutorial] Cheating Galactic Civilization 2 (V1.0) - Part 3 Reply with quote


    This is the third part of the tutorial

    The first part can be found at: http://forum.cheatengine.org/viewtopic.php?t=529802
    The second part can be found at: http://forum.cheatengine.org/viewtopic.php?t=529803

    5 - Cheating Ship's Hit Points:


    ___ TutNote 18: Load the game (that we saved in 1.4). Press DONE for the Report, Research and Colony screens.
    ___ Remember that we have concluded that offset 01dc of the Ship structure is the "Hit Points". So let's investigate it.
    ___ Add the flagship HP address to the table. Select the flagship on the game.

    ______ A) Go to CE, right-click on the flagship HP entry and choose "Find out what accesses this address"
    ______ B) Go back to the game. Note that a code line was added to the list;
    ______ C) Select again the flagship. Note that 4 new code lines were added to the list. Let's have a look at them:

    Code:

       C23 0055B7B8 - 83 b9 dc 01 00 00 00          - cmp dword ptr [ecx+000001dc],00
       C24 0055B7D6 - 83 be dc 01 00 00 00          - cmp dword ptr [esi+000001dc],00
       C25 0055A0BE - 39 be dc 01 00 00             - cmp [esi+000001dc],edi
       C26 0055A0CC - 83 be dc 01 00 00 01          - cmp dword ptr [esi+000001dc],01
       C27 0055A0FE - 89 86 dc 01 00 00             - mov [esi+000001dc],eax
       


    ___ TutNote 19: C23[b/] and [b]C24 verify if the ship HP is 0. C25 compares the Ship HP with the content of register EDI.
    ___ C26 compares the Ship HP with the the value 1. C27 updates the Ship HP. Strange! Why is the HP updated if the ship is not in combat?
    ___ Maybe it is only the display value (not the real HP). We have to investigate a little bit more. Let's analyse the disassembler codes around C27:

    ______ A) Select C27 on the list and then click on button "Show disassembler";
    ______ B) Scroll up the code until you see where it starts (right after an INT 3 instruction);

    Code:

       AL21 - 0055A0F0 - 56                         - push esi
       AL22 - 0055A0F1 - 8b f1                      - mov esi,ecx
       AL23 - 0055A0F3 - e8 c8 fe ff ff             - call 00559fc0
       AL24 - 0055A0F8 - 2b 86 e4 01 00 00          - sub eax,[esi+000001e4]
       AL25 - 0055A0FE - 89 86 dc 01 00 00          - mov [esi+000001dc],eax
       AL26 - 0055A104 - 5e                         - pop esi
       AL27 - 0055A105 - c3                         - ret
       


    ______ AssemblerTut 3:
    ______ AL21: The register ESI content is pushed into the stack to be preserved;
    ______ AL22: The register ESI is loaded with the content of register ECX;
    ______ AL23: A sub-routine is called (we probably have to analyse it as well);
    ______ AL24: The value stored at offset 01e4 of the Ship structure is subtracted from the content of register EAX;
    ______ AL25: The "Ship HP" at offset 01dc of the Ship structure is updated with the content of register EAX;
    ______ AL26: The content of ESI is restored from the stack;
    ______ AL27: The instruction RET (return) is executed and the flux goes back to the first code line after the CALL instruction.
    ______ It is the end of this sub-routine.

    ___ TutNote 20: Conclusion: The sub-routine called at AL23 retuns the register EAX with "Ship HP". But before it is stored at offset 01DC,
    ___ the value stored at offset 01E4 is subtracted from it. So the offset 01E4 of the Ship structure is the "damage". Rename the description
    ___ of this offset to "ShipDamage". Add AL25 to the codelist. Add "- HP" to the description. Now let's have a look at the sub-routine called on AL23:

    ______ A) On Memory Viewer, right-click on AL23 and select "Follow";
    ______ B) A new code area is displayer and the first assembler line is highlighted (selected). Nothing
    ______ interesting so far. But note that there is a conditional jump to the first of the following 3 lines;

    Code:

       AL28 - 00559FED - 8b 86 18 03 00 00          - mov eax,[esi+00000318]
       AL29 - 00559FF3 - 03 86 e0 01 00 00          - add eax,[esi+000001e0]
       AL30 - 00559FF9 - 8b 96 00 03 00 00          - mov edx,[esi+00000300]
       


