Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Raising Max Money Cap

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Discussions
View previous topic :: View next topic  
Author Message
SaturnineSpy
How do I cheat?
Reputation: 0

Joined: 04 Jul 2024
Posts: 4

PostPosted: Thu Jul 04, 2024 9:51 am    Post subject: Raising Max Money Cap Reply with quote

Hey peeps!

So glad I've started hacking with CE, I've always wanted to hack into my favourite childhood game and expand and make it more replayable!

I'm still a beginner but have managed to track down a few cool things like health and money etc however I'm stuck on raising the max cap of money.

So I've got the address which stores the money and I tracked which writes the address here

------------------------------------------
30114616:
3011460E - 01 C1 - add ecx,eax
30114610 - 0F88 EA0ADCD2 - js pcsx2.exe+2BD5100
30114616 - 66 89 11 - mov [ecx],dx <<
30114619 - 8B 0D 10A04901 - mov ecx,[pcsx2.exe+119A010]
3011461F - 81 C1 06010000 - add ecx,00000106

EAX=20000000
EBX=30114619
ECX=209F06D6
EDX=000026DD
ESI=0022BB5C
EDI=00000000
EBP=0E34FBB4
ESP=0E34FB84
EIP=30114619


First seen:16:39:19
Last seen:16:40:40
----------------------------------------

So the max cap of money in the base game is 9999, I can modify the value to say 15000 fine but when I buy something, it gets shifted back to 9999 instantly.

So in the addresses above, dx (which holds the calculated value after the transaction) moves into [ecx]. I was just wondering where I go from here in tracking down that max cap? I like to play the game legit so no infinite money I want to earn it all but want to earn a lot more than 9999

Also if I raise my money past 32000 then it glitches to a negative number so it's a signed 16bit integer right? any way to increase it to 32bit?

Thanks so much for your time and help!!
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 147

Joined: 06 Jul 2014
Posts: 4570

PostPosted: Thu Jul 04, 2024 11:17 am    Post subject: Reply with quote

Typically, I'd debug the code near what accesses the address and see where it got 9999 from. This isn't really a good option for an emulator, however. Even ones that JIT compile code aren't that great to debug.
It would be great if the emulator had a feature to debug and disassemble the emulated architecture.

Maybe you can search for the value and find it. Given it's a constant, it might be stored as a value in memory or it might be encoded as an immediate in an instruction (executable & unaligned memory).

There's no practical way of changing a 16-bit integer to a 32-bit integer without doing so in the source code.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
SaturnineSpy
How do I cheat?
Reputation: 0

Joined: 04 Jul 2024
Posts: 4

PostPosted: Thu Jul 04, 2024 3:10 pm    Post subject: Reply with quote

ParkourPenguin wrote:
Typically, I'd debug the code near what accesses the address and see where it got 9999 from. This isn't really a good option for an emulator, however. Even ones that JIT compile code aren't that great to debug.
It would be great if the emulator had a feature to debug and disassemble the emulated architecture.

Maybe you can search for the value and find it. Given it's a constant, it might be stored as a value in memory or it might be encoded as an immediate in an instruction (executable & unaligned memory).

There's no practical way of changing a 16-bit integer to a 32-bit integer without doing so in the source code.


Hey mate, thanks so much for replying! I set up some breakpoints a few lines before the actual instruction where the money gets written and found some interesting stuff, you can see in the attached image the breakpoint in red there's that static value 9999 which is moved into edx. the 16000 was my current money and the item was only 50 so yeah hard capping lol

I copied the address to the address list but while the game runs that value is constantly changing....

I guess I could add some code at that point which just adds works out the difference then adds it back and if I can somehow find the item price then subtract it again but I'm guessing I'd need to store a variable somewhere and it just seems a bit messy.

Just checking if you have anymore thoughts after seeing this?

Thanks so much for your time man![/img]



2024-07-04_21h25_51.png
 Description:
 Filesize:  206.99 KB
 Viewed:  3796 Time(s)

2024-07-04_21h25_51.png


Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 147

Joined: 06 Jul 2014
Posts: 4570

PostPosted: Thu Jul 04, 2024 5:54 pm    Post subject: Reply with quote

My thoughts haven't changed much. Debugging an emulated architecture from the native architecture is annoying at best.
You'd need to scroll up to see what writes to that global. It could also be in a caller.

It's possible to set a break-on-write breakpoint at that address and only stop when 9999 was written to it; however, that's probably going to kill performance.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
SaturnineSpy
How do I cheat?
Reputation: 0

Joined: 04 Jul 2024
Posts: 4

PostPosted: Mon Jul 08, 2024 12:59 pm    Post subject: Reply with quote

ParkourPenguin wrote:
My thoughts haven't changed much. Debugging an emulated architecture from the native architecture is annoying at best.
You'd need to scroll up to see what writes to that global. It could also be in a caller.

