| 
			
				|  | Cheat Engine The Official Site of Cheat Engine
 
 
 |  
 
	
		| View previous topic :: View next topic |  
		| Author | Message |  
		| seikur0 Advanced Cheater
 
  Reputation: 7 
 Joined: 02 Aug 2013
 Posts: 98
 Location: Germany
 
 | 
			
				|  Posted: Mon Aug 11, 2014 9:15 am    Post subject: Useful features for future Cheat Engine releases |   |  
				| 
 |  
				| Hey guys, in the moment I'm working quite a lot with Cheat Engine and therefore I noticed some software features would be nice to have. I dont't know if this is the right place for this thread, maybe you can already request features somewhere else, but here I go:
 
 -Dynamic offsets for pointers: The possibility to set the offset of a pointer from a simple "ED" for example to 1.:"[016F578B]" or maybe even something complicated like 2.:"[016F578B]*4+[016F576A]+0x87". While the second one might already be too much, the first one would be really handy. You could then use auto assembler script to reach the second complicated expression and store it somewhere and use it in the first expression.
 
 -The ability to minimize the main window without minimizing everything else. It should be an option in the settings, because sometimes you just need that window space. Also sometimes you need other stuff open and visible like text editors or images so you should be able to turn off the always in foreground behavior in the settings as well.
 
 -The ability to type in another window while you modify an adress in the main window. Often while searching for pointers you have an adress with a longer pointer chain and you need to see it or at least the base adress while working in the memory view window or maybe data dissect tool.
 
 -The ability to copy register values like eax at any time not only when breaking a process.
 
 -For an adress in the main window the ability to copy not only the base adress but the following adresses for each offset would be very handy.
 
 -More advanced options for the data dissect tool to auto-determine variable types and when you have the structure the ability to quickly change the data type. 1-byte or 2-byte values might be nowhere in the game at all and you might know it, so the data dissect should be able to take that into account
 
 -This would be really advanced but there could be a much much better pointer scan tool. Let me explain:
 If you have an adress, you can scan, what accesses this adress, so you have the place in the code, where that happens. For example "mov [eax+7b],ebx". Now 7b is the first offset, doing it manually you would search for the place, where eax is modified, like maybe 5 lines higher mov eax,[ecx]. So 00 is the next offset. Now you would look for the code, that modifies ecx and so on. At the time of the "mov [eax+7b],ebx" instruction Cheat Engine can determine exactly the path in the code, the program went, because it has the code and the stack. Therefore this process of looking for a pointer could be done completely automatically. This is much better than the pointer scan tool as it is now. Now it just bruteforces the adresses. With the method I described it would really find them as they are in the code and as they are used, so it would be much more reliable. The theoretical tool would show all code lines of the pointer path with the corresponding adress in the code. So you could manually look for things like "mov eax,[eax+edx*4]" so you could manually adjust the offset at this place if edx maybe varies from 0 to 5 to adjust the pointer to point to one of 6 character stats. The tool can find even more complicated relations because it knows the stack and it knows the code. For more complicated constellations where the stack pointer is changed a lot, it could break the code at every place, where it lacks information and get these from the current stack and registers:
 mov [ecx+08],ebx
 inc ecx,4
 mov eax,[ecx+0c]
 ->eax=ebx
 All in all this feature would be so much helpful, it would be really revolutionary in my opinion.
 
 Maybe some of these features are already included and I just don't know it. Who develops Cheat Engine anyway, is it a team? For the last tool I described, I would be interested in adding it myself to the program, if possible. Or maybe it would be possible with lua script, what do you think? Also what do you generally think of these features I described or maybe do you have another feature, which would be really handy but is not in the Program? I'm eager to see your answers.
 
 Greetings, SeiKur0
 |  |  
		| Back to top |  |  
		|  |  
		| Redouane Master Cheater
 
 ![]() Reputation: 3 
 Joined: 05 Sep 2013
 Posts: 363
 Location: Algeria
 
 | 
			
				|  Posted: Mon Aug 11, 2014 10:43 am    Post subject: Re: Useful features for future Cheat Engine releases |   |  
				| 
 |  
				|  	  | seikur0 wrote: |  	  | -Dynamic offsets for pointers: The possibility to set the offset of a pointer from a simple "ED" for example to 1.:"[016F578B]" or maybe even something complicated like 2.:"[016F578B]*4+[016F576A]+0x87". While the second one might already be too much, the first one would be really handy. You could then use auto assembler script to reach the second complicated expression and store it somewhere and use it in the first expression.
 | 
 
 
 Maybe,I don't use the pointer scanner very often.
 
