Cheat Engine The Official Site of Cheat Engine
Ralicht Newbie cheater
Reputation: 0
Joined: 08 Feb 2015 Posts: 20 Location: United States
Posted: Wed Jan 13, 2016 2:08 am Post subject: Finding hex values when you don't know the op codes writing?
I have a region where a huge selection of functions write values temporarily. From that area, they are passed on to other places. I am tracing some values back to this region where all data is temporarily stored.
I have the address that the values are written to but I can't just watch it and see what accesses/writes because there are too many. Is there any way to see what specific function is writing to the address when the value is XX?
I thought about using normal breakpoints but it seems like you have to know or have a good idea where the value is being stored to begin with.
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4697
Posted: Wed Jan 13, 2016 10:31 am
Conditional breakpoints.
First of all, click on "Advanced Options" in the bottom left of the main CE window and pause the process.
Then, set whatever type of breakpoint you want on whatever you want, and open up the breakpoint list (Memory View -> View -> Breakpointlist).
Right click on the breakpoint you just made and select "Set/change condition".
I'd recommend switching over to the easy mode. For most conditions, you don't need to do anything complex. Then just write a condition.
For example, if the instruction accessing your address is mov [ebx+5],eax and your address is 0876ABDC, then the condition would be EBX+5 == 0x0876ABDC.
If you want to do that by value and the instruction is writing to your address, then just use whatever's on the right side in the instruction: EAX == 777
If you want to do that by value and it's reading from your address (i.e. mov eax,[ebx+5]), then use one of the readX functions defined in main.lua: readInteger(EBX+5) == 777
Now unpause the process, and it'll only trigger when that condition is true.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Ralicht Newbie cheater
Reputation: 0
Joined: 08 Feb 2015 Posts: 20 Location: United States
Posted: Wed Jan 13, 2016 2:42 pm
I've tried custom breakpoints and it seemed like the answer at first. Maybe I am not using them correctly? However, this region is written to by hundreds of functions and the source is different each time. It could be any register writing and any address+offset writing.
Is there no way to watch a specific address for just hex values to change to a specific value and then see what wrote to those values? I don't know any of the registers. I know that a certain hex value will become the RSI for the data I am trying to trace.
Here is a screenshot of what it looks like in that area (the top starts the move for another area of code that I have traced to this): https://gyazo.com/681c4483ff288e21c606a4889cc50007
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4697
Posted: Wed Jan 13, 2016 3:21 pm
lol, that's the stack. You'd be much better off using break and trace to backtrace the original instruction to some call that only runs when that value changes. Then break and trace that call when it's run, find the instruction that accesses your address, and backtrace it from there.
Ralicht wrote:
> Is there no way to watch a specific address for just hex values to change to a specific value and then see what wrote to those values?
If you don't know the instruction that's writing to the value, it's a bit harder. Since the condition is tested before the instruction is executed (I think), any writes to the address will probably be invalid; however, it should be able to get reads from the address just fine. Just make the condition something like readInteger(0x1BDE60) == 0xDEADBEEF or whatever value you want on the right. If that address is supposed to store another address, then use readQword since that's a 64 bit process.
If you need the writes to that address and you don't want to use break and trace, then I think you can use Lua to do that by keeping track of the last EIP that wrote to that address, look at if the value has changed to the one you're looking for, and if it has, return the last EIP that wrote to that address since that one should be the one that wrote that new value to it. However, you'll need to make sure the only breakpoint you have is that one, since debugger_onBreakpoint() is called for all breakpoints.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
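The condition form given earlier in the thread (readInteger(0x1BDE60) == 0xDEADBEEF) and the Lua approach sketched in this post, as one added example that is not part of the thread and not Cheat Engine's own code: a script that sets a single hardware write breakpoint on the watched slot, records the instruction pointer at every hit, and reports the writer once the slot holds the value being looked for. The address 0x1BDE60 and the value 0xDEADBEEF are the thread's placeholders; WATCH_ADDR, TARGET and USE_QWORD are names introduced here, and the script assumes a 64-bit target (RIP), falling back to EIP on 32-bit. It relies on CE's debug_setBreakpoint, debug_removeBreakpoint, debug_continueFromBreakpoint and the debugger_onBreakpoint callback named in the post.

```lua
-- Added example, not from the thread and not Cheat Engine's own code.
-- Placeholders taken from the thread: WATCH_ADDR (0x1BDE60) and TARGET (0xDEADBEEF).
-- Assumption: a 64-bit target, so RIP is used; EIP is the fallback on 32-bit.
local WATCH_ADDR = 0x1BDE60
local TARGET     = 0xDEADBEEF
local USE_QWORD  = false   -- set true if the slot holds a pointer in a 64-bit process

-- readInteger for a 4-byte slot, readQword for an 8-byte one (both from CE's main.lua);
-- the comparison follows the same form as the condition in the post.
local readVal = USE_QWORD and readQword or readInteger
local size    = USE_QWORD and 8 or 4

local lastWriter = nil                 -- instruction pointer at the previous hit
local lastValue  = readVal(WATCH_ADDR) -- value in the slot when the script started

-- CE calls this for every breakpoint that fires, so keep this the only one set.
function debugger_onBreakpoint()
  local here = RIP or EIP              -- register globals are filled in by CE before the call
  local now  = readVal(WATCH_ADDR)

  if now == TARGET and lastValue ~= TARGET then
    -- The slot just became the value we want. A data breakpoint may trap before
    -- or after the write, so report both the instruction we stopped at and the
    -- one recorded on the previous hit; check both in the disassembler.
    local prev = lastWriter and string.format("%X", lastWriter) or "none"
    print(string.format("[%X] now holds %X: stopped at %X, previous hit at %s",
                        WATCH_ADDR, TARGET, here, prev))
    debug_removeBreakpoint(WATCH_ADDR)
    return 0                           -- let the debugger UI update and stay paused here
  end

  lastWriter = here
  lastValue  = now
  debug_continueFromBreakpoint(co_run) -- resume the process without stopping
  return 1                             -- non-zero: handled here, no UI refresh needed
end

debug_setBreakpoint(WATCH_ADDR, size, bptWrite) -- hardware write breakpoint on the slot
```

Run it from the Lua Engine window (Memory View -> Tools -> Lua Engine) with the debugger already attached and no other breakpoints set, since debugger_onBreakpoint receives every breakpoint hit. The script removes its own breakpoint once the target value appears, so the process stays paused at the reporting hit and the two candidate addresses can be opened in the disassembler.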