Cheat Engine The Official Site of Cheat Engine
Punz1A4 Cheater
Reputation: 0
Joined: 10 Jun 2016 Posts: 25
Posted: Wed Aug 23, 2017 1:45 pm    Post subject: Using struct pointed by nearby addr as filter crashes game

There are a lot of addresses going through the opcode I wanted to alter, so I needed to filter them out somehow.
Found a constant value held in a structure pointed to by an address near the one I want to modify via script; however, the code below crashes the game very often (not instantly though).
Code:
push edx
mov edx,[edi-30]            // address of the structure is in [edi-30]
cmp edx,0                   // exit if null
jz @f
cmp [edx+4],0x0000f25a      // 0xf25a is a constant; this is the line that faults
jne @f
movss xmm0,[edi+14]         // [edi+14] is max shields
@@:
pop edx
movss [edi],xmm0            // original code
pop edi                     // original code
jmp return
Did some testing, and the line that crashes the game is cmp [edx+4],0x0000f25a. So it seems like checking whether edx is 0 isn't enough - what am I missing?
OldCheatEngineUser Whateven rank
Reputation: 20
Joined: 01 Feb 2016 Posts: 1586
Posted: Wed Aug 23, 2017 2:13 pm    Post subject:

0x00 means an address, and I'm not sure if Lua accepts this syntax for addressing.
If you want to compare a value in a register, then you can use these two simple ways:
- cmp [reg+off],imm value
or
- cmp [reg+off],reg
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote:
> i am a sweetheart.
Punz1A4 Cheater
Reputation: 0
Joined: 10 Jun 2016 Posts: 25
Posted: Wed Aug 23, 2017 2:34 pm    Post subject:

I've checked - it's not that. I think I remember DB saying that the 0x is just a notation that makes the numbers that follow hexadecimal. The difference is that CE defaults all numbers without # before them to hex, so 0x is optional. I just use it to remind myself that the notation is hexadecimal.
As for the problem, I used "find out what addresses this instruction accesses" on the line that causes crashes, and just before another crash there was an address listed with the value "???".
So while I'm not an expert in assembly, I think it's kind of like, say, using a null object in a statement in Java, which causes a NullPointerException. That's why you have to check whether the object being used is null in the first place.
I don't know how to mirror that behaviour for my current problem though...
Also, since [edi-30] holds a pointer only in some cases, is there a possibility that [edx+4] will check an address that lies outside the currently attached process, resulting in the "???" value? If so, how can I prevent that?
Last edited by Punz1A4 on Wed Aug 23, 2017 6:05 pm; edited 1 time in total
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4711
OldCheatEngineUser Whateven rank
Reputation: 20
Joined: 01 Feb 2016 Posts: 1586
Posted: Wed Aug 23, 2017 3:06 pm    Post subject:

Punz1A4 wrote:
> Also, since [edi-30] holds a pointer only in some cases, is there a possibility that [edx+4] will check an address that lies outside the currently attached process, resulting in the "???" value? If so, how can I prevent that?

This is interesting to me, because I never (and maybe never will) put my hands into things like this.
Like an address holding a pointer in some cases - I've never been in this situation.
So I can't be useful at this point, but at least I'll learn something new.
Punz1A4 Cheater
Reputation: 0
Joined: 10 Jun 2016 Posts: 25
Posted: Wed Aug 23, 2017 3:24 pm    Post subject:

ParkourPenguin wrote:
> http://forum.cheatengine.org/viewtopic.php?t=511049

Much love, cookies, and may the bits foster your journey. It appears that I'm bad at googling. Again, thanks a lot!
If anybody would be interested, this did the job for me:
Code:
code:
push edx
mov edx,[edi-30]            // pointer to the structure (not always valid)
pushfd                      // save flags
pushad                      // save all registers; unclear which ones the API call clobbers
push 4                      // size in bytes of the dword to test
lea eax,[edx+4]
push eax                    // address to test
call isbadreadptr           // eax != 0 when the 4 bytes at [edx+4] cannot be read
cmp eax,0
popad                       // popad does not change flags, so the cmp result survives
jne @f                      // unreadable: skip the filter entirely
cmp [edx+4],f25a            // f25a is the constant (CE treats numbers as hex by default)
jne @f
movss xmm0,[edi+14]         // [edi+14] is max shields
@@:
popfd
pop edx
movss [edi],xmm0            // original code
pop edi                     // original code
jmp return
OldCheatEngineUser wrote:
> This is interesting to me, because I never (and maybe never will) put my hands into things like this.
> Like an address holding a pointer in some cases - I've never been in this situation.
> So I can't be useful at this point, but at least I'll learn something new.

I might have worded it poorly - the value at [edi-30] is the base address of a structure which holds a constant I was interested in (so practically the constant was at [[edi-30]+4]) - if you use the "Dissect data/structures" function you must have stumbled upon it many times.