 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
Mark Danielle
Advanced Cheater
![]() Reputation: 0
Joined: 22 Aug 2012
Posts: 97
|
 Posted: Sat Nov 01, 2014 9:16 am Post subject: Suggestion - Pointer Scan Reduce? |
 |
|
Hi, I have an idea which I will explain below.
Let us say that in a game, we would like to find the entity array.
We know that, for example:
The HP offset within Entity structure = 0x4
[[entityarray+offset]+offset] = Entity HP
[[?+?]+0x4] = Entity HP
Let us say that we found the proper HP addresses of 3 entities in the game.
We do not know what the offset is for each entity within the entity array, but we know that all entities must be in the same entity array (same entity array address).
So we know for a fact that:
? = entity array address
[[?+X]+0x4] = entity 1 hp
[[?+Y]+0x4] = entity 2 hp
[[?+Z]+0x4] = entity 3 hp
As we have the addresses for all 3 entities' HP, we can do a pointer scan for all 3 of them which end in the 0x4 offset and then find a common pointer (the entity array) between all three scans.
The only problem right now, is that filtering 3 pointer scans manually just takes way too long for a human being.
It would be great if cheatengine would have a method to filter common (base) pointers between many pointer scans.
Of course this could be used with more complicated structures like:
[[[[entity array+?](entity)+?](component list)+?](component)+0x4]
If you have 3 components then you can find the component array within the entity, etc.
So this would basically be an intersection between two or more pointer scans for the (base) pointer address.
|
|
| Back to top |
|
 |
Dark Byte
Site Admin
 Reputation: 471
Joined: 09 May 2003
Posts: 25865
Location: The netherlands
|
| Posted: Sat Nov 01, 2014 10:06 am Post subject: |
|
|
So basically do a normal pointerscan for entry1 hp and then 'fiddle' with each offset of every result to see if it matches entry2 hp and if so, store both paths
I might be able to add that, but it may take up to 2 to 4 gb extra ram to keep a reverse pointermap for the base pointermap, and will slow down scans quite a bit
It could be a thing for rescans only as well.
Not sure how to 'group' the addresses though
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
Mark Danielle
Advanced Cheater
![]() Reputation: 0
Joined: 22 Aug 2012
Posts: 97
|
| Posted: Sat Nov 01, 2014 12:20 pm Post subject: |
|
|
| Dark Byte wrote: | So basically do a normal pointerscan for entry1 hp and then 'fiddle' with each offset of every result to see if it matches entry2 hp and if so, store both paths
I might be able to add that, but it may take up to 2 to 4 gb extra ram to keep a reverse pointermap for the base pointermap, and will slow down scans quite a bit
It could be a thing for rescans only as well.
Not sure how to 'group' the addresses though |
I did try the fiddling method without any luck.
Yes I thought of this as rescans only, as you would need to do other pointer scans beforehand and then rescan to reduce.
So you have 3 pointer scans for instance:
A, B, and C (A.ptr, B.ptr, C.ptr)
We know from set theory that:
A ∩ B ∩ C == A ∩ C ∩ B
so the order that the user does the reduce does not matter.
So the user would open A.ptr and then reduce it with B.ptr and then reduce the result with C.ptr, which gives us the intersection of the scans A, B and C where we should (hopefully) have very few pointers left.
I'm not quite sure what you mean with grouping, but reducing it this way only leaves you with the intersection so the user should know that the pointers belong to A ∩ B ∩ C.
Disclaimer: I do not know the internals of how cheatengine does the pointer scans / rescans or even if such a design is feasible, so please excuse me if I am spouting nonsense  .