    ______ AssemblerTut 4:
    ______ AL28: The register EAX is loaded with the content stored at offset 0318 of the Ship structure;
    ______ AL29: The content of offset 01e0 is added to the current content of register EAX;
    ______ AL30: The register EDX is loaded with the content stored at offset 0300 of the Ship tructure;

    ___ TutNote 21: Conclusion: The "Ship HP" is the result of the sum of the contents of offsets 0318 and 01e0.
    ___ Looking at the Ship structure, we note that the content of offset 01e0, in most of the cases, is the
    ___ same of offset 01dc (Hit Points). So offset 01E0 is the ship basic HP, then rename it to "Basic HP".
    ___ Note that value stored at offset 0318 for all ships is 0. It is probably each ship's extra Hit Points,
    ___ then rename it to "Extra HP". Try changing these values for the flagship and observe the effects.
    ___ Add AL28 and AL29 to the codelist. Add "- HP" to the description. Now let's see what we can do with
    ___ offset 01e4 of the Ship structure ("Ship Damage"). But note that the flagship and the colony ship don't have
    ___ weapons. So let's play a little:

    ______ A) Load the game (that we saved in 1.4);
    ______ B) Select for reasearching "Galactic Warfare"; And buy a "Basic Factory" on your main planet (EARTH);
    ______ C) Select your colony ship and move it to colonize a class 10 planet. Rename the planet to "TutPlanet I";
    ______ Buy also a "Basic Factory" on this planet.
    ______ D) Select EARTH and click on BUILD SHIP. Select a "Colony ship" and click on BUY NOW, ACCEPTED and DONE.
    ______ E) End turn. Press DONE on "Breaking News" screen. And end turn again.
    ______ F) Close the "Research Complete" screens. Select for next research "Space Weapons". Press DONE on "Breaking News" screen
    ______ (there is a "colony" ship available on EARTH).
    ______ G) Select EARTH and click on LAUNCH SHIP. Move the Bar so the colony ship can have 101 to 103 colonists and click on LAUNCH.
    ______ H) Select the Colony ship. Go to CE and open a new "Memory Dissect" window. Get the address of the ship from the table and replace the
    ______ address on the "Memory Dissect" window. Now select Structure->Ship. Note that at offset 0204 we have the colonist number, so rename it
    ______ to "Colonists". Now colonize Mars (a class 4 planet). Buy an "Entertainment Network". Buy the same on EARTH and on TutPlanet I.
    ______ End turn.
    ______ I) Close the "Research Complete" screens. Select for next research "New Propulsion Techniques". Select EARTH. Click on BUILD SHIP.
    ______ Note that there is a new ship on the list (the Defender). Select it. Note that it has a weapon. Click on BUY NOW,
    ______ ACCEPTED and DONE. End Turn.
    ______ J) Close the "Research Complete" screens. Select for next research "Planetary Improvements". Close the "Breaking News" screen.
    ______ We have a Defender completed on EARTH.
    ______ K) Select EARTH and click on LAUNCH SHIP. Save the game at this point with the name "GodMode".
    ______ L) Select the Defender. Replace the last colony ship address by the Defender's address on the Ship Structure (Memory Dissect - Ship);
    ______ Move it aroud until you find an AI flagship.
    ______ M) Select the AI flagship and add it as an "extra address" to the Ship Structure. Add its "Ship Damage" address to CE's table.
    ______ Right-click on it and select "Find out what accesses this address".
    ______ N) Go back to the game and select the Defender. Right-click on the AI flagship and confirm the attack;
    ______ O) 12 code lines were added to list. Let's add to the "Advanced options" codelist, only the codes that change
    ______ the "Ship Damage". Only 3 codes will be considered. To each description add "- Damage".

    Code:

       C28 00565F6C - 89 86 e4 01 00 00             - mov [esi+000001e4],eax         
       C29 0055A0D5 - 89 be e4 01 00 00             - mov [esi+000001e4],edi
       C30 00566132 - 89 86 e4 01 00 00             - mov [esi+000001e4],eax
       


    ___ TutNote 22: The 3 codes update the "Ship Damage", so let's have a look at each code "More Information".
    ___ Note that on C28, EAX is 1. So it is increasing the "Ship Damage" by one. But note that on codes C29
    ___ and C30, EDI and EAX (respectively) are 17 in decimal. They are the final updates. So our "God Mode"
    ___ should be implemented over C28. Note that the Defender lost its "Moves Left" points after the fight.
    ___ We have enough information for the GodMode, so let's do the following:

