Cheat Engine The Official Site of Cheat Engine
jackdaniels42 (Cheater, Reputation: 0, Joined: 15 Jan 2013, Posts: 26)
Posted: Sun Jun 02, 2013 9:55 am
GNIREENIGNE wrote:
    jackdaniels42 wrote:
        I've been trying for 6 months to find it.
    jackdaniels42 wrote:
        GNIREENIGNE wrote:
            http://forum.cheatengine.org/viewtopic.php?t=558286&sid=b928dd5414476494445ea5ee80ffb6f9
        It's not what I'm looking for.
    Maybe you could try another 6 months.
Yes, or longer.
 |
jackdaniels42 (Cheater, Reputation: 0, Joined: 15 Jan 2013, Posts: 26)
Posted: Mon Jun 17, 2013 6:56 pm
Many in the forum call themselves master cheaters, but seriously have no clue... had the experience I had solved my problem.
 |
jackdaniels42 (Cheater, Reputation: 0, Joined: 15 Jan 2013, Posts: 26)
Posted: Sun Jul 07, 2013 8:09 am
Delete my account from this needless community.
 |
Telecide (Cheater, Reputation: 0, Joined: 30 Sep 2012, Posts: 42)
Posted: Mon Oct 07, 2013 3:34 am
Hi! So this is an old thread and all, but it's been immensely helpful. Just had a question though. So I'm working on an invincible shield cheat for Distant Worlds: Legends and I've got it sort of working. Using the data/dissect trick I've found that at offset 20 of the ship base address is a pointer, which is the same for ships belonging to the same race. So I use that as the condition for my jump. The only problem is that that number changes, sometimes in midgame, which of course renders the shields vulnerable again.
How would I go about finding the way that number is calculated and writing an AA script that finds it automatically?
Thanks!
 |
Geri (Moderator, Reputation: 111, Joined: 05 Feb 2010, Posts: 5636)
Posted: Mon Oct 07, 2013 8:13 am
Probably your pointer is pointing to an area where player info is stored, e.g. the resources of the player etc. I don't know because I didn't play this game. You may find a player ID in that area and you can use it to make a permanently working script.
I mean something like this:
ship structure:
    0000  some value
    0004  some value
    0008  some value
    000C  some value
    0010  pointer to player info
player info (where the pointer is pointing):
    0000  some value
    0004  some value
    0008  some value
    000C  money of the player
    0010  some value
    0014  some value
    0018  ID of the player
Then you can make a script to check the area where the pointer is leading and check the player ID in that area.
 |
Telecide (Cheater, Reputation: 0, Joined: 30 Sep 2012, Posts: 42)
Posted: Mon Oct 07, 2013 3:57 pm
Thanks for the reply. That was quicker than I expected!
So here's the script I'm using, to give you an idea what my problem is...
Code:
[enable]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
label(address2)
registersymbol(address2)
// find the shield-store instruction by byte pattern; the code address is not
// stable between sessions, so no fixed address can be used here
aobscan(aob2,d9 98 0c 02 00 00 8b 85 ?8 fd ff ff 8d b8 7c 03 00 00)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
// eax = ship object; [eax+28] holds a pointer that testing showed to be the
// same for every ship of one race, compared here against the value seen for
// the player's own race
cmp [eax+28],4EBB4508
jne originalcode
fstp st(0)                      // our ship: pop the new shield value without storing it
jmp exit
originalcode:
fstp dword ptr [eax+0000020C]   // other ships: store the new shield value as the game does
exit:
jmp returnhere
aob2:
address2:
jmp newmem                      // 5-byte jmp over the 6-byte fstp, padded with one nop
nop
returnhere:
[disable]
dealloc(newmem)
address2:
db d9 98 0c 02 00 00            // restore the original fstp bytes
unregistersymbol(address2)
I might just not really understand pointers. The line cmp [eax+28],4EBB4508 is supposed to check a pointer value, which testing showed to be the same for all ships of a single race. But that value changes. I'm not sure how I would replace [eax+28] with something that would point to the offset of the pointer, though.
When enabled, the script takes a line that would store the new shield strength value from the floating-point stack into a memory address, and instead makes it just pop the value without storing it. It works, until that value changes.
 |
Geri (Moderator, Reputation: 111, Joined: 05 Feb 2010, Posts: 5636)
Posted: Tue Oct 08, 2013 9:02 am
I know what you mean, but I guess you didn't understand my reply.
Try to do this:
Check the pointer's value for your ships and enemy ships.
Jump to the memory address where the pointer is pointing, for both friendly and enemy ships. Then compare these memory areas and see if you find anything that could be used as a player ID.
If you find something, write down where the value is relative to the pointer's destination, e.g. if you follow the pointer and in that area you find a player ID 10 bytes later, then pointer+10.
 |
Telecide (Cheater, Reputation: 0, Joined: 30 Sep 2012, Posts: 42)
Posted: Tue Oct 08, 2013 11:17 am
Ok, I think I may be getting somewhere. I found a nice low integer at [eax+24]+3a8. But I'm having trouble figuring out how to notate that in an AA script. I finally ended up with this:
Code:
[enable]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
label(address3)
registersymbol(address3)
// the pattern is 0x1b bytes long, so aob3+1b is the fstp dword ptr [eax+20C]
// that follows it; that fstp is the instruction being hooked
aobscan(aob3,DD 45 28 D9 9D 64 FD FF FF D9 85 64 FD FF FF 8B 85 7C FD FF FF D8 A8 0C 02 00 00)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
//cmp [eax+1c0],00000069
pushfd                          // save the flags, the cmp below overwrites them
push eax                        // save the ship pointer
add eax,24
mov eax,[eax]                   // eax = [ship+24], pointer to the owner's player info
add eax,3a8
mov eax,[eax]                   // eax = [player info+3A8], the player ID
cmp eax,00000001                // is the owner the human player?
pop eax                         // restore the ship pointer (pop leaves the flags alone)
jne originalcode
fstp st(0)                      // our ship: pop the new shield value without storing it
popfd
jmp exit
originalcode:
popfd
fstp dword ptr [eax+0000020C]   // other ships: store the new shield value as the game does
exit:
jmp returnhere
aob3+1b:
address3:
jmp newmem                      // 5-byte jmp over the 6-byte fstp, padded with one nop
nop
returnhere:
[disable]
dealloc(newmem)
address3:
db D9 98 0C 02 00 00            // restore the original fstp bytes
unregistersymbol(address3)
After breaking and tracing, crashing, breaking and tracing, crashing some more, I finally got the player ID to go where it was supposed to. The only problem is it still crashes and I can't figure out why.
Is there some slick way to use lea here?
 |
Geri (Moderator, Reputation: 111, Joined: 05 Feb 2010, Posts: 5636)
Posted: Tue Oct 08, 2013 12:24 pm
To store the pointer, you can use lea, yes.
lea eax,[eax+24]
will store the pointer in eax and then [eax+3A8] is what you have to compare to 1.
But it should work as you did it too. You made a more complicated script, but it does the same.
Is the pointer always pointing to the player info? If it has a value like 00000000, that could crash the game in some cases.
It may also happen that fstp st(0) is not enough; maybe you should put something behind it, like
mov [eax+0000020C],(float)1000
to make sure that your health will get some valid value.
Other than this, I don't see anything in the script that would cause a crash.
Except that I don't know what the
//cmp [eax+1c0],00000069
instruction that you have commented out is.
 |
Telecide (Cheater, Reputation: 0, Joined: 30 Sep 2012, Posts: 42)
Posted: Tue Oct 08, 2013 12:59 pm
Thank you. Thank you!
The commented line was from an earlier version where I found what looked like a race-specific ID, but later looked like a ship class ID.
It's weird. It did work before when I just used the first pointer as a player ID. Not sure what I did, but it's still crashing. There is also the shield capacity value right above the current shield value in the structure, so I guess I could just stick that in.
Really appreciate the help!
 |
Geri (Moderator, Reputation: 111, Joined: 05 Feb 2010, Posts: 5636)
Posted: Tue Oct 08, 2013 4:22 pm
Well, if you don't know what's wrong, debug your own code. Set a breakpoint before the code that you modify and see what happens when the script is executed. Then you will see what is causing the crash or where it is taking an unexpected turn.
If you are not sure that the pointer is always working, you can try to add one more compare to ensure that the value of the pointer is not 0 or something similar. If the pointer has a 0 value, that could cause a crash. Check it and make sure that [eax+24] is never 0.
You should also check whether the script crashes right at the first execution, or whether it sometimes works and sometimes crashes. You will see it if you debug it.
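An added example, not code from the thread or from Cheat Engine: a small C model of the layout Geri sketched in his first reply (ship object, pointer at +24 to the owner's player info, player ID at +3A8, shield float at +20C, using the offsets Telecide found) and of the decision the injected code makes at the hooked `fstp dword ptr [eax+20C]`, with the NULL check on the owner pointer that the last two replies recommend. Two things are worth seeing in it. First, the check reads the ID through the pointer instead of comparing the pointer itself: the first script compared [eax+28] against the literal 4EBB4508, which is an address, and the trace later in the thread shows mscorwks.dll, the .NET 2.0-era CLR, whose garbage collector compacts the heap and relocates objects, so an object's address is not a stable identity while a field read through the pointer is. Second, on x86 `lea eax,[eax+24]` only computes the address of the pointer field; the actual load is the `mov eax,[eax]` that follows it in the posted trace (EAX goes from 05654F94 to 05654FB8 to 056284C4), and `mov eax,[eax+24]` does both in one instruction. Object sizes, field names, MY_PLAYER_ID = 1, the damage value and the file name are assumptions for the demo; the game is 32-bit, so the pointer at +24 is four bytes there, whereas the model stores it at native pointer width so it also runs on a 64-bit host.

```c
/* hook_model.c (assumed name): added example, not the thread's or CE's code.
 * Models the two-level layout from the thread and the hook's decision, with
 * the NULL guard on the owner pointer. Offsets are from the thread; object
 * sizes, field names and MY_PLAYER_ID are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SHIP_OWNER_OFF   0x24    /* ship+24: pointer to owner's player info   */
#define SHIP_SHIELD_OFF  0x20C   /* ship+20C: float, current shield strength  */
#define PLAYER_ID_OFF    0x3A8   /* player info+3A8: dword, player ID         */
#define MY_PLAYER_ID     1u      /* assumed: the ID the script compares to    */

typedef struct { uint8_t raw[0x400]; } player_info_t;   /* opaque blob */
typedef struct { uint8_t raw[0x300]; } ship_t;          /* opaque blob */

/* Untyped accessors: the game's objects are only known by offset. */
static void    *rd_ptr(const void *b, size_t off) { void *v; memcpy(&v, (const uint8_t *)b + off, sizeof v); return v; }
static uint32_t rd_u32(const void *b, size_t off) { uint32_t v; memcpy(&v, (const uint8_t *)b + off, 4); return v; }
static float    rd_f32(const void *b, size_t off) { float v; memcpy(&v, (const uint8_t *)b + off, 4); return v; }
static void     wr_ptr(void *b, size_t off, void *v) { memcpy((uint8_t *)b + off, &v, sizeof v); }
static void     wr_u32(void *b, size_t off, uint32_t v) { memcpy((uint8_t *)b + off, &v, 4); }
static void     wr_f32(void *b, size_t off, float v) { memcpy((uint8_t *)b + off, &v, 4); }

/* What the injected compare does:  mov eax,[eax+24]  then  cmp [eax+3A8],1.
 * Returns 0 when the owner pointer is NULL instead of dereferencing it; that
 * dereference is the crash case the replies above warn about. */
static int ship_owner_id(const ship_t *ship, uint32_t *id_out)
{
    const player_info_t *owner = rd_ptr(ship, SHIP_OWNER_OFF);
    if (owner == NULL)
        return 0;
    *id_out = rd_u32(owner, PLAYER_ID_OFF);
    return 1;
}

/* The hooked instruction is `fstp dword ptr [eax+20C]`: pop the freshly
 * computed shield value and store it. The cheat keeps the pop (fstp st(0) in
 * the script; there is no x87 stack to balance in this model) but skips the
 * store for the player's own ships. Returns 1 if the store was skipped. */
static int shield_store_hook(ship_t *ship, float new_value)
{
    uint32_t id;
    if (ship_owner_id(ship, &id) && id == MY_PLAYER_ID)
        return 1;                                /* our ship: discard the value */
    wr_f32(ship, SHIP_SHIELD_OFF, new_value);    /* original code path          */
    return 0;
}

/* Scenario helper: build a ship (optionally with no owner), push one shield
 * write through the hook and return the shield value afterwards. */
static float shield_after_hit(int has_owner, uint32_t owner_id, float before, float after)
{
    static player_info_t owner;
    static ship_t ship;
    memset(&owner, 0, sizeof owner);
    memset(&ship, 0, sizeof ship);
    wr_u32(&owner, PLAYER_ID_OFF, owner_id);
    wr_ptr(&ship, SHIP_OWNER_OFF, has_owner ? (void *)&owner : NULL);
    wr_f32(&ship, SHIP_SHIELD_OFF, before);
    shield_store_hook(&ship, after);
    return rd_f32(&ship, SHIP_SHIELD_OFF);
}

int main(void)
{
    /* 303.47 is the shield value visible in the posted trace; 265.05 is a
     * made-up value for "after the hit". Owner ID 4 is the value the trace's
     * cmp actually read, i.e. a ship that is not ours. */
    printf("our ship (ID 1):     %.2f\n", shield_after_hit(1, 1, 303.47f, 265.05f));
    printf("other ship (ID 4):   %.2f\n", shield_after_hit(1, 4, 303.47f, 265.05f));
    printf("ship with no owner:  %.2f\n", shield_after_hit(0, 0, 303.47f, 265.05f));
    return 0;
}
```

Build with `cc -std=c99 -Wall hook_model.c` and run it: the player's own ship keeps 303.47, the ID 4 ship takes the write, and the ship with a zero owner pointer is routed to the original store rather than through a NULL dereference, which is the behaviour the injected script needs on its `[eax+24]` load before it can be trusted not to crash.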
 |
Telecide (Cheater, Reputation: 0, Joined: 30 Sep 2012, Posts: 42)
Posted: Wed Oct 09, 2013 12:01 am
I did actually take a look at that. I did a break and trace as opposed to manually setting a breakpoint just because I can never tab out of the program when it hits the breakpoint.
Since the code is injected in the routine that writes to the shield value, the condition is always false the first time it runs because I have to start the fight by shooting at some enemies. Although I suppose I could easily change the 01 value to an 04 to get it to be true.
It is interesting that the program crashes even when it doesn't execute the alternate code. There does seem to be a lot of code that ran between my injection and the actual crash (although less than a second of time). Maybe something weird with push/pop eax and pushfd popfd? Hopefully I can figure it out now that I haven't looked at it for a while.
 |
Geri (Moderator, Reputation: 111, Joined: 05 Feb 2010, Posts: 5636)
Posted: Wed Oct 09, 2013 1:50 am
Well you can try to remove the pushfd/popfd instructions. It happened to me maybe once or twice that they have caused some problem, but usually not. Still, you can try.
 |
Telecide (Cheater, Reputation: 0, Joined: 30 Sep 2012, Posts: 42)
Posted: Wed Oct 09, 2013 2:25 am
Hmmm, well, removing push/pop makes it crash on the compare. Putting 'em back, it runs up to a... well, here, I'll post the trace. I don't know if this matters, but I think because it's a .NET game there is a lot of unusual behavior. I have to do everything with AOBs because the game code moves all over the place. And even then I sometimes have to modify the AOBs between different sessions.
Code:
12744788 - fld qword ptr [ebp+28]
0018DAAC = (double)38.42
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=12744788
EFLAGS=00000246
-
1274478B - fstp dword ptr [ebp-0000029C]
0018D7E8 = (dword)00000000(0)
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=1274478B
EFLAGS=00000246
-
12744791 - fld dword ptr [ebp-0000029C]
0018D7E8 = (float)38.42
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=12744791
EFLAGS=00000246
-
12744797 - mov eax,[ebp-00000284]
0018D800 = (dword)05654F94(90525588)
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=12744797
EFLAGS=00000246
-
1274479D - fsubr dword ptr [eax+0000020C]
056551A0 = (float)303.47
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=1274479D
EFLAGS=00000246
-
127447A3 - jmp 08CE0000
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=127447A3
EFLAGS=00000246
-
08CE0000 - pushfd
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=08CE0000
EFLAGS=00000246
-
08CE0001 - pushad
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7DC
EIP=08CE0001
EFLAGS=00000246
-
08CE0002 - lea eax,[eax+24]
05654FB8 = (dword)056284C4(90342596)
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7BC
EIP=08CE0002
EFLAGS=00000246
-
08CE0005 - mov eax,[eax]
05654FB8 = (dword)056284C4(90342596)
EAX=05654FB8
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7BC
EIP=08CE0005
EFLAGS=00000246
-
08CE0007 - cmp [eax+000003A8],00000001
0562886C = (dword)00000004(4)
EAX=056284C4
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7BC
EIP=08CE0007
EFLAGS=00000246
-
08CE0011 - popad
EAX=056284C4
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7BC
EIP=08CE0011
EFLAGS=00000206
-
08CE0012 - jne 08CE0020
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7DC
EIP=08CE0012
EFLAGS=00000206
-
08CE0020 - popfd
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7DC
EIP=08CE0020
EFLAGS=00000206
-
08CE0021 - fstp dword ptr [eax+0000020C]
056551A0 = (float)303.47
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=08CE0021
EFLAGS=00000246
-
08CE0027 - jmp 127447A9
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=08CE0027
EFLAGS=00000246
-
127447A9 - cmp dword ptr [ebp-48],00
0018DA3C = (dword)00000000(0)
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=127447A9
EFLAGS=00000246
-
127447AD - jne 127447C6
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=127447AD
EFLAGS=00000246
-
127447AF - mov eax,[ebp-00000284]
0018D800 = (dword)05654F94(90525588)
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=127447AF
EFLAGS=00000246
-
127447B5 - lea edi,[eax+0000037C]
05655310 = (float)-69838.19
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=127447B5
EFLAGS=00000246
-
127447BB - lea esi,[ebp+20]
0018DAA4 = (float)-87138.05
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=05655310
EBP=0018DA84
ESP=0018D7E0
EIP=127447BB
EFLAGS=00000246
-
That goes a couple of commands past the code injection.
And here's how it ends.
Code:
27BDDE7A - mov eax,[esp+000002FC]
0018DDB4 = (float)1085.56
EAX=4487B1C4
EBX=00000000
ECX=4487B258
EDX=00000008
ESI=0018DB88
EDI=448D67EC
EBP=0018DDDC
ESP=0018DAB8
EIP=27BDDE7A
EFLAGS=00000246
-
27BDDE81 - mov esi,[eax+08]
4487B1CC = (dword)05654F94(90525588)
EAX=4487B1C4
EBX=00000000
ECX=4487B258
EDX=00000008
ESI=0018DB88
EDI=448D67EC
EBP=0018DDDC
ESP=0018DAB8
EIP=27BDDE81
EFLAGS=00000246
-
27BDDE84 - mov edx,esi
EAX=4487B1C4
EBX=00000000
ECX=4487B258
EDX=00000008
ESI=05654F94
EDI=448D67EC
EBP=0018DDDC
ESP=0018DAB8
EIP=27BDDE84
EFLAGS=00000246
-
27BDDE86 - mov ecx,027FF848
EAX=4487B1C4
EBX=00000000
ECX=4487B258
EDX=05654F94
ESI=05654F94
EDI=448D67EC
EBP=0018DDDC
ESP=0018DAB8
EIP=27BDDE86
EFLAGS=00000246
-
27BDDE8B - call mscorwks.dll+938A
EAX=4487B1C4
EBX=00000000
ECX=027FF848
EDX=05654F94
ESI=05654F94
EDI=448D67EC
EBP=0018DDDC
ESP=0018DAB8
EIP=27BDDE8B
EFLAGS=00000246
-
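An added check, not something posted in the thread: a C program that parses a break-and-trace dump in the text format shown above (an `address - instruction` line, one `REG=VALUE` line per register, and a lone `-` closing each entry; memory-operand lines such as `0562886C = (dword)00000004(4)` are skipped) and answers the push/pop question from the previous post directly. In this format each register block is the state before that instruction executes, so the block at the hook's first instruction (08CE0000 pushfd) is the entry state and the block at its last instruction (08CE0027 jmp 127447A9) is the exit state after popfd. The embedded TRACE is a copy of the hook portion of the dump above, reduced to the entries the check needs, and the hook is assumed to occupy 0x1000 bytes from 08CE0000 (newmem in this run). On this data ESP, EAX..EBP and EFLAGS are identical at entry and exit and the deepest excursion is 36 bytes (pushfd 4 + pushad 32), so this dump shows no stack or register imbalance in the hook; whatever crashes later is not a push/pop mismatch on the path that was traced.

```c
/* trace_check.c (assumed name): added example, not the thread's or CE's code.
 * Parses a Cheat Engine break-and-trace dump and checks whether the injected
 * hook restores the stack and registers. TRACE is reduced from the dump
 * posted above; HOOK_SIZE is an assumption. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOOK_BASE 0x08CE0000u   /* newmem as allocated in the posted run */
#define HOOK_SIZE 0x1000u       /* assumed extent of the allocated block */

/* Register block shared by the copied entries (only EAX/ESP/EIP/EFLAGS vary). */
#define REGS(eax, esp, eip, efl) \
    "EAX=" eax "\nEBX=4487AEDC\nECX=0C3217C8\nEDX=00000008\nESI=05654F94\n" \
    "EDI=0018DA74\nEBP=0018DA84\nESP=" esp "\nEIP=" eip "\nEFLAGS=" efl "\n-\n"

static const char *TRACE =
"127447A3 - jmp 08CE0000\n"                REGS("05654F94","0018D7E0","127447A3","00000246")
"08CE0000 - pushfd\n"                      REGS("05654F94","0018D7E0","08CE0000","00000246")
"08CE0001 - pushad\n"                      REGS("05654F94","0018D7DC","08CE0001","00000246")
"08CE0007 - cmp [eax+000003A8],00000001\n0562886C = (dword)00000004(4)\n"
                                           REGS("056284C4","0018D7BC","08CE0007","00000246")
"08CE0011 - popad\n"                       REGS("056284C4","0018D7BC","08CE0011","00000206")
"08CE0012 - jne 08CE0020\n"                REGS("05654F94","0018D7DC","08CE0012","00000206")
"08CE0020 - popfd\n"                       REGS("05654F94","0018D7DC","08CE0020","00000206")
"08CE0027 - jmp 127447A9\n"                REGS("05654F94","0018D7E0","08CE0027","00000246")
"127447A9 - cmp dword ptr [ebp-48],00\n0018DA3C = (dword)00000000(0)\n"
                                           REGS("05654F94","0018D7E0","127447A9","00000246");

enum { EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP, EIP, NREGS };
static const char *REG_NAMES[NREGS] = {"EAX","EBX","ECX","EDX","ESI","EDI","EBP","ESP","EIP"};

typedef struct {
    uint32_t addr;          /* address of the instruction            */
    char     instr[48];     /* disassembly text                      */
    uint32_t reg[NREGS];    /* register state BEFORE the instruction */
    uint32_t eflags;
} trace_entry_t;

/* Parse the dump into at most max entries; returns the number parsed. */
static int parse_trace(const char *text, trace_entry_t *out, int max)
{
    trace_entry_t cur;
    int n = 0, open = 0;
    memset(&cur, 0, sizeof cur);
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        char line[96];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        text += len + (nl ? 1 : 0);

        char *dash = strstr(line, " - ");
        char *eq   = strchr(line, '=');
        if (strcmp(line, "-") == 0) {               /* end of one entry */
            if (open && n < max) out[n++] = cur;
            memset(&cur, 0, sizeof cur);
            open = 0;
        } else if (dash) {                          /* "ADDR - instruction" */
            cur.addr = (uint32_t)strtoul(line, NULL, 16);
            strncpy(cur.instr, dash + 3, sizeof cur.instr - 1);
            open = 1;
        } else if (eq && eq[1] != ' ') {            /* "REG=VALUE"; "addr = (dword)..." is skipped */
            *eq = '\0';
            uint32_t v = (uint32_t)strtoul(eq + 1, NULL, 16);
            if (strcmp(line, "EFLAGS") == 0) cur.eflags = v;
            else for (int i = 0; i < NREGS; i++)
                if (strcmp(line, REG_NAMES[i]) == 0) cur.reg[i] = v;
        }
    }
    if (open && n < max) out[n++] = cur;
    return n;
}

/* First and last entry inside the hook: entry state and exit state. */
static int hook_bounds(const trace_entry_t *t, int n, int *first, int *last)
{
    *first = *last = -1;
    for (int i = 0; i < n; i++)
        if (t[i].addr >= HOOK_BASE && t[i].addr < HOOK_BASE + HOOK_SIZE) {
            if (*first < 0) *first = i;
            *last = i;
        }
    return *first >= 0 && *first != *last;
}

/* Bit i set: register i (EAX..ESP) differs between hook entry and exit;
 * bit 8: EFLAGS differs. 0 means the hook left everything as it found it
 * (the final jmp changes nothing but EIP). -1: hook not in the trace. */
static int hook_clobber_mask(const trace_entry_t *t, int n)
{
    int a, b, mask = 0;
    if (!hook_bounds(t, n, &a, &b)) return -1;
    for (int i = EAX; i <= ESP; i++)
        if (t[a].reg[i] != t[b].reg[i]) mask |= 1 << i;
    if (t[a].eflags != t[b].eflags) mask |= 1 << 8;
    return mask;
}

/* Deepest stack use inside the hook in bytes (entry ESP minus lowest ESP). */
static int hook_stack_depth(const trace_entry_t *t, int n)
{
    int a, b;
    if (!hook_bounds(t, n, &a, &b)) return -1;
    uint32_t lowest = t[a].reg[ESP];
    for (int i = a; i <= b; i++)
        if (t[i].reg[ESP] < lowest) lowest = t[i].reg[ESP];
    return (int)(t[a].reg[ESP] - lowest);
}

/* Wrappers over the embedded dump. */
static int posted_entry_count(void) { trace_entry_t t[32]; return parse_trace(TRACE, t, 32); }
static int posted_clobber_mask(void) { trace_entry_t t[32]; int n = parse_trace(TRACE, t, 32); return hook_clobber_mask(t, n); }
static int posted_stack_depth(void) { trace_entry_t t[32]; int n = parse_trace(TRACE, t, 32); return hook_stack_depth(t, n); }

int main(void)
{
    trace_entry_t t[32];
    int n = parse_trace(TRACE, t, 32);
    int mask = hook_clobber_mask(t, n);
    printf("%d entries, clobber mask 0x%x, max stack depth %d bytes\n", n, mask, hook_stack_depth(t, n));
    if (mask > 0)
        for (int i = EAX; i <= ESP; i++)
            if (mask & (1 << i)) printf("  %s not restored\n", REG_NAMES[i]);
    if (mask > 0 && (mask & (1 << 8))) printf("  EFLAGS not restored\n");
    return 0;
}
```

To run it on a full dump rather than the embedded excerpt, read the file into a buffer and pass it to `parse_trace` with a larger entry array; a non-zero mask names the register the hook failed to restore, which is exactly the symptom items 3, 5 and 6 of the checklist in the next reply are trying to isolate by removing instructions one at a time.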
 |
Geri (Moderator, Reputation: 111, Joined: 05 Feb 2010, Posts: 5636)
Posted: Wed Oct 09, 2013 7:47 am
You should try removing parts from your script to see what is causing the problem. Here are some things that you should try:
1. I would say check if the code injection itself may cause the problem, but if your old script worked fine, this is done I guess. Unless that was crashing too sometimes.
2. Replace fstp st(0) with the original code, so in both cases the original code will be executed.
3. Remove the cmp code. Remove pushfd/popfd, replace your jne with a jmp instead.
4. Use another register instead of eax in your script. ESI, EDI is the usual choice for me, depending on the game.
5. Don't use push eax and pop eax, store the value "manually". E.g.
mov [allocatedmemory],eax
mov eax,[allocatedmemory]
Preferably combine this with the 4th point and don't use eax at all, use another register.
6. Leave out the whole
push eax
add eax,24
mov eax,[eax]
add eax,3a8
mov eax,[eax]
cmp eax,00000001
pop eax
part from your script to see if any of these instructions are causing the problem.
You mess with the stack and the value only. If one of them is causing a crash, removing these parts from the script one by one or in combination should reveal which part is causing the error.
It doesn't matter that your cheat will not work while you are debugging your script; just make a functional script even if it has no effect in the game, only for the sake of testing which part is causing the crash.
Also, these are not just independent versions; try to combine them. E.g. remove all push/pop instructions from your script so the stack is not used by it at all. You can do this if you get rid of the cmp instruction and also get rid of the messing-with-the-register part at the same time, or if you store the register in an allocated memory address instead of using push/pop and, while you are there, use something else instead of eax.