Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


How to find what address writes to another in c++? (like ce)

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming
View previous topic :: View next topic  
Author Message
Xtensity
Newbie cheater
Reputation: 0

Joined: 15 Mar 2010
Posts: 11

PostPosted: Sun Mar 17, 2013 8:17 pm    Post subject: How to find what address writes to another in c++? (like ce) Reply with quote

I have an address that gets written to nearly 100+ per second by about 100+ different other addresses. Cheat Engine only has the ability to show me the addresses writing to it, and since it is happening at such a rapid speed, I have no way of telling when a certain address writes a certain number to the one I am debugging.

For instance I have address 0x12EBFC. It changes about 100x per second. I managed to write something in C++ that tells me when it changes to the number I am looking for (3c)... but I have no way of finding out what address wrote that number to it.

If anyone has any way of finding only the address that writes a certain number, in either Cheat Engine itself or in c++ code.. help meh out Very Happy
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25796
Location: The netherlands

PostPosted: Sun Mar 17, 2013 8:30 pm    Post subject: Reply with quote

I can't currenty write a complex script from here, but look into debug_setBreakpoint("address", 4, bptWrite) and function debugger_onBreakpoint()

On access breakpoints have the added benefit that the break after the write, so when it breaks do a readInteger on the specific address and then if it matches print out EIP. (The actual instruction will be the one in front)

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
Xtensity
Newbie cheater
Reputation: 0

Joined: 15 Mar 2010
Posts: 11

PostPosted: Sun Mar 17, 2013 11:08 pm    Post subject: Reply with quote

Okay so I made this..... based off your post here (cant post link but it's called "Change register at breakpoint")
Code:

debug_removeBreakpoint(0x0012EBFC)

function debugger_onBreakpoint()
if readInteger(0x0012EBFC)==60 then
print(EIP)
else debug_continueFromBreakpoint(0)
sleep(10)
end
end
debug_setBreakpoint(0x0012EBFC,4, bptWrite)


I am trying to compare the value at my address to 3c(which is 60), am I doing it right, because it never prints even if the value is 3c? The value at my address becomes 3C000000 any time I jump in game, but only for a split second. If that value is hit then the debug_continueFromBreakpoint should never be called and the game should stay frozen on the breakpoint, but that doesn't happen. I can jump many times and it's as if the script never detects it. I tried setting the sleep value to 1 and the game didn't move at all, 10 allowed it to.

Is there any way I can set conditions inside of the debug_setBreakpoint function?

Also I still don't see how I am supposed to see/find the last instruction to write to the address on the breakpoint. Say I am able to get it to breakpoint right when my addys value is 3c/60, how do I find out the instruction that wrote that value?

If you want to know what my overall goal is, read below, it may help you help me :3
This address is the address of an Encrypted Packet Buffer. I have used OllyDbg and IDA Pro extensively but the code instructions are complex to the point where I can't find the source of the pre-encryption buffer. Basically if I can follow the code back 1 at a time to the instructions that write the buffer, it can lead me to the encryption/decryption instructions and even to the unencrypted packet buffer at which point the packets can be modified to alter gameplay.

The programmers of this game have made the encrypted buffer pass through some instructions that handle hundreds of other unrelated data per second, making it very hard to breakpoint the data and trace it back up. The headers of the packets are never encrypted, and all ingame actions have specific packet headers. By knowing the headers, I can use conditional breakpoints to break on these instructions that handles tons of random data to single out the instructions that write the data for the packets. This will enable me to trace to where that packet is initially created, without getting lost in the data traffic.

Once I finally get that static location of where the pre-encrypted packets rest for the split second that they do, then I have a c++ program to hook it and replace certain values that I want. Sort of like WPE filters, but getting to the packets before the encryption.