    ______ A) Implement a script that does not let the "Ship Damage" of a player's ship increase;
    ______ B) Modify the _MonSelShip script to:
    ______ b.01 - Change the ship total HP to at least 1000;
    ______ b.02 - In case the ship's "Moves Left" points is 0, make it equal to 2;
    ______ b.03 - If there is colonists, make sure it is at least 1500;

    ______ AATut 7: Nothing new in this part. We are gonna use what we have used before.

    ______ He is our script till now:

    Code:

    {
     Script for Galactic Civilization 2 V1.0
     Example on a Tutorial
     Implementing a script to monitor the player's Treasure Value
     Implementing a script to monitor the player's Research Technology
     Implementing a script to monitor the player's Ship Moves Left
     Implementing a God Mode script (new)
    }

    [ENABLE]
    alloc(MyCode,1024)         // Allocating memory. 1024 (1Kb) is enough.

    label(_MonET)              // Declaring a label
    label(_BackME)             // Declaring a label
    label(_ExitME)             // Declaring a label
    label(_MonRT)              // Declaring a label
    label(_BackMR)             // Declaring a label
    label(_ExitMR)             // Declaring a label
    label(_MonSelShip)         // Declaring a label
    label(_BackMSS)            // Declaring a label
    label(_ExitMSS)            // Declaring a label
    label(_MonSS0)             // Declaring a label (new)
    label(_MonSS1)             // Declaring a label (new)
    label(_MonMovesLeft)       // Declaring a label
    label(_BackMML)            // Declaring a label
    label(_ExitMML)            // Declaring a label
    label(_GodMode)            // Declaring a label (new)
    label(_BackGM)             // Declaring a label (new)
    label(_ExitGM)             // Declaring a label (new)
    label(pPlayer)             // Declaring a label
    label(pSelShip)            // Declaring a label
    label(iPlayerID)           // Declaring a label
    label(iEnableME)           // Declaring a label
    label(iEnableMR)           // Declaring a label
    label(iEnableMM)           // Declaring a label
    label(iEnableGM)           // Declaring a label (new)
    label(iEnableMC)           // Declaring a label (new)

    registersymbol(MyCode)     // Registering "MyCode",    so it can be easily find it in the memory viewer.
    registersymbol(pPlayer)    // Registering "pPlayer",   so it can be easily used in a table or structure.
    registersymbol(pSelShip)   // Registering "pSelShip",  so it can be easily used in a table or structure.
    registersymbol(iPlayerID)  // Registering "iPlayerID", so it can be easily used in a table or structure.
    registersymbol(iEnableME)  // Registering "iEnableME", so it can be easily used in a table or structure.
    registersymbol(iEnableMR)  // Registering "iEnableMR", so it can be easily used in a table or structure.
    registersymbol(iEnableMM)  // Registering "iEnableMM", so it can be easily used in a table or structure.
    registersymbol(iEnableGM)  // Registering "iEnableGM", so it can be easily used in a table or structure. (new)
    registersymbol(iEnableMC)  // Registering "iEnableMC", so it can be easily used in a table or structure. (new)
          
    //======================= Just to separate script parts

    MyCode:                    // This is the address of the memory that was allocated

    //======================= Just to separate script parts
    // This script will monitor the player's Treasure to guarantee a minimum value (10000)
    // [Note] The register EBP is modified by the original code, so we are free to use it.

    _MonET:                    // This is the address of this script part (Same as MyCode)
     mov [pPlayer],edi         // Let's save the content of register EDI for debugging

     mov ebp,[edi+04]          // Get the player ID at offset 0004
     mov [iPlayerID],ebp       // Saving it for further use

     cmp dword ptr [iEnableME],0 // The content of variable iEnableME is 0?
     je _ExitME                  // Jump if yes (e = equal to) We assumed that 0 is disabled.

     mov ebp,#10000            // The assemble instruction MOV is used to load value into an address or register
                               // In this case, EBP will be loaded with 10000 (the # indicates that it is a decimal value)
     cmp ebp,[edi+000004f0]    // The assemble instruction CMP is use to compare two values
                               // In this case, the content of the register EBP is compared to the
                               // content of the memory pointed by the content of register EDI plus offset 000004f0
     jle _ExitME               // The assemble instruction Jcc is used to perform conditional jumps.
                               // In this case, the condition is LE which means (less or equal).
     mov [edi+000004f0],ebp    // If the content of EBP is greater than that at the memory
                               // then the value at the memory will be changed to 10000
    _ExitME:                   // This is the label needed because of the conditional jump
     mov ebp,[edi+000004f0]    // Original code should be executed
     jmp _BackME               // Go back to the original code

    //======================= Just to separate script parts
    // This script will monitor the player's Research Progress to guarantee that it is concluded in one turn
    // [Note] The register EDX is modified by the original code, so we are free to use it.

    _MonRT:                    // This is the address of this script part
     cmp dword ptr [iEnableMR],0 // The content of variable iEnableMR is 0?   
     je _ExitMR                // Jump if yes (e = equal to) We assumed that 0 is disabled.

     cmp esi,[pPlayer]         // The register ESI points to a PlayerInfo structure. Is it ours?
     jne _ExitMR               // The code will jump if it is not equal (NE = not equal)

     mov edx,[esi+00000504]    // Get the pointer to the array of research progress values
                               // Remember that at this point: EDX = Base, EDI = Index   and EAX = value needed to complete research
     mov [edx+edi*4],eax       // So let's update the current research progress with the value needed to complete this research

    _ExitMR:                   // This is the label needed because of the conditional jump
     mov edx,[esi+00000504]    // Original code should be executed
     jmp _BackMR               // Go back to the original code
          
    //======================= Just to separate the script parts    (changed)
    // This script will monitor when a ship is selected in order to save its address

    _MonSelShip:               // This is the address of this script part
     push ebx                  // A register will be needed in this script. Since the original code (new)
                               // is not modifying one, we decided to use the register EBX.
                               // But we have to preserve its content. So push it into the stack.
     pushfd                    // Note that the first instruction after the hacking point is a conditional
                               // jump (jE). So we have to preserve the EFLAGS by pushing them into the stack.
     or esi,esi                // ESI or ESI return Zero if the content of register ESI is 0
     jz _ExitMSS               // Jump if content od ESI is 0 (i.e. a NULL pointer)

     mov [pSelShip],esi        // Save in the variable pSelShip, the address of just selected ship
                               // It will be used on the Moves Left script
     mov ebx,[esi+000000c8]    // Get the value stored at offset 00C8 (The OwnerID)           (new)
     cmp ebx,[iPlayerID]       // Compare the ship's OwnerID with the PlayerID                (new)
     jne _ExitMSS              // Jump if they are not equal (NE)                             (new)

     cmp dword ptr [iEnableMM],0 // The content of variable iEnableMM is 0?                     (new)
     je _MonSS0                  // Jump if yes (e = equal to) We assumed that 0 is disabled. (new)

     cmp dword ptr [esi+000001f0],0 // Is the content of offset 01f0 (Moves Left) of the Ship Structure equal to 0?
     jne _MonSS0               // Jump if it is NOT EQUAL

     mov dword ptr [esi+000001f0],2 // Make the Moves Left of selected ship equal to 2

    _MonSS0:                   // This is the label needed because of the conditional jump   (new)
     cmp dword ptr [iEnableGM],0 // The content of variable iEnableMR is 0?
     je _MonSS1                // Jump if yes (e = equal to) We assumed that 0 is disabled.

     cmp dword ptr [esi+00000318],#1000 // Is the content of offset 0318 (Extra HP) of the Ship Structure equal to 1000?
     jge _MonSS1               // Jump if it is GREATER or EQUAL

     mov dword ptr [esi+00000318],#1000 // Make the Extra HP of selected ship equal to 1000

    _MonSS1:                   // This is the label needed because of the conditional jump   (new)
     cmp dword ptr [iEnableMC],0 // The content of variable iEnableMC is 0?
     je _ExitMSS               // Jump if yes (e = equal to) We assumed that 0 is disabled.

     cmp dword ptr [esi+00000204],0 // Is the content of offset 0204 (Colonists) of the Ship Structure equal to 0?
     je _ExitMSS               // Jump if yes (e = equal to).

     cmp dword ptr [esi+00000204],#1500 // Compare the content of offset 0204 (Colonists) of the Ship Structure with 1500
     jge _ExitMSS              // Jump if it is GREATER or EQUAL

     mov dword ptr [esi+00000204],#1500 // Make the Colonists of selected ship equal to 1500

    _ExitMSS:
     popfd                     // The stack is a queue type FILO (First In, Last Out). So the POPs should follow
                               // the inverse order of the PUSHes. Remember this!
                               // So we take the EFLAGS back from the stack.
     pop ebx                   // We need to restore the register EBX content.
                               // So we take back its value from the stack.
     mov [edi+0001d15c],esi    // Original code should be executed
     jmp _BackMSS              // Go back to the original code

    //======================= Just to separate script parts
    // This script will monitor a ship movement points and will not let it decrease
    // if it is the player's last select ship

    _MonMovesLeft:             // This is the address of this script part
     push ebx                  // A register will be needed in this script. Since the original code
                               // is not modifying one, we decided to use the register EBX.
                               // But we have to preserve its content. So push it into the stack.
     cmp dword ptr [iEnableMM],0 // The content of variable iEnableMR is 0?
     je _ExitMML               // Jump if yes (e = equal to) We assumed that 0 is disabled.

     cmp esi,[pSelShip]        // The register ESI points to a Ship structure. Is it the selected?
     jne _ExitMML              // The code will jump if it is not equal (NE = not equal)

     mov ebx,[esi+000000c8]    // Get the value stored at offset 00C8 (The OwnerID)
     cmp ebx,[iPlayerID]       // Compare the ship's OwnerID with the PlayerID
     jne _ExitMML              // Jump if they are not equal (NE)

     mov eax,00000000          // Make the content of register EAX = 0
                               // The instruction XOR EAX,EAX could have been used (it is shorter)
    _ExitMML:                  // This is the label needed because of the conditional jump
     pop ebx                   // We need to restore the register EBX content.
                               // So we take back its value from the stack.
     sub [esi+000001f0],eax    // Original code should be executed
                               // It subtracts from Ship's Moves Left the value stored in register EAX
     jmp _BackMML              // Go back to the original code

    //======================= Just to separate script parts   (new)
    // This script will not let a player's ship Damage points increase

    _GodMode:                  // This is the address of this script part
     push ebx                  // A register will be needed in this script. Since the original code
                               // is not modifying one, we decided to use the register EBX.
                               // But we have to preserve its content. So push it into the stack.
     pushfd                    // Note that the first instruction after the hacking point is a conditional
                               // jump (jLE). So we have to preserve the EFLAGS by pushing them into the stack as well. We push
     cmp dword ptr [iEnableGM],0 // The content of variable iEnableMR is 0?
     je _ExitGM                // Jump if yes (e = equal to) We assumed that 0 is disabled.

     mov ebx,[esi+000000c8]    // Get the value stored at offset 00C8 (The OwnerID)
     cmp ebx,[iPlayerID]       // Compare the ship's OwnerID with the PlayerID
     jne _ExitGM               // Jump if they are not equal (NE)

     xor eax,eax               // Make the content of register EAX = Damage = 0 ( A xor A  = 0)
                               // The instruction MOV EAX,00000000 could have been used
    _ExitGM:                   // This is the label needed because of the conditional jump
     popfd                     // The stack is a queue type FILO (First In, Last Out). So the POPs should follow
                               // the inverse order of the PUSHes. Remember this!
                               // So we take the EFLAGS back from the stack.
     pop ebx                   // We need to restore the register EBX content.
                               // So we take back its value from the stack.
     mov [esi+000001e4],eax    // Original code should be executed
                               // It subtracts from Ship's Moves Left the value stored in register EAX
     jmp _BackGM               // Go back to the original code

    //======================= Variables ==============================
    // We can put the variables here, right after the last script.

    pPlayer:                   // The variable name followed by : (in fact, it is a lable)
     dd 0                      // Reserving 4 bytes and initializing its value with 0
    pSelShip:                  // The variable name followed by : (in fact, it is a lable)   
     dd 0                      // Reserving 4 bytes and initializing its value with 0
    iPlayerID:                 // The variable name followed by : (in fact, it is a lable)
     dd #999                   // Reserving 4 bytes and initializing its value with 999
    iEnableME:                 // The variable name followed by : (in fact, it is a lable)   
     dd 1                      // Reserving 4 bytes and initializing its value with 1
    iEnableMR:                 // The variable name followed by : (in fact, it is a lable)   
     dd 1                      // Reserving 4 bytes and initializing its value with 1
    iEnableMM:                 // The variable name followed by : (in fact, it is a lable)   
     dd 1                      // Reserving 4 bytes and initializing its value with 1
    iEnableGM:                 // The variable name followed by : (in fact, it is a lable)   (new)
     dd 1                      // Reserving 4 bytes and initializing its value with 1
    iEnableMC:                 // The variable name followed by : (in fact, it is a lable)   (new)
     dd 1                      // Reserving 4 bytes and initializing its value with 1

    //=================== The Haking Points ==========================
    // It can also be placed before the scripts. But let's put it after them, just to remind us
    // that the script was created and loaded into the computer memory and now can be accessed.

    galciv2.exe+07ebad:        // The address to be intercepted
     jmp _MonET                // Jumping to the script (this instruction is 5 bytes long)
     nop                       // Adding a NOP (90h) instruction to complete 6 bytes (remember this!)
    _BackME:                   // This label is the address to go back. It is galciv2.exe+07ebad plus 6 bytes.

    galciv2.exe+18f0f2:        // The address to be intercepted 
     jmp _MonRT                // Jumping to the script (this instruction is 5 bytes long)
     nop                       // Adding a NOP (90h) instruction to complete 6 bytes (remember this!)
    _BackMR:                   // This label is the address to go back. It is galciv2.exe+18f0f2 plus 6 bytes.

    galciv2.exe+1ce76b:        // The address to be intercepted
     jmp _MonSelShip           // Jumping to the script (this instruction is 5 bytes long)
     nop                       // Adding a NOP (90h) instruction to complete 6 bytes (remember this!)
    _BackMSS:                  // This label is the address to go back. It is galciv2.exe+1ce76b plus 6 bytes.

    galciv2.exe+167198:        // The address to restore the code
     jmp _MonMovesLeft         // Jumping to the script (this instruction is 5 bytes long)
     nop                       // Adding a NOP (90h) instruction to complete 6 bytes (remember this!)
    _BackMML:                  // This label is the address to go back. It is galciv2.exe+167198 plus 6 bytes.

    galciv2.exe+165f6c:        // The address to restore the code    (new)
     jmp _GodMode              // Jumping to the script (this instruction is 5 bytes long)
     nop                       // Adding a NOP (90h) instruction to complete 6 bytes (remember this!)
    _BackGM:                   // This label is the address to go back. It is galciv2.exe+165f6c plus 6 bytes.

    //======================= Just to separate script parts
    // This part is performed when we disable the script by uncking its frozen box.
    // Here we should:
    // - Restore the original codes
    // - Unregister the symbols
    // - Deallocate (free) the memory

    [DISABLE]
    galciv2.exe+07ebad:        // The address to restore the code
     mov ebp,[edi+000004f0]    // The code to be restored (this instruction is 6 bytes long)
                               // = 8b af f0 04 00 00
    galciv2.exe+18f0f2:        // The address to restore the code
     mov edx,[esi+00000504]    // The code to be restored (this instruction is 6 bytes long)
                               // = 8b 96 04 05 00 00
    galciv2.exe+1ce76b:        // The address to restore the code
     mov [edi+0001d15c],esi    // The code to be restored (this instruction is 6 bytes long)
                               // = 89 b7 5c d1 01 00
    galciv2.exe+167198:        // The address to restore the code
     sub [esi+000001f0],eax    // The code to be restored (this instruction is 6 bytes long)
                               // = 29 86 f0 01 00 00
    galciv2.exe+165f6c:        // The address to restore the code    (new)
     mov [esi+000001e4],eax    // The code to be restored (this instruction is 6 bytes long)
                               // = 89 86 e4 01 00 00

    unregistersymbol(MyCode)   // UNregistering "MyCode",    so it cannot be accessed anymore.
    unregistersymbol(pPlayer)  // UNregistering "pPlayer",   so it cannot be accessed anymore.
    unregistersymbol(pSelShip) // UNregistering "pSelShip",  so it cannot be accessed anymore.
    unregistersymbol(iPlayerID)// UNregistering "iPlayerID", so it cannot be accessed anymore.
    unregistersymbol(iEnableME)// UNregistering "iEnableME", so it cannot be accessed anymore.
    unregistersymbol(iEnableMR)// UNregistering "iEnableMR", so it cannot be accessed anymore.
    unregistersymbol(iEnableMM)// UNregistering "iEnableMM", so it cannot be accessed anymore.
    unregistersymbol(iEnableGM)// UNregistering "iEnableGM", so it cannot be accessed anymore. (new)
    unregistersymbol(iEnableMC)// UNregistering "iEnableMC", so it cannot be accessed anymore. (new)

    dealloc(MyCode)            // DE-allocating memory so the system can use it for other purposes.


