Cheat Engine - The Official Site of Cheat Engine
Menoetius (Cheater, Reputation: 0, Joined: 01 Jul 2018, Posts: 29)
Posted: Tue Apr 07, 2020 11:22 am    Post subject: [Solved] NOPing Code via Scripting
Hello, I've got a solid base pointer along with a pointer that holds a value that gets written to by the game, and I want to be able to NOP the code via scripting.
So I have the bullet count, and can find out what writes to it, but I'm unsure of how to proceed with the scripting.
Code:
    mov ebp, [dosbox.exe+12F1F8C] //Always from this address
    ...
    dec ebp //decreases the value
    ...
    ...
    mov [eax+ecx], ebp //replaces old ammo count <--
Going to dosbox.exe+12F1F8C yields constantly changing code and/or read data. NOPing that line (not what's at the address) does NOT affect bullet loss; only the following lines will nullify the ammo loss.
How should I proceed to basically enable a script that gives infinite ammo? If there are other, better options, please do let me know. Thank you kindly in advance.
[Edit]
Solution in the comments provided by OldCheatEngineUser
Attachment: mov ebp, [dosbox.exe+12f1f8c].png (Filesize: 42.75 KB, Viewed: 3751 Time(s))
![mov ebp, [dosbox.exe+12f1f8c].png](files/mov_ebp___dosbox.exe_12f1f8c__672.png)
_________________
Big Gun
#1
Shoot the Hell Outta You
Last edited by Menoetius on Tue Apr 14, 2020 1:25 am; edited 1 time in total
JustSmile (How do I cheat?, Reputation: 0, Joined: 08 Apr 2020, Posts: 1)
Posted: Wed Apr 08, 2020 10:07 am
Have you tried the simplest approach?
I think this is easier than it seems.
Try NOPing the "dec" line and see what happens.
Menoetius (Cheater, Reputation: 0, Joined: 01 Jul 2018, Posts: 29)
Posted: Wed Apr 08, 2020 3:20 pm
Yeah, I have; that also works, that's not an issue. What I'm saying is the only thing the same about these functions on game reload is [dosbox.exe+12F1F8C]. I'm wondering if I could hinge something off of that.
I know how to NOP; what I need is either:
an AOBscan, which does require a lot of bytes AND doesn't work until the first shot is fired. I actually do have a working AOBscan for a couple of these, but the AOBs are pretty long and, again, don't work until the first shot is fired.
OR
Some sort of offset (but the function is usually in different memory on load) that I can use instead of an AOBscan.
OldCheatEngineUser (Whateven rank, Reputation: 20, Joined: 01 Feb 2016, Posts: 1586)
Posted: Thu Apr 09, 2020 10:30 am
You can't really NOP anything, because technically you will be NOPing both dosbox routines and emulated routines. That's a definite crash, or improper stuff will happen.
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
| STN wrote: | | i am a sweetheart. |
Menoetius (Cheater, Reputation: 0, Joined: 01 Jul 2018, Posts: 29)
Posted: Thu Apr 09, 2020 10:48 am
That is true; however, I've been able to construct AOBscans that rewrite/disable without an impasse (so far). What other options do I have in regards to things similar to this?
Should I make a thread that resets values, an AOBscan replace of something static, or an injection site?
So far:
AOBscan: works after the first shot is fired, but I have to do it for all weapons despite pooled ammo. Very lengthy array to find, and it also rewrites EMU processes (suboptimal).
Thread: works okay, BUT I'm not versed enough to understand why a jmp during a thread crashes it no matter what. If you know why something like this crashes when it jumps to M__LOOP, please let me know:
Code:
    globalalloc(T__LOOP,1000)//NEVER DEALLOC THREADS
    createthread(T__LOOP)
    label(N__LOOP) //necessary
    registersymbol(N__LOOP)
    label(M__LOOP)
    registersymbol(M__LOOP) //memory space to do stuff
    I__LOOP: //resets values
    db 0
    T__LOOP:
    inc [I__LOOP] //increments value
    //do
    jmp M__LOOP //<-- absolutely smashes the game
    //do
    push #500 //hundredths of seconds for stack to sleep
    call sleep //waits for designated time
    cmp [N__LOOP],1 //compares to exit condition
    jne T__LOOP
    ret
    M__LOOP:
    mov [tmp], 2 //works inside T__LOOP, crashes outside
    N__LOOP: //exit boolean
    db 0
Value-Lock Hotkeys: works for this situation, but there are others where it does not, and I would like to be able to navigate around such a problem in the future.
OldCheatEngineUser (Whateven rank, Reputation: 20, Joined: 01 Feb 2016, Posts: 1586)
Posted: Thu Apr 09, 2020 11:23 am
I'm using my phone to post, so excuse any typos or even if I missed something.
First, I'm trying to figure out what you are doing here. Your code flow:
Code:
    - inc [i_loop] // increment by 1, data type integer 1 byte
    - jmp m_loop
    push #500 // never executed // 500 milliseconds (0.5 seconds)
    call sleep // because it jumps to m_loop and never returns
    m_loop:
    mov dword ptr [tmp],2 // assuming tmp is registered from outside the script + allocated 4 bytes of memory
Basically it copies value 2 into memory location tmp, but then it never returns back to t_loop.
What will happen? What's after mov [tmp],2?
Well, it will be add [eax],al; this instruction has the following opcode/bytes: 00 00.
So you probably want to either do spaghetti jumps or call.
So a quick fix is:
Code:
    call m_loop
    ...
    m_loop:
    mov [tmp],2
    ret
Also, you did not allocate memory for i_loop, so allocate it or move it under m_loop.
Menoetius (Cheater, Reputation: 0, Joined: 01 Jul 2018, Posts: 29)
Posted: Thu Apr 09, 2020 11:42 am
Basically I'm just trying to figure out how createthread works best. I kept adding simple commands that work on their own to test what crashes or makes a loop.
The I__LOOP is simply a counter that counts the loop runs.
tmp is just a place in memory that I want to set a value to. I know it doesn't reference anything; it's more like using a "print" statement.
mov [tmp], 2 simply tests that I can indeed do such a thing without crashing.
M__LOOP, or main/memory of loop, is where I would like the instructions to be executed. Because I know that the previous command mov [tmp], 2 works, and jmp M__LOOP (which holds the instructions of mov [tmp], 2) does not, I can discern that that is why the thread/game crashes.
Placing a "ret" after M__LOOP ends the thread immediately, which I can discern from the counter I implemented.
Here's the whole thing:
Code:
    globalalloc(I__LOOP, 8) //gives space for counter
    registersymbol(tmp) //temporary value to modify
    alloc(tmp,8)
    [ENABLE]
    globalalloc(T__LOOP,1000)//NEVER DEALLOC THREADS
    createthread(T__LOOP)
    label(N__LOOP) //necessary
    registersymbol(N__LOOP)
    label(M__LOOP)
    registersymbol(M__LOOP) //memory space to do stuff
    I__LOOP: //resets values
    db 0
    T__LOOP:
    inc [I__LOOP] //increments value
    //do
    jmp M__LOOP //<-- absolutely smashes the game
    //do
    push #500 //hundredths of seconds for stack to sleep
    call sleep //waits for designated time
    cmp [N__LOOP],1 //compares to exit condition
    jne T__LOOP
    ret
    M__LOOP:
    mov [tmp], 2 //works inside T__LOOP, crashes outside
    N__LOOP: //exit boolean
    db 0
    [disable]
    N__LOOP: //ceases loop
    db 1
So, to put it simply, I need to figure out how to use a jmp from the T(hread)__LOOP to M(ain/memory)__LOOP, or things like it, without crashing the thread, but I don't know enough about assembly or CE to solve it myself even after looking up solutions.
I was actually going to make a new forum post about this part, as my initial question dealt with the best way of finding a location of code (in an emulator) and modifying the function via scripting (automated).
OldCheatEngineUser (Whateven rank, Reputation: 20, Joined: 01 Feb 2016, Posts: 1586)
Posted: Thu Apr 09, 2020 11:55 am
I'm assuming main/memory loop means dosbox instructions; then this can't be done.
Because each thread has its own registers, your thread's registers are not the same as dosbox's threads. So you should indeed crash.
And either way you don't want to do it with a JMP, because as soon as it hits a RET instruction the thread will be returned to the operating system.
Menoetius wrote: Placing a "ret" after M__LOOP ends the thread immediately, which I can discern from the counter I implemented.
Only if you used JMP M_LOOP.
CALL and RET are used in pairs (except for anti-disassembly purposes); it should not terminate if you use CALL.
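To show the call/ret pairing the two posts above describe in a form that can be pasted into Cheat Engine's auto-assembler, here is an added example script. It is not Menoetius's or OldCheatEngineUser's code; it keeps the symbol names from the thread (T__LOOP, M__LOOP, N__LOOP, I__LOOP, tmp), assumes a 32-bit target like the dosbox.exe in the thread (so kernel32's Sleep is called with a pushed argument, as in the posts), and M__LOOP holds a single placeholder store where the poster would put their own list of commands.

```asm
[ENABLE]
// Everything the running thread touches is globalalloc'd: a thread's code and
// data must never be freed while the thread can still execute (see the thread).
globalalloc(T__LOOP,1000)   // thread body, subroutine and exit flag
globalalloc(I__LOOP,8)      // pass counter; persists across enable/disable
globalalloc(tmp,8)          // scratch location written by the subroutine
registersymbol(tmp)

label(M__LOOP)
label(N__LOOP)
registersymbol(N__LOOP)

// createthread runs after the code below has been written to memory.
createthread(T__LOOP)

T__LOOP:
  inc dword ptr [I__LOOP]   // count one pass through the loop
  call M__LOOP              // CALL pushes the return address ...
  push #500                 // Sleep(500): 500 milliseconds
  call sleep                // kernel32.Sleep, resolved by CE's symbol handler
  cmp byte ptr [N__LOOP],1  // exit flag raised by the [DISABLE] section?
  jne T__LOOP
  ret                       // return from the thread function: thread ends cleanly

M__LOOP:
  // Placeholder for the poster's "list of commands". With JMP there was no
  // return address, so execution fell through into the 00 00 bytes after the
  // last instruction; with CALL the RET below goes back to after the CALL.
  mov dword ptr [tmp],2
  ret                       // ... and RET pops it, resuming at "push #500"

N__LOOP:
  db 0                      // 0 = keep looping

[DISABLE]
N__LOOP:
  db 1                      // 1 = the thread exits at its next cmp
unregistersymbol(N__LOOP)
unregistersymbol(tmp)
// No dealloc here: the thread may still run one more pass (and write tmp)
// before it sees the flag, so the globalalloc'd memory stays mapped.
```

The exit flag lives inside the thread's own allocation and is the only thing the [DISABLE] section touches, so disabling never frees memory the thread is still executing from; re-enabling writes `db 0` back into N__LOOP before createthread starts a fresh thread.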
Menoetius (Cheater, Reputation: 0, Joined: 01 Jul 2018, Posts: 29)
Posted: Thu Apr 09, 2020 12:22 pm
Solid, my man. call/ret is what I needed for a thread, not jmp. I missed that in your previous post.
M__LOOP is a substitute for a list of commands I want to do, such as setting ALL ammo counters to whatever, or something of the like (a bunch of mov [ammo_address number1], 42), not directly using a game function address.
Thank you again for that.
For future reference and learning purposes, would you happen to know other methods of automating locating memory (such as aobscan, static injection), and then being able to continually replace it on game reload (as it will automate again)? AOBs for emus are volatile and/or recurring, but looking at static injection, perhaps I could use that to discover where the functions will load (assuming I already have a base game address).
Again, thank you so much for your assistance thus far c:
OldCheatEngineUser (Whateven rank, Reputation: 20, Joined: 01 Feb 2016, Posts: 1586)
Posted: Thu Apr 09, 2020 12:52 pm
FOR ME, dosbox never changes the address, so pointers are not needed. (Again, for me.)
As for finding and populating the address list, you need to have at least the base address + the distance from it to each memory address that holds weapon data.
Then, using Lua scripts, you can populate the address list with entries (current address + offset to next address).
But I have no idea how to use Lua, nor CE's API (only assembly programming and scripting).