 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
John_Smith
How do I cheat?
![]() Reputation: 0
Joined: 30 Dec 2019
Posts: 3
|
 Posted: Thu Jan 02, 2020 12:55 am Post subject: CE 64 bit Step 6 Problems |
 |
|
Okay so this is related to a post here by someone else: (just realised I can't post links yet, but it's titled: CE 6.7 64-Bit Tutorial - STEP 6)
But for some reason I cannot post a reply, not sure if it's locked.
So pretty much as the previous poster stated: | Quote: | | I find my value and select "Find out what ACCESSES this address" |
and get four addresses.
So Dark Byte replied with this:
| Quote: | To have an easy time, just pick the writer instruction, but if you wish to understand what happens instead of blindly following a track, pick the read instruction:
Code:
Note the "more info" screen text that states that "registers shown are AFTER the instruction has been executed"
that means that EAX(RAX) has been overwritten by the value in [RAX]
all you know is that mov eax,[rax] accessed 1294d10
which is enough. As that means that the value between [] ended up at 1294d10
so that means that RAX used to have the value 1294d10
since you can rewrite mov eax,[rax] into mov eax,[rax+0000000000000000] that means the pointer had the VALUE 1294d10 and the used offset is 0
that's all you need for that pointer step. So do a 8 byte hexadecimal scan for 1294d10 and use that result with offset 0 and then continue on till a base pointer |
Sorry for all the quoting, but I don't understand Dark Byte's answer.
First Question:
When I pick the read instruction which is:
How do I know that it's a read instruction, is it from the "[rax]"?
Is having an "[rdx]" always a write instruction?
Second Question:
So from my research, mov eax,[rax] moves the value in memory location RAX to EAX, overwriting anything in EAX.
Dark Byte said: | Quote: | all you know is that mov eax,[rax] accessed 1294d10
which is enough. As that means that the value between [] ended up at 1294d10
so that means that RAX used to have the value 1294d10 |
But I'm confused, so "[rax]" means the value at memory address RAX.
So saying a read command with "registers shown AFTER command" accessed 1294d10 means that the final result was changing a value to 1294d10?
So putting that all together, the value at memory location RAX was moved to EAX, the final result was changing a value to 1294d10, so we know the value at memory location RAX that was the value moved is 1294d10?
Third Question:
How can we tell what is the offset?
If the command was mov eax,[rax+000000000000001D], would +1D be the offset in this case?
Fourth Question:
Why do we use an 8 byte scan for the memory location? Can we use a 4 byte scan instead? I looked at the tutorial video and it said because the target was 64 bits, so for 32 bits I can use 4 bytes?
Oooh, wait I think I'm starting to get it after two hours of research why the read instruction is so complicated, compared to the write instruction.
With the WRITE instruction once you've left clicked on it, that is, this one:
You can literally click "More information"> copy "the value of the pointer needed to find this address is probably" > search that with an 8-byte(because it's 64 bit) hexadecimal (because it's a memory address)
Simple.
However with the READ instruction:
You need to work out which memory address to search logically, with the stuff referred to in my second question, because it's replacing the "the value of the pointer needed to find this address is probably" with a new value, so you're left with the old estimated value, thus it is incorrect.
"the value of the pointer needed to find this address is probably" is only right on the write instruction.
Fifth Question:(sorry)
Final thing I was just having trouble with wrapping my head around the final part of this tutorial. So the three things we end up with after finishing this tutorial. The first is a variable health, the second is pointer to the variable health, the third is a pointer to the pointer of the variable health, which can always locate the variable health no matter how many times the game is restarted? (I think I'm wrong here)
Thank you for being patient with me, as I'm a beginner to assembly code and I spent somewhere over two hours puzzling over this task.
|
|
| Back to top |
|
 |
Dark Byte
Site Admin
 Reputation: 471
Joined: 09 May 2003
Posts: 25827
Location: The netherlands
|
| Posted: Thu Jan 02, 2020 6:35 am Post subject: |
|
|
1:
mov [address],reg = write instruction (goes from reg into [address])
mov reg,[address] = read instruction (goes from [address] into red
2:
mov eax,[rax] will read the address stored at [RAX] and write it in EAX, overwriting RAX
The debugger shows you the register values after the instruction has been executed, so RAX's contents are useless to you
But the debugger did pick up the read of address 1294d10 when doing mov eax,[rax], so that means that rax held the value 1294d10 at the time of execution (or nearby there due to overlap, but that chance is very small)
3: yes, the smallest value is the offset. (Can sometimes be small register values, if they are small enough like 0,1 or 2)
4: Pointers in 64-bit programs are 8 bytes long
5: Only a non-dynamic (green) memory address can be found again by using the modulename+offset notation, so only those kinds of addresses are suitable for pointerstarts
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
