Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Too many addresses with shared opcodes
careca777
Expert Cheater
Reputation: 0

Joined: 27 Jul 2013
Posts: 121

PostPosted: Tue Apr 25, 2023 10:52 am    Post subject: Too many addresses with shared opcodes

Hey there, I am trying to play this game that has something called skull coins, aka lives. I am playing with my daughter; she's young and doesn't know how to play very well yet, and her character dies often, so I am trying to increase the amount of lives we can have, so we can move on instead of restarting the level constantly.
I tried the usual methods: pointer search 7, 8 levels, big offsets, many pointers, but when I restart the game and filter the results, nothing.
Then I searched for "what accesses this..." so I could do code injection, but every opcode gives out thousands of addresses very quickly, and they keep increasing!
Tried to get an AOB signature with the value of lives, but eventually I was forced to introduce too many wildcards and the line just retrieves way too many results; the line had around 80 bytes.

At this point I am out of ideas, so I turn to you experts for guidance. Is there anything else I can try?

Thanks in advance.
LeFiXER
Grandmaster Cheater Supreme
Reputation: 20

Joined: 02 Sep 2011
Posts: 1053
Location: 0x90

PostPosted: Tue Apr 25, 2023 11:33 am

Do you fully restart the game, as in exit the game entirely before starting it up again, when rescanning for pointers?

It's normal behaviour for the instructions in the "what accesses this..." window to show large values. It just means that particular instruction is accessed a lot.

Also, what is the name of the game?
careca777

PostPosted: Tue Apr 25, 2023 11:46 am

Yes, I fully restart the game, search for the value again, and filter the results.

Game is Gauntlet.
LeFiXER

PostPosted: Tue Apr 25, 2023 1:39 pm

Ah, I can imagine it's a shared value at least. You will have to scan for commonalities and then apply comparison logic based on that.
careca777

PostPosted: Tue Apr 25, 2023 2:26 pm

I did go on to try that, but curiously, the address that I got that is of type "double" will not show up as one of the addresses read by the opcode, but one does come up that's similar / close to it. The sheer amount of addresses doesn't help to find the commonalities; it basically locks up CE if it doesn't throw up an error. Is it your opinion that a pointer should come up, or in some games do they never show up?
LeFiXER

PostPosted: Tue Apr 25, 2023 2:29 pm

A pointer is just an address that is relative to another address by a specific offset. I would recommend watching this https://www.youtube.com/watch?v=fFHrJPnAY_g
careca777

PostPosted: Wed Apr 26, 2023 5:35 pm

Update: I had the idea of adding a second condition to the code, since there seem to exist too many addresses with the same value at the same offset. I finally got this to show up, for an instant, the correct address, the one I needed, but as soon as it did, the game crashed.
What am I messing up?

Code:
newmem:
  cmp [ecx+74],0
  jne isSameAddress1
  mov [ecx],eax
  mov eax,[esi]
  movzx ecx,ah
  jmp return

isSameAddress1:
  cmp [ecx+90],8
  je isSameAddress2
  mov [ecx],eax
  mov eax,[esi]
  movzx ecx,ah
  jmp return

isSameAddress2:
  mov [Coins],ecx
  mov [ecx],eax
  mov eax,[esi]
  movzx ecx,ah
  jmp return


I then have a pointer with [Coins] showing the address that the code has found.
gir489
Grandmaster Cheater
Reputation: 14

Joined: 03 Jan 2012
Posts: 835
Location: Maryland, United States

PostPosted: Wed Apr 26, 2023 7:22 pm

careca777 wrote:
Update: I had the idea of adding a second condition to the code, since there seem to exist too many addresses with the same value at the same offset. I finally got this to show up, for an instant, the correct address, the one I needed, but as soon as it did, the game crashed.
What am I messing up?

Code:
newmem:
  cmp [ecx+74],0
  jne isSameAddress1
  mov [ecx],eax
  mov eax,[esi]
  movzx ecx,ah
  jmp return

isSameAddress1:
  cmp [ecx+90],8
  je isSameAddress2
  mov [ecx],eax
  mov eax,[esi]
  movzx ecx,ah
  jmp return

isSameAddress2:
  mov [Coins],ecx
  mov [ecx],eax
  mov eax,[esi]
  movzx ecx,ah
  jmp return


I then have a pointer with [Coins] showing the address that the code has found.

Since you said this function is manipulating lots of other addresses, it's highly likely that some of the registers you're attempting to dereference (ESI, ECX, ECX+74, etc) contain null/invalid pointers.

My suggestion would be to attempt to find something on the stack that's only there when the coin address is manipulated that isn't there when the others are called.

Or, you could instead use "What writes to this address" on the coins, die, and then simply NOP out the instruction that decrements the coins. If it's a MOV instruction that manipulates it, check above it for a SUB or DEC instruction and NOP that instead.

EDIT: I just checked, and ESI has the value of 5 when the function is trying to populate the coins address. I sent you a table I made in your message box.
careca777

PostPosted: Thu Apr 27, 2023 8:29 am

Thank you, I appreciate that.
But there was a problem: it seems like the value is only for the visual; it doesn't stick when the character dies.
I was looking into your suggestions and I set a breakpoint on

"gauntlet.exe"+19B8D3
89 69 04 89 01 8B 06
mov [ecx+04],ebp

and at some point I noticed XMM0 had the value for lives that I set, which was a bit specific, 247.
But I don't know enough to know what to do with it.
I think I need to learn some debug techniques.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

PostPosted: Thu Apr 27, 2023 10:19 am

I am not familiar with this game, and it looks like there may be many variations of it. However, if any portion of this game uses online components, then it could be that the value that you are trying to manipulate is being handled remotely.
careca777

PostPosted: Thu Apr 27, 2023 10:41 am

Well, I'm not sure what you mean. I can change it, although it only shows up on the screen after it calculates, so if I set the value in CE to 5 and then I die, when I respawn the value that shows up on screen is 4, and also 4 in CE.
I can search for it and manipulate it every time, but pointer search doesn't seem to work; it comes up with zero in the second filtering, and the write opcode is shared by thousands, making the compare option much harder.
++METHOS

PostPosted: Thu Apr 27, 2023 11:07 am

I see. If using the pointer scanner (and the game is old), then you may consider experimenting by increasing the offset size (while decreasing level), and changing the option so that the results do not have to be 4 byte aligned.

Alternatively, when you right-click on the address in your cheat table, and check to see what accesses, in the new window that pops up, try right-clicking on the open white space and choosing the option that checks to see if the opcodes access any other addresses.

If you get any results with (1) next to them, then you can use that as your filter. Just be sure to return to game and let it run for a second before deciding on a result.

If you are familiar with the data structure dissection tool, then you can use that to find a value that might have an instruction that is exclusive, and use that for your filter.
gir489

PostPosted: Thu Apr 27, 2023 1:44 pm
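Added example, not code from the thread or from Cheat Engine: a small Python model of the filtering step that LeFiXER ("scan for commonalities"), gir489 (registers that may hold NULL) and ++METHOS (the "(1)" count as a filter) describe. Given the structures a shared instruction touched, it finds the smallest set of field offsets whose values single out the wanted instance while skipping hits where the base register was NULL. All addresses, offsets and field values are constructed; 0x74 and 0x90 only echo the offsets careca777 tried.

```python
from itertools import combinations

# Constructed sample: every entry is one structure instance that the shared
# instruction touched, keyed by the base address the register (ecx) held.
# Field values are made up; offsets 0x74 and 0x90 echo the ones tried above.
TARGET = 0x0C3A5F10
INSTANCES = {
    0x0C3A5F10: {0x00: 247, 0x74: 0, 0x90: 8, 0xA0: 1},  # the lives structure
    0x0C3A6230: {0x00: 247, 0x74: 0, 0x90: 8, 0xA0: 3},  # decoy sharing both checks
    0x0C3A6F40: {0x00: 247, 0x74: 1, 0x90: 8, 0xA0: 1},
    0x00000000: None,                                    # hit where ecx was NULL
    0x0C3B1000: {0x00: 5, 0x74: 0, 0x90: 2, 0xA0: 2},
}


def hit_counts(instances, offset):
    """For one offset, count how many instances hold each value (the "(1)"
    that CE shows next to an instruction that touched exactly one address)."""
    counts = {}
    for fields in instances.values():
        if fields is None or offset not in fields:
            continue  # an invalid base would fault in a hook; skip it here
        counts[fields[offset]] = counts.get(fields[offset], 0) + 1
    return counts


def discriminating_offsets(instances, target, max_fields=2):
    """Smallest set of offsets whose values single out `target` among all
    valid instances. Returns {offset: required_value}, or None if no
    combination of up to `max_fields` offsets is unique."""
    offsets = sorted(instances[target])
    for n in range(1, max_fields + 1):
        for combo in combinations(offsets, n):
            want = {o: instances[target][o] for o in combo}
            matches = [base for base, fields in instances.items()
                       if fields is not None
                       and all(fields.get(o) == v for o, v in want.items())]
            if matches == [target]:
                return want
    return None


if __name__ == "__main__":
    print("value counts at +0x00:", hit_counts(INSTANCES, 0x00))
    # The pair tried in the thread, [+0x74]==0 and [+0x90]==8, is not unique
    # here because the decoy at 0x0C3A6230 shares both; a different pair is.
    print("unique filter:", discriminating_offsets(INSTANCES, TARGET))
```

In this sample no single field is unique, and the two checks from the posted script still match a decoy, so the search moves on to the pair [+0x74]==0 and [+0xA0]==1.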

I actually have been playing the game a lot, and noticed the reason you can’t find the true address is that it’s in Lua’s memory. All the coins for life and the gold for unlocks are all Doubles stored in the Lua cache. I don’t know of a way of attacking Lua games without injecting directly into the Lua engine itself.
careca777

PostPosted: Fri Apr 28, 2023 1:42 am

Thank you, lots of ideas for me to try. I am familiar with the dissection tool, but I have never used the "does it access any other addresses" option. Will look into it.

@gir489 could Lua, and what you mentioned, be a reason why the pointer scanner failed?
careca777

PostPosted: Mon May 01, 2023 3:32 am

After many hours of searching for values and editing an AOB, I got a massive line with many, many wildcards, and I exhausted this option; AOB is not viable, things just change too much.
It was suggested that I hook Lua, and I went over this, even compiled a DLL as the page instructed, but then got stuck when finding the offsets for the entry point and Lua instructions; I guess it just goes over my head.
As far as the rest of the suggestions, it seems like I couldn't get any of them going. I guess that's it, I stand defeated.
Page 1 of 2