Cheat Engine The Official Site of Cheat Engine
hydris (Newbie cheater; Reputation: 0; Joined: 09 Jan 2013; Posts: 19)
Posted: Sun Apr 14, 2013 2:20 pm
Post subject: In-menu only action, do-able without the menu on a keypress.
Stealth update for an old, old topic:
Something did come from this, though only partially what I hoped for.
YouTube: watch?v=spzFz5zKP70
--------------------------------------------------------------------------------------
Hey,
I'm trying to make an in-menu only action, do-able without the menu on a keypress.
What normally happens in-game/in-menu is that:
-It writes an integer (0 - 5) when a selection is made within the menu.
-Once the menu is exited, something appears to access the value stored at the address, then the change actually takes place.
The end result is that a specific button/key will perform different action(s).
(The game's Devil May Cry 3, if you're familiar; I'm talking about changing the active style.)
What I've tried is just changing the value at the address outside of the menu, but I need to exit the menu in order for the changes to take place. (Entering the menu does change the value back to what it was before.)
Currently I'm trying to just change the value at the address, then call two of the routines that access the address on exit, but I don't have much of an idea of what to do, and the autoAssemble function has been returning false with past attempts.
I currently have:
Code:
switchit = [[
[ENABLE]
globalalloc (loadstyle, 2048) //units in bytes
CREATETHREAD(loadstyle)
label(stop)
registersymbol(stop)
loadstyle:
jmp dmc3se.exe+44235 //there's a return 'in-game'
cmp [stop], 1
je loadstyle
ret
stop:
dd 1
[DISABLE]
stop:
dd 0
]]
--I intend to have switchit2 follow the same format as switchit
--styleaddress, debuggy (a debug-print helper) and switchit2 are defined elsewhere in the table (not shown here)
function loadStyle ()--the part I'm not sure what to do
local autoasm1 = autoAssemble (switchit)
if autoasm1 == false then debuggy ("Failure in autoAssembling of switchit1")
end --end if
local autoasm2 = autoAssemble (switchit2)
if autoasm2 == false then debuggy ("Failure in autoAssembling of switchit2")
end --end if
end --end loadStyle
function switchStyle (tostyle)
debuggy ("switchStyle called")
local stylevalue = readInteger(styleaddress) --read & check
if tostyle ~= stylevalue --if wanted style != current style..
then writeInteger (styleaddress, tostyle)
loadStyle()
end --end if tostyle...
end --end switchStyle
--createHotkey needs a function value; wrapping each call in a closure keeps it from running once at load time instead of on the keypress
SMkey = createHotkey(function () switchStyle (0) end, VK_F1) --f1
GSkey = createHotkey(function () switchStyle (1) end, VK_F2) --f2
TSkey = createHotkey(function () switchStyle (2) end, VK_F3) --f3
RGkey = createHotkey(function () switchStyle (3) end, VK_F4) --f4
If it helps, I can post the two functions/routines I want to call.
Last edited by hydris on Sat Feb 01, 2014 7:04 am; edited 1 time in total |
Gniarf (Grandmaster Cheater Supreme; Reputation: 43; Joined: 12 Mar 2012; Posts: 1285)
Posted: Sun Apr 14, 2013 9:40 pm
1-You only need the "[enable]" keyword and the "[disable]" section for AA scripts that are directly in your cheat table.
When using the Lua autoAssemble function, just put the content of the enable section in switchit.
2-Are you sure that the function at dmc3se.exe+44235 takes 0 parameters?
How to know the number of parameters for a function:
2.1-for cdecl functions, find:
  call dmc3se.exe+44235
  add esp, 0C
2.2-for stdcall functions, they end with ret 0C
number of parameters = blue number/4. If your function ends with retn and there is no add esp,XXX after the call to your function, then it takes 0 parameters.
If your function needs parameters, you'll need to find a way to capture/log them, and then you will have to push (see below) them before calling your function.
3-Your code is going to loop-call dmc3se.exe+44235 as fast as possible until you set stop to 0, and you're going to see one of your CPU cores at max utilization in the task manager with code like that. Instead I'd recommend creating a thread each time you switch styles, and letting those die as soon as they are done setting styles. Your asm code would become something like this:
Code:
switchit = [[
globalalloc (loadstyle, 1024)
CREATETHREAD(loadstyle)
loadstyle:
//if there are parameters:
//push LastParameter //"last parameter" = "rightmost" in other languages
//push FirstParameter
call dmc3se.exe+44235
ret
]]
hydris (Newbie cheater; Reputation: 0; Joined: 09 Jan 2013; Posts: 19)
Posted: Mon Apr 15, 2013 9:14 am
Thanks for the response,
[Correct me if wrong, the way I'm determining that these are functions is seeing what gets highlighted when I click 'Select current function'.]
3- The example code you posted, I gave it a try to see if autoAssemble() would return true, but it's returning false.
If it's any indicator, I also tried print(switchit) and saw the output didn't have spaces or line breaks.
2- I notice that the function at dmc3se.exe+44235 doesn't have any of that, and the way the game handles it is by jumping to it.
The other code that accesses the address (dmc3se.exe+45C5C) is also in the middle of a function(?). I'm not sure if it should be handled differently than what's at dmc3se.exe+44235.
Gniarf (Grandmaster Cheater Supreme; Reputation: 43; Joined: 12 Mar 2012; Posts: 1285)
Posted: Mon Apr 15, 2013 10:04 am
hydris wrote: "[Correct me if wrong, the way I'm determining that these are functions is seeing what gets highlighted when I click 'Select current function'.]"
I don't know what 'Select current function' shows on your screen, but if there is a lot of "nop" or "int3" immediately before AND immediately after, then it's doing its job correctly. Otherwise it's BS. Typically functions begin and end this way:
1-A lot of "nop" or "int 3".
2-(optional, frequent) "push ebp" then "mov ebp,esp".
3-the function body.
4-"retn" or "ret Number".
5-Again, lots of "nop" or "int 3".
hydris wrote: "3- The example code you posted, I gave it a try to see if autoAssemble() would return true, but it's returning false.
If it's any indicator I also tried print(switchit) and saw the output didn't have spaces or line breaks."
My bad, Cheat Engine doesn't like it when you put a space between a "special" AA command and its parenthesis. So you should replace "globalalloc (loadstyle, 1024)" by "globalalloc(loadstyle,1024)".
hydris wrote: "2- I notice that the function at dmc3se.exe+44235 doesn't have any of that, and the way the game handles it is by jumping to it."
That is extremely strange (unless you're in obfuscated code, but that shouldn't be the case, at least for that part of the code).
hydris wrote: "The other code that accesses the address (dmc3se.exe+45C5C) is also in the middle of a function(?). I'm not sure if it should be handled differently than what's at dmc3se.exe+44235."
My gut feeling is that you didn't properly identify the beginning and end of that function.
If you see a pattern like:
1-the function body.
2-some jump to item 5.
3-more code
4-"retn"/"ret Number".
5-even more code.
6-"retn"/"ret Number".
7-again more code.
8-"retn"/"ret Number".
9-A lot of "nop" or "int 3".
Then it's one single function that has several ways of ending, like in this example:
Code:
float GetShapeArea(ShapeType Type)
{
    if (Type==SQUARE)
    {
        return Dimension*Dimension;
    }
    else if (Type==DISK)
    {
        return Dimension*PI*Dimension;
    }
    else
    {
        return 0.0;
    }
}
hydris (Newbie cheater; Reputation: 0; Joined: 09 Jan 2013; Posts: 19)
Posted: Mon Apr 15, 2013 6:13 pm
I'm taking a look in the Memory Viewer again, since I agree with your gut feeling.
What I do notice after clicking 'Dissect Code' is '(some address) [Con, Call, Un]', the address leading to where the jump or call comes from. (Though I don't know what "Un" and "Con" are.)
And I get led to something that fits what you've listed ('nop's before and after, pushes, jumps) closely; except for the indicators for parameters you've listed.
So Memory Viewer kind of looks like this (looking around from dmc3se.exe+44235):
(Before call)
Code:
Address Bytes Opcode
dmc3se.exe+44089 - 8B CE - mov ecx,esi
dmc3se.exe+4408B - E8 F0000000 - call dmc3se.exe+44180 ;!
dmc3se.exe+44090 - 3C 01 - cmp al,01
[A couple of segments with [Con]]
Code:
dmc3se.exe+441CE - 75 65 - jne dmc3se.exe+44235 ;!
(The End)
Code:
dmc3se.exe+44269 - 5B - pop ebx
dmc3se.exe+4426A - C3 - ret
dmc3se.exe+4426B - 90 - nop
dmc3se.exe+4426C - 90 - nop
...; 3 other nops
It doesn't seem like I can treat this as a parameterless function either, since calling dmc3se.exe+44180 results in a crash. Though it is from only one of the instructions that access the address.
dmc3se.exe+45C5C has the same issues with parameters, and the section 'Dissect Code' made says:
[No preceding groups of 'nop' or 'int3']
0044409E(Call) 004440b0(Call) 005E2FBB(Call)
Code:
dmc3se.exe+45C20 - 53 - push ebx
....
dmc3se.exe+45C5C - B9 21000000 - mov ecx,00000021
Quote: "If your function ends with retn and there is no add esp,XXX after the call to your function, then it takes 0 parameters."
So it doesn't end with retn and it doesn't have an 'add esp, XXX' after the call, then ?
Gniarf (Grandmaster Cheater Supreme; Reputation: 43; Joined: 12 Mar 2012; Posts: 1285)
Posted: Mon Apr 15, 2013 8:56 pm
hydris wrote: "What I do notice after clicking 'Dissect Code' I see '(some address) [Con, Call, Un]', the address leading to where the jump or call comes from. (Though I don't know what "Un" and "Con" are)"
Looks like "Un" is for "Unconditional Jump" and "Con" for "Conditional Jump".
hydris wrote:
"(Before call)
Code:
Address Bytes Opcode
dmc3se.exe+44089 - 8B CE - mov ecx,esi
dmc3se.exe+4408B - E8 F0000000 - call dmc3se.exe+44180 ;!
dmc3se.exe+44090 - 3C 01 - cmp al,01"
Fu-, hadn't thought about it: a "mov ecx,RegisterOr[Address]" before a function call usually means that the function is a class method and ecx contains the "this" pointer, so you should capture ecx somewhere, and set ecx to that value in your asm script before calling dmc3se.exe+44180. One simple way of doing so is to use the pointer scanner to find a pointer to that ecx value. I suggest putting a breakpoint at the beginning of dmc3se.exe+44180 and doing the pointer scans while the game is stopped at this point.
hydris wrote: "No preceding groups of 'nop' or 'int3'"
Rare, but it happens.
hydris wrote: "Quote: "If your function ends with retn and there is no add esp,XXX after the call to your function, then it takes 0 parameters."
So it doesn't end with retn and it doesn't have an 'add esp, XXX' after the call, then ?"
"Ret" with no number is an alias for "Retn". Some software displays it as "ret", others "retn"; I learned with one that uses "retn"... Anyway dmc3se.exe+44180 is a parameterless class method (that returns a boolean btw, but it's not your problem).
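The rules Gniarf gives in his first reply for counting parameters (an "add esp,N" after a cdecl call, a "ret N" at the end of a stdcall function, nop / int 3 runs marking where a function starts and stops) and the point in his last reply that a "mov ecx,..." right before the call marks a class method with "this" in ecx can be checked mechanically over a Memory Viewer listing. The script below is an added example, not code from this thread or from Cheat Engine: it parses the "address - bytes - opcode" layout hydris pasted, walks out from an address to the surrounding padding to get the function's extent, and combines call-site and epilogue evidence into a calling-convention guess. The listing in SAMPLE is constructed (placeholder module game.exe, made-up offsets and bytes) and the function names are the example's own.

```python
"""Added example (not from the thread or Cheat Engine): mechanical checks for
the function-boundary and parameter-count rules discussed above, run over a
Memory Viewer style "address - bytes - opcode" listing."""
import re
from dataclasses import dataclass


@dataclass
class Insn:
    addr: str       # e.g. "game.exe+1002"
    mnemonic: str   # lower-cased, e.g. "call"
    operands: str   # rest of the line, CE's ";!" marker removed


HEX_BYTES = re.compile(r"[0-9A-Fa-f ]+")

# Constructed listing: placeholder module game.exe and made-up offsets that
# mirror the thread's patterns. +1100 is a method reached with ecx loaded
# first and has two exits; +1200 is cdecl (caller does add esp,08);
# +1300 is stdcall (ret 000C). nop / int 3 runs separate the functions.
SAMPLE = """\
Address - Bytes - Opcode
game.exe+1000 - 8B CE - mov ecx,esi
game.exe+1002 - E8 F9000000 - call game.exe+1100 ;!
game.exe+1007 - 3C 01 - cmp al,01
game.exe+1009 - E8 F2010000 - call game.exe+1200
game.exe+100E - 83 C4 08 - add esp,08
game.exe+1011 - C3 - ret
game.exe+1012 - CC - int 3
game.exe+1100 - 53 - push ebx
game.exe+1101 - 75 02 - jne game.exe+1105
game.exe+1103 - 5B - pop ebx
game.exe+1104 - C3 - ret
game.exe+1105 - 5B - pop ebx
game.exe+1106 - C3 - ret
game.exe+1107 - 90 - nop
game.exe+1300 - 55 - push ebp
game.exe+1301 - 8B EC - mov ebp,esp
game.exe+1303 - 5D - pop ebp
game.exe+1304 - C2 0C00 - ret 000C
game.exe+1307 - CC - int 3
"""


def parse_listing(text):
    """Turn a listing into Insn records; header and malformed lines are skipped."""
    insns = []
    for raw in text.splitlines():
        parts = raw.split(" - ", 2)
        if len(parts) != 3 or not HEX_BYTES.fullmatch(parts[1].strip()):
            continue
        asm = parts[2].split(";", 1)[0].strip()        # drop ";!" / comments
        mnemonic, _, operands = asm.partition(" ")
        insns.append(Insn(parts[0].strip(), mnemonic.lower(), operands.strip()))
    return insns


def is_padding(insn):
    """nop and int 3 runs are what separates one function from the next."""
    return insn.mnemonic in ("nop", "int3") or (insn.mnemonic == "int" and insn.operands == "3")


def function_bounds(insns, addr):
    """Indices (first, last) of the function containing addr: walk outwards
    from addr until a padding instruction is hit on each side."""
    start = end = next(i for i, x in enumerate(insns) if x.addr.lower() == addr.lower())
    while start > 0 and not is_padding(insns[start - 1]):
        start -= 1
    while end + 1 < len(insns) and not is_padding(insns[end + 1]):
        end += 1
    return start, end


def infer_convention(insns, target):
    """Combine call-site and epilogue evidence for the function at target."""
    result = {"convention": "unknown", "stack_params": 0, "this_in_ecx": False}
    for i, insn in enumerate(insns):
        if insn.mnemonic != "call" or insn.operands.lower() != target.lower():
            continue
        nxt = insns[i + 1] if i + 1 < len(insns) else None
        prev = insns[i - 1] if i > 0 else None
        if nxt and nxt.mnemonic == "add" and nxt.operands.lower().startswith("esp,"):
            # caller cleans the stack: cdecl, N bytes / 4 = number of arguments
            result["convention"] = "cdecl"
            result["stack_params"] = int(nxt.operands.split(",", 1)[1], 16) // 4
            return result
        if prev and prev.mnemonic == "mov" and prev.operands.lower().startswith("ecx,"):
            result["this_in_ecx"] = True   # ecx set up just before: a method call
    # No caller cleanup seen, so the callee pops its own arguments with ret N.
    # A function with several exits has several rets; take the largest N.
    # (A parameterless cdecl function is indistinguishable from stdcall here.)
    first, last = function_bounds(insns, target)
    popped = [int(x.operands or "0", 16) for x in insns[first:last + 1]
              if x.mnemonic in ("ret", "retn")]
    result["stack_params"] = (max(popped) if popped else 0) // 4
    result["convention"] = "thiscall" if result["this_in_ecx"] else "stdcall"
    return result


if __name__ == "__main__":
    insns = parse_listing(SAMPLE)
    for target in ("game.exe+1100", "game.exe+1200", "game.exe+1300"):
        print(target, infer_convention(insns, target))
```

On the constructed listing the method at game.exe+1100 comes out as thiscall with no stack parameters and "this" in ecx, which is the same reading Gniarf reaches for dmc3se.exe+44180. The heuristics share the limits the thread runs into: a compiler that emits no padding (as hydris found at dmc3se.exe+45C5C) defeats the boundary walk, and a bare "ret" with no "add esp" after the call cannot tell a parameterless cdecl function from a stdcall one.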