Cheat Engine

rnoles4444 · How do I cheat? Reputation: 0 Joined: 20 Nov 2022 Posts: 2

Okay so I have hacked many games and have even made many scripts to make values not change. But there's on game out there that has me completely stuck and I have spent about a week now trying to locate the value of.

In the game Banjo Tooie (Not Banjo Kazooie), the programmers of the game REALLY do not want you finding the golden feathers value in the game. Basically you can store up to 10 feathers. When I searched for the value, the main value is not the same as the display value.

So I did what any game hacker would do and try all methods. I've tried a break and trace, tried using pointers, tried nop sections of the machine code. NOTHING. I even tried doing a full "Value Changed & Unchanged" in all data type scans. NOTHING.

What's weird is when I do a full all data type scan and run the "changed" or "unchanged" scans I am eventually left with values that possibly are linked to the value of the golden feathers. So what I did was add all of them to the list, and then FROZE all the values and STILL the value goes down.

This is the only game that has me completely stuck and I officially given up and am asking for help in trying to find the golden feathers value. I have absolutely no idea on what to do now. I have followed EVERY YouTube tutorial in finding encrypted values or values not linked to the display value. It seems like the way the programmers are storing the value is very unique from most games so it's making this one of the most challenging things I have every dealt with.

For example, let's say the value of golden feathers I have is 10. I search all data types for the value 10. I eventually get left with 4 addresses. I noticed the r10 register is holding the 9 value because the value went down to 9 when I activated the Golden feather ability. I stop it when it reaches 9. When I do a "find out what writes to this address" or "find out what access this address", I get a few hits but I mostly get brackets like moveb [eax,100200C],r10l

If I do a break and trace, the only thing I noticed is after the call is being performed there is a sub,68 every time is the same sections before the write happens. When I nop that section STILL nothing happens.

Am I possibly looking at this the wrong way? Shocked

EDIT: I have provided screen shots to show what exactly I am doing to find the value.

EDIT: before an admin asks, yes my settings are set correctly in cheat engine. I have MEM_MAPPED enabled with big Indian data type enabled. Big Indian is required to use in Xenia emulator. GitHub provided what specific settings I had to use in cheat engine to make it work fluently in Xenia.

Frouk · Posted: Mon Nov 21, 2022 9:25 am Post subject:

see what access this value and watch registers? or maybe this is xor value encryption

ParkourPenguin · Posted: Mon Nov 21, 2022 12:33 pm Post subject:

Emulators can be awful from CE's perspective. If it's JIT compiled, looking at the assembly is a little better, but it's not something I'd sink any significant amount of time into.

`sub rsp,68` is just making room on the stack for local variables. Maybe also scratch space for other function calls (win x64 calling convention)

The value you want to find could be a cached temporary that's comprised of other values. For example, imagine a game with skill points you can allocate to certain skills. The "real" values are your character's level (this determines the total skill points) and the level of your skills (this determines the spent skill points). Your "current" skill points gets dynamically calculated from these values: it's never actually relevant other than to display it on the screen. Changing it or a cached version of it will have no effect. The only way you can affect it is to change your level or the level of your skills.
I've worked on a game like this before years ago, but I forget what it was...

Maybe the value is stored in a way you aren't expecting. e.g. finite collectables can be stored as a bitfield or many booleans.

It could also just be reallocating memory every time it gets written to. That's bad, but I've seen it before (ActionScript 2 interpreter)

rnoles4444 · How do I cheat? Reputation: 0 Joined: 20 Nov 2022 Posts: 2

I do notice that the game saves when entering in and out of certain areas. I'm betting when this happens it's writing the value to the save file. Xenia stores the saves in a file called savegame.dat in the Xenia folder under C:/Users/*****/Documents. I wonder if doing a unknown fuzzy search "changed value" every time the saving part execution happens would be something to try. It's just a theory but a good idea I just came up with.