Cheat Engine The Official Site of Cheat Engine
densjizz How do I cheat? Reputation: 0
Joined: 20 May 2014 Posts: 3
Posted: Tue May 20, 2014 5:37 pm Post subject: Static addresses and pointers question aimed at Gurus
First of all I want to say that I am new to this.
So I used Cheat Engine to read the memory of a game to get a list of the players' names.
I used pointer scanners, so this is what I got.
This is where the game stores the first player's name:
Code: ("game.dll" + 0x12345) + (0xAE7) + (0x0) + (0xA)
and if I add 104 to 0xA I get the next player's name, and so on.
So can I deduce that the object at (0xA) is the first of the list and that (0x0) would be the base of the list?
Now since I am using pointers I can get this any time the game closes and opens, no problem. The problem is that I cannot find a way to keep that pointer valid after a patch; the game updates often with very small patches, and that often breaks my pointers, probably because the distance between the offsets changed.
Now I am wondering how I could keep it so that each time the game updates I can still get the pointers correctly. Also I notice that the value stored in ("game.dll" + 0x12345) is also located inside a static variable; would that help me? Any reply or resources on the subject would be very much appreciated. Thanks a lot!
PS: sorry for the bad English.
Gniarf Grandmaster Cheater Supreme Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Tue May 20, 2014 8:02 pm
Somewhere in the game's code it's written "read the 4 bytes at game.dll + 0x12345", and after a patch it could become "read the 4 bytes at game.dll + 0x12543", but you can write an auto assembler script that will locate that piece of code and fetch game.dll + 0x12345 from there.
Here's a little example based on step 6 (pointers) of CE's tutorial. For me the data was at address [[Tutorial-i386.exe+231360]+0], so add "Tutorial-i386.exe+231360" to the cheat table, right click on it -> "Find out what accesses this address", make the value change and you'll see four "mov e**, [00631360]", each of which means "read the 4 bytes at 00631360 (= Tutorial-i386.exe+231360)". In a real-life scenario, just changing the data might not be enough for the pointer base to be accessed (if the game made copies of intermediary pointers), so you might need to fiddle some more: change maps, get back to the main menu...
Anyway, when you've got at least one "mov e**, [Some constant]", select it and click "Show disassembler"; you'll see something like:
Code:
Tutorial-i386.exe+2685E - E8 FD4BFEFF - call Tutorial-i386.exe+B460
Tutorial-i386.exe+26863 - E8 B86BFEFF - call Tutorial-i386.exe+D420
Tutorial-i386.exe+26868 - 50 - push eax
Tutorial-i386.exe+26869 - 85 C0 - test eax,eax
Tutorial-i386.exe+2686B - 0F85 DA000000 - jne Tutorial-i386.exe+2694B
Tutorial-i386.exe+26871 - A1 60136300 - mov eax,[Tutorial-i386.exe+231360] <- highlighted line
Tutorial-i386.exe+26876 - 8B 00 - mov eax,[eax]
Tutorial-i386.exe+26878 - 89 45 F4 - mov [ebp-0C],eax
Tutorial-i386.exe+2687B - B8 E8030000 - mov eax,000003E8
Tutorial-i386.exe+26880 - E8 FB62FEFF - call Tutorial-i386.exe+CB80
Tutorial-i386.exe+26885 - 89 45 F0 - mov [ebp-10],eax
Tutorial-i386.exe+26888 - C7 45 EC 00000000 - mov [ebp-14],00000000
Tutorial-i386.exe+2688F - EB 3E - jmp Tutorial-i386.exe+268CF
You then have to build an auto assembler script to locate the "mov eax,[Tutorial-i386.exe+231360]" (because it contains the Tutorial-i386.exe+231360 we want).
Aobscan tutorial: read sections 5 (AOB) and 6 (A good signature).
One thing Rydian forgot to say: you can make your AOB signature start anywhere and it can have any length. Just copy-paste your signature (with wildcards) into the main scanner, select type = array of bytes, right click on "Writable" -> preset: scan all memory, then do a first scan. If there is more than one result, try another signature.
A pointer base locator will look like this:
Code:
[enable]
// the ?? wildcards cover the 4-byte address, which is what moves between patches
aobscan(MarkerForPointerBase,A1 ?? ?? ?? ?? 8B 00 89 45 F4 B8 E8 03 00 00) // this will set MarkerForPointerBase=Tutorial-i386.exe+26871
label(PointerBase)
registersymbol(PointerBase)
MarkerForPointerBase+1: // set PointerBase=MarkerForPointerBase+1
PointerBase: // the +1 comes from 'there is only one byte (A1) in "A1 60136300" before the final pack of 4 bytes'
[disable]
unregistersymbol(PointerBase) // so a stale address can't be used once the script is off
Last step is to manually add an address (pointer) to the cheat table with its base at "PointerBase" (CE will recognize the text from your AA script once you activate it), its first/bottom offset = 0, and above that the offsets you found (AE7, 0 and A for you; one more 0 for me).
Next time the game updates, your AA script should find the updated "mov e**,[game.dll + 0x12345]" if your signature is good enough; otherwise you'll have to add more wildcards or try another one, so I suggest you keep a copy of what the disassembler showed you to see what changed and what didn't (and probably won't) change.
densjizz wrote:
    This is where the game stores the first player's name:
    Code: ("game.dll" + 0x12345) + (0xAE7) + (0x0) + (0xA)
    and if I add 104 to 0xA I get the next player's name, and so on.
    So can I deduce that the object at (0xA) is the first of the list and that (0x0) would be the base of the list?
If you mean that [[["game.dll" + 0x12345]+AE7]+0]+0 is the base of the list, then my answer is yes.
_________________
DO NOT PM me if you want help on making/fixing/using a hack.
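The pointer path from densjizz's first post, [[["game.dll" + 0x12345]+AE7]+0]+A, and the relocated version Gniarf describes (base "PointerBase", bottom offset 0, then AE7, 0, A), walked over a constructed memory image. This is an added example, not code from the thread or from Cheat Engine; the module base 0x10000000, every heap address, the code address used as the marker and the player names are made up for the example. It shows the order in which CE applies a pointer's offsets (bottom offset first, each one added after a 4-byte read) and why the relocated table needs that extra 0 at the bottom.

```python
"""Resolving a Cheat Engine-style pointer path over a fake memory image.

Added example, not part of the forum thread or of Cheat Engine. All addresses
and names below are constructed; a real tool would replace MemoryImage.read
with ReadProcessMemory (or /proc/<pid>/mem) on the target process.
"""
import struct
from typing import Dict, List


class MemoryImage:
    """Sparse fake process memory: region start -> bytes."""

    def __init__(self) -> None:
        self.regions: Dict[int, bytearray] = {}

    def write(self, addr: int, data: bytes) -> None:
        self.regions[addr] = bytearray(data)

    def read(self, addr: int, size: int) -> bytes:
        for start, blob in self.regions.items():
            if start <= addr and addr + size <= start + len(blob):
                return bytes(blob[addr - start:addr - start + size])
        raise MemoryError(f"unreadable address {addr:#010x}")

    def read_u32(self, addr: int) -> int:
        return struct.unpack("<I", self.read(addr, 4))[0]

    def read_cstr(self, addr: int, max_len: int = 32) -> str:
        return self.read(addr, max_len).split(b"\0", 1)[0].decode("ascii")


def resolve_pointer(mem: MemoryImage, base: int, offsets: List[int]) -> int:
    """CE semantics: start at the base address; for each offset, listed bottom
    offset first, read a 32-bit pointer at the current address and add the offset."""
    addr = base
    for off in offsets:
        addr = mem.read_u32(addr) + off
    return addr


def player_names(mem: MemoryImage, base: int, offsets: List[int],
                 stride: int = 104, count: int = 3) -> List[str]:
    """First player's name is at the resolved address; the next ones are stride bytes apart."""
    first = resolve_pointer(mem, base, offsets)
    return [mem.read_cstr(first + i * stride) for i in range(count)]


# --- constructed layout (assumptions, not taken from any real game) ---
GAME_DLL = 0x10000000                 # assumed load address of game.dll
STATIC_SLOT = GAME_DLL + 0x12345      # the static pointer from the first post
WORLD, PLAYERS, LIST = 0x00A10000, 0x00A20000, 0x00A30000   # heap objects
OFFSETS = [0xAE7, 0x0, 0xA]           # bottom offset first, as CE lists them
NAME_STRIDE = 104
MARKER = GAME_DLL + 0x26871           # where 'A1 <imm32>' (mov eax,[imm32]) sits
POINTER_BASE = MARKER + 1             # Gniarf's PointerBase: the imm32 inside the instruction


def build_image() -> MemoryImage:
    mem = MemoryImage()
    mem.write(STATIC_SLOT, struct.pack("<I", WORLD))      # [game.dll+12345] -> world object
    mem.write(WORLD + 0xAE7, struct.pack("<I", PLAYERS))  # [world+AE7]      -> player container
    mem.write(PLAYERS + 0x0, struct.pack("<I", LIST))     # [container+0]    -> list base
    blob = bytearray(0xA + 3 * NAME_STRIDE + 32)
    for i, name in enumerate([b"alice", b"bob", b"carol"]):
        pos = 0xA + i * NAME_STRIDE                       # names at list+A, +A+104, ...
        blob[pos:pos + len(name)] = name
    mem.write(LIST, bytes(blob))
    # The instruction the aobscan finds: A1 imm32 = mov eax,[imm32]; the imm32 is the static slot.
    mem.write(MARKER, b"\xA1" + struct.pack("<I", STATIC_SLOT) + b"\x8B\x00")
    return mem


if __name__ == "__main__":
    mem = build_image()
    print(player_names(mem, STATIC_SLOT, OFFSETS))            # original table
    print(player_names(mem, POINTER_BASE, [0] + OFFSETS))     # relocated table: extra bottom 0
```

The second call is the table Gniarf has you build: its base is the address of the 4 bytes inside the instruction, so the extra bottom offset 0 reads those bytes to recover game.dll+0x12345 before the original chain continues.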
densjizz How do I cheat? Reputation: 0
Joined: 20 May 2014 Posts: 3
Posted: Tue May 20, 2014 11:04 pm
Thanks a lot! That is exactly what I was looking for. Would it be a good idea to try to search for the pattern using Cheat Engine's source/DLL, since I could have my application search for it automatically instead of doing it manually? Thanks again!
Gniarf Grandmaster Cheater Supreme Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Wed May 21, 2014 8:16 am
Cheat Engine source? What does the source code have to do with that?
It's simpler to use CE to scan for the signature when you're developing your hack, but once you've got it to work it makes more sense to use the same program to scan for the signature / find the pointer's base and to read/use the player names.
As for "searching it automatically": Cheat Engine will automatically search for the signature when you activate your AA script in the cheat table; the only time you have to manually scan for signatures is when you're developing your hack and checking if your signature is really unique.
_________________
DO NOT PM me if you want help on making/fixing/using a hack.
densjizz How do I cheat? Reputation: 0
Joined: 20 May 2014 Posts: 3
Posted: Wed May 21, 2014 9:27 am
I understand; I'm just saying that after I get the signature, I could use programming to get that base address automatically instead of having to go back to Cheat Engine, scanning it, and then opening the source of my hack and changing the values. I might be misunderstanding something; the way I see it is that I have to search memory for a pattern in something that allocates that player list, and once I've found it, it will always be the same object that allocates it unless they make major changes to the code. Once I get the signature, what is a proper way of streamlining it into my hack?
justa_dude Grandmaster Cheater Reputation: 23
Joined: 29 Jun 2010 Posts: 891
Posted: Wed May 21, 2014 11:43 am
No, it doesn't work that way unless the bit you're scanning for happens to be in a static location.
_________________
Next to the big gate there is always a small gate.
----------------------
Come on...
Gniarf Grandmaster Cheater Supreme Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Wed May 21, 2014 2:17 pm
densjizz wrote:
    I understand; I'm just saying that after I get the signature, I could use programming to get that base address automatically instead of having to go back to Cheat Engine, scanning it, and then opening the source of my hack and changing the values.
If I understand correctly, you have written a 3rd-party program that has nothing to do with CE, and this program reads the player names. In this case, yes, you should scan for the signature in your own program.
densjizz wrote:
    I might be misunderstanding something; the way I see it is that I have to search memory for a pattern in something that allocates that player list
Close, but not exactly that.
1. You have to find (a signature inside) a function that accesses your pointer base, but not necessarily the function that allocates the list.
2. You have to find (a signature inside) a function that accesses your pointer base, but not necessarily a function that accesses the player name list, i.e. if your pointer is like game.dll->world_object->list_of_players, then a function that accesses game.dll->world_object->list_of_birds will also read game.dll+xxxxx to get the world_object pointer, so it is good too.
densjizz wrote:
    once I've found it, it will always be the same object that allocates it unless they make major changes to the code.
More like "that function will always reference the base of my pointer unless they make...".
densjizz wrote:
    Once I get the signature, what is a proper way of streamlining it into my hack?
Start by putting "aobscan + your_programming_language" in the forum's search box. Then ask if you encounter insurmountable obstacles.
_________________
DO NOT PM me if you want help on making/fixing/using a hack.
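The signature scan that Gniarf's aobscan script performs inside CE, and that his later reply says a 3rd-party program should do for itself, written out as an added example; this is not code from the thread or from Cheat Engine. CODE_V1 is encoded from the disassembly listing quoted earlier in the thread, CODE_V2 is a constructed "after a small patch" version of the same routine (shifted by two bytes, with the call/jump displacements and the pointer base changed), and the module base 0x00400000 is an assumption; a real tool would read the module base from the target's module list and scan the module's code pages with ReadProcessMemory. It also enforces what the thread recommends: a signature that hits more than once is rejected rather than silently picking one.

```python
"""AOB (array-of-bytes) signature scan that recovers a pointer base from code bytes.

Added example, not code from the forum thread or from Cheat Engine. Finds the
single 'mov eax,[imm32]' that references the pointer base and pulls the 4-byte
absolute address out of the instruction, the way the thread's aobscan script
does with PointerBase = marker+1. Buffers and the module base are constructed.
"""
import re
import struct
from typing import List, Optional, Tuple

Pattern = List[Optional[int]]  # None = wildcard '??', int = exact byte value


def parse_signature(sig: str) -> Pattern:
    """'A1 ?? ?? 8B' -> [0xA1, None, None, 0x8B]; any other token is an error."""
    pattern: Pattern = []
    for tok in sig.split():
        if tok in ("??", "?"):
            pattern.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            pattern.append(int(tok, 16))
        else:
            raise ValueError(f"bad signature token {tok!r}")
    if not pattern:
        raise ValueError("empty signature")
    return pattern


def make_signature(code: bytes, wildcard_spans: List[Tuple[int, int]]) -> str:
    """Render code as a CE-style signature, masking each (start, length) span with '??'.
    Mask whatever a patch or relink can change: rel32 call targets, absolute addresses."""
    toks = [f"{b:02X}" for b in code]
    for start, length in wildcard_spans:
        for i in range(start, start + length):
            toks[i] = "??"
    return " ".join(toks)


def find_all(buf: bytes, pattern: Pattern) -> List[int]:
    """Every offset in buf where pattern matches (a wildcard matches any byte)."""
    n = len(pattern)
    return [pos for pos in range(len(buf) - n + 1)
            if all(p is None or buf[pos + i] == p for i, p in enumerate(pattern))]


def locate_pointer_base(buf: bytes, scan_base: int, sig: str,
                        imm_offset: int = 1) -> Tuple[int, int]:
    """Scan buf (mapped at virtual address scan_base) for sig, which must hit exactly
    once, like CE's aobscan. Returns (marker address, 32-bit absolute address stored
    imm_offset bytes into the matched instruction)."""
    hits = find_all(buf, parse_signature(sig))
    if len(hits) != 1:
        raise LookupError(f"signature is not unique: {len(hits)} hit(s)")
    marker = hits[0]
    (pointer_base,) = struct.unpack_from("<I", buf, marker + imm_offset)
    return scan_base + marker, pointer_base


MODULE_BASE = 0x00400000             # assumption: where Tutorial-i386.exe is loaded
SCAN_BASE = MODULE_BASE + 0x2685E    # VA of the first instruction in the listing
SIGNATURE = "A1 ?? ?? ?? ?? 8B 00 89 45 F4 B8 E8 03 00 00"

# Encoded from the disassembly listing quoted in the thread.
CODE_V1 = bytes.fromhex(
    "E8FD4BFEFF"        # call Tutorial-i386.exe+B460
    "E8B86BFEFF"        # call Tutorial-i386.exe+D420
    "50"                # push eax
    "85C0"              # test eax,eax
    "0F85DA000000"      # jne Tutorial-i386.exe+2694B
    "A160136300"        # mov eax,[00631360]  <- the pointer base is the imm32
    "8B00"              # mov eax,[eax]
    "8945F4"            # mov [ebp-0C],eax
    "B8E8030000"        # mov eax,000003E8
    "E8FB62FEFF"        # call Tutorial-i386.exe+CB80
    "8945F0"            # mov [ebp-10],eax
    "C745EC00000000"    # mov [ebp-14],00000000
    "EB3E"              # jmp Tutorial-i386.exe+268CF
)

# Constructed "after a small patch": two bytes inserted, displacements and the
# absolute address changed, the instruction sequence itself untouched.
CODE_V2 = bytes.fromhex(
    "9090"
    "E8005A0000" "E8B86BFEFF" "50" "85C0" "0F85E0000000"
    "A180136300"        # mov eax,[00631380]: the pointer base moved by 0x20
    "8B00" "8945F4" "B8E8030000" "E8FB62FEFF" "8945F0" "C745EC00000000" "EB3E"
)

if __name__ == "__main__":
    for build in (CODE_V1, CODE_V2):
        marker, base = locate_pointer_base(build, SCAN_BASE, SIGNATURE)
        print(f"marker {marker:#010x} (module+{marker - MODULE_BASE:X}) "
              f"-> pointer base {base:#010x} (module+{base - MODULE_BASE:X})")
```

make_signature(CODE_V1[0x13:0x13 + 15], [(1, 4)]) reproduces the thread's signature from the raw bytes; in a real module the scan buffer is the whole code section, which is where a second hit would surface and make the LookupError fire.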
densjizz How do I cheat? Reputation: 0
Joined: 20 May 2014 Posts: 3
Posted: Wed May 21, 2014 7:39 pm
Quote:
    If I understand correctly, you have written a 3rd-party program that has nothing to do with CE, and this program reads the player names. In this case, yes, you should scan for the signature in your own program.
Yes, exactly.
Quote:
    2. You have to find (a signature inside) a function that accesses your pointer base, but not necessarily a function that accesses the player name list, i.e. if your pointer is like game.dll->world_object->list_of_players, then a function that accesses game.dll->world_object->list_of_birds will also read game.dll+xxxxx to get the world_object pointer, so it is good too.
Got it!
Quote:
    Start by putting "aobscan + your_programming_language" in the forum's search box. Then ask if you encounter insurmountable obstacles.
I've seen this done already, by one guy doing this for a WoW bot. Thanks a lot, I will keep searching and reading. Thank you very much!