Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Text Pointer Help Needed

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking
View previous topic :: View next topic  
Author Message
bobbyHead
How do I cheat?
Reputation: 0

Joined: 20 May 2010
Posts: 2
PostPosted: Thu May 20, 2010 10:52 pm    Post subject: Text Pointer Help Needed Reply with quote
Hi all
I’m trying to track down a pointer to a some text.
I can find it through the text scan and get an Address Like
0917824C of Type Text[2]
And it show the text as it changes, so i find out what writes to this address
And i get the following four

Code:
00408bee - c6 00 00 - mov byte ptr [eax],00
00408c16 - 83 e1 03 - and ecx,03
00408c19 - f3 a4 - repe movsb
00408c26 - c6 04 28 00 - mov byte ptr [eax+ebp],00


So im thinking “repe movsb” is the one I’m after, so i open more info’ and get

Code:
00408c14 - mov ecx,edx
00408c16 - and ecx,03
00408c19 - repe movsb
00408c1b - cmp dword ptr [ebx+18],10
00408c1f - mov [ebx+14],ebp

EAX=0917824C EDX=00000002 EBP=00000002
EBX=09178248 ESI=1181F2CA ESP=1181F22C
ECX=00000000 EDI=0917824E EIP=00408C1B


With a little googling I find out that “repe movsb” moves the data in esi to edi (could be wrong here)
So i go back to scan for “1181F2CA” and it returns nothing!!!


Having a quick look at the disassemble i find
Code:
00408C05 - eb 02                      - jmp 00408c09
00408C07 - 8b f8                      - mov edi,eax
00408C09 - 03 f2                      - add esi,edx
00408C0B - 8b cd                      - mov ecx,ebp
00408C0D - 8b d1                      - mov edx,ecx
00408C0F - c1 e9 02                   - shr ecx,02
00408C12 - f3 a5                      - repe movsd
00408C14 - 8b ca                      - mov ecx,edx
00408C16 - 83 e1 03                   - and ecx,03
00408C19 - f3 a4                      - repe movsb
00408C1B - 83 7b 18 10                - cmp dword ptr [ebx+18],10
00408C1F - 89 6b 14                   - mov [ebx+14],ebp
00408C22 - 72 02                      - jb 00408c26
00408C24 - 8b 00                      - mov eax,[eax]

Not knowing ASM i can only assume that edi and esi get set at 00408c07 and 00408c09,
but thats where i get stuck again don’t know how to bring up more info on address 00408c07 or 00408c09


Where am i going wrong plz help
Thanks
Back to top
View user's profile Send private message
bobbyHead
How do I cheat?
Reputation: 0

Joined: 20 May 2010
Posts: 2
PostPosted: Sun May 23, 2010 8:02 pm    Post subject: Reply with quote
Ok, So I’m back at it this time I go a little deeper into the ASM code and now know how to use Debug->Toggle Breakpoint
Code:
>>00408BF8 - 8d 57 04                 - lea edx,[edi+04]
00408BFB - 39 43 18                   - cmp [ebx+18],eax
00408BFE - 8d 43 04                   - lea eax,[ebx+04]
00408C01 - 72 04                      - jb 00408c07
00408C03 - 8b 38                      - mov edi,[eax]
00408C05 - eb 02                      - jmp 00408c09
00408C07 - 8b f8                      - mov edi,eax
00408C09 - 03 f2                      - add esi,edx
00408C0B - 8b cd                      - mov ecx,ebp
00408C0D - 8b d1                      - mov edx,ecx
00408C0F - c1 e9 02                   - shr ecx,02
00408C12 - f3 a5                      - repe movsd
00408C14 - 8b ca                      - mov ecx,edx
00408C16 - 83 e1 03                   - and ecx,03
00408C19 - f3 a4                      - repe movsb

Registers
EAX 00000010
EBX 06B5B0EC
ECX 0000000F
EDX 01A80048
ESI 00000000
EDI 0012F7E4
EBP 00000009
ESP 0012F74C
EIP 00408BF8

Flags
CF 1
PF 1
AF 0
ZF 0
SF 1
DF 0
OF 0

So as before I come to the
Code:
 repe movsd

Trace back to
Code:
add esi,edx

Trace that back to
Code:
lea edx,[edi+04]

Do a Breakpoint , and find the Address of EDI is “0012F7E4”. Done a scan for “0012F7E4” and got one result “0012F760” so I do an “Add Address Manually” and add “0012F760” as a Pointer with an offset of 4 (type both text and 4 bytes) but all i get is a scrolling value and not one of them is equal to the text I’m looking for.

Can any point out what I’m doing wrong, Have any Hints on how to find this text Pointer?
Thanks for Reading again

Edit:
Found an error myself, Embarassed
Code:
lea edx, [edi+4]

Means if EDI = “0012F7E4” then I should be looking for “0012F7E8”, which just happens to be the value of ESI at
Code:
repe movsd

Who would have thought it! Question
So back to square one, I’m unable to find the value of ESI when I scan for it after I do a more info on
Code:
repe movsd
Back to top
View user's profile Send private message
Skull Kid
Expert Cheater
Reputation: 2

Joined: 03 Jul 2009
Posts: 146
PostPosted: Thu Jun 03, 2010 4:31 pm    Post subject: I got this too! Reply with quote
I'm also having problems with this! I play a game called Robot Wars Extreme Destruction and in the game, when you're about to start fighting, the status/info screen pops up before every robot, telling info about them. It's the "Weight" info I want to change and freeze to 100KG but it seems every time the status/info screen jumps back to my own robot, the address to the "Weight" Value has changed! Is there any way to find a pointer to this "Text" and freeze it?
_________________
Regards,

Skull Kid

Originally known as "saken".
Back to top
View user's profile Send private message
kantoboy69
Advanced Cheater
Reputation: 2

Joined: 31 Mar 2010
Posts: 71
Location: Manila
PostPosted: Sat Jun 12, 2010 2:25 am    Post subject: Reply with quote
Quote:
@bobbyHead

00408C0D - 8b d1 - mov edx,ecx
00408C0F - c1 e9 02 - shr ecx,02
00408C12 - f3 a5 - repe movsd
00408C14 - 8b ca - mov ecx,edx
00408C16 - 83 e1 03 - and ecx,03
00408C19 - f3 a4 - repe movsb


ecx is the length of string

example "Hello world" without quotes is 11

notice that ecx value is copied to edx
then the next instruction is shr ecx, 2 which in result divides the ecx value by 4 much light dividing integers with an integer result.

repe movsd moves 4 bytes at a time from esi (the source) to edi (the destination) so it would move 8 bytes since ecx value is now two.

next instruction is mov ecx, edx copying back the value of ecx from before which is 11. Uses AND ecx, 03 which in result is something like modulus of 4 (getting the remainder of a division) thus the value of ecx will become 3 and the instruction repe movsb moves 1 byte at a time from esi (the source) to edi (the destination)


Note:
* if ecx is zero repe will not get triggered
* repe means repeat instruction and the counter is in ecx register and also directional (I forgot which flag triggers the direction). Depending on flag it may look like this using movsd

sub esi, 4
sub edi, 4

or

add esi, 4
add edi, 4

Automatically esi and edi is incremented/decremented whenever a movsd and movsb is used.
_________________
Cheater always prosper Hitler
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites