Cheat Engine

[DreamingJ]

Hi all, I've been watching a video tutorial by GH, specifically titled "Cheat Engine Tutorial Guide 1/3 Steps 1-5" (unfortunately I can't post URLs yet).

When he opens up the disassembler after the "find what writes to this address" window, it shows a window with 3 columns: "Address" , "Bytes" , and "Opcode". I attached a screenshot below.

My question is about the "Bytes column". What does this represent? Is it the hex representation for the 32 "1s and 0s" that are fed to the CPU as instructions (with the assembly representation of the instruction being in the "Opcode" column)? For example, one instruction might be any combination of 32 0s and 1s, but instead of representing a long sequence of 32 0s and 1s, cheat engine shortens it to hex? (I note 32 0s and 1s in a sequence of bits assuming it's 32-bit CPU)

In the bytes column for the first opcode, I see (take for example) "3B 45 F4". Does this mean this specific opcode uses 3 bytes, as each token "3B", "45", and "F4" use 8 bits each in binary form? However, what if the first token "3B" was 0x"3BAC". Would this specific opcode use more bytes then, as the binary representation of 0x3BAC uses more than 8 bits?

Lastly, he does a NOP operation on a mov [eax], edx instruction that had two different bytes listed in the Bytes column. Cheat engine placed two NOP operations, I'm guessing since 1 NOP operation only consists of 1 byte (0x90), but the original instruction to overwrite consisted of two bytes?

Please let me know if I'm mixing up terminology. Any help is appreciated, thank you!

[ParkourPenguin]

You more or less have it right.

Programs tell the CPU what to do by using machine code- a set of instructions representing simple actions like "move," "compare," "add," etc. Each line you see in the disassembler is an example of an instruction expressed in assembly language.

Machine code is stored in memory as a sequence of bytes, as shown in the "Bytes" column. Each byte is a sequence of 8 bits - 0 or 1 - that is commonly represented as two digits in base 16 (hexadecimal) for brevity. Some instructions take up more bytes in memory than others. e.g. "mov eax,[eax+00000478]" takes up 6 bytes while "mov edx,[ebp-10]" takes up 3 bytes.

Instructions are comprised of several parts- the most noteworthy being an opcode and operands. The opcode is what action the instruction does, and the operands are what the instruction uses to carry out its action. The opcode may consist of several bytes (e.g. F2* 0F 58 adds doubles) and may not necessarily be on the same granularity as bytes (e.g. 50+rd "push register" opcode uses 5 bits; 81/0 "add immediate" opcode uses 11 bits).
(*F2 is considered to be a "mandatory prefix" in this context, but that's pedantic and inconsequential)
For example, the byte 8B is an opcode that means "move data from a register or memory location into a register." The bytes that follow are the operands and specify the things being moved from and to. If the bytes that follow 8B are 55 F0, that means you're moving data from the memory location [ebp-10] into the register edx.

Opcodes can be grouped into classes based on similar functionality. These classes are given mnemonics to represent the common action the opcodes in the class perform: "mov" is used for opcodes that move data, "add" is used for opcodes that add data, etc.

So: