Cheat Engine

Labyrnth · Moderator Reputation: 10 Joined: 28 Nov 2006 Posts: 6301

There are 3 things to find:
1. Function, is jumping 1/0
2. Y coord
3. Gravity

Good Luck...
Links:
http://forum.cheatengine.org/files/jumping-gravity_trainme_751.rar
Mirrors:
http://www.speedyshare.com/721570587.html
http://www.mediafire.com/?zlq9x9fmryc

Psy · Posted: Fri May 09, 2008 2:12 pm Post subject:

Ok, well...hehe...to help others..heres what I got:

- The addresses in question are stored below the default 32-bit memory range, easily solved by setting CE to scan 'all' memory

- Once that is done, you can set about searching for IsJumping?
It is logical to assume that the variable will be set to one when the box has jumped, and zero when it is on the ground
Simple searches will reveal this

- From there, I went to look for the y co-ord address, I chose to use unknown scans of the float-value type, co-ordinates in games are most of the time stored as 32-bit float values, and 4-bytes apart in structure (which doesn't apply here as there is only one co-ordinate to find)
This scan followed up by changed value scans (or inc/dec, your choice) soon revealed the address, you can test by freezing it, the box should..'jitter' a bit while it is frozen, so you know you got the right addy

- I had already noticed by this point, that the 2 address I already found were seperated by 4-bytes, so I wondered if the 3rd challenge (gravity) would be a further 4-bytes away, I was right... (cheap, I know, but I found it an easy, trouble-free way

Now, we have all the address here, but CE hasn't flagged them as been static. Everytime I load the trainme on my PC, the variables get allocated to the same offsets in memory, but this may not be the case on other peoples machines. There are many types of DMA/code-shifts to consider.

I decided to use a little known technique call 'DMA-Stealing'.
Actually its not little known, its used a lot in bigger things, such as multiplayer multihacks/aimbots and such...usually to grab a base address before an anti-cheat system kicks in, such as punkbuster for example, then store that value into an area of memory that won't be scanned for consistency, some random intro-movie .dll like bink32 or something...
In my .CT there is a little injection that you must first activate.
Once its on, move the box in the trainme app. This will cause my code to run in the cave and dump a pointer to an address of my choice.
Now from here, the pointers and offsets in my CT will activate.
CE will take the stored value I previously 'stole', then calculate the address we need from it. Because the address are not stored a +ve amount from the base, but instead, -ve away from it, I used the appropriate notation in my offset value...easily recognizable by many FFF's at the start.

Check it out.
Hope Lab's TrainMe and this explanation taught someone, somewhere, something Razz

Labyrnth · Moderator Reputation: 10 Joined: 28 Nov 2006 Posts: 6301

CT test fail hehehe: Hit F5 to see image Smile

If it doesnt load.

Psy · Posted: Fri May 09, 2008 2:58 pm Post subject:

Did you activate the first code then move the box?...

If so, i'll re-work it sometime...but same method applies Smile

atom0s · Posted: Fri May 09, 2008 7:16 pm Post subject:

0012FEDC - Ball position on the Y axis. Doesn't seem to change from computer to computer, tested it on 2 of mine worked on both. (Float value, 260.0 when the ball is on the ground.)

If you want to hook the functions that set this you will need to hook VirualAlloc inside the function at runtime and locate the address that the engine allocates for the script then you can hax up the script code easily.

nwongfeiying · Posted: Fri May 09, 2008 7:34 pm Post subject:

I hope you mean that 260.0 is the Y-point to where the box stops after jumping. I just downloaded it, I should finish it within a day or two.

Edit: Basically, what I found were two basic addresses that controlled all jumping. The first address is the Y-point where the box stops at and the second point is where it's return point is [after the jump]. I'll add the other addresses later after I finish all my tasks currently on my agenda(e.g. homework, requested trainer, etc).

Psy · Posted: Sat May 10, 2008 3:57 am Post subject:

Within a day or 2, hehe....5 minutes man...5 minutes.

I updated the CT I did, added in the static address...it seems what I suspected was right. They don't change, and are allocated the same in mem.

nwongfeiying · Posted: Sat May 10, 2008 9:23 am Post subject:

I have a huge list of things to do which is why it would take me two days.

Psy · Posted: Sat May 10, 2008 11:17 am Post subject:

Check your sig...

Labyrnth · Moderator Reputation: 10 Joined: 28 Nov 2006 Posts: 6301

Psy · Posted: Sat May 10, 2008 1:28 pm Post subject:

I noticed how the freeze allowed an 'addition' whereby you could keep jumping yeah.