Cheat Engine

GetPushPop · How do I cheat? Reputation: 0 Joined: 15 Jun 2016 Posts: 6

This is my first exposure to CE or memory scanning. I've spent several frustrating hours trying to find a value associated with displaying the HUD in Shadow Of Mordor during normal gameplay. (I know, I know, I'm two years late to that party...)

I've noticed that by default the "All" scan type does not include byte or 2-byte types. Can anyone tell me why this is the case? Are these types so uncommon?

I managed to locate a variable (and create a corresponding script) which keeps the chosen "photo mode instagram filter" active during normal play. Which is pretty neat, and gave me hope that disabling the HUD is possible.

I found that value very quickly by scanning for a byte-type, which made me think other related toggles would be easy to locate. I've since spent several hours disproving that optimistic theory.

I don't really know what I'm looking for / at. I'm seeing some 0/1 toggles, but also 0/256's and 0/65,535's - doesn't that seem like they're using the wrong value type for boolean values?

What I'm after has got to be a bool or state enum or integer (the numeric concept, not necessarily the value type). However, I've spent a solid hour with each scan type, and still haven't found a value that affects whether the HUD is displayed.

Does anyone have a suggestion as to what value type I'd be looking for, or alternate methods of achieving the desired result, or am I really stuck filtering through 2 billion records for 45 fruitless minutes at a time?

My sincere thanks for any insight,

atom0s · Posted: Thu Jun 16, 2016 2:26 am Post subject:

Not all games have an option to turn off the entire hud or even separate elements. Therefore finding a 0/1 to toggle it is not always the case. In some cases, you will have to find where the game is causing it to be drawn and kill the draw calls for it instead. Some games make this easy with a single call to draw the whole hud, while others draw different elements at different stages.

GetPushPop · How do I cheat? Reputation: 0 Joined: 15 Jun 2016 Posts: 6

Rats. I was afraid it might be more complicated than I'd like. Thanks for the rapid response!

I didn't just look for on/off until the results were in the thousands and wouldn't filter further.

I was looking for changed values based on whether the normal gameplay UI was being displayed, but the most exhaustive scans still had 1000+ candidates.

I couldn't narrow it any further without assuming one state or another was a zero.

Does this mean this might be a fruitless endeavor? Any suggestions on an alternate approach?

Many thanks,

atom0s · Posted: Thu Jun 16, 2016 3:27 pm Post subject:

Dig into the game to see if there is a developer console that offers the ability to toggle the UI. If so you could make use of that to do it.

Search for strings that are displayed on the UI, something that is visible every frame that possibly has a changing value. Something like:
Health: 99

You could look for something like:
Health: %d

Trace back to how that is called and you can sometimes find the entire hud rendering function.

++METHOS · Posted: Thu Jun 16, 2016 7:05 pm Post subject:

I'd start with a boolean and work up from there. Try 1 for on and 0 for off. If you can access certain points in the game (such as a shop for buying items, or a game menu etc.) where the hud is not showing, you can use that for your searches. Just be sure that any game menu isn't just an overlay (i.e. the hud is still showing, but it's hidden behind something). If 0/1 bool doesn't work, try changed/unchanged. If that doesn't work, there are other methods that are more time consuming and difficult, depending.

Tip: Try searching for float type. (3f800000 hex for on and 0 for off).

GetPushPop · How do I cheat? Reputation: 0 Joined: 15 Jun 2016 Posts: 6

Ah, some new tricks to try out. This is great, thank you both for your time!

@atom0s - Finding the function that makes the draw call in such a roundabout way is rather sneaky. Seems like a long shot, but it's worth a try. Hunting for a single boolean certainly hasn't worked.

@METHOS - My best efforts to narrow this down to a single bool left me with 1000+ candidates, and I was only vaguely confident of my searches in the first place. I never did search for a float though, so I'll give that a try.

Now let's share a moment of silence for the bygone era where PC games weren't half-assed ports, didn't actively discourage modders, and actually exposed their consoles...

++METHOS · Posted: Fri Jun 17, 2016 12:05 am Post subject:

1000 results is negligible. Add them all to your list and change 100 or so at a time to 0. If none of them work, use Ctrl+Z to undo the change and remove them for your list. Move on to the next 100 or so.

GetPushPop · How do I cheat? Reputation: 0 Joined: 15 Jun 2016 Posts: 6

Aye, sadly I've done so a few times without success. Eventually CTD'd during each attempt.

Which wouldn't be so bad, but scanning takes anywhere from half a second to a full five minutes of non-responsive waiting. Is there a fixable reason scan times are so wildly different? One early "changed / unchanged" might take an instant, while the next takes several minutes.

Now I'm CTD-ing while trying to find what reads/writes to a given candidate. The crash is instantaneous when the game regains focus. It was working fine last time...

This is kind of a bummer, huh? Someone should invent a machine that does this kind of work for humans... ;)

I'll keep trying; I'm stubborn that way.

++METHOS · Posted: Fri Jun 17, 2016 3:11 pm Post subject:

If the target crashes while attaching the debugger to check what writes/accesses, try using a different debug method, such as VEH.

If you search for an initial, unknown value, then scan for 0 (for example), your scan will take a long time. If your initial scan is an exact scan for 0, then you scan for unchanged, it will take a long time. etc. etc. If, however, you search for an initial scan of 1, then scan for 0, it won't take as long.

GetPushPop · How do I cheat? Reputation: 0 Joined: 15 Jun 2016 Posts: 6

Thanks for the continued support!

Having had no luck with specific values or types, I'm forced to try All and un/changed scans.

The first "unchanged" scan was taking about an hour, and I finally realized why: My SSD was full.

In AppData/temp, cheat engine had borrowed an unfathomable 74GB. For a single scan. I had just purged it immediately prior. The scan hanged halfway through, so I imagine it wanted twice that space to continue.

This is more than twice the weight of the game files in their entirety. Obviously this is a deal-breaker for continuing this memory editing adventure. What in the heck is going on here, and can I make it stop?

Thanks,

++METHOS · Posted: Fri Jun 24, 2016 2:46 am Post subject:

Since I don't want my SSD to die prematurely, I set up my CE temp folder on an internal, disk drive. You could use an external, too.

Obviously, your scans won't be as fast, but my scans don't take long anyways.

GetPushPop · How do I cheat? Reputation: 0 Joined: 15 Jun 2016 Posts: 6

So a temporary cache of ~80 gigs for a "recommended 8GB ram" game is not wildly abnormal? That's rather startling. Anyhow, thanks for the rapid response - I'll consider pampering my SSD.

++METHOS · Posted: Fri Jun 24, 2016 3:48 am Post subject:

I don't know. I would check your temp folder and delete everything first, just in case. Those items are supposed to be deleted automatically, after a few days (assuming CE closed properly), so you could have data in there that is not related.

That said, doing an unknown, initial scan will essentially make a copy of the game.

Dark Byte · Posted: Fri Jun 24, 2016 3:54 am Post subject:

no need to use all when using changed/unchanged. just use 4 or 8 bytes and figure oit the type later on

and if you can debug you could try the d3d snapshot function.
use it and look through the screensbots to find the draw call for the gui.
then look at the stack, trace back, and inject code that skips that specific render