Cheat Engine

[Zaladine]

Hi...

I've completed the step 9 of CE's tutorial regards Shared Code. The method i did is simple:

• I noticed that around HP address there is certain value determines which side of the respective unit (1=Player's, 2=Computer's)
  
• So i injected simple comparison about this address. Let's say that [esi+8] points to HP address, then [esi+10] points to above value (which determines whose side the unit belongs to), the code modified like this:
  

  Code:

  injection_code: cmp [esi+10], 2 jne original_code xor eax, eax         ; set eax to 0 original_code: mov [esi+8], eax   ; writes unit's HP exit: jmp return

  
  
• If the unit belongs to Computer ([esi+10] == 2), the code will drop its HP to 0, immediately kills it.
  
• If the unit belongs to Player ([esi+10] != 2), the code will writes its HP in normal way.
  

This method works quite well...

HOWEVER, i don't think that this method will work well for emulators since, i've heard that, emulators use exactly the same code to change every values. Other said that, all values in emulators are 'pipe-lined' from one line of code.

I'm quite certain if i use the above method, there will be massive inefficiency though only tiny code is injected since the injected code is accessed thousand times per seconds.

So, my question is: Would you please show me better method than mine to resolve Shared Codes that accessed very very frequently?


Thank you very much in advance. Please pardon my English.

[Dark Byte]

For emulators check the stack (The memory block esp points to)
CE has a feature in the "more info" and other register views to display the stack at that time (usually a button named "S")
In there you can rightclick and choose the option to lock and add that stack snapshot to a dissect data window

An extra thing you can do then is use the structure spider. If you have two or more stacksnapshots locked , you can rightclick the address in the dissect data window to find the address the stack was copied to, and use that address with the structure spider

What the structure spider does is follow every pointer path up to a max level and stores which values are the same or different between two bases you gave

(For example you might be able to find the pointerpath to the currently executed original code and check that. Or if it's a crap emu like java or flash the variablename itself as a string)
--

[Zaladine]

Thanks for replying, Dark Byte.

Though i don't quite understand recommended methods, since i've just heard most part of your reply just now (stack, esp; haven't use any esp before, structure spider, etc). Guess i'm not that good yet... However, i'll slowly follow your recommendations while digging other topics which may help with these matters.

Just for information, regards pointers, the actual case are mostly 2 level deep of working pointers. So the CT tables work perfectly... Yet, i should really try the Structure Spider...


Cheers.