 
  	  | seikur0 wrote: |  	  | -The ability to minimize the main window without minimizing everything else. It should be an option in the settings, because sometimes you just need that window space. Also sometimes you need other stuff open and visible like text editors or images so you should be able to turn off the always in foreground behavior in the settings as well. | 
 
 
  	  | Code: |  	  | do local main = getMainForm();
 createHotkey(function () main.Visible = false end,VK_A)
 createHotkey(function () main.Visible = true end,VK_B)
 -- feel free to change A and B
 end
 | 
 Then,press A to minimize and B to restore
 
 
  	  | seikur0 wrote: |  	  | -The ability to type in another window while you modify an adress in the main window. Often while searching for pointers you have an adress with a longer pointer chain and you need to see it or at least the base adress while working in the memory view window or maybe data dissect tool. | 
 
 When working,I always keep the notepad open,and copy/paste any useful finding to it,so this wouldn't help me much.
 
 
  	  | seikur0 wrote: |  	  | -The ability to copy register values like eax at any time not only when breaking a process. | 
 
 How can Cheat Engine know the value of a register in a code area that did not get executed?it isn't even possible to guess,there are jumps,conditions everywere.
 
 
  	  | seikur0 wrote: |  	  | -For an adress in the main window the ability to copy not only the base adress but the following adresses for each offset would be very handy. | 
 
 I don't really understand what you mean,but I think that you mean the addresses of the offsets in the same structure.
 
 
  	  | seikur0 wrote: |  	  | -More advanced options for the data dissect tool to auto-determine variable types and when you have the structure the ability to quickly change the data type. 1-byte or 2-byte values might be nowhere in the game at all and you might know it, so the data dissect should be able to take that into account | 
 
 I think that there is something for this in Lua:
 onAutoGuess(function)
 http://wiki.cheatengine.org/index.php?title=onAutoGuess
 I have never used this.
 
 
  	  | seikur0 wrote: |  	  | -This would be really advanced but there could be a much much better pointer scan tool. Let me explain: If you have an adress, you can scan, what accesses this adress, so you have the place in the code, where that happens. For example "mov [eax+7b],ebx". Now 7b is the first offset, doing it manually you would search for the place, where eax is modified, like maybe 5 lines higher mov eax,[ecx]. So 00 is the next offset. Now you would look for the code, that modifies ecx and so on. At the time of the "mov [eax+7b],ebx" instruction Cheat Engine can determine exactly the path in the code, the program went, because it has the code and the stack. Therefore this process of looking for a pointer could be done completely automatically. This is much better than the pointer scan tool as it is now. Now it just bruteforces the adresses. With the method I described it would really find them as they are in the code and as they are used, so it would be much more reliable. The theoretical tool would show all code lines of the pointer path with the corresponding adress in the code. So you could manually look for things like "mov eax,[eax+edx*4]" so you could manually adjust the offset at this place if edx maybe varies from 0 to 5 to adjust the pointer to point to one of 6 character stats. The tool can find even more complicated relations because it knows the stack and it knows the code. For more complicated constellations where the stack pointer is changed a lot, it could break the code at every place, where it lacks information and get these from the current stack and registers:
 mov [ecx+08],ebx
 inc ecx,4
 mov eax,[ecx+0c]
 ->eax=ebx
 | 
 
 This would take a quadratic time,because:
 1-Assembly code isn't always that simple,sometimes,you have to go through a thousand of crazy lines of asm to find it,there are also conditionnal jumps,jumps from outside that cannot be backtraced,because you are going backward.
 2-This can't be done to 10,000 addresses,it wouldn't work
 There is an option in the pointer scanner 'pointer must end with specific offsets' that I find very useful
 
 
  	  | seikur0 wrote: |  	  | Maybe some of these features are already included and I just don't know it. Who develops Cheat Engine anyway, is it a team? For the last tool I described, I would be interested in adding it myself to the program, if possible. Or maybe it would be possible with lua script, what do you think? Also what do you generally think of these features I described or maybe do you have another feature, which would be really handy but is not in the Program? I'm eager to see your answers. 
 Greetings, SeiKur0
 | 
 
 Cheat Engine is Developped by Dark-Byte,it's open source,this means that you can get the source code and modify it,the source can be found here:
 https://code.google.com/p/cheat-engine/source/checkout
 you can also download it from here:
 http://cheatengine.org/downloads.php
 |  |  
		| Back to top |  |  
		|  |  
		| seikur0 Advanced Cheater
 
  Reputation: 7 
 Joined: 02 Aug 2013
 Posts: 98
 Location: Germany
 
 | 
			
				|  Posted: Mon Aug 11, 2014 12:07 pm    Post subject: Re: Useful features for future Cheat Engine releases |   |  
				| 
 |  
				|  	  | Redone wrote: |  	  | 
  	  | seikur0 wrote: |  	  | -The ability to copy register values like eax at any time not only when breaking a process. | 
 
