Cheat Engine The Official Site of Cheat Engine
roidmuncher321 How do I cheat?
Reputation: 0
Joined: 28 Jul 2014 Posts: 5
Posted: Mon Jul 28, 2014 4:01 am Post subject: Why does NOPing the DEC cause the game to crash?
I'm currently hacking a game with this routine to place a gadget:
Code: CPU Disasm
Address Hex dump Command Comments
00D8CD01 |. 8BEC MOV EBP,ESP ; START OF THROW GADGET
00D8CD03 |. 51 PUSH ECX
00D8CD04 |. 56 PUSH ESI
00D8CD05 |. 8BF1 MOV ESI,ECX
00D8CD07 |. 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
00D8CD0A |. 57 PUSH EDI
00D8CD0B |. 33FF XOR EDI,EDI
00D8CD0D |. 8945 FC MOV DWORD PTR SS:[LOCAL.1],EAX
00D8CD10 |. 85C0 TEST EAX,EAX
00D8CD12 7E 6F JLE SHORT 00D8CD83
00D8CD14 |. 53 PUSH EBX
00D8CD15 |> 8B06 MOV EAX,DWORD PTR DS:[ESI]
00D8CD17 |. 8B0CB8 MOV ECX,DWORD PTR DS:[EDI*4+EAX]
00D8CD1A |. 8B55 08 MOV EDX,DWORD PTR SS:[ARG.1]
00D8CD1D |. 8D04B8 LEA EAX,[EDI*4+EAX]
00D8CD20 |. 3B0A CMP ECX,DWORD PTR DS:[EDX]
00D8CD22 |. 75 55 JNE SHORT 00D8CD79
00D8CD24 |. 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+4]
00D8CD27 |. 2BCF SUB ECX,EDI
00D8CD29 |. 8D148D FCFFFF LEA EDX,[ECX*4-4]
00D8CD30 52 PUSH EDX
00D8CD31 8D48 04 LEA ECX,[EAX+4]
00D8CD34 51 PUSH ECX
00D8CD35 50 PUSH EAX
00D8CD36 E8 65C072FF CALL 004B8DA0
00D8CD3B FF4E 04 DEC DWORD PTR DS:[ESI+4] ; DEC GADGET COUNT
00D8CD3E |. 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
00D8CD41 |. 8B4E 08 MOV ECX,DWORD PTR DS:[ESI+8]
00D8CD44 |. 8D1409 LEA EDX,[ECX+ECX]
00D8CD47 |. 8D1C40 LEA EBX,[EAX*2+EAX]
00D8CD4A |. 83C4 0C ADD ESP,0C
00D8CD4D |. 3BDA CMP EBX,EDX
00D8CD4F |. 7C 10 JL SHORT 00D8CD61
00D8CD51 |. 8BD1 MOV EDX,ECX
00D8CD53 |. 2BD0 SUB EDX,EAX
00D8CD55 |. 03D2 ADD EDX,EDX
00D8CD57 |. 03D2 ADD EDX,EDX
00D8CD59 |. 81FA 00400000 CMP EDX,4000
00D8CD5F |. 7C 17 JL SHORT 00D8CD78
00D8CD61 |> 2BC8 SUB ECX,EAX
00D8CD63 |. 83F9 40 CMP ECX,40
00D8CD66 |. 7F 04 JG SHORT 00D8CD6C
00D8CD68 |. 85C0 TEST EAX,EAX
00D8CD6A |. 75 0C JNE SHORT 00D8CD78
00D8CD6C |> 6A 04 PUSH 4 ; Arg1 = 4
00D8CD6E |. 8BCE MOV ECX,ESI
00D8CD70 |. 8946 08 MOV DWORD PTR DS:[ESI+8],EAX
00D8CD73 E8 380D6AFF CALL 0042DAB0
00D8CD78 |> 4F DEC EDI
00D8CD79 |> 47 INC EDI
00D8CD7A |. 3B7E 04 CMP EDI,DWORD PTR DS:[ESI+4]
00D8CD7D |.^ 7C 96 JL SHORT 00D8CD15
00D8CD7F |. 8B45 FC MOV EAX,DWORD PTR SS:[LOCAL.1]
00D8CD82 |. 5B POP EBX
00D8CD83 |> 2B46 04 SUB EAX,DWORD PTR DS:[ESI+4]
00D8CD86 |. 5F POP EDI
00D8CD87 |. 5E POP ESI
00D8CD88 |. 8BE5 MOV ESP,EBP
00D8CD8A |. 5D POP EBP
00D8CD8B \. C2 0400 RETN 4 ; END OF THROW GADGET
The problem is that when the line marked ; DEC GADGET COUNT is filled with NOPs, the game crashes. The DEC instruction there is indeed the one that decrements the ammo count.
Why would NOPing the DEC that subtracts ammo cause the game to crash? Is there something I'm missing?
If it helps, the game is Splinter Cell Blacklist.
Redouane Master Cheater
Reputation: 3
Joined: 05 Sep 2013 Posts: 363 Location: Algeria
Posted: Mon Jul 28, 2014 4:24 am Post subject: Re: Why does NOPing the DEC cause the game to crash?
What is in [esi + 8]? (just after the line that you NOPed).
Can you breakpoint without crashing the game? If yes, then NOP it, set a breakpoint on it, and keep stepping over to know what caused the crash.
OR
Just attach OllyDbg to the game, NOP that instruction and cause the crash; OllyDbg will catch the exception.
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25836 Location: The netherlands
Posted: Mon Jul 28, 2014 4:35 am Post subject:
Perhaps that code is also used for other things, like setting your position.
Splinter Cell Blacklist makes use of the Unreal Engine. This engine makes use of its own scripting language/interpreter. It's very possible they used the scripting engine to implement one of the features that are not implemented by default (like gadgets).
So when you find what accesses the amount of gadgets, you'll find the interpreter code instead.
Try finding out what other addresses that code accesses and then write a filter based on the stack or vtable of the object (esi+0).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
roidmuncher321 How do I cheat?
Reputation: 0
Joined: 28 Jul 2014 Posts: 5
Posted: Mon Jul 28, 2014 4:46 am Post subject:
Redone wrote:
> What is in [esi + 8]? (just after the line that you NOPed).
> Can you breakpoint without crashing the game? If yes, then NOP it, set a breakpoint on it, and keep stepping over to know what caused the crash.
> OR
> Just attach OllyDbg to the game, NOP that instruction and cause the crash; OllyDbg will catch the exception.
I set a hardware breakpoint, it pauses the game but pressing step over (f does nothing in Olly, am I doing something wrong?
Dark Byte wrote:
> Perhaps that code is also used for other things, like setting your position.
> Splinter Cell Blacklist makes use of the Unreal Engine. This engine makes use of its own scripting language/interpreter. It's very possible they used the scripting engine to implement one of the features that are not implemented by default (like gadgets).
> So when you find what accesses the amount of gadgets, you'll find the interpreter code instead.
> Try finding out what other addresses that code accesses and then write a filter based on the stack or vtable of the object (esi+0).
That code path is definitely only executed when I throw a gadget, as I put a breakpoint on it and it was never reached until I tried to place a gadget. I have a feeling maybe this number isn't just standalone and may be part of a bigger structure, such as std::vector<Gadget*>::size, and because size was changed but the rest of it was not, it tries to access invalid memory (just what I'm thinking).
If that is the case, how would I work around it? I'm pretty new to assembly.
Redouane Master Cheater
Reputation: 3
Joined: 05 Sep 2013 Posts: 363 Location: Algeria
Posted: Mon Jul 28, 2014 5:06 am Post subject:
In Olly, you step into with F7 and step over with F8. You must remove the breakpoint before stepping (F2 to toggle), or at least disable it.
roidmuncher321 How do I cheat?
Reputation: 0
Joined: 28 Jul 2014 Posts: 5
Posted: Mon Jul 28, 2014 5:12 am Post subject:
Redone wrote:
> In Olly, you step into with F7 and step over with F8. You must remove the breakpoint before stepping (F2 to toggle), or at least disable it.
Ah ok thanks.
Interesting thing I noticed was if I NOP the DEC, it will keep working until I exhaust the amount of gadgets that I'm supposed to have.
For example, if I started with 3 gadgets and I NOP the DEC, the number won't change but after I try to place my 4th gadget, the game crashes. The first, second and third gadget placements don't crash even though I NOP'd the instruction. Why do you think this is?
Redouane Master Cheater
Reputation: 3
Joined: 05 Sep 2013 Posts: 363 Location: Algeria
Posted: Mon Jul 28, 2014 6:05 am Post subject:
roidmuncher321 wrote:
> Redone wrote:
> > In Olly, you step into with F7 and step over with F8. You must remove the breakpoint before stepping (F2 to toggle), or at least disable it.
> Ah ok thanks.
> Interesting thing I noticed was if I NOP the DEC, it will keep working until I exhaust the amount of gadgets that I'm supposed to have.
> For example, if I started with 3 gadgets and I NOP the DEC, the number won't change but after I try to place my 4th gadget, the game crashes. The first, second and third gadget placements don't crash even though I NOP'd the instruction. Why do you think this is?
You first need to know where the problem comes from: is it a jmp or call to a non-allocated memory block? Is it an attempt to read/write non-allocated memory?
If the game crashes while OllyDbg is attached to it, you'll get a message containing the type of exception (the yellow bar at the bottom).
So you are trying to change the ammo value? Can you change the value from the address list or freeze it? (Maybe it is accessed by something else that causes the problem.)
(I have never played that game)
roidmuncher321 How do I cheat?
Reputation: 0
Joined: 28 Jul 2014 Posts: 5
Posted: Mon Jul 28, 2014 6:17 am Post subject:
Redone wrote:
> roidmuncher321 wrote:
> > Redone wrote:
> > > In Olly, you step into with F7 and step over with F8. You must remove the breakpoint before stepping (F2 to toggle), or at least disable it.
> > Ah ok thanks.
> > Interesting thing I noticed was if I NOP the DEC, it will keep working until I exhaust the amount of gadgets that I'm supposed to have.
> > For example, if I started with 3 gadgets and I NOP the DEC, the number won't change but after I try to place my 4th gadget, the game crashes. The first, second and third gadget placements don't crash even though I NOP'd the instruction. Why do you think this is?
> You first need to know where the problem comes from: is it a jmp or call to a non-allocated memory block? Is it an attempt to read/write non-allocated memory?
> If the game crashes while OllyDbg is attached to it, you'll get a message containing the type of exception (the yellow bar at the bottom).
> So you are trying to change the ammo value? Can you change the value from the address list or freeze it? (Maybe it is accessed by something else that causes the problem.)
> (I have never played that game)
I just tried that in Olly and when it crashes, it still says Running at the bottom of Olly, but the game becomes completely unresponsive, and once I detach Olly from the game it becomes "Not responding".
This is what Olly looks like when the game "crashes", including the NOP that I put in:
puu.sh/auni2/c0a266825f.png
(sorry I can't post URLs yet)
I take this as the game isn't actually crashing, but because I NOP'd the DEC instruction the UI thread has entered an infinite loop?
Changing the ammo value works; however, after you use the amount that you're supposed to have (say, 3), if you change it to, say, 100 (even if it's frozen), the game crashes.
How would I begin to debug this?
EDIT:
Tried a few more times and eventually got an access violation instead of freezing:
puu.sh/auoQR/27be801d29.png
Would this help at all?
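The std::vector-style hypothesis earlier in the thread, the "three placements work, then it breaks" observation, and the freeze-then-access-violation reported in this post can all be checked against a model of the routine in the first post. The C program below is an added example, not the game's code or anything posted in this thread. It assumes the object layout of Unreal's TArray (data pointer, count, capacity at +0/+4/+8, matching the listing's use of [esi], [esi+4] and [esi+8]) and that CALL 004B8DA0 is a memmove of the array tail; under those assumptions it runs the loop with the DEC intact and with it NOPed, showing that the count never drops, removed pointers linger as duplicate (soon dangling) entries, and the loop at 00D8CD15 spins forever once the element being removed occupies the last slot.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model (not the game's code) of the object the listing works on:
 * [esi+0] element pointer, [esi+4] count, [esi+8] capacity (Unreal TArray). */
typedef struct {
    void **data;
    int    num;   /* [esi+4]: the count that DEC DWORD PTR DS:[ESI+4] adjusts */
    int    max;   /* [esi+8]: only read by the shrink branch, omitted here */
} PtrArray;

#define LOOP_BUDGET 1000  /* guard so a broken invariant cannot hang this model */

/* Model of the loop 00D8CD15..00D8CD7D. Assumes CALL 004B8DA0 is a memmove of
 * the tail (dst=&data[i], src=&data[i+1], size=(num-i-1)*4); skip_dec=1 models
 * the NOPed DEC. Returns EAX (elements removed) or -1 if the loop never ends. */
static int remove_item(PtrArray *a, void *item, int skip_dec)
{
    int start = a->num, budget = LOOP_BUDGET;
    for (int i = 0; i < a->num; ) {
        if (--budget == 0)
            return -1;
        if (a->data[i] != item) { i++; continue; }   /* JNE 00D8CD79 -> INC EDI */
        memmove(&a->data[i], &a->data[i + 1],
                (size_t)(a->num - i - 1) * sizeof(void *));
        if (!skip_dec)
            a->num--;   /* the patched DEC; DEC EDI / INC EDI re-examines slot i */
    }
    return start - a->num;
}
typedef struct { int last_rc; int final_num; int stale; } Outcome;

/* The three-gadget run from the thread: "place" gadgets 0, 1, 2 in turn, each
 * placement removing its pointer. Reports the last return code, the count the
 * array still claims, and how many live slots still point at a removed gadget
 * (a dangling pointer once that gadget object is destroyed). */
static Outcome run_scenario(int skip_dec)
{
    int objs[3];   /* stand-ins for the gadget objects */
    void *slots[3] = { &objs[0], &objs[1], &objs[2] };
    PtrArray arr = { slots, 3, 3 };
    Outcome o = { 0, 0, 0 };
    for (int k = 0; k < 3 && o.last_rc >= 0; k++)
        o.last_rc = remove_item(&arr, &objs[k], skip_dec);
    o.final_num = arr.num;
    for (int i = 0; i < arr.num; i++)
        for (int k = 0; k < 3; k++)
            o.stale += (arr.data[i] == &objs[k]);
    return o;
}
```

In this model the hang appears on the third placement, because by then the tail slot holds the very element being removed; which placement trips it in the game depends on which element the game removes each time, so the exact count reported in the thread is not something the model can confirm.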
NanoByte Expert Cheater
Reputation: 1
Joined: 13 Sep 2013 Posts: 222
Posted: Mon Jul 28, 2014 7:28 am Post subject:
Right after
DEC DWORD PTR DS:[ESI+4]
add
INC DWORD PTR DS:[ESI+4]
Might Work
roidmuncher321 How do I cheat?
Reputation: 0
Joined: 28 Jul 2014 Posts: 5
Posted: Mon Jul 28, 2014 10:05 am Post subject:
NanoByte wrote:
> Right after
> DEC DWORD PTR DS:[ESI+4]
> add
> INC DWORD PTR DS:[ESI+4]
> Might Work
Tried that, same problem.