Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
push eax to cmp a long address (FFFFFFFFFFFF)?

Jiehfeng
Expert Cheater
Reputation: 0

Joined: 03 Jan 2014
Posts: 107

Posted: Thu May 26, 2016 8:21 am    Post subject: push eax to cmp a long address (FFFFFFFFFFFF)?

I'll start with the script:
Code:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
stealtheditex(itembase,"ACU.exe"+FDA3C4,1)
registersymbol(itemadd)
label(itemadd)
alloc(newmem,2048,itemadd)
registersymbol(newmem)

globalalloc(money,5)
label(dumpmoney)

label(returnhere)
label(originalcode)
label(exit)
label(exit2)

newmem:
push ebx
mov eax,7FF5F8C47380
cmp rax,ebx
je dumpmoney
jmp originalcode

originalcode:
mov [rax+28],ecx
movzx eax,byte ptr [rsp+70]

exit:
jmp exit2


dumpmoney:
mov [money],rax
jmp originalcode

itembase:
itemadd:
jmp newmem

exit2:
pop eax

returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"ACU.exe"+FDA3C4:
mov [rax+28],ecx
movzx eax,byte ptr [rsp+70]
//Alt: db 89 48 28 0F B6 44 24 70


For those unfamiliar with the stealtheditex line, just ignore it and know that from the original opcode it still jumps to the allocated newmem, so you can check the rest of the script ignoring those parts.

The purpose of this script is that I want newmem to emulate (or do the same thing as) the original address of the two opcodes, so basically to carry on as normal (don't ask, I'm testing stuff). The problem is that it doesn't carry out the opcodes at originalcode:.
The two opcodes are related to setting money values (the first one being it, and the second being the second opcode of that address). The money value isn't decreasing, which means the originalcode part isn't running.

I believe it has something to do with the push eax part, because in the memory viewer it doesn't show it:


Scrolled down:


Please help...

hhhuut
Grandmaster Cheater
Reputation: 6

Joined: 08 Feb 2015
Posts: 607

Posted: Thu May 26, 2016 8:42 am

You know that the value you assign to eax is too big for the 32-bit part of that register?
As you can see in the MemoryViewer, it does not store the intended value (7FF5F8C47380) in eax, but only (F8C47380), because eax can't take more than 4 bytes.
Cake-san
Grandmaster Cheater
Reputation: 8

Joined: 18 Dec 2014
Posts: 541
Location: Semenanjung

Posted: Thu May 26, 2016 8:50 am

1. Why did you push ebx instead of rax/eax?

2. Like @hhhuut mentioned, why did you copy a value larger than 4 bytes into a register that can hold at most a 4-byte value?

3. You don't have to put an unnecessary jump (e.g. jmp originalcode) when your originalcode label is just below it. -_-

Don't know if this is right.

Code:

[ENABLE]
stealtheditex(itembase,"ACU.exe"+FDA3C4,1)
registersymbol(itemadd)
label(itemadd)
alloc(newmem,2048,itemadd)
registersymbol(newmem)

globalalloc(money,8)

label(returnhere)
label(originalcode)

newmem:
push rax
mov rax,7FF5F8C47380
cmp rax,rbx
pop rax
jne originalcode
mov [money],rax
originalcode:
mov [rax+28],ecx
movzx eax,byte ptr [rsp+70]
jmp returnhere

itembase:
itemadd:
jmp newmem
returnhere:

[DISABLE]
dealloc(newmem)
"ACU.exe"+FDA3C4:
mov [rax+28],ecx
movzx eax,byte ptr [rsp+70]
//Alt: db 89 48 28 0F B6 44 24 70

Jiehfeng
Expert Cheater
Reputation: 0

Joined: 03 Jan 2014
Posts: 107

Posted: Thu May 26, 2016 9:06 am

Cake-san wrote:
1. Why did you push ebx instead of rax/eax?

2. Like @hhhuut mentioned, why did you copy a value larger than 4 bytes into a register that can hold at most a 4-byte value?

3. You don't have to put an unnecessary jump (e.g. jmp originalcode) when your originalcode label is just below it. -_-

Don't know if this is right.

Code:

[ENABLE]
stealtheditex(itembase,"ACU.exe"+FDA3C4,1)
registersymbol(itemadd)
label(itemadd)
alloc(newmem,2048,itemadd)
registersymbol(newmem)

globalalloc(money,8)
label(dumpmoney)

label(returnhere)
label(originalcode)

newmem:
push rax
mov rax,7FF5F8C47380
cmp rax,rbx
pop rax
je dumpmoney
jmp originalcode
dumpmoney:
mov [money],rax
originalcode:
mov [rax+28],ecx
movzx eax,byte ptr [rsp+70]
jmp returnhere

itembase:
itemadd:
jmp newmem
returnhere:

[DISABLE]
dealloc(newmem)
"ACU.exe"+FDA3C4:
mov [rax+28],ecx
movzx eax,byte ptr [rsp+70]
//Alt: db 89 48 28 0F B6 44 24 70


1. I made many scripts, trying different registers, and I did use eax too; this one is just the last one, out of sheer hopelessness.

2. After it happened I checked on it and found a thread which explained that the normal registers can't store such addresses, so the answer to your question of why I did it is that I didn't know... (I'm still learning...)

3. Only the last script I made was like that; all the previous ones didn't have that unnecessary jump. I just did that along with a few other tweaks, thinking somehow that made the game crash; all my scripts so far are just tests.

So judging by your code, RAX can store a 16 digit address? Since I now know this, I will try it out, thanks for that.


@hhhuut - Yeah, I know, but since Cake-san posted his script, my question has been answered as to how I can store a 64-bit address in a register. Thank you both.


EDIT: Also @Cake-San, I'd rather push something other than RAX (maybe rbx?) since the cmp opcode is supposed to be using the actual RAX register.


----------------------------------------------------------------------------------------------
Bingo.

Code:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
stealtheditex(itembase,"ACU.exe"+FDA3C4,1)
registersymbol(itemadd)
label(itemadd)
alloc(newmem,2048)
registersymbol(newmem)

globalalloc(money,8) // 8 bytes: mov [money],rax stores a full qword
label(dumpmoney)

label(returnhere)
label(originalcode)
label(exit)

newmem:
push rbx
mov rbx,7FF5F8C47380
cmp rax,rbx
pop rbx
je dumpmoney

originalcode:
mov [rax+28],ecx
movzx eax,byte ptr [rsp+70]

exit:
jmp returnhere


dumpmoney:
mov [money],rax
jmp originalcode

itembase:
itemadd:
jmp newmem

returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"ACU.exe"+FDA3C4:
mov [rax+28],ecx
movzx eax,byte ptr [rsp+70]
//Alt: db 89 48 28 0F B6 44 24 70


And it does as intended: the original code gets executed. Now to find a proper cmp opcode to get my address. Thanks again.

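The register-width point hhhuut raised, and the difference between the first and the final script, as an added example that is not code from this thread or from Cheat Engine: a small Python model of x86-64 writes to eax/rax and rbx, replaying `mov eax,7FF5F8C47380` / `cmp rax,ebx` from the first script and `push rbx` / `mov rbx,...` / `cmp rax,rbx` / `pop rbx` from the final one. The live register values passed to `final_script` are constructed.

```python
# Constructed model (not code from the thread): x86-64 write rules for rax/rbx
MASK64 = (1 << 64) - 1
VIEWS = {"rax": ("rax", 64), "eax": ("rax", 32),   # name -> (full register, bits)
         "rbx": ("rbx", 64), "ebx": ("rbx", 32)}
TARGET = 0x7FF5F8C47380  # the RAX value the scripts test for (from the thread)

class Regs:
    def __init__(self, rax=0, rbx=0):
        self.r = {"rax": rax & MASK64, "rbx": rbx & MASK64}

    def read(self, name):
        full, width = VIEWS[name]
        return self.r[full] & ((1 << width) - 1)

    def write(self, name, value):
        full, width = VIEWS[name]
        # an immediate wider than the operand is cut down to the operand size,
        # and a 32-bit write also zeroes the upper 32 bits of the full register
        self.r[full] = value & ((1 << width) - 1)

def cmp_equal(regs, a, b):
    # `cmp a,b` then `je`: there is no encoding for operands of different sizes
    if VIEWS[a][1] != VIEWS[b][1]:
        raise ValueError(f"cmp {a},{b}: operand size mismatch")
    return regs.read(a) == regs.read(b)

def first_script_rax():
    # `mov eax,7FF5F8C47380` from the first script: only F8C47380 survives
    regs = Regs()
    regs.write("eax", TARGET)
    return regs.read("rax")

def mixed_cmp_is_rejected():
    # `cmp rax,ebx` from the first script has no x86-64 encoding at all
    try:
        cmp_equal(Regs(), "rax", "ebx")
    except ValueError:
        return True
    return False

def final_script(live_rax, live_rbx=0x1234):
    # push rbx / mov rbx,imm64 / cmp rax,rbx / pop rbx, as in the final script
    regs = Regs(rax=live_rax, rbx=live_rbx)
    stack = [regs.read("rbx")]      # push rbx saves the game's rbx
    regs.write("rbx", TARGET)       # 64-bit move, nothing truncated
    hit = cmp_equal(regs, "rax", "rbx")
    regs.write("rbx", stack.pop())  # pop rbx restores it; rax is untouched
    return hit, regs.read("rax"), regs.read("rbx")
```

Because `write` masks to the operand size, `first_script_rax()` returns the truncated 0xF8C47380 hhhuut saw in the memory viewer, while `final_script` only hits when the full 64-bit value matches and leaves both registers as the game expects.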
Cake-san
Grandmaster Cheater
Reputation: 8

Joined: 18 Dec 2014
Posts: 541
Location: Semenanjung

Posted: Thu May 26, 2016 9:16 am

Let me guess, 7FF5F8C47380+28 is the address for the money. Seriously.
Jiehfeng
Expert Cheater
Reputation: 0

Joined: 03 Jan 2014
Posts: 107

Posted: Thu May 26, 2016 9:19 am

Cake-san wrote:
Let me guess, 7FF5F8C47380+28 is the address for the money. Seriously.


What is the matter lol?
And no, it's the value of the register RAX when the opcode that changes the money is accessed.

Cake-san
Grandmaster Cheater
Reputation: 8

Joined: 18 Dec 2014
Posts: 541
Location: Semenanjung

Posted: Thu May 26, 2016 9:23 am

Jiehfeng wrote:

What is the matter lol?
And no, it's the value of the register RAX when the opcode that changes the money is accessed.


It's the same, and I think you're just tired.

Jiehfeng
Expert Cheater
Reputation: 0

Joined: 03 Jan 2014
Posts: 107

Posted: Thu May 26, 2016 9:25 am

Cake-san wrote:
Jiehfeng wrote:

What is the matter lol?
And no, it's the value of the register RAX when the opcode that changes the money is accessed.


It's the same, and I think you're just tired.


No it's not. RAX+28 is a shared opcode.
