Cheat Engine The Official Site of Cheat Engine
KareemOWheat How do I cheat?
Reputation: 0
Joined: 10 Oct 2012 Posts: 5
Posted: Tue Jul 16, 2013 9:12 pm Post subject: EXP Multiplier issues
I'm playing an RPG on ePSXe, and I want to make an experience multiplier for the game since I can't seem to find one on the internet, and grinding exp is boring.
I've found a few topics relating to exp multipliers, but none really take me through the process of how to do it in a way I can understand anyway. I get as far as attempting to inject code, but I have little to no idea what I'm doing there.
Any help with this problem, or even pointing me toward a tutorial, would be greatly appreciated!
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Wed Jul 17, 2013 1:09 am
Since you're using an emulator, code injection will most likely be fairly complicated. Instead I recommend you start by finding a pointer to your xp (or one xp pointer per character if it's a party RPG). Cheat Engine's tutorial (help->cheat engine tutorial) step 6 gives you a good method to find pointers in emulator games (and a bad method for other games).
Once you have a pointer that always works, make a Lua script with a timer that will periodically read your xp, compare it with its previous (stored) value and give you several times the difference.
Look at C:\Program Files (x86)\Cheat Engine 6.3\main.lua for help on some CE Lua functions. You'll probably need readInteger, createTimer, and writeInteger (unless your xp is stored as a float or double).
Edit: still, you're going to use "find out what access/write..." anyway, so could you post an instruction that writes your xp (square brackets [] are on the left side of the comma, if any) along with the information in the bottom pane (EAX=..., EBX=..., etc)? There might be a shortcut.
Also, how many instructions (lines in the upper pane) access your xp (only 2 would be ideal)?
_________________
DO NOT PM me if you want help on making/fixing/using a hack.

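The timer approach Gniarf describes above (poll the xp through a pointer, compare it with the stored value, write back several times the difference), written out as a Cheat Engine Lua script. This is an added example, not code from the thread, from Gniarf, or from Cheat Engine itself. Everything about the pointer is an assumption: XP_POINTER_BASE and XP_POINTER_OFFSETS only follow the guess in the thread ([ePSXe.exe+42AF40 + something*4]+D7DC) and must be replaced with the result of your own pointer scan; the xp is assumed to be a 4-byte integer (swap in readFloat/writeFloat if it is a float), and the property-style timer access (t.Interval, t.OnTimer) needs CE 6.2 or later.

```lua
-- Added example (not from the thread or from Cheat Engine): Lua timer that
-- multiplies xp gains by polling the xp value and rewriting the difference.
-- Assumptions: the pointer path below is a placeholder in the shape of
-- Gniarf's guess, the xp is a 4-byte integer, the target is 32-bit ePSXe.

local XP_FACTOR = 3                          -- each xp gain is multiplied by this
local POLL_INTERVAL_MS = 200                 -- how often the timer fires

local XP_POINTER_BASE = "ePSXe.exe+42AF40"   -- assumption: replace with your scan result
local XP_POINTER_OFFSETS = {0x0, 0xD7DC}     -- assumption: {index*4, D7DC}, see thread

-- Resolve [[base+off1]+off2]+... the way CE's address list does: every offset
-- but the last is dereferenced, the last one is added to the final pointer.
-- Returns nil when the base or any intermediate pointer cannot be read.
local function resolvePointer(base, offsets)
  local ok, addr = pcall(getAddress, base)   -- getAddress raises on unknown symbols
  if not ok or addr == nil then return nil end
  for i = 1, #offsets - 1 do
    local p = readInteger(addr + offsets[i]) -- 32-bit target: pointer fits in 4 bytes
    if p == nil or p == 0 then return nil end
    addr = p
  end
  return addr + offsets[#offsets]
end

local lastXp = nil   -- xp seen on the previous tick (nil = no baseline yet)

-- Called every POLL_INTERVAL_MS. Only an increase counts as a gain; a decrease
-- (loading a save, new game, a counter being zeroed) just resets the baseline
-- so the next increase is measured from the new value instead of being
-- multiplied against a stale one.
local function onXpTick(timer)
  local addr = resolvePointer(XP_POINTER_BASE, XP_POINTER_OFFSETS)
  local xp = addr and readInteger(addr)
  if xp == nil then lastXp = nil; return end  -- not in game or pointer invalid
  if lastXp ~= nil and xp > lastXp then
    local gain = xp - lastXp
    xp = lastXp + gain * XP_FACTOR
    writeInteger(addr, xp)
  end
  lastXp = xp   -- store what is now in memory so the written value is not re-multiplied
end

xpTimer = createTimer(nil)        -- global so the timer outlives this script
xpTimer.Interval = POLL_INTERVAL_MS
xpTimer.OnTimer = onXpTick
xpTimer.Enabled = true

-- Call this (e.g. from the Lua console) to stop the multiplier.
function stopXpMultiplier()
  if xpTimer then
    xpTimer.Enabled = false
    xpTimer.destroy()
    xpTimer = nil
  end
end
```

Because the script only sees the value at each tick, it needs a total-xp address: a "post battle xp" counter that is zeroed and refilled between two polls would be missed or, worse, rewritten after the game has already consumed it. That is the reason the reply above prefers the total xp over the per-battle gain.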
KareemOWheat How do I cheat?
Reputation: 0
Joined: 10 Oct 2012 Posts: 5
Posted: Wed Jul 17, 2013 1:36 pm
I've made a Lua script, and it's serviceable, but not exactly what I was looking for.
As for the instructions that access my exp, I have 11. As for what writes to it, there are only 3.
Edit: Upon further inspection, 4 run when my post battle exp is actually added; however, the counters on all of them are anywhere from 4-1. The other 6 run when zeroing out the exp just before the new value is added, and one appears rapidly increasing on par with the frame rate, so I'm guessing it's being accessed by the screen draw?
As for what is writing to it, only 1 instruction writes, but it appears to run the instruction 4 times.
The instructions that access the post battle exp value:
Run 4 times
Code:
08C05428 - 25 FFFF0000 - and eax,0000FFFF
08C0542D - 8B 0C 8D 40AF8200 - mov ecx,[ecx*4+ePSXe.exe+42AF40]
08C05434 - 89 1C 08 - mov [eax+ecx],ebx <<
08C05437 - 81 E2 FCFF1F00 - and edx,001FFFFC
08C0543D - BB 2070E108 - mov ebx,08E17020
EAX=0000D7DC
EBX=00000000
ECX=009DC020
EDX=8009D7DC
ESI=00510AC0
EDI=0000013F
ESP=0018FAA4
EBP=0018FF84
EIP=08C05437

Run 4 times
Code:
08C8BA4C - 05 20C09400 - add eax,ePSXe.exe+54C020
08C8BA51 - 8D 7F FB - lea edi,[edi-05]
08C8BA54 - 8B 00 - mov eax,[eax] <<
08C8BA56 - EB 05 - jmp 08C8BA5D
08C8BA58 - E8 A397F7FF - call 08C05200
EAX=00000000
EBX=08EB4800
ECX=00A3C020
EDX=00000000
ESI=00510AC0
EDI=00000010
ESP=0018FAA8
EBP=0018FF84
EIP=08C8BA56

Run 3 times
Code:
08C8C64C - 05 20C09400 - add eax,ePSXe.exe+54C020
08C8C651 - 8D 7F FB - lea edi,[edi-05]
08C8C654 - 8B 00 - mov eax,[eax] <<
08C8C656 - EB 05 - jmp 08C8C65D
08C8C658 - E8 A38BF7FF - call 08C05200
EAX=00000028
EBX=09016ED8
ECX=08E17020
EDX=08C8C940
ESI=00510AC0
EDI=0000030A
ESP=0018FAA8
EBP=0018FF84
EIP=08C8C656

Run 1 time
Code:
08C91CE9 - 05 20C09400 - add eax,ePSXe.exe+54C020
08C91CEE - 8D 7F FB - lea edi,[edi-05]
08C91CF1 - 8B 00 - mov eax,[eax] <<
08C91CF3 - EB 05 - jmp 08C91CFA
08C91CF5 - E8 0635F7FF - call 08C05200
EAX=00000028
EBX=09016E88
ECX=08E17020
EDX=08C91DCA
ESI=00510AC0
EDI=000006D1
ESP=0018FAA8
EBP=0018FF84
EIP=08C91CF3

The instructions that write to the post battle exp value:
Code:
08C05428 - 25 FFFF0000 - and eax,0000FFFF
08C0542D - 8B 0C 8D 40AF8200 - mov ecx,[ecx*4+ePSXe.exe+42AF40]
08C05434 - 89 1C 08 - mov [eax+ecx],ebx <<
08C05437 - 81 E2 FCFF1F00 - and edx,001FFFFC
08C0543D - BB 2070E108 - mov ebx,08E17020
EAX=0000D7DC
EBX=00000000
ECX=009DC020
EDX=8009D7DC
ESI=00510AC0
EDI=0000013F
ESP=0018FAA4
EBP=0018FF84
EIP=08C05437
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Wed Jul 17, 2013 2:47 pm
KareemOWheat wrote: "one appears rapidly increasing on par with the frame rate, so I'm guessing it's being accessed by the screen draw?"
At least that's what I think.

KareemOWheat wrote: "Edit: Upon further inspection, 4 run when my post battle exp is actually added, the other 6 run when zeroing out the exp just before the new value is added"
For the Lua script it'd be simpler and more reliable if you could find the total xp instead of the xp gained after each battle.
Do a simple scan for "25 FF FF 00 00 8B 0C 8D ** ** ** ** 89 1C 08 81 E2 FC FF 1F 00 BB 20 70 E1 08", with type=array of bytes and tick "Writable" & "Executable" & "CopyOnWrite" into gray state. If you do not have exactly 1 result, please give me more lines of code (address+bytes+opcodes) around the mov [eax+ecx],ebx that writes your xp.
Otherwise, if you've got exactly one result, you can try the following auto assembler script (not sure it'll work though, backup your saves just in case):
Code:
[ENABLE]
aobscan(WriteOperator,25 FF FF 00 00 8B 0C 8D ** ** ** ** 89 1C 08 81 E2 FC FF 1F 00 BB 20 70 E1 08)
registersymbol(WriteOperator)
alloc(MyMemory,1024)
//code locations
label(WriteOperatorHook)
label(WriteOperatorHook_OriginalCode)
label(WriteOperatorHook_ReturnHere)
//variable
label(XpFactor)
registersymbol(XpFactor)
WriteOperator+F:
jmp WriteOperatorHook
nop
WriteOperatorHook_ReturnHere:
MyMemory:
WriteOperatorHook:
cmp eax,D7DC //D7DC is the offset of the "post battle xp" in ePSXe's variable buffer
jne WriteOperatorHook_OriginalCode //jump if we're not writing the xp
imul ebx,dword [XpFactor] //multiply ebx=new xp by XpFactor
mov dword [eax+ecx],ebx //write the xp
WriteOperatorHook_OriginalCode:
and edx,001FFFFC
jmp WriteOperatorHook_ReturnHere
XpFactor:
dd 2
[DISABLE]
unregistersymbol(WriteOperator)
unregistersymbol(XpFactor)
dealloc(MyMemory)
WriteOperator+F:
and edx,001FFFFC
Then click on "add address manually" and paste "XpFactor" in the address box (leave the type at 4 bytes). You should be able to use this record to tune the battle xp factor.
_________________
DO NOT PM me if you want help on making/fixing/using a hack.

KareemOWheat How do I cheat?
Reputation: 0
Joined: 10 Oct 2012 Posts: 5
Posted: Wed Jul 17, 2013 3:24 pm
Gniarf wrote: "For the Lua script it'd be simpler and more reliable if you could find the total xp instead of the xp gained after each battle."
This is what the Lua script does; the problem is that the particular RPG I'm playing levels up some of the equipment you are using at the time, and I'm not sure exactly how to find the values for their exp, considering your character can have multiple, or no pieces attached at any given time.
Gniarf wrote: "Do a simple scan for "25 FF FF 00 00 8B 0C 8D ** ** ** ** 89 1C 08 81 E2 FC FF 1F 00 BB 20 70 E1 08", with type=array of bytes and tick "Writable" & "Executable" & "CopyOnWrite" into gray state. If you do not have exactly 1 result, please give me more lines of code (address+bytes+opcodes) around the mov [eax+ecx],ebx that writes your xp."
I'm getting exactly no results with that scan, unless I'm doing something wrong, but I've attempted it multiple times.
Here is an expanded sample of the code:
Code:
08C053F5 - 00 00 - add [eax],al
08C053F7 - 00 00 - add [eax],al
08C053F9 - 00 00 - add [eax],al
08C053FB - 00 00 - add [eax],al
08C053FD - 00 00 - add [eax],al
08C053FF - 00 89 C28D7FFB - add [ecx-0480723E],cl
08C05405 - 81 E2 0000C01F - and edx,1FC00000
08C0540B - 81 FA 0000801F - cmp edx,1F800000
08C05411 - 74 62 - je 08C05475
08C05413 - 8B 0D 840A5100 - mov ecx,[ePSXe.exe+110A84]
08C05419 - F7 C1 00000100 - test ecx,10000
08C0541F - 75 53 - jne 08C05474
08C05421 - 8B C8 - mov ecx,eax
08C05423 - 89 C2 - mov edx,eax
08C05425 - C1 E9 10 - shr ecx,10
08C05428 - 25 FFFF0000 - and eax,0000FFFF
08C0542D - 8B 0C 8D 40AF8200 - mov ecx,[ecx*4+ePSXe.exe+42AF40]
08C05434 - 89 1C 08 - mov [eax+ecx],ebx
08C05437 - 81 E2 FCFF1F00 - and edx,001FFFFC : [""Augscht""]
08C0543D - BB 2070E108 - mov ebx,08E17020 : [08C05040]
08C05442 - 03 DA - add ebx,edx
08C05444 - 8B 03 - mov eax,[ebx]
08C05446 - 3D 4050C008 - cmp eax,08C05040 : [178AE850]
08C0544B - 75 01 - jne 08C0544E
08C0544D - C3 - ret
08C0544E - B8 4050C008 - mov eax,08C05040 : [178AE850]
08C05453 - 8B 0C 10 - mov ecx,[eax+edx]
08C05456 - B8 20300A09 - mov eax,090A3020 : [00000000]
08C0545B - 8B 04 10 - mov eax,[eax+edx]
08C0545E - 2B C8 - sub ecx,eax
08C05460 - B8 4050C008 - mov eax,08C05040 : [178AE850]
08C05465 - 89 03 - mov [ebx],eax
08C05467 - 67 E3 0A - jecxz 08C05474
08C0546A - 83 EB 04 - sub ebx,04
08C0546D - 83 E9 04 - sub ecx,04
08C05470 - 3B 03 - cmp eax,[ebx]
08C05472 - 75 F1 - jne 08C05465
08C05474 - C3 - ret
08C05475 - 3D FF0F801F - cmp eax,1F800FFF
08C0547A - 7F 0C - jg 08C05488
08C0547C - 25 FF0F0000 - and eax,00000FFF
08C05481 - 89 98 20C4B400 - mov [eax+ePSXe.exe+74C420],ebx
08C05487 - C3 - ret
08C05488 - 89 7E 90 - mov [esi-70],edi
08C0548B - 53 - push ebx
08C0548C - 50 - push eax
08C0548D - E8 6EA581F7 - call ePSXe.exe+1FA00
08C05492 - 81 C4 08000000 - add esp,00000008
08C05498 - C3 - ret
08C05499 - 00 00 - add [eax],al
08C0549B - 00 00 - add [eax],al
08C0549D - 00 00 - add [eax],al
08C0549F - 00 00 - add [eax],al
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Wed Jul 17, 2013 4:39 pm
KareemOWheat wrote (quoting the scan instructions above): "I'm getting exactly no results with that scan, unless I'm doing something wrong, but I've attempted it multiple times."
I think you're doing something wrong; most likely "Writable" & "Executable" & "CopyOnWrite" were not in the grey state (right clicking on them->"preset: scan all memory" has the same effect).
The thing I asked you to scan for is actually some of the bytes present in your paste (ctrl+F "8B 0C 8D" to see what I mean), so you should at least find those.
Besides, I made a mistake in the byte sequence (aka code signature); it's better to use: "25 FF FF 00 00 8B 0C 8D ** ** ** ** 89 1C 08 81 E2 FC FF 1F 00 BB ** ** ** ** 03 DA 8B 03"
instead of: "25 FF FF 00 00 8B 0C 8D ** ** ** ** 89 1C 08 81 E2 FC FF 1F 00 BB 20 70 E1 08", otherwise it is unlikely to work after restarting the emulator. BUT regardless, you should have been able to find both signatures since they both match your paste.
_________________
DO NOT PM me if you want help on making/fixing/using a hack.

KareemOWheat How do I cheat?
Reputation: 0
Joined: 10 Oct 2012 Posts: 5
Posted: Wed Jul 17, 2013 5:44 pm
You were right about the grey state, I misread what you wrote on that.
My problem now is that when this script is active, my game freezes in battles, and causes some foreground elements to flicker pink while not in battle sequences.
Any idea on what might be causing that?
Thank you for all the help btw.
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Wed Jul 17, 2013 6:40 pm
Ah crap, most likely there are several buffers, so buffer1+offset D7DC is your xp, buffer2+offset D7DC is something else, buffer3+offset D7DC has something to do with rendering... That's why I was reluctant to do an asm patch in an emulator.
Anyway, try to find a pointer to your post battle xp and post it here. Given the code you showed me, its topmost offset will be D7FC or D7DC (probably [ePSXe.exe+42AF40 + IDKWhat*4]+D7DC).
The algorithm of this script will be simple: take the function that writes stuff in the emulator, and if it tries to write over the thing pointed to by your pointer, perform the xp multiplication.
_________________
DO NOT PM me if you want help on making/fixing/using a hack.