Cheat Engine

[xtokenx]

Thank you Methos.

[xtokenx]

I don't really want to open another thread so I'll post what I'm having trouble with here.

So in a different game I found this (address) mov [esi+00006A34],00000001 when it activates it gives me a bonus. I found that out by using nop and I couldn't get any bonuses. But just from one glance it's different from the CE code injection tutorial. I'm assuming and I have no experience with this but I guess I need to go to Auto Assemble and make a code injection to the address and make a new code changing the original code which is mov [esi+00006A34],00000001 but if thats the case I have no idea what the new code should be.

What I can tell is the mov means 00000001 will move into the value of [esi+00006A34] and that's all I know. But maybe I got everything wrong so I need some help here.

[++METHOS]

Assuming you have the correct instruction, there are a couple of ways to handle it.

First, you need to check if that instruction accesses any other addresses by right-clicking on it and selecting that option. If it accesses multiple addresses, you either need to filter out the bad ones or find a different injection point. If it only accesses one address (maybe the one that holds the bonus value?), you can either set it up to constantly give you a bonus, only give you a bonus when you tell it to or manually control the bonus or score value altogether etc.

[xtokenx]

I tried your method Methos and it worked, partly anyway. So I did what you said. I right click and clicked on "Find out what addresses this code accesses." After getting a bonus a address appeared. I froze it so it would always give me a bonus after fights but there was a problem. After I leave the area and enter another fight there was no guarenteed bonus. In the windows another address popped up after I got another bonus. I froze that one too but again the darn same thing happen again when I move on to another area.

This is disappointing. I really thought this time everything would go perfectly. What do you suggest I should do? I'm pretty sure it's the right instruction. I mean after all it gave me the right address though it would stop working and another address would appear.

Would changing the code in Auto Assembly get me what I want? The whole proccess is foreign to me. Or maybe I shouldn't attempt to try that. I can't wrap my head around this, I don't know why this is happening. Have you encountered any similar cases to mine? and did you manage to solve it?

[++METHOS]

You can either inject code at that instruction (or) grab the address that the instruction gives you, add it to your table and perform a pointer scan on it (that way, your freeze will work even when the address changes).

If it were me, I would write a script. If you inject code, you might be better off looking for an instruction that accesses your address as opposed to writes to it...but we can look at that later, if you want.

In memory viewer, with the instruction highlighted, select 'tools' from the drop-down menu. Under tools, select 'auto assemble'. In the new auto assemble window, select 'template' from the drop-down menu. Under template, select 'cheat table framework code'. Select 'template' from the drop-down menu again. This time, select 'code injection'. Click okay. Once you are finished, copy everything from that window and paste it here...we can write a script to do what you want.

[xtokenx]

I followed your instructions here it is

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

originalcode:
mov [esi+00006A34],00000001

exit:
jmp returnhere

"NS3FB.exe"+4A1F7A:
jmp newmem
nop
nop
nop
nop
nop
returnhere:




[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"NS3FB.exe"+4A1F7A:
mov [esi+00006A34],00000001
//Alt: db C7 86 34 6A 00 00 01 00 00 00

There I hope you can write the script using this. In the mean time I'll attempt to do a pointer scan again. My past try using pointer scan ended in failure. I'm still baffle why I get no results when I rescan. But I hope I can manage to do it. No guarantees but still it can't hurt to try.

I would be lost without your help Methos so thanks for your assistance in my dilemma. I have almost no doubts that your script will work but I'll try my best too.

[++METHOS]

Can you paste the memory viewer code around (above) this instruction, please?

I'm trying to make sense of what is happening. If moving 1 in to [esi+00006A34] gives you a bonus, then there may be a conditional jump prior to the instruction. If so, we want to inject there. Otherwise, I will need more information.

[xtokenx]

Here. These are the codes above the instruction.

