deama1234 Master Cheater
Reputation: 3
Joined: 20 Dec 2014 Posts: 328
Posted: Fri Feb 20, 2015 2:24 pm Post subject: fst qword ptr [esi+00000310]???
Code:
mov [esi+00000310],0232
fst qword ptr [esi+00000310]
or
Code:
fst qword ptr [esi+00000310]
mov [esi+00000310],0232
This doesn't work; I'm kinda confused why, can anyone explain it to me?
aikoncwd Grandmaster Cheater
Reputation: 23
Joined: 21 Dec 2012 Posts: 591 Location: Spain (Barcelona)
Posted: Fri Feb 20, 2015 3:15 pm Post subject:
Try this:
Code:
fst qword ptr [esi+00000310]
mov [esi+00000310],(float)232
or
Code:
fst qword ptr [esi+00000310]
mov [esi+00000310],(double)232
deama1234 Master Cheater
Reputation: 3
Joined: 20 Dec 2014 Posts: 328
Posted: Fri Feb 20, 2015 5:08 pm Post subject:
No, still doesn't work :/
I'm pretty sure it's that code, cause if I "nop" it then the value doesn't go up or down. I tried "nop"-ing other opcodes in the same function, but only that opcode works.
Here's the function:
Code:
tastyblue.exe+1683BF - int 3
tastyblue.exe+1683C0 - fld qword ptr [esp+04]
tastyblue.exe+1683C4 - push esi
tastyblue.exe+1683C5 - mov esi,ecx
tastyblue.exe+1683C7 - fst qword ptr [esi+00000310]
tastyblue.exe+1683CD - fldz
tastyblue.exe+1683CF - fcomp qword ptr [esi+00000320]
tastyblue.exe+1683D5 - fnstsw ax
tastyblue.exe+1683D7 - test ah,41
tastyblue.exe+1683DA - jne tastyblue.exe+168411
tastyblue.exe+1683DC - cmp byte ptr [esi+68],00
tastyblue.exe+1683E0 - fstp qword ptr [esi+00000320]
tastyblue.exe+1683E6 - je tastyblue.exe+168413
tastyblue.exe+1683E8 - call tastyblue.exe+133CC0
tastyblue.exe+1683ED - mov ecx,eax
tastyblue.exe+1683EF - call tastyblue.exe+1DB140
tastyblue.exe+1683F4 - cmp byte ptr [esi+68],00
tastyblue.exe+1683F8 - je tastyblue.exe+168413
tastyblue.exe+1683FA - fld qword ptr [esi+00000320]
tastyblue.exe+168400 - sub esp,08
tastyblue.exe+168403 - mov ecx,eax
tastyblue.exe+168405 - fstp qword ptr [esp]
tastyblue.exe+168408 - call tastyblue.exe+1EC300
tastyblue.exe+16840D - pop esi
tastyblue.exe+16840E - ret 0008
tastyblue.exe+168411 - fstp st(0)
tastyblue.exe+168413 - pop esi
tastyblue.exe+168414 - ret 0008
tastyblue.exe+168417 - int 3
I looked through the "call" ones, same thing :/
Zanzer I post too much
Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Fri Feb 20, 2015 5:38 pm Post subject:
Try this out.
Code:
alloc(myvar,8)
myvar:
dq (double)232.0
registersymbol(myvar)
//injected code
fstp qword ptr [esi+00000310]
fld qword ptr [myvar]
fst qword ptr [esi+00000310]
alanze Advanced Cheater
Reputation: 3
Joined: 03 Oct 2012 Posts: 50
Posted: Fri Feb 20, 2015 6:48 pm Post subject:
I'm not sure what value you're trying to put at [esi+00000310].
I assume 232 is a hex value because you put it in the assembler (in the assembler only hex values are used).
fst qword ptr [esi+00000310] - this code writes a double value at the memory location specified.
First you need to convert hex 232 to double, so I used that number to obtain the double (qword) value.
After conversion, noted as "intel bytes", it looks like this: 00 00 00 00 00 90 81 40
Here is your code:
Code:
fst qword ptr [esi+00000310] // this can be nop-ed or replaced
mov [esi+00000310],00000000 // write the first 4 bytes
mov [esi+00000314],40819000 // offset increased with 4, write the last 4 bytes
SteveAndrew Master Cheater
Reputation: 30
Joined: 02 Sep 2012 Posts: 323
Posted: Sat Feb 21, 2015 6:55 pm Post subject:
Zanzer and alanze are correct. Notice the "qword"! That means it's a double. If you aren't looking closely you might assume "dword", which would be a float (for fst/fstp instructions).
Since the application is 32-bit, only 32 bits can be moved around at a time via regular mov instructions.
I would use Zanzer's way, but instead of popping with fstp into [esi+310] I would just pop it out into nowhere:
Code:
alloc(myvar,8)
myvar:
dq (double)232.0
registersymbol(myvar)
//injected code
fstp st(0)
fld qword [myvar]
fst qword [esi+310]
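The byte-level reason behind alanze's two-mov split and SteveAndrew's "qword means double" remark, as an added C example (this is not code from the thread, from Cheat Engine, or from the game): it encodes a double the way fst qword ptr stores it, splits it into the low dword that goes to [esi+310] and the high dword that goes to [esi+314], and models what the original mov [esi+310],0232 actually does to the 8-byte slot. The slot model and the starting value 100.0 are constructed for the example; the immediate 0232 is read as hex 0x232 = 562, which is how the auto assembler treats it and what alanze assumed.

```c
/*
 * Added example: why a 32-bit "mov" into an x87 qword (IEEE-754 double)
 * slot does not give the number you typed, and how to split a double into
 * the two 32-bit halves that a pair of mov instructions must write.
 * Not code from the thread; the slot model and sample values are constructed.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Raw 64-bit pattern of a double: the 8 bytes "fst qword ptr" writes. */
static uint64_t double_bits(double d) {
    uint64_t u;
    memcpy(&u, &d, sizeof u);   /* memcpy avoids pointer-aliasing UB */
    return u;
}

static double bits_double(uint64_t u) {
    double d;
    memcpy(&d, &u, sizeof d);
    return d;
}

/* On little-endian x86 the low dword lives at +0 ([esi+310]), the high dword at +4 ([esi+314]). */
static uint32_t low_dword(double d)  { return (uint32_t)(double_bits(d) & 0xFFFFFFFFu); }
static uint32_t high_dword(double d) { return (uint32_t)(double_bits(d) >> 32); }

/* Constructed model of the 8-byte memory slot at [esi+310]. */
typedef struct { uint8_t b[8]; } slot_t;

/* Emulate "fst qword ptr [slot]": store all 8 bytes, least significant first. */
static void store_qword(slot_t *s, double d) {
    uint64_t u = double_bits(d);
    for (int i = 0; i < 8; i++) s->b[i] = (uint8_t)(u >> (8 * i));
}

/* Emulate "mov [slot+off],imm32": overwrite exactly 4 bytes. */
static void store_dword(slot_t *s, int off, uint32_t v) {
    for (int i = 0; i < 4; i++) s->b[off + i] = (uint8_t)(v >> (8 * i));
}

static double read_double(const slot_t *s) {
    uint64_t u = 0;
    for (int i = 0; i < 8; i++) u |= (uint64_t)s->b[i] << (8 * i);
    return bits_double(u);
}

/* The original post: fst writes the real double, then mov clobbers only the low dword. */
static double op_sequence(double current, uint32_t imm) {
    slot_t s;
    store_qword(&s, current);
    store_dword(&s, 0, imm);
    return read_double(&s);
}

/* alanze's fix: two movs carrying the low and high halves of the wanted double. */
static double two_mov_sequence(double current, double wanted) {
    slot_t s;
    store_qword(&s, current);
    store_dword(&s, 0, low_dword(wanted));
    store_dword(&s, 4, high_dword(wanted));
    return read_double(&s);
}

int main(void) {
    double wanted = 562.0;   /* 0x232 taken as hex, as the auto assembler does */
    printf("562.0 as qword: 0x%016" PRIx64 " -> low 0x%08" PRIx32 ", high 0x%08" PRIx32 "\n",
           double_bits(wanted), low_dword(wanted), high_dword(wanted));
    printf("232.0 as qword: 0x%016" PRIx64 "\n", double_bits(232.0));
    printf("mov [slot],0232 on a slot holding 100.0 -> %.15g (not 562)\n",
           op_sequence(100.0, 0x232));
    printf("two movs (00000000 / 40819000)            -> %.15g\n",
           two_mov_sequence(100.0, wanted));
    return 0;
}
```

The high dword 0x40819000 and the all-zero low dword are exactly the two immediates in alanze's post; the single 32-bit mov from the first post only disturbs the least significant bits of whatever double was already there, which is why the displayed value barely moves.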
impu How do I cheat?
Reputation: 0
Joined: 03 Apr 2015 Posts: 1
Posted: Fri Apr 03, 2015 12:57 am Post subject:
SteveAndrew wrote:
> Zanzer and alanze are correct. Notice the "qword"! That means it's a double. If you aren't looking closely you might assume "dword", which would be a float (for fst/fstp instructions).
> Since the application is 32-bit, only 32 bits can be moved around at a time via regular mov instructions.
> I would use Zanzer's way, but instead of popping with fstp into [esi+310] I would just pop it out into nowhere:
> Code:
> alloc(myvar,8)
> myvar:
> dq (double)232.0
> registersymbol(myvar)
> //injected code
> fstp st(0)
> fld qword [myvar]
> fst qword [esi+310]
Thank you. Very helpful.
panraven Grandmaster Cheater
Reputation: 62
Joined: 01 Oct 2008 Posts: 959
Posted: Fri Apr 03, 2015 5:39 am Post subject:
Code:
fst qword [esi+310]
should be
Code:
fstp qword [esi+310]
for integrity, since otherwise the value pushed by fld qword [myvar] is still in the fp stack. It may cause erroneous results if the modified instruction is in the middle of some fp calculation.
ADDED: nvm, I missed the fstp st(0), sry