aaax10 (Newbie cheater, Reputation: 0, Joined: 25 Feb 2020, Posts: 13)
Posted: Mon Mar 02, 2020 4:28 pm, Post subject: Varying offsets
I found a base address but I don't know how to find the offset that's in EDI; when scanning for it I get only a couple of unreliable addresses... I want to know how the game gets to this offset. I have "xor ebx,[ebp+edi*4+00]"; it seems to be a variable offset. How do I determine EDI? It changes without restarting the game. Any attempt to inject code crashes the game as well. Thank you
DanyDollaro (Master Cheater, Reputation: 3, Joined: 01 Aug 2019, Posts: 334)
Posted: Tue Mar 03, 2020 7:24 am
I think you are confusing some terms, but if you want to know what the value in the EDI register is, you can use the VEH debugger. If instead you want to create an anti-anti-code-injection, you can use a stealth edit (it consists of setting a breakpoint that changes the value of the EIP register so as to redirect the thread without changing the code), or you could see which code reads the code you are inspecting; but on that code you will probably find another code that verifies the integrity of the latter, and so on.
The following link shows a very useful tutorial on how to use stealth edit: https://www.youtube.com/watch?v=ajIIlNQ5nSU
aaax10 (Newbie cheater, Reputation: 0, Joined: 25 Feb 2020, Posts: 13)
Posted: Tue Mar 03, 2020 9:53 am
I need to predict the next offset it's going to use, because it changes offsets when I change rooms in the game. I would like to find a pointer if possible, since the game must always know where the value is. The idea of changing the code was only to log the current offset; I'm still going to try the stealth edit. Send me a PM if you would like to play with me. Thanks for the help
DanyDollaro (Master Cheater, Reputation: 3, Joined: 01 Aug 2019, Posts: 334)
Posted: Tue Mar 03, 2020 11:50 am
I don't understand what you want to do. Are you giving me a single line of assembly code and would you like to predict the value of EDI? It's certainly not something I can help you with if you don't give more information. And then, you want to get a pointer to what? What value do you want to get?
aaax10 (Newbie cheater, Reputation: 0, Joined: 25 Feb 2020, Posts: 13)
Posted: Tue Mar 03, 2020 12:10 pm
Okay, sorry, the player's angle is encrypted but that's not the issue. It's stored at 0255E2D0. Nothing writes to it. I want to read it from a C# program. If I scan for that in hex I get a couple of results, none of which gets updated later.
When I change rooms it gets stored in a different location, so when the room's created by my second account, it's stored at 0255E4F4. If I create the room myself again, it comes back to 0255E2D0. If I go to someone else's room, that address changes. When creating the room again, this is what has accessed 0255E2D0:
It gets updated as soon as the game starts. What's the next information you need? Thanks
Last edited by aaax10 on Mon Mar 09, 2020 7:10 am; edited 1 time in total
DanyDollaro (Master Cheater, Reputation: 3, Joined: 01 Aug 2019, Posts: 334)
Posted: Tue Mar 03, 2020 12:39 pm
So if I understand correctly, you want to get the address holding an "angle" value, but you can't use a code injection because the game is protected?
aaax10 (Newbie cheater, Reputation: 0, Joined: 25 Feb 2020, Posts: 13)
Posted: Tue Mar 03, 2020 12:43 pm
Yes.
DanyDollaro (Master Cheater, Reputation: 3, Joined: 01 Aug 2019, Posts: 334)
Posted: Wed Mar 04, 2020 8:19 am
If, through your C# program, you don't know how to set breakpoints and read the registers, and consequently you want to do it through a code injection, you must first disable the integrity check of the code. As I said before, just take any byte of the code on which you want to make the injection and attach a debugger (in read mode) to it, because there will be code that verifies that that code has not been changed.
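DanyDollaro's point above, that something in the game re-reads the code bytes to check they have not been changed, seen from the side of the code doing the checking. This is an added example, not code from the thread or from any game: `fnv1a64`, `region_seal`, `region_tampered` and `demo_detects_patch` are names chosen here, and the 16-byte region is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Baseline for one protected code range (assumed layout, not any real game's). */
typedef struct { const uint8_t *start; size_t len; uint64_t baseline; } code_region_t;

/* FNV-1a over a byte range: cheap enough to rerun periodically over a hot function. */
uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Record the hash of the pristine bytes once, before any hook could be written. */
void region_seal(code_region_t *r, const uint8_t *start, size_t len) {
    r->start = start;
    r->len = len;
    r->baseline = fnv1a64(start, len);
}

/* Returns 1 if any byte of the region differs from the sealed baseline, else 0. */
int region_tampered(const code_region_t *r) {
    return fnv1a64(r->start, r->len) != r->baseline;
}

/* Constructed stand-in for a code region: 33 5C BD 00 encodes the thread's
   "xor ebx,[ebp+edi*4+00]"; the NOPs and the final RET are filler. */
uint8_t g_code[16] = { 0x33, 0x5C, 0xBD, 0x00, 0x90, 0x90, 0x90, 0x90,
                       0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xC3 };

/* Seal the region, overwrite its first 5 bytes with a rel32 jmp (what a code-cave
   hook does), confirm the change is caught, restore, and confirm it is clean again. */
int demo_detects_patch(void) {
    code_region_t r;
    region_seal(&r, g_code, sizeof g_code);
    int clean_before = region_tampered(&r) == 0;
    uint8_t saved[5];
    memcpy(saved, g_code, sizeof saved);
    const uint8_t jmp_rel32[5] = { 0xE9, 0x00, 0x00, 0x00, 0x00 };
    memcpy(g_code, jmp_rel32, sizeof jmp_rel32);
    int caught = region_tampered(&r) == 1;
    memcpy(g_code, saved, sizeof saved);
    return clean_before && caught && region_tampered(&r) == 0;
}
```

A real checker would run this from a separate thread over its own code as well, which is why the thread suggests watching what reads the bytes before writing to them.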
aaax10 (Newbie cheater, Reputation: 0, Joined: 25 Feb 2020, Posts: 13)
Posted: Wed Mar 04, 2020 12:02 pm
I think it might be a shared instruction; the EDI register keeps changing, although sometimes it appears to have the desired value. How can I overcome this? I'm manually bypassing the integrity checks. The biggest problem is that it's still crashing the game when attaching the debugger to write to the EIP register (setting a breakpoint), even after disabling "override existing breakpoints when setting breakpoints". Is it not possible to find a pointer to the address? Also, is stealth edit not supported anymore? Thank you
i.ibb.co/nkVnSMP/Screenshot-81.png
DanyDollaro (Master Cheater, Reputation: 3, Joined: 01 Aug 2019, Posts: 334)
Posted: Wed Mar 04, 2020 4:21 pm
aaax10 wrote: "How can I overcome this?"
If you are referring to the fact that it is a shared instruction, you can find the solution to your problem in step number 9 of Cheat Engine (I refer to the tutorial).
aaax10 wrote: "still crashing the game when attaching the debugger"
The program may have anti-debugging protections; make sure you have selected "VEH debugger" in the settings and that you are using hardware breakpoints (if that doesn't work, then it will have more complex anti-debugging techniques to bypass).
aaax10 wrote: "Is it not possible to find a pointer to the address?"
You're referring to the value of a register, not to a memory location, so no.
aaax10 wrote: "Also is stealth edit not being supported anymore?"
I have never used plugins to perform a stealth edit; I have always done it manually. The video I linked to above explains how to do it.
aaax10 (Newbie cheater, Reputation: 0, Joined: 25 Feb 2020, Posts: 13)
Posted: Thu Mar 05, 2020 1:55 am
But even with only "myoffset=EDI" myoffset stays at 0. Tried "myoffset=readBytes(EDI,4)" as well.
Last edited by aaax10 on Mon Mar 09, 2020 7:10 am; edited 1 time in total
DanyDollaro (Master Cheater, Reputation: 3, Joined: 01 Aug 2019, Posts: 334)
Posted: Thu Mar 05, 2020 6:37 am
Oh, I'm sorry, but I don't know Lua, so I don't know how to help you.
aaax10 (Newbie cheater, Reputation: 0, Joined: 25 Feb 2020, Posts: 13)
Posted: Thu Mar 05, 2020 6:45 am
Isn't there a way to reproduce this with assembly? I want to mov [myoffset],edi only if ebp == 0x26b0048
Last edited by aaax10 on Mon Mar 09, 2020 7:11 am; edited 1 time in total
DanyDollaro (Master Cheater, Reputation: 3, Joined: 01 Aug 2019, Posts: 334)
Posted: Thu Mar 05, 2020 6:58 am
Code:
alloc(code,1024)
label(Assign_Off)
label(exit)
alloc(myoffset,4) // Alloc the variable
registersymbol(myoffset) // Make "myoffset" usable by name in the address list
code:
cmp EBP,26B0048 // Check the value in EBP
je Assign_Off // If it is equal to 26B0048, run the code at "Assign_Off"
jmp exit // In any other case, run the code at "exit"
Assign_Off:
mov [myoffset],EDI // Capture EDI only for the matching EBP
exit:
{jmp original_code}
Last edited by DanyDollaro on Thu Mar 05, 2020 10:14 am; edited 2 times in total
aaax10 (Newbie cheater, Reputation: 0, Joined: 25 Feb 2020, Posts: 13)
Posted: Thu Mar 05, 2020 8:38 am
It's always giving me a wrong value that nevertheless gets updated properly... I believe what we've done is the same.
Last edited by aaax10 on Mon Mar 09, 2020 7:11 am; edited 1 time in total