Cheat Engine

Hand · How do I cheat? Reputation: 0 Joined: 15 Mar 2024 Posts: 4

[ENABLE]
aobscanmodule(Exp,Z2TAOL_P03.exe,DD 45 00 5F DD 1E) // should be unique
alloc(newmem,$1000)
alloc(expz,4)

label(code)
label(originalcode)
label(return)
label(playerExp)

expz:
dq (double)9998

newmem:

code:
push edx
mov edx, [ebp-9948E1C]
pushf
cmp edx,99D7ED0
jo playerExp
jmp originalcode

playerExp:
fstp st[0]
fld qword ptr [expz]
jmp originalcode

originalcode:
popf
pop edx
fld qword ptr [ebp+00]
pop edi
fstp qword ptr [esi]
jmp return

Exp:
jmp newmem
nop
return:
registersymbol(Exp)

[DISABLE]

Exp:
db DD 45 00 5F DD 1E

unregistersymbol(Exp)
dealloc(newmem)
dealloc(expz)

ParkourPenguin · Posted: Fri Mar 15, 2024 10:12 pm Post subject:

`jo` = jump if overflow. If you don't know what that means, you should be using something else. Perhaps you meant `je` / `jne` (equality), `ja` / `jb` (unsigned comparison), or `jg` / `jl` (signed comparison).

Your code is assuming there's already a value on the FPU stack. It doesn't do anything relating to the original code at all. Maybe you should execute the instruction `fld qword ptr [ebp+00]` first?

Hand · How do I cheat? Reputation: 0 Joined: 15 Mar 2024 Posts: 4

"execute the instruction `fld qword ptr [ebp+00]` first?." how to execute? I'm more confuse when this line show when the instruction/tutorial i'm following doesn't have those line.

and also the address always changes when going to next screen/room, so Idk when to check whats the right address to pick in the Stack view.

Z2TAOL_P03.exe+151148:
0055113A - 0FB6 88 38165500 - movzx ecx,byte ptr [eax+Z2TAOL_P03.exe+151638]
00551141 - FF 24 8D 1C165500 - jmp dword ptr [ecx*4+Z2TAOL_P03.exe+15161C]
00551148 - DD 45 00 - fld qword ptr [ebp+00] <<
0055114B - 5F - pop edi
0055114C - DD 1E - fstp qword ptr [esi]

EAX=00000000
EBX=099CFEE4
ECX=00000000
EDX=00000000
ESI=099CFEE4
EDI=00000000
EBP=09AD5120
ESP=0019EB60
EIP=0055114B

Then I'm more confuse where to choose what address to pick when there's a lot of same address, but when I assign the auto assemble script and check the game crash or instantly close it.

I'm really bad at this.

ParkourPenguin · Posted: Fri Mar 15, 2024 11:56 pm Post subject:

Change the stackview to ESP+X (right click menu, I think). EBP is probably being used as a general purpose register instead of the stack frame pointer.

What are you trying to do? Why are you accessing the stack?

Hand · How do I cheat? Reputation: 0 Joined: 15 Mar 2024 Posts: 4

the tutorial said to go to stack view and find a ebp- address then put this code below :

code:
push edx
mov edx, [ebp-9948E1C]
pushf
cmp edx,99D7ED0
je playerExp
jmp originalcode

oh and this is the video im following
youtu. be/ 5fJFSOPGZyQ

but I got confuse in the stack view section as to where/what to use address to put on the code above

and also I change the stackview to Esp+ like from you're direction and change some code then try to activate it and it did not work but the game did not crash.

code:
push edx
mov edx, [esp+34]
pushf
cmp edx,99CFED0
je playerExp
jmp originalcode

I will try more experiments, and I know there still some wrongs here and there.

ParkourPenguin · Posted: Sat Mar 16, 2024 2:05 am Post subject:

The `push` instruction modifies ESP. Account for that, if you haven't. (i.e. ESP+38)

Maybe look up a tutorial on x86 assembly before looking at something that specific.

Hand · How do I cheat? Reputation: 0 Joined: 15 Mar 2024 Posts: 4

I will look some and I will also try to ask here to make script from the game Zelda 2 Remastered, so the experts here will do miracles in my worthless effort.

Thank you much! Very Happy