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 471
Joined: 09 May 2003
Posts: 25865
Location: The netherlands
|
| Posted: Sat Nov 01, 2014 12:58 pm Post subject: |
|
|
One pointerscan should be enough as that contains all the data you will need
with fiddle I mean let CE automatically do that for you.
e.g you have the following situation:
You have 2 classes. Game and Player
Static base address (game.exe+10000) points to the Game class
The Game class holds an staticsize array of players at offset 0x118
The player class has at offset 0x480 the player health
You do a pointerscan for the player health, and one of the billion of results the pointerscan finds is:
[game.exe+10000]+118]+480=player1 health
With a fiddle distance of 4 (and stepsize 4) CE would then check the following paths if they match player2 health: (just an example, you'd likely want to go with 64 or 128 distance with multiple players)
[game.exe+10000]+118]+47c
[game.exe+10000]+118]+484
[game.exe+10000]+114]+480
[game.exe+10000]+11c]+480
[game.exe+fffc]+11c]+480
[game.exe+10004]+11c]+480
It would then find [game.exe+10000]+11c]+480 to be a match for player2 health. So saves the pointer for player1 and player2
[game.exe+10000]+118]+480=player1 health
[game.exe+10000]+11c]+480=player2 health
the problem is how to prevent a third rescan from using both results to fiddle with while only the first one would be enough (ptr results are unordered)
(You can't really see pointerscan results as sets that you can compare. multiply the time it takes to sort a pointerscan by the number of results in it to get the time it takes to handle it like a set)
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
mgr.inz.Player
I post too much
 Reputation: 222
Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00
|
| Posted: Sat Nov 01, 2014 11:34 pm Post subject: |
|
|
"the problem is how to prevent a third rescan from using both results to fiddle with while only the first one would be enough (ptr results are unordered)"
Don't save those pointers at all and allow other workers to do their job, even when they repeat the very same (or almost the same) work?
RESCANNING:
If worker have this pointer [[[[[game.exe+10000]+offset0]+offset1]+offset2]+118]+480 which points to address1 (P1 Health),
Check if adjusted pointers (made from above pointer) will point to address2 (P2 Health). Max adjust value is 0x100.
If at least one points to address2, we will keep this pointer. If not, just drop/reject/flagAsInvalid this pointer.
| Code: | good=false
tmpaddress = [[[game.exe+10000]+offset0]+offset1]
for i=-0x100, 0x100, 4 do
for j=-0x100, 0x100, 4 do
for k=-0x100, 0x100, 4 do
if i=0 and j=0 and k=0 then continue
if [[tmpaddress+offset2+k ] +118+j ] +480+i = address2 then good=true & goto skip
end
end
end
skip:
if good then accept
else reject
end |
But it would be very slow:
Adjusting three ending offsets, when max adjust value is 0x100:
(0x100 / 2 + 1)^3 - 1 = 2146688 additional checks for every valid pointer we have.
Adjusting two ending offsets, when max adjust value is 0x50:
(0x50 / 2 + 1)^2 - 1 = 1680 additional checks for every valid pointer we have.
If other worker has, for example this pointer:
[[[[[game.exe+10000]+offset0]+offset1]+offset2]+08]+480
We just let him to do the very same job (checking if adjusted pointers will point to address2 ). Even when part of those adjusted pointers were already checked.
So, it isn't efficient... It is the price we have to pay.
But, that way pointer rescanner will filter out all other good pointers which don't point to address2 after adjusting few ending offsets.
Question, if we have 1680 checks per every valid pointer, does it mean overall rescanning will be 1680 times slower?
_________________
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 471
Joined: 09 May 2003
Posts: 25865
Location: The netherlands
|
| Posted: Sun Nov 02, 2014 12:04 am Post subject: |
|
|
max adjust value of 0x50 (80) with a stepsize of 4 would mean 40 checks for each offset (20 below, 20 above)
on a level 6 pointer that would be 40*6=240 checks for each pointer. (it's useless to fiddle with multiple offsets at a time)
But yes, the rescan will take about 240 times longer than usual
Of course, assuming you follow the next CE's recommended scanning method(first make a snapshot, reboot or go to another system, then do a scan with help of the snapshot), you should only have a handful of results to work with
(I do think it should store which offsets should be changed to get to health 2 though, as it might not be clear to the user why that path got left in)
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
mgr.inz.Player
I post too much
Reputation: 222
Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00
|
| Posted: Sun Nov 02, 2014 12:48 am Post subject: |
|
|
| Dark Byte wrote: | | max adjust value of 0x50 (80) with a stepsize of 4 would mean 40 checks for each offset (20 below, 20 above) |
Adjusting something by 0x10. We add 0x10 or subtract 0x10. And add/subtract the rest: 0x4,0x8,0xC
So, we have -0x10, -0xC, -0x8, -0x4, 0, 0x4, 0x8, 0xC, 0x10.
When fiddling one offset, we skip 0. Those left: -0x10, -0xC, -0x8, -0x4, 0x4, 0x8, 0xC, 0x10 (4 below, 4 above, sum:8, which is 0x10 / 2 = 16 / 2 = 8 )
When fiddling two offsets. 4 below 4 above and 0 for first offset, 4 below 4 above and 0 for second offset. We skip checking if both are 0. This gives 9*9 - 1 = 80
| Dark Byte wrote: |
it's useless to fiddle with multiple offsets at a time
|
Why? What if I want to find health pointer, which can be easily transformed (only ending offsets changes), for example to shield and oxygen
[[[[mod+modoffset]+offset0]+offset1]+394]+6C - health
[[[[mod+modoffset]+offset0]+offset1]+824]+6C - shield
[[[[mod+modoffset]+offset0]+offset1]+884]+14 - oxygen
| Dark Byte wrote: |
But yes, the rescan will take about 240 times longer than usual
|
OK, but, if we check two addresses (three total). It won't increase to 480 times longer. Probably to 241x or 250x
When 5th normal rescan takes 2 seconds, 6th rescan with offset fiddle: address2, address3 would take in worst case 500 seconds (8 minutes). It's not that bad.
Adjusting two ending offsets, when max adjust value is 0x50. Calc: (0x50 / 2 + 1)^2 - 1 = 1680
6th rescan will take 2*1700 = 3400 s = 56 minutes. It is bad.
| Code: | good1=false
good2=false
tmpaddress = [[[game.exe+10000]+offset0]+offset1]
for i=-0x100, 0x100, 4 do
for j=-0x100, 0x100, 4 do
for k=-0x100, 0x100, 4 do
if i=0 and j=0 and k=0 then continue
tmp=[[tmpaddress+offset2+k ] +118+j ] +480+i
if tmp=address2 then good1=true
if tmp=address3 then good2=true
if good1 & good2 then goto skip
end
end
end
skip:
if good1 & good2 then accept
else reject
end
|
| Dark Byte wrote: | Of course, assuming you follow the next CE's recommended scanning method(first make a snapshot, reboot or go to another system, then do a scan with help of the snapshot), you should only have a handful of results to work with
(I do think it should store which offsets should be changed to get to health 2 though) |
Don't have 6GB of RAM 
_________________
Last edited by mgr.inz.Player on Sun Nov 02, 2014 1:11 am; edited 1 time in total |
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 471
Joined: 09 May 2003
Posts: 25865
Location: The netherlands
|
| Posted: Sun Nov 02, 2014 1:08 am Post subject: |
|
|
Actually, I think this is a bad idea to do it in a scan or rescan
I think the original post might work better
Sort ptr1 and ptr2 on the base address
Delete all the .ptr.X entries that are unique and leave the ones that have a matching base
Then sort ptr1 and ptr2 on the first offset and delete all the .ptr.x entries that are unique and leave the ones that have a matching offset (or are negative)
repeat until there are no matching .ptr.x left and you'll have two lists of matching pointer starts
And I guess you could also go from the other side
| Quote: |
Don't have 6GB of RAM
|
I really recommend getting more RAM. 4GB isn't even enough for some scans right now
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
mgr.inz.Player
I post too much
Reputation: 222
Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00
|
| Posted: Sun Nov 02, 2014 1:34 am Post subject: |
|
|
| Dark Byte wrote: | Actually, I think this is a bad idea to do it in a scan or rescan
I think the original post might work better
Sort ptr1 and ptr2 on the base address
Delete all the .ptr.X entries that are unique and leave the ones that have a matching base
Then sort ptr1 and ptr2 on the first offset and delete all the .ptr.x entries that are unique and leave the ones that have a matching offset (or are negative)
|
Only in rescan.
