Cheat Engine

wizboy11

I already made one trainer for Rome Total War v.1.2 but it only worked when you were building anything, not when you ended your turn. All it does is replace a single line of code with code that does nothing. The main problem is the game is a bitch when you attach a debugger, if you even get to attach a debugger!

So I start the game and cheat engine, If I go to try to attach a debugger the mem adresses change. So I find the Money adress, again, I double click the name of the app. and then go to the mem. and do that 000000000+bc thing and then I change the first 4 bytes (or however much it is) to 00 00 00 00.

The game then becomes highly unstable and often charshes and I can't make a bigger or better trainer.

Any suggestions? Thx in Advance.
PS- my trainer that I made is attached.

Dark Byte · Posted: Wed Sep 21, 2005 9:45 pm Post subject:

try this:
go to settings->extra and enable use kernel debugger when possible
Then open rome total war with ce (do not attach the debugger) and then rightclick a address and choose "find out what accesses this address" or "find out what reads from this address"

wizboy11 · Posted: Sun Sep 25, 2005 10:44 am Post subject:

Hey, what do ya know, it works!

So when I do find out what accesses this adress, that would include what writes and reads to it?

Dark Byte · Posted: Sun Sep 25, 2005 10:56 am Post subject:

you can also use "find out what writes" (it's just that for read only you do need the old debugger)

but to determine it by looking at it:
opcode [xxxxxxxxxxx],xxx is a write operation
opcode xxx,[xxxxxxxxxxxx] is a read operation.

notice that the [xxx] part is 'usually' on the left side for a write and on the rightside for a read

wizboy11 · Posted: Sun Sep 25, 2005 11:21 am Post subject:

Thanks, that will help a lot. To bad some one else beat me to it to realease a 100% working trainer (with more options.)

wizboy11 · Posted: Mon Sep 26, 2005 5:31 pm Post subject:

I'm sure that people have asked you this before but could someone please point me in the right direction.
How would I go about finding a pointer. Even though I have had to have read about 100 pages on the subject I have yet to do it myself. I still find it very confusing.

Thx

Zhoul · Posted: Mon Oct 24, 2005 7:53 pm Post subject:

Download a copy of ArtMoney, which is a memory scanner/editor. Not really geared for gaming, but the documentation gave a great description on pointer finding.

Quick pointer finding intro:

Lets say the address of the value for bullets is 00000020 .

Firstly, values are parts of memory blocks. Therefore, finding a pointer that points directly to your value is not likely. What you need to find is the pointer to the begining of the memory block, then add whatever you have to, to 'reach' your value. When you do a "Find out what reads/writes to this value" search in CE, hitting the "More Information" button shows info on the code, and states "The value of the pointer to find this address, is probably XXXXXXXX".
That number is derived from the code that changed the value. Lets say the code was mov [esi+04], EDX
[esi+04] is the address that was written to. We hope that ESI is the memory block 'start' address, and +04 is the 'offset' in that memory block, for your value.

- The first thing I would do, is use CE to "Find what writes to this address". If the address is written to, by mov [ESI+04],EDI , I would subtract 04 from 00000020, which would be 0000001C (cheat engine simplify's this for us). The reason, is because the pointer is obviously pointing to 0000001C, and the code adds 04 to that (as this is probably the start of the memory block, which contains many values). ArtMoney gives an option to 'find begining of memory block' but what I just described is usually better.
- Search for 0000001C, using the 4 byte hex search. You're going to find a lot of results most likely, simply because 0000001C could be used for anything.

If you only get 1 result, that result is probably the pointer. Add a new value to the cheat engine table, as a pointer, with the found address, and, in this example, 04 as the offset. (remember, 04 is just an example)

Here, the method splits into two sub methods. Try the first, if it doesn't work, try the second:

Sub-Method 1
- If you only get a few results, you can add them all to the address list, try adding pointers for all of them, etc.

Sub-Method 2
- If you get a lot of results, Quit the game, then reload it. (or load a save game. This usually changes what address is used).
- Open a 2nd copy of cheat engine (installed to a completely different directory), and find the value again.
- Switch back to the first copy of cheat engine re-open the process if you had to quit the game, but keep the search/address list when prompted.
- Search for the new address you just found.
- Keep doing this until results are narrow enough to either add a pointer and test it, or simply use sub-method 1 at this point.
- Kick yourself when you mess this up, after 45 minutes of filtering, as I've done many times =).

Sometimes, in the example of ESI+04, ESI isn't even the address the real pointer contains, as ESI might have been added to already. I.e. say you have a double barrel and you find 2 values, one for each chamber. When you do the 'find what writes to this value' - you may be suprised to find that [ESI+04] is used for both. How is this possible?!? ESI is being added to, between the first time its used to set chamber 1, and chamber 2. We usually see this when a memory block contains multiple values, and the same code accesses each value.

Another thing you can do,is search for hex that starts with the same 4 bytes (by searching Array of byte, and using wild cards, i.e. 00 00 * *). But, as you can imagine, this returns an ungodly number of results, hard to sift through.

Whatever the case, the pointer value will always contain a number equal to , or less then, the address of the final value. This helps... kinda... heh..

Also, the best pointer will reside in the lower areas of memory, the ones that won't be changing much (i.e. 038213B4 is good, and 29384123 is probably not).

The real problem comes when pointers are buried multiple levels deep, which is actually more-and-more the case these days, some going 5, 10, 15 levels deep. What this means is that neither of the above methods will work, because the pointer, 1 level back from the value, keeps changing as well.

There are other methods, but in the end, its simply easier to write code caves, or change the existing assembly that reads/writes values. Much, MUCH easier.

Dark Byte · Posted: Tue Oct 25, 2005 12:59 am Post subject:

To find multi levels do exactly the same as above.
After finding the pointer, try to find the pointer to the previous pointer (same method, 'find out what accesses this address'), and so on, till you've got yourself a pointer that resides in a dll