Cheat Engine

[susofseattle]

Short and sweet version:

DarkSouls2:SotF (Offline only) Cast Speed.

Used 'Unknown initial value / All' & 'Changed/Unchanged Value' only (added piece of armor that changed stat, removed piece, added different piece, etc) to arrive at the address: 7FFEB6DC5E8. I cannot change or freeze values, and after 3 days of watching tutorials on multilevel pointer offset scanning, I still have no idea wtf I'm doing.

Below are screens of the debugger on the line that write to the screen display of Cast Speed on the character Sheet. Hopefully enough is included that you can just point me in the right direction.

[ulysse31]

What are you trying to do ?
Are you trying to edit your cast speed value ? If yes, correct me if I am wrong but you equipped and unequipped armors so that you could scan for this cast speed value ?
What do you mean you cannot freeze or change value ? does it crash or does it just get unaffected (can happen if game rewrites it many times per second) ?

[susofseattle]

The end goal is to overwrite the calculation supplied to "Cast Speed", to supply a fixed value.

"Cast Speed" is an increasing numerical value that is influence by: Armor Effects (a combination of 5 separate pieces that are known raise Cast Speed); increases with stats: INT, ATN, ADP, FTH, and rings with the effect "increases your casting speed".

After adding the only address to the list: 7FFEB6DC5E8 (4byts), the value of the Cast Speed showed correctly, and adjusted as equipment was removed and added. The value shown reflected the Cast Speed on the Character Sheet, exactly.

However, if I "X'd" the box for that memory address, the value would change anyway. If I changed the value, the change did not stay. It immediately reverted to the original value.

--

I believe I've basically found the summary 'display' value for Cast Speed, but not one of the base addresses that factor into the calculation to arrive at it. Or in other words, I found a multi-level pointer.

I have honestly watched about 16 hours of tutorials for pointer scans / using the address to find the offset and tracing the pointer upwards; but the command: "mov [rcx],edx" doesn't have an offset to trace, and RCX is the address I found (shown in pics).

I'm lost.

--

In the second pic listed, you can see a large portion of the code that should contain what I'm looking for.. but I don't know assembly.

[ParkourPenguin]

[susofseattle]

[ParkourPenguin]

A pointer is a type of value that is a reference to another address. Nothing more. It doesn't have anything to do with calculating a value. It would be useful for finding that specific value again after you restart the game, but beyond that, it's no more useful than that address is.

There isn't much I can deduce from that section of assembly. Some other instruction(s) almost certainly calls that to run. The start of that subroutine is probably mov [rsp+08],rbx (the one after the int 3).

As I said, backtrace it. Find the instruction that calls this subroutine to run when it writes to that address (break and trace or just look at the stack), look behind it, and find out where it's getting edx from. Use conditional breakpoints if that instruction accesses more than that address.

[ulysse31]

Will point you the the most similar case I have seen which is a tutorial by Geri, it also contains a video of him backtracing a function which encrypts some data (missiles, lifes and such).
Not the easiest but a fairly accessible after CE's tutorial has been completed :
http://szemelyesintegracio.hu/cheats/41-game-hacking-articles/225-basic-encryptions-debugging-backtracing-and-some-info-on-the-stack


Taking a guess at the code :
cmp [rcx],edx
je...
mov [rcx],edx

meaning if you manually change the value the game probably notices it right away because Z flag is no longer set.
If you change the 'je' to 'jmp' and manually edit the value of the address you found, what happens ? also put a breakpoint on mov [rcx],edx just to be sure it no longer executes that way.

Edit : Just to be clear if that indeed is only a graphical value it won't affect the gameplay nevertheless by patching this instruction the game will no longer instantly overwrite whichever value you enter (or it will need to use another opcode to do so which is possible).