Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


add to Value that is constantly written over without nop

 
Aziixz
Posted: Sun May 14, 2023 7:04 am

I need to add float 13 to an address that is constantly written to by another address. Checking this address shows that it also writes to thousands of other addresses. How can I isolate this address and only add a value of float 13 to it without nopping? I need the value to be accessed and written to by other values, but want an additional float of 13 to be added onto whatever the address is showing. Trying to compare these commonalities shows 3 results, but I don't know what to do with them.


Scan.png

++METHOS
Posted: Sun May 14, 2023 12:42 pm

Have you checked to see what 'accesses' the address, and then checked to see if opcodes access any other addresses (to see if there are any instructions that are exclusive to that address)?

Aziixz
Posted: Mon May 15, 2023 1:19 am

Yes, I have checked. There are 6 results, but all access hundreds of other values.


Upload.jpg

++METHOS
Posted: Mon May 15, 2023 2:56 pm

Just to clarify, you right-clicked on an open space in that window to check if opcodes access other addresses?

If so, and none of the results have (1) next to them, then you can try to see if the register values contain a unique identifier that you may be able to use for your filter. If you are not sure how to use the commonalities feature, then you can do this manually.

Each register that is highlighted in red (see image below) will contain a value, as you can see. Using the ECX register as an example, you might set up your script to perform a compare at the start:

Code:
newmem:
cmp ecx,870
jne originalcode
//manipulation code here

originalcode:
//original code here


Then just do that for each register.

Once you activate your script each time, you can follow it from the injection point in the memory viewer to take you to your code cave. Here, you can right-click to see what addresses the instruction accesses (at your manipulation code), to see if the filter works well.

If you find a viable filter, you will want to save the cheat table and close the game and restart everything to see if the filter is still working.

If there are no viable filters being stored in the registers, then you can try to target an address that resides inside of the same data structure of the address/value that you are trying to manipulate. You may find that there is an instruction that is exclusive to one of those alternative addresses.



2023-05-15_15-47-51.png

Aziixz
Posted: Tue May 16, 2023 3:41 am

Can you please elaborate on the second option using data structures? Using register filters did not lead to any viable filters, although using cmp EDX,00000360 did only lead to 50 addresses affected instead of thousands.

++METHOS
Posted: Tue May 16, 2023 2:35 pm

Sure. There are probably videos on YouTube that will walk you through this process; however, I will give a brief explanation.

Once you have found the address/value that you are wanting to manipulate, you will want to right-click on it in your cheat table and select 'disassemble memory region'. The memory viewer window should pop up. From here, select 'Tools' from the drop-down menu, and then select 'Dissect data/structures'.

From here, a new window should pop up. You should see the address that you are interested in auto-populate the text box. You will want to add the appropriate offset to that address, so that you can encompass the entire structure (hopefully).

In your case, the instructions that were accessing your address had an offset of +10 and one with +70. You can try both. I would start with +70, since that might indicate a larger structure.

In your example, your address was 5991B290. The instruction with the +70 offset was:

movdqa xmm7,[esi+70]

As such, you will want the text box in the Structure Dissect window to read:

5991B290-70

We use a minus sign instead of a plus sign because we want the structure to start at the base, or beginning of the structure.

From here, just click 'Structures' from the drop-down menu, and select 'Define new structure'. Click okay.

Now, at offset 70, you should see the address and value that you are interested in.

All of these addresses inside of this structure can be added to your cheat table. You can bulk-add them by highlighting them and then right-click, add to address list.

You can add as many as you like. Be sure to select all of the addresses before your important address, as well as some after.

From here, you will just go through each address, one-by-one, and right-click to see what accesses the address. In the new window that pops up, you will want to right-click an open space to see if opcodes access any other addresses.

If you see any results with (1) next to them, then you may use that for your injection point.

Be sure to click stop and also to cancel the checking of opcodes before you move on to the next address.

This is just one of many ways to go about this. A different (and better) way to access the data structure tool is from an instruction that is accessing your important address. Just right-click on it to find out what addresses the instruction accesses.

Once the new window opens and populates all of the addresses, you can find your important address and right-click on it to 'open dissect data with select addresses'. Going this route will auto-populate the address with the correct offset already appended to it. You can also compare with other addresses to see if there is a unique identifier that can be used for your filter.

I highly recommend completing the CE tutorial because it will help you to have a better understanding of these things. You can find many text and video walk-throughs that will guide you through the process if you get stuck on something.

Hope that helps.

EDIT: If you do get a result with a (1) next to it, then you will simply want to create an injection point using that instruction. The instruction may have an offset of +4, whereas, the address that you are interested in may have an offset of +10. These offsets are written as hexadecimal. You will need to keep this in mind for when you create your script.

For example, let's say that the instruction that you find with a (1) next to it, is this:

mov eax,[esi+4]

Now, you know that the value that you are interested in has an offset of +10 (or +70, but we will assume +10 for this example). That being said, you can either manipulate the value here e.g.:


Code:
newmem_address:
mov [esi+10],#99999            //whatever you want to do

originalcode_address:
mov eax,[esi+4]
jmp return_address


or, you can store the address of the value so that you can use it for your ID at a different injection point (in case you need to NOP the instruction that is directly accessing your important address, for example):

Code:
[ENABLE]

{====================  address  ====================}

aobscanmodule(aob_address,game.exe,xx xx xx xx xx)
alloc(newmem_address,1024,game.exe)

label(return_address)
label(originalcode_address)
label(stored_address)

registersymbol(aob_address)
registersymbol(stored_address)


newmem_address:
push edi
lea edi,[esi+10]                 //your important address
mov [stored_address],edi
pop edi

originalcode_address:
mov eax,[esi+4]
jmp return_address

stored_address:
dd 0

aob_address:
jmp newmem_address
return_address:


[DISABLE]
dealloc(newmem_address)
aob_address:
db xx xx xx xx xx

unregistersymbol(aob_address)
unregistersymbol(stored_address)
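
Added example (not part of the original thread and not ++METHOS's code): the structure-comparison step described above, done offline in Python. It computes the structure base from the thread's address and +70 offset, then looks for a 32-bit field that is unique to the target instance and unchanged after a restart; the snapshot bytes, field layout and helper names are constructed for illustration, and ESI is assumed to hold the structure base as in the thread's instruction.

```python
import struct

FIELD_OFFSET = 0x70  # offset from the thread: movdqa xmm7,[esi+70]

def struct_base(field_address, field_offset=FIELD_OFFSET):
    """Structure base = address of the field minus the field's offset."""
    return field_address - field_offset

def dwords(blob):
    """Map each 4-byte-aligned offset to its little-endian 32-bit value."""
    return {off: struct.unpack_from("<I", blob, off)[0]
            for off in range(0, len(blob) - 3, 4)}

def unique_offsets(target, others):
    """Offsets where the target's value differs from every other instance."""
    others = [dwords(b) for b in others]
    return {off: val for off, val in dwords(target).items()
            if all(o.get(off) != val for o in others)}

def stable_filters(runs, skip=(FIELD_OFFSET,)):
    """Identifiers unique in every run and unchanged across restarts.
    The edited field itself is skipped: its value is not an identity."""
    per_run = [unique_offsets(target, others) for target, others in runs]
    return {off: val for off, val in per_run[0].items()
            if off not in skip and all(r.get(off) == val for r in per_run[1:])}

def make(fields, size=0x80):
    """Build a constructed structure snapshot from {offset: dword}."""
    blob = bytearray(size)
    for off, val in fields.items():
        struct.pack_into("<I", blob, off, val)
    return bytes(blob)

# Constructed snapshots (not from the thread): (target, [other instances]).
# 0x04 is a heap pointer that moves on restart; 0x0C is shared by some.
RUN1 = (make({0x00: 0xA41000, 0x04: 0x5991B000, 0x08: 0x2A, 0x0C: 0x360, 0x70: 0x42C80000}),
        [make({0x00: 0xA41000, 0x04: 0x5991C000, 0x08: 0x07, 0x0C: 0x360, 0x70: 0x42480000}),
         make({0x00: 0xA41000, 0x04: 0x5991D000, 0x08: 0x09, 0x0C: 0x361, 0x70: 0x42960000})])
RUN2 = (make({0x00: 0xA41000, 0x04: 0x3A10B000, 0x08: 0x2A, 0x0C: 0x360, 0x70: 0x42C80000}),
        [make({0x00: 0xA41000, 0x04: 0x3A10C000, 0x08: 0x07, 0x0C: 0x360, 0x70: 0x42480000}),
         make({0x00: 0xA41000, 0x04: 0x3A10D000, 0x08: 0x09, 0x0C: 0x361, 0x70: 0x42960000})])

if __name__ == "__main__":
    print(hex(struct_base(0x5991B290)))  # base to enter in Structure Dissect
    for off, val in stable_filters([RUN1, RUN2]).items():
        print(f"candidate filter: cmp dword ptr [esi+{off:X}],{val:X}")
```

In this constructed data the pointer at +4 is unique within each run but changes after the restart, so it is rejected, which is the reason the thread says to restart everything before trusting a filter.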
Aziixz
Posted: Wed May 17, 2023 10:02 pm

Thanks for the help, but all of the addresses in the structure also access multiple different addresses (hundreds). I checked about 150 before I ran out of time. Is there a better way? I used the check if opcodes also access other addresses and all of them had (8).

Using the registers like you mentioned before here got me the closest


Code:
newmem:
cmp ecx,870
jne originalcode
//manipulation code here

originalcode:
//original code here


This led me to one filter, edx, which led to only 4 addresses being affected. Is there a further way to then filter the register used again, or some other way to only affect the 1 address I want? Apologies if that's not how it works.

++METHOS
Posted: Wed May 17, 2023 11:27 pm

Aziixz wrote:
is there a better way?
-There are other ways, sure. I cannot say if they are better or not, and some will depend on your level of understanding.

Aziixz wrote:
This led me to one filter, edx, which led to only 4 addresses being affected. Is there a further way to then filter the register used again, or some other way to only affect the 1 address I want?
-You can add more filters. You can even check the registers again to see if adding an additional filter will be enough to narrow in on your address.

There are many ways. One way would be to use the data structure dissection tool again, except this time, look for a unique identifier. It would be better for you to work through the cheat engine tutorial so that you can have a better understanding of the process. As mentioned, there are many videos and walkthroughs that have been written, that can guide you, step-by-step, in lieu of me writing everything out.

You can also try the pointer scanner. In truth, it's not ideal, but it can work if you can find something reliable. The good thing about pointers is that you can use them inside of your scripts or as standalone. Other methods are more advanced and will probably not be easy to walk you through them.

Aziixz
Posted: Tue May 23, 2023 3:09 am

Figured it out looking at some tutorials and combining your compare registers

Thank You Methos

++METHOS
Posted: Tue May 23, 2023 9:17 am

Oh, great. Glad to hear that.

All times are GMT - 6 Hours