Cheat Engine The Official Site of Cheat Engine
ionut_baluca Newbie cheater Reputation: 0
Joined: 08 Jan 2016 Posts: 15
Posted: Wed Nov 06, 2024 7:08 am Post subject: Can't find the pointer for this float value
I'm pretty much a noob with CE. In short, I can very easily find the current HP value in my game, and it is a float value. The problem is the game resets this value at each combat map, so I have to find it again. So now I'm trying to make a pointer for it. I did the pointer tutorial of Cheat Engine, but it's on 4 bytes and is quite simple; on a float I'm stuck and I don't understand what should be done.
Here I will add a screenshot to make you understand:
https://prnt.sc/mTSbmzxFFcs4
You have to merge the text since I can't post links yet.
So xmm1 is my current health, xmm0 is base HP, xmm2-3-4-5 etc. are damage variables in the combat zone.
Since xmm1 is [rcx+rax+50], how do I move forward from here to make a pointer so I don't have to search for the same values every time I start a fight?
ParkourPenguin I post too much Reputation: 147
Joined: 06 Jul 2014 Posts: 4527
Posted: Wed Nov 06, 2024 11:54 am
brave.exe - a browser? You won't find static pointers there. Everything is sandboxed to hell (for good reason); there's too much crap in the way to find a good static pointer path.
If that's a javascript game, use the browser's javascript tools to hack it.
If that instruction only accesses that address (open in disassembler, right click instruction -> "Find out what addresses this instruction accesses", play in game for a bit), then use code injection and copy the address. Search "injection copy".
_________________
I don't know where I'm going, but I'll figure it out when I get there.
ionut_baluca Newbie cheater Reputation: 0
Joined: 08 Jan 2016 Posts: 15
Posted: Thu Nov 07, 2024 1:16 am
ParkourPenguin wrote:
> brave.exe - a browser? You won't find static pointers there. Everything is sandboxed to hell (for good reason); there's too much crap in the way to find a good static pointer path.
> If that's a javascript game, use the browser's javascript tools to hack it.
> If that instruction only accesses that address (open in disassembler, right click instruction -> "Find out what addresses this instruction accesses", play in game for a bit), then use code injection and copy the address. Search "injection copy".
Thank you for your help.
Yes, it is a browser game and it is made with Unity I think (not a JavaScript game).
Unfortunately that instruction accesses more addresses. As for code injection, I kind of got an idea from a tutorial here on the forum, but that tutorial doesn't have images anymore so it's hard for me to visually understand everything. I've watched some YouTube tutorials too, but in most of them the value is a simple 4-byte, not a complex value like mine. However, it seems like code injection is the way, since the newly generated address in each session is kind of similar to the last one.
https://prnt.sc/c6IULVkdbTNm
^ This is what I get if I go your way.
Second attempt:
https://prnt.sc/sFbQ6wlcvVp9
And third:
https://prnt.sc/NmK5qURhUcxZ
And this is how the addresses are kind of similar between them:
https://prnt.sc/r3siUXXxsLoF
Sorry for all this mess, I can't add direct links yet.
ParkourPenguin I post too much Reputation: 147
Joined: 06 Jul 2014 Posts: 4527
Posted: Thu Nov 07, 2024 2:44 am
If the game offers a downloadable version you can play on desktop (i.e. not through your browser), it would be easiest if you used that.
You can try something like step 9 of the CE tutorial, but that's easier said than done.
The Unity code was probably compiled to web assembly. Maybe some browser has some low-level debugging tools for that, but I'm not familiar with any.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
ionut_baluca Newbie cheater Reputation: 0
Joined: 08 Jan 2016 Posts: 15
Posted: Thu Nov 07, 2024 3:27 am
ParkourPenguin wrote:
> If the game offers a downloadable version you can play on desktop (i.e. not through your browser), it would be easiest if you used that.
> You can try something like step 9 of the CE tutorial, but that's easier said than done.
> The Unity code was probably compiled to web assembly. Maybe some browser has some low-level debugging tools for that, but I'm not familiar with any.
No desktop version; this game is available for phones and browsers.
Step 9 of the CE tutorial is about when the same function is shared between more players' HP, which is not the case in this game. You start a session and fight against monsters that do not share your HP. The other values in the screenshot provided were things that damaged my HP.
ionut_baluca Newbie cheater Reputation: 0
Joined: 08 Jan 2016 Posts: 15
Posted: Fri Nov 08, 2024 4:44 am
ParkourPenguin wrote:
> If the game offers a downloadable version you can play on desktop (i.e. not through your browser), it would be easiest if you used that.
> You can try something like step 9 of the CE tutorial, but that's easier said than done.
> The Unity code was probably compiled to web assembly. Maybe some browser has some low-level debugging tools for that, but I'm not familiar with any.
Hey man, sorry for disturbing you, but I made some big progress following YouTube tutorials, and now I'm stuck at another point:
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048,45611BBD58C1)
label(returnhere)
label(originalcode)
label(exit)
alloc(hp,4,45611BBD58C1)
hp:
dd (float)90000
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
cmp [rcx+rax+D4],0
jne originalcode
movss xmm1,[hp]
vmovss [rcx+rax+50],xmm1
jmp exit
originalcode:
vmovss [rcx+rax+50],xmm1
mov [rcx+rax+50],(float)1
exit:
jmp returnhere
45611BBD58C1:
jmp newmem
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
dealloc(hp)
45611BBD58C1:
db C5 FA 11 4C 01 50
//vmovss [rcx+rax+50],xmm1
This code works like this: my HP becomes 90k and the enemy's 1, but I can't kill them. How do I make the code let the enemy lose HP?
ParkourPenguin I post too much Reputation: 147
Joined: 06 Jul 2014 Posts: 4527
Posted: Fri Nov 08, 2024 12:13 pm
You did well to find that.
First of all, use Template -> AOB Injection. The address of that code might change location when you restart the game. If that happens, that script will stop working or overwrite something you didn't intend.
Only change enemy health to 1 if the new value is greater than 1. If the new health in xmm1 is less than 1, then don't overwrite it.
Code:
[ENABLE]
aobscan(ChangeHealth,C5 FA 11 4C 01 50) // should be unique
alloc(newmem,2048,ChangeHealth)
alloc(playerHP,4,ChangeHealth)
alloc(enemyHP,4,ChangeHealth)
label(isPlayer)
label(exit)
label(return)
playerHP:
dd (float)90000
enemyHP:
dd (float)1
newmem:
cmp [rcx+rax+D4],0
je isPlayer
vminss xmm1,xmm1,[enemyHP] // xmm1 = min(xmm1,[enemyHP])
jmp exit
isPlayer:
vmovss xmm1,[playerHP]
exit:
vmovss [rcx+rax+50],xmm1
jmp return
ChangeHealth:
jmp newmem
nop
return:
registersymbol(ChangeHealth) // the aobscan symbol is ChangeHealth, so that is what gets registered (the template's INJECT name would be undefined here)
[DISABLE]
ChangeHealth:
db C5 FA 11 4C 01 50 // restore the original bytes of vmovss [rcx+rax+50],xmm1, the same bytes the aobscan looks for
unregistersymbol(ChangeHealth)
dealloc(newmem)
dealloc(playerHP)
dealloc(enemyHP)
{
// ORIGINAL CODE (don't delete this comment)
...
}
_________________
I don't know where I'm going, but I'll figure it out when I get there.
ionut_baluca Newbie cheater Reputation: 0
Joined: 08 Jan 2016 Posts: 15
Posted: Fri Nov 08, 2024 12:24 pm
ParkourPenguin wrote:
> You did well to find that.
> First of all, use Template -> AOB Injection. The address of that code might change location when you restart the game. If that happens, that script will stop working or overwrite something you didn't intend.
> Only change enemy health to 1 if the new value is greater than 1. If the new health in xmm1 is less than 1, then don't overwrite it.
> Code:
> [ENABLE]
> aobscan(ChangeHealth,C5 FA 11 4C 01 50) // should be unique
> alloc(newmem,2048,ChangeHealth)
> alloc(playerHP,4,ChangeHealth)
> alloc(enemyHP,4,ChangeHealth)
> label(isPlayer)
> label(exit)
> label(return)
> playerHP:
> dd (float)90000
> enemyHP:
> dd (float)1
> newmem:
> cmp [rcx+rax+D4],0
> je isPlayer
> vminss xmm1,xmm1,[enemyHP] // xmm1 = min(xmm1,[enemyHP])
> jmp exit
> isPlayer:
> vmovss xmm1,[playerHP]
> exit:
> vmovss [rcx+rax+50],xmm1
> jmp return
> ChangeHealth:
> jmp newmem
> nop
> return:
> registersymbol(ChangeHealth) // the aobscan symbol is ChangeHealth, so that is what gets registered
> [DISABLE]
> ChangeHealth:
> db C5 FA 11 4C 01 50 // restore the original bytes of vmovss [rcx+rax+50],xmm1
> unregistersymbol(ChangeHealth)
> dealloc(newmem)
> dealloc(playerHP)
> dealloc(enemyHP)
> {
> // ORIGINAL CODE (don't delete this comment)
> ...
> }
Thank you!! Your code worked like a charm and I'm going to keep this code for future use on other games.
My code also worked when I changed the float value from 1 to 0 on the last line; I just one-shotted the whole map of enemies with a simple touch. INSANE, I never knew CE could be used for that, and all of this THANKS TO YOUR suggestion of code injection!!
Now I just start the game, get the float HP, get what writes to this address, copy the address that contains the xmm1 register and paste it into the old code; it seems like the offset is the same even after a game reload.
It would be nice to find a pointer for that, but for now, after hours and hours of tutorials and tries, I'm happy with what I got. I can apply the same concept as for HP to increase my damage to hell and keep the enemy damage low using the same script with different addresses and register values.
THANK YOU THANK YOU THANK YOU THANK YOU <3 <3 <3 <3 <3
ParkourPenguin I post too much Reputation: 147
Joined: 06 Jul 2014 Posts: 4527
Posted: Fri Nov 08, 2024 1:11 pm
If you want a pointer, you can copy the address. Search "injection copy".
Code:
alloc(addrPlayerHP,8,ChangeHealth) // allocate near the injection point, like playerHP/enemyHP, so the store below stays within 32-bit reach
addrPlayerHP:
dq 0
...
isPlayer:
// only run when [rcx+rax+50] is player's HP address
push rbx
lea rbx,[rcx+rax]
mov [addrPlayerHP],rbx
pop rbx
...
registersymbol(addrPlayerHP)
Add a new address to the address list, check the "Pointer" checkbox, the base address is addrPlayerHP, the only offset is 50, type / description is whatever, click+drag that new record onto the script record, right click the script record -> Group config -> Hide children when deactivated.
The only downside to this is that the game must run the code for your injection to copy the address. e.g. if that code is only run when you get hit, then you must get hit for addrPlayerHP to be set correctly.
Obviously, if your code injection always sets your HP to 90000, any changes you make to it in the address list won't really affect anything.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
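Added illustration (not code from this thread, and not Cheat Engine's own code): a host-side C model of the two behaviours discussed in ParkourPenguin's scripts above, the `vminss` enemy cap and the "injection copy" of `rcx+rax` into `addrPlayerHP`, plus the caveat that the pointer record only resolves once the hooked instruction has actually run for the player. The entity layout (offset 0x50 = float HP, offset 0xD4 = a 32-bit flag that is 0 for the player), the sample HP values and every function name are assumptions made for the demo.

```c
/* Added example, not code from the thread. Models the hook logic on the host:
 * offset 0x50 holds the float HP, offset 0xD4 a 32-bit flag that is 0 for the
 * player (the script's "cmp [rcx+rax+D4],0 / je isPlayer"). The layout, the flag
 * meaning and the sample values are assumptions made for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HP_OFFSET   0x50
#define FLAG_OFFSET 0xD4
#define ENTITY_SIZE 0x100

static const float PLAYER_HP = 90000.0f;   /* playerHP: dd (float)90000 */
static const float ENEMY_CAP = 1.0f;       /* enemyHP:  dd (float)1     */

/* Stand-in for addrPlayerHP (dq 0): the hook stores the entity base here and the
 * address-list pointer record "addrPlayerHP + 50" reads through it. */
static uintptr_t addr_player_hp = 0;

static float read_hp(const uint8_t *e) { float v; memcpy(&v, e + HP_OFFSET, sizeof v); return v; }
static void  write_hp(uint8_t *e, float v) { memcpy(e + HP_OFFSET, &v, sizeof v); }
static int   is_player(const uint8_t *e) { uint32_t f; memcpy(&f, e + FLAG_OFFSET, sizeof f); return f == 0; }

/* Build a constructed entity block with the given HP and flag. */
static void make_entity(uint8_t *e, float hp, uint32_t flag) {
    memset(e, 0, ENTITY_SIZE);
    write_hp(e, hp);
    memcpy(e + FLAG_OFFSET, &flag, sizeof flag);
}

typedef void (*hook_fn)(uint8_t *entity, float new_hp);

/* First script in the thread: after the game's own store, "mov [rcx+rax+50],(float)1"
 * forces every enemy back to 1 HP on every hit, so a killing blow is undone. */
static void hook_force_one(uint8_t *e, float new_hp) {
    if (is_player(e)) { write_hp(e, PLAYER_HP); return; }
    write_hp(e, new_hp);        /* original vmovss [rcx+rax+50],xmm1 */
    write_hp(e, ENEMY_CAP);     /* mov [rcx+rax+50],(float)1 */
}

/* ParkourPenguin's version: vminss keeps the incoming value when it is already
 * below the cap, so 0 HP stays 0. On the player branch it also does the
 * "injection copy": lea rbx,[rcx+rax] / mov [addrPlayerHP],rbx. */
static void hook_min_and_copy(uint8_t *e, float new_hp) {
    if (is_player(e)) {
        addr_player_hp = (uintptr_t)e;      /* copy the address, not the value */
        write_hp(e, PLAYER_HP);             /* vmovss xmm1,[playerHP] */
        return;
    }
    /* vminss semantics: src1 if src1 < src2, else src2 */
    write_hp(e, new_hp < ENEMY_CAP ? new_hp : ENEMY_CAP);
}

/* An enemy at 10 HP takes a hit down to 3 HP, then a killing blow to 0 HP.
 * Returns the enemy's HP after the second hit under the given hook. */
static float enemy_hp_after_kill(hook_fn hook) {
    uint8_t enemy[ENTITY_SIZE];
    make_entity(enemy, 10.0f, 1);           /* flag 1: not the player */
    hook(enemy, 3.0f);
    hook(enemy, 0.0f);
    return read_hp(enemy);
}

/* Resolve the pointer record (base addrPlayerHP, offset 50). Returns -1 while
 * the base is still 0, i.e. before the hooked instruction ran for the player. */
static float resolve_player_record(void) {
    if (addr_player_hp == 0) return -1.0f;
    return read_hp((const uint8_t *)addr_player_hp);
}

static uint8_t g_player[ENTITY_SIZE];   /* static so the copied address stays valid */

/* The caveat from the post: the record is unresolvable until the player is hit once. */
static float record_before_hit(void) {
    addr_player_hp = 0;
    make_entity(g_player, 250.0f, 0);       /* flag 0: the player */
    return resolve_player_record();         /* -1: base still dq 0 */
}

static float record_after_hit(void) {
    record_before_hit();
    hook_min_and_copy(g_player, 200.0f);    /* player takes a hit: address copied, HP forced */
    return resolve_player_record();         /* 90000 */
}

int main(void) {
    printf("force-one hook, enemy after killing blow: %g\n", enemy_hp_after_kill(hook_force_one));
    printf("min+copy hook,  enemy after killing blow: %g\n", enemy_hp_after_kill(hook_min_and_copy));
    printf("record before hit: %g, after hit: %g\n", record_before_hit(), record_after_hit());
    return 0;
}
```

The two enemy runs show why the first script could not kill anything (the forced `1` is written after the game's own store) while the `min` version lets a 0 through; the two record calls show why a pointer record built on `addrPlayerHP` reads nothing useful until the player has been hit once, which is exactly the downside the post describes.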
ionut_baluca Newbie cheater Reputation: 0
Joined: 08 Jan 2016 Posts: 15
Posted: Fri Nov 08, 2024 4:14 pm
ParkourPenguin wrote:
> If you want a pointer, you can copy the address. Search "injection copy".
> Code:
> alloc(addrPlayerHP,8,ChangeHealth) // allocate near the injection point so the store below stays within 32-bit reach
> addrPlayerHP:
> dq 0
> ...
> isPlayer:
> // only run when [rcx+rax+50] is player's HP address
> push rbx
> lea rbx,[rcx+rax]
> mov [addrPlayerHP],rbx
> pop rbx
> ...
> registersymbol(addrPlayerHP)
> Add a new address to the address list, check the "Pointer" checkbox, the base address is addrPlayerHP, the only offset is 50, type / description is whatever, click+drag that new record onto the script record, right click the script record -> Group config -> Hide children when deactivated.
> The only downside to this is that the game must run the code for your injection to copy the address. e.g. if that code is only run when you get hit, then you must get hit for addrPlayerHP to be set correctly.
> Obviously, if your code injection always sets your HP to 90000, any changes you make to it in the address list won't really affect anything.
Could you try to explain further?
What I understood from what you said is the following:
My code is:
Code:
alloc(newmem,2048,45611BBD58C1)
and it should become
Code:
alloc(newmem,2048,addrPlayerHP)
where addrPlayerHP becomes the pointer to the address of the xmm1 register that contains the [rcx+rax+50] address.
But I don't understand a few things in your code:
1) Why is addrPlayerHP dq 0? (dq stands for an 8-byte number, right?)
2) Why isPlayer? Shouldn't it be isaddrPlayerHP?
3) Why push and lea (load) an rbx register? The value, being a float, should be contained in an xmm register, right? Actually xmm1, since like 20 sessions of the game; maybe on an update they mess with that, but for now it's that.
Quote:
> The only downside to this is that the game must run the code for your injection to copy the address. e.g. if that code is only run when you get hit, then you must get hit for addrPlayerHP to be set correctly.
Yeah, the code only runs when I get hit, but that is not a problem since I usually just need to get hit once to find the value, and I guess your script does automatically what I did manually, really quickly.
ParkourPenguin I post too much Reputation: 147
Joined: 06 Jul 2014 Posts: 4527
Posted: Fri Nov 08, 2024 6:36 pm
ionut_baluca wrote:
> My code is:
> Code:
> alloc(newmem,2048,45611BBD58C1)
Again, use the aobscan template.
ionut_baluca wrote:
> Code:
> alloc(newmem,2048,addrPlayerHP)
I don't know where you got this from, but no, this is wrong.
ionut_baluca wrote:
> But I don't understand a few things in your code:
> 1) Why is addrPlayerHP dq 0? (dq stands for an 8-byte number, right?)
> 2) Why isPlayer? Shouldn't it be isaddrPlayerHP?
> 3) Why push and lea (load) an rbx register? The value, being a float, should be contained in an xmm register, right? Actually xmm1, since like 20 sessions of the game; maybe on an update they mess with that, but for now it's that.
"..." is an ellipsis. It's often used to express an omission of something (among other uses). In this case, I used it in place of code that I had already written in the post before that one.
1) `dq 0` explicitly initializes it to 0. It already should be 0 due to how Windows allocates memory, but using `dq 0` explicitly indicates it's an 8 byte value that's initially 0.
2) `isPlayer:` corresponds to the label with the same name in the script before that one.
3) You should copy the address, not the value. push / pop backs up and restores the register. The lea instruction calculates rcx+rax and stores the result in rbx.
_________________
I don't know where I'm going, but I'll figure it out when I get there.