Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Cheat Engine 6.2 Tutorial Step 9: Explanation by the beginer

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Tutorials
View previous topic :: View next topic  
Author Message
balrog_svr
How do I cheat?
Reputation: 0

Joined: 13 Sep 2011
Posts: 2

PostPosted: Fri Jul 27, 2012 11:41 am    Post subject: Cheat Engine 6.2 Tutorial Step 9: Explanation by the beginer Reply with quote

Cheat Engine 6.2 Tutorial Step 9 actions:

1. Found the address for health of Player 1, Player 2, Player 3, Player 4 via scanning for the float value

Player 1 00098FAC
Player 2 01B3007C
Player 3 01B70084
Player 4 01B88424

2. Using "Find what writes to this address" option on the Player 1 I found out the memory address of the Player 1:

>>004250C6 - mov [ebx+04], eax -----where EBX=00098FA8

the offset 04 provides the location of the health of the player in question.

3. Now, i created and defined new structure to get the offset for the Group to which players were assigned:

a. Browse this memory region (CRTL+B) from Player 1
b. Dissect data/structure (CTRL+D) from Tools menu
c. Adding 4 Extra Addresses (for all players) with the offsets found in step 2:

00098FAC-04
01B3007C-04
01B70084-04
01B88424-04


d. I found that offset 10 contains the group ID# to which players are assigned

Player 1 & Player 2 ====> Group ID#1
Player 3 & Player 4 ====> Group ID#2

4. Now, i find out what accesses this address for Player 1 when he is hit. The following is the result:

0042507E - D9 43 04 - fld dword ptr [ebx+04]
0042509D - D8 6B 04 - fsubr dword ptr [ebx+04]
004250C6 - 89 43 04 - mov [ebx+04],eax
004250CB - D9 43 04 - fld dword ptr [ebx+04]
00425107 - FF 73 04 - push [ebx+04]

Looking at the first access in disassembler i get this:

1. Tutorial-i386.exe+25076 - 0F85 CD000000 - jne Tutorial-i386.exe+25149
2. Tutorial-i386.exe+2507C - D9EE - fldz
3. Tutorial-i386.exe+2507E - D9 43 04 - fld dword ptr [ebx+04]
4. Tutorial-i386.exe+25081 - DED9 - fcompp
5. Tutorial-i386.exe+25083 - DFE0 - fnstsw ax
6. Tutorial-i386.exe+25085 - 9E - sahf
7. Tutorial-i386.exe+25086 - 75 0F - jne Tutorial-i386.exe+25097
8. Tutorial-i386.exe+25088 - A1 74145500 - mov eax,[Tutorial-i386.exe+151474]
9. Tutorial-i386.exe+2508D - E8 5E940E00 - call Tutorial-i386.exe+10E4F0
10. Tutorial-i386.exe+25092 - E9 B2000000 - jmp Tutorial-i386.exe+25149
11. Tutorial-i386.exe+25097 - 89 75 CC - mov [ebp-34],esi
12. Tutorial-i386.exe+2509A - DB 45 CC - fild dword ptr [ebp-34]
13. Tutorial-i386.exe+2509D - D8 6B 04 - fsubr dword ptr [ebx+04]
14. Tutorial-i386.exe+250A0 - D9 5D D0 - fstp dword ptr [ebp-30]
15. Tutorial-i386.exe+250A3 - D9EE - fldz
16. Tutorial-i386.exe+250A5 - D9 5D CC - fstp dword ptr [ebp-34]
17. Tutorial-i386.exe+250A8 - D9 45 D0 - fld dword ptr [ebp-30]
18. Tutorial-i386.exe+250AB - D9 45 CC - fld dword ptr [ebp-34]
19. Tutorial-i386.exe+250AE - DED9 - fcompp
20. Tutorial-i386.exe+250B0 - DFE0 - fnstsw ax
21. Tutorial-i386.exe+250B2 - 9E - sahf

Looking at the disassembler, as a novice, my intuition tells me that what i need is located on the line #13 with float subtraction
(fsubr dword ptr [ebx+04]) and storing of the result (fstp dword ptr [ebp-30]).

what does fsubr dword ptr [ebx+04] really mean?
This is what it would look like if we would write it in a regular C math expression:

ST(0) = EAX-ST(0); // subtract ST(0) from the REAL4 value pointed to by EAX and store the result in ST(0)

5. Using line 13 for Auto Assemble with code injection at: "Tutorial-i386.exe"+2509D:

alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(friendly)

newmem:
cmp [ebx+10], 1 //i am checking if the player who is hit belongs to group 1
je friendly //if the player is from group 1 i will jump to the special code for friendly players
jmp originalcode

originalcode: //this code is kept so the enemies are getting hit
fsubr dword ptr [ebx+04]
fstp dword ptr [ebp-30]
jmp returnhere

friendly: //this will allow to increase friendly unit health in the amount of a hit they should take
fadd dword ptr [ebx+04] //add the REAL4 value pointed to by EAX to ST(0)
fstp dword ptr [ebp-30] //stored the result of the ST(0) computation in the address specified by [ebp-30] and pops st(0)
jmp returnhere

"Tutorial-i386.exe"+2509D:
jmp newmem
nop
returnhere:


6. Now when i hit friendly i get the health of Player 1 and Player 2 to increase, but Player 3 and Player 4 will get their health reduced if hit.
Now click on auto play and you are a winner.


Please note I have never studied or used assembler. I googled for the references of assembly commands to figure out what to do. If you have any questions please let me know.
Back to top
View user's profile Send private message
Xylem
How do I cheat?
Reputation: 0

Joined: 04 Dec 2011
Posts: 1

PostPosted: Fri Jan 18, 2013 8:05 am    Post subject: Reply with quote

this works for me, thanks brother, learnt heaps
Back to top
View user's profile Send private message
chinccw
How do I cheat?
Reputation: 0

Joined: 03 Mar 2013
Posts: 1

PostPosted: Sun Mar 03, 2013 9:30 am    Post subject: Reply with quote

there is some part where i dont really understand. anyway your code is working so i can slowly try to figure out . thx alot Very Happy
_________________
time to hack!!!
Back to top
View user's profile Send private message
Nemexia55
Advanced Cheater
Reputation: 0

Joined: 28 Jan 2014
Posts: 54
Location: Iran

PostPosted: Mon Feb 17, 2014 9:36 am    Post subject: so hard! Reply with quote

so hard!
_________________
Some one help me with AA!
Back to top
View user's profile Send private message
phadeb
Cheater
Reputation: 0

Joined: 25 Jun 2007
Posts: 31

PostPosted: Sun Mar 16, 2014 8:52 pm    Post subject: Reply with quote

It crashed with this :

Code:
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

cmp [ebx+10],1
je originalcode
mov [ebx+04],0
jmp exit

originalcode:
mov [ebx+04],eax
fldz

exit:
jmp returnhere

050A0000:
jmp newmem
returnhere:




and i Lol'd so hard Very Happy [/code]
Back to top
View user's profile Send private message
Nemexia55
Advanced Cheater
Reputation: 0

Joined: 28 Jan 2014
Posts: 54
Location: Iran

PostPosted: Mon Mar 17, 2014 4:42 am    Post subject: Reply with quote

Finally I could do it!!!
_________________
Some one help me with AA!
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Tutorials All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum



Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)