Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Having issues finding pointers in a singleplayer steam game

Cheat Engine Forum Index -> General Gamehacking
ArcaneDegree
How do I cheat?
Reputation: 0

Joined: 07 May 2022
Posts: 3

Posted: Sat May 07, 2022 9:29 am    Post subject: Having issues finding pointers in a singleplayer steam game

Hello there, I have been lurking around the forums for quite some time, and I have also been learning some Assembly recently. I have been trying to find the base address of a value that changes the number of artillery troops in a game called DummyNations, a newly released game on Steam. The number of artillery troops is basically stored as a 4-byte value at a dynamic address, and I have managed to locate the dynamic address. The problem I am facing currently, however, is that I am unable to find a pointer to the dynamic address.

Problem:
I managed to find the dynamic address holding the value for the number of artillery troops. I right-clicked on this value and clicked on "Find out what accesses this address", then I found this:
1F26024D2E8 - C481622A5C 91 10 - vcvtsi2ss xmm3,ebx,[r9+r10*4+10] <<
where r9 is equal to 000000070C101AB0 and r10 is equal to 0000000000000003. Once I clicked on "More Information", Cheat Engine also told me that the value of the pointer needed to find this address is probably 70C101AB0. I tried a hex search for this value (I even selected all value types to search); however, I got 0 results. My question is: how do I find the pointer in that case?
MarcRené
Newbie cheater
Reputation: 0

Joined: 20 Mar 2017
Posts: 15

Posted: Sat May 07, 2022 10:07 am    Post subject:

You can try several things:

1. Try a pointer scan for 70C101AB0, but with increased depth and offset size. You should at least get some results; usually you'll get thousands of results. And with some luck, some of these pointers will stay valid after restarting your game.

2. try a pointer scan for 70C101Acc (the final result of r9+r10*4+10)

3. The best thing would be to go to the code address you found and make a code injection (mark the line with the code you found, hit Ctrl-A to invoke the auto assembler and then click on Template - AOB Injection). In the code injection, back up the address to your own memory location. The final script should look something like this:

Code:

[ENABLE]
aobscan(INJECT,C4 81 62 2A 5C 91 10)  // full 7-byte pattern of vcvtsi2ss xmm3,ebx,[r9+r10*4+10]
alloc(newmem,$1000)
alloc(myaddress,8)  // reserve room for your address

label(code)
label(return)

newmem:
  mov [myaddress],r9  // store the base address before the original instruction runs

code:
  vcvtsi2ss xmm3,ebx,[r9+r10*4+10]
  jmp return

INJECT:
  jmp newmem
  nop                 // the original instruction is 7 bytes, jmp newmem is 5
  nop
return:
registersymbol(INJECT myaddress) // make your address known to the rest of the table

[DISABLE]
INJECT:
  db C4 81 62 2A 5C 91 10         // restore all 7 original bytes
unregistersymbol(*)
dealloc(*)


best regards,
Marc
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Sat May 07, 2022 10:57 am    Post subject:

Did you search using the 8-byte data type? Pointers in 64-bit processes generally have a size of 64 bits (8 bytes).

You can try the pointer scanner if you want.
https://www.youtube.com/watch?v=3dyIrcx8Z8g

I'd reach for code injection first, but it can be confusing if you don't know how to read assembly. Search for "injection copy" for more information.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
ArcaneDegree
How do I cheat?
Reputation: 0

Joined: 07 May 2022
Posts: 3

Posted: Sat May 07, 2022 9:23 pm    Post subject:

ParkourPenguin wrote:
Did you search using the 8-byte data type? Pointers in 64-bit processes generally have a size of 64 bits (8 bytes).

You can try the pointer scanner if you want.
[Insert the link of youtube video you sent me since I can't send links at the current time.]

I'd reach for code injection first, but it can be confusing if you don't know how to read assembly. Search for "injection copy" for more information.


I did indeed try searching using the 8-byte data type, as well as other data types, but still got 0 results. I also tried the steps in the video you linked; it works in the tutorial, but in this game for some reason I still get 0 results. I have also tried the pointer scanner, but all pointer scans return 0 pointer paths for some reason, and they take a very short time to complete despite my attempts to continuously and rapidly increase the structure size and max offset. I am starting to wonder why pointers are suddenly non-existent in this game. Is there any other way I could find pointers in this game, or is code injection my only option at this point?
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Sat May 07, 2022 10:31 pm    Post subject:

Maybe the pointers could be packed with other data: i.e. the most significant byte and maybe 1-3 of the least significant bits could be used for something else and masked away when necessary.

Maybe it's an emulator using big endian.

Maybe the game is obfuscating pointers on purpose (e.g. xor).

I don't know. I'd have to look at the code to find out.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
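ParkourPenguin's list above (tag bits, big endian, xor) is the usual checklist a memory analyst works through when an exact-value scan for a pointer that is demonstrably in a register returns nothing. The following C program is added here as an illustration; it is not code from the thread, from Cheat Engine or from the game. It builds a small constructed memory image in which the pointer value quoted in the thread is stored under several encodings, then compares a plain little-endian 8-byte scan against a scan that decodes each hypothesis before comparing. The XOR key, heap base, tag-bit positions and the 32-bit shifted-reference form are constructed assumptions for the demonstration only; the game in the thread is not known to use any of them.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed values: the pointer quoted in the thread plus an obfuscation
   key and heap base that are assumptions for this demonstration only. */
#define TARGET     0x000000070C101AB0ULL
#define XOR_KEY    0xA5A5A5A5A5A5A5A5ULL
#define HEAP_BASE  0x0000000700000000ULL
#define PTR_MASK   0x00FFFFFFFFFFFFF8ULL   /* drop a top tag byte and 3 low tag bits */

enum { ENC_RAW, ENC_BE, ENC_MASKED, ENC_XOR, ENC_COMPRESSED, ENC_COUNT };
#define ALL_HYPOTHESES ((1u << ENC_COUNT) - 1)
static const char *enc_name[ENC_COUNT] = { "raw_le", "big_endian", "masked", "xor", "compressed" };

/* Byte-order helpers so the scan never depends on host alignment/endianness. */
static void put_le64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void put_be64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[7 - i] = (uint8_t)(v >> (8 * i)); }
static void put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint64_t get_le64(const uint8_t *p) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static uint64_t get_be64(const uint8_t *p) { uint64_t v = 0; for (int i = 0; i < 8; i++) v = (v << 8) | p[i]; return v; }
static uint32_t get_le32(const uint8_t *p) { uint32_t v = 0; for (int i = 3; i >= 0; i--) v = (v << 8) | p[i]; return v; }

/* Constructed image: 16 bytes of filler, then one encoding per 16-byte slot. */
#define IMAGE_SIZE 112
enum { SLOT_RAW = 16, SLOT_BE = 32, SLOT_LOW_TAG = 48, SLOT_HIGH_TAG = 64, SLOT_XOR = 80, SLOT_COMP = 96 };

void build_image(uint8_t *img) {
    memset(img, 0, IMAGE_SIZE);
    put_le64(img + SLOT_RAW,      TARGET);                          /* plain 64-bit pointer */
    put_be64(img + SLOT_BE,       TARGET);                          /* big-endian storage   */
    put_le64(img + SLOT_LOW_TAG,  TARGET | 0x5);                    /* low bits used as tags */
    put_le64(img + SLOT_HIGH_TAG, TARGET | (0x3FULL << 56));        /* top byte used as a tag */
    put_le64(img + SLOT_XOR,      TARGET ^ XOR_KEY);                /* xor-obfuscated       */
    put_le32(img + SLOT_COMP,     (uint32_t)((TARGET - HEAP_BASE) >> 3)); /* 32-bit shifted ref */
}

/* Decode the bytes at `off` under one hypothesis; returns 0 if it does not fit. */
int decode_at(const uint8_t *img, size_t off, int enc, uint64_t *out) {
    if (enc == ENC_COMPRESSED) {
        if (off + 4 > IMAGE_SIZE) return 0;
        *out = HEAP_BASE + ((uint64_t)get_le32(img + off) << 3);
        return 1;
    }
    if (off + 8 > IMAGE_SIZE) return 0;
    uint64_t q = get_le64(img + off);
    switch (enc) {
    case ENC_RAW:    *out = q;                  break;
    case ENC_BE:     *out = get_be64(img + off); break;
    case ENC_MASKED: *out = q & PTR_MASK;       break;
    case ENC_XOR:    *out = q ^ XOR_KEY;        break;
    default:         return 0;
    }
    return 1;
}

/* Scan every 4-byte-aligned offset under the hypotheses selected in `mask`.
   Returns the number of distinct offsets at which some hypothesis matched. */
size_t scan(const uint8_t *img, uint64_t target, unsigned mask) {
    size_t found = 0;
    for (size_t off = 0; off < IMAGE_SIZE; off += 4) {
        int hit_here = 0;
        for (int enc = 0; enc < ENC_COUNT; enc++) {
            uint64_t v;
            if (!(mask & (1u << enc))) continue;
            if (decode_at(img, off, enc, &v) && v == target) {
                printf("  +0x%02zx matches as %s\n", off, enc_name[enc]);
                hit_here = 1;
            }
        }
        found += (size_t)hit_here;
    }
    return found;
}

/* A plain 8-byte little-endian search, what an exact hex scan does. */
size_t plain_scan_hits(void) {
    uint8_t img[IMAGE_SIZE]; build_image(img);
    return scan(img, TARGET, 1u << ENC_RAW);
}

/* The same search with every encoding hypothesis applied first. */
size_t decoded_scan_hits(void) {
    uint8_t img[IMAGE_SIZE]; build_image(img);
    return scan(img, TARGET, ALL_HYPOTHESES);
}

int main(void) {
    printf("plain 8-byte scan:\n");   size_t a = plain_scan_hits();
    printf("decoded scan:\n");        size_t b = decoded_scan_hits();
    printf("plain found %zu location(s), decoded found %zu\n", a, b);
    return 0;
}
```

The plain scan sees only the one slot where the pointer is stored verbatim; the other five copies of the same value are invisible to it until each hypothesis is applied. In a real analysis the key and heap base are not known up front; the practical move is to read the instruction that loads the register (as the later replies in this thread suggest) and see what arithmetic it performs on the stored value.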
ArcaneDegree
How do I cheat?
Reputation: 0

Joined: 07 May 2022
Posts: 3

Posted: Thu May 12, 2022 7:16 am    Post subject:

ParkourPenguin wrote:
Maybe the pointers could be packed with other data: i.e. the most significant byte and maybe 1-3 of the least significant bits could be used for something else and masked away when necessary.

Maybe it's an emulator using big endian.

Maybe the game is obfuscating pointers on purpose (e.g. xor).

I don't know. I'd have to look at the code to find out.


Hi there, sorry for the late reply. I have been trying to figure out how the game is obfuscating the pointers but can't really seem to find any leads. Here's some of the game's code, particularly the part that gets executed when the value of the artillery troops is being written to:

22493AC15B7 - 48 8B D2 - mov rdx,rdx
22493AC15BA - E9 C1AAFFFF - jmp 22493ABC080
22493AC15BF - 89 44 9A 10 - mov [rdx+rbx*4+10],eax <<
22493AC15C3 - 41 0FB6 5D 01 - movzx ebx,byte ptr [r13+01]
22493AC15C8 - 49 FF C5 - inc r13

RAX=000000000000011B
RBX=0000000000000003
RCX=00000224AFF36560
RDX=00000007078A1810
RSI=00000224B02D9750
RDI=0000000707E16038
RSP=0000007E627FF248
RBP=0000007E627FF290
RIP=0000022493AC15C3
R8=0000000701FF9DF8
R9=0000000000000003
R10=00007FF98B73A350
R11=0000000000000005
R12=0000000000000000
R13=00000224AFF34FF4
R14=0000007E627FF2C8
R15=00000224B78543C0

Please let me know if you need more code. I am having a hard time figuring out how the pointers are being encrypted; I've been stuck on this for the past couple of days now.

Edit: By the way, I just wanted to add to my previous reply that I did some digging around in the Steam game's folder and saw a Java executable as well as some DLLs with "java" in their names, which leads me to suspect that this game may be written in Java and not in C++ or C#. I also think this may be why I am not able to find any pointers in the game at all. Is there a way to be sure that a game is written in Java, and am I right in my assumption that the game is most likely written in Java? Also, is it still possible to find pointers in Java games?

Edit 2: I also noticed some strange behaviour where the address holding the value of the troops would sometimes just randomly change mid-game, despite me not restarting or leaving the game or doing anything else. I did some research, and it seems to confirm my suspicion that this is most likely a Java game, which would also explain why I am finding zero pointers in it. I have heard that pattern scanning and modifying instructions may be a better workaround for this problem. However, I have noticed that when I try to write a value to the eax register (which, as can be seen in the code above, copies its value over to the memory address that stores the number of artillery troops), the game crashes and exits with some random exit code consisting of a bunch of numbers. I have tried using another empty register to write a different value to the same memory address, but this also crashed the game. Could this be the result of an integrity check the game is carrying out on the value I am trying to change? Is there a way I can prevent the game from crashing when I inject code to write a new value to the memory address that stores the number of artillery troops? I have noticed the crashes only occur if I write a new value to it; if I just inject the code without writing any new value, the game does not crash.
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Thu May 12, 2022 10:48 am    Post subject:

That's a fairly basic array access. rdx is the base, rbx is the index into the array (dwords), and 0x10 is the array's offset from the base. If searching for rdx (8-byte hex scan) doesn't return any results, find out where rdx comes from. This might be dozens or hundreds of instructions above that point, or even somewhere else in the callstack (caller or callee).
You will have a hard time doing that on your own if you can't read assembly, and it's unlikely I'll be able to figure it out for you in a reasonable amount of forum posts. You can try asking someone else to do it for you.

Java could make pointers harder given it likely goes through the JVM. Personally I wouldn't try to find pointers in games being run through any kind of virtual machine (emulator or otherwise); VMs can do weird things that CE doesn't account for.

Given it's using an array access, code injection would be more annoying since that instruction will almost certainly access addresses other than the one you want. I'd still reach for that before pointers.
If you must, find a non-static pointer to the value and inject on that. This might not be practical if the value's location in the data structure can change.

ArcaneDegree wrote:
Also noticed some strange behaviour where the address holding the value of the troops would just sometimes randomly change mid-game despite me not restarting or leaving the game or doing anything else
It probably changes location in the data structure it's stored in.
If you can't find an instruction that accesses the exact unit you want and nothing else, see step 9 of the CE tutorial to learn how to differentiate between addresses being accessed.

ArcaneDegree wrote:
I have noticed that when trying to write a value to the eax register, which as can be seen in the code above, copies it's value over to the memory address that stores the value of the number of artillery troops, it causes the game to crash and exit with some random exit code that consists of a bunch of numbers, I have tried to use another empty register to write another value to the same memory address but this has also caused the game to crash, could this be the result of an integrity check that the game is carrying out on the value I am trying to change?
More likely than not you're doing something wrong in your AA script. That instruction accessing more than one address is almost certainly a problem, but there are many other potential problems.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
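The array-access reading ParkourPenguin gives above (base in rdx, dword index in rbx, 0x10 header offset), and the follow-up point that the unit's address can move inside its container without a restart, can be modelled in a few lines of C. This is an added illustration, not the game's code or anything posted in the thread: the struct layout, its header fields and the "remove a unit ahead of the tracked one" scenario are assumptions built from the register dump in the thread (RDX=00000007078A1810, RBX=3, RAX=0x11B).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed object layout behind  mov [rdx+rbx*4+10],eax : a 16-byte header
   followed by an array of 4-byte values. The header fields are placeholders,
   not the game's real layout. */
typedef struct {
    uint64_t header0;     /* e.g. a type/metadata word (assumed) */
    uint64_t header1;     /* e.g. a length word (assumed) */
    uint32_t items[8];    /* the dword array, starting at offset 0x10 */
} dword_array_t;

/* The address the instruction writes for a given base (rdx) and index (rbx). */
uint64_t effective_address(uint64_t base, uint64_t index) {
    return base + index * 4 + 0x10;
}

/* Confirms the struct really places items[] at 0x10, matching the displacement. */
size_t items_offset(void) {
    return offsetof(dword_array_t, items);
}

/* The write itself: the same instruction lands on a different address for
   every index, which is why a breakpoint on it fires for every unit. */
void store_count(dword_array_t *a, uint64_t index, uint32_t value) {
    a->items[index] = value;
}

/* Remove element `at` and shift the tail down, as a list removal or a
   runtime's compaction would. Returns the new index of the element that was
   at `track`, or -1 if that element was the one removed. */
int remove_and_shift(dword_array_t *a, size_t len, size_t at, size_t track) {
    if (at >= len) return (int)track;
    memmove(&a->items[at], &a->items[at + 1], (len - at - 1) * sizeof a->items[0]);
    a->items[len - 1] = 0;
    if (track == at) return -1;
    return track > at ? (int)track - 1 : (int)track;
}

/* Scenario from the thread: 0x11B is written at index 3, then the unit at
   index 1 is removed. Reports the value's new index, the value found there,
   and how many bytes its address moved (0 if nothing moved). */
uint64_t demo_shift(uint32_t *value_seen, int *new_index) {
    dword_array_t a;
    memset(&a, 0, sizeof a);
    store_count(&a, 3, 0x11B);                       /* RAX=0x11B, RBX=3 in the dump */
    uint64_t before = (uint64_t)(uintptr_t)&a.items[3];
    int idx = remove_and_shift(&a, 5, 1, 3);         /* a unit ahead of ours goes away */
    if (new_index) *new_index = idx;
    if (idx < 0) { if (value_seen) *value_seen = 0; return 0; }
    if (value_seen) *value_seen = a.items[idx];
    return before - (uint64_t)(uintptr_t)&a.items[idx];
}

/* Thin accessors so each result can be checked on its own. */
int      demo_new_index(void)  { int i; demo_shift(NULL, &i); return i; }
uint32_t demo_value(void)      { uint32_t v; demo_shift(&v, NULL); return v; }
uint64_t demo_moved_bytes(void){ return demo_shift(NULL, NULL); }

int main(void) {
    printf("items[] offset: 0x%zx\n", items_offset());
    printf("write address for RDX=00000007078A1810, RBX=3: %llx\n",
           (unsigned long long)effective_address(0x00000007078A1810ULL, 3));
    printf("after removing unit 1: value %x now at index %d, address moved %llu bytes\n",
           demo_value(), demo_new_index(), (unsigned long long)demo_moved_bytes());
    return 0;
}
```

The same formula reproduces Marc's earlier figure for the read side (r9=70C101AB0, r10=3 gives 70C101ACC), and the shift scenario is the mechanism behind "it probably changes location in the data structure": the value is intact, but the address a pointer path or a breakpoint was keyed to now belongs to a neighbouring element.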