Cheat Engine - The Official Site of Cheat Engine

justa_dude, Grandmaster Cheater
Reputation: 23
Joined: 29 Jun 2010, Posts: 893
Posted: Thu Jul 01, 2010 8:33 am    Post subject: Why doesn't the value in my registered symbol match...?

Hi folks,
I've been having a blast playing with CE the last couple of days (thanks DB and friends!). It's so versatile, and yet so specialized - things that are a real chore with Olly or even Ice are made so easy! I'm currently learning the powerful auto-assembler and script-engine features, and they are just amazing! Unfortunately, I've hit a little snag and I'm not quite sure how to interpret what I'm seeing. Thus, my plea for help.
So, my target game displays the player-character's wealth on the screen. The value it reads from changes from time to time (game reloads, reboots, etc.). Since finding a static address for the money is a tremendous challenge, even with the outstanding pointer-scanning tool, I looked for the code that is constantly called to read this value and update it, hoping to snag an address there. I think that I've done this properly, because if I enable my injection in the CE table and choose to "find what writes" the variable my symbol references, then I can see that the correct address to player-character gold is being stored with the disassembly view. Unfortunately, setting a "watch" on the symbol in the table editor never shows me the address I'm expecting. I'm a little confounded, to say the least.
The only thing I can think of that would cause the discrepancy is if the code that I've targeted updates values other than money. Unfortunately, I can't set a breakpoint because it's a DirectX game and will prevent me from alt-tabbing back to Cheat Engine. I have watched the original code, though, and I've never seen it use the values I'm seeing in my symbol. Anyone have ideas as to what's going wrong or how I might approach the problem from another angle?
Thanks in advance,
adude
[Attachment 1: Snapshot of the table-view.]
[Attachment 2: screenshot, no description given.]

justa_dude, Grandmaster Cheater
Reputation: 23
Joined: 29 Jun 2010, Posts: 893
Posted: Fri Jul 02, 2010 7:28 pm

Anyone have any guesses? Is my cave getting executed from somewhere else the only possibility?

Dark Byte, Site Admin
Reputation: 471
Joined: 09 May 2003, Posts: 25864, Location: The Netherlands
Posted: Fri Jul 02, 2010 8:00 pm

That code that accesses the money is probably also used by the comp player (or it's actually a multi-purpose piece of code, e.g. scripting, used by almost everything, from showing ammo to determining the color of a brick).
Example: if it's done in a loop, e.g. first player 1 (user), then player 2, player 3, etc., then the address you'll see in money_base_address will be that of the last player.
The easiest way to find out if it's used by multiple things is right-clicking the code and choosing "Find what addresses this code accesses".
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping

justa_dude, Grandmaster Cheater
Reputation: 23
Joined: 29 Jun 2010, Posts: 893
Posted: Sat Jul 03, 2010 5:11 pm

Thank you for taking the time to look at my issue, DB. You suggest right-clicking the code and choosing "find what addresses this code accesses." The only thing I see is the same value that's in the money_base_address variable. And this value never seems to match the address that I see in the disassembly snapshot. If I were setting breakpoints, would the two values always be the same?
Also, sometimes when I go back and view my code, it has been changed. I only have one script that is active, and the code is pretty trivial:
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
registersymbol(money_base_address)
alloc(money_base_address,4)
somegame.exe+ABC123:
jmp newmem
returnhere:
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
push esi
lea esi,[ecx+10]
mov [money_base_address],esi
pop esi
originalcode:
mov eax,[ecx+10]
ret
int 3
exit:
jmp returnhere
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem,2048) //2kb should be enough
unregistersymbol(money_base_address)
dealloc(money_base_address,4)
somegame.exe+ABC123:
mov eax,[ecx+10]
ret
int 3
If I start CE, start the game, attach CE to the game, click the check-box next to the above script, attach the debugger and ask CE to show me what writes to money_base_address, I sometimes get a snapshot like the one in my original post - the code matches what I expect, only the address in money_base_address doesn't match the value that was in ESI. Sometimes, though, the code has been inexplicably changed. It seems like, given the above script, there should only be one place where money_base_address is written, and it should always be preceded with the same few lines of asm - saving registers and flags, manipulating the address in esi, etc. Where is this other stuff coming from? Am I misusing the auto-assembler with bad code? Should I not be using ESI for storage? Hah - I know there are a lot of questions here, and I apologize, but if you could help me make sense out of what I'm seeing, I'd sure appreciate it!
Thanks in advance,
adude
[Attachment 3: screenshot, no description given.]

XaLeX, Expert Cheater
Reputation: 0
Joined: 19 Aug 2008, Posts: 226
Posted: Sat Jul 03, 2010 7:41 pm

Just a little note about your code: not sure if this can be a problem, but dealloc takes only one parameter, that is, the label. No size as CE already knows it.
justa_dude wrote:
Code:
[DISABLE]
dealloc(newmem,2048) // <-- should be dealloc(newmem)
unregistersymbol(money_base_address)
dealloc(money_base_address,4) //same: should be dealloc(money_base_address)
Also, if you're constantly using the symbol "money_base_address", maybe you shouldn't unregister it... but I'm not sure, as I'm not familiar with them.
Anyway, your piece of code is like a breakpoint. It just saves all the values that it assumes every time the flow of the program reaches that bit of code. If, as DB has already pointed out, that piece of code is a general one (in the worst case, something that paints stuff on the screen), you'll get tons of different values.
P.S. setting a watch on the symbol doesn't work because what writes to the symbol is not the original code (e.g. somegame.exe+123ABC) but your allocated code.

justa_dude, Grandmaster Cheater
Reputation: 23
Joined: 29 Jun 2010, Posts: 893
Posted: Tue Jul 06, 2010 7:38 pm

Thanks, guys. You were 100% correct.
I added a little sanity check to see if the value was in a reasonable range, and now I'm grabbing the correct address 100% of the time.
Thanks for the help!
Regards,
Adude
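Putting the thread's conclusions into one script: the Cheat Engine auto-assembler script below is an added example, not the table justa_dude posted, that applies Dark Byte's point (the accessor at somegame.exe+ABC123 is shared, so the last caller wins), justa_dude's fix (only record the address when the value looks like gold) and XaLeX's dealloc correction. The range bound of 1,000,000 is an assumption chosen for illustration; everything else (the address, the original bytes, the symbol name) comes from the thread.

```asm
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(skip)
label(exit)
registersymbol(money_base_address)
alloc(money_base_address,4)

somegame.exe+ABC123:
  jmp newmem
returnhere:

newmem:
  // this accessor is shared by every caller (other players, UI code),
  // so only keep the address when the value it points at is plausible gold
  pushfd                         // cmp below clobbers the flags; preserve them
  push esi
  lea esi,[ecx+10]
  cmp dword ptr [esi],#1000000   // assumed upper bound; '#' marks decimal in CE
  ja skip                        // unsigned compare also rejects negative values
  mov [money_base_address],esi   // plausible value: record this instance's address
skip:
  pop esi
  popfd
originalcode:
  mov eax,[ecx+10]
  ret                            // the original function body ends here
  int 3
exit:
  jmp returnhere

[DISABLE]
somegame.exe+ABC123:
  mov eax,[ecx+10]
  ret
  int 3
unregistersymbol(money_base_address)
dealloc(money_base_address)      // dealloc takes only the label, as XaLeX noted
dealloc(newmem)
```

Because the write to money_base_address happens in the cave and not at somegame.exe+ABC123, "find what writes" on the symbol will always point at newmem, so verifying the result means comparing the recorded address against the one seen in the disassembly, not against the original instruction.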