Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Pointer in ASM

GweiLi (Joined: 11 Oct 2018, Posts: 3)
Posted: Thu Oct 11, 2018 12:57 am    Post subject: Pointer in ASM

Hello, I'm new to CE and I'm learning it right now.

There is a cheat program that a friend of my friend made a long time ago; now I'm trying to re-create the cheat from that program so I can get used to ASM.

This is what the memory looks like after activating the cheat program:
(please check cheat.png attachment)


This is what the memory looks like after activating my script:
(please check myscript.png attachment)


I think it is quite good so far, but the problem is the instruction call dword ptr [0A520000] in the cheat program image. I looked at the Tracer and know that 0A520000 is a pointer to main.exe+71FF74; 0A520000 changes every time the cheat program is activated, so I know the author must have written a script to make it the pointer to main.exe+71FF74.

I don't know how to do it like he did, so I think I will use the pointer of the game.
I found out that ["main.exe"+00F12AEC]+5AC is the pointer to main.exe+71FF74, so I tried to put it in the call opcode, but as you can see in the image, it points to another address, main.exe+71F9C8.

Then I tried another way:
Quote:
pointer:
push eax
mov eax,["main.exe"+00F12AEC]
mov eax,[eax+5AC]
mov [pointer],eax
pop eax

call dword ptr[pointer]+0


But the result is still the same.
(please check pointer.png attachment)

This is my script:
Quote:
define(address,"main.exe"+9F1B45A)
define(bytes,6A 00 6A 01 8D 8D BC C2 FF FF)

[ENABLE]
assert(address,bytes)
alloc(newmem,$1000)
alloc(test1,4)
alloc(pointer,4)
label(loop)
label(oricode)
label(return)

test1:
db 00 00 00 00

pointer:
push eax
mov eax,["main.exe"+00F12AEC]
mov eax,[eax+5AC]
mov [test2],eax
pop eax

newmem:
add dword ptr[test1],01
push 00
push 01
lea ecx,[ebp-00003D44]
call dword ptr [pointer]+0
pop eax
pop eax
push edx
mov edx,[main.exe+2C4]
cmp [test1],edx
jl loop

oricode:
mov [test1],00000000
pop edx
push 00
push 01
lea ecx,[ebp-00003D44]
jmp return

loop:
pop edx
jmp newmem


address:
jmp newmem
nop
nop
nop
nop
nop
return:

[DISABLE]

address:
db bytes
// push 00
// push 01
// lea ecx,[ebp-00003D44]

dealloc(newmem)
dealloc(test1)
dealloc(pointer)


I know it would be easier to just call [main.exe+71FF74], but after I did that the game crashed, so I think there must be some reason the author calls a pointer.

Sorry for this long post and my bad English, but I hope somebody can help me.


Attachments:
cheat.PNG: This is what the memory looks like after activating the cheat program.
myscript.png: This is what the memory looks like after activating my script.
pointer.png: my pointer script result

sbryzl (Joined: 25 Jul 2016, Posts: 152)
Posted: Thu Oct 11, 2018 2:58 am

Under your pointer label you have assembly instructions, which would be fine if you didn't have an instruction trying to use it as a pointer. If those are the instructions you want to call, then you would use
call pointer
instead of
call dword ptr [pointer]

Also there should be a 'ret' at the end of your called function to return from the function and reset the stack.

Also your derived address in
mov eax,["main.exe"+00F12AEC]
will likely be wrong, since there's a good chance the allocated memory you're trying to read will be different every time you enable the script. You are probably trying to load the value in test1, which would look like this:
mov eax,[test1]
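The distinction sbryzl draws, as an added example in C that is not part of this thread or of Cheat Engine: `call pointer` jumps to the code at the label itself, while `call dword ptr [pointer]` loads the 4 bytes stored at the label and jumps to whatever value they form. The routine add_one and the cell slot are made up for the illustration, and pointer_label_bytes is a constructed encoding of the script's first two instructions at "pointer:" (push eax, mov eax,[disp32]) with placeholder displacement bytes, since the real address is not known here.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical routine standing in for the code at the "pointer:" label. */
static int add_one(int x) { return x + 1; }

typedef int (*fn_t)(int);

/* A 4-byte cell that really does hold a code address.
 * This is what `call dword ptr [slot]` expects to find at the label. */
static fn_t slot = add_one;

/* `call add_one`: the label names the code itself, so execution lands there. */
int call_direct(int x) { return add_one(x); }

/* `call dword ptr [slot]`: the label names a 4-byte cell; the CPU loads the
 * address stored in it and jumps to that address. */
int call_indirect(int x) { return slot(x); }

/* Read the first 4 bytes at a label as a little-endian dword, which is
 * exactly what an indirect call does with whatever bytes sit there. */
uint32_t dword_at(const unsigned char *p) {
    return (uint32_t)p[0]
         | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16)
         | ((uint32_t)p[3] << 24);
}

/* Constructed: x86 encoding of `push eax` (50) followed by `mov eax,[disp32]`
 * (A1 + 4 displacement bytes). The displacement 11 22 33 44 is a placeholder. */
static const unsigned char pointer_label_bytes[] = { 0x50, 0xA1, 0x11, 0x22, 0x33, 0x44 };

int main(void) {
    printf("direct call   -> %d\n", call_direct(41));
    printf("indirect call -> %d\n", call_indirect(41));
    /* The indirect form would treat the instruction bytes as an address and
     * jump to 0x2211A150, not to the instructions, which is the crash sbryzl
     * and TheyCallMeTim13 describe. */
    printf("call dword ptr [pointer] would jump to %08X\n", dword_at(pointer_label_bytes));
    return 0;
}
```

Both calls above return 42 because slot genuinely contains the address of add_one; the last line shows why storing instructions at the label instead of an address sends an indirect call to a meaningless location.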
GweiLi (Joined: 11 Oct 2018, Posts: 3)
Posted: Thu Oct 11, 2018 4:04 am

Thank you for your reply.

I don't know why he uses call dword ptr either, but the cheat does work, so I think call dword ptr has its purpose.

I'm trying to find the ret opcode, but I can't find it even with break and trace.

About "main.exe"+00F12AEC, I didn't see it change after I enabled my script, because without offset 5AC it will point to main.exe+71F9C8; after I enabled my script the comment always shows: ->main.exe+71F9C8
TheyCallMeTim13, Wiki Contributor (Joined: 24 Feb 2017, Posts: 619)
Posted: Thu Oct 11, 2018 6:26 am

sbryzl is right: you're not calling the code at "pointer", you're calling the address stored at "pointer", and you don't have an address stored there.

There is no return at the end of the code at "pointer", so the call/return is unbalanced and will most likely cause a crash; but since you never really call it, it won't matter until you actually do call it.

And you're using a lot of hardcoded addresses like they're static, but there don't seem to be any static addresses in the code you posted, and you even say that it changes at each startup, so this will cause some problems too.

sbryzl (Joined: 25 Jul 2016, Posts: 152)
Posted: Thu Oct 11, 2018 6:26 am

I think there is some injected code from the other cheat somewhere that you are missing. In the first picture, call dword ptr[a520000], a520000 is likely an injected memory location.

If you are just beginning to learn you should probably start with the tutorial under the help menu.
TheyCallMeTim13, Wiki Contributor (Joined: 24 Feb 2017, Posts: 619)
Posted: Thu Oct 11, 2018 6:32 am

^ I second that. The CE tutorial is a great place to start and has a lot to teach.
GweiLi (Joined: 11 Oct 2018, Posts: 3)
Posted: Thu Oct 11, 2018 7:40 am

Thank you for your replies, guys, I really appreciate it.

I have completed the tutorial, but I haven't tried different methods for each step, so I'm still lacking knowledge; I will try it again.

I understand there should be a ret after the call, so I'm trying to look for it.

About a520000: the Tracer wrote that it is a pointer, and the code in the located memory didn't really make sense, but I will take more time looking at it.