Cheat Engine Forum Index -> Cheat Engine
The Official Site of Cheat Engine
Pointer Problems
kmahon99 (How do I cheat?)
Posted: Wed Jun 11, 2014 9:52 am    Post subject: Pointer Problems

Hi folks,

As you can probably tell I'm new to game hacking, but I've been programming for a while now (I study Computer Science), so I know what a pointer is, but for the life of me I can't get them working in CE.

So I'm trying to have a bit of fun with Crash Bandicoot (my favorite game!) by hacking some of the basic stats, namely the number of lives I have.

As the lives are a dynamic variable I've decided to make a pointer that I can save and use again when I change levels (this re-initializes the value to somewhere else in RAM). I looked up tutorials on how to do so, and I ended up with a pointer that gives a large integer value which is clearly not what I want, so here's what I did:

-Found the address of the lives/verified it's the one I need to create a pointer for

-Right clicked and checked what was writing to that address

-I got 1 function, which I double-clicked and viewed

This is where it stopped being familiar with the tutorial video, the given function was the following:

mov [eax + edx], ebx;

Now I can understand assembly well enough, and I'm aware that the video will have different code to me, but every tutorial I've viewed has an instruction which contains a raw numeric offset; here it's just 2 register addresses, so I'm not sure if I should treat this the same, but here's the rest of what I did:

-The dialog says that the pointer I need is probably 061F2020, so I search this in the main CE window.

-I get 8 results, the top one is green so it's a static address, so I go for that one.

I enter a new address manually and check 'pointer'. I put the number of the 1st result's address in for the base address, but then I'm unsure about what needs to be the offset. I know it's whatever is added to the address that is taken from the dialog to be searched (i.e. 061F2020), but I notice that that address is actually EDX, and the only thing added to that (according to the memory viewer) is EAX. I assume EAX is the offset so I put that in, but I get that large integer value I mentioned previously.

What's odd about this pointer is that, even though it looks to be pointing to the completely incorrect location, when I change its value the lives counter appears at the top of the screen and quickly decrements by 1 and then resets itself to the previous value. So the pointer seems to be affecting the lives count, but doesn't actually change it, which is what's really confusing about this.

Hope someone can help, I'm sure it's just a simple mistake.
Rissorr (Master Cheater, Israel)
Posted: Wed Jun 11, 2014 10:18 am

Your offset is probably EDX. To find what value is stored in EDX, just watch the value of EDX in the "What accesses this address" window, for example:

EDX=00000064

or

EDX=0006BB93

Copy that value; this is your offset.

P.S. If I were in your situation, I would use the Pointer Scan,

or write a script with AOBSCAN for the
Code:
mov [eax + edx], ebx
instruction.
kmahon99 (How do I cheat?)
Posted: Wed Jun 11, 2014 10:26 am

Thanks for the reply,

The only issue is that in the instruction

Code:
mov [eax+edx], ebx;


I'm told that the "pointer needed to find this address is probably 061F2020", which is EDX. This is what confuses me, as according to the tutorials I've watched the offset should be the second value in the instruction that's added to the first. But here I'm being told that the second value is the one I need to search, which confuses me a bit.

If I'm told to search for EDX, then does that mean the offset is EAX? Regardless of which one's the offset I don't get the correct value.

Any ideas?
Daijobu (Master Cheater, the Netherlands)
Posted: Wed Jun 11, 2014 11:34 am

If [eax+edx] holds your value and ebx is being moved into it you want to get the address of [eax+edx], right?

Add edx to eax at that location to get your address. Or load the effective address of [eax+edx] into a var.

_________________
Scripts/tables from scratch. Relation to other scripts is coincidental. Use of posted code is credited properly.
Euro Truck Simulator 2 Backwards Compatible Cheat
American Truck Simulator Backwards Compatible Cheat
kmahon99 (How do I cheat?)
Posted: Wed Jun 11, 2014 12:46 pm

Hmm, still no luck here.

It makes sense to me that the contents of EBX are being put into the address at EAX + EDX, but when I add both with a calculator and put the number in as the base address for my pointer (with no offset) I get 6200, which is the address of EBX.

Here's the addresses I'm working with:

EAX: 9E808
EBX: 6200
EDX: 61F2020

The static address I found to contain EDX is: 571A5C

Can anyone possibly construct the correct pointer for this data given the code:
Code:
mov [eax + edx], ebx;


I'm also wondering if the data types have anything to do with this? i.e. the lives variable is a Byte size number; when constructing the pointer for it do I also have to make it a Byte type pointer? (given past experience in C I guess this is the case?).

Thanks for the help!
Daijobu (Master Cheater, the Netherlands)
Posted: Wed Jun 11, 2014 1:38 pm

You don't want the value, you want the address of [eax+edx].

e.g.:
Code:
push ecx
lea ecx,[eax+edx]
mov [myVar],ecx
pop ecx


This will load the address of the two combined into myVar.
Add myVar to your table as byte/2b/4b/whatever.

Last edited by Daijobu on Wed Jun 11, 2014 2:07 pm; edited 1 time in total
kmahon99 (How do I cheat?)
Posted: Wed Jun 11, 2014 1:50 pm

Sorry, I might be just confusing myself here, but maybe you can clear this up for me?

If I want to find the address of [eax + edx] (and not the value), do I just add their addresses together to get the location of the value I want? I think that's what I did the last time, but to be honest I think I'm just making this harder than it seems to be...

Thanks again.
Daijobu (Master Cheater, the Netherlands)
Posted: Wed Jun 11, 2014 2:08 pm

That would do the same. But smarter people on these boards might be able to be of more assistance.
Gniarf (Grandmaster Cheater Supreme)
Posted: Wed Jun 11, 2014 4:26 pm

kmahon99 wrote:
-The dialog says that the pointer I need is probably 061F2020, so I search this in the main CE window.

-I get 8 results, the top one is green so it's a static address, so I go for that one.
Add that green result to your cheat table and edit its address, you should see something like Program.exe+1234. Put it in your clipboard.
kmahon99 wrote:
Here's the addresses I'm working with:

EAX: 9E808
EBX: 6200
EDX: 61F2020

The static address I found to contain EDX is: 571A5C

Can anyone possibly construct the correct pointer for this data given the code:
Code:
mov [eax + edx], ebx;

Click add address manually, tick pointer, paste the Program.exe+1234 in the large box at the bottom, and type 9E808 in the box just above. Set type to 4 bytes and validate. The resulting cheat entry should "be"/point to your lives.

If it doesn't keep working across game restarts, consider using the pointerscanner (and use "pointer paths must end with:" 9E808, you can keep structure size at default value).

Note 1: very large offsets like 9E808 are uncommon (you don't see int MyArray[162306] often; 162306 = 0x9E808/sizeof(int)) except in emulated games. Hmm... Crash Bandicoot?... emulator?... Yup, very likely.

Note 2:"mov [eax + edx], ebx" writes 4 bytes at once, so your health is most likely a 4 byte int and not just a single byte variable, unless the emulator writes a bunch of variables at once (boo).

_________________
DO NOT PM me if you want help on making/fixing/using a hack.
kmahon99 (How do I cheat?)
Posted: Wed Jun 11, 2014 4:40 pm

Alright, so I was just messing around with the numbers and, despite inputting the exact same addresses for the pointer, for some reason this time it pointed to the correct value.

What annoys me about this is that I decided to try the same on the fruit score, but after trying the same method I get the same problem I had previously. I had 5 fruit, I scanned for function accesses and got the same instruction, [eax + edx], ebx; and then I searched the recommended pointer address. I found a green/static address in the results list and used its address to create a pointer with the offset being EAX, as with the previous lives example. But the number the pointer points to is a very large number, 1540 or something like that.

This issue has the same characteristics as the previous one did. I created the pointer anyway and decided to change the value of it to see what happened. This time when I change the pointer's value, the fruit value changes to 0, regardless of what I put in. If I try to change the original fruit value from the dynamic address, the pointer's value changes to something really large, like +1200.

Could there be something else going on here? I find it odd that my method was actually correct all along as the lives pointer works properly now, but I can't see why it suddenly started pointing to the right value and now the fruit value is experiencing the same issues...
Gniarf (Grandmaster Cheater Supreme)
Posted: Thu Jun 12, 2014 1:04 am

So you found the fruit address, probably using exact value searches, and you are trying to get a pointer to it.
Make sure your pointer points to the fruit address (same address in the address column) and not something close but 1-3 bytes different.
Make sure both cheat entries (the one with and the one without pointer) use the same datatype.


If you had 6 fruits when your pointer was displaying 1540 then you made a typo in the pointer's topmost offset, increase it by 1.

kmahon99 (How do I cheat?)
Posted: Thu Jun 12, 2014 7:22 pm

Gniarf wrote:
If you had 6 fruits when your pointer was displaying 1540 then you made a typo in the pointer's topmost offset, increase it by 1.

Hey, that's really odd, I just gave that a try and it points to the correct value if I increment the value by 1. Is there a reason why the address is correct 1 ahead of what it's supposed to be? Thanks for the help, looks as if I was doing it right all along, but was slightly off each time for some reason...

I have one more question regarding hacking the position of the character. I've found the address that contains the Y value of the character, among about 12 other addresses that hold the same value (I guess it's the same sort of instancing that existed with the lives counter). What I'm a bit confused about is the game's desire to disobey my hack. It's a float value, changing it by a small amount causes the character to appear slightly higher in the air and drop down to ground level. But if I try to lock the Y-value to see if I can get Crash to float across holes, he'll move between ground level and the value I've set rapidly. Attempting to cross a hole with the locked elevation value still allows him to sink slowly into the hole below. If I set the altitude of Crash to something above 0.5 of an increment, he'll disappear from the screen, then come flying down past the camera, then the value is reset as it approaches 0 and he'll go falling back down again, which I thought was odd behavior. Can this happen often in games, or is it just that CB is coded strangely?

I've found a way to overcome the issue, but it involves pausing the game, changing the value and then resuming, but this can only be temporary as at some point he'll just fall for no apparent reason.

Thanks again!
Gniarf (Grandmaster Cheater Supreme)
Posted: Fri Jun 13, 2014 7:04 am

kmahon99 wrote:
Gniarf wrote:
If you had 6 fruits when your pointer was displaying 1540 then you made a typo in the pointer's topmost offset, increase it by 1.

Hey, that's really odd, I just gave that a try and it points to the correct value if I increment the value by 1 Confused Is there a reason why the address is correct 1 ahead of what it's supposed to be? Thanks for the help, looks as if I was doing it right all along, but was slightly off each time for some reason...
First possibility is that you manually typed the offset and made a typo instead of copy-pasting from the debugger window.
The other option is that the emulator is batch writing variables, something like:
Code:
#pragma pack(push, 1) // packed so the struct really is 4 bytes, as assumed below
typedef struct _MyStruct
{
  char DataType;
  union
  {
    char Payload8Bit;   // renamed: C identifiers can't start with a digit
    short Payload16Bit;
  };
  char PaddingOrWhatever;
} MyStruct;
#pragma pack(pop)

//and somewhere in the code:
MyStruct A,B;
DoSomethingWith(B);
A=B;//if the default implementation of operator = is indeed a raw 32bit memcpy
In this example MyStruct takes 4 bytes and I think some compilers will write A in one go instead of member by member. As a result the instruction that writes Payload16Bit is actually writing the 4 bytes starting at DataType, so if this instruction was your "mov [eax+ebx]", then eax+ebx=&(A.DataType) even if you asked to find out what writes on A.Payload16Bit.

Things like that almost never happen when you hack regular games, but emulators/virtual machines have some weird memory managers. I'm not competent about console programming and emulators, but you might even have fun cases like a game that has its own memory manager, that works under the emulator's memory manager (which works under windows' memory manager). Since you're browsing the memory allocated to the emulator by windows, you see the result of game manager+emulator manager.

kmahon99 wrote:
Attempting to cross a hole with the locked elevation value still allows him to sink slowly into the hole below.
If he sinks, it means you didn't lock the Y position but something else (dunno what). Had you really locked it, you would have seen something like a sawtooth movement, or the character falling and getting teleported up a split second later.
The fact that increasing a bit what you found makes the character fall is puzzling though, maybe you found the Y speed?
I don't really have any decent theory to offer there, but if I were you I'd scan for something else because I don't think you've got the Y pos yet.

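The batch-write explanation above, worked through in plain C as an added example (not code from the thread): a packed record modelled on Gniarf's MyStruct, with hypothetical field names, showing that a single whole-record copy is reported at the start of the record, one byte before the 16-bit member that a value scan would have found, which is exactly the "increase the topmost offset by 1" fix.

```c
/* Added example, not code from the thread: a packed record modelled on
 * Gniarf's MyStruct, showing why a whole-record write is reported at the
 * start of the record and not at the member you scanned for. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#pragma pack(push, 1)               /* packed: 1 + 2 + 1 = 4 bytes, no padding */
typedef struct {
    uint8_t data_type;              /* offset 0 */
    union {
        uint8_t  payload8;          /* offset 1 */
        uint16_t payload16;         /* offsets 1..2: the "fruit" counter */
    } p;
    uint8_t padding;                /* offset 3 */
} MyStruct;
#pragma pack(pop)

static size_t struct_size(void)  { return sizeof(MyStruct); }
/* payload16 is the first union member, so its offset is the union's offset */
static size_t offset_fixup(void) { return offsetof(MyStruct, p); }

/* One 4-byte write starting at &a, the way "A = B" may be compiled. The
 * address a write watch reports is the start of that write. */
static uintptr_t batch_write(MyStruct *a, const MyStruct *b) {
    memcpy(a, b, sizeof *a);
    return (uintptr_t)a;
}

/* Distance between the reported write address and the member address the
 * value scan found; this is what has to be added to the topmost offset. */
static long write_watch_delta(void) {
    MyStruct a, b;
    memset(&a, 0, sizeof a);
    memset(&b, 0, sizeof b);
    b.data_type = 7;
    b.p.payload16 = 5;                          /* 5 fruit, as in the thread */
    uintptr_t reported = batch_write(&a, &b);
    uintptr_t scanned  = (uintptr_t)&a.p.payload16;
    return (long)(scanned - reported);
}

int main(void) {
    printf("sizeof(MyStruct) = %zu, payload16 sits at offset %zu\n",
           struct_size(), offset_fixup());
    printf("write watch hit is %ld byte(s) before the scanned address\n",
           write_watch_delta());
    return 0;
}
```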
kmahon99 (How do I cheat?)
Posted: Fri Jun 13, 2014 6:14 pm

Thanks for the explanation. Although it's less likely, I'd say it was the batch writing that caused it, as I did copy all the addresses rather than write them by hand.

But I'm finding that all the pointers I've saved to the cheat table aren't retaining the correct value after restarting. The most volatile value seems to be the pointer to the Y position, which actually changes after each level load. Might this be a problem caused by the emulator? I know you said you don't deal with them much but any thoughts are appreciated.

I have noticed that the register addresses change after each launch (i.e. EAX, EBX etc.), might this indicate some sort of internal emulated memory management that won't allow pointers to consistently reference the same data? Or is this an issue that can be caused by something else?

Thanks for the help so far.
Gniarf (Grandmaster Cheater Supreme)
Posted: Fri Jun 13, 2014 7:34 pm

kmahon99 wrote:
Thanks for the explanation, although it's less likely, I'd say it was the batch writing that caused it. As I did copy all the addresses rather than write them by hand.
If you copy-pasted then there is not a lot of room for hesitation.

kmahon99 wrote:
But I'm finding that all the pointers I've saved to the cheat table aren't retaining the correct value after restarting. The most volatile value seems to be the pointer to the Y position, which actually changes after each level load. Might this be a problem caused by the emulator?
Normally, the emulator doesn't know when you're loading a level, so if your Y-pos pointer gets invalid it's either:
A-because the game decided to reallocate stuff
OR
B-general randomness that caused the emulator to write something over your pointer's base.

In case A, the Y-pos pointer's topmost offset will always be different.
This case would mean that the game uses dma (dynamic memory allocation), and things would get real hairy because the console has a pointer to Y pos but from the console's perspective, addresses are relative to the beginning of its RAM buffer, while CE works with addresses that are relative to the address 0 of the memory that windows gave to the emulator process.
Still, keep a pointer to several Y-pos addresses your character used; maybe the game uses a specific set of addresses, ie: position would be stored at different addresses for map 1-1, 1-2, 1-3, but at the same for map 1-1 and 2-1, 1-2 and 2-2, etc...

In case B you should see all your cheats go invalid if they all use the same pointer base (which they should).
Typically when you hack a console game you find the address of the variable you wanna hack, then go to memory viewer->view->memory regions and find the region that contains your address. This region represents the console's RAM. Then you compute address_of_my_variable-address_where_region_starts and that's your pointer's topmost offset. All that's left is to find a pointer to the console's RAM (use the pointerscanner for that, pointer paths must end with 0) and add your offset at the top. This is why all your pointers should have the same base.

kmahon99 wrote:
I have noticed that the register addresses change after each launch (i.e. EAX, EBX etc.), might this indicate some sort of internal emulated memory management that won't allow pointers to consistently reference the same data? Or is this an issue that can be caused by something else?
Depends on whether it's the base or the offset that changes, ie: you had mov [eax + edx], ebx with eax=9E808 and edx=61F2020. The big one is the base (where the emulator allocated several MB to hold the console's RAM) and the smaller one is the offset within the console's RAM (or the address, from the game's point of view).

-If the base changes when you reboot the emulator/game it's totally normal. Each time a program does "Whatever* MyStuff= malloc(sizeof(Whatever))" windows vista and later (linux too) allocate MyStuff at a randomly generated address. This is called ASLR. So the console's ram buffer should always be at a different address.

-If it's the offset within the console's ram that changes, I assume it means the game uses dma and the offset varies because stuff doesn't always get allocated in the same order (I don't know how consoles work but I don't think they use aslr).

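The "console RAM base + topmost offset" pointer path Gniarf describes (memory region start, offset = variable address minus region start, one shared static base that moves with every launch), modelled in plain C as an added example that is not code from the thread or from Cheat Engine; the RAM size, the guest address reuse of 9E808 and the emulator_launch()/game_set_lives() names are all hypothetical.

```c
/* Added example, not from the thread: the "console RAM base + topmost offset"
 * pointer path for an emulated game, modelled in plain C. The RAM size, the
 * guest address and the emulator_launch()/game_set_lives() names are all
 * hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONSOLE_RAM_SIZE (2u * 1024u * 1024u)  /* hypothetical 2 MB of guest RAM */
#define LIVES_GUEST_ADDR 0x9E808u              /* offset inside guest RAM (the eax from the thread) */

/* Static slot in the emulator's image holding the guest RAM buffer: this is
 * the green "Program.exe+1234" entry and the base every pointer should share. */
static uint8_t *g_console_ram = NULL;

/* Each launch the buffer lands somewhere else (ASLR, heap state), but guest
 * addresses inside it stay the same. */
static void emulator_launch(void) {
    free(g_console_ram);
    g_console_ram = calloc(CONSOLE_RAM_SIZE, 1);
    if (!g_console_ram) { perror("calloc"); exit(1); }
}

/* The game's own write, i.e. mov [eax+edx], ebx with edx = buffer base. */
static void game_set_lives(uint32_t lives) {
    memcpy(g_console_ram + LIVES_GUEST_ADDR, &lives, sizeof lives);
}

/* Topmost offset = host address of the variable - start of the memory region
 * that holds guest RAM (memory viewer -> view -> memory regions). */
static uintptr_t topmost_offset(uintptr_t var_host_addr, uintptr_t region_start) {
    return var_host_addr - region_start;
}

/* Resolve the one-level path [base_slot] + offset, as the cheat entry does. */
static uint32_t read_via_pointer_path(uint8_t **base_slot, uintptr_t offset) {
    uint32_t value;
    memcpy(&value, *base_slot + offset, sizeof value);
    return value;
}

/* Compute the offset on one launch, then read through the same path after a
 * relaunch that moved the buffer; returns the lives value seen there. */
static uint32_t lives_after_relaunch(void) {
    emulator_launch();
    game_set_lives(4);
    uintptr_t var_host = (uintptr_t)(g_console_ram + LIVES_GUEST_ADDR);
    uintptr_t off = topmost_offset(var_host, (uintptr_t)g_console_ram);
    emulator_launch();                 /* base moves, offset does not */
    game_set_lives(3);
    uint32_t lives = read_via_pointer_path(&g_console_ram, off);
    free(g_console_ram);
    g_console_ram = NULL;
    return lives;
}

int main(void) {
    emulator_launch();
    uintptr_t var_host = (uintptr_t)(g_console_ram + LIVES_GUEST_ADDR);
    printf("region start %p, lives at %p, topmost offset %#lx\n",
           (void *)g_console_ram, (void *)var_host,
           (unsigned long)topmost_offset(var_host, (uintptr_t)g_console_ram));
    printf("lives read after relaunch via [base]+offset: %u\n", lives_after_relaunch());
    return 0;
}
```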