[HELP]Newbie need help understanding Cheat Engine and Memory
z13swee (Newbie cheater, Reputation: 0, Joined: 12 Mar 2017, Posts: 12)
Posted: Sun Mar 12, 2017 4:19 pm    Post subject: [HELP] Newbie need help understanding Cheat Engine and Memory

Hello, I'm new to this and have run into a problem I can not solve. I have some understanding of programming, but again, I'm pretty new to this.

I'm trying to find the real address of the main player's Health. After reading and doing the tutorial, I have found a pointer that corresponds to the Health in-game. But I cannot change it..

So I read on this forum that maybe it's because it is for the GUI, and not the real one.
I tried doing scans for all data types and only with unchanged/changed arguments. Like 1000 times, and came up with nothing; in the end no address changed when Health changed or vice versa.

And the game can be run offline, so no servers holding the address.
It is a Steam game, something to do with that?

In Memory Viewer, at the address my pointer is pointing to is the correct value for the Health every time I start the game and if I gain Health or take damage.
But I get confused by the Opcode at that address.
For it changes depending on if you have 35 life or 20 or 100. Is the value at that address representing the player's Health, or is it executing that Opcode instruction?


Sorry for the long text and my bad English.



[Attachment: cheat.jpg]


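The scan procedure described in the post above (an "unknown initial value" scan, then repeated changed/decreased value scans), as an added example that is not part of the thread and not Cheat Engine's own code: a C model of the candidate set kept across three snapshots of a region. The region layout, the offsets, the frame counter and the health/armor values are constructed for the example; the only fact taken from the thread is that this game keeps health as a float in 0.0..1.0 while the HUD shows 0..100, which is why an exact scan for the integer 100 finds nothing.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the thread or from Cheat Engine itself.
 * Models the scan loop the original poster describes: snapshot a region,
 * start with every 4-byte-aligned offset as a candidate ("unknown initial
 * value"), then after each in-game event keep only candidates whose value
 * moved the expected way. Candidates are compared as float, because the
 * thread's game keeps health as a float in 0.0..1.0 rather than the integer
 * 0..100 drawn on screen. The region layout is constructed sample data. */

#define REGION_SIZE 64
#define MAX_CANDS   (REGION_SIZE / 4)

enum scan_mode { SCAN_DECREASED, SCAN_INCREASED, SCAN_UNCHANGED };

typedef struct {
    size_t offsets[MAX_CANDS];
    size_t count;
} candidates;

/* Unaligned-safe reads of a 4-byte cell as float or int32. */
static float   read_f32(const uint8_t *mem, size_t off) { float   v; memcpy(&v, mem + off, 4); return v; }
static int32_t read_i32(const uint8_t *mem, size_t off) { int32_t v; memcpy(&v, mem + off, 4); return v; }

/* "Unknown initial value": every aligned cell starts as a candidate. */
void scan_unknown_initial(candidates *c) {
    c->count = 0;
    for (size_t off = 0; off + 4 <= REGION_SIZE; off += 4)
        c->offsets[c->count++] = off;
}

/* "Decreased / increased / unchanged value": filter the candidates by comparing
 * the previous and current snapshot as floats. NaNs (v != v) and absurd
 * magnitudes are dropped so random bytes do not survive as floats. */
void scan_next_f32(candidates *c, const uint8_t *prev, const uint8_t *cur, enum scan_mode mode) {
    size_t kept = 0;
    for (size_t i = 0; i < c->count; i++) {
        size_t off = c->offsets[i];
        float a = read_f32(prev, off), b = read_f32(cur, off);
        if (a != a || b != b || a < -1e6f || a > 1e6f || b < -1e6f || b > 1e6f) continue;
        int keep = (mode == SCAN_DECREASED) ? (b < a)
                 : (mode == SCAN_INCREASED) ? (b > a)
                 :                            (b == a);
        if (keep) c->offsets[kept++] = off;
    }
    c->count = kept;
}

/* "Exact value" scan as int32: the scan a newcomer runs when the HUD says 100. */
size_t count_exact_i32(const uint8_t *mem, int32_t wanted) {
    size_t hits = 0;
    for (size_t off = 0; off + 4 <= REGION_SIZE; off += 4)
        if (read_i32(mem, off) == wanted) hits++;
    return hits;
}

/* Health as the HUD shows it, using the 0.0..1.0 -> 0..100 mapping the OP observed. */
int display_health(const uint8_t *mem, size_t off) {
    return (int)(read_f32(mem, off) * 100.0f + 0.5f);
}

/* Constructed snapshot of a 64-byte region (sample data):
 *   0x00 int32 frame counter, grows every tick
 *   0x08 int32 constant 7
 *   0x10 float health, 1.0 = full
 *   0x18 float armor
 * all other bytes zero. */
static void make_snapshot(uint8_t *mem, int32_t frame, float health, float armor) {
    const int32_t seven = 7;
    memset(mem, 0, REGION_SIZE);
    memcpy(mem + 0x00, &frame,  4);
    memcpy(mem + 0x08, &seven,  4);
    memcpy(mem + 0x10, &health, 4);
    memcpy(mem + 0x18, &armor,  4);
}

/* Three snapshots around two hits, two "decreased value" scans; returns how
 * many candidates survive and, if exactly one does, its offset. */
size_t demo_find_health(size_t *found_off) {
    uint8_t s0[REGION_SIZE], s1[REGION_SIZE], s2[REGION_SIZE];
    make_snapshot(s0, 1000, 1.00f, 0.5f);   /* full health */
    make_snapshot(s1, 1060, 0.75f, 0.5f);   /* took a hit */
    make_snapshot(s2, 1130, 0.50f, 0.5f);   /* took another */

    candidates c;
    scan_unknown_initial(&c);
    scan_next_f32(&c, s0, s1, SCAN_DECREASED);
    scan_next_f32(&c, s1, s2, SCAN_DECREASED);
    if (c.count == 1 && found_off) *found_off = c.offsets[0];
    return c.count;
}

/* Cells equal to the on-screen integer 100 at full health: none, because
 * 1.0f is stored as the bytes 0x3F800000. */
size_t demo_exact_100_hits(void) {
    uint8_t s0[REGION_SIZE];
    make_snapshot(s0, 1000, 1.00f, 0.5f);
    return count_exact_i32(s0, 100);
}

/* What the HUD shows for a stored 0.5f. */
int demo_display_health(void) {
    uint8_t s[REGION_SIZE];
    make_snapshot(s, 1000, 0.5f, 0.5f);
    return display_health(s, 0x10);
}

int main(void) {
    size_t off = 0, n = demo_find_health(&off);
    printf("survivors after two decreased scans: %zu (offset 0x%02zx)\n", n, off);
    printf("cells equal to int 100 at full health: %zu\n", demo_exact_100_hits());
    printf("HUD value for stored 0.5f: %d\n", demo_display_health());
    return 0;
}
```

The frame counter is the important distractor: reinterpreted as a float it is a tiny denormal that grows every tick, so a "decreased" scan discards it, and a scan that had compared int32 values would have kept it as "changed". Running the same loop with an int32 comparison and an exact value of 100 is what the original poster did, and on this layout it returns zero hits.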
pellik (Advanced Cheater, Reputation: 0, Joined: 14 Jun 2013, Posts: 93)
Posted: Sun Mar 12, 2017 8:46 pm

The opcodes are gibberish. That address is storage memory, not program. You need to use the "what writes to this address" feature to see relevant opcodes.
z13swee (Newbie cheater, Reputation: 0, Joined: 12 Mar 2017, Posts: 12)
Posted: Mon Mar 13, 2017 8:11 am

Thank you for your answer. How can one tell if the instruction is gibberish?

So when I choose "Find out what writes to this address F6", I got two options because this is a pointer.

If I choose "Find out what writes this pointer" I get many instructions that write that pointer, as seen in the image below.

If I choose "Find out what writes the address pointed at by this pointer", I only get one instruction. And I can look at the instructions, as seen in the image.
I can not make much sense of the instructions, and if I follow the jump to SSBD.exe+1797A0 you can see the instruction at that jump.

..which I also can't make any useful information of. I feel I'm in too deep and don't know what to do :(



[Attachment: followed.jpg]

[Attachment: writestheadresspointedtobypointer.jpg]

[Attachment: writespointer.jpg - Find out what writes this pointer]


pellik (Advanced Cheater, Reputation: 0, Joined: 14 Jun 2013, Posts: 93)
Posted: Mon Mar 13, 2017 11:53 am

It's gibberish because of those db lines and because the code just doesn't make sense. Also, the reasonably high address space looks like memory, and the hex view has a lot of 00 bytes that look like memory.

The first image you posted with the mov instruction looks like it's what writes to your address. The value is stored in eax when it's written to your address. Earlier in the code it's put there with the movsx command before it's modified. Seeing what that address is when that instruction executes may get you a modifiable address.
z13swee (Newbie cheater, Reputation: 0, Joined: 12 Mar 2017, Posts: 12)
Posted: Mon Mar 13, 2017 6:37 pm

Okay, thank you for answering.

I was trying to figure out the value, or where it gets its value to put in eax, with
movsx eax,word ptr [ebx + 02]

And added a breakpoint on that instruction to see what the ebx register was. But I don't think I understand that instruction very well.

I was looking at the ebx+02 address after I had toggled the breakpoint, but it seems like rubbish, and the ebx value changed every time I toggled the breakpoint.

But I noticed that even if I restarted the game and toggled the breakpoint at movsx, the eax register would always be 5A. Maybe that is something?



[Attachment: ex.jpg - example of ebx+02]

[Attachment: beakpoint.jpg]


gameplayer (Advanced Cheater, Reputation: 2, Joined: 26 Jun 2011, Posts: 97, Location: Vietnam)
Posted: Mon Mar 13, 2017 7:56 pm

From the information above, I think ecx is the health address. You should inject your code at the line SSBD.exe+17A93D and change the value of eax, because it may be the health value. Remember to add some filter conditions to leave out irrelevant addresses, if any. The value of ebx+02 should be a reduced offset.
pellik (Advanced Cheater, Reputation: 0, Joined: 14 Jun 2013, Posts: 93)
Posted: Mon Mar 13, 2017 10:00 pm

He started with the value in ecx at 17A93D, so presumably changing that isn't going to work, because otherwise he would have just set the value in Cheat Engine and been done with it.


Try NOPing the movsx instruction and see what that does to your health. If ebx is always different, then the instruction may be doing something much harder to reverse through. I don't know what's going on in eax at all, but if you think it's always 5a when your health is modified, then make an auto assemble script that checks if eax is 5a and then overwrites the value in ebx+2.
z13swee (Newbie cheater, Reputation: 0, Joined: 12 Mar 2017, Posts: 12)
Posted: Tue Mar 14, 2017 5:35 am

Thanks for the answers. I've done some testing, trying to figure this out. I have started to wonder if this is just a GUI representation of the health. But I really can't find another address that updates when taking damage etc..

Anyway, here is what I have tested.
Changing SSBD.exe+17A93D to an instruction like mov [ecx],000064 crashes the game. I tried with and without padding the 64 value.

When I take "Find out what writes to this address" and get that one instruction, mov [ecx],eax, the counter updates at least every second.. is that a hint that it's just a GUI variable that updates every game cycle?

I tried NOPing movsx eax,word ptr [ebx+02], and that made the position of the GUI elements move to the top left corner and moved the player camera?. And that is maybe a hint that this is just a GUI representation?
I have attached images of what it looks like before and after NOPing.

I also tried injecting code at both movsx eax,word ptr [ebx+02] and mov [ecx],eax. The code crashed the game, and I attached an image of the code.

Also I'm new to this, so my code may not be so great. I used the inject template.



[Attachment: writeto.gif - updating of instruction]

[Attachment: code.jpg - the injected code]

[Attachment: nopmovsx.jpg - after NOP]

[Attachment: movsxorginal.jpg - before NOP]


pellik (Advanced Cheater, Reputation: 0, Joined: 14 Jun 2013, Posts: 93)
Posted: Tue Mar 14, 2017 12:50 pm

Instead of accessing each value in memory separately, your game may use one function that loads values when called. Unfortunately it may not be as easy as eax being 5a.

If you double-click the result in 'what writes to this address', the pop-up has the current state of the registers and (IIRC) a snapshot of the stack. There should be something in there that determines what value is being retrieved.

It's possible that the cmp in your function is causing a problem. Try sticking pushfd and popfd around the cmp/je to be sure you're not breaking things that way.

Also look at the ebx value in the stored state from the what-accesses breakpoint and plug that + 2 into Cheat Engine and see if that value is related to your health.

If nothing works you might have to dig deeper into where that ebx+2 value is being written from when it gets the health value written in, and continue hunting deeper in.
gameplayer (Advanced Cheater, Reputation: 2, Joined: 26 Jun 2011, Posts: 97, Location: Vietnam)
Posted: Tue Mar 14, 2017 7:46 pm

The [ebx+2] value is a reduced offset. You have nothing to do with this offset. The first thing you need to figure out is finding the most stable pointer results. Focus on the pointer results that don't change address while playing the game. Increasing the pointer's level may help in some cases.
Second, the injection point should be at 17A93D, not 17A923. The filter condition could be cmp ecx,<true health address>. The problem is I don't know what the true health address is in that condition. The pointer results may tell you that address, but they must not change while you're playing the game.
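The write site and the filtered hook discussed in the last few posts (movsx eax,word ptr [ebx+02] feeding mov [ecx],eax, with a cmp ecx,<address> in front of the store so only one destination is affected, and pushfd/popfd around the compare), as an added example that is not part of the thread and not an auto assembler script: a C model of the two instructions and of the filter. Registers are a plain struct, the source object and the destination slots are constructed, and no SSBD.exe offset is modelled.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the thread. Models the two instructions the
 * thread is staring at, movsx eax,word ptr [ebx+02] followed by mov [ecx],eax,
 * together with the filtered hook gameplayer suggests injecting in front of
 * the store: compare ecx against the one address you care about and only then
 * replace eax. Registers are a struct, addresses are C pointers, and the
 * objects below are constructed for the example. */

typedef struct {
    uint32_t eax;
    uint8_t *ebx;   /* source object; the value sits at ebx+2 as a signed 16-bit word */
    uint8_t *ecx;   /* destination the game is about to write */
} regs;

/* movsx eax, word ptr [ebx+02]: load the 16-bit word and sign-extend to 32 bits.
 * A small positive field (0x005A) shows up as 0x0000005A in eax, while a
 * negative one (0xFFCE, i.e. -50) becomes 0xFFFFFFCE. */
static void emu_movsx(regs *r) {
    int16_t w;
    memcpy(&w, r->ebx + 2, sizeof w);
    r->eax = (uint32_t)(int32_t)w;
}

/* The injected filter: cmp ecx,filter / jne skip / mov eax,forced / skip:.
 * Every other write through this site passes untouched, which is what keeps
 * the HUD and camera code that shares the function from breaking. In a real
 * auto assembler script the cmp clobbers EFLAGS; pushfd/popfd around it
 * preserves flags the original code may still depend on. */
static void emu_hook(regs *r, const uint8_t *filter, uint32_t forced) {
    if (r->ecx == filter) r->eax = forced;
}

/* mov [ecx],eax */
static void emu_store(regs *r) { memcpy(r->ecx, &r->eax, sizeof r->eax); }

/* Run the write site once for a given source object and destination;
 * returns the value that was stored. */
uint32_t run_write_site(uint8_t *src_obj, uint8_t *dst, const uint8_t *filter, uint32_t forced) {
    regs r = { 0, src_obj, dst };
    emu_movsx(&r);
    emu_hook(&r, filter, forced);
    emu_store(&r);
    return r.eax;
}

/* Helpers for the constructed source object (16-bit field at +2). */
static void     set_word_at_2(uint8_t *obj, int16_t w) { memcpy(obj + 2, &w, sizeof w); }
static uint32_t read_u32(const uint8_t *p) { uint32_t v; memcpy(&v, p, sizeof v); return v; }

/* Scenario 1: the site writes some other slot (a HUD copy) while the filter
 * targets the real health slot. The stored value is the sign-extended field,
 * untouched by the hook. */
uint32_t demo_unfiltered_store(int16_t field) {
    uint8_t obj[8] = {0}, hud[4] = {0}, health[4] = {0};
    set_word_at_2(obj, field);
    run_write_site(obj, hud, health, 100);
    return read_u32(hud);
}

/* Scenario 2: the same site writes the real health slot, so the hook fires
 * and the forced value lands in memory instead of the original field. */
uint32_t demo_filtered_store(int16_t field) {
    uint8_t obj[8] = {0}, health[4] = {0};
    set_word_at_2(obj, field);
    run_write_site(obj, health, health, 100);
    return read_u32(health);
}

int main(void) {
    printf("unfiltered, field 0x5A : 0x%08X\n", demo_unfiltered_store(0x5A));
    printf("unfiltered, field -50  : 0x%08X\n", demo_unfiltered_store(-50));
    printf("filtered,   field -50  : %u\n", demo_filtered_store(-50));
    return 0;
}
```

The model also explains the symptom reported earlier in the thread: writing mov [ecx],000064 unconditionally at the site forces every caller's value, including the ones that position HUD elements and the camera, which is exactly what crashed or scrambled the game. The filter is what turns a shared write site into a targeted one.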
z13swee (Newbie cheater, Reputation: 0, Joined: 12 Mar 2017, Posts: 12)
Posted: Wed Mar 15, 2017 12:33 pm

Thanks for the answers. I have fiddled around a bit more. I tried sticking pushfd and popfd around the cmp/je; it still crashed.

I will show a screenshot of the stack, one picture comparing one stack against a stack after a restart of the game. I can't make much sense of it because I'm in over my head here, but I can see some similarities in those two stacks, maybe something?

And I noticed one thing while searching for the address of the shotgun ammo: it came up with 2 addresses, which both reacted and corresponded to the ammo in-game. The difference was that one I couldn't change, and the other I could change.
So I guess the one I couldn't change was for the GUI value.

The same thing happened when searching for other ammo types, and the same for the "stars" you can collect.

But when searching for the health, only 1 address comes up.. so maybe I haven't found the real one. But if that is the case, I have no idea how to find the real one, because I tried searching by "changed value" and "decreased/increased".. but maybe I missed it anyway?

Anyhow, I have found the pointer to Armor at least; now I'm stuck with that the same way I'm stuck with Health.

I will fiddle a bit more and try the things you guys said, I just wanted to give an update on ongoing progress.



[Attachment: stackcompare.jpg - comparing stack at instruction]


z13swee (Newbie cheater, Reputation: 0, Joined: 12 Mar 2017, Posts: 12)
Posted: Sun Mar 19, 2017 5:27 am

Well, I found the health address at last. But maybe not in the best way.
I had a stable Armor pointer and was looking at the memory area while taking damage etc. And I noticed these 4 bytes and tried changing them. And sure enough, the health changed in game. But it was weird.. when I put like 55 there would be another health in-game. And like 00 FF 00 FF = 0 health.
But given the type of float, it makes sense. But it is a little weird having the health as a float? But maybe that's common in game programming?

So when health is 0.5, the health is 50 in game, and 1.0 means 100 in game.

But I have a question about adding pointers manually. I wanted to copy the Armor pointer and step back in memory so it points to health. So I copied the yellow region in the "add pointer" image from the armor pointer and made a new one, and in the red region I stepped back 4 steps.
But that was not enough, I had to add the purple region to make the address at the top say the address I wanted..

Why did I have to add the purple region?



[Attachment: pointer.jpg - Add pointer image]

[Attachment: healtfloat.jpg - Memory region]


gameplayer (Advanced Cheater, Reputation: 2, Joined: 26 Jun 2011, Posts: 97, Location: Vietnam)
Posted: Sun Mar 19, 2017 8:41 am

The pointer partially says how data is stored in memory. The way that data is stored is actually defined by humans. For some reason, they can not store the whole data for an object in a continuous block of memory. So they store the data in separate blocks of memory, and a base address of one block can be stored inside another block. In this way, the first base address will hold the next base address. Therefore, they form the next level of the pointer. The number of levels of a pointer depends on the complexity of the data structure.
All the purple lines you must add in a pointer show the way they access a specific block of memory.
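The multi-level pointer just described, and the "why did I have to add the purple region" question it answers, as an added example that is not part of the thread and not Cheat Engine's code: a C layout in which a static base holds a pointer to a Player object, the Player holds a pointer to a separate Stats block, and health sits 4 bytes before armor inside Stats. resolve_pointer() walks a Cheat Engine style chain (dereference the base, then each offset but the last, then add the last offset), and the three chains show the armor pointer, the same chain stepped back 4 bytes to reach health, and the chain with the middle level left out. The struct names, field names, offsets and values are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the thread. Lays memory out the way gameplayer
 * describes: a static base in the module holds a pointer to the Player object,
 * the Player holds a pointer to a separate Stats block, and inside Stats the
 * health float sits 4 bytes before the armor float. A Cheat Engine pointer
 * entry for armor is then
 *   [[base] + offsetof(player, st)] + offsetof(stats, armor)
 * and resolve_pointer() walks it the way CE does. All names and values here
 * are constructed for the example. */

typedef struct { float health; float armor; } stats;                   /* separate block */
typedef struct { uint32_t id; uint32_t pad[3]; stats *st; } player;     /* holds a pointer to it */
typedef struct { uint8_t pad[0x40]; player *current; } module_globals;  /* static base, "module+offset" in CE terms */

/* Walk a CE-style pointer chain: read the pointer stored at base, then for each
 * offset but the last read the pointer stored at (addr + offset); finally add
 * the last offset without dereferencing. NULL if the chain is broken. */
void *resolve_pointer(const void *base, const ptrdiff_t *offsets, size_t n) {
    uint8_t *addr;
    memcpy(&addr, base, sizeof addr);                        /* [base] */
    for (size_t i = 0; i + 1 < n; i++) {
        if (!addr) return NULL;
        memcpy(&addr, addr + offsets[i], sizeof addr);       /* [addr + offset_i] */
    }
    if (!addr) return NULL;
    return addr + offsets[n - 1];                            /* final offset, no deref */
}

/* Constructed objects with static storage so resolved pointers stay valid. */
static stats          g_stats;
static player         g_player;
static module_globals g_globals;

void demo_init(void) {
    memset(&g_stats,   0, sizeof g_stats);
    memset(&g_player,  0, sizeof g_player);
    memset(&g_globals, 0, sizeof g_globals);
    g_stats.health    = 0.5f;      /* 50 on the HUD */
    g_stats.armor     = 0.25f;     /* 25 on the HUD */
    g_player.id       = 1;
    g_player.st       = &g_stats;
    g_globals.current = &g_player;
}

/* The three chains from the thread.
 *   0: the armor pointer as the pointer scan found it.
 *   1: the same chain with the last offset stepped back 4 bytes: health.
 *   2: the first attempt, copying only the base and the last offset and
 *      dropping the middle level. That lands inside the Player object, not
 *      inside Stats, so it cannot be the health address. */
const float *demo_resolve(int which) {
    const void *base = &g_globals.current;                   /* the address CE shows as the base */
    ptrdiff_t armor_chain[]  = { offsetof(player, st), offsetof(stats, armor) };
    ptrdiff_t health_chain[] = { offsetof(player, st), offsetof(stats, armor) - 4 };
    ptrdiff_t broken_chain[] = { offsetof(stats, armor) - 4 };
    switch (which) {
    case 0:  return resolve_pointer(base, armor_chain,  2);
    case 1:  return resolve_pointer(base, health_chain, 2);
    default: return resolve_pointer(base, broken_chain, 1);
    }
}

int main(void) {
    demo_init();
    printf("armor  via chain: %.2f\n", *demo_resolve(0));
    printf("health via chain: %.2f\n", *demo_resolve(1));
    printf("without the middle level we land %s\n",
           demo_resolve(2) == demo_resolve(1) ? "on health" : "inside Player, not Stats");
    return 0;
}
```

Each extra level in the CE "add pointer" dialog corresponds to one memcpy in the loop: one read of a pointer stored in the previous block. Dropping a level does not give a nearby wrong address, it gives an address in an entirely different object, which is why the manually copied pointer pointed somewhere useless until the missing level was added.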
z13swee (Newbie cheater, Reputation: 0, Joined: 12 Mar 2017, Posts: 12)
Posted: Mon Mar 20, 2017 7:58 am

Oh, that explains it.

Now I'm on the hunt for the coordinates of the player. I have found what I think is the x and y at many addresses (see picture). But I can't change any of them. Does that mean I haven't found the real address? Or can it be that a coordinate address is non-changeable?

All these addresses were green.

I also was wondering how a teleport hack would work? Can I just find the "real" address and change it? Or is it more complicated because of the way movement is regenerated (input from keyboard, and an algorithm?)



[Attachment: cooardinate.jpg - Many addresses]


Viloresi (Expert Cheater, Reputation: 0, Joined: 02 Feb 2017, Posts: 149)
Posted: Mon Mar 20, 2017 9:32 am

The number of addresses that store the player position depends on the number of coordinates, so if the game is 2D you will have two coordinates, then 2 addresses; to make a teleport hack you just have to change the float value of these...
Btw, the one you have marked, I'm kinda sure it's not a coordinate address due to its value, which may not be a "real float".


Edit: in 2D games sometimes the coordinates x, y refer to the pixels of the screen, so they don't need to be float. But just int.
Page 1 of 2
All times are GMT - 6 Hours