Cheat Engine The Official Site of Cheat Engine

Majin (Advanced Cheater)
Reputation: 0
Joined: 04 May 2016 Posts: 87
Posted: Fri May 06, 2016 7:07 am Post subject: Dark Souls PTDE - Modifying Enemies?
Alright. First time posting, but I've been lurking pretty hard over the past few days; found a cheat engine table that works with the non-beta build, and I've been having a blast with the perma Gravelord and aggression hacks.
But, it's not going far enough. In the earlier areas, such as the Undead Burg and Undead Parish, the enemies have an AI that explicitly tells them to wait, even when the player has triggered their agro radius.
That's one of the things that need to be changed, and supposedly, it's possible.
There's a list of the enemy model & AI IDs, but I can't link to it right now. Post count's too low, so just do a search for IllusoryWall Dark Souls Enemy IDs. Should promptly show ya an Excel sheet of 'em.
The plan is to replace the Undead Hollow, Armoured Hollow and Balder Knight enemies' AI, with the AI of the Silver Knights that use the same weapon; sword, spear, that sort of thing.
Now, from what I've read, each enemy has its own set of data (also shown by the debug build), that dictates the AI, the health, the team (attack/help/ignore player), and other such things.
In CheatEngine, this sort of data is called a structure, aye? Trick is to find each structure for each individual enemy, have checks (model ID? AI ID?) to exclude bosses and non-enemy NPCs, then have an assembly version of an "if then" statement to replace the AI of specific enemies.
---
Now, I loaded up CheatEngine, and figured that I'd search for an NPC's structure by using the id c2410, to get the structure of a Silver Knight Swordsman. 4Byte search, returned 10 million or so addresses...That's not so good. There should be no more than, what, 20 silver knights in the game.
First red flag is that I'm searching for a value, and not, say, a string. Someone in the Dark Souls trainer thread said that you should search for a Unicode string instead of a 4-byte value, but no addresses were returned. Odd.
Any idea where I should go from here? I've really no clue what I should now do. For reference, I have been able to, say, get the health base address of an enemy and freeze it, as well as modify inventory item amounts, so I do have an extremely basic understanding of Cheat Engine at the moment. Better than nothing, eh?
So, aye. Help would be fab, buds.
Edit: I should also mention that I've a little experience with Pascal; used it to mod Skyrim and Fallout New Vegas through the Tes5Edit/FNVEdit program, so if I have to do a bit of code, I won't be too imbecilic if it comes to programming some of this stuff, though I've not used Lua before.

ParkourPenguin (I post too much)
Reputation: 152
Joined: 06 Jul 2014 Posts: 4694
Posted: Fri May 06, 2016 9:34 am
Actually, Microsoft is the one who calls it a structure (reference). Look at this topic for more information on structures.
Searching for a constant value isn't a good idea since you can't easily filter out the junk. While strings are more unique, I'm not sure you should search for it, either. The enemy structure could just be storing a pointer to it, in which case you'd have a somewhat hard time finding it. Try looking for a value that's reasonably easy to read and that you can change, like enemy health or coordinates, and find the base of the structure that way.
If you already have a table for it, then odds are some script in that table accesses something in the structure of enemies. The table might have even kept the structure around in the "dissect data/structures" window, in which case you should be able to easily find any enemy structure using a grouped value scan.
When you do find the structure, find the offset where the enemy's AI is stored. Then, look at what instructions access that address of that particular enemy. Find an instruction that also accesses the addresses of all other enemy monsters' AIs by right clicking on the instruction and selecting "Find out what addresses this instruction accesses". Then, hook that instruction using the AoB injection template in the AA script window, and write whatever you want to the address of the AI.
_________________
I don't know where I'm going, but I'll figure it out when I get there.

Majin (Advanced Cheater)
Reputation: 0
Joined: 04 May 2016 Posts: 87
Posted: Sat May 07, 2016 8:34 am
Sorry for the late reply, I was busy playing Dark Souls with a bunch of random lads. The game's so good with the Aggression mod.
I took a look at the cheat table (attached it to post), but didn't find any structures. The steps I took:
Start Cheat Engine
Hook into DARKSOULS.exe
Load the table
Click "Memory View"
Tools -> Dissect Data Structures
Nada, nothing's shown.
I decided I'll choose finding the health, since I know exactly how much was detracted by attacking the enemy. The Undead Parish seems a great pick, since the AI isn't aggressive, the enemies are close to a bonfire, and I can single out the enemies.
So, I've now got three addresses, one for each enemy's health:
06FCFAF4 - Health of first sword hollow, encountered on player's left when facing the Parish
06FCE484 - Health of first crossbow hollow, encountered on player's right when facing the Parish
06FD1164 - Health of second sword hollow, further to the left
Getting those addresses was easy, but now I've got to figure out how to find these addresses in memory, so I can take a look at, uh, 'where they are', and then I've to figure out where the set of NPC data starts & ends.
Any tips on that? I feel like I've got ADHD when I look at the seemingly random hex values in the memory view.
I assume dynamically finding NPCs (pointers and aobscan functions?) will be for much later, after I figure out the data for these fellas.
Edit: Bollocks. Turns out that when you die, the addresses for the enemies change. Guess I should first figure out how to update addresses. Ergh. Googling didn't give me any help in that regard.
Edit2:
Right, so to find address dynamically, I need to use a few aobscan functions, from what I have gathered.
Before I died, I did manage to save some bytes that were awfully similar between NPCs. In Cheat Engine's memory view, after finding the health address, I went up by one line, and here's what the line had for the four different NPCs at the Undead Parish
First Sword Hollow:
BC FC 37 01 BC FC 37 01 80 46 27 0D 00 00 00 00
First Crossbow Hollow:
BC FC 37 01 BC FC 37 01 80 7E 26 0D 00 00 00 00
Second Sword Hollow:
BC FC 37 01 BC FC 37 01 C0 46 27 0D 00 00 00 00
First Balder Knight:
BC FC 37 01 BC FC 37 01 E0 34 26 0D 00 00 00 00
I'm going to go re-find the addresses for the enemies at the Sunlight Altar, see if their lines are similar to those at the Undead Parish.
Edit3: And they are similar.
First Crossbow Hollow (Left):
BC FC 37 01 BC FC 37 01 20 63 28 0D 00 00 00 00
First Spear Hollow (Center):
BC FC 37 01 BC FC 37 01 E0 62 28 0D 00 00 00 00
Second Crossbow Hollow (Right):
BC FC 37 01 BC FC 37 01 00 63 28 0D 00 00 00 00
I'm going to see if it's different for non-hollow enemies, such as the rat at Firelink. See how that goes.
Edit4: Not only does dying change the addresses, so does warping and going out of range (rendering range? area change?) of the enemy. I think this is why things such as bypassing the fog gates during coop, or taking control of an enemy, bugs out; the game essentially resets the address.
Maybe there's a way to freeze an address (not the value)?
Back to me original point, aye, the rat had a similar line.
Firelink Rat:
BC FC 37 01 BC FC 37 01 C0 D0 28 0D 00 00 00 00
Edit4:
Anor Londo Giant (right) - Atop the steps leading to the hall with boss fog gate:
BC FC 37 01 BC FC 37 01 E0 D3 28 0D 00 00 00 00
Right, from checking out a few of these mobs, it seems that the line is a prime candidate for an aobscan; it doesn't change when the NPC has been killed, and it's the exact same for the NPC even after the address has changed.
Is there a way to do an aobscan in the memory view? Didn't see anything that'd let me do that.
Attachment: lruiauswnx.CT (441.7 KB, downloaded 1837 times)
Last edited by Majin on Sat May 07, 2016 9:44 am; edited 1 time in total

ParkourPenguin (I post too much)
Reputation: 152
Joined: 06 Jul 2014 Posts: 4694
Posted: Sat May 07, 2016 9:36 am
When the enemy dies, you die, the game is restarted, you change levels, or anything at all in the game significantly changes, the addresses of stuff could (in this case very likely will) change. I guess you could see if an instruction that accesses the health of one enemy also accesses the health of all enemies (right click in the disassembler). Of course, being careful and pausing the game is also an option.
You could simply limit your scan region to the area very roughly around the health address (give or take 4kb) and see if you can find the value of the AI now. The game could be storing a pointer to an AI structure inside the enemy structure, in which case you won't be able to find that value with a simple value scan. You could try the pointer scanner with some specific settings, but depending on how much memory the game is using, it could take quite a while to complete. I'd recommend that as a last resort.
To answer your question on structures:
ParkourPenguin wrote: Look at this topic for more information on structures.
Find out what accesses that address. A few instructions should pop up (especially if you attack it), but they should be something roughly similar to mov [esi+74],eax. Look at whatever is between the square brackets. The value of the register (esi in my example) is very likely the base of the structure, and the offset is how far away the health address is from the base of the structure. You should only have to do this for one of them, since you can find the base address of the other monsters' structures by subtracting the offset from the address of the health.
For example, using an offset of 74:
First sword hollow = 06FCFAF4 - 74 = 06FCFA80
First crossbow hollow = 06FCE484 - 74 = 06FCE410
Second sword hollow = 06FD1164 - 74 = 06FD10F0
Open up the "dissect data/structures" window, rename the first group to "sword hollow" or something, and add an extra address to it. Copy and paste the base of the structures into those addresses. Add a new group, name it "crossbow hollow", and paste the base of its structure into that box.
After that, go to Structures -> Define new structure, name it "enemy" or something, and let CE do the rest at the default settings. After that, try browsing around for the AI in all of those structures. It could be hiding in a pointer, or CE could've guessed the value of that address incorrectly.
Using the structure spider might be better, but it's a bit more advanced. Compare two enemies of the same type against each other, select "Must be the same", and set the compare type to 4 bytes. Set the max level to 1 or 2. Then, look around to see if you can find the AI.
_________________
I don't know where I'm going, but I'll figure it out when I get there.

Majin (Advanced Cheater)
Reputation: 0
Joined: 04 May 2016 Posts: 87
Posted: Sat May 07, 2016 10:29 am
Alrighty, now it seems like the fun stuff has begun. I'll post the steps I've taken so far.
Found the health address for the First Crossbow Hollow (Left) @ the Sunlight Altar again.
This instruction was called on the health address when I attacked it:
00E6891D - 89 85 D4020000 - mov [ebp+000002D4],eax <<
Did the same for the First Spear Hollow (Center), attacked it 6 times:
00E6891D - 89 85 D4020000 - mov [ebp+000002D4],eax <<
This is what was called when it died:
00E6B518 - 89 85 D4020000 - mov [ebp+000002D4],eax <<
And this is what was called when it respawned:
00E74ADF - 89 B7 D4020000 - mov [edi+000002D4],esi <<
So 02 D4 is the health offset.
The structure for the Crossbow Hollow (left) should then be: 0653B324 − 000002d4 = 0653b050
For the Crossbow Hollow (right): 06539CB4 − 000002d4 = 065399e0
For the Spear Hollow (center): 06538644 − 000002d4 = 06538370
Holy hell, there's a lot of stuff to sort through; starts at 0000 and ends at 0FFC.
Alright. I think 02d4 really is the health (goes down whenever I attack), and 02d8 is the max health (always at 255).
Is there a search function that I'm not seeing? It's going to be hell searching through these one by one.
Edit: Tried the structure spider, and oh god it's even worse. There's just so many entries. Using my scroll wheel barely even nudges the scrollbar.
Edit2: AHA! Setting it to level 0 is much better. Set it to display as string, and I just found the ModelID; it's at offset 0038
Let's see what else I can find.

ParkourPenguin (I post too much)
Reputation: 152
Joined: 06 Jul 2014 Posts: 4694
Posted: Sat May 07, 2016 11:00 am
That's just the default struct size CE provides. It usually doesn't know how big the structure is, so it just offers a 4 kb default size, which should be more than enough for most structures.
To make it faster, look at how the structures relate to each other. Assuming all structures in a single group are the same type of enemy:
- If an element is the same in one group but different in another, that's worth looking at.
- An element that's the same between all of them isn't what you want but also signifies the structure probably hasn't ended yet.
- An element that's different between all the structures probably isn't what you're looking for.
- If many things in a row after a certain point are different between all the structures, then that's probably not a part of the structure, and you can delete all elements after that point to reflect that.
CE highlights elements depending on how the values in each group relate to each other, so use that as a quick reference. And try to get at least 2 groups with at least 2 addresses in each group.
You could also do a basic value scan for it like I suggested earlier. If you can't find it by that way, then the constant AI value is probably in some structure pointed at by a pointer in the enemy structure. In this case, the structure spider is probably the fastest thing you could use to find it (you'll need to search at least 1 level deep).
_________________
I don't know where I'm going, but I'll figure it out when I get there.
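The four rules of thumb in the post above (same everywhere, same within a group but different between groups, different everywhere, trailing run of differences) can be mechanised. The script below is an added example by the editor, not code from either poster or from Cheat Engine: it takes a few structure dumps grouped by enemy type, labels every 4-byte field by those rules, lists the "candidate" offsets worth inspecting, and guesses where the structure ends. The dumps are constructed for illustration (only the first two dwords borrow values that appear in the thread); the `dwords` helper turns a memory-view line like the ones Majin pasted into little-endian 4-byte values.

```python
import struct

# Field labels, following the rules of thumb in the post above.
CONSTANT = "constant"            # equal in every structure: struct probably continues here
CANDIDATE = "candidate"          # equal inside each group, different between groups
INSTANCE = "instance-specific"   # no two structures agree: pointer, position, timer...
MIXED = "mixed"                  # anything else (current health, for instance)


def dwords(hexdump):
    """Little-endian 4-byte values from a CE memory-view line such as
    'BC FC 37 01 BC FC 37 01 80 46 27 0D 00 00 00 00'."""
    raw = bytes.fromhex(hexdump)
    count = len(raw) // 4
    return list(struct.unpack("<%dI" % count, raw[: count * 4]))


def classify(groups):
    """groups: {group_name: [structure, ...]}, each structure a list of dwords.
    Returns [(offset, label), ...] for every field present in all structures."""
    structures = [s for members in groups.values() for s in members]
    nfields = min(len(s) for s in structures)
    result = []
    for i in range(nfields):
        values = [s[i] for s in structures]
        distinct = len(set(values))
        same_within_group = all(len({s[i] for s in members}) == 1
                                for members in groups.values())
        if distinct == 1:
            label = CONSTANT
        elif distinct == len(values):
            label = INSTANCE
        elif same_within_group:
            label = CANDIDATE
        else:
            label = MIXED
        result.append((4 * i, label))
    return result


def candidate_offsets(groups):
    """Offsets that look like per-enemy-type data (AI id, model id, ...)."""
    return [off for off, label in classify(groups) if label == CANDIDATE]


def estimated_size(groups, min_run=3):
    """Guess where the structure ends: if the dump finishes with a run of at
    least min_run instance-specific fields, treat that run as past the end."""
    labels = [label for _, label in classify(groups)]
    end = len(labels)
    while end > 0 and labels[end - 1] == INSTANCE:
        end -= 1
    return 4 * end if len(labels) - end >= min_run else 4 * len(labels)


# Constructed dumps (not real Dark Souls memory): two sword hollows and two
# crossbow hollows, 11 dwords each. Field 3 plays the role of a per-type id,
# field 4 a current-health value, fields 7..10 position-like noise.
GROUPS = {
    "sword hollow": [
        [0x0118979C, 0x0D274680, 0, 0x1234, 255, 255, 6, 0x3F80, 0x4100, 0x1111, 0x2222],
        [0x0118979C, 0x0D2746C0, 0, 0x1234, 200, 255, 6, 0x3F90, 0x4200, 0x3333, 0x4444],
    ],
    "crossbow hollow": [
        [0x0118979C, 0x0D267E80, 0, 0x5678, 255, 255, 6, 0x3FA0, 0x4300, 0x5555, 0x6666],
        [0x0118979C, 0x0D2634E0, 0, 0x5678, 150, 255, 6, 0x3FB0, 0x4400, 0x7777, 0x8888],
    ],
}

if __name__ == "__main__":
    for offset, label in classify(GROUPS):
        print("+%03X  %s" % (offset, label))
    print("candidates:", ["+%X" % o for o in candidate_offsets(GROUPS)])
    print("estimated size: 0x%X" % estimated_size(GROUPS))
```

With these inputs the only candidate is +0C, the health field at +10 comes out as "mixed" (it differs between two enemies of the same type), and the structure is estimated to end at 0x1C because everything after that differs in every dump. The end estimate is only a heuristic, as the post says: real position or timer fields near the end of a structure look exactly like noise to this rule.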

Majin (Advanced Cheater)
Reputation: 0
Joined: 04 May 2016 Posts: 87
Posted: Sat May 07, 2016 11:52 am
Alright. I think I've managed to pin down the addresses that deal with the model and AI. Thing is, uh, they're split up.
At offset 038, there is the unicode string c25, which is the beginning of the model number.
After that, is offset 03E with the value 53, and offset 03F has a value of 0.
Copying them over as addresses individually just screws each of them up, when you edit one of them. So I'm guessing that it's supposed to be a 4byte thing, but it's split up.
How would I recombine 'em into one set of bytes?

ParkourPenguin (I post too much)
Reputation: 152
Joined: 06 Jul 2014 Posts: 4694
Posted: Sat May 07, 2016 12:24 pm
That's what I meant when I said "CE could've guessed the value of that address incorrectly." It really makes no difference since you could just add that address to your table manually as a 4 byte value, but if you want to change it in the structure window, right click on it and select "Change element".
_________________
I don't know where I'm going, but I'll figure it out when I get there.

Majin (Advanced Cheater)
Reputation: 0
Joined: 04 May 2016 Posts: 87
Posted: Sat May 07, 2016 2:19 pm
Right, I think I've managed to deduce where the beginning of an NPC's structure is. Compared several hollows from the Sunlight Altar, a giant and a silver knight from Anor Londo. Looked at what was similar after subtracting the health offset, and came up with this:
9C 97 18 01 * * * * 00 00 00 00 * * * * * * * * 00 00 * * * * * * * 00 00 00 * 00 00 00 * * * * * * * * * * * * * * * 10 0C FD 37 01 63 00 32 00 * 00 * 00 30 00 00 00 * * * * 05 00 00 00 07 00 00 00 01 * * * * * * * * * 00 00 * 00 00 00 * * * * * * * 00 FF FF FF FF * * 00 00
When doing an aobscan, does it take you to the next hex value AFTER the search, or does it take you to the first (in this case, 9C)? There are 111 spaces, so you should just be able to move back by 113 bytes and you're at the beginning of the structure.
Now I've got to decode it. I tried editing the health value at 2d4 with CE, but it would revert back to 255 right after changing. Same thing happened after changing the max health.

ParkourPenguin (I post too much)
Reputation: 152
Joined: 06 Jul 2014 Posts: 4694
Posted: Sat May 07, 2016 2:37 pm
When calling aobscan, it will always return the address of the first byte in your AoB signature, assuming it finds something.
Are you certain that AoB signature also works when you restart the game and/or your computer?
If changing the health of an enemy via the address list doesn't work, then either you didn't find the right address or there's an anticheat trying to block you.
Why even do an AoB scan for data, anyways? You have the address of the NPC's AI. Just find out what instructions access that address, find an instruction that also accesses the other NPCs' addresses, and hook it.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
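Majin's question about where an AoB scan lands, and ParkourPenguin's two answers (it returns the first byte of the signature; check whether the signature is still unique), as an added example by the editor, not code from either poster or from Cheat Engine. The scanner accepts `*`, `?` or `??` as wildcards, returns the offset of the signature's first byte, and has an `aobscan_all` variant that reports every hit so a non-unique signature shows up immediately. `SIGNATURE` is the pattern Majin posted above; `MEMORY` is a constructed byte buffer (not a process dump) containing two copies of a structure that satisfies it.

```python
# Signature Majin posted for the start of an enemy structure (copied from the thread).
SIGNATURE = ("9C 97 18 01 * * * * 00 00 00 00 * * * * * * * * 00 00 * * * * * * * 00 00 00 * 00 00 00 "
             "* * * * * * * * * * * * * * * 10 0C FD 37 01 63 00 32 00 * 00 * 00 30 00 00 00 * * * * "
             "05 00 00 00 07 00 00 00 01 * * * * * * * * * 00 00 * 00 00 00 * * * * * * * 00 FF FF FF FF * * 00 00")

WILDCARDS = {"*", "?", "??"}


def parse_signature(sig):
    """'9C 97 * 01' -> [0x9C, 0x97, None, 0x01]; None matches any byte."""
    return [None if tok in WILDCARDS else int(tok, 16) for tok in sig.split()]


def aobscan(memory, sig, start=0):
    """Offset of the FIRST byte of the first match at or after `start`, or -1.
    As in Cheat Engine the result points at the signature's first byte, so no
    'move back N bytes' adjustment is needed afterwards."""
    pattern = parse_signature(sig)
    n = len(pattern)
    first = pattern[0]
    for i in range(start, len(memory) - n + 1):
        if first is not None and memory[i] != first:
            continue                      # cheap reject before the full compare
        if all(p is None or memory[i + j] == p for j, p in enumerate(pattern)):
            return i
    return -1


def aobscan_all(memory, sig):
    """Every match offset; more than one hit means the signature is not unique."""
    hits, i = [], aobscan(memory, sig)
    while i != -1:
        hits.append(i)
        i = aobscan(memory, sig, i + 1)
    return hits


def instantiate(sig, filler):
    """Bytes that satisfy `sig`, with every wildcard replaced by `filler`."""
    return bytes(filler if p is None else p for p in parse_signature(sig))


# Constructed memory image (not a real process dump): junk, one structure that
# matches the signature, zero padding, a second structure with different
# wildcard bytes, more junk. Two hits show the signature is not unique here.
MEMORY = (bytes(range(256)) * 2
          + instantiate(SIGNATURE, 0xAA)
          + bytes(64)
          + instantiate(SIGNATURE, 0xBB)
          + bytes(range(256)))

if __name__ == "__main__":
    hit = aobscan(MEMORY, SIGNATURE)
    print("first hit at offset %d, byte there = %02X" % (hit, MEMORY[hit]))
    print("all hits:", aobscan_all(MEMORY, SIGNATURE))
    print("signature length:", len(parse_signature(SIGNATURE)), "bytes")
```

The first hit lands on the `9C` byte, so the address the scan returns already is the structure base. When `aobscan_all` returns more than one offset the pattern cannot serve as a stable anchor on its own; either lengthen it with more fixed bytes or pair it with another check, which is the uniqueness question ParkourPenguin raises.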

Majin (Advanced Cheater)
Reputation: 0
Joined: 04 May 2016 Posts: 87
Posted: Sat May 07, 2016 3:01 pm
Yeah, the AoBscan works, even for other people; testing with another guy at the moment.
I don't have the address of the NPC's AI, sadly. I thought I had the model and AI address, but changing them did nothing; not even too sure that I actually found them.
Aye, might be an anti-cheat that was stopping me from changing the health, since I've got PvPWatchdog running.
Good to know that the aobscan brings you to the beginning.
But, uh, finding the instruction that access the address, then hooking it? Uh, err, uh, um, I miiiight have to do some serious Googling. That sounds uber complicated to me at this moment.

ParkourPenguin (I post too much)
Reputation: 152
Joined: 06 Jul 2014 Posts: 4694
Posted: Sat May 07, 2016 3:07 pm
It's really not. CE's Auto Assembler makes it easy for beginners to do stuff. Just go through the CE tutorial (steps 7 and 9) for information on it. There are also many CEF topics, YouTube videos, and other tutorials about it. This just takes a lot of time to learn.
_________________
I don't know where I'm going, but I'll figure it out when I get there.

Majin (Advanced Cheater)
Reputation: 0
Joined: 04 May 2016 Posts: 87
Posted: Sat May 07, 2016 3:29 pm
My friend managed to find the offset for an NPC's "team" (whether they help the player or attack the player). Default is 6 for normal mobs, setting it to 2 causes them to attack mobs and not damage the player.
The offset for it is +74
When hooking these assembly instructions, won't that specific code have to be run (i.e, have to damage an enemy to get the health instruction hook to work) before it can do anything?
..Actually, there are some instructions that are run many times each second. The health of the player has this running:
0046DC68 - 89 11 - mov [ecx],edx <<
It's being run so many times that ya can't pinpoint a specific number of counts, but since it doesn't have an offset, it's useless?

ParkourPenguin (I post too much)
Reputation: 152
Joined: 06 Jul 2014 Posts: 4694
Posted: Sat May 07, 2016 3:44 pm
Yes, the processor will need to run an instruction for it to do whatever it's supposed to do.
No, that instruction isn't useless. It could be calculating the offset beforehand. For example:
lea ecx,[edi+000002D4]
// other instructions...
mov [ecx],edx
In fact, that instruction might be very useful. I'm guessing it might be the instruction that's overriding your changes to the address's value since it writes to the value so many times per second.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
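Two things from this thread, worked through in Python as an added example by the editor (not code from either poster or from Cheat Engine): the "base = written address minus the displacement in the square brackets" arithmetic ParkourPenguin gave earlier (and that Majin applied to the `mov [ebp+000002D4],eax` hits), and the case in the post just above where a `lea` computes the address first so that the final `mov [ecx],edx` carries no displacement. `parse_line`, `parse_mem`, `struct_base` and `resolve_writes` are names chosen for this example; the instruction lines and addresses are the ones posted in the thread, and the three-line listing is the one ParkourPenguin sketched.

```python
import re

# Memory operand as CE's disassembler prints it: [reg], [reg+disp] or [reg-disp].
MEM_RE = re.compile(r"\[(?P<base>e[a-z]{2})(?:(?P<sign>[+-])(?P<disp>[0-9A-Fa-f]+))?\]")


def parse_line(line):
    """Split a CE 'find out what writes to this address' line such as
    '00E6891D - 89 85 D4020000 - mov [ebp+000002D4],eax <<'
    into (address or None, mnemonic, [operands]). Bare assembly is accepted too."""
    text = line.strip().rstrip("<").strip()          # drop CE's trailing '<<' marker
    parts = [p.strip() for p in text.split(" - ", 2)]
    addr = int(parts[0], 16) if len(parts) == 3 else None
    mnemonic, _, operands = parts[-1].partition(" ")
    return addr, mnemonic.lower(), [o.strip() for o in operands.split(",") if o.strip()]


def parse_mem(operand):
    """Return (base_register, displacement) for a memory operand, else None."""
    m = MEM_RE.fullmatch(operand)
    if not m:
        return None
    disp = int(m.group("disp"), 16) if m.group("disp") else 0
    return m.group("base"), (-disp if m.group("sign") == "-" else disp)


def struct_base(insn_line, written_address):
    """The register in the brackets held the structure base when the write ran,
    so base = written address - displacement."""
    _, _, operands = parse_line(insn_line)
    mem = parse_mem(operands[0]) if operands else None
    if mem is None:
        raise ValueError("first operand is not a memory write: " + insn_line)
    return written_address - mem[1]


def resolve_writes(listing):
    """Walk a short listing, remembering 'lea reg,[base+disp]', so that a later
    'mov [reg],x' is reported as (base, disp) rather than (reg, 0)."""
    derived = {}   # register -> (base_register, disp) as computed by an earlier lea
    writes = []
    for line in listing:
        _, mnemonic, operands = parse_line(line)
        if len(operands) != 2:
            continue                                   # comments, ret, nop...
        dst, src = operands
        if mnemonic == "lea" and parse_mem(src):
            derived[dst.lower()] = parse_mem(src)
        elif mnemonic == "mov" and parse_mem(dst):
            base, disp = parse_mem(dst)
            if base in derived:                        # fold the earlier lea back in
                base, disp = derived[base][0], derived[base][1] + disp
            writes.append((base, disp))
        elif mnemonic == "mov":
            derived.pop(dst.lower(), None)             # register clobbered; forget it
    return writes


if __name__ == "__main__":
    health_insn = "00E6891D - 89 85 D4020000 - mov [ebp+000002D4],eax <<"
    for name, addr in [("crossbow hollow (left)", 0x0653B324),
                       ("crossbow hollow (right)", 0x06539CB4),
                       ("spear hollow (center)", 0x06538644)]:
        print("%-24s health %08X -> base %08X" % (name, addr, struct_base(health_insn, addr)))
    listing = ["lea ecx,[edi+000002D4]", "// other instructions...", "mov [ecx],edx"]
    print("writes resolved through lea:", [(r, hex(d)) for r, d in resolve_writes(listing)])
```

`resolve_writes` only tracks a straight-line listing; if a register is reloaded between the `lea` and the `mov` by anything other than a `mov` to that register, the script will still report the old derivation, which is exactly why ParkourPenguin's advice is to read what the instructions between them do rather than trust the final write alone.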

Majin (Advanced Cheater)
Reputation: 0
Joined: 04 May 2016 Posts: 87
Posted: Sat May 07, 2016 5:26 pm
Alright, managed to find the offset for the modelid. It's at offset +38, as a unicode string with a length of 10. Changing it doesn't do anything, sadly.
New discovery: The phantom visuals are at offset 70.
The guide you linked to, said that if the base addresses change a bunch, you're to use aob scans. Though me interpretation could be wrong.
Haven't yet found the AI IDs either. I tried looking at the instructions that write to the modelid, but nothing happens. Changing area (unloading them) and coming back causes a few instructions to appear, but the memory region has completely changed, so they're not really any use either.
I'm feeling really stupid, as I took a gander at the cheat engine table to see how it intercepts the code...It's so alien to me, man.