Cheat Engine

listito · Cheater Reputation: 0 Joined: 31 Dec 2010 Posts: 35

hey,

i'd like to log every single return address into stack when some calls are shown in "find out what access this address"

for example:
10 cmp dword ptr [ecx],01

"find out what access this address" tell's me it was called 10 times, and i'd like to know those 10 return addresses

is that possible? Shocked

Dark Byte · Posted: Sun May 15, 2011 7:26 am Post subject:

Not with find out what accesses, but you can do it in the debugger

First define "function debugger_onBreakpoint()" in the lua engine

in there check if ECX==the address you want to inspect

Then when that matches do a returnaddress=readInteger(EBP+4) (if ebp+4 is not valid due to using a different kind of function calling use ESP+xxxx where XXXX is the offset into the stack where the return address is actually stored)

And hold a counter so it disables the breakpoint after 10 times

I'll see if I can make an easy example

Dark Byte · Posted: Sun May 15, 2011 7:43 am Post subject:

The following script will set a breakpoint at 0x00421138 and when it is triggered and EBX = 0x2D924B8 it will write down the return address

I'm sure you can figure out how to adapt it to your own situation

listito · Cheater Reputation: 0 Joined: 31 Dec 2010 Posts: 35

man, thanks, i luv you Twisted Evil

is it a hardware BP? if not, how to set it?

Dark Byte · Posted: Sun May 15, 2011 9:25 am Post subject:

It depends on your settings (it's the same as selecting it and pressing f5)

Default it will be a hardware breakpoint (unless all 4 have been used up, in which case it will be a software bp)

Dark Byte · Posted: Sun May 15, 2011 9:28 am Post subject:

Also, instead of debug_setBreakpoint(AddressOfCode) you could also do:

debug_setBreakpoint(DataAddressToWatch, 4, bptAccess)

that will set a Break on dataaccess on the given address

In the onBreakpoint you could then check for the EIP if there are multiple codes, and it's sure to be a HW breakpoint (Note that on data breakpoint eip is always the eip of the instruction after it)

listito · Cheater Reputation: 0 Joined: 31 Dec 2010 Posts: 35

hey DB, can you tell me how to write into code section with lua?

i'm just thinking how can i know more about it's api's? for example, i didn't find any reference to readInteger() in google

Innovation · Posted: Wed May 18, 2011 6:36 pm Post subject:

listito · Cheater Reputation: 0 Joined: 31 Dec 2010 Posts: 35

Dark Byte · Posted: Sun May 22, 2011 9:39 pm Post subject:

ebx matches the value you are looking for?

If not, then you might want to fix that, or just remove that check completely if you're not looking for that

also, if you really mean esp+4 and it's not a typo then replace EBP+4 with ESP+4

listito · Cheater Reputation: 0 Joined: 31 Dec 2010 Posts: 35

fixed the code, but, there's any way to do it without breakpointing?

because i wanna log the keyboard array which store keyboard state of directinput, if i break i cant change the state of this array

Dark Byte · Posted: Mon May 23, 2011 4:58 am Post subject:

There's nothing stopping you from using writeInteger/ writeFloat to change that array

Anyhow, you can of course use code injection, so instead of a breakpoint just use the auto assembler code injection template and then write the code to do 'stuff' there