Cheat Engine

hcavolsdsadgadsg · Posted: Tue Mar 23, 2010 1:48 am Post subject: What's going on here? ASM

Someone help me here because I'm retarded I think.

I'm messing with a Java game, memory changes constantly and nothing is the same any time it starts up. To deal with this, I do sig scanning.

I found the instructions / function that handles the player movement. Well, actually it ended up being the function that handles the physics for absolutely everything, be it a particle effect or a monster.

One instruction looks something like: movss [ecx+10],xmm3. I figured I could just extract the pointer from ecx+10, but it's changing hundreds of times a second easily, making it difficult to ever really find the player in an automated way, which I'd like to be able to do.

If I use 'find what addresses this instruction accesses', the list will be flooded in seconds, it'll just keep going seemingly forever. Thousands upon thousands. I'd like to deal with this without user input in my program, but I can't think of a way at all.

I guess I'd have to outrun the actual program... which easily runs at hundreds of frames per second since it's graphically somewhat simple... so I guess if I could manage to update my stuff and then do some checks to make sure it's the player a massive amount times a second it would work, but that sounds kind of whacky / overkill.

edit:
Without any checking to try and see if what it's pointing at is really the player, I can actually move every single entity in the game. If I just let it run rampant it definitely works. I can move everything up/down. Sleep() can't be used here so I guess I'll have to limit it's speed myself, but is there a way to get such a frequency and not absolutely saturate whatever core it's running on?

This sounds like such a dumb, brute force way

Dark Byte · Posted: Tue Mar 23, 2010 2:26 am Post subject:

that's the thing with physics engines, every single thing is controlled by the same code (and add to that that it's java, which in some cases even uses the same code to increases values by 1)

Isn't there a way to inspect the structure it points to and determine if it's the player ? (e.g a specific value somewhere?)

Also, it's only overkill if it slows down on your computer

hcavolsdsadgadsg · Posted: Tue Mar 23, 2010 2:53 am Post subject:

I only have some of the structure for whatever entity it's pointing to figured figured out... I think it's something like { z, x, y, horizontal angle of where it's looking, vertical angle of where it's looking, ... } and some other things that I haven't figured out what they do yet. (velocity? maybe, but not sure) I'll have to look more into it later.

But I'm not sure yet there's a way to actually tell what the object is outside of making educated guesses... like the highest point of the level is 64.0f, so if anything is that high, chances are it's the player. But... this would pretty much require the player to do something so I'd have a value I could count on appearing.

hcavolsdsadgadsg · Posted: Tue Mar 23, 2010 8:01 pm Post subject:

Wow, it looks like EAX is the counter.

if EAX is 1, then it seems to be pointing to the player... it doesn't necessarily go 1 2 3 4 5... it can jump around so I assume that's just it updated the physics on a "needs to be updated" basis.

Don't know how I could have missed that.

Now I allocate some memory, replace the instruction jump there (like CE does) and do something like

cmp eax, 1... if yes
push eax
lea eax, [ecx + 10]
mov eax, [allocated memory + 20]
pop eax

now I can just read the correct pointer from the space I allocated at any time. Maybe a strange way of doing it but it seems to work.