 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
DarkDolphin
Newbie cheater
![]() Reputation: 1
Joined: 30 Jan 2014
Posts: 22
|
 Posted: Mon May 13, 2019 4:12 pm Post subject: Modifying a boolean instruction so it always return 0 |
 |
|
Question:
Let's say you found this instruction that is a boolean, determining whether you get attacked or not and you want to make it always return 0:
| Code: |
push rbp
mov ebp,esp
push rbx
push rdi
push rsi
and esp,-10
sub esp,20
|
However, you can't allocate new memory (since it's on emulator), you can only modify or nop some of them. How would you do it?
Explanation:
This game has both ARM library (use on android) and x86 library (use on pc / emulator). I've already managed to mod the android version so I would like to learn how to mod the x86's equivalence.
On android, the aobs of the instruction looks like this:
f0 48 2d e9 10 b0 8d e2, and in ARM is:
| Code: | PUSH {R4, R5, R6, R7, FP, LR}
ADD FP, SP, #0x10 |
The way it is modded is that it is changed to:
00 00 a0 e3 1e ff 2f e1, which is in ARM:
It seems to move 0 into R0 location and then BX LR is like RET in x86, I believe. This makes the boolean always return 0. I can change #0 to #1 if I want it the other way around.
I just want to be able to do this on x86 as well!
|
|
| Back to top |
|
 |
ParkourPenguin
I post too much
 Reputation: 140
Joined: 06 Jul 2014
Posts: 4300
|
| Posted: Mon May 13, 2019 10:04 pm Post subject: |
|
|
Those x86 instructions are the beginning of a function: they have little (if anything) to do with a boolean value. It establishes a stack frame, backs up nonvolatile registers, aligns the stack, and creates space on the stack for local variables.
Assuming there are no parameters and/or it's using caller-cleanup conventions, just xor eax,eax and return:
Otherwise, clean up the arguments using ret 4, ret 8, etc.
PS: isn't that x86 from JIT-compiled ARM?
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
DarkDolphin
Newbie cheater
![]() Reputation: 1
Joined: 30 Jan 2014
Posts: 22
|
| Posted: Tue May 14, 2019 3:50 am Post subject: |
|
|
This works! Got invincibility on x86 now! I also tried mov eax,0 or mov eax,1 and then ret and those work too.
| Quote: |
PS: isn't that x86 from JIT-compiled ARM?
|
Not sure if this answers your question, the game has libil2cpp.so in both armeabi-v7a and x86 folders. I decompiled both libil2cpp.so using a dumper, then it showed hex addresses of different functions. I went to this function's address and use https://defuse.ca/online-x86-assembler.htm#disassembly to translate them into op codes. Cheat engine's memory view also translated it similarly.
Another Quick Question:
Let's say that this function is speed multiplier (float):
on ARM I did this:
| Code: |
MOVW R0, #0
MOVT R0, #0x41A0
BX LR |
This moves 20 in float to the register. As for x86, I tried mov eax,0x41A0 or mov eax,0x41A00000 but those cause error. Maybe it has to be rax or xmm0 ? How would you code it?
Update: I tried this but the code isn't valid
| Code: |
push eax
mov [eax],0x41A0
movss xmm0,[eax]
pop eax
ret |
And this crashes:
| Code: |
push ebx
mov ebx,0x41A00000
mov rax,ebx
pop ebx
ret
|
|
|
| Back to top |
|
|
OldCheatEngineUser
Whateven rank
 Reputation: 20
Joined: 01 Feb 2016
Posts: 1587
|
| Posted: Tue May 14, 2019 8:59 am Post subject: |
|
|
first of i dont know how arm cpus treat floating point, but in x86 you need write this way 0x41A00000. (IEEE-754)
second, you cant use 64bit register in 32bit process, nor 64bit in 32-bit litmited cpu.
third, if you are hexediting (patching) then you should be more careful. (as you dont know register contents, i.e. a pointer or a constant)
you should also read little bit about x86 architecture, square brackets [] denotes a pointer i.e. a memory location or simply the value of that address. (so you dont need push eax and pop eax)
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
| STN wrote: | | i am a sweetheart. |
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 140
Joined: 06 Jul 2014
Posts: 4300
|
| Posted: Tue May 14, 2019 9:46 am Post subject: |
|
|
Under windows 32-bit ABI, floating point values are typically returned in st(0):
| Code: | alloc(myFloat, 4)
code:
fld dword ptr[myFloat]
ret
myFloat:
dd (float)20.0 |
In ARM, movt moves a 16-bit value into the top half of a 32-bit register. There's no single-instruction equivalent in x86, so just write out the whole 32-bit value. Also, pushing a register on the stack doesn't magically change its value, so you can't assume you can write to it. You can write to the space on the stack that was created, however:
| Code: | push 41A00000
movss xmm0,[esp]
add esp,4
ret |
You could also allocate memory and use that instead as shown previously.
The second code could be simplified to this:
| Code: | mov eax,41A00000
ret |
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
