
How to nop bytes?

5 posts in this topic

#1 ·  Posted (edited)

Hello, on tutorial level 4 in Cheat Engine, you must find what is changing the value, and nop it.

I have scanned the value, and found the address, but I cannot find a static one. It just loops and gives a dead end.

For people who have used CE, I get the address 01CAAF30. I then find out what writes to this address, and I get a list of 4 addresses where this value changed. They look like this:

0045ae66 - 8b 80 0c 03 00 00 - mov eax,[eax+0000030c].

All of them are similar with a different start address.

When I try to find a pointer using more information, I get 01CAAF30 again, but with an offset of 30c. Adding this manually to my code list gives me a bad address and the value is 0.

I want to know if it is possible with nomadmemory to search for an array of bytes and nop them. I cannot find a static address, so I am confused on what to do.

Does anyone know what I need to do in this case? Is more information needed? A better explanation? Please ask.

Thanks, John.


By getting the value of EAX BEFORE the action, I found a static pointer that points to the correct value. Now all I need to do is nop it in AutoIt..... How?

At this point, if this can't be done with NomadMemory, or can be done an easier way, I would accept that as well. Thanks again!

Edited by darkjohn20


You don't need AutoIt to nop the address; you are meant to use CE, that's the whole point of the CE tutorial.

Anyway, 0045ae66 - 8b 80 0c 03 00 00 - mov eax,[eax+0000030c].

mov eax,[eax+30c] may be the static pointer you found, but it's not that address you are meant to nop, it's the address with the pointer information.


I will explain: at that address is an array of bytes, and those bytes represent the register and offset for the pointer.

8b 80 = mov eax,eax

0c 03 00 00 = +0000030c

Bytes are reversed due to the way it understands the code (big and little endian).

Anyway, to replace this address with nops, you would replace each byte at that address with "90".

90 = nop.

So go to Memory view in CE and go to the address 0045ae66.

Double click that address and type "nop".

It will say that you have asked to nop once but you need to nop 6 times; just click OK, and it will nop the rest for you.

There you have it.

If you really do wish to know how to do the same with AutoIt, then it's quite simple.

Read up on _WinAPI_WriteProcessMemory


#3 ·  Posted (edited)

I solved this some time ago. It was a simple error where the default type was dword and needed to be changed to byte.

I know it can be done quite easily in CE (I have been using both this and CE for multiple years), but my goal was to replicate it in AutoIt.

This way I can make a nice-looking GUI instead of CE's default.

I know most people like to avoid this topic, so that is all.

Actually, does anyone know of an instruction to opcode/byte converter? I really need one.

Edited by darkjohn20


I don't know of any converter out there, I'm afraid. If I'm unsure of one, I just use CE attached to Notepad, type the opcode and look in the disassembler for the bytes.

However, if you download the CE 5.5 source code and look at one of the .pas files, I think you will get a good idea of how it converts opcodes to byte expressions.


I talked to darkbyte a while back and assemblerunit.pas contains what I need, but it's like a billion lines long and I have no idea how to convert it.

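Editor's added example (not code from any post in this thread, nor from Cheat Engine or NomadMemory) covering two things the thread asks for: the byte-level view of the instruction at 0045ae66 that the second reply explains, and the "instruction to opcode/byte converter" asked about later. In the bytes 8b 80 0c 03 00 00, 8B is the opcode for mov r32,r/m32 and 80 is the ModRM byte, whose bits 10 000 000 mean "a 32-bit displacement follows", reg = eax, r/m = eax; that is why the next four bytes 0c 03 00 00 belong to the same instruction and read as +0000030c once the little-endian order is undone, and why the nop has to cover all six bytes. The C below decodes and assembles that one instruction form, does the array-of-bytes scan the first post asked about, and nops the match. It works on a constructed local byte array standing in for the target's code (only the six bytes from the post are real); in an AutoIt tool the same logic would read the bytes with ReadProcessMemory and write the nops with _WinAPI_WriteProcessMemory, as the reply above suggests.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a few bytes of the target's code. Only the six
   middle bytes (8B 80 0C 03 00 00) come from the post; the rest are filler
   so the scan has something to search through. Not the real game's code. */
static uint8_t g_code[] = {
    0x55,                               /* push ebp               */
    0x8B, 0xEC,                         /* mov ebp,esp            */
    0x8B, 0x80, 0x0C, 0x03, 0x00, 0x00, /* mov eax,[eax+0000030c] */
    0x89, 0x45, 0xFC,                   /* mov [ebp-04],eax       */
    0xC3                                /* ret                    */
};
#define G_CODE_LEN (sizeof g_code)

static const char *reg32[8] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

/* Decode "8B /r" (mov r32, r/m32) in its mod=10 form: a 32-bit displacement
   follows the ModRM byte and there is no SIB byte. ModRM = mod(2) reg(3) rm(3),
   so 0x80 = 10 000 000 = [disp32 follows], eax, [eax]. Writes CE-style text
   into out and returns the instruction length, or 0 if not that form. */
size_t decode_mov_r32_disp32(const uint8_t *p, size_t n, char *out, size_t outsz)
{
    if (n < 6 || p[0] != 0x8B) return 0;
    uint8_t mod = p[1] >> 6, reg = (p[1] >> 3) & 7, rm = p[1] & 7;
    if (mod != 2 || rm == 4) return 0;            /* rm == 4 means a SIB byte follows */
    uint32_t disp = (uint32_t)p[2] | (uint32_t)p[3] << 8 |
                    (uint32_t)p[4] << 16 | (uint32_t)p[5] << 24;   /* little-endian */
    snprintf(out, outsz, "mov %s,[%s+%08x]", reg32[reg], reg32[rm], (unsigned)disp);
    return 6;
}

/* The inverse, a one-form "instruction to bytes converter": assemble
   mov <dst>,[<base>+disp32] into 6 bytes. Register numbers follow the
   reg32 table (eax=0 ... edi=7). Returns bytes written, or 0 on bad input. */
size_t encode_mov_r32_disp32(int dst, int base, uint32_t disp, uint8_t out[6])
{
    if (dst < 0 || dst > 7 || base < 0 || base > 7 || base == 4) return 0;
    out[0] = 0x8B;
    out[1] = (uint8_t)((2 << 6) | (dst << 3) | base);
    for (int i = 0; i < 4; i++)
        out[2 + i] = (uint8_t)(disp >> (8 * i));  /* low byte first */
    return 6;
}

/* Array-of-bytes scan: offset of the first match of pat in buf, or -1. */
long find_bytes(const uint8_t *buf, size_t n, const uint8_t *pat, size_t m)
{
    if (m == 0 || m > n) return -1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, pat, m) == 0) return (long)i;
    return -1;
}

/* Overwrite len bytes at off with 0x90 (nop), bounds-checked. Returns 1 on success. */
int nop_patch(uint8_t *buf, size_t n, size_t off, size_t len)
{
    if (off > n || len > n - off) return 0;
    memset(buf + off, 0x90, len);
    return 1;
}

/* Decode into a static buffer so callers can compare the text directly;
   returns "" when the bytes are not a mov r32,[r32+disp32]. */
const char *decode_at(const uint8_t *p, size_t n)
{
    static char text[64];
    return decode_mov_r32_disp32(p, n, text, sizeof text) ? text : "";
}

/* The whole workflow the thread describes: scan for the instruction's bytes,
   decode them to learn the instruction length, then nop exactly that many
   bytes. Returns 1 if the patch was applied, 0 if nothing was found. */
int nop_the_post_instruction(uint8_t *code, size_t n)
{
    static const uint8_t pat[6] = { 0x8B, 0x80, 0x0C, 0x03, 0x00, 0x00 };
    long off = find_bytes(code, n, pat, sizeof pat);
    if (off < 0) return 0;
    char text[64];
    size_t len = decode_mov_r32_disp32(code + off, n - (size_t)off, text, sizeof text);
    if (len == 0) return 0;
    printf("offset %ld: %s  (%zu bytes)\n", off, text, len);
    return nop_patch(code, n, (size_t)off, len);    /* 6 bytes -> 90 90 90 90 90 90 */
}

int main(void)
{
    uint8_t enc[6];
    encode_mov_r32_disp32(0, 0, 0x30c, enc);        /* eax, [eax+30c] */
    printf("assembled:");
    for (int i = 0; i < 6; i++) printf(" %02x", enc[i]);
    printf("\n");
    nop_the_post_instruction(g_code, G_CODE_LEN);
    printf("patched  :");
    for (size_t i = 0; i < G_CODE_LEN; i++) printf(" %02x", g_code[i]);
    printf("\n");
    return 0;
}
```

The decoder deliberately handles only the one encoding form from the post (opcode 8B, mod=10, no SIB); a real disassembler such as CE's has to handle every mod value, the SIB byte, prefixes and the other opcodes, which is where the size of assemblerunit.pas comes from. The practical lesson survives the simplification: nop by instruction length, never by "one byte", or the leftover 0c 03 00 00 gets decoded as the start of some other instruction.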
