Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine


Cheat engine questions+bug report!

Redouane
Master Cheater
Reputation: 3

Joined: 05 Sep 2013
Posts: 363
Location: Algeria

Posted: Tue Sep 10, 2013 2:50 pm    Post subject: Cheat engine questions+bug report!

Cheat engine questions!+little bug
Hello, I'm not new to CE (used it for 2 years), I have learned many things from tutorials, completed the CE tutorial (9 steps) but I do have some questions:
1-Assembly related:
---How to use the opcodes mul (multiply) and div (divide) correctly?
---How to combine 2 assembler scripts? I'm trying to make a one hit kill script for a game where the code that deals damage to enemies is split: there are 8 kinds of enemies and every one has its own code, and there are 5 weapons and every one has its own code. I already made a cheat table with 36 scripts (weapon 4 already does the one hit kill on some enemies); what I want to do is to add only 5 scripts to my cheat table, one for every weapon. The cheat table is attached to this post.
---How to use the opcodes db, dd and such?
---Where to use dword, qword and such?
---How can I know the memory size of a code? I am allocating 2048 Kb for a script, I know it's enough but I want to know its required size.
---Where should I push and pop registers and why?
---How to use the opcodes xor, and such?
---How to use the opcodes call and lea?
---How to mention a long string value in the assembler? For short strings it's "value" but it isn't working for long words like "BT_CHARGE".
---How to use (un)registersymbol and why?
---How to make a cheat table for a flash game? The process name could change by changing the browser, and the code and address locations are not static, they change every time you restart the game.
2-Scan related:
Binary:
---How to increase a binary value by any amount? When I try that it falls to 0, and if I don't try to increase it, it becomes 0 but the address does not change. I can perform a scan for the new value and find that it's the same address but with a different value, so what? Can an address have more than one value?
---How to perform a range scan on binary? Some games store important values like money in binary, and sometimes I need the "unknown initial value" or the next scan options "decreased value", "value between" etc.
Array of bytes:
---How does it work? How to know what to scan for?
3-The "bug" report:
I'm not sure if this is a bug, but when I try to open cheat tables from a folder with unicode characters in its name (in this example the folder is named Red‼), it says "Failure loading the trainer. Reason: Unable to open file "D:\Red?\Game cheat tables\SouthPark Cheat table.CT"". It doesn't work with all the unicode characters; try naming a folder with something like that (hold alt and type the number, then release alt; alt+255 = blank): ☺☻♥♦♣♠•◘○◙♂♀♪♫☼►◄↕‼¶§▬↨↑↓→←∟↔▲ etc.
If you know the answer to any of my questions please post it here, thanks.
Sorry for asking too much :)



Attachment: BINARY.png (Binary values, 149.18 KB)
Attachment: SouthPark Cheat table.CT (Southpark (game) cheat table, 45.89 KB)
Last edited by Redouane on Thu Sep 12, 2013 5:41 am; edited 2 times in total
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Tue Sep 10, 2013 4:52 pm    Post subject: Re: Cheat engine questions+bug report!

Redone wrote:
---How to use the opcodes mul (multiply) and div (divide) correctly?
---How to use the opcodes xor,and such?
Consult Intel® 64 and IA-32 Architectures Software Developer’s Manual
Redone wrote:
---How to use the opcodes call and lea?
call
When you have a function like (in c++) int MyFunction(type1 parameter1,type2 parameter2, type3 parameter3) it becomes:
Code:
push parameter3
push parameter2
push parameter1
call TheAddressWhereMyFunctionBegins
//here eax=return value of MyFunction
//sometimes you have a add esp,4*number of parameters if the function is a cdecl

Note1: this doesn't apply to fastcall functions or x64 programs.
Note2: if type1/2/3 is bigger than 4 bytes (like for a class object) you push a pointer instead.

In game hacking you typically want to simply copy the original call instruction unless you're calling a function that YOU wrote.

lea
Means Load Effective Address, in other words evaluate what's between [] and put its value in the first operand.
lea eax,[eax+eax*4] is often used to multiply eax by 5, but beware that only *4 and *8 multipliers are supported (CE will silently fail if you put an invalid factor).
You can also use lea eax,[eax+40] to increase eax; it's exactly like add eax,40.
Hackers use it to pack a multiplication and/or an addition in one instruction.
Compilers use it to access elements in a structure or in an array as in:
Code:
mov eax,Index
lea eax,[AddressOfFirstElementOfAnArray+eax*4]

will put in eax the address of the Index-th element of the array. AddressOfFirstElementOfAnArray can be a register or a constant (static address).

Redone wrote:
---How to combine 2 assembler scripts?

Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem:
originalcode:
//some code1
exit:
jmp returnhere

"test.exe"+123:
jmp newmem
returnhere:
[DISABLE]
dealloc(newmem)
"test.exe"+123:
//some code1
Combined with:
Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem:
originalcode:
//some code2
exit:
jmp returnhere

"test.exe"+456:
jmp newmem
returnhere:
[DISABLE]
dealloc(newmem)
"test.exe"+456:
//some code2
Gives:
Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere1)
label(originalcode1)
label(exit1)

label(returnhere2)
label(originalcode2)
label(exit2)

label(Hack1)
label(Hack2)

///////////////////////////////// this is your code buffer
newmem:
Hack1:
originalcode1:
//some code1
exit1:
jmp returnhere1

Hack2:
originalcode2:
//some code2
exit2:
jmp returnhere2

///////////////////////////////// end of your code buffer/cave, below are the parts where you overwrite the game's code
"test.exe"+123:
jmp Hack1
returnhere1:

"test.exe"+456:
jmp Hack2
returnhere2:

[DISABLE]
dealloc(newmem)
"test.exe"+123:
//some code1

"test.exe"+456:
//some code2

Redone wrote:
---How to use the opcodes db,dd and such??
Code:
123456:
db 11 22 33 44 'omgwtfbbq' 00

147258:
dd aa bb 12345678
will write 11 22 33 44 6F 6D 67 77 74 66 62 62 71 00 at address 123456, and AA 00 00 00 BB 00 00 00 78 56 34 12 at address 147258. Basically dd writes one or several dwords where it is placed, db writes bytes, dw writes words and dq quadwords.
Redone wrote:
---Where to use dword,qword and such??
To be correct you should write them before each opening bracket [. But sometimes in cheat engine it's implied, like in mov [1234],eax (if you store eax, you store 32bits=a dword) or in lea (because it doesn't matter)
Redone wrote:
---How can I know the memory size of a code?
Write your code first, then look at it in the disassembler window.
Redone wrote:
I am allocating 2048 Kb for a script,I know it's enough but I want to know its required size.?
2048 KILO bytes?? Probably not, I guess you meant 2048 bytes, which is also wrong: even if you write alloc(newmem,1), windows will always give you a chunk of memory whose size is a multiple of 0x1000=4096 bytes. You will never write a code that big, at least not until you no longer need my advice. To give you an idea, in one of my scripts I have about 125 lines in a code cave and it takes about 200 bytes in memory.
Redone wrote:
---Where should I push and pop registers and why?
When you inject some code and write some asm of your own, you may need to use registers, so you push the register you will use (save its value), then you use it, then you pop it (restore its value). When you need to save/restore several registers, you do the pushing/popping in this order:
Code:
push register1
push register2
//use them
pop register2
pop register1

Pushing is also used to pass arguments to functions (before the call opcode), in this case you don't have to do the popping, it is either done by the ret 4*NumberOfParameters or the add esp,4*NumberOfParameters opcodes.

Redone wrote:
---How to mention a long string value in the assembler?for short strings it's "value" but i isn't working for long words like "BT_CHARGE".
I don't understand your question.
Redone wrote:
---How to use (un)registersymbol and why?
It has 2 typical uses:
A-disable sections of scripts containing aobscans
Code:
[enable]
aobscan(MyCodeSignature,11 22 33 44)
MyCodeSignature:
//some assembly code
[disable]
MyCodeSignature:
//restore original code
This script WILL NOT WORK because MyCodeSignature is only known inside the [enable] section, so you need to register it for the disable section to know what you're talking about. And then you unregister in the disable section for cleanup purposes. Correct script:
Code:
[enable]
aobscan(MyCodeSignature,11 22 33 44)
registersymbol(MyCodeSignature)

MyCodeSignature:
//some assembly code
[disable]
unregistersymbol(MyCodeSignature)
MyCodeSignature:
//restore original code


B-Accessing some variables from CE's main UI
Say you found the code that accesses your character's alignment (good/evil) in an RPG, you may not want to be always utter evil or angel-like, so this value has to be player-configurable. Sadly you couldn't find a stable pointer to this variable, so you're going to do a script like that:
Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

label(AlignmentAddress)
registersymbol(AlignmentAddress)

newmem:
originalcode:
//some code1
mov eax, [ebx+ecx*4] //lets say that this reads your alignment
push edx                     //we're going to use edx, so save it
lea edx, [ebx+ecx*4]   //now edx=ebx+ecx*4=the address of your alignment
mov dword [AlignmentAddress],edx //save the address of your alignment in AlignmentAddress
pop edx                      //restore saved edx
exit:
jmp returnhere

AlignmentAddress:
dd 0                          //initialize 4 bytes (size of an address in a 32bit game) at value 0

"test.exe"+123:
jmp newmem
returnhere:
[DISABLE]
unregistersymbol(AlignmentAddress)
dealloc(newmem)
"test.exe"+123:
//some code1
Congratulations, you've crafted yourself a pointer to your alignment. After that go to add address manually, tick pointer, and paste AlignmentAddress in the box at the bottom to access it.
Redone wrote:
---How to make a cheat table for a flash game?the process name could change by changing the browser+the code and address locations are not static,they change every time you restart the game.
First use an AA script to modify the game's code (I've never seen a pointer work in a flash game), and use aobscans to locate code signatures near the parts you need to modify.

Redone wrote:
Array of bytes:
---How does it work?how to know what to scan for?
http://forum.cheatengine.org/viewtopic.php?t=561407



Haf, haf haf, what an answerathon... And I didn't ever answer all his questions.

PS: looks like I'm near the post size cap.

_________________
DO NOT PM me if you want help on making/fixing/using a hack.


Last edited by Gniarf on Fri Jun 13, 2014 1:36 am; edited 1 time in total
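The db/dd behaviour described in the answer above, as an added example that is not Cheat Engine's own assembler: a small Python encoder for the db/dw/dd/dq data directives. It assumes CE's conventions that bare numbers are hex, a `#` prefix means decimal (the notation the thread itself uses in `mov [player health],#100`), multi-byte values are little-endian, and quoted text is only meaningful with db; it goes a little beyond the post by handling dw and dq as well. The SAMPLE script is the two snippets from the post, reproduced here as a constructed input.

```python
# Added example, not Cheat Engine's parser: encodes db/dw/dd/dq directive lines
# into the bytes they would place at the preceding "address:" label.
import re

DIRECTIVE_WIDTH = {"db": 1, "dw": 2, "dd": 4, "dq": 8}

# Operands are separated by whitespace; 'quoted' or "quoted" text stays one token.
_TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


def encode_directive(line: str) -> bytes:
    """Encode one `db/dw/dd/dq ...` line (assumed CE notation: hex by default,
    `#` prefix for decimal, little-endian, string literals only with db)."""
    parts = line.strip().split(None, 1)
    mnemonic = parts[0].lower()
    operands = parts[1] if len(parts) > 1 else ""
    if mnemonic not in DIRECTIVE_WIDTH:
        raise ValueError(f"not a data directive: {line!r}")
    width = DIRECTIVE_WIDTH[mnemonic]
    out = bytearray()
    for tok in _TOKEN.findall(operands):
        if tok[0] in "'\"":
            if mnemonic != "db":
                raise ValueError("string literals only make sense with db")
            out += tok[1:-1].encode("ascii")
            continue
        value = int(tok[1:], 10) if tok.startswith("#") else int(tok, 16)
        if not 0 <= value < (1 << (8 * width)):
            raise ValueError(f"{tok} does not fit in {width} byte(s)")
        out += value.to_bytes(width, "little")
    return bytes(out)


def encode_script(script: str) -> dict:
    """Map each `address:` label of a directive-only script to the bytes written there.
    `//` comments are ignored; addresses are hex, as in the post."""
    result = {}
    current = None
    for raw in script.splitlines():
        line = raw.split("//")[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            current = int(line[:-1], 16)
            result.setdefault(current, bytearray())
        elif current is None:
            raise ValueError("data directive before any address label")
        else:
            result[current] += encode_directive(line)
    return {addr: bytes(b) for addr, b in result.items()}


# Constructed input: the two snippets from the post above.
SAMPLE = """
123456:
db 11 22 33 44 'omgwtfbbq' 00

147258:
dd aa bb 12345678
"""

if __name__ == "__main__":
    for addr, data in encode_script(SAMPLE).items():
        print(f"{addr:06X}: {data.hex(' ').upper()}")
```

Running it prints the same two byte sequences the answer states, which is a quick way to sanity-check a `db`/`dd` line before letting CE write it over live memory; the width check catches the common slip of putting a 2-byte value in a `db`.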
Redouane
Master Cheater
Reputation: 3

Joined: 05 Sep 2013
Posts: 363
Location: Algeria

Posted: Thu Sep 12, 2013 4:36 am

I'm asking about mul and div because div [eax+04],2 and mul [eax+04],2 aren't working, can you give a working example?

---How to combine 2 assembler scripts?
---Thank you very much, tried combining the 8 scripts and it worked!

Gniarf wrote:
First use an AA script to modify the game's code (I've never seen a pointer work in a flash game), and use aobscans to locate code signatures near the parts you need to modify.
---I found the important values and made a working cheat table, but when I restart the game my codes are no longer working.

---How can I know the memory size of a code?
It's 2kb not 2mb, sorry for misspelling.

---How to mention a long string value in the assembler? For short strings it's "value" but it isn't working for long words like "BT_CHARGE".
Gniarf wrote:
I don't understand your question.
When a game has a shared code that deals damage points, I generally look for string values like player names etc. because they are static, then inject a code that compares the string value with the name and jumps to original code if the name isn't mine (enemies). When there are 2 friendly units I use:
Code:
Alloc(newmem,2048)
label(originalcode)
label(Code1)
label(Code2)
label(exit)
label(returnhere)

newmem:
Code1:
cmp [Offset that contains string value],"Eric"
jne Code2
mov [player health],#100
Code2:
cmp [Same offset that contains string value],"Dave"
jne originalcode
mov [player health],#100
originalcode:
mov [Player health],ebx //or anything
exit:
jmp returnhere

test.exe+121:
jmp newmem
returnhere:


That code is just an example, I can easily add the ENABLE and DISABLE sections but they're useless, it does not work when the player names are long strings like BT_CHARGE or any long word (in a game I'm playing, it's the name of the 1st friendly player attack, every enemy has its own attack name like BT_TOOTH for vampires etc., and it won't change).
Thanks for everything.
2 other questions: Can't scan for 0 in binary: Invalid binary notation. THERE ARE SOME BINARY ADDRESSES WITH THE VALUE OF 0, so isn't it possible to filter them?
Also, why should I always put exit and returnhere in an AA code? I know that the code must go somewhere but it does not jump to exit, so what is it for?
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Thu Sep 12, 2013 10:12 am

Redone wrote:
I'm asking about mul and div because div [eax+04],2 and mul [eax+04],2 aren't working, can you give a working example?
Google "div assembly example", first result.

Q:How to compare strings that are more than 4 letter long?
A:You can find the answer in the first 2 posts here: http://forum.cheatengine.org/viewtopic.php?p=5474066

Redone wrote:
2 other questions: Can't scan for 0 in binary: Invalid binary notation. THERE ARE SOME BINARY ADDRESSES WITH THE VALUE OF 0, so isn't it possible to filter them?
What I do in those cases is that I wait for my bit to be =1 ingame do my first scan for 1 in binary then I can filter with 0.
Redone wrote:
also,why should I always put exit and returnhere in an AA code?I know that the code must go somewhere but it does not jump to exit,so what is it for?
Those labels are part of the standard code injection template but exit is not required. Usually I don't need both an originalcode and an exit so I wipe one and rename the other.

As for the returnhere, you can rename it (I actually recommend doing so) but once the game has executed your injected code you've got to tell it to continue running "normally", that's what the returnhere is for. Yes there are ways to work without a returnhere, for example using a call MyHack...ret instead of jmp MyHack but they do not always work.


Note: there are questions from the OP I didn't answer. That wasn't because of the post size cap, it was because I don't know the answer.

_________________
DO NOT PM me if you want help on making/fixing/using a hack.
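The mul/div question that runs through this thread, as an added example that is not from either poster: a register-level model in Python of the one-operand 32-bit MUL and DIV instructions. Both use EDX:EAX implicitly (a fact of the x86 instruction set, not something the thread states), which is why a two-operand spelling such as `div [eax+04],2` cannot assemble: DIV and MUL take a single multiplier/divisor operand and have no immediate form. The `halve_memory_value` and `double_memory_value` helpers are hypothetical; the `[ebx+04]` location in their comments is a placeholder, and the instruction sequences in those comments are the assumption being modelled, not a script from the page.

```python
# Added example (not from the thread): model of the 32-bit one-operand MUL/DIV.
# MUL r/m32:  EDX:EAX = EAX * src           (EDX is always overwritten)
# DIV r/m32:  EAX = EDX:EAX / src, EDX = EDX:EAX % src; #DE on zero or overflow
MASK32 = 0xFFFFFFFF


class DivideError(Exception):
    """Stands in for the CPU's #DE fault (divide by zero, or quotient too large for EAX)."""


def mul32(eax: int, src: int) -> tuple:
    """MUL r/m32: unsigned EAX * src -> EDX:EAX. Returns (eax, edx)."""
    product = (eax & MASK32) * (src & MASK32)
    return product & MASK32, (product >> 32) & MASK32


def div32(edx: int, eax: int, src: int) -> tuple:
    """DIV r/m32: unsigned EDX:EAX / src. Returns (eax=quotient, edx=remainder)."""
    src &= MASK32
    if src == 0:
        raise DivideError("divide by zero")
    dividend = ((edx & MASK32) << 32) | (eax & MASK32)
    quotient, remainder = divmod(dividend, src)
    if quotient > MASK32:
        # Reached whenever EDX >= src on entry, e.g. when EDX was not cleared first.
        raise DivideError("quotient does not fit in EAX")
    return quotient, remainder


def halve_memory_value(value: int) -> int:
    """Register sequence for 'divide the dword at [ebx+04] by 2' (hypothetical script):
        mov eax,[ebx+04]
        xor edx,edx        ; upper half of the dividend must be zero
        mov ecx,2          ; DIV needs the divisor in a register or memory, not an immediate
        div ecx            ; EAX = quotient, EDX = remainder
        mov [ebx+04],eax
    Returns the value that would be stored back."""
    eax = value & MASK32
    edx = 0
    ecx = 2
    eax, edx = div32(edx, eax, ecx)
    return eax


def double_memory_value(value: int) -> tuple:
    """Register sequence for 'multiply the dword at [ebx+04] by 2' (hypothetical script):
        mov eax,[ebx+04]
        mov ecx,2
        mul ecx            ; EDX:EAX = EAX * ECX, EDX is clobbered
        mov [ebx+04],eax
    Returns (eax, edx) so the high half that MUL overwrote is visible; a script must
    push/pop eax, ecx and edx around this sequence to leave the game's registers intact."""
    eax = value & MASK32
    ecx = 2
    eax, edx = mul32(eax, ecx)
    return eax, edx


if __name__ == "__main__":
    print(halve_memory_value(101))           # 50
    print(double_memory_value(0x80000000))   # (0, 1): the product overflowed into EDX
```

The two failure cases the model raises are the ones that crash a game when an injected `div` is wrong: dividing by zero, and dividing with a stale EDX so the quotient no longer fits in EAX. Clearing EDX (`xor edx,edx`) before `div` and saving the three registers the sequence touches, in the push/pop order given earlier in the thread, avoids both.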
All times are GMT - 6 Hours