darkjohn20, Posted December 7, 2009 (edited)
Hello, on tutorial level 4 in Cheat Engine, you must find what is changing the value, and nop it. I have scanned the value, and found the address, but I cannot find a static one. It just loops and gives a dead end. For people who have used CE, I get the address 01CAAF30. I then find out what writes to this address, and I get a list of 4 addresses where this value changed. They look like this: 0045ae66 - 8b 80 0c 03 00 00 - mov eax,[eax+0000030c]. All of them are similar with a different start address. When I try to find a pointer using more information, I get 01CAAF30 again, but with an offset of 30c. Adding this manually to my code list gives me a bad address and the value is 0. I want to know if it is possible with NomadMemory to search for an array of bytes and nop them. I cannot find a static address, so I am confused on what to do. Does anyone know what I need to do in this case? Is more information needed? A better explanation? Please ask. Thanks, John.
EDIT: By getting the value of EAX BEFORE the action, I found a static pointer that points to the correct value. Now all I need to do is nop it in AutoIt..... How? At this point, if this can't be done with NomadMemory, or can be done an easier way, I would accept that as well. Thanks again!
Edited December 7, 2009 by darkjohn20
SXGuy, Posted December 30, 2009
You don't need AutoIt to nop the address, you are meant to use CE, that's the whole point in the CE tutorial. Anyway, 0045ae66 - 8b 80 0c 03 00 00 - mov eax,[eax+0000030c]. mov eax,[eax+30c] may be the static pointer you found, but it's not that address you are meant to nop, it's the address with the pointer information: 0045ae66. I will explain: at that address is an array of bytes, and those bytes represent the register and offset for the pointer.
8b 80 = mov eax,eax
0c 03 00 00 = +0000030c
Bytes are reversed due to the way it understands the code (big and little endian). Anyway, to replace this address with nops you would replace each byte at that address with "90". 90 = nop. So go to Memory view in CE and go to the address 0045ae66. Double click that address and type "nop". It will say that you have asked to nop once, but you need to nop 6 times; just click ok, so it will nop the rest for you. There you have it. If you really do wish to know how to do the same with AutoIt then it's quite simple. Read up on _WinAPI_WriteProcessMemory
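As an added example (not code from the thread, from Cheat Engine or from NomadMemory), the Python below decodes the six bytes quoted above into opcode, ModRM byte and little-endian displacement, and derives a nop patch that is exactly as long as the instruction; SAMPLE is the byte string from the thread, SAMPLE_DISP8 is a constructed second input with an 8-bit displacement.

```python
import struct

# Register names indexed by the 3-bit reg / r/m fields of a 32-bit ModRM byte.
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Bytes quoted in the thread: 0045ae66 - 8b 80 0c 03 00 00 - mov eax,[eax+0000030c]
SAMPLE = bytes.fromhex("8b800c030000")
# Constructed second sample with an 8-bit displacement: mov eax,[ebp+08]
SAMPLE_DISP8 = bytes.fromhex("8b4508")


def decode_mov_r32_rm32(code: bytes):
    """Decode 'mov r32,[base+disp]' (opcode 0x8B) from the start of `code`.

    Handles mod=01 (disp8) and mod=10 (disp32) with a plain base register
    (no SIB byte). Returns (mnemonic in Cheat Engine style, instruction length).
    """
    if len(code) < 2 or code[0] != 0x8B:
        raise ValueError("expected opcode 0x8B (mov r32, r/m32)")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7   # 2 / 3 / 3 bits
    if mod == 3 or rm == 4:
        raise ValueError("register-direct and SIB forms are not handled here")
    if mod == 1:
        fmt, length, width = "<b", 3, 2      # signed 8-bit displacement
    elif mod == 2:
        fmt, length, width = "<i", 6, 8      # signed 32-bit displacement
    else:
        raise ValueError("mod=00 (no displacement) is not handled here")
    if len(code) < length:
        raise ValueError("truncated instruction")
    # '<' = little-endian, so the bytes 0c 03 00 00 read back as 0x0000030c
    disp = struct.unpack_from(fmt, code, 2)[0]
    sign = "+" if disp >= 0 else "-"
    return f"mov {REGS32[reg]},[{REGS32[rm]}{sign}{abs(disp):0{width}x}]", length


def nop_patch(code: bytes) -> bytes:
    """One 0x90 (nop) per byte of the decoded instruction, so the patch is
    exactly as long as the instruction and does not overwrite the one after it."""
    _, length = decode_mov_r32_rm32(code)
    return b"\x90" * length


if __name__ == "__main__":
    text, length = decode_mov_r32_rm32(SAMPLE)
    print(text, length, nop_patch(SAMPLE).hex())
```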
darkjohn20 (Author), Posted December 30, 2009 (edited)
I solved this some time ago. It was a simple error where the default type was dword and needed to be changed to byte. I know it can be done quite easily in CE (I have been using both this and CE for multiple years), but my goal was to replicate it in AutoIt. This way I can make a nice looking GUI instead of CE's default. I know most people like to avoid this topic, so that is all. Actually, does anyone know of an instruction to opcode/byte converter? I really need one.
Edited December 30, 2009 by darkjohn20
SXGuy, Posted December 31, 2009
I don't know of any converter out there I'm afraid; if I'm unsure of one, I just use CE attached to Notepad, type the opcode and look in the disassembler for the bytes. However, if you download the CE 5.5 source code and look at one of the .pas files, I think you will get a good idea of how it converts opcodes to byte expressions.
darkjohn20 (Author), Posted December 31, 2009
I talked to darkbyte a while back and assemblerunit.pas contains what I need, but it's like a billion lines long and I have no idea how to convert it.