    ______ A) Time to save the script. On the Auto Assemble, click on File and then select Save.
    ______ B) Let's add the script to CE table. Click on File and then select "Assigned to current cheat table".
    ______ CE will check the script and, if everything is ok, it will be added to the table with the discription "Auto assemble cheat".
    ______ Change it to "Tutorial_MET_MRT_MSS_MML_GM_MC".
    ______ C) Save the table;
    ______ D) Disable the previous script by unchecking its frozen box.
    ______ E) Now enable the new script;
    ______ F) Add the new variables to the table: iEnableGM and iEnableMC
    ______ G) For testing God Mode, we have to play a little bit more until the AI have combat ships, but
    ______ the rest can be tested. Please do it

    ______ TutNote 22: That concludes the tutorial. As homework you can implement:

    ______ A) A minimum colony population on selecting a player's planet (with individual enable/disable);
    ______ B) Invation without loosing troop (with individual enable/disable);
    ______ C) Defend from a invation without loosing population (the enable/disable can be the same as in B);
    ______ D) Modify the script _MonRT to permit a maximum of 2 researches per turn;

    Here is also a table with the scripts, codelist and structures.

    That's it!

    Cheers!
Back to top
View user's profile Send private message Send e-mail
lolOkayBailolOkayBailolOk
Master Cheater
Reputation: 1

Joined: 23 Jun 2007
Posts: 307

PostPosted: Sun Feb 06, 2011 7:18 pm    Post subject: Reply with quote

First of all, sorry for the bump of this thread, I'm shocked no one has replied about questions, comments, or even gratitude towards this excellent three part tutorial.

I just completed the three threads on creating hacks for this game and I would like questions that have been bothering me to be answered:

Question 1:
Is the jump to a label always five bytes for every label in every game?
Code:
jmp MyLabel // = 5 Bytes


Question 2:
This is sort of a follow up from the previous question. What should I do if I find a 'hacking point' that is less than 5 bytes in length?

Question 3:
You mentioned we need to save the EFLAGS when a conditional jump proceeds a 'hacking point', but in the hacking point 'galciv2.exe+167198' for script '_MonMovesLeft', the instruction is followed by jns. Yet in your script there is no 'pushfd' or 'popfd'. Please explain why we should not save not place these commands in the script.
[/code]

Question 4:
During the Research Hack, you analyzed a hacking point that contained the command lea. You mentioned that lea does not load a value from an address, but instead it takes the result of an address. I was a little confused about what this meant, so if you clarify that I would appreciate it.

If you, or if someone else could aid me with these questions, I would greatly appreciate it. Thanks!
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 373

Joined: 09 May 2003
Posts: 22009
Location: The netherlands

PostPosted: Sun Feb 06, 2011 8:16 pm    Post subject: This post has 1 review(s) Reply with quote

1:
Yes, in 32-bit the jump is always 5 bytes

2: save the instruction that comes after it as well

3: he replaces the sub [esi+1f0], eax and executes it at the end again.
The sub instruction in this case modifies the eflag the JNS instruction is looking for so no need to save it
He could of course have saved it and restored it right before executing the original sub instruction, but that would be useless. (And restoring it AFTER the sub would be even worse)

4:
Let's say that you have the instruction "mov eax,[ebx+esi*4+3c]"
ebx=00500000 and esi=100 (so the address it's accessing is

When executed EAX gets the value of the address stored at 50043C (e.g 100)


when using the command "lea eax,[ebx+esi*4+3c]" eax will get the value 50043C

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
lolOkayBailolOkayBailolOk
Master Cheater
Reputation: 1

Joined: 23 Jun 2007
Posts: 307

PostPosted: Mon Feb 07, 2011 7:30 pm    Post subject: Reply with quote

Thanks for the clarification Dark Byte, I am truly seeing the capabilities of the auto assembler (and the structure builder which recently became my favorite tool)!

Still a tiny confused about the EFLAGS conditions, however I am beginning to understand how they are saved and restored.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Tutorials -> Auto Assembler tutorials All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites