Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
ASM - Replace pointer location string value with static code

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking
DamagedPacket
How do I cheat?
Reputation: 0

Joined: 03 Oct 2010
Posts: 6

PostPosted: Tue Oct 23, 2012 8:57 am    Post subject: ASM - Replace pointer location string value with static code Reply with quote

I have a pointer to a DMA that contains a value of "Hello". I would like to modify the game.DLL to change that value to "GoodBye" at startup.

What I know:

Pointer says:

game.dll + 0004F9D4 (Opcode = enter 445D,09) = 09445DC8 + 4B = 09445E13 <- Contains "Hello"

If I trace what calls game.dll + 0004F9D4, I find game.dll + 1A06, MOV EDI, DWORD PTR DS:[EDI]

So, this is static code in game.dll that references the beginning address of my pointer. If I inject a code cave here, how would I instruct the dll to set the value at the end of my pointer to "Goodbye"? In other words, CE makes it easy to generate a trainer that allows me to change the value of the pointer, but I would like to make this change permanent within the game.dll itself.

Thanks for anyone's suggestions.

Regards,
SteveAndrew
Master Cheater
Reputation: 30

Joined: 02 Sep 2012
Posts: 323

PostPosted: Fri Oct 26, 2012 3:57 pm    Post subject: Reply with quote

Well it looks like that instruction moves 4 bytes of the string at a time into the edi register for whatever it does with the string...

So you're trying to change the string at that address that does something with it, instead of changing the string directly with the pointer separately?

Try something like this: It's an ANSI string right? or is it a wide/unicode string? This will only work for ANSI but with slight modification it would work with unicode instead...

Code:

[enable]
alloc(StringChanger,128)
label(GoodbyeString)
label(StringChangerRet)

StringChanger:
pushad
mov esi,GoodbyeString //esi/source now contains GoodbyeString address
mov edi,[game.dll+4f9d4] //edi = base address the pointer resolves to
lea edi,[edi+4b] //edi/destination now contains dynamic address of 'Hello' string
mov ecx,8 //length of the string (including null terminator)
rep movsb //copy ecx bytes from [esi] to [edi]
popad
mov edi,[edi]
//other instruction(s) you overwrote go here
jmp StringChangerRet

GoodbyeString:
db 'GoodBye',0

game.dll+1a06:
jmp StringChanger
nop //however many nops you need if any
StringChangerRet:

[disable]

game.dll+1a06:
mov edi,[edi]
//any other overwritten instructions go here

dealloc(StringChanger)


The only thing I see is, it will keep making the string that pointer points to 'GoodBye' every time it accesses the string 4 bytes at a time... So you could do a check so it changes the string one time like so:

Code:

[enable]
alloc(StringChanger,128)
label(GoodbyeString)
label(ChangedAlready)
label(RegularCode)
label(StringChangerRet)

StringChanger:
cmp dword ptr [ChangedAlready],1 //already patched? then just run the original code
je RegularCode

pushad
mov esi,GoodbyeString //esi/source = GoodbyeString address
mov edi,[game.dll+4f9d4] //edi = base address the pointer resolves to
lea edi,[edi+4b] //edi/destination = dynamic address of 'Hello' string
mov ecx,8 //length of the string (including null terminator)
rep movsb //copy ecx bytes from [esi] to [edi]
xor dword ptr [ChangedAlready],1 //flag goes 0 -> 1 so this runs only once
popad

RegularCode:
mov edi,[edi]
//other instruction(s) you overwrote go here
jmp StringChangerRet

GoodbyeString:
db 'GoodBye',0

ChangedAlready:
dd 0

game.dll+1a06:
jmp StringChanger
nop //however many nops you need if any
StringChangerRet:

[disable]

game.dll+1a06:
mov edi,[edi]
//any other overwritten instructions go here

dealloc(StringChanger)


Furthermore if you didn't want to have to have the 'GoodBye' string in memory at all you could do something like:

Code:

[enable]
alloc(StringChanger,128)
label(ChangedAlready)
label(RegularCode)
label(StringChangerRet)

StringChanger:
cmp dword ptr [ChangedAlready],1 //already patched? then just run the original code
je RegularCode

push eax
mov eax,[game.dll+4f9d4] //eax = base address the pointer resolves to
lea eax,[eax+4b] //eax = dynamic address of 'Hello' string

mov [eax],'Good' //first 4 bytes
mov [eax+4],'Bye' //last 3 bytes, CE pads the null terminator

xor dword ptr [ChangedAlready],1 //flag goes 0 -> 1 so this runs only once
pop eax

RegularCode:
mov edi,[edi]
//other instruction(s) you overwrote go here
jmp StringChangerRet

ChangedAlready:
dd 0

game.dll+1a06:
jmp StringChanger
nop //however many nops you need if any
StringChangerRet:

[disable]

game.dll+1a06:
mov edi,[edi]
//any other overwritten instructions go here

dealloc(StringChanger)


CE is smart enough to put the null byte after 'Bye' when we directly modified it like that...

Something to note: if you're not using CE you'll have to write the string in reverse order and make sure that last byte is null yourself like this:

Code:

mov [eax],'dooG' //immediate is little-endian, so this writes "Good"
mov [eax+4],'xeyB' //writes "Byex", the 'x' is a placeholder
mov byte ptr [eax+7],0 //turn the placeholder into the null terminator


I used 'x' as a placeholder in the Bye so that you could still copy it as a dword/4 bytes, then make that 'x' byte into a null byte with the last instruction... Not doing that, it would have to be like this maybe:

Code:

mov [eax],'dooG' //writes "Good"
mov word ptr [eax+4],'yB' //writes "By"
mov byte ptr [eax+6],'e' //writes "e"
mov byte ptr [eax+7],0 //null terminator


But don't write it backwards if using CE, that's only if you're not using CE and using MASM perhaps, or C++ inline assembler for example...

And just to cover all bases, say you didn't even want to use that pointer you found in order to change this and / or you only want to change that string if it equals 'Hello'

Try this:
Code:

[enable]
alloc(StringChanger,128)
label(RegularCode)
label(StringChangerRet)

StringChanger:
cmp [edi],'Hell' //only patch if the string currently starts with "Hell"
jne RegularCode

mov [edi],'Good'
mov [edi+4],'Bye' //CE pads the null terminator

RegularCode:
mov edi,[edi]
//other instruction(s) you overwrote go here
jmp StringChangerRet

game.dll+1a06:
jmp StringChanger
nop //however many nops you need if any
StringChangerRet:

[disable]

game.dll+1a06:
mov edi,[edi]
//any other overwritten instructions go here

dealloc(StringChanger)


LOL I think this is the most ways I've explained something so simple, forgive me! haha

Hopefully I didn't make any typos! Very Happy

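Added example, not from the thread: the little-endian immediate rule behind 'dooG'/'xeyB' above, generalized to any ANSI string. It splits the NUL-terminated string into dword/word/byte stores, prints the MASM-style literals (hex when a chunk contains the NUL), simulates the writes, and checks whether the new string fits in the old one's footprint, since "GoodBye" plus NUL is 8 bytes while "Hello" plus NUL is 6. Function names are my own.

```python
# Constructed helper: encode an in-place ANSI string overwrite as
# little-endian immediate stores, the way a non-CE assembler needs them.
SIZES = ((4, "dword ptr"), (2, "word ptr"), (1, "byte ptr"))

def store_plan(new):
    """Split new + NUL into the fewest dword/word/byte stores.
    Returns (offset, size keyword, immediate text, immediate value) tuples.
    The immediate is the chunk read as a little-endian integer, so written as
    a character literal the letters appear reversed ('dooG' stores "Good").
    A chunk containing NUL or a quote is emitted as a hex immediate instead."""
    data = new.encode("ascii") + b"\x00"
    plan, off = [], 0
    while off < len(data):
        width, kw = next(s for s in SIZES if off + s[0] <= len(data))
        chunk = data[off:off + width]
        imm = int.from_bytes(chunk, "little")
        if all(0x20 <= b < 0x7F and b != 0x27 for b in chunk):
            text = "'" + chunk[::-1].decode("ascii") + "'"
        else:
            text = "0x%0*x" % (width * 2, imm)
        plan.append((off, kw, text, imm))
        off += width
    return plan

def as_asm(plan, base="eax"):
    """Render the plan as MASM-style mov instructions relative to base."""
    return ["mov %s [%s+%x],%s" % (kw, base, off, text) for off, kw, text, _ in plan]

def apply_plan(buf, plan, at=0):
    """Simulate the stores on a bytearray exactly as the CPU would write them."""
    widths = {kw: w for w, kw in SIZES}
    for off, kw, _, imm in plan:
        w = widths[kw]
        buf[at + off:at + off + w] = imm.to_bytes(w, "little")
    return bytes(buf)

def fits(old, new):
    """True if new + NUL does not exceed old + NUL; a longer string written in
    place runs past the old string's last byte into whatever follows it."""
    return len(new.encode("ascii")) + 1 <= len(old.encode("ascii")) + 1

if __name__ == "__main__":
    plan = store_plan("GoodBye")
    print("\n".join(as_asm(plan)))
    print(apply_plan(bytearray(8), plan))
    print("fits in the 'Hello' footprint:", fits("Hello", "GoodBye"))
```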
DamagedPacket
How do I cheat?
Reputation: 0

Joined: 03 Oct 2010
Posts: 6

PostPosted: Fri Nov 09, 2012 1:36 pm    Post subject: Reply with quote

That's great info and detail. The biggest revelation is the fact you pointed out that it reads the string 4 bytes at a time. I should figure out how to calculate the DMA at run time and then just add an instruction to overwrite the contents.

Thanks for all the great examples!