Cheat Engine

calciumantacid · How do I cheat? Reputation: 0 Joined: 28 Dec 2011 Posts: 5

So, I was happily tracing a pointer and adding addresses with offsets. Then I get to 16CE7F68 with offset 20, search for the address that points to it - it's 16CE3AAC. Check what accesses it and get this:

0262E673 - 8B 49 14 - mov ecx,[ecx+14]
02D71BE7 - 8B 76 14 - mov esi,[esi+14]
02D7268F - 8B 76 14 - mov esi,[esi +14]

The value of the pointer to find this address is probably 16CE7F68.

It says the pointer address is 16CE7F68 which is what I was tracing from, it already had an offset of 20. Now I'm back to it for some reason, with apparently offset 14. But if I try to add that to the pointer, I can see it's not correct.

What to do? It's probably something very simple?

Dark Byte · Posted: Wed Sep 18, 2013 1:21 pm Post subject:

The value of the registers shown is that after the instruction has been executed
Anyhow, you can do basic math to figure out the original value

ecx+14=the address you used find what accesses on ( 16CE3AAC)

So ecx=16ce3aac+14=16ce3a98
So, scan for 16ce3a98

calciumantacid · How do I cheat? Reputation: 0 Joined: 28 Dec 2011 Posts: 5

Thank you very much, Dark Byte!

So if I understood correctly - it seems that in the typical scenarios like mov edi,[esi+14] we basically have mov pointer1,[pointer2+14] and we can scan the next address directly by looking for pointer2 value.

But if we have mov ecx,[ecx+14] that means mov pointer1,[pointer1+14] and we must calculate pointer2 manually, so pointer2 = current address - 14.

Then we scan for the new address by pointer2 value and when we create a manual pointer entry, we will enter that new address + 14.

My brain hurts, lol. I had to make a spreadsheet to visualize what's happening.

Dark Byte · Posted: Thu Sep 19, 2013 4:07 am Post subject:

The only reason you look at the assembler code is to figure out the offset, to find out where the current memory block starts at. Which is what you're looking for