I need some help. (Creating an AOB script for a game.)

Cheat Engine Forum Index -> General Gamehacking
777sage (Joined: 03 Jan 2017, Posts: 3)
Posted: Tue Jan 03, 2017 11:29 pm    Post subject: I need some help. (Creating an AOB script for a game.)

Alright, so I have been trying to learn Cheat Engine more in depth for a little bit. I have gone through the tutorial a couple of times to improve. Basically, as a computer science major I see this as an opportunity to learn and understand assembly. So I will try to be as detailed as I can.

I am trying to create a script for a game made in RPG Maker; the application is an RGSS3 exe. I wish to create a script where I can open the menu, see the item name and count in the menu, and be able to modify it. However, there are issues:

1. The memory address of each element is never consistent and always changes with each restart of the game and whenever the game goes to the main menu. The only exception is player health, so long as the game itself is not restarted.

2. The game appears to store the data, but based on the disassembler's representation of the functions, it uses a push and pop method on a stack.

3. Since this is RPG Maker, the values of elements in the game are x multiplied by 2, plus 1. <--- This is dealt with using a data type script made by someone else.

4. When trying to figure out what address accesses/writes to the element's address at its offset (where the value of it is stored), it reports something odd. At least to me, in my limited experience. A function is called where it appears to write to the address, but then another function is run 6 times each time the first function is written. Checking the assembly suggests that this is because it must access the RGSS3 library within the same dir as the exe, but I don't know what to do with it other than observe the assembly instructions.

Okay, thus far I have explained that; now I shall explain what I attempted to do to achieve my goal:

To try and fix this problem, I tried utilizing the code finder method.... It doesn't really work as I thought it would, because if I disable the script that writes the count it crashes the game, as there is a stack error that likely comes from the 4th issue listed above. Storing the code doesn't seem to do anything, although it is likely because I DO NOT know how to take advantage of it or use it to automatically find the addresses and values of what I am trying to modify. I think this is unlikely to work because the game seems to use the same calls when interacting with health as it does for items. So I decided to focus on items in the menu instead, and quickly remembered that even if the items are never at the same address I could try to use them via the Array of Bytes method, which seems to be a good direction as the address of the AOB found never seems to change even when the game crashes or restarts.

But here is where things got difficult:

I checked a number of tutorials online and observed their demonstrations. A lot of them were helpful but did not solve the issue because the game would crash, either due to a "font" error or it just hard crashes. I'll try to explain what I did typically:

I open the menu in the game and search for an item; it happens to be food and I wish to heal a character using it, so I just find it using Cheat Engine the usual way. I find it, and then I try to see what writes to the address and I find one. The instruction is:

100887F0 - 89 47 08 - mov [edi+08],eax

To my understanding, it basically means that it is taking whatever value is in eax and copying it into the address located at [edi+08].
Here are the instructions that follow it. I am posting this because when I auto assemble this it is seen as the original code, so I assume they have to be there:

100887F3 - 5F - pop edi
100887F4 - 5E - pop esi

My guess is that it pops the esi and edi that were used by the function found via the "find what accesses this address" method.
I noticed also that no matter how many times the game restarts, the bytes for the function, 89 47 08, never change, so that was when I decided the array of bytes could be used. I did not feel like this was enough because of how the game accessed the address...

So I decided to see how it accessed the address, which should include both read and write functions. And as I mentioned above, I get 2 results: the original function that I talked about above, and now a new function. This is the function:

10087C3A - 8B 4E 08 - mov ecx,[esi+08]

Now there is a new set of bytes at a new address, but here's the thing: it occurs 6 times and CE shows me these overall:

10087C36 - 85 C0 - test eax,eax
10087C38 - 74 05 - je RGSS301.dll+87C3F
10087C3A - 8B 4E 08 - mov ecx,[esi+08] << What it pointed to...
10087C3D - 89 08 - mov [eax],ecx
10087C3F - 5D - pop ebp

So it appears to do a logical test, then it accesses RGSS301.dll, then it moves the value of the item I am looking at into ecx, where it then takes that value stored in the address and moves it into the address referenced by eax. SO each time the item is consumed the total amount remaining is written to once, but is accessed 6 times? Where the hell did ebp come from? But I decided to ignore that.

When I auto assemble for code injection, only these are written in the original code section:

mov ecx,[esi+08]
mov [eax],ecx

I want to go into detail about what I did, but I'll give a short explanation because I first want you all to correct me if my interpretations of the instructions are wrong. But basically I decided to create an AOB injection script using the array of bytes (yes, they are unique) found at the instruction calls CE pointed to. Let's just say I tried to change what was written to the amount remaining by writing this:

mov [edi+08],(int)199 << 199 is 99 in RPG Maker due to the x*2+1 formula, so I decided to input that. I was trying to have the script change the value itself. But when heading back to the game to test the new AOB injection script it crashes, either CTD or it shows this error:

Exception : NoMethodError
undefined method `font=' for 99:Fixnum
trace:

Which to me makes no sense, because I am only trying to put an integer of 99 into the value of the item located at [edi+08], since the offset leads directly to the value of the item, as proven when I dissected the data structure.

I tried different things to no avail. At this point I think I am just an idiot that is missing something huge. Is it because the int of 99 is seen differently as opposed to the value of 199 in hex? I tried that but I got a crash as well. What do you all think I should do? Any tips? What info do you need? Is what I am doing wrong?

_________________
Do good, spread good, be good.
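The post's plan rests on re-finding the write by its byte pattern rather than by an address that moves. As an added example that is not part of the thread, this Python implements a wildcard AOB scan over a constructed memory image (built from the bytes quoted above plus filler, not a dump of the game) and shows the uniqueness check an injection script should pass before it patches a hit:

```python
# Added example: wildcard array-of-bytes scanning, the mechanism an AOB injection
# script relies on to re-find code whose address moves. IMAGE is a constructed
# sample built from the bytes quoted in the thread plus filler, not a game dump.
from typing import List, Optional

def parse_pattern(text: str) -> List[Optional[int]]:
    """'89 47 08 ?? 5E' -> [0x89, 0x47, 0x08, None, 0x5E]; '??' or '*' is a wildcard."""
    return [None if tok in ("??", "?", "*") else int(tok, 16) for tok in text.split()]

def aobscan(image: bytes, pattern: str) -> List[int]:
    """Every offset in image where the pattern matches, wildcard positions ignored."""
    pat = parse_pattern(pattern)
    return [i for i in range(len(image) - len(pat) + 1)
            if all(p is None or image[i + j] == p for j, p in enumerate(pat))]

def unique_aob(image: bytes, pattern: str) -> Optional[int]:
    """An injection anchor must match exactly once; anything else returns None,
    which is the check to run before letting a script patch the first hit."""
    hits = aobscan(image, pattern)
    return hits[0] if len(hits) == 1 else None

IMAGE = (
    bytes.fromhex("90 90 85 c0 74 05 8b 4e 08 89 08 5d 90 90")  # offset 2: test/je/mov/mov/pop
    + bytes.fromhex("89 47 08 c3 90")                            # offset 14: a second mov [edi+08],eax
    + bytes.fromhex("89 47 08 5f 5e 5d c3")                      # offset 19: the write followed by the pops
)
```

Extending the pattern with the trailing `5F 5E` (the pops quoted in the post) is what makes the write site unique in this image; the bare three bytes `89 47 08` match twice and are rejected.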
Zanzer (Joined: 09 Jun 2013, Posts: 3278)
Posted: Wed Jan 04, 2017 12:03 am

Right-click the instruction and select Find out what addresses this instruction accesses.
Go back in game and do some random actions then come back to CE.
It should have popped up all of the addresses that the instruction touched.
Chances are, it's a crap load (technical term).
So when you set the value to 199, you're setting them ALL to that.
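The x*2+1 rule and the `99:Fixnum` error in the first post, together with the point made here about one instruction touching many addresses, come down to how the embedded Ruby runtime tags its 32-bit words. The following Python is an added example, not code from the thread; it assumes RGSS3 embeds a 32-bit Ruby 1.9-series interpreter and uses that version's tag constants, with made-up slot addresses:

```python
# Added example (not from the thread): how a 32-bit Ruby 1.9-series interpreter,
# which RGSS3 is assumed to embed, tags stored words. The x*2+1 rule is Fixnum
# tagging; the constants below are Ruby 1.9's ruby.h values.
from typing import Dict, List, Tuple

QFALSE, QTRUE, QNIL, QUNDEF = 0x0, 0x2, 0x4, 0x6
FIXNUM_FLAG, SYMBOL_FLAG = 0x1, 0x0E
WORD = 32
FIXNUM_MIN, FIXNUM_MAX = -(1 << (WORD - 2)), (1 << (WORD - 2)) - 1

def fixnum_encode(n: int) -> int:
    """Tag a machine integer as a Fixnum: (n << 1) | 1, i.e. the thread's x*2+1."""
    if not FIXNUM_MIN <= n <= FIXNUM_MAX:
        raise ValueError("outside Fixnum range; Ruby would use a heap Bignum instead")
    return ((n << 1) | FIXNUM_FLAG) & 0xFFFFFFFF

def fixnum_decode(v: int) -> int:
    """Inverse tag: arithmetic shift right by one, respecting the 32-bit sign bit."""
    if v & 0x80000000:
        v -= 1 << WORD
    return v >> 1

def classify(v: int) -> Tuple[str, object]:
    """What the interpreter sees in one 32-bit word."""
    v &= 0xFFFFFFFF
    if v & FIXNUM_FLAG:
        return ("Fixnum", fixnum_decode(v))
    if v in (QFALSE, QTRUE, QNIL, QUNDEF):
        return ("special", {QFALSE: "false", QTRUE: "true", QNIL: "nil", QUNDEF: "undef"}[v])
    if (v & 0xFF) == SYMBOL_FLAG:
        return ("Symbol", v >> 8)      # symbol id lives in the upper bits
    return ("object", v)               # heap pointer (Font, String, Array, ...)

# Constructed model of the fields one generic store instruction reaches; the
# addresses and the pointer value are made up for illustration.
SAMPLE_SLOTS: Dict[int, int] = {
    0x0A3F1C08: fixnum_encode(3),  # an item count of 3, stored as 7
    0x0A3F2E08: 0x0B12C040,        # reference to a Font object
    0x0A3F4F08: QNIL,              # an unset field
}

def blanket_write(slots: Dict[int, int], raw: int) -> Dict[int, Tuple[str, object]]:
    """Patching the shared store to write one constant hits every slot it serves."""
    return {addr: classify(raw) for addr in slots}

def corrupted_object_slots(slots: Dict[int, int], raw: int) -> List[int]:
    """Slots that held an object reference and now read as a Fixnum: calling a
    method such as `font=` on that field raises NoMethodError for 99:Fixnum."""
    return [addr for addr, old in slots.items()
            if classify(old)[0] == "object" and classify(raw)[0] == "Fixnum"]
```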
777sage (Joined: 03 Jan 2017, Posts: 3)
Posted: Wed Jan 04, 2017 11:04 am

Alright, I see what you mean. Is it possible to use some sort of comparison or other means to find an element in the items menu and return it so that Cheat Engine displays it? Do I need to learn Lua or some other method to do so?


UPDATE: You know, I really must thank you. I think the creation of the script I am looking for is possible... just not in the same way. You see, after checking the addresses the operation accessed I was also able to see the address of EVERY item in that menu. I was thus able to copy and modify them all at once to my liking without touching the menu system or anything else, simply by restricting my actions to all addresses that match the first 4 characters. Now I just need to learn how to implement that in assembly language, as I do not have a 100% clear understanding of its syntax.

_________________
Do good, spread good, be good.
Last edited by 777sage on Wed Jan 04, 2017 11:32 am; edited 1 time in total

Zanzer (Joined: 09 Jun 2013, Posts: 3278)
Posted: Wed Jan 04, 2017 11:15 am

If the instruction you found is simply a decryption routine that the game uses for ALL variables, you'll have some difficulties.
You'll need to break and trace on the instruction and find another routine specific to inventory.
Once you find an instruction that can get you the address, it's quite easy to pull that out.
Code:
alloc(myvar,4)          // reserve 4 bytes of memory to hold the saved address
mov ecx,[esi+08]        // the game's original instruction, kept so the game keeps working
mov [myvar],esi         // store the base address held in ESI into our variable
registersymbol(myvar)   // make "myvar" usable as an address in the cheat table

You have now saved the address in ESI to your custom variable.
You can add "myvar" as an address in your cheat table.
777sage (Joined: 03 Jan 2017, Posts: 3)
Posted: Thu Jan 05, 2017 10:34 am

Hey, thanks for the help so far. But I have to be honest: I have seen that style of code in many Lua scripts and cheat tables, but never quite understood what's going on and how to use them well. So I did the break and trace method, but I don't quite understand how to make use of it. Maybe a couple of YouTube videos will guide me there, but when it comes to the routine specific to the menu, how would I know that I found it when the functions that call the menu are the same as what is used for the items themselves?

Also, in some cheat tables I noticed they always had a pointer shown that allows a user to see a value on the table. Like when you open the menu and highlight an item and then go to CE and you see the count of that item, whether it be potions or whatever. How is that done?

_________________
Do good, spread good, be good.