Reading Memory Viewer to Understand the Underlying Item

 
Cadmium, posted Mon Nov 13, 2017 2:27 pm:

Hi guys, I've been tinkering around with CE and ran into a unique problem that hasn't really been solved by browsing the forums and Google.

The issue revolves around a lot of the guessing portions of some single-player games out there.
For instance, we have single-player games that have loot boxes, or pick one out of three items with their corresponding value (i.e., different amounts of gold). If someone wanted to modify their gold amount, that'd be pretty simple, since you can input pre-opening gold and then search for post-opening gold.

My issue in particular is figuring out if someone could creatively figure out ahead of time, prior to picking, how much gold (or a dud) is in each of the three choices, assuming that once someone clicks the loot box, or once it's secured, the outcomes are already set. (There's a reveal after it's been opened of what you could've gotten.)

So far I've taken a look at the memory viewer and attached debuggers to figure out what accesses the gold value when the box is picked and what writes to the gold address. That could be the end of my search (changing the value is easy), but I am more interested in what CE can tell me about the character of the item.

I apologize in advance, I'm not very good at describing things, and would love to chat about it.

Thanks everyone!
OldCheatEngineUser, posted Mon Nov 13, 2017 3:09 pm:

If I didn't get confused, you wanna modify the gold amount you get from these three boxes?
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote:
i am a sweetheart.
Cadmium, posted Mon Nov 13, 2017 3:17 pm:

OldCheatEngineUser wrote:
If I didn't get confused, you wanna modify the gold amount you get from these three boxes?

Not quite,

Modifying the gold amount isn't really the main objective, since that could probably be accomplished through looking up base gold.

I think the real challenge is being able to somehow figure out how much gold is in each "option" in a box. One deals with modification, which CE is really great for. The other, more difficult thing I'm confused about is how to go about looking at the memory and saying "that one is 50 gold because it has the character of a 50 gold option" or "that one is red and the other is blue".
FreeER, posted Mon Nov 13, 2017 5:35 pm:

Not something I've done but perhaps you can see what code changes gold and backtrace to see where that value comes from.
OldCheatEngineUser, posted Mon Nov 13, 2017 5:45 pm:

Usually (as far as I know and went through) when there is something like a value/item randomizer function, it's gonna be like this:

- wait for user mouse-click / key-press
- call randomizing function
- move the final value into a register, then move the register into the address to display it.

So in short you have to click/press a key to get this little thingy executed, so assuming there is a special subroutine to manage the box value/item:

- go to memory view
- run break and trace on your gold function before clicking on the box (after seeing what's writing to your address)

and it should take you to that subroutine (that's if there is a separate subroutine for that box).

But knowing the final value without clicking/pressing a key isn't gonna work, unless it's preset before clicking on the box, which means it's waiting for your click/key-press to show you the final result.

Hope that makes sense.

Cadmium, posted Mon Nov 13, 2017 5:48 pm:

My example with a loot box and gold/duds was really to illustrate the issue I've been running into.

The more accurate scenario I'm working with is like, say, you have ten boxes, and your AI opponent has ten boxes. Each box has HP (i.e., three HP) and is either a Win or a Loss. Each turn, you get to pick any number of boxes to assign two points of damage to. Meaning you pick one box, it gets hit for 1 point of damage, and then you pick another target to assign one point of damage (could be the same).

The Win/Loss nature of the box is determined when the game starts.

Once the box has 0 HP, it's revealed to everyone whether it was Win or Loss.
The first player to reveal 3 Win boxes wins the game.

So far, I've been able to pin down the exact three addresses (they turned out to be 4 byte) of the boxes I damage when I play, and I search around the local memory of where the address is located.
I have multiple search tabs open (10 in this example), and I do searches as I do damage to them.
My issue is that I can't figure out how to use what I've gotten to guess if it's a win or loss.

The frustration also comes from the fact that the address changes every time I play, and any guess I make takes multiple searches, so the value of knowing what to aim for is low, unless there's some way to pin down the values right when the game starts.

Sorry for the wordy reply, I'm not good at describing things.
OldCheatEngineUser, posted Mon Nov 13, 2017 6:08 pm:

Just a quick post:

The call should be to mscorlib.dll for randomizing the value. (I haven't seen anyone make their own random number generator for a game, which would be a waste of time I guess, so it's probably gonna be mscorlib.)

Cadmium, posted Mon Nov 13, 2017 6:23 pm:

To clarify,
The numeric "health" of the boxes is always the same at the start (3).
The address of the health (and other qualities of the box) changes every game.

However, the addresses look super similar, almost down to the last three digits in a 4 byte address.

Here's an example.

I narrow down one box's addresses to
1BF6648C
2D9B5A18
2DD56350

and another one is
2A36CD14
2D9A27A8
2DD15420

That third address is remarkably similar to the one before, and locking down the others I get a similar 2DD result.

That doesn't mean much, so I attached a "find out what accesses this address" and I get three hits.

65 counts of

2527FA4 - 85 C0 - test eax,eax
12527FA6 - 75 1A - jne 12527FC2
12527FA8 - 48 63 46 30 - movsxd rax,dword ptr [rsi+30] <<
12527FAC - 85 C0 - test eax,eax
12527FAE - 40 0F9F C0 - setg al

RAX=0000000000000002
RBX=0000000012D65D20
RCX=000000002DD56500
RDX=0000000000000002
RSI=000000002DD56500
RDI=0000000030703690
RSP=000000000077EBC0
RBP=000000000077EC90
RIP=0000000012527FAC
R8=0000000000000800
R9=0000000000000000
R10=000000002860C3E8
R11=0000000012527F90
R12=0000000030986070
R13=000000003765A690
R14=00000000307036A8
R15=0000000029F8C2A0

One count of
125029D2 - 48 8B 45 E0 - mov rax,[rbp-20]
125029D6 - 44 88 70 24 - mov [rax+24],r14l
125029DA - 48 63 46 30 - movsxd rax,dword ptr [rsi+30] <<
125029DE - 89 47 28 - mov [rdi+28],eax
125029E1 - 48 8D 65 E8 - lea rsp,[rbp-18]

RAX=0000000000000002
RBX=0000000043C92360
RCX=000000000077F678
RDX=000000001B103B20
RSI=000000002DD56500
RDI=00000000304254E0
RSP=000000000077E850
RBP=000000000077E870
RIP=00000000125029DE
R8=0000000000000800
R9=000000000000061D
R10=000000000FBFF0B0
R11=0000000003A470E0
R12=0000000043C92360
R13=0000000000000000
R14=0000000000000000
R15=000000002DD56500

and one count of

16D02910 - 48 63 4D CC - movsxd rcx,dword ptr [rbp-34]
16D02914 - 48 8B 45 A0 - mov rax,[rbp-60]
16D02918 - 89 48 30 - mov [rax+30],ecx <<
16D0291B - E9 61000000 - jmp 16D02981
16D02920 - 83 3E 00 - cmp dword ptr [rsi],00

RAX=000000002DD56500
RBX=000000000FE72480
RCX=0000000000000001
RDX=0000000000000001
RSI=0000000043C92360
RDI=0000000000000000
RSP=000000000077EBF0
RBP=000000000077EC70
RIP=0000000016D0291B
R8=000000000000005C
R9=000000000F9C0312
R10=000000000FBFF0B0
R11=0000000016CEE490
R12=000000002DD56500
R13=000000002DD56500
R14=000000002DD56500
R15=000000003808B340
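The register dumps above are easier to reason about once the memory operand of each marked instruction is resolved to an absolute address. The following parser is an added example (not code from the thread or from Cheat Engine): it reads CE's "ADDR - bytes - disasm <<" lines and the register dump that follows each hit, resolves the marked instruction's memory operand against the dumped registers, and reports which object base and field offset each hit touches. The sample text is a trimmed copy of the three hits quoted above, and the names parse_hits, reg_value, classify and summarize are my own.

```python
import re

# Constructed sample: the three "find out what accesses this address" hits quoted
# above, trimmed to the marked instruction, one neighbour and the registers used.
SAMPLE = """\
65 counts of

12527FA8 - 48 63 46 30 - movsxd rax,dword ptr [rsi+30] <<
12527FAC - 85 C0 - test eax,eax

RAX=0000000000000002
RSI=000000002DD56500

One count of
125029DA - 48 63 46 30 - movsxd rax,dword ptr [rsi+30] <<
125029DE - 89 47 28 - mov [rdi+28],eax

RAX=0000000000000002
RSI=000000002DD56500

and one count of

16D02918 - 89 48 30 - mov [rax+30],ecx <<
16D0291B - E9 61000000 - jmp 16D02981

RAX=000000002DD56500
RCX=0000000000000001
"""

COUNT_RE = re.compile(r"^(?:and\s+)?(\d+|one)\s+counts?\s+of$", re.I)
REG_RE = re.compile(r"^(R[A-Z0-9]+)=([0-9A-F]+)$", re.I)
MEM_RE = re.compile(r"\[([a-z0-9]+)([+-][0-9A-Fa-f]+)?\]")


def parse_hits(text):
    """Split CE's access list into hits: {count, instructions, regs, marked}."""
    hits, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:                                   # "65 counts of" starts a new hit
            n = m.group(1)
            cur = {"count": 1 if n.lower() == "one" else int(n),
                   "instructions": [], "regs": {}, "marked": None}
            hits.append(cur)
            continue
        m = REG_RE.match(line)
        if m and cur is not None:               # "RSI=000000002DD56500"
            cur["regs"][m.group(1).upper()] = int(m.group(2), 16)
            continue
        parts = line.split(" - ", 2)            # "ADDR - BYTES - DISASM [<<]"
        if len(parts) == 3 and cur is not None:
            addr, opcodes, disasm = parts
            marked = disasm.endswith("<<")
            disasm = disasm[:-2].strip() if marked else disasm
            mnemonic, _, operands = disasm.partition(" ")
            insn = {"address": int(addr, 16), "bytes": opcodes.split(),
                    "mnemonic": mnemonic, "operands": operands}
            cur["instructions"].append(insn)
            if marked:
                cur["marked"] = insn
    return hits


def reg_value(regs, name):
    """Resolve a register name against the 64-bit dump (eax = low 32 bits of RAX)."""
    name = name.lower()
    if name.startswith("e"):
        return regs["R" + name[1:].upper()] & 0xFFFFFFFF
    return regs[name.upper()]


def classify(hit):
    """Resolve the marked instruction's memory operand to an absolute address.
    CE dumps registers after the instruction ran, so the base register is only
    trustworthy if the instruction did not overwrite it (true for all three)."""
    insn = hit["marked"]
    m = MEM_RE.search(insn["operands"])
    disp = int(m.group(2), 16) if m.group(2) else 0   # CE prints displacements in hex
    target = (reg_value(hit["regs"], m.group(1)) + disp) & ((1 << 64) - 1)
    dst, _, src = insn["operands"].partition(",")
    entry = {"rip": insn["address"], "count": hit["count"], "target": target,
             "object_base": target - disp, "field_offset": disp,
             "kind": "write" if "[" in dst else "read"}
    if entry["kind"] == "write" and src.strip().isalnum():
        entry["value"] = reg_value(hit["regs"], src.strip())  # what got stored
    return entry


def summarize(text):
    """One entry per hit, in the order CE listed them."""
    return [classify(h) for h in parse_hits(text)]


if __name__ == "__main__":
    for e in summarize(SAMPLE):
        print(e)
```

Run on the sample, all three hits resolve to the same dword at 0x2DD56500+0x30: two reads (the 65-count one simply executes far more often than the others) and one write that stores 1, which is the box's HP going from 2 to 1 in that turn. Knowing the object base and the field offset is what lets a Dissect Data view of the object be lined up against the fields the game actually uses, instead of guessing from nearby values.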
Cadmium, posted Tue Nov 14, 2017 7:42 pm:

On an unrelated note,
I'd love to reimburse/donate to anyone who'd be willing to work on this project. It might be more helpful to work through PM if someone here has the expertise and time to analyze memory.
FreeER, posted Tue Nov 14, 2017 8:08 pm:

For finding the addresses you can probably open the memory view to

12527FA8 - 48 63 46 30 - movsxd rax,dword ptr [rsi+30]

since it accessed it 65 times it's probably reading it for display purposes, and so may well be reading all of the addresses. Right-click and see what addresses it accesses. With luck it'll show 1 address for each box and nothing else, whether they've had their health changed or not.

At that point you still have to use Dissect Data to try and find something that'd tell you what's in them, or try to find a pointer which stores that kind of value nearby, etc., but at least you don't have to spend much time finding the addresses.

Though it is entirely possible that all the "contents" aren't actually randomly generated at the start, only when they are opened; after all, without cheating, what's the difference between randomly assigning win/lose/empty at the start vs. when it's actually opened? Answer: to the player, none, but code-wise you may only have to generate 3 values in the second case (if the first 3 all happen to be "win") instead of 10, and you only have to store how many opened boxes have been "win" so that you can check if you're done, not the value for all n boxes (for all players).
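FreeER's contrast between deciding every box at game start and deciding only on open is worth seeing as code, because it is also the answer to the question of what a memory scanner can and cannot find. The following is an added example, not code from the thread or from any game: two toy boards with the same rules (10 boxes, 3 wins, 3 HP each). EagerBoard shuffles the outcomes up front, so a view of its state contains every unrevealed outcome; LazyBoard draws without replacement at the moment a box hits 0 HP and keeps only the counts of wins and boxes still unopened, so nothing in its state identifies a winning box before the reveal. Class and function names are my own, and memory_view() is a stand-in for what a scanner could read from process state.

```python
import random

WIN, LOSS = "win", "loss"


class EagerBoard:
    """Design A: every outcome is decided at game start and stored per box.
    The secret is therefore resident in memory before any box is opened."""

    def __init__(self, boxes=10, wins=3, rng=None):
        rng = rng or random.SystemRandom()
        outcomes = [WIN] * wins + [LOSS] * (boxes - wins)
        rng.shuffle(outcomes)
        self.hp = [3] * boxes
        self.outcome = outcomes                 # hidden from the UI, not from a scanner
        self.revealed = [None] * boxes

    def damage(self, i, points=1):
        """Apply damage; a box reveals its outcome when it reaches 0 HP."""
        self.hp[i] = max(0, self.hp[i] - points)
        if self.hp[i] == 0 and self.revealed[i] is None:
            self.revealed[i] = self.outcome[i]
        return self.revealed[i]

    def memory_view(self):
        """Stand-in for what a memory scanner can read from process state."""
        return {"hp": list(self.hp), "outcome": list(self.outcome),
                "revealed": list(self.revealed)}


class LazyBoard:
    """Design B: decide only when a box is opened and keep just the counts of
    wins and boxes still unopened. Nothing in memory says which box wins."""

    def __init__(self, boxes=10, wins=3, rng=None):
        self.rng = rng or random.SystemRandom()
        self.hp = [3] * boxes
        self.revealed = [None] * boxes
        self.wins_left = wins
        self.unopened = boxes

    def damage(self, i, points=1):
        if self.revealed[i] is not None:        # already opened, nothing to draw
            return self.revealed[i]
        self.hp[i] = max(0, self.hp[i] - points)
        if self.hp[i] == 0:
            # Draw without replacement: P(win) = wins_left / unopened. Over the
            # whole game this yields exactly `wins` wins, the same distribution
            # a pre-shuffled list gives, but the draw happens only now.
            is_win = self.rng.randrange(self.unopened) < self.wins_left
            self.unopened -= 1
            if is_win:
                self.wins_left -= 1
            self.revealed[i] = WIN if is_win else LOSS
        return self.revealed[i]

    def memory_view(self):
        return {"hp": list(self.hp), "revealed": list(self.revealed),
                "wins_left": self.wins_left, "unopened": self.unopened}


def unrevealed_outcomes_in_memory(board):
    """Outcomes a scanner could read before the game itself has revealed them."""
    view = board.memory_view()
    if "outcome" not in view:
        return {}
    return {i: o for i, o in enumerate(view["outcome"])
            if view["revealed"][i] is None}


def open_all(board, boxes=10):
    """Play every box down to 0 HP and return the list of revealed outcomes."""
    for i in range(boxes):
        while board.damage(i) is None:
            pass
    return list(board.revealed)


if __name__ == "__main__":
    print("eager, before any open:", unrevealed_outcomes_in_memory(EagerBoard()))
    print("lazy, before any open:", unrevealed_outcomes_in_memory(LazyBoard()))
```

The lazy draw (randrange(unopened) < wins_left) gives exactly the same distribution as a pre-shuffled list, so the game plays identically; the difference is purely in what secret state exists on the client and when. That is the defender's side of Cadmium's question: a result that is predetermined and kept in client memory is, by construction, readable by anyone with a memory viewer, and the only robust fixes are to not decide it until it is needed or to decide it somewhere the client cannot read.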
Cadmium, posted Tue Nov 14, 2017 8:53 pm:

So, moving on to a more concrete example,

The scenario I had in mind locks down (predetermines) what's inside the box at the start of the game. I'm pretty sure, with the research I've done, the value inside the AI's boxes is not determined at the second I open it.

I'm unable to PM because of how noob I am, but would definitely like to hear more advice.

Your deduction was spot on, I traced the code to
17C97028 - 48 63 46 30 - movsxd rax,dword ptr [rsi+30]

which fed me precisely the number and HP of the boxes in the game. I tried starting up another round and it fed me the correct number and HP.

I'm getting somewhere. Now's the harder part of what to do with what I have.