Cheat Engine The Official Site of Cheat Engine
vng21092 (Grandmaster Cheater)
Posted: Sat Apr 25, 2015 12:27 am, Post subject: Using compares?
OK, just to keep it short. In some games where instructions access many other things than they're supposed to, it can be tricky to find consistent filters to grab the correct values. So I thought, why not use the current in-game value as a filter, because it ALWAYS has to be correct, right? So, if I do something like this:

Code:
[Enable]
.
.
.
label(money)
registersymbol(money)
someInstruction:
cmp [eax],money
jne originalcode
mov [eax],#999999
jmp returnhere
originalcode:
mov [eax],ebx
jmp returnhere
money:
dd 0
.
.
.
[Disable]
.
.
.

and in game, add "money" to the address list and change its value to the current in-game value, the compare doesn't work out and it ends up jumping to the original code. But THIS works:

Code:
[Enable]
.
.
.
someInstruction:
cmp [eax],#xx
jne originalcode
mov [eax],#999999
jmp returnhere
originalcode:
mov [eax],ebx
jmp returnhere
.
.
.
[Disable]
.
.
.

where #xx (not a registered symbol, just a value) would be the current in-game value. Why doesn't the first solution work but the second one does? When I change the value of "money" in the address list to what #xx is in the second one, shouldn't it work? Even if I initialize "money" as the value of #xx it still doesn't work, why? How can I get the first solution to work?
Geri (Moderator)
Posted: Sat Apr 25, 2015 12:51 am
Because "money" is the address, not the value. The value is [money], that's what you have to compare to [eax].
So you have to do something like this:

Code:
mov ebx,[money]
cmp [eax],ebx

Of course don't forget to push and pop the register that you use.
mgr.inz.Player (I post too much)
Posted: Sat Apr 25, 2015 4:29 am
+1
Also, check what's in "original code" and below. There could be a register which you can use.
Example:

Code:
89 18 - mov [rax],ebx <--- hackpoint
48 83 C4 20 - add rsp,20
8B 72 40 - mov esi,[rdx+40]

As you see, the ESI register will change anyway, and it's not used in lines 1 and 2.
The script will be:

Code:
newmem:
mov esi,[money]
cmp [rax],esi
jne originalcode
mov ebx,#999999
originalcode:
mov [rax],ebx
add rsp,20
jmp returnhere
money:
dd 0
"game"+00124568:
jmp newmem
nop
returnhere:
//mov [rax],ebx <--- hackpoint
//add rsp,20
//mov esi,[rdx+40]
vng21092 (Grandmaster Cheater)
Posted: Sat Apr 25, 2015 7:15 am
Ahh, I got it to work, thanks a lot guys. This is what I ended up with:

Code:
ic_1:
cmp [setMoney_status],0
je notMoney
push eax
mov eax,[oldMoney]
cmp [rbx],eax
pop eax
jne notMoney
movss xmm5,[newMoney]
movss [rbx],xmm5
add rsp,20
mov [setMoney_status],0
jmp returnhere_ic_1

One more question... how do I know which registers I can use? Like, I just used eax for this one and it worked, but what's wrong with using esi, edi, or other ones; is there a difference?
Geri (Moderator)
Posted: Sat Apr 25, 2015 9:10 am
Don't use EBP and ESP, because they are often used for stack calculations. In some cases you can use EBP, but better not do it if you don't have to. You should absolutely not use ESP, because some instructions, such as push or pop, affect ESP, because they are using the stack.
Don't use EIP, because that's a special pointer which points to the next code line that will be executed. (E.g. changing the value of EIP to a certain address is equal to doing a jump; you can use this trick if you are debugging and you want to alter the flow of the program without adding a jump instruction.)
The other registers are used freely for all kinds of general purposes, so you can play with them.
mgr.inz.Player (I post too much)
Posted: Sat Apr 25, 2015 9:26 am
vng21092 wrote: what's wrong with using esi, edi, or other ones, is there a difference?

If it doesn't break the flow, nothing wrong.

Code:
mov [rax],ebx <--- hackpoint
add rsp,20
mov esi,[rdx+40]

You highlight this line and create the AA script by using templates or manually.

Code:
mov [rax],ebx <--- hackpoint

This part will be added to the 'originalcode' section, because "jmp newmem" takes 5 bytes and "mov [rax],ebx" is 2 bytes long.
This line doesn't show up in the automatically created AA script. But we can still analyze it.
And of course other lines below....
line1 - mov [rax],ebx
line2 - add rsp,20
line3 - mov esi,[rdx+40]
line4 - something (not a call or jump)
line5 - something (not a call or jump)
line6 - mov r15,r10
If you need a CPU register, because you don't want to use too many pushes and pops or the code doesn't allow messing with the stack, you can try to look for a 'free to use register'.
And that means a register which can be changed without side effects, because its value is re-written anyway.
line 1 - we need both registers
line 2 - do not touch RSP, only when you really know what you are doing
line 3 - we see that the content of [RDX+40] is written to ESI. And ESI does not show up in line 1 and line 2. Candidate #1.
line 6 - if R15 doesn't show up in line1-line5, we can safely use R15, candidate #2.
Sometimes it is better to analyze 20 lines above and 20 lines below our hackpoint.
vng21092 (Grandmaster Cheater)
Posted: Sat Apr 25, 2015 12:39 pm
mgr.inz.Player wrote:
If you need a CPU register, because you don't want to use too many pushes and pops or the code doesn't allow messing with the stack, you can try to look for a 'free to use register'.
And that means a register which can be changed without side effects, because its value is re-written anyway.

If I write code that pushes something onto the stack and then pops it at the end of my code, wouldn't the stack look the same as it was before my code executed? How does the stack get messed up? Also, is there any way to find "free" registers? I usually toggle a breakpoint and if on the right the register stays black, I just assume it is "free"; is this bad practice?
justa_dude (Grandmaster Cheater)
Posted: Sat Apr 25, 2015 1:19 pm
vng21092 wrote:
mgr.inz.Player wrote:
If you need a CPU register, because you don't want to use too many pushes and pops or the code doesn't allow messing with the stack, you can try to look for a 'free to use register'.
And that means a register which can be changed without side effects, because its value is re-written anyway.

If I write code that pushes something onto the stack and then pops it at the end of my code, wouldn't the stack look the same as it was before my code executed? How does the stack get messed up? Also, is there any way to find "free" registers? I usually toggle a breakpoint and if on the right the register stays black, I just assume it is "free"; is this bad practice?

Yes, if you push and pop correctly you can restore the stack (save messing w/ eip or esp as Geri mentioned above). In a tightly nested game loop or some other area where performance is crucial, it will be computationally expensive to push/pop registers versus simply making use of unused registers. You can identify unused/free registers by looking for those which are written before they are read following your injection point.
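The "written before it is read" rule that mgr.inz.Player walks through line by line and justa_dude states in one sentence, as an added example that is not from this thread or from Cheat Engine: a small Python liveness pass over a simplified x86 listing. It goes a little beyond the posts in that it folds 32-bit aliases (ESI, R15D) onto their 64-bit registers and stops at the first branch; the listing is constructed from the thread's lines 1-3 and 6, with lines 4, 5 and 7 filled in, and only the instruction forms used in the thread are modelled.

```python
import re
# Canonical 64-bit names for the 32-bit aliases seen in the listing (eax -> rax, ...).
ALIAS = {"e" + n: "r" + n for n in ("ax", "bx", "cx", "dx", "si", "di", "bp", "sp")}
GPR = re.compile(r"r(ax|bx|cx|dx|si|di|bp|sp|[89]|1[0-5])")

def canon(tok):
    """Map a token to its 64-bit general-purpose register name, or None if not one."""
    tok = ALIAS.get(tok.strip().lower(), tok.strip().lower())
    tok = tok[:-1] if re.fullmatch(r"r\d+d", tok) else tok      # r15d -> r15
    return tok if GPR.fullmatch(tok) else None

def operand_regs(op):
    """Registers an operand reads; a memory operand reads its base/index registers."""
    if op.strip().startswith("["):
        return {r for r in map(canon, re.split(r"[+*-]", op.strip(" []"))) if r}
    return {canon(op)} - {None}

def reads_writes(insn):
    """(reads, writes) register sets for one instruction; (None, None) on a branch."""
    mnem, _, rest = insn.strip().lower().partition(" ")
    if mnem.startswith("j") or mnem in ("call", "ret"):
        return None, None                             # flow leaves the block: stop here
    reads, writes = set(), set()
    for i, op in enumerate(o for o in rest.split(",") if o.strip()):
        regs = operand_regs(op)
        if i == 0 and mnem not in ("cmp", "test") and not op.strip().startswith("["):
            writes |= regs                            # first operand is the destination
            if mnem in ("mov", "movss", "pop"):       # fully overwritten, so not a read
                continue
        reads |= regs                                 # sources, compares, address registers
    if mnem in ("push", "pop"):
        reads.add("rsp"); writes.add("rsp")           # stack ops implicitly touch RSP
    return reads, writes

def free_registers(listing, start):
    """Registers whose first access after listing[start] is a write: safe to clobber."""
    live, free = set(), set()                         # first access decides, later ones do not
    for insn in listing[start:]:
        reads, writes = reads_writes(insn)
        if reads is None:
            break
        live |= reads - free
        free |= writes - live
    return free - {"rsp", "rbp"}                      # never hand out stack/frame pointers

# Constructed listing: lines 1-3 and 6 follow the post, lines 4, 5 and 7 are filled in.
LISTING = ["mov [rax],ebx", "add rsp,20", "mov esi,[rdx+40]",   # lines 1-3, hackpoint first
           "mov [rax+8],esi", "cmp ecx,edx", "mov r15,r10",      # lines 4-6
           "jmp 0x140001000"]                                    # line 7: analysis stops here
```

free_registers(LISTING, 0) reports RSI and R15, the two candidates named in the thread; a register read before any write (RAX, RBX, RDX, R10 here) stays live even if it is overwritten later.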