NS3FB.exe+4A1F3D - FF D2 - call edx
NS3FB.exe+4A1F3F - 85 C0 - test eax,eax
NS3FB.exe+4A1F41 - 0F84 AF000000 - je NS3FB.exe+4A1FF6
NS3FB.exe+4A1F47 - 8B 06 - mov eax,[esi]
NS3FB.exe+4A1F49 - 8B 50 10 - mov edx,[eax+10]
NS3FB.exe+4A1F4C - 8B CE - mov ecx,esi
NS3FB.exe+4A1F4E - FF D2 - call edx
NS3FB.exe+4A1F50 - 69 C0 2C010000 - imul eax,eax,0000012C
NS3FB.exe+4A1F56 - 83 B8 A49A0B09 00 - cmp dword ptr [eax+NS3FB.exe+7CE9AA4],00
NS3FB.exe+4A1F5D - 0F84 93000000 - je NS3FB.exe+4A1FF6
NS3FB.exe+4A1F63 - 83 BE 346A0000 00 - cmp dword ptr [esi+00006A34],00
NS3FB.exe+4A1F6A - 0F85 86000000 - jne NS3FB.exe+4A1FF6
NS3FB.exe+4A1F70 - 8B 06 - mov eax,[esi]
NS3FB.exe+4A1F72 - 8B 90 64060000 - mov edx,[eax+00000664]
NS3FB.exe+4A1F78 - 8B CE - mov ecx,esi
NS3FB.exe+4A1F7A - C7 86 346A0000 01000000 - mov [esi+00006A34],00000001

From what I know and see there are a few jump commands above the instruction. I assume that's where we're injecting. I hope this satisfies the lack of information.

[++METHOS]

What happens when you receive a bonus? What is the bonus?

This is an odd instruction. I am curious as to how you found it. I think the best approach would be to right-click on the instruction to see what addresses it accesses. When an address shows up, add it to your cheat table. In your cheat table, right-click on the address to see what instructions access it (not writes to). In the debugger window, several instructions should populate the list. let it run for 2 or 3 seconds, then hit stop. In your list, some of the instructions will be accessed a lot more than others (we are looking for an instruction that gets accessed several times per second). Click on the first one that looks good and view it in memory viewer. Right-click on the instruction to see what addresses it accesses. Keep doing that until you find an instruction that is being accessed several times per second (and) only accesses 1 address (the address that you added to your cheat table). If you find one, follow the steps like before and copy that script here. You will probably be looking for an instruction that has [???+00006A34] in it. If you can't find one, but find an instruction that accesses multiple addresses where all of the values are 0 or 1, that might work too.

Again, assuming you have the right address...we basically want to force a value of 1 to be moved in to that address constantly. You can do the same with pointer scanner...but I'm not entirely sure you have the correct address, so that would be a waste of time.

[xtokenx]

Interesting. I did what you told me and I found 2 instructions and they're both accessing the 2 addresses that controls the bonuses. The 2 address values are 1 when I have the bonus and 0 when I don't They also have [???+00006A34] in it. Here I'll paste them here.

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

originalcode:
cmp dword ptr [esi+00006A34],00

exit:
jmp returnhere

"NS3FB.exe"+4A4CF6:
jmp newmem
nop
nop
returnhere:



[DISABLE]
//code from here till the end of the code will be used to disable the cheat

and the 2nd instruction.

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

originalcode:
cmp [esi+00006A34],edi

exit:
jmp returnhere

"NS3FB.exe"+4A2284:
jmp newmem
nop
returnhere:



[DISABLE]
//code from here till the end of the code will be used to disable the cheat

Could this be the instructions we're looking for? Also out of curiosity I use "Replace code that does nothing". Nothing happened when used on the 1st instruction but when used on the 2nd instruction my bonus went away. I don't know if thats any useful information but take it as you will. One more thing it's a 2 player game so one address controls the bonus for player 1 and the other address for player 2.

I hope the cmp commands means you can actually use them. It's not moving it's comparing now so I hope that's a significant change. Hopefully anyways. I still have only limited knowledge on this.

Edit: I see that the addresses still corresponds to the problem I had where the old address stopped working and new ones take place.

[++METHOS]

Try this:

[xtokenx]

Amazing, very amazing. Your script works perfectly. I now always have the bonus. Thank you. Just one more thing, could you explain what you did? I really want to know for future references. Your knowledge is admirable and maybe possibly in the future I can write my own scripts without anyones assistance. Anyways do you mind?

Once again thank you for your help.

[++METHOS]

All we are doing is forcing that value to be 1 every time our chosen instruction accesses it. So, before the compare is performed to check its value, we are literally setting the value to be what we want. The reason we are using an instruction that accesses our address instead of writing to it, is because the instruction that writes to the address only writes the value when it is supposed to (when all conditions are met and you are actually supposed to receive the bonus), and the instruction that accesses the address is constantly accessing it, allowing us to control that value constantly, at all times.

If the other instruction actually handles player 2 bonus, you could inject code at that instruction and force it to always be 0...just make sure it's actually accessing the other address and not your address.