Cheat Engine The Official Site of Cheat Engine
Bosparan Cheater
Reputation: 1
Joined: 30 Apr 2015 Posts: 36
Posted: Thu Apr 30, 2015 2:23 am Post subject: Hacking Bunny Black - Pointer Issues
Hi Guys,
I've just (very) recently started trying my luck with Cheat Engine and I've hit a snag. After running my head into a wall for a couple of days I got smart and decided to ask for help (thus this post).
Objective I'm trying to reach:
Edit Character Stats of the main character.
Attempt 1: Static values
Finding the stats was trivial, changing them worked reliably. Only problem: They don't persist, meaning I'd have to write the table again after next start.
However: The structure of the stats is static (So "CurrentStrength" is always 4 bytes after "CurrentHealth" etc.).
Hm, why? Doing a search turned up a simple answer:
"Don't skip the tutorial" - a good answer as it turns out. Moving on to ...
Attempt 2: Pointers - Manually
The tutorial on Pointers and Multi-Pointers (6 and 8 I believe) was great - managed to clear both without undue difficulties.
Applying this to Bunny.exe turns out to be somewhat more problematical though:
"The values of the pointer needed"-Results weren't stored anywhere.
I tried the other addresses stored in memory that were highlighted, with no greater result.
Attempt 3: Pointers - Scanning for Pointers
The scanning for Pointers option was more fruitful, giving a bounty of potential pointers.
Only downside: None of those pointers persisted through a game restart.
Damn.
Attempt 4: Assembling a pointer
When all pointers fail, that left me with trying to do this the Assembler way. Maybe I could simply get the game to tell me where the character stats are when it changes them?
So I searched on how to do this, and found these two helpful posts:
forum.cheatengine.org/viewtopic.php?t=570083
Rydian's Guide To Basic AOBs And Scripts
forum.cheatengine.org/viewtopic.php?t=573548&sid=228562f444bcb5485ec432f80aa42025
Gniarf's reply in "Static addresses and pointers question aimed at Gurus"
(Sorry, can't post urls yet)
So what I have is the exact location where the values are processed, it's always in the same space. Then I know the name of the variable that - only while executing this code apparently - holds the information I want (The starting address of character stats).
Now my idea was that if I replaced that code with my own code (that does the exact same thing as the original), I could somehow write that address to a separate location and use that location as pointer.
To do this I imagine I'd simply use mov to write the address to a different slot in memory and that's my pointer.
Problem: How do I determine the slot to use?
Scratching things together from these two posts I got this far, but have absolutely no idea on where to store the data:
Code:
{ Game : Bunny.exe
Version:
Date : 2015-04-30
Author : Bosparan
This script does blah blah blah
}
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
//Store ecx in dedicated pointer
mov edx,[ecx]
add [eax],edx
mov edx,[ecx+04]
add [eax+04],edx
mov edx,[ecx+08]
add [eax+08],edx
mov edx,[ecx+0C]
add [eax+0C],edx
mov edx,[ecx+10]
add [eax+10],edx
mov edx,[ecx+14]
add [eax+14],edx
mov edx,[ecx+18]
add [eax+18],edx
mov edx,[ecx+1C]
add [eax+1C],edx
mov edx,[ecx+20]
add [eax+20],edx
originalcode:
mov edx,[ecx]
add [eax],edx
mov edx,[ecx+04]
add [eax+04],edx
mov edx,[ecx+08]
add [eax+08],edx
mov edx,[ecx+0C]
add [eax+0C],edx
mov edx,[ecx+10]
add [eax+10],edx
mov edx,[ecx+14]
add [eax+14],edx
mov edx,[ecx+18]
add [eax+18],edx
mov edx,[ecx+1C]
add [eax+1C],edx
mov edx,[ecx+20]
add [eax+20],edx
exit:
jmp returnhere
"Bunny.exe"+32400:
jmp newmem
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
returnhere:
aobscanmodule(StatPointer,Bunny.exe,8B 11 01 10 8B 51 04 01 50 04 8B 51 08 01 50 08 8B 51 0C 01 50 0C 8B 51 10 01 50 10 8B 51 14 01 50 14 8B 51 18 01 50 18 8B 51 1C 01 50 1C 8B 51 20 01 50 20) // should be unique
alloc(newmem1,$1000)
label(code1)
label(return1)
newmem1:
code1:
mov edx,[ecx]
add [eax],edx
mov edx,[ecx+04]
add [eax+04],edx
mov edx,[ecx+08]
add [eax+08],edx
mov edx,[ecx+0C]
add [eax+0C],edx
mov edx,[ecx+10]
add [eax+10],edx
mov edx,[ecx+14]
add [eax+14],edx
mov edx,[ecx+18]
add [eax+18],edx
mov edx,[ecx+1C]
add [eax+1C],edx
mov edx,[ecx+20]
add [eax+20],edx
jmp return1
StatPointer+02:
jmp code1
nop
nop
return1:
registersymbol(StatPointer)
[DISABLE]
StatPointer+02:
db 8B 11 01 10 8B 51 04 01 50 04 8B 51 08 01 50 08 8B 51 0C 01 50 0C 8B 51 10 01 50 10 8B 51 14 01 50 14 8B 51 18 01 50 18 8B 51 1C 01 50 1C 8B 51 20 01 50 20
unregistersymbol(StatPointer)
dealloc(newmem1)
{
// ORIGINAL CODE - INJECTION POINT: "Bunny.exe"+32400
"Bunny.exe"+323F6: C3 - ret
"Bunny.exe"+323F7: CC - int 3
"Bunny.exe"+323F8: CC - int 3
"Bunny.exe"+323F9: CC - int 3
"Bunny.exe"+323FA: CC - int 3
"Bunny.exe"+323FB: CC - int 3
"Bunny.exe"+323FC: CC - int 3
"Bunny.exe"+323FD: CC - int 3
"Bunny.exe"+323FE: CC - int 3
"Bunny.exe"+323FF: CC - int 3
// ---------- INJECTING HERE ----------
"Bunny.exe"+32400: 8B 11 - mov edx,[ecx]
"Bunny.exe"+32402: 01 10 - add [eax],edx
"Bunny.exe"+32404: 8B 51 04 - mov edx,[ecx+04]
"Bunny.exe"+32407: 01 50 04 - add [eax+04],edx
"Bunny.exe"+3240A: 8B 51 08 - mov edx,[ecx+08]
"Bunny.exe"+3240D: 01 50 08 - add [eax+08],edx
"Bunny.exe"+32410: 8B 51 0C - mov edx,[ecx+0C]
"Bunny.exe"+32413: 01 50 0C - add [eax+0C],edx
"Bunny.exe"+32416: 8B 51 10 - mov edx,[ecx+10]
"Bunny.exe"+32419: 01 50 10 - add [eax+10],edx
"Bunny.exe"+3241C: 8B 51 14 - mov edx,[ecx+14]
"Bunny.exe"+3241F: 01 50 14 - add [eax+14],edx
"Bunny.exe"+32422: 8B 51 18 - mov edx,[ecx+18]
"Bunny.exe"+32425: 01 50 18 - add [eax+18],edx
"Bunny.exe"+32428: 8B 51 1C - mov edx,[ecx+1C]
"Bunny.exe"+3242B: 01 50 1C - add [eax+1C],edx
"Bunny.exe"+3242E: 8B 51 20 - mov edx,[ecx+20]
"Bunny.exe"+32431: 01 50 20 - add [eax+20],edx
// ---------- DONE INJECTING ----------
}
Cheers and thanks for any insights,
Bosparan
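The byte signature in the aobscanmodule line of the post above can be checked offline. This is an added example, not part of the original post and not Cheat Engine code: it scans a constructed buffer that reproduces the bytes listed under "ORIGINAL CODE", compares the full signature with a short wildcard pattern, and decodes the displacements into the struct offsets the routine touches. The buffer layout, the function names and the Python re-implementation of the scan are assumptions of this example.

```python
import re

# Signature copied from the aobscanmodule line in the post above.
SIG = ("8B 11 01 10 8B 51 04 01 50 04 8B 51 08 01 50 08 8B 51 0C 01 50 0C "
       "8B 51 10 01 50 10 8B 51 14 01 50 14 8B 51 18 01 50 18 8B 51 1C 01 50 1C "
       "8B 51 20 01 50 20")
LOOSE = "8B 51 ?? 01 50 ??"   # one mov/add pair with wildcard displacements

# Constructed buffer (not a dump of the game): 6 filler bytes, the ret/int3
# padding shown before the injection point, the routine at offset 16, a ret.
IMAGE = bytes(6) + bytes.fromhex("C3" + "CC" * 9) + bytes.fromhex(SIG) + b"\xC3"

def aob_scan(image, pattern):
    """Return every offset where pattern matches; '??' matches any byte."""
    body = b"".join(b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
                    for tok in pattern.split())
    # Lookahead makes each match zero-width, so overlapping hits are reported.
    return [m.start() for m in re.finditer(b"(?=" + body + b")", image, re.DOTALL)]

def unique_offset(image, pattern):
    """Enforce the script's '// should be unique' assumption."""
    hits = aob_scan(image, pattern)
    if len(hits) != 1:
        raise ValueError(f"signature matched {len(hits)} times, expected 1")
    return hits[0]

def field_offsets(code):
    """Decode mov edx,[ecx+d] / add [eax+d],edx pairs into the offsets d."""
    offs, i = [], 0
    while i < len(code):
        if code[i:i + 4] == b"\x8B\x11\x01\x10":           # d = 0 form
            offs.append(0)
            i += 4
        elif (code[i:i + 2] == b"\x8B\x51" and code[i + 3:i + 5] == b"\x01\x50"
              and code[i + 2:i + 3] == code[i + 5:i + 6]):
            offs.append(code[i + 2])                       # 8-bit displacement
            i += 6
        else:
            break                                          # not part of the run
    return offs

if __name__ == "__main__":
    start = unique_offset(IMAGE, SIG)
    print(hex(start), len(aob_scan(IMAGE, LOOSE)), field_offsets(IMAGE[start:]))
```

The short pattern matches eight times inside this one routine while the full 52-byte signature matches once, and the decoded offsets 0x00 to 0x20 are nine consecutive 4-byte fields, consistent with the fixed stat layout described in Attempt 1.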
Rydian Grandmaster Cheater Supreme
Reputation: 31
Joined: 17 Sep 2012 Posts: 1358
Posted: Thu Apr 30, 2015 2:45 am Post subject:
http://forum.cheatengine.org/viewtopic.php?t=572465
Follow the instructions there to narrow down the results for the scan (by specifying the offset for one value) and also increase the depth and max offset.
And if that doesn't work the game might not have native pointers, so you can use the AOB to data technique.
Rissorr Master Cheater
Reputation: 3
Joined: 17 Sep 2013 Posts: 273 Location: Israel!
Posted: Thu Apr 30, 2015 9:30 am Post subject:
You can try to fetch the value from code that accesses it.
For example:
Code:
12345678 - mov [ecx+10],eax
is the code that writes to your HP.
Now make a script:
Code:
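alloc(mem,1024)
registersymbol(baseHP) //DECLARE YOUR VARIABLE
alloc(baseHP,4) //MAKE SOME SPACE FOR IT
label(mainCode)
label(originalCode)
label(return)
mem:
mainCode:
mov [baseHP],ecx //SAVE BASE ADDRESS OF YOUR HP FOR FURTHER USE
jmp originalCode
originalCode:
mov [ecx+10],eax
jmp return
address: //placeholder for the address of the instruction above (12345678 in the example)
jmp mainCode //this jmp is 5 bytes, the original mov is 3: any other overwritten instructions also belong in originalCode
return: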
And then in the address list:
1. add manual address
2. pointer
3. pointer base -> baseHP
4. offset -> 10
5. Done!!
Bosparan Cheater
Reputation: 1
Joined: 30 Apr 2015 Posts: 36
Posted: Thu Apr 30, 2015 8:07 pm Post subject:
Hi Guys,
thanks a lot for the help!
Rydian:
The guide was massively helpful with understanding good practices. Unfortunately it didn't work out for my case. Regular AOB Scanning didn't do the trick either (there are massively repetitive structures for all the other minions you can have and the space above is fairly random (the reason why addresses keep shifting, probably)). That said, I'll probably get to use the skills I earned down the road, so I'm fairly happy with the time spent.
DogeMan:
Awesome, thanks for showing me how to write down some information (should have figured that out on my own - after all, how else do we create the memory space to put in the changes to the code?).
The only real addition I had to make is that, since this code is fairly repetitive, I had to add an if/else clause, so it's only written the first time. Nothing a judicious use of Google on cheatengine.org couldn't help me with ^^
Sooo ... I got this to work like a charm, thanks again for the help. I'll use my Cheat Table for a bit to add some features and iron out any bugs I might encounter, then I'll upload it for the benefit of the community.
Cheers,
Bosparan
lol_Red How do I cheat?
Reputation: 0
Joined: 27 Jul 2012 Posts: 4
Posted: Sat May 02, 2015 6:16 am Post subject:
Were u able to get this script to work? If so plz share it, thank u in advance.
Bosparan Cheater
Reputation: 1
Joined: 30 Apr 2015 Posts: 36
Posted: Sat May 02, 2015 2:38 pm Post subject:
I've tested it a bit (and added some more cheats to it). You can find it here:
forum.cheatengine.org/viewtopic.php?p=5591889#5591889
daanish.0250 How do I cheat?
Reputation: 0
Joined: 22 Mar 2020 Posts: 1
Posted: Sun Mar 22, 2020 9:27 am Post subject: Bunny Black 2 Cheat Table
Hi,
I tried going on the link you posted for your Bunny Black 2 Cheat Table (forum.cheatengine.org/viewtopic.php?p=5591889#5591889) but it doesn't work. Can you please repost it or send the file to me?
Thanks!