Cheat Engine The Official Site of Cheat Engine
h3x1c (Master Cheater), Reputation: 17, Joined: 27 Apr 2013, Posts: 306
Posted: Sat Jan 02, 2016 10:46 pm
Post subject: I need some help figuring this out.
Hey everyone,
Alright, so, I've got the following bit of code related to ammo in this game I'm hacking:
Code:
    int3
    int3
    mov eax,[esp+04]          // eax = the single stack argument (the new ammo value)
    mov [ecx+000002B4],eax    // Ammo Inc/Dec Instruction; ecx = the object whose field is written
    call DP.exe+19F170        // routine called after every write to the field
    ret 0004                  // callee pops its one 4-byte argument (object in ecx, argument on the stack: 32-bit __thiscall layout)
    int 3
    int 3
That is a shared instruction between all weapons in the game. What I WANT to do is write a cheat that moves max ammo into eax, then that value moves into [ecx+000002B4]. The problem is, after dissecting the structure of the address in ecx, I can't seem to find an address storing "max ammo." I'm not even sure if it's there.
So, what I'd like to do is see what instructions are going on that end up putting the value of ammo in [esp+04]. I'm thinking that maybe there's a cmp there or something where a max ammo value is loaded into one register, current ammo loaded into another, then add/sub or whatever, and finally putting that value into the dereferenced address [esp+04].
I tried adding that dereferenced address manually and seeing what writes to it, but it's a TON of instructions that are constantly doing so, so that didn't work.
What should I do from this point?
Note: I'm not interested in the cheat itself; I'm interested in building my skill set with this and seeing how best I could go about finding my way to the instructions handling the one value I'm interested in from [esp+04]. Thanks for any tips!
ParkourPenguin (I post too much), Reputation: 152, Joined: 06 Jul 2014, Posts: 4702
Posted: Sat Jan 02, 2016 11:26 pm
You could backtrace it using the "break and trace instructions" option in the right-click menu in the disassembler. Pause the process beforehand and make that a conditional breakpoint using the breakpoint list if you need to.
Topic on backtracing here.
You might also be able to look around the instructions that read from the address of your ammo. You might find that cmp around (likely after) one of them if you're lucky.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
h3x1c (Master Cheater), Reputation: 17, Joined: 27 Apr 2013, Posts: 306
Posted: Sat Jan 02, 2016 11:39 pm
ParkourPenguin wrote:
    You could backtrace it using the "break and trace instructions" option in the right-click menu in the disassembler. Pause the process beforehand and make that a conditional breakpoint using the breakpoint list if you need to.
    Topic on backtracing here.
    You might also be able to look around the instructions that read from the address of your ammo. You might find that cmp around (likely after) one of them if you're lucky.
Thanks for the reply. I did try the last thing you noted, but only one instruction is continuously reading from it and when viewing in disassembler, outside of a ret, it's surrounded by a bunch of int 3 opcodes on both sides, lol.
I started messing with break and trace on it as well, but I was only finding my way to that instruction and then everything afterward (basically, not seeing what comes before it; I'm sure that's an error on my behalf via not setting up the break and trace properly).
I did look at the stack and found my way to a pop edi instruction with some interesting code preceding it, so I may be on the right track. Digging around the stack and doing break and trace is all new-ish territory for me, so I just wanted to make sure I was going about this optimally (or as much as I can for as limited as my knowledge is about it at the moment).
ParkourPenguin (I post too much), Reputation: 152, Joined: 06 Jul 2014, Posts: 4702
Posted: Sat Jan 02, 2016 11:57 pm
That routine being called by call DP.exe+19F170 is probably pretty large. Try selecting "step over instead of single step" when doing the break and trace. That will step over the call (and any other calls). It'll still execute them, but it won't track them.
Then, in the window that pops up, right click in it and select "expand all". Double click on the instruction after the ret 0004, and it'll take you to that instruction in the disassembler. Above the instruction it takes you to should be the call that called the subroutine you posted above, and slightly above that should be whatever instruction pushed the argument [esp+04] onto the stack for that call.
You could also go one step further and (using the break and trace window) look at what called the routine that called this subroutine, then break and trace that routine just before the call to the routine that called your subroutine. It'll give you more information like the value of the registers at the instructions leading up to the call to your subroutine.
PS: backtracing sucks. There might be a better way of doing this that I can't think of right now, but this is a surefire way of doing it.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
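A scripted version of the backtrace ParkourPenguin describes above, added here as an example; it is not code from the thread or from Cheat Engine's own documentation. It is Cheat Engine Lua (run it from the Lua console or a table's Lua script) and assumes a 32-bit target that is already opened in CE with the debugger attached. AMMO_SETTER is a placeholder for the address of the mov eax,[esp+04] instruction, which the thread does not give; the optional-argument order of debug_setBreakpoint and the callback's return-value convention are taken from celua.txt and should be checked against the version shipped with your CE. Instead of reading the call site off the break-and-trace window, the script breaks on the setter's first instruction, where [esp] is still the return address and [esp+04] the argument, and walks backwards from the return address to print the call and the instructions above it.

```lua
-- Added example (not from the thread): scripted backtrace of the ammo setter.
-- Assumptions: 32-bit target, debugger attached, AMMO_SETTER filled in from
-- the disassembler (the thread never states that address).

local AMMO_SETTER = "DP.exe+XXXXXX"  -- placeholder: address of "mov eax,[esp+04]"
local AMMO_OFFSET = 0x2B4             -- [ecx+000002B4] in the posted disassembly
local MAX_HITS    = 5                 -- log the first few call sites, then remove the breakpoint
local LOOKBACK    = 6                 -- how many instructions above the call to print

local hits = 0
local setterAddr = getAddress(AMMO_SETTER)

local function logCaller()
  -- At the routine's first instruction nothing has been pushed yet, so
  -- [esp] holds the return address and [esp+4] the argument being stored.
  local retAddr = readPointer(ESP)
  local newAmmo = readInteger(ESP + 4)
  local curAmmo = readInteger(ECX + AMMO_OFFSET)

  -- getPreviousOpcode steps back one instruction; it is a heuristic, so the
  -- printed lines should be checked against the disassembler view.
  local callSite = getPreviousOpcode(retAddr)

  print(string.format("hit %d: object=%08X ammo %d -> %d", hits, ECX, curAmmo, newAmmo))
  print(string.format("  return address %08X (%s)", retAddr, getNameFromAddress(retAddr)))
  print("  call site:      " .. disassemble(callSite))

  -- The push of the argument, and whatever computed it (a cmp, add/sub,
  -- a load from the object), normally sits just above the call.
  local addr = callSite
  local above = {}
  for i = 1, LOOKBACK do
    addr = getPreviousOpcode(addr)
    table.insert(above, 1, "  " .. disassemble(addr))
  end
  for _, line in ipairs(above) do print(line) end
end

local function onHit()
  hits = hits + 1
  logCaller()
  if hits >= MAX_HITS then
    debug_removeBreakpoint(setterAddr)
    print("done: breakpoint removed after " .. hits .. " hits")
  end
  -- celua.txt: returning 1 continues execution without handing control to the
  -- UI (assumption: confirm the convention in your CE version's celua.txt).
  return 1
end

-- Execute breakpoint of size 1 on the setter; onHit runs on every call.
debug_setBreakpoint(setterAddr, 1, bptExecute, onHit)
print("breakpoint set on " .. AMMO_SETTER .. "; fire or reload a weapon in the game")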