Cheat Engine The Official Site of Cheat Engine
low_density, Expert Cheater (Reputation: 1, Joined: 08 Aug 2009, Posts: 156)
Posted: Fri Dec 10, 2010 4:25 am, Post subject: Auto Assembler Problems
hi, just wanna ask, i've seen a lot of scripts for games that check if the base address is the player's, for example, with this code:
Code:
cmp word ptr [edi-dc],065C
can anyone explain to me how the checking works? for example, does it compare the value of the pointer stored in [edi+dc] with 065C? if yes, what does the "cmp word ptr" mean? thanks in advance...
Dark Byte, Site Admin (Reputation: 471, Joined: 09 May 2003, Posts: 25833, Location: The netherlands)
Posted: Fri Dec 10, 2010 4:44 am
yes, it checks if the value at edi-dc is 065c
the word ptr in front of it means only check the first 2 bytes of the value at that location
this kind of notation is used in object oriented games where the player class is its own class, but is used for other class objects as well.
e.g: CGameCharacter would be the base class and then you could have CPlayer and CComputer classes that inherit from CGameCharacter.
The CGameCharacter class contains the setHealth routine, so when CPlayer.setHealth is called the CGameCharacter's setHealth is called as well
Because the hook is placed at the setHealth of CGameCharacter you have to find out what the classtype is that called the setHealth routine, and you can often do that using the first pointer in the structure of the class which tends to point to a static address defining either CPlayer or CComputer
Of course, due to memory relocation not all 4 bytes are always the same, but the first 2 are always the same (2 and a half actually)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so i can keep helping
low_density, Expert Cheater (Reputation: 1, Joined: 08 Aug 2009, Posts: 156)
Posted: Fri Dec 10, 2010 11:04 am
hi, then if my game has this section:
Code:
1800C87C - 74 19 - je 1800c897
1800C87E - 8b 97 24 ff ff ff - mov edx,[edi-000000dc]
1800C884 - 8b 82 d8 01 00 00 - mov eax,[edx+000001d8]
1800C88A - 8d 8f 24 ff ff ff - lea ecx,[edi-000000dc]
1800C890 - 57 - push edi
1800C891 - ff d0 - call eax
1800C893 - 8b 0b - mov ecx,[ebx]
1800C895 - 89 0f - mov [edi],ecx
1800C897 - 8b c7 - mov eax,edi
and with "mov [edi],ecx" being the instruction that writes to the address of the health, so from the code, can you defer out which code is the player structure address? i'm having some trouble finding the base player structure address...
Dark Byte, Site Admin (Reputation: 471, Joined: 09 May 2003, Posts: 25833, Location: The netherlands)
Posted: Fri Dec 10, 2010 11:41 am
I have no idea what you're looking at or why you're looking at that, but this is just a function call in a class
Is this game code or code of a routine you injected?
anyhow,
edx gets the class info structure (basically a list of pointers to functions)
place in eax the address of function which is stored at edx+1d8
set ecx (the class pointer in c++) to the start of the structure (edi-dc)
call the routine
assuming that edi does not get changed by the function call you can assume that the base address of the structure is still edi-dc, and the previous call was just to get the value that has to be set.
low_density, Expert Cheater (Reputation: 1, Joined: 08 Aug 2009, Posts: 156)
Posted: Fri Dec 10, 2010 12:15 pm
that is game code, for the game half life 2 episode 1.... no, the value of edi isn't changed at all throughout the routine... if it's like what you said, the base structure address is at edi-dc, how do you compare the digit? for example, when an antlion hits my character, i get these addresses when i toggle a breakpoint at "mov [edi],ecx"...
Code:
EAX 18B0A014 CF 0
EBX 0018CAB8 PF 0
ECX 0000005F AF 0
EDX 00000007 ZF 0
ESI 22E15C34 SF 0
EDI 22E15C34 DF 0
EBP 1851E194 OF 0
ESP 0018CA84
EIP 1800C895
CS 0023
SS 002B
DS 002B
ES 002B
FS 0053
GS 002B
and when i check out what the value at edi-dc is, it's "BC E6 51 18"... so do i use "cmp word ptr [edi-dc],1851"? i tried that but it doesn't seem to be working... here below is a script of yours which i adapted from a post for half life 2 episode 2 inf hp...
Code:
[ENABLE]
alloc(newmem,256)
label(returnhere)
label(originalcode)
label(exit)
server.dll+2C891:
jmp newmem
nop
returnhere:
newmem:
call eax
mov ecx,[ebx]
cmp word ptr [edi-dc],1851
je exit
originalcode:
mov [edi],ecx
exit:
jmp returnhere
[DISABLE]
dealloc(newmem)
server.dll+2C891:
call eax
mov ecx,[ebx]
mov [edi],ecx
can you point out to me what is wrong in the script? i'm really confused...
Dark Byte, Site Admin (Reputation: 471, Joined: 09 May 2003, Posts: 25833, Location: The netherlands)
Posted: Fri Dec 10, 2010 1:14 pm
BC E6 51 18 means address 1851e6bc
because the first 3 digits of this address can change quite often do a check for the lower bytes (so bc e6)
So do something like:
cmp word ptr [edi-dc],e6bc
je exit
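An added example, not from the thread or from Cheat Engine, that models what "cmp word ptr [edi-dc],imm" sees when the 4 bytes at edi-dc are the "BC E6 51 18" from the register dump above, and why Dark Byte's e6bc works where 1851 did not. The byte arrays are constructed inputs; the "relocated" variant is a hypothetical value chosen only to show the upper bytes changing while the low word stays the same.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed input: the bytes low_density saw at edi-dc, "BC E6 51 18". */
const uint8_t kSeenBytes[4] = {0xBC, 0xE6, 0x51, 0x18};
/* Constructed, hypothetical input: the same pointer after the module has
   moved in memory, so only the upper bytes differ (not from the thread). */
const uint8_t kRelocatedBytes[4] = {0xBC, 0xE6, 0x52, 0x18};

/* x86 is little-endian: the byte at the lowest address is the least
   significant, so "BC E6 51 18" in memory is the dword 0x1851E6BC. */
uint32_t read_dword_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* "word ptr [addr]" reads only the first 2 bytes at addr, which are the
   LOW 16 bits of the dword stored there: 0xE6BC, not 0x1851. */
uint16_t read_word_le(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Models "cmp word ptr [edi-dc],imm16" followed by "je": returns 1 if the
   jump would be taken (operands equal), 0 otherwise. */
int word_cmp_equal(const uint8_t *structure_base, uint16_t imm16) {
    return read_word_le(structure_base) == imm16;
}

/* Models a full "cmp dword ptr [edi-dc],imm32" for contrast: this is the
   check that stops matching once the upper bytes of the pointer change. */
int dword_cmp_equal(const uint8_t *structure_base, uint32_t imm32) {
    return read_dword_le(structure_base) == imm32;
}

int main(void) {
    printf("dword at edi-dc: %08X  word ptr: %04X\n",
           read_dword_le(kSeenBytes), read_word_le(kSeenBytes));
    /* The posted script compared against the wrong half of the pointer. */
    printf("cmp word ptr [edi-dc],1851 -> %s\n",
           word_cmp_equal(kSeenBytes, 0x1851) ? "je taken" : "je not taken");
    printf("cmp word ptr [edi-dc],e6bc -> %s\n",
           word_cmp_equal(kSeenBytes, 0xE6BC) ? "je taken" : "je not taken");
    /* After relocation the low word still matches; the full dword does not. */
    printf("relocated: word check %d, dword check %d\n",
           word_cmp_equal(kRelocatedBytes, 0xE6BC),
           dword_cmp_equal(kRelocatedBytes, 0x1851E6BCu));
    return 0;
}
```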