Cheat Engine Forum (The Official Site of Cheat Engine)
very strange problem - ASM codes

Forum: Cheat Engine Forum Index -> General programming
supercharger
Advanced Cheater
Reputation: 0

Joined: 06 Aug 2009
Posts: 61

Posted: Fri Apr 01, 2011 8:41 am    Post subject: very strange problem - ASM codes

Today I wrote some code in a game, as below:

1000030C - 56 - push esi
1000030D - 57 - push edi
1000030E - 8b b6 58 06 00 00 - mov esi,[esi+00000658]
10000314 - 8b 79 20 - mov edi,[ecx+20]
10000317 - 83 c7 70 - add edi,70
1000031A - d9 46 08 - fld dword ptr [esi+08]
1000031D - d9 05 4c 26 40 00 - fld dword ptr [0040264c] 0.5
10000323 - ff 15 30 03 40 00 - call dword ptr [00400330] <-just a comparison module
10000329 - d9 5f fc - fstp dword ptr [edi-04]
......
pop edi
pop esi
ret


Just after I wrote it, I did a quick test, and the value of [edi-4] was right.
Then I added some other code below it.
When I finished the whole module, I did a lot of tests; every other function was correct (including lots of floating point value operations), but the value of [edi-4] stayed at 0x00000000.
I tried modifying that specific paragraph into:

mov eax,[esi+8]
mov [edi-4],eax

It still stayed at 0x00000000! But in CE, I used "find what writes to this address": that was the only line that wrote into [edi-4], and at that moment eax=3fxxxxxx, not 0x00000000.

Then I changed it into:

mov [edi-4],3f000000

Now it works.

I don't know what could have caused that problem. If the code is right, can the result be wrong?
I restarted the game several times, with or without CE running, and it still had the wrong result. So I am sure this is not a joke of CE, although it's April 1st today.
What is wrong then? Has someone encountered similar problems?


Last edited by supercharger on Fri Apr 01, 2011 8:47 am; edited 1 time in total
atom0s
Moderator
Reputation: 205

Joined: 25 Jan 2006
Posts: 8587
Location: 127.0.0.1

Posted: Fri Apr 01, 2011 8:47 am    Post subject:

Are you sure that EAX is containing a value other than 0 when you are attempting to store it back into [EDI-4]? If setting it with a raw value works but not with EAX, it seems that EAX has no value at the time you are attempting to set it.
_________________
- Retired.
supercharger
Advanced Cheater
Reputation: 0

Joined: 06 Aug 2009
Posts: 61

Posted: Fri Apr 01, 2011 8:53 am    Post subject:

"It still stayed at 0x00000000! But in CE, I used "find what writes to this address": that was the only line that wrote into [edi-4], and at that moment eax=3fxxxxxx, not 0x00000000."

Thanks for your reply, but I think eax contains a value since CE says eax=3fxxxxxx.
And is it possible that [esi+8] can't be read? But in my module, [esi] and [esi+4] are working correctly.
My CPU is a Pentium M 1.7G, and the whole game is working fine. I don't think the CPU or RAM has flaws.
atom0s
Moderator
Reputation: 205

Joined: 25 Jan 2006
Posts: 8587
Location: 127.0.0.1

Posted: Fri Apr 01, 2011 9:02 am    Post subject:

It could be something with the code you are injecting. Care to post the full thing that you are altering? If it were a read/write issue you'd probably crash with an access violation exception.
_________________
- Retired.
supercharger
Advanced Cheater
Reputation: 0

Joined: 06 Aug 2009
Posts: 61

Posted: Fri Apr 01, 2011 9:30 am    Post subject:

Here is the whole module I wrote today. Its purpose is FPS-game-like movement control, with jump and crouch capabilities.
[esi], [esi+4], [esi+8] and [esi+20] contain the 4 control axis raw values.
[edi+4], [edi+8] and [edi+c] are the 3 axis movement speeds.
All modules called in here were tested previously by other modules and are correct.

