Cheat Engine

HiSaZuL · Posted: Tue Aug 09, 2011 10:14 am Post subject: need some ce assembler help

trying to move to assembler for the pointers and the like... read through the help files and some tutorials. but to be honest i'm more of a monkey see monkey does type Razz

could someone just post a whole assembler table script for ... i dont know xp pinball ball counter disabler or simple a check if ball count is below 3 set it to 3
preferably with cmp or test function so i can see how it SUPPOSE to work >_> just as simple as it gets so i can stop banging my head on the table. tried running thru scripted tables but all the scripts are either aobscans which seems even more complicated or they are so.... uhh... far beyond the starting level i don't understand most of the script anyway.
if u got no pinball underhand the opcode instruction for ball reduction is
pinball.exe+175b7 mov[esi+00000146],eax
much appreciate the help in advance.

Geri · Moderator Reputation: 111 Joined: 05 Feb 2010 Posts: 5627

Here is one for the CE 6.1 tutorial, step 2. If the value is lower than 50, it will be set back to 100.

HiSaZuL · Posted: Sat Aug 13, 2011 8:58 pm Post subject:

either im really bad at this or there's a single tiny mistake i keep making and don't see it. what you gave me as template isn't much different from what i was doing yet still doesn't work
using same pinball
code for ball change is "PINBALL.EXE"+175b7 Code:mov [esi+00000146],eax
so the table script is this:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
pushfd
cmp [esi+00000146],(int)3
jg originalcode
mov [esi+00000146],(int)3

originalcode:
popfd
mov [esi+00000146],eax

exit:
jmp returnhere

"PINBALL.EXE"+175B7:
jmp newmem
nop
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"PINBALL.EXE"+175B7:
mov [esi+00000146],eax
//Alt: db 89 86 46 01 00 00

Dark Byte · Posted: Sat Aug 13, 2011 9:08 pm Post subject:

instead of comparing against and writing to [esi+00000146] you must compare and write to eax

That is because the original code does:
mov [esi+00000146],eax

so whatever value you write to esi+146 will immediately get overwritten with the value in eax

so either do:

HiSaZuL · Posted: Sat Aug 13, 2011 9:42 pm Post subject:

thanks geri and dark byte
after some tweaking and explanations i got 2 scripts that do work. and as i thought before i was just making some core dumb mistake of changing esi+146 just so it would get changed by eax anyway -_-

i do have an odd question
in this version:

Dark Byte · Posted: Sat Aug 13, 2011 10:05 pm Post subject:

At that spot in the code injection eax will ALWAYS contain the number of balls

The original code was

Geri · Moderator Reputation: 111 Joined: 05 Feb 2010 Posts: 5627

EAX is not changing until you see an instruction which is actually changing it.
Like mov eax,[xxxxxxxx] or something like that. Registers are not changing by themselves, only when you see a code which is changing it. (Except for EIP which is always pointing to the next instruction thus it is changing by itself without any specific instruction.)