Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
[Tutorial] Dissect data/structures in Cheat Engine
jackdaniels42
Cheater
Reputation: 0

Joined: 15 Jan 2013
Posts: 26

Posted: Sun Jun 02, 2013 9:55 am

GNIREENIGNE wrote:
    jackdaniels42 wrote:
        I'll try it since 6 months to find it

    jackdaniels42 wrote:
        GNIREENIGNE wrote:
            http://forum.cheatengine.org/viewtopic.php?t=558286&sid=b928dd5414476494445ea5ee80ffb6f9

        it's not what I'm looking for

    Maybe you could try another 6 months. :D

yes, or longer
jackdaniels42
Cheater
Reputation: 0

Joined: 15 Jan 2013
Posts: 26

Posted: Mon Jun 17, 2013 6:56 pm

Many in the forum call themselves master cheaters, but seriously have no clue... had the experience I had solved my problem.
jackdaniels42
Cheater
Reputation: 0

Joined: 15 Jan 2013
Posts: 26

Posted: Sun Jul 07, 2013 8:09 am

delete my account from this needless community
Telecide
Cheater
Reputation: 0

Joined: 30 Sep 2012
Posts: 42

Posted: Mon Oct 07, 2013 3:34 am

Hi! So this is an old thread and all, but it's been immensely helpful. Just had a question, though. I'm working on an invincible shield cheat for Distant Worlds: Legends and I've got it sort of working. Using the data dissect trick I've found that at offset 20 of the ship base address there is a pointer, which is the same for ships belonging to the same race. So I use that as the condition for my jump. The only problem is that that number changes, sometimes in mid-game, which of course renders the shields vulnerable again.

How would I go about finding the way that number is calculated and writing an AA script that finds it automatically?

Thanks! :)
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5636

Posted: Mon Oct 07, 2013 8:13 am

Probably your pointer is pointing to an area where player info is stored, e.g. the resources of the player etc. I don't know, because I didn't play this game. You may find a player ID in that area and you can use it to make a permanently working script.

I mean something like this:

Code:

ship structure:
0000 some value
0004 some value
0008 some value
000C some value
0010 pointer to player info

player info where the pointer is pointing:
0000 some value
0004 some value
0008 some value
000C money of the player
0010 some value
0014 some value
0018 ID of the player

Then you can make a script that checks the area the pointer leads to and compares the player ID found there.

_________________
My trainers can be found here: http://www.szemelyesintegracio.hu/cheats

If you are interested in any of my crappy articles/tutorials about CE and game hacking, you can find them here:
http://www.szemelyesintegracio.hu/cheats/41-game-hacking-articles

Don't request cheats or updates.
Telecide
Cheater
Reputation: 0

Joined: 30 Sep 2012
Posts: 42

Posted: Mon Oct 07, 2013 3:57 pm

Thanks for the reply. That was quicker than I expected! :)

So here's the script I'm using, to give you an idea what my problem is.
Code:

[enable]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
label(address2)
registersymbol(address2)
// d9 98 0c 02 00 00 = fstp dword ptr [eax+20C], the shield write; the bytes after it anchor the scan
aobscan(aob2,d9 98 0c 02 00 00 8b 85 ?8 fd ff ff 8d b8 7c 03 00 00)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
// eax = ship; [eax+28] is the per-race pointer this version keys on (the value that keeps changing)
cmp [eax+28],4EBB4508
jne originalcode
fstp st(0)                      // own race: discard the new shield value instead of storing it
jmp exit
originalcode:
fstp dword ptr [eax+0000020C]   // everyone else: the game's original write

exit:
jmp returnhere

aob2:
address2:
jmp newmem                      // 5-byte jmp + 1-byte nop overwrite the 6-byte fstp
nop

returnhere:
[disable]
dealloc(newmem)
address2:
db d9 98 0c 02 00 00            // restore the original fstp bytes
unregistersymbol(address2)


I might just not really understand pointers. The line cmp [eax+28],4EBB4508 is supposed to check a pointer value, which testing showed to be the same for all ships of a single race. But that value changes. I'm not sure how I would replace [eax+28] with something that would point to the offset of the pointer, though.

When enabled, the script takes a line that would store the new shield strength value from the floating point stack into a memory address, and instead makes it just pop the value without storing it. It works, until that value changes.
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5636

Posted: Tue Oct 08, 2013 9:02 am

I know what you mean, but I guess you didn't understand my reply.

Try to do this:

Check the pointer's value for your ships and enemy ships.
Jump to the memory address where the pointer is pointing, for both friendly and enemy ships. Then compare these memory areas and see if you find anything that could be used as a player ID.

If you find something, write down where the value is relative to the pointer's destination, e.g. if you follow the pointer and in that area you find a player ID 10 bytes later, then pointer+10.

Telecide
Cheater
Reputation: 0

Joined: 30 Sep 2012
Posts: 42

Posted: Tue Oct 08, 2013 11:17 am

OK, I think I may be getting somewhere. I found a nice low integer at [eax+24]+3a8. But I'm having trouble figuring out how to notate that in an AA script. I finally ended up with this:

Code:

[enable]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
label(address3)
registersymbol(address3)
// pattern = fld qword [ebp+28] / fstp dword [ebp-29C] / fld dword [ebp-29C] / mov eax,[ebp-284] / fsubr dword [eax+20C]
// = 27 (1B) bytes, so the shield write fstp is at aob3+1b
aobscan(aob3,DD 45 28 D9 9D 64 FD FF FF D9 85 64 FD FF FF 8B 85 7C FD FF FF D8 A8 0C 02 00 00)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
//cmp [eax+1c0],00000069
pushfd                          // cmp below clobbers the flags; keep the game's copy
push eax                        // eax = ship; the original fstp needs it unchanged
add eax,24
mov eax,[eax]                   // eax = [ship+24], pointer to the owner's player info
add eax,3a8
mov eax,[eax]                   // eax = [[ship+24]+3a8], the player ID
cmp eax,00000001                // 1 = my player ID
pop eax                         // pop does not touch the flags, so the cmp result survives
jne originalcode
fstp st(0)                      // my ship: pop the new shield value and store nothing
popfd
jmp exit
originalcode:
popfd
fstp dword ptr [eax+0000020C]   // the game's original write

exit:
jmp returnhere

aob3+1b:                        // fstp dword ptr [eax+20C], 1B bytes into the pattern
address3:
jmp newmem                      // 5-byte jmp + 1-byte nop overwrite the 6-byte fstp
nop

returnhere:
[disable]
dealloc(newmem)
address3:
db D9 98 0C 02 00 00            // restore the original fstp bytes
unregistersymbol(address3)


After breaking and tracing, crashing, breaking and tracing, crashing some more, I finally got the player ID to go where it was supposed to. The only problem is it still crashes and I can't figure out why.

Is there some slick way to use lea here?
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5636

Posted: Tue Oct 08, 2013 12:24 pm

To store the pointer, you can use lea, yes:

lea eax,[eax+24]
mov eax,[eax]

will store the pointer in eax, and then [eax+3A8] is what you have to compare to 1.

But it should work the way you did it too. You made a more complicated script, but it does the same.

Is the pointer always pointing to the player info? If it has a value like 00000000, that could crash the game in some cases.

It may also happen that fstp st(0) is not enough; maybe you should put something after it, like

mov [eax+0000020C],(float)1000

to make sure that your health will get some valid value.

Other than this, I don't see anything in the script that would cause a crash, except that I don't know what the

//cmp [eax+1c0],00000069

instruction that you have commented out is.

Telecide
Cheater
Reputation: 0

Joined: 30 Sep 2012
Posts: 42

Posted: Tue Oct 08, 2013 12:59 pm

Thank you. Thank you!

The commented line was from an earlier version where I found what looked like a race-specific ID, but later looked like a ship class ID.

It's weird. It did work before when I just used the first pointer as a player ID. Not sure what I did, but it's still crashing. There is also the shield capacity value right above the current shield value in the structure, so I guess I could just stick that in.

Really appreciate the help! :)
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5636

Posted: Tue Oct 08, 2013 4:22 pm

Well, if you don't know what's wrong, debug your own code. Set a breakpoint before the code that you modify and see what happens when the script is executed. Then you will see what is causing the crash or where it is taking an unexpected turn.

If you are not sure that the pointer is always working, you can try to add one more compare to ensure that the value of the pointer is not 0 or something similar. If the pointer has a 0 value, that could cause a crash. Check it and make sure that [eax+24] is never 0.

You should also check whether the script crashes right at the first execution or whether it sometimes works and sometimes crashes. You will see it if you debug it.

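Geri's structure sketch above (ship +10 pointing at a player-info block whose ID sits at +18), the advice to dump the pointed-to block for friendly and enemy ships and look for a field that separates them, and the warning that an owner pointer holding 0 will crash the injected script can all be rehearsed offline on a fake memory image. The block below is an added example written for this page; it is not code from the thread, from Telecide's scripts or from Cheat Engine itself. The Memory class, the addresses (0x05600100, 0x05601000, ...), the offsets and every value in build_sample_memory are made up for the demo; only the general shape (ship -> owner pointer -> small integer ID) follows Geri's sketch. It goes a little beyond the thread in that it automates the "compare friendly vs enemy" step over any number of ships per side instead of doing it by eye in the dissector.

```python
import struct


class Memory:
    """Flat little-endian byte image standing in for a 32-bit target's address space."""
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)

    def in_range(self, addr, n=4):
        return self.base <= addr and addr + n <= self.base + len(self.buf)

    def write_dword(self, addr, value):
        struct.pack_into("<I", self.buf, addr - self.base, value & 0xFFFFFFFF)

    def read_dword(self, addr):
        if not self.in_range(addr):
            raise ValueError(f"unmapped address {addr:#010x}")
        return struct.unpack_from("<I", self.buf, addr - self.base)[0]


def dissect(mem, addr, size):
    """Dump a structure as {offset: dword}, the 4-byte cells CE's dissector shows."""
    return {off: mem.read_dword(addr + off) for off in range(0, size, 4)}


def group_constant_offsets(mem, groups, size, max_value=None):
    """Offsets whose dword is the same inside every group but differs between the
    groups: candidate owner/ID fields. max_value keeps only 'nice low integers'."""
    dumps = {g: [dissect(mem, a, size) for a in addrs] for g, addrs in groups.items()}
    found = []
    for off in range(0, size, 4):
        per_group = []
        for g in dumps:
            values = {d[off] for d in dumps[g]}
            if len(values) != 1:          # varies within the group: not an owner field
                break
            per_group.append(values.pop())
        else:
            distinct = len(set(per_group)) == len(per_group)
            small = max_value is None or all(v <= max_value for v in per_group)
            if distinct and small:
                found.append(off)
    return found


def follow_pointer(mem, base, offsets):
    """Resolve [[base+o1]+o2]...+on like a CE pointer chain. Returns None when a
    link is null or unmapped instead of dereferencing it (the crash Geri warns about)."""
    cur = base
    for off in offsets[:-1]:
        if not mem.in_range(cur + off):
            return None
        cur = mem.read_dword(cur + off)
        if cur == 0:
            return None
    final = cur + offsets[-1]
    return final if mem.in_range(final) else None


def locate_player_id(mem, ship_groups, ship_size, player_size, max_id=0xFF):
    """Two-level dissect: the per-owner pointer in the ship, then the small integer in
    the pointed-to block that tells the owners apart. Returns (ptr_off, id_off) or None."""
    for ptr_off in group_constant_offsets(mem, ship_groups, ship_size):
        targets = {g: [mem.read_dword(a + ptr_off) for a in addrs] for g, addrs in ship_groups.items()}
        if not all(mem.in_range(t, player_size) for ts in targets.values() for t in ts):
            continue                      # constant, but not a pointer into mapped memory
        for id_off in group_constant_offsets(mem, targets, player_size, max_id):
            return ptr_off, id_off
    return None


def shield_write_allowed(mem, ship_addr, ptr_off, id_off, my_id):
    """The decision the injected code takes before the game's fstp: True lets the store
    happen, False drops the value. A null/unmapped owner pointer falls through to the
    original write instead of being dereferenced."""
    id_addr = follow_pointer(mem, ship_addr, [ptr_off, id_off])
    if id_addr is None:
        return True
    return mem.read_dword(id_addr) != my_id


def build_sample_memory():
    """Constructed image, not a game dump; layout follows Geri's sketch, addresses are made up."""
    mem = Memory(0x05600000, 0x4000)
    players = {"me": (0x05600100, 1), "enemy": (0x05600200, 4)}
    for addr, pid in players.values():
        mem.write_dword(addr + 0x0C, 5000 * pid)   # money: differs, but too big to be an ID
        mem.write_dword(addr + 0x10, 0x2A)         # identical in both blocks
        mem.write_dword(addr + 0x18, pid)          # the player ID we want to find
    ships = {"me": [0x05601000, 0x05601400], "enemy": [0x05601800, 0x05601C00]}
    derelict = 0x05602000                          # ship whose owner pointer is still 0
    for g, addrs in ships.items():
        for i, a in enumerate(addrs):
            mem.write_dword(a + 0x00, 0x100 + i)          # varies per ship
            mem.write_dword(a + 0x08, 400)                # shield capacity, same for all
            mem.write_dword(a + 0x0C, 300 - 10 * i)       # current shield
            mem.write_dword(a + 0x10, players[g][0])      # owner pointer, same per race
    return mem, ships, derelict
```

Calling locate_player_id(mem, ships, 0x20, 0x20) on the sample image returns (0x10, 0x18): ship +10 is the only field that is constant per side yet differs between sides, and inside the pointed-to blocks the money at +0C is rejected by the "nice low integer" filter while the ID at +18 survives. group_constant_offsets is the same filter you apply by eye when comparing several structures side by side in the dissector. shield_write_allowed is what the injected code does in front of the game's fstp; the point worth copying into the AA script is that a zero or unmapped owner pointer makes it let the original write through rather than dereference, which is the extra compare Geri suggests adding.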
Telecide
Cheater
Reputation: 0

Joined: 30 Sep 2012
Posts: 42

Posted: Wed Oct 09, 2013 12:01 am

I did actually take a look at that. I did a break and trace as opposed to manually setting a breakpoint, just because I can never tab out of the program when it hits the breakpoint.

Since the code is injected in the routine that writes to the shield value, the condition is always false the first time it runs, because I have to start the fight by shooting at some enemies. Although I suppose I could easily change the 01 value to 04 to get it to be true.

It is interesting that the program crashes even when it doesn't execute the alternate code. There does seem to be a lot of code that ran between my injection and the actual crash (although less than a second of time). Maybe something weird with push/pop eax and pushfd/popfd? Hopefully I can figure it out now that I haven't looked at it for a while.
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5636

Posted: Wed Oct 09, 2013 1:50 am

Well, you can try to remove the pushfd/popfd instructions. It happened to me maybe once or twice that they caused some problem, but usually not. Still, you can try.
Telecide
Cheater
Reputation: 0

Joined: 30 Sep 2012
Posts: 42

Posted: Wed Oct 09, 2013 2:25 am

Hmm, well, removing push/pop makes it crash on the compare. Putting them back, it runs up to a... well, here, I'll post the trace. I don't know if this matters, but I think because it's a .NET game there is a lot of unusual behavior. I have to do everything with AOBs because the game code moves all over the place. And even then I sometimes have to modify the AOBs between different sessions.

Code:


12744788 - fld qword ptr [ebp+28]
0018DAAC = (double)38.42
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=12744788

EFLAGS=00000246

-
1274478B - fstp dword ptr [ebp-0000029C]
0018D7E8 = (dword)00000000(0)
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=1274478B

EFLAGS=00000246

-
12744791 - fld dword ptr [ebp-0000029C]
0018D7E8 = (float)38.42
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=12744791

EFLAGS=00000246

-
12744797 - mov eax,[ebp-00000284]
0018D800 = (dword)05654F94(90525588)
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=12744797

EFLAGS=00000246

-
1274479D - fsubr dword ptr [eax+0000020C]
056551A0 = (float)303.47
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=1274479D

EFLAGS=00000246

-
127447A3 - jmp 08CE0000
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=127447A3

EFLAGS=00000246

-
08CE0000 - pushfd
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=08CE0000

EFLAGS=00000246

-
08CE0001 - pushad
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7DC
EIP=08CE0001

EFLAGS=00000246

-
08CE0002 - lea eax,[eax+24]
05654FB8 = (dword)056284C4(90342596)
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7BC
EIP=08CE0002

EFLAGS=00000246

-
08CE0005 - mov eax,[eax]
05654FB8 = (dword)056284C4(90342596)
EAX=05654FB8
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7BC
EIP=08CE0005

EFLAGS=00000246

-
08CE0007 - cmp [eax+000003A8],00000001
0562886C = (dword)00000004(4)
EAX=056284C4
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7BC
EIP=08CE0007

EFLAGS=00000246

-
08CE0011 - popad
EAX=056284C4
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7BC
EIP=08CE0011

EFLAGS=00000206

-
08CE0012 - jne 08CE0020
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7DC
EIP=08CE0012

EFLAGS=00000206

-
08CE0020 - popfd
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7DC
EIP=08CE0020

EFLAGS=00000206

-
08CE0021 - fstp dword ptr [eax+0000020C]
056551A0 = (float)303.47
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=08CE0021

EFLAGS=00000246

-
08CE0027 - jmp 127447A9
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=08CE0027

EFLAGS=00000246

-
127447A9 - cmp dword ptr [ebp-48],00
0018DA3C = (dword)00000000(0)
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=127447A9

EFLAGS=00000246

-
127447AD - jne 127447C6
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=127447AD

EFLAGS=00000246

-
127447AF - mov eax,[ebp-00000284]
0018D800 = (dword)05654F94(90525588)
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=127447AF

EFLAGS=00000246

-
127447B5 - lea edi,[eax+0000037C]
05655310 = (float)-69838.19
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=0018DA74
EBP=0018DA84
ESP=0018D7E0
EIP=127447B5

EFLAGS=00000246

-
127447BB - lea esi,[ebp+20]
0018DAA4 = (float)-87138.05
EAX=05654F94
EBX=4487AEDC
ECX=0C3217C8
EDX=00000008
ESI=05654F94
EDI=05655310
EBP=0018DA84
ESP=0018D7E0
EIP=127447BB

EFLAGS=00000246

-


That goes a couple of commands past the code injection.

And here's how it ends.

Code:

27BDDE7A - mov eax,[esp+000002FC]
0018DDB4 = (float)1085.56
EAX=4487B1C4
EBX=00000000
ECX=4487B258
EDX=00000008
ESI=0018DB88
EDI=448D67EC
EBP=0018DDDC
ESP=0018DAB8
EIP=27BDDE7A

EFLAGS=00000246

-
27BDDE81 - mov esi,[eax+08]
4487B1CC = (dword)05654F94(90525588)
EAX=4487B1C4
EBX=00000000
ECX=4487B258
EDX=00000008
ESI=0018DB88
EDI=448D67EC
EBP=0018DDDC
ESP=0018DAB8
EIP=27BDDE81

EFLAGS=00000246

-
27BDDE84 - mov edx,esi
EAX=4487B1C4
EBX=00000000
ECX=4487B258
EDX=00000008
ESI=05654F94
EDI=448D67EC
EBP=0018DDDC
ESP=0018DAB8
EIP=27BDDE84

EFLAGS=00000246

-
27BDDE86 - mov ecx,027FF848
EAX=4487B1C4
EBX=00000000
ECX=4487B258
EDX=05654F94
ESI=05654F94
EDI=448D67EC
EBP=0018DDDC
ESP=0018DAB8
EIP=27BDDE86

EFLAGS=00000246

-
27BDDE8B - call mscorwks.dll+938A
EAX=4487B1C4
EBX=00000000
ECX=027FF848
EDX=05654F94
ESI=05654F94
EDI=448D67EC
EBP=0018DDDC
ESP=0018DAB8
EIP=27BDDE8B

EFLAGS=00000246

-
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5636

Posted: Wed Oct 09, 2013 7:47 am

You should try removing parts from your script to see what is causing the problem. Here are some things that you should try:

1. I would say check if the code injection itself may cause the problem, but if your old script worked fine, this is done, I guess. Unless that was crashing too sometimes.

2. Replace fstp st(0) with the original code, so in both cases the original code will be executed.

3. Remove the cmp code. Remove pushfd/popfd, replace your jne with a jmp instead.

4. Use another register instead of eax in your script. ESI or EDI is the usual choice for me, depending on the game.

5. Don't use push eax and pop eax; store the value "manually", e.g.

mov [allocatedmemory],eax
mov eax,[allocatedmemory]

Preferably combine this with the 4th point and don't use eax at all; use another register.

6. Leave out the whole

push eax
add eax,24
mov eax,[eax]
add eax,3a8
mov eax,[eax]
cmp eax,00000001
pop eax

part from your script to see if any of these instructions are causing the problem.

You only mess with the stack and the value. If one of them is causing a crash, removing these parts from the script one by one or in combination should reveal which part is causing the error.

It doesn't matter that your cheat will not work while you are debugging your script; just make a functional script, even if it has no effect in the game, only for the sake of testing which part is causing the crash.

Also, these are not just independent versions; try to combine them. E.g. remove all push/pop instructions from your script so the stack is not used by it at all. You can do this if you get rid of the cmp instruction and also get rid of the register-juggling part at the same time, or if you store the register in an allocated memory address instead of using push/pop and, while you are there, use something else instead of eax.

Page 6 of 7

 
Powered by phpBB © 2001, 2005 phpBB Group
