Cheat Engine The Official Site of Cheat Engine
private00x Newbie cheater
Reputation: 0
Joined: 21 Apr 2009 Posts: 19
Posted: Fri May 22, 2009 1:54 am Post subject: Finding multi level pointer keeps returning same hex value
Hi there,
I'm trying to get a pointer for an address of a game. All pointers have multiple levels. The problem is that, for any address I have tried so far, after 1 or 2 levels the next opcode scan returns an opcode that suggests the same hex value to search for as the previous one. This is obviously not possible. I copied the opcode where it returns the same hex value again, resulting in a dead end:
Code:
EAX=1843AB58
EBX=1DFAC700
ECX=1843AAF8
EDX=00000003
ESI=00000003
EDI=1843AAF8
EBP=0017CEC8
ESP=0017CEA0
EIP=11F3386C
Probable base pointer =1843AB58
11f3385f - cmp edx,[eax+08]
11f33862 - jae 11f33880
11f33868 - mov eax,[eax+edx*4+0c]
11f3386c - mov esp,ebp
11f3386e - pop ebp
What is also interesting is that when I put a breakpoint on the opcode, it returns a different register value than the one suggested. However, if I search for it, it returns 0 results - if it does return something, it points to a wrong address with the new offset.
Another interesting thing about this game is that it seems to be allocating its own memory after the core has been loaded - resulting in module-less addresses, if you know what I mean. This means that the addresses of these opcodes change after restarting the game (this was a problem for me when I tried hooking, but that's another subject).
Thanks in advance.
Edit:
Another example of an opcode where I get the same problem:
Code:
EAX=00000190
EBX=1DEF0258
ECX=0000018A
EDX=166FE1C0
ESI=0000000A
EDI=11EFF204
EBP=0017CE28
ESP=0017CDF0
EIP=11EFF23C
Probable base pointer =166FE1C0
11eff22f - cmp esi,[edx+08]
11eff232 - jae 11eff2ea
11eff238 - mov edx,[edx+esi*4+0c]
11eff23c - mov esi,[esp+24]
11eff240 - cmp edx,00
Dark Byte Site Admin
Reputation: 472
Joined: 09 May 2003 Posts: 25870 Location: The netherlands
Posted: Fri May 22, 2009 6:05 am Post subject:
Remember the text at the bottom of the more info window? All register values are shown AFTER the instruction has been executed.
mov eax,[eax+edx*4+0c] will affect EAX, which is a problem, since eax is part of the calculation. (small part)
2 ways to get by this:
1: use exceptions instead of hardware bp's (can cause crashes so you may only be able to use it once)
2: my preferred, use basic math to figure it out:
Let's look at the instruction: mov eax,[eax+edx*4+0c]
Means that eax+edx*4+c will result in the address you've chosen the option "Find what accesses" on.
Fun thing is, you KNOW that address.
What we can find out is that edx*4+c = 3*4+c = c+c = 18
so:
eax+18 = known address
known address-18 = eax = base pointer value to scan for
Also, what are you looking for? The instructions you're looking at are for arrays. If it's the units' health in an RTS, I recommend going with code injection instead
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
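The arithmetic in the answer above, written out as a small script. This is an added example, not Dark Byte's or Cheat Engine's code: it parses the post-execution register snapshot from the first post, reads the base/index/scale/displacement out of a `mov dst,[base+index*scale+disp]` line, flags the case where the destination register is also the base (so the snapshot value of that register is the loaded value, not the pointer that was dereferenced), and recovers the base as `accessed - index*scale - disp`. The accessed address 0x0A8B1C60 is a constructed stand-in, since the original post does not give the address that "Find what accesses" was run on; the parser only understands `mov` with a bracketed source operand and hex displacements as Cheat Engine's disassembler prints them. It generalises to any base/index pair, so the second snapshot in the question (`mov edx,[edx+esi*4+0c]` with ESI=0xA) works the same way.

```python
import re

# Constructed register snapshot, copied from the first post: these are the
# values Cheat Engine shows AFTER "mov eax,[eax+edx*4+0c]" has executed.
SNAPSHOT = """\
EAX=1843AB58
EBX=1DFAC700
ECX=1843AAF8
EDX=00000003
ESI=00000003
EDI=1843AAF8
EBP=0017CEC8
ESP=0017CEA0
EIP=11F3386C
"""

REGS32 = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
MEM_RE = re.compile(r"\[(?P<expr>[^\]]+)\]")
TERM_RE = re.compile(r"^([a-z]+)(?:\*([1248]))?$")


def parse_snapshot(text):
    """Turn 'EAX=1843AB58' lines into {'eax': 0x1843AB58, ...}."""
    regs = {}
    for line in text.splitlines():
        name, _, val = line.strip().partition("=")
        if name and val:
            regs[name.lower()] = int(val, 16)
    return regs


def parse_mov(instr):
    """Split 'mov dst,[base+index*scale+disp]' into its addressing parts.

    Returns (dest, base, index, scale, disp). Displacements are hex, the way
    the disassembler prints them ('0c' is 0x0c); a leading '-' is honoured.
    """
    mnemonic, _, operands = instr.strip().partition(" ")
    if mnemonic.lower() != "mov":
        raise ValueError("only mov is handled here")
    dest, _, src = operands.partition(",")
    m = MEM_RE.search(src)
    if not m:
        raise ValueError("source is not a memory operand")
    base = index = None
    scale, disp = 1, 0
    for term in m.group("expr").lower().replace("-", "+-").split("+"):
        term = term.strip()
        if not term:
            continue
        t = TERM_RE.match(term)
        if t and t.group(1) in REGS32:
            if t.group(2):                      # reg*scale is the index
                index, scale = t.group(1), int(t.group(2))
            elif base is None:                  # first bare register is the base
                base = t.group(1)
            else:                               # second bare register: index*1
                index, scale = t.group(1), 1
        else:
            disp += int(term, 16)               # hex displacement
    return dest.strip().lower(), base, index, scale, disp


def base_register_clobbered(instr):
    """True when the destination is also the base: the snapshot then shows the
    value that was loaded, not the pointer that was read, so scanning for it
    leads to the dead end described in the question."""
    dest, base, _, _, _ = parse_mov(instr)
    return dest == base


def recover_base(instr, regs, accessed_addr):
    """base = accessed - index*scale - disp, using the known accessed address
    (the one "Find what accesses" was run on) and the surviving index register."""
    dest, base, index, scale, disp = parse_mov(instr)
    if index is not None and index == dest:
        raise ValueError(f"{index} was overwritten; base cannot be recovered")
    index_part = regs[index] * scale if index is not None else 0
    base_value = (accessed_addr - index_part - disp) & 0xFFFFFFFF
    # If the base register survived the mov, the snapshot must agree with us.
    if base != dest and regs[base] != base_value:
        raise ValueError("snapshot base disagrees with the accessed address")
    return base_value


if __name__ == "__main__":
    regs = parse_snapshot(SNAPSHOT)
    instr = "mov eax,[eax+edx*4+0c]"
    accessed = 0x0A8B1C60          # constructed stand-in for the scanned address
    print("base clobbered by the mov:", base_register_clobbered(instr))
    print("value to scan for: %08X" % recover_base(instr, regs, accessed))
```

The consistency check in `recover_base` is what makes the script useful beyond the clobbered case: when the base register did survive the instruction, the snapshot value and the computed value must match, and a mismatch means the accessed address or the instruction line was copied wrongly.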
private00x Newbie cheater
Reputation: 0
Joined: 21 Apr 2009 Posts: 19
Posted: Fri May 22, 2009 8:50 am Post subject:
Dark Byte wrote:
> Remember the text at the bottom of the more info window? All register values are shown AFTER the instruction has been executed.
> mov eax,[eax+edx*4+0c] will affect EAX, which is a problem, since eax is part of the calculation. (small part)
> 2 ways to get by this:
> 1: use exceptions instead of hardware bp's (can cause crashes so you may only be able to use it once)
> 2: my preferred, use basic math to figure it out:
> Let's look at the instruction: mov eax,[eax+edx*4+0c]
> Means that eax+edx*4+c will result in the address you've chosen the option "Find what accesses" on.
> Fun thing is, you KNOW that address.
> What we can find out is that edx*4+c = 3*4+c = c+c = 18
> so:
> eax+18 = known address
> known address-18 = eax = base pointer value to scan for
> Also, what are you looking for? The instructions you're looking at are for arrays. If it's the units' health in an RTS, I recommend going with code injection instead
I appreciate your help Dark Byte.
I thought about that, option #1 made the game crash all the time - I am very interested in option #2 however. I tried it, and it works! Great!
One thing however, my pointer seems to have 23 levels - it took me around 3 hours to find it (after 2 months of finding out how this method 2 works, hehe). Do you think code injection is better?
It is the player's stamina pool in a RTS, yes. I did try code injection using a code cave and directing an opcode to this code cave. The code cave would then copy the memory address to an address in the code cave which I could then read. This gave me 2 problems:
1. many opcodes were in self-allocated memory sections, which made the opcode address variable - so after game restart the opcode would no longer be at that address
2. the opcodes were sometimes accessing thousands of addresses, resulting in the wrong address being written to the address I gave - I have no clue how to make it only write the address that I need
EDIT:
I thought it worked. When teleporting in the game, which causes a loading screen, the static pointer (and actually any pointer above level 6 I found) was still working. However, after restarting the game, none of the pointers are working, not even the one that was static. Damn, any idea?
PS. after this edit, the code injection thing is not that important anymore.. I just want to figure this multi level pointer out.. I thought I had it.. but no.
EDIT 2:
I retried it with another address.. I'm currently at level 25, but the problem is that the pointer window is too big (it's out of the screen area now), so I cannot enter new pointers. Any idea?
EDIT 3:
I made a screenshot of the situation:
http://img200.imageshack.us/img200/126/cescr.gif
Last edited by private00x on Fri May 22, 2009 10:43 am; edited 2 times in total
FreeFry Cheater
Reputation: 0
Joined: 12 Jan 2005 Posts: 44
Posted: Fri May 22, 2009 10:00 am Post subject:
Hi Tom. :p
You might explain that you're writing a bot for a game, and that you won't be able to use the Cheat Engine features (such as the auto assembler).
private00x Newbie cheater
Reputation: 0
Joined: 21 Apr 2009 Posts: 19
Posted: Fri May 22, 2009 12:41 pm Post subject:
FreeFry wrote:
> Hi Tom. :p
> You might explain that you're writing a bot for a game, and that you won't be able to use the Cheat Engine features (such as the auto assembler).
This is true.
I updated my first post with a screenshot and other information.
Dark Byte Site Admin
Reputation: 472
Joined: 09 May 2003 Posts: 25870 Location: The netherlands
Posted: Fri May 22, 2009 3:18 pm Post subject:
Looking at the screenshot it looks like you only tried one pointer path.
Try finding what accesses other addresses and go from there (e.g. if they result in a different offset, really look into it).
And really, a 25+ level pointer; I usually go with auto assembler after the 5th level (and if you don't use CE, you could always rip out CE's AA and make a dll/lib from it and use it in your own app, it's open source, or even just look at the bytecode AA generates and make your trainer inject that instead, keeping in mind the relative jumps).
Also, usually when an array is involved it means trouble with pointers, because it is possible that the array won't be filled exactly the same way the next time the game is run (especially on emulator games like those running in Flash).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
private00x Newbie cheater
Reputation: 0
Joined: 21 Apr 2009 Posts: 19
Posted: Fri May 22, 2009 3:23 pm Post subject:
Dark Byte wrote:
> Looking at the screenshot it looks like you only tried one pointer path.
> Try finding what accesses other addresses and go from there (e.g. if they result in a different offset, really look into it).
> And really, a 25+ level pointer; I usually go with auto assembler after the 5th level (and if you don't use CE, you could always rip out CE's AA and make a dll/lib from it and use it in your own app, it's open source, or even just look at the bytecode AA generates and make your trainer inject that instead, keeping in mind the relative jumps).
> Also, usually when an array is involved it means trouble with pointers, because it is possible that the array won't be filled exactly the same way the next time the game is run (especially on emulator games like those running in Flash).
Well, how would I know when to take another address and which one to take? I did not get a dead end so far; the problem is that the window is too big - it doesn't fit on my screen to display more than 26 pointers, so I can't add any more.
Edit: I found a workaround by searching for the pointers for the pointer address in a new address window... so I found another static pointer, this time with 27 levels... unfortunately it doesn't seem to be a good one after restarting the game.
I wonder what I'm doing wrong...