Cheat Engine

[ionut_baluca]

I noticed some trainers have that function that when you buy something for gold for example, instead of your money going down that sum just adds up.

Example:
U have 100 gold
Item cost 28 gold
You but the item
New gold total is 128 gold.

[mgr.inz.Player]

Simple command change:
- from dec to inc,
- sub to add,
- fsub to fadd,
- fsubp to faddp,
- lea reg1,[reg2-01] to lea reg1,[reg2+01],
etc.

Example, step two of "Cheat Engine Tutorial 64bit". This decreases the health:

[ionut_baluca]

I did it, I had to "Show disassembler" and do it. And your explanation is really friendly, guess i got the idea

Thanks a lot mate




About this game, is a little different:

Instruction:

4DEF4AEE603 - 42 89 04 27 - mov [rdi+r12],eax

Disassembler:

4DEF4AEE5FD - 0F83 04000000 - jae 4DEF4AEE607
4DEF4AEE603 - 42 89 04 27 - mov [rdi+r12],eax
4DEF4AEE607 - 41 83 C3 54 - add r11d,54 { 84 }
4DEF4AEE60B - 4D 3B D8 - cmp r11,r8
4DEF4AEE60E - 0F83 38010000 - jae 4DEF4AEE74C
4DEF4AEE614 - 42 8B 3C 1F - mov edi,[rdi+r11]
4DEF4AEE618 - 4C 8B 45 D0 - mov r8,[rbp-30]
4DEF4AEE61C - 41 8D 40 5C - lea eax,[r8+5C]
4DEF4AEE620 - 48 89 7D D8 - mov [rbp-28],rdi
4DEF4AEE624 - 33 D2 - xor edx,edx



In the lea it's an addition, but in the game value decreased because i spent some.

If i have to guess, i found the wrong address?

[mgr.inz.Player]

In this case you should copy more instructions before 4DEF4AEE603, not after. I can not see what happens with EAX before "mov [rdi+r12],eax"

People usually just copy autogenerated generic script.

you can do this like this:
- highlight instruction inside disassembler window, press CTRL+A
- then in new window: SHIFT+CTRL+F, then click ok
- copy paste the script here

Or highlight more instructions. Select address, then second address with shift key pressed then press CTRL+C, then click "copy" button. Then paste it here or pastebin like site.


PS:
LEA instructions stands for: "load effective address".It calculates its src operand in the same way as the mov instruction does, but rather than loading the contents of that address into the dest operand, it loads the address itself. Compilers with enabled optimizations often use this instruction for addition or subtraction of small values.

[ionut_baluca]

Okay, so i copied a longer version of the script here:

Before the instruction:

3B00B07DAF8C - 0F85 07000000 - jne 3B00B07DAF99
3B00B07DAF92 - 33 FF - xor edi,edi
3B00B07DAF94 - E9 23000000 - jmp 3B00B07DAFBC
3B00B07DAF99 - 4D 8B E3 - mov r12,r11
3B00B07DAF9C - 41 83 E4 FC - and r12d,-04 { 252 }
3B00B07DAFA0 - 41 83 C4 60 - add r12d,60 { 96 }
3B00B07DAFA4 - 4D 3B E0 - cmp r12,r8
3B00B07DAFA7 - 0F83 E9010000 - jae 3B00B07DB196
3B00B07DAFAD - 42 8B 3C 27 - mov edi,[rdi+r12]
3B00B07DAFB1 - 83 FF 00 - cmp edi,00 { 0 }
3B00B07DAFB4 - 40 0F94 C7 - sete dil
3B00B07DAFB8 - 40 0FB6 FF - movzx edi,dil
3B00B07DAFBC - 83 FF 00 - cmp edi,00 { 0 }
3B00B07DAFBF - 0F84 14000000 - je 3B00B07DAFD9
3B00B07DAFC5 - 48 8B FE - mov rdi,rsi
3B00B07DAFC8 - 49 8B C3 - mov rax,r11
3B00B07DAFCB - E8 3A60E6FE - call 3B00AF64100A
3B00B07DAFD0 - 48 8B 75 F0 - mov rsi,[rbp-10]
3B00B07DAFD4 - C5FB1045 C0 - vmovsd xmm0,[rbp-40]
3B00B07DAFD9 - C5FB1055 C8 - vmovsd xmm2,[rbp-38]
3B00B07DAFDE - C5EA5EC8 - vdivss xmm1,xmm2,xmm0
3B00B07DAFE2 - C5F828C9 - vmovaps xmm1,xmm1
3B00B07DAFE6 - 48 8B FE - mov rdi,rsi
3B00B07DAFE9 - 33 C0 - xor eax,eax
3B00B07DAFEB - 48 8B D0 - mov rdx,rax
3B00B07DAFEE - E8 5CA5E6FE - call 3B00AF64554F
3B00B07DAFF3 - 48 8B 75 F0 - mov rsi,[rbp-10]
3B00B07DAFF7 - 48 8B 7E 0B - mov rdi,[rsi+0B]
3B00B07DAFFB - 4C 8B 46 13 - mov r8,[rsi+13]
3B00B07DAFFF - 4C 8B 5D D8 - mov r11,[rbp-28]
3B00B07DB003 - 45 8D 63 60 - lea r12d,[r11+60]
3B00B07DB007 - 4D 3B E0 - cmp r12,r8
3B00B07DB00A - 0F83 8D010000 - jae 3B00B07DB19D
3B00B07DB010 - 46 8B 24 27 - mov r12d,[rdi+r12]
3B00B07DB014 - 45 8D 73 64 - lea r14d,[r11+64]
3B00B07DB018 - 4D 3B F0 - cmp r14,r8
3B00B07DB01B - 0F83 84010000 - jae 3B00B07DB1A5
3B00B07DB021 - 42 8B 3C 37 - mov edi,[rdi+r14]
3B00B07DB025 - 44 29 E7 - sub edi,r12d
3B00B07DB028 - C5822AC7 - vcvtsi2ss xmm0,r15d,edi
3B00B07DB02C - C5F259C0 - vmulss xmm0,xmm1,xmm0
3B00B07DB030 - C4C1022AD4 - vcvtsi2ss xmm2,r15d,r12d
3B00B07DB035 - C5EA58C8 - vaddss xmm1,xmm0,xmm2
3B00B07DB039 - 48 8B FE - mov rdi,rsi
3B00B07DB03C - 33 C0 - xor eax,eax
3B00B07DB03E - 48 8B D0 - mov rdx,rax
3B00B07DB041 - E8 F1A4E6FE - call 3B00AF645537
3B00B07DB046 - 48 8B 75 F0 - mov rsi,[rbp-10]
3B00B07DB04A - 48 8B 7E 0B - mov rdi,[rsi+0B]
3B00B07DB04E - 4C 8B 46 13 - mov r8,[rsi+13]
3B00B07DB052 - 4C 8B 5D D8 - mov r11,[rbp-28]
3B00B07DB056 - 45 8D 63 5C - lea r12d,[r11+5C]
3B00B07DB05A - 45 3B E0 - cmp r12d,r8d
3B00B07DB05D - 0F83 04000000 - jae 3B00B07DB067

This is the instruction:

3B00B07DB063 - 42 89 04 27 - mov [rdi+r12],eax

And this is after the instruction:

