Cheat Engine The Official Site of Cheat Engine
phantom887 (How do I cheat?)
Reputation: 0
Joined: 27 Aug 2011 Posts: 7
Posted: Sat Aug 27, 2011 2:35 pm Post subject: Civilization V Gold Address?
I've been trying to find the memory address for the gold value in Civilization V (DX 10+11), but I've run into a problem. OK, so I know that it's either stored as a float or double because it uses decimals to round to the correct number. However, the exact value search didn't return anything useful, so I decided to start with an unknown initial value search, and then use increased and decreased value to narrow down the results. I did this for both float and double. Eventually, I had narrowed it down to only one or a few addresses, but none of them made any sense, and when I tried to change them, it didn't affect the gold. Anyone have any suggestions?
_________________
"The avalanche has already begun. It is too late for the pebbles to vote." -Kosh, Babylon 5
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003 Posts: 25837 Location: The netherlands
Posted: Sat Aug 27, 2011 2:47 pm Post subject:
Use 4 byte values and look for values in the range of yourmoney*100 and yourmoney*199 (6.1: you can just type that like that; no need to calculate it manually).
Or you can use a custom type.
Start a new scan, right-click the type and select custom auto assembler type.
Paste in this code:
Code:
alloc(TypeName,256)
alloc(ByteSize,4)
alloc(ConvertRoutine,1024)
alloc(ConvertBackRoutine,1024)
TypeName:
db 'Special Float type',0
ByteSize:
dd 4
//The convert routine should hold a routine that converts the data to an integer (in eax)
//function declared as: stdcall int ConvertRoutine(unsigned char *input);
//Note: Keep in mind that this routine can be called by multiple threads at the same time.
ConvertRoutine:
[32-bit]
push ebp
mov ebp,esp
push ecx
mov ecx,[ebp+8]
[/32-bit]
//at this point ecx contains the address where the bytes are stored
//save the used registers
push edx //fun fact about ce's assembler, because push edx does not exist in 64-bit it becomes the 64-bit push rdx automatically
push ebx
//put the bytes into the eax register
mov eax,[ecx] //second fun fact, addressing with 32-bit registers doesn't work in 64-bit, it becomes a 64-bit automatically (most of the time)
xor edx,edx
mov ebx,#100
div ebx //divide eax by 100 and put the result in eax (and leftover in edx)
pop ebx
pop edx
//and now exit the routine
[64-bit]
ret
[/64-bit]
[32-bit]
pop ecx
pop ebp
ret 4
[/32-bit]
//The convert back routine should hold a routine that converts the given integer back to a row of bytes (e.g. when the user wants to write a new value)
//function declared as: stdcall void ConvertBackRoutine(int i, unsigned char *output);
ConvertBackRoutine:
[32-bit]
push ebp
mov ebp,esp
push edx //save the registers
push ecx
mov edx,[ebp+0c]
mov ecx,[ebp+08]
[/32-bit]
//at this point edx contains the address to write the value to
//and ecx contains the value
push eax
push edx
push ecx
mov eax,ecx //eax gets the given value
xor edx,edx //clear edx
mov ecx,#100
mul ecx //multiply eax and put the results into edx:eax (edx is ignored for this routine)
pop ecx
pop edx
mov [edx],eax
pop eax
[64-bit]
//everything is back to what it was, so exit
ret
[/64-bit]
[32-bit]
//cleanup first
pop ecx
pop edx
pop ebp
ret 8
[/32-bit]
Now you can use the 'special float type' variable and scan and work with values that are stored in civ5 (tech progress is one of them)
also, this aa script will give you the address goldaddress which will get the address of gold:
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
alloc(goldaddress,4)
label(returnhere)
label(originalcode)
label(exit)
registersymbol(goldaddress)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
originalcode:
lea eax,[ecx+08]
mov [goldaddress],eax
mov ecx,[ecx+08]
mov eax,51EB851F
exit:
jmp returnhere
CvTreasury::GetGold:
jmp newmem
nop
nop
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
dealloc(goldaddress)
CvTreasury::GetGold:
mov ecx,[ecx+08]
mov eax,51EB851F
//Alt: db 8B 49 08 B8 1F 85 EB 51
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
phantom887 (How do I cheat?)
Reputation: 0
Joined: 27 Aug 2011 Posts: 7
Posted: Sat Aug 27, 2011 3:39 pm Post subject:
Ah thank you! But I still have a question. How did you know to search for values between gold*100 and gold*199? And why would I use 4 byte if it has decimal numbers? I'm looking to understand these concepts, not just hack this game individually and then be done with it.
_________________
"The avalanche has already begun. It is too late for the pebbles to vote." -Kosh, Babylon 5
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003 Posts: 25837 Location: The netherlands
Posted: Sat Aug 27, 2011 4:14 pm Post subject:
Well, the *199 isn't really correct, more *100+99; just saying that if you have 5 gold, the value is between 500 and 599.
--
Anyhow, I started with a 4 byte value as money didn't contain a decimal part at that moment (and gold pieces are usually whole).
When I didn't find it, I used unknown initial value and used increased value scans each time I gained money and decreased value when I spent some.
Then after a while I found that when I had 40 gold pieces the value was 4000 gold, and when I had 41 gold pieces the value was 4100.
I then changed the value to 50000 and bought something and noticed I had 500 minus the amount I just bought.
And the decimal part came later when I noticed it wasn't always a full 00 at the end.
--
Also, if increased/decreased didn't work I would have tried float/double, then all, and then 4 byte with changed/unchanged (that will always find it, but it's slow).
As for the auto assembler code: once I found the money I used the function that accesses it and found a bunch of useful places I could use to do a code injection to obtain the current money address.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
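As an added illustration (not code from this thread or from Cheat Engine), the Python below mirrors the two conversion routines of the custom type from the first reply and the scan sequence described in this one: a first scan for values between gold*100 and gold*100+99, followed by increased/decreased scans as gold changes. The memory snapshots, offsets and gold amounts are constructed for the example.

```python
import struct

def convert_routine(raw: bytes) -> int:
    """Python mirror of ConvertRoutine: 4 raw bytes -> displayed gold (raw / 100)."""
    return struct.unpack("<I", raw)[0] // 100

def convert_back_routine(value: int) -> bytes:
    """Python mirror of ConvertBackRoutine: displayed gold -> 4 raw bytes (value * 100)."""
    return struct.pack("<I", value * 100)

def dwords(snapshot: bytes) -> dict:
    """Read a snapshot as {byte offset: 4-byte little-endian value}."""
    return {off: struct.unpack_from("<I", snapshot, off)[0]
            for off in range(0, len(snapshot) - 3, 4)}

def range_scan(snapshot: bytes, gold: int) -> set:
    """First scan: values between gold*100 and gold*100+99 (whole gold plus hidden hundredths)."""
    lo, hi = gold * 100, gold * 100 + 99
    return {off for off, v in dwords(snapshot).items() if lo <= v <= hi}

def next_scan(candidates: set, before: bytes, after: bytes, how: str) -> set:
    """Narrow candidates by 'increased' or 'decreased' value between two snapshots."""
    b, a = dwords(before), dwords(after)
    keep = {"increased": lambda o: a[o] > b[o], "decreased": lambda o: a[o] < b[o]}[how]
    return {off for off in candidates if keep(off)}

def locate_gold(snapshots: list, gold_seen: list) -> set:
    """Whole procedure: range scan on the first snapshot, then increased/decreased on each later one."""
    cands = range_scan(snapshots[0], gold_seen[0])
    for i in range(1, len(snapshots)):
        how = "increased" if gold_seen[i] > gold_seen[i - 1] else "decreased"
        cands = next_scan(cands, snapshots[i - 1], snapshots[i], how)
    return cands

# Constructed 24-byte region of six 4-byte values. Offset 8 is the "gold" cell;
# offset 4 is a decoy that sits in range but never moves, offset 16 a decoy that only rises.
SNAPSHOTS = [
    struct.pack("<6I", 7, 4050, 4000, 1, 4099, 123456),   # 40 gold
    struct.pack("<6I", 7, 4050, 4100, 2, 4150, 123456),   # gained 1 -> 41 gold
    struct.pack("<6I", 7, 4050, 3750, 3, 4200, 123456),   # bought something -> 37.50 gold
]
GOLD_SEEN = [40, 41, 37]

if __name__ == "__main__":
    for off in sorted(locate_gold(SNAPSHOTS, GOLD_SEEN)):
        raw = SNAPSHOTS[-1][off:off + 4]
        print(f"offset {off}: raw {struct.unpack('<I', raw)[0]} -> {convert_routine(raw)} gold")
```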
phantom887 (How do I cheat?)
Reputation: 0
Joined: 27 Aug 2011 Posts: 7
Posted: Sat Aug 27, 2011 5:45 pm Post subject:
Thank you for taking the time to explain that to me. I really do appreciate it.
_________________
"The avalanche has already begun. It is too late for the pebbles to vote." -Kosh, Babylon 5
Swordmage (Newbie cheater)
Reputation: 1
Joined: 15 Mar 2011 Posts: 21
Posted: Tue Sep 27, 2011 5:51 am Post subject:
I'm trying to do a custom type scan, but it's not giving me an option. Nothing happens when I right-click. I'm using 6.1 64-Bit if this makes a difference. I can execute the AA script through the memory view, but it just gives me a constantly changing address...
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003 Posts: 25837 Location: The netherlands
Posted: Tue Sep 27, 2011 6:19 am Post subject:
Click on new scan first so that the type can be changed and clicked.
As for the AA script for goldaddress, that will stay constant for as long as it is your turn and you do not enter the diplomacy screen (make sure you add goldaddress to the list as a pointer: [goldaddress]+0).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping