Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


AOB scan - From exact enemy entity to enemies array

 
ranseier
Newbie cheater
Reputation: 0

Joined: 27 Sep 2015
Posts: 23

Posted: Sun Oct 04, 2015 2:16 pm    Post subject: AOB scan - From exact enemy entity to enemies array

Hi,

I hope this question isn't too dumb...

Usually I am using the pointer scanner to find the enemy array doing the following steps:
- find an address of a specific value (x coordinate of a single enemy)
- pointer scan for this address, repeat until you get a static pointer (with offsets) to the x coordinate
- enter the pointer in the Dissect Data/Structure window and expand the treeview: first offset, second offset, third offset until you find something that holds all the enemies. Done.


Now I am trying the AOB scan but I don't know how to get the enemy array here.

Steps I have done:
- find an address of a specific value (x coordinate of a single enemy)
- find out what accesses this address
- show in disassembler

Using these bytes found in the memory browser only leads to the same specific enemy I guess. But I am looking for a way to get the address that holds all the enemies.

Thanks
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

Posted: Sun Oct 04, 2015 2:26 pm

That instruction likely accesses all enemies. Possibly the player as well.
If you wanted to immediately do something to each enemy, that would be the place.
So if you want to freeze everyone, prevent that instruction from updating addresses.
If you want to vacuum everyone, set each address to your own value.
But, chances are you will never find a pointer to an array of every enemy's structure.
ranseier
Newbie cheater
Reputation: 0

Joined: 27 Sep 2015
Posts: 23

Posted: Sun Oct 04, 2015 2:33 pm

Using the pointer scanner on Assault Cube gave me a pointer with several offsets. Adding these offsets to the pointer step by step revealed an array of all bots in the game at the third offset if I remember correctly.

Now I am trying to get the same result with the AOB scan technique because pointer scans sometimes take a long time to finish and I have heard the AOB scan technique is more reliable.

Thanks
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

Posted: Sun Oct 04, 2015 2:40 pm

Well, you would first want to get that pointer from a pointer scan. Once you determine you're able to increment one of those offsets to find the next enemy, you would remove that offset and all of the ones after it. Then you would find out what accesses the new pointer address. From there, you would save the value into a custom variable using an AOB injection.
ranseier
Newbie cheater
Reputation: 0

Joined: 27 Sep 2015
Posts: 23

Posted: Mon Oct 05, 2015 5:06 am

Thanks.

I am facing the problem that sometimes the array of enemies/bots is unreliable. Either this array does not contain all bots or the array no longer shows any bots.

Will the technique you described in your last post help me here or does it mean I have made a mistake using the pointer scanner and found an unstable pointer?

My goal is to have a more reliable way to find the enemies array in games. I thought I can do a sig scan instead of a pointer scan but it seems that I have to do both now.
vng21092
Grandmaster Cheater
Reputation: 15

Joined: 05 Apr 2013
Posts: 644

Posted: Mon Oct 05, 2015 8:06 am

May I ask what game this is? Usually there are instruction(s) that handle all entity coordinates (player + NPC); find that, apply a filter, and have them jump to two different scripts of your own. Now you'll have one specifically handling your coordinates, and one that handles all the enemies' coordinates.
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

Posted: Mon Oct 05, 2015 5:19 pm

Would be an unstable pointer, but if you've already found the base of the array, find out what instructions access the offset before it.
You can set up an injection that will populate a custom variable with whatever address passes through.
Hopefully the game only keeps a single list and you've only been having problems because it recreates it every so often.
vng21092
Grandmaster Cheater
Reputation: 15

Joined: 05 Apr 2013
Posts: 644

Posted: Tue Oct 06, 2015 9:14 am

Here is a sample table I just made demonstrating what I've stated above, hopefully you can try and understand this rather than looking for pointers. The script covers all entities' coordinates in a given map, but with a simple filter, one script only watches the player, while the other only watches the enemies. So whatever you want to do with the enemies, you'd put that in the "notMe" section, whereas anything player related would go to the "isMe" section. In the event that the instruction does access something that applies to neither filter, it'll jump directly to the original code.




Attachment: ac_client.CT (2.48 KB, downloaded 610 times)

ranseier
Newbie cheater
Reputation: 0

Joined: 27 Sep 2015
Posts: 23

Posted: Tue Oct 06, 2015 2:36 pm

Thank you guys.

vng21092: I will check this out tomorrow. Just a quick question: You are using an AOB scan. How did you find the address you want to AOB-scan for?
Did you find it using the technique described by Zanzer? - Doing a pointer scan, remove the offsets until you are on the pointer that holds all enemies, do a "what accesses" on it --> show in disassembler. Write an AOB scan from parts of bytes of the instructions around.
Is this correct?
vng21092
Grandmaster Cheater
Reputation: 15

Joined: 05 Apr 2013
Posts: 644

Posted: Tue Oct 06, 2015 3:21 pm

Uhhhh no. What I did has nothing to do with pointers. I found my Z coordinate (you could look for X, Y or Z, doesn't matter). I found out what wrote to it, and I checked what else that instruction accessed. Just so happens the instruction wrote to every entity's Z coordinate on the map. The AOB scan is looking for that instruction I'm using as an injection point. The instruction handles all coordinates, that way I don't have to search for anything. If you wanted a Big Mac, you wouldn't go around to every deli and food cart asking if they serve Big Macs, because you know only McDonald's serves them. Therefore, by finding a McDonald's, you're guaranteed to find a Big Mac, the same way if you found the instruction accessing all coordinates, you'd have access to all coordinates.
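An added illustration of the AOB scan discussed in this thread (not code from any poster or from Cheat Engine): a wildcard signature keeps matching when an operand byte or the code's offset changes between builds, and a signature that matches more than once is ambiguous. The function names and sample bytes are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_SIG 64

/* Parse "8B 46 ?? D9 58 3C" into bytes plus a mask (1 = must match,
   0 = wildcard). Returns the length, or 0 on malformed/over-long input. */
size_t parse_sig(const char *s, uint8_t *bytes, uint8_t *mask) {
    size_t n = 0;
    while (*s) {
        if (isspace((unsigned char)*s)) { s++; continue; }
        if (n == MAX_SIG || s[1] == '\0') return 0;
        if (s[0] == '?' && s[1] == '?') {
            bytes[n] = 0; mask[n] = 0;
        } else if (isxdigit((unsigned char)s[0]) && isxdigit((unsigned char)s[1])) {
            char hex[3] = { s[0], s[1], '\0' };
            bytes[n] = (uint8_t)strtoul(hex, NULL, 16); mask[n] = 1;
        } else {
            return 0;
        }
        n++; s += 2;
    }
    return n;
}

/* Count every match of sig in buf; the first match offset goes to *first.
   A signature is only a usable anchor when the count is exactly 1. */
size_t aob_scan(const uint8_t *buf, size_t len, const char *sig, size_t *first) {
    uint8_t bytes[MAX_SIG], mask[MAX_SIG];
    size_t n = parse_sig(sig, bytes, mask), hits = 0;
    if (n == 0 || n > len) return 0;
    for (size_t i = 0; i + n <= len; i++) {
        size_t j = 0;
        while (j < n && (!mask[j] || buf[i + j] == bytes[j])) j++;
        if (j == n) { if (hits == 0 && first) *first = i; hits++; }
    }
    return hits;
}

/* Constructed sample images, not bytes from any real program: the same code
   at different offsets in two "builds", with one operand byte changed. */
const uint8_t build_a[] = { 0x90, 0x8B, 0x46, 0x10, 0xD9, 0x58, 0x3C, 0xC3,
                            0x8B, 0x46, 0x10, 0x5D, 0xC3 };
const uint8_t build_b[] = { 0x90, 0x90, 0x90, 0x8B, 0x46, 0x14, 0xD9, 0x58,
                            0x3C, 0xC3, 0x8B, 0x46, 0x14, 0x5D, 0xC3 };
```

The exact signature `8B 46 10 D9 58 3C` is found only in `build_a`; wildcarding the changed operand (`8B 46 ?? D9 58 3C`) finds it once in both, while the short `8B 46 ??` matches twice in `build_a` and so cannot identify a single location.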
ranseier
Newbie cheater
Reputation: 0

Joined: 27 Sep 2015
Posts: 23

Posted: Tue Oct 06, 2015 3:53 pm

vng21092 wrote:
Uhhhh no. What I did has nothing to do with pointers. I found my Z coordinate (you could look for X, Y or Z, doesn't matter). I found out what wrote to it, and I checked what else that instruction accessed. Just so happens the instruction wrote to every entity's Z coordinate on the map. The AOB scan is looking for that instruction I'm using as an injection point. The instruction handles all coordinates, that way I don't have to search for anything.


Ok, this seems to work with Assault Cube. Now I am having trouble with a different game where I found enemies in different pointers. Sometimes enemies disappear from one pointer, appear in another. It seems there is no single place where I find them all.
I don't know if I can solve this by using a deeper pointer scan in combination with Zanzer's idea. I will also definitely try out what you have recommended. Maybe there is a general instruction that writes all coordinates.

vng21092 wrote:
If you wanted a Big Mac, you wouldn't go around to every deli and food cart asking if they serve Big Macs, because you know only McDonald's serves them. Therefore, by finding a McDonald's, you're guaranteed to find a Big Mac, the same way if you found the instruction accessing all coordinates, you'd have access to all coordinates.


Great analogy.

All times are GMT - 6 Hours