Cheat Engine

[Dlve]

The game in question is Virtua tennis 3 and when serving there is a gauge bar which gets filled and then emptied in a rapid pace. If I push the serve button when the gauge bar is full I get a max serve. I would like to make a cheat so I get a max serve all the time.

The approach I've come up with is trying to find a value for the gauge by first searching for unknown initial value when the gauge is completely filled then I've either used value changed or increased and decreased. I have chosen the value type as all and I've compared the results with the first scan when the gauge bar has been full.

I have only been able to find some sort of values which if frozen will kind of show the gauge bar full in flashes or when I pause the game but they don't actually fill the gauge so I would get a max serve.

So umm... what do you reckon I could do?

I was thinking about giving up on this but this keeps bothering me.

[Rydian]

When dealing with non-specific values like gauges, I'd avoid comparing to previous searches since what looks the same on the gauge can be a slightly different number each time (especially if it's a float or double).

Since it seems you can pause the game, I'd suggest leaving the game paused and searched for unchanged addresses a few times. If you can go into some menus while the game is paused (leaving the meter as-is) and then do unchanged while messing around in the options that can filter out a lot of addresses.

Once you do manage to find out the bar's current value, one thing to note is that "freezing" an address with a tool like CE actually just makes CE reset the value to your choice a couple of times a second (configurable in the options). To actually change the game's behavior so that the bar is always full, you could either find the code that writes that value and change it to always write a full value, or change the code that reads it so it always reads as full no matter how full the bar actually is.
http://forum.cheatengine.org/viewtopic.php?p=5510987

[Dlve]

First I want to thank you for taking an interest in helping me.

As you were able to deduce from my post I can pause the game while the gauge is moving and I've been searching for unchanged values even though I didn't say that in the first post. If I can't compare the values to anything there is a problem with that. I'm left with about 800 values. When I compared I was able to narrow it down to about 70 values.

Now I'm not saying that what you suggested is wrong, it's most likely the right and only way to find the correct value but do you have any suggestions what I could do to narrow those values down?

Edit: Never mind, I figured out a way to narrow it down to 43 values.

[Rydian]

Once it's down to an amount that doesn't want to seem to filter down, you can look at the types and values of the addresses at varying points in the bar's fullness to see if they make sense. Chances are a number of the addresses are the same but with a different type (inflating the number of results).

[Dlve]

Alright so I found a value that does seem to have something do do with the gauge because when I freeze it, the same thing happens as described in the first post.

Then I check what accesses this point and get:

00576D5D - D9 58 18 - fstp dword ptr [eax+18]
0041DD3B - F3 0F10 40 18 - movss xmm0,[eax+18]
00576CAF - F3 0F11 51 18 - movss [ecx+18],xmm2

Those don't look too familiar to me. If I wanted to do a script as you suggested what do you think about these instructions?

[Rydian]

Well without experience in the game itself I can only tell you what I would try first only having that info. First check out what value the meter appears to contain when it's full. For this example I'll assume it's 100.

00576D5D - D9 58 18 - fstp dword ptr [eax+18]

For this one, show it in the disassembler and hit CTRL+A when that line is selected. In the new window that comes up, go to Template - Cheat Table Framework Code and then Template - Code Injection (and hit okay on the default).

You should find a copy of "fstp dword ptr [eax+18]" underneath "originalcode:".
Delete it and type this in it's place.

[Dlve]

I tried that and the whole screen went black. Probably because the instruction accesses 8 addresses so I'd need to filter them but there are some issues in that regard as well so I'm gonna try and provide some information. Hopefully someone will be willing to look at them.

From the found addresses I moved all of the addresses to the address list, choosing 8 and 4 byte values over double and float if there were addresses with different types. Then I froze the values one by one and checked if they had any sort of effect on the gauge and you can see what was left in the address list.

Then I check what accesses this point and those instructions access 8 others, but you can see that when I click on "More Information" in that list does not appear to be the address for which I tried to find out what accesses it. At this point I'm already really confused. Since one of those addresses is in my address list I choose to use that in the data dissection.

In the last picture you can see that there isn't offset 18 so that gave me a "what the... ?" moment.

[Rydian]

The auto-guess feature of the structure window is... kinda' crappy really.

Can you use "find what accesses" running when you take the swing to find an instruction that only accesses the bar's value?

[Dlve]

[Dlve]

Hello, in case you've been reading this thread you will know that I've been shooting in the dark but I've figured some things out with dissecting data.
I was able to create a script which does not create any problems except it does not do exactly what I need it to do.

The gauge bar is full at first but as the serve goes on the gauge suddenly becomes empty and then the gauge works as it normally does. I'd like it to stay full.

Here is the script:

[Rydian]

I don't have the game myself so I can't see how things work to give any further advice.

[Dlve]

I see.

Can somebody at least tell me why is it that when I search for other accessed addresses, the address I initially found is not in the list? Is it just because the maximum amount in the list is 8 or is there a deeper meaning to it?

[++METHOS]

Keep the debugger window open for a while. The initial instruction may only show up when the address is being written to, or during some other event.

[Dlve]

I meant the address list that opens up when I choose an instruction and click more information.

Edit: If possible I'd like to know the answer to the question above but I also need a more experienced opinion to a different subject.

I've been wasting time trying to look for the correct value or address that would keep the gauge full and I found a way to do that but it seems that the code injection I made only modifies the display and not the gauge in reality. Long story short, there is a value which changes from 0 to 105 (at full gauge 100 to 105) even when my code injection is enabled. Because the serve speed changes at full gauge a little bit it must have something to do with that. Using data dissection I've seen that the mentioned value is displayed in multiple addresses.

Using code injection I was able to change it so that one of the addresses was always 102 but the other addresses still worked normally. Would it be possible to change the values of all those addresses to 102 somehow simply without having to go through them all and seeing what is accessing them? Or do you rather think this is a lost cause?

[++METHOS]

Visual vs. actual usually means wrong address. The exception usually being online, server-sided games.