rain-13 (Expert Cheater) | Reputation: 0 | Joined: 18 Mar 2009 | Posts: 106
Posted: Thu Sep 10, 2020 1:14 pm | Post subject: Value changes but "Find out what writes to this address"
Hi!
I am trying to read map data from Warcraft 2. It should be simple as it is an old game. In theory it should be x*y WORDs in memory, where x and y are the map dimensions.
I have looked up the memory location by searching for specific tile id values. A tile is basically one square of the map. It can be grass, forest, stone, etc. Each tile type has its own id, for example 0x0082 for stone or 0x0070 for forest. By knowing what tile IDs to look for, I searched for the tile at coordinates 0,0, assuming that the rest of the map comes after it. I confirmed that idea by browsing this memory location.
When I loaded a new map, the memory viewer also highlighted memory sections before the first tile. I then started to scroll up in the memory viewer and found that it is the entire map file loaded into memory. It also looks like when I "Find out what accesses this address" I see that it is accessed only once for the entire game. When I cause a tile to change by chopping the forest, the tile is neither accessed nor written. Also, changing its value did not change its visual in game. This makes me assume that after reading the map tile data into memory it must copy it somewhere else where it uses it and does stuff with it.
My questions are:
1) Why doesn't "Find out what writes to this address" show anything? Is it because the byte I am looking for is in the middle of a string and CE can't detect that? This time I was able to manually locate the first byte of the entire map data (which was before the first tile) because I used the smallest map size I could make. But how do I locate the beginning of the byte array when there is too much data between the byte I discovered and the actual first byte of data? Is there some way to get "Find out what writes to this address" to work in that case?
2) When I used "Find out what accesses this address" it detected accesses. Why does "Find out what accesses this address" show results when the byte I am looking at is located in the middle of the byte array, while "Find out what writes to this address" didn't?
3) Now I would like to find out where this data is copied after it is read from the file into memory. For that I used "Find out what accesses this address" on the first tile of the map. It highlighted in red 0047FB3E - jb "Warcraft II BNE.exe"+ 7FB0C, but when I tried to add the address 0047FB3E or "Warcraft II BNE.exe"+ 7FB0C it did not point to the memory location where the active copy of the map tiles is stored. Below it also says jmp dword ptr [edx*4+"Warcraft II BNE.exe" + 7FBF8] - can anyone explain what that means? And most importantly, how do I find out where it is copied after it is accessed?
I'll also attach a screenshot for extra clarity.
[Attachment: screenshot, 93.39 KB, viewed 1708 time(s)]
Dark Byte (Site Admin) | Reputation: 458 | Joined: 09 May 2003 | Posts: 25291 | Location: The Netherlands
Posted: Fri Sep 11, 2020 12:15 am
1 and 2: if it is written by a function like loadFile it won't trigger.
3: it's the repe movsd.
The start address is esi-rcx*4.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
rain-13 (Expert Cheater) | Reputation: 0 | Joined: 18 Mar 2009 | Posts: 106
Posted: Fri Sep 11, 2020 12:45 pm
Thanks for the quick reply!
Why won't a function like loadFile trigger it?
How did you know that it is repe movsd? And what does this esi-rcx*4 mean? Can you explain in a beginner-friendly way what it means and how to use this info to find the address?
Dark Byte (Site Admin) | Reputation: 458 | Joined: 09 May 2003 | Posts: 25291 | Location: The Netherlands
Posted: Fri Sep 11, 2020 1:19 pm
readfile doesn't use the CPU to write the memory. It lets the disk controller write directly to the physical memory.
"movsd" will copy the 4 bytes that esi points at to the address that edi points to, and increase esi and edi by 4.
repe movsd does the same, but decreases ecx by 1 and repeats that until ecx is 0.
Read/write breakpoints trigger after the instruction is executed, so to get the right instruction CE has to figure out the previous instruction. 6.7 doesn't recognize repe, so it thinks it came from the instruction before.
rain-13 (Expert Cheater) | Reputation: 0 | Joined: 18 Mar 2009 | Posts: 106
Posted: Mon Sep 21, 2020 3:07 pm
Hi!
Thanks for explaining this.
I think I need more help. I found the place where this data gets copied. However, just before the game starts this memory region gets freed (CE shows question marks).
Since the location where EDI pointed to contained the entire map file, not just tile info, on my next try - after repe movsd was finished but before going on - I manually scrolled down in the hex view of that freshly copied data to where the tile information was stored. Then I added the address that contained the first byte of tile information to the address list, and then I used "Find out what writes to this address".
I found that this next address was accessed 3 times (see screenshot). But when I set a breakpoint on shr ecx, 02, the debugger only went there once. How should I understand this? Doesn't count 3 mean that I should expect the debugger to visit this line of code 3 times? On the repe movsd line ecx was 200 (hex), so I guess this count 2 is not related to that.
Basically what I have found so far is the map tiles, but only the visual part of it. I mean I can manually edit this memory region and replace grass with forest, but then all the game does is display a forest tile at that location. The game does not stop me from walking on that tile, which means that somewhere there has to be information stored about whether or not it's blocking movement. I also can't chop trees at that location, which means that somewhere there has to be a separate list of tile flags which tell the game that these are trees on that tile that I can cut down. This all made me expect it to be copied multiple times - like one pass for each data layer it tries to extract. But it didn't happen. So I came here to get a better understanding of what that screenshot tells me with its count 3 if I only get 1 hit.
[Attachment: screenshot, 24.74 KB, viewed 1561 time(s)]
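The following is an added worked example, not code from the thread, from Cheat Engine or from the game. It models in C what Dark Byte's second post describes (movsd copies 4 bytes from [esi] to [edi] and advances both; repe movsd repeats that while counting ecx down to 0), the "shr ecx, 02" from the third post (byte count turned into a dword count before the copy), and the start-address formula (start = register - count*4, applied to the post-copy registers that a breakpoint shows because it fires after the instruction executed). It also applies the first post's layout (x*y WORD tiles, tile (0,0) first) by scanning a copied block for a known tile value. The map image, its 16-byte header, the 8x8 size and the grass value 0x0050 are constructed for this example; only the stone (0x0082) and forest (0x0070) IDs come from the thread.

```c
/* Added example: a model of movsd / repe movsd, the shr ecx,2 byte->dword
 * count, start-address recovery from post-copy registers, and locating an
 * x*y WORD tile array inside the copied block. All data is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    const uint8_t *esi;   /* source pointer (what esi would hold) */
    uint8_t       *edi;   /* destination pointer (what edi would hold) */
    uint32_t       ecx;   /* repeat count */
} regs_t;

/* movsd: copy the 4 bytes at [esi] to [edi], then esi += 4 and edi += 4. */
static void movsd(regs_t *r) {
    memcpy(r->edi, r->esi, 4);
    r->esi += 4;
    r->edi += 4;
}

/* repe movsd: do movsd, decrement ecx, repeat until ecx is 0. */
static void rep_movsd(regs_t *r) {
    while (r->ecx != 0) {
        movsd(r);
        r->ecx--;
    }
}

/* The copy routine as seen in the thread: ecx starts as a byte count,
 * "shr ecx, 2" makes it a dword count, then "repe movsd" moves the block.
 * (A real memcpy also moves the nbytes % 4 remainder; this model assumes
 * nbytes is a multiple of 4.) Returns the registers AFTER the copy, which
 * is what a write breakpoint shows, since it fires after the instruction. */
static regs_t copy_block(uint8_t *dst, const uint8_t *src, uint32_t nbytes) {
    regs_t r = { src, dst, nbytes };
    r.ecx >>= 2;          /* shr ecx, 2 */
    rep_movsd(&r);        /* afterwards: ecx == 0, esi/edi point past the end */
    return r;
}

/* Block start from the post-copy registers: each of the `count` iterations
 * advanced esi and edi by 4, so start = reg - count*4, with `count` the ecx
 * value seen BEFORE the copy (0x200 in the thread's screenshot). */
static const uint8_t *source_start(const regs_t *after, uint32_t count) {
    return after->esi - (size_t)count * 4;
}
static uint8_t *dest_start(const regs_t *after, uint32_t count) {
    return after->edi - (size_t)count * 4;
}

/* Constructed map image: header, then MAP_W*MAP_H WORD tiles, (0,0) first. */
#define HEADER_BYTES 16                          /* assumed header size */
#define MAP_W 8
#define MAP_H 8
#define FILE_BYTES (HEADER_BYTES + MAP_W * MAP_H * 2)
#define TILE_STONE  0x0082                       /* from the first post */
#define TILE_FOREST 0x0070                       /* from the first post */
#define TILE_GRASS  0x0050                       /* constructed placeholder */

/* Unaligned-safe WORD access, the way CE's "2 Bytes" type reads memory. */
static uint16_t read_word(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void write_word(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

static void build_map_file(uint8_t *file) {
    memset(file, 0xAA, HEADER_BYTES);            /* filler header bytes */
    for (int y = 0; y < MAP_H; y++)
        for (int x = 0; x < MAP_W; x++) {
            uint16_t t = (x == 0 && y == 0) ? TILE_STONE
                       : (x == 3 && y == 2) ? TILE_FOREST : TILE_GRASS;
            write_word(file + HEADER_BYTES + (y * MAP_W + x) * 2, t);
        }
}

/* The first post's approach: scan the block for the WORD known to sit at
 * (0,0); the first hit is the candidate start of the tile array. */
static size_t find_tile_base(const uint8_t *blk, size_t len, uint16_t first_tile) {
    for (size_t off = 0; off + 2 <= len; off += 2)
        if (read_word(blk + off) == first_tile) return off;
    return (size_t)-1;
}

/* Tile (x,y) in a row-major x*y WORD array. */
static uint16_t tile_at(const uint8_t *tiles, int w, int x, int y) {
    return read_word(tiles + (y * w + x) * 2);
}

static uint8_t g_file[FILE_BYTES];   /* "file loaded into memory" */
static uint8_t g_copy[FILE_BYTES];   /* where repe movsd copies it */

/* 1 if the post-copy registers lead back to both block starts. */
static int demo_start_recovery(void) {
    build_map_file(g_file);
    uint32_t count_before = FILE_BYTES >> 2;     /* ecx after shr ecx, 2 */
    regs_t after = copy_block(g_copy, g_file, FILE_BYTES);
    return after.ecx == 0
        && source_start(&after, count_before) == g_file
        && dest_start(&after, count_before) == g_copy
        && memcmp(g_copy, g_file, FILE_BYTES) == 0;
}

/* Offset of the tile array inside the copied block (16 here). */
static size_t demo_tile_base_offset(void) {
    build_map_file(g_file);
    copy_block(g_copy, g_file, FILE_BYTES);
    return find_tile_base(g_copy, FILE_BYTES, TILE_STONE);
}

static uint16_t demo_tile(int x, int y) {
    return tile_at(g_copy + demo_tile_base_offset(), MAP_W, x, y);
}

int main(void) {
    printf("start recovery ok: %d\n", demo_start_recovery());
    printf("tile array at +0x%zx, tile(3,2)=0x%04x\n",
           demo_tile_base_offset(), demo_tile(3, 2));
    return 0;
}
```

The point to take from `copy_block` is that the esi/edi values visible when the breakpoint fires are already past the end of the block, so subtracting the pre-copy ecx times 4 is what gets you back to the start; in a 32-bit process that register is ecx. Because the copy moves the whole file image, the tile array sits at a header-sized offset inside the destination, which is why a scan for the (0,0) tile value is still needed after the copy is found.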
Arma103 (How do I cheat?) | Reputation: 0 | Joined: 25 Sep 2020 | Posts: 6
Posted: Fri Sep 25, 2020 5:17 am
rain-13 wrote:
    Thanks for the quick reply!
    Why won't a function like loadFile trigger it?
    How did you know that it is repe movsd? And what does this esi-rcx*4 mean? Can you explain in a beginner-friendly way what it means and how to use this info to find the address?
Second use of input file doesn't trigger onchange anymore.