Cheat Engine

[mcfe]

Are there any special cases where CE cannot find a base pointer to some address?

In this particular game, me and another guy are trying to display some data in-game in multiplayer(not for the purpose of cheating). Like score,kills,deaths etc.

The address of the score and any other data for a player depends on join time, i.e the address changes as soon as someone joins or leaves a game, thus every address for each player's stats is changed.
This friend of mine did a pointer scan and was UNABLE to find the base pointer, whose offsets lead to the new address of the player who joined the match first(and every 40 bytes there is data for the next player).

He said that he was able to find it via retracing a lot of code in OllyDbg, as CE was unable to find a pointer. It was a level 6 pointer.
I myself tried CE as well, I initiated a pointer scan with default settings and got exactly 0 pointers, then I changed the settings by increasing the max offset,the max level and was quickly able to find a lot of pointers to this address, but still, none were retained after a user joins/leaves OR a restart of the game.

So, is it possible at all to find this pointer without retracing code in Olly? I am not familiar much with assembly, and my first try was a couple of hours where I eventually ended with nothing. Is CE even prone to not finding such a pointer?

[Dark Byte]

It'spossible if it's a webbrowser game, if it is, you won't find it (olly won't be of any use either)

Besides that, try higher level pointerscans. Level 5 with structsize of 2048 (default) is often too small for most games. Try a level 7 or 8, and a structsize of 4096 or 8192

Also, instead of pointers try looking for a signature. Perhaps the object you're looking for has a specific vtable pointer

[mcfe]

No, it's a normal PE(Portable Executable) game.

And, yes I did try the higher levels and offsets, and it yields a LOT of pointers. Over a million where I am even forced to stop the scan, but still, neither seem to point to the address after a new match,player join/leave.

[Dark Byte]

Never click the stop button. If you do, the whole pointerscan was a waste of time because it wouldn't have found the correct path yet (I should really change the stop button to automatically delete the results...)

(also, one million is nothing, you can have billions and pointerscan resultfiles that consume over 1 TB of data )

[mcfe]

But the pointer scan results consume a lot of space, and cheat engine itself uses over 1.5 gigs of ram, and has reached well over 2.

[Dark Byte]

I know, it consumes a lot of space, that's why I recommend getting really big harddisks, and/or make a raid with a lot of diskspace and let it run overnight

Or retry your previous pointerscans without clicking stop prematurely

Also, once cheatengine has consumed the ram (the green bar building in the beginning) it won't need more ram, just diskspace from that point on. (1.5GB for the pointerdatabase, and the pointerresults go to disk)

If you know the offsets it should end with you can speed the pointerscanner up with that info

[mgr.inz.Player]

My advises:

- pause game process (for example, borderlands2 when minimized still consumes ~40% CPU)

- use NTFS compression (link) (it will slow down pointerscan process a bit, but PTR files are highly compressible)

[mcfe]

Is there a way to get en estimate of how large the file will be?

I have 30 gigs free if they are enough. And what about the pointer scan itself, how do I know when it might finish?

I was also thinking of a possible feature which allows me to use the PTR file I have as a reference of my progress, so it doesn't scan the same addresses,offsets again and again.

And my other question was not answered. Is it remotely possible that CheatEngine cannot find this address either at all or anytime soon? I have scanned over 90 million pointer paths, but I somehow doubt I will find the base pointer, unless it's guaranteed that CheatEngine will find it.

EDIT:The options I gave to the scanner was 8192 for max offset, and level 6 pointer(since I know it's level 6). 2 threads at low priority.
And what does "Address Specifiers found throughout whole process" mean?

[Dark Byte]

Address Specifiers throughout whole process means the number of pointers that are found.

In the worst case scenario the total number of results will be (totalPointers*(structsize/4))^level

Assuming that the base address is in fact a static address (in a module not listed in commonmodulelist.txt) ce will usually find it if the level and structuresize is big enough

Note though that if it is in a random spot in an array that is enumerated each time instead of indexed you may get a pointer to one player, while next time it points to a different player. (but it will always point to a player. One of the offsets in the path will be usable to enumerate through that list yourself)
One thing you can do is get a path to the currently focused/visible object since those usually have a secondary path that might be easier to follow and this always points to the focused player

And try a level 7

[mcfe]

[Dark Byte]

Yeah, but as i said, worst case scenario. But that only happens if the game exists only out of pointers and no data/empty space

[mcfe]

I was advised to untick the 32-bit address alignment option, but then CE started to use much more RAM than I have.

Is it possible for it to not use that much RAM?

[Dark Byte]

No, you'll have to get more ram then.

But really, why disable the 32-bit address alignment? Is any of the offsets of your friend not dividable by 4 ? Does the game use pointers that aren't aligned ?