Cheat Engine The Official Site of Cheat Engine
cparty Expert Cheater
Reputation: 0
Joined: 01 Dec 2005 Posts: 219
|
Posted: Mon Nov 06, 2006 1:29 pm Post subject: |
|
|
JONG wrote: | I can understand your pointer mean, may you can tell me more ? |
- click on "add address manually"
- check the "Pointer" checkbox
- press the "Add pointer" button 2 times
- Now paste this into the "Address of pointer" field:
0xA97A7C (you can also use NFSC.exe+697A7C)
- Just to the right in the offset field enter:
d4
- The offset above leave filled with 0
- The topmost offset field fill with 24330
It's btw. the pointer I posted, you can also use the other offsets (for profile/crew name) .. more will follow
 |
SunBeam I post too much
Reputation: 65
Joined: 25 Feb 2005 Posts: 4023 Location: Romania
|
Posted: Mon Nov 06, 2006 2:05 pm Post subject: |
|
|
cparty, I am lazy, and judging from the memory NFSC eats, plus that I have 512 MB RAM, am not gonna let the pointer scanner do its job. It would go sloooowww...
Anyway, I don't think my way is bad, it's actually the easiest way. Store away operation result in a static address, and you're set. The no bust code is ripped from NFS-MW. I used a different code. Plus I think it's calculated based on distance between your car and the cops' cars. Not everything is NOPs you know..
 |
cparty Expert Cheater
Reputation: 0
Joined: 01 Dec 2005 Posts: 219
|
Posted: Mon Nov 06, 2006 2:23 pm Post subject: |
|
|
Zhoul is unable to post right now, so I'll post it for him
Zhoul wrote: | One of the first things we probably need to do is make sure we're all using the same EXE. I tried cparty's mods (NOS, etc.) and they work for me, but I have not tried JONG's just yet.
At any rate, I have posted the crack I'm using here:
http://www.reefermagnets.com/trainers/prog/nfsc/nfsc_collectors_crack_1.2.zip
From what I hear, the game itself is buggy, so we can probably expect to see a patch sometime in the near future. If you folks find a value at a static location, or a pointer to a value, make sure you also capture code that reads/writes from/to the value, so we can easily find these when the next version comes out.
 |
cparty Expert Cheater
Reputation: 0
Joined: 01 Dec 2005 Posts: 219
|
Posted: Mon Nov 06, 2006 2:26 pm Post subject: |
|
|
*edit* I get a 403 error when posting large amounts of text, so I had to split it up
Zhoul wrote: | As for the trainer: After going back and having a fresh look at the core of the trainer, there are many things I'm going to be changing to make it a more general "works for any game through INI config" trainer. Aside from that though, I was able to:
- Launch the NFS-MW trainer
- Re-config the EXE name from a trainer front-end setting
- Connect and use a hack (NOS was my test) via the trainer.
The results are great... I didn't even have to touch any code or re-compile the trainer for it to work (I did have to use a new-found NOS code, obviously).
 |
cparty Expert Cheater
Reputation: 0
Joined: 01 Dec 2005 Posts: 219
|
Posted: Mon Nov 06, 2006 2:27 pm Post subject: |
|
|
Zhoul wrote: | I was going to ask if someone could find the XYZ values, as I'm doing most of the trainer modification while I'm @ work and have no access to the game itself, but JONG already found it! Thanks! I'll confirm the value locations tonight and we should have a working mapper (once again, I don't even have to re-code or re-compile... simply change the addresses to XYZ in the trainer interface).
More on all this later.
p.s. Great to see all you original folks back again.. Cparty, JONG, gnagna2000, and Sunbeam! I'm left with this question though. Why do all these great minds come together over such a game like NFS /snicker
The next project we take on needs to be a game less for the silly masses and more for the intelligent few
- Zhoul
p.p.s.
Sunbeam: The NFS series has been the *EASIEST* engine I've found yet, to find pointers to. Screw a pointer scanner! At some point, I will post a mini-guide on how to find the master pointer for NFS-Carbon. It's so easy in fact, that I could probably hack the master pointer right out of carbon, faster than the pointer scanner/trial/error can. (it's all about reading the assembly in reverse, and finding out how "EAX" became "EAX" per se) |
 |
cparty Expert Cheater
Reputation: 0
Joined: 01 Dec 2005 Posts: 219
|
Posted: Mon Nov 06, 2006 2:56 pm Post subject: |
|
|
*edit* now I get mySQL errors :p
Some more offsets for the base pointer:
Start of carslots:
234
Start of customization slots:
128c
Currently selected career car (the carslot number):
242e8
The carslot is built exactly the same as in MW. First starts with a 4Byte SlotNumber, then comes 4Byte carcode and a 4Byte logocode. This is followed by the 2Byte car-category (stock, career, mycars, bonus, special..) and a 2Byte sub car-category (I think this was always 000F in MW). After that there is the 1Byte customization slot identifier used for this car (FF if not customized) and a 1Byte career slot identifier. The next 2Bytes are 0000 and are just padding (they were CDCD in MW).
 |
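The carslot layout described in the post above, written out as a parser. This is an added example, not code from the thread; little-endian byte order, unsigned fields, the back-to-back 20-byte stride and every sample value are assumptions.

```python
import struct
from typing import List, NamedTuple, Optional

# Field order and widths as described in the post (20 bytes in total).
# Little-endian byte order and unsigned fields are assumptions.
CARSLOT = struct.Struct("<IIIHHBB2s")
NOT_CUSTOMIZED = 0xFF                        # "FF if not customized"
KNOWN_PADDING = (b"\x00\x00", b"\xcd\xcd")   # Carbon, MW

class CarSlot(NamedTuple):
    slot: int
    car_code: int
    logo_code: int
    category: int
    sub_category: int
    custom_slot: Optional[int]   # None when the byte is FF
    career_slot: int
    padding: bytes

def parse_carslot(buf: bytes, offset: int = 0) -> CarSlot:
    """Decode one record; reject truncated or misaligned input."""
    if offset < 0 or offset + CARSLOT.size > len(buf):
        raise ValueError(f"truncated carslot at offset {offset:#x}")
    slot, car, logo, cat, sub, custom, career, pad = CARSLOT.unpack_from(buf, offset)
    if pad not in KNOWN_PADDING:
        # Unexpected padding usually means the offset or stride is wrong.
        raise ValueError(f"unexpected padding {pad.hex()} at offset {offset:#x}")
    custom_slot = None if custom == NOT_CUSTOMIZED else custom
    return CarSlot(slot, car, logo, cat, sub, custom_slot, career, pad)

def parse_table(buf: bytes, count: int) -> List[CarSlot]:
    """Decode `count` back-to-back records (a 20-byte stride is an assumption)."""
    return [parse_carslot(buf, i * CARSLOT.size) for i in range(count)]

# Constructed sample: two records with made-up codes, not real game data.
SAMPLE = (
    CARSLOT.pack(0, 0x1111AAAA, 0x2222BBBB, 1, 0x000F, 0xFF, 0, b"\x00\x00")
    + CARSLOT.pack(1, 0x3333CCCC, 0x4444DDDD, 2, 0x000F, 3, 1, b"\xcd\xcd")
)

if __name__ == "__main__":
    for rec in parse_table(SAMPLE, 2):
        print(rec)
```

The padding check doubles as an alignment test: a record read at the wrong offset will rarely show 0000 or CDCD in its last two bytes.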
gnagna2000 Cheater
Reputation: 0
Joined: 12 Dec 2005 Posts: 32
|
Posted: Mon Nov 06, 2006 5:02 pm Post subject: |
|
|
Car's position I'm using
Code: | X Coordinate: 0x00AAB148
Y Coordinate: 0x00AAB140
Z Coordinate: 0x00AAB144 |
 |
JONG Expert Cheater
Reputation: 0
Joined: 30 Nov 2005 Posts: 130
 |
cparty Expert Cheater
Reputation: 0
Joined: 01 Dec 2005 Posts: 219
|
Posted: Tue Nov 07, 2006 10:59 am Post subject: |
|
|
JONG wrote: | I still can't find any code, you can see the picture on the bottom.
Am I make some wrong ? |
You are using the Chinese version, so the "Address of pointer" is probably different.
 |
JONG Expert Cheater
Reputation: 0
Joined: 30 Nov 2005 Posts: 130
|
Posted: Tue Nov 07, 2006 11:17 am Post subject: |
|
|
cparty wrote: | You are using the Chinese version, so the "Address of pointer" is probably different. |
Thanks cparty.
May you post more info let me find it myself ?
Attachment files is 19+ trainer for English version, hope it can be help.
I find the checkpoint timer info:
00561172 - f3 a5 - repe movsd
The timer accesses this address, but I don't know how to change it.
 |
Zhoul Master Cheater
Reputation: 1
Joined: 19 Sep 2005 Posts: 394
|
Posted: Tue Nov 07, 2006 12:18 pm Post subject: |
|
|
You can take any trainer and figure out how it does what it does, by doing the following process.
- Launch the game
- Get to a point in the game where you can pause the action completely (i.e. hit ESC while in free roam)
- Launch CE and connect to the game
- Do an unknown 4-byte scan (the trainer might change more/less than 4 bytes, but doing a 4 byte scan will show you the general area... you can do a 1-byte scan, but it will make the rest of this process incredibly slow)
- Immediately after your first scan, do another "Unchanged Value" scan. Do this about 4 times to knock out any values that might be timers/etc.
- Once your results stop decreasing, launch the trainer.
- Enable a cheat with the trainer, then do a 'changed value' scan.
At that point, you should have narrowed the results down to the actual change the trainer made. If not...
- Disable the cheat and do a 'changed value' scan.
- Keep enabling/disabling and doing changed value scans until you narrow down to what's changing.
Keep in mind that once you find the 4 bytes that are changing, that it may only be 3 bytes changing. You can simply launch the mem viewer and enable/disable the cheat and watch the changes.
I would help you on this venture, but there might be a flood here in a few hours and I gotta get packin! (no joke!)
- Zhoul
*EDIT*
This method works BEST with assembly/code changes, but not value pokes.
I.e. a trainer might use a pointer path to give 99999999 money. In this case, you will find the location of money, but only that one time.
*EDIT 2*
Make sure you have 'scan read only memory' checked as well.
 |
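Zhoul's scan-narrowing procedure above, run over constructed byte snapshots instead of a live process. This is an added example, not code from the thread; the function names, snapshot contents and code bytes are made up, and all snapshots are assumed to cover the same region.

```python
import struct

def dwords(snap: bytes):
    """View a snapshot as aligned little-endian 4-byte values (the 4-byte scan)."""
    n = len(snap) // 4
    return struct.unpack(f"<{n}I", snap[: n * 4])

def narrow(cands, before, after, changed: bool):
    """One 'changed value' / 'unchanged value' scan over the remaining candidates."""
    b, a = dwords(before), dwords(after)
    return {i for i in cands if (b[i] != a[i]) == changed}

def locate_change(idle, toggles):
    """idle: snapshots taken while paused, before the trainer is started.
    toggles: one snapshot after each enable/disable of the cheat, in order.
    Returns byte offsets of the dwords that changed on every toggle only."""
    cands = set(range(len(dwords(idle[0]))))
    for prev, cur in zip(idle, idle[1:]):
        cands = narrow(cands, prev, cur, changed=False)   # knocks out timers etc.
    prev = idle[-1]
    for cur in toggles:
        cands = narrow(cands, prev, cur, changed=True)
        prev = cur
    return sorted(i * 4 for i in cands)

def changed_bytes(before: bytes, after: bytes, offset: int):
    """Memory-viewer step: which of the 4 bytes at offset actually differ."""
    return [offset + k for k in range(4) if before[offset + k] != after[offset + k]]

# Constructed 16-byte region: timer | code bytes | constant | one-off side effect.
ORIG, PATCHED = b"\x89\x46\x10\xc3", b"\x90\x90\x90\xc3"   # made-up code bytes

def snap(timer, code, side):
    return struct.pack("<I", timer) + code + struct.pack("<II", 7, side)

IDLE = [snap(t, ORIG, 0) for t in (1, 2, 3, 4)]
TOGGLES = [snap(5, PATCHED, 9), snap(6, ORIG, 9), snap(7, PATCHED, 9)]

if __name__ == "__main__":
    print(locate_change(IDLE, TOGGLES[:1]))   # after the first enable only
    print(locate_change(IDLE, TOGGLES))       # after enable/disable/enable
    print(changed_bytes(TOGGLES[1], TOGGLES[2], 4))
```

With a single toggle the one-off side effect at offset 12 is still a candidate; it drops out only on the disable scan, which is why the post says to keep enabling and disabling.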
cparty Expert Cheater
Reputation: 0
Joined: 01 Dec 2005 Posts: 219
|
Posted: Tue Nov 07, 2006 3:40 pm Post subject: |
|
|
Ok, here we go. It's just a straightforward approach to get the pointer. For more about pointers read the pointer tutorials in the pointer section - they are really good.
How to find the money pointer for NFSC:
Note: The addresses will probably differ if you have the Chinese version, just use the addresses you find.
Let's assume you already got the address where your money is stored (found by exact scans, buy, scan, buy, scan...)
It's at address 0E356388.
Now the first step is to use the 'find out what accesses this address' function on that table entry. Go buy something so we can actually capture something: This will get you a couple of results as shown here:
I decide to use the second one, because in the first one EAX (the value we are looking for) is overwritten with the result, and I'm too lazy to set a breakpoint just to find out what EAX was before.
The value of EAX is 0E332058 and the offset is 24330 (take note of the offset, we will need it later).
If this would be a 1-level pointer (only 1 level deep) then we would be finished right now... unfortunately it is not.
Note: See the call to 00572b90 above? It's where our journey is going to take us, so looking at the Assembler code could speed up our search.
So we start a 4Byte scan for the HEX-Value 0E332058. The search returns only 1 result as shown here (lucky day, I usually get hundreds)
Add the address 0A834138 to the table. Now do another 'find out what accesses this address' on the new address, which will get you this:
As you can see ECX is 00000000 so the offset (ECX*4) will be 0 (Take note of offset 0).
Because the offset is 0 we can directly do a 4Byte HEX-Value scan for 0A834138 (this is what EAX was before the above instruction).
You get again 1 result 0A8340EC, add it to the table:
One more time we do a 'find out what accesses this address' on the new address:
ECX is 0A834018 and the offset is d4 (write it down).
Note: As you can see this is just 2 instructions above the last we found. So looking at the Assembler code would have sped up our search. It's the entry point of the call of the instruction just before the first money address access.
Do 4Byte HEX-Value scan for 0A834018 which will give you a couple of results:
As you can see, the topmost one 00A97A7C is displayed in green. This means it is a static address and therefore our search has ended - we found the start of our pointer
Now press the 'add address manually' button, press 'add pointer' 2 times (to get 3 pointer levels) and add the address we just found (the one in green). Then add the offsets we wrote down before:
Sorry if it's all confusing I'm not good at explaining, but maybe the pictures should help.
greets
cparty
 |
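The pointer path from the walkthrough above, replayed over a simulated memory snapshot: a forward resolve plus the backward search the post describes. This is an added example, not code from the thread; the addresses and offsets are the post's, while the snapshot dictionary, the non-static copy, the money value and `MODULE_END` are constructed for illustration.

```python
MODULE_BASE = 0x00A97A7C - 0x697A7C   # from "NFSC.exe+697A7C" in the thread: 0x400000
MODULE_END = 0x00C00000               # assumed end of the image, illustration only

# Constructed 32-bit snapshot (address -> dword) using the values from the post.
MEMORY = {
    0x00A97A7C: 0x0A834018,   # static address (shown green in CE)
    0x0B000010: 0x0A834018,   # constructed non-static copy of the same pointer
    0x0A8340EC: 0x0A834138,   # 0x0A834018 + 0xD4
    0x0A834138: 0x0E332058,   # + 0
    0x0E356388: 5000,         # money (value constructed) at 0x0E332058 + 0x24330
}

def resolve(mem, base, offsets):
    """Forward walk, offsets in CE order starting next to the base address.
    Returns the final address, or None if any link is unreadable."""
    addr = mem.get(base)
    for off in offsets[:-1]:
        if addr is None:
            return None
        addr = mem.get(addr + off)
    return None if addr is None else addr + offsets[-1]

def find_referrers(mem, value):
    """The 4-byte hex scan: every address whose dword equals value."""
    return sorted(a for a, v in mem.items() if v == value)

def is_static(addr):
    return MODULE_BASE <= addr < MODULE_END

def trace_back(mem, target, observed_offsets):
    """Backward walk from the value's address. observed_offsets are the ones read
    from 'find out what accesses this address', in the order they were found.
    Returns (static base, offsets in CE entry order)."""
    addr = target
    for depth, off in enumerate(observed_offsets, 1):
        hits = find_referrers(mem, addr - off)
        static = [h for h in hits if is_static(h)]
        if static:
            return static[0], list(reversed(observed_offsets[:depth]))
        if len(hits) != 1:
            raise LookupError(f"{len(hits)} candidates for {addr - off:#x}")
        addr = hits[0]
    raise LookupError("no static address reached")
```

A base address that does not match the running build makes `resolve` return `None` at the first link, which is the situation cparty points out for a different game version.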
Ike How do I cheat?
Reputation: 0
Joined: 07 Nov 2006 Posts: 5 Location: Denver
|
Posted: Tue Nov 07, 2006 4:18 pm Post subject: |
|
|
I'm not sure if this is especially germane to a CE discussion, but I wonder if anyone here's had their hands on a copy of this trainer* made by the folks at Cheathappens. I absolutely loathe the way they try to tease people into paying for (access to) trainers they're going to release anyway, but surely some kind soul has distributed their copy, probably through channels that probably aren't a welcome topic of discussion here. In any case, since it's free in a week anyway, it's not exactly warez but feel free to kill my post if it's out of place anyway.
In any case, if someone could grab onto this and take it apart it might help speed the assembly of a workable Carbon setup for the esteemed Zhoul's project. I mean, if nothing else, you can look at that "megatrainer" as a laundry list of features that have already been done with some success and use it to shape the development of new/better-implemented options, in the same spirit as the brilliant map warp feature in his MW trainer established it as the ne plus ultra of that game's numerous trainers.
One of the things that's troubling me about CH's current-release trainer is that its "get all unlocks" feature reverts the values after it's out of memory; there doesn't seem to be a way in Carbon to force the unlocks to persist as though earned in-game (like the behaviour in MW).
One last shot before I dump this huge boring post into the mix (sorry!), the Carbon official site mentions that the next Carbon "release" in a week or so will entail the rollout of a pay-real-money-for-"premium"-virtual-crap system, which opens up an incredible can of worms. If, for example, someone distributes these "premiums" as files that ordinarily couldn't be integrated, and CE could be used to devise a method for importing these items successfully, would that be in essence theft? Also, whatever system they're going to use to make this happen gives me hope that we might be able to make our own cars, parts, graphics, &c and kind of slipstream them into the game...
* - Sorry, I can't post URLs; if you go to the cheathappens mainpage, they should still have a big Carbon link on the right, go there, then halfway down center there's a list of items from their boards, click the top item, "+19 MEGA Trainer now available". I'll edit the link back in once I get permission to.
 |
gnagna2000 Cheater
Reputation: 0
Joined: 12 Dec 2005 Posts: 32
|
Posted: Tue Nov 07, 2006 6:13 pm Post subject: |
|
|
JONG already posted the megatrainer lol
and besides, I'm done with NFSCarbon trainer since all I wanted are in there, except the annoying crash with the unlocking feature (if code is not disabled) but it's fine, I won't complain
Last edited by gnagna2000 on Sat Nov 11, 2006 7:18 am; edited 2 times in total |
 |
Ike How do I cheat?
Reputation: 0
Joined: 07 Nov 2006 Posts: 5 Location: Denver
|
Posted: Tue Nov 07, 2006 8:17 pm Post subject: |
|
|
Maybe I'm just really stupid, but I don't see it.
Are we talking about the same trainer?
*edit*
Further, the abovelinked file refuses to work with my retail 1.2 version. Is it crack-dependent somehow?