Cheat Engine The Official Site of Cheat Engine
h3x1c Master Cheater
Reputation: 17
Joined: 27 Apr 2013 Posts: 306
Posted: Sat Mar 14, 2015 6:54 pm Post subject: I've an alternate solution to Step 9. Is this optimal code?
After a week of studying FPU instructions, I FINALLY achieved what I was looking to do with Step 9: compare the health value on first load, and if it equals 500, then insta-kill the player. I know this isn't the best solution, but I was trying to find my own different way to win the game, so that's what I wanted to do. =)
Those of you who are experienced enough will know what the following code does, so I'm not going to bother explaining it. What I'm wanting to know is if this code is optimized for the solution I came up with, or if I could have coded this a better way:
Code:
cmp [ebx+04],(float)500.0   // compare the 32-bit pattern of health with 500.0f
jne originalcode            // not exactly 500: run the untouched code
fld dword ptr [ebx+04]      // push health: ST(0) = health
fsubr dword ptr [ebx+04]    // ST(0) = health - ST(0) = 0
fstp dword ptr [ebp-30]     // store the 0 as the new health value, then pop
jmp exit
Where good coding practice is concerned, should I have preserved whatever was in st(0) (or the whole FPU stack maybe, for that matter) before loading [ebx+04] into it? If so, what would be the best way to go about that?
Any thoughts/recommendations would be greatly appreciated! Thanks!
vng21092 Grandmaster Cheater
Reputation: 15
Joined: 05 Apr 2013 Posts: 644
Posted: Sat Mar 14, 2015 8:04 pm
I'm gonna assume this is what you started with. Here are my thoughts
Code:
cmp [ebx+04],(float)500.0   <-- Not practical compare
jne originalcode
fld dword ptr [ebx+04]      <-- Did not need changing
fsubr dword ptr [ebx+04]
fstp dword ptr [ebp-30]
mov [ebp-30],0              <-- All you had to do was insert that
jmp exit

So why is your compare impractical? Well, when you apply this to an actual game, without a doubt there will be a variety of enemies, which is where your code falls short... Your code would only apply to enemies with a max health of 500, excluding all other enemies. Also, what if YOUR max health also happens to be 500? See? Not practical. Not only that, there may not even be a pretty little offset holding characters' max health. What you do is look for an ID that distinguishes enemies from the player, from dissecting the data structures of all the players as shown:

Here we see that offset 10 separates players from enemies, players having an ID of "1" and enemies having an ID of "2", so in the end your code should have looked like

Code:
cmp [ebx+10],1              // offset 10 holds the ID: 1 = player, 2 = enemy
je originalcode             // player: leave the original code alone
fild dword ptr [ebp-34]     // everyone else: the game's own damage math...
fsubr dword ptr [ebx+04]
fstp dword ptr [ebp-30]
mov [ebp-30],0              // ...then overwrite the result with 0 (instant kill)
jmp exit

This is basically what the code would do:
1)Check character in question's ID
2)Is it 1? If so, jump to original code (no instant kill for player), else, continue (instant kill at last line)
Hope this helps
As far as preserving the stack, you didn't load anything onto the stack so you didn't ruin anything.
justa_dude Grandmaster Cheater
Reputation: 23
Joined: 29 Jun 2010 Posts: 893
Posted: Sat Mar 14, 2015 11:02 pm Post subject: Re: I've an alternate solution to Step 9. Is this optimal co
h3x1c wrote:
After a week of studying FPU instructions, I FINALLY achieved what I was looking to do with Step 9: compare the health value on first load, and if it equals 500, then insta-kill the player. I know this isn't the best solution, but I was trying to find my own different way to win the game, so that's what I wanted to do. =)
Those of you who are experienced enough will know what the following code does, so I'm not going to bother explaining it. What I'm wanting to know is if this code is optimized for the solution I came up with, or if I could have coded this a better way:
Code:
cmp [ebx+04],(float)500.0
jne originalcode
fld dword ptr [ebx+04]
fsubr dword ptr [ebx+04]
fstp dword ptr [ebp-30]
jmp exit
Where good coding practice is concerned, should I have preserved whatever was in st(0) (or the whole FPU stack maybe, for that matter) before loading [ebx+04] into it? If so, what would be the best way to go about that?
Any thoughts/recommendations would be greatly appreciated! Thanks! :D
Nothing jumps out at me as being broken, and you don't report crashing (which is what will generally happen if you rape the fpu stack), so I think congratulations are in order! Good job.
Creativity is a huge part of creating cunning hacks - you were able to correctly predict something that the machine was doing and identify an exploitable weakness. That's significant. You have a bright future, and I'm looking forward to using your future hacks.
_________________
A nagy kapu mellett, mindig van egy kis kapu. (Next to the big gate, there is always a little gate.)
----------------------
Come on...
h3x1c Master Cheater
Reputation: 17
Joined: 27 Apr 2013 Posts: 306
Posted: Sun Mar 15, 2015 12:47 pm
vng21092 wrote:
Here are my thoughts
As far as preserving the stack, you didn't load anything onto the stack so you didn't ruin anything.
Thanks for the feedback! My original solution was only intended for the win condition in this particular game. I knew it wasn't an optimal one to apply across all games, but I basically wanted to come up with some other way to "win" Step 9 than basing code on comparing the team number.
What your solution did was help me solidify how wrapped-up I was in worrying about the value stored in [ebx+04]. Man, I was going NUTS last week trying to mess with FPU instructions and the general registers. I kept getting error after error and just not understanding why! Ultimately, I was fixated on making this specific logic happen:
Quote:
See if health is equal to 500. (This, alone, was giving me a headache until I finally found (float) to use.)
If it is, then load the current value of health into ST(0).
Keep the reverse-subtract instruction, so [ebx+04]-ST(0).
Cross my fingers and hope the resulting value of 0 created insta-death for players 3 and 4.
For the purpose of the thought exercise, I could have kept my health compare, but after that, all I needed was your suggestion of mov [ebp-30],0 at the end, like you said.
I'll tell you, before last week, I hadn't even heard of the FPU registers, so it was a really great (see: frustrating) learning experience, even if my solution was completely unnecessary, lol.
My question about the stack was pertaining to the FPU stack when I loaded [ebx+04] into ST(0). I didn't know if I should have preserved what was in ST(0) beforehand (perhaps for some calculation that needed that original value of ST(0) after my code injection). I still have a lot to learn about the FPU and its instructions (and assembly in general, for that matter, lol), so I may not even be asking a valid question there.
Anyway, thanks again for the feedback. I appreciate the help!
--------------------------------------------------------------------------------
justa_dude wrote:
Nothing jumps out at me as being broken, and you don't report crashing (which is what will generally happen if you rape the fpu stack), so I think congratulations are in order! Good job.
Creativity is a huge part of creating cunning hacks - you were able to correctly predict something that the machine was doing and identify an exploitable weakness. That's significant. You have a bright future, and I'm looking forward to using your future hacks.
Hey, thanks a lot for the kind words, man! That kind of feedback really, really means a lot and helps to inspire someone like me to keep pressing forward. I *still* have to get into your WINDBG tutorials with Terraria and all; I'm really looking forward to that this week.
It's great that this forum is such a supportive community. These kinds of responses are really awesome for helping people to continue building their skills. I hope that I can put out some good stuff one of these days for you all to enjoy. =)
vng21092 Grandmaster Cheater
Reputation: 15
Joined: 05 Apr 2013 Posts: 644
Posted: Sun Mar 15, 2015 12:58 pm
Yep, no problem, glad I could help. On another note, here's a great reference page: http://x86.renejeschke.de/ If you don't understand an instruction, find it on there and it goes into great detail on what it actually does. Have fun
justa_dude Grandmaster Cheater
Reputation: 23
Joined: 29 Jun 2010 Posts: 893
Posted: Sun Mar 15, 2015 2:41 pm
h3x1c wrote:
My question about the stack was pertaining to the FPU stack when I loaded [ebx+04] into ST(0).
Yes, you can crash games badly if you change the fpu stack. But loading something new into the stack doesn't erase the old value necessarily. It's like loading a bullet into a revolver. As long as there is an empty chamber, the whole thing just spins around once. If you arbitrarily load multiple values but still only pop one off (or fst vs fstp, for example), then maybe you'd have a problem. You can always step through some code with the debugger and watch the fpu stack to better understand what's going on.
edit: here's a doc that describes the x87 FPU stack more eloquently than I do.
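Added example, not code from the thread, from Cheat Engine or from the tutorial: a small Python model of the x87 register stack that replays the three snippets in this thread (the tutorial's original fild/fsubr/fstp, h3x1c's health compare, and vng21092's ID check) and shows the "revolver" behaviour justa_dude describes above, where a push with no matching pop eventually lands on an occupied register. The memory layout (health float at [ebx+04], ID dword at [ebx+10], damage integer at [ebp-34], result float at [ebp-30]) is taken from the snippets; the sample values in sample_mem() and the names X87, float_bits, original_code, h3x1c_code, vng21092_code, run_with_live_st0 and pushes_before_fault are mine. The model raises on a push onto an occupied register; real hardware with exceptions masked instead writes a QNaN "indefinite" and sets C1 and IE in the status word.

```python
# Added example: a model of the x87 register stack, not Cheat Engine code and
# not the tutorial's own code. Memory layout follows the thread's snippets;
# the values in sample_mem() are constructed.
import struct

class X87StackFault(Exception):
    """A push found its target register occupied (hardware: C1=1, IE=1)."""

class X87:
    """Eight registers R0..R7 behind a 3-bit TOP pointer; ST(i) is R[(TOP+i)%8].
    A tag per register says whether it is empty. Pushes decrement TOP, pops
    increment it, so a push with no matching pop eventually hits a live slot."""
    def __init__(self):
        self.regs = [0.0] * 8
        self.empty = [True] * 8
        self.top = 0                  # FINIT state; the first push moves TOP to 7
    def depth(self):                  # number of live registers
        return self.empty.count(False)
    def st(self, i=0):
        return self.regs[(self.top + i) % 8]
    def _push(self, value):
        new_top = (self.top - 1) % 8
        if not self.empty[new_top]:
            # With exceptions masked real hardware writes a QNaN indefinite and
            # carries on; the model raises so the fault is visible.
            raise X87StackFault("push onto occupied R%d" % new_top)
        self.top = new_top
        self.regs[new_top] = value
        self.empty[new_top] = False
    def fld(self, m32):               # fld dword ptr [mem]
        self._push(float(m32))
    def fild(self, m32int):           # fild dword ptr [mem]
        self._push(float(int(m32int)))
    def fsubr(self, m32):             # fsubr dword ptr [mem]: ST(0) = mem - ST(0)
        self.regs[self.top] = float(m32) - self.st()
    def fstp(self):                   # fstp dword ptr [mem]: return ST(0), then pop
        value = self.st()
        self.empty[self.top] = True
        self.top = (self.top + 1) % 8
        return value

def float_bits(x):
    """32-bit pattern of a float: what cmp [mem],(float)500.0 actually compares."""
    return struct.unpack("<I", struct.pack("<f", x))[0]

def sample_mem(health=500.0, team=2, damage=13):
    """Constructed memory image: health float, ID dword, damage int, result float."""
    return {"ebx+04": health, "ebx+10": team, "ebp-34": damage, "ebp-30": 0.0}

def original_code(fpu, mem):
    """The tutorial's untouched routine: [ebp-30] = health - damage."""
    fpu.fild(mem["ebp-34"])
    fpu.fsubr(mem["ebx+04"])
    mem["ebp-30"] = fpu.fstp()
    return mem["ebp-30"]

def h3x1c_code(fpu, mem):
    """h3x1c's snippet: if health is exactly 500.0f, store health - health."""
    if float_bits(mem["ebx+04"]) != float_bits(500.0):   # cmp ... / jne originalcode
        return original_code(fpu, mem)
    fpu.fld(mem["ebx+04"])
    fpu.fsubr(mem["ebx+04"])
    mem["ebp-30"] = fpu.fstp()
    return mem["ebp-30"]

def vng21092_code(fpu, mem):
    """vng21092's snippet: ID 1 (the player) runs the original code; anyone
    else gets the normal math and then a plain zero written over the result."""
    if mem["ebx+10"] == 1:                                # cmp [ebx+10],1 / je originalcode
        return original_code(fpu, mem)
    fpu.fild(mem["ebp-34"])
    fpu.fsubr(mem["ebx+04"])
    mem["ebp-30"] = fpu.fstp()
    mem["ebp-30"] = 0.0                                   # mov [ebp-30],0
    return mem["ebp-30"]

def run_with_live_st0(hook, seed=1.5):
    """Run a hook while the game still has `seed` in ST(0); return what the hook
    wrote, then ST(0) and the stack depth afterwards."""
    fpu = X87()
    fpu.fld(seed)
    written = hook(fpu, sample_mem())
    return written, fpu.st(), fpu.depth()

def pushes_before_fault(n):
    """Push n values with no pops; count how many succeed before the fault."""
    fpu, done = X87(), 0
    try:
        for i in range(n):
            fpu.fld(i)
            done += 1
    except X87StackFault:
        pass
    return done
```

run_with_live_st0(h3x1c_code) returns (0.0, 1.5, 1): the hook wrote a zero, and because its fld is paired with an fstp, the 1.5 the game had in ST(0) before the injection is back at ST(0) afterwards with the depth unchanged. That is the balanced case; it holds provided at least one register is empty at the hook point, which is the thing to confirm by single-stepping with the FPU view, as justa_dude suggests. pushes_before_fault(10) returns 8: the ninth fld with no pop in between targets R7, which still holds the first value, and that is the "revolver with no empty chamber" case that crashes games.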