Cheat Engine

GBRA4.669 · How do I cheat? Reputation: 0 Joined: 17 Dec 2021 Posts: 9

Hi legends,

I am trying to automate a procedure that I am currently doing manually with CE.

The procedure is:
attach to exe > memory view > go to address > right click on the address > break and trace instr > get a value from RBX.

Then I add the address manually with the value from RBX + 1 as type Byte.
Then invert the value (if 1, change it to 0 and vice versa).
Done.

I am getting sick of doing this every time, so I was trying to do it with lua,
but I am not even sure I am getting the value for RBX.

TheyCallMeTim13 · Posted: Fri Dec 17, 2021 10:44 pm Post subject:

It sounds like you'd be better off using ASM and code injection. Look up injection copy, you just want the base address so you can have a memory record of [base address]+1. And you can invert the value in injection script.

GBRA4.669 · How do I cheat? Reputation: 0 Joined: 17 Dec 2021 Posts: 9

I understand your point, however, this is not the full picture, the script is way bigger (i have other functions working already) and it was simplified to make it easier to read and understand. Also, I am trying to learn LUA + CE so I would try to stick with it for a while.

I also have a C++ script (I can post it if some1 is interested but it's very messy) that does the same exact thing.

Today I will try it again and post here the solution if I can find it.
Or maybe add some clarifications in the wiki.

To me,debugger_onBreakpoint() it's unclear how to get access to the registries when the hook (event) debugger_onBreakpoint() it's triggered.

I've seen people calling getAddress inside of it, and people that don't do it.
I've seen people doing stuff like RIP=getAddress("aSymbol") inside of it.
Are they going to get RIP registry or just the address? Is there some kind of destructuring going on or just bad variable naming (shouldn't be local RIP instead)?

Thank you <3

TheyCallMeTim13 · Posted: Sat Dec 18, 2021 8:25 am Post subject:

I'm just thinking creating memory records and what not will slow things down a bit, so you might look at launching a seperate thread for that. As far as the code you posted you are setting the breakpoint then immediately removing it thus it's likely never triggered.

RIP is the instruction pointer it holds the address of the currently executing instruction. And unless they are using "read...(RIP)" they're just getting the address of RIP and not the value/code at that address. If they are setting RIP (RIP=getAddress(...) is setting RIP) they are changing the execution location for what I understand; but it's a bit weird and I've never done this, seems like it would just cause crashes but I'm not really sure.

GBRA4.669 · How do I cheat? Reputation: 0 Joined: 17 Dec 2021 Posts: 9

I am hitting the breakpoint (I can print from there),

Let's suppose I use LUA only:

Dark Byte · Posted: Sat Dec 18, 2021 3:25 pm Post subject:

TheyCallMeTim13 · Posted: Sat Dec 18, 2021 3:32 pm Post subject:

Try something like this, this is for the CE tutorial step 2.

GBRA4.669 · How do I cheat? Reputation: 0 Joined: 17 Dec 2021 Posts: 9

I am confused guys, I have tried that, but I have no idea why I get nil for RAX (or any other register RIP, RDX, RBX). Yes, 64bit game.

TheyCallMeTim13 · Posted: Sat Dec 18, 2021 5:19 pm Post subject:

Not sure where the error is but, with how you're using "getAddress" before "openProcess" this could have unforeseen behavior. And you use the global function "debugger_onBreakpoint" and don't check the instruction pointer for the intended instruction, so any breakpoints hit will call that function and this could cause problems. Plus the random semicolons says this is spaghetti code and you might be better off starting small with it till you get the breakpoint code working and have a better understanding of how it works, try a simplified version with the CE tutorial. And with "if readBytes(RAXVal, 1, false) then" so long as it reads any value it will equate as true (i.e.: any number is true in Lua).

ParkourPenguin · Posted: Sat Dec 18, 2021 5:27 pm Post subject:

"debugger_onBreakpoint()" is invoking the function debugger_onBreakpoint.

You shouldn't be defining that function as the global variable "debugger_onBreakpoint" if you don't want it to be the global breakpoint handler.

Code that isn't indented is horrible to read. There might be problems in such functions... I didn't look.

bptAccess triggers when a value in memory at that address is accessed. I'm guessing you want it to trigger when the code at that address is executed.

Here's how I'd print the value of rbx in step 2 of the CE tutorial (64-bit):

GBRA4.669 · How do I cheat? Reputation: 0 Joined: 17 Dec 2021 Posts: 9

sorry for the bad indentation.
This is a cleaner version of the script:

TheyCallMeTim13 · Posted: Sat Dec 18, 2021 6:38 pm Post subject:

"debug_setBreakpoint" needs the function not it's return value.

i.e.:

GBRA4.669 · How do I cheat? Reputation: 0 Joined: 17 Dec 2021 Posts: 9

even in its simplest form (coming from the Wiki), using the global debugger_onBreakpoint(), it is not working for me.

Dark Byte · Posted: Sat Dec 18, 2021 9:23 pm Post subject:

is the address correct and is the breakpoint actually set at the address? (red/green line)

GBRA4.669 · How do I cheat? Reputation: 0 Joined: 17 Dec 2021 Posts: 9

Yes DB. I am left with a game frozen, the breakpoint is set and it's red when that line is not highlighted in the memory view and green if highlighted (I guess red + blue makes it green).
I have to manually go into memory, go to that place in memory, right-click on the breakpoint and remove it or my game is left frozen. Thanks for the help.