Cheat Engine The Official Site of Cheat Engine
TurtleCray How do I cheat?
Reputation: 0
Joined: 13 Dec 2009 Posts: 6
Posted: Tue May 03, 2016 10:33 am Post subject: Help making a cheat entry use the value of another entry.
Hi, I was trying to make a cheat table using AOB for the game Akiba's Trip.
So far I have been able to successfully gather the player's base address with this code:
Code:
[ENABLE]
aobscan(PLAYER_BASE,00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 02 00 00 00 50 4C 41 59 45 52)
label(_player_base)
registersymbol(_player_base)
PLAYER_BASE:
_player_base:
[DISABLE]
unregistersymbol(_player_base)
I have also been able to use relative addresses from that Label, where:
Code:
Name = _player_base +1A4
Base Attack = Name +88 (Byte)
Base Defence = Name +84 (Byte)
Head Durability Max = Name +78 (4Byte)
Head Durability = Name +6C (4Byte)
Upper Durability Max = Name +7C (4Byte)
Upper Durability = Name +70 (4Byte)
Lower Durability Max = Name +80 (4Byte)
Lower Durability = Name +74 (4Byte)
What I would like is to make it such that when I activate the cheats, the Max Values would be used on the current Values.
I also have the base as a Pointer, can anyone help me on how it would be possible on AOB and if it is possible to do it on Pointer addresses?
Thanks a lot.
Description: Current table I'm using to test AOB, I'm currently on Steam's version.
Filename: AkibasUU.ct
Filesize: 4.98 KB
Downloaded: 410 Time(s)
PinPoint Expert Cheater
Reputation: 10
Joined: 07 Apr 2016 Posts: 223 Location: Scotland
Posted: Tue May 03, 2016 11:00 am
I don't use relative addresses as I like to see the offset from the base.
A simple script to set the value of the base attack to 100 when activated is as easy as this:
Code:
[ENABLE]
_player_base+237:
// bare numbers are read as hex: 64 hex = 100 decimal
db 64
[DISABLE]
Say the base of the pointer for base attack was Akibas.exe+7fafb, the 1st offset was 3c, 2nd offset was 978 and 3rd offset was +c;
the script would just be:
Code:
[ENABLE]
[[[Akibas.exe+7fafb]+3c]+978]+c:
// bare numbers are read as hex: 64 hex = 100 decimal
db 64
[DISABLE]
Or you could do a codecave to put the pointer in a register and move 100 into the value of the stored address with something like this:
Code:
mov eax,[Akibas.exe+7fafb] // base of the pointer
mov eax,[eax+3c] // 1st offset
mov eax,[eax+978] // 2nd offset
mov [eax+c],#100 // 3rd offset: write decimal 100
Last edited by PinPoint on Tue May 03, 2016 11:07 am; edited 3 times in total
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4719
Posted: Tue May 03, 2016 11:05 am
So is your attack at "[_player_base+1A4]+88" or "_player_base+1a4+88"?
Assuming it's the first one:
Code:
mov eax,[_player_base+1A4]
mov ebx,[eax+78]
mov [eax+6C],ebx
If it's the second, an easy alteration would be to change the first mov to lea.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
TurtleCray How do I cheat?
Reputation: 0
Joined: 13 Dec 2009 Posts: 6
Posted: Tue May 03, 2016 6:34 pm
ParkourPenguin wrote:
> So is your attack at "[_player_base+1A4]+88" or "_player_base+1a4+88"?
> Assuming it's the first one:
> Code:
> mov eax,[_player_base+1A4]
> mov ebx,[eax+78]
> mov [eax+6C],ebx
> If it's the second, an easy alteration would be to change the first mov to lea.
Hi, I was trying to use your method but haven't had much luck. Here's how I'm doing it:
In a child entry to the AOB I'm putting this script:
Code:
[ENABLE]
alloc(PLAYER_HP, 2048, _player_base+1A4)
PLAYER_HP:
//Head HP
mov eax,[PLAYER_HP]
mov ebx,[eax+78] //MAX
mov [eax+6C],ebx
//UPPER HP
mov eax,[PLAYER_HP]
mov ebx,[eax+7C] //MAX
mov [eax+70],ebx
//LOWER HP
mov eax,[PLAYER_HP]
mov ebx,[eax+80] //MAX
mov [eax+74],ebx
[DISABLE]
dealloc(PLAYER_HP)
Without the memory allocation I was unable to turn it on. The structure of the current cheats is:
Code:
PLAYER_BASE // Base AOB Address
├ Where I want to put the script
└ (+1A4) NAME // Start of main char values
   ├ (+6C or PLAYER_BASE+210) Head Dur
   ├ (+70 or PLAYER_BASE+214) Upper Dur
   ├ (+74 or PLAYER_BASE+218) Lower Dur
   ├ (+78 or PLAYER_BASE+21C) Head Dur Max
   ├ (+7C or PLAYER_BASE+220) Upper Dur Max
   ├ (+80 or PLAYER_BASE+224) Lower Dur Max
   ├ (+84 or PLAYER_BASE+228) DEF
   └ (+88 or PLAYER_BASE+22C) ATK
Thanks a lot.
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4719
Posted: Tue May 03, 2016 6:49 pm
I just checked out your .ct; it's the second scenario I previously mentioned.
Adding that third parameter to alloc(...) won't do anything significant in a 32-bit target. It doesn't specify what address you want to allocate the memory at; its only purpose is to guarantee the memory it allocates will be around that memory region so that you don't have to do a long version of the jmp instruction in 64-bit targets.
As such, all your references to [PLAYER_HP] are pointless in that script since all it will access is its own allocated memory. Use the registered symbol _player_base instead:
Code:
PLAYER_HP:
lea eax,[_player_base+1A4]
//Head HP
mov ebx,[eax+78] //MAX
mov [eax+6C],ebx
//UPPER HP
mov ebx,[eax+7C] //MAX
mov [eax+70],ebx
//LOWER HP
mov ebx,[eax+80] //MAX
mov [eax+74],ebx
Of course, this won't do anything if the processor doesn't run this sequence of instructions. If you're not going to hook any instruction, you'll need to create a thread to run the code.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
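The two scenarios discussed in this thread differ only in whether the value at _player_base+1A4 is dereferenced (mov) or the address itself is used (lea). The following C sketch is an added illustration, not code from any poster or from Cheat Engine: it models a toy address space in which the base 0x100, the name bytes and the durability values are all constructed, and only the offsets are taken from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 0x1000u /* constructed toy address space, not game memory */
#define NAME_OFF 0x1A4u  /* NAME = _player_base+1A4 (offset from the thread) */

static uint8_t mem[MEM_SIZE];

static int ok(uint32_t a, uint32_t len) { return a <= MEM_SIZE - len; }
static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, mem + a, 4); return v; }
static void wr32(uint32_t a, uint32_t v) { memcpy(mem + a, &v, 4); }

/* Copy Head/Upper/Lower max (+78/+7C/+80) over current (+6C/+70/+74). */
static int refill(uint32_t name) {
    if (!ok(name, 0x84)) return -1; /* address outside the toy space: refuse */
    for (uint32_t i = 0; i < 3; i++)
        wr32(name + 0x6C + 4 * i, rd32(name + 0x78 + 4 * i));
    return 0;
}

/* lea eax,[base+1A4]: eax becomes the address base+1A4 itself. */
int refill_lea(uint32_t base) {
    return ok(base, NAME_OFF + 0x84) ? refill(base + NAME_OFF) : -1;
}

/* mov eax,[base+1A4]: eax becomes the dword stored at base+1A4. */
int refill_mov(uint32_t base) {
    if (!ok(base, NAME_OFF + 4)) return -1;
    return refill(rd32(base + NAME_OFF));
}

/* Inline layout (the thread's second scenario): data starts at base+1A4. */
uint32_t build_inline(uint32_t base) {
    memset(mem, 0, sizeof mem);
    memcpy(mem + base + NAME_OFF, "TESTNAME", 8);   /* constructed name */
    wr32(base + 0x210, 12);  wr32(base + 0x214, 7);   wr32(base + 0x218, 0);
    wr32(base + 0x21C, 300); wr32(base + 0x220, 250); wr32(base + 0x224, 200);
    return base;
}

int main(void) {
    uint32_t base = build_inline(0x100);
    printf("mov: %d\n", refill_mov(base)); /* -1: name text used as pointer */
    printf("lea: %d\n", refill_lea(base)); /* 0: max copied over current */
    printf("head/upper/lower = %u/%u/%u\n", (unsigned)rd32(base + 0x210),
           (unsigned)rd32(base + 0x214), (unsigned)rd32(base + 0x218));
    return 0;
}
```

In the inline layout the mov variant reads the first four name bytes as if they were an address, which is why only the lea form reaches the durability fields.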
PinPoint Expert Cheater
Reputation: 10
Joined: 07 Apr 2016 Posts: 223 Location: Scotland
Posted: Wed May 04, 2016 12:57 am
Using ParkourPenguin's code from above with createthread:
Code:
[ENABLE]
globalalloc(inf_HP,$1000)
CREATETHREAD(inf_HP)
registersymbol(end)
label(end)
inf_HP:
lea eax,[_player_base+1A4]
//Head HP
mov ebx,[eax+78] //MAX
mov [eax+6C],ebx
//UPPER HP
mov ebx,[eax+7C] //MAX
mov [eax+70],ebx
//LOWER HP
mov ebx,[eax+80] //MAX
mov [eax+74],ebx
push #500
call sleep
cmp [end],01
jne inf_HP
ret
end:
dd 0
[DISABLE]
end:
dd 01