Cheat Engine
The Official Site of Cheat Engine

Washington
Guest

Posted: Tue Apr 18, 2017 2:47 pm    Post subject: Pointer trouble; have pointer formula

Hi, I'm trying to figure out pointers for things like Gold, Lumber, and Oil in Warcraft II. I've figured out a formula that works for these addresses, however I'm not sure how to translate this into something usable with Cheat Engine.

Every address that holds the values I'm looking for has the following structure:

GOLD:
 Code: 100D31CC - (FFFFFFFF - dosbox.exe+38B9FC) - 1

LUMBER:
 Code: 100D318C - (FFFFFFFF - dosbox.exe+38B9FC) - 1

I derived these formulas after much trial and error, and I have consistently been able to get the addresses I want using them. Now, I'm trying to convert this into a pointer for Cheat Engine to use.

When I disassemble using Cheat Engine, the code I get is
 Code: mov [eax + ecx], edx

To show where my formula came from, for Gold,

eax+ecx = 1085801EC

As you can see, these values are intimately related. I figured out the formula by subtracting the ecx value from the maximum value of an address (FFFFFFFF) and then subtracting that new value from eax

eax - (FFFFFFFF - ecx) = eax - 7B52FDF = 85801ED

Clearly, this is just 085801EC + 1, so I subtracted 1 in the 'general' formula and here I am. Sorry for the long explanation of my process, I'm being overly didactic for the sake of clarity.

Back to the problem at hand.

The eax values never change, restart after restart. It is the ecx values that change slightly with every iteration of the program and every level change. However, the pointer to the ecx value is dosbox.exe+38B9FC.
Thus I should have all of the information required to make a pointer for these values, and they should only be a trivial offset apart from one another, as I can easily find the other values by simply incrementing the value of one address by "10" in either direction.

Can anyone help me put this into a pointer format? I've tried messing with offsets and the like, but none of it is helping me figure this out. If you need any other info just let me know.
sbryzl
Expert Cheater
Reputation: 4

Joined: 25 Jul 2016
Posts: 136

Posted: Tue Apr 18, 2017 7:35 pm    Post subject:

Try entering in the address field without parentheses: 100D31CC-FFFFFFFF+dosbox.exe+38B9FC-1
Guest

Posted: Thu Apr 20, 2017 7:47 am    Post subject:

 sbryzl wrote: Try entering in the address field without parentheses: 100D31CC-FFFFFFFF+dosbox.exe+38B9FC-1

Unfortunately that didn't work. I tried to enter that address manually and it didn't resolve to anything. When I put dosbox.exe+38B9FC as a pointer I get the offset, which I can then use to calculate the values I want. However dosbox.exe+38B9FC itself isn't the address I need to be manipulating, it contains the address I need to be manipulating.
FreeER
Grandmaster Cheater
Reputation: 27

Joined: 09 Aug 2013
Posts: 666

Posted: Thu Apr 20, 2017 10:09 am    Post subject:

Hm if you try to simplify this like a typical math equation then (at least for a 32bit program which I think dosbox is)

 Code: 100D31CC - (FFFFFFFF - dosbox.exe+38B9FC) - 1
is just
 Code: 100D31CC - (-1 - dosbox.exe+38B9FC) - 1

 Code: 100D31CC +(1 + dosbox.exe+38B9FC) - 1

 Code: 100D31CC + 1 + dosbox.exe+38B9FC - 1

 Code: 100D31CC + dosbox.exe+38B9FC

 Code: dosbox.exe+38B9FC+100D31CC
which could be reduced to
 Code: dosbox.exe+1045EBC8

So perhaps try something like that.

Unless you're supposed to be reading the memory at FFFFFFFF - dosbox.exe+38B9FC (-1-dosbox.exe+38B9FC = -(dosbox.exe+38B9FD)) or even just dosbox.exe+38B9FC, in which case it doesn't simplify to just one line like that in the address list but rather something more like "dosbox.exe+38B9FC" as the base address, 0 as the first offset (so it reads the address at +38...) and 100D31CCC-1 or just 100D31CCB as the second offset so it gets added to the value read from the base address... (lua could use something like "[dosbox.exe+38B9FC]+100D31CC-1" as an address but)
sbryzl
Expert Cheater
Reputation: 4

Joined: 25 Jul 2016
Posts: 136

Posted: Thu Apr 20, 2017 11:03 am    Post subject:

Basically what you're saying is if dosbox.exe+38b9fc is a pointer then the value of gold is
 Code: 100D31CC+[dosbox.exe+38B9FC]

so that's what to put in the address field, or do the extra math if necessary:
 Code: 100D31CC-FFFFFFFF+[dosbox.exe+38B9FC]-1
Washington_
Guest

Posted: Thu Apr 20, 2017 1:50 pm    Post subject:

sbryzl wrote:
Basically what you're saying is if dosbox.exe+38b9fc is a pointer then the value of gold is
 Code: 100D31CC+[dosbox.exe+38B9FC]

so that's what to put in the address field, or do the extra math if necessary:
 Code: 100D31CC-FFFFFFFF+[dosbox.exe+38B9FC]-1

This is close to what I need, however those addresses don't resolve at all in Cheat Engine.

I've tried doing an offset of the pointer dosbox.exe+38B9FC of +100D31CC, however that gives me the address 1085001EC, when I need 085001EC. That's why I came up with that formula in the first place, to try and work around the fact that I have that extra 1 digit in the front. Unfortunately my tinkering hasn't paid off, which is why I'm here in the first place.

A picture of the table I've got so far:
puu.sh/vfT3j/d6c63ab3d3.png
Washington_
Guest

Posted: Thu Apr 20, 2017 1:52 pm    Post subject:

Whoops, wrong image link. That previous link was part of an experiment I was cooking up with some friends at university. puu.sh/vqFaM/752a0c8d63.png
sbryzl
Expert Cheater
Reputation: 4

Joined: 25 Jul 2016
Posts: 136

Posted: Thu Apr 20, 2017 4:27 pm    Post subject:

Have you tried the pointer with an offset of 100D31CC-100000000? Or maybe an offset of FFFFFFFF100D31CC?
Washington_
Guest

Posted: Thu Apr 20, 2017 5:12 pm    Post subject:

 sbryzl wrote: Have you tried the pointer with an offset of 100D31CC-100000000? Or maybe an offset of FFFFFFFF100D31CC?

Yeah, I have. They both are automatically converted back to 1085001EC

What's weird is that the little equation next to the offset shows
 Code: F84AD020 + 100D31CC = 085001EC

However the address that is filled in automatically at the top is 1085001EC.
sbryzl
Expert Cheater
Reputation: 4

Joined: 25 Jul 2016
Posts: 136

Posted: Thu Apr 20, 2017 7:34 pm    Post subject:

Try creating an auto assemble script with this. Enable it and use baddy as a base address.
ParkourPenguin
Grandmaster Cheater Supreme
Reputation: 60

Joined: 06 Jul 2014
Posts: 1893

Posted: Thu Apr 20, 2017 9:07 pm    Post subject:

As an aside, I would like to point out that the value 1085801EC overflows to 085801EC when interpreted as a 32-bit value (i.e. an address). It's a bug on CE's part if it can't handle that. I've seen this happen with some debugging stuff in the past, but it seems to be working in CE 6.6 for the few things I've tested. If eax is 100D31CC and ecx is F84AD020, then eax + ecx = 085801EC. This is a result of modular arithmetic, but a simpler way to think about this is that the result is truncated to 32 bits. The address list and the auto assembler both seem capable of handling this in CE 6.6 (with the usual parsing restrictions, of course). (In a 64-bit process, addresses take up 64 bits instead of 32, but based on your use of eax/ecx instead of rax/rcx, I figured you were dealing with a 32-bit process)

_________________
I don't know where I'm going, but I'll figure it out when I get there.
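The arithmetic behind FreeER's simplification and ParkourPenguin's truncation remark, worked through in Python as an added example (this is not code from the thread or from Cheat Engine). It uses the eax and ecx values quoted in the thread (100D31CC and F84AD020) and emulates a CE-style pointer entry against a small constructed memory image; the dosbox.exe load address 0x00400000 and the 16-byte fake memory region are assumptions, not values from the game.

```python
import struct

MASK32 = 0xFFFFFFFF


def formula_original(eax, ecx):
    """Washington's formula from the first post: eax - (FFFFFFFF - ecx) - 1.
    Written in plain integers it needs no wraparound at all."""
    return eax - (MASK32 - ecx) - 1


def formula_simplified(eax, ecx):
    """FreeER's algebraic reduction: the formula is just eax + ecx once the
    sum is truncated to 32 bits, which is exactly the effective-address
    computation the CPU performs for mov [eax+ecx], edx."""
    return (eax + ecx) & MASK32


def formula_untruncated(eax, ecx):
    """What a 64-bit address calculator produces: the carry out of bit 31
    survives, giving the extra leading '1' digit seen in the thread."""
    return eax + ecx


# Constructed memory image (NOT a dump of the real game): a few bytes located
# at dosbox.exe+38B9FC, where the thread says the ecx value is stored.
MODULE_BASE = 0x00400000       # assumed load address of dosbox.exe
POINTER_RVA = 0x38B9FC         # from the thread
ECX_VALUE = 0xF84AD020         # from the thread
GOLD_OFFSET = 0x100D31CC       # eax for Gold, from the thread
LUMBER_OFFSET = 0x100D318C     # eax for Lumber, from the thread


class FakeProcess:
    """Minimal stand-in for 'read 4 bytes from the target process'."""

    def __init__(self, region_start, data):
        self.region_start = region_start
        self.data = data

    def read_u32(self, addr):
        # Little-endian 32-bit read, as on x86.
        return struct.unpack_from("<I", self.data, addr - self.region_start)[0]


def build_fake_process():
    data = bytearray(16)
    struct.pack_into("<I", data, 0, ECX_VALUE)   # [dosbox.exe+38B9FC] = ecx
    return FakeProcess(MODULE_BASE + POINTER_RVA, data)


def resolve_pointer(proc, module_base, rva, offset, address_bits=32):
    """Emulate a CE pointer entry: base 'dosbox.exe+rva', read the pointer
    stored there, then add 'offset'. address_bits decides whether the add
    wraps like the target process (32) or keeps the carry (64)."""
    ptr = proc.read_u32(module_base + rva)
    mask = (1 << address_bits) - 1
    return (ptr + offset) & mask


def resolve_all(address_bits=32):
    """Resolve both resource addresses; returns {name: address}."""
    proc = build_fake_process()
    return {
        name: resolve_pointer(proc, MODULE_BASE, POINTER_RVA, off, address_bits)
        for name, off in (("gold", GOLD_OFFSET), ("lumber", LUMBER_OFFSET))
    }


if __name__ == "__main__":
    eax, ecx = GOLD_OFFSET, ECX_VALUE
    print(f"original formula : {formula_original(eax, ecx):09X}")
    print(f"32-bit truncated : {formula_simplified(eax, ecx):09X}")
    print(f"64-bit (no wrap) : {formula_untruncated(eax, ecx):09X}")
    for bits in (32, 64):
        for name, addr in resolve_all(bits).items():
            print(f"{bits}-bit resolve {name:6}: {addr:09X}")
```

All three closed forms agree on 085801EC for Gold once the addition is taken modulo 2^32; only the untruncated 64-bit sum yields 1085801EC, which is the symptom Washington saw with the 64-bit build of Cheat Engine.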
Guest

Posted: Fri Apr 21, 2017 7:25 am    Post subject:

 ParkourPenguin wrote: As an aside, I would like to point out that the value 1085801EC overflows to 085801EC when interpreted as a 32-bit value (i.e. an address). It's a bug on CE's part if it can't handle that. I've seen this happen with some debugging stuff in the past, but it seems to be working in CE 6.6 for the few things I've tested. If eax is 100D31CC and ecx is F84AD020, then eax + ecx = 085801EC. This is a result of modular arithmetic, but a simpler way to think about this is that the result is truncated to 32 bits. The address list and the auto assembler both seem capable of handling this in CE 6.6 (with the usual parsing restrictions, of course). (In a 64-bit process, addresses take up 64 bits instead of 32, but based on your use of eax/ecx instead of rax/rcx, I figured you were dealing with a 32-bit process)

I was thinking of it as modular, which is how I arrived at my formula to begin with.

Turns out my issue was that I was using the 64 bit version of Cheat Engine, and I didn't even notice it until your post. Thanks a lot! You've saved me a lot of headache