Cheat Engine The Official Site of Cheat Engine

mordax Expert Cheater
Reputation: 1
Joined: 16 Apr 2010 Posts: 138
Posted: Sun Jan 09, 2011 4:22 pm Post subject: help with debugger please - need to replace value
Hi. It's hard to explain, so I'll just put an example of what I would like to do.
In the game, there is a value that keeps changing. I don't want to freeze it, I want to write my own value there and then keep it frozen.
So I find the value, breakpoint it and find the breakpoint. Usually I use Tsearch and its easywrite (asm) to write a script, but I'm lost here.
Cheat Engine shows this instruction: "fst dword ptr [edi]"
How can I replace this with my own value?
In Tsearch I usually did something like "mov dword ptr [eax+8C],0xFFFF",
where FFFF is the value I want it to be. How would it look with my example?
I hope it's not too much of a mess.

killmanx27 Expert Cheater
Reputation: 1
Joined: 03 Oct 2010 Posts: 130 Location: Canada :D
Posted: Sun Jan 09, 2011 11:01 pm
I think the code says [store float at edi]. You could try this:
You can change 100 to whatever you want. I'm sorry if I am wrong, I'm still learning AA. You could also freeze the value then change it to whatever you want, if that is what you mean.

Geri Moderator
Reputation: 111
Joined: 05 Feb 2010 Posts: 5636
Posted: Mon Jan 10, 2011 12:50 am
Yes, it is a float, but if You use #, it will be an integer.
This will give You 100 in float.
Code: | mov [edi],(float)100 |
Or this:

mordax Expert Cheater
Reputation: 1
Joined: 16 Apr 2010 Posts: 138
Posted: Mon Jan 10, 2011 12:22 pm
Instant crash, tried all 3 of them, not working.
Here's more info.
This is the instruction in Cheat Engine's memory viewer.
Code: | 1012A3B1 D9 17 fst dword ptr [edi] |
This is the next instruction already, which means that I can't write more than 2 bytes there.
This here:
Code: | 1012A3B1 D9 17 fst dword ptr [edi] |
writes a value to an address (the value I want to change and where I got to this breakpoint). So I want to change it and tell it to ALWAYS write 55555, no matter what.
My friend told me to use jmp, but I don't know how.
Something like
jmp 0x10000
mov [edi],(float)100
jmp 0x1012A3B3
so it jumps to my address, executes the code and then jumps to the next instruction.

Geri Moderator
Reputation: 111
Joined: 05 Feb 2010 Posts: 5636
Posted: Mon Jan 10, 2011 12:25 pm
Yes, You need to use code injection. As it is done in Step 7 of the Cheat Engine tutorial.

mordax Expert Cheater
Reputation: 1
Joined: 16 Apr 2010 Posts: 138
Posted: Mon Jan 10, 2011 2:12 pm
Plz guys, I have written trainers before and I know what code injection is and how to do it.
It is no use to me if I don't know the specific instruction that I need to inject, but thanks for offering.
Never mind this anyway, it is impossible to make what I tried, because this instruction is used for many other things too, this is why the game crashes.
Now a new question: how do I replace a specific thing?
Here's an example.
Code: | fst dword ptr [edi] at 1012A3B1 | is used for 3 things:
health
ammo
armor
How can I make it write 100 ONLY to AMMO and leave health and armor alone?
I know it's not hard, but I'm just missing something here.
Note that this was only an example, my case is much more complicated. This breakpoint with this instruction writes to about 20 different addresses, only one of them being the one I'm after.

kemicza Newbie cheater
Reputation: 0
Joined: 10 Jan 2011 Posts: 11 Location: Belgium
Posted: Mon Jan 10, 2011 3:02 pm
First of all, if you want to inject something into [edi], make sure that you do it after the fst instruction, because if you do it before, fst will "oversave" it again, so nothing will happen basically.
Second, if it's shared, the first thing you need to look for is an instruction that is NOT shared. You do this by putting a read/write/access breakpoint and analyzing all returned addresses. If you can't find it then you try to analyze the registers (eax, ebx, ecx, edx, etc.) by setting a breakpoint at that current instruction. You try to look for a value in a register that will only be the same for a certain value for edi (which is your address/pointer to your health, ammo, etc.). For example, if eax is always 1 when your edi is your ammo value, then you can make a code injection to make a "cmp eax,1" etc.
Then there are other methods, where you trace back the calls where it came from. Usually health/ammo/etc. will be called from a different location (not always tho), so you can set a flag (one byte in memory) from where ammo is called from, then compare it in your actual cave. When your flag value is 1, then you will know ammo was being called, and you can inject anything you want.
A third method is to actually figure out where the value of edi comes from. So you analyze the assembly code and try to understand it. If before you had something like this:
Code: | mov edi, dword ptr [eax*4+ebx] |
Now it's possible that eax might be used as some kind of selector. Like 0 for ammo, 1 for health etc., or ebx in that case. So you will need some debugging skills to figure it out. And of course some creativity in your code cave and in general.
There are probably more methods, but these are the ones I use and they work most of the time.
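
The register check described in the post above, as an added example that is not part of the original thread: it reads a log of breakpoint hits at the shared instruction and reports which registers hold one fixed value only when edi points at the wanted address. The hit log and all register values are constructed for illustration; only the address 17DD4E50 comes from the thread.

```python
TARGET = 0x17DD4E50  # address named in the thread

# Constructed sample: register snapshots taken each time the shared
# "fst dword ptr [edi]" instruction was hit. Values are made up.
HITS = [
    {"edi": 0x17DD4E50, "eax": 1, "ebx": 0x17DD4000, "ecx": 7, "edx": 0},
    {"edi": 0x17DD4E54, "eax": 0, "ebx": 0x17DD4000, "ecx": 7, "edx": 0},
    {"edi": 0x17DD4E58, "eax": 2, "ebx": 0x17DD4000, "ecx": 3, "edx": 0},
    {"edi": 0x17DD4E50, "eax": 1, "ebx": 0x17DD4000, "ecx": 9, "edx": 0},
    {"edi": 0x17E01230, "eax": 5, "ebx": 0x17E01000, "ecx": 1, "edx": 4},
]


def discriminating_registers(hits, target, pointer_reg="edi"):
    """Return {register: value} pairs usable as a compare at the shared
    instruction: the register has the same value on every hit that writes
    to `target`, and never has that value on a hit writing elsewhere."""
    on_target = [h for h in hits if h[pointer_reg] == target]
    others = [h for h in hits if h[pointer_reg] != target]
    if not on_target:
        raise ValueError("no hit in the log writes to the target address")

    result = {}
    for reg in on_target[0]:
        if reg == pointer_reg:
            continue  # the pointer itself is what we are trying to avoid
        values = {h[reg] for h in on_target}
        if len(values) != 1:
            continue  # varies between target hits, so not a stable marker
        value = values.pop()
        if any(h.get(reg) == value for h in others):
            continue  # other addresses share this value, so it is ambiguous
        result[reg] = value
    return result


if __name__ == "__main__":
    for reg, value in discriminating_registers(HITS, TARGET).items():
        print(f"candidate compare: cmp {reg},{value:X}")
```

A register that passes on a short log can still fail later, so the log should cover as many in-game actions as possible before the result is trusted.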

mordax Expert Cheater
Reputation: 1
Joined: 16 Apr 2010 Posts: 138
Posted: Mon Jan 10, 2011 3:19 pm
I don't understand it, I need more details.
As said before, I know how memory works, what comes from where and where it goes, but I need details. Like WHAT do I click in Cheat Engine, where do I click? What do I select?
I know the best way is to find the source address, where the value comes from, but I don't know how to find it.
Quote: | read/write/access breakpoint and analyzing all returned addresses |
For example, I don't understand this! There is no such thing in Cheat Engine, it uses completely different phrases. Olly debugger uses "breakpoint, on write" or "breakpoint, on read" and such, but not Cheat Engine.
I need a Cheat Engine specific guide, like what do I click in Cheat Engine.
I wasted 3 hours today, trying to figure it out using Olly, Tsearch and Cheat Engine.
I added a screenshot, here's the explanation.
>>1012A3B1 is the breakpoint of my address
17DD4E50 is my address
As seen in the upper right window, it writes to about 20 different addresses. (There will be more if you do more actions in game.)
So from this point, how do I go on isolating it and make it write a custom value only to 17DD4E50?
[Attached screenshot, 208.04 KB]

kemicza Newbie cheater
Reputation: 0
Joined: 10 Jan 2011 Posts: 11 Location: Belgium
Posted: Mon Jan 10, 2011 3:25 pm
Where did you find the address that's currently in your "Memory Viewer": 1012A3B1 ?
EDIT: ah I think I see it. I'm using version 5.6. What version are you, because when I set "Find out what accesses this address", I get another type of window than you.
EDIT: lol you are also using 5.6, it says on the top. Maybe reinstall it or get 6.0?

Geri Moderator
Reputation: 111
Joined: 05 Feb 2010 Posts: 5636
Posted: Mon Jan 10, 2011 3:43 pm
Quote: | For example, I don't understand this! There is no such thing in Cheat Engine, it uses completely different phrases. Olly debugger uses "breakpoint, on write" or "breakpoint, on read" and such, but not Cheat Engine.
I need a Cheat Engine specific guide, like what do I click in Cheat Engine. |
Read the helpfile. Especially for CE 6, it is pretty detailed and You can find all this info in it. Takes about a minute.
And if You know how to use a debugger already, it shouldn't be hard to understand how the CE debugger works. Basically the same way. Some options have different names but that shouldn't be a problem I guess.

Dacnomania Expert Cheater
Reputation: 1
Joined: 03 Sep 2010 Posts: 124
Posted: Tue Jan 11, 2011 4:04 am
If there's a value that keeps changing just put a hot key for pausing the game, then pause it.

Labyrnth Moderator
Reputation: 9
Joined: 28 Nov 2006 Posts: 6285
Posted: Tue Jan 18, 2011 5:59 pm
HI YAH KEMI!
mordax, I think you are in allocated memory.
Right click on the first address in the lower window and select goto address. Then type in 1012A3B1 in the lower memory window.
If you see allocation instead of being inside of a module then you need to find what reads, writes or accesses that address before you can move on.

Psy Grandmaster Cheater Supreme
Reputation: 1
Joined: 27 Mar 2008 Posts: 1366
Posted: Tue Jan 25, 2011 6:03 am
@mordax: That actually looks like java (from the screeny), with the code being dynamically allocated on each load. I think that's what you were getting at, Lab? Hey btw, long time. If this is the case, you haven't picked a very good game to train at your current understanding. The code spot will move, your injection will effectively break etc.
At any rate, that code spot is heavily shared with other stuff, so I'd suggest you go and look over code-injection tutorials and also those which cover compares. You need to be able to make a distinction between the variable you're trying to hack and all the other crap which is piped through that spot.
As for the breakpoint confusion, allow me to clarify a little bit. There are two different places where you can use a BP. You can place one on DATA, game variables that you have found, i.e. health/ammo etc. Or you can BP on CODE, that is game instructions that you have found after your initial debugging.
Now, what debugger it is you're using will determine what actual 'types' of BP you can place and where. For example, Olly will allow you to place memory breakpoints or hardware breakpoints in the memory pane view (generally used initially to find what accesses a given variable), and uses INT3 software BPs for standard BPs in code. Useful when actually reversing and tracing etc. CE has always allowed you to use the same method for finding code (memory access exceptions and debug regs), but I believe it only offers the debug regs (HW BPs) in the latest ver. For BP'ing in the assembler view, again it used to allow both hardware BPs and software BPs (int3's), but I think it's now just the HW BPs in v6.
I'm guessing some of that didn't make sense. This is why you need to read. People can only put so much help up here before it becomes a waste of time. After every post there will be a new question.
~Psych

Dark Byte Site Admin
Reputation: 468
Joined: 09 May 2003 Posts: 25717 Location: The netherlands
Posted: Tue Jan 25, 2011 7:40 am
Just to clarify, when you set a breakpoint on data variables it is a hardware breakpoint, but if you set one at the code it depends on the setting you have chosen. If it's set to hardware breakpoints it will use hw breakpoints until they are used up and then asks if you want to use an int3 bp instead. And if you have it set to int3 bp's it will use int3 bp's.