Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Finding Base Address - Paint The Town Red

AceDongKing (How do I cheat?, Reputation: 0, Joined: 12 Jan 2020, Posts: 1)
Posted: Sun Jan 12, 2020 2:00 pm    Post subject: Finding Base Address - Paint The Town Red

I am trying to find the player base address.

I start by trying to find the player's health by doing an 'Unknown Initial Value' scan with the value type of Float, taking damage, 'Decreased Value' scan, 'Unchanged Value' scan, repeat... until I get the list down to about 63 results found.

Looking through the values, I select 10 addresses that look good and are sitting close together in a block.

<<IMAGE ONE>>

When I freeze the values, it seems that my health goes down but instantly goes back to the frozen value. Unfreezing it makes the player take damage again, so that's good.
Through ticking them all and unticking them one by one I am able to find the single address that actually freezes the value. Unfortunately it is not always in the same spot in the list of 10 addresses that come up for health (i.e. it's not always the first / third one / last one / etc.).
Checking 'What Accesses This Address' on all 10 found health addresses I find that they're all being accessed by the same instruction in memory.

When I see what writes to these addresses it seems to be one shared instruction from the same address.

<< IMAGE TWO >>

Although the one address that actually freezes the health is being accessed by three.

<< IMAGE THREE >>

Here is the disassembler for the address that is shared amongst the 10 health addresses.

<< IMAGE FOUR >>

Back-tracing the assembly a bit, I get lost at the 'mov rax, [rsi+20]' at 09CEBEE0 instruction after the two jumps.
Not really sure where it's getting the data and what the data is.
Putting the addresses into the data dissecter does not help me out much.

I decided to check what addresses are accessed by the shared instruction 09CEBF2F.

<< IMAGE FIVE >>

It seems there are 30 different addresses accessing this instruction; 10 of them are continuous updates while the other 20 only update when the player is damaged or hit.
Upon further investigation I believe that 10 of the 20 addresses that are being written to are part of a different player attribute (the Power), as modifying them increased that stat for me in game.
These addresses change every time that the level restarts or the player dies.
It seems that the amount of addresses that access the instruction also changes.

<< IMAGE SIX >>

My goal is to find the player base address so I can modify the health / power / stamina / other interesting variables that may be contained in the struct.
Any push in the right direction would be greatly appreciated!


Attachments: one.PNG (IMAGE ONE, 32.01 KB), two.PNG (IMAGE TWO, 80.66 KB), three.PNG (IMAGE THREE, 44.53 KB), four.PNG (IMAGE FOUR, 117.69 KB), five.PNG (IMAGE FIVE, 50.61 KB)

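The narrowing procedure described in the post above (an "Unknown Initial Value" scan, then "Decreased Value" and "Unchanged Value" next-scans) written out as an added Python example. This is not code from the thread or from Cheat Engine: process memory is reduced to a dictionary of address to float, and the snapshots below are constructed by hand to show why several addresses usually survive the scan.

```python
from typing import Dict, Iterable, List, Set

Snapshot = Dict[int, float]  # address -> float value read at that address (constructed, not a real process)

# Next-scan filters in the sense of Cheat Engine's scan types
FILTERS = {
    "decreased": lambda before, after: after < before,
    "increased": lambda before, after: after > before,
    "unchanged": lambda before, after: after == before,
    "changed":   lambda before, after: after != before,
}


def next_scan(candidates: Iterable[int], before: Snapshot, after: Snapshot, kind: str) -> Set[int]:
    """Keep only candidate addresses whose value between the two snapshots satisfies the filter."""
    keep = FILTERS[kind]
    return {addr for addr in candidates if addr in after and keep(before[addr], after[addr])}


def narrow(snapshots: List[Snapshot], kinds: List[str]) -> Set[int]:
    """'Unknown initial value' scan followed by one next-scan per filter in `kinds`."""
    if len(kinds) != len(snapshots) - 1:
        raise ValueError("need exactly one filter between consecutive snapshots")
    candidates: Set[int] = set(snapshots[0])  # unknown initial value: every address qualifies
    for before, after, kind in zip(snapshots, snapshots[1:], kinds):
        candidates = next_scan(candidates, before, after, kind)
    return candidates


# Constructed snapshots: take damage, stand still, take damage again.
# 0x2000 behaves like health; 0x2010 is a frame counter; 0x2020 a constant;
# 0x2030 drops once and then stays put; 0x2040 drops every frame;
# 0x2060 moves in step with health (a second copy of the same stat).
SNAPSHOTS: List[Snapshot] = [
    {0x2000: 100.0, 0x2010: 1.0, 0x2020: 3.5, 0x2030: 5.0, 0x2040: 50.0, 0x2060: 10.0},
    {0x2000:  85.0, 0x2010: 2.0, 0x2020: 3.5, 0x2030: 4.0, 0x2040: 40.0, 0x2060:  9.0},
    {0x2000:  85.0, 0x2010: 3.0, 0x2020: 3.5, 0x2030: 4.0, 0x2040: 30.0, 0x2060:  9.0},
    {0x2000:  70.0, 0x2010: 4.0, 0x2020: 3.5, 0x2030: 4.0, 0x2040: 20.0, 0x2060:  8.0},
]
SCAN_STEPS = ["decreased", "unchanged", "decreased"]


def candidates_after_scan() -> Set[int]:
    """Addresses left after running the three next-scans over the constructed snapshots."""
    return narrow(SNAPSHOTS, SCAN_STEPS)


if __name__ == "__main__":
    for addr in sorted(candidates_after_scan()):
        print(f"{addr:08X}")
```

Two addresses survive (0x2000 and its copy at 0x2060), which is the situation the post describes: the filters cannot tell a stat apart from another value that moves with it, so the survivors still have to be frozen one at a time to find the one the game actually reads.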
DanyDollaro (Master Cheater, Reputation: 3, Joined: 01 Aug 2019, Posts: 334)
Posted: Tue Jan 14, 2020 10:48 am

I might be wrong, but the player's base address is marked in the second image in the instruction:
Code:
movss [rax], xmm5

In this case the instruction has no offset, so the life address should be the player's base address.
ParkourPenguin (I post too much, Reputation: 152, Joined: 06 Jul 2014, Posts: 4706)
Posted: Tue Jan 14, 2020 11:41 am

Two instructions above that is an lea that indexes into the array. Use that value of rax instead.
Code:
 new_rax = rax + rcx * 4 + 20
3A95A040 = rax + 8 * 4 + 20
     rax = 3A95A040 - 20 - 20
     rax = 3A95A000

Further back from that is rsi+20, and rsi looks like it comes from the first parameter to the function (rcx). If you want to continue looking at code, step through the ret instruction to look at the caller to this function (or use break and trace). Otherwise, try searching for rsi (3C2CF818) and go from there.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
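The base recovery ParkourPenguin does by hand, as an added Python example (not code from the thread or from Cheat Engine). It parses a memory operand the way the disassembler shows it (hex displacement, no 0x prefix), computes the effective address from register values, and solves for the base register when the accessed address is known. The operand string `[rax+rcx*4+20]` is an assumption reconstructed from the formula in the post; the values 8, 3A95A040 and 3C2CF818 are the ones quoted in the thread.

```python
import re
from typing import Dict, NamedTuple, Optional

# 64-bit general purpose registers as the disassembler names them
REGS = {"rax", "rbx", "rcx", "rdx", "rsi", "rdi", "rbp", "rsp"} | {f"r{i}" for i in range(8, 16)}


class Operand(NamedTuple):
    base: Optional[str]   # base register, e.g. "rax"
    index: Optional[str]  # index register, e.g. "rcx" (None if absent)
    scale: int            # 1, 2, 4 or 8
    disp: int             # displacement, converted from the hex shown on screen


def parse_operand(text: str) -> Operand:
    """Parse a memory operand such as "[rax+rcx*4+20]" (hex displacement, as shown by Cheat Engine)."""
    inner = text.strip()
    if not (inner.startswith("[") and inner.endswith("]")):
        raise ValueError(f"not a memory operand: {text!r}")
    inner = inner[1:-1].replace(" ", "").lower()
    base = index = None
    scale, disp = 1, 0
    for sign, term in re.findall(r"([+-]?)([^+-]+)", inner):
        negative = sign == "-"
        if "*" in term:                       # scaled index: reg*scale
            reg, factor = term.split("*", 1)
            if reg not in REGS or negative or int(factor) not in (1, 2, 4, 8):
                raise ValueError(f"bad index term: {term!r}")
            index, scale = reg, int(factor)
        elif term in REGS:                    # plain register: first one is the base, second the index
            if negative:
                raise ValueError(f"register cannot be subtracted: {term!r}")
            if base is None:
                base = term
            elif index is None:
                index, scale = term, 1
            else:
                raise ValueError(f"too many registers in {text!r}")
        else:                                 # anything else is a hex displacement
            value = int(term, 16)
            disp += -value if negative else value
    return Operand(base, index, scale, disp)


def effective_address(op: Operand, regs: Dict[str, int]) -> int:
    """Address the instruction touches, given the register values at that moment."""
    ea = op.disp
    if op.base is not None:
        ea += regs[op.base]
    if op.index is not None:
        ea += regs[op.index] * op.scale
    return ea & 0xFFFFFFFFFFFFFFFF


def solve_base(op: Operand, accessed: int, regs: Dict[str, int]) -> int:
    """Recover the base register from an observed access address (the subtraction done by hand in the post)."""
    if op.base is None:
        raise ValueError("operand has no base register")
    value = accessed - op.disp
    if op.index is not None:
        value -= regs[op.index] * op.scale
    return value & 0xFFFFFFFFFFFFFFFF


if __name__ == "__main__":
    lea = parse_operand("[rax+rcx*4+20]")      # assumed operand of the lea two instructions above the movss
    print(f"rax before the lea = {solve_base(lea, 0x3A95A040, {'rcx': 8}):08X}")
    load = parse_operand("[rsi+20]")           # the 'mov rax,[rsi+20]' the original poster got stuck on
    print(f"[rsi+20] reads from {effective_address(load, {'rsi': 0x3C2CF818}):08X}")
```

Solving for `rax` gives 3A95A000, the value in the post; the same function works for any `[base+index*scale+disp]` operand, which is the general case of the one calculation shown there.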