navarone Advanced Cheater
Posted: Wed Jun 16, 2010 2:37 am Post subject: I feel like crying.
I can't understand a single thing when it comes to memory and memory allocation.
What are addresses, lol? Sounds like a stupid question, but I understand that RAM is split into addresses, each of which can hold 1 byte.
So a 1 GB RAM should have more addresses than a 512 MB RAM? Shouldn't opcodes + arguments take more space than 1 byte anyway? So it's impossible, assembly-wise, to put Mov Eax,ECX in a single address. 0_o?
I did my homework honestly, I am trying to read lots of stuff to hopefully get how memory works, but with no luck.
Why do we use endians anyway? Why do we have to reverse every single thing we read from the dump?
If someone has a tutorial intended for absolute retards about memory allocation, I would be grateful, lol.
Radiation Grandmaster Cheater
Posted: Wed Jun 16, 2010 2:50 pm Post subject: |
No, addresses are stored as bits (1001001111001010001).
Then you can translate them into bytes (85 C0 89 91 78 01 00 00),
and then you can take that apart and translate it into human-readable ASM (opcodes, as you said): (mov eax,ecx).
So yeah, memory is not letters like "mov eax,ecx", it's bits (1001001111001010001).
I hope I explained that well enough.
Slugsnack Grandmaster Cheater Supreme
Posted: Wed Jun 16, 2010 3:12 pm Post subject: |
One of the main functions of an operating system is resource management, and one of the things that comes under this is abstracting the memory system, thereby making it so it doesn't make a difference what physical constraints are there. It does this by virtual memory. There are plenty of places where you can read up on that, but if you do come across something you don't understand, post back here and I'll explain.
Some opcodes take 1 byte, others take more. When we say what address an instruction is on, we say where the START of that instruction is. Then, say the instruction is 5 bytes; then the next instruction will be at the address of that instruction + 5.
Here's a nice article on endianness and a suggestion as to why Intel uses little endian:
http://www.noveltheory.com/techpapers/endian.asp
And none of your questions are stupid. What do you want to know about memory allocation then?
navarone Advanced Cheater
Posted: Wed Jun 16, 2010 6:55 pm Post subject: |
Quote: "Some opcodes take 1 byte, others take more. When we say what address an instruction is on, we say where the START of that instruction is. Then, say the instruction is 5 bytes; then the next instruction will be at the address of that instruction + 5."
That totally makes sense. Is it the processor's job to figure out that the command is composed of 5 bytes and therefore it should request the next 4 addresses, or are different opcodes separated by null bytes, lol?
And why do all opcodes appear on a single address with Olly?
Thanks a lot SlugSnack and itapa anyway, I can't begin to describe how helpful your posts were to me.
hcavolsdsadgadsg I'm a spammer
Posted: Wed Jun 16, 2010 7:39 pm Post subject: |
navarone wrote: "And why do all opcodes appear on a single address with Olly? Thanks a lot SlugSnack and itapa anyway, I can't begin to describe how helpful your posts were to me."
Look at the next address, it's (probably) not 1 away.
navarone Advanced Cheater
Posted: Wed Jun 16, 2010 7:49 pm Post subject: |
Lulz. How the hell did I not notice that before.
Edit: Yep, a command like RETN is C3 in hex and takes a single address, while MOV ECX,DWORD PTR SS:[ESP+4] is 8B4C2404 in hex and occupies 4 addresses.
Everything is making sense now!
Thanks Slovach.
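Added example, not code from anyone in this thread: a tiny walker over the bytes quoted above (Radiation's 85 C0 89 91 78 01 00 00 followed by navarone's 8B 4C 24 04 and C3) that does what Slugsnack describes, namely records each instruction's START address, works out its length from the opcode and ModRM/SIB bytes, and places the next instruction at start + length. It also shows where the "reversed" bytes come from: the 32-bit displacement 78 01 00 00 is stored little-endian and decodes to 0x178. It assumes 32-bit mode, no prefixes, and only the four opcodes seen in the thread; the load address 0x401000 is constructed.

```python
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def decode_modrm(code, i):
    """Decode the ModRM byte at code[i] plus any SIB/displacement that follows.
    Returns (reg operand, r/m operand text, bytes consumed)."""
    modrm = code[i]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    n = 1
    if mod == 3:                        # register-direct form, e.g. 85 C0 = test eax,eax
        return REGS[reg], REGS[rm], n
    if mod == 0 and rm == 5:
        raise NotImplementedError("absolute disp32 form not handled in this example")
    base = REGS[rm]
    if rm == 4:                         # rm=100 means a SIB byte follows (needed for [esp+...])
        sib = code[i + n]
        n += 1
        if (sib >> 3) & 7 != 4:
            raise NotImplementedError("scaled index not handled in this example")
        base = REGS[sib & 7]
    disp = 0
    if mod == 1:                        # 1-byte signed displacement
        disp = int.from_bytes(code[i + n:i + n + 1], "little", signed=True)
        n += 1
    elif mod == 2:                      # 4-byte displacement, stored little-endian in memory:
        disp = int.from_bytes(code[i + n:i + n + 4], "little", signed=True)  # 78 01 00 00 -> 0x178
        n += 4
    mem = f"dword ptr [{base}{disp:+#x}]" if disp else f"dword ptr [{base}]"
    return REGS[reg], mem, n

def disassemble(code, base_addr):
    """Return a list of (address, length, text). The address is the START of the
    instruction's bytes; the next instruction begins at address + length."""
    out, i = [], 0
    while i < len(code):
        op, start = code[i], base_addr + i
        if op == 0xC3:                  # single-byte opcode: occupies exactly one address
            out.append((start, 1, "retn"))
            i += 1
            continue
        if op not in (0x85, 0x89, 0x8B):
            raise NotImplementedError(f"opcode {op:#04x} not handled in this example")
        reg, rm, n = decode_modrm(code, i + 1)
        text = {0x85: f"test {rm},{reg}", 0x89: f"mov {rm},{reg}", 0x8B: f"mov {reg},{rm}"}[op]
        out.append((start, 1 + n, text))
        i += 1 + n
    return out

# Constructed sample: the byte run from Radiation's post, then navarone's two instructions.
SAMPLE = bytes.fromhex("85C0" "899178010000" "8B4C2404" "C3")

if __name__ == "__main__":
    for addr, length, text in disassemble(SAMPLE, 0x401000):
        off = addr - 0x401000
        print(f"{addr:08X}  {SAMPLE[off:off + length].hex().upper():<12} {text}")
```

Run as-is it prints the listing the way OllyDbg would show it: four rows whose addresses step by 2, 6, 4 and 1 bytes rather than by 1.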
Slugsnack Grandmaster Cheater Supreme
Posted: Wed Jun 16, 2010 8:42 pm Post subject: |
navarone wrote: "That totally makes sense. Is it the processor's job to figure out that the command is composed of 5 bytes and therefore it should request the next 4 addresses, or are different opcodes separated by null bytes, lol? And why do all opcodes appear on a single address with Olly? Thanks a lot SlugSnack and itapa anyway, I can't begin to describe how helpful your posts were to me."
Processors do not usually request addresses one at a time. They do a fetch-decode-execute cycle, which means the processor fetches an instruction, decodes what that instruction does, then executes it. In reality this is done, but a fetch does not just fetch one instruction, it fetches a whole bunch. This is put into the instruction cache and then the instruction is read from there instead. The processor has a program counter for each context to know where execution is at, at that point in time. On the x86 this is the EIP register.
navarone Advanced Cheater
Posted: Thu Jun 17, 2010 4:47 am Post subject: |
Yea, that's why clicking the EIP register in Olly takes us to where the code is executing.
Sorry if my last question is a little unrelated.
Why will Olly let me go step by step when executing a program from the start, but when its GUI appears, Olly automatically minimizes and I am left with the program's GUI? (Clicking menu buttons doesn't cause exceptions, so Olly doesn't debug again.)
tl;dr Olly won't follow the execution path and lets the game run by itself as soon as its GUI shows up. lol?
Slugsnack Grandmaster Cheater Supreme
Posted: Thu Jun 17, 2010 6:14 am Post subject: |
When a disassembler is stepping a program, a trap flag in the processor is set such that only one instruction executes at a time, and then OllyDbg catches the debug interrupt. When you run it, the trap flag is not set. To get to the point where you're able to step it again, you can set a breakpoint somewhere. When the code reaches there, it will break and you can step again. Breakpoints are set with F2 or by double-clicking the address. You need to find the handler for the clicks and breakpoint there, or else find a function which is called by the handler and break on that.
navarone Advanced Cheater
Posted: Thu Jun 17, 2010 5:56 pm Post subject: |
Alright, thanks again Slug. You're a very helpful person.
I will keep in mind to +rep as soon as I can (if you care about your rep anyway).