3B00B07DB067 - 41 83 C3 54 - add r11d,54 { 84 }
3B00B07DB06B - 4D 3B D8 - cmp r11,r8
3B00B07DB06E - 0F83 38010000 - jae 3B00B07DB1AC
3B00B07DB074 - 42 8B 3C 1F - mov edi,[rdi+r11]
3B00B07DB078 - 4C 8B 45 D0 - mov r8,[rbp-30]
3B00B07DB07C - 41 8D 40 5C - lea eax,[r8+5C]
3B00B07DB080 - 48 89 7D D8 - mov [rbp-28],rdi
3B00B07DB084 - 33 D2 - xor edx,edx
3B00B07DB086 - 4C 8B C6 - mov r8,rsi
3B00B07DB089 - E8 5AB4E6FE - call 3B00AF6464E8
3B00B07DB08E - 6A 00 - push 00 { 0 }
3B00B07DB090 - 48 8B 75 F0 - mov rsi,[rbp-10]
3B00B07DB094 - 48 8B D0 - mov rdx,rax
3B00B07DB097 - 48 8B 45 D8 - mov rax,[rbp-28]
3B00B07DB09B - 33 C9 - xor ecx,ecx
3B00B07DB09D - 48 8B D9 - mov rbx,rcx
3B00B07DB0A0 - 4C 8B C9 - mov r9,rcx
3B00B07DB0A3 - E8 7B60E7FE - call 3B00AF651123
3B00B07DB0A8 - 48 8B 7D E8 - mov rdi,[rbp-18]
3B00B07DB0AC - 4C 8B 45 E0 - mov r8,[rbp-20]
3B00B07DB0B0 - 44 89 47 24 - mov [rdi+24],r8d
3B00B07DB0B4 - 48 8B E5 - mov rsp,rbp
3B00B07DB0B7 - 5D - pop rbp
3B00B07DB0B8 - C3 - ret
3B00B07DB0B9 - E8 B2D0EBFE - call 3B00AF698170 { ->->chrome.dll+2156C80 }
3B00B07DB0BE - 48 8B 75 F0 - mov rsi,[rbp-10]
3B00B07DB0C2 - 48 8B 45 D0 - mov rax,[rbp-30]
3B00B07DB0C6 - E9 91FAFFFF - jmp 3B00B07DAB5C
3B00B07DB0CB - 33 C9 - xor ecx,ecx
3B00B07DB0CD - 4C 8B F1 - mov r14,rcx
3B00B07DB0D0 - E9 C0FAFFFF - jmp 3B00B07DAB95
3B00B07DB0D5 - 33 FF - xor edi,edi
3B00B07DB0D7 - E9 D6FAFFFF - jmp 3B00B07DABB2
3B00B07DB0DC - 33 FF - xor edi,edi
3B00B07DB0DE - E9 25FBFFFF - jmp 3B00B07DAC08
3B00B07DB0E3 - 33 FF - xor edi,edi
3B00B07DB0E5 - E9 61FBFFFF - jmp 3B00B07DAC4B
3B00B07DB0EA - 45 31 E4 - xor r12d,r12d
3B00B07DB0ED - E9 A4FBFFFF - jmp 3B00B07DAC96
3B00B07DB0F2 - 45 31 E4 - xor r12d,r12d
3B00B07DB0F5 - E9 C2FBFFFF - jmp 3B00B07DACBC
3B00B07DB0FA - 45 31 E4 - xor r12d,r12d
3B00B07DB0FD - E9 E0FBFFFF - jmp 3B00B07DACE2
3B00B07DB102 - 45 31 E4 - xor r12d,r12d
3B00B07DB105 - E9 FEFBFFFF - jmp 3B00B07DAD08
3B00B07DB10A - 45 31 E4 - xor r12d,r12d
3B00B07DB10D - E9 1CFCFFFF - jmp 3B00B07DAD2E
3B00B07DB112 - 45 31 E4 - xor r12d,r12d
3B00B07DB115 - E9 3AFCFFFF - jmp 3B00B07DAD54
3B00B07DB11A - C5F976C0 - vpcmpeqd xmm0,xmm0,xmm0
3B00B07DB11E - C5F972F0 17 - pslld ,xmm0,xmm0,17 { 23 }
3B00B07DB123 - C5F972D0 01 - vpsrld ,xmm0,xmm001 { 1 }


The disassembler shows way more script, i just nitpicked this thinking maybe it is enough, If i have to search for specific things on disassembler no problem, just tell me
What is find strange is all these xor > jmp > xor > jmp. It looks like a sort of protection.

[ionut_baluca]

Bump

[ParkourPenguin]

xor/jmp section is a jump table; ignore it for now.

The new value written to the address (eax) likely comes from the previous call (i.e. call 3B00AF645537). Go to that code and figure out what it's doing.

[mgr.inz.Player]

I see there's "chrome.dll". The game is running in an internet browser?

[ionut_baluca]

Checked the previous call as u said parkour and i managed to do it, thanks all for help
Yes mgr is a browser game, but not a multiplayer one. I could change the value easily, but i wanted to learn to do that trick because the next cost increase exponentially and didn't want to put a specific value but to stop whenever i like