Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


A few questions on creating a free fly camera trainer

 
Sarge411
Posted: Sun Apr 22, 2018 3:40 am    Post subject: A few questions on creating a free fly camera trainer

I've been looking at a few free fly camera scripts from this thread:

www[dot]cheatengine[dot]org[slash]forum [slash]viewtopic[dot]php?p=5643360

and am trying to create one for Duke Nukem 3D. So far I managed to find all coordinates as well as other fields from the player table:

Code:

  <CheatEntries>
    <CheatEntry>
      <ID>9</ID>
      <Description>"Y coordinate"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>B70F58</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>4</ID>
      <Description>"X coordinate"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>B70F5C</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>3</ID>
      <Description>"Z coordinate"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>B70F60</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>0</ID>
      <Description>"Camera angle"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>Duke3dw.exe+770F64</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>23</ID>
      <Description>"Z Down Acceleration"</Description>
      <VariableType>4 Bytes</VariableType>
      <Address>00B70F8a</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>22</ID>
      <Description>"Y Acceleration"</Description>
      <VariableType>4 Bytes</VariableType>
      <Address>00B70F92</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>21</ID>
      <Description>"X Acceleration"</Description>
      <VariableType>4 Bytes</VariableType>
      <Address>00B70F96</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>28</ID>
      <Description>"Rotation"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>00B70FD0</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>15</ID>
      <Description>"Ammo 2 Pistol"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>00B70FE0</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>11</ID>
      <Description>"Ammo 3 Shotgun"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>Duke3dw.exe+770FE2</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>16</ID>
      <Description>"Ammo 4 Chaingun"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>00B70FE4</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>12</ID>
      <Description>"Ammo 5 BFG (Sacrilege) "</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>Duke3dw.exe+770FE6</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>17</ID>
      <Description>"Ammo 6"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>00B70FE8</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>13</ID>
      <Description>"Ammo 7"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>Duke3dw.exe+770FEA</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>18</ID>
      <Description>"Ammo 8"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>00B70FEc</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>14</ID>
      <Description>"Ammo 9"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>00B70FEE</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>19</ID>
      <Description>"Ammo 0"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>00B70Ff0</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>26</ID>
      <Description>"Armor"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>Duke3dw.exe+77107A</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>8</ID>
      <Description>"Elevation physics"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>00D071CA</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>20</ID>
      <Description>"Player Size"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>00D071D0</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>7</ID>
      <Description>"Health"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>Duke3dw.exe+9071E6</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>30</ID>
      <Description>"3rd person view enable disable"</Description>
      <VariableType>4 Bytes</VariableType>
      <Address>00B7102E</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>31</ID>
      <Description>"Crouch for x seconds"</Description>
      <VariableType>4 Bytes</VariableType>
      <Address>00B70f9a</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>33</ID>
      <Description>"Holoduke amount"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>00B71006</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>34</ID>
      <Description>"Access wallnum"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>00B71019</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>35</ID>
      <Description>"First aid amount"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>00B71024</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>36</ID>
      <Description>"Cheat phase"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>00B71034</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>37</ID>
      <Description>"Current inventory item"</Description>
      <VariableType>4 Bytes</VariableType>
      <Address>00B710B7</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>38</ID>
      <Description>"Jetpack amount"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>00B71076</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>39</ID>
      <Description>"Steroids amount"</Description>
      <VariableType>2 Bytes</VariableType>
      <Address>00B71078</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>40</ID>
      <Description>"Enable weapons array"</Description>
      <VariableType>8 Bytes</VariableType>
      <Address>00B710C3</Address>
    </CheatEntry>
  </CheatEntries>


In this script

fearlessrevolution[dot]com[slash]threads[slash]god-mode-free-fly-camera[dot]372[slash]

, a base address is used for the camera, but is it really needed?

Up to now I tried changing the coordinates from Cheat Engine, but this results in a death once the camera is moved beyond a wall that is outside the playable map. I looked for and nop-ed the code that writes to the health field. After finding all instructions, I can now move outside the map, but there is a dying animation that I can't get rid of (moving around works).

How can the camera be detached so that it does not move along with the character (the game's code kills the character even if noclip is used)?

How can cheat engine show the values of a memory region given an address and its offsets?

Once an instruction that writes to an address has been found, how can you determine if the address of that instruction is static or not? I have used Cheat Engine's search with the instruction's address in hex, but the search did not return any results.

Can cheat engine record instructions that access a memory region instead of fixed address?

When executing the camera thread, what happens to the original thread that handles the player character? Which coordinates are used to update the view point?
Dark Byte
Posted: Sun Apr 22, 2018 4:55 am

Quote:

Can cheat engine record instructions that access a memory region instead of fixed address?

Use pageexception breakpoints in settings, then in the memory view select the whole region you wish to watch, right-click and choose data breakpoint->find out what accesses.

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
Sarge411
Posted: Mon Apr 23, 2018 12:18 pm

Dark Byte wrote:
Quote:

Can cheat engine record instructions that access a memory region instead of fixed address?

Use pageexception breakpoints in settings, then in the memory view select the whole region you wish to watch, right-click and choose data breakpoint->find out what accesses.


Thanks.

I managed to get all instructions that were freezing the player's position after death, as well as those that rotate the view by a random angle. Right now, if I kill the character (set life to 0 from within Cheat Engine), the position remains the same, and with the instructions found being nop-ed the player's coordinates are updated in game if the X, Y, Z addresses are changed (this also works for camera pitch and rotation).

The main idea is:

1. Find a thread that accesses any coordinate often and use the given instruction as an injection point.

2. Upon enabling the cheat, disable (nop) the freezing instructions (that constantly write the player's last coordinates to the X, Y, Z addresses).

3. Create a thread that is launched afterwards, waits for user input and updates the values at the addresses holding the positional coordinates (given these are static).

My questions now are:

1. Can those instructions accessing the coordinate values be nop-ed if a cheat is enabled (and un-nop-ed when disabled)?

2. Is there a better way of going about this than nop-ing instructions?
Dark Byte
Posted: Tue Apr 24, 2018 11:53 am

1: Of course you can do that, but it depends on the game how it reacts. (Perhaps it works, or perhaps it goes into a loop till the coordinates have returned to what it expects)

2: no idea, perhaps

Sarge411
Posted: Tue Apr 24, 2018 3:55 pm

Dark Byte wrote:
1: Of course you can do that, but it depends on the game how it reacts. (Perhaps it works, or perhaps it goes into a loop till the coordinates have returned to what it expects)

2: no idea, perhaps


Thanks again. I wrote a basic script that fetches the original coordinates and health values, and saves them to memory. Here is the code:

Code:

{ Game   : Duke3dw.exe
  Version:
  Date   : 2018-04-23
  Author : Sarge411

  This script does blah blah blah
}

define(address,"Duke3dw.exe"+53401)
define(bytes,8B 85 18 02 00 00)

[ENABLE]

globalAlloc(myCamX, 4)
globalAlloc(myCamY, 4)
globalAlloc(myCamZ, 4)

globalAlloc(origCamX, 4)
globalAlloc(origCamY, 4)
globalAlloc(origCamZ, 4)

globalAlloc(health, 4)
globalAlloc(origHealth, 4)

origCamX:
dd 0
origCamY:
dd 0
origCamZ:
dd 0

myCamX:
dd B70F5C
myCamY:
dd B70F58
myCamZ:
dd B70F60

Health:
dd D071E6
origHealth:
dd 0

assert(address,bytes)
alloc(newmem,$2000)


label(code)
label(return)

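newmem:
  // Save previous camera coords
  push eax
  // Save X (myCamX holds the static address, so dereference it)
  mov  eax, [myCamX]
  mov  eax, [eax]
  mov  [origCamX], eax
  xor  eax, eax
  // Save Y
  mov  eax, [myCamY]
  mov  eax, [eax]
  mov  [origCamY], eax
  xor  eax, eax
  // Save Z (read from myCamZ, not origCamZ)
  mov  eax, [myCamZ]
  mov  eax, [eax]
  mov  [origCamZ], eax
  xor  eax, eax
  // Save current health (a 2-byte value in the table)
  mov  eax, [Health]
  movzx eax, word ptr [eax]
  mov  [origHealth], eax
  xor  eax, eax

  pop  eax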

code:
  mov eax,[ebp+00000218]
  jmp return

address:
  jmp newmem
  nop
return:

[DISABLE]

address:
  db bytes
  // mov eax,[ebp+00000218]

dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "Duke3dw.exe"+53401

"Duke3dw.exe"+533D2: 78 07                          -  js Duke3dw.exe+533DB
"Duke3dw.exe"+533D4: 66 81 FA FF 0F                 -  cmp dx,0FFF
"Duke3dw.exe"+533D9: 7E 1A                          -  jle Duke3dw.exe+533F5
"Duke3dw.exe"+533DB: 8B 85 38 02 00 00              -  mov eax,[ebp+00000238]
"Duke3dw.exe"+533E1: 89 85 14 02 00 00              -  mov [ebp+00000214],eax
"Duke3dw.exe"+533E7: 8B 85 3C 02 00 00              -  mov eax,[ebp+0000023C]
"Duke3dw.exe"+533ED: 89 85 18 02 00 00              -  mov [ebp+00000218],eax
"Duke3dw.exe"+533F3: EB 18                          -  jmp Duke3dw.exe+5340D
"Duke3dw.exe"+533F5: 8B 85 14 02 00 00              -  mov eax,[ebp+00000214]
"Duke3dw.exe"+533FB: 89 85 38 02 00 00              -  mov [ebp+00000238],eax
// ---------- INJECTING HERE ----------
"Duke3dw.exe"+53401: 8B 85 18 02 00 00              -  mov eax,[ebp+00000218]
// ---------- DONE INJECTING  ----------
"Duke3dw.exe"+53407: 89 85 3C 02 00 00              -  mov [ebp+0000023C],eax
"Duke3dw.exe"+5340D: 8B 85 14 02 00 00              -  mov eax,[ebp+00000214]
"Duke3dw.exe"+53413: 89 85 30 02 00 00              -  mov [ebp+00000230],eax
"Duke3dw.exe"+53419: 8B 85 18 02 00 00              -  mov eax,[ebp+00000218]
"Duke3dw.exe"+5341F: 89 85 34 02 00 00              -  mov [ebp+00000234],eax
"Duke3dw.exe"+53425: 8B 85 1C 02 00 00              -  mov eax,[ebp+0000021C]
"Duke3dw.exe"+5342B: 89 85 40 02 00 00              -  mov [ebp+00000240],eax
"Duke3dw.exe"+53431: 8B 85 44 02 00 00              -  mov eax,[ebp+00000244]
"Duke3dw.exe"+53437: 89 85 48 02 00 00              -  mov [ebp+00000248],eax
"Duke3dw.exe"+5343D: 8B 85 8C 02 00 00              -  mov eax,[ebp+0000028C]
}


I was wondering if the code for saving the original X, Y, Z coordinates from static addresses is correct (move value stored at static address to EAX, then move contents of EAX to locally defined address). I saw that other scripts didn't have to specifically define the addresses in the script but were using <SymbolEntries> from the cheat table.

Can a thread be created after these values are saved so that it begins updating the values stored at the static addresses, or does it have to be defined in a new script?
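
Added example, not part of the original posts: the table in the first post mixes bare addresses (`00B70F58`) with module-relative ones (`Duke3dw.exe+770F64`), and the script hard-codes `B70F5C` and `D071E6`. This Python sketch normalizes a few of those entries to one notation and flags entries whose address is not aligned to the declared size; the image base 0x400000 is an assumption inferred from Health appearing as both `Duke3dw.exe+9071E6` and `D071E6`, and all function names are illustrative.

```python
import xml.etree.ElementTree as ET

MODULE = "Duke3dw.exe"
# Assumption: image base inferred from the page, where Health appears both as
# Duke3dw.exe+9071E6 (table) and as D071E6 (script).
IMAGE_BASE = 0x400000
SIZES = {"2 Bytes": 2, "4 Bytes": 4, "8 Bytes": 8}

# Constructed sample: five entries copied from the table in the first post.
SAMPLE = """<CheatEntries>
<CheatEntry><Description>"Y coordinate"</Description><VariableType>2 Bytes</VariableType><Address>B70F58</Address></CheatEntry>
<CheatEntry><Description>"Camera angle"</Description><VariableType>2 Bytes</VariableType><Address>Duke3dw.exe+770F64</Address></CheatEntry>
<CheatEntry><Description>"X Acceleration"</Description><VariableType>4 Bytes</VariableType><Address>00B70F96</Address></CheatEntry>
<CheatEntry><Description>"Access wallnum"</Description><VariableType>2 Bytes</VariableType><Address>00B71019</Address></CheatEntry>
<CheatEntry><Description>"Health"</Description><VariableType>2 Bytes</VariableType><Address>Duke3dw.exe+9071E6</Address></CheatEntry>
</CheatEntries>"""

def parse_address(text):
    """Return the absolute address for 'module+offset' or bare-hex notation."""
    text = text.strip().replace('"', "")
    if "+" in text:
        module, offset = text.split("+", 1)
        if module.lower() != MODULE.lower():
            raise ValueError(f"unknown module {module!r}")
        return IMAGE_BASE + int(offset, 16)
    return int(text, 16)

def normalize(xml_text):
    """Parse CheatEntry records into rows sorted by absolute address."""
    rows = []
    for entry in ET.fromstring(xml_text).iter("CheatEntry"):
        addr = parse_address(entry.findtext("Address"))
        size = SIZES[entry.findtext("VariableType")]
        rows.append({
            "name": entry.findtext("Description").strip().strip('"'),
            "abs": addr,
            "rel": f"{MODULE}+{addr - IMAGE_BASE:X}",
            "size": size,
            "aligned": addr % size == 0,  # misalignment hints at a wrong size or address
        })
    return sorted(rows, key=lambda r: r["abs"])

def misaligned(rows):
    """Names of entries whose address is not a multiple of their size."""
    return [r["name"] for r in rows if not r["aligned"]]

def overlaps(rows):
    """Pairs of neighbouring entries whose byte ranges overlap."""
    return [(a["name"], b["name"]) for a, b in zip(rows, rows[1:])
            if a["abs"] + a["size"] > b["abs"]]
```

An address that resolves to the same module-relative offset on every run is static; one that only appears as a bare number and moves between runs is not.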