Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
finding basepointer in drakensang2

Lötlampe
How do I cheat?
Reputation: 0

Joined: 30 May 2010
Posts: 2

Posted: Sun May 30, 2010 2:16 pm    Post subject: finding basepointer in drakensang2

Hi folks!

First of all, I have to admit that I am generally new to pointer searching, since I never felt the need for it anyway.

For Drakensang, however, I'd like such a gimmick as freezing stamina/mana for the players without searching for them every time I start the game. Hence I did the pointer tutorials from CE, which seemed ... well ... actually quite easy, and tried to find what points to the player's attributes, but I got stuck.

edit: I am sorry that I had to cripple the image URLs, but since this is my first posting I am not allowed to do it properly...

Here's what I've done:

1. upgraded to CE 5.6

2. searched for the actual value (it's exp here, not mana, but with exp I have exactly the same problem)

(the value 10 was searched for, then changed ingame to 3, added, then changed in CE to 30000 and reduced ingame a few times, so that explains the differences in the plain value)

3. then right-clicked on the value, clicked "find out what writes to this address", attached the debugger, went back to the game, changed the value, and the debugger found the corresponding opcode:

which contained:

I must admit here that I am lacking the proper x86 assembler knowledge to fully understand the meaning of the base pointer register, but what made me curious is that, unlike in the tutorials, there is no adding to the address-containing register in the opcode itself (nothing like MOV [edx+something], value); instead there is ebp-04, which actually results in the address for exp.
Anyway, I continued with what CE suggested, namely the address 21F4F830, and did a hex search for this address and got some results:


Aaalright, methinks, next step

4. I chose the first one of them and added the pointer:

then right-clicked the pointer (!), chose "find out what accesses this address", and then "find out what is accessing this pointer" (the pointer itself).

5. Now here comes the funky part! I switched back into the game, opened the character panel and decreased the exp again; when I switched back to CE I saw this:

this is when I began writing this posting here.

6. I switched back to Drakensang and just moved my character around a bit (nothing that affects the exp), switched back to CE and now saw this! (and this is what makes me REALLY curious):

all pointers that first pointed to my exp are now pointing to the first of them, which itself points to ... itself????

Is that some kind of memory protection I ran into? Have I not understood something?
Is there any information missing to reproduce or understand what's going on?

I'd really like some help on this.

Thanks in advance,

lötlampe
Lötlampe
How do I cheat?
Reputation: 0

Joined: 30 May 2010
Posts: 2

Posted: Wed Jun 02, 2010 7:59 pm    Post subject: what i found out so far

Hi, it's me again; I wanted to post an update to my "research" about Drakensang.

I played around with the pointer scanner but had no luck so far, so I took a deeper look at the disassembly to find out what was going on. I already found the piece of code that was altering the memory address accordingly, and the full function that is called is this:
Code:

0143C590 - 55                         - push ebp
0143C591 - 8b ec                      - mov ebp,esp
0143C593 - 83 ec 14                   - sub esp,14
0143C596 - 89 4d ec                   - mov [ebp-14],ecx
0143C599 - 8b 45 08                   - mov eax,[ebp+08]
0143C59C - 50                         - push eax
0143C59D - 8b 4d ec                   - mov ecx,[ebp-14]
0143C5A0 - 83 c1 08                   - add ecx,08
0143C5A3 - e8 48 5c ff fe             - call 004321f0
0143C5A8 - eb 13                      - jmp 0143c5bd
0143C5AA - cc                         - int 3
[...]
0143C5BC - cc                         - int 3
0143C5BD - 89 45 f4                   - mov [ebp-0c],eax
0143C5C0 - 8b 4d f4                   - mov ecx,[ebp-0c]
0143C5C3 - 83 39 00                   - cmp dword ptr [ecx],00
0143C5C6 - 75 25                      - jne 0143c5ed
0143C5C8 - 68 fd 00 00 00             - push 000000fd
0143C5CD - 90                         - nop
0143C5CE - 68 20 a7 ef 00             - push 00efa720 : ["c:\radonlabs\code\mangalore\attr/attrid.h"]
0143C5D3 - 68 54 b1 ef 00             - push 00efb154 : ["0 != this->defPtr"]
0143C5D8 - e8 c3 92 fc fe             - call 004058a0
0143C5DD - eb 0b                      - jmp 0143c5ea
0143C5DF - cc                         - int 3
[...]
0143C5E9 - cc                         - int 3
0143C5EA - 83 c4 0c                   - add esp,0c
0143C5ED - 8b 55 f4                   - mov edx,[ebp-0c]
0143C5F0 - 8b 02                      - mov eax,[edx]
0143C5F2 - 8b 48 3c                   - mov ecx,[eax+3c]
0143C5F5 - 89 4d f8                   - mov [ebp-08],ecx
0143C5F8 - 83 7d f8 01                - cmp dword ptr [ebp-08],01
0143C5FC - 74 20                      - je 0143c61e
0143C5FE - 68 79 02 00 00             - push 00000279
0143C603 - 68 68 b1 ef 00             - push 00efb168 : ["c:\radonlabs\code\mangalore\attr/attributetable.h"]
0143C608 - 68 e0 b6 ef 00             - push 00efb6e0 : ["this->GetColumnValueType(colIndex) == IntType"]
0143C60D - e8 8e 92 fc fe             - call 004058a0
0143C612 - eb 07                      - jmp 0143c61b
0143C614 - cc                         - int 3
[...]
0143C61A - cc                         - int 3
0143C61B - 83 c4 0c                   - add esp,0c
0143C61E - 8b 55 0c                   - mov edx,[ebp+0c]
0143C621 - 52                         - push edx
0143C622 - 8b 45 08                   - mov eax,[ebp+08]
0143C625 - 50                         - push eax
0143C626 - 8b 4d ec                   - mov ecx,[ebp-14]
0143C629 - e8 12 5c ff fe             - call 00432240
0143C62E - eb 10                      - jmp 0143c640
0143C630 - cc                         - int 3
[...]
0143C63F - cc                         - int 3
0143C640 - 89 45 fc                   - mov [ebp-04],eax
0143C643 - 8b 4d fc                   - mov ecx,[ebp-04]
0143C646 - 8b 01                      - mov eax,[ecx]          <- this is the actual memory access that writes the target memory


So far, so good, but I got stuck again here. This is obviously not a direct access within any kind of structure. The whole magic lies within that function at 00432240. I have also traced back the assembly at the place where my value is read, and it also calls this function (00432240) right before the actual read happens! So methinks this is some sort of getter function that yields the actual address. If I understood this right, a C equivalent to this last part would be something like:
Code:

attributePointer = getAttributeLocation(X, Y);   // with some magic value passed in ECX


So, I looked deeper into it and found this:
Code:

00432240 - e9 2b 92 00 01             - jmp 0143b470
[...]
0143B470 - 55                         - push ebp
0143B471 - 8b ec                      - mov ebp,esp
0143B473 - 83 ec 08                   - sub esp,08
0143B476 - 56                         - push esi
0143B477 - 89 4d f8                   - mov [ebp-08],ecx
0143B47A - 8b 4d f8                   - mov ecx,[ebp-08]
0143B47D - 83 c1 08                   - add ecx,08
0143B480 - e8 4b 6d ff fe             - call 004321d0
0143B485 - eb 10                      - jmp 0143b497
0143B487 - cc                         - int 3
[...]
0143B496 - cc                         - int 3
0143B497 - 39 45 08                   - cmp [ebp+08],eax
0143B49A - 7d 0e                      - jnl 0143b4aa
0143B49C - 8b 45 f8                   - mov eax,[ebp-08]
0143B49F - 8b 4d 0c                   - mov ecx,[ebp+0c]
0143B4A2 - 3b 88 80 00 00 00          - cmp ecx,[eax+00000080]
0143B4A8 - 7c 29                      - jnge 0143b4d3
0143B4AA - 68 1c 02 00 00             - push 0000021c
0143B4AF - 90                         - nop
0143B4B0 - 68 68 b1 ef 00             - push 00efb168 : ["c:\radonlabs\code\mangalore\attr/attributetable.h"]
0143B4B5 - 68 08 b2 ef 00             - push 00efb208 : ["(colIndex < this->columns.Size()) && (rowIndex < this->numRows)"]
0143B4BA - e8 e1 a3 fc fe             - call 004058a0
0143B4BF - eb 0f                      - jmp 0143b4d0
0143B4C1 - cc                         - int 3
[...]
0143B4CF - cc                         - int 3
0143B4D0 - 83 c4 0c                   - add esp,0c
0143B4D3 - 8b 55 f8                   - mov edx,[ebp-08]
0143B4D6 - 8b 75 0c                   - mov esi,[ebp+0c]
0143B4D9 - 0f af 72 7c                - imul esi,[edx+7c]
0143B4DD - 8b 45 08                   - mov eax,[ebp+08]
0143B4E0 - 50                         - push eax
0143B4E1 - 8b 4d f8                   - mov ecx,[ebp-08]
0143B4E4 - 83 c1 08                   - add ecx,08
0143B4E7 - e8 04 6d ff fe             - call 004321f0
0143B4EC - eb 13                      - jmp 0143b501
0143B4EE - cc                         - int 3
[...]
0143B500 - cc                         - int 3
0143B501 - 03 70 04                   - add esi,[eax+04]
0143B504 - 89 75 fc                   - mov [ebp-04],esi
0143B507 - 8b 4d f8                   - mov ecx,[ebp-08]
0143B50A - 8b 81 88 00 00 00          - mov eax,[ecx+00000088]
0143B510 - 03 45 fc                   - add eax,[ebp-04]
0143B513 - 5e                         - pop esi
0143B514 - 8b e5                      - mov esp,ebp
0143B516 - 5d                         - pop ebp
0143B517 - c2 08 00                   - ret 0008


Now this code I don't understand. Again, the magic happens at the end. I thought it was a win because I finally detected my register+offset scheme at 0143B50A, but this leads me nowhere, as esi, and hence the first local variable [ebp-04], contains tons of different values at this point, all in different game situations. Even walking around and doing nothing else calls this method thousands of times!

Plus, at 0143B4E7 there is a call again; here's the code for it:
Code:

004321D0 - 55                         - push ebp
004321D1 - 8b ec                      - mov ebp,esp
004321D3 - 51                         - push ecx
004321D4 - 89 4d fc                   - mov [ebp-04],ecx
004321D7 - 8b 45 fc                   - mov eax,[ebp-04]
004321DA - 8b 40 08                   - mov eax,[eax+08]
004321DD - 8b e5                      - mov esp,ebp
004321DF - 5d                         - pop ebp
004321E0 - c3                         - ret

[...]

004321F0 - 55                         - push ebp
004321F1 - 8b ec                      - mov ebp,esp
004321F3 - 51                         - push ecx
004321F4 - 89 4d fc                   - mov [ebp-04],ecx
004321F7 - 8b 45 fc                   - mov eax,[ebp-04]
004321FA - 83 78 0c 00                - cmp dword ptr [eax+0c],00
004321FE - 74 0b                      - je 0043220b
00432200 - 8b 4d fc                   - mov ecx,[ebp-04]
00432203 - 8b 55 08                   - mov edx,[ebp+08]
00432206 - 3b 51 08                   - cmp edx,[ecx+08]
00432209 - 7c 17                      - jnge 00432222
0043220B - 68 12 02 00 00             - push 00000212
00432210 - 68 60 83 ef 00             - push 00ef8360 : ["c:\nebula3\code\foundation\util/array.h"]
00432215 - 68 88 83 ef 00             - push 00ef8388 : ["this->elements && (index < this->size)"]
0043221A - e8 81 36 fd ff             - call 004058a0
0043221F - 83 c4 0c                   - add esp,0c
00432222 - 8b 45 fc                   - mov eax,[ebp-04]
00432225 - 8b 48 0c                   - mov ecx,[eax+0c]
00432228 - 8b 55 08                   - mov edx,[ebp+08]
0043222B - 8d 04 d1                   - lea eax,[ecx+edx*8]
0043222E - 8b e5                      - mov esp,ebp
00432230 - 5d                         - pop ebp
00432231 - c2 04 00                   - ret 0004


Now I am lost: what is all this? I read the code, I understand the instructions, but what I don't see is the logic behind it. I also read the comments, parts of the program code that seem to be useful, but I have no idea which parts of the asm code represent the snippets in the comments.

Another thing I don't get is at 0143B4D9: an integer multiply into ESI ... okay, ESI is just a register, but wasn't it supposed to be used for string manipulation? Here, clearly, esi is added to the pointer value in eax at 0143B504 and then at 0143B510.

Sooooooo .... what I found out is that this is some kind of getter function that "calculates" the address of the value?



Does anyone feel like having a look at this code and giving me a hint? I will not even shut down my computer and will let Drakensang 2 stay in the background so that the addresses still match (well, for some time at least).

Maybe someone could give me hints on the big picture of what this method actually does, or has already seen such a thing. I would appreciate any hint/advice on how to proceed from here.

Thanks a lot in advance already; I understand this is not easy.

PS:
One more block of code I omitted but which might be interesting:
Code:

004321D0 - 55                         - push ebp
004321D1 - 8b ec                      - mov ebp,esp
004321D3 - 51                         - push ecx
004321D4 - 89 4d fc                   - mov [ebp-04],ecx
004321D7 - 8b 45 fc                   - mov eax,[ebp-04]
004321DA - 8b 40 08                   - mov eax,[eax+08]
004321DD - 8b e5                      - mov esp,ebp
004321DF - 5d                         - pop ebp
004321E0 - c3                         - ret


Other code blocks are omitted because they are (okay, seem to me to be) like error handlers.
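The three listings above (the caller at 0143C590, the getter at 0143B470 reached through the jump stub at 00432240, and the two small helpers at 004321D0 and 004321F0) fit together as a row/column lookup in an attribute table, and the question in both posts is why no fixed pointer chain leads to the exp value. The C below is an added reconstruction, not the game's or the Nebula/Mangalore engine's source: field names (columns, numRows, rowPitch, valueBuffer, defPtr) are taken from the assert strings in the listing, the offsets from the instructions (this+0x08, +0x7c, +0x80, +0x88; 8-byte column entries; valueType at defPtr+0x3c with IntType == 1), and the struct layouts, the `attrtable_*` function names and the sample table contents are assumptions made so the code runs stand-alone.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Value type tag compared at 0143C5F8 (cmp dword ptr [ebp-08],01): IntType == 1. */
enum { ATTR_INT_TYPE = 1 };

/* Attr::AttributeDefinition: only the field the listing reads ([eax+3c]). */
typedef struct { int valueType; } AttrDef;

/* One 8-byte element of the columns array (lea eax,[ecx+edx*8]):
 * +0 defPtr (asserted non-NULL), +4 byte offset of the column inside a row. */
typedef struct { AttrDef *defPtr; uint32_t byteOffset; } Column;

/* Util::Array<Column> living at this+0x08: size at +0x08, elements at +0x0c. */
typedef struct { int size; Column *elements; } ColumnArray;

/* Attr::AttributeTable, with the offsets the getter touches (assumed layout). */
typedef struct {
    ColumnArray columns;   /* this+0x08 */
    uint32_t rowPitch;     /* this+0x7c : bytes per row */
    int numRows;           /* this+0x80 */
    uint8_t *valueBuffer;  /* this+0x88 : heap block holding every cell */
} AttributeTable;

/* Util::Array::operator[] at 004321F0: bounds-checks, returns &elements[index]. */
static Column *columns_at(ColumnArray *a, int index) {
    assert(a->elements && index < a->size);  /* "this->elements && (index < this->size)" */
    return &a->elements[index];
}

/* Getter at 0143B470 (called via 00432240):
 * result = valueBuffer + rowIndex * rowPitch + columns[colIndex].byteOffset */
void *attrtable_value_ptr(AttributeTable *t, int colIndex, int rowIndex) {
    /* "(colIndex < this->columns.Size()) && (rowIndex < this->numRows)" */
    assert(colIndex < t->columns.size && rowIndex < t->numRows);
    uint32_t off = (uint32_t)rowIndex * t->rowPitch;        /* imul esi,[edx+7c] */
    off += columns_at(&t->columns, colIndex)->byteOffset;   /* add esi,[eax+04]  */
    return t->valueBuffer + off;                            /* [ecx+88] + esi    */
}

/* Caller at 0143C590: checks the column is an int column, then reads the cell. */
int attrtable_get_int(AttributeTable *t, int colIndex, int rowIndex) {
    Column *c = columns_at(&t->columns, colIndex);
    assert(c->defPtr != NULL);                        /* "0 != this->defPtr" */
    assert(c->defPtr->valueType == ATTR_INT_TYPE);    /* "GetColumnValueType(colIndex) == IntType" */
    return *(int *)attrtable_value_ptr(t, colIndex, rowIndex);   /* mov eax,[ecx] */
}

/* Offset of a cell from the start of the value buffer: the constant a pointer
 * path must add after following AttributeTable+0x88. */
long attrtable_cell_offset(AttributeTable *t, int colIndex, int rowIndex) {
    return (uint8_t *)attrtable_value_ptr(t, colIndex, rowIndex) - t->valueBuffer;
}

/* Constructed sample table (not game data): three int columns, four rows,
 * 16 bytes per row, "exp" stored in row 1 / column 2 with the value 10. */
static AttrDef g_int_def = { ATTR_INT_TYPE };
static Column g_cols[3] = { { &g_int_def, 0 }, { &g_int_def, 4 }, { &g_int_def, 8 } };
static uint8_t g_values[4 * 16];
static AttributeTable g_table = { { 3, g_cols }, 16, 4, g_values };

AttributeTable *sample_table(void) {
    memset(g_values, 0, sizeof g_values);
    *(int *)(g_values + 1 * 16 + 8) = 10;
    return &g_table;
}

int main(void) {
    AttributeTable *t = sample_table();
    printf("exp = %d at valueBuffer+0x%lx\n",
           attrtable_get_int(t, 2, 1), attrtable_cell_offset(t, 2, 1));
    /* What a CE freeze does: write through the address the getter returns. */
    *(int *)attrtable_value_ptr(t, 2, 1) = 30000;
    printf("exp = %d\n", attrtable_get_int(t, 2, 1));
    return 0;
}
```

The point for a pointer search: the address CE reported (21F4F830 in the first post) is not a field of some object but a cell inside one large heap block, and the only stable route to it is table object -> +0x88 (valueBuffer) -> plus a constant (row * rowPitch + column byte offset). A pointer scan should therefore look for what holds the AttributeTable pointer and add that constant as the final offset, rather than expecting a register+offset access in the writing instruction.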
All times are GMT - 6 Hours