Cheat Engine The Official Site of Cheat Engine
SteveAndrew Master Cheater
Reputation: 30
Joined: 02 Sep 2012 Posts: 323
Posted: Wed Apr 24, 2013 11:28 am Post subject: Re: Is it possible to calculate the following within a scrip
Shrooms wrote:
Code:
aobscan(HealthAddress,89 44 9A ? ? ? 5E ?) // above [Enable], so HealthAddress is resolved for both sections
[Enable]
alloc(CodeBuffer,2048)
alloc(HP,4)
label(PlayerHealthReader_end)
registersymbol(HP)
HP:
dd 0
HealthAddress:
jmp CodeBuffer // 5-byte jmp + 3 nops = 8 bytes, the size of the two original instructions
nop
nop
nop
PlayerHealthReader_end:
CodeBuffer:
mov [edx+ebx*4+0C],eax // original instruction
mov [HP],eax
movzx ebx,byte ptr [esi+01] // original instruction
jmp PlayerHealthReader_end
[Disable]
dealloc(CodeBuffer)
dealloc(HP)
unregistersymbol(HP) // was missing: without it the HP symbol stays registered after disable
HealthAddress:
mov [edx+ebx*4+0C],eax
movzx ebx,byte ptr [esi+01]
// how to get the address of [edx+ebx*4+0C]
Well I think I know what you mean, since you said 'how to get the address of [edx+ebx*4+0C]'... So I assume you mean how to get the address that instruction evaluates out to!
Well let's take it apart a bit... It appears that EDX contains the base address to work from, and EBX contains our main offset.
EBX is multiplied by 4, then 0x0c is added to it, so it now has its calculated offset; EDX is added to it and now we're at your HP address, which it then writes EAX to.
Now you could output the EDX register and the EBX register and do the math yourself, or I like to use a little instruction called 'LEA' / Load Effective Address.
This will take an instruction with a calculation like that, and give you its effective address!
I modified your script very slightly, just to add a new registered symbol which your HP's address gets copied into, 'CurrentDynamicHPAddress', which you can add to your CT after enabling...
So now 'HP' will show your current HP, and 'CurrentDynamicHPAddress' will show your HP's current address.
Code:
aobscan(HealthAddress,89 44 9A ? ? ? 5E ?) // from the original script; above [Enable] so both sections can use HealthAddress
[Enable]
alloc(CodeBuffer,2048)
alloc(HP,4)
label(PlayerHealthReader_end)
label(CurrentDynamicHPAddress)
registersymbol(HP)
registersymbol(CurrentDynamicHPAddress)
HP:
dd 0
HealthAddress:
jmp CodeBuffer
nop
nop
nop
PlayerHealthReader_end:
CodeBuffer:
mov [edx+ebx*4+0C],eax
mov [HP],eax
//Let's use EBX here since it's about to be overwritten anyway; alternatively push and pop a register
lea ebx,[edx+ebx*4+0c] //load the effective address into ebx
mov [CurrentDynamicHPAddress],ebx //store it for reading; on your CT add 'CurrentDynamicHPAddress' to it
movzx ebx,byte ptr [esi+01]
jmp PlayerHealthReader_end
CurrentDynamicHPAddress: //4 bytes of storage inside the CodeBuffer allocation, freed with it
dd 0
[Disable]
dealloc(CodeBuffer)
dealloc(HP)
unregistersymbol(HP)
unregistersymbol(CurrentDynamicHPAddress)
HealthAddress:
mov [edx+ebx*4+0C],eax
movzx ebx,byte ptr [esi+01]
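Added here as a worked example, not code from SteveAndrew's post or from Cheat Engine itself: a small Python decoder for the 32-bit ModRM/SIB forms used by this snippet. It turns the eight bytes the AOB '89 44 9A ? ? ? 5E ?' matches back into the two instructions shown in the thread, computes the memory operand's effective address exactly the way 'lea' does from EDX and EBX, and derives why the hook needs a 5-byte 'jmp' followed by three 'nop's. The byte string is encoded from the two instructions the posts show (the wildcards hide 0C, 0F, B6 and 01) and the register values are the ones iroku posted; both are constructed inputs for the example.

```python
# Added example (not from the thread): decode the bytes the AOB
# 89 44 9A ? ? ? 5E ? matches, compute the memory operand's effective address
# the way LEA does, and derive how many bytes 'jmp CodeBuffer' must steal.
# Scope: 32-bit mode, only the ModRM/SIB forms and the two opcodes this
# snippet uses (mov r/m32,r32 and movzx r32,r/m8).

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed input: the 8 bytes at HealthAddress, encoded from the two
# instructions the thread shows (the AOB wildcards hide 0C, 0F, B6 and 01).
HEALTH_CODE = bytes.fromhex("89449A0C0FB65E01")
AOB_PATTERN = "89 44 9A ? ? ? 5E ?"


def decode_modrm(code, pos):
    """Decode ModRM (+SIB +displacement) at code[pos], 32-bit mode.
    Returns (reg_field, operand, next_pos); operand is {'reg': name} for the
    register-direct form, otherwise {'base', 'index', 'scale', 'disp'}."""
    modrm = code[pos]
    pos += 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:
        return reg, {"reg": REGS32[rm]}, pos
    base, index, scale = None, None, 1
    if rm == 4:                          # SIB byte follows
        sib = code[pos]
        pos += 1
        scale = 1 << (sib >> 6)
        idx = (sib >> 3) & 7
        index = None if idx == 4 else REGS32[idx]          # 100 = no index
        base = None if (sib & 7) == 5 and mod == 0 else REGS32[sib & 7]
    elif rm == 5 and mod == 0:           # [disp32] with no base register
        base = None
    else:
        base = REGS32[rm]
    disp = 0
    if mod == 1:                         # disp8, sign-extended
        disp = int.from_bytes(code[pos:pos + 1], "little", signed=True)
        pos += 1
    elif mod == 2 or base is None:       # disp32
        disp = int.from_bytes(code[pos:pos + 4], "little", signed=True)
        pos += 4
    return reg, {"base": base, "index": index, "scale": scale, "disp": disp}, pos


def decode(code, pos=0):
    """Decode one instruction; returns ((mnemonic, dst, src), next_pos)."""
    op = code[pos]
    if op == 0x89:                                   # mov r/m32, r32
        reg, operand, pos = decode_modrm(code, pos + 1)
        return ("mov", operand, REGS32[reg]), pos
    if op == 0x0F and code[pos + 1] == 0xB6:         # movzx r32, r/m8
        reg, operand, pos = decode_modrm(code, pos + 2)
        return ("movzx", REGS32[reg], operand), pos
    raise ValueError("unsupported opcode at offset %d" % pos)


def fmt(o):
    """Render an operand the way Cheat Engine prints it, e.g. [edx+ebx*4+0C]."""
    if isinstance(o, str):
        return o
    if "reg" in o:
        return o["reg"]
    parts = [p for p in (o["base"], o["index"] and "%s*%d" % (o["index"], o["scale"])) if p]
    d = o["disp"]
    if not parts:
        return "[%08X]" % (d & 0xFFFFFFFF)
    s = "+".join(parts)
    if d < 0:
        return "[%s-%02X]" % (s, -d)
    return "[%s+%02X]" % (s, d) if d else "[%s]" % s


def disassemble(code):
    """Text of every instruction in code, CE style."""
    out, pos = [], 0
    while pos < len(code):
        (mn, dst, src), pos = decode(code, pos)
        size = "byte ptr " if mn == "movzx" else ""
        out.append("%s %s,%s%s" % (mn, fmt(dst), size, fmt(src)))
    return out


def effective_address(operand, regs):
    """Exactly what LEA computes: base + index*scale + disp, mod 2**32."""
    ea = operand["disp"]
    if operand["base"]:
        ea += regs[operand["base"]]
    if operand["index"]:
        ea += regs[operand["index"]] * operand["scale"]
    return ea & 0xFFFFFFFF


def aob_matches(pattern, code):
    """True if a CE-style AOB (hex bytes, '?'/'??' wildcards) fits code."""
    toks = pattern.split()
    return len(toks) <= len(code) and all(
        t in ("?", "??") or int(t, 16) == b for t, b in zip(toks, code))


def hook_layout(code, jmp_len=5):
    """Bytes a 5-byte jmp must overwrite (whole instructions only) and the
    nop padding after it; (8, 3) here, hence 'jmp CodeBuffer' + three nops."""
    pos = 0
    while pos < jmp_len:
        _, pos = decode(code, pos)
    return pos, pos - jmp_len
```

With edx=06d9a048 and ebx=3, effective_address() on the first decoded operand gives 06D9A060, the same flat sum base + index*scale + disp that iroku works out by hand below; hook_layout() returns (8, 3), which is why every script in this thread pads 'jmp CodeBuffer' with exactly three nops.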
iroku Advanced Cheater
Reputation: 0
Joined: 18 Oct 2012 Posts: 54
Posted: Wed Apr 24, 2013 6:02 pm Post subject:
I don't really understand you, but:
'Find what accesses this address' gives you mov [edx+ebx*4+0C],eax (this function is stored at 1CAA0000)
edx = 06d9a048
ebx = 03
0c = 0c, lol
so, [edx+ebx*4+0C] = 06d9a048 + (03*4 = 0C) + 0C = 06D9A060
How do you want this to be spat out?
Like user SteveAndrew said:
Quote: It appears that EDX contains the base address to work from, and EBX contains our main offset.
edx = 06d9a048 - base address to work from
ebx = 03 - main offset
Quote: EBX is multiplied by 4, then 0x0c is added to it, so it now has its calculated offset, EDX is added to it and now we're at your HP address, which it then writes EAX to.
((ebx=03)*4 = 0C) + 0C = [24] + 06d9a048 (edx) = 06D9A060
Quote: Now you could output the edx register, and the ebx register and do the math yourself, or I like to use a little instruction called 'LEA' / Load Effective Address
This will take an instruction with a calculation like that, and give you its effective address!
iroku Advanced Cheater
Reputation: 0
Joined: 18 Oct 2012 Posts: 54
Posted: Wed Apr 24, 2013 6:19 pm Post subject:
I dunno... code injection?
getNameFromAddress(address): Returns the given address as a string. Registered symbolname, modulename+offset, or just a hexadecimal string depending on what address
c:/program files/cheat engine/main.Lua
Ctrl+F "address" and take a look
c:/program files/cheat engine/tutorial1386.exe helps?
I'm new so yeah... not really sure what you want...
What's wrong with the code that user SteveAndrew posted?
Can't you use CurrentDynamicHPAddress? That seems to be pretty much what you want.
eax.qbyte Advanced Cheater
Reputation: 3
Joined: 25 Jun 2011 Posts: 59 Location: CEDisasmView
Posted: Thu Apr 25, 2013 6:39 am Post subject: multiple addresses
Why don't you try using the "Find out what addresses this instruction accesses" option? You will probably see there is more than one address found.
I guess they are the HPs of other players or AI bots. You should find a way to run the hooker code only when it is writing your HP, maybe by back-tracing some functions or finding the index of your player among the others. Also, as this code shows, I think the pointer scanner can help you here.
_________________
My special thanx to Cheat Engine and its developers. It helps me do the hard and boring but valuable process of understanding the code, easily and with fun.
Last edited by eax.qbyte on Thu Apr 25, 2013 12:17 pm; edited 2 times in total
iroku Advanced Cheater
Reputation: 0
Joined: 18 Oct 2012 Posts: 54
Posted: Thu Apr 25, 2013 7:28 am Post subject:
Go to Add Address Manually (on the CE main window) and input your base address and the remaining offsets.
Remember,
edx = 06d9a048 - base address to work from
ebx = 03 - main offset
address: 06d9a048, offset 1: 0C, offset 2: 0C = EAX (that seems to be where the HP value is stored)
You will now have a pointer to your HP.
If the register values in that function are static, you're done.
If not, you have to trace back and find what writes the value of edx or ebx in the function mov [edx+ebx*4+0C],eax.
What does this mean? Somewhere behind that function is another function that defines the value of edx and ebx for the function mov [edx+ebx*4+0C],eax. Most likely one is static and the other is not. So you'll have to find what function wrote the value that keeps changing :p
I take it the pointer scan didn't work? What game is this? Does your ebx keep changing on game restart?
Pingo Grandmaster Cheater
Reputation: 8
Joined: 12 Jul 2007 Posts: 571
Posted: Thu Apr 25, 2013 1:26 pm Post subject:
That instruction is shared by about 20-30 other addresses.
You'll be better off finding something unique to your player.
TsTg Master Cheater
Reputation: 5
Joined: 12 Dec 2012 Posts: 340 Location: Somewhere....
Posted: Thu Apr 25, 2013 3:44 pm Post subject:
If you are sure that the values for edx (for your player's health) and the ebx register are: edx=06d9a048 , ebx = 03 , then you can try this code
Code:
aobscan(HealthAddress,89 44 9A ? ? ? 5E ?) // from the original script; above [Enable] so both sections can use HealthAddress
[Enable]
alloc(CodeBuffer,2048)
alloc(HP,4)
label(PlayerHealthReader_end)
label(CurrentDynamicHPAddress)
registersymbol(HP)
registersymbol(CurrentDynamicHPAddress)
label(Health_Not_mine)
HP:
dd 0
HealthAddress:
jmp CodeBuffer
nop
nop
nop
PlayerHealthReader_end:
CodeBuffer:
cmp ebx,0003 // only the player's slot index (CE assembler values are hex)
jne Health_Not_mine
cmp edx,06d9a048 // only the player's base address
jne Health_Not_mine
// note: cmp changes EFLAGS; wrap the compares in pushfd/popfd if the game code after the hook depends on them
mov [HP],eax
push eax // eax is the value being written, so preserve it around the lea
lea eax,[edx+ebx*4+0c]
mov [CurrentDynamicHPAddress],eax
pop eax
Health_Not_mine:
mov [edx+ebx*4+0C],eax
movzx ebx,byte ptr [esi+01]
jmp PlayerHealthReader_end
CurrentDynamicHPAddress:
dd 0
[Disable]
dealloc(CodeBuffer)
dealloc(HP)
unregistersymbol(HP)
unregistersymbol(CurrentDynamicHPAddress)
HealthAddress:
mov [edx+ebx*4+0C],eax
movzx ebx,byte ptr [esi+01]
This will filter the values, so that it executes the hack code for the player's health only; if it's not yours, it will execute the normal code only (at Health_Not_mine).
Also, in your cheat table, make sure you right click on the 'CurrentDynamicHPAddress' entry and choose 'Show as Hexadecimal'.
TsTg Master Cheater
Reputation: 5
Joined: 12 Dec 2012 Posts: 340 Location: Somewhere....
Posted: Thu Apr 25, 2013 5:02 pm Post subject:
You can try comparing only the value of EBX; remove the:
cmp edx,06d9a048
jne Health_Not_mine
and take a look in the original game code before the mov [edx+ebx*4+0C],eax instruction; you should find something like mov edx,[somewhere] or whatever.
If not, you can try a ranged search: let's say your pointer is 06d9a048 for now, search 'Value between' and type in the left box 06d9a000 and in the right box 06d9a048, and see if you find a green-colored address in the results.
For a bigger range, try 06d90000 in the left box, keeping the right one at 06d9a048.
Fresco Grandmaster Cheater
Reputation: 4
Joined: 07 Nov 2010 Posts: 600
Posted: Sun Apr 28, 2013 6:38 am Post subject: Re: Is it possible to calculate the following within a scrip
SteveAndrew wrote: (the post and script quoted in full above)
This is correct; however, he needs to add "CurrentDynamicHPAddress" as a pointer,
because the value of "CurrentDynamicHPAddress" is the address of HP,
so you need "CurrentDynamicHPAddress" to be a pointer.
Not to mention that the pointer will only work after the code has been executed at least once.
_________________
... Fresco