Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
[HELP] Finding base addresses. Specific to game issues.

 
iam87x
How do I cheat?
Reputation: 0

Joined: 24 Aug 2015
Posts: 8

Posted: Mon Aug 24, 2015 11:46 am    Post subject: [HELP] Finding base addresses. Specific to game issues.

Alright, so first off I apologize if I got a million eye rolls from everyone that's seen a somewhat similar thread 8 times in the last 24 hours. I promise that I did research, did the tutorials, read the tutorials page on here and searched these forums as well as Google and YouTube for possible solutions and have yet to find the answer. I will try to give as much detail as possible to try and push this along.

Game: Odallus: The Dark Call
CE 6.4
Issue: Can't find base address for health or sp. weps
Process:

I found out through the forums here that the Health and items were stored as "Byte" data as a decreasing value towards 255. For example, with 3 hearts filled, you count each whole heart as 4 bytes, thus making a total of 12 bytes. You take 12 and subtract it from 255 and get 243. Normal search, get hit, search procedures will leave you with a dynamic value that WILL freeze, add or remove your hearts based on custom input. (this was at 0910A9D2 for me)

Scanning what accesses this address gave me three options for taking dmg. All telling me the probable location is 0910A7C8 and offset is 20A. Hex search for 0910A7C8, gives me three options: 06D1B2E8, 0910A7D4, and 0B494CA4.

I set up a manual address, plug in the 20A offset and I chose 0B494CA4 first, the value is correct, so I checked what accesses it. No response. Not for taking dmg, adding health, walking, or anything. 0910A7D4 was the same way. 06D1B2E8 gives me about 12 things, only one of them goes active while taking dmg. Probable location is 0910A7C8 (same as above) and offset is ecx*8. ECX = 0000006A. 6A*8 = 350. Creating a manual address with two offsets with appropriate information ends up with ?? in the values slot. Here is how it ends up looking:

<20a> 00000000+20A = 0000020A
<350>[0910A7C8+350]->00000000
06D1B2E8 -> 0910A768

And now I'm stuck. Assistance please?

(ps, also tried pointer scanner, no dice. Get about 9000 results on the first scan, and 0 once I've reset the game and found the new address.)

(pss, the game changes pointer locations every time you go to the world map. So every time I switch levels I have to redo the process to find the location to freeze.)
Rydian
Grandmaster Cheater Supreme
Reputation: 31

Joined: 17 Sep 2012
Posts: 1358

Posted: Mon Aug 24, 2015 1:17 pm

If you insist on using pointers, then increase the offset and/or depth for the scan or try other methods here.
http://forum.cheatengine.org/viewtopic.php?t=572465

Otherwise the modern trend is AOB injection.
http://forum.cheatengine.org/viewtopic.php?t=570083

iam87x
How do I cheat?
Reputation: 0

Joined: 24 Aug 2015
Posts: 8

Posted: Tue Aug 25, 2015 5:11 pm

Thanks for the quick reply and those great links. I like the idea of the injections better than pointers so I am going to start working on getting my skills up in this category from here on out.

Now let me ask you about this. While following that video and reading the post that you wrote yourself and applying it to Odallus, I come to a point where, after adding the jmp and applying it from the cheat table, my character no longer does anything. He won't jump, walk, attack, or anything. Here is what I am looking at.

{ Game : Odallus.exe
Version:
Date : 2015-08-25
Author : 87x

This script does blah blah blah
}

define(address,"[b]Odallus.exe"+15175[/b])
define(bytes,89 8E 0A 02 00 00)

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat



assert(address,bytes)
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
//mov [esi+0000020A],ecx
[b]mov [esi+0000020A],ecx[/b]
jmp return


blah blah blah.

So, the things in bold are what I wanted to bring attention to. The address being the ".exe +15175", is there something I am missing here? Or is it just leaving out the "000" in the front?

Secondly, "mov [esi+0000020A],ecx". I have tried changing it to add or changing it to a NOP, but still get the same results. I also tried removing ECX and adding "1", which also froze my character's ability to move. I did figure out that ECX changes in value EVERY TIME I run the "show what writes to this address" function. ECX is equal to the HEX value in 4 bytes of my current health negative. Just follow me here: so if I have 3 hearts, each heart equaling 4 pieces, I have 12 health. So ECX would be FFFFFFF4.

FFFFFFF4 = 4294967284 (in 4 byte dec) = -12 (in byte dec)

Do you have any suggestions that you think could help me out?




EDIT.

I tried the "What accesses this address" in the disassembler as well and couldn't find a value for my character that wasn't accessed by everything else. Jumping, moving, using items, health, and gold all like to talk to each other for whatever reason... Unless I am missing something here.
Rydian
Grandmaster Cheater Supreme
Reputation: 31

Joined: 17 Sep 2012
Posts: 1358

Posted: Tue Aug 25, 2015 6:05 pm

Wait wait wait.

What are you trying to do, what steps did you take to get to that point, which script template did you use?

iam87x
How do I cheat?
Reputation: 0

Joined: 24 Aug 2015
Posts: 8

Posted: Tue Aug 25, 2015 8:57 pm

Here is what I did.

-Open game
-open cheat engine
-attach process
-go into level
-search 225 (byte)
-lose 1/4 heart
-search 226 (byte)
-lose 1/4 heart
-search 227 (byte)
-copy only value left to bottom table

This is where I tried two different approaches
Approach 1:
-Right click, "What writes to this address"
-Lose health
-1 value pops up
-walk around, do stuff in game
-still 1 value
-lose health
-1 value, increments go up on debugger as I lose health.
-Stop debugger
-Show in disassembler
-CTRL+A
-Bring up template
-AOB injection
-make changes
-Save to cheat table
-activate
-Game freezes.

Approach 2:
-Right click value, "What accesses this address"
-Lose health
-pick one of three values (tried all three by the end of this)
-Value search for 4byte hex
-Pick one of three values (tried all three by the end of this)
-None of them show results for "what accesses" or "what writes to" the address.


I did the same procedure above to find any variable I could think of that would be directly and only tied to my single character, to use what I read in your post: "Right-click the code and click "Find what addresses this instruction accesses" and you'll see a new window." All of the variables I found, health, gold, sp weapons, movement, lives, etc., were all accessed by all of the other items. So when I originally searched for health, I would get the "what accesses this" thing up from the assembler and it would start with about 2-5 things. As I would move around and casually play, new things would pop up, i.e., use of sp. weapon, gaining or losing health, going into a store, hitting a check point, gaining or losing gold, etc.

I am coming to the conclusion that this game is just "one of those games", or I am seriously not understanding the videos and text tutorials you have given me.

*EDIT*

For shit and grins I went back to pointers and did a pointer scan at the health address I found. Took it to 10 levels with 1024 max offset, but defined the last pointer level to be 20A (which it always is at the health value) and whittled down my list to 100~ options all with the same initial starting address. Added to the table, locked it. It worked. Changed levels, it reset itself, got ?? for my value. Checked the Pointer table and all 100~ options and the values column was going haywire for all of them.
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

Posted: Tue Aug 25, 2015 9:19 pm

May be a bit too advanced, but I would break and trace the instruction which first reads the address.
Give it a nice 10,000 instruction limit and follow your value as it moves between addresses.
Eventually, it will perform a SUB or DEC on the value.
If you're lucky, that subtraction won't be shared by other addresses.

You'll need to set up a little injection to filter out only when ESI equals the value related to your address.
Example below is what writes to your address, but your injection should be at what first accesses it.
Set your breakpoint on the NOP below.
Code:
newmem:
  cmp esi,########         // replace ######## with the object pointer that holds your health
  jne code                 // any other object skips straight to the original instruction
  nop                      // set the breakpoint here
code:
  mov [esi+0000020A],ecx   // the original write
"Odallus.exe"+15175:
  jmp newmem
  nop
return:
iam87x
How do I cheat?
Reputation: 0

Joined: 24 Aug 2015
Posts: 8

Posted: Tue Aug 25, 2015 9:37 pm

How does one, "Break and trace"?
Rydian
Grandmaster Cheater Supreme
Reputation: 31

Joined: 17 Sep 2012
Posts: 1358

Posted: Tue Aug 25, 2015 10:09 pm

Right-click on the line of code in the memory viewer and it's one of the options, the default settings will work. Next time the code is run it'll generate a new window showing what was done in which order.

Also, when you find the code that writes to your health, right-click it and "find what addresses this instruction accesses" and see if it modifies just your health, or a lot of other crap too.

iam87x
How do I cheat?
Reputation: 0

Joined: 24 Aug 2015
Posts: 8

Posted: Wed Aug 26, 2015 8:34 pm

Thanks for the help, y'all.

So I am working through this Break and trace instruction and the first thing on the list (from the top) is a + sign to expand some stuff.

Do I start from the top or do I start from the bottom? (like the first address was written but was pushed down by the next thing)

Also, when I come to something called "Call eax", it always has an expand option. Should I expand or just keep searching for the sub/dec?

And the last question: when I find a sub or dec and I click to see what addresses this instruction accesses, I get nothing (even after walking around or taking dmg). Does this mean it's only used by the initial address I clicked on, or should I skip it because nothing showed up on the list?

Btw, again, thanks for all the help, I learn best by doing, and I feel like I am getting some good practice here.

*EDIT*

Break and Trace finished with "no" results.
I found a bunch of Sub and Dec, but when I found them in the disassembler and clicked to see what accesses them, there was either 0 results or about 30. There were two that had 1 result: one of them had to do with the screen positioning (horizontal), and one for screen positioning (vertical).

Any thoughts?
Rydian
Grandmaster Cheater Supreme
Reputation: 31

Joined: 17 Sep 2012
Posts: 1358

Posted: Wed Aug 26, 2015 10:39 pm

The trace starts from the top. The expansions are there to show you where a function ends/begins and jumps/returns to/from another function. It's very common to have the function you started return to another function primarily.

If you're searching for the sub/dec, you can double-click either...
A - The first instruction after expanding everything.
B - The first instruction that comes after the first return of an indentation.
... and scroll up a bit, depending on the needs (in this case probably B).

You should be searching for things before the initial mov, not after. The trace is so you can see where the function you're looking at ends so you can find where it was called from and scroll up a bit.

iam87x
How do I cheat?
Reputation: 0

Joined: 24 Aug 2015
Posts: 8

Posted: Thu Aug 27, 2015 8:29 pm

So, in other words, break and trace and then go to the last item on the list and then slightly above that for items? I found all of the Sub/Dec earlier and my results were posted above.

If it isn't listed, or the Sub/dec isn't only used for the health, what are my other options?
Rydian
Grandmaster Cheater Supreme
Reputation: 31

Joined: 17 Sep 2012
Posts: 1358

Posted: Fri Aug 28, 2015 1:51 am

You want the first indentation back. If the trace looks something like this when you expand it all...

--xxx
--xxx
--xxx
-yyy
-yyy
zzz
zzz
zzz
zzz

Then you want to look at the first yyy thing, that will be the opcode right after the function you looked at returns. Double-click it to look at it in the memory viewer. Scroll up one opcode and that should be the jump/call to the function you looked at. So looking above that should get sub/decs that happened before the function you looked at was called.

This is assuming you didn't find the sub/dec by simply scrolling up a bit in the memory viewer after finding what writes/accesses initially...

Stregum
Advanced Cheater
Reputation: 0

Joined: 17 Jun 2014
Posts: 56
Location: We make baguettes there !

Posted: Fri Aug 28, 2015 5:04 am

If you don't get what rydian said, imagine there is one function in another.

Pseudocode
Code:

Hurt
{
    int damage = enemy.attack
    int playerDamage = player.hp - damage //here is your sub/dec
   
    ApplyDamage
    {
        player.hp = playerDamage //Here is your mov
    }
}


So right now you're in the ApplyDamage function, where your mov is.
You want to go back in the caller function, where the sub is.

You can do
- a break'n'trace as mentioned earlier
- or you can put a breakpoint, and where your game is 'breaked' you go to Debug -> Execute until return. Then you should see a call right above, that is the ApplyDamage function (I'm not sure about other subfunctions, but it works for me). You should scroll up a little bit, and eventually see a sub somewhere, if you're lucky enough. It depends on the game.

Quote:

This is assuming you didn't find the sub/dec by simply scrolling up a bit in the memory viewer after finding what writes/accesses initially...

^ What he said.
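An added C model, not code from the thread or from the game, of the structure Stregum's pseudocode and Zanzer's ESI filter describe: one shared store routine that writes the health field of every object (the "mov"), a caller that holds the subtraction (the "sub/dec"), and a write log filtered on the object pointer the way the cmp esi check filters the breakpoint. The struct layout, the write log and the sample values are constructed; the negated-dword encoding at offset 0x20A follows the FFFFFFF4 observation earlier in the thread and assumes a little-endian host.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model, not the game's code: the health field sits at
 * [object+0x20A] and holds the negated health as a 32-bit value, so
 * 12 quarter-hearts is stored as 0xFFFFFFF4 (little-endian host). */
#define HP_OFFSET 0x20A
#define LOG_MAX   64
struct entity { uint8_t raw[0x300]; };      /* opaque object memory */

/* Hypothetical write log standing in for "find what addresses this
 * instruction accesses": every object written by the shared store. */
static struct entity *write_log[LOG_MAX];
static int write_count = 0;

/* The shared "mov [esi+0000020A],ecx": one instruction, many objects,
 * which is why the access list keeps filling with unrelated hits. */
static void store_hp(struct entity *e, int32_t neg_hp) {
    memcpy(e->raw + HP_OFFSET, &neg_hp, sizeof neg_hp);
    if (write_count < LOG_MAX) write_log[write_count++] = e;
}
static int32_t load_hp(const struct entity *e) {
    int32_t v; memcpy(&v, e->raw + HP_OFFSET, sizeof v); return -v;
}
/* The caller: this is where the SUB the thread is hunting for lives. */
static void hurt(struct entity *e, int32_t damage) {
    int32_t hp = load_hp(e) - damage;       /* here is your sub/dec */
    store_hp(e, -hp);                       /* then the shared mov */
}
/* The single byte the initial byte scan sees (low byte of the dword). */
static uint8_t visible_byte(const struct entity *e) { return e->raw[HP_OFFSET]; }

/* Equivalent of the "cmp esi,########; jne code" filter: count only the
 * writes whose object pointer matches the one holding your health. */
static int writes_to(const struct entity *target) {
    int n = 0;
    for (int i = 0; i < write_count; i++) n += (write_log[i] == target);
    return n;
}

static struct entity player, enemy[3];
/* Scenario: player at 3 hearts (12 quarters), three enemies, one hit each. */
static int32_t run_scenario(void) {
    write_count = 0;
    store_hp(&player, -12);
    for (int i = 0; i < 3; i++) store_hp(&enemy[i], -20);
    hurt(&player, 1);                       /* lose a quarter heart */
    for (int i = 0; i < 3; i++) hurt(&enemy[i], 5);
    return load_hp(&player);                /* 11: 8 writes logged, 2 to player */
}
```

Without the pointer filter the log shows eight hits for one shared instruction; with it, only the two writes to the player's object remain, which is the same narrowing the cmp esi breakpoint gives in the debugger.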

All times are GMT - 6 Hours