Cheat Engine Forum (The Official Site of Cheat Engine)
Multilevel Base-Pointer

 
Max89
PostPosted: Wed Oct 22, 2014 7:13 am    Post subject: Multilevel Base-Pointer

Hello, my name is Max and I am new to Cheat Engine. (v6.4)

I am currently trying to find a (multilevel) Base-Pointer and I am using
the things I have learned in the Cheat Engine Tutorial.exe.

The forum told me that I am not yet allowed to post URLs, so I had to
make a screenshot of my post with all images in it and upload it as an attachment... sorry!

Please look at the screenshot (which is just my post with images) and tell me what I am doing wrong here.



Attachment: ThreadScreenshot.png (screenshot of the whole post with images and description, 83.14 KB)



Max89
PostPosted: Wed Oct 22, 2014 4:31 pm    Post subject: Problem solved with AoB

Hello again.

I did not manage to solve my problems with pointers, but I have read about Array of Bytes (AoB)
and got it working with an Auto Assembler 'aobscan' script.

If I restart the game now, I just have to execute (checkbox) the script once and
then it shows all my values, since I stored them like this: '_base+offset' (as address).

I still want to know if I made something wrong with the pointers, or if it might be the game itself.
But for now, I got my Cheat Table working.

Dark Byte (Site Admin)
PostPosted: Wed Oct 22, 2014 5:02 pm

The registers shown are the values after the instruction has been executed.
mov eax,[eax] will overwrite eax, so don't go by the eax value.

Anyhow, you don't need to know what eax is, you only need to know the offset. mov eax,[eax] can be rewritten as mov eax,[eax+0000000000000000000000000000000000000000]
So, the offset is 0.
Now that you know the offset, you know the base.
You did a find what accesses on 9857cfe4.
So the base is 9857cfe4-0000000=9857cfe4.
So, search for an address that contains that address.

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
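The pointer chain Dark Byte describes, as an added example that is not code from the thread: a constructed 32-bit memory model with the two offsets seen here (0C from the first scan, then 0 from mov eax,[eax]), resolved in two "sessions" to show why a raw address from before a restart finds nothing afterwards. STATIC_BASE and the object/slot addresses are constructed; only 9857cfe4 is taken from the thread.

```python
# Added example, not code from the thread: a constructed 32-bit memory model
# (address -> dword) showing how a multilevel pointer is resolved and why a raw
# address from one session is useless in the next.

STATIC_BASE = 0x0048A1B0   # assumed static address (game.exe+offset), constructed
CHAIN = [0x0C, 0x00]       # offsets from the thread: 0C on the first scan, 0 from mov eax,[eax]

def build_image(obj_addr, slot_addr, value):
    """Constructed memory: [STATIC_BASE] -> obj, [obj+0x0C] -> slot, [slot+0] = value."""
    return {
        STATIC_BASE: obj_addr,          # 'an address that contains that address'
        obj_addr + 0x0C: slot_addr,     # offset 0C found by 'find out what accesses'
        slot_addr + 0x00: value,        # mov eax,[eax]: offset 0, the value itself
    }

# Session 1 uses the dynamic address quoted in the thread (9857cfe4); session 2 is a
# constructed 'after restart' layout where every dynamic address has moved.
SESSION1 = build_image(0x0C12F000, 0x9857CFE4, 42)
SESSION2 = build_image(0x0D3A0000, 0x0E44B2C0, 57)

def read_dword(mem, addr):
    """Read one dword; an unmapped address raises, the 'Found: 0' situation in the thread."""
    if addr not in mem:
        raise KeyError(f"unmapped read at {addr:#010x}")
    return mem[addr]

def resolve_chain(mem, base, offsets):
    """Walk base -> [base] -> [[base]+off0] ... and return the final address, the way a
    Cheat Engine pointer entry [[base]+0C]+0 is evaluated; the last offset is not dereferenced."""
    addr = read_dword(mem, base)
    for off in offsets[:-1]:
        addr = read_dword(mem, addr + off)
    return addr + offsets[-1]

def current_value(mem):
    """Value behind the pointer chain in a given session."""
    return read_dword(mem, resolve_chain(mem, STATIC_BASE, CHAIN))

def stale_address_still_valid(mem, addr):
    """True only if a raw address from an earlier session is still mapped now."""
    return addr in mem

if __name__ == "__main__":
    for name, mem in (("session 1", SESSION1), ("session 2", SESSION2)):
        print(name, hex(resolve_chain(mem, STATIC_BASE, CHAIN)), current_value(mem))
```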

Max89
PostPosted: Wed Oct 22, 2014 6:30 pm

Dark Byte wrote:
The registers shown are the values after the instruction has been executed
mov eax,[eax] will overwrite eax so don't go by the eax value

Ah, I see. Thanks for the hint, this explains the problem here.

Dark Byte wrote:
You did a find what accesses on 9857cfe4
So the base is 9857cfe4-0000000=9857cfe4
So, search for an address that contains that address

I did a search for the new base address (restarted the game, so 9857cfe4 was not correct anymore)
but I did not find anything... (Found: 0)

But the very first scan on the base address showed the Offset '0C'.
Then I got the Pointer and that is where I got the Offset '0' (mov eax,[eax])
So, I still need to do something with the '0C' I think - or not?

Max89
PostPosted: Thu Oct 23, 2014 9:37 am

I just tried to use the Pointer Scanner again:
- threads 8 (Core i7 920, 8 cores)
- max level 7
- max offset 2048

It took 14 minutes to scan for the current address of the value I was looking for.
After that I restarted the game, found my value again and used the Rescan Memory function with the new address.
This time there were still pointers left (36.000).

So I restarted the game again, found my value again and did another Rescan Memory with the new address.
Still 12.000 Pointers found.

Restarted again, value found, rescan: 0 pointers.
I also tried to load up my first Pointer Scan result and checked that one for the current value: 0 pointers.

I don't want to try lvl 8 pointers, because this would take around 40 minutes or more with my CPU setup and I am not sure it would get me
any good pointers in the end...

---

There is one thing I have noticed, though:
The value I am looking for is an Item in the Inventory of the game.

So I tried to look up other items and when I use 'find out what accesses this address'
all the inventory items have the same instruction and the same offset (0C).
I guess I need to find a way to find that instruction or the pointer for it.

I have also looked into the Memory Viewer and saw that the items have
an ID and the amount available in the inventory saved next to each other.
From item to item it is Offset 18 to the next one.

There is also an address next to each item, which leads to 'nop' (if I follow it in memory)
-> this address is the same for all the items
But I also noticed that the place the items are stored in the memory changes
after some time (not only after restart, it seems random too).

Dark Byte (Site Admin)
PostPosted: Thu Oct 23, 2014 11:34 am

sometimes it's the structsize, try 3092

Also, it's an inventory item. Was it the last time in exactly the same position? Did you have any other items in the inventory?

Generally speaking, pointers to inventory items are annoying as they can get influenced by other inventory items, but they can still be useful as they point to a slot

Those offsets you've found are mainly useful if you want to do code injections

Max89
PostPosted: Thu Oct 23, 2014 2:00 pm

Dark Byte wrote:
Also, it's an inventory item. Was it the last time in exactly the same position? Did you have any other items in the inventory ?

No, I have noticed that the items would change positions/order within the inventory itself.
But I did not really care, because I just need to figure out a way to find
the code that decreases the number for each item and then change it.

Dark Byte wrote:
Those offsets you've found are mainly useful if you want to do code injections

That's what I want to do after I have found all my values (items).

---

I just opened the Cheat Engine Tutorial again and tried Step 9 again,
to refresh my memory about the data/struct scan.
Now that I have finished Step 9 again, I am gonna try and do the same
stuff with my Inventory-Items in the game... hope that will work.

(Some items are only available once in the game and freezing them or
changing the number on these items would crash the game... so I have to
find a way to identify these with a structure (hopefully item ID will work here)
and then add this to my Auto Assembler Script.)

Just to make sure:
If I want to check for multiple different (blacklisted) item IDs
with assembler, I need 2 lines each like this:
Code:
cmp [address+offset],<ID1>
je originalcode
cmp [address+offset],<ID2>
je originalcode
...

Or is there a way to compare multiple IDs at once (like a list)?


@Dark Byte: thanks for your help so far - I hope I can get this to work soon.

Dark Byte (Site Admin)
PostPosted: Thu Oct 23, 2014 4:27 pm

You could do a loop through a list of IDs, but you'll have to code that yourself, which can become a bigger headache than the time you save on just doing a simple cmp list.

anyhow, here is an example:

Code:

alloc(list,64) //make sure this is big enough

list:
dd 1234
dd 5678
dd 9abc
//...

alloc(code, 2048)
label(originalcode)
code:
mov eax,[address+offset] //get the value in eax
mov ecx,(int)3 //listsize
mov edi,list //edi must get the address of the list

repne scasd   //check if EAX is in the current list
je originalcode //if it is in the list, jump

//do your stuff here


originalcode:
//original code stuff here

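As an added example (not code from the thread or from Cheat Engine), this Python model ties together the inventory layout Max89 describes (one record every 0x18 bytes, ID and count side by side, the same handler address in every item), the cmp/je ID blacklist from his post, and the repne scasd loop in Dark Byte's script: it parses a constructed inventory block and emulates the scasd membership test, including the ECX=0 edge case. The field order inside a record, the handler address and the sample IDs' counts are assumptions.

```python
import struct

# Added example, not code from the thread or from Cheat Engine. The record layout
# (dword id at +0, dword count at +4, dword handler pointer at +8, padding to 0x18)
# and the handler address are assumptions chosen to match what the thread describes.
ITEM_STRIDE = 0x18                  # "from item to item it is offset 18 to the next one"
HANDLER = 0x00412340                # the one address every item shares (leads to a nop)

def build_inventory(items):
    """Constructed inventory block: one ITEM_STRIDE-byte record per (id, count) pair."""
    buf = bytearray()
    for item_id, count in items:
        buf += struct.pack("<III", item_id, count, HANDLER)
        buf += b"\x00" * (ITEM_STRIDE - 12)
    return bytes(buf)

def parse_inventory(buf):
    """Walk the block the way Cheat Engine's structure dissect shows it: one row per 0x18 bytes."""
    records = []
    for off in range(0, len(buf) - ITEM_STRIDE + 1, ITEM_STRIDE):
        item_id, count, handler = struct.unpack_from("<III", buf, off)
        records.append({"offset": off, "id": item_id, "count": count, "handler": handler})
    return records

def scasd_in_list(eax, id_list):
    """Emulates 'mov ecx,len / mov edi,list / repne scasd / je found' from Dark Byte's script.
    repne scasd compares EAX with [EDI], advances EDI, decrements ECX and stops on a match
    (ZF=1) or when ECX reaches 0. With ECX=0 the instruction does nothing and ZF is stale;
    this emulation treats that case as 'not found', which is what the script needs."""
    ecx, edi, zf = len(id_list), 0, False
    while ecx != 0:
        zf = (eax == id_list[edi])
        edi += 1
        ecx -= 1
        if zf:
            break
    return zf

def patchable_records(buf, blacklist):
    """Records whose ID is not blacklisted, i.e. the ones the injected code may modify;
    the cmp/je chain in the thread jumps to originalcode for every ID in the blacklist."""
    return [r for r in parse_inventory(buf) if not scasd_in_list(r["id"], blacklist)]

# Constructed sample: the three IDs from Dark Byte's list (hex, as the auto assembler
# reads them) plus one ordinary stackable item with ID 0x42.
BLACKLIST = [0x1234, 0x5678, 0x9ABC]
INVENTORY = build_inventory([(0x1234, 1), (0x0042, 12), (0x5678, 1), (0x9ABC, 1)])
```

`patchable_records(INVENTORY, BLACKLIST)` returns only the 0x42 record; the three single-instance IDs are skipped exactly as the cmp/je chain would skip them.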

Max89
PostPosted: Thu Oct 23, 2014 6:26 pm

Thanks for the example, but I agree: using a simple compare for each ID is easier.
Maybe I am gonna need the list in another project.

I just finished my inventory script and it is working fine.
I had to filter out only 5 item IDs with 'cmp' to prevent crashes.
All the other items should cause no problems and are working fine so far.

The data/struct mode of Cheat Engine really made it a lot easier for me
to get all the item IDs ready. Saved me a lot of time!

---

I think this topic can be closed for now, because I got everything working
with AoB (aobscan) instead of pointers. So I just start my script, the aobscan
finds the new address of the assembler code and overwrites the code. Done.


Thank you for your help and the example code.

Max89
PostPosted: Sat Oct 25, 2014 9:19 am

I don't want to make a new topic for this question, so I just post it here to expand my old topic. Still the same game.

Last time I was looking for Inventory Items and managed to use Code Injection on the instruction, which subtracts the amount of items.

This time I was aiming for Health, Armor and other player related things.
I found the player base address and managed to write a script to get that address and use it dynamically in my table.

Could you please look into this script and tell me if this could cause any problems:
Code:
[ENABLE]

// aobscan for the instruction that stores the decreased health
// health offset (to player base address) = C0
aobscan(INJECT,D9 9E C0 00 00 00 E9)
alloc(newmem,64)

label(code)
label(return)
label(_base)

newmem:

code:
registersymbol(_base)

// saving the location of the new memory
_base:
  push eax
  mov eax,esi
  // writing eax (which holds the base address) to newmem+20
  mov [newmem+20],eax
  pop eax

  // original code which stores the decreased health to base+C0
  fstp dword ptr [esi+000000C0]
  jmp return

INJECT:
  jmp code
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db D9 9E C0 00 00 00

unregistersymbol(_base)
unregistersymbol(INJECT)
dealloc(newmem)


I have added the health, armor, etc. to my table like this:
Add new address: [base+20]+<offset>

This works just fine:
1) enable the script
2) take some damage
-> script will store the base address to newmem+20
-> since I used the label '_base' I can access it with [_base+20]
-> and then I just add the Offset for Health, Armor, etc.
3) use the table to set new values to health, armor, etc
4) freeze the values
5) success

I know this way works, because I tested it.
The question is: Is this way "okay" or could I run into an error with this method?
Is there another (easier) way to store the player base address into my '_base' label?

Dark Byte (Site Admin)
PostPosted: Sat Oct 25, 2014 10:23 am

it'll work, but I recommend allocating the write location specifically (in case your script gets bigger than 64 bytes)

there is also no need to use eax. ESI will do just fine.
(and there doesn't seem to be any use for the code label)

e.g:
Code:

[ENABLE]

// aobscan for the instruction that stores the decreased health
// health offset (to player base address) = C0
aobscan(INJECT,D9 9E C0 00 00 00 E9)
alloc(newmem,2048)  //no need to be cheap, it's going to allocate 4KB anyhow and this gives you more room to experiment before having to resize (And ultimately it makes 64KB inaccessible to the target)
alloc(_base,4) //puts _base right after newmem
registersymbol(_base)

label(return)

newmem:
  // saving the location of the new memory
 
  mov [_base],esi // writing esi (which holds the base address) to _base

  // original code which stores the decreased health to base+C0
  fstp dword ptr [esi+000000C0]
  jmp return

INJECT:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db D9 9E C0 00 00 00

unregistersymbol(_base)
unregistersymbol(INJECT)
dealloc(newmem)
dealloc(_base)


Max89
PostPosted: Sat Oct 25, 2014 11:02 am

Ah okay. Very nice - thank you!
I am still experimenting with the script stuff and I did not think about allocating the memory for '_base' like this.

btw: I just used eax (push, pop, etc.) to test how it works. I know I don't need it in this case.
I just forgot to remove this part, before I posted the script here. But thanks for the hint. Smile

Dark Byte wrote:
Code:
alloc(newmem,2048)  //no need to be cheap, it's going to allocate 4KB anyhow

So the size of the allocated memory will always be 4 kb (or more)?
Does that mean, that: 'alloc(_base,4)' will also take more than 4 bytes?
Is this how Cheat Engine allocates memory (4 kb = default) or is it the 'alloc' instruction itself? (I just want to understand why this happens.)

Dark Byte wrote:
(and there doesn't seem to be any use for the code label)

I used the AutoAssembler Template 'AoB Injection' to create this script.
The code label was already there, so I kept it, although I was wondering why I would need it, too.
-> Is there a way to create my own Template for AoB Injection?
-> The current template does add some useful lines at the end and it also includes the aobscan bytes itself, which is nice.
-> But if I could edit this template to create my own, it would be nice to have my comments there in each new script.

Sucks to be a noob at these things. Sometimes I get confused by the little things, because I don't understand <all of it> in the <right context> yet.
But I will get there eventually...


Thanks for helping me out and explaining things. Your help is much appreciated!

Dark Byte (Site Admin)
PostPosted: Sat Oct 25, 2014 12:21 pm

Quote:

So the size of the allocated memory will always be 4 kb (or more)?

Yes

Quote:

Does that mean, that: 'alloc(_base,4)' will also take more than 4 bytes?

No, all alloc's in a single script will get grouped into one alloc, so the above script will want to allocate 2052 bytes. (it still gets 4096 though)

Quote:

Is there a way to create my own Template for AoB Injection?

You can copy/paste a script you use a lot, but I generally go for the basic code injection and update that to aob if I feel like it
