Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


Finding hex values when you don't know the op codes writing?

 
Ralicht
Newbie cheater
Reputation: 0

Joined: 08 Feb 2015
Posts: 20
Location: United States

Posted: Wed Jan 13, 2016 2:08 am

I have a region where a huge selection of functions write values temporarily. From that area, they are passed on to other places. I am tracing some values back to this region where all data is temporarily stored.

I have the address that the values are written to, but I can't just watch it and see what accesses/writes because there are too many. Is there any way to see what specific function is writing to the address when the value is XX?

I thought about using normal breakpoints but it seems like you have to know or have a good idea where the value is being stored to begin with.
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4697

Posted: Wed Jan 13, 2016 10:31 am

Conditional breakpoints.

First of all, click on "Advanced Options" in the bottom left of the main CE window and pause the process.
Then, set whatever type of breakpoint you want on whatever you want, and open up the breakpoint list (Memory View -> View -> Breakpointlist).
Right click on the breakpoint you just made and select "Set/change condition".
I'd recommend switching over to the easy mode. For most conditions, you don't need to do anything complex. Then just write a condition.
For example, if the instruction accessing your address is mov [ebx+5],eax and your address is 0876ABDC, then the condition would be EBX+5 == 0x0876ABDC.
If you want to do that by value and the instruction is writing to your address, then just use whatever's on the right side in the instruction: EAX == 777
If you want to do that by value and it's reading from your address (i.e. mov eax,[ebx+5]), then use one of the readX functions defined in main.lua: readInteger(EBX+5) == 777
Now unpause the process, and it'll only trigger when that condition is true.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Ralicht
Newbie cheater
Reputation: 0

Joined: 08 Feb 2015
Posts: 20
Location: United States

Posted: Wed Jan 13, 2016 2:42 pm

I've tried custom breakpoints and it seemed like the answer at first. Maybe I am not using them correctly? However, this region is written to by hundreds of functions and the source is different each time. It could be any register writing and any address+offset writing.

Is there no way to watch a specific address for just hex values to change to a specific value and then see what wrote to those values? I don't know any of the registers. I know that a certain hex value will become the RSI for the data I am trying to trace.

Here is a screenshot of what it looks like in that area (the top starts the move for another area of code that I have traced to this): https://gyazo.com/681c4483ff288e21c606a4889cc50007
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4697

Posted: Wed Jan 13, 2016 3:21 pm

lol, that's the stack. You'd be much better off using break and trace to backtrace the original instruction to some call that only runs when that value changes. Then break and trace that call when it's run, find the instruction that accesses your address, and backtrace it from there.
Ralicht wrote:
Is there no way to watch a specific address for just hex values to change to a specific value and then see what wrote to those values?

If you don't know the instruction that's writing to the value, it's a bit harder. Since the condition is tested before the instruction is executed (I think), any writes to the address will probably be invalid; however, it should be able to get reads from the address just fine. Just make the condition something like readInteger(0x1BDE60) == 0xDEADBEEF or whatever value you want on the right. If that address is supposed to store another address, then use readQword since that's a 64-bit process.

If you need the writes to that address and you don't want to use break and trace, then I think you can use Lua to do that by keeping track of the last EIP that wrote to that address, look at if the value has changed to the one you're looking for, and if it has, return the last EIP that wrote to that address since that one should be the one that wrote that new value to it. However, you'll need to make sure the only breakpoint you have is that one, since debugger_onBreakpoint() is called for all breakpoints.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
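
The Lua approach from the last reply (remember the last hit, check whether the watched value has become the one you want, then report the instruction pointers), as an added example that was not posted by either participant. It assumes the debugger is already attached and the target is 64-bit; `TARGET` is a constructed placeholder value.

```lua
-- Added example for Cheat Engine's Lua engine; not code from the thread.
-- WATCH_ADDR is the address quoted in the post; TARGET is a constructed placeholder.
local WATCH_ADDR = 0x1BDE60
local TARGET     = 0x7FF612340000          -- constructed sample value (pointer-sized)

-- State carried between breakpoint hits.
local lastRip   = nil
local lastValue = readQword(WATCH_ADDR)    -- seed with the current contents

local function hex(v)
  return v and string.format("%X", v) or "n/a"
end

-- CE calls this for every breaking breakpoint and single step, so the write
-- breakpoint below must be the only breakpoint set while this is defined.
function debugger_onBreakpoint()
  local rip   = RIP or EIP                 -- RIP on 64-bit targets, EIP on 32-bit
  local value = readQword(WATCH_ADDR)      -- nil if the address is unreadable

  if value == TARGET and lastValue ~= TARGET then
    -- The value has just become TARGET. Depending on whether the hit is
    -- reported before or after the write completes, the writer is either at
    -- the previous hit or just before the current one, so report both.
    print("value is now  " .. hex(value))
    print("current hit:  " .. hex(rip))
    print("previous hit: " .. hex(lastRip))
    lastRip, lastValue = rip, value
    return 0                               -- stay broken and update the CE UI
  end

  lastRip, lastValue = rip, value
  debug_continueFromBreakpoint(co_run)     -- not the wanted value: keep running
  return 1                                 -- non-zero: do not update the UI
end

-- 8-byte write breakpoint on the watched address.
debug_setBreakpoint(WATCH_ADDR, 8, bptWrite)
```

When finished, remove the breakpoint with `debug_removeBreakpoint(WATCH_ADDR)` and set `debugger_onBreakpoint = nil` so other breakpoints behave normally again.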
All times are GMT - 6 Hours