Cheat Engine

[jungletek]

FYI, a strategy I find useful for Mono games is to try to find some sort of update function and hook (injection copy) a pointer to the player character's structure (the so-called player base).

So for example, you find an update function that is executed regularly (the idea being that you don't have to perform a specific action to get your injection code executed, and therefore the pointer you want copied to an address you control) and figure out what register is holding the address you need (often RCX, but not always, YMMV), and copy it to an address you can reference from your table or other scripts (do this by using registersymbol(), naming it whatever you want). Then you can just add a new address to your table, type pointer, with the base address being the name of the symbol you registered. The idea being that once you have the playerbase address, you can just build a table that consists of pointer entries in the format of 'symbolname+offset'.

Make sense? Perhaps not, but I'll try to keep an eye on this thread if you have questions, and respond when I can.

[ymiu]

That does make sense. I hadn't tried taking my base pointer (from Hunger updates, for example) and tried mapping it out to see if I could reference other interesting values from there. For this particular game, I'm quite satisfied with what I've achieved based on the help I've received so far-- using Mono references to code inject where certain values are changed.

There is one thing still plaguing me, however. It's not a showstopper, but I came across it while attempting to freeze item quantities when swapping items from my inventory into storage containers or NPC inventories during bartering. In this case, I noticed that the code that modifies the quantities comes from the exact same-named function, but in very different parts of memory. This confounds my attempts to inject into one of those functions (the latter one).

For example, in my current play session, here are the two functions and their address ranges:

[jungletek]

What's wrong with just using AOB's to find the code in each instance of the 'same' function to patch what you want patched? Am I missing something? Is it that the AOB would return the first instance when you wanted the second, or vice versa?

Having proper symbol names is nice for understanding what you're looking at from a macro scale, but you don't need them; you can always just find the same place by AOB scanning...

[ymiu]

I just like the improved speeds I get with aobscanregion() or especially code injection with mono references. I was hoping there was a way to take advantage of either in this situation, but certainly a regular AOB scan is effective.

[jungletek]

aobscanmodule() should be fast enough, certainly faster than scanning all of your system memory space.

[ymiu]

I wasn't aware of that one. Seems I have to RTFM some more.

On that note, I'm trying to RTFM to solve a new problem with allocating multiple vars in my header script. The idea is to activate the header script, which declares a couple address placeholders, then a couple of the child scripts will store addresses in those placeholder vars. This allows me to deactivate the child scripts but keep the pointer references.

This works when I use just one:

[ParkourPenguin]

It fails because you're trying to store an 8-byte value in a 4-byte storage space.

[ymiu]

The relevant lines in the two child scripts are:

[OldCheatEngineUser]

yes, both. (remember to tell ce how do you want it to be read in address list, as a byte? 2? 4? more? other float ...)

[ymiu]

Glad we're all following the same thought patterns so far... I did make sure that the addresses in my table were both 4-byte pointers. Any other ideas? Could it be a bug?

[OldCheatEngineUser]

cant think of it as a bug, many users do such things.

maybe posting a screen shot of address list + symbol and offset + hex dump of the region where the symbol resides, can help me and/or others to help you.

[ymiu]

Included as many details as I could in the screenshot...

[OldCheatEngineUser]

haha, sounds like a real bug here.

using symbols as a pointer huh, what if you read 4 bytes before hunger.

edit:
tried to make two scripts like what you did, and used symbols as a pointers.

but it worked perfectly, not sure why tho (i thought it would read and display it as an 8 byte long address) .. so yeah maybe something wrong with your ce.

[ymiu]

hmmm... quite the conundrum. How do I read 4 bytes before? I'm trying to put "hunger-4" in the pointer address, but that's not working.

[ParkourPenguin]

It's a bug with your code.

Pointers in a 64-bit process take up 8 bytes. You're accessing pointers through 4-byte registers. Even if the upper 32 bits of the pointers are 0, it's still a stupid method because people that don't know what they're doing end up with problems like this.

Use rdi / rax instead of edi/eax.