 How can Cheat Engine know the value of a register in a code area that did not get executed?it isn't even possible to guess,there are jumps,conditions everywere.
 | 
 I mean after you used a breakpoint, but when the process is running again. You still see the register values but can't copy them.
 
 
  	  | Redone wrote: |  	  | 
  	  | seikur0 wrote: |  	  | -For an adress in the main window the ability to copy not only the base adress but the following adresses for each offset would be very handy. | 
 
 I don't really understand what you mean,but I think that you mean the addresses of the offsets in the same structure.
 | 
 In the main window, when you add an adress and if it's a pointer with many offsets, then you have a new adress for each offset. Those should be copyable. Also in the same window you should be able to set these offsets dynamically, that's what I meant.
 
 
  	  | Redone wrote: |  	  | 
  	  | seikur0 wrote: |  	  | -This would be really advanced but there could be a much much better pointer scan tool. Let me explain: If you have an adress, you can scan, what accesses this adress, so you have the place in the code, where that happens. For example "mov [eax+7b],ebx". Now 7b is the first offset, doing it manually you would search for the place, where eax is modified, like maybe 5 lines higher mov eax,[ecx]. So 00 is the next offset. Now you would look for the code, that modifies ecx and so on. At the time of the "mov [eax+7b],ebx" instruction Cheat Engine can determine exactly the path in the code, the program went, because it has the code and the stack. Therefore this process of looking for a pointer could be done completely automatically. This is much better than the pointer scan tool as it is now. Now it just bruteforces the adresses. With the method I described it would really find them as they are in the code and as they are used, so it would be much more reliable. The theoretical tool would show all code lines of the pointer path with the corresponding adress in the code. So you could manually look for things like "mov eax,[eax+edx*4]" so you could manually adjust the offset at this place if edx maybe varies from 0 to 5 to adjust the pointer to point to one of 6 character stats. The tool can find even more complicated relations because it knows the stack and it knows the code. For more complicated constellations where the stack pointer is changed a lot, it could break the code at every place, where it lacks information and get these from the current stack and registers:
 mov [ecx+08],ebx
 inc ecx,4
 mov eax,[ecx+0c]
 ->eax=ebx
 | 
 
 This would take a quadratic time,because:
 1-Assembly code isn't always that simple,sometimes,you have to go through a thousand of crazy lines of asm to find it,there are also conditionnal jumps,jumps from outside that cannot be backtraced,because you are going backward.
 2-This can't be done to 10,000 addresses,it wouldn't work
 There is an option in the pointer scanner 'pointer must end with specific offsets' that I find very useful
 
 | 
 With the "Dissect Code" feature those conditional jumps can be traced already, the tool could then set breakpoints at every possible location from where it could have jumped and compare the registers to determine, which is the real one. You could set breakpoints at all possible locations with the condition that all or some registers must be the same, then it would be linear. Then you might have to trigger it several times ingame, for example loose health, if you're scanning for the health pointer. An alternative method can be used as well: With the break and trace and step over feature it is possible to find the function from which it is called and go to the basic calling function. From there you can just trace all the jumps up to the code line you're interested in. Of course there are many things to consider and it might have limits, but I think it's feasible especially since it can be done manually as well.
 The specific offset option is helpful indeed.
 
 Thank you for the informations, maybe I will try to add this advanced pointer scan routine sometime.
 |  |  
		| Back to top |  |  
		|  |  
		| Chris12 Expert Cheater
 
 ![]() Reputation: 1 
 Joined: 27 Apr 2012
 Posts: 103
 
 
 | 
			
				|  Posted: Mon Aug 11, 2014 12:35 pm    Post subject: Re: Useful features for future Cheat Engine releases |   |  
				| 
 |  
				|  	  | Redone wrote: |  	  | 
  	  | seikur0 wrote: |  	  | -More advanced options for the data dissect tool to auto-determine variable types and when you have the structure the ability to quickly change the data type. 1-byte or 2-byte values might be nowhere in the game at all and you might know it, so the data dissect should be able to take that into account | 
 
 I think that there is something for this in Lua:
 onAutoGuess(function)
 http://wiki.cheatengine.org/index.php?title=onAutoGuess
 I have never used this.
 
 
  	  | seikur0 wrote: |  	  | -This would be really advanced but there could be a much much better pointer scan tool. Let me explain: If you have an adress, you can scan, what accesses this adress, so you have the place in the code, where that happens. For example "mov [eax+7b],ebx". Now 7b is the first offset, doing it manually you would search for the place, where eax is modified, like maybe 5 lines higher mov eax,[ecx]. So 00 is the next offset. Now you would look for the code, that modifies ecx and so on. At the time of the "mov [eax+7b],ebx" instruction Cheat Engine can determine exactly the path in the code, the program went, because it has the code and the stack. Therefore this process of looking for a pointer could be done completely automatically. This is much better than the pointer scan tool as it is now. Now it just bruteforces the adresses. With the method I described it would really find them as they are in the code and as they are used, so it would be much more reliable. The theoretical tool would show all code lines of the pointer path with the corresponding adress in the code. So you could manually look for things like "mov eax,[eax+edx*4]" so you could manually adjust the offset at this place if edx maybe varies from 0 to 5 to adjust the pointer to point to one of 6 character stats. The tool can find even more complicated relations because it knows the stack and it knows the code. For more complicated constellations where the stack pointer is changed a lot, it could break the code at every place, where it lacks information and get these from the current stack and registers:
 mov [ecx+08],ebx
 inc ecx,4
 mov eax,[ecx+0c]
 ->eax=ebx
 | 
 
 This would take a quadratic time,because:
 ...
 | 
 
 Hi, it's not 100% related to dissecting code/data-structures but might still be interesting.
 I made a tool some time ago (1-2 years) that does something similar.
 Ofc it won't work for all things but it will generate a complete expression most of the time.
 For example you select an assembly line in CE and then you hit the hotkey you've set in my tool.
 It will backtrack the expression and split at each ambiguous expression.
 For example:
 
 mov [ecx], 0xabc
 mov eax,1
 mov ebx,[ecx]
 add eax,ebx
 mov [12345], eax <<<<<< select this line, my tool will interpret it as "how does [12345] get its value here?"
 
 It will show you a list of expressions that will create the value at your selected assembly line.
 In my example it will output:
 1.) [12345] <- [ecx]+1
 2.) [ecx] <- 5
 1.+2.) ([0xabc]+1)
 ...
 
 The tool allows you to instantly find static addresses and pointer-paths even to very complex pointers. You just have to fill in some blanks. For example at some point a register is used as an index into an array, so you have to insert something for it, maybe a player-index (Player, Npc1, npc2, ...) or something.
 
 So the foundation of the code is already done and I could post it. The suggested feature and my tool share many concepts so maybe that could help?
 I stopped working on it because CE sometimes does not load .NET-Dlls correctly and crashes. I talked with DB about it but couldn't figure out what was wrong.
 |  |  
		| Back to top |  |  
		|  |  
		| STN I post too much
 
  Reputation: 43 
 Joined: 09 Nov 2005
 Posts: 2676
 
 
 | 
			
				|  Posted: Mon Aug 11, 2014 12:44 pm    Post subject: |   |  
				| 
 |  
				| I have to agree about the copying registers thing, after a breakpoint is set and game allowed to run you can't copy them anymore even though their values are shown correct. 
 Of course before a breakpoint their values can't be available but after that, i believe they are stored in a buffer somewhere or even the editbox/whatever it is using, it should be just a matter of copying them.
 
 Rest of the feature requests don't apply to me or expect CE to be way advanced and guess things, i don't think they are even possible.
 _________________
 
 |  |  
		| Back to top |  |  
		|  |  
		| Redouane Master Cheater
 
 ![]() Reputation: 3 
 Joined: 05 Sep 2013
 Posts: 363
 Location: Algeria
 
 | 
			
				|  Posted: Mon Aug 11, 2014 1:23 pm    Post subject: Re: Useful features for future Cheat Engine releases |   |  
				| 
 |  
				|  	  | seikur0 wrote: |  	  | I mean after you used a breakpoint, but when the process is running again. You still see the register values but can't copy them. | 
 
 Sorry for misunderstanding,I mostly use Ollydbg when it comes to debugging.
 
 
  	  | seikur0 wrote: |  	  | In the main window, when you add an adress and if it's a pointer with many offsets, then you have a new adress for each offset. Those should be copyable. Also in the same window you should be able to set these offsets dynamically, that's what I meant. | 
 
 Since I'm fast at typing,I don't see it as a problem to just type it manually.
 |  |  
		| Back to top |  |  
		|  |  
		| seikur0 Advanced Cheater
 
  Reputation: 7 
 Joined: 02 Aug 2013
 Posts: 98
 Location: Germany
 
 | 
			
				|  Posted: Thu Aug 14, 2014 1:24 am    Post subject: |   |  
				| 
 |  
				| @Chris12: Yes I think that's about the same thing I meant, I just want it integrated in CheatEngine directly. It would be very helpful, if you could post it. 
  	  | Chris12 wrote: |  	  | I stopped working on it because CE sometimes does not load .NET-Dlls correctly and crashes.
 | 
 Maybe you could use CheatEngine to debug another CheatEngine Instance, which loads the dll to trace the crash, haha.
 |  |  
		| Back to top |  |  
		|  |  
		|  |  
  
	| 
 
 | You cannot post new topics in this forum You cannot reply to topics in this forum
 You cannot edit your posts in this forum
 You cannot delete your posts in this forum
 You cannot vote in polls in this forum
 You cannot attach files in this forum
 You can download files in this forum
 
 |  |