Cheat Engine

stomperz · Posted: Wed Oct 13, 2004 11:20 pm Post subject: Codecaves

Dark Byte any chance of implementing a codecave search tool?

The Allocate memory only seems to work on certain games,
and the Search memory is not practical for codecaving.

All the old codecave tools don't work on the newer games.

me · Posted: Thu Oct 14, 2004 2:35 pm Post subject: sheep

have you used sas V1.3
off
www.sheeprec.cjb.net

might have tips on his site for code caving newer games,
have to have another peek there myself,,

stomperz · Posted: Thu Oct 14, 2004 5:43 pm Post subject: Re: sheep

stomperz · Posted: Sat Oct 16, 2004 6:34 pm Post subject: code cave

Auto Assemble works great DB but

i'm having a problem with the following code, is you see anything wrong
please let me know. (the code seems valid and if the addresses are not being used or scanned buy process or protection )

001A52FA8: code cave
mov eax,[esp+04] restore original code (would this be pointer to my bonus
mov [009d9a0c],eax restore original code (wright bonus amount)
mov [001a52fe8],esp store esp for later read (far enough away)
ret

460ec1: jmp to code cave
call 001A52FA8
nop balance out code
nop
nop
nop

it looks like they are using ESP as a general register and is used to move stack variables into EAX
but my mov [1a52fe8], esp - crashes the game

i hexedit the exe file with a nop to the whole sub with no problem, but whenever i fool with the ESP...... boom

btw - a good tool to learn assembler http://emu8086.com/
only 8086 but it lets you follow your little code snippets in real time

Dark Byte · Posted: Sat Oct 16, 2004 6:46 pm Post subject:

The call instruction you put in decreases the ESP register with 4 (it stores the call address on the stack and sets the stack pointer to the next available spot)
you need to replace the call with a jmp and instead of a ret put in a jump to the nop (or the instruction after it)

thats why my automatic code injector uses jmp's

Also, this is a standard call mechanism. the function gets called and then looks up the variables it got by using esp+xxx and when it jumps back to the caller there's usually a ret xxxx where xxxx is the number of bytes all parameters had. It's no use to save the value of esp because that can change each time. (especially if the game has a memory leak)
But you can save the parameters of the function by saving [esp+4], [esp+8] etc.. (wich you are doing when you save eax)

stomperz · Posted: Sun Oct 17, 2004 5:44 pm Post subject:

it seems your right about the CALL changing the ESP register. Shocked

funny.. i always CALL in my codecaves because of the JMP taking more bytes
i was trying to capture the ESP (+ 4) thinking it was the pointer to the EAX

Then I woke up!!

wrong it just stores the variable

Code Snippet:

00460e10 - c3 - ret
00460e11 - 8b 44 24 04 - mov eax,[esp+04]
00460e15 - a3 88 99 9d 00 - mov [009d9988],eax =LVL
00460e1a - c3 - ret
00460e1b - 8b 44 24 04 - mov eax,[esp+04]
00460e1f - a3 90 99 9d 00 - mov [009d9990],eax =STR
00460e24 - c3 - ret
00460e25 - 8b 44 24 04 - mov eax,[esp+04]
00460e29 - a3 9c 99 9d 00 - mov [009d999c],eax=Bonus
00460e2e - c3 - ret
00460e2f - 8b 44 24 04 - mov eax,[esp+04]
00460e33 - a3 a8 99 9d 00 - mov [009d99a8],eax=ToHit
00460e38 - c3 - ret

any idea on how to trace this back or what to look for?

Oh well back to IDA Pro

Dark Byte · Posted: Mon Oct 18, 2004 6:09 am Post subject:

If it'm reading the code correctly [esp] contains the address of the function that called that subroutine.

stomperz · Posted: Mon Oct 18, 2004 8:59 am Post subject:

Dark Byte · Posted: Mon Oct 18, 2004 9:18 am Post subject:

.text:004369D3 push esi //this decreases esp with 4 and put on [esp] the value of esi
.text:004369D4 call bonus_write //this decreases esp with 4 and puts on [esp] the value 004369d9

so at 00460ec1 the stack will hold:
[esp]=004369d9
[esp+4]=value of esi

it then loads the value at [esp+4] on eax
and puts that on the static address 9d9a0c

it then does a ret. this means it jumps to the address at [esp] and increases esp with 4

so at 004369d9 [esp] holds the value of esi
then nullsub_2 gets called (wich could change esi or not)
after that it takes of the values it pushed on the stack (004369c6,004369d3,004369d9) and gives a ret instruction

so, if the values pished didn't get changed in the routines it called:
ecx will hold 16h
ecx will hold the value of esi
esi will hold the value of he esi it started out with

wh1t3y · Posted: Tue Oct 19, 2004 12:43 pm Post subject:

i don't know what the crap you guys are talking about.. but i just wanted to say thanks stomperz for the link to that assembly tutor program.. good stuff Smile

stomperz · Posted: Tue Oct 19, 2004 5:59 pm Post subject:

Dark Byte · Posted: Tue Oct 19, 2004 6:25 pm Post subject:

You know, you can allocate memory with cheat engine
in that memory write your assembler code
then set a breakpoint at the start of your code
and create a thread at that address. you can then step through your code. (even modify it a little while stepping through)

stomperz · Posted: Tue Oct 19, 2004 6:52 pm Post subject:

Dark Byte · Posted: Tue Oct 19, 2004 6:58 pm Post subject:

I was talking about experimenting with assembler. you can use any process for that (even cheat engine's own)

you can create a thread using extra->create thread.

stomperz · Posted: Tue Oct 19, 2004 7:59 pm Post subject:

DB ... i think i may give the impression that i know what I'm talking about Laughing

I Don't
i get it after i read it 20 or 30 times though Wink

i read your CE hlp file from front to back and i have the basics of how to use you program, but my skills need a lot more polishing
i try google and other sites before asking but sometimes i get stuck

can you give me a example of code that could be used and how i would implement it?