Cheat Engine The Official Site of Cheat Engine
SaturnineSpy How do I cheat? Reputation: 0
Joined: 04 Jul 2024 Posts: 4
Posted: Thu Jul 04, 2024 9:51 am Post subject: Raising Max Money Cap
Hey peeps!
So glad I've started hacking with CE. I've always wanted to hack into my favourite childhood game and expand it to make it more replayable!
I'm still a beginner but have managed to track down a few cool things like health and money etc. However, I'm stuck on raising the max cap of money.
So I've got the address which stores the money, and I tracked what writes to the address here:
------------------------------------------
30114616:
3011460E - 01 C1 - add ecx,eax
30114610 - 0F88 EA0ADCD2 - js pcsx2.exe+2BD5100
30114616 - 66 89 11 - mov [ecx],dx <<
30114619 - 8B 0D 10A04901 - mov ecx,[pcsx2.exe+119A010]
3011461F - 81 C1 06010000 - add ecx,00000106
EAX=20000000
EBX=30114619
ECX=209F06D6
EDX=000026DD
ESI=0022BB5C
EDI=00000000
EBP=0E34FBB4
ESP=0E34FB84
EIP=30114619
First seen:16:39:19
Last seen:16:40:40
----------------------------------------
So the max cap of money in the base game is 9999. I can modify the value to, say, 15000 fine, but when I buy something it gets shifted back to 9999 instantly.
So in the addresses above, dx (which holds the calculated value after the transaction) moves into [ecx]. I was just wondering where I go from here in tracking down that max cap? I like to play the game legit, so no infinite money, I want to earn it all, but I want to be able to earn a lot more than 9999.
Also, if I raise my money past 32000 then it glitches to a negative number, so it's a signed 16-bit integer, right? Any way to increase it to 32-bit?
Thanks so much for your time and help!!
ParkourPenguin I post too much Reputation: 147
Joined: 06 Jul 2014 Posts: 4570
Posted: Thu Jul 04, 2024 11:17 am Post subject:
Typically, I'd debug the code near what accesses the address and see where it got 9999 from. This isn't really a good option for an emulator, however. Even ones that JIT compile code aren't that great to debug.
It would be great if the emulator had a feature to debug and disassemble the emulated architecture.
Maybe you can search for the value and find it. Given it's a constant, it might be stored as a value in memory or it might be encoded as an immediate in an instruction (executable & unaligned memory).
There's no practical way of changing a 16-bit integer to a 32-bit integer without doing so in the source code.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
SaturnineSpy How do I cheat? Reputation: 0
Joined: 04 Jul 2024 Posts: 4
Posted: Thu Jul 04, 2024 3:10 pm Post subject:
ParkourPenguin wrote:
    Typically, I'd debug the code near what accesses the address and see where it got 9999 from. This isn't really a good option for an emulator, however. Even ones that JIT compile code aren't that great to debug.
    It would be great if the emulator had a feature to debug and disassemble the emulated architecture.
    Maybe you can search for the value and find it. Given it's a constant, it might be stored as a value in memory or it might be encoded as an immediate in an instruction (executable & unaligned memory).
    There's no practical way of changing a 16-bit integer to a 32-bit integer without doing so in the source code.

Hey mate, thanks so much for replying! I set up some breakpoints a few lines before the actual instruction where the money gets written and found some interesting stuff. You can see in the attached image, at the breakpoint in red, there's that static value 9999 which is moved into edx. The 16000 was my current money and the item was only 50, so yeah, hard capping lol.
I copied the address to the address list, but while the game runs that value is constantly changing....
I guess I could add some code at that point which works out the difference, then adds it back, and if I can somehow find the item price, subtracts it again, but I'm guessing I'd need to store a variable somewhere and it just seems a bit messy.
Just checking if you have any more thoughts after seeing this?
Thanks so much for your time man!
[Attached image: screenshot, 206.99 KB]
ParkourPenguin I post too much Reputation: 147
Joined: 06 Jul 2014 Posts: 4570
Posted: Thu Jul 04, 2024 5:54 pm Post subject:
My thoughts haven't changed much. Debugging an emulated architecture from the native architecture is annoying at best.
You'd need to scroll up to see what writes to that global. It could also be in a caller.
It's possible to set a break-on-write breakpoint at that address and only stop when 9999 was written to it; however, that's probably going to kill performance.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
SaturnineSpy How do I cheat? Reputation: 0
Joined: 04 Jul 2024 Posts: 4
Posted: Mon Jul 08, 2024 12:59 pm Post subject:
ParkourPenguin wrote:
    My thoughts haven't changed much. Debugging an emulated architecture from the native architecture is annoying at best.
    You'd need to scroll up to see what writes to that global. It could also be in a caller.
    It's possible to set a break-on-write breakpoint at that address and only stop when 9999 was written to it; however, that's probably going to kill performance.

Hey man! Thanks for the tips!
I've managed to track down where the comparison is made to cap the money. It's checking if my current money is above 10,000 and then capping it. I just put a breakpoint in where the price of the item is accessed when I buy an item and found the calculation below by stepping over a bunch of code. I can find the address too and manipulate the cap up to the max 16-bit signed value, so around 32,000 or whatever, which is awesome! Trouble is, now the address changes on reload, or even if I just leave the shop and come back lol. I've tried a bunch of pointer scan comparisons which return absolutely nothing haha. I guess this comes down to what you were saying last time about emulators, right? I haven't delved too much into scripting, but I guess the script address will change too, right?
I have a fair bit of coding knowledge in C#, but all this is completely new to me. It's exciting though, and I'm really determined to make this work on the emulator. I have such good plans for this game!
[Attached image: screenshot, 442.67 KB]
ParkourPenguin I post too much Reputation: 147
Joined: 06 Jul 2014 Posts: 4570
Posted: Mon Jul 08, 2024 1:38 pm Post subject:
Good job finding that.
If changing `jb` (conditional jump) to `jmp` (unconditional jump) works, you can use the Auto Assembler to make a script that changes it for you. Memory Viewer -> Tools -> Auto Assemble, then Template -> AOB Injection. Delete some stuff you don't need, and you'll end up with something that looks like this:
Code:
[ENABLE]
aobscan(NoMoneyCap,83 3D ?? ?? ?? ?? 00 7C 10 7F 0C 81 3D ?? ?? ?? ?? 10 27 00 00 72 02 31 C0 A3) // make sure this is unique
assert(NoMoneyCap+15,72 02)
NoMoneyCap+15:
db EB // jmp rel8
registersymbol(NoMoneyCap)

[DISABLE]
NoMoneyCap+15:
db 72 // jb rel8
unregistersymbol(NoMoneyCap)
// big comment that shows the original code here

When you're done: File -> Assign to current cheat table, then close window (don't click "Execute").
You'll probably need to find a good AOB pattern yourself. In the main window, set the "Value Type" to "Array of byte", and under "Memory scan options", right click in the area with "Writable" / "Executable" / "CopyOnWrite" and select "Preset: Scan all memory". The bytes that correspond to addresses should be replaced with wildcards. In your script, adjust the offset from the start of the pattern as needed (it's in hexadecimal).
If that is a JIT compiler, that code probably won't exist until it's run for the first time. You'll have to play the game for a bit and do something to make that code run before you can enable that script.
This might cause problems if you get near the cap. e.g. go over 32767 and it'll become negative. If you don't want to deal with that, maybe you should change 10000 to 30000 instead:
Code:
...
assert(NoMoneyCap+11,10 27 00 00)
NoMoneyCap+11:
dd #30000
...
[DISABLE]
NoMoneyCap+11:
dd #10000
...
_________________
I don't know where I'm going, but I'll figure it out when I get there.
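The two scripts above rely on three things: a wildcard byte pattern (AOB) that is unique in the scanned memory, an `assert` that the bytes at the patch offset are still what the script expects, and a patch that is exactly as long as the bytes it replaces. The same signature-matching primitive is what anti-cheat and antivirus engines use to recognise code, so it is worth seeing it spelled out. The following is an added Python example, not Cheat Engine's or PCSX2's code: it scans a constructed byte buffer that embeds ParkourPenguin's pattern (the absolute addresses in the wildcard slots are invented placeholders), applies both patches from the thread, and also shows why a value stored through `mov [ecx],dx` turns negative past 32767, as asked in the first post.

```python
"""
Wildcard byte-pattern (AOB) scanning and patching, plus 16-bit sign wrap.
Added example for the thread above; SAMPLE_MEMORY is a constructed buffer,
and the addresses 0x0149A010 / 0x01499F20 inside it are made up.
"""
import struct
from typing import List, Optional

# The pattern ParkourPenguin posted: cmp dword [mem],0 ; jl ; jg ;
# cmp dword [mem],10000 ; jb +2 ; xor eax,eax ; mov [mem],eax
NO_MONEY_CAP_AOB = "83 3D ?? ?? ?? ?? 00 7C 10 7F 0C 81 3D ?? ?? ?? ?? 10 27 00 00 72 02 31 C0 A3"

_FILLER_A = bytes.fromhex("55 8B EC 53 56 57 90 90 CC CC")   # constructed padding (10 bytes)
_CODE = bytes.fromhex(
    "83 3D 10 A0 49 01 00"            # cmp dword [0x0149A010],0   (placeholder address)
    "7C 10"                           # jl  +0x10
    "7F 0C"                           # jg  +0x0C
    "81 3D 10 A0 49 01 10 27 00 00"   # cmp dword [0x0149A010],10000  (10 27 00 00 = 10000)
    "72 02"                           # jb  +2   <- NoMoneyCap+15: skips the xor when below the cap
    "31 C0"                           # xor eax,eax
    "A3 20 9F 49 01"                  # mov [0x01499F20],eax       (placeholder address)
)
_FILLER_B = bytes.fromhex("C3 CC CC CC 90 90")               # constructed padding
SAMPLE_MEMORY = _FILLER_A + _CODE + _FILLER_B


def parse_aob(pattern: str) -> List[Optional[int]]:
    """'83 3D ?? 00' -> [0x83, 0x3D, None, 0x00]; None is a wildcard byte."""
    return [None if tok in ("?", "??", "**") else int(tok, 16) for tok in pattern.split()]


def aob_scan(memory: bytes, pattern: str) -> List[int]:
    """Return every offset where the pattern matches (CE's aobscan needs exactly one)."""
    pat = parse_aob(pattern)
    return [
        i for i in range(len(memory) - len(pat) + 1)
        if all(p is None or memory[i + k] == p for k, p in enumerate(pat))
    ]


def locate(memory: bytes) -> int:
    """Offset of the unique match, or an error: a non-unique AOB must not be patched."""
    hits = aob_scan(memory, NO_MONEY_CAP_AOB)
    if len(hits) != 1:
        raise ValueError(f"pattern matched {len(hits)} times, need exactly 1")
    return hits[0]


def assert_bytes(memory: bytes, offset: int, expected: str) -> None:
    """Same role as the AA `assert(addr,bytes)` line: refuse to patch changed code."""
    exp = bytes.fromhex(expected)
    actual = memory[offset:offset + len(exp)]
    if actual != exp:
        raise ValueError(f"bytes at +{offset:#x} are {actual.hex(' ')}, expected {exp.hex(' ')}")


def patch(memory: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Overwrite in place without changing the length, so nothing after it shifts."""
    return memory[:offset] + new_bytes + memory[offset + len(new_bytes):]


def remove_cap(memory: bytes) -> bytes:
    """First script in the thread: `db EB` at +15 turns `jb rel8` into `jmp rel8`."""
    base = locate(memory)
    assert_bytes(memory, base + 0x15, "72 02")
    return patch(memory, base + 0x15, b"\xEB")


def raise_cap(memory: bytes, new_cap: int) -> bytes:
    """Second script in the thread: `dd #30000` at +11 replaces the 10000 immediate."""
    base = locate(memory)
    assert_bytes(memory, base + 0x11, "10 27 00 00")
    return patch(memory, base + 0x11, struct.pack("<I", new_cap))


def read_cap(memory: bytes, base: int) -> int:
    """Read the dword immediate of the cmp at base+11 (little-endian)."""
    return struct.unpack_from("<I", memory, base + 0x11)[0]


def as_stored_i16(value: int) -> int:
    """What `mov [ecx],dx` leaves behind once the 16-bit slot is read back as signed."""
    return struct.unpack("<h", struct.pack("<H", value & 0xFFFF))[0]


if __name__ == "__main__":
    base = locate(SAMPLE_MEMORY)
    print(f"pattern at +{base:#x}, cap = {read_cap(SAMPLE_MEMORY, base)}")
    print("jb -> jmp:", remove_cap(SAMPLE_MEMORY)[base + 0x15:base + 0x17].hex(" "))
    print("new cap:", read_cap(raise_cap(SAMPLE_MEMORY, 30000), base))
    for v in (15000, 32767, 32768, 40000):
        print(f"{v} stored as 16-bit signed -> {as_stored_i16(v)}")
```

Note that once the `10 27 00 00` immediate has been rewritten, the original pattern no longer matches; this is why the `[DISABLE]` section restores the bytes through the registered symbol rather than scanning again, and why a disable script should never depend on the pre-patch signature.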
SaturnineSpy How do I cheat? Reputation: 0
Joined: 04 Jul 2024 Posts: 4
Posted: Thu Jul 11, 2024 6:17 am Post subject:
Hey mate! Thanks so much for the tips! I didn't fully understand aobscans or the script you gave, so I spent the last few days researching and it's finally making sense! Here's the script I came up with:
Code:
[ENABLE]
aobscan(arrayStart,7C 10 7F 0C 81 3D ?? ?? ?? 01 10 27 00 00 72 02 31 C0 A3 20 9F ?? 01)
registersymbol(_cap)
label(_cap)
arrayStart+A:
_cap:

[DISABLE]
unregistersymbol(_cap)

I then just add an address with the variable name, and when I run the script after buying something it finds the address, then I can make the cap increase! Brilliant, I'm making so much progress, so thanks!
So I had another question, if you have the time? I now face the other problem that the capping gets accessed in other places, so when you buy something, pick up money, get paid etc..... This script does work for those instances too, but I have to wait for those things to happen and then toggle the script again, which of course still caps me before... Is there a way to have the script run when I start the game and execute automatically when these things happen?
This could be solved so much easier if I could just find that static 10000 somewhere haha. In fact I can find it, but of course pointers on emulator are bi**hes lol.
Thanks for your time mate!
ParkourPenguin I post too much Reputation: 147
Joined: 06 Jul 2014 Posts: 4570
Posted: Thu Jul 11, 2024 11:43 am Post subject:
SaturnineSpy wrote:
    Is there a way to have the script run when I start the game and execute automatically when these things happen?

Not really.
The "correct" thing to do would be to target the emulated architecture itself; in this case, change the ROM to make your modifications permanent. After browsing through PCSX2's source on GitHub, it seems like there's some support for debugging the emulated architecture. I don't know how many features are available, but that could help. If you have no interest in learning the MIPS ISA, you're better off just forgetting about it.
_________________
I don't know where I'm going, but I'll figure it out when I get there.