I've got this ASM code, not my language, tiny help?

 
thethiny
Posted: Thu Aug 06, 2015 8:15 pm    Post subject: I've got this ASM code, not my language, tiny help?

So I ran an API monitor to track file loads, and I was able to make my hack using the tool. However, I want to convert that hack to Cheat Engine, so I ran pointer checks and found none, even at levels as high as 20 with 8192 maximum; still nothing. So I used the address I found in API Monitor for the loaded file and tracked what writes to it, and found this:
i.imgur. com/SYBf2cL.png
The game goes as follows:
-Write the Character Package Loaded into this address.
-Load the Package.
-Move over to the next Costume then Display it.

In API Monitor, I was able to replace "Assets\Character" with "Mods\Character" to load the characters from a different folder under a different name. But in Cheat Engine, I don't know how to do that using ASM; also, using breakpoints crashes the game rather than actually breaking.

Any help please?


In case anyone is wondering, this is a 64-bit app, Mortal Kombat X.
akumakuja28
Posted: Fri Aug 07, 2015 4:22 pm

I'm a little unclear what you're asking.
A pointer is an address in the game code that tracks a random(ish) memory location start.

Basically you have MKX.exe and in its code it has a line of code that says I'm writing all my memory PERTAINING to character load here: 123456789. That is the address you need to search for, not the address of the code you found.

From that base address of 12345678, you add an offset to your pointer entry to modify the value you need.

After looking at your picture I would probably start with the RCX value of the bottom picture. Also you probably want to look for string data if you are loading DATA from a different hard disk LOCATION. That is easily modified with a text entry and is unlikely to require a POINTER.
thethiny
Posted: Sat Aug 08, 2015 2:25 am

What I'm trying to do is replace the string with a different one. I can do that using CE and it works fine; my problem is finding the pointer, or I mean the base address, so that it works whenever I restart the game instead of rescanning. Since that wouldn't work, I just want to make a script that replaces \Assets with \MODS for example every time it finds a custom string. Besides, I don't know what RCX and this stuff mean, so I don't understand what's in my picture at all.
akumakuja28
Posted: Sun Aug 09, 2015 9:40 pm

Ok, so there are a couple of options you have here.

Find your code then click browse this memory region.

Find another value in the memory editor that's blinking red, that is very close to and ABOVE your CODE/string/text, and find out what accesses that address. In the new window click on the more information button. In the middle of the screen it will say the pointer for this is probably 46373???????.

Write that value down somewhere and then go back to the ACCESS window, click the same opcode and click the button on the right that says show in disassembler. You will now have the opcode location for that memory sector.
DO NOT CLOSE THE DISASSEMBLER.
Right click on the opcode and select what writes/accesses or something along those lines; you now have a new window, add one of those addresses to your cheat list.

Go to your cheat list and right click / find pointer on the address you just added. Type the value that you wrote down. And scan.

If you get no results try the same PROCESS over in a different memory location.

33. Now that you have pointer results. Restart your game and close all the access windows except memory editor and pointer scan; do not close memory editor, do not close memory editor. Open the game and get to the same place in the game where you scanned for your code. Right click on the SAME opcode in the memory editor and click what accesses/writes to it. You will get a new window; add that code and right click and click browse memory location. Look for YOUR text string in the bottom window.

If you found it, awesome, you're on the right track.
If not, start at step one. BLOWS.

Now right click and find what accesses the code you just added, find that same opcode in the new window that matches your memory browser and click the more information button to the right. Write down that middle address again.

Go back to your pointer scan window and select the last drop menu option and click rescan. Type the new address that you just wrote down in there. Now rescan and repeat from step 33.

After a while you will get to a reasonable amount of pointers. Add a dozen or so to your list and double check which ones give a dynamic memory start value every time.

Then when you're satisfied with a certain pointer, right click on that pointer's VALUE and GOTO the memory editor bottom window and go to that VALUE, which is an address. Now find out what the starting address of your CODE is and write it down. Type the value you wrote down in your Windows calc in hex mode and minus the pointer VALUE. That's your offset. Now copy and paste the pointer in question and double click the address, press the add offset button and type in the value from your calculator.

Congratulations, you made a pointer.
thethiny
Posted: Mon Aug 10, 2015 12:35 am

Well, thanks but that didn't work, there is no blinking red anywhere :\
ulysse31
Posted: Mon Aug 10, 2015 2:45 am

Hey

Since you said you can manually edit it in CE I am guessing the variable is read every time.
So why don't you "find out what accesses the variable" that you replace, see how many opcodes read it, and find the opcode that is really determining the loaded file.
Once that is done, you hook this opcode either to load the same file all the time (but your file now) or to take that information from another memory location (a code cave for example) where you can always store the file you want loaded.
You can code a .exe that writes into the program memory and hooks the string reading function.
thethiny
Posted: Mon Aug 10, 2015 5:49 am

ulysse3131 wrote:
Hey

Since you said you can manually edit it in CE I am guessing the variable is read every time.
So why don't you "find out what accesses the variable" that you replace, see how many opcodes read it, and find the opcode that is really determining the loaded file.
Once that is done, you hook this opcode either to load the same file all the time (but your file now) or to take that information from another memory location (a code cave for example) where you can always store the file you want loaded.
You can code a .exe that writes into the program memory and hooks the string reading function.


Exactly, but I don't know how to do any of that unfortunately. I do know that the code is indeed read every time and I do know its value at any given instance. Would you be kind enough to tell me how that's done? Maybe a chat or something if possible?
ulysse31
Posted: Mon Aug 10, 2015 6:19 am

You need to:
1) Right click your string variable and "find out what accesses".

2) You will probably see several codes (if you see only one it's the easiest possibility but unlikely) and there are chances the variable is being read then rewritten with the same value (if that is the case you will see 2 or more codes).
So here you need to determine which is the code that is reading your variable (it will be a code that is something like mov register,[register+xx]
with register being one of eax ebx ecx etc... and xx being in a 00 to FF range).
The brackets must be on the right side of the opcode, i.e. they must affect the right operand; that means your value is being read (it's important you understand that).

3) Now you use the tool of Cheat Engine in the memory window and you scan for a code cave. Any code cave will do, you choose one and you write the address on paper, you will need it later.


4) Once you have determined that code you click follow in disassembler, you click on the opcode line and you press Ctrl+A then Ctrl+I. Ctrl+A opens the assemble window and Ctrl+I is a great time-saving tool that basically makes inserting code that much easier (Thank you Dark Byte, you are brilliant).
There you replace the existing code that is pre-inserted by Ctrl+I, you will find it at "originalcode:".
Remember "mov register,[register+xx]"?
You replace the register+xx in the brackets by the memory cave address you chose. Now you simply edit the memory code cave address and it's the value that will be read.

I should have mentioned that concerning "mov register,[register+xx]" it is unlikely yet possible that you see a memory address in the brackets, something like mov register,[02435678]; if that is the case you replace the 8 digits by your code cave address.

It is possible that modifying the game's code makes your game crash after 1 or 2 minutes if the game has protections; if that is the case do not worry, there are easy ways around this.

You can add my Skype if you need quicker info: Atlhe0 (the last character is the digit 0)
thethiny
Posted: Mon Aug 10, 2015 6:30 am

ulysse3131 wrote:
You need to:
1) Right click your string variable and "find out what accesses".

2) You will probably see several codes (if you see only one it's the easiest possibility but unlikely) and there are chances the variable is being read then rewritten with the same value (if that is the case you will see 2 or more codes).
So here you need to determine which is the code that is reading your variable (it will be a code that is something like mov register,[register+xx]
with register being one of eax ebx ecx etc... and xx being in a 00 to FF range).
The brackets must be on the right side of the opcode, i.e. they must affect the right operand; that means your value is being read (it's important you understand that).

3) Now you use the tool of Cheat Engine in the memory window and you scan for a code cave. Any code cave will do, you choose one and you write the address on paper, you will need it later.


4) Once you have determined that code you click follow in disassembler, you click on the opcode line and you press Ctrl+A then Ctrl+I. Ctrl+A opens the assemble window and Ctrl+I is a great time-saving tool that basically makes inserting code that much easier (Thank you Dark Byte, you are brilliant).
There you replace the existing code that is pre-inserted by Ctrl+I, you will find it at "originalcode:".
Remember "mov register,[register+xx]"?
You replace the register+xx in the brackets by the memory cave address you chose. Now you simply edit the memory code cave address and it's the value that will be read.

I should have mentioned that concerning "mov register,[register+xx]" it is unlikely yet possible that you see a memory address in the brackets, something like mov register,[02435678]; if that is the case you replace the 8 digits by your code cave address.

It is possible that modifying the game's code makes your game crash after 1 or 2 minutes if the game has protections; if that is the case do not worry, there are easy ways around this.

You can add my Skype if you need quicker info: Atlhe0 (the last character is the digit 0)


I've found these opcodes:
Code:
7FF7CB95E3D4 - 0F29 42 80  - movaps [rdx-80],xmm0
7FF7CB95E3DC - 0F29 4A 90  - movaps [rdx-70],xmm1
7FF7CB8EB890 - 0F28 02  - movaps xmm0,[rdx]
7FF7CB8EB893 - 0F28 4A 10  - movaps xmm1,[rdx+10]
7FFF0A16C89C - 49 8B C8  - mov rcx,r8
7FFF0A167251 - 41 88 03  - mov [r11],al
7FFF0A16726A - 41 88 1B  - mov [r11],bl
7FFF0A166950 - 66 41 0F74 00  - pcmpeqb xmm0,[r8]
7FFF0A16695E - 66 41 0F74 08  - pcmpeqb xmm1,[r8]
7FFF0A16697B - 66 41 0F74 08  - pcmpeqb xmm1,[r8]
7FFF0A166980 - 66 41 0F74 00  - pcmpeqb xmm0,[r8]
7FFF0A166997 - 44 38 12  - cmp [rdx],r10l
7FFF0A166AAE - 41 0FBE 01  - movsx eax,byte ptr [r9]
7FFF0A166AB8 - 41 80 39 00 - cmp byte ptr [r9],00
7FFF0A166AD4 - 40 73 0D - jae 7FFF0A166AE4
7FFF0A166AE3 - 40 74 BB - je 7FFF0A166AA1
7FFF18FFB7D3 - 80 39 00 - cmp byte ptr [rcx],00
7FFF18FFC1CC - 8A 04 0A   - mov al,[rdx+rcx]
7FFF18FFC1DC - 66 8B 04 0A   - mov ax,[rdx+rcx]
7FFF18FFC1F0 - 8B 04 0A   - mov eax,[rdx+rcx]
7FFF18FFC20F - 48 8B 04 0A   - mov rax,[rdx+rcx]
7FFF18FFC230 - 8A 04 0A   - mov al,[rdx+rcx]
7FFF1F210B86 - 44 38 04 02   - cmp [rdx+rax],r8l
7FFF1F21390E - 41 0FB6 41 17  - movzx eax,byte ptr [r9+17]
7FFF1F21391C - 41 0FB6 41 16  - movzx eax,byte ptr [r9+16]
7FFF1F21392A - 41 0FB6 41 15  - movzx eax,byte ptr [r9+15]
7FFF1F213938 - 41 0FB6 41 14  - movzx eax,byte ptr [r9+14]
7FFF1F213946 - 41 0FB6 41 13  - movzx eax,byte ptr [r9+13]
7FFF1F213954 - 41 0FB6 41 12  - movzx eax,byte ptr [r9+12]
7FFF1F213962 - 41 0FB6 41 11  - movzx eax,byte ptr [r9+11]
7FFF1F213970 - 41 0FB6 41 10  - movzx eax,byte ptr [r9+10]
7FFF1F21397E - 41 0FB6 41 0F  - movzx eax,byte ptr [r9+0F]
7FFF1F21398C - 41 0FB6 41 0E  - movzx eax,byte ptr [r9+0E]
7FFF1F21399A - 41 0FB6 41 0D  - movzx eax,byte ptr [r9+0D]
7FFF1F2139A8 - 41 0FB6 41 0C  - movzx eax,byte ptr [r9+0C]
7FFF1F2139B6 - 41 0FB6 41 0B  - movzx eax,byte ptr [r9+0B]
7FFF1F2139C4 - 41 0FB6 41 0A  - movzx eax,byte ptr [r9+0A]
7FFF1F2139D2 - 41 0FB6 41 09  - movzx eax,byte ptr [r9+09]
7FFF1F2139E0 - 41 0FB6 41 08  - movzx eax,byte ptr [r9+08]
7FFF1F2139EE - 41 0FB6 41 07  - movzx eax,byte ptr [r9+07]
7FFF1F2139FC - 41 0FB6 41 06  - movzx eax,byte ptr [r9+06]
7FFF1F213A0A - 41 0FB6 41 05  - movzx eax,byte ptr [r9+05]
7FFF1F213A18 - 41 0FB6 41 04  - movzx eax,byte ptr [r9+04]
7FFF1F213A26 - 41 0FB6 41 03  - movzx eax,byte ptr [r9+03]
7FFF1F213A34 - 41 0FB6 41 02  - movzx eax,byte ptr [r9+02]
7FFF1F213A42 - 41 0FB6 41 01  - movzx eax,byte ptr [r9+01]
7FFF1F213868 - 41 0FB6 01  - movzx eax,byte ptr [r9]

I've narrowed down the results to only mov:
Code:
7FFF0A16C89C - 49 8B C8  - mov rcx,r8
7FFF0A167251 - 41 88 03  - mov [r11],al
7FFF0A16726A - 41 88 1B  - mov [r11],bl
7FFF18FFC1CC - 8A 04 0A   - mov al,[rdx+rcx]
7FFF18FFC1DC - 66 8B 04 0A   - mov ax,[rdx+rcx]
7FFF18FFC1F0 - 8B 04 0A   - mov eax,[rdx+rcx]
7FFF18FFC20F - 48 8B 04 0A   - mov rax,[rdx+rcx]
7FFF18FFC230 - 8A 04 0A   - mov al,[rdx+rcx]

Then again, I've checked whether any of them direct me to 0x000000fe6c64d8c0 (which is my address that has the value) and found that only this:
Code:
7FFF0A167251 - 41 88 03  - mov [r11],al
does that, and I'm unsure if what I'm doing is correct or not.
I'll add you on Skype, my username is thethiny (Ridhwan)


Also I've found these code caves with 28 bytes free:
Code:
7FFE0043
7FFE036B
7FFE0406
7FFE0602
ulysse31
Posted: Mon Aug 10, 2015 7:11 am

This is quite a lot of opcodes.
A good thing to do to narrow them down:
Say your file is being read when you press that button. Click "find out what accesses" on your variable like before, let it run a few minutes, then click the button and check if you see new opcodes and also which previous opcodes got their execute timer increased.
Because the right opcode will be one of these.

Your narrowed-down values are invalid. I am not sure how you narrowed them down, but you've kept writing values (which we don't care about and should exclude straight away) and you have eliminated movzx and stuff that isn't "mov".
Any instruction that is part of the mov family is valid, that includes movzx and so on; what you can exclude is the instructions with brackets on the left operand (which you kept in your narrowed-down values) because these are writing the file.

So, a first narrow-down could look like this:
Code:

7FF7CB8EB890 - 0F28 02  - movaps xmm0,[rdx]
7FF7CB8EB893 - 0F28 4A 10  - movaps xmm1,[rdx+10]
7FFF0A166AAE - 41 0FBE 01  - movsx eax,byte ptr [r9]
7FFF18FFC1CC - 8A 04 0A   - mov al,[rdx+rcx]
7FFF18FFC1DC - 66 8B 04 0A   - mov ax,[rdx+rcx]
7FFF18FFC1F0 - 8B 04 0A   - mov eax,[rdx+rcx]
7FFF18FFC20F - 48 8B 04 0A   - mov rax,[rdx+rcx]
7FFF18FFC230 - 8A 04 0A   - mov al,[rdx+rcx]
7FFF1F21390E - 41 0FB6 41 17  - movzx eax,byte ptr [r9+17]
7FFF1F21391C - 41 0FB6 41 16  - movzx eax,byte ptr [r9+16]
7FFF1F21392A - 41 0FB6 41 15  - movzx eax,byte ptr [r9+15]
7FFF1F213938 - 41 0FB6 41 14  - movzx eax,byte ptr [r9+14]
7FFF1F213946 - 41 0FB6 41 13  - movzx eax,byte ptr [r9+13]
7FFF1F213954 - 41 0FB6 41 12  - movzx eax,byte ptr [r9+12]
7FFF1F213962 - 41 0FB6 41 11  - movzx eax,byte ptr [r9+11]
7FFF1F213970 - 41 0FB6 41 10  - movzx eax,byte ptr [r9+10]
7FFF1F21397E - 41 0FB6 41 0F  - movzx eax,byte ptr [r9+0F]
7FFF1F21398C - 41 0FB6 41 0E  - movzx eax,byte ptr [r9+0E]
7FFF1F21399A - 41 0FB6 41 0D  - movzx eax,byte ptr [r9+0D]
7FFF1F2139A8 - 41 0FB6 41 0C  - movzx eax,byte ptr [r9+0C]
7FFF1F2139B6 - 41 0FB6 41 0B  - movzx eax,byte ptr [r9+0B]
7FFF1F2139C4 - 41 0FB6 41 0A  - movzx eax,byte ptr [r9+0A]
7FFF1F2139D2 - 41 0FB6 41 09  - movzx eax,byte ptr [r9+09]
7FFF1F2139E0 - 41 0FB6 41 08  - movzx eax,byte ptr [r9+08]
7FFF1F2139EE - 41 0FB6 41 07  - movzx eax,byte ptr [r9+07]
7FFF1F2139FC - 41 0FB6 41 06  - movzx eax,byte ptr [r9+06]
7FFF1F213A0A - 41 0FB6 41 05  - movzx eax,byte ptr [r9+05]
7FFF1F213A18 - 41 0FB6 41 04  - movzx eax,byte ptr [r9+04]
7FFF1F213A26 - 41 0FB6 41 03  - movzx eax,byte ptr [r9+03]
7FFF1F213A34 - 41 0FB6 41 02  - movzx eax,byte ptr [r9+02]
7FFF1F213A42 - 41 0FB6 41 01  - movzx eax,byte ptr [r9+01]
7FFF1F213868 - 41 0FB6 01  - movzx eax,byte ptr [r9]


Now, notice all the brackets on the right?
That being said, there are many opcodes, and stuff like compares and so on complicate things (mostly I am afraid your game will crash if those opcodes don't see the same values, which will happen if you don't reroute all the instructions).

So from here, what to do next is: in all the narrowed-down instructions you replace what is in the brackets by a code cave address that points to your string, and you see if this works; if it does, it's good.


Another possibility is that you take a simple code such as this one:
"7FFF18FFC1F0 - 8B 04 0A - mov eax,[rdx+rcx] "
you hook it (Ctrl+A then Ctrl+I) and in the newmem section you write something like this:

lea rax,[rdx+rcx]          // lea needs a register destination; rax is free here because the original mov eax,[rdx+rcx] overwrites it right after
mov [CODECAVEADDRESS],rax

What this does is write into your code cave the value that is the address that you want to write.
You could see this method as a pointer finder, except it does so by hooking the function.
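The narrowing-down rule from the post above (mov family only, brackets on the right operand), applied mechanically to the listing format CE prints, as an added example that is not code from the thread or from Cheat Engine. It also groups the kept reads by base register, which makes a run such as r9+00..r9+17 visible as one routine walking the string byte by byte rather than two dozen separate candidates; the embedded listing is a constructed subset of the entries posted earlier in the thread.

```python
"""Triage a Cheat Engine "find out what accesses" listing by ulysse31's rule:
keep mov-family instructions whose [memory] operand is on the RIGHT (the
string is read); drop writes, register-only moves and cmp/jcc entries."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the entries posted in the thread, in CE's
# "ADDRESS - OPCODE BYTES - MNEMONIC OPERANDS" form.
SAMPLE_LISTING = """
7FF7CB8EB890 - 0F28 02  - movaps xmm0,[rdx]
7FFF0A16C89C - 49 8B C8  - mov rcx,r8
7FFF0A167251 - 41 88 03  - mov [r11],al
7FFF0A166950 - 66 41 0F74 00  - pcmpeqb xmm0,[r8]
7FFF0A166AAE - 41 0FBE 01  - movsx eax,byte ptr [r9]
7FFF0A166AD4 - 40 73 0D - jae 7FFF0A166AE4
7FFF18FFC1CC - 8A 04 0A   - mov al,[rdx+rcx]
7FFF1F21390E - 41 0FB6 41 17  - movzx eax,byte ptr [r9+17]
7FFF1F213868 - 41 0FB6 01  - movzx eax,byte ptr [r9]
"""
# base register, optional "+index" register, optional signed hex displacement
MEM_RE = re.compile(r"^([a-z0-9]+(?:\+[a-z][a-z0-9]*)?)([+-][0-9a-f]+)?$")


@dataclass
class Access:
    addr: int
    mnemonic: str
    dst: str
    src: Optional[str]  # None for one-operand instructions such as jae

    def is_string_read(self) -> bool:
        """mov family (mov, movzx, movsx, movaps, ...) with [...] only as source."""
        return (self.mnemonic.startswith("mov") and self.src is not None
                and "[" in self.src and "[" not in self.dst)

    def memory_expr(self) -> str:
        # text between the brackets of the source operand, e.g. 'r9+17'
        return self.src[self.src.index("[") + 1:self.src.index("]")].lower()


def parse_line(line: str) -> Optional[Access]:
    parts = [p.strip() for p in line.split(" - ", 2)]
    if len(parts) != 3:
        return None  # blank line or not a CE entry
    mnemonic, _, operands = parts[2].partition(" ")
    ops = [o.strip() for o in operands.split(",")]
    return Access(int(parts[0], 16), mnemonic.lower(), ops[0],
                  ops[1] if len(ops) > 1 else None)


def triage(listing: str) -> list:
    """Entries worth a closer look: the string is read by a mov-family instruction."""
    parsed = (parse_line(ln) for ln in listing.splitlines())
    return [a for a in parsed if a is not None and a.is_string_read()]


def reads_by_base(listing: str) -> dict:
    """Kept reads grouped by base expression -> sorted displacements. A run of
    small displacements off one base (r9+00..r9+17 in the thread) is a single
    routine walking the string byte by byte, not two dozen separate candidates."""
    groups = defaultdict(list)
    for a in triage(listing):
        base, disp = MEM_RE.match(a.memory_expr()).groups()
        groups[base].append(int(disp, 16) if disp else 0)
    return {b: sorted(d) for b, d in groups.items()}
```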
thethiny
Posted: Mon Aug 10, 2015 7:21 am

I will try that now, but I've found out that the 4 Code Caves are actually read-only, so this means that there are absolutely no usable Code Caves :\