Cheat Engine The Official Site of Cheat Engine
iam87x How do I cheat? Reputation: 0
Joined: 24 Aug 2015 Posts: 8
Posted: Mon Aug 24, 2015 11:46 am Post subject: [HELP] Finding base addresses. Specific to game issues.
Alright, so first off I apologize if I got a million eye rolls from everyone that's seen a somewhat similar thread 8 times in the last 24 hours. I promise that I did research, did the tutorials, read the tutorials page on here and searched these forums as well as Google and YouTube for possible solutions, and have yet to find the answer. I will try to give as much detail as possible to try and push this along.
Game: Odallus: The Dark Call
CE 6.4
Issue: Can't find base address for health or sp. weapons
Process:
I found out through the forums here that the health and items were stored as "Byte" data as a decreasing value towards 255. For example, with 3 hearts filled, you count each whole heart as 4 bytes, thus making a total of 12 bytes. You take 12 and subtract it from 255 and get 243. Normal search, get hit, search procedures will leave you with a dynamic value that WILL freeze, add or remove your hearts based on custom input. (This was at 0910A9D2 for me.)
Scanning what accesses this address gave me three options for taking damage, all telling me the probable location is 0910A7C8 and the offset is 20A. A hex search for 0910A7C8 gives me three options: 06D1B2E8, 0910A7D4, and 0B494CA4.
I set up a manual address, plugged in the 20A offset and chose 0B494CA4 first; the value is correct, so I checked what accesses it... No response. Not for taking damage, adding health, walking, or anything. 0910A7D4 was the same way. 06D1B2E8 gives me about 12 things, only one of them goes active while taking damage. The probable location is 0910A7C8 (same as above) and the offset is ecx*8. ECX = 0000006A. 6A*8 = 350. Creating a manual address with two offsets with the appropriate information ends up with ?? in the value slot. Here is how it ends up looking:

    <20a> 00000000+20A = 0000020A
    <350> [0910A7C8+350] -> 00000000
    06D1B2E8 -> 0910A768

And now I'm stuck. Assistance please?
(PS: also tried the pointer scanner, no dice. I get about 9000 results on the first scan, and 0 once I've reset the game and found the new address.)
(PPS: the game changes pointer locations every time you go to the world map. So every time I switch levels I have to redo the process to find the location to freeze.)
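Added example (not code from the thread or from Cheat Engine): a small Python model of how an address-list entry with a base address and a list of offsets is resolved, and why a zero pointer part-way through the chain shows up as "??". The memory image, the pointer slot at 06D1B2E8, the object at 0910A7C8 and the 0x350 and 0x20A offsets are constructed here purely as labels for the illustration, not a claim about the game's real layout.

```python
"""Resolve a multi-level pointer path over a constructed 32-bit memory image.

Added example; not code from the thread or from Cheat Engine.  It models
what CE's address list does for an entry with a base address and offsets:
read a pointer at the base, add the first offset, read a pointer there,
add the next offset, and so on.  Every address, byte and offset in
build_example_image() is constructed for this illustration.
"""
import struct

POINTER_SIZE = 4  # the game in the thread is a 32-bit process; use 8 for x64


class Memory:
    """Sparse little-endian memory image built from (address, bytes) chunks."""

    def __init__(self, chunks):
        self._bytes = {}
        for addr, data in chunks:
            for i, b in enumerate(data):
                self._bytes[addr + i] = b

    def read(self, addr, size):
        """Return `size` bytes at addr, or None if any byte is unmapped
        (the situation CE displays as '??')."""
        out = bytearray()
        for i in range(size):
            b = self._bytes.get(addr + i)
            if b is None:
                return None
            out.append(b)
        return bytes(out)

    def read_u8(self, addr):
        raw = self.read(addr, 1)
        return None if raw is None else raw[0]

    def read_ptr(self, addr, ptr_size=POINTER_SIZE):
        raw = self.read(addr, ptr_size)
        if raw is None:
            return None
        return struct.unpack("<I" if ptr_size == 4 else "<Q", raw)[0]


def resolve_pointer_path(mem, base, offsets, ptr_size=POINTER_SIZE):
    """Walk base -> [base]+offsets[0] -> [that]+offsets[1] -> ...

    Returns the final address, or None if any pointer on the way is
    unmapped or NULL.  A NULL in the middle of the chain is exactly what
    produces the '??' value column the thread describes."""
    addr = base
    for off in offsets:
        ptr = mem.read_ptr(addr, ptr_size)
        if not ptr:  # None (unmapped) or 0 (NULL pointer)
            return None
        addr = ptr + off
    return addr


def build_example_image():
    """Constructed image: a static slot at 0x06D1B2E8 holds a pointer to a
    player object at 0x0910A7C8; the object has a health byte at +0x20A and
    zeros everywhere else (including +0x350)."""
    player = 0x0910A7C8
    obj = bytearray(0x400)
    obj[0x20A] = 255 - 3 * 4  # 3 hearts, 4 quarters each, inverted encoding
    return Memory([
        (0x06D1B2E8, struct.pack("<I", player)),
        (player, bytes(obj)),
    ])


def read_health(mem, base, offsets):
    """Resolve the path and read the byte at the end of it, or None."""
    addr = resolve_pointer_path(mem, base, offsets)
    return None if addr is None else mem.read_u8(addr)


if __name__ == "__main__":
    mem = build_example_image()
    # one-level path: [06D1B2E8] + 20A -> 0910A9D2, value 243
    print(hex(resolve_pointer_path(mem, 0x06D1B2E8, [0x20A])))
    print(read_health(mem, 0x06D1B2E8, [0x20A]))
    # two-level path: the pointer read at +350 is zero, so the chain fails ('??')
    print(resolve_pointer_path(mem, 0x06D1B2E8, [0x350, 0x20A]))
```

CE's address list reads the same way from the bottom up: the bottom line is the base, each line above it is one more dereference plus offset. If any line shows a zero or an unmapped address on its right-hand side, the lines above it cannot resolve and the value column shows "??".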

Rydian Grandmaster Cheater Supreme Reputation: 31
Joined: 17 Sep 2012 Posts: 1358

iam87x How do I cheat? Reputation: 0
Joined: 24 Aug 2015 Posts: 8
Posted: Tue Aug 25, 2015 5:11 pm Post subject:
Thanks for the quick reply and those great links. I like the idea of the injections better than pointers, so I am going to start working on getting my skills up in this category from here on out.
Now let me ask you about this. While following that video and reading the post that you wrote yourself and applying it to Odallus, I come to a point where, after adding the jmp and applying it from the cheat table, my character no longer does anything. He won't jump, walk, attack, or anything. Here is what I am looking at.
Code:
    { Game   : Odallus.exe
      Version:
      Date   : 2015-08-25
      Author : 87x

      This script does blah blah blah
    }

    define(address,"Odallus.exe"+15175)   // <-- marked
    define(bytes,89 8E 0A 02 00 00)

    [ENABLE]
    //code from here to '[DISABLE]' will be used to enable the cheat
    assert(address,bytes)
    alloc(newmem,$1000)
    label(code)
    label(return)

    newmem:

    code:
      //mov [esi+0000020A],ecx
      mov [esi+0000020A],ecx   // <-- marked
      jmp return

    blah blah blah.
So, the two lines marked with "<--" are what I wanted to bring attention to. The address being ".exe+15175": is there something I am missing here, or is it just leaving out the "000" in the front?
Secondly, "mov [esi+0000020A],ecx". I have tried changing it to add, or changing it to a NOP, but still get the same results. I also tried removing ECX and adding "1", which also froze my character's ability to move. I did figure out that ECX changes in value EVERY TIME I run the "show what writes to this address" function. ECX is equal to the hex value, in 4 bytes, of my current health negated. Just follow me here: if I have 3 hearts, each heart equalling 4 pieces, I have 12 health. So ECX would be FFFFFFF4.
FFFFFFF4 = 4294967284 (in 4-byte decimal) = -12 (in signed decimal)
Do you have any suggestions that you think could help me out?
EDIT:
I tried the "What accesses this address" in the disassembler as well and couldn't find a value for my character that wasn't accessed by everything else. Jumping, moving, using items, health, and gold all like to talk to each other for whatever reason... unless I am missing something here.

Rydian Grandmaster Cheater Supreme Reputation: 31
Joined: 17 Sep 2012 Posts: 1358
Posted: Tue Aug 25, 2015 6:05 pm Post subject:
Wait wait wait.
What are you trying to do, what steps did you take to get to that point, which script template did you use?

iam87x How do I cheat? Reputation: 0
Joined: 24 Aug 2015 Posts: 8
Posted: Tue Aug 25, 2015 8:57 pm Post subject:
Here is what I did.
- Open game
- Open Cheat Engine
- Attach process
- Go into level
- Search 225 (byte)
- Lose 1/4 heart
- Search 226 (byte)
- Lose 1/4 heart
- Search 227 (byte)
- Copy the only value left to the bottom table
This is where I tried two different approaches.
Approach 1:
- Right click, "What writes to this address"
- Lose health
- 1 value pops up
- Walk around, do stuff in game
- Still 1 value
- Lose health
- 1 value; the count goes up in the debugger as I lose health
- Stop debugger
- Show in disassembler
- Ctrl+A
- Bring up template
- AOB injection
- Make changes
- Save to cheat table
- Activate
- Game freezes.
Approach 2:
- Right click value, "What accesses this address"
- Lose health
- Pick one of three values (tried all three by the end of this)
- Value search for 4-byte hex
- Pick one of three values (tried all three by the end of this)
- None of them show results for "what accesses" or "what writes to" the address.
I did the same procedure above to find any variable I could think of that would be directly and only tied to my single character, to use what I read in your post: "Right-click the code and click 'Find what addresses this instruction accesses' and you'll see a new window." All of the variables I found (health, gold, sp. weapons, movement, lives, etc.) were accessed by all of the other items. So when I would originally search for health, I would get the "what accesses this" window up from the disassembler and it would start with about 2-5 things. As I would move around and casually play, new things would pop up, i.e. use of sp. weapon, gaining or losing health, going into a store, hitting a checkpoint, gaining or losing gold, etc.
I am coming to the conclusion that this game is just "one of those games", or I am seriously not understanding the videos and text tutorials you have given me.
*EDIT*
For shits and grins I went back to pointers and did a pointer scan at the health address I found. Took it to 10 levels with 1024 max offset, but defined the last pointer level to be 20A (which it always is at the health value) and whittled down my list to ~100 options, all with the same initial starting address. Added to the table, locked it. It worked. Changed levels, it reset itself, got ?? for my value. Checked the pointer table and all ~100 options and the values column was going haywire for all of them.
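Added example (not code from the thread or from Cheat Engine), covering the scan/hit/scan routine listed in this post and the byte encoding described in the first post: a Python simulation of an exact-value byte scan against a constructed 4 KiB memory image. FakeGame, its health address 0x9D2 and its three decoy addresses are made up for the example. The one thing it is built to show beyond the post's own steps is that a counter which happens to step in lock-step with damage survives every exact-value rescan, and that one extra "unchanged value" rescan, taken after doing something that is not damage, removes it.

```python
"""Simulate the value-scan workflow used in the thread on a constructed
memory snapshot.

Added example; not code from the thread or from Cheat Engine.  The rule
it encodes comes from the posts: health is one byte, each heart is four
quarter-hearts, and the stored byte is 255 minus the quarter-hearts, so
it goes UP by one each time a quarter-heart is lost.  The FakeGame layout
and its decoy addresses are constructed for the example.
"""
import random

QUARTERS_PER_HEART = 4


def health_byte(quarter_hearts):
    """Inverted byte encoding described in the thread (3 hearts -> 243)."""
    return 255 - quarter_hearts


class FakeGame:
    """Constructed 4 KiB memory image standing in for the game process."""
    SIZE = 0x1000
    HEALTH_ADDR = 0x9D2      # arbitrary; chosen for the example
    COUNTER_ADDR = 0x100     # decoy: +1 on every game event, damage or not
    NOISE_ADDR = 0x200       # decoy: flips on every event
    STATIC_ADDR = 0x300      # decoy: equals health once, never changes

    def __init__(self, hearts=3, seed=1):
        rng = random.Random(seed)
        self.mem = bytearray(rng.randrange(256) for _ in range(self.SIZE))
        self.quarter_hearts = hearts * QUARTERS_PER_HEART
        self.mem[self.HEALTH_ADDR] = health_byte(self.quarter_hearts)
        for a in (self.COUNTER_ADDR, self.NOISE_ADDR, self.STATIC_ADDR):
            self.mem[a] = self.mem[self.HEALTH_ADDR]

    def _event(self):
        self.mem[self.COUNTER_ADDR] = (self.mem[self.COUNTER_ADDR] + 1) & 0xFF
        self.mem[self.NOISE_ADDR] ^= 0x5A

    def take_damage(self, quarters=1):
        self.quarter_hearts -= quarters
        self.mem[self.HEALTH_ADDR] = health_byte(self.quarter_hearts)
        self._event()

    def walk_around(self):
        """Something happens in the game, but health does not change."""
        self._event()

    def snapshot(self):
        return bytes(self.mem)


def first_scan(snapshot, value):
    """CE 'Exact value', Byte: every address holding `value`."""
    return {a for a, b in enumerate(snapshot) if b == value}


def next_scan_exact(candidates, snapshot, value):
    """CE 'Exact value' next scan over the surviving candidates."""
    return {a for a in candidates if snapshot[a] == value}


def next_scan_unchanged(candidates, before, after):
    """CE 'Unchanged value' next scan between two snapshots."""
    return {a for a in candidates if before[a] == after[a]}


def find_health(game, hits=2, unchanged_scan=True):
    """Scan for the expected byte, take `hits` quarter-hearts of damage
    re-scanning each time, then optionally do a non-damage action and keep
    only the addresses that did not move."""
    snap = game.snapshot()
    cands = first_scan(snap, health_byte(game.quarter_hearts))
    for _ in range(hits):
        game.take_damage()
        snap = game.snapshot()
        cands = next_scan_exact(cands, snap, health_byte(game.quarter_hearts))
    if unchanged_scan:
        before = snap
        game.walk_around()
        cands = next_scan_unchanged(cands, before, game.snapshot())
    return cands


if __name__ == "__main__":
    # exact-value rescans alone leave the lock-step counter in the list
    print(sorted(hex(a) for a in find_health(FakeGame(), unchanged_scan=False)))
    # one 'unchanged' rescan after walking around leaves only the health byte
    print(sorted(hex(a) for a in find_health(FakeGame())))
```

The same idea applies to the "what accesses" lists in the thread: an instruction or address that keeps pace with the value you care about is not necessarily the one that owns it, and the cheapest way to separate the two is a step where the thing you are hunting stays still while the rest of the game moves.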

Zanzer I post too much Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Tue Aug 25, 2015 9:19 pm Post subject:
May be a bit too advanced, but I would break and trace the instruction which first reads the address.
Give it a nice 10,000 instruction limit and follow your value as it moves between addresses.
Eventually, it will perform a SUB or DEC on the value.
If you're lucky, that subtraction won't be shared by other addresses.
You'll need to set up a little injection to filter out only when ESI equals the value related to your address.
The example below is what writes to your address, but your injection should be at what first accesses it.
Set your breakpoint on the NOP below.
Code:
    [ENABLE]
    alloc(newmem,$1000)
    label(code)
    label(return)

    newmem:
      cmp esi,########          // the ESI value seen for your character's object
      jne code
      nop                       // set your breakpoint on this NOP
    code:
      mov [esi+0000020A],ecx
      jmp return

    "Odallus.exe"+15175:
      jmp newmem
      nop
    return:

    [DISABLE]
    "Odallus.exe"+15175:
      db 89 8E 0A 02 00 00      // original bytes of mov [esi+0000020A],ecx
    dealloc(newmem)

iam87x How do I cheat? Reputation: 0
Joined: 24 Aug 2015 Posts: 8
Posted: Tue Aug 25, 2015 9:37 pm Post subject:
How does one, "Break and trace"?

Rydian Grandmaster Cheater Supreme Reputation: 31
Joined: 17 Sep 2012 Posts: 1358
Posted: Tue Aug 25, 2015 10:09 pm Post subject:
Right-click on the line of code in the memory viewer and it's one of the options; the default settings will work. Next time the code is run it'll generate a new window showing what was done in which order.
Also, when you find the code that writes to your health, right-click it and "Find what addresses this instruction accesses" and see if it modifies just your health, or a lot of other crap too.

iam87x How do I cheat? Reputation: 0
Joined: 24 Aug 2015 Posts: 8
Posted: Wed Aug 26, 2015 8:34 pm Post subject:
Thanks for the help, y'all.
So I am working through this break and trace instruction, and the first thing on the list (from the top) is a + sign to expand some stuff.
Do I start from the top or do I start from the bottom? (Like the first address was written but was pushed down by the next thing.)
Also, when I come to something called "call eax", it always has an expand option; should I expand, or just keep searching for the sub/dec?
And the last question: when I find a sub or dec and I click to see what addresses this instruction accesses, I get nothing (even after walking around or taking damage). Does this mean it's only used by the initial address I clicked on, or should I skip it because nothing showed up on the list?
BTW, again, thanks for all the help; I learn best by doing, and I feel like I am getting some good practice here.
*EDIT*
Break and trace finished with "no" results.
I found a bunch of sub and dec, but when I found them in the disassembler and clicked to see what accesses them, there were either 0 results or about 30. There were two that had 1 result: one of them had to do with the screen positioning (horizontal), and one with the screen positioning (vertical).
Any thoughts?

Rydian Grandmaster Cheater Supreme Reputation: 31
Joined: 17 Sep 2012 Posts: 1358
Posted: Wed Aug 26, 2015 10:39 pm Post subject:
The trace starts from the top. The expansions are there to show you where a function ends/begins and jumps/returns to/from another function. It's very common to have the function you started return to another function primarily.
If you're searching for the sub/dec, you can double-click either...
A - The first instruction after expanding everything.
B - The first instruction that comes after the first return of an indentation.
... and scroll up a bit, depending on the needs (in this case probably B).
You should be searching for things before the initial mov, not after. The trace is so you can see where the function you're looking at ends so you can find where it was called from and scroll up a bit.

iam87x How do I cheat? Reputation: 0
Joined: 24 Aug 2015 Posts: 8
Posted: Thu Aug 27, 2015 8:29 pm Post subject:
So, in other words, break and trace, then go to the last item on the list and then slightly above that for items? I found all of the sub/dec earlier and my results were posted above.
If it isn't listed, or the sub/dec isn't only used for the health, what are my other options?

Rydian Grandmaster Cheater Supreme Reputation: 31
Joined: 17 Sep 2012 Posts: 1358
Posted: Fri Aug 28, 2015 1:51 am Post subject:
You want the first indentation back. If the trace looks something like this when you expand it all...

    --xxx
    --xxx
    --xxx
    -yyy
    -yyy
    zzz
    zzz
    zzz
    zzz

Then you want to look at the first yyy thing; that will be the opcode right after the function you looked at returns. Double-click it to look at it in the memory viewer. Scroll up one opcode and that should be the jump/call to the function you looked at. So looking above that should get sub/decs that happened before the function you looked at was called.
This is assuming you didn't find the sub/dec by simply scrolling up a bit in the memory viewer after finding what writes/accesses initially...

Stregum Advanced Cheater Reputation: 0
Joined: 17 Jun 2014 Posts: 56 Location: We make baguettes there !
Posted: Fri Aug 28, 2015 5:04 am Post subject:
If you don't get what Rydian said, imagine there is one function in another.
Pseudocode
Code:
    /* the same pseudocode written as C: one function calling another */
    typedef struct { int hp; } Player;
    typedef struct { int attack; } Enemy;

    void ApplyDamage(Player *player, int playerHp)
    {
        player->hp = playerHp;                  /* here is your mov */
    }

    void Hurt(Player *player, Enemy *enemy)
    {
        int damage   = enemy->attack;
        int playerHp = player->hp - damage;     /* here is your sub/dec */
        ApplyDamage(player, playerHp);
    }
So right now you're in the ApplyDamage function, where your mov is.
You want to go back to the caller function, where the sub is.
You can do
- a break'n'trace as mentioned earlier
- or you can put a breakpoint, and when your game is 'broken' you go to Debug -> Execute until return. Then you should see a call right above; that is the ApplyDamage function (I'm not sure about other subfunctions, but it works for me). You should scroll up a little bit, and eventually see a sub somewhere, if you're lucky enough. It depends on the game.
Quote:
    This is assuming you didn't find the sub/dec by simply scrolling up a bit in the memory viewer after finding what writes/accesses initially...
^ What he said.