Cheat Engine The Official Site of Cheat Engine
F3l1x How do I cheat?
Reputation: 0
Joined: 06 Mar 2017 Posts: 5
Posted: Mon Mar 06, 2017 6:36 pm    Post subject: Desperately trying to find an Address, plz help me
Hello Everyone,
I'm new here and just started messing with Cheat Engine a couple of days ago, so have mercy on me for this noob question:
So I've been trying to find an address for the Strength of a character in a game, but could at first only find the visual representation of it. Then I went to find what writes to this address and found a
mov [esi+00002C08],eax
after that I wrote a script that's messing with eax and found out that eax holds the actual value at that point, but the problem is it's updated every time I enter a battle -> unless I have my script running the whole time, str will change every time.
My question is: How do I go from here to find the address that holds the actual value of my str?
I would appreciate any help a lot^^ thx in advance.
P.S. I've been trying to go up in the Disassembler from that point to see if I can find what's giving eax the value and stumbled across some stuff which looks like this:
mov eax,51EB851F
imul edx
sar edx,05
mov eax,edx <-----
shr eax,1F
add eax,edx
.
.
.
mov [esi+00002C08],eax
I know that edx had my value in it at the marked point, because I used break and trace before that point, but why is this 51EB851F loaded into eax? Wouldn't this be the indicator of the end result?? Is this already what I'm looking for?
ParkourPenguin I post too much
Reputation: 150
Joined: 06 Jul 2014 Posts: 4654
Posted: Mon Mar 06, 2017 7:17 pm
It's possible for values to look like something important when they actually aren't.
Look at how the value is being calculated. You've already started doing this, but one would need more information than that to figure out what's going on. i.e. what's the value of edx prior to the imul, and where is it getting that value from?
Also, is this an online game? If so, the value could be stored on a server, meaning you should give up. If not, saying its name could help others help you.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
F3l1x How do I cheat?
Reputation: 0
Joined: 06 Mar 2017 Posts: 5
Posted: Mon Mar 06, 2017 7:43 pm
Not an online game.
So I found out that I actually already found the address of my str, it just updates at the start/end of every battle. Modifying it in a battle would give me the result I wanted, but not for long ^^
So that means if I mess with that updating (finding out what writes to it and skipping it, for example) it would do the trick, but it can break the mechanic of giving me str for leveling up, for example, right?
Any suggestions on how to go further?
What I found about that imul thing is:
When imul is passed a 32-bit argument, as in your case with EDX, it effectively means EAX * EDX, where both EAX and EDX are 32-bit registers.
Since you are multiplying two 32-bit values, it is possible that the answer will overflow 32 bits, in which case the high 32 bits of the answer will be written to the EDX register and the low 32 bits to the EAX register; this is represented with the `EDX:EAX' notation.
The str value I'm looking for is 177 in dec, B1 in hex.
From the Tracer
mov eax,51EB851F
imul edx <----- 1
sar edx,05 <----- 2
mov eax,edx <----- 3
shr eax,1F
add eax,edx
.
.
.
mov [esi+00002C08],eax
at 1: edx has 00004578
at 2: edx has 0000163A
at 3: edx has 000000B1
Attachment (screenshot): Here is what's before the code snippet
 |
ParkourPenguin I post too much
Reputation: 150
Joined: 06 Jul 2014 Posts: 4654
Posted: Mon Mar 06, 2017 9:13 pm
Values that are semantically an aggregate of other values are usually calculated from their constituent parts before they are used. This calculation can sometimes be expensive, so the result of the calculation tends to be cached for the duration of its use. Modifications to the cached value would be transient, while modifications to the constituent values would affect future calculations of the aggregate value.
In this case, the value in question is the strength stat. If I had to guess, its value is an aggregate of other values: the number of skill points assigned to it, equipment bonuses, buffs / debuffs, etc. The game probably makes this calculation once prior to the beginning of a battle, caches the result, and uses that cached value for the rest of the battle. Modifying the cached value might have an effect for the duration of the current battle, but it wouldn't have any effect for future battles. If you change one of the values strength is calculated from, however, it will affect your strength stat the next time it's calculated.
Another option would be to change the function that calculates your strength stat. If a hypothetical function is "strength = base + skillPoints * 8 + equipmentBonus", you can change the 8 to some higher number. Of course, you'll need to find the code in order to make this change, which is sometimes easier said than done.
If you're only concerned about your strength stat while in battle, you can hook the instruction that accesses the address of your strength if that instruction doesn't access other addresses and is run often enough. From that point, do whatever you want: make it move some constant into the address of your strength stat, multiply the value by something, or just copy the address into some registered symbol and allow the user to decide what to do with the strength stat. The section titled "Injection Copies" of this topic goes over the basics of the last point.
You are correct about what the imul instruction does with a single operand. I don't know why the game is doing those operations- might be a part of calculating the strength stat, or might be obfuscation / bad encryption. If you want to go further down this rabbit hole, look at where edx comes from before it's multiplied by that number; however, IMO you'd have an easier time either modifying the code or changing one of strength's constituent values.
F3l1x How do I cheat?
Reputation: 0
Joined: 06 Mar 2017 Posts: 5
Posted: Mon Mar 06, 2017 10:04 pm
Quote: | In this case, the value in question is the strength stat. If I had to guess, its value is an aggregate of other values: the number of skill points assigned to it, equipment bonuses, buffs / debuffs, etc. The game probably makes this calculation once prior to the beginning of a battle, caches the result, and uses that cached value for the rest of the battle. Modifying the cached value might have an effect for the duration of the current battle, but it wouldn't have any effect for future battles. If you change one of the values strength is calculated from, however, it will affect your strength stat the next time it's calculated.
Another option would be to change the function that calculates your strength stat. If a hypothetical function is "strength = base + skillPoints * 8 + equipmentBonus", you can change the 8 to some higher number. Of course, you'll need to find the code in order to make this change, which is sometimes easier said than done.
|
That is actually what I meant in the first place haha^^ I just expressed myself really badly (not a native English speaker).
I'm actually looking for that calculation and want to find something like a "base" (x),
if the calculation is something like
str = x * level + Equipmentbonus*0.1*x or something like that, but I don't know how to go further into that from the point where I am right now.
I found that this instruction:
mov [esi+00002C08],eax
is calculating the str stat for everyone in the game (player characters and enemies), and I would kind of know how to make a script differentiate between my guys and the enemies (I'd make a dissect data structure from esi for everyone and look for similarities/differences), but I'm actually interested in finding the calculation you talked about.
So I'll try to find out what is done to edx before that point now.
Oh, another quick question: could it be that the game is trying to encrypt the value/function I'm looking for, too? Because I would have no idea how to deal with that at all.
And also, is there an easy way to look for certain functions being triggered?
Thx for helping me so far
ParkourPenguin I post too much
Reputation: 150
Joined: 06 Jul 2014 Posts: 4654
Posted: Mon Mar 06, 2017 11:24 pm
My apologies; I didn't realize you weren't a native English speaker.
F3l1x wrote: | could it be that the game is trying to encrypt the value/function, im looking for too? |
After looking at that code for a bit, I don't think so. It is certainly trying to hide the value 0x7D0 (2000 in decimal), which I'm guessing is the maximum limit on stats. However, the code that multiplies edx by 51EB851F and shifts the result to the right by 5 is actually just dividing edx by 100 quickly.
esi looks to be a very important structure where it's getting all the values from. [esi+2BE4] looks like the raw strength (important!), and [esi+2C34] looks like a % increase applied to the total strength. I don't know what edi is supposed to be at the instruction at 00521262 - perhaps it's set to something important in some other branch of execution. The byte at [esi+430C] looks like a flag for something (e.g. status effect, player or enemy, etc.). The value at [esi+2E8C] might be somewhat related to your strength, but it could be something else entirely.
Try changing [esi+2BE4] and see what happens. If that instruction accesses multiple addresses, make sure you get the one for your player and not some enemy.
If that doesn't work out, there are other things you can try:
The function that calculates your total strength could be spread out over several hundred instructions in many different areas of memory. Trying to find it by looking at what code is being executed could be difficult. Instead, it might be easier to look at what instructions access your level or something else that affects your strength. Look for instructions that are run the same time as the instruction that writes to the address of the strength stat. Once you find something, track down what the game does with the value after it reads it from the address.
You can also try backtracing. You have been doing this already by looking at preceding instructions, but you may need to look at what code called this code to run. Set a breakpoint and let the code run to the nearest ret instruction. The ret instruction will usually jump back to the point just after the call. Execute the ret instruction, scroll up, and you should see the call instruction that called the code you found to run. Above that should be more code that does stuff that might be interesting.
F3l1x wrote: | also is there an easy way to look for certain functions being triggered? |
"easy" is relative, but look into a feature called "ultimap" if you want. There are a couple YouTube videos that show it off.
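Added example, not code from the thread or from either game: a small C program that emulates the instruction sequence F3l1x traced (mov eax,51EB851F / imul edx / sar edx,5 / mov eax,edx / shr eax,1F / add eax,edx) with 32-bit x86 register semantics, and checks ParkourPenguin's reading of it as a signed division by 100 against the intermediate EDX values recorded in the trace (0x4578 -> 0x163A after the imul -> 0xB1 after the sar). It also shows where the constant comes from, ceil(2^37 / 100) = 0x51EB851F, which is the standard compiler construction for division by a constant, and how to recover the divisor from any unknown constant/shift pair, which is the check to run whenever a "random" 32-bit immediate is followed by imul and a sar of edx. The function names and the test window are this example's own choices; the constant, shift and instruction order are the ones posted above.

```c
/*
 * Added example (not from the thread): emulate the x86 sequence
 *   mov eax,51EB851F ; imul edx ; sar edx,5 ; mov eax,edx ; shr eax,1F ; add eax,edx
 * and show that it is a compiler-generated signed division by 100.
 * Helper names are this example's own; only the constant and shift come from the posts.
 */
#include <stdint.h>
#include <stdio.h>

#define MAGIC_DIV100 0x51EB851Fu   /* immediate seen in both games in the thread */

/* Portable arithmetic (sign-preserving) right shifts: C leaves >> on negative
 * values implementation-defined, so compute floor(v / 2^n) explicitly. */
static int64_t asr64(int64_t v, int n) { return v < 0 ? ~((~v) >> n) : v >> n; }
static int32_t asr32(int32_t v, int n) { return v < 0 ? ~((~v) >> n) : v >> n; }

/* "imul edx" with EAX = MAGIC: EDX:EAX = EAX * EDX as a signed 32x32 -> 64 product.
 * Returns the high dword, i.e. what lands in EDX (F3l1x's "at 2" value). */
int32_t imul_high(int32_t edx_in)
{
    int64_t product = (int64_t)edx_in * (int64_t)(int32_t)MAGIC_DIV100;
    return (int32_t)asr64(product, 32);
}

/* Full sequence. edx_in is EDX at the imul; the return value is EAX at the
 * mov [esi+2C08],eax that follows. */
int32_t emulate_magic_sequence(int32_t edx_in)
{
    int32_t edx = imul_high(edx_in);          /* imul edx      */
    edx = asr32(edx, 5);                      /* sar edx,5     -> floor(x * M / 2^37) */
    int32_t eax = edx;                        /* mov eax,edx   */
    uint32_t sign = (uint32_t)eax >> 31;      /* shr eax,1F    -> 1 iff quotient negative */
    return (int32_t)((uint32_t)edx + sign);   /* add eax,edx   -> floor becomes truncation */
}

/* Textbook construction of the constant: M = ceil(2^(32+s) / d), with s chosen so
 * that M fits in 32 bits and the rounding error stays below 1/d. For d = 100 the
 * compiler picks s = 5. (Divisors that need the extra add-correction variant are
 * not covered by this simple form; the sequence in the thread is the simple form.) */
uint32_t magic_constant(uint32_t divisor, unsigned shift)
{
    uint64_t numerator = (uint64_t)1 << (32 + shift);
    return (uint32_t)((numerator + divisor - 1) / divisor);
}

/* Reverse direction, for reading disassembly: divisor = round(2^(32+s) / M). */
uint32_t recover_divisor(uint32_t magic, unsigned shift)
{
    uint64_t numerator = (uint64_t)1 << (32 + shift);
    return (uint32_t)((numerator + magic / 2) / magic);
}

/* Compare the emulated sequence with C's truncating division over [lo, hi].
 * Returns the number of mismatches (expected: 0; the identity holds for all int32). */
int count_mismatches(int32_t lo, int32_t hi)
{
    int mismatches = 0;
    for (int64_t x = lo; x <= hi; x++)
        if (emulate_magic_sequence((int32_t)x) != (int32_t)x / 100)
            mismatches++;
    return mismatches;
}

int main(void)
{
    /* Values from F3l1x's trace: EDX = 0x4578 before the imul, 0xB1 after the sar */
    printf("EDX after imul for 0x4578: 0x%X\n", imul_high(0x4578));
    printf("sequence result for 0x4578: 0x%X (decimal %d)\n",
           emulate_magic_sequence(0x4578), emulate_magic_sequence(0x4578));
    printf("negative input -17784 -> %d\n", emulate_magic_sequence(-17784));
    printf("magic for /100 with shift 5: 0x%08X\n", magic_constant(100, 5));
    printf("divisor behind 0x51EB851F, shift 5: %u\n", recover_divisor(MAGIC_DIV100, 5));
    printf("mismatches vs x/100 in [-1000000, 1000000]: %d\n",
           count_mismatches(-1000000, 1000000));
    return 0;
}
```

The trailing mov/shr/add is the part that usually confuses people reading such traces: the multiply-and-shift alone yields floor(x/100), and adding the sign bit back turns that into truncation toward zero, which is what a C `/` on a signed int requires. So 0x4578 (17784) really is 177.84 truncated to 177, and the value in EDX before the imul is the "unscaled" strength, consistent with a base value multiplied by a percentage and then divided by 100.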
 |
++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Tue Mar 07, 2017 2:44 am
ParkourPenguin wrote: | F3l1x wrote: | also is there an easy way to look for certain functions being triggered? |
"easy" is relative, but look into a feature called "ultimap" if you want. There are a couple YouTube videos that show it off. |
-I just want to add: if you know which instructions you are interested in, then you can set a breakpoint on them to see which ones are being triggered and when.
F3l1x How do I cheat?
Reputation: 0
Joined: 06 Mar 2017 Posts: 5
Posted: Wed Mar 08, 2017 2:09 pm
Okay, so today I continued looking for it^^
I tried to apply all the methods of looking further that you suggested, I just don't get how to do this:
Quote: | Look for instructions that are run the same time as the instruction that writes to the address of the strength stat. Once you find something, track down what the game does with the value after it reads it from the address. |
How do you look at instructions that are run at the same time?
Alright, looking through hundreds of instructions (what a pain), I found that a lot of instructions above and below (including following the calls) calculate all of the characters' stats at the start of a battle (and for enemies at the time they are struck in a battle), and it seems that this whole structure (that esi had) is updated before a battle EXCEPT the values for Health (probably because there's stuff happening to it outside of battle too) and player name...
The only promising thing I kind of found was when looking at what writes to the address of [esi+2BE4], which we expected to be base str, and again I stumbled across something in the calculation which doesn't make sense to me.
It's like this
xor eax,eax
.
.
.
mov [esi+2BE4],eax
without anything changing eax in between, but [esi+2BE4] holds the value of 171 afterwards (177 was the str).
How is that possible? xor xxx,xxx should clear xxx, right?
I haven't tried to find stuff with that ultimap yet, but I'll definitely look into that at some other time.
I think I learned a lesson anyway tho haha^^ Trying to find the base value just wastes my precious time and isn't really worth it; I found that the equipment stats, for example, don't update like the str does, so it's much easier changing it that way. For the sake of learning it, I'm just trying to solve this particular problem still.
ParkourPenguin I post too much
Reputation: 150
Joined: 06 Jul 2014 Posts: 4654
Posted: Wed Mar 08, 2017 2:27 pm
F3l1x wrote: | how do you look at instructions, that are run at the same time? |
Technically, I don't mean instructions that are run at the exact same time. I'm talking about instructions that are run a few microseconds apart from each other.
For example, say you have the address of your level, and you know your level is used in the calculation of your total strength stat. There are a few instructions that access the address of your level, but there is one in particular that seems to be executed at (about) the same time as the instruction that writes to your strength stat. This might be just a coincidence, but more often than not, it's because that instruction is reading your current level so it can use that to determine what your strength should be. Set the break and trace on the instruction that accesses your level and see where it leads to after that.
xor eax,eax does indeed set eax to 0. There may have been a call instruction that sets eax to something. If there wasn't, the code may not have executed that xor instruction due to a jump instruction somewhere else.
F3l1x How do I cheat?
Reputation: 0
Joined: 06 Mar 2017 Posts: 5
Posted: Wed Mar 08, 2017 7:01 pm
Alright, I finally found something in that calculation which doesn't change after ages of backtracing.
Thank you for the guidance, I definitely learned a lot (also that I won't look for this stuff anymore if there is another way haha).
SunBeam I post too much
Reputation: 65
Joined: 25 Feb 2005 Posts: 4023 Location: Romania
Posted: Thu Nov 25, 2021 2:11 pm
Kinda old and sorry for the necro, but I found the same calculation logic in "The Red Solstice" with the same constant/seed -> 0x51EB851F
Code:
00940C26 | B8 1F85EB51      | MOV EAX,51EB851F
00940C2B | F7E9             | IMUL ECX
00940C2D | C1FA 05          | SAR EDX,5
00940C30 | 8BC2             | MOV EAX,EDX
00940C32 | C1E8 1F          | SHR EAX,1F
00940C35 | 03C2             | ADD EAX,EDX
00940C37 | 50               | PUSH EAX
00940C38 | 8D8424 BC010000  | LEA EAX,DWORD PTR SS:[ESP+1BC]
00940C3F | 50               | PUSH EAX
00940C40 | E8 5BB4AFFF      | CALL game.43C0A0
Googled for it and found this topic. I'll keep you posted if I ever find some source code using it or the cryptographic algorithm's name.
LE #1: According to a response in this tweet it appears to be divide by 25. Although I think he meant "divide by 2^5" because this other post talks of 32. And 2^5 is 32.
Yes, The Red Solstice is an x86 game.
LE #2: But then again this picture and this picture talk of pi = 3.14. Judge for yourself.