The Official Site of Cheat Engine


Adding Ints work but not much else

prettyoverrated
How do I cheat?
Reputation: 0

Joined: 30 May 2021
Posts: 3

Posted: Thu Jun 03, 2021 3:43 pm    Post subject: Adding Ints work but not much else

Hello!

Apologies, I posted this in General Gamehacking but I figured this might be more suited for here instead of there since it isn't specific to a game, so I deleted it. Please let me know if this post is misplaced! Thanks!

So basically, I have an original code like this one that writes to an address. If eax - [r8+44] is 135, then the address is written 135 times. The original code is as follows:
Code:
mov [r8+44],eax
mov rax,[blahblah.dll+ABCD123]
jmp return

sub eax,[r8+44] works and I get the difference. I can also add integer values, so
Code:
sub eax,[r8+44]
add eax,#400
add eax,[r8+44]
mov [r8+44],eax
would work as intended when reversing the steps with the new eax value.

However, adding anything to eax other than integers does not work, push/popping and assigning a value to ecx to add to eax also does not work, and imul eax,2 and shl eax,1 do not duplicate eax (if eax - [r8+44] = 100, and I duplicate it, mov [r8+44],eax will still write 100 instead of 200). Also, when multiplying, anything greater than 3 causes an overflow(?) in the address. Same for shl for any power greater than 1.

After many math gymnastics with no solution, I figure something else is going on I am not realizing. Any ideas? Could it be the line with the .dll? Is it because the address is being written over constantly (despite adding integers working just fine)?

Any help greatly appreciated!

_________________
Forever a nub.


Last edited by prettyoverrated on Thu Jun 03, 2021 5:34 pm; edited 1 time in total
ParkourPenguin
I post too much
Reputation: 140

Joined: 06 Jul 2014
Posts: 4300

Posted: Thu Jun 03, 2021 5:31 pm

I have no idea what you mean by "the address is written 135 times".
"eax,#400" isn't an instruction.
Integer arithmetic instructions (add, sub, mul, div, etc.) can only operate on integers. If you want to operate on floats, use SSE instructions (e.g. "addsd xmm0,[address]").
You're doing something wrong with imul / shl. I'd need to see the exact code to tell you what you're doing wrong.
Multiplying 100 by any integer less than 21474837 won't overflow eax. It will still overwrite edx, which I'm guessing you didn't look up.

What are you trying to do?

_________________
I don't know where I'm going, but I'll figure it out when I get there.
prettyoverrated
How do I cheat?
Reputation: 0

Joined: 30 May 2021
Posts: 3

Posted: Thu Jun 03, 2021 6:06 pm

ParkourPenguin wrote:
I have no idea what you mean by "the address is written 135 times".
"eax,#400" isn't an instruction.
Integer arithmetic instructions (add, sub, mul, div, etc.) can only operate on integers. If you want to operate on floats, use SSE instructions (e.g. "addsd xmm0,[address]").
You're doing something wrong with imul / shl. I'd need to see the exact code to tell you what you're doing wrong.
Multiplying 100 by any integer less than 21474837 won't overflow eax. It will still overwrite edx, which I'm guessing you didn't look up.

What are you trying to do?


Oops, that was an error in my transcribing. I was supposed to be adding; I fixed it below.

In summary I want to be able to change the instruction to multiply the gain by an arbitrary integer of my choosing.

So when I search and find an address, and seek what writes to this address (F6), I only find one instruction. The count of this instruction, if I understand this correctly, I noticed is exactly the difference between eax and the value in [r8+44] whenever the address changes (hope this makes sense). That's to say, the original code will write eax to [r8+44], and if eax is greater than the value in [r8+44] by 250, then when the address changes, the count of this instruction is 250. I don't know if the count has actual significance on what I want to do, but wanted to bring this up.

I don't have the specific dll name in mind since I don't have the .ct file on hand right now, but when setting up AA, the original code shows up as
Code:
mov [r8+44],eax
mov rax,[blahblahblah.dll+ABCD123]
jmp return

If I want to increase the value in eax by 200 for example, the following works just fine
Code:
sub eax,[r8+44] // the gain
add eax,#200 // this adds 200 to the gain ***
add eax,[r8+44] // reverse what i did in the first line
mov [r8+44],eax // put new value into the address
mov rax,[blahblahblah.dll+ABCD123]
jmp return

This works fine, so if the address was originally 1000, and the original gain is 100, it will add the 200 on top of that, so new value is 1300.

The problem is the line with the ***, when I try to double the 100 gain, so any one of the following replacing the *** line
A) add eax,eax
B) imul eax,2
C) shl eax,1
D) push ecx -> set ecx to be equal to the gain -> add eax,ecx (this is to double)
E) any creative math I can think of to try to double the gain value
will result in the gain not changing at all (in the example above, the new value will be 1100, not 1300)

Also, anything greater than doubling, like (again, replacing only the *** line)
A) imul eax,3
B) shl eax,2 (multiplying by 4)
results in what I believe is an overflow (for example, negative numbers of large magnitude)

So I'm just confused as to why "add eax,#200" works but not efforts to double/triple/etc., even when trying add, imul, or shl.

Hope this clarifies a bit!

_________________
Forever a nub.
ParkourPenguin
I post too much
Reputation: 140

Joined: 06 Jul 2014
Posts: 4300

Posted: Thu Jun 03, 2021 7:02 pm

So the number of times that instruction is executed is equal to the amount you see it increasing by? That is good information to bring up, and I'm guessing it's why your code is failing.

Note that the values of registers you see by clicking on "more info" or something only represent the last execution of the instruction. If it's executed multiple times, it could be writing something else the other times.

Set a breakpoint somewhere and see what's going on. e.g. assuming you're using an aobscan:
  1. Enable the script
  2. Open the "go to address" window in the disassembler (I forget the hotkey, but I'm sure there's a menu item somewhere)
  3. Go to the symbol of the injection point (e.g. aobscan(INJECT,...) / registersymbol(INJECT) => symbol is INJECT)
  4. Follow the jump to your code
  5. Set a breakpoint on "add eax,eax"
  6. See what eax is and figure out why it's failing

If the code really is being executed 100+ times, you may need to continue execution and let the breakpoint hit many times before you figure out what's actually going on.

  1. "add eax,eax" - simple, easy to understand, and you should use it until you get it working.
  2. "imul eax,2" - I don't know which opcode CE uses (F7 or 0F AF), but this might clobber edx.
  3. "shl eax,1" - This is a good optimization if you're always multiplying by powers of 2.
  4. "push ecx..." - superfluous.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
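Added illustration (not code from the thread or from Cheat Engine): the arithmetic the injected sequence is expected to perform, modelled in C with the same 32-bit wraparound eax has, so you know what the breakpoint should show and where the "large negative numbers" come from. The function names are mine, and simulate_repeated_hook encodes the reply's guess that the instruction fires once per unit of gain, which the thread does not confirm.

```c
#include <stdint.h>
#include <stdbool.h>

/* One pass through the injected code, done in uint32 so the result wraps
 * exactly like the 32-bit eax register (signed overflow is UB in C).
 * stored = current value at [r8+44], eax = what the game is about to write,
 * k = multiplier applied to the gain (eax - stored). */
int32_t hooked_write(int32_t stored, int32_t eax, int32_t k) {
    uint32_t gain = (uint32_t)eax - (uint32_t)stored;   /* sub eax,[r8+44]    */
    gain *= (uint32_t)k;                                 /* add eax,eax / imul */
    return (int32_t)(gain + (uint32_t)stored);           /* add eax,[r8+44]    */
}

/* The poster's constant-offset variant: add eax,#c after the subtraction,
 * then add the stored value back. Net effect is simply eax + c. */
int32_t hooked_write_add(int32_t eax, int32_t c) {
    return (int32_t)((uint32_t)eax + (uint32_t)c);
}

/* True when the signed product no longer fits in a 32-bit register, which is
 * what the thread calls an overflow (large negative values appearing). */
bool imul32_overflows(int32_t a, int32_t b) {
    int64_t p = (int64_t)a * (int64_t)b;
    return p > INT32_MAX || p < INT32_MIN;
}

/* Largest multiplier that keeps gain*k inside eax; for gain 100 this is
 * 21474836, matching the "less than 21474837" bound in the reply above. */
int32_t max_safe_multiplier(int32_t gain) {
    return gain > 0 ? INT32_MAX / gain : INT32_MAX;
}

/* Assumption (not established in the thread): the write instruction fires n
 * times and the game computes eax = stored + 1 on each execution, so the gain
 * seen per execution is 1. Scaling the per-execution gain then changes the end
 * result by k*n, which is what a breakpoint hit many times would reveal. */
int32_t simulate_repeated_hook(int32_t stored, int32_t n, int32_t k) {
    for (int32_t i = 0; i < n; i++)
        stored = hooked_write(stored, stored + 1, k);   /* constructed per-execution eax */
    return stored;
}
```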
prettyoverrated
How do I cheat?
Reputation: 0

Joined: 30 May 2021
Posts: 3

Posted: Thu Jun 03, 2021 11:20 pm

ParkourPenguin wrote:
So the number of times that instruction is executed is equal to the amount you see it increasing by? That is good information to bring up, and I'm guessing it's why your code is failing.

Note that the values of registers you see by clicking on "more info" or something only represent the last execution of the instruction. If it's executed multiple times, it could be writing something else the other times.

Set a breakpoint somewhere and see what's going on. e.g. assuming you're using an aobscan:
  1. Enable the script
  2. Open the "go to address" window in the disassembler (I forget the hotkey, but I'm sure there's a menu item somewhere)
  3. Go to the symbol of the injection point (e.g. aobscan(INJECT,...) / registersymbol(INJECT) => symbol is INJECT)
  4. Follow the jump to your code
  5. Set a breakpoint on "add eax,eax"
  6. See what eax is and figure out why it's failing

If the code really is being executed 100+ times, you may need to continue execution and let the breakpoint hit many times before you figure out what's actually going on.

  1. "add eax,eax" - simple, easy to understand, and you should use it until you get it working.
  2. "imul eax,2" - I don't know which opcode CE uses (F7 or 0F AF), but this might clobber edx.
  3. "shl eax,1" - This is a good optimization if you're always multiplying by powers of 2.
  4. "push ecx..." - superfluous.


Tysm! I got some homework to do I see!

_________________
Forever a nub.
All times are GMT - 6 Hours