Cheat Engine - The Official Site of Cheat Engine
Mr. Starman (Newbie cheater)
Reputation: 0
Joined: 09 Oct 2012, Posts: 16
Posted: Wed Oct 10, 2012 12:35 am
Post subject: Can't find pointer
Code:
0041C9A8 - 8B 01 - mov eax,[ecx]
0041C9AA - 8B 51 04 - mov edx,[ecx+04]
0041C9AD - 29 03 - sub [ebx],eax <<
0041C9AF - 19 53 04 - sbb [ebx+04],edx
0041C9B2 - E9 B9000000 - jmp TPW2nd._GetExceptDLLinfo+1BA17
EAX=000003FB
EBX=08715F78
ECX=104B4300
EDX=00000000
ESI=00000004
EDI=08715F78
ESP=0012DB9C
EBP=0012DBF8
EIP=0041C9AF

When I searched for EBX's value to find the pointer, nothing came up. How come?
I've tried using Pointer Scan, but it ended up with the same result (no pointer points to the right address).
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003, Posts: 25791, Location: The Netherlands
Posted: Wed Oct 10, 2012 1:59 am
Perhaps ebx gets its value from somewhere else, so look up in the assembler code.
As for the pointerscan, try a bigger level and structure size.
Make sure this isn't an emulator like a PS2, N64, Java or Flash though, as you won't be able to find it then.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Mr. Starman (Newbie cheater)
Reputation: 0
Joined: 09 Oct 2012, Posts: 16
Posted: Wed Oct 10, 2012 2:58 am
Well, the value of EBX was exactly the same as the address that I was searching the pointer for. Not sure what that means.
And don't worry, it's a PC game.
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003, Posts: 25791, Location: The Netherlands
Posted: Wed Oct 10, 2012 3:40 am
What I meant is that perhaps before the code shown there is an "ADD EBX,1234",
meaning that ebx is actually your address-1234.
Anyhow, another method to find the offset is to try and find the start of the structure the address is in. Perhaps it's nicely aligned on a page boundary, or it starts with a function pointer field.
Mr. Starman (Newbie cheater)
Reputation: 0
Joined: 09 Oct 2012, Posts: 16
Posted: Wed Oct 10, 2012 6:15 am
I believe I have found the solution to this problem.
Code:
0041C9AD - 29 03 - sub [ebx],eax <<

That address is static, so I can just use some code injection to freeze the value.
Problem is, I don't know how to make the enable/disable parts if all I want is to change that line of code to NOP.
Here's the auto-assemble script.
Code:
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
originalcode:
sub [ebx],eax
sbb [ebx+04],edx
exit:
jmp returnhere
"TPW2nd.exe"+1C9AD:
jmp newmem
returnhere:

I just need to change sub [ebx],eax into NOP, and I can't figure it out with the enable/disable script since I want to put it straight into the code list.
Yeah, I know I'm a noob at Auto Assembly. Never really used it before.

Edit:
Yay, it works!
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
add [ebx],eax
originalcode:
sub [ebx],eax
sbb [ebx+04],edx
exit:
jmp returnhere
"TPW2nd.exe"+1C9AD:
jmp newmem
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"TPW2nd.exe"+1C9AD:
sub [ebx],eax
sbb [ebx+04],edx

Silly me, not noticing that you can just counter the sub code with an add code.

Edit 2:
And somehow it also affects HP in battle, meaning it can never decrease. Guess the game uses the same code, only with a different register.
Well, I can just turn it off in battle, so not a problem.
Gniarf (Grandmaster Cheater Supreme)
Reputation: 43
Joined: 12 Mar 2012, Posts: 1285
Posted: Wed Oct 10, 2012 8:27 am
Since you're not familiar with the auto-assembler, here's the proper way of nopping your sub [ebx],eax:
Code:
[ENABLE]
"TPW2nd.exe"+1C9AD:
nop
nop
[DISABLE]
"TPW2nd.exe"+1C9AD:
sub [ebx],eax

Mr. Starman (Newbie cheater)
Reputation: 0
Joined: 09 Oct 2012, Posts: 16
Posted: Sun Oct 14, 2012 5:04 am
About nopping your code, I still don't understand how you decide how many nops you will use in the enable part.
For example:
Code:
00420960 - C7 05 18574A00 09000000 - mov [004A5718],00000009
0042096A - EB 1E - jmp 0042098A

I want to nop the mov, so I use
Code:
[ENABLE]
"th11e.exe"+20960:
nop
[DISABLE]
"th11e.exe"+20960:
mov [004A5718],00000009

What I got was this:
Code:
00420960 - 90 - nop
00420961 - 05 18574A00 - add eax,004A5718 : [00000004]
00420966 - 09 00 - or [eax],eax
00420968 - 00 00 - add [eax],al
0042096A - EB 1E - jmp 0042098A

A bunch of instructions pop out of nowhere like that. Pretty sure that would cause errors or something.
Gniarf (Grandmaster Cheater Supreme)
Reputation: 43
Joined: 12 Mar 2012, Posts: 1285
Posted: Sun Oct 14, 2012 7:13 am
Number of nops = the number of bytes the instruction takes.
29 03 - sub [ebx],eax takes 2 bytes (one is 29, the second 03).
C7 05 18574A00 09000000 - mov [004A5718],00000009 takes 10 bytes.
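Gniarf's rule (one nop per byte of the original instruction) and the garbled listing in the previous post can both be checked mechanically, which is what the following Python does. It is an added example, not code from this thread or from Cheat Engine: it parses "address - bytes - disassembly" lines in the format quoted above (the sample listing is constructed from the lines in this thread), reads each instruction's length off the byte column, refuses any patch that does not cover whole instructions (the one-byte nop over the ten-byte mov is rejected, which is exactly what left the decoder mid-instruction in the previous post), and renders a same-length [ENABLE]/[DISABLE] script whose [DISABLE] restores the original bytes with db. The module base 0x00400000 is taken from the page's own pairing of "TPW2nd.exe"+1C9AD with 0041C9AD and "th11e.exe"+20960 with 00420960; the function and class names are mine.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: listing lines in Cheat Engine's
# "address - bytes - disassembly" format, taken from this thread.
LISTING = """
0041C9A8 - 8B 01 - mov eax,[ecx]
0041C9AA - 8B 51 04 - mov edx,[ecx+04]
0041C9AD - 29 03 - sub [ebx],eax <<
0041C9AF - 19 53 04 - sbb [ebx+04],edx
00420960 - C7 05 18574A00 09000000 - mov [004A5718],00000009
0042096A - EB 1E - jmp 0042098A
"""

# 8 hex digits, " - ", one or more hex byte groups (CE prints immediates as one
# 4-byte group), " - ", then the disassembly text.
LINE_RE = re.compile(
    r"^([0-9A-Fa-f]{8}) - ((?:[0-9A-Fa-f]{2})+(?: (?:[0-9A-Fa-f]{2})+)*) - (.+)$"
)

NOP = 0x90  # single-byte x86 nop


@dataclass(frozen=True)
class Insn:
    address: int
    raw: bytes   # the encoded instruction bytes
    text: str    # the disassembly as printed

    @property
    def length(self) -> int:
        # The instruction length is simply the number of bytes in the byte column.
        return len(self.raw)


def parse_listing(text: str) -> list[Insn]:
    """Turn Cheat Engine listing lines into Insn records (the ' <<' marker is ignored)."""
    insns = []
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("<<"):
            line = line[:-2].rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised listing line: {line!r}")
        addr, hex_groups, disasm = m.groups()
        insns.append(Insn(int(addr, 16), bytes.fromhex(hex_groups.replace(" ", "")), disasm.strip()))
    return insns


def nop_patch(insn: Insn) -> bytes:
    """Same-length replacement: one 0x90 per byte of the original instruction."""
    return bytes([NOP] * insn.length)


def check_patch(insns: list[Insn], address: int, patch: bytes) -> list[Insn]:
    """Reject a patch that does not start on an instruction boundary or that ends
    inside an instruction. Returns the instructions the patch fully overwrites."""
    start = next((i for i, x in enumerate(insns) if x.address == address), None)
    if start is None:
        raise ValueError(f"{address:08X} is not the start of a listed instruction")
    covered, end = 0, start
    while covered < len(patch):
        if end >= len(insns):
            raise ValueError("patch runs past the end of the listing")
        covered += insns[end].length
        end += 1
    if covered != len(patch):
        raise ValueError(f"{len(patch)}-byte patch ends inside an instruction (next boundary at +{covered})")
    return insns[start:end]


def patch_is_safe(insns: list[Insn], address: int, patch: bytes) -> bool:
    """Boolean wrapper around check_patch for callers that just want yes/no."""
    try:
        check_patch(insns, address, patch)
        return True
    except ValueError:
        return False


def aa_nop_script(module: str, module_base: int, insn: Insn) -> str:
    """Render an [ENABLE]/[DISABLE] auto-assembler script that nops one instruction
    with exactly insn.length nops and restores the original bytes via db."""
    offset = insn.address - module_base
    enable = [f'"{module}"+{offset:X}:'] + ["nop"] * insn.length
    restore = "db " + " ".join(f"{b:02X}" for b in insn.raw)
    disable = [f'"{module}"+{offset:X}:', restore]
    return "\n".join(["[ENABLE]", *enable, "[DISABLE]", *disable])


if __name__ == "__main__":
    insns = parse_listing(LISTING)
    mov = next(i for i in insns if i.address == 0x00420960)
    # The single-nop attempt from the thread: 1 byte over a 10-byte instruction.
    print("one nop over the mov is safe:", patch_is_safe(insns, mov.address, b"\x90"))
    print(aa_nop_script("th11e.exe", 0x00400000, mov))
```

Running the script rejects the single nop over the mov and prints a script with ten nops under [ENABLE] and "db C7 05 18 57 4A 00 09 00 00 00" under [DISABLE]; the db form restores the exact bytes regardless of how the assembler would re-encode the mnemonic.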