Cheat Engine

vng21092 · Posted: Tue Sep 01, 2015 2:39 pm Post subject: Question about comparing values

Hey guys, lets say I have some hex value such as "ABCDXXXX" where XXXX always seems to be random, but ABCD is constant. How can I use a compare to figure out if such a value contains ABCD in it? And vice versa, if the order was "XXXXABCD" (I'd imagine comparing the first 4 bits vs the last 4 bits would be different)? Thanks.

Dark Byte · Posted: Tue Sep 01, 2015 2:56 pm Post subject:

scan for a 2 byte hexvalue "ABCD" the xxxx part will be 2 bytes in front of it

vng21092 · Posted: Tue Sep 01, 2015 3:06 pm Post subject:

Thanks DB, but finding the address is not the issue, I've got the address. But it just so happens that the instruction writing to it writes to a whole ton of other addresses that I have absolutely no clue what they are. I've dissected data structures and there is nothing to pick out the address I need, I only know that 4 bytes from it holds a value that usually starts with "F0F6" and then 4 other numbers (not sure what they mean, but it ALWAYS starts with F0F6, so it could be something like F0F62468). So in a script, can I have something like

-Compare [esi+4] with F0F6****, if the value contains "F0F6" as the first 2 byes (or last? not sure), jump to a different part of the code, else continue executing original code.

deama1234 · Posted: Tue Sep 01, 2015 3:13 pm Post subject:

if eax = FFFF 459F
then you can shift or rotate eax's address, then access ax for the lower half.

I think
ror eax,04 //will rotate it to the right, so the first half will swap with the lower half then you can just use "ax".

EDIT:
ror eax,10 //04 will just rotate it "once", 10 (16) will rotate a half.

vng21092 · Posted: Tue Sep 01, 2015 3:19 pm Post subject:

huh, interesting stuff. I'll definitely look into that. I never knew that but, is that was "ax" is? The last 4 bits of eax? If so, could I do something like "si" for the last 4 bits of esi? Thanks for mentioning that instruction though, I think I could work with that.

deama1234 · Posted: Tue Sep 01, 2015 3:22 pm Post subject:

Oh, forgot to mention; rotate it by 16 not 4 lol; that'll be too small.

si? Not sure about esi; try transfering it over to eax or ebx, or something with an "x" at the end (ax,bx,cx...).

EDIT: just tried it with "si", seems to work fine; guess it does work lol.

vng21092 · Posted: Tue Sep 01, 2015 3:25 pm Post subject:

deama1234 · Posted: Tue Sep 01, 2015 3:26 pm Post subject:

Yeah, I'm sure; just tested it out; 04 just "shifts" it once to the right.

vng21092 · Posted: Tue Sep 01, 2015 3:28 pm Post subject:

hmm ok, so I should be doing something like this?

Dark Byte · Posted: Tue Sep 01, 2015 3:33 pm Post subject:

use the ax registers or just use the word size, it makes things so much easier

deama1234 · Posted: Tue Sep 01, 2015 3:34 pm Post subject:

vng21092 · Posted: Tue Sep 01, 2015 3:37 pm Post subject:

@DB, can you explain a little what "word" is? And why is the offset +6 and not +4?

@deama1234, why would I move the address if I want to compare the value? I'm not really familiar with lea.

deama1234 · Posted: Tue Sep 01, 2015 3:44 pm Post subject:

vng21092 · Posted: Tue Sep 01, 2015 3:46 pm Post subject:

lol, well considering you said it worked with esi. I probably won't have to move it into eax, but I gotta step out for a moment, thank you both for now though Very Happy

deama1234 · Posted: Tue Sep 01, 2015 3:49 pm Post subject: