Cheat Engine

[de donia]

I keep getting this error:
attempt to perform arithmetic on a string value (local 'adr')

[Redouane]

[de donia]

Thanks, that was what I needed.

For my initial test this now works:

[ParkourPenguin]

1 - You can store the addresses in a table if you want.

[de donia]

1. So arrays don't have a fixed size in Lua, that is nice to know.

2. First one didn't really give me usable values, so I've to look at readBytes I guess.


The script is god awful slow though, and I don't think I can async for more than one pattern either.

i. How much quicker do you believe it would be to write a dll in c++ for the pattern scanning, and just inject it instead?
Would the speed benefits be significant if I used something like fdsasdf's method?


I mainly used CE and Lua because it is just a lot quicker for prototyping.

[ParkourPenguin]

That's technically a table, not an array. In Lua, the term "array" by convention refers to a table that is indexed using consecutive positive integers starting at 1.

I don't know what you mean by "usable values." If you're checking whether or not an address stores a particular instruction, any value you read from that address should be usable.

I'd bet the vast majority of the time spent executing that Lua script is spent on the AoB scan. Unless you feel like you can write a better one that still scans through all the memory of a process, you should first try using stricter search settings. Only scan through executable, non-writable, non-CoW memory. Make your AoB signature more unique (especially the first few bytes). If you know it's in a particular region of memory (i.e. a .dll), restrict the search area to that region (use memscan class for that).

[de donia]

I did a little more testing and came across two new issues:

i.

I have this pattern:
"?? ?? ?? 50 00 00 00 ?? 40 00 00 ?? ?? ?? ?? ??"
It will actually look like this:
"?? ?? 24 50 00 00 00 ?? 40 00 00 01 ?? ?? ?? ??"
"?? ?? 25 50 00 00 00 ?? 40 00 00 01 ?? ?? ?? ??"
"?? ?? 27 50 00 00 00 ?? 40 00 00 01 ?? ?? ?? ??"
"?? ?? 29 50 00 00 00 ?? 40 00 00 01 ?? ?? ?? ??"
"?? ?? 29 50 00 00 00 ?? 40 00 00 02 ?? ?? ?? ??"

Is this possible?
"?? ?? 2? 50 00 00 00 ?? 40 00 00 0? ?? ?? ?? ??"
Then maybe use readBytes for 3rd and 12th byte to check if they are 24-29 or 01/02 if it isn't sufficient.


ii.

While I was looking at one of the other addresses that I usually get from the arithmetic I noticed a trend.

If it was a npc it was always this:
004024D8 - 89 86 14000000 - mov [esi+00000014],eax

If it was an object it was always this:
00403204 - 89 86 14000000 - mov [esi+00000014],eax

if it was a player it was always this:
004014F1 - 89 86 14000000 - mov [esi+00000014],eax


As you can see the the first address is always the same for different stuff.
Is there a way to check for this, so I can filter out to only display players?

[ParkourPenguin]

i. Yes, you can search for nibbles.

ii. Why not just search for that instruction instead? It's probably going to be more unique than what you're currently searching for, especially if the instructions around that one are similar.

[de donia]

I am not sure how to do this:

If I aob for:
"89 86 14 00 00 00"
I get like 6 static hits, among them are these:
004024D8
00403204
004014F1
The ones I mentioned earlier.

I am probably doing something wrong, how is this going to help me?

How do I go from that to a value I can use?


(Just to mention there were 27 players in the area when I did that search.)

[ParkourPenguin]

I figured from a previous post your goal was to use that AoB scan to find the instruction that access that address. I think I can see what you're trying to do now.

A much simpler way of doing this would be to hook an instruction that accesses some address in the structure of every character. Pointers to the different characters are probably stored somewhere as well (i.e. in an array). I really would not recommend doing an AoB scan for data. If you do, you should use a much bigger signature than that. This topic might help.

Ignore what I said earlier. In order to see what instructions access that address, you'll need to set a breakpoint there. You can't just magically know what instructions access which addresses.

[de donia]

Yeah, I am trying to get information on players/objects/npcs within my reach.
All the info that is possible, something that obviously includes health, class, gear, and positional data,
basically anything I can get hold of.

My current approach of AoB is dirty, but there is still a road for me to walk when it comes to stuff like this.
I am currently trying to find the path that leads to this road, but trekking in mud is not fast going, and sometimes you get stuck, or lost, and need someone to help you find your bearings again.


Not everything on the map is accessible to me, only what is within my range.
As I move about, I lose sight of some entities, while I gain sight of others.

I have come to believe that what I can see is contained in an array somewhere, but to locate it, and be able to read from it is something I am far away from understanding.
It probably will be my destination, and I hope that some day I can reach it.

[de donia]

Sadly most stuff I come across is meant for a single address, to freeze health, except for one where I found something meant to insta-kill enemies.

I did look at that topic but it was not much for my progress.

What I did find was the use of:
"Find what addresses this instruction accesses"

Above one of my instructions I was able to use it, and it would show one address, that kept getting updated rapidly with the different height values of the enemy.

mov eax,[ebp-08] <<---- this one
mov [esi+308],eax

If I had 10 enemies within reach I would see this number change constantly representing each of the enemies height values, as if it iterated over an array somewhere.


If I used it on the instruction below I would get up a match for every single enemy in reach in the "Changed Addresses"-window.

I am not sure if any of that can be used in any way,
disregarding for a moment that linking them together with the other character data seems complex.

[ParkourPenguin]

I highly doubt mov eax,[ebp-08] accesses some address in the enemies' structures. If you mean mov [esi+308],eax, then esi should be the base address of each of the enemies' structures. Once you have that information, you can do whatever you want with anything you want in the enemies' structures.

[de donia]

I currently find the esi with aobscan, and can usually do what I need with it,
but now I wonder if I can somehow speed the scan up a bit.

You mentioned using memscan to restrict the search area.

Is it possible to get an example of it, where hits get placed in a 'foundlist'?

I ran around a bit ingame and caught these addresses:

[++METHOS]

What was the point of that? Just provide a range.