Cheat Engine The Official Site of Cheat Engine
zxar7 (Newbie cheater, Reputation: 0, Joined: 13 Jul 2014, Posts: 16)
Posted: Mon Mar 23, 2020 10:23 am
panraven wrote: | I see, so
1. cmp esi, 185F2CDC is the right code;
3. placing the condition check BEFORE the repe movsd should work anyway.
Try modifying it like this
Code:
newmem:
call comparison //// do the test subroutine before original code
code:
mov edi,ebx
repe movsd
mov eax,[esp+20]
jmp return ////// we make comparison before original code, so return to game code here
///// make it a subroutine now ///CONTINUE CAVE CODE
comparison:
cmp esi, 185F2CDC // if it doesn't work, change this line to: cmp esi, [185F2CDC]
jne @f ///// no match, jump to second test
cmp [counter], 0
je increase ///// match 1st condition
@@: ////// second test
cmp esi, 185F2CDC ///// test for second condition
je @f ///// @f is an unnamed label referring to the next label, which is the "@@" below; our intent is to 'ret' from the subroutine
cmp [counter], 1
je decrement ///// match second condition
@@:
ret ///// no match so ret (not return :)
increase:
mov [counter], 1
ret /////
decrement:
mov [counter], 0
ret /////
address:
jmp newmem
nop 3
return:
|
It's accessing the item's name address, but the counter is not increasing. And when I disable and enable the AA 3-4 times, the game crashes.
panraven (Grandmaster Cheater, Reputation: 55, Joined: 01 Oct 2008, Posts: 942)
Posted: Mon Mar 23, 2020 10:51 am
Let's forget the crash problem first.
Try making the following change; we might need to check if the code logic is right:
Code:
...
alloc(counter,16) ///// from alloc(counter,4) //////////////// CHANGED
counter: //////////////// CHANGED
dd 0 0 0 0 //// make sure our counters' init values are zero //////////////// CHANGED
...
comparison:
cmp esi, 185F2CDC // if it doesn't work, change this line to: cmp esi, [185F2CDC]
jne @f ///// no match, jump to second test
cmp [counter], 0
je increase ///// match 1st condition
@@: ////// second test
cmp esi, 185F2CDC ///// test for second condition
je @f ///// @f is an unnamed label referring to the next label, which is the "@@" below; our intent is to 'ret' from the subroutine
cmp [counter], 1
je decrement ///// match second condition
@@:
inc [counter+04] //// 'no match' reached count //////////////// CHANGED
ret
increase:
mov [counter], 1
inc [counter+08] //// 'inc' reached count //////////////// CHANGED
ret /////
decrement:
mov [counter], 0
inc [counter+0c] //// 'dec' reached count //////////////// CHANGED
ret /////
//// GAME CODE
address:
jmp newmem
nop 3
return:
Then run the game to see if [counter+4/8/c] has non-zero values.
_________________
- Retarded.
zxar7 (Newbie cheater)
Posted: Mon Mar 23, 2020 11:07 am
panraven wrote: |
...
Then run the game to see if [counter+4/8/c] has non-zero values. |
04 increases while 08 and 0c stay zero. Can you explain to me what you did?
PS. I changed the inc to mov [counter+04], 1 and it stays 0. What is the problem with mov?
Another PS. It still has some bugs, like when I quit the AA and enable it once more it still counts even though the item is not on the ground.
panraven (Grandmaster Cheater)
Posted: Mon Mar 23, 2020 11:32 am
counter+04/08/0c is to tell if the related code where it is placed has been reached. +04 being non-zero at least tells us the code is running.
If +04 is non-zero but 08/0c stay zero, it means the two conditions always check false, which might mean esi never equals 185F2CDC.
We might add more reached counters to see what happened.
Only [counter] is for your original code's purpose; [counter+xx] is for debug purposes, please keep it as suggested.
Try making the following change?
Code:
alloc(counter,32) ///// 32 bytes now
counter: //////////////// CHANGED
dd 0 0 0 0 0 0 0 0 //// make sure our counters' init values are zero //////////////// CHANGED
....
comparison:
cmp esi, 185F2CDC // if it doesn't work, change this line to: cmp esi, [185F2CDC]
jne @f ///// no match, jump to second test
inc [counter+1c] // how many time esi==185F2CDC? //////////////// CHANGED
cmp [counter], 0
je increase ///// match 1st condition
@@: ////// second test
mov [counter+10],esi /// what is esi if not 185F2CDC ? //////////////// CHANGED
cmp esi, 185F2CDC ///// test for second condition
je @f
...
Quote: |
...
Another PS. It still has some bugs, like when I quit the AA and enable it once more it still counts even though the item is not on the ground
...
|
One of the [+04/08/0c] will increase if your code cave is reached.
That [+08/0c] are not counting probably means the code logic is not right; hopefully we can check where it is wrong and fix it.
What is 185F2CDC actually, btw? The item's/location structure?
Can you see what has changed, if anything, near 185F2CDC when picking up, etc.?
_________________
- Retarded.
zxar7 (Newbie cheater)
Posted: Mon Mar 23, 2020 11:45 am
panraven wrote: |
...
|
The esi is the problem, but how can I fix it? Because when I checked the code of the game, when esi = xxxx then the item is on the floor, because esi = the address that contains part of the name of the item.
panraven (Grandmaster Cheater)
Posted: Mon Mar 23, 2020 12:01 pm
zxar7 wrote: |
...
The esi is the problem, but how can I fix it? Because when I checked the code of the game, when esi = xxxx then the item is on the floor, because esi = the address that contains part of the name of the item |
No change when the item is picked up?
Is it an actual loot item?
i.e. the item name at esi might mean the last item you selected in the inventory and tried to drop, or have any other meaning...
And what happens if two or more items are on the ground, if that is possible?
For the code, what is the result of the modified code ([counter+04/.../1c])?
ADDED:
Can you paste a picture of the generated assembler in the code cave, at least from
comparison: to the end of the code cave (should be the last 'ret')?
_________________
- Retarded.
zxar7 (Newbie cheater)
Posted: Mon Mar 23, 2020 12:59 pm
panraven wrote: |
...
|
Let me tell you how I came to the address. I found the address of the name of the item and then checked which address accesses it. I found that there is one address for all the items which accesses each item's name, and the only thing that changes between each item is the register esi, which contains the address of the name of the item. So I wanted to check when that address has esi equal to the address of the item's name, so that the item is on the ground.
PS. I discovered that after all the 'repe movsd' the ESI value changes.
Last edited by zxar7 on Mon Mar 23, 2020 6:37 pm; edited 1 time in total
panraven (Grandmaster Cheater)
Posted: Mon Mar 23, 2020 5:44 pm
WAIT!!!!
Could you try replacing all instances of 185F2CDC with 185F2CD8 (-4)?
It seems the debugging snapshot of registers is recorded after ONE copy of [ESI]->[EDI], i.e. EBX == EDI before repe movsd, but it has a +4 difference;
the same should hold for ESI, it would be -4 from 185F2CDC, so 185F2CD8 should be the right address.
If the previous inc [counter+04] is still in the code, it should at least be non-zero.
-------- previous content
ok, let me try to sum it up...
from this
Code:
01EB0000 - 8B FB - mov edi,ebx <<
01EB0002 - F3 A5 - repe movsd
01EB0004 - 8B 44 24 20 - mov eax,[esp+20]
EAX=0019E154
EBX=0019E600
ECX=00000112
EDX=012A381C
ESI=185F2CDC
EDI=0019E604
ESP=0019E144
EBP=181DE288
EIP=01EB0002
then let's look at what happened when the game code hook point was reached, when ESI == 185F2CDC
Code:
======================
copy ECX = 0x112 block (4 bytes per blocks???)
from [ESI=185F2CDC] to [EDI=19E604]
Stack:::
ESP 19E144
...
esp + 20 19E164 ??? 01EB0004 - mov eax,[esp+20]
...
EDI 19E604 : ESI : <some ptr> to item name???
... : <--copy-- :
esp +4x112 19Ea4c : :
You can see that EDI is part of the PC stack at that moment.
And EDI likely does not represent the actual item.
There are many possibilities; I would make up some fake scenario like:
1. ESI == 185F2CDC is controlled by an item/loot spawner;
2. the spawner fetches the item definition/template and places it in ESI;
3. then it wants to COPY this item data to the actual item container;
4. so it calls 1EB0000 ONE time at the event of spawning an item, moving the content at ESI to part of the stack at EDI;
5. then the content at EDI probably has to move to ANOTHER address, which might be the actual item container;
6. after the spawn, ESI == 185F2CDC is probably unrelated to the actual item;
7. 1EB0000 has been executed so many times (400x~5000x) that it is not likely part of the spawner code, but a more general-purpose one, like a structure copier.
It seems you need to dig deeper to achieve your goal.
_________________
- Retarded.
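The two debugging ideas in this thread, the reach counters at [counter+04/08/0c] and the "-4" correction for a register snapshot taken after one iteration of repe movsd, can be checked outside the game. The C program below is an added example, not code from either poster or from Cheat Engine: it simulates rep movsd on a constructed memory block, using the register values from the thread's snapshot as plain integers, and renders the posted `comparison` subroutine as a C function so the reach counters can be watched for both candidate target addresses. The sequence of esi values the hook observes is constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample memory: the block esi points at and the stack area edi
   points at, with the thread's base addresses used as plain integers.
   Nothing here touches real process memory. */
#define SRC_BASE 0x185F2CD8u   /* esi at the hook, before the copy runs */
#define DST_BASE 0x0019E600u   /* ebx, copied into edi at the hook */
#define DWORDS   0x112u        /* ecx at the hook */

typedef struct { uint32_t esi, edi, ecx; } Regs;

/* rep movsd with DF clear: one dword per iteration, esi/edi += 4, ecx -= 1.
   `steps` caps the iteration count so the copy can be stopped mid-way. */
static void rep_movsd(Regs *r, const uint32_t *src, uint32_t *dst, uint32_t steps)
{
    while (r->ecx != 0 && steps != 0) {
        dst[(r->edi - DST_BASE) / 4] = src[(r->esi - SRC_BASE) / 4];
        r->esi += 4;
        r->edi += 4;
        r->ecx -= 1;
        steps -= 1;
    }
}

/* Runs the hook-point copy for `steps` iterations on constructed memory and
   returns the registers, i.e. what a debugger snapshot taken at that moment
   would show.  Pass UINT32_MAX to run the whole copy. */
static Regs simulate_copy(uint32_t steps)
{
    static uint32_t src[DWORDS], dst[DWORDS];
    for (uint32_t i = 0; i < DWORDS; i++) { src[i] = 0x41414141u + i; dst[i] = 0; }
    Regs r = { SRC_BASE, DST_BASE, DWORDS };
    rep_movsd(&r, src, dst, steps);
    return r;
}

/* Undo the snapshot offset: a value captured after `copied` iterations is
   4*copied past the esi the hook actually sees (0x185F2CDC -> 0x185F2CD8). */
static uint32_t esi_at_hook(uint32_t esi_seen, uint32_t copied)
{
    return esi_seen - 4u * copied;
}

/* Layout of the 32-byte `counter` block (index = byte offset / 4):
   [counter]    state flag the script actually uses (0/1)
   [counter+04] reach count, no-match path     [counter+08] 'increase' path
   [counter+0c] reach count, 'decrement' path  [counter+10] last esi on a miss
   [counter+1c] how many times esi == target */
enum { C_STATE = 0, C_NOMATCH = 1, C_INC = 2, C_DEC = 3, C_LAST_ESI = 4, C_HITS = 7 };

/* C rendering of the posted `comparison` subroutine, control flow kept as posted. */
static void comparison(uint32_t counter[8], uint32_t esi, uint32_t target)
{
    if (esi == target) {                  /* first test: cmp esi,target / jne @f */
        counter[C_HITS]++;                /* inc [counter+1c] */
        if (counter[C_STATE] == 0) {      /* cmp [counter],0 / je increase */
            counter[C_STATE] = 1;
            counter[C_INC]++;             /* inc [counter+08] */
            return;
        }
    }
    counter[C_LAST_ESI] = esi;            /* @@: mov [counter+10],esi */
    if (esi != target) {                  /* je @f skips this block when equal */
        if (counter[C_STATE] == 1) {      /* cmp [counter],1 / je decrement */
            counter[C_STATE] = 0;
            counter[C_DEC]++;             /* inc [counter+0c] */
            return;
        }
    }
    counter[C_NOMATCH]++;                 /* @@: inc [counter+04] */
}

/* Constructed sequence of esi values the hook might observe: the item block
   alternating with some unrelated structure copied by the same routine. */
#define SAMPLE_LEN 4
static const uint32_t sample_esi[SAMPLE_LEN] = { SRC_BASE, 0x00ABCDEFu, SRC_BASE, 0x00ABCDEFu };

static void run_hook(uint32_t counter[8], uint32_t target, const uint32_t *esi_seq, size_t n)
{
    for (size_t i = 0; i < n; i++) comparison(counter, esi_seq[i], target);
}

int main(void)
{
    Regs snap = simulate_copy(1);
    printf("after one dword: esi=%08X edi=%08X ecx=%03X\n",
           (unsigned)snap.esi, (unsigned)snap.edi, (unsigned)snap.ecx);
    printf("esi at hook entry: %08X\n", (unsigned)esi_at_hook(snap.esi, 1));

    uint32_t wrong[8] = {0}, right[8] = {0};
    run_hook(wrong, 0x185F2CDCu, sample_esi, SAMPLE_LEN);  /* snapshot value */
    run_hook(right, SRC_BASE,    sample_esi, SAMPLE_LEN);  /* snapshot value minus 4 */
    printf("target 185F2CDC: +04=%u +08=%u +0c=%u +1c=%u\n", (unsigned)wrong[C_NOMATCH],
           (unsigned)wrong[C_INC], (unsigned)wrong[C_DEC], (unsigned)wrong[C_HITS]);
    printf("target 185F2CD8: +04=%u +08=%u +0c=%u +1c=%u\n", (unsigned)right[C_NOMATCH],
           (unsigned)right[C_INC], (unsigned)right[C_DEC], (unsigned)right[C_HITS]);
    return 0;
}
```

Compile with any C99 compiler and run. With the snapshot value 185F2CDC as target only +04 counts, which is what zxar7 observed; with 185F2CD8 the state flag toggles 0/1 across the sample sequence and +08/+0c both count. The simulation also shows why the snapshot is off by exactly one dword: a single iteration of rep movsd advances esi and edi by 4 and decrements ecx by 1.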
zxar7 (Newbie cheater)
Posted: Mon Mar 23, 2020 6:45 pm
panraven wrote: |
...
|
It works when I subtract 4 from the address. And now I understand that increasing is the only way, because changing from 0 to 1 each time will give 0 1 0 1, since the same function runs for every item.
Thanks so much, you helped a lot.
By the way, when I open my main inventory the game crashes (I have 7 inventories), but the others don't make the game crash.
How can I debug it?