Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


AoB/Bytecode/Instruction Hacking Assistance

Cheat Engine Forum Index -> General Gamehacking
WTFsandwich
How do I cheat?
Reputation: 0

Joined: 28 May 2012
Posts: 2
Location: United States

PostPosted: Mon May 28, 2012 1:53 pm    Post subject: AoB/Bytecode/Instruction Hacking Assistance

In order to rekindle my interest in ASM, I'm attempting to hack some bytecodes. I have a little bit of knowledge on the subject, just a semester's worth of an assembly programming class.

However, it seems I've run into a bit of a snag in my current venture, and could use some help.

I'm playing through Sonic 1 for the Genesis again. What I am attempting to hack, is the number of rings I have.

I tried a simple value search, and turned up the address for rings; however, it is a 1-byte data type. This piqued my interest, as I know rings can go much higher than 255.

So far, what I've managed is to find the address of whatever instruction runs when a ring is picked up.

It is:

Code:

mov [edi+01],dl


Now, I've also noticed that once you pick up rings past 255, the actual address that stores the number rolls over and starts back at 0 with ring 256. This leads me to believe there's some sort of incrementation variable stored somewhere, that allows the game to know how many "sets" of 255 one has, though that's speculation and could be entirely wrong.

I looked through some of the tutorials in the tutorial section, but I didn't find much in terms of actual AoB hacking or changing instructions and the like. I tried the pointer tutorial in "COMPLETE Cheat Engine Tutorial" by YoungDragon (Tutorial 5) but at the point where I search for the "address that probably points here" I keep getting scan errors when I use a sufficiently large data type for said address.

To sum it up, there are a few things I'd like to do, most for the sake of learning. I'd like to know what to do with said instruction now that I've found it, to make it, say, count each ring 15 times, or to set the number of rings I have to 999. I'd also like to figure out how the game handles the rings in excess of 255, if it is indeed an incrementing variable that counts "sets" of 255 rings or if it's something else.

Any sort of insight into any of the above would be grand, and much appreciated.

Oh, and one more thing. Not sure if the terms AoB, Bytecode and Instruction are interchangeable. I'm a bit rusty on my terminology, so if I'm wrong, please don't hesitate to correct me.

I will attach screenshots in a few minutes, to help clarify anything I may have goofed up describing.

Thank you.

EDIT: Forgot to mention, it's on an emulator, though I'm pretty sure that's implied. Kega Fusion 3.64, if it matters at all. Screenshot added.



Attachment: CE Sonic Stuff.png
Description: On the left is the memory region of the instruction, next to that is the counter for the instruction, which runs every time a ring is picked up, and in the main CE window is the option I chose to find the instruction highlighted from right clicking the ad

Corruptor
Advanced Cheater
Reputation: 3

Joined: 10 Aug 2011
Posts: 82

PostPosted: Tue May 29, 2012 10:16 am

Intuitively, I would advise you to look into the disassembled code, set a breakpoint at the instruction and look at what it does when you have 255 rings and pick up another one. Now, I have somehow found emulators to look kinda weird when disassembled. Anyhow, you might give it a try.

As for the code you posted, I see this:

Code:
mov [edi],dh
mov [edi+01],dl ;<--- code accessing your ring count


Now, knowing that dh is the hibyte of the loword and dl the lobyte of the loword (down with the last letter), it looks like the "255-set" is standing directly in front of the value you found, which would mean that it is a 2-byte variable. What I personally think is that the Genesis - which is kinda common for consoles; I once ran into that pit with a Game Boy emulator - uses big-endian variables ("01 00" would be 256 in big endian, while "00 01" would be 256 in little endian), which would explain why you didn't find the counter using a 2-byte scan, but only using a 1-byte scan. May want to check this first.
WTFsandwich
How do I cheat?
Reputation: 0

Joined: 28 May 2012
Posts: 2
Location: United States

PostPosted: Wed May 30, 2012 2:24 am

Ah, endianness *shivers* Not my favorite concept in the world.

To clarify, little endian is typically the format used when doing binary arithmetic, correct? I.e., the rightmost bit is the 2^0 place, the second to rightmost is the 2^1 place, etc. Big endian is essentially the reverse of that, where the leftmost bit is 2^0, the second to leftmost is 2^1, etc. Is that correct?

Also, I'm unfamiliar with the dl and dh portions of the instructions, though based on your explanation I'm going to assume it has to do with bit order. Is hibyte another term for most significant bit?

Once I understand endianness better, what would be a good way to check said counter and see which order it follows? Can I reverse the endianness of the 2 byte search to find it?
Dark Byte
Site Admin
Reputation: 471

Joined: 09 May 2003
Posts: 25817
Location: The Netherlands

PostPosted: Wed May 30, 2012 2:54 am

Nope, I think that even in big endian, if you want to show it as binary, it still goes from right to left.

For a 2 byte value:
In little endian, bits 0 to 7 are stored on the first byte and bits 8 to 15 on the second byte

in big endian bits 0 to 7 are stored on the second byte and bits 8 to 15 on the first byte
---

dx is a 16-bit register. It can be split up into two 8-bit registers: dl and dh.
dl is bits 0 to 7 and dh is bits 8 to 15.

---
But to the point: this is an emulator you're debugging, not the game. The instruction you're getting is that of the emulator emulating a write to a specific address; this instruction is used for everything, from updating the timer to writing the pixels of Sonic to the display adapter.

Perhaps one of the registers, or a pointer path found in one of the registers, points to the rom's bytecode in the native assemblercode of the emulator cpu but you won't be able to change it easily with ce (it doesn't know that assemblercode)


Also, if you just wish to set values in big endian check this topic: http://forum.cheatengine.org/viewtopic.php?t=544988
It contains a script that adds big endian support to ce

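The two replies above make the same point from different sides: Corruptor's `mov [edi],dh` / `mov [edi+01],dl` pair stores the high byte of dx at the lower address (so the guest word ends up big-endian in host memory), and Dark Byte's note that dl is bits 0-7 and dh bits 8-15 explains why a default little-endian 2-byte scan misses that word while a 1-byte scan finds its low half. The script below is an added example written for this thread; it is not code from the posters, from Cheat Engine, or from the emulator. It keeps a 16-bit ring counter in a constructed block of emulated RAM, stores it through the same two byte writes, and runs the three scans over it. The address `RING_ADDR`, the RAM size and the neighbouring bytes are assumptions for the demo, not the real Sonic 1 or Kega Fusion layout.

```python
"""Added example, not code from the thread or from Cheat Engine.

Models a 16-bit ring counter that an emulator keeps in guest (big-endian)
byte order, written through the two byte stores the thread shows
(`mov [edi],dh` then `mov [edi+01],dl`), and runs the scans the thread
discusses over the emulated RAM. Addresses, sizes and neighbouring bytes
are constructed for the demo and are not the real game/emulator layout.
"""

RAM_SIZE = 0x10000      # 64 KiB of emulated work RAM (size chosen for the demo)
RING_ADDR = 0xFE20      # hypothetical location of the 16-bit ring counter


def split_dx(value):
    """Split a 16-bit value the way x86 exposes dx: dl = bits 0-7, dh = bits 8-15."""
    value &= 0xFFFF
    return value >> 8, value & 0xFF          # (dh, dl)


def write16_big_endian(ram, addr, value):
    """Store a guest word as `mov [edi],dh ; mov [edi+01],dl` does:
    the high byte lands at the lower address, so memory reads big-endian."""
    dh, dl = split_dx(value)
    ram[addr] = dh
    ram[addr + 1] = dl


def read16(ram, addr, big_endian=True):
    """Reassemble a 16-bit value from two bytes in either byte order."""
    return int.from_bytes(ram[addr:addr + 2], "big" if big_endian else "little")


def scan(ram, value, width, big_endian=False):
    """Return every address where `value` appears as a `width`-byte integer.

    width=1 has no byte order. width=2 with big_endian=False is what a default
    2-byte scan looks for; big_endian=True is the byte-swapped scan.
    """
    needle = value.to_bytes(width, "big" if big_endian else "little")
    hits, start = [], 0
    while (idx := ram.find(needle, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def make_ram(rings):
    """Fresh emulated RAM holding `rings` in the counter, with non-zero
    neighbours so a stray zero byte cannot produce an accidental match."""
    ram = bytearray(RAM_SIZE)
    ram[RING_ADDR - 1] = 0xAA      # constructed: some other variable before the counter
    ram[RING_ADDR + 2] = 0xBB      # constructed: some other variable after it
    write16_big_endian(ram, RING_ADDR, rings)
    return ram


def pick_up_ring(ram, worth=1):
    """The pickup path as a word read-modify-write; worth=15 is the
    'count each ring 15 times' idea from the first post."""
    write16_big_endian(ram, RING_ADDR, read16(ram, RING_ADDR) + worth)
    return read16(ram, RING_ADDR)


def set_rings(ram, rings):
    """Write an absolute count (e.g. 999) in guest byte order; returns the two bytes."""
    write16_big_endian(ram, RING_ADDR, rings)
    return bytes(ram[RING_ADDR:RING_ADDR + 2])


def demo():
    ram = make_ram(100)
    one_byte = scan(ram, 100, 1)                      # finds only the low byte, at RING_ADDR+1
    two_byte_le = scan(ram, 100, 2)                   # needle 64 00 is not in RAM: default scan misses
    two_byte_be = scan(ram, 100, 2, big_endian=True)  # needle 00 64 sits at RING_ADDR
    for _ in range(156):
        pick_up_ring(ram)                             # 255 -> 256: the low byte rolls over to 0
    low_after_256 = ram[RING_ADDR + 1]                # what the 1-byte address shows: 0
    high_after_256 = ram[RING_ADDR]                   # the "set counter" is just the high byte: 1
    return one_byte, two_byte_le, two_byte_be, low_after_256, high_after_256


if __name__ == "__main__":
    print(demo())
    print(set_rings(make_ram(0), 999).hex())          # 03e7, high byte first
```

Running it shows the 1-byte scan landing one byte past the real variable, the default 2-byte scan returning nothing, and the byte-swapped scan returning the true address; after the 256th ring the low byte reads 0 while the byte in front of it reads 1, which is the rollover the first post describes. The same byte-swap is what a big-endian scan option in Cheat Engine has to apply to the search value before comparing it with memory.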
All times are GMT - 6 Hours