KFUPM How do I cheat?
Reputation: 0
Joined: 02 Mar 2012 Posts: 6 Location: KSA
Posted: Wed Mar 07, 2012 2:41 pm Post subject: the value between brackets doesn't work!!!
hi,
after some levels of pointers I reached this function that accesses a pointer:
5E853FFF - 85 F0 - test eax,esi
5E854001 - 74 1E - je BrokerMainW+A8A57
5E854003 - 8B 03 - mov eax,[ebx] <<
5E854005 - 8B C8 - mov ecx,eax
5E854007 - 83 E1 07 - and ecx,07
EAX=078A5F10
EBX=09D93B14
ECX=028C3810
EDX=09D93B00
ESI=00000008
EDI=00000002
ESP=0021E9C8
EBP=00000003
EIP=5E854005
I don't know why I can't get any results if I search in hex about ebx. I think the second line of the function, which contains "je BrokerMainW+A8A57", has something to do with this problem, because it's the first time I see this kind of code.
Another question: in the more info tab it says "the value of the pointer ... is probably ...". Why is it "probably"? When can it be something different?
need help please
Dark Byte Site Admin
Reputation: 474
Joined: 09 May 2003 Posts: 25952 Location: The netherlands
Posted: Wed Mar 07, 2012 2:45 pm Post subject:
try looking up a few more instructions. Perhaps ebx gets the value from a previous calculation
as for why it says "probably" is because it's just a guess. Use your brains and look at the disassembler code to find it out for real
one example of when it is different:
mov ebx,[ebx+12]
then the "probably" value is completely wrong and you must use the address you used the "find what accesses" function on -12 to get the real base
_________________
Tools give you results. Knowledge gives you control.
Like my help? Join me on Patreon so i can keep helping
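The reply above turns on the register dump being taken after the instruction has run. As an added example that is not part of the thread, this C model executes both loads and compares the base read from the dump with the accessed address minus the offset. Assumptions: the "12" is read as hex 0x12, the value stored at the second address is constructed, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Sparse toy memory. First cell comes from the register dump in the thread
   (EBX=09D93B14, EAX=078A5F10 after "mov eax,[ebx]"); second is constructed. */
typedef struct { uint32_t addr, value; } cell_t;
static const cell_t MEM[] = {
    {0x09D93B14u, 0x078A5F10u},
    {0x09D93B26u, 0x0A000040u},   /* constructed sample value */
};

static uint32_t load32(uint32_t addr) {
    for (size_t i = 0; i < sizeof MEM / sizeof MEM[0]; i++)
        if (MEM[i].addr == addr) return MEM[i].value;
    return 0;                      /* unmapped in this toy model */
}

/* What a debugger records for "mov dst,[ebx+off]": the address that was
   read, and EBX as it appears in the dump taken after the instruction. */
typedef struct { uint32_t accessed, ebx_after; } trace_t;

static trace_t step_mov(uint32_t ebx, uint32_t off, int dst_is_ebx) {
    trace_t t;
    t.accessed  = ebx + off;
    t.ebx_after = dst_is_ebx ? load32(t.accessed) : ebx;  /* base overwritten? */
    return t;
}

/* Assumption: the "probably" hint is the base register read from the dump. */
static uint32_t guessed_base(trace_t t) { return t.ebx_after; }

/* The reliable value: accessed address minus the instruction's offset. */
static uint32_t real_base(trace_t t, uint32_t off) { return t.accessed - off; }

int main(void) {
    trace_t a = step_mov(0x09D93B14u, 0x00u, 0);  /* mov eax,[ebx]    */
    trace_t b = step_mov(0x09D93B14u, 0x12u, 1);  /* mov ebx,[ebx+12] */
    printf("mov eax,[ebx]    guess=%08X real=%08X\n",
           (unsigned)guessed_base(a), (unsigned)real_base(a, 0x00u));
    printf("mov ebx,[ebx+12] guess=%08X real=%08X\n",
           (unsigned)guessed_base(b), (unsigned)real_base(b, 0x12u));
    return 0;
}
```

For the first instruction the two values agree; for the second the dump holds the loaded value, so only the subtraction recovers the base.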
KFUPM How do I cheat?
Reputation: 0
Joined: 02 Mar 2012 Posts: 6 Location: KSA
Posted: Wed Mar 07, 2012 2:53 pm Post subject:
Thank you, Dark Byte. I'll try and tell you what happened.
Could you please tell me what "je BrokerMainW+A8A57" means?
Fresco Grandmaster Cheater
Reputation: 4
Joined: 07 Nov 2010 Posts: 600
Posted: Wed Mar 07, 2012 3:43 pm Post subject:
wouldn't it be much easier and simpler and quicker to just pointerscan that address?
je BrokerMainW+A8A57
if eax = esi (test eax,esi)
execute the code at address "BrokerMainW+A8A57"
till the instruction ret
if not just go on and do not execute the function BrokerMainW+A8A57
_________________
... Fresco
Last edited by Fresco on Wed Mar 07, 2012 3:46 pm; edited 1 time in total
Dark Byte Site Admin
Reputation: 474
Joined: 09 May 2003 Posts: 25952 Location: The netherlands
Posted: Wed Mar 07, 2012 3:45 pm Post subject:
Code:
je BrokerMainW+A8A57
means that the instruction pointer will jump to BrokerMainW+A8A57 when a specific state is met