It's possible to set a break-on-write breakpoint at that address and only stop when 9999 was written to it; however, that's probably going to kill performance.


Hey man! thanks for the tips!

I've managed to track down where the comparison is made to cap the money, it's checking if my current money is above 10,000 then capping it, I just put a breakpoint in where the price of the item is accessed when I buy an item and found the calcualtion below by stepping over a bunch of code.I can find the address too and manipulate the cap up to the max 16bit signed value so around 32,000 or whatever which is awesome! Trouble is now the address changes on reload or even if I just leave the shop and come back lol I've tried a bunch of pointer scan comparisons which return absolutely nothing haha I guess this comes down to what you were saying last time about emulators right? Haven't delved oo much into scripting but I guess the script address will change too right?

I have a fair bit of coding knowledge in C# but all this is completely new to me, it's exciting though and I'm really determined to make this work on the emulator, have such good plans for this game!



2024-07-08_19h49_10.png
 Description:
 Filesize:  442.67 KB
 Viewed:  3717 Time(s)

2024-07-08_19h49_10.png


Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 147

Joined: 06 Jul 2014
Posts: 4570

PostPosted: Mon Jul 08, 2024 1:38 pm    Post subject: Reply with quote

Good job finding that.

If changing `jb` (conditional jump) to `jmp` (unconditional jump) works, you can use the Auto Assembler to make a script that changes it for you. Memory Viewer -> Tools -> Auto Assemble, then Template -> AOB Injection. Delete some stuff you don't need, and you'll end up with something that looks like this:
Code:
[ENABLE]
aobscan(NoMoneyCap,83 3D ?? ?? ?? ?? 00 7C 10 7F 0C 81 3D ?? ?? ?? ?? 10 27 00 00 72 02 31 C0 A3) // make sure this is unique

assert(NoMoneyCap+15,72 02)

NoMoneyCap+15:
  db EB  // jmp rel8

registersymbol(NoMoneyCap)

[DISABLE]

NoMoneyCap+15:
  db 72  // jb rel8

unregistersymbol(NoMoneyCap)


// big comment that shows the original code here
When you're done: File -> Assign to current cheat table, then close window (don't click "Execute")
You'll probably need to find a good AOB pattern yourself. In the main window, set the "Value Type" to "Array of byte", and under "Memory scan options", right click in the area with "Writable" / "Executable" / "CopyOnWrite" and select "Preset: Scan all memory". The bytes that correspond to addresses should be replaced with wildcards. In your script, adjust the offset from the start of the pattern as needed (it's in hexadecimal).

If that is a JIT compiler, that code probably won't exist until it's run for the first time. You'll have to play the game for a bit and do something to make that code run before you can enable that script.

This might cause problems if you get near the cap. e.g. go over 32767 and it'll become negative. If you don't want to deal with that, maybe you should change 10000 to 30000 instead:
Code:
...
assert(NoMoneyCap+11,10 27 00 00)
NoMoneyCap+11:
  dd #30000
...
[DISABLE]
NoMoneyCap+11:
  dd #10000
...

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
SaturnineSpy
How do I cheat?
Reputation: 0

Joined: 04 Jul 2024
Posts: 4

PostPosted: Thu Jul 11, 2024 6:17 am    Post subject: Reply with quote

Hey mate! thanks so much for the tips! I didn't fully understand aobscans or the script you gave so I spent the last few days researching and it's finally making sense! Here's the script I came up with

Code:
[ENABLE]
aobscan(arrayStart,7C 10 7F 0C 81 3D ?? ?? ?? 01 10 27 00 00 72 02 31 C0 A3 20 9F ?? 01)

registersymbol(_cap)
label(_cap)

arrayStart+A:
_cap:
 
[DISABLE]
unregistersymbol(_cap)


I then just add an address with the variable name and when I run the script after buying something it finds the address then I can make the cap increase! Brilliant, I'm making so much progress so thanks!

So I had another question if you have the time? I now face the other problem that the capping gets accessed in other places, so when you buy something, pick up money, get paid etc..... This script does work for those instances too but I have to wait for those things to happen and then toggle the script again which of course still caps me before... is there a way to have to script run when I start the game and execute automatically when these things happen?

This could be solved so much easier if I could just find that static 10000 somewhere haha in fact I can find it but of course pointers on emulator are bi**hes lol

Thanks for your time mate!
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 147

Joined: 06 Jul 2014
Posts: 4570

PostPosted: Thu Jul 11, 2024 11:43 am    Post subject: Reply with quote

SaturnineSpy wrote:
is there a way to have to script run when I start the game and execute automatically when these things happen?
Not really.

The "correct" thing to do would be to target the emulated architecture itself- in this case, change the rom to make your modifications permanent. After browsing through PCSX2's source on github, it seems like there's some support for debugging the emulated architecture. I don't know how many features are available, but that could help. If you have no interest in learning the MIPS ISA, you're better off just forgetting about it.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Discussions All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites