Cheat Engine Forum (The Official Site of Cheat Engine) - General Gamehacking

Hit the wall with Dishonored
Dlve (Advanced Cheater, Reputation: 0, Joined: 24 Feb 2014, Posts: 54)
Posted: Wed Mar 12, 2014 4:14 pm

Alright! That was an excellent explanation. That's how Geri should've done it.

So money value is in [esi+04] right, and let's assume here that when offset is 10 the value is 1 only for the "address" that accesses money. I'm not sure if address is the correct term there but I hope you understand.

How would I write this script correctly?
Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(value)
registersymbol(value)

newmem:
cmp [esi+10],1
jne returnhere
mov [value],esi
mov eax,[esi+04]
test ebx,ebx
jmp returnhere

value:
dd 0

"Dishonored.exe"+80B508:
jmp newmem
returnhere:

[DISABLE]
dealloc(newmem)
"Dishonored.exe"+80B508:
mov eax,[esi+04]
test ebx,ebx
//Alt: db CC 46 04 85 DB

unregistersymbol(value)

++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Wed Mar 12, 2014 4:50 pm

If what you're saying is true, then yes, the above script should work - after you add the custom 'value' address in your cheat table (after you have enabled the script).

One thing you might look at, however, is what the value type is at offset +10. If the value type is float, for example, then you would need to write it out like this for a proper compare:

Code:
cmp [esi+10],(float)1.0

Also, unless you specify, all values in your script will be hexadecimal. So, for example, if you know that the value at offset +10 is, say, 90 (decimal), then you would need to write your script like this:

Code:
cmp [esi+10],#90    //decimal format

or

Code:
cmp [esi+10],5A    //hexadecimal format

You can use windows calculator under 'programmer' version to convert dec/hex, or, you can 'change element' in the data structure to see what the value would be by changing it to byte, 2 byte, 4 byte, double, 8 byte, float, hexadecimal/decimal etc.

Dlve (Advanced Cheater, Reputation: 0, Joined: 24 Feb 2014, Posts: 54)
Posted: Sat Mar 15, 2014 1:45 pm

++METHOS wrote:
    If what you're saying is true, then yes, the above script should work - after you add the custom 'value' address in your cheat table (after you have enabled the script).

I see, I was hoping there was something wrong with the script. I've checked a few times that when the offset is +B8 the value is 2 for the correct address but my game keeps crashing when I enable the script. Would that indicate that my assumption is wrong or are there some other reasons for the crash? The type of the value is 4 bytes.

++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Sun Mar 16, 2014 12:01 am

Not sure what this script is for, but the game could be crashing because of this:

cmp [esi+10],1
jne returnhere

Whatever you are filtering out here is jumping over your original code:

mov eax,[esi+04]
test ebx,ebx

So, the above code is not getting executed for the filtered address(es), which is probably causing the crash. You can try this, instead:

Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(value)
registersymbol(value)

newmem:
cmp [esi+10],1
jne originalcode
mov [value],esi
jmp originalcode

originalcode:
mov eax,[esi+04]
test ebx,ebx
jmp returnhere

value:
dd 0

"Dishonored.exe"+80B508:
jmp newmem
returnhere:

[DISABLE]
dealloc(newmem)
"Dishonored.exe"+80B508:
mov eax,[esi+04]
test ebx,ebx
//Alt: db CC 46 04 85 DB

unregistersymbol(value)

Dlve (Advanced Cheater, Reputation: 0, Joined: 24 Feb 2014, Posts: 54)
Posted: Sun Mar 16, 2014 2:46 pm

Thank you, that script works much better.

Man, this game is one tough nut to crack. I started dissecting the data, copied the data to Notepad and then loaded a different save. It took me an hour to find values that matched across different saves, but, what do you know, the values change once you close and reopen the game. If you've run into similar problems I'd really appreciate some advice...

++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Sun Mar 16, 2014 3:26 pm

It gets easier with experience. Eventually, you will get a better idea about what to look for and how to look for it. For most games, just digging deeper, inside pointer trees, you can find everything you need. Not only ID for everything, but you may find that everything is connected - health, coordinates, ID, speed, everything. With that information, you can use the base address for the targeted structure and build a table that has everything you need, all in one script.

Anyway, one way I speed things up is by using a screen capture program (snagit or some other 'print screen' utility). I also have 3 monitors, so comparing 20+ structures at the same time is not a problem for me. I find that this really helps to find good offsets, because the more you can compare, the more likely you are to see which offsets are really worth looking at.

Typically, I can find a good compare without needing to compare screen captures. You can test your filter by enabling your script and following the code to your code cave. There, you can use the 'find what addresses this instruction accesses' on the code that is being filtered. By doing so, you can see if anything else is getting through. Of course, whether you are comparing screen captures or examining code with the debugger, it is always best to close out the game each time, before checking the validity and reliability of your filter(s).

Other things can be done, such as locking your structure and comparing it against an identical structure (be sure to set your update interval to 1). This allows you to see, in real-time, which offsets are static and which offsets are obviously dynamic (i.e. no good).

You can also change the element for each/every offset since CE isn't always correct (and) to give you a better idea if the offset is good for your compare. You may even find a pointer tree that you didn't even know was there.

Also, just because the instruction(s) has an offset of +4 (e.g. [esi+04]), doesn't mean that the structure base is at offset -4. Sometimes, it goes beyond that. On one game, I had an ID that I used for my compare, that had an offset of -F4...it just depends on how big the targeted structure actually is.

You can also use the structure spider to find similarities between other hero values/structures etc., and you may find that you do not even need to use a compare (or) you can use a totally different instruction that handles a totally different value, and use that to create a filter for you.

You can also compare against a stable pointer, and use that to compare against the value of the register that is being used to carry your targeted value.

Really, you can create an ID, but that is not really recommended.

Most things you will not understand until later because they take time to learn and there are not tutorials available for everything. If I were you, I would focus on comparing your targeted structure against unwanted structures and also learn about digging deeper inside pointer trees and comparing those values to use for your compare.

Dlve (Advanced Cheater, Reputation: 0, Joined: 24 Feb 2014, Posts: 54)
Posted: Mon Mar 17, 2014 9:32 am

I can't figure out how I can implement the offset to the script from the pointer tree.

++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Mon Mar 17, 2014 10:09 am

Let's say your instruction is this:

mov [esi+04],edx

Let's say your targeted address (for health or something) is this:

002B4108

If you dissect data structures on your targeted address, you will have this in the data structures text box:

002B4108-4

Now, let's say you find a pointer tree at offset +C, and inside that pointer tree was another pointer tree at offset +24, and inside that pointer tree was an ID value at offset +48, you could do this:

Code:
push edi                  //any register should do
mov edi,[esi+C]           //first pointer tree
mov edi,[edi+24]          //second pointer tree...notice esi changed to edi
mov edi,[edi+48]          //value at offset 48 inside second pointer tree
cmp edi,ID_value          //ID value will be 4 byte hex unless you specify
pop edi                   //we are done with this, so we must pop edi
jne originalcode          //anything that doesn't match your ID value will jump over to originalcode

This is one way to do it.
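As an added illustration (not from the thread and not Cheat Engine's own code), this Python model walks the same three-level pointer tree over a constructed 32-bit little-endian memory image and applies the ID compare, so the filter logic of the snippet above can be checked offline. The addresses, offsets, the second "NPC" structure and the ID value are all constructed for the example.

```python
import struct

# Constructed 32-bit little-endian memory image (addresses 0x000-0x3FF); not real game memory.
MEM = bytearray(0x400)


def write_dword(mem, addr, value):
    struct.pack_into("<I", mem, addr, value & 0xFFFFFFFF)


def read_dword(mem, addr):
    """A 4-byte read, i.e. the effect of mov reg,[addr]."""
    return struct.unpack_from("<I", mem, addr)[0]


def walk_pointer_tree(mem, base, offsets):
    """Follow pointer offsets from a structure base and return the final dword.

    With offsets (0xC, 0x24, 0x48) this is the register walk from the post above:
        mov edi,[esi+C]      ; first pointer tree
        mov edi,[edi+24]     ; second pointer tree
        mov edi,[edi+48]     ; ID value inside the second pointer tree
    """
    cur = base
    for off in offsets:
        cur = read_dword(mem, cur + off)
    return cur


def id_filter_matches(mem, esi, offsets, id_value):
    """True when 'cmp edi,ID_value' would compare equal, so 'jne originalcode' is not taken."""
    return walk_pointer_tree(mem, esi, offsets) == id_value


# Two structures with the same layout (constructed): the player's at 0x100 and an NPC's at 0x180.
# +C points at a sub-structure whose +24 points at a third structure holding the ID at +48.
PLAYER, NPC = 0x100, 0x180
CHAIN = (0xC, 0x24, 0x48)
PLAYER_ID = 26  # decimal 26, as a data-structure view in decimal mode would show it (hex 1A)
for base, sub, third, ident in ((PLAYER, 0x200, 0x300, PLAYER_ID), (NPC, 0x280, 0x380, 7)):
    write_dword(MEM, base + CHAIN[0], sub)
    write_dword(MEM, sub + CHAIN[1], third)
    write_dword(MEM, third + CHAIN[2], ident)

if __name__ == "__main__":
    for name, esi in (("player", PLAYER), ("npc", NPC)):
        found = walk_pointer_tree(MEM, esi, CHAIN)
        print(f"{name}: esi={esi:08X} id={found:X}h  cmp edi,1A -> {id_filter_matches(MEM, esi, CHAIN, 0x1A)}")
```

Comparing against 0x26 (what a bare `26` in the script means) matches neither structure, which is the mismatch discussed further down the thread.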

Dlve (Advanced Cheater, Reputation: 0, Joined: 24 Feb 2014, Posts: 54)
Posted: Mon Mar 17, 2014 11:06 am

Thank you very much for that. It would've taken me at least ten years to come up with that myself.

I need an opinion about this code:
Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(value)
registersymbol(value)

newmem:
push edi
mov edi,[esi]
mov edi,[edi+54]
cmp edi,26
pop edi
jne originalcode
mov [value],esi
jmp originalcode

originalcode:
mov eax,[esi+04]
test ebx,ebx
jmp returnhere

value:
dd 0

"Dishonored.exe"+80B508:
jmp newmem
returnhere:

[DISABLE]
dealloc(newmem)
"Dishonored.exe"+80B508:
mov eax,[esi+04]
test ebx,ebx
//Alt: db CC 46 04 85 DB

unregistersymbol(value)


So the pointer tree is at offset 0, and in the pointer tree at offset 54 is a 4 byte value 26. So the question is shouldn't this script be working when I enable it?

++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Mon Mar 17, 2014 1:04 pm

1. Use [esi+0] for pointer tree at offset +0
2. Be sure that the value at offset +54 is 26 in hex, not decimal. If the value in your data structure is shown in decimal (this can be changed), then the value that you need to compare with is actually 1A (hex equivalent of 26)

You can compare against both, decimal and hexadecimal. In assembly, the value will default to hex unless otherwise specified. Here, you can see how you would compare both, depending on which data type you choose:

Code:
cmp edi,#26   //decimal
cmp edi,1A    //hexadecimal


These compares do the same thing, but the data is interpreted differently based on how you write them.

(hex) 26 = (dec) 38
(dec) 26 = (hex) 1A

You can use windows calculator (in programmer mode) to convert Dec/Hex etc. In the data structure window of CE, you can also change the element type and it will give you the hex/decimal/byte/2 byte/4 byte/float/double/8 byte/string etc. representation of that selected offset. The same thing can be done in your cheat table by changing the value type and by specifying hex or decimal etc.

Dlve (Advanced Cheater, Reputation: 0, Joined: 24 Feb 2014, Posts: 54)
Posted: Tue Mar 18, 2014 11:21 am

++METHOS wrote:
    1. Use [esi+0] for pointer tree at offset +0
    2. Be sure that the value at offset +54 is 26 in hex, not decimal. If the value in your data structure is shown in decimal (this can be changed), then the value that you need to compare with is actually 1A (hex equivalent of 26)

Much appreciated. I got the script working. I was confused about the decimal thing. I kind of still am. Tell me if I'm wrong, but is it so that there are a total of three value types, and they are either float, hex or decimal, which means that I can't just use the cmp command to compare with a bare number like I did in the script I posted?

++METHOS (I post too much, Reputation: 92, Joined: 29 Oct 2010, Posts: 4197)
Posted: Tue Mar 18, 2014 11:45 am

There are other data types, but they are generally handled in two different formats - hexadecimal or decimal. You may still need to specify which data type you are using (e.g. byte, 2 byte, 4 byte, 8 byte, double, float, etc.). Some people use ONLY decimal because it's easier for them to work with. For example, if you want your ammo in a game to be 999, it's a lot easier to just write #999 in your script than to write it as 000003E7. Same with float...you can write (float)1.0, or, 3f800000. They are the same thing, but one is a lot easier to remember.

The different data types can be specified in your script, as well as decimal/hexadecimal...for example:

byte
word
dword
qword
(float)
etc...

You can have something like:

mov byte ptr [ecx],#128

Which specifies the data type as 'byte', and represents the value as decimal. The same thing can be done by representing the value as hexadecimal:

mov byte ptr [ecx],80

In other words...the data types are not the same thing as the language used. English and French can both be used to say hello to someone, but English may be easier for us to work with.

An example...

We can use metric or imperial to represent the distance between two points, but we must still specify the unit of measurement that is being used (e.g. mile, inch, meter or kilometer etc.).

Just as 1.5 feet can be written as 1'-6"...but as long as we know the unit of measurement (feet inches), we can work it out.
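Added example, not from the thread and not Cheat Engine's own code: a small Python model of the immediate rules described in the last two ++METHOS posts (bare digits are hex, a leading `#` is decimal, `(float)x` is the IEEE-754 single bit pattern) together with a reader that shows one memory location under each "change element" type. The parsing rules are taken from the posts; the sample memory bytes are constructed.

```python
import struct


def aa_immediate(text):
    """Return the 32-bit pattern the auto assembler uses for an immediate.

    Rules as stated in the thread: bare digits are hexadecimal ('1A'), a leading '#'
    means decimal ('#26'), and '(float)x' is the IEEE-754 single-precision pattern of x.
    """
    text = text.strip()
    if text.lower().startswith("(float)"):
        return struct.unpack("<I", struct.pack("<f", float(text[len("(float)"):])))[0]
    if text.startswith("#"):
        return int(text[1:], 10) & 0xFFFFFFFF
    return int(text, 16) & 0xFFFFFFFF


def dword_hex(value):
    """Hex spelling of a dword as it would be written in a script without the '#' prefix."""
    return f"{value & 0xFFFFFFFF:08X}"


def interpretations(mem, addr):
    """Read one location the way each 'change element' type in Dissect data shows it."""
    raw = bytes(mem[addr:addr + 8])
    return {
        "byte": raw[0],
        "2 bytes": struct.unpack_from("<H", raw)[0],
        "4 bytes": struct.unpack_from("<I", raw)[0],
        "4 bytes hex": dword_hex(struct.unpack_from("<I", raw)[0]),
        "8 bytes": struct.unpack_from("<Q", raw)[0],
        "float": struct.unpack_from("<f", raw)[0],
        "double": struct.unpack_from("<d", raw)[0],
    }


# Constructed memory: float 1.0 at +0, then the dword 999 at +4 (the thread's ammo example), then padding.
SAMPLE = struct.pack("<f", 1.0) + struct.pack("<I", 999) + bytes(8)

if __name__ == "__main__":
    for imm in ("26", "#26", "1A", "(float)1.0", "3f800000", "#999", "#128", "80"):
        print(f"{imm:>12} -> {dword_hex(aa_immediate(imm))} (decimal {aa_immediate(imm)})")
    for kind, value in interpretations(SAMPLE, 0).items():
        print(f"{kind:>12}: {value}")
```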
Page 4 of 4