Cheat Engine

rog9001

Ok so I found this funny cheat which lets cars spin rapidly and then fly up in Asphalt 8 but I am having issues with this stuff... I am trying to make a read and then write trainer where it reads whats in the address and then it writes to it. Here is the code:

ParkourPenguin · Posted: Fri Apr 22, 2016 12:47 pm Post subject:

You can't just read and write from the start of an instruction and expect to get a coherent value for the immediate operand.

An instruction's machine code is broken up into two parts: the opcode and the operand(s). The opcode specifies what it's suppose to do (i.e. move data), and the operands specify the data it's working with (i.e. the r/m32 and the imm32). So, target the address of the immediate operand instead.

If you look at the bytes, you'll see C7 40 10 01 00 00 00 for the instruction mov [eax+10],00000001. It should be clear from looking at this that the immediate starts 3 bytes after the start of the instruction. So, instead of reading/writing from/to 00D1FD6C, use 00D1FD6F.

As for an explanation of those numbers you're getting:
17842375 (decimal) = 011040C7 (hex) = C7 40 10 01 (AoB)
1065159 (decimal) = 001040C7 (hex) = C7 40 10 00 (AoB)

rog9001 · Posted: Fri Apr 22, 2016 2:30 pm Post subject:

ParkourPenguin Thanks for the help but could you explain what you mean by this

ParkourPenguin · Posted: Fri Apr 22, 2016 2:51 pm Post subject:

It's how data is stored. A 4-byte integer decimal number is stored into bits in the form of powers of 2, or the binary number system (e.g. 138 = 2^7 + 2^3 + 2^1). These bits are grouped together into bytes to form hexadecimal numbers (e.g. 138 = 10001010 (binary) = 8A (hex)). Sequences of multiple bytes are usually stored in the little endian format, where the least significant byte comes first.

If you understand that and you look at the mnemonic mov [eax+10],00000001, then it should be clear that the immediate 1 will be represented as 01 00 00 00 in the machine code. After you get some experience in asm, you can look at machine code and be able to tell what's what without even needing to think about it. For example, I know that the byte C7 is the opcode of the mov instruction, the byte 40 represents [eax+offs8], 10 is the offs8, and the rest is the imm32.