 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
KFUPM
How do I cheat?
![]() Reputation: 0
Joined: 02 Mar 2012
Posts: 6
Location: KSA
|
 Posted: Tue Mar 06, 2012 1:46 pm Post subject: problem finding the pointer at level 3 |
 |
|
hi,
Iwas wondering if CE can find all addresses if I search about a value. because sometimes when I put a random address & search about it's value I coudlnt find it.
I was working to hack a game but I couldn't. I don't know what is the problem. I hope you guys will figure out.
I first searched about the shown value. after I changed the value I come up with two similer values as the shown one. then I find what accesses that addresses I got these offsets:
for the first value: 84 - 64 - 7c - x
for the second: 30 - x
after the 7c & 30 I get the same values "for the pointers" but I can't get any more addresses accessing that address!!!
anyone have any idea about that??
I've read many topics before writing this post. i think most similer problems peaple suggest noping the code -- what does that mean?
thanks 
|
|
| Back to top |
|
 |
blackbitshines75
How do I cheat?
![]() Reputation: 0
Joined: 06 Mar 2012
Posts: 3
|
| Posted: Tue Mar 06, 2012 2:00 pm Post subject: Re: problem finding the pointer at level 3 |
|
|
| KFUPM wrote: | hi,
Iwas wondering if CE can find all addresses if I search about a value. because sometimes when I put a random address & search about it's value I coudlnt find it.
I was working to hack a game but I couldn't. I don't know what is the problem. I hope you guys will figure out.
I first searched about the shown value. after I changed the value I come up with two similer values as the shown one. then I find what accesses that addresses I got these offsets:
for the first value: 84 - 64 - 7c - x
for the second: 30 - x
after the 7c & 30 I get the same values "for the pointers" but I can't get any more addresses accessing that address!!!
anyone have any idea about that??
I've read many topics before writing this post. i think most similer problems peaple suggest noping the code -- what does that mean?
thanks |
Sorry I'm a newbe
Once in the list on the bottom the pointer to the value you found. Press with right button and select "Find out what writes to this address".
Once done, execute the app, wait until value changes. Then return to CE, and look to the list of pointers. Select one, and there is a Button with "Replace", this button it changes the code of modifying the value you searched, with another that does nothing. In assembler a NOP instruction is one that does nothing, just waits the cicle of the CPU to end. Noping is filling the instruction in memory that reduces/increments the value, with another one that maintains the previous value, allowing for instance to gain the GOD mode if it were the life of the hero in the game.
_________________
I do what I can, may be a bit less |
|
| Back to top |
|
|
KFUPM
How do I cheat?
![]() Reputation: 0
Joined: 02 Mar 2012
Posts: 6
Location: KSA
|
| Posted: Tue Mar 06, 2012 2:18 pm Post subject: |
|
|
thank you for replying but that is a dynamic address so if i restart the game the address will change.
the code that writes to the first address:
0D1B8FE1 - 8B 5D BC - mov ebx,[ebp-44]
0D1B8FE4 - 8B 45 A4 - mov eax,[ebp-5C]
0D1B8FE7 - 89 88 84000000 - mov [eax+00000084],ecx <<
0D1B8FED - 8B 50 08 - mov edx,[eax+08]
0D1B8FF0 - 8B 8A D0020000 - mov ecx,[edx+000002D0]
EAX=078250E8
EBX=00000235
ECX=00000235
EDX=026BD3D2
ESI=07E3AF10
EDI=0AAC3F70
ESP=002EEB80
EBP=002EEBF8
EIP=0D1B8FED
for the second:
0C540A84 - FF D0 - call eax
0C540A86 - 83 C4 10 - add esp,10
0C540A89 - 89 5E 30 - mov [esi+30],ebx <<
0C540A8C - C7 45 D0 00000000 - mov [ebp-30],00000000
0C540A93 - E9 A3000000 - jmp 0C540B3B
EAX=00000004
EBX=00000235
ECX=002EEC48
EDX=00400402
ESI=07E3AF10
EDI=0AAC3F70
ESP=002EEC10
EBP=002EECA8
EIP=0C540A8C
|
|
| Back to top |
|
|
blackbitshines75
How do I cheat?
![]() Reputation: 0
Joined: 06 Mar 2012
Posts: 3
|
| Posted: Wed Mar 07, 2012 5:51 am Post subject: |
|
|
| KFUPM wrote: | thank you for replying but that is a dynamic address so if i restart the game the address will change.
the code that writes to the first address:
0D1B8FE1 - 8B 5D BC - mov ebx,[ebp-44]
0D1B8FE4 - 8B 45 A4 - mov eax,[ebp-5C]
0D1B8FE7 - 89 88 84000000 - mov [eax+00000084],ecx <<
0D1B8FED - 8B 50 08 - mov edx,[eax+08]
0D1B8FF0 - 8B 8A D0020000 - mov ecx,[edx+000002D0]
EAX=078250E8
EBX=00000235
ECX=00000235
EDX=026BD3D2
ESI=07E3AF10
EDI=0AAC3F70
ESP=002EEB80
EBP=002EEBF8
EIP=0D1B8FED
for the second:
0C540A84 - FF D0 - call eax
0C540A86 - 83 C4 10 - add esp,10
0C540A89 - 89 5E 30 - mov [esi+30],ebx <<
0C540A8C - C7 45 D0 00000000 - mov [ebp-30],00000000
0C540A93 - E9 A3000000 - jmp 0C540B3B
EAX=00000004
EBX=00000235
ECX=002EEC48
EDX=00400402
ESI=07E3AF10
EDI=0AAC3F70
ESP=002EEC10
EBP=002EECA8
EIP=0C540A8C |
I'm afraid I can't help more. All I know about this is:
first pointner:
- EBP is a pointer to the Stack (Nothing to do with the thing you ask)
- We need to know which instructions affect de CX (Try option Disassembly in the list of pointers that affect the memory position). In the previous 2 instructions don't see what happens to cx
- Is it 235H the value you try to change? You can try 'noping' the instruction of the move, by putting NOP operation in the dissasembler o 'Replace' in the window with accesses to the pointer. If you can affect the result, may be you can try to change the instruction of assigning cx instead of a pointer to a constant value, but I'm not sure of the instruction to put, it can be something like mov ecx, edi (edi is well above 0)
second pointer:
- We don't have how the ebx is filled. May be the call (N) fills the ebx value. You can try to follow the call to see what it does before the ret, and try to change the ebx to a convinient value.
I hope you understand that I have no idea to do what I'm saying. I have no experience in translating code to assembler and I don't understand the purpose of each instruction in the disassembly window. But I'm trying to learn by exposing ideas and receiving feedback. So take this with a grain of salt (Not sure if it is the correct expression for this situation).
To make the change permanent I suppous you need tools like HexWorkshop and find and replace the positions with the new codes. I have never tried. Don't know how to calculate the positions ... may be the EIP has the offset since the beginning of the file. In the old "com" files worked I think, but the "new" exe files have a structure.
Cheers
_________________
I do what I can, may be a bit less |
|
| Back to top |
|
|
Fresco
Grandmaster Cheater
![]() Reputation: 4
Joined: 07 Nov 2010
Posts: 600
|
| Posted: Wed Mar 07, 2012 11:57 am Post subject: |
|
|
to find the pointer of the first address
you have to:
find out the code that accesses the first address
if you find this:
0D1B8FE7 - 89 88 84000000 - mov [eax+00000084],ecx <<
EAX=078250E8
EBX=00000235
ECX=00000235
EDX=026BD3D2
ESI=07E3AF10
EDI=0AAC3F70
ESP=002EEB80
EBP=002EEBF8
EIP=0D1B8FED
then you'll see here that this is the address you searched the codes for
[eax+00000084]
since EAX=078250E8
078250E8+00000084 = 0782516C
0782516C ths was the address you searched the code for
so eax is the "base pointer" (the value in hex (4bytes) of the next pointer)
so search for 078250E8
pick a random result and then continue ... what accessed that address etc...
ah ... and you might want to write down the offsets you find
078250E8+00000084 = 0782516C
in this case base=078250E8 offset=00000084
you need the pointer because eax can change at that location next "game restart"
if you find something like this
0D1B8FE7 - 89 88 84000000 - mov [eax+ebx*4],ecx <<
EAX=078250E8
EBX=00000235
ECX=00000235
EDX=026BD3D2
ESI=07E3AF10
EDI=0AAC3F70
ESP=002EEB80
EBP=002EEBF8
EIP=0D1B8FED
the base will still be eax (in almost all cases the top left register is the "value of the pointer needed....")
[eax+ebx*4]
offset is ebx*4
EBX=00000235
offset is 235*4
do it with a HEX calculator not decimal
235*4=8D4 in hex
235*4=940 in dec
so you see it's not the same
_________________
... Fresco |
|
| Back to top |
|
|
KFUPM
How do I cheat?
![]() Reputation: 0
Joined: 02 Mar 2012
Posts: 6
Location: KSA
|
| Posted: Wed Mar 07, 2012 2:28 pm Post subject: |
|
|
thanks to all of you
I'll put another post to clear this problem.
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