"I think the original post might work better"
Lets see
pointer scan for address1 + several rescans = can take few hours
pointer scan for address2 + several rescans = can take another few hours
Sorting by base ptr1 : 1 to 5 minutes,
Sorting by base ptr2 : 1 to 5 minutes,
remove uniq
Sorting by offset0 ptr1 : 1 to 15 minutes,
Sorting by offset0 ptr2 : 1 to 15 minutes,
remove uniq
Sorting by offset1 ptr1 : 1 to 7 minutes
Sorting by offset1 ptr2 : 1 to 7 minutes
remove uniq
Sorting by offset2 ptr1 : 1 to 3 minutes
Sorting by offset2 ptr2 : 1 to 3 minutes,
remove uniq
...
...
In worst case: few hours+few hours+2*5min+2*15min+2*7min+2*3min
ptr sorting = hard drive bottleneck, right? I only use it when less than 1000 pointers left.
_________________
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 471
Joined: 09 May 2003
Posts: 25865
Location: The netherlands
|
| Posted: Sun Nov 02, 2014 8:07 am Post subject: |
|
|
The thing is that you (and likely other users) would assume it would be able to find pointers to semi-related fields instead of related fields seperated by a single array (which is a fair request else it'd be only useful in those few player array situations)
The problem with that is that offsets after the first change can not be guaranteed to be similar, so they have to be checked the full structsize of the original scan (eg 2048)
Meaning for every pointer you find a full secondary pointerscan would have to be done to find that address
So even with 1000 results you'd be doing 1000 times a level-1 pointerscan multiplied by the distance (since only the base would be aplicable to the change)
I think doing 2 to 3 scans and sorting them is probably faster
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
Mark Danielle
Advanced Cheater
![]() Reputation: 0
Joined: 22 Aug 2012
Posts: 97
|
| Posted: Sun Nov 02, 2014 8:56 am Post subject: |
|
|
| mgr.inz.Player wrote: | | Only in rescan. |
Yes, only as rescan.
My pointer scans usually do not take that long. I also am running CE on GNU/Linux with Wine. The only times it runs abysmally slow is when I scan for value (which I no longer do), or when I run out of memory and the OS starts swapping out memory and thrashing the hard drive. Scanning for the address itself is quite fast, the initial snapshot(pointermap?) of the memory usually takes longer than the scan itself.
By the way, CE 6.4 works really well in Wine  .
I know that intersecting two or more large (1mil+) pointerscan results would take very long, but that was not my intent in the first place. I was thinking about smaller sets where you already have a low (1,000-10,000) amount of pointers per entity and would like to find the common pointer between two, three or more entities. Sure, intersecting large pointerscan results would drastically eliminate wrong pointers, but it would most likely take longer than doing rescans to reduce them to 1000-10,000 and then do an intersection.
|
|
| Back to top |
|
|
mgr.inz.Player
I post too much
Reputation: 222
Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00
|
| Posted: Sun Nov 02, 2014 11:30 am Post subject: |
|
|
@bmn
If you want to test the newest (not 100% tested) pointerscanner, you can try this:
https://googledrive.com/host/0BwMAnE6mjogMTmpYMGstY1NPQnc/
1 Download file "pure r2795.7z",
extra step: do a backup, WinRAR or 7Zip of whole CE directory.
2 extract with WinRAR or 7z
3 copy and paste into CE directory, overwrite existing files.
By default CE is installed in C:\{PF}\Cheat Engine 6.4,
where C is system drive, {PF} is your "program files" dir - could be "c:\Program Files" or "c:\Program Files (x86)".
As DB said, you need 6GB or more for some scans.
_________________
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
