Tags: c++, cheat-engine

How to find static assembly instruction address from CE (C++)


I'm trying to edit some value in memory, but it instantly reverts because of some instruction like player::update or player::reset.

In CE I can attach the debugger to it, check what's writing to it and replace that with NOP, but how can I get the static address of this instruction? FYI, I have the static address of my value (playerBase signature scan + known offset) but not the instruction address.


Solution

    Below are the steps to find the "Static Instruction Address":

    Step 1: Attach Debugger to the Process

    • Open Cheat Engine (CE).
    • Attach the debugger to the target process (the game or application where your value is located).

    Step 2: Find What Writes to the Address

    • Go to the address of the value you want to edit in Cheat Engine.

    • Right-click on the address and select "Find out what writes to this address...".

    • This will open a new window where the debugger will list all instructions that modify this value.

    Step 3: Identify the Instruction

    • Perform an in-game action that causes the value to change (e.g., updating or resetting the player).
    • The instruction that writes to the value will appear in the window. Note down this instruction.

    Step 4: Find the Static Address of the Instruction

    • Double-click on the instruction to view it in the Disassembler window.
    • The instruction might be located in a dynamically loaded module (e.g., a DLL), which means its address might change every time the game is restarted.
    • To find the static address, you need to locate the base address of the module where this instruction resides.

    Step 5: Calculate the Static Address

    • In the Disassembler window, note down the instruction's address.
    • Find the base address of the module by clicking "View" > "Memory Regions..." in Cheat Engine.
    • Subtract the base address of the module from the instruction’s address to get the relative offset.
    • Combine this offset with the module’s base address to form the static address.

    Step 6: Replace Instruction with NOP (Optional)

    • If your goal is to prevent the instruction from modifying the value, you can replace it with a NOP (No Operation) instruction directly in the Disassembler.

    Let me show you an example for better understanding:

    • Let's say the instruction that writes to your value is at '0x7FF65321F123' and it's located in a module named 'player.dll'.
    • The base address of 'player.dll' is '0x7FF653200000'.
    • The offset would be: '0x7FF65321F123' - '0x7FF653200000' = '0x1F123'.
    • The static address of the instruction would be 'player.dll' + '0x1F123'.
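Worked example added here, not part of the question or of the answer above: a small C++ routine that does the arithmetic from Step 5 in code, turns the resulting `player.dll+0x1F123` back into a live address after the game has been restarted at a different base, and NOPs the writing instruction only after checking that the bytes at that location are the ones seen in the disassembler. It reuses the answer's numbers; the new module base `0x7FF6A3F10000`, the 3-byte `mov [rbx+0x30],eax` encoding, the fake code buffer and all function names (`to_static`, `to_live`, `nop_patch`, `nop_patch_live`) are assumptions for the demo. `nop_patch_live` uses the Win32 API and only compiles on Windows; everything else is portable.

```cpp
// Added example (not from the original question or answer): once Cheat Engine
// shows the writer as "player.dll+0x1F123", this is how a C++ tool turns that
// back into a live address and NOPs the write. Module name and offset are the
// answer's; the new base, instruction bytes and buffer are assumed demo data.
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>
#include <stdexcept>

// A module-relative location, i.e. what Cheat Engine shows as module+offset.
// The offset is stable across restarts (and ASLR); the module base is not.
struct StaticAddress {
    std::string module;
    std::uintptr_t offset;
};

// Step 5 of the answer: instruction address minus the module's base address.
StaticAddress to_static(const std::string& module, std::uintptr_t module_base,
                        std::uintptr_t instruction_address) {
    if (instruction_address < module_base)
        throw std::invalid_argument("instruction lies below module base");
    return {module, instruction_address - module_base};
}

// Inverse: rebase the static address onto the module's base in this run.
std::uintptr_t to_live(const StaticAddress& s, std::uintptr_t module_base_now) {
    return module_base_now + s.offset;
}

// Overwrite one instruction with NOPs in a writable copy of code bytes.
// `expected` is the instruction's original encoding as shown in the
// disassembler. Refusing to patch when the bytes differ catches a wrong
// offset or a different game build before an unrelated instruction is hit.
bool nop_patch(std::vector<std::uint8_t>& code, std::size_t offset,
               const std::vector<std::uint8_t>& expected) {
    if (offset + expected.size() > code.size()) return false;
    if (std::memcmp(code.data() + offset, expected.data(), expected.size()) != 0)
        return false;                                   // mismatch: do not patch
    std::memset(code.data() + offset, 0x90, expected.size()); // 0x90 = NOP
    return true;
}

#ifdef _WIN32
#include <windows.h>
// Live patch inside the target process (e.g. from an injected DLL). On Windows
// an HMODULE is the module's base address, so GetModuleHandleA gives the base.
bool nop_patch_live(const StaticAddress& s, const std::vector<std::uint8_t>& expected) {
    HMODULE base = GetModuleHandleA(s.module.c_str());
    if (!base) return false;
    auto* target = reinterpret_cast<std::uint8_t*>(
        to_live(s, reinterpret_cast<std::uintptr_t>(base)));
    if (std::memcmp(target, expected.data(), expected.size()) != 0) return false;
    DWORD old_protect = 0;
    if (!VirtualProtect(target, expected.size(), PAGE_EXECUTE_READWRITE, &old_protect))
        return false;
    std::memset(target, 0x90, expected.size());
    VirtualProtect(target, expected.size(), old_protect, &old_protect);
    FlushInstructionCache(GetCurrentProcess(), target, expected.size());
    return true;
}
#endif

// Worked run with the answer's numbers: 0x7FF65321F123 inside player.dll
// based at 0x7FF653200000 gives player.dll+0x1F123; after a restart the module
// is assumed to sit at 0x7FF6A3F10000, and the same offset is rebased onto it.
struct Demo {
    StaticAddress stat;
    std::uintptr_t live_after_restart;
    bool patched;
    bool rejected_wrong_bytes;
    std::vector<std::uint8_t> code;     // the constructed buffer after patching
};

Demo run_demo() {
    StaticAddress s = to_static("player.dll", 0x7FF653200000ULL, 0x7FF65321F123ULL);
    std::uintptr_t live = to_live(s, 0x7FF6A3F10000ULL);   // assumed new base

    // Constructed image: 0x20 bytes of int3 filler, target instruction at 0x10.
    // 89 43 30 encodes mov [rbx+0x30], eax (a typical "writes to player" form).
    std::vector<std::uint8_t> code(0x20, 0xCC);
    const std::vector<std::uint8_t> mov_bytes = {0x89, 0x43, 0x30};
    std::memcpy(code.data() + 0x10, mov_bytes.data(), mov_bytes.size());

    bool rejected = !nop_patch(code, 0x10, {0x89, 0x43, 0x31}); // wrong bytes: refused
    bool ok = nop_patch(code, 0x10, mov_bytes);                   // exact bytes: patched
    return {s, live, ok, rejected, code};
}
```

Two practical points the code encodes: the number of NOPs must equal the instruction's length as shown in the CE disassembler (here three bytes), or the following instruction gets decoded mid-opcode; and verifying the original bytes before writing is what stops a stale offset from a different game build from corrupting something unrelated.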