Cheat Engine: The Official Site of Cheat Engine
corky12831 (How do I cheat?)
Reputation: 0
Joined: 06 Nov 2012, Posts: 7
Posted: Tue Nov 06, 2012 6:10 pm, Post subject: need some help
Solved. Thanks again, man.
Last edited by corky12831 on Mon Nov 12, 2012 9:44 am; edited 1 time in total |
corky12831 (How do I cheat?)
Reputation: 0
Joined: 06 Nov 2012, Posts: 7
Posted: Fri Nov 09, 2012 11:52 pm
Anyone? Please.
SteveAndrew (Master Cheater)
Reputation: 30
Joined: 02 Sep 2012, Posts: 323
Posted: Sat Nov 10, 2012 1:54 am, Post subject: Re: need some help
corky12831 wrote:

Hi, I just made this account after reading some auto assembler tutorials, so I started out and found this so far, and I've got some questions. A few games I've been trying to do this on: Warcraft 3 (not online) and Dwarf Fortress, to modify values of dwarfs' stats. But yeah, I hope you guys can help.

Original code:

fstp dword ptr [edi+eax*8+04]
pop edi

Now what I want to do with this is have EAX, which would be the "stored value" ("The Accumulator register. It can also be used as storage." <). Now I know pop EDI means it is going to take the value that is in EDI ("transfer the number") to something, but what I want to do is add the value of, I dunno, 10 or something, so EAX now reads EAX.

Code:
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
label(amount)
label(type_coins)
newmem:
pushad
mov [amount],(float)10 // the amount I want EAX to be
push [amount]
push type_coins
push 01
add esp,0c
popall
mov eax,-1000 // I am under the impression that this is the problem.
originalcode:
fstp dword ptr [edi+eax*8+04] // the code I need to edit.
pop edi
exit:
jmp returnhere
amount:
db 00 00 00 00
type_coins:
db 'coins'
db 00

This above is the code I have so far. I just wonder how I would make it so I have 10 in EAX; any tips or help? Forgot to add the fact that right now all it does is freeze the value at its current state (5), and if I build something or sell something it remains at one but still spends the coins, so I'm not sure what I did wrong =(

So in a nutshell I want edi+eax*8+04 < to edit this so that it will

newmem:
pushad
mov [amount],(float)10

accept this.
Okay, here's what's wrong... You are not actually even modifying the value at all. [edi+eax*8+4] is the memory location where your value is located (whatever it is: lives/health/money etc.).
EAX is not where your value is stored, so moving '-1000' into EAX doesn't do anything except throw off the offset (EAX is being used as an offset here).
What that's doing here is taking the value of EDI and adding it to the value of EAX multiplied by eight, with four added to it after that... That gets to the memory location where the real value is actually stored...
As you can see, -1000 multiplied by 8 is equal to FFFF8000 (which is a negative number), and that negative number is used in the calculation of the address... So it throws it off, and the original instruction 'fstp dword ptr [edi+eax*8+4]' does not even write ANYTHING to your value's address (to make it change / be modified to your desired 'amount'); you are writing to a completely wrong and different address, which will give unexpected results (possibly a crash), since you screwed EAX... That explains why it just 'freezes' your value at whatever you had, since it changed the game's code which wrote to it correctly before and made it not write to it at all (at least from this location you hooked... it could still be modified elsewhere, like you've experienced). If you want your value to be changed to your desired value when you lose some normally (buy something, lose a life, etc.), then do a 'find what writes' and buy something, or whatever, and the code should come up that's writing to it on decrease; make your hook there instead!
So to fix it, try something like this:
Replace 'XXXXXXXX' with the hook address, the actual address where 'fstp dword ptr [edi+eax*8+4]' is located.
Change the line 'dd (float)10' to the desired value; that is the value it will set...
Code:
[enable]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
label(amount)
label(DummyMemoryLocation)
newmem:
//Pop off original value from the FPU stack into somewhere that doesn't matter
fstp dword ptr [DummyMemoryLocation]
//Load desired value into the top of the FPU stack
fld dword ptr [amount]
originalcode:
//Pops off our newly loaded value, and moves it into the dynamic memory address
//Of your game's value you are modifying...
fstp dword ptr [edi+eax*8+04] // the code that needs to stay the same ;)
pop edi
exit:
jmp returnhere
amount:
dd (float)10
DummyMemoryLocation:
dd 0
XXXXXXXX:
jmp newmem
returnhere:
[disable]
XXXXXXXX:
fstp dword ptr [edi+eax*8+04]
pop edi
dealloc(newmem)
It looked like you had extra junk in there which wasn't necessary:
Code:
push [amount]
push type_coins
push 01
add esp,0c

That isn't really doing anything. I see what you were going for, but you needed to have a 'call SomeFunction' like 'call SetCoinAmount' after pushing in the final parameter (which happens to be the first parameter, '01'; parameters are pushed onto the stack in reverse order). It's really unnecessary to make a call like that in this case, though, so I wouldn't recommend doing it like that.
That was basically equivalent to this (which you can see doesn't really do anything):
Code:
sub esp,0c
add esp,0c
The key to the problem is understanding what the FSTP instruction is actually doing.
What it does is pop the value off of the top of the FPU stack, which is a completely different stack than the standard stack (pointed to by the ESP register), and place it into the memory location specified... It's the extended floating point stack... You can see this extended stack by clicking ->S after clicking 'more info' after doing a 'find what accesses or writes', then select FPU from the drop down list, and from the second drop down select 'Extended'; or when you've set a breakpoint and are single stepping through code, and there are other times you can click it too.
The top shown floating point is the top of the stack, known as ST0...
So we get rid of the value that's on the top of the stack and put it somewhere unimportant (we remove that value like the game would've originally done, so as not to screw up the extended stack). Remember, just like you had to add to ESP to remove some left over junk on the stack, here we still want to remove that original value that the game was originally going to set it to; it's the same reason why we are leaving the 'pop edi' instruction which is overwritten, to not screw up the stack (though again, the stack where you push and pop and deal with ESP is different from these extended floating point registers!).
Then we load our desired value/amount using 'FLD', which can basically be thought of as 'floating point load', which loads your value and puts it on the top of the stack; you can't load a value directly, it has to be a memory location.
Then when the original code executes ('fstp dword ptr [edi+eax*8+4]' and 'pop edi'), it pops the value we just loaded with 'fld' and places it into the memory location, which affects the real value...
This should work to give you 10 always. Depending on which hook location you've chosen, you might get 10 when you normally would, for example, lose some... or maybe you hooked somewhere that constantly reads from the address, in which case it would take effect instantly (not requiring you to lose some first to trigger the value to be modified to 10 or whatever, but it's also constantly setting the value, which may not always be what you want).
Some people will say it's fine to just use something like 'mov [edi+eax*8+4],(float)10'.
And since we don't need to do any arithmetic with floating points (adding one float to another, say, for example), and we are just setting the value, this can work. HOWEVER, we can't forget to pop that undesired value off the top of the extended FPU stack, as it's just sitting there and will screw up the extended stack if you don't remove it (possibly causing a crash). Even if you go with the 'mov' instruction instead, don't forget to still FSTP that value off the floating point stack!
So under newmem it would look like this (going the 'mov' route):
Code:
newmem:
//This line would stay
fstp dword ptr [DummyMemoryLocation]
//fld instruction removed...
//since were just going to do a 'mov' now
Then change the 'fstp dword ptr [edi+eax*8+4]' line, which is the main original instruction, into 'mov [edi+eax*8+4],(float)10'! Doing so will have the same effect.
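Added example, not code from the thread or from Cheat Engine: a small C model of the two points SteveAndrew's answer turns on, the 32-bit wrap-around of [edi+eax*8+4] when EAX is negative, and the x87 register-stack bookkeeping that the 'fstp [DummyMemoryLocation]' line preserves. The eight-slot stack, the coin slot index and the 5/10 sample values are constructed assumptions.

```c
#include <stdint.h>
/* Constructed model: an 8-slot x87 register stack (the last pushed entry is ST0)
   and a small dword "game memory". It mirrors the stack discipline the
   auto-assembler script must respect, not any real game or Cheat Engine code. */
enum { X87_DEPTH = 8, MEM_DWORDS = 16, COIN_SLOT = 3 };
typedef struct { float st[X87_DEPTH]; int count; int overflowed; } x87_stack;
static void x87_push(x87_stack *s, float v) {
    if (s->count == X87_DEPTH) { s->overflowed = 1; return; } /* real CPU: stack fault */
    s->st[s->count++] = v;
}
static float x87_pop(x87_stack *s) { return s->count ? s->st[--s->count] : 0.0f; }
/* Effective address of [edi+eax*8+4], wrapping modulo 2^32 as the CPU does:
   a negative eax (e.g. -1000 hex = 0xFFFFF000) moves the write far from EDI. */
uint32_t ea_coin_slot(uint32_t edi, uint32_t eax) {
    return (uint32_t)(edi + eax * 8u + 4u);
}
typedef enum { HOOK_NONE, HOOK_FSTP_FLD, HOOK_MOV_WITH_POP, HOOK_MOV_NO_POP } hook_mode;
/* One pass through the hooked write. The game has already pushed the balance
   it intends to store (game_value); `amount` is the script's desired value. */
static float run_hook(hook_mode mode, x87_stack *fpu, float *mem,
                      float game_value, float amount) {
    x87_push(fpu, game_value);                 /* game: new balance -> ST0 */
    if (mode == HOOK_FSTP_FLD) {               /* fstp [Dummy]; fld [amount] */
        (void)x87_pop(fpu);
        x87_push(fpu, amount);
    } else if (mode != HOOK_NONE) {            /* 'mov' route replaces the fstp */
        if (mode == HOOK_MOV_WITH_POP) (void)x87_pop(fpu); /* fstp [Dummy] kept */
        mem[COIN_SLOT] = amount;               /* mov [edi+eax*8+4],(float)10 */
        return mem[COIN_SLOT];                 /* HOOK_MOV_NO_POP leaves ST0 behind */
    }
    mem[COIN_SLOT] = x87_pop(fpu);             /* fstp dword ptr [edi+eax*8+04] */
    return mem[COIN_SLOT];
}
/* Coin value the game sees after one hooked write (game wants 5, script wants 10). */
float coins_after(hook_mode mode) {
    x87_stack fpu = {0}; float mem[MEM_DWORDS] = {0};
    return run_hook(mode, &fpu, mem, 5.0f, 10.0f);
}
/* Does the x87 stack overflow after `calls` hooked writes? Returns 1 if so. */
int stack_overflows_after(hook_mode mode, int calls) {
    x87_stack fpu = {0}; float mem[MEM_DWORDS] = {0};
    for (int i = 0; i < calls; i++) run_hook(mode, &fpu, mem, 5.0f, 10.0f);
    return fpu.overflowed;
}
```

Both 'fstp+fld' and 'mov with the dummy fstp' leave the stack balanced after any number of writes; the 'mov' route without the dummy fstp leaks one entry per write and overflows the eight-slot stack on the ninth.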
corky12831 (How do I cheat?)
Reputation: 0
Joined: 06 Nov 2012, Posts: 7
Posted: Sat Nov 10, 2012 10:51 pm
Thanks very much.