Cheat Engine - The Official Site of Cheat Engine
Max89 (How do I cheat?; Reputation: 0; Joined: 22 Oct 2014; Posts: 9)
Posted: Wed Oct 22, 2014 7:13 am. Post subject: Multilevel Base-Pointer
Hello, my name is Max and I am new to Cheat Engine (v6.4).
I am currently trying to find a (multilevel) base pointer and I am using
the things I have learned in the Cheat Engine Tutorial.exe.
The forum told me that I am not yet allowed to post URLs, so I had to
make a screenshot of my post with all images in it and upload it as an attachment... sorry!
Please look at the screenshot (which is just my post with images) and tell me what I am doing wrong here.
[Attachment: Screenshot of the whole post with images and description. Filesize: 83.14 KB. Viewed: 10153 time(s)]
Max89 (How do I cheat?; Reputation: 0; Joined: 22 Oct 2014; Posts: 9)
Posted: Wed Oct 22, 2014 4:31 pm. Post subject: Problem solved with AoB
Hello again.
I did not manage to solve my problems with pointers, but I have read about Array of Bytes (AoB)
and got it working with an Auto Assemble 'aobscan' script.
If I restart the game now, I just have to execute (checkbox) the script once and
then it shows all my values, since I stored them like this: '_base+offset' (as address).
I still want to know if I did something wrong with the pointers, or if it might be the game itself.
But for now, I got my Cheat Table working.
Dark Byte (Site Admin; Reputation: 457; Joined: 09 May 2003; Posts: 25262; Location: The Netherlands)
Posted: Wed Oct 22, 2014 5:02 pm
The registers shown are the values after the instruction has been executed.
mov eax,[eax] will overwrite eax, so don't go by the eax value.
Anyhow, you don't need to know what eax is, you only need to know the offset. mov eax,[eax] can be rewritten as mov eax,[eax+0000000000000000000000000000000000000000]
So, the offset is 0.
Now that you know the offset, you know the base.
You did a find what accesses on 9857cfe4.
So the base is 9857cfe4-0000000=9857cfe4.
So, search for an address that contains that address.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.
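To make the "base = address - offset, then search for an address that contains that address" rule concrete, here is an added worked example that is not part of the thread and not Cheat Engine's own code. It builds a constructed 32-bit memory image with the layout Max89 describes later in the thread (a static slot pointing at a player object, player+0C pointing at the inventory, the item count read through mov eax,[eax] at offset 0), applies the rule backwards level by level to recover whole pointer chains rooted in a module, and then repeats Max89's "restart the game, rescan with the new address" step to discard a candidate that only matched by coincidence. The module range, all addresses, the 0x0C/0 offsets and the values are made-up labels for illustration; the scanner generalises the page's single two-level case to chains of any depth up to max_level.

```python
"""Added example (not from the thread or Cheat Engine): a toy pointer
scanner and pointer-chain resolver over a constructed 32-bit memory image.
All addresses, structure layouts and values are made up for illustration."""

import struct

PTR_SIZE = 4      # the thread's target is 32-bit (eax/esi are 32-bit registers)
PAGE = 0x1000


class MemoryImage:
    """Stand-in for a process address space: sparse 4 KB pages plus the
    address ranges that belong to modules (and therefore survive a restart)."""

    def __init__(self, static_ranges):
        self.pages = {}
        self.static_ranges = static_ranges

    def _page(self, addr, create=False):
        base = addr & ~(PAGE - 1)
        if base not in self.pages:
            if not create:
                return None
            self.pages[base] = bytearray(PAGE)
        return self.pages[base]

    def write_u32(self, addr, value):
        assert addr % PTR_SIZE == 0, "example only handles aligned dwords"
        off = addr & (PAGE - 1)
        self._page(addr, create=True)[off:off + 4] = struct.pack("<I", value)

    def read_u32(self, addr):
        """Dword at addr, or None when unaligned or unmapped (a dangling pointer)."""
        page = self._page(addr)
        if page is None or addr % PTR_SIZE:
            return None
        off = addr & (PAGE - 1)
        return struct.unpack("<I", page[off:off + 4])[0]

    def is_static(self, addr):
        return any(lo <= addr < hi for lo, hi in self.static_ranges)

    def aligned_addresses(self):
        for base in self.pages:
            for off in range(0, PAGE, PTR_SIZE):
                yield base + off


def resolve(mem, base, offsets):
    """Walk a Cheat Engine pointer entry [[base]+o1]+o2... and return the
    final address, or None if any link of the chain cannot be read."""
    addr = base
    for off in offsets:
        value = mem.read_u32(addr)
        if value is None:
            return None
        addr = value + off
    return addr


def pointer_scan(mem, target, max_level, max_offset):
    """Find every (static_base, offsets) chain that resolves to target.
    Applies the rule backwards: an access at [reg+off] hitting target means
    some dword holds target-off; if that dword lives in a module it is the
    base, otherwise repeat one level up from that dword's own address."""
    holders = {}
    for addr in mem.aligned_addresses():
        holders.setdefault(mem.read_u32(addr), []).append(addr)
    results = []

    def search(wanted, offsets, level):
        for off in range(0, max_offset + 1, PTR_SIZE):
            for holder in holders.get(wanted - off, []):
                chain = [off] + offsets
                if mem.is_static(holder):
                    results.append((holder, chain))
                elif level < max_level:
                    search(holder, chain, level + 1)

    search(target, [], 1)
    return results


def rescan(mem, target, candidates):
    """The 'Rescan memory' step: after a restart, keep only the chains that
    still land on the value's new address."""
    return [(b, o) for b, o in candidates if resolve(mem, b, o) == target]


MODULE = (0x00400000, 0x00410000)   # constructed 'game.exe' image range


def build_image(player_obj, inventory, stale=None):
    """Constructed layout: static slot -> player object, player+0x0C ->
    inventory, item count at inventory+0 (the mov eax,[eax] access).
    Optionally plant a static dword that only coincidentally equals the target."""
    mem = MemoryImage([MODULE])
    mem.write_u32(0x00401234, player_obj)
    mem.write_u32(player_obj + 0x0C, inventory)
    mem.write_u32(inventory, 42)
    if stale is not None:
        mem.write_u32(0x00402000, stale)
    return mem


def demo():
    # run 1: the count sits at 0x0B5F0FE4; a stale static dword also holds it
    run1 = build_image(0x0A3C0020, 0x0B5F0FE4, stale=0x0B5F0FE4)
    found = pointer_scan(run1, 0x0B5F0FE4, max_level=7, max_offset=2048)
    # run 2: game restarted, heap objects moved; rescan with the new address
    run2 = build_image(0x0C7A0100, 0x0D1E0040)
    survivors = rescan(run2, 0x0D1E0040, found)
    return found, survivors


if __name__ == "__main__":
    found, survivors = demo()
    for base, offs in found:
        print("candidate: %08X" % base, ["%X" % o for o in offs])
    for base, offs in survivors:
        print("survives restart: %08X" % base, ["%X" % o for o in offs])
```

The first scan returns two candidates, the real chain game.exe+1234 with offsets [0C, 0] and the coincidental static hit; the rescan after the simulated restart keeps only the real one, which is the same narrowing Max89 saw going from 36.000 to 12.000 to 0 pointers. Note that this toy indexes every dword once and is quadratic in the worst case; a real scanner needs far more care, but the backward-walk logic is the same.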
Max89 (How do I cheat?; Reputation: 0; Joined: 22 Oct 2014; Posts: 9)
Posted: Wed Oct 22, 2014 6:30 pm
Dark Byte wrote:
> The registers shown are the values after the instruction has been executed.
> mov eax,[eax] will overwrite eax, so don't go by the eax value.

Ah, I see. Thanks for the hint - this explains the problem here.

Dark Byte wrote:
> You did a find what accesses on 9857cfe4.
> So the base is 9857cfe4-0000000=9857cfe4.
> So, search for an address that contains that address.

I did a search for the new base address (restarted the game, so 9857cfe4 was not correct anymore)
but I did not find anything... (Found: 0)
But the very first scan on the base address showed the offset '0C'.
Then I got the pointer and that is where I got the offset '0' (mov eax,[eax]).
So, I still need to do something with the '0C' I think - or not?
Max89 (How do I cheat?; Reputation: 0; Joined: 22 Oct 2014; Posts: 9)
Posted: Thu Oct 23, 2014 9:37 am
I just tried to use the Pointer Scanner again:
- threads 8 (Core i7 920, 8 cores)
- max level 7
- max offset 2048
It took 14 minutes to scan for the current address of the value I was looking for.
After that I restarted the game, found my value again and used the Rescan Memory function with the new address.
This time there were still pointers left (36.000).
So I restarted the game again, found my value again and did another Rescan Memory with the new address.
Still 12.000 Pointers found.
restarted again, value found, rescan: 0 pointers
I also tried to load up my first Pointer Scan result and checked that one for the current value: 0 pointers
I don't want to try lvl 8 pointers, because this would take around 40 minutes or more with my CPU setup and I am not sure it would get me any good pointers in the end...
---
There is one thing I have noticed, though:
The value I am looking for is an Item in the Inventory of the game.
So I tried to look up other items and when I use 'find out what accesses this address'
all the inventory items have the same instruction and the same offset (0C).
I guess I need to find a way to find that instruction or the pointer for it.
I have also looked into the Memory Viewer and saw that the items have
an ID and the amount available in the inventory saved next to each other.
From item to item it is offset 18 to the next one.
There is also an address next to each item, which leads to 'nop' (if I follow it in memory)
-> this address is the same for all the items.
But I also noticed that the place the items are stored in memory changes
after some time (not only after restart, seems random too).
Dark Byte (Site Admin; Reputation: 457; Joined: 09 May 2003; Posts: 25262; Location: The Netherlands)
Posted: Thu Oct 23, 2014 11:34 am
sometimes it's the structsize, try 3092
Also, it's an inventory item. Was it the last time in exactly the same position? Did you have any other items in the inventory?
Generally speaking, pointers to inventory items are annoying as they can get influenced by other inventory items, but they can still be useful as they point to a slot
Those offsets you've found are mainly useful if you want to do code injections
Max89 (How do I cheat?; Reputation: 0; Joined: 22 Oct 2014; Posts: 9)
Posted: Thu Oct 23, 2014 2:00 pm
Dark Byte wrote:
> Also, it's an inventory item. Was it the last time in exactly the same position? Did you have any other items in the inventory?

No, I have noticed that the items would change positions/order within the inventory itself.
But I did not really care, because I just need to figure out a way to find
the code that decreases the number for each item and then change it.

Dark Byte wrote:
> Those offsets you've found are mainly useful if you want to do code injections

That's what I want to do after I have found all my values (items).
---
I just opened the Cheat Engine Tutorial again and tried Step 9 again,
to refresh my memory about the data/struct scan.
Now that I have finished Step 9 again, I am gonna try and do the same
stuff with my inventory items in the game... hope that will work.
(Some items are only available once in the game and freezing them or
changing the number on these items would crash the game... so I have to
find a way to identify these with a structure (hopefully the item ID will work here)
and then add this to my Auto Assembler script.)
Just to make sure:
If I want to check for multiple different (blacklisted) item IDs
with assembler, I need 2 lines each like this:
Code:
    cmp [address+offset],<ID1>
    je originalcode
    cmp [address+offset],<ID2>
    je originalcode
    ...
Or is there a way to compare multiple IDs at once (like a list)?
@Dark Byte: thanks for your help so far - I hope I can get this to work soon.
Dark Byte (Site Admin; Reputation: 457; Joined: 09 May 2003; Posts: 25262; Location: The Netherlands)
Posted: Thu Oct 23, 2014 4:27 pm
You could do a loop through a list of IDs, but you'll have to code that yourself, which can become a bigger headache than the time you save on just doing a simple cmp list.
Anyhow, here is an example:
Code:
    alloc(list,64) //make sure this is big enough
    list:
    dd 1234
    dd 5678
    dd 9abc
    //...
    alloc(code, 2048)
    label(originalcode)
    code:
    mov eax,[address+offset] //get the value in eax
    mov ecx,(int)3 //listsize
    mov edi,list //edi must get the address of the list
    repne scasd //check if EAX is in the current list
    je originalcode //if it is in the list, jump
    //do your stuff here
    originalcode:
    //original code stuff here
Max89 (How do I cheat?; Reputation: 0; Joined: 22 Oct 2014; Posts: 9)
Posted: Thu Oct 23, 2014 6:26 pm
Thanks for the example, but I agree: using simple compare for each ID is easier.
Maybe I am gonna need the list in another project.
I just finished my inventory script and it is working fine.
I had to filter out only 5 item IDs with 'cmp' to prevent crashes.
All the other items should cause no problems and are working fine so far.
The data/struct mode of Cheat Engine really made it a lot easier for me,
to get all the item IDs ready. Saved me a lot of time!
---
I think this topic can be closed for now, because I got everything working
with AoB (aobscan) instead of Pointers. So I just start my Script, the aobscan
finds the new address of the assembler code and overwrites the code. Done.
Thank you for your help and the example code.
Max89 (How do I cheat?; Reputation: 0; Joined: 22 Oct 2014; Posts: 9)
Posted: Sat Oct 25, 2014 9:19 am
I don't want to make a new topic for this question, so I just post it here to expand my old topic. Still the same game.
Last time I was looking for Inventory Items and managed to use Code Injection on the instruction, which subtracts the amount of items.
This time I was aiming for Health, Armor and other player related things.
I found the player base address and managed to write a script to get that address and use it dynamically in my table.
Could you please look into this script and tell me if this could cause any problems:
Code:
    [ENABLE]
    // aobscan for the instruction that stores the decreased health
    // health offset (to player base address) = C0
    aobscan(INJECT,D9 9E C0 00 00 00 E9)
    alloc(newmem,64)
    label(code)
    label(return)
    label(_base)
    newmem:
    code:
    registersymbol(_base)
    // saving the location of the new memory
    _base:
    push eax
    mov eax,esi
    // writing eax (which holds the base address) to newmem+20
    mov [newmem+20],eax
    pop eax
    // original code which stores the decreased health to base+C0
    fstp dword ptr [esi+000000C0]
    jmp return
    INJECT:
    jmp code
    nop
    return:
    registersymbol(INJECT)
    [DISABLE]
    INJECT:
    db D9 9E C0 00 00 00
    unregistersymbol(_base)
    unregistersymbol(INJECT)
    dealloc(newmem)
I have added the health, armor, etc. to my table like this:
Add new address: [base+20]+<offset>
This works just fine:
1) enable the script
2) take some damage
-> script will store the base address to newmem+20
-> since I used the label '_base' I can access it with [_base+20]
-> and then I just add the Offset for Health, Armor, etc.
3) use the table to set new values to health, armor, etc
4) freeze the values
5) success
I know this way works, because I tested it.
The question is: Is this way "okay" or could I run into an error with this method?
Is there another (easier) way to store the player base address into my '_base' label?
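The scripts above rely on aobscan(INJECT,D9 9E C0 00 00 00 E9) re-finding the fstp instruction after every restart. The following is an added example, not from the thread and not Cheat Engine's own scanner, showing what such a wildcard array-of-bytes search does: it locates the signature in a constructed code region, finds it again after the code has been shifted, and shows why keeping the trailing E9 (the jmp that follows the store) matters, because a shorter signature can hit a second, unrelated store with the same encoding. The "??" wildcard syntax, the 0x00401000 section address and the filler bytes are assumptions of this example; only the D9 9E C0 00 00 00 E9 pattern comes from the page.

```python
"""Added example (not from the thread or Cheat Engine): a wildcard
array-of-bytes scanner over a constructed code region, showing how an
aobscan-style pattern re-finds an instruction whose address changed."""


def parse_pattern(pattern):
    """'D9 9E ?? 00 00 00 E9' -> [0xD9, 0x9E, None, 0, 0, 0, 0xE9]; '??' is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


def aob_scan(region, pattern, base=0):
    """Return every virtual address in region (bytes) matching pattern.
    base is the address of region[0]. Returning all hits (rather than the
    first) lets the caller verify the signature is unique before patching."""
    pat = parse_pattern(pattern)
    n = len(pat)
    hits = []
    for i in range(len(region) - n + 1):
        if all(p is None or region[i + j] == p for j, p in enumerate(pat)):
            hits.append(base + i)
    return hits


def build_code_region(pad_before):
    """Constructed text section: nop filler, then the thread's instruction
    fstp dword ptr [esi+000000C0] (D9 9E C0 00 00 00) followed by a jmp rel32
    (E9 ...), then int3 padding. pad_before moves the instruction, standing
    in for a different build or load address."""
    nops = bytes([0x90]) * pad_before
    fstp = bytes.fromhex("D99EC0000000")
    jmp = bytes([0xE9]) + (0x10).to_bytes(4, "little")   # jmp +0x10 (constructed)
    return nops + fstp + jmp + bytes([0xCC]) * 16


SIGNATURE = "D9 9E C0 00 00 00 E9"    # the pattern used in the thread's script
TEXT_BASE = 0x00401000                # constructed section address (assumption)


def demo():
    run1 = build_code_region(0x40)
    run2 = build_code_region(0x7C)    # same code, shifted: the script must re-find it
    exact1 = aob_scan(run1, SIGNATURE, TEXT_BASE)
    exact2 = aob_scan(run2, SIGNATURE, TEXT_BASE)
    # Append a second store with the same encoding but a different successor
    # (8B, a mov). Without the trailing E9 the signature now hits twice, so a
    # script that patched its first result could land on the wrong instruction.
    noisy = run1 + bytes.fromhex("D99EC00000008B")
    loose = aob_scan(noisy, "D9 9E C0 00 00 00", TEXT_BASE)
    strict = aob_scan(noisy, SIGNATURE, TEXT_BASE)
    return exact1, exact2, loose, strict


if __name__ == "__main__":
    exact1, exact2, loose, strict = demo()
    print("run 1:", ["%08X" % a for a in exact1])
    print("run 2:", ["%08X" % a for a in exact2])
    print("6-byte signature on noisy region:", ["%08X" % a for a in loose])
    print("7-byte signature on noisy region:", ["%08X" % a for a in strict])
```

The practical check this suggests for any injection script: run the signature over the whole region and confirm exactly one hit before writing the jmp, and extend the pattern (here by one byte of the following instruction) until it is unique.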
Dark Byte (Site Admin; Reputation: 457; Joined: 09 May 2003; Posts: 25262; Location: The Netherlands)
Posted: Sat Oct 25, 2014 10:23 am
it'll work, but I recommend allocating the write location specifically (in case your script gets bigger than 64 bytes)
there is also no need to use eax. ESI will do just fine.
(and there doesn't seem to be any use for the code label)
e.g:
Code:
    [ENABLE]
    // aobscan for the instruction that stores the decreased health
    // health offset (to player base address) = C0
    aobscan(INJECT,D9 9E C0 00 00 00 E9)
    alloc(newmem,2048) //no need to be cheap, it's going to allocate 4KB anyhow and this gives you more room to experiment before having to resize (And ultimately it makes 64KB inaccessible to the target)
    alloc(_base,4) //puts _base right after newmem
    registersymbol(_base)
    label(return)
    newmem:
    // saving the location of the new memory
    mov [_base],esi // writing esi (which holds the base address) to _base
    // original code which stores the decreased health to base+C0
    fstp dword ptr [esi+000000C0]
    jmp return
    INJECT:
    jmp newmem
    nop
    return:
    registersymbol(INJECT)
    [DISABLE]
    INJECT:
    db D9 9E C0 00 00 00
    unregistersymbol(_base)
    unregistersymbol(INJECT)
    dealloc(newmem)
    dealloc(_base)
Max89 (How do I cheat?; Reputation: 0; Joined: 22 Oct 2014; Posts: 9)
Posted: Sat Oct 25, 2014 11:02 am
Ah okay. Very nice - thank you!
I am still experimenting with the script-stuff and I did not think about allocating the memory for '_base' like this.
btw: I just used eax (push, pop, etc.) to test how it works. I know I don't need it in this case.
I just forgot to remove this part, before I posted the script here. But thanks for the hint.
Dark Byte wrote:
> Code:
>     alloc(newmem,2048) //no need to be cheap, it's going to allocate 4KB anyhow

So the size of the allocated memory will always be 4 kb (or more)?
Does that mean that 'alloc(_base,4)' will also take more than 4 bytes?
Is this how Cheat Engine allocates memory (4 kb = default) or is it the 'alloc' instruction itself? (I just want to understand why this happens.)

Dark Byte wrote:
> (and there doesn't seem to be any use for the code label)

I used the AutoAssembler template 'AoB Injection' to create this script.
The code label was already there, so I kept it - although I was wondering why I would need it, too.
-> Is there a way to create my own template for AoB Injection?
-> The current template does add some useful lines at the end and it also includes the aobscan bytes itself, which is nice.
-> But if I could edit this template to create my own, it would be nice to have my comments there in each new script.
Sucks to be a noob at these things. Sometimes I get confused by the little things, because I don't understand <all of it> in the <right context> yet.
But I will get there eventually...
Thanks for helping me out and explaining things. Your help is much appreciated!
Dark Byte (Site Admin; Reputation: 457; Joined: 09 May 2003; Posts: 25262; Location: The Netherlands)
Posted: Sat Oct 25, 2014 12:21 pm
Quote:
> So the size of the allocated memory will always be 4 kb (or more)?

Yes.

Quote:
> Does that mean that 'alloc(_base,4)' will also take more than 4 bytes?

No, all allocs in a single script will get grouped into one alloc, so the above script will want to allocate 2052 bytes. (It still gets 4096 though.)

Quote:
> Is there a way to create my own template for AoB Injection?

You can copy/paste a script you use a lot, but I generally go for the basic code injection and update that to aob if I feel like it.