[ASM] Basic assembly instructions (opcodes) and examples

tarafından **Hello EMO** Cuma Ocak 14, 2011 5:34 pm

This article should cover basic assembly instructions to start building Your own scripts for Cheat Engine

Here You will find a simple list about the most important codes that You may use when You try to hack a game. You will also find 2 examples, the first one is how to make a God Mode cheat in an RTS game, Warhammer: Mark of Chaos. The second is a money cheat for C&C Generals which is affecting the human player only, not the AI.

Assembly instructions (Opcodes):

"dec" will decrease the value with 1
inc : increase the value with 1
sub : subtract the second operand from the first,
e.g. sub [ebx+00000310],4 would mean "decrease the value on ebx+0310 with 4".
add : will add the second operand from the first,
e.g. add [ebx+00000310],4 would mean "increase the value on ebx+0310 with 4".
mov : copy the second operand to the first,
e.g. mov [ebx+00000310],4 would mean "change the value on ebx+0310 to 4".
lea: copy the result of the second operand to the first operand
e.g. lea eax,[esi+30] would mean copy esi+30 to eax.
This is good to save pointers.
cmp : compare, 2 registers, or a number and a register.
e.g. cmp esi,2 //compare esi to 2
cmp esi,ecx //compare esi to ecx
The result of the comparing will be stored in a flag. To see more about flags,
check out the CE help file.
jmp : jump to and address
You can use the jmp instructions to jump to a specific address (long jump), or to jump forward or backward x bytes (short jump).
e.g. jmp +0000000A //this instruction would mean to jump forward 10 bytes in the code.
Conditional jumps:
You can use conditional jumps to jump to a specific address, or to jump
forward or backward x bytes.
- je : jump to a location if the previous compare's result was equal
  e.g.
  cmp esi,2
  je 0f445566 //if esi is equal to 2, the program will jump to 0f445566 address.
- jne: jump to a location if the previous compare's result was not equal
- jg : Jump if Greater
- jl : Jump if Less
push : save a register or flag in the stack
pop : load a register or flag from the stack
pushad : save all registers in the stack
popad : load all registers from the stack
pushfd : save all flags in the stack
popfd : load all flags from the stack

The stack is a "storage" where You can put values and load them from it. However You are not able to save and load the values in any order. The last value in the stack that You push in will be the first one that You pop out.

For example lets assume ecx=3, edx=2 and the stack stores the following values.
Stack:

4
5
6

Now we put an instruction like "push ecx". Then the stack will look like this.
Stack:

3
4
5
6

Now we also put in edx with "push edx". The stack will look like this.
Stack:

2
3
4
5
6

Now we want to pop a value from the stack, like "pop ecx".

In this case, the program will pull out the first value from the stack, which is 2,
and put it to ecx. So ecx=2 and the stack look like this.
Stack:

3
4
5
6

If we give a "pop edx" instruction now, edx will be 3, and the stack will look like
Stack:

4
5
6

The result: The stack is the same as when we have started, but ecx=2 now, and edx=3, we have changed their values with each other.

If You use pushad and pushfd, then popad and popfd, make sure to use them in the correct order.
[asm]pushad
pushfd
...
popfd
popad

or

pushfd
pushad
....
popad
popfd[asm]

So what You push in first should be popped out first. What happens if You dont?

WRONG example:

pushfd
pushad
....
popfd
popad

Result: You will push the flags into the stack, then push in the registers and with popfd instruction, You will load the value of the registers to the flags, which will totally mess up the program and most likely it will crash.

Why do we use push, pop and the stack anyway?
In assembly, You are not able to use 2 values as operands in the same instruction.
e.g. mov [ecx],[edx] is not a valid instruction. If You wish to move the value on [edx]to [ecx], first You need to put [ecx] to a register, then copy the register to [ecx]. However changing a register's value for Your own puproses without restoring it later will result in errors. Also when You use the cmp instructions, You change the status of the flags, so sometimes it may be needed to restore the flag values too.

For a fine example on how to use the stack, compare, conditional jumps and mov, I will describe how did I make a "God Mode" for my soldiers in an RTS game, Warhammer: Mark of Chaos.

First of all You need to search for a soldier's health and check which code is writing to the address of health. However, this code is changing all of the soldiers' health in the game, including the enemy soldiers. So if You just turn off this code, everyone will be invincible. That would not be useful.

The code which is changing the health is the following:

1	008d0f08 - d9 56 04 - fst dword ptr [esi+04]

If You look in the memory browser, You will realise that the soldier's data structure is very simple in this game. As You can see it in the code, the health is stored on esi+04. The maximum health of the unit is 4 bytes later, so it is on esi+08. One more information: if the value before the health (esi) is 0, then the unit is Your unit. If it is not, then an enemy unit.

So the data structure is the following:
[esi] = player ID, if it is 0, then the unit is Yours
[esi+04] = health
[esi+08] = max health

With these information, we can plan our script now. It should do the following:
Check if the unit is Your unit.
If it is Your unit, change the healt to the maximum health.

The script will look like this:

fst dword ptr [esi+04] //original code which is changing health
pushad //save the registers
pushfd //save the flags
cmp [esi],0 //check if the player ID is equal to 0
jne +6 //if it is not 0, the program will skip the next 2 lines
mov eax,[esi+08] //copy the value of max health to eax
mov [esi+04],eax //copy eax to the health, so max health=health
popfd //load flags
popad //load registers

Well, thats it. A simple code which will make only Your units invincible, but the enemies will take damage normally. Notice that before I have used cmp, I have saved the flags and before I have changed eax register's value, I have saved the registers too. At the end of the code, I have loaded back the original flags and registers so I was able to use the flags and registers as I wanted in my code, without crashing the program.

Another good example: Unlimited money for the player only in C&C Generals.

It is pretty easy to find the code which is changing the money for the players in Generals, but if You wish to make script that will give You unlimited money for You only, here is a simple hint which is working with most of the games.

When the game is working with the money, it is using different addresses to store Your money and the amount of money that is displayed on Your screen. This means that when You search for money, You will find 2 addresses.

The money that You actually have.
The amount that You see on the screen in the game.

The game is checking Your money about 10 times in a second and display the correct amount to Your gameplay screen.

You have an address where Your money is stored.
A code is reading how much money You have on that address.
A script is copying the value of the money to the address where You can see the displayed amount of money.

Why is that important?
It is important because only the player's money is displayed on the screen, so the code which is reading how much money do You have in the 2nd step is accessing to Your money only. If You have the code which is accessing to Your money only, You can easily write a script to change Your money, but not for the enemies.

How to find that code?
It is simple. Find the address where Your money is stored, but after that, You need to choose "Find out what accesses this address". You will get the code which is reading from the address, not just the one which is writing to it.

The code which is reading the amount of Your money is:

1	mov ebx,[eax+38]

Now all You need to do is write a script which is changing Your money when the program
is reading it:

1 2	mov ebx,[eax+38] //read Your money mov [eax+38],000f423f //change Your money to 999999 (which is 000f423f in hex)

Now You have learned another method which will save You from the troubles ahead if You want to find a specific code.