Cheat Engine - The Official Site of Cheat Engine
GSmith84 (Newbie cheater) - Reputation: 0, Joined: 12 Mar 2009, Posts: 10
Posted: Fri Aug 23, 2019 8:20 pm    Post subject: Find out what address this instruction accesses

Hey guys,
I'm trying to get better at manipulating things with Cheat Engine by watching tutorials and the like. I've found that a lot of, if not most, videos showcase best-case scenarios that I rarely run into.
 
The particular example I'm using is Mount and Blade Warband, and I was looking to create the ability to increase reputation. I wasn't always able to consistently find the address for the NPC I was interacting with in the game, but I did find it on occasion, so I just checked what wrote to that address.
 
 Here is the breakdown in disassembler where esi is the base address for executing whatever relationship change happens (either up or down and by however many points).
 
 
Code:
mb_warband.exe+14E8A6 - 89 14 C6              - mov [esi+eax*8],edx
mb_warband.exe+14E8A9 - 8B 49 04              - mov ecx,[ecx+04]
 
Now I targeted mov [esi+eax*8],edx and chose "Select current function". I am not sure how that is relevant, but I wanted to add it here to be thorough.
 
 (Entire Function)
 
Code:
mb_warband.exe+14E880 - 56                    - push esi
mb_warband.exe+14E881 - 57                    - push edi
mb_warband.exe+14E882 - 8B 7C 24 0C           - mov edi,[esp+0C]
mb_warband.exe+14E886 - 8B 07                 - mov eax,[edi]
mb_warband.exe+14E888 - 8B F1                 - mov esi,ecx
mb_warband.exe+14E88A - 8D 4C 24 0C           - lea ecx,[esp+0C]
mb_warband.exe+14E88E - 40                    - inc eax
mb_warband.exe+14E88F - 51                    - push ecx
mb_warband.exe+14E890 - 8B CE                 - mov ecx,esi
mb_warband.exe+14E892 - 89 44 24 10           - mov [esp+10],eax
mb_warband.exe+14E896 - E8 D5FEFFFF           - call mb_warband.exe+14E770
mb_warband.exe+14E89B - 8B 4C 24 10           - mov ecx,[esp+10]
mb_warband.exe+14E89F - 8B 76 04              - mov esi,[esi+04]
mb_warband.exe+14E8A2 - 8B 07                 - mov eax,[edi]
mb_warband.exe+14E8A4 - 8B 11                 - mov edx,[ecx]
mb_warband.exe+14E8A6 - 89 14 C6              - mov [esi+eax*8],edx
mb_warband.exe+14E8A9 - 8B 49 04              - mov ecx,[ecx+04]
mb_warband.exe+14E8AC - 5F                    - pop edi
mb_warband.exe+14E8AD - 89 4C C6 04           - mov [esi+eax*8+04],ecx
mb_warband.exe+14E8B1 - 5E                    - pop esi
mb_warband.exe+14E8B2 - C2 0800               - ret 0008 { 8 }
 
 ---
 
Using this I wanted to create a simple AOB injection with the template to just always give positive rep. I've learned enough from tutorials that I push edx, move 99 into edx, and then this code that moves edx into that address should get 99. Now I am not certain if this is moving 99 into edx or if it's moving 153 (hex 99). This code does mostly work, but it creates a lot of script errors that start to pop up, and I wasn't able to keep it enabled all the time because what I found later through another tutorial is that this operation runs for tons of shit.
 
 
Code:
code:
push edx
mov edx,99
mov [esi+eax*8],edx
mov ecx,[ecx+04]
pop edx
jmp return
 
 ---
 
So I found in another tutorial to right click on the instruction in the disassembler and choose "Find out what addresses this instruction accesses". Of course in the tutorial video it only comes up with one, but in my tests it comes up with thousands. I know that I don't have permission to post URLs; I've been registered to this site for years but never posted. Here is the URL in code; it's not overly useful, I don't know, but it shows this instruction is used for tons of crap in the game.
 
So ultimately my question is... when encountering something like this, how exactly should/would I go about doing specifically what I'm looking at, because I've tested multiple times and this is the only instruction that comes up when looking at what writes to the reputation of an NPC. (It may be that the solution is way over my head.) Any helpful direction on this would be greatly appreciated.

DanyDollaro (Master Cheater) - Reputation: 3, Joined: 01 Aug 2019, Posts: 334
Posted: Sat Aug 24, 2019 3:07 am

Have you tried to see whether any register in particular changes when the code:

Code:
mb_warband.exe+14E8A6 - 89 14 C6              - mov [esi+eax*8],edx

acts on reputation?
 
Because you could set a breakpoint, and when that code acts on the reputation you can see if some register has a particular value, of the type:
when the code acts on reputation: EAX = 1
and when it acts on something else: EAX = 0

and from there you can create a script that does:
 
 
Code:
cmp EAX,1
jne originalcode
mov edx,99
 
PS: I advise you to use JNE if there are many values that use that code.

Or, if you can, you might as well use:
 
Code:
cmp ESI+offset,<your reputation address>
jne originalcode
mov edx,99
 
And in any case, in the instruction, 99 is a hexadecimal value.
 
 Last edited by DanyDollaro on Mon Aug 26, 2019 8:29 am; edited 2 times in total

GSmith84 (Newbie cheater) - Reputation: 0, Joined: 12 Mar 2009, Posts: 10
Posted: Sat Aug 24, 2019 6:10 pm

Thanks for providing some more details. I went back through and did a break and trace to see if I could find any noticeable change in the registers.
At the first instruction, which is where the rep changes, there isn't any difference from what I can see for any of them except EIP (which I learned is just the address of the next instruction, and that's visible in the trace next to each instruction). Of course there is the change in whatever value is being run.
 
 
Code:
0054E8A6 - mov [esi+eax*8],edx
 980430F8 = (dword)0000005E(94)
 EAX=00000016
 EBX=6E3ECBB0
 ECX=031391F0
 EDX=00000064
 ESI=98043048
 EDI=031391C8
 EBP=0314DAC8
 ESP=0313919C
 EIP=0054E8A6
 
 EFLAGS=00000287
 
 -
 0054E8A9 - mov ecx,[ecx+04]
 031391F4 = (dword)00000000(0)
 EAX=00000016
 EBX=6E3ECBB0
 ECX=031391F0
 EDX=00000064
 ESI=98043048
 EDI=031391C8
 EBP=0314DAC8
 ESP=0313919C
 EIP=0054E8A9
 
 EFLAGS=00000287
 
 -
 0054E8AC - pop edi
 EAX=00000016
 EBX=6E3ECBB0
 ECX=00000000
 EDX=00000064
 ESI=98043048
 EDI=031391C8
 EBP=0314DAC8
 ESP=0313919C
 EIP=0054E8AC
 
 EFLAGS=00000287
 
 -
 0054E8AD - mov [esi+eax*8+04],ecx
 980430FC = (dword)00000000(0)
 EAX=00000016
 EBX=6E3ECBB0
 ECX=00000000
 EDX=00000064
 ESI=98043048
 EDI=00000016
 EBP=0314DAC8
 ESP=031391A0
 EIP=0054E8AD
 
 EFLAGS=00000287
 
 -
 0054E8B1 - pop esi
 EAX=00000016
 EBX=6E3ECBB0
 ECX=00000000
 EDX=00000064
 ESI=98043048
 EDI=00000016
 EBP=0314DAC8
 ESP=031391A0
 EIP=0054E8B1
 
 EFLAGS=00000287
 
 -
 0054E8B2 - ret 0008
 EAX=00000016
 EBX=6E3ECBB0
 ECX=00000000
 EDX=00000064
 ESI=0000037E
 EDI=00000016
 EBP=0314DAC8
 ESP=031391A4
 EIP=0054E8B2
 
 EFLAGS=00000287
 
 
 I'm sure there is a fairly simple approach to this that someone with more expertise could find. I think it might be better to try and track the address of the NPC you're talking to so you could manually change the value of the reputation.
 
While diving into this I found, when dissecting the data, that the offset for the reputation was always B0. Here is a URL to a screenshot of 3 different NPCs where the reputation is at the same offset.
 
 
 
I'm not entirely sure yet what I would do with this. I'm going to look around for some tutorials to see if it's possible to check if the value of an address at offset B0 is being affected, and if so then do something. I'm not sure if something like this is possible.
 
 But I appreciate you giving me some useful tips on making a script that can remain active and only alter what you're looking to do. I haven't quite gotten to the point of making it only alter what I want... but now I know a more sophisticated way of possibly doing it.
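The effective-address arithmetic behind the trace in the post above, as an added example that is not part of the thread: it works from a constructed excerpt of the dump quoted there (only the registers the two writes use), recomputes the written address from the register values, and shows that the B0 offset is simply eax*8 with eax = 0x16.

```python
import re

# Constructed excerpt of the Break & Trace dump quoted in this thread: the two
# writes at mb_warband.exe+14E8A6 and +14E8AD, with only the registers they use.
TRACE = """\
0054E8A6 - mov [esi+eax*8],edx
980430F8 = (dword)0000005E(94)
EAX=00000016
EDX=00000064
ESI=98043048
-
0054E8AD - mov [esi+eax*8+04],ecx
980430FC = (dword)00000000(0)
EAX=00000016
ECX=00000000
ESI=98043048
"""

MEM_RE = re.compile(r"\[(\w+)\+(\w+)\*(\d+)(?:\+([0-9A-Fa-f]+))?\]")  # [base+index*scale(+disp)]

def parse_trace(text):
    """Split the dump into steps of (instruction, address CE saw accessed, registers)."""
    steps = []
    for chunk in text.split("\n-\n"):
        lines = [ln.strip() for ln in chunk.strip().splitlines() if ln.strip()]
        insn = lines[0].split(" - ", 1)[1]              # "mov [esi+eax*8],edx"
        accessed = int(lines[1].split(" = ")[0], 16)    # "980430F8 = (dword)..."
        regs = {k.lower(): int(v, 16) for k, v in (ln.split("=") for ln in lines[2:])}
        steps.append((insn, accessed, regs))
    return steps

def effective_address(insn, regs):
    """base + index*scale + disp for the memory operand of insn (CE prints all values in hex)."""
    base, index, scale, disp = MEM_RE.search(insn).groups()
    return regs[base] + regs[index] * int(scale) + int(disp or "0", 16)

def check_trace(text):
    """Per step: (insn, computed address, address CE printed, offset from esi)."""
    out = []
    for insn, accessed, regs in parse_trace(text):
        ea = effective_address(insn, regs)
        out.append((insn, ea, accessed, ea - regs["esi"]))
    return out

if __name__ == "__main__":
    for insn, ea, seen, off in check_trace(TRACE):
        # 0x16 * 8 = 0xB0, so the first write lands at esi+B0 and the second at esi+B4
        print(f"{insn:28} -> {ea:08X} (trace: {seen:08X}) esi+{off:X}")
```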
DanyDollaro (Master Cheater) - Reputation: 3, Joined: 01 Aug 2019, Posts: 334
Posted: Sun Aug 25, 2019 2:01 am    Post subject: Dissect data structure

I have another idea: open the disassembler on the code:

Code:
mb_warband.exe+14E8A6 - 89 14 C6 - mov [esi+eax*8],edx

(by right clicking on the code) click on "Find out what addresses this instruction accesses", and from there you have a list of all the addresses that use that code. You could dissect the data structure and put the reputation value in a secondary group and look for the values highlighted in purple, or leave it in the same group and look for those in red; after finding a unique value you can create a script that acts only in the case of reputation.
For example:
 
 
Code:
Offset                 [Address 1]            [Address 2]            [Address 3]            [Reputation's Address]
0000 - 4 Bytes (Hex)   2DB1F0 : 4C040B01      2DB1F8 : 02040DC2      2DB200 : 74040B28      2DB208 : B80406C8
0004 - 4 Bytes         2DB1F4 : 0             2DB1FC : 0             2DB204 : 0             2DB20C : 0
0008 - 4 Bytes (Hex)   2DB1F8 : 02040DC2      2DB200 : 74040B28      2DB208 : B80406C8      2DB210 : 2F04098C
000C - 4 Bytes         2DB1FC : 0             2DB204 : 0             2DB20C : 0             2DB214 : 0
0010 - 4 Bytes (Hex)   2DB200 : 74040B28      2DB208 : B80406C8      2DB210 : 2F04098C      2DB218 : 15040CE6
0014 - 4 Bytes         2DB204 : 0             2DB20C : 0             2DB214 : 0             2DB21C : 0
0018 - 4 Bytes         2DB208 : 3087271624    2DB210 : 788793740     2DB218 : 352586982     2DB220 : 1292111056
001C - 4 Bytes         2DB20C : 0             2DB214 : 0             2DB21C : 0             2DB224 : 0
0020 - 4 Bytes (Hex)   2DB210 : 2F04098C      2DB218 : 15040CE6      2DB220 : 4D040CD0      2DB228 : 00000000
0024 - 8 Bytes         2DB214 : 0             2DB21C : 0             2DB224 : 0             2DB22C : 0
0030 - 4 Bytes (Hex)   2DB220 : 4D040CD0      2DB228 : 00000000      2DB230 : 00000000      2DB238 : 2CD25320
0034 - 4 Bytes         2DB224 : 0             2DB22C : 0             2DB234 : 0             2DB23C : 32762
0038 - 4 Bytes         2DB228 : 0             2DB230 : 0             2DB238 : 751981344     2DB240 : 66060287
003C - 4 Bytes         2DB22C : 0             2DB234 : 0             2DB23C : 32762         2DB244 : 0
0040 - 4 Bytes         2DB230 : 0             2DB238 : 751981344     2DB240 : 66060287      2DB248 : 0
 
In this case it is not highlighted; however, at offset 0034 there is a unique value (because it is 0 on all of them but not on reputation).

So in the case of this data structure you would do a script like:
 
Code:
newmem:
cmp dword ptr [esi+34],7FFA {7FFA is the hexadecimal value of 32762}
jne originalcode
mov dword ptr [esi+eax*8],99 {99 here is 153, but if you want to move 99 decimal you can write "#99" or 63 in hexadecimal}
mov ecx,[ecx+04]
jmp return

originalcode:
mov [esi+eax*8],edx
mov ecx,[ecx+04]
jmp return
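The "find a field that is unique to the reputation structure" step from the post above, as an added example that is not part of the thread: it takes the 0030..0040 rows of the dissect table (the structure names and the choice of rows are this example's own), reports which offsets separate the reputation structure from the other three, applies the stricter "zero everywhere else" pick the post settles on, and gives the hex text CE's auto assembler reads in a cmp.

```python
# Values copied from the dissect-data-structure table in the post above, rows
# 0030..0040 (hex rows as ints, decimal rows as-is). The names "addr1".."addr3"
# and "reputation", and the choice of rows, are assumptions of this example.
STRUCTS = {
    "addr1":      {0x30: 0x4D040CD0, 0x34: 0,     0x38: 0,         0x3C: 0,     0x40: 0},
    "addr2":      {0x30: 0x00000000, 0x34: 0,     0x38: 0,         0x3C: 0,     0x40: 751981344},
    "addr3":      {0x30: 0x00000000, 0x34: 0,     0x38: 751981344, 0x3C: 32762, 0x40: 66060287},
    "reputation": {0x30: 0x2CD25320, 0x34: 32762, 0x38: 66060287,  0x3C: 0,     0x40: 0},
}

def discriminating_offsets(structs, target):
    """Offsets whose value in `target` differs from that field in every other structure."""
    others = [s for name, s in structs.items() if name != target]
    return sorted(off for off, val in structs[target].items()
                  if all(o.get(off) != val for o in others))

def zero_elsewhere_offsets(structs, target):
    """Stricter pick: target holds a non-zero value while every other structure holds 0."""
    others = [s for name, s in structs.items() if name != target]
    return sorted(off for off, val in structs[target].items()
                  if val != 0 and all(o.get(off) == 0 for o in others))

def cmp_operands(structs, target, off):
    """(offset, value) as hex text, which is what CE's auto assembler reads by default."""
    return f"{off:X}", f"{structs[target][off]:X}"

if __name__ == "__main__":
    rep = "reputation"
    print("differs from all others:", [hex(o) for o in discriminating_offsets(STRUCTS, rep)])
    print("zero everywhere else:   ", [hex(o) for o in zero_elsewhere_offsets(STRUCTS, rep)])
    off, val = cmp_operands(STRUCTS, rep, 0x34)   # 32762 decimal is 7FFA hex
    print(f"cmp dword ptr [esi+{off}],{val}")
```

Offsets 30 and 38 also differ, but only because the other structures happen to hold different non-zero values there; 34 is the one where the others are all 0, which is the test the post's script uses.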
GSmith84 (Newbie cheater) - Reputation: 0, Joined: 12 Mar 2009, Posts: 10
Posted: Mon Aug 26, 2019 5:20 am

Thanks again for the follow-up information. Unfortunately there are thousands of entries for "find out what addresses this instruction accesses".
I tried drilling further up in the Break & Trace output to figure out exactly when it pulls the reputation address in, and to someone like myself it seems to just come out of thin air.

After this point ESI has the address in that register. But I have no idea how the value of ESI+04 becomes the reputation address, because before this point ESI has the same address from the top of the call (mb_warband.exe+14E880 - 56 - push esi).
 
 
Code:
mb_warband.exe+14E89F - 8B 76 04              - mov esi,[esi+04]
 
I looked even further up the instructions, but ESI only has that address after this call, and I couldn't figure out from before that point with a jmp dword (I forget, it kind of all crashed on me when digging around).

I tried selecting various instructions and using "find out what addresses this instruction accesses". This particular one above also has hundreds, and some of the others further up have none, at least based on me trying to interact with reputation changes.
 
I'm going to do some tinkering with your script suggestions and see if it just works with me turning it on/off when a reputation change is going to happen, similarly to what I did originally but with a much cleaner possibility of only affecting the reputation.

DanyDollaro (Master Cheater) - Reputation: 3, Joined: 01 Aug 2019, Posts: 334
Posted: Mon Aug 26, 2019 9:00 am

Regarding the fact that you get hundreds of values when you "find out what addresses this instruction accesses": you can use at least 10 of those values to see if there is one in particular that distinguishes the reputation from the others. In addition, I don't know the game so I can't reverse it, but I propose a script in which you will have to enter the address of the reputation:
 
Code:
[ENABLE]
aobscanmodule(INJECT,mb_warband.exe,89 14 C6 8B 49 04 5F 89 4C C6 04 5E C2 08 00)
alloc(newmem,$1000)

label(code)
label(return)

newmem:

push ebp              //I need a register in which I will save the address on which the code will act
mov ebp,esi           //copy esi into ebp (not the other way round, which would overwrite esi)
add ebp,B0            //B0 is eax*8 because eax is 16 (hex)

cmp ebp,"Your reputation address"    //Compare the address on which the code will act with the address of the reputation
pop ebp               //Ebp has done its job and I can restore it (pop does not touch the flags cmp just set)

jne code              //If the address on which the code will act is your reputation it will carry on to the code below, otherwise it will go to the original code
mov edx,#99           //This is the hack for the reputation: edx is what the original instruction writes, and 99 is a decimal value here because of the "#"

code:
mov [esi+eax*8],edx
mov ecx,[ecx+04]
jmp return

INJECT:
jmp newmem
nop

return:

registersymbol(INJECT)

[DISABLE]

INJECT:
db 89 14 C6 8B 49 04

unregistersymbol(INJECT)
dealloc(newmem)
I don't know if it will work, but give it at least one try.