Cheat Engine

[aseerha]

Hi everyone

I faced a strange problem (to me)...

I'm trying to defeat DMA in Yuri's Revenge 1.001 and i was able to defeat some DMAs like the address which triggers the weather storm..
Now the problem is when i tried to defeat tanya's DMA thing, as usual I pressed on "Find out what writes to this address", and found this code:
0049fa48 - mov [eax], ecx >> eax contains the address of tanya, fine but that address keeps changing whenever I restart the game..

I've attached a screenshot... Please help

[GreenBeret]

I think you need to find the pointer of this?

I will use SS you attached for example:

Look for 0FAEE270 in hex 4 bytes, look for green address, if not keep looking, then click add address manually, Tick pointer, address is the 1 you found, offset is 0 in this case. This should bring you to the address.

[aseerha]

When i looked in 0FAEE270 .. The value in 0FAEE270 is 1 which is the status of tanya.... Not the pointer... I mean 0FAEE270 is the direct address for the value i was looking for when i increased and decreased search..etc and that address keeps changing when i restart, so its not the pointer...

and I'm sorry i didnt really understand u.. what do u mean by "look for green address" ?

[me]

well 2 things to try

firstly the address that is held in [eax] ... is first loaded previously into eax by
49af44 lea eax,[eax+ebx*4]

so really you need to open the disassembler at that location instead of using the more info button and scroll up and see if you can see whats loaded into eax above your code,

secondly ebx*4 is the offset, in this case ebx is holding the hex value 18, which is 24 in decimal,, you can use your windows calculator for converting that or learn hexadecimal anyhow,

so you can trace back to the pointer or learn to use the cheatengine autoassemble script and compare the contents of ebx to 18 hex to check that eax is holding the correct address you want to hack,,

you see it looks like the usual setup here where there is a structure of addresses,
your address is eax+18,

I cannot write the script for you since I dont have the game, It a C&C game isnt it ?
never got into them sorry , but the techniques for that sort of code are the same,,
look in the autoassemble tutorial sections,

you need something along the lines of

cmp [ebx],18
jne back to game
mov ecx,1
mov [eax],ecx
jmp back to game

I'm guessing you want to put 1 into your address at this stage..
you can put whatever value you need into ecx of course,
this way you dont need to find the pointer, you let the game find it for you,
of course some game protections look for code changes and online the server keeps tabs on the values usually ,, but for general single player games this is the usual old way,

thats a couple of ideas for you to work on to get you going,

[aseerha]

me..

Yeah its a C&C game..
I did as u said and checked for the value of eax at 0049fa44..

eax held an address... I checked the value of that address at Cheat Engine and the value was 2 which isnt helpful at all... But I noticed something...

See the address of tanya is 0FAEE270 which is eax at 0049fa48...

When i did what u told me and checked the value of eax at 0049fa44, eax was 0FAEE210 .. and this difference in values was always the same whenever i played.. 0FAEE270 - 0FAEE210 = 60 hex ... I dont know if this is useful because those addresses keep changing but the difference remains the same...

[me]

I meant look at the code that comes before 0049fa44..in the disassembler to find out what was loaded into eax, and try some code injection, but seeing as you only got 3 posts I am guessing you are still pretty new to this,

instead of the you can try and do another first scan with your address from eax in the more info window to try and find the pointer,, you need to click on the hex box next to the search field so you can enter you hex address,

another way that can save a lot of effort is a really nice thing dark byte put in cheat engine which is the pointer scanner,, this does the hard work for you,

just find your normal address like you did before, but instead of right clicking the address and using " find out what writes to this address "

use the Pointer Scan For This Address that is just above "Find Out What Accesses This Address"

try the default search first and just click ok,, and wait and see if it comes up with pointer addresses,

if it finds some just double click the pointer addresses to add them to the address list in the main cheat engine window,,

save the table ,

be a good idea for you to look at the pointer and auto assemble tutortials for a bit more info as well.. code injection is handy to know,
pointers are handy for games that check for code changes though. so you can cheat the game without hacking the game protection,

but remember if you try this online there will be server checks on all the player stats, but single player games should respond to cheats most times

[aseerha]

Back again.. I tried doing the find pointer thingy.. I tried everything u told me.. but returned nothing

anyhow I've attached a wider screenshot view of the assembly code...

