Reading a register at a specified memory address?

Tatsu808 (Newbie cheater)
Posted: Sat Nov 15, 2014 9:25 pm    Post subject: Reading a register at a specified memory address?

Hi Everyone,

I am trying to read the value of register ecx at a specified memory address which contains the following code:

Code:

mov eax, [edx+ecx*4+08]


In this case, that specified memory address is at 00BFB432 ("FxCore.dll"+1B432). The contents of the "extra info" window of memory address 00BFB432 are shown below. As you can see, the extra info window shows that ECX=000053C4.

Code:

  00BFB42C - movzx eax, al
  00BFB42F - lea ecx, [eax+ecx*4]
>>00BFB432 - mov eax, [edx+ecx*4+08]
  00BFB436 - pop edi
  00BFB437 - pop esi

copy memory
The value of the pointer needed to find this address is probably 4A507548

EAX = 3608EAE0    EDX = 4A507548   EBP = 0018F398
EBX = 3A7E85C8    ESI = 3A7E8610   ESP = 0018F02C
ECX = 000053C4    EDI = 000014F1   EIP = 00BFB436


I want to be able to read the value of register ECX at memory address 00BFB432 ("FxCore.dll"+1B432) via code injection. I wrote the following script to do this:

Code:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
registersymbol(myAddress)
alloc(myAddress,4)
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
mov [myAddress],ecx // <---- Copying the value of ecx to myAddress
mov eax,[edx+ecx*4+08]
pop edi

// Note: The only difference between the original code and newmem is the added "mov" command.
originalcode:
//mov eax,[edx+ecx*4+08]
//pop edi

exit:
jmp returnhere

"FxCore.dll"+1B432:
jmp newmem
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
unregistersymbol(myAddress) // release the symbol registered in [ENABLE] so it no longer points at freed memory
dealloc(myAddress)
dealloc(newmem)
"FxCore.dll"+1B432:
mov eax,[edx+ecx*4+08]
pop edi


So basically, all I'm doing is copying the value of ecx to a newly allocated memory address called "myAddress". I added this script to my cheat engine table, and enabled it. I then added the address "myAddress" to my cheat engine table. The address of "myAddress" was allocated to 02F80000. What I noticed is that the value of "myAddress" does not match the ECX value shown in the Extra Info window. For example, in the cheat engine table, myAddress=5660 and the Extra Info window shows ECX=000053C4. Why is that? How can I retrieve the same value of ECX which is shown by the Extra Info window?

Please feel free to discuss this with me. Going forward, I will try to figure this out. If I find a solution, I will post it.

Thank you.


Attachment extraInfo.png: A screenshot of the "Extra Info" window mentioned in this post.

Attachment cheatTable.png: My cheat engine table where myAddress was allocated to address 02F80000.


Last edited by Tatsu808 on Sun Nov 16, 2014 3:34 pm; edited 12 times in total
++METHOS (I post too much)
Posted: Sat Nov 15, 2014 10:07 pm

Did you set the actual address as myAddress? (e.g. 02F80000)
Tatsu808 (Newbie cheater)
Posted: Sat Nov 15, 2014 11:22 pm

Thank you for your reply ++METHOS. Yes, the address of myAddress is 02F80000. In the attachment, I decided to set the description of address 02F80000 to "myAddress" for clarity reasons.
++METHOS (I post too much)
Posted: Sun Nov 16, 2014 12:19 am

Set the address value to myAddress.
Tatsu808 (Newbie cheater)
Posted: Sun Nov 16, 2014 12:50 am

Yes, the address value is set to myAddress. When viewed in the cheat table, it is shown as 02F80000. This is what you mean right?

Attachment myAddress.png (screenshot of the myAddress entry in the cheat table).

Tatsu808 (Newbie cheater)
Posted: Sun Nov 16, 2014 5:14 pm

Okay so I think I know why the ECX value stored in myAddress keeps changing and is not equal to the ECX value that is being shown in the extra info window.

It's probably because register values are not guaranteed to be preserved even though I am storing the value of ecx at a specific code line. The code in the game is re-using the ecx register and thus, the value is constantly changing.
Thus, it seems that the allocated "myAddress" is actually a pointer to register ECX. As the value within ECX changes, myAddress which points to ECX will change too.

I need to ponder and think about this for a bit.... will let you know if I find any solutions.
++METHOS (I post too much)
Posted: Sun Nov 16, 2014 8:08 pm

Here's the thing...if the value of the register is constantly changing, then it's accessing multiple addresses. When that happens, you have to filter out the unwanted addresses. You may have to set a breakpoint to see the register values for your targeted address to see if there is anything that you can use as a filter. You can also check to see which addresses the instruction is accessing...from there, you can compare your targeted address with the others by dissecting data structures to find a suitable ID for filtering purposes. Once you've done that, grabbing the correct value of ECX should not be a problem.
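An added example, not posted by anyone in this thread, showing the filtering ++METHOS describes as a Cheat Engine auto-assembler script: the hook recomputes the address the hooked mov is about to read (edx+ecx*4+08, the instruction's own operand) and stores ecx only when that address equals the one being watched. targetAddress is an assumed symbol you fill in with the address you ran "Find out what accesses this address" on; myAddress receives the matching ecx value and can be added to the table as before.

```asm
[ENABLE]
alloc(newmem,2048)
alloc(myAddress,4)
alloc(targetAddress,4)
registersymbol(myAddress)
registersymbol(targetAddress)
label(returnhere)
label(originalcode)
label(skip)

targetAddress:
dd 00000000   // placeholder: set to the address you ran "Find out what accesses" on

newmem:
pushfd                   // cmp below clobbers the flags; preserve them for the game's code
push eax
lea eax,[edx+ecx*4+08]   // the address the hooked mov is about to read
cmp eax,[targetAddress]
pop eax                  // pop does not touch the flags, so the jne still sees the cmp result
jne skip                 // a different element is being read: ignore this ecx
mov [myAddress],ecx      // only the access that hits the watched address lands here
skip:
popfd

originalcode:
mov eax,[edx+ecx*4+08]
pop edi
jmp returnhere

"FxCore.dll"+1B432:
jmp newmem
returnhere:

[DISABLE]
"FxCore.dll"+1B432:
mov eax,[edx+ecx*4+08]
pop edi
unregistersymbol(myAddress)
unregistersymbol(targetAddress)
dealloc(newmem)
dealloc(myAddress)
dealloc(targetAddress)
```

Set targetAddress (either in the dd line or by editing the symbol from the table) before enabling; while it is 0 no access matches and myAddress is never written.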