1000030C - 56 - push esi
1000030D - 57 - push edi
1000030E - 8b b6 58 06 00 00 - mov esi,[esi+00000658]
10000314 - 8b 79 20 - mov edi,[ecx+20]
10000317 - 83 c7 70 - add edi,70
1000031A - d9 46 08 - fld dword ptr [esi+08]
1000031D - d9 05 4c 26 40 00 - fld dword ptr [0040264c] 0.5
10000323 - ff 15 30 03 40 00 - call dword ptr [00400330] <- value limit [-0.5, 0.5]
10000329 - d9 5f fc - fstp dword ptr [edi-04] = lean angle
1000032C - d9 47 48 - fld dword ptr [edi+48]
1000032F - d8 67 b4 - fsub dword ptr [edi-4c]
10000332 - d9 5f 10 - fstp dword ptr [edi+10] = reference point relative altitude
10000335 - 66 8b 57 12 - mov dx,[edi+12]
10000339 - 66 81 fa d0 3f - cmp dx,3fd0
1000033E - 7c 16 - jnge 10000356
10000340 - d9 05 1c 54 40 00 - fld dword ptr [0040541c] 0.999
10000346 - d9 47 04 - fld dword ptr [edi+04]
10000349 - d8 c9 - fmul st(0),st(1)
1000034B - d9 5f 04 - fstp dword ptr [edi+04] = forward speed
1000034E - d8 4f 08 - fmul dword ptr [edi+08]
10000351 - d9 5f 08 - fstp dword ptr [edi+08] = side speed
10000354 - eb 5d - jmp 100003b3
10000356 - 66 81 fa ff 3e - cmp dx,3eff
1000035B - 7f 06 - jg 10000363
1000035D - d9 ee - fldz
1000035F - d9 c0 - fld st(0)
10000361 - eb 34 - jmp 10000397
10000363 - d9 05 4c 26 40 00 - fld dword ptr [0040264c] 0.5
10000369 - d9 e8 - fld1
1000036B - 66 81 fa bf 3f - cmp dx,3fbf
10000370 - 7f 07 - jg 10000379
10000372 - d9 47 10 - fld dword ptr [edi+10]
10000375 - d8 e2 - fsub st(0),st(2)
10000377 - de c9 - fmulp
10000379 - d9 06 - fld dword ptr [esi]
1000037B - 83 3e 00 - cmp dword ptr [esi],00
1000037E - 7d 02 - jnl 10000382
10000380 - d8 ca - fmul st(0),st(2)
10000382 - d8 c9 - fmul st(0),st(1)
10000384 - d9 46 04 - fld dword ptr [esi+04]
10000387 - de cb - fmulp st(3),st(0)
10000389 - d9 ca - fxch st(2)
1000038B - de c9 - fmulp
1000038D - d9 05 3c 26 40 00 - fld dword ptr [0040263c] 0.3 = walk speed multiplier
10000393 - dc ca - fmul st(2),st(0)
10000395 - de c9 - fmulp
10000397 - 8d 4f 08 - lea ecx,[edi+08]
1000039A - 68 00 00 70 3f - push 3f700000
1000039F - ff 15 00 03 40 00 - call dword ptr [00400300] <- make current value closer to target value
100003A5 - 83 e9 04 - sub ecx,04
100003A8 - 68 00 00 70 3f - push 3f700000
100003AD - ff 15 00 03 40 00 - call dword ptr [00400300]
100003B3 - 31 d2 - xor edx,edx
100003B5 - d9 05 f8 1f 40 00 - fld dword ptr [00401ff8] 0.0005
100003BB - d9 47 04 - fld dword ptr [edi+04]
100003BE - d9 e1 - fabs
100003C0 - d8 d9 - fcomp st(0),st(1)
100003C2 - df e0 - fnstsw ax
100003C4 - f6 c4 01 - test ah,01
100003C7 - 74 03 - je 100003cc
100003C9 - 89 57 04 - mov [edi+04],edx
100003CC - d9 47 08 - fld dword ptr [edi+08]
100003CF - d9 e1 - fabs
100003D1 - de d9 - fcompp
100003D3 - df e0 - fnstsw ax
100003D5 - f6 c4 01 - test ah,01
100003D8 - 74 03 - je 100003dd
100003DA - 89 57 08 - mov [edi+08],edx
