elusiveness (Newbie cheater, Reputation: 1, Joined: 16 Feb 2016, Posts: 22)
Posted: Sun Feb 28, 2016 7:08 am
Post subject: Why is CE rewriting opcodes on the fly on memory viewer
Hi there,
I've been using Cheat Engine for a while now, and I finally decided to "understand" how to make cheats instead of using them mindlessly. Until now I managed to find my way by myself with the help file/YouTube/Google, but now I'm a little confused and struggling to understand the behavior of Cheat Engine inside the memory viewer. So here is my problem: when I follow an opcode that writes (find out what writes this address) and end up in the memory viewer, I see this:
1) Before I scroll up:
i.imgur.com/VScAVVT.png
And scrolling up in the memory viewer to understand what the code does, CE starts to behave in a weird way by rewriting opcodes on the fly with nonsense values.
2) After I scrolled up:
i.imgur.com/yLDW7U9.png
Why does CE behave this way?
Last thing, not really related, but can somebody explain to me how CE translates 3 hex values into such a complex instruction?
i.imgur.com/aAK0gS7.png
Is there some kind of register table or hidden logic behind this? Please explain.
mgr.inz.Player (I post too much, Reputation: 222, Joined: 07 Nov 2008, Posts: 4438, Location: W kraju nad Wisla. UTC+01:00)
Posted: Sun Feb 28, 2016 8:11 am
Post subject: Re: Why is CE rewriting opcodes on the fly on memory viewer
elusiveness wrote:
> Hi there,
> I've been using Cheat Engine for a while now, and I finally decided to "understand" how to make cheats instead of using them mindlessly. Until now I managed to find my way by myself with the help file/YouTube/Google, but now I'm a little confused and struggling to understand the behavior of Cheat Engine inside the memory viewer. So here is my problem: when I follow an opcode that writes (find out what writes this address) and end up in the memory viewer, I see this:
> 1) Before I scroll up:
> And scrolling up in the memory viewer to understand what the code does, CE starts to behave in a weird way by rewriting opcodes on the fly with nonsense values.
> 2) After I scrolled up:
> Why does CE behave this way?
Normal thing. After scrolling up you sometimes have to adjust it by using the arrow keys on the keyboard.
Press the left arrow a few times until you see the found opcode again.
Also, it could be a bug inside Cheat Engine's disassembler unit: it could disassemble an instruction incorrectly, causing the following lines to be disassembled at wrong offsets.
Or they (the developers) intentionally added garbage between 30D2468 and 30D246C to fool the disassembler.
elusiveness wrote:
> Last thing, not really related, but can somebody explain to me how CE translates 3 hex values into such a complex instruction?
> Is there some kind of register table or hidden logic behind this? Please explain.
Disassembler. Google it.
Last edited by mgr.inz.Player on Sun Feb 28, 2016 9:01 am; edited 1 time in total
elusiveness (Newbie cheater, Reputation: 1, Joined: 16 Feb 2016, Posts: 22)
Posted: Sun Feb 28, 2016 9:00 am
Post subject: Re: Why is CE rewriting opcodes on the fly on memory viewer
mgr.inz.Player wrote:
> Why does CE behave this way?
> Normal thing. After scrolling up you sometimes have to adjust it by using the arrow keys on the keyboard.
> Press the left arrow a few times until you see the found opcode again.
> Also, it could be a bug inside Cheat Engine's disassembler unit: it could disassemble an instruction incorrectly, causing the following lines to be disassembled at wrong offsets.
Thank you for your answer. So I pressed the left arrow a few times, which decremented the top window value (whatever.exe+30D241C, then whatever.exe+30D241B) and scrolled up the memory view, but the wrong value (mov eax,[49481C894466E337]) still remains.
mgr.inz.Player wrote:
> Disassembler. Google it.
I already began reading the IDA book, which explains how disassembling works; I must say it is a very deep and complicated subject for the humble beginner I am. I believe it's probably the same for CE. No, I was just looking for a simple hint so I can continue experimenting more comfortably with the cheat tables without having to read a whole bible, but anyway, thank you.
mgr.inz.Player (I post too much, Reputation: 222, Joined: 07 Nov 2008, Posts: 4438, Location: W kraju nad Wisla. UTC+01:00)
Posted: Sun Feb 28, 2016 9:13 am
Double-click the line at address 30D2468
and type:
db 90 90 90 90
Looks like they added garbage there.
elusiveness (Newbie cheater, Reputation: 1, Joined: 16 Feb 2016, Posts: 22)
Posted: Sun Feb 28, 2016 9:42 am
So I did as you wished.
Before: i.imgur.com/sB2b4fD.png
And as a result the software crashed.
After: i.imgur.com/0hDEZTD.png
Meas (Newbie cheater, Reputation: 0, Joined: 31 Oct 2015, Posts: 17)
Posted: Sun Feb 28, 2016 10:26 am
Yeah, seems like Cheat Engine is shifting the byte order, and thus the instructions change because it starts reading in the middle of a WORD.
EDIT: if you look at the hex editor (below the disassembler) you'll see that the yellow lines shift horizontally when you scroll. But only under a certain condition... maybe if the process is currently writing close to it?
elusiveness (Newbie cheater, Reputation: 1, Joined: 16 Feb 2016, Posts: 22)
Posted: Sun Feb 28, 2016 11:19 am
Measurity wrote:
> Yeah, seems like Cheat Engine is shifting the byte order, and thus the instructions change because it starts reading in the middle of a WORD.
> EDIT: if you look at the hex editor (below the disassembler) you'll see that the yellow lines shift horizontally when you scroll. But only under a certain condition... maybe if the process is currently writing close to it?
Hello, thank you for your answer. So I did as asked, and I noticed nothing moving in the hex editor.
Also, I don't know if this is relevant, but I changed the following:
whatever.exe+30D246D - 44 89 1C 48 - mov [rax+rcx*2],r11d
to
whatever.exe+30D246D - 44 89 2C 48 - mov [rax+rcx*2],r13d
Maybe it's just luck, but I got more or less the expected behavior (the value was replaced by a static 0x????6490, which is higher than zero; I can see only 2 bytes).
Last edited by elusiveness on Sun Feb 28, 2016 12:19 pm; edited 2 times in total
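Added example, not code from the thread or from Cheat Engine itself: a minimal Python x86-64 decoder that handles only the opcodes met above. It shows how the REX, ModRM and SIB bytes of 44 89 1C 48 are split into fields to give mov [rax+rcx*2],r11d (changing 1C to 2C only changes the ModRM reg field, hence r13d), and how a linear sweep that starts a few bytes too early reads a stray A1 opcode as mov eax,[moffs64] and swallows the real instruction: read as eight little-endian bytes, the address 49481C894466E337 from the thread contains 44 89 1C 48. The byte sequence below is constructed to reproduce that and is not a dump of the user's binary; which bytes really precede the instruction in that binary is unknown.

```python
# Added example (not Cheat Engine's code): tiny x86-64 decoder for the opcodes
# met in this thread; the sample bytes below are constructed, not a real dump.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
         "r8d", "r9d", "r10d", "r11d", "r12d", "r13d", "r14d", "r15d"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
def decode_one(code, pos):
    """Decode the instruction at code[pos]; return (text, byte_length).
    Handles optional REX, 90 (nop), A1 (mov eax,[moffs64]) and 89 /r
    (mov r/m32,r32) with mod=3 or mod=0 and no displacement; any other
    byte is emitted as 'db XX' and the sweep advances by one byte."""
    i = pos
    rex_w = rex_r = rex_x = rex_b = 0
    if 0x40 <= code[i] <= 0x4F:                     # REX prefix: 0100 W R X B
        rex_w, rex_r = (code[i] >> 3) & 1, (code[i] >> 2) & 1
        rex_x, rex_b = (code[i] >> 1) & 1, code[i] & 1
        i += 1
    op, i = code[i], i + 1
    if op == 0x90 and not rex_b:
        return "nop", i - pos
    if op == 0xA1:                                  # moffs64: swallows 8 more bytes
        addr = int.from_bytes(code[i:i + 8], "little")
        return f"mov eax,[{addr:016X}]", i + 8 - pos
    if op == 0x89:
        modrm, i = code[i], i + 1
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        regs = REG64 if rex_w else REG32            # REX.W selects 64-bit operands
        src = regs[reg | (rex_r << 3)]              # REX.R extends the reg field
        if mod == 3:                                # register-direct form
            return f"mov {regs[rm | (rex_b << 3)]},{src}", i - pos
        if mod == 0 and rm == 4:                    # SIB byte: scale, index, base
            sib = code[i]
            scale, index = 1 << (sib >> 6), ((sib >> 3) & 7) | (rex_x << 3)
            base = (sib & 7) | (rex_b << 3)
            if (base & 7) != 5 and index != 4:      # forms needing a displacement skipped
                return f"mov [{REG64[base]}+{REG64[index]}*{scale}],{src}", i + 1 - pos
        elif mod == 0 and rm != 5:                  # [reg] with no displacement
            return f"mov [{REG64[rm | (rex_b << 3)]}],{src}", i - pos
    return f"db {code[pos]:02X}", 1
def linear_sweep(code, start, count):
    """Disassemble `count` consecutive instructions from offset `start`."""
    out, pos = [], start
    for _ in range(count):
        text, n = decode_one(code, pos)
        out.append((pos, text))
        pos += n
    return out
# Constructed: four stray bytes, then the thread's 44 89 1C 48, then 49 89 C0.
CODE = bytes.fromhex("A1 37 E3 66 44 89 1C 48 49 89 C0")
PATCHED = bytes.fromhex("90 90 90 90") + CODE[4:]   # the "db 90 90 90 90" fix
```

Sweeping CODE from offset 0 yields mov eax,[49481C894466E337] and then a wrong mov eax,eax, while sweeping from offset 4 yields the real mov [rax+rcx*2],r11d followed by mov r8,rax; PATCHED decodes cleanly from offset 0 because the stray bytes became nops, which is what the db 90 90 90 90 advice above achieves.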
mgr.inz.Player (I post too much, Reputation: 222, Joined: 07 Nov 2008, Posts: 4438, Location: W kraju nad Wisla. UTC+01:00)
Posted: Sun Feb 28, 2016 11:19 am
elusiveness wrote:
> And as a result the software crashed.
It asked you to add nops; click "no".
elusiveness (Newbie cheater, Reputation: 1, Joined: 16 Feb 2016, Posts: 22)
Posted: Sun Feb 28, 2016 11:30 am
mgr.inz.Player wrote:
> elusiveness wrote:
> > And as a result the software crashed.
> It asked you to add nops; click "no".
No crash this time.