Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
Adding Counter to Memory
zxar7

Posted: Mon Mar 23, 2020 10:23 am

panraven wrote:
I see, so

1. cmp esi, 185F2CDC is the right code;
3. placing the condition check BEFORE the repe movsd should work anyway.

Try modifying it like this
Code:

newmem:
  call  comparison   //// do the test subroutine before original code
code:

  mov edi,ebx
  repe movsd
  mov eax,[esp+20]

  jmp return    ////// we make comparison before original code, so return game code here


///// make it a subroutine now      ///CONTINUE CAVE CODE
comparison:
  cmp esi, 185F2CDC // if this doesn't work, change this line to: cmp esi, [185F2CDC]
  jne @f              ///// no match, jump to second test
  cmp [counter], 0
  je increase         ///// match 1st condition
@@:   ////// second test
  cmp esi, 185F2CDC   ///// test for second condition
  je  @f          ///// @f is an unnamed label that refers to the next label, which is the "@@" below; our intent is to 'ret' from the subroutine
  cmp [counter], 1
  je  decrement       ///// match second condition
@@:
  ret          ///// no match so ret (not return :)

increase:
  mov [counter], 1
  ret          /////

decrement:
  mov [counter], 0
  ret          /////




address:
  jmp newmem
  nop 3   

return:


It's accessing the item's name address but the counter is not increasing, and when I disable and enable the AA 3-4 times the game crashes.
panraven

Posted: Mon Mar 23, 2020 10:51 am

Let's forget the crash problem first.

Try making the following change; we might need to check whether the code logic is right:
Code:

...

alloc(counter,16)    ///// from alloc(counter,4)       //////////////// CHANGED

counter:                     //////////////// CHANGED
dd 0 0 0 0   ////  make sure our counters init values are zero //////////////// CHANGED

...

comparison:
  cmp esi, 185F2CDC // if this doesn't work, change this line to: cmp esi, [185F2CDC]
  jne @f              ///// no match, jump to second test
  cmp [counter], 0
  je increase         ///// match 1st condition
@@:   ////// second test
  cmp esi, 185F2CDC   ///// test for second condition
  je  @f          ///// @f is an unnamed label that refers to the next label, which is the "@@" below; our intent is to 'ret' from the subroutine
  cmp [counter], 1
  je  decrement       ///// match second condition
@@:
  inc   [counter+04] //// 'no match' reached count     //////////////// CHANGED
  ret

increase:
  mov [counter], 1
  inc   [counter+08] //// 'inc' reached count        //////////////// CHANGED

  ret          /////

decrement:
  mov [counter], 0
  inc   [counter+0c] //// 'dec' reached count        //////////////// CHANGED
  ret          /////



//// GAME CODE
address:
  jmp newmem
  nop 3   

return:


Then run the game to see if [counter+4/8/c] has non-zero values.

_________________
- Retarded.
zxar7

Posted: Mon Mar 23, 2020 11:07 am

panraven wrote:
...


04 increases while 08 and 0c stay zero. Can you explain to me what you did?

PS. I changed the inc to mov [counter+04], 1 and it stays 0. What is the problem with mov?

Another PS. It still has some bugs, like when I quit the AA and enable it once more it still counts even though the item is not on the ground.
panraven

Posted: Mon Mar 23, 2020 11:32 am

counter+04/08/0c is there to tell whether the related code where it is placed has been reached. +04 being non-zero at least tells us the code is running.


If +04 is non-zero but 08/0c stay zero, it means the two conditions always check false, which might mean esi never equals 185F2CDC.

We might add more reached counters to see what happened.

Only [counter] is for your original code's purpose; [counter+xx] is for debug purposes, please keep it as suggested.

Try making the following change?
Code:

alloc(counter,32)    ///// 32 bytes now

counter:                     //////////////// CHANGED
dd 0 0 0 0 0 0 0 0  ////  make sure our counters init values are zero //////////////// CHANGED
....
comparison:
  cmp esi, 185F2CDC // if this doesn't work, change this line to: cmp esi, [185F2CDC]
  jne @f              ///// no match, jump to second test
  inc  [counter+1c]  //   how many times esi==185F2CDC? //////////////// CHANGED
  cmp [counter], 0
  je increase         ///// match 1st condition
@@:   ////// second test
  mov  [counter+10],esi    /// what is esi if not 185F2CDC ?  //////////////// CHANGED 
  cmp esi, 185F2CDC   ///// test for second condition
  je  @f     
...


Quote:

...
Another PS. It still has some bugs, like when I quit the AA and enable it once more it still counts even though the item is not on the ground.
...


One of the [+04/08/0c] will increase if your code cave is reached.

That [+08/0c] are not counting probably means the code logic is not right; hopefully we can check where it is wrong and fix it.
What is 185F2CDC actually, btw? The item's/location structure?
Can you see what has changed, if anything, near 185F2CDC when picking up etc.?

_________________
- Retarded.
zxar7

Posted: Mon Mar 23, 2020 11:45 am

panraven wrote:
...


The esi is the problem, but how can I fix it? Because when I checked the game's code, when esi = xxxx then the item is on the floor, because esi = the address that contains part of the name of the item.
panraven

Posted: Mon Mar 23, 2020 12:01 pm

zxar7 wrote:

...

The esi is the problem, but how can I fix it? Because when I checked the game's code, when esi = xxxx then the item is on the floor, because esi = the address that contains part of the name of the item.


No change when the item is picked up?
Is it actual loot?
i.e. the item name at esi might mean the last item you selected in inventory and tried to drop, or have any other meaning...
And what happens if two or more items, if possible, are on the ground?

For the code, what is the result of the modified code ([counter+04/.../1c])?

ADDED:
Can you paste a picture of the generated assembler in the code cave, at least from
comparison: to the end of the code cave (should be the last 'ret').

_________________
- Retarded.
zxar7

Posted: Mon Mar 23, 2020 12:59 pm

panraven wrote:
...


I'll let you know how I came to the address. I found the address of the item's name and then checked which address accesses it. I found that there is one address for all the items that accesses each item's name, and the only thing that changes between each item is the register esi, which contains the address of the item's name. So I wanted to check when that address has esi holding the address of the item's name, meaning the item is on the ground.

PS. I discovered that after every 'repe movsd' the ESI value changes


Last edited by zxar7 on Mon Mar 23, 2020 6:37 pm; edited 1 time in total
panraven

Posted: Mon Mar 23, 2020 5:44 pm

WAIT!!!!

Could you try replacing all instances of 185F2CDC with 185F2CD8 (-4)?

It seems the debugging snapshot of registers was recorded after ONE copy of [ESI]->[EDI], i.e. EBX == EDI before repe movsd, but there is a +4 difference;
the same should hold for ESI: it should be -4 from 185F2CDC, so 185F2CD8 should be the right address.
If the previous inc [counter+04] is still in the code, it should at least be non-zero.


-------- previous content
OK, let me try to sum it up...

from this
Code:

01EB0000 - 8B FB  - mov edi,ebx <<
01EB0002 - F3 A5 - repe movsd
01EB0004 - 8B 44 24 20  - mov eax,[esp+20]

EAX=0019E154
EBX=0019E600
ECX=00000112
EDX=012A381C
ESI=185F2CDC
EDI=0019E604
ESP=0019E144
EBP=181DE288
EIP=01EB0002


then let's look at what happened when the game code hook point was reached, when ESI == 185F2CDC
Code:

======================
copy ECX = 0x112 block (4 bytes per blocks???)
from [ESI=185F2CDC] to [EDI=19E604]

Stack:::
ESP        19E144
           ...
esp +  20  19E164         ??? 01EB0004 - mov eax,[esp+20]
           ... 
EDI        19E604 :       ESI : <some ptr> to item name???
           ...    : <--copy-- :
esp +4x112 19Ea4c :           :


You can see that EDI is part of the PC stack at that moment.
And EDI likely does not represent the actual item.
There are many possibilities; I would make up some fake scenario like:

1. ESI == 185F2CDC is controlled by an item/loot spawner;
2. the spawner fetches the item definition/template and places it in ESI;
3. then it wants to COPY this item data to the actual item container;
4. so it calls 1EB0000 ONE time at the event of spawning the item, moving the content at ESI to part of the stack at EDI;
5. then the content at EDI probably has to move to ANOTHER address, which might be the actual item container;
6. after the spawn, the ESI == 185F2CDC is probably unrelated to the actual item;
7. 1EB0000 has been executed so many times (400x~5000x) that it is not likely part of the spawner code, but a more general-purpose one, like a structure copier.

It seems you need to dig deeper to achieve your goal.

_________________
- Retarded.
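As an added example, not code from this thread or from Cheat Engine, the following C program models the two debugging ideas in panraven's posts above: the "reached counter" block ([counter+04/08/0c/10/1c]) from the 11:32 am post, and the reasoning in the WAIT post that a register snapshot recorded after ONE iteration of rep movsd shows ESI and EDI advanced by 4, so the value the hook sees at entry is 185F2CD8 rather than 185F2CDC. The comparison subroutine is transcribed branch for branch from the auto-assembler version in the thread; the register values are the ones quoted in the thread, while the sequence of ESI values fed to the hook is constructed for the example, not captured from the game.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Register state around the hooked instruction pair
   01EB0000  mov edi,ebx
   01EB0002  rep movsd            (values taken from the thread's snapshot) */
typedef struct { uint32_t ebx, esi, edi, ecx, eip; } Regs;

/* Model of REP MOVSD with DF=0: each iteration copies one dword and moves
   ESI/EDI forward by 4, decrements ECX, and leaves EIP on the instruction
   itself. A debugger snapshot taken mid-loop therefore shows advanced
   pointers while EIP still reads 01EB0002. */
static Regs rep_movsd_after(Regs r, unsigned iterations) {
    while (iterations-- > 0 && r.ecx != 0) {
        r.esi += 4;
        r.edi += 4;
        r.ecx -= 1;
    }
    return r;
}

/* Recover the ESI value the hook sees at entry from a mid-loop snapshot:
   EDI started equal to EBX (mov edi,ebx), so (EDI - EBX) / 4 is the number
   of dwords already copied, and ESI moved by the same amount. */
static uint32_t entry_esi_from_snapshot(uint32_t esi_snap, uint32_t edi_snap, uint32_t ebx) {
    uint32_t done = (edi_snap - ebx) / 4;
    return esi_snap - 4 * done;
}

/* The 32-byte "counter" block from the thread, one dword per slot:
   [+00] on/off flag, [+04] 'no match' path reached, [+08] increase reached,
   [+0c] decrement reached, [+10] last ESI stored at the second test,
   [+1c] number of times ESI equalled the expected value. */
enum { FLAG = 0, NOMATCH = 1, INC = 2, DEC = 3, LAST_ESI = 4, MATCHED = 7 };
typedef struct { uint32_t d[8]; } Counters;

/* C transcription of the 'comparison' subroutine, branch for branch. */
static void comparison(Counters *k, uint32_t esi, uint32_t expected) {
    if (esi == expected) {                    /* cmp esi,expected / jne @f */
        k->d[MATCHED]++;                      /* inc [counter+1c] */
        if (k->d[FLAG] == 0) {                /* cmp [counter],0 / je increase */
            k->d[FLAG] = 1;                   /* increase: mov [counter],1 */
            k->d[INC]++;                      /*           inc [counter+08] */
            return;                           /*           ret */
        }
    }
    k->d[LAST_ESI] = esi;                     /* @@: mov [counter+10],esi */
    if (esi != expected && k->d[FLAG] == 1) { /* je @f not taken; cmp [counter],1 / je decrement */
        k->d[FLAG] = 0;                       /* decrement: mov [counter],0 */
        k->d[DEC]++;                          /*            inc [counter+0c] */
        return;                               /*            ret */
    }
    k->d[NOMATCH]++;                          /* @@: inc [counter+04] / ret */
}

/* Run the hook over a sequence of entry-time ESI values and return the block. */
static Counters run_hook(uint32_t expected, const uint32_t *esi_seq, size_t n) {
    Counters k = {{0}};                       /* dd 0 0 0 0 0 0 0 0 */
    for (size_t i = 0; i < n; i++) comparison(&k, esi_seq[i], expected);
    return k;
}

/* Constructed sequence of ESI values at hook entry (not captured from the game):
   the shared copier is called for several unrelated structures, and for the
   item-name structure it enters with ESI = 185F2CD8, one dword before the
   value shown in the mid-loop snapshot. */
static const uint32_t SAMPLE_ESI[] = { 0x12340000, 0x185F2CD8, 0x185F2CD8, 0x00AB0000, 0x185F2CD8 };
#define SAMPLE_LEN (sizeof SAMPLE_ESI / sizeof SAMPLE_ESI[0])

int main(void) {
    Regs start = { 0x0019E600, 0x185F2CD8, 0x0019E600, 0x112, 0x01EB0002 };
    Regs snap = rep_movsd_after(start, 1);
    printf("snapshot after 1 iteration: ESI=%08X EDI=%08X EIP=%08X\n", snap.esi, snap.edi, snap.eip);
    printf("entry ESI recovered from snapshot: %08X\n",
           entry_esi_from_snapshot(snap.esi, snap.edi, snap.ebx));

    Counters wrong = run_hook(0x185F2CDC, SAMPLE_ESI, SAMPLE_LEN);
    Counters right = run_hook(0x185F2CD8, SAMPLE_ESI, SAMPLE_LEN);
    printf("compare 185F2CDC: +04=%u +08=%u +0c=%u +1c=%u flag=%u\n",
           wrong.d[NOMATCH], wrong.d[INC], wrong.d[DEC], wrong.d[MATCHED], wrong.d[FLAG]);
    printf("compare 185F2CD8: +04=%u +08=%u +0c=%u +1c=%u flag=%u\n",
           right.d[NOMATCH], right.d[INC], right.d[DEC], right.d[MATCHED], right.d[FLAG]);
    return 0;
}
```

With the wrong compare value every call takes the 'no match' path, so +04 climbs while +08, +0c and +1c stay zero, which is exactly the symptom reported in the thread; with 185F2CD8 the flag toggles 0, 1, 0, 1 as matching and non-matching callers alternate, which is the behaviour zxar7 describes once the fix is in. Build with `cc -std=c99 -Wall` and run.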
zxar7

Posted: Mon Mar 23, 2020 6:45 pm

panraven wrote:
...



It works when I subtract 4 from the address. And now I understand that increasing is the only way, because changing from 0 to 1 each time it changes will go 0 1 0 1, since the same function is used for every item :)

Thanks so much, you helped a lot.

By the way, when I open my main inv the game crashes (I have 7 inv), but the others don't make the game crash.
How can I debug it?
All times are GMT - 6 Hours
Page 2 of 2