100003DD - d9 47 f8 - fld dword ptr [edi-08] = heading
100003E0 - d9 47 04 - fld dword ptr [edi+04]
100003E3 - d9 c1 - fld st(1)
100003E5 - d9 fe - fsin
100003E7 - d8 c9 - fmul st(0),st(1)
100003E9 - dc 47 38 - fadd qword ptr [edi+38]
100003EC - dd 5f 38 - fstp qword ptr [edi+38] = reference point coordinate
100003EF - d9 c1 - fld st(1)
100003F1 - d9 ff - fcos
100003F3 - de c9 - fmulp
100003F5 - dc 47 40 - fadd qword ptr [edi+40]
100003F8 - dd 5f 40 - fstp qword ptr [edi+40] = reference point coordinate
100003FB - d8 05 a4 10 40 00 - fadd dword ptr [004010a4] 1.5708
10000401 - d9 47 08 - fld dword ptr [edi+08]
10000404 - d9 c1 - fld st(1)
10000406 - d9 fe - fsin
10000408 - d8 c9 - fmul st(0),st(1)
1000040A - dc 47 38 - fadd qword ptr [edi+38]
1000040D - dd 5f 38 - fstp qword ptr [edi+38]
10000410 - d9 c9 - fxch
10000412 - d9 ff - fcos
10000414 - de c9 - fmulp
10000416 - dc 47 40 - fadd qword ptr [edi+40]
10000419 - dd 5f 40 - fstp qword ptr [edi+40] = reference point coordinate
1000041C - d9 05 a4 10 40 00 - fld dword ptr [004010a4] 1.5708
10000422 - d8 66 20 - fsub dword ptr [esi+20]
10000425 - d9 5f 20 - fstp dword ptr [edi+20] = person height target value
10000428 - 89 16 - mov [esi],edx
1000042A - 89 56 04 - mov [esi+04],edx
1000042D - 89 56 08 - mov [esi+08],edx
10000430 - 89 56 0c - mov [esi+0c],edx
10000433 - 89 56 20 - mov [esi+20],edx
10000436 - a1 d0 63 42 00 - mov eax,[004263f0]
1000043B - 8d 88 3c 01 00 00 - lea ecx,[eax+000003c]
10000441 - d9 47 0c - fld dword ptr [edi+0c]
10000444 - 81 7f 10 00 00 d0 3f - cmp [edi+10],3fd00000
1000044B - 7e 0f - jle 1000045c
1000044D - d9 01 - fld dword ptr [ecx]
1000044F - d8 0d d8 42 40 00 - fmul dword ptr [004042d8] -10.0
10000455 - de c1 - faddp
10000457 - 88 57 b2 - mov [edi-4e],dl
1000045A - eb 3a - jmp 10000496
1000045C - 39 57 0c - cmp [edi+0c],edx
1000045F - 7d 0e - jnl 1000046f
10000461 - d9 c0 - fld st(0)
10000463 - d8 09 - fmul dword ptr [ecx]
10000465 - d8 0d d8 42 40 00 - fmul dword ptr [004042d8] -10.0
1000046B - de c1 - faddp
1000046D - eb 11 - jmp 10000480
1000046F - 38 57 b2 - cmp [edi-4e],dl
10000472 - 74 0c - je 10000480
10000474 - d9 05 bc 53 40 00 - fld dword ptr [004053bc] 150.0
1000047A - d8 09 - fmul dword ptr [ecx]
1000047C - de c1 - faddp
1000047E - eb 16 - jmp 10000496
10000480 - d9 47 20 - fld dword ptr [edi+20]
10000483 - d8 67 10 - fsub dword ptr [edi+10]
10000486 - d8 0d e8 28 40 00 - fmul dword ptr [004028e8] 6.0
1000048C - d8 09 - fmul dword ptr [ecx]
1000048E - de c1 - faddp
10000490 - d8 0d 18 54 40 00 - fmul dword ptr [00405418] 0.95
10000496 - d9 57 0c - fst dword ptr [edi+0c]
10000499 - d8 09 - fmul dword ptr [ecx]
1000049B - d8 47 48 - fadd dword ptr [edi+48]
1000049E - d9 5f 48 - fstp dword ptr [edi+48]
100004A1 - e8 da 08 00 00 - call 10000d80
100004A6 - 5f - pop edi
100004A7 - 5e - pop esi
100004A8 - c3 - ret

10000D80 - d9 e8 - fld1 = calculate eye coordinate
10000D82 - d9 47 fc - fld dword ptr [edi-04]
10000D85 - d9 ff - fcos
10000D87 - de e9 - fsubp
10000D89 - d8 6f 48 - fsubr dword ptr [edi+48]
10000D8C - dd 5f c8 - fstp qword ptr [edi-38]
10000D8F - d9 47 fc - fld dword ptr [edi-04]
10000D92 - d9 fe - fsin
10000D94 - d9 47 f8 - fld dword ptr [edi-08]
10000D97 - d8 05 a4 10 40 00 - fadd dword ptr [004010a4] 1.5708
10000D9D - d9 c0 - fld st(0)
10000D9F - d9 fe - fsin
10000DA1 - d8 ca - fmul st(0),st(2)
10000DA3 - dc 47 38 - fadd qword ptr [edi+38]
10000DA6 - dd 5f b8 - fstp qword ptr [edi-48]
10000DA9 - d9 ff - fcos
10000DAB - de c9 - fmulp
10000DAD - dc 47 40 - fadd qword ptr [edi+40]
10000DB0 - dd 5f c0 - fstp qword ptr [edi-40]
10000DB3 - c3 - ret
atom0s
Moderator
Reputation: 205

Joined: 25 Jan 2006
Posts: 8587
Location: 127.0.0.1

Posted: Fri Apr 01, 2011 9:38 am    Post subject:

From what I can see, my guess would be that when you are calling:
10000329 - d9 5f fc - fstp dword ptr [edi-04]

the float stack possibly does not have a value other than 0 at the time you called it. Check if ST(0) has a value. I assume the call just before this should be returning a float to be stored? If so, make sure it's returning a float properly to the float stack and not storing the result in EAX, for example.

_________________
- Retired.
supercharger
Advanced Cheater
Reputation: 0

Joined: 06 Aug 2009
Posts: 61

Posted: Fri Apr 01, 2011 9:46 am    Post subject:

The called module is like this:

004003C0 - d8 d1 - fcom st(0),st(1)
004003C2 - df e0 - fnstsw ax
004003C4 - f6 c4 01 - test ah,01
004003C7 - 75 0b - jne 004003d4
004003C9 - d9 e0 - fchs
004003CB - d8 d1 - fcom st(0),st(1)
004003CD - df e0 - fnstsw ax
004003CF - f6 c4 01 - test ah,01
004003D2 - 75 03 - jne 004003d7
004003D4 - dd d9 - fstp st(1)
004003D6 - c3 - ret
004003D7 - dd d8 - fstp st(0)
004003D9 - c3 - ret


But it's not the source of the problem, since I tried changing this paragraph

1000031A - d9 46 08 - fld dword ptr [esi+08]
1000031D - d9 05 4c 26 40 00 - fld dword ptr [0040264c] 0.5
10000323 - ff 15 30 03 40 00 - call dword ptr [00400330] <- value limit [-0.5, 0.5]
10000329 - d9 5f fc - fstp dword ptr [edi-04] = lean angle

into this paragraph:

mov eax,[esi+8]
mov [edi-4],eax

It was still producing 0x00000000 in [edi-4].
supercharger
Advanced Cheater
Reputation: 0

Joined: 06 Aug 2009
Posts: 61

Posted: Sat Apr 02, 2011 12:08 am    Post subject:

Fool me. I always thought there was only one source of input.
Now I found there were other inputs when there is more than one object in the game, so [edi-4] was rewritten by other sources.
Now it's fixed.