Cheat Engine The Official Site of Cheat Engine
unkown-dev How do I cheat?
Reputation: 0
Joined: 11 Jun 2012 Posts: 6
Posted: Fri Oct 26, 2012 9:24 am Post subject: Help decoding value (found the right value in EDX register)
Hi,
I'm having a problem finding out how to 'decode' a 32-bit value.
I know where the object that stores the value is, and the offset to the value's address (it's 0x8C from the object address).
The thing is, I know where the value is stored, but it is not stored in a 'readable' way.
In-game the value appears as 50948 (C704), but it's stored as B1B242A1, so they are probably applying some rotates or stuff like that to make it hard to edit.
Sorry if I'm being such a noob.
Thanks
Last edited by unkown-dev on Mon Nov 12, 2012 10:10 am; edited 1 time in total
SteveAndrew Master Cheater
Reputation: 30
Joined: 02 Sep 2012 Posts: 323
Posted: Fri Oct 26, 2012 10:49 am Post subject:
Okay, so is this Football Manager by any chance? If so, which version, 2012? Not that it matters, but I'm just wondering since it's called 'fm.exe'.
Anyway, I think you are right on the money with the rotates... And you posted a nice place where the value is not encoded in memory, and it looks like the value is encoded right after that code (which you did a break and trace on).
Now I don't have this game, but just from looking at the image you posted, it appears that it uses the dynamic address of your value in question as part of the encoding of it...
lea ecx,[ebp+8c] is similar to mov edx,[ebp+8c] except that it copies the address of [ebp+8c] into the register rather than the value at it...
Because it's using the dynamic address as part of the encoding, it makes it a little trickier to know how it encodes/decodes the value, but I think CE can do it!
Try this: add this script to your CT and enable it while fm.exe is running.
EDIT: fixed, lol, sorry about that; since I didn't have the game I didn't make sure everything was correct.
Code:
[enable]
alloc(fmvaluedecoder,64)
label(DynamicAddressOfEncodedValue)
label(back)
registersymbol(DynamicAddressOfEncodedValue)
fmvaluedecoder:
mov edx,[ebp+8c] //decoded value in edx after this line
lea ecx,[ebp+8c] //dynamic address of your value in ecx after this line
mov [DynamicAddressOfEncodedValue],ecx
jmp back
DynamicAddressOfEncodedValue:
dd 0
fm.exe+51eee0:
jmp fmvaluedecoder
nop
back:
[disable]
fm.exe+51eee0:
mov edx,[ebp+8c]
dealloc(fmvaluedecoder)
unregistersymbol(DynamicAddressOfEncodedValue)
Ok, now that isn't going to do anything except copy the dynamic address of your encoded value into the newly registered symbol 'DynamicAddressOfEncodedValue'.
Now I'm not sure if CE will use registered symbols with a custom type script, but I don't see why not! And CE did let me use that registered symbol name in the custom type script I made for you, so I think this will work...
So now that you have that enabled, and DynamicAddressOfEncodedValue contains the dynamic address of the value you're interested in (trigger the code to be executed by doing whatever is associated with that value, as you did, to get 'DynamicAddressOfEncodedValue' filled with the dynamic address we need)...
Then right-click on the 'Value Type' dropdown on the main window of CE and click 'Define new custom type (AutoAssembler)' (shown in the attached image).
Then delete everything and paste this:
Code:
alloc(ConvertRoutine,1024)
alloc(ConvertBackRoutine,1024)
alloc(TypeName,256)
alloc(ByteSize,4)
alloc(UsesFloat,1)
TypeName:
db 'FM encoded value',0
ByteSize:
dd 4
UsesFloat:
db 0 //Change to 1 if this custom type should be treated as a float
//The convert routine should hold a routine that converts the data to an integer (in eax)
//function declared as: stdcall int ConvertRoutine(unsigned char *input);
//Note: Keep in mind that this routine can be called by multiple threads at the same time.
ConvertRoutine:
//jmp dllname.functionname
[64-bit]
//or manual:
//parameters: (64-bit)
//rcx=address of input
mov eax,[rcx] //eax now contains the bytes 'input' pointed to
ret
[/64-bit]
[32-bit]
//jmp dllname.functionname
//or manual:
//parameters: (32-bit)
push ebp
mov ebp,esp
//[ebp+8]=input
//example:
mov eax,[ebp+8] //place the address that contains the bytes into eax
mov eax,[eax] //place the bytes into eax so it's handled as a normal 4 byte value
//ADDED CODE HERE -->
xor eax,6327d393 //the same
rol eax,1e //rotate left rather than right
not eax //the same
mov ecx,[DynamicAddressOfEncodedValue] //the same
and ecx,1f //the same
ror eax,cl //rotate right rather than left
//eax now contains decoded value, I hope :D
//<-- ADDED CODE HERE
pop ebp
ret 4
[/32-bit]
//The convert back routine should hold a routine that converts the given integer back to a row of bytes (e.g. when the user wants to write a new value)
//function declared as: stdcall void ConvertBackRoutine(int i, unsigned char *output);
ConvertBackRoutine:
//jmp dllname.functionname
//or manual:
[64-bit]
//parameters: (64-bit)
//ecx=input
//rdx=address of output
//example:
mov [rdx],ecx //place the integer into the 4 bytes pointed to by rdx
ret
[/64-bit]
[32-bit]
//parameters: (32-bit)
push ebp
mov ebp,esp
//[ebp+8]=input
//[ebp+c]=address of output
//example:
push eax
push ebx
mov eax,[ebp+8] //load the value into eax
mov ebx,[ebp+c] //load the address into ebx
mov [ebx],eax //write the value into the address
pop ebx
pop eax
pop ebp
ret 8
[/32-bit]
The only thing I changed after choosing 'Define new custom type' is adding this:
Code:
//ADDED CODE HERE -->
xor eax,6327d393 //the same
rol eax,1e //rotate left rather than right
not eax //the same
mov ecx,[DynamicAddressOfEncodedValue] //the same
and ecx,1f //the same
ror eax,cl //rotate right rather than left
//eax now contains decoded value, I hope :D
//<-- ADDED CODE HERE
What it's going to do is use the dynamic address in 'DynamicAddressOfEncodedValue', which should contain the right address after you enabled that first script, then perform the same operations the game did, in reverse, to (HOPEFULLY lol) decode the value properly...
After having the first script enabled and adding that custom type script, on your address list you should be able to change your value's type to the 'FM encoded value' type (which we created with that custom type script).
If it shows the proper decoded value then we have done it! If not, maybe I did something in reverse wrong... And to double-check that this is even the encoding code, place a breakpoint on this line: "cmp edx,edi", which is right after this line: "xor edx,6327d393", and see if edx at that point even contains the proper encoded value...
And if you just care about setting the value, and don't really care how it's encoded, then try this:
Code:
[enable]
alloc(fmcheat,64)
label(back)
fmcheat:
mov edx,539 //change to value you want
jmp back
fm.exe+51eee0:
jmp fmcheat
nop
back:
[disable]
fm.exe+51eee0:
mov edx,[ebp+8c]
dealloc(fmcheat)
And change mov edx,539 so it moves the value you want instead... Since the decoded value is here before it's encoded, it might work to set the value to whatever you want without having to worry about how it's encoded!
Well, hope this helps!
Last edited by SteveAndrew on Fri Oct 26, 2012 2:14 pm; edited 4 times in total
unkown-dev How do I cheat?
Reputation: 0
Joined: 11 Jun 2012 Posts: 6
Posted: Fri Oct 26, 2012 11:42 am Post subject:
Hi,
Yes, it's FM, and thanks for all your help.
I'm just having some problems making your first script work, as it throws an error:
Code:
[enable]
alloc(fmvaluedecoder,64)
label(DynamicAddressOfEncodedValue)
label(back)
registersymbol(DynamicAddressOfEncodedValue)
fmcheat:
mov edx,[ebp+8c] //decoded value in edx after this line
lea ecx,[ebp+8c] //dynamic address of your value in ecx after this line
mov [DynamicAddressOfEncodedValue],ecx
jmp back
fm.exe+51eee0:
jmp fmcheat
nop
back:
[disable]
fm.exe+51eee0:
mov edx,[ebp+8c]
dealloc(fmcheat)
unregistersymbol(DynamicAddressOfEncodedValue)
The error says: 'label DynamicAddressOfEncodedValue is not defined in the script'. Also,
is that line 'alloc(fmvaluedecoder,64)' right? As 'fmvaluedecoder' is never used anywhere..
Once again, thanks.
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25833 Location: The netherlands
Posted: Fri Oct 26, 2012 12:16 pm Post subject:
You need to change fmcheat to fmvaluedecoder, or fmvaluedecoder to fmcheat.
Also, change
Code:
label(DynamicAddressOfEncodedValue)
to
Code:
alloc(DynamicAddressOfEncodedValue,4)
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
unkown-dev How do I cheat?
Reputation: 0
Joined: 11 Jun 2012 Posts: 6
Posted: Fri Oct 26, 2012 1:06 pm Post subject:
Thank you both.
I will try the updated script, but I'm already happy, as with your help, and after reading some stuff about ASM instructions that I had forgotten, I was able to do the conversion manually by following the xor, ror and rol opcodes.
SteveAndrew Master Cheater
Reputation: 30
Joined: 02 Sep 2012 Posts: 323
Posted: Fri Oct 26, 2012 2:08 pm Post subject:
Ah yes, thanks Dark Byte! I originally named the script 'fmcheat', and when I changed it to 'fmdecoder' I forgot to change the bottom part of the script lol...
unknown-dev, glad you figured it out and are now able to properly decode the value! So it does actually use part of the dynamic address of the value to encode the value? I've never seen that done before, but I guess if that's how they did it, then that's how they did it!
unkown-dev How do I cheat?
Reputation: 0
Joined: 11 Jun 2012 Posts: 6
Posted: Sat Oct 27, 2012 4:17 am Post subject:
Yes, it uses the dynamic address as you said.
Basically they do an AND operation on the dynamic address and then use the result to rotate the value.
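As an added illustration (not code from the thread or from Cheat Engine), here is a Python model of the address-keyed rotate/XOR scheme SteveAndrew's custom type reverses. The decode function mirrors his 32-bit ConvertRoutine step for step using the constants quoted in the thread; the encode function is an assumption (each decode step undone in reverse order), and the sample addresses are constructed. The point for anyone relying on this kind of in-memory obfuscation: it is a bijection, so once the instruction sequence has been observed it is undone exactly, and only the low five address bits contribute anything.

```python
MASK32 = 0xFFFFFFFF
XOR_KEY = 0x6327D393   # from the thread's "xor eax,6327d393"
FIXED_ROT = 0x1E       # from the thread's "rol eax,1e"


def rol32(x, n):
    """32-bit rotate left, as the x86 rol instruction does it."""
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK32


def ror32(x, n):
    """32-bit rotate right, as the x86 ror instruction does it."""
    n &= 31
    return ((x >> n) | (x << (32 - n))) & MASK32


def decode(stored, address):
    """Mirror of the posted 32-bit ConvertRoutine: stored dword -> plain value."""
    k = address & 0x1F            # mov ecx,[DynamicAddressOfEncodedValue]; and ecx,1f
    v = stored ^ XOR_KEY          # xor eax,6327d393
    v = rol32(v, FIXED_ROT)       # rol eax,1e
    v = (~v) & MASK32             # not eax
    return ror32(v, k)            # ror eax,cl


def encode(value, address):
    """Assumed game-side transform (hypothetical): decode steps in reverse order."""
    k = address & 0x1F
    v = rol32(value & MASK32, k)  # undo "ror eax,cl"
    v = (~v) & MASK32             # undo "not eax"
    v = ror32(v, FIXED_ROT)       # undo "rol eax,1e"
    return v ^ XOR_KEY            # undo "xor eax,6327d393"


def roundtrip_ok(value, address):
    """True when decoding an encoded value gives the value back at that address."""
    return decode(encode(value, address), address) == (value & MASK32)


def only_low_address_bits_matter(stored, address):
    """The high 27 address bits never influence the result, only address & 0x1F."""
    return decode(stored, address) == decode(stored, address ^ 0xFFFFFFE0)


def relocation_changes_encoding(value, addr_a, addr_b):
    """The same value stored at two addresses with different low bits looks different."""
    return encode(value, addr_a) != encode(value, addr_b)
```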