Cheat Engine The Official Site of Cheat Engine

Fresco (Grandmaster Cheater)
Posted: Thu Feb 23, 2012 11:03 am
Post subject: is it possible to track all values of any address?

Cheat Engine is able to find out what addresses that instruction wrote to or accessed.

Now my code writes to "this address" a special value with which it is possible to activate a feature (give the player max ammo), but then the code immediately writes 0 to that address; otherwise the player would continuously receive ammo.

I tried guessing which value it is... but the game crashes with some values... so I need to know exactly that special value.

Is it possible to know all possible values that "that address" had during the tracking time?

Dark Byte (Site Admin)
Posted: Thu Feb 23, 2012 11:58 am

Not by default with CE, no, but you could do a code injection at that spot and make it write down all the unique values it writes to a buffer you have allocated.

Then after a while check that buffer for the values.

Alternatively, you could write a Lua script that sets a breakpoint at that address and records all the register states.
 _________________
 Do not ask me about online cheats. I don't know any and wont help finding them.
 
 

Fresco (Grandmaster Cheater)
Posted: Thu Feb 23, 2012 2:25 pm

I have just started to understand CE AA.

It'll be like this?
 
Code:
[ENABLE] // enable tracking
//track in newmem the values
alloc(newmem,2048)
label(newmem4byteinc)

newmem:
inc dword ptr newmem4byteinc

// eax is the register i want to track
push ebx
lea ebx,[newmem+newmem4byteinc]

// value of ebx (address of newmem) will increase every time the code is run with 4 bytes (the max length of any x32 register)
mov dword ptr [ebx],eax // store the tracked value
inc word ptr newmem4byteinc //the new address should be x + 6 bytes
inc word ptr ebx // give space for 2bytes (new line ascii)
mov ebx,0D0A // 0D0A // the hex value for (new line) in ascii
pop ebx
//run originalcode
ret

newmem4byteinc:
dd 0

"game.exe"+offset: // address location of the register i want to track
call newmem
nop // various nops

[DISABLE] // disable tracking
// notes I'm not deallocating newmem to be able to copy the hex paste into a hex editor and have the result file a txt with all eax values tracked down
"game.exe"+offset:
//originalcode
 
 
Will this code work?

Also, if you have some good tutorials on Lua and advanced conditional breaking ... please post some links.

Thank you

[EDIT]

What's the problem with this script ... it won't activate in the CE table
 
 
Code:
[ENABLE]
alloc(newmem,2048)
label(newmem4byteinc)
label(returnhere)

newmem:
mov ebp,[edi+00000144] // originalcode
push eax
lea eax,[newmem+newmem4byteinc] // make eax = address newmem+loopnumber(+4)
mov dword ptr [eax],ebp // track ebp values into newmem
add word ptr [newmem4byteinc],2 //give 2byte for ascii "new line"
inc eax
inc eax
mov [eax],0D0A // write in newmem+loopnumber(+4)+newline(+2) // ascii new line
add dword ptr [newmem4byteinc],4 // increase loopnumber (newmem offset)
pop eax
jmp returnhere

newmem4byteinc:
dd 0

"game.exe"+base:
jmp newmem
nop
returnhere:

[DISABLE]
"game.exe"+base:
mov ebp,[edi+00000144]
 
 
If I try to execute it ... it says (X) Invalid Address

Dark Byte (Site Admin)
Posted: Thu Feb 23, 2012 5:43 pm

First of all, what do you think will happen when more than 510 write operations happen?

Place a check in for that so it starts from the beginning.

Also,

Code:
lea eax,[newmem+newmem4byteinc]

is invalid.

newmem is the address of newmem and newmem4byteinc is the address of newmem4byteinc.

As for the 0d0a stuff you're placing in the code, that's just not going to work like that and will only make things harder. The hexview in CE can show in 4 byte decimal and 4 byte hex.

I was thinking more like:
 
Code:
[ENABLE]
alloc(newmem,2048)
alloc(offset,4)
alloc(buffer,2044)

label(returnhere)
label(normallog)

offset:
dd 0

newmem:
mov ebp,[edi+00000144] // originalcode

push eax
mov eax,buffer //eax gets the address of the buffer
add eax,[offset] //increase the address of the buffer with the current offset
cmp eax,buffer+2040 //check if the buffer has reached the end of the list
jb normallog
//end of the list reached
mov [offset],0 //start from the start
mov eax,buffer

normallog:
mov [eax],ebp
add [offset,4]

pop eax

jmp returnhere

"game.exe"+base:
jmp newmem
nop
returnhere:

[DISABLE]
"game.exe"+base:
mov ebp,[edi+00000144]

dealloc(newmem)
dealloc(offset)
dealloc(buffer)
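
The wrap check asked for in the reply above ("what happens when more than 510 write operations happen"), modelled in C as an added example that is not code from the thread: `log_value` follows the same compute/compare/wrap/store/advance order as the injected stub over a 2040-byte region. `log_unique` is an assumed variant for the "unique values" idea from the earlier reply; the struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_BYTES 2040u                 /* region the stub writes: buffer .. buffer+2040 */
#define SLOTS     (BUF_BYTES / 4u)      /* 510 dword slots */

struct tracker {
    uint32_t offset;                    /* byte offset of the next slot ("offset" in the script) */
    uint32_t buffer[SLOTS];
};

/* Same order of operations as the stub: check for the end of the region,
   wrap if it was reached, store the value, then advance by 4 bytes. */
static void log_value(struct tracker *t, uint32_t value)
{
    if (t->offset >= BUF_BYTES)         /* cmp eax,buffer+2040 / jb normallog */
        t->offset = 0;                  /* start from the start */
    t->buffer[t->offset / 4u] = value;  /* mov [eax],ebp */
    t->offset += 4u;                    /* add [offset],4 */
}

/* Assumed variant: store a value only the first time it is seen.
   Returns 1 if stored, 0 if already present, -1 if the buffer is full
   (no wrap here, so nothing already recorded is overwritten). */
static int log_unique(struct tracker *t, uint32_t value)
{
    uint32_t used = t->offset / 4u;
    for (uint32_t i = 0; i < used; i++)
        if (t->buffer[i] == value)
            return 0;
    if (used == SLOTS)
        return -1;
    t->buffer[used] = value;
    t->offset += 4u;
    return 1;
}

int main(void)
{
    struct tracker t;
    memset(&t, 0, sizeof t);
    for (uint32_t v = 1; v <= 511; v++) /* constructed input: 511 logged writes */
        log_value(&t, v);
    printf("slot0=%u offset=%u\n", (unsigned)t.buffer[0], (unsigned)t.offset);
    return 0;
}
```

With the plain ring buffer the 511th write replaces the oldest entry, so a rarely written value can be lost if the buffer is not inspected in time; the unique variant trades that for a linear scan on every write.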

Fresco (Grandmaster Cheater)
Posted: Fri Feb 24, 2012 10:15 am

Thank you for replying,

but looks like the code returns an error:

Code:
normallog:
mov [eax],ebp
add [offset,4]   //here

//i changed it to:
add offset,4
//and also tried
add [offset],4       // this one works but doesn't return ebp in [eax]
//both don't work ...

I really have no clue on how to make this work.

Quote:
alternatively, you could write a lua script that sets a breakpoint at that address and records all the register states

Do you have any Lua tutorials?

Dark Byte (Site Admin)
Posted: Fri Feb 24, 2012 11:01 am

				add [offset],4  should have worked, check the address of offset and confirm it's changing
 
 
 
as for lua, based on this: ( http://forum.cheatengine.org/viewtopic.php?t=530032 )
 
Modify the count or replace the count system with a unique list if 10 isn't good enough
 
Code:
breakAddress=getAddress('"game.exe"+base+6'); --I recommend placing the breakpoint AFTER mov ebp,....

count=0;

function debugger_onBreakpoint()
  if (EIP == breakAddress) then
    count = count + 1

    print("Value="..EBP);
    if count>=10 then
      debug_removeBreakpoint(breakAddress);
    end

    return 1 --I handled it so don't tell the user
  else
    return 0 --unexpected breakpoint, show the user
  end
end

debug_setBreakpoint(breakAddress);

also, are you sure this game uses ebp to store simple values?