Cheat Engine

LongBeardedLion

So basically im reverse engineering a function. I need to understand where a certain value is coming from originally. So i need to go back in time in the function to the very root of this value. I have seen it being passed from register to register. But im in a dead end now, because i got to a function that simply ticks constantly on breakpoint, so i cant really use a breakpoint there to see where is my value being passed. Because it breaks even when my action is not being performed so i dont even have the time to trigger the action in the game that would trigger the breakpoint so that i could see where the value is coming from. So instead it is breaking immediately and with other values that are not related.

Maybe this is not very clear. Ill try more:
What im trying to do is to understand what in assembly responds to the press of a key in the game that changes the stance of a unit. So i got the address of the value that changes when i press that key. But so far that value can be traced back as being passed from function to function and register to register much before.

So i guess i got to the point where the game has a function that i assume its checking what is happening constantly in the game. So i cant really go in the game and press the key, because it breaks constantly.

How do i go around this problem? How can i understand where a value is coming from in assembly if the current function simply breaks constantly and does not allow me to study a specific action?

Help pls.

ParkourPenguin · Posted: Tue Jun 02, 2020 10:36 am Post subject:

Try setting a "break and trace" on the original access, step over calls.

LongBeardedLion · Posted: Thu Jun 04, 2020 11:23 am Post subject:

Thank you ParkourPenguin.

I have been studying it but so far it seems im doing something wrong.

So i have a breakpoint at 43a9db.

And everytime i want it to break the address in the EBP changes to something different. But that address + 0x2 always points at 03 EA, Bytes. As you can see in the image.

So how do i set this condition?

EBP + 0x2 == 0x03?

I tried it and it did not work.

Pls help.
Also is there any way to go back in time and see what the EBP was before without breakpoints? Like a step into but backwards?

ParkourPenguin · Posted: Thu Jun 04, 2020 11:37 am Post subject:

LongBeardedLion · Posted: Thu Jun 04, 2020 3:37 pm Post subject:

Thank you Parkour Penguin.
I succeeded in going back on a huge function and tracing our value very far.
And it all seemed great. But then i came accross [ESP+110]. And dont know how to put a condition on that since its a pointer stored in the stack.
So i went on the stack, and the value does correspond to our value 03.

So how should i put a condition for this?
Perhaps i should read more about conditions where can i learn this in depth so i dont have to annoy you anymore?

Here are the images:

Edit:

readBytes([ESP+110]+2, 1, false) == 3 ??

That didnt work either? :O

ParkourPenguin · Posted: Thu Jun 04, 2020 4:26 pm Post subject:

See the "sub esp,104" and the couple push instructions just above that? 0x110-0x104-4-4 = 4. It's accessing a parameter passed to the function. Go to the caller and it'll be the last thing pushed on the stack before the call.

LongBeardedLion · Posted: Thu Jun 04, 2020 7:57 pm Post subject:

wow it looks like magic. Thank you. Im loving learning about it everyday.