Cheat Engine The Official Site of Cheat Engine
The0neThe0nly Expert Cheater Reputation: 0
Joined: 08 Dec 2009 Posts: 119 Location: In a box
Posted: Sun May 12, 2013 8:57 pm    Post subject: CMP Issue
In my game there is a function that generates multiple strings and I want to change one of them. Normally, I use breakpoints. But I'm going to make a Lua Trainer and make it automated. However, I'm having an issue with my AA code. It's supposed to compare ESI to a certain string, and if that string matches ESI then it moves another string into EDX. After that, it runs the original code at 004DAE3A and jumps to 004DAE43. If ESI does not match the string, it jumps over the part that moves the string into EDX and runs the original code at 004DAE3A and jumps to 004DAE43. However, when I breakpoint the mov that moves the string into EDX, I get no results even though I know that the location string is the same as ESI at one point when the function is run. Help?
Code:
    alloc(newmem,2048)
    alloc(string,2048)
    alloc(location,2048)
    label(goto)
    location:
    db 47 65 6e 65 72 61 6c
    string:
    db 54 65 73 74 69 6e 67
    newmem:
    cmp esi,location
    jne goto
    mov edx,string
    goto:
    lea esp,[esp+30]
    call 004F6730
    jmp 004DAE43
    004DAE3A:
    jmp newmem
    nop
    nop
    nop
    nop
Gniarf Grandmaster Cheater Supreme Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Sun May 12, 2013 10:00 pm    Post subject: Re: CMP Issue
The0neThe0nly wrote:
    It's supposed to compare ESI to a certain string, and if that string matches ESI then it moves another string into EDX.
You seem to think ESI contains your string, but remember, ESI is a 32-bit = 4-byte register, so there is not enough room to store a string in a register (unless it is 4 characters long or less). When your debugger displays 'esi= 123456= "General"' it means that the string "General" is at address 123456, and esi contains a pointer to that string.
What your code currently does is to check if the string in esi is at the address location.
If you want to compare the actual characters of 2 strings there are 2 methods:
1-The quick and dirty:
Code:
    alloc(newmem,2048)
    label(string) //no need to alloc more memory for those, just put them at the end of your code
    label(goto)
    newmem:
    cmp dword [esi],'Gene' //see if the first 4 characters of the string pointed to by esi are 'Gene'
    jne goto
    cmp dword [esi+4],'ral' //see if the last 4 characters of the string pointed to by esi are 'ral' then 0
    jne goto
    mov edx,string //move into edx the ADDRESS of the string "Testing"
    goto:
    lea esp,[esp+30]
    call 004F6730
    jmp 004DAE43
    string:
    db 'Testing',0 //don't forget the ,0 to mark the end of your strings
    004DAE3A:
    jmp newmem
    nop
    nop
    nop
    nop
2-The clean way (has several variants):
Code:
    alloc(newmem,2048)
    label(string) //no need to alloc more memory for those, just put them at the end of your code
    label(location)
    label(goto)
    newmem:
    push eax //save eax
    push esi //second parameter for lstrcmpA
    push location //first parameter for lstrcmpA
    call kernel32.lstrcmpA //will return 0 (in eax) if both strings are identical (case sensitive)
    //note: on Win32, ecx and edx are caller-saved too, so the call may change them as well as eax
    test eax,eax //same as: cmp eax,0
    jne goto //je goto
    mov edx,string
    goto:
    pop eax //restore saved eax
    lea esp,[esp+30]
    call 004F6730
    jmp 004DAE43
    location:
    db 'General',0 //don't forget the ,0 to mark the end of your strings
    string:
    db 'Testing',0
    004DAE3A:
    jmp newmem
    nop
    nop
    nop
    nop
The0neThe0nly Expert Cheater Reputation: 0
Joined: 08 Dec 2009 Posts: 119 Location: In a box
Posted: Sun May 12, 2013 11:17 pm
Thanks Gniarf it seems to be working, but when I do
it doesn't work properly. When I tried
the game crashed, but when I made a breakpoint and looked at edx after the mov, it doesn't move the string the right way. How do I move the string into the value of edx?
I used the dirty way, by the way.
Gniarf Grandmaster Cheater Supreme Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Mon May 13, 2013 1:34 pm
Code:
    mov dword [edx], 'Test'
    mov dword [edx+4], 'ing'
or
Code:
    push eax
    push string
    push edx
    call kernel32.lstrcpyA //copies the content of "string" into the string pointed to by edx
    pop eax
Now what do you think you did there? I'm not asking what you wanted to do, I'm asking you to take your time, look back at what you have written, and try to understand what this instruction actually does. (I don't take "no idea" for an answer)
Some questions to help you:
-In your case, what is edx? What is [edx]?
-What is "string"?
The0neThe0nly Expert Cheater Reputation: 0
Joined: 08 Dec 2009 Posts: 119 Location: In a box
Posted: Mon May 13, 2013 5:00 pm
Thanks again for the reply. I want to move something much larger now, but it would be way too annoying to just do
Code:
    mov dword [edx], 'Test'
    mov dword [edx+4], 'ing'
every time. I tried your other way by the way (the one that calls kernel32.lstrcpyA), but it wasn't working. Is there any efficient way to move a much longer (629 characters) string?
Quote:
    I'm not asking what you wanted to do, I'm asking you to take your time, look back at what you have written, and try to understand what this instruction actually does. (I don't take "no idea" for an answer)
    Some questions to help you:
    -In your case, what is edx? What is [edx]?
    -What is "string"?
I believe it moves the address of the string to the value of the address at edx. I realize I messed up.
Gniarf Grandmaster Cheater Supreme Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Mon May 13, 2013 5:44 pm
The0neThe0nly wrote:
    Is there any efficient way to move a much longer (629 characters) string?
Yes, the one with kernel32.lstrcpyA. If it doesn't work it's because you're doing something wrong, but I don't know what. Are you sure that edx contains the address of the string to overwrite? Are you sure that the buffer at address edx is large enough to hold 629 characters? Does your 629 char string contain one and only one 00, which must be at its end? What happens when you execute the kernel32.lstrcpyA example I posted above ("it wasn't working" is a bit vague, you know)?
The0neThe0nly wrote:
    I believe it moves the address of the string to the value of the address at edx. I realize I messed up.
Good answer. You actually overwrite the first 4 characters of the string pointed to by edx with the address of "Testing".
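The two mistakes discussed in this thread (comparing the address in esi instead of the characters it points to, and `mov [edx],string` writing a pointer over the text) translate directly into C. The program below is an added example, not code from the thread; it models the 32-bit store with a uint32_t and adds the destination-size check that lstrcpyA does not perform. All strings in it are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* cmp esi,location in the thread compares two ADDRESSES: separate buffers
 * holding the same text are never "equal" this way, so jne always jumped. */
int same_by_address(const char *esi, const char *location) {
    return esi == location;
}

/* What kernel32.lstrcmpA does: compare the characters the pointers refer to. */
int same_by_content(const char *esi, const char *location) {
    return strcmp(esi, location) == 0;
}

/* mov [edx],string: stores the 4-byte ADDRESS of "string" over the first four
 * characters of the text edx points to; no characters are copied at all. */
void store_address_into_text(char *edx, const char *string) {
    uint32_t addr = (uint32_t)(uintptr_t)string; /* 32-bit pointer, as on the page */
    memcpy(edx, &addr, sizeof addr);
}

/* lstrcpyA plus the check it never performs: copy only if the whole source,
 * its single terminating 0 included, fits in the destination. 0 = copied. */
int copy_checked(char *edx, size_t edx_capacity, const char *string) {
    size_t need = strlen(string) + 1;
    if (need > edx_capacity) return -1;  /* 629 chars into a small buffer: refuse */
    memcpy(edx, string, need);
    return 0;
}

int main(void) {
    char game_text[8] = "General";       /* constructed stand-in for what esi points to */
    const char location[] = "General";   /* constructed stand-in for the AA 'location' bytes */
    char big[630];                       /* constructed 629-character string plus its 0 */
    memset(big, 'x', 629);
    big[629] = 0;

    printf("by address: %d, by content: %d\n",
           same_by_address(game_text, location), same_by_content(game_text, location));
    store_address_into_text(game_text, "Testing");
    printf("after mov [edx],string the first bytes are %02x %02x %02x %02x, not text\n",
           (unsigned)(unsigned char)game_text[0], (unsigned)(unsigned char)game_text[1],
           (unsigned)(unsigned char)game_text[2], (unsigned)(unsigned char)game_text[3]);
    printf("copy 'Testing' into 8 bytes: %d\n", copy_checked(game_text, sizeof game_text, "Testing"));
    printf("copy 629 chars into 8 bytes: %d\n", copy_checked(game_text, sizeof game_text, big));
    return 0;
}
```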