Cheat Engine

moshe · Posted: Sat Apr 01, 2006 6:08 am Post subject: pointer prob

can someone help me?
im trying to hack icy tower..
and i found the address for the gravity..

but when im trying to get the pointer of the addres..
it changes after i close the game and opens it later!
plus the offset that is given to me.. gets me to a diffrent addres then what i need

like if the addres is : 0215D84B
and i do "find out what writes to this address"
i get some line of code..all almost the same..
0041398a - dd 52 18 - fst[edx+18]
and edx = 0215d830

and when i search for 215d830 (edx) i get this addres 004cc414
and with the offset it gets me to 0215D848
but the address that i needed to change was 0215D84B
now why is that?
and why when i open the
game later i find up that the poiner is now pointing to.. 00000018
help Exclamation

cparty · Posted: Sat Apr 01, 2006 12:32 pm Post subject:

As for the pointer stuff, you are only looking at the last level of the pointer. The Register edx doesn't contain the static address so the pointer won't work the next time you start the game. You have to check how edx became edx and build up the pointer several levels until you reach the start of the pointer, which should be a static address. Now the problem is edx got calculated with something like [ecx*4+0049e2a0] and afaik you cannot add pointers like this in CE. Thats why I write out the calculated pointer myself (check my table in the other thread).

And now for the wrong offset:
0041398a - dd 52 18 - fst[edx+18] seem to write a Double Value which takes up 8Bytes (I did that one wrong too in my table in the other thread). So the Value for gravity really starts at 0215D848 and not at 0215D84B.

I hope I made sense Smile

moshe · Posted: Sat Apr 01, 2006 3:59 pm Post subject:

im sorry to say you made no sense to me!
could you take it slower?
explain this to me in a way that Newbie cheater could get it?
what is a static address?
what do you mean by check how edx became edx?
you mean that its a pointer in a pointer or something?
cuz i didnt got anything of what you said..

cparty · Posted: Sun Apr 02, 2006 2:57 am Post subject:

No problem, but I recommend that you read the treads in the pointer tutorial subforum http://forum.cheatengine.org/viewforum.php?f=14

A static address gets its name because it never changes (it is static), it is hardcoded in the assembler code. Pointers start with a static address, but pointers usually aren't just one level deep, instead they are a path of pointers.
So "check how edx became edx" means you need to find the path back to the static address (e.g. in assembler view scroll up and see how the value in edx became edx etc.). Pointer path finding methods are written in the pointer tutorial subforum... unfortunately though the IcyTower pointer is not like this, it is calculated from 2 static addresses.
Lets take a look at the floor level, if you check what reads the floor level value you will get this address (amongst others):
0040f0ab - 8b 50 28 - mov edx,[eax+28]
So in this example eax is the address of the structure holding all the interesting player values and 28 is the offset to the floor level field in the structure.
Now we want to know how eax became eax and we check the assembler lines before this instructions. Right, one line above you can find this:
0040f0a4 - 8b 04 8d 20 b9 4c 00 - mov eax,[ecx*4+004cb920]
As you can see, part of it is a hardcoded static address (004cb920) and the other part is some calculation. So now we need to find where ecx got its value from... scroll up and find where ecs is written, you find:
0040f095 - 8b 0d 08 b9 4c 00 - mov ecx,[004cb908]
Good, here's the second static address and our hunt for the pointer path is finished. This process could have gone very long though not even necessarly ending with a result.
Now the Problem is this line:
0040f0a4 - 8b 04 8d 20 b9 4c 00 - mov eax,[ecx*4+004cb920]
If it would have been
0040f0a4 - 8b 71 32 - mov eax,[ecx+32]
then we could insert the pointer path into CE, but afaik the ecx*4 expression is not supported.
To solve this I write my own pointer using an auto assembler script, check it in the table I posted: http://forum.cheatengine.org/viewtopic.php?t=8052&start=15

moshe · Posted: Sun Apr 02, 2006 8:42 am Post subject:

dude i dont know what to do!
i dont know assembler..
and i found the two static address.. but what now?
what do i do with it?

cparty · Posted: Sun Apr 02, 2006 10:14 am Post subject:

moshe · Posted: Sun Apr 02, 2006 1:47 pm Post subject:

dude i cant get it! Mad

i think im going to give up... Shocked

i just dont know assembler Exclamation

i tried reading the help file.. didnt do much..
i read about the auto assembler... didnt get a thing..
i looked at what you did and i still dont know what it is..
cuz i dont know assembler! Crying or Very sad

this year my school choose not to teach it.. insted they are teaching vbscript and javascript and vb.. and who know what more! Evil or Very Mad

so if you cant find a way to explain this to me
like you do to a 2 years old baby.. Confused

i think im going to quite..

cparty · Posted: Mon Apr 03, 2006 1:15 pm Post subject:

L0neW0lfe · How do I cheat? Reputation: 0 Joined: 14 Aug 2006 Posts: 6

LOL i get it
and i know y he doesnt understand its because he doesnt have programming knowledge. he has to know at least the basics of programming.

UnknownValue · Cheater Reputation: 0 Joined: 17 Aug 2006 Posts: 36

Hopfully you can help me now. Smile

Im trying to find a pointer value for an online game that doesn't have any protection whatsoever for right now and im wondering if you can help me find the pointer value of this one. I Know its 01C900B0, but its saying [ecx + 00000498] What do I do to find it?

4c00h · Newbie cheater Reputation: 0 Joined: 04 Sep 2006 Posts: 23

01C90548