Cheat Engine

[galunga]

Hello all,

Game: X3: Farnham's Legacy

I am trying to find an address of an item in my inventory(cargo bay), but the problem is...I only have 1 unit of that unique item so I can't really "change" the value in game to scan for values. I either have it or don't have it.

I can successfully find the addresses of other items with 2 or more units, because I can buy/sell or drop/pickup the item while scanning for the changed value.

However I noticed that every time you pick up a new item, it gets written to a completely new address. Even if,. let's say I have 10 Energy Cells in my cargo bay, I find the address and then I jettison all of them. When I pick those same 10 Energy Cells back again, they are in a different address. Any change to the old address does nothing. This sort of makes sense because if I get rid of all the Energy Cells, they are removed from my inventory(cargo bay).

So now, knowing the above, I have the following problem:

1. I am trying to find the address of an unique item of which I only have 1 unit in my cargo bay.
2. I can drop and pick-up said item to simulate a "value change"
3. But the problem is, as described above, when I pick it up again, it is written to a different address. So it's like a wild goose chase.

What I tried so far.
-Searched and found addresses of multiple items in my cargo bay and noticed that they all get written to with an instruction by another address which I believe is the base address(it's colored green)

I was thinking to somehow monitor this address and see all the addresses it writes to(with the hope that I find my unique item) but I'm kinda lost at this point as I have no idea how to do this.

Sorry for the long winded explanation. I hope it makes sense.

[ParkourPenguin]

Find the address of some other item, find out what instructions access that address, and see if those instructions access other items' addresses (right click the instruction in the disassembler and select "Find out what addresses this instruction accesses")

[galunga]

Thanks for the reply.

So I did just that, but it finds thousands of addresses. And they just keep piling up without me doing anything in game.

EDIT:

I notice I can filter the results so worst case scenario I'm changing all addresses that have a particular value(EAX should be 1 I think?) and with trail and error I might find it eventually.

But the problem is, while this monitor is running and keeps finding addresses, my game is frozen and unusable. So I can't make the change in game to trigger the instruction.

Any ideas?

[cooleko]

In these situations, I find the pointer to the item slot, then put the difficult item in the found slot, usually works.

[ParkourPenguin]

That's a very weird behaviour to be accessing unaligned data. Try some other instruction- maybe something that reads from the address. (my previous comment said "access", not "write to")

Filtering it might be faster if you inject code to filter it out.

If you can't find a good instruction, I'd start analyzing data next. Maybe there's a pattern- e.g. the next inventory item comes exactly 5 bytes after the previous one.

The game is clearly abnormal. Reverse engineering it might lead to something interesting, but that isn't worth the time for me. If you can't do this yourself, you could try looking at other people's work on that game or a similar one (X3AP maybe).

[galunga]

I initially tried to find a pattern but there doesn't seem to be any.

For example, I completely emptied the cargo bay and then picked up the same 4 items in the same order, searched their addresses, reloaded the game and repeat. I did this 3 times

These were their addresses:

first time:
22C3AEE2
59D2E222
4B109F02
45C4ED82

second time:
2D1C7D1A
51E7B902
48EAE2DA
70D397CA

third time:
0FAAF452
588C007A
2B19874A
2CB2E2F2

There's no clear pattern unfortunately.

[Frouk]

usually items are close with each other, you just need to know item structure size

[galunga]

I know what you mean but in this case i'm not so sure. I mean look at the addresses above, with an empty cargo bay I picked up 4 different items(in amounts larger than 1 of course, so I can actually find the addresses). They are not equal/constant distance away from one another in neither of the 3 scenarios

[ParkourPenguin]

It's offset by 2 in some structure aligned to 8 bytes. Beyond that, there's no pattern I can see.

The data structure backing up the inventory is probably allocating memory every time an item gets picked up and storing a pointer to that allocated memory.

You can try pointers as suggested by cooleko. I'd empty the inventory, pick up an item, find the address of that item, and do a pointer scan for that address. This video shows how to use the pointer scanner:
https://www.youtube.com/watch?v=3dyIrcx8Z8g

[galunga]

Searching for pointers was leading me nowhere. I tried both the pointer map method(resulted 0 results each time) and the manual method.

However I did look at the data more closely. There is no pattern between the addresses that are allocated even for the same item but there is a pattern with the data a few offsets before the address that holds the amount of units you have.

If you have an item in your cargo bay and you dump it, these 3 values will change(Image1). I took a closer look and those values starting from 88 seem to be a reference to the item ID(image2)

The pattern is consistent every time you pick up the same item. The pattern differs for other objects.

I tested and changed some of the values between the first 01 and the last 01 and managed to change the item in my cargo bay into a completely different item. Not just in name, because then to test, I transferred that item to another ship and it was behaving correctly(turned a ware into a weapon for example)

What I couldn't figure out is the structure and nature of this pattern. Was it an address? In game, items have an item ID that is a string in the form of SS_WARE.... etc. I tried to convert the values from hex to text but it made no sense. So I'm not sure exactly what is this value, but changing it will change the object completely(maybe a refference to something that links to the object type)

So I ran a "Find out what accesses this address" on my original address that I found, opened the in game inventory, got the opcode, ran a "Find out what addresses this code accesses", filtered and brute-forced my way through all of them that had the value of 1, checking the patterns and saving the ones that matched the most.

Then I finally found the pattern of the item I was looking for

Now the question is, can I search for a specific pattern, not knowing the starting address but knowing it's value?

For example:
Unknown==01
Unknown-0x1==01
Unknown-0x2==00
Unknown-0x3==0A
and so on....

EDIT: I figured it out. I can search the pattern as an 8-byte hex value to find my address. I'm sure there are more ways but this one works too.

[ParkourPenguin]

If the game engine is such that static base addresses are difficult to find, you could search for a dynamic address, but that won't persist across game restarts by itself. This might fail too if the game is packing data in with pointers. Given it's already doing unaligned accesses to packed structs, I wouldn't be surprised.
(I did this in an old AS1/2 flash game where the interpreter was reallocating data every write)

I'm glad you were able to figure out a solution.

You could just scan for an array of bytes. If that example listed bytes in reverse order, you could scan for "0A 00 01 00". Wildcards can be added with "??": e.g. "12 34 ?? 0A 00 01 00" matches anything for the third byte.
For more advanced structures, a groupscan might be appropriate.