truefalse Newbie cheater
Posted: Wed Jun 27, 2012 3:32 am Post subject: help with some math ^^
hello,
I'm trying to first get the base address for HP in a game, which I will use in a C# project to display this HP..
..the second pointer is addressed to 1E502268 and the offset happens to be 8. <- this does in fact display the HP in Cheat Engine -
... do I need to go to the base address if I don't want to modify the HP?
If I do need to go further, I tried this:
then I try to go further to the next pointer which will then lead me to the next and then to the base address.. but I get stuck at the third pointer and I believe that's because I don't know how to do the math at this specific point.
extra info:
EAX=FFFFF075
EBX=24C1D800
ECX=07FA71FC
EDX=0000008A
ESI=1DF90000
EDI=1DB60000
EBP=0018FDD8
ESP=0018FDD4
EIP=00870F61
Probable base pointer =07FA71FC
00870F55 - and edx,[ecx+00000418]
00870F5B - mov ecx,[ecx+08]
00870F5E - mov ecx,[ecx+edx*4]
00870F61 - pop esi
00870F62 - test ecx,ecx
this is what I tried:
1E502268=[ecx+edx*4]
(1E502268-07FA71FC)/4=1C5185E9 <- wtf is this? oO Is it even correct?
Fresco Grandmaster Cheater
truefalse Newbie cheater
Posted: Wed Jun 27, 2012 6:22 am
thanks for the quick response, I will look into this asap and see what I can get out of it!
Fresco Grandmaster Cheater
truefalse Newbie cheater
Posted: Wed Jun 27, 2012 8:12 am
I did like you said, went up a step on "Extra info" to collect the address above the "*4" offset, which happened to be "00870F5B", to get the correct ecx..
went into "Show disassembler":
searched for address: 00870F5B
Found the address, right clicked and chose 'break and trace instructions'
I set the max trace count to 3
in all 3 results I wrote down the ecx:
19BFE02C, 19BFE040 and 37C27A20
I then replaced these values in my math formula like this:
Original math:
(1E502268-07FA71FC)/4=1C5185E9
pls notice: 1E502268 is an address that changes whenever I re-open the game, this time it happened to be 19BFE2A0 so my math becomes:
(19BFE2A0 -19BFE02C)/4=134FEA95
(19BFE2A0 -19BFE040)/4=134FEA90
(19BFE2A0 -37C27A20)/4=BCF4418
I then use these addresses to find the pointer, neither of which work.
; but I'm not sure I'm doing this correctly =x
so many questions xD
Corruptor Advanced Cheater
Posted: Wed Jun 27, 2012 9:42 am
In the original post:
...
EBX=24C1D800
ECX=07FA71FC
EDX=0000008A
...
using the trace method:
00870F5B - mov ecx,[ecx+08], ecx = 19BFE02C
00870F5E - mov ecx,[ecx+edx*4], ecx = 19BFE040
00870F61 - pop esi, ecx = 37C27A20
Note how the ecx for the original instruction and the one from the break and trace thingy are totally different. Assuming the address is at another address every game, the offset should not change. But it does. I guess that this function is used to generally modify the HP of anything in the game and that that break and trace instruction tracked down some other unit's HP. If you want to track down YOUR HP, you've got to use a conditional breakpoint.
Talking about breakpoints, why not set a breakpoint directly ON the instruction at 00870F5E? It will break before execution and you can basically read the ecx right out of it. Since this seems to be a shared function, you most likely have to give this breakpoint a condition (which would be that ecx+edx*4 is the address you were using the "find out what accesses this address" function on).
What does your formula do btw? edx*4 is the offset and ecx is the value the pointer most likely has. Theoretically, basis - pointer would be the offset, wouldn't it? Dividing it by 4 would then be the value of edx.
Also, afaik: (19BFE2A0 - 19BFE02C) = 0x274. Which is most likely an offset or something. Unit number 0x274/4 = 9D I'd say.
truefalse Newbie cheater
Posted: Wed Jun 27, 2012 11:03 am
alright, more info - that's awesome <3
I'll go ahead and try to BP the main instruction and see what happens. I feel like the further I get the harder it becomes to understand what I'm doing and what you guys are telling me, but please share as much info as possible;
there's 2 things that give me a kick,
1 when I solve stuff myself
2 when someone points me in the right direction so that I stop hitting that brick wall
Fresco Grandmaster Cheater
Posted: Thu Jun 28, 2012 2:01 am
Corruptor is right.
do the same break and trace, but this time set a condition, calculate ecx
(ecx == FFFFFFFF) replace FFFFFFFF with the true ecx.
truefalse Newbie cheater
Posted: Thu Jun 28, 2012 2:20 am
anywhere I can learn how to write these conditions?
Fresco Grandmaster Cheater
Posted: Thu Jun 28, 2012 3:08 am
Fresco wrote:
    Corruptor is right.
    do the same break and trace, but this time set a condition, calculate ecx
    (ecx == FFFFFFFF) replace FFFFFFFF with the true ecx.
look above
Corruptor Advanced Cheater
Posted: Thu Jun 28, 2012 3:34 am
I actually found conditional break-and-trace instructions to be bugged :/
Usually I have to make a code injection with a conditional jump jumping over a nop to do that. And that is too deep for simply finding a pointer. Really, it's like buying a tank to shoot your house to get rid of the hornets' nest in the garden. Actually, a normal breakpoint (the F5 one) should work totally fine.
Never found a tutorial for conditional breakpoints myself and the help file of Cheat Engine doesn't really contain useful information either. I also never saw any kind of piece of Lua code, so here's what I found out about it:
- registers are written in caps: ECX, EAX, ESP etc.
- hexadecimal values start with 0x: 0xFF, 0x9D, 0x11, 0x1C5185E9
(those 2 are shown in the actual menu)
- == and != to compare ('==' means equals and '!=' means not equals)
- you should use brackets everywhere. For the sake of safety.
To add a conditional breakpoint:
- open the disassembler
- mark the line
- Press F5 or in the menu "Debug" -> "Toggle Breakpoint"
-> the line should now become green or red, can't remember right now xD
-> your game will now most likely break, ignore that
- right click on the line
- in the context menu, click "Set/Change break condition"
- put the condition you want (in your case, ecx+edx*4 would access your health, so it would be something like (ECX+(EDX*4)) == 0x07FA71FC where that weird hex number is the address of the variable you were using "find out what accesses this address" on)
-> check your spelling a million times. There is no warning if you misspell something.
- Run the game again (Debug -> Run or F9 if I remember correctly)
Now the game should only break when you are attacked. If it doesn't work, try to create a scenario where you are entirely alone and where there is no way any other anything's HP could possibly be altered in any way.
However, it should break. At the right side of the disassembler, it should then list the correct values of the registers.
truefalse Newbie cheater
Posted: Thu Jun 28, 2012 4:07 am
oh wow I just entered a whole new world of addresses, time to explore
so much support, thank you doods <3
truefalse Newbie cheater
Posted: Thu Jun 28, 2012 2:08 pm
First of all, I'm a noob at this so pls take this with a grain of salt..
I'm not sure if CE is bugged, or if I'm a noob.. but the offset and address can not be found with CE.
Why that is? I don't know.. but one thing is for sure, with Spiro's program it's way more efficient to find multi-pointers, and it works - for a noob like me.
(I did the part 9 tutorial, which I had enormous problems passing with CE, with Spiro's program in a matter of minutes.. )
the address I was trying to find said that it was a distance of 4000+ away from the original address, and the address I was looking for, the base address (green), is: 00F6DF90
the offsets were as follows:
org. addr: 07A6B9B0
p1 offset 0x8
p2 offset 0x68
p3 offset 0xFEC
base addr.: 00F6DF90
Dark Byte Site Admin
Posted: Fri Jun 29, 2012 5:59 pm
Quote:
    but the Offset and address can not be found with CE
If you mean the pointerscan, the default structsize is set to 2048. (0x7ff)
So if one of the offsets in the path is 0xfec it won't find it with the default setting.
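Added worked example (my own code, not from the thread or from Cheat Engine): it walks the pointer path truefalse posted (base 00F6DF90, then +0xFEC, +0x68, +0x8, landing on 07A6B9B0) over a constructed memory snapshot, reports the largest offset against the 2048 default struct size Dark Byte mentions, and recovers edx from `[ecx+edx*4]` the way Corruptor does. The intermediate pointer values and the HP value 100 are made up; only the base, the offsets, the final address and the two traced ecx values come from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed snapshot of a 32-bit target (address, dword stored there). Only
 * 0x00F6DF90, the three offsets and 0x07A6B9B0 come from the thread; the
 * intermediate pointer values and the HP value 100 are made up. */
struct cell { uint32_t addr, value; };
static const struct cell snapshot[] = {
    { 0x00F6DF90u, 0x05A00000u }, /* static base -> first object          */
    { 0x05A00FECu, 0x06B00000u }, /* [first + 0xFEC] -> second object     */
    { 0x06B00068u, 0x07A6B9A8u }, /* [second + 0x68] -> object holding HP */
    { 0x07A6B9B0u, 100u },        /* HP itself, the thread's "org. addr"  */
};
/* The thread's path in base-to-value order (Cheat Engine lists it bottom-up). */
static const uint32_t hp_path[] = { 0xFEC, 0x68, 0x8 };
/* Stand-in for ReadProcessMemory on one dword; returns 0 if the address is unmapped. */
static int read_dword(uint32_t addr, uint32_t *out) {
    for (size_t i = 0; i < sizeof snapshot / sizeof snapshot[0]; i++)
        if (snapshot[i].addr == addr) { *out = snapshot[i].value; return 1; }
    return 0;
}
/* [base], then [ptr + off] for every offset but the last, which is added
 * without a dereference. Returns the final address, or 0 on a failed read. */
static uint32_t resolve_chain(uint32_t base, const uint32_t *offs, size_t n) {
    uint32_t ptr;
    if (n == 0 || !read_dword(base, &ptr)) return 0;
    for (size_t i = 0; i + 1 < n; i++)
        if (!read_dword(ptr + offs[i], &ptr)) return 0;
    return ptr + offs[n - 1];
}
static uint32_t resolve_hp_path(void) { return resolve_chain(0x00F6DF90u, hp_path, 3); }
/* Largest offset in a path; a pointer scan whose max struct size (2048 by
 * default, per the thread) is below this value cannot find the path. */
static uint32_t max_offset(const uint32_t *offs, size_t n) {
    uint32_t m = 0;
    for (size_t i = 0; i < n; i++) if (offs[i] > m) m = offs[i];
    return m;
}
/* For `mov ecx,[ecx+edx*4]`: recover edx from the accessed address and the
 * ecx seen at that instruction; -1 if the distance is not dword-aligned. */
static int64_t array_index(uint32_t accessed, uint32_t ecx) {
    uint32_t delta = accessed - ecx;
    return (delta & 3u) ? -1 : (int64_t)(delta / 4u);
}
int main(void) {
    printf("HP at %08X; largest offset 0x%X (scanner default 2048); edx = 0x%llX\n",
           resolve_hp_path(), max_offset(hp_path, 3), (long long)array_index(0x19BFE2A0u, 0x19BFE02Cu));
    return 0;
}
```

Because 0xFEC is above 2048, the default pointer scan misses this path, which is the situation Dark Byte describes; raising the max struct size is the fix rather than switching tools.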