Cheat Engine The Official Site of Cheat Engine

UserNamex32 How do I cheat?
Reputation: 0
Joined: 11 Oct 2013 Posts: 2
Posted: Fri Oct 11, 2013 3:19 pm Post subject: CE Tutorial Step 9 Questions

Here's what I came up with for god mode, where team 1 members do not take damage.
I saw a few others from searching google:
/viewtopic.php?t=551314
/viewtopic.php?t=555086
To me, theirs seem to be a lot more complex. I wanted to know if I am doing everything properly, which brings me to my next question.
What does fldz do and why do I need it? Without it I had tons of crashes.
I'm sure if I wanted to further simplify this I could just refactor the two fldz into the exit, and remove it from originalcode and completely remove the godmode label. I originally tried just jumping to the exit if it was team 1 but it crashed when I did that.
Code:
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
label(godMode)
newmem:
cmp [ebx+10], 1 // if team 1 goto god mode
je godMode
jmp originalcode
godMode:
// do no damage
fldz // needed so it doesn't crash - not sure why
jmp exit // skip original code
originalcode:
mov [ebx+04],eax // writes new health into given player's health
fldz
exit:
jmp returnhere
"Tutorial-i386.exe"+27E76:
jmp newmem
returnhere:

Refactored and Simplified Code:
Code:
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem:
cmp [ebx+10], 1 // if team 1 goto exit
je exit
originalcode:
mov [ebx+04],eax // writes new health into given player's health
// removed fldz to exit
exit:
fldz // needed so it doesn't crash - not sure why
jmp returnhere
"Tutorial-i386.exe"+27E76:
jmp newmem
returnhere:


Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Fri Oct 11, 2013 4:36 pm Post subject: Re: CE Tutorial Step 9 Questions

UserNamex32 wrote:
> Here's what I came up with for god mode where team 1 members do not take damage.
> I saw a few others from searching google:
> /viewtopic.php?t=551314
> /viewtopic.php?t=555086
> To me theirs seem to be a lot more complex. I wanted to know if I am doing everything properly

Your script works, so it's good enough.
In this topic http://forum.cheatengine.org/viewtopic.php?t=551314 :
-Igor's first script works, but looks like it's done by someone who doesn't fully understand what he does (no offense meant, we all started that way). That being said, it just needs a one line refactoring, and removing that "sub [ebx+04],0".
-Igor's 2nd script could use some HEAVY refactoring, but uses an approach you (and everyone else) should keep in mind: when you can't find a differentiation flag like that ebx+10 (team ID), then find a function that reads the health of the player(s) to protect and use it to log those addresses, then compare the address where we're going to apply damage to the logged addresses to see if we should apply godmode or not.
-Invader's code is good too and minimalistic. Just that it'd be more convenient to write "mov eax,(float)100.0" rather than "mov eax,42C80000".
-simonsong90's script (which is the same as balrog_svr's one in the second topic you mentioned) has the funny effect of increasing your health when you're getting hit... but might kill you when getting healed (in a real-life game). Minor code refactoring is possible too.
Upon closer inspection of YOUR script:
1-(important) Your script lacks the [enable] tag and [disable] section. If you just removed that to keep your post short, that's fine, but if those are absent from your local copy, that's a flaw. Scripts with enable/disable sections can be added to the cheat table (file->assign to cheat table), which is a lot more convenient than opening an auto assembler window and pressing execute each time.
2-(warning) The originalcode label is not used and could be removed.
3-(perfectionism) When a jump opcode is less than 128 bytes away from its target, you can replace it by a "j** short" which occupies only 2 bytes instead of 5 for a standard jump. Thus "je exit" could become "je short exit".
UserNamex32 wrote:
> What does fldz do and why do I need it?

Generic answer to "What does [insert assembly opcode] do?": grab yourself a copy of the Intel® 64 and IA-32 Architectures Software Developer's Manual, it's THE official definition of each and every assembly opcode.
That being said, fldz stands for Float LoaD Zero, which pushes 0.0 on top of the float stack.
Why do you need it? Well, I could tell you that it is part of the next block of code:
Code:
fldz
fld dword ptr [ebx+04]
fcompp
which basically compares the float at [ebx+04] (hmm, that's your health, right?) with 0.0, presumably to check if you're dead.
But actually, I'll simply recommend that you keep the original code the way it is unless removing some opcodes is part of your cheat. If the opcode was there it's for a reason; if you don't understand that reason, document yourself or assume this piece of code is vital, but don't go on an optimization crusade trying to nick every bit of junk or rewrite stupid constructs; you WILL be overwhelmed by the task (even though it's sometimes badly itching...).
_________________
DO NOT PM me if you want help on making/fixing/using a hack.

UserNamex32 How do I cheat?
Reputation: 0
Joined: 11 Oct 2013 Posts: 2
Posted: Sat Oct 12, 2013 4:23 pm Post subject:

Thanks for the amazing reply Gniarf, couldn't have asked for anything better!
I have a lot of experience programming, nothing too official though, but this was my first real time playing with ASM; I've seen it before, tried to learn it, but never actually gave it a try until this, which is why I was really excited to see a step 9 in the tutorial - which left some more learning to be done with ASM.
Quote:
> "mov eax,(float)100.0" rather than "mov eax,42C80000"
I did not know you could do casting, that is great to know. Is the casting native to ASM or just to CE's AutoASM (hopefully 'casting' is called that in the auto ASM)? Speaking of which, is this just plain "ASM" or does CE have its own flavor and compilation magic? I noticed it detects errors in code before allowing an inject/execute (I guess it would since it's ASM to opcodes?). Are there different types of ASM out there, if I recall right? I would like to get the jargon correct, since I am fairly new to this.
Quote:
> Your script lacks the [enable] tag and [disable] section

I was using the auto assembler window and then hitting save in there, but it sounds like the method you're talking about links it to the CT file and of course is much more convenient. I didn't know about that so I will have to give that a try, thanks : )

Quote:
> The originalcode label is not used and could be removed

Since that was my first time with CE's AASM, for some reason I thought that was required, but from originally writing that to now, I definitely have a better understanding that it does not need that, and how the execution of it runs from top to bottom; for some reason I thought it would start at a specific label & that they were required for normal execution. But yeah, I see that I do not need it now, because it is never referenced.

Quote:
> When a jump opcode is less than 128 bytes away from its target, you can replace it by a "j** short"

Did not know this, thanks for the tip. Is there any real way to know how many bytes away the jump is going to be? I'm sure looking at the compiled opcodes would be the way to tell, and I'm sure there's some fancy IDE out there?
Speaking of byte consumption, in today's technology with so much RAM is it really that important to worry about the consumption of 3 more bytes? I'm sure if it was a large piece of code it could add up, but RAM nowadays seems to not be such a big problem; nonetheless it is a good optimization technique to know exists (as you did label it perfectionism ; ) )
Yeah I tried searching about it on google, but did not have much luck, ran across this which didn't help:
mathemainzel.info /files/x86asmref
and this simple one:
jegerlehner.ch /intel/opcode
but now that you told me what to search for I have found this:
intel /content/www/us/en/processors/architectures-software-developer-manuals
That manual is amazing, tells everything. It's huge and scary, but nothing ctrl-f can't manage.
Yeah I was kind of assuming the crash had something to do with the code outside of the scope of the AASM window's code.
I did think it was odd how the fldz was brought in with the original code segment, I don't remember it being on the same line in the memory browser. Is that normal or was it a special case for the tutorial?

Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Sat Oct 12, 2013 5:30 pm Post subject:

UserNamex32 wrote:
> > "mov eax,(float)100.0" rather than "mov eax,42C80000"
> I did not know you could do casting, that is great to know. Is the casting native to ASM or just to CE's AutoASM (hopefully 'casting' is called that in the auto ASM).

It's not casting - at least not what I call casting -, it's just telling CE how to interpret the next characters you typed, exactly like the 0x prefix in C. This syntax is afaik CE-specific (but I don't know how you do with other asm "compilers" (actually I should say "assemblers")).
UserNamex32 wrote:
> Speaking of which is this just plain "ASM" or does CE have its own flavor and compilation magic

CE has its own keywords, like alloc/dealloc, registersymbol, aobscan... Look up CE's F1 help file, search for "alloc" and read a topic called "Auto Assembler help".
UserNamex32 wrote:
> Are there different types of ASM out there if I recall right? I would like to get the jargon correct, since I am fairly new to this.

I know 2 names: MASM (Microsoft Macro ASseMbler, yes there is an extra M) and TASM (Turbo ASseMbler) which have a slightly different syntax, but I don't know the specifics of either, and I don't know/think CE's assembler follows any.
UserNamex32 wrote:
> > When a jump opcode is less than 128 bytes away from its target, you can replace it by a "j** short"
> Did not know this, thanks for the tip. Is there any real way to know how many bytes away the jump is going to be?

Trial and error. Personally I use short jumps when I jump within the same function, and when my function gets more than a screen long (about 50 lines) I start thinking that maybe I might have jump range issues.
UserNamex32 wrote:
> when I write a function I'm sure looking at the compiled opcodes would be the way to tell, and I'm sure there's some fancy IDE out there?

Probably, google it if you want one; personally CE's built-in IDE is enough to type my code and if needs be I can go check it in the disassembler window (after injecting it).
UserNamex32 wrote:
> Speaking of byte consumption, in today's technology with so much RAM is it really that important to worry about the consumption of 3 more bytes?

Most hackers out there don't give a damn about the size of their code and don't even know what a short jump is; after all, with the alloc keyword you can tell CE to allocate megabytes into your target and there 3 bytes hardly matter. BUT when you're a weirdo like myself who likes to hardcode his hacks into the .exe file you cannot use the memory allocation routines and you have to repurpose padding bytes (called "code caves"), and there, 3 bytes DO matter.
Finding a code that does what you want and fits within a given number of bytes can be a fun challenge...
(Some?) High-class hackers here use short jumps, but it's more a matter of style and/or perfectionism than real need.
UserNamex32 wrote:
> I have found this:
> intel /content/www/us/en/processors/architectures-software-developer-manuals
> That manual is amazing, tells everything. It's huge and scary, but nothing ctrl-f can't manage.

Or even better, use the chapter tree on the left ("bookmarks") and find where the asm instructions are alphabetically sorted.
UserNamex32 wrote:
> I did think it was odd how the fldz was brought in with the original code segment, I don't remember it being on the same line in the memory browser. Is that normal or was it a special case for the tutorial?

Tssk, tssk, tssk, you're still thinking in terms of lines, but in asm you should think in BYTES. A normal jump uses 5 bytes and mov [ebx+04],eax uses 3 bytes, so when you replace that mov with a jmp, you overwrite all its 3 bytes plus the 2 bytes immediately after, which belong to the next instruction, which in your case happened to be fldz.
Now what do you do when you wanna overwrite a 3 byte instruction followed by a 4 byte one? You write your jump over the 5 first bytes and add 2 nop's (nop=No OPeration=0x90=an instruction that takes 1 byte and does nothing).
_________________
DO NOT PM me if you want help on making/fixing/using a hack.
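The byte arithmetic behind both of Gniarf's replies (why the fldz got pulled into the injected block, when a jump may be written short, and the NOP padding for a 3-byte instruction followed by a 4-byte one), as an added Python example; this is not code from the thread or from Cheat Engine. The instruction encodings, the 0x400000 module base, the 0x02000000 cave address and the 4-byte `mov eax,[esp+08]` instruction are constructed assumptions for illustration.

```python
import struct

# x86-32 encodings of the instructions discussed in the thread (constructed for this example):
#   mov [ebx+04],eax       -> 89 43 04   (3 bytes)
#   fldz                   -> D9 EE      (2 bytes)
#   fld dword ptr [ebx+04] -> D9 43 04   (3 bytes)
#   fcompp                 -> DE D9      (2 bytes)
ORIGINAL_AT_27E76 = [
    ("mov [ebx+04],eax", bytes.fromhex("894304")),
    ("fldz", bytes.fromhex("d9ee")),
    ("fld dword ptr [ebx+04]", bytes.fromhex("d94304")),
    ("fcompp", bytes.fromhex("ded9")),
]
# Gniarf's "3-byte instruction followed by a 4-byte one" case (second instruction is hypothetical):
THREE_THEN_FOUR = [
    ("mov [ebx+04],eax", bytes.fromhex("894304")),
    ("mov eax,[esp+08]", bytes.fromhex("8b442408")),
]

NEAR_JMP_LEN = 5    # E9 rel32
SHORT_JMP_LEN = 2   # EB rel8 / 7x rel8
NEAR_JCC_LEN = 6    # 0F 8x rel32
NOP = 0x90


def hook_footprint(instructions, hook_len=NEAR_JMP_LEN):
    """Which whole instructions a hook_len-byte jump written at instructions[0] overwrites,
    and how many NOPs are needed after it. Overwriting only part of an instruction would leave
    the CPU to execute its tail as garbage, which is the kind of crash the thread describes."""
    stolen, covered = [], 0
    for mnemonic, encoding in instructions:
        if covered >= hook_len:
            break
        stolen.append(mnemonic)
        covered += len(encoding)
    if covered < hook_len:
        raise ValueError("not enough instruction bytes to hold the jump")
    return stolen, covered - hook_len


def encode_jmp(src, dst, prefer_short=True):
    """jmp from address src to dst. Displacements are relative to the end of the jump, so the
    short form (EB rel8) is legal only when -128 <= dst - (src + 2) <= 127."""
    rel8 = dst - (src + SHORT_JMP_LEN)
    if prefer_short and -128 <= rel8 <= 127:
        return bytes([0xEB]) + struct.pack("<b", rel8)
    return bytes([0xE9]) + struct.pack("<i", dst - (src + NEAR_JMP_LEN))


def encode_jcc(cc, src, dst, prefer_short=True):
    """Conditional jump with condition code cc (je is 0x4): 7x rel8 short, 0F 8x rel32 near."""
    rel8 = dst - (src + SHORT_JMP_LEN)
    if prefer_short and -128 <= rel8 <= 127:
        return bytes([0x70 | cc]) + struct.pack("<b", rel8)
    return bytes([0x0F, 0x80 | cc]) + struct.pack("<i", dst - (src + NEAR_JCC_LEN))


def decode_jump(code, addr):
    """Inverse of the encoders: (length, target) of the jump at addr, or None if code is not one.
    This is the check to run on a patched site to see where it really goes."""
    op = code[0]
    if op == 0xEB or 0x70 <= op <= 0x7F:
        return 2, addr + 2 + struct.unpack("<b", code[1:2])[0]
    if op == 0xE9:
        return 5, addr + 5 + struct.unpack("<i", code[1:5])[0]
    if op == 0x0F and 0x80 <= code[1] <= 0x8F:
        return 6, addr + 6 + struct.unpack("<i", code[2:6])[0]
    return None


def build_hook(instructions, site, cave):
    """Bytes to write at site (near jmp to cave plus NOP padding), the instructions that must be
    re-emitted inside the cave, and the address the cave has to jump back to (returnhere)."""
    stolen, nops = hook_footprint(instructions)
    patched = encode_jmp(site, cave, prefer_short=False) + bytes([NOP]) * nops
    return patched, stolen, site + len(patched)


if __name__ == "__main__":
    # Assumed: Tutorial-i386.exe loaded at 0x400000, so "Tutorial-i386.exe"+27E76 is 0x427E76;
    # 0x02000000 stands in for whatever alloc(newmem,2048) returned.
    patched, stolen, returnhere = build_hook(ORIGINAL_AT_27E76, 0x427E76, 0x02000000)
    print("write at 27E76:", patched.hex(" "))
    print("stolen, to re-emit in the cave:", stolen)
    print("returnhere = %#x" % returnhere)
    print("patched site jumps to:", decode_jump(patched, 0x427E76))
    print("3+4 byte case:", hook_footprint(THREE_THEN_FOUR))
    for dst in (0x1081, 0x1082):
        print("je from 0x1000 to %#x:" % dst, encode_jcc(0x4, 0x1000, dst).hex(" "))
```

build_hook() returns the three things the auto assembler script has to agree on: the five bytes written at 27E76, the stolen fldz that has to be re-emitted before jmp returnhere, and where returnhere is. The je loop shows the edge Gniarf names: a displacement of 127 still fits the 2-byte form, 128 forces the 6-byte form.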