Cheat Engine Forum (The Official Site of Cheat Engine) -> Cheat Engine

Is it possible to find all the routines of a class?

imposible (Newbie cheater, reputation 0, joined 12 Jan 2015, 22 posts)
Posted: Mon Jan 12, 2015 7:38 pm
Subject: Is it possible to find all the routines of a class?

Hello. I have experience in programming, but not in assembly. I am a newbie with Cheat Engine.

This is my first post, and I'm not allowed to post images or URLs, but I will attempt to post the image URLs, replacing the "." with "," and removing the slash in the closing [/img] tag.

I tried to contact the moderator to ask for the images to be fixed, since I cannot post them. However, I am also not allowed to PM the moderator.

Please, could somebody quote my message with the images fixed?




I'm trying to get past a locked door in a game about an alien.

First, I tried to locate the player position, but failed.
I aimed to find the Z value by going up and down many stairs and looking for increased/decreased values. But I ended up with 1500 variables and no way to reduce that number.
I also tried to stay still in one place and filter by unchanged values, but then I ended up with 0 variables, maybe because the Z value has slight random variations for realism.

So, I tried another tactic. I need to get past this door:

[image: i.imgur.com/BFr5P5n.jpg?1]

As you can see, the door shows a message: "Door Locked". I found the constant string and edited it to "doorlocked". Then I verified that all locked doors show this string, so it is the right, universal string.

This is a different door:

[image: i.imgur.com/PZKbZXz.jpg?1]


But this door has a button, which can be used to open locked doors:

[image: i.imgur.com/4aXDLgg.jpg?1]

Now, I suspect that both doors are instances of the same class, so what I want to do is find the function for the button that unlocks the second door and execute it on the first door, which does not have a button but probably has the button/unlock routine.

So, I started by finding the locked door and button strings, which are "Locked Door" and "Emergency Override", edited both constants by deleting the space, and verified that all locked doors and buttons use those constants, so they are not ephemeral strings:

[image: i.imgur.com/XeALaQI.jpg?1]

Then I used the option "Find out what accesses this address" for both strings, and I think I found some copy routine located at 01CDCCA0 and 01A42070.

I do not understand assembly, but I can see that the routines are the same for both accessed strings.

[image: i.imgur.com/mUWMyZn.jpg?1]
[image: i.imgur.com/rnnDsYu.jpg?1]

At this point my brain burned out, and I do not know if I'm on the right track.

Do I have a chance of finding the routine that unlocks the door?
What should I try next?


I thought of putting a breakpoint on the possible string copy routine and running step by step until I find the button routine that called that code, but I have no idea how many nested calls there are. In assembly there may be hundreds or thousands of nested routines, so how will I know that I have reached the door class level?
Even then, I would have found the button code, but not the unlock door code, only the string one. How do I find the other routines of that class?

Gniarf (Grandmaster Cheater Supreme, reputation 43, joined 12 Mar 2012, 1285 posts)
Posted: Mon Jan 12, 2015 8:55 pm
Subject: Re: Is it possible to find all the routines of a class?

imposible wrote:
Do I have a chance of finding the routine that unlocks the door?
Ahem, the probability of you finding the function that unlocks the door is non-zero, but imo it is very, very low.
imposible wrote:
What should I try next?
Click on the "Show disassembler" button; that will show you a larger chunk of code than the poor 5 lines of the "Find out what ***" window. Most likely the function that reads the strings just copies them from a string database to a temporary buffer before sending them to the screen, so you'll have to look at the parent functions. One such parent function will probably be something like DisplayText(StringID) (your game is localized, ya know...), and far, far, far deeper you'll have the function that controls opening/closing doors.
Your best friend there will be the execute till return feature.

Q:How do I know I'm looking at the function that unlocks doors after stepping out of subfunctions?
A:*Pokerface*, why did I say "very very low" probability?
Sometimes there may still be references to debug messages (like "push 123456" and the debugger will tell you that at 123456 lies the string "DEBUG: unlocked door %d").
Or you can also try replacing the function by a simple "return" and see what happens. Return in assembly is "retn"/"ret" or "ret Number", you'll have to use the same as what the function originally uses. "ret Number" does not mean "return this Number" but "exit function and deallocate Number/4 parameters".
Or you can find a conditional jump over a particular subfunction call and try to force that jump (replace j** with jmp). It may have less unwanted effects than replacing with retn/ret Number, especially if the subfunction is called from various places, or if its return value matters.

...And that assumes that the function that prints text onscreen is actually called by the door opener or one of its subfunctions. However the door opener could also simply post a message and return; and the message would be handled at a completely different time, possibly by a different thread.

If I were you, I'd continue on the position hack.

imposible wrote:
First, I tried to locate the player position, but failed.
I aimed to find the Z values, by going up and down many stairs, and looking for increased/decreased values. But I ended with 1500 variables, and no way to reduce that number.
When you've reached that point there are 2 things you can try:
1-Look at the values and see if some "look nice", i.e. I doubt position exceeds 100 000, so all floats that are displayed with an "E+0xxx" are unlikely to be your position.
2-Add all 1500 results to your table, freeze half and see if you can jump. If you can, then delete all the frozen results, otherwise delete the others, rinse and repeat. Sometimes this method will make the game crash (ex: when freezing a pointer), but that's a risk to take.

imposible wrote:
I also tried to stay quiet in the place and filter by unchanged values, but then I ended with 0 variables, because maybe the z value has slight random variations for realism.
Which hints that position is probably a float or double rather than an int. Otherwise a slight variation would at least be one full game unit and a corridor's length would be huge, which would be less practical when creating the map. I know it's not much of a justification, I'm just giving you my hunch.


EDIT: If you absolutely insist on opening the door, I guess you could do the following IF unlocked doors open when you come near them and close shortly after:
1-find the boolean that governs whether a door is currently open, or the timer until it autocloses.
2-find what accesses it and then put a breakpoint (BP) on the first instruction of the function that accessed bDoorOpen.
3-go to a locked door and see if your BP is hit.
If it is hit then you have a good idea of where bLocked is checked.
If your BP is not hit go back to the unlocked door, find the parent of the function that contains your BP, and move your BP to the top of this function, then try the locked door again. Normally you shouldn't have to dig very deep in the function hierarchy.

_________________
DO NOT PM me if you want help on making/fixing/using a hack.
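The "freeze half, try to move, keep the half that mattered" bisection in Gniarf's post above is easy to drive by hand for 20 results and tedious for 1500 (about 11 rounds). The Cheat Engine Lua script below is an added example, not code from the thread or from Cheat Engine's own distribution; it automates the bookkeeping and only asks the user whether movement was blocked after each round. It assumes the scan results have already been added to the address list, and the API names it uses (getAddressList, AddressList.Count and MemoryRecord[], MemoryRecord.Active and .Address) are the ones documented in CE's main.lua; check them against your version.

```lua
-- Added example (not from the thread or from Cheat Engine itself).
-- Bisects a large candidate set for the player position by freezing half of
-- the cheat table records per round. Paste into Table -> Show Cheat Table
-- Lua Script after adding all scan results to the address list.
--
-- Assumed CE Lua API (see main.lua in the CE directory):
--   getAddressList(), AddressList.Count, AddressList.MemoryRecord[i] (0-based),
--   MemoryRecord.Active (true = frozen), MemoryRecord.Address (string).
-- Caveat from the thread: freezing unrelated data (e.g. a pointer) can crash
-- the game, so save before each round.

local al = getAddressList()

local candidates = {}          -- record indexes still in the running
for i = 0, al.Count - 1 do candidates[#candidates + 1] = i end

local frozenHalf = {}          -- record indexes frozen in the current round

local function unfreezeAll()
  for i = 0, al.Count - 1 do al.MemoryRecord[i].Active = false end
end

-- Freeze the first half of the remaining candidates; returns how many were frozen.
function bisectStep()
  unfreezeAll()
  frozenHalf = {}
  local n = math.floor(#candidates / 2)
  for k = 1, n do
    frozenHalf[k] = candidates[k]
    al.MemoryRecord[candidates[k]].Active = true
  end
  print(string.format("%d candidates left, %d frozen. Try to walk/climb, then call bisectAnswer(stuck)",
                      #candidates, n))
  return n
end

-- stuck = true  : you could not move normally (you glided or kept falling), so the
--                 position variable is among the frozen records.
-- stuck = false : movement was normal, so it is among the unfrozen records.
-- Returns the number of candidates still left.
function bisectAnswer(stuck)
  local frozen = {}
  for _, idx in ipairs(frozenHalf) do frozen[idx] = true end

  local keep = {}
  for _, idx in ipairs(candidates) do
    if (frozen[idx] == true) == stuck then keep[#keep + 1] = idx end
  end
  candidates = keep
  unfreezeAll()

  if #candidates <= 1 then
    if candidates[1] then
      print("position candidate: " .. al.MemoryRecord[candidates[1]].Address)
    else
      print("no candidates left: the position was not in the table, or freezing it was not noticeable")
    end
  else
    bisectStep()   -- start the next round automatically
  end
  return #candidates
end

bisectStep()
```

Because the game here has no jump, "stuck" means what Gniarf describes later in the thread: freeze on a staircase and see whether you glide or repeatedly fall when walking down. A round that is answered wrongly throws away the right half, so when in doubt repeat the same round before answering.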
pellik (Advanced Cheater, reputation 0, joined 14 Jun 2013, 93 posts)
Posted: Wed Jan 14, 2015 4:33 pm

Does DBVM work for you? It allows you to log code branching to see what code has or has not run. For example, when the "door locked" message is on the screen you know that bit of display code is getting called from the same routine that locks the door. You just look at the door, it runs; look away, it doesn't run; etc., until you've got a few dozen instructions to look through.

(I can't remember what that feature is called right now, sorry)

imposible (Newbie cheater, reputation 0, joined 12 Jan 2015, 22 posts)
Posted: Wed Jan 14, 2015 5:38 pm
Subject: Re: Is it possible to find all the routines of a class?

Gniarf wrote:
EDIT: If you absolutely insist on opening the door, I guess you could do the following IF unlocked doors open when you come near them and close shortly after:
1-find the boolean that governs whether a door is currently open, or the timer until it autocloses.
2-find what accesses it and then put a breakpoint (BP) on the first instruction of the function that accessed bDoorOpen.
3-go to a locked door and see if your BP is hit.
If it is hit then you have a good idea of where bLocked is checked.
If your BP is not hit go back to the unlocked door, find the parent of the function that contains your BP, and move your BP to the top of this function, then try the locked door again. Normally you shouldn't have to dig very deep in the function hierarchy.


I want to thank you for your help. I wanted to have something before answering, but I didn't make any progress.

I made other attempts with the position, but got nothing.

The game cannot jump, but has crouch. Crouching does not seem to modify the Z position, and strangely, neither does the camera position (I can't detect it).

I'm still trying to open the door. I found a text string with the text AI_UI_INTERACTIONS_OPEN_DOOR
I thought it was used by a constructor, but it is accessed 26 times when I open/close a door.

Edit: I also found these strings:
AI_UI_DOOR_LOCKED
AI_UI_USE_DOOR
LOCKED_DOOR
UNLOCKED_DOOR

And this one: DOOR_STATE

By searching for the variable that stores the open/closed state of a door, I reduced the search to some 100 boolean variables, which switch when a nearby door opens. Sometimes changing the value of one locks the door. It does not open or close, but when I approach, the open/close animation is triggered.

Sadly, changing that variable does not trigger any function.


pellik wrote:
Does DBVM work for you? It allows you to log code branching to see what code has or has not run. For example, when the "door locked" message is on the screen you know that bit of display code is getting called from the same routine that locks the door. You just look at the door, it runs; look away, it doesn't run; etc., until you've got a few dozen instructions to look through.

(I can't remember what that feature is called right now, sorry)


Yes, it works. Thanks for telling me.

The first time it crashed windows, but it runs now.

I had been running the debugger step by step. Is there a way to choose the next instruction to be executed?

Gniarf (Grandmaster Cheater Supreme, reputation 43, joined 12 Mar 2012, 1285 posts)
Posted: Wed Jan 14, 2015 9:43 pm
Subject: Re: Is it possible to find all the routines of a class?

imposible wrote:
I wanted to have something before answering, but I didn't make any progress.

I made other attempts with the position, but got nothing.

The game cannot jump, but has crouch. Crouching does not seem to modify the Z position, and strangely, neither does the camera position (I can't detect it).
Disable fast scan and try again. Fast scan with alignment=4 means CE will only look for 32 bit aligned variables, which is the most likely thing for position, but sometimes developers do weird things...

Also just in case: sometimes axes are upside down, going up makes your Z decrease. Did you try scanning for that?

imposible wrote:
By searching for the variable that stores the open/closed state of a door, I reduced the search to some 100 boolean variables, which switch when a nearby door opens. Sometimes changing the value of one locks the door. It does not open or close, but when I approach, the open/close animation is triggered.
Very good, you have found variables that are written each time you open/close a door and fiddling with them does affect door behavior. Now find what writes one of them (presumably the door state) and the (un)locked check shouldn't be far, possibly in the immediate parent, or the current function. Maybe a few levels deeper but most likely really close.

imposible wrote:
Is there a way to choose the next instruction to be executed?
Double click on "EIP", type/paste the address of the instruction you want to execute.

imposible wrote:
The game cannot jump, but has crouch. Crouching does not seem to modify the Z position
That means you cannot use jump/crouch to check if you're really freezing Z position. In this case climb some stairs, freeze variable, and try to go down. If you "glide" or repeatedly fall then you've found Z position.

imposible (Newbie cheater, reputation 0, joined 12 Jan 2015, 22 posts)
Posted: Wed Jan 14, 2015 11:17 pm
Subject: Re: Is it possible to find all the routines of a class?

Gniarf wrote:
imposible wrote:
I wanted to have something before answering, but I didn't make any progress.

I made other attempts with the position, but got nothing.

The game cannot jump, but has crouch. Crouching does not seem to modify the Z position, and strangely, neither does the camera position (I can't detect it).
Disable fast scan and try again. Fast scan with alignment=4 means CE will only look for 32 bit aligned variables, which is the most likely thing for position, but sometimes developers do weird things...

Also just in case: sometimes axes are upside down, going up makes your Z decrease. Did you try scanning for that?

I will check. If Z is inverted or rotated, that would invalidate all I did.

Gniarf wrote:
imposible wrote:
Is there a way to choose the next instruction to be executed?
Double click on "EIP", type/paste the address of the instruction you want to execute.


That's gold, Gniarf. You don't know how valuable it is to me. I thought that Cheat Engine was unable to do that, so I was planning to use Cheat Engine on itself to change the address :)

Gniarf wrote:
imposible wrote:
By searching for the variable that stores the open/closed state of a door, I reduced the search to some 100 boolean variables, which switch when a nearby door opens. Sometimes changing the value of one locks the door. It does not open or close, but when I approach, the open/close animation is triggered.
Very good, you have found variables that are written each time you open/close a door and fiddling with them does affect door behavior. Now find what writes one of them (presumably the door state) and the (un)locked check shouldn't be far, possibly in the immediate parent, or the current function. Maybe a few levels deeper but most likely really close.

I reduced them to 50 variables which change when the door is locked.

Is there any way to detect which one changes first/last, other than finding what accesses all of them and manually setting a breakpoint on each of them to find the first breakpoint hit (I really will do that)?

I was thinking of using Cheat Engine on itself.
If there is an easy way to put a breakpoint on the Cheat Engine routine that updates the scan tab, it would stop at the first update.


Edit: I recorded a video, with the intention of advancing it frame by frame to see which variables change first, but Cheat Engine updates all of them at the same time (the green/red light shows the unlocked/locked state)
[image: i.imgur.com/c1RoRUI.gif?1]


Last edited by imposible on Wed Jan 14, 2015 11:54 pm; edited 1 time in total

Gniarf (Grandmaster Cheater Supreme, reputation 43, joined 12 Mar 2012, 1285 posts)
Posted: Wed Jan 14, 2015 11:52 pm
Subject: Re: Is it possible to find all the routines of a class?

imposible wrote:
Is there any way to detect which one changes first/last, other than finding what accesses all of them and manually setting a breakpoint on each of them to find the first breakpoint hit (I really will do that)?
Afaik, the simplest way is to use a lua script to automatically set a BP on each record of your cheat table. Refer to main.lua (in the same directory as cheat engine's executable) for the list of available CE lua functions.

EDIT 2: forgot to mention that this only works with breakpoint type set to page exceptions in settings->debugger options. Otherwise you're limited to 4 breakpoints.

imposible wrote:
I was thinking of using Cheat Engine on itself.
If there is an easy way to put a breakpoint on the Cheat Engine routine that updates the scan tab, it would stop at the first update.
Well cheat engine is open source, so you could compile it in debug mode and set a breakpoint wherever you want... I'd prefer the lua method described above though.


Thinking again about:
imposible wrote:
Sometimes changing the value of one locks the door. It does not open or close, but when I approach, the open/close animation is triggered.
If you lock the door in the closed state and come near it, the opening animation will play. If you wait a bit, can you go through this opened door, or is there some kind of invisible wall? Does the door instantly close when the animation is over?
If you look at CE while the door is opened and the variables are frozen in "door closed" state, do the variables seem to "flicker" or quickly alternate between both states (if yes it means they are periodically overwritten by the door's real state, which is stored elsewhere)?

The thing I'm trying to figure there is if you have found the door's state, or the state of the door's 3D model.

EDIT 1: looking at your gif made me think about one more thing: green addresses mean statically allocated variables, so unless all the map's (door) data is hardcoded into the exe, you can ignore green addresses.

Search results' values are updated every 500 ms by default, as defined in settings->general settings.

Last edited by Gniarf on Thu Jan 15, 2015 1:30 am; edited 1 time in total
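Gniarf's suggestion above (a Lua script that sets a breakpoint on every record of the cheat table) is what turns the "which variable changes first" question into a deterministic answer instead of a frame-by-frame recording. The script below is an added example, not code from the thread or from Cheat Engine's distribution. It assumes the CE Lua API names documented in main.lua (getAddressList, MemoryRecord.Address, getAddress, debug_setBreakpoint with a callback, bptWrite, debug_removeBreakpoint) and the register globals (EIP/RIP) that CE exposes inside a breakpoint callback; verify these against your CE version. As the post says, the breakpoint type in Settings -> Debugger options must be "Page exceptions", otherwise you are limited to the four hardware breakpoints.

```lua
-- Added example (not from the thread or from Cheat Engine itself).
-- Arms a write breakpoint on every record in the cheat table and logs the
-- order in which each address is FIRST written, so the door-state variable
-- that changes first is identified by the debugger rather than by a 60 fps video.
-- Paste into Table -> Show Cheat Table Lua Script with the debugger attached and
-- Settings -> Debugger options -> breakpoint type = "Page exceptions".
--
-- Assumed CE Lua API (see main.lua): getAddressList(), MemoryRecord.Address,
-- getAddress(), debug_setBreakpoint(address, size, trigger, callback), bptWrite,
-- debug_removeBreakpoint(), and the EIP/RIP globals inside the callback.

local al = getAddressList()
local hitOrder = {}      -- integer addresses, in order of first write
local seen = {}          -- address -> true once it has been logged
local RECORD_SIZE = 1    -- the candidates in the thread are 1-byte booleans

-- Builds the callback for one address. CE calls it on every write to that byte;
-- returning 1 tells CE to resume the game silently instead of breaking.
local function onWrite(address)
  return function()
    if not seen[address] then
      seen[address] = true
      hitOrder[#hitOrder + 1] = address
      local ip = RIP or EIP or 0   -- writer's instruction pointer (64- or 32-bit target)
      print(string.format("%2d. %08X first written by instruction at %08X",
                          #hitOrder, address, ip))
    end
    return 1
  end
end

-- Arm one write breakpoint per cheat table record; returns how many were armed.
function armAll()
  hitOrder, seen = {}, {}
  local armed = 0
  for i = 0, al.Count - 1 do
    -- getAddress resolves "01A42070" as well as "game.exe+1234" style records
    local address = getAddress(al.MemoryRecord[i].Address)
    debug_setBreakpoint(address, RECORD_SIZE, bptWrite, onWrite(address))
    armed = armed + 1
  end
  print(string.format("armed %d write breakpoints; now lock/unlock the door", armed))
  return armed
end

-- Remove every breakpoint again once the door has been toggled.
function disarmAll()
  for i = 0, al.Count - 1 do
    debug_removeBreakpoint(getAddress(al.MemoryRecord[i].Address))
  end
end

-- The addresses in first-write order, as hex strings (first entry = changed first).
function hitOrderHex()
  local out = {}
  for i, address in ipairs(hitOrder) do out[i] = string.format("%08X", address) end
  return out
end

armAll()
```

Two practical notes. With page exceptions every write to a page that holds any of the candidates traps and is single-stepped, so the game will stutter while the breakpoints are armed; call disarmAll() as soon as the door has been toggled once. And the instruction pointer printed on each first hit is the writer, which is exactly the "find what writes this address" result Gniarf asks for next, already sorted by the order in which the writes happened.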
imposible (Newbie cheater, reputation 0, joined 12 Jan 2015, 22 posts)
Posted: Thu Jan 15, 2015 12:16 am
Subject: Re: Is it possible to find all the routines of a class?

Gniarf wrote:
EDIT: looking at your gif made me think about one more thing: green addresses mean statically allocated variables, so unless all the map's (door) data is hardcoded into the exe, you can ignore green addresses.


Gold again!

Levels are loaded at runtime, so it makes no sense for all doors to have static variables.

The only thing I could imagine having static variables is the player itself.
So I just moved to another door, locked it, and only the green addresses updated.

When I returned to the first door and locked it, the green addresses recovered the values they had with this door.


I didn't make clear that in the last post I was speaking of the locked_door_state, and in older posts I was talking about the closed_door_state.
Doors can be open/closed, and locked/unlocked.


EDIT:
Gniarf wrote:
Search results' values are updated every 500 ms by default, as defined in settings->general settings.

I reduced 500 ms to 16 ms, and recorded the video at 60 fps. I was lucky, and identified a single variable that changes first.

That one changes first, then all the others but two, then the red light switches, and then the last two variables switch.

[image: i.imgur.com/un45eEU.gif?1]

Let's see what I can do with it. I hope the first one helps me identify the routine that fires the unlock door code, and the last ones the locked door variable.

imposible (Newbie cheater, reputation 0, joined 12 Jan 2015, 22 posts)
Posted: Thu Jan 15, 2015 10:32 pm

Partial success!

I changed some behavior of the locked door.

I reduced the boolean variables to a small bunch, and used "Find out what accesses this address" (and also what writes) to identify how many functions access each address and how frequently.

One "accessing instruction" continually accessed that address each time I approached the door I could control, in the locked state, and also when I approached that door, locked, from the other side.

When I checked the addresses it accesses, it also fired continually when I approached another door.
So I approached the door I want to unlock, checked the most accessed address, changed its value, and that affected whether the "door locked" label was displayed.

I did not unlock the door, but at least I changed some of its behavior.

I made a video. Sorry for the low resolution (720p), but my monitor is 1650, so YouTube reduces it to 720p.

www.youtube.com/watch?v=En3XzaKjsSI

Gniarf (Grandmaster Cheater Supreme, reputation 43, joined 12 Mar 2012, 1285 posts)
Posted: Fri Jan 16, 2015 12:06 am

Ok, this is interesting, wtf do they need a bool for just to toggle displaying a message:
theory A: some doors that are never meant to be opened are locked doors that do not display the "door locked" message.
theory B: this game has collision boxes that display messages when you enter them (like "warning radioactive area!"). Locked doors are just "coincidentally" wrapped in such boxes.

Anyway, some comments I can make on what I saw:
-the function you found is very short (2 instructions), so it is probably an accessor called from several different places. It'd be interesting to have a look at the parent functions.
-your variable is accessed with an offset of +0C, which most of the time means that your class instance starts 0xC bytes earlier. Watch the door you can control in the memory dump (lower pane of the memory browser) and see what & how its other members vary when you (un)lock the door.
-You also found the function that writes that boolean, at 1454Dxx; see if it also writes other variables... like the one that controls whether you can actually open the door or not. Apparently it's the function you were investigating there. The cmp you circled checks if the door is really locked, and the next jne skips some code if the door is UNlocked. Consequently we can assume that what's between this jne and its landing point is probably the unlocking code, or part of it.


imposible (Newbie cheater, reputation 0, joined 12 Jan 2015, 22 posts)
Posted: Fri Jan 16, 2015 3:24 am

I opened the door, but can't reproduce it. It was just luck.

I messed with too many booleans.

The only thing I can say for sure is that I only switched boolean variables stored in bytes, and I had disabled the "Door locked" message.
Suddenly, I found the prompt "press E" to open the door. I don't even remember the text.

I can't think clearly now. I don't know how many hours I've been awake. Going to sleep.

www.youtube.com/watch?v=XB6gjPWH60I

This is not over. I want to reproduce it, and understand it.