Cheat Engine

[Astaroth4256]

It's been around a year now since I got into this and I still haven't made any progress towards this kind of cheats(wtb more free time), so I'd appreciate it if someone gave me directions.

My problem isn't programming but reading a game's memory, I can get addresses for simple things like health/level/location of my own character and I already made some simple bots(and hacks) that use these simple values but I aim for making real bots that can play without me semi-playing the game.
I need to somehow get a list of nearby objects in game (monsters/loots/anything), a list of my character's items in inventory and manipulate these items e.g drop them/sell them/equip/whatever but for that I believe I'd need the item's location on my screen to right click it and use it. And that's the problem, I don't know how to do that.
I have tried many times to get any of these three using cheat engine but I always ended up with no results.

So my question is how can I get such information from the game for my bots? I don't mind if the solution isn't related to reading game's memory.
I'd appreciate it if someone could explain or link me to a tutorial/guide/useful source of knowledge in this direction which I could use to make proper bots.

[atom0s]

It differs per game based on how they are coded. Some games will use a simple array of objects, others will use containers such as std::list or std::map etc. Or some will home-brew their own methods of holding data.

So there is no clear cut way to do it for every game out there.

The best thing to start with is finding an enemy in memory. One of the basics to start with is their health. Target them (and continue to target them the entire duration of your scans) and scan for their health. Hit them once to lower it some, scan again etc. until you find it.

Now this is something you need to do before continuing further. Untarget the enemy and see if the address is still valid. Target something else and again make sure its still valid. If it changes or isn't you probably didn't find an address that is going to be helpful.

If you do find one, then the next step is to debug it and find what writes to it and accesses it. In some cases you can find a lookup table call that is indexing an array of objects in some fashion which will lead you to a base pointer / first object in the array.

[Astaroth4256]

I found several opcodes with a little count and two with a few thoushand count so I guess one of the latter is what I'm looking for. But I have no idea what to do next, I don't know how to use this finding to get a list of whatever is near my character in game. Oh well

[cooleko]

The last bot i coded was for FFXIV before Reborn (or w/e it is called).
I started by finding my Coords (X,Y) and then finding what changed it. It only worked for Player Characters, but not mobs. So then I found a mob's coords (locked onto mob, /follow, and search within a 2 unit radius until i narrowed it's coords down). Mob coords all shared the same instruction. Then I looked around my instruction, I knew it accessed every mob's coordinates, but I needed to find the structure/list it used to do so.

Turns out it was pretty simple, a few traces showed that the game loaded a base address, and then some offset, simple deconstruction across a few mobs showed that the offsets were spaced every 0x90

Hope this helps

[Astaroth4256]

So I have found X coord of an object. Then I looked up what was around this address and I found health/name/energy/level etc. of the object around it's X coord address. But I don't know how what to do next in order to find the list of these objects in game, could you explain how you used the instruction to do that?

[cooleko]

Break and trace the instruction, write down the registers and stack, for ease of understanding look up npc name using your current knowledge, compare these addresses across 10 npcs, look for the patterns. Is there a base address always loaded, is there an index or ofset loaded, is there a different base addres for PCs, NPCs, Mobs?

You just need to gather as much data as possible and look for patterns.
You can also look at the structure dissector to see if patterns are there too.

[Astaroth4256]

So I decided to "find out what accesses to this address" on the base of the object's structure (1A7C9420 and 1A7C9420+488 is the object's X coord) and it shows a list of like 40-50 instructions. I have to ask, if I look through each of these instructions then can I find what points to the object's structure (or simply can I find the object list) using this way? I ask because it looks like it would take me a few hours to analyze all these instructions and I'm quite short on free time.

I have collected this by finding out what accesses to the X coord adresses

[cooleko]

Every game is unique, there are many methods for reaching the solution you want to reach, and I have given you two different approaches that worked for me. You are fairly lucky that the coords are located in an easily identifiable structure. Why dont you look for the pointer to the structure of multiple mobs/npcs/pcs? Since you know that it is ESI, find something in memory that accesses the ESIs of all the mobs and you may be able to find every single one of them without any more effort.

[Astaroth4256]

I found a list of pointers to base addresses of structures of objects in the area in game, but I can't find any pointer to this structure. I tried scanning for addresses of the list and it returned me nothing.

[cooleko]

Pick any of the pointers you found and see what accesses them. That instruction may access all of them. If not, it will at least tell you where the base of the structure holding all the pointers you found is. Use that base to see what accesses and that instruction will always give you your base.

[Astaroth4256]

Awesome, the base of this structure was 198 away from the first pointer in the list. I scanned for pointers to the base and it returned a base address, then I used it in a different game client and it pointed to the base of the structure I was looking for. Thanks.