Cheat Engine The Official Site of Cheat Engine
amacati How do I cheat? Reputation: 0
Joined: 01 May 2022 Posts: 4
Posted: Sun May 01, 2022 7:14 am Post subject: Read underlying animations in DSIII |
Hi all, I'm trying to read the animations from bosses in Dark Souls III, specifically Iudex Gundyr, the first boss. This is for PvE only, not interested in the multiplayer part.
Thanks to the DSIII cheat table I was able to find a pointer chain to the animation of the boss. Now here is the tricky part: if I hit the boss, it displays what I suspect is the bleed animation. Meanwhile, the boss still continues its attack and even transitions to other attacks. I am, however, unable to tell when the animation has changed because the bleed animation "overwrites" these other animations for its whole duration. It's crucial for me to know exactly when the attack animations start.
Things I tried:
- Disable bleed effect in the menu: does not work, the animation name still changes.
- Dissect the entity structure: I found two or three locations close to the animation string whose byte patterns correspond to the current animation. Unfortunately the bleed animation overwrites these as well.
- Find the animation directly in the memory: I looked for bytes/4 bytes/8 bytes in the memory that change when the animation changes. This was unsuccessful; maybe each animation is broken down into sub-animations internally? This is my first attempt at reverse engineering, so I don't know if that's a common pattern.
- Find out what writes to this location: it seems a single "repe movsb" op transfers the string. This copying over of animation names seems to pause during the bleed animation. I don't know how to trace where it gets disabled though; there are hundreds of jumps to this particular function. If I could find where it gets disabled I could maybe alter that jump to continue writing.
- Check out where the value comes from: the movsb op gets its value from a location way outside the usual game memory addresses. I was trying to see which ops access this weird address, but it gets accessed by hundreds of ops as well and changes values at high frequencies. I suspect this is some kind of address that many game objects use to transfer data, but I can't figure out how to find the op that "transfers" the boss animation.
Any help on this is highly appreciated!
PS: This is my first post, if I somehow messed up the category or something please let me know.
TsTg Master Cheater Reputation: 5
Joined: 12 Dec 2012 Posts: 334 Location: Somewhere....
Posted: Sun May 01, 2022 3:33 pm Post subject: |
This would need more reversing for sure, but try some of the following:
1- Make the boss bleed, then while bleeding do a breakpoint on the start of the code (at mov r10,rdx) and see if the string source actually contains a string that represents the attack. If it works, you can inject there and copy the string to an allocated memory later.
2- You can try a breakpoint at DarkSouls.exe+1FC3724 (at the bit test with 1). This line checks the byte value in that pointer (DarkSouls.exe+493d4bc) and copies the value into the carry flag, which then jumps if it equals one or higher. You could do some "find out what writes" on the flag and see what the flag is about, and if it actually changes whenever the bleed effect starts/stops. The r10 register can also be checked there to see if it contains the attack string.
amacati How do I cheat? Reputation: 0
Joined: 01 May 2022 Posts: 4
Posted: Sun May 01, 2022 4:23 pm Post subject: |
Thanks for the suggestions! I had actually looked into DarkSouls.exe+1FC3724 to see which branch the code usually takes. This flag (second one on the bottom of my table in the img attached to my first post) stays at 0x2. I have not seen it change. I tried setting it to 0x0 to change the CF and see what happens, but everything continues working just fine. That's what I was indicating with the comment; I think it might be some sort of optimization so that the movsb op can be replaced by something that has the identical effect. But I'm no asm expert, and it does strike me as an odd implementation, so maybe I'm just not getting its real purpose.
The breakpoint is a great suggestion, thanks! The problem is that the function is called a lot, on the order of 1000s of calls per second. When I insert a breakpoint I never get to see the calls I'm interested in. I'm basically buried by thousands of other calls. Do you know if there is a way to automatically process breaks by checking a condition on the registers? Maybe that would help.
Btw, it seems to be some value transfer between two parts of the memory, one in the range of 0x0000000004400000 and the other one in the range of 0x00007FF4A0000000 (at least on my system). The second one is where all the other information about the game is stored. I have no clue about the first one. Transfers go both ways, so sometimes the regular process memory is the target, sometimes the source. Have you seen something like this before? Is that a pattern that hints at something?
TsTg Master Cheater Reputation: 5
Joined: 12 Dec 2012 Posts: 334 Location: Somewhere....
Posted: Sun May 01, 2022 6:39 pm Post subject: |
- After setting a breakpoint, you can right click the line and look for the "breakpoint condition" option; in there you can place a register condition as needed (for example RAX == 0x123456).
- As for the multiple breakpoint hits, this is most likely shared code, used by other game stuff, and you need to find a good way to filter (like the registers, for example).
- As for memory locations, I believe it's irrelevant.
amacati How do I cheat? Reputation: 0
Joined: 01 May 2022 Posts: 4
Posted: Mon May 02, 2022 3:43 pm Post subject: |
Thanks for the hint, that's exactly what I was looking for. I'm gonna try to analyse the code a bit more with the conditional breakpoints and let you know if I have any success with that.
Yeah I thought the same about the shared code. It's actually quite interesting to see what else is transferred in this function.
May I ask why you believe the memory locations are irrelevant? So far I've used the closeness in memory as kind of a sanity check, or at least as an indicator for whether or not I'm looking in the right place.
TsTg Master Cheater Reputation: 5
Joined: 12 Dec 2012 Posts: 334 Location: Somewhere....
Posted: Mon May 02, 2022 5:58 pm Post subject: |
Can't really tell from here (sorry, I don't have the game). The first address could be the base address of darksouls.exe or a page/code section near it, but if the game is always selecting a memory region in the 7xxxxxxxxxx range, it could be allocating memory near one of the system's/game's DLLs (usually system DLLs occupy that area).
If you want a closer look you can use the "Enumerate DLLs and Symbols" option, and activate the option to show all symbols; this should tell you if that memory page belongs to a module or not.
amacati How do I cheat? Reputation: 0
Joined: 01 May 2022 Posts: 4
Posted: Wed May 11, 2022 3:26 pm Post subject: |
Follow-up for anyone who is facing a similar problem: I managed to find an integer ID for each attack that still shows the correct attacks when the boss takes damage, and -1 if he's idle. While it's not what I was looking for initially, it solves the problem.
Thanks again for your help TsTg!