I'm not sure if knowing any of that helped, but perhaps you might be able to help me tweak the instructions further to make this possible. Logically, it is easily possible, I just need to make it so.
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25796
Location: The netherlands

PostPosted: Mon Mar 18, 2013 4:00 am    Post subject: Reply with quote

It also doesn't print anything ? (E.g it might continue as there is no return value specified)

The sleep when nothing happens should be removed. debugger_onBreakpoint() only gets called when a debug event happens, and those only continue when you exit the function

Are you using ce 6.2 or an earlier version? (Or one of the 6.2+ betas?)

As for conditions ,you have to set(program) them inside debugger_onBreakpoint() like the read that checks the value
Also, are you sure that the value is 3c000000 and not 0000003c? Because those are very different values.

Oh yes, i just remembered one thing that you can do as well. Pause the process using the pause button in ce. In memoryview select the 4 bytes that make up your address, rightclick and choose data breakpoint->break on write(or find what writes)
Then go to the breakpointlist, rightclick the new breakpoint and choose "set condition"
In the simple tab write "readInteger( 0x0012EBFC)==0x3c000000" and click ok
Now resume the process with the pause button

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
Xtensity
Newbie cheater
Reputation: 0

Joined: 15 Mar 2010
Posts: 11

PostPosted: Mon Mar 18, 2013 11:06 am    Post subject: Reply with quote

I am using 6.2
Dark Byte wrote:

Oh yes, i just remembered one thing that you can do as well. Pause the process using the pause button in ce. In memoryview select the 4 bytes that make up your address, rightclick and choose data breakpoint->break on write(or find what writes)
Then go to the breakpointlist, rightclick the new breakpoint and choose "set condition"
In the simple tab write "readInteger( 0x0012EBFC)==0x3c000000" and click ok
Now resume the process with the pause button

Okay I did that, but it never hit the break. I tried both(not at the same time)
Code:
readInteger( 0x0012EBFC)==0x3c000000
readInteger( 0x0012EBFC)==0x0000003c

The bytes at the address go to 3C 00 00 00 when I jumped, for a split second, as I have also confirmed in Ollydbg, though Cheat Engine never pauses on it. A lot of the times cheat engine will crash and close my game. Other times it lags the game to about 1 frame every 5 seconds(when the breakpoint is active). I'm not sure why it wont break on 3C. Ollydbg has no issue with conditional breakpoints though it has no method of finding out what writes to an address. Sometimes I wish I could combine the 2 but I can't have them both debugging the same process at the same time.

Even if I do manage to get cheat engine to pause when the value hits 3c... how am I supposed to find out the last address that wrote to it? Since the write to list doesn't put them in any kind of order.

Also tried
Code:

debug_removeBreakpoint(0x0012EBFC)

function debugger_onBreakpoint()
if readInteger(0x0012EBFC)==0x3c000000 then
print(EIP)
else debug_continueFromBreakpoint(0)
end
end

debug_setBreakpoint(0x0012EBFC,4, bptWrite)


This also totally prevents my game from moving(even if I try to pause/unpause/resume yet looking at the memory table the values keep changing at the rate they normally do.
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25796
Location: The netherlands

PostPosted: Tue Mar 19, 2013 6:57 am    Post subject: Reply with quote

Try a bptAccess
Perhaps the 3C gets written by a kernelmode function (can't break on that) but when it's read out you can break on that

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
Xtensity
Newbie cheater
Reputation: 0

Joined: 15 Mar 2010
Posts: 11

PostPosted: Tue Mar 19, 2013 1:41 pm    Post subject: Reply with quote

I've recently found something better and probably easier to do to locate my destination.


I found an address that I know gets passed to the encryption function. Imagine it's 0x0012DBF4. This is the pre-encrypted text buffer. At some point in a specific call that I have found, that address must be passed to the encryption function so the data at it can be encrypted.

Is there any way I can do a breakpoint the instant the EIP of the current instruction = 0x0012DBF4? I'm sure it's possible I'm just unsure how I would set it up. Theoretically this should pause the game immediately when that address is getting passed through a function.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites