Cheat Engine The Official Site of Cheat Engine
kzyadaking How do I cheat?
Reputation: 0
Joined: 27 May 2022 Posts: 9
Posted: Sun Jun 12, 2022 1:52 pm Post subject: about adding offsets for pointers
4F5BC4B movss [rbx+000000E8], xmm7
4F5BC0B mov rbx, rcx
4F5B759 mov rcx, rbx
4F5B5E2 mov rbx,rcx
4F5B5BC mov rcx, rbx
4F5B59E mov rbx,rcx
4F5B57C mov rcx, rbx
4F5B55E mov rbx, rcx
4F5B53C mov rcx,rbx
4F5B51E mov rbx, rcx
4F5B4D9 mov rcx, rbx
4F5B4A9 mov rbx, rcx
4F5B3FF mov rcx, rdi
4F5B3F9 mov rdi, [rax]
4F5B36B mov rax, [rbp+08]
4F5AB9F mov rbp, rcx
4F5AB2C rcx, [rdi]
4F5AAC8 mov rdi,rcx
4F5AAA5 rcx [rcx]
4F5AA69 mov rcx,r14
4F5AA12 mov r14, [rdi+10]
4F5A992 mov rdi, [rdi+00000088]
4F5A97F rdi, [***.exe+=6D1C650] < base address
These are all the addresses I found for a pointer I'm looking for, and I'm trying to add all the offsets starting from the bottom, but I don't know what I'm missing.
baseaddress + 88 should address to AF5A992 afaik and + 10 should address to AF5AA12, but how do I do the next one, which is mov r14,rcx, and the others as well? I tried to put just 0 but it doesn't work. Sorry for my lack of understanding! I'd appreciate it if someone could tell me!
cooleko Grandmaster Cheater
Reputation: 11
Joined: 04 May 2016 Posts: 717
Posted: Mon Jun 13, 2022 12:10 am
Traditionally, when someone is attempting to follow a pointer chain, they have something fairly clean:
[[[***.exe+P1]+P2]+P3]...
The way that appeared in memory was:
mov ecx,[***.exe+P1]
...
mov ebx,[ecx+P2]
...
mov eax,[ebx+P3]
The address you find first is ebx+P3, you then figure out what EBX means by looking up in the code, because code tends to process sequentially. To figure out what ECX means you continue looking up in the code. Once you find the base address you have the whole chain.
Then the pointer is easy to assemble because you step through the knowns: [[[***.exe+P1]+P2]+P3]
If you follow your list, you end up with:
***.exe+=6D1C650]+88]+10]+0]+0]+8]+0]+E8]
If the register isn't referenced, then it is merely passing the value and can be ignored. If the register is referenced then it is passing the value contained at that memory address.
I would take a closer look to ensure nothing was mistaken, but otherwise that should be your chain.
kzyadaking How do I cheat?
Reputation: 0
Joined: 27 May 2022 Posts: 9
Posted: Mon Jun 13, 2022 3:29 am
| cooleko wrote: | Traditionally, when someone is attempting to follow a pointer chain, they have something fairly clean:
[[[***.exe+P1]+P2]+P3]...
The way that appeared in memory was:
mov ecx,[***.exe+P1]
...
mov ebx,[ecx+P2]
...
mov eax,[ebx+P3]
The address you find first is ebx+P3, you then figure out what EBX means by looking up in the code, because code tends to process sequentially. To figure out what ECX means you continue looking up in the code. Once you find the base address you have the whole chain.
Then the pointer is easy to assemble because you step through the knowns: [[[***.exe+P1]+P2]+P3]
If you follow your list, you end up with:
***.exe+=6D1C650]+88]+10]+0]+0]+8]+0]+E8]
If the register isn't referenced, then it is merely passing the value and can be ignored. If the register is referenced then it is passing the value contained at that memory address.
I would take a closer look to ensure nothing was mistaken, but otherwise that should be your chain. |
Hi, thanks for the reply! It helped me understand more about CE!
I tried to find another pointer since the one I posted had so many multiple pointers. So here's the one I found, and I believe it should be
baseaddress : *.exe+6D2A948]+D8]+E8] but it doesn't give me the correct value. Is there something I'm missing?
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4724
Posted: Mon Jun 13, 2022 10:52 am
The outside square brackets are basically an extra offset of 0. Try removing them. i.e. [[game.exe+6D2A948]+D8]+E8
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
kzyadaking How do I cheat?
Reputation: 0
Joined: 27 May 2022 Posts: 9
Posted: Tue Jun 14, 2022 12:50 am
| ParkourPenguin wrote: | The outside square brackets are basically an extra offset of 0. Try removing them. i.e. [[game.exe+6D2A948]+D8]+E8 |
Isn't that the same as I tried?
cooleko Grandmaster Cheater
Reputation: 11
Joined: 04 May 2016 Posts: 717
Posted: Tue Jun 14, 2022 1:02 am
He is saying that you matched your example to the bracketing I picked, which was flawed. I created my first example thinking I was going to keep going and then never fixed the misrepresentation as I propagated the brackets through the example.
The last offset doesn't get a bracket.
If you have everything correct in CE even though you added the bracket in text, then I'd ask you to investigate further:
Firstly, double check your work, then ensure that the pointer points to a single address all the time. If the pointer points to multiple values and thus has the wrong value most of the time, then it would mess your intended outcome up.
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4724
Posted: Tue Jun 14, 2022 1:31 am
| kzyadaking wrote: | Isn't that the same as I tried? |
No.
| Code: |
Mine: [[game.exe+6D2A948]+D8]+E8
Yours: [[[game.exe+6D2A948]+D8]+E8] |
The outside square brackets are effectively an extra offset of 0. i.e. `[[[game.exe+6D2A948]+D8]+E8]+0`
You haven't said where and/or how you're trying to use this pointer. If you're adding an address to the address list, check the "Pointer" checkbox, base address "game.exe+6D2A948", two offsets, bottom one D8, top one E8.
And as cooleko said, that pointer path might not even point to the address you want all the time.
Try the pointer scanner as an alternative.
https://www.youtube.com/watch?v=3dyIrcx8Z8g
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
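Added example (not part of the original posts and not Cheat Engine's own code): a small evaluator for the bracket notation used in this thread, run over a constructed memory image, showing that each `[...]` pair is one dereference, so the extra outer brackets return the value stored at the target instead of its address. `MODULE_BASE`, the `MEMORY` contents and the function names are assumptions made for the illustration.

```python
import re

MODULE_BASE = 0x140000000  # hypothetical load address of game.exe
# Constructed memory image: address -> pointer-sized value stored there.
MEMORY = {
    MODULE_BASE + 0x6D2A948: 0x20000000,  # static slot -> object A
    0x20000000 + 0xD8: 0x30000000,        # A+D8 -> object B
    0x30000000 + 0xE8: 0x64,              # B+E8 holds the value (100)
}

def read_ptr(addr):
    """Read one pointer-sized value; unmapped addresses fail like a bad read."""
    if addr not in MEMORY:
        raise LookupError(f"unreadable address {addr:#x}")
    return MEMORY[addr]

def resolve(expr, modules):
    """Evaluate a bracketed path; every [...] pair is one dereference."""
    tokens = re.findall(r"[\[\]+]|[^\[\]+\s]+", expr)
    pos = 0

    def term():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "[":
            inner = total()
            if pos >= len(tokens) or tokens[pos] != "]":
                raise ValueError("unbalanced brackets")
            pos += 1
            return read_ptr(inner)
        # Module names resolve to their base; anything else is a hex offset.
        return modules[tok] if tok in modules else int(tok, 16)

    def total():
        nonlocal pos
        value = term()
        while pos < len(tokens) and tokens[pos] == "+":
            pos += 1
            value += term()
        return value

    result = total()
    if pos != len(tokens):
        raise ValueError("unbalanced brackets")
    return result

def pointer_with_offsets(base, offsets):
    """Base plus offsets in application order: read, then add each offset."""
    addr = base
    for off in offsets:
        addr = read_ptr(addr) + off  # the last offset is added, not dereferenced
    return addr
```

With `{"game.exe": MODULE_BASE}` as the module table, the "Mine" form evaluates to the address `0x300000E8`, while the "Yours" form evaluates to `0x64`, the value stored there.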
kzyadaking How do I cheat?
Reputation: 0
Joined: 27 May 2022 Posts: 9
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4724
Posted: Tue Jun 14, 2022 11:19 am
Yes, that image is correct.
If the address it points to is wrong, then that pointer path is wrong. It might only work in that small section of code in the previous image. In that case, use the pointer scanner.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |