Cheat Engine The Official Site of Cheat Engine
oyy5408 How do I cheat?
Reputation: 0
Joined: 28 Apr 2010 Posts: 9
Posted: Sat Oct 30, 2010 6:50 pm Post subject: How do I find the ENCRYPTED VALUES?
When I couldn't find my HP in 4-byte, double or float, or through the method
Unknown initial value -> increased/decreased,
I used the 'Unknown initial value -> unchanged/changed' method.
I finally got a set of values (about 10 identical values), but I don't know how I could convert it to the actual value.
I found the pointer, but nothing 'accesses or writes memory' on the pointer.
When I searched the forum, it seemed like I had to understand the function that the address is calling.
Amongst the 10 identical values, I looked at what's writing to this address, and when I clicked on more information, I saw 'call 0047c7b4', so I went to that address to see what it's doing.
When I did, in the memory viewer, it looked like this:
0047C7B4 - 55 - push ebp
0047C7B5 - 8b ec - mov ebp,esp
0047C7B7 - 83 ec 20 - sub esp,20
0047C7BA - 83 e4 f0 - and esp,f0
0047C7BD - d9 c0 - fld st(0)
0047C7BF - d9 54 24 18 - fst dword ptr [esp+18]
0047C7C3 - df 7c 24 10 - fistp qword ptr [esp+10]
0047C7C7 - df 6c 24 10 - fild qword ptr [esp+10]
0047C7CB - 8b 54 24 18 - mov edx,[esp+18]
0047C7CF - 8b 44 24 10 - mov eax,[esp+10]
0047C7D3 - 85 c0 - test eax,eax
0047C7D5 - 74 3c - je 0047c813
0047C7D7 - de e9 - fsubp st(1),st(0)
0047C7D9 - 85 d2 - test edx,edx
0047C7DB - 79 1e - jns 0047c7fb
0047C7DD - d9 1c 24 - fstp dword ptr [esp]
0047C7E0 - 8b 0c 24 - mov ecx,[esp]
0047C7E3 - 81 f1 00 00 00 80 - xor ecx,80000000
0047C7E9 - 81 c1 ff ff ff 7f - add ecx,7fffffff
0047C7EF - 83 d0 00 - adc eax,00
0047C7F2 - 8b 54 24 14 - mov edx,[esp+14]
0047C7F6 - 83 d2 00 - adc edx,00
0047C7F9 - eb 2c - jmp 0047c827
0047C7FB - d9 1c 24 - fstp dword ptr [esp]
0047C7FE - 8b 0c 24 - mov ecx,[esp]
0047C801 - 81 c1 ff ff ff 7f - add ecx,7fffffff
0047C807 - 83 d8 00 - sbb eax,00
0047C80A - 8b 54 24 14 - mov edx,[esp+14]
0047C80E - 83 da 00 - sbb edx,00
0047C811 - eb 14 - jmp 0047c827
0047C813 - 8b 54 24 14 - mov edx,[esp+14]
0047C817 - f7 c2 ff ff ff 7f - test edx,7fffffff
0047C81D - 75 b8 - jne 0047c7d7
0047C81F - d9 5c 24 18 - fstp dword ptr [esp+18]
0047C823 - d9 5c 24 18 - fstp dword ptr [esp+18]
0047C827 - c9 - leave
0047C828 - c3 - ret
0047C829 - 56 - push esi
0047C82A - ff 35 60 87 66 00 - push [00668760] : [1E5E19D8]
0047C830 - e8 a0 48 00 00 - call 004810d5
0047C835 - 59 - pop ecx
0047C836 - 8b 0d 5c 87 66 00 - mov ecx,[0066875c] : [1E5E1C10]
0047C83C - 8b f0 - mov esi,eax
0047C83E - a1 60 87 66 00 - mov eax,[00668760] : [1E5E19D8]
0047C843 - 8b d1 - mov edx,ecx
0047C845 - 2b d0 - sub edx,eax
0047C847 - 83 c2 04 - add edx,04
0047C84A - 3b f2 - cmp esi,edx
0047C84C - 73 4e - jae 0047c89c
0047C84E - b9 00 08 00 00 - mov ecx,00000800
0047C853 - 3b f1 - cmp esi,ecx
0047C855 - 73 02 - jae 0047c859
0047C857 - 8b ce - mov ecx,esi
0047C859 - 03 ce - add ecx,esi
I don't know when I had to stop, so I copied quite a lot.
What are some thoughts on this?
Please help me out!
Edit1*: I saw an xor at 0047C7E3 ... maybe that has something to do with the encryption?
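An added example, not part of the thread: the instruction sequence of the routine at 0047C7B4 in the post above (the fld/fist/fild prologue, the sign test on the stored float, the two `add ecx,7fffffff` branches with `adc`/`sbb` fix-ups, and the `test edx,7fffffff` path for zero) is that of the MSVC C runtime helper `_ftol2`, which converts the value in st(0) to a 64-bit integer truncated toward zero regardless of the FPU rounding mode. The C below is this editor's mirror of it, with this example's own function names and each step commented against the disassembly: the `xor ecx,80000000` flips the sign bit of the fractional remainder so that the following add carries exactly when the rounded result overshot the true value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* fistp under the default round-to-nearest-even mode. NaN and out-of-range
   inputs yield the x87 "integer indefinite" 0x8000000000000000. */
static int64_t fistp_rne(double x)
{
    if (x != x || x >= 9223372036854775808.0 || x < -9223372036854775808.0)
        return INT64_MIN;
    int64_t t = (int64_t)x;            /* C casts truncate toward zero */
    double frac = x - (double)t;       /* exact for every double */
    if (frac > 0.5 || (frac == 0.5 && (t & 1)))   return t + 1;
    if (frac < -0.5 || (frac == -0.5 && (t & 1))) return t - 1;
    return t;
}

static uint32_t float_bits(float f) { uint32_t b; memcpy(&b, &f, sizeof b); return b; }

/* Mirror of 0047C7B4: truncate x toward zero into a 64-bit integer. */
static int64_t ftol2_mirror(double x)
{
    int64_t  r   = fistp_rne(x);                 /* fistp qword ptr [esp+10] */
    uint32_t eax = (uint32_t)(uint64_t)r;        /* mov eax,[esp+10] (low dword) */
    uint32_t hi  = (uint32_t)((uint64_t)r >> 32);
    uint32_t edx = float_bits((float)x);         /* mov edx,[esp+18] (sign of x) */

    /* test eax,eax / je / test edx,7fffffff: r is 0 or the indefinite value,
       so there is nothing to correct and it is returned unchanged. */
    if (eax == 0 && (hi & 0x7fffffffu) == 0)
        return r;

    /* fsubp st(1),st(0): remainder = x - rounded; fstp dword ptr [esp]; mov ecx,[esp] */
    uint32_t ecx = float_bits((float)(x - (double)r));

    if ((int32_t)edx < 0) {
        /* x < 0. xor ecx,80000000 flips the remainder's sign bit, so
           add ecx,7fffffff carries exactly when the remainder is > +0.0
           (rounding went below x); adc eax,0 / adc edx,0 add that carry. */
        ecx ^= 0x80000000u;
        uint32_t carry = (ecx > 0xffffffffu - 0x7fffffffu);
        return (int64_t)((uint64_t)r + carry);
    }
    /* x >= 0. add ecx,7fffffff carries exactly when the remainder is < -0.0
       (rounding went above x); sbb eax,0 / sbb edx,0 subtract that borrow. */
    uint32_t borrow = (ecx > 0xffffffffu - 0x7fffffffu);
    return (int64_t)((uint64_t)r - borrow);
}

/* Cross-check against C's truncating cast over a sweep in steps of 0.125,
   which covers the .5 ties where round-to-nearest-even differs from truncation. */
static int ftol2_matches_trunc(void)
{
    for (int i = -40000; i <= 40000; i++) {
        double x = i / 8.0;
        if (ftol2_mirror(x) != (int64_t)x) return 0;
    }
    return 1;
}

int main(void)
{
    const double samples[] = { 2.7, -2.7, 3.5, -3.5, 0.49, -0.49 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("ftol2(%6.2f) = %lld\n", samples[i], (long long)ftol2_mirror(samples[i]));
    printf("sweep matches (int64_t) cast: %s\n", ftol2_matches_trunc() ? "yes" : "no");
    return 0;
}
```

The practical reading for a scan: a caller that pushes a float through this routine stores a plain integer afterwards, so the bytes written by such a caller are worth rescanning as a 4-byte or 8-byte integer rather than as a float.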
noko_112 Grandmaster Cheater
Reputation: 0
Joined: 09 Jun 2009 Posts: 585
Posted: Sat Oct 30, 2010 7:44 pm
What game are we talking about?
And XOR is often used in encryption.
oyy5408 How do I cheat?
Reputation: 0
Joined: 28 Apr 2010 Posts: 9
Posted: Sat Oct 30, 2010 9:00 pm
It's called Metin 2. I'm trying to read the memory so I can do something else while it's hitting a stone (there's a stone in the game which takes forever to be killed, so it's a waste of time if I just sit there and watch).
So I was just going to use Cheat Engine to read the HP and, when it's dangerous, do some micro etc.
How do I 'un'XOR it from the above call?
Geri Moderator
Reputation: 111
Joined: 05 Feb 2010 Posts: 5627
Posted: Sat Oct 30, 2010 10:14 pm
It is messing with ecx a lot:
0047C7E0 - 8b 0c 24 - mov ecx,[esp]
0047C7E3 - 81 f1 00 00 00 80 - xor ecx,80000000
0047C7E9 - 81 c1 ff ff ff 7f - add ecx,7fffffff
and so on.
I would check that register in the debugger. Probably that is the health. If you are in the right function...
oyy5408 How do I cheat?
Reputation: 0
Joined: 28 Apr 2010 Posts: 9
Posted: Sun Oct 31, 2010 12:16 am
So... the thing is, I lost track of the old values because the computer shut down on me all of a sudden.
But here's something new I found.
I ended up with 30 addresses regarding my HP.
I added all of them to my address list and separated them into groups to keep similar things together.
When I click on "what writes to this address", these are the values that show up in the list box, and only once I get hit (that means these truly relate to my HP):
Group / Address / Value (when my HP is full)
1-1. 4261EF9D = 0
005013e4 - 89 46 3c - mov [esi+3c],eax
005013f0 - 89 46 40 - mov [esi+40],eax
1-2. 4261F04D = 0
005013e4 - 89 46 3c - mov [esi+3c],eax
005013f0 - 89 46 40 - mov [esi+40],eax
1-3. 4261F0A5 = 0
005013e4 - 89 46 3c - mov [esi+3c],eax
005013f0 - 89 46 40 - mov [esi+40],eax
1-4. 4261F0FD = 0
005013e4 - 89 46 3c - mov [esi+3c],eax
005013f0 - 89 46 40 - mov [esi+40],eax
1-5. 4261F155 = 0
005013e4 - 89 46 3c - mov [esi+3c],eax
005013f0 - 89 46 40 - mov [esi+40],eax
1-6. 4261F1AD = 0
005013e4 - 89 46 3c - mov [esi+3c],eax
005013f0 - 89 46 40 - mov [esi+40],eax
1-7. 4261F205 = 0
005013e4 - 89 46 3c - mov [esi+3c],eax
005013f0 - 89 46 40 - mov [esi+40],eax
*When my HP is full, all the group 1 values are at zero.
When I go up to a weak monster and get hit, I see no change in the group 1 values, therefore I believe these would represent the health bar 'image' only.
2-1. 1E31FD1D = -2.1327328023119E21
00439bbc - 89 b4 9f 54 39 00 00 - mov [edi+ebx*4+00003954],esi
2-2. 1E31FD1E = -29043.615234375
00439bbc - 89 b4 9f 54 39 00 00 - mov [edi+ebx*4+00003954],esi
2-3. 1E31FD1F = 0.00151738233398646
00439bbc - 89 b4 9f 54 39 00 00 - mov [edi+ebx*4+00003954],esi
2-4. 1E31FD20 = -8.82028906156601E23
00439bbc - 89 b4 9f 54 39 00 00 - mov [edi+ebx*4+00003954],esi
(Example of "more information" for Group 2)
*************************************
00439bb3 - ret 0008
00439bb6 - xor esi,e73ac1da
00439bbc - mov [edi+ebx*4+00003954],esi
00439bc3 - pop esi
00439bc4 - pop edi
Probable base pointer =1E31C3B8
EAX=00000004
EBX=00000005
ECX=00000001
EDX=425EB5F0
ESI=E73AC682
EDI=1E31C3B8
EBP=00000011
ESP=0018EF84
EIP=00439BC3
*************************************
3-1. 424CBAD1 = 34359214080
7733e266 - f0 0f c7 0f - lock cmpxchg8b [edi],
7733e177 - f0 0f c7 0f - lock cmpxchg8b [edi],
3-2. 424CBAD2 = 4.53196475011716E-17
7733e266 - f0 0f c7 0f - lock cmpxchg8b [edi],
7733e177 - f0 0f c7 0f - lock cmpxchg8b [edi],
3-3. 424CBAD3 = 3.33513378534546E-39
7733e266 - f0 0f c7 0f - lock cmpxchg8b [edi],
7733e177 - f0 0f c7 0f - lock cmpxchg8b [edi],
3-4. 424CBAD4 = 1.30264705243635E-41
7733e266 - f0 0f c7 0f - lock cmpxchg8b [edi],
7733e177 - f0 0f c7 0f - lock cmpxchg8b [edi],
(Example of "more information" for Group 3)
*************************************
7733e171 - mov ebx,[ebp-6c]
7733e174 - mov ecx,[ebp-68]
7733e177 - lock cmpxchg8b [edi],
7733e17b - cmp eax,[ebp-54]
7733e17e - jne alldiv+3ff
Probable base pointer =424CBAD0
EAX=0F200002
EBX=0F1A0001
ECX=00002892
EDX=00002892
ESI=424D48A8
EDI=424CBAD0
EBP=0018E99C
ESP=0018E918
EIP=7733E17B
*************************************
4-1. 424D4879 = -2.47394251823425
7733e238 - 66 89 47 08 - mov [edi+08],ax
0047c00c - 89 44 8f e8 - mov [edi+ecx*4-18],eax
0047c014 - 89 44 8f ec - mov [edi+ecx*4-14],eax
4-2. 424D487A = 1.94831289750119E33
0047c00c - 89 44 8f e8 - mov [edi+ecx*4-18],eax
0047c014 - 89 44 8f ec - mov [edi+ecx*4-14],eax
4-3. 424D487E = 4.26231111621222E32
0047c014 - 89 44 8f ec - mov [edi+ecx*4-14],eax
0047c01c - 89 44 8f f0 - mov [edi+ecx*4-10],eax
(Example of "more information" for 4-1)
*************************************
7733e235 - lodsb
7733e236 - rcl byte ptr [eax],1
7733e238 - mov [edi+08],ax
7733e23c - sub edi,[ebp-0c]
7733e23f - xor eax,eax
Probable base pointer =424D4870
EAX=28DEFFFF
EBX=00000001
ECX=000028DF
EDX=000028DE
ESI=424CBAC8
EDI=424D4870
EBP=0018EA60
ESP=0018EA2C
EIP=7733E23C
*************************************
5-1. 4254314E = 4.22010161855724E-5
00404275 - c1 e9 02 - shr ecx,02
5-2. 4254314F = 1.71541614690796E-7
00404275 - c1 e9 02 - shr ecx,02
5-3. 42543150 = 4.29676765634213E-5
00404275 - c1 e9 02 - shr ecx,02
5-4. 42543151 = 1.67532543393634E-10
00404275 - c1 e9 02 - shr ecx,02
00404278 - f3 a5 - repe movsd
5-5. 425647A3 = 4.22301018261351E-5
00404275 - c1 e9 02 - shr ecx,02
5-6. 425647A4 = 1.71542069438146E-7
00404275 - c1 e9 02 - shr ecx,02
5-7. 425647A5 = 4.29676765634213E-5
00404275 - c1 e9 02 - shr ecx,02
5-8. 425647A6 = 1.56026839645238E-19
00404275 - c1 e9 02 - shr ecx,02
(Example of "more information" for Group 5)
*************************************
00404271 - mov ecx,ebp
00404273 - mov eax,ecx
00404275 - shr ecx,02
00404278 - repe movsd
0040427a - mov ecx,eax
Probable base pointer =00000000
EAX=00000009
EBX=4254314C
ECX=00000001
EDX=0000000F
ESI=301E6570
EDI=42543154
EBP=00000009
ESP=0018EB3C
EIP=00404278
*************************************
6-1. 4261FA1D = -2.47394251823425
0047bf31 - 72 29 - jb 0047bf5c
6-2. 4261FA1E = 1.94831289750119E33
0047bf31 - 72 29 - jb 0047bf5c
6-3. 4261FA22 = 4.26231111621222E32
0047bf31 - 72 29 - jb 0047bf5c
(Example of "more information" for Group 6)
*************************************
0047bf2b - and edx,03
0047bf2e - cmp ecx,08
0047bf31 - jb 0047bf5c
0047bf33 - repe movsd
0047bf35 - jmp dword ptr [edx*4+0047c04c]
Probable base pointer =00000000
EAX=397941AC
EBX=397941AC
ECX=00000007
EDX=00000000
ESI=39794190
EDI=4261FA20
EBP=0018E888
ESP=0018E880
EIP=0047BF33
*************************************
7. 42621BF5 = 0.0078125
005013e4 - 89 46 3c - mov [esi+3c],eax
005013f0 - 89 46 40 - mov [esi+40],eax
(Example of "more information" for Group 7)
*************************************
005013dc - fld dword ptr [esp+04]
005013e0 - fmul dword ptr [esp+18]
005013e4 - mov [esi+3c],eax
005013e7 - call 0047c7b4
005013ec - fmul dword ptr [esp+1c]
Probable base pointer =42621BB8
EAX=00000000
EBX=00000000
ECX=1E6A8178
EDX=00000000
ESI=42621BB8
EDI=4263D168
EBP=0052E3B0
ESP=0018EB4C
EIP=005013E7
*************************************
It took forever to write this... I hope I can learn something from you guys through this...
Thanks
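An added example, not from the thread, built on the group 2 "more information" dump in the post above: the pair `xor esi,e73ac1da` / `mov [edi+ebx*4+00003954],esi` stores ESI XORed with a fixed 32-bit key, and with the dumped EDI=1E31C3B8 and EBX=00000005 the effective address works out to 1E31C3B8 + 5*4 + 3954 = 1E31FD20, the address of entry 2-4; entries 2-1 to 2-3 start one, two and three bytes earlier, so they are the same bytes read at a misaligned offset, which is why they display as nonsense floats. The C below uses this editor's own function names and a constructed 8-byte memory window (not the game's code or memory); it undoes the XOR on the dumped post-xor ESI, recovers the key from one known plaintext/stored pair, and shows what a scan hit on an unaligned address returns.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants copied from the group 2 register dump in the post. */
#define XOR_KEY     0xE73AC1DAu   /* xor esi,e73ac1da */
#define DUMPED_ESI  0xE73AC682u   /* ESI captured after the xor */
#define DUMPED_EDI  0x1E31C3B8u
#define DUMPED_EBX  0x00000005u
#define SLOT_DISP   0x00003954u   /* displacement in [edi+ebx*4+00003954] */

/* Effective address of the store [edi+ebx*4+00003954]. */
static uint32_t store_address(uint32_t edi, uint32_t ebx)
{
    return edi + ebx * 4u + SLOT_DISP;
}

/* XOR with a fixed key is its own inverse: decode and encode are the same
   operation, and a single known plaintext/stored pair gives the key back. */
static uint32_t decode_slot(uint32_t stored) { return stored ^ XOR_KEY; }
static uint32_t encode_slot(uint32_t plain)  { return plain ^ XOR_KEY; }
static uint32_t recover_key(uint32_t plain, uint32_t stored) { return plain ^ stored; }

/* Little-endian 32-bit read and write at an arbitrary byte offset, which is
   what a byte-granular scanner does for every candidate address. */
static uint32_t read_le32(const uint8_t *mem, size_t off)
{
    return (uint32_t)mem[off] | (uint32_t)mem[off + 1] << 8 |
           (uint32_t)mem[off + 2] << 16 | (uint32_t)mem[off + 3] << 24;
}

static void write_le32(uint8_t *mem, size_t off, uint32_t v)
{
    mem[off]     = (uint8_t)v;          mem[off + 1] = (uint8_t)(v >> 8);
    mem[off + 2] = (uint8_t)(v >> 16);  mem[off + 3] = (uint8_t)(v >> 24);
}

/* Constructed window standing in for 1E31FD1C..1E31FD23: filler bytes 0xCC,
   with the encoded slot written where the dumped store lands (1E31FD20). */
#define WINDOW_BASE 0x1E31FD1Cu
#define WINDOW_SIZE 8u

static void build_window(uint8_t mem[WINDOW_SIZE])
{
    memset(mem, 0xCC, WINDOW_SIZE);
    write_le32(mem, store_address(DUMPED_EDI, DUMPED_EBX) - WINDOW_BASE, DUMPED_ESI);
}

/* The raw 4-byte word a scanner reports for a hit at scan_addr inside the window. */
static uint32_t window_read(uint32_t scan_addr)
{
    uint8_t mem[WINDOW_SIZE];
    build_window(mem);
    return read_le32(mem, scan_addr - WINDOW_BASE);
}

int main(void)
{
    uint32_t slot = store_address(DUMPED_EDI, DUMPED_EBX);
    printf("store lands at %08X\n", slot);
    printf("ESI before the xor: %08X (%u)\n", decode_slot(DUMPED_ESI), decode_slot(DUMPED_ESI));
    printf("key recovered from that pair: %08X\n", recover_key(decode_slot(DUMPED_ESI), DUMPED_ESI));
    for (uint32_t a = 0x1E31FD1Du; a <= slot; a++)
        printf("%08X reads %08X -> decodes to %08X %s\n", a, window_read(a),
               decode_slot(window_read(a)), a == slot ? "(aligned slot)" : "(misaligned)");
    return 0;
}
```

Applied to the dumped values, the decode gives 0x00000758 (1880 decimal) as the register contents before the xor, and `encode_slot` is the operation to use when writing a new value back so that the game's own decode sees what was intended.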