I really appreciate your help thanks...

and yeah.. I know i can nop the INC or change it to DEC.. but the problem is.. During the game, if i did already selected tanya and tried to nop that INC, that will be of no use because it already INC before injecting and i wont be able to click on tanya again because it already increased the value of tanya to 1 meaning that she's alive and no more of her can be added until she's dead......

Thats why i need the pointer address.. To change the 1 to 0 directly from the address of tanya

[Labyrnth]

This is [almost] the same thing "me" was trying to explain on how we would do this.
Now like "me", since i dont have the game i cant tell what all would be needed in the part where "originalcode:" is, so i just put the instruction the break is on.
Now, for that address you say changes if you wasn't meaning this address 0049fa48. Then this AA should work. Providing you add the other instructions that should be in "originalcode:" section of it.

[me]

ah yes I think it might still need a cmp [ebx],18 first then jump back to original code if [ebx] is holding another offset,
load ecx,0 if [ebx]=18


yes its a pain trying to help with AA when you have'nt got the game cos the number of bytes in the original code are replaced by jmps and nops, then parts of the original code are reproduced in the allocated memory to balance the code up,

but Labyrnth's AA is the idea of what I meant by code injection, you just use the fact that it's ONLY when [ebx]=18....[eax] is loaded with zero,

if you still want to try and find the pointer you will probably need to put a break point at an earlier part of the code,, at 49fa30 at least to see whats originally loaded into eax,
you can do it with olldg and F7 to step throught the code or use the CE debugger in the memory view dissasembly window to step through,
i
t uses the same keys as olldg does, so you can F5 to set your breakpoint then F7 to step though code when the C&C game breaks, ( I guessing it will break a lot lol )

((((( also a handy thing to sometimes use here is the disect code feature to see where the calls and jumps to this area of code are coming from like the old windasm32 and ADA do, )))))

anyway this is why I got you to try the pointer scanner first to try and simpify your search first,

code injection is the next easiest in this case, and using the debugger to manually trace through the code it you know how to do it,

I would try out the code injection+offset method first and see what happens,
but when you do start using these methods you can sometimes be introduced to the wonderful world of crashes and lockups when you get it wrong heehee

[Labyrnth]

Yeah it is kinda hard to do it without seeing anything, But. they way he is talking it maybe be a bool, 1 or 0. Who knows....

[me]

[Labyrnth]

I dont know what happend to my pc,
every exe on it looks like it doenst know what to open it with lmao.

[aseerha]

Heyy guys.. What are you talking about

Its like you start your math course with full excitement and suddenly receive a long unexplained equation from your instructor which leads to total depression...

Ease on me a little please why do i have to compare ebx to 18? its already 18 ? plus where am i supposed to put this code.. how to put it and what does this code do?

I'm ready to ship the game to any of you guys or even put it here for download

Please help

[Labyrnth]

He is comparing it to see if it is 18, Then if it is = to 18 it will set it to 0

[me]

sigh this is why I dont post much lol,, here we go re-inventing the wheel again, promise me you will look in the auto assembly tutorial section to get a better idea of how to do this,, it takes a little pratice to get it right, anyway I jotted up a piccy with instrucions on how to make an suto assemble script using minesweepers timer,
just a simple bit of code to reset the timer to 1 every time it reaches 5,

just use those ideas to put the code in for your game, if it still dont work then you got to find out why yourself,

by the way all that mov [eax+ebx*4] is doing is increasing the 32 bit(4 byte) addresses held in eax,

its what they mean by structures, because in c&c for instance you got lots of soldiers and engineers for example,

00400000 address of health of solder 1
00400004 address of health of solder 2
00400008 address of health of solder 3
0040000c address of health of solder 4

and that is what I am guessing [ebx]=18 means when your searching for what triggers the weather storm,

cant be sure thats the right thing to search for without experimenting but the best I can guess from here,

also a good tip is to try and run games in window mode whenever possible when messing with code,, makes things easier to close down if you get a lock up,

so here is the piccy for you to work out what you want to try ,,( hope you appreciate the drinking time I gave up to post this

(by the way if ithe piccy dont show up hit refresh till you see it, phew think I'll retire from posting again for a while and stop to give the wheelwrights a chance lol )