Cheat Engine The Official Site of Cheat Engine
Andrej730 How do I cheat? Reputation: 0
Joined: 20 Jan 2024 Posts: 4
|
Posted: Thu Feb 08, 2024 1:49 pm Post subject: Compiling c++ code and investigating it with Cheat Engine |
|
|
Hi! To test my assumptions on how Cheat Engine interacts with software, as an experiment I've compiled the simple C++ code below into the program myprogram.exe with `g++ -o myprogram main.cpp`.
And then dumped its assembler code to myprogram.asm using `objdump -d -Mintel .\myprogram.exe > myprogram.asm`.
I've started the program, ran a few steps of it (entered new i values a few times) and I've found 3 things I cannot explain and am looking for clues why they occur. Appreciate any help.
1) At the beginning of the program it prints the address of the i variable. E.g. it's 0x212ffffa1c. I've tried to add this address to both the list in CE and search for it manually in Memory View and it seems empty. Shouldn't it contain the i value?
2) I've tried to find the i value in memory by entering new values and searching for them with exact value search in CE, but I always end up with 0 matching addresses. I've also tried to use all value types.
3) I assume when we launch the program its code is loaded into memory. So taking some assembly byte code I've found using `objdump`, I should be able to find it somewhere in memory. But that doesn't seem to be the case - e.g. I've tried to search 48 83 ec 30 as array of bytes (which is one of the first instructions in the main() ) and it cannot be found anywhere.
C++ Code
Code: |
#include <stdio.h>
#include <iostream>

int main(int argc, char *argv[]) {
    int i;
    std::cout << "i address is " << &i << std::endl;
    do {
        std::cin >> i;
        std::cout << i << std::endl;
        if (i == 100)
            goto print;
    } while (i != 100);
print:
    printf("We're done here");
    return 0;
}
Part of myprogram.asm with main()
Code: |
0000000140001450 <main>:
140001450: 55 push rbp
140001451: 48 89 e5 mov rbp,rsp
140001454: 48 83 ec 30 sub rsp,0x30
140001458: 89 4d 10 mov DWORD PTR [rbp+0x10],ecx
14000145b: 48 89 55 18 mov QWORD PTR [rbp+0x18],rdx
14000145f: e8 8c 01 00 00 call 1400015f0 <__main>
140001464: 48 8d 05 95 2b 00 00 lea rax,[rip+0x2b95] # 140004000 <.rdata>
14000146b: 48 89 c2 mov rdx,rax
14000146e: 48 8b 05 5b 2f 00 00 mov rax,QWORD PTR [rip+0x2f5b] # 1400043d0 <__fu1__ZSt4cout>
140001475: 48 89 c1 mov rcx,rax
140001478: e8 93 00 00 00 call 140001510 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc>
14000147d: 48 89 c1 mov rcx,rax
140001480: 48 8d 45 fc lea rax,[rbp-0x4]
140001484: 48 89 c2 mov rdx,rax
140001487: e8 9c 00 00 00 call 140001528 <_ZNSolsEPKv>
14000148c: 48 89 c1 mov rcx,rax
14000148f: 48 8b 05 4a 2f 00 00 mov rax,QWORD PTR [rip+0x2f4a] # 1400043e0 <.refptr._ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_>
140001496: 48 89 c2 mov rdx,rax
140001499: e8 92 00 00 00 call 140001530 <_ZNSolsEPFRSoS_E>
14000149e: 48 8d 45 fc lea rax,[rbp-0x4]
1400014a2: 48 89 c2 mov rdx,rax
1400014a5: 48 8b 05 14 2f 00 00 mov rax,QWORD PTR [rip+0x2f14] # 1400043c0 <__fu0__ZSt3cin>
1400014ac: 48 89 c1 mov rcx,rax
1400014af: e8 84 00 00 00 call 140001538 <_ZNSirsERi>
1400014b4: 8b 45 fc mov eax,DWORD PTR [rbp-0x4]
1400014b7: 89 c2 mov edx,eax
1400014b9: 48 8b 05 10 2f 00 00 mov rax,QWORD PTR [rip+0x2f10] # 1400043d0 <__fu1__ZSt4cout>
1400014c0: 48 89 c1 mov rcx,rax
1400014c3: e8 58 00 00 00 call 140001520 <_ZNSolsEi>
1400014c8: 48 89 c1 mov rcx,rax
1400014cb: 48 8b 05 0e 2f 00 00 mov rax,QWORD PTR [rip+0x2f0e] # 1400043e0 <.refptr._ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_>
1400014d2: 48 89 c2 mov rdx,rax
1400014d5: e8 56 00 00 00 call 140001530 <_ZNSolsEPFRSoS_E>
1400014da: 8b 45 fc mov eax,DWORD PTR [rbp-0x4]
1400014dd: 83 f8 64 cmp eax,0x64
1400014e0: 74 0a je 1400014ec <main+0x9c>
1400014e2: 8b 45 fc mov eax,DWORD PTR [rbp-0x4]
1400014e5: 83 f8 64 cmp eax,0x64
1400014e8: 75 b4 jne 14000149e <main+0x4e>
1400014ea: eb 01 jmp 1400014ed <main+0x9d>
1400014ec: 90 nop
1400014ed: 48 8d 05 1a 2b 00 00 lea rax,[rip+0x2b1a] # 14000400e <.rdata+0xe>
1400014f4: 48 89 c1 mov rcx,rax
1400014f7: e8 04 11 00 00 call 140002600 <printf>
1400014fc: b8 00 00 00 00 mov eax,0x0
140001501: 48 83 c4 30 add rsp,0x30
140001505: 5d pop rbp
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4307
|
Posted: Thu Feb 08, 2024 2:18 pm Post subject: |
|
|
Works fine for me. Are you sure you attached to the correct process? Did you make a typo? Did you compile without optimizations?
To search for code, you'll need to scan through all memory, not just writable. Right click the area in the main window with Writable / Executable / CoW checkboxes and select "Preset: scan all memory".
(if you want to compile with optimizations, make `i` volatile; otherwise, the compiler could elide all accesses to that address)
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
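Added example, not part of the thread and not Cheat Engine's own code: a toy array-of-bytes scan over two constructed regions, showing why the `48 83 ec 30` search only hits once non-writable pages are included in the scan. The `region` layout, the `aob_scan` helper and the stack page base are assumptions made for the illustration; the code bytes and the addresses of `main` and `i` are taken from the first post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows page-protection values (winnt.h). */
#define PAGE_READWRITE         0x04
#define PAGE_WRITECOPY         0x08
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#define WRITABLE_MASK (PAGE_READWRITE | PAGE_WRITECOPY | \
                       PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

struct region {              /* hypothetical model of one mapped region */
    uint64_t base;           /* start address in the target process */
    uint32_t protect;        /* page protection of the region */
    const uint8_t *bytes;    /* constructed copy of its contents */
    size_t size;
};

/* Constructed sample: the first bytes of main() from the listing, mapped as
   execute/read code, and a read/write stack page holding i = 100. */
static const uint8_t text_bytes[] = {0x55, 0x48, 0x89, 0xe5, 0x48, 0x83,
                                     0xec, 0x30, 0x89, 0x4d, 0x10};
static const uint8_t stack_bytes[0x20] = { [0x1c] = 0x64 };
static const struct region regions[] = {
    {0x140001450ULL, PAGE_EXECUTE_READ, text_bytes,  sizeof text_bytes},
    {0x212ffffa00ULL, PAGE_READWRITE,   stack_bytes, sizeof stack_bytes},
};

/* Return the address of the first match, or 0 if there is none.
   writable_only models a scan restricted to writable pages. */
uint64_t aob_scan(const uint8_t *pat, size_t n, int writable_only)
{
    for (size_t r = 0; r < sizeof regions / sizeof regions[0]; r++) {
        const struct region *rg = &regions[r];
        if (writable_only && !(rg->protect & WRITABLE_MASK))
            continue;        /* code pages are skipped here */
        for (size_t off = 0; n <= rg->size && off <= rg->size - n; off++)
            if (memcmp(rg->bytes + off, pat, n) == 0)
                return rg->base + off;
    }
    return 0;
}

int main(void) {
    const uint8_t code[] = {0x48, 0x83, 0xec, 0x30}; /* sub rsp,0x30 */
    printf("writable only: %llx\n", (unsigned long long)aob_scan(code, 4, 1));
    printf("all memory:    %llx\n", (unsigned long long)aob_scan(code, 4, 0));
    return 0;
}
```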
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25298 Location: The netherlands
|
Posted: Thu Feb 08, 2024 2:57 pm Post subject: |
|
|
use the processlist, not the window list
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping |
Andrej730 How do I cheat? Reputation: 0
Joined: 20 Jan 2024 Posts: 4
|
Posted: Fri Feb 09, 2024 12:18 am Post subject: |
|
|
Thank you!
Dark Byte wrote: | use the processlist, not the window list |
This was it! The variable address now has a value in the address list, I was able to find it by scan, and the instruction byte code can now be found through memory view.
Didn't know that process list vs window list are any different besides just the names and appearance, but in this case the process id is different from the window id. Should I always just prefer the processes?
ParkourPenguin wrote: | Right click the area in the main window with Writable / Executable / CoW checkboxes and select "Preset: scan all memory" |
That helped to find byte code through scan 👍
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25298 Location: The netherlands
|
Posted: Fri Feb 09, 2024 2:45 am Post subject: |
|
|
Quote: | Should I always just prefer the processes? |
If you know the process name it helps. But it's mostly just a Visual Studio thing as it reuses the console window for different runs.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping |