Pointer trouble; have pointer formula

Washington
Guest





Posted: Tue Apr 18, 2017 2:47 pm    Post subject: Pointer trouble; have pointer formula

Hi, I'm trying to figure out pointers for things like Gold, Lumber, and Oil in Warcraft II. I've figured out a formula that works for these addresses; however, I'm not sure how to translate this into something usable with Cheat Engine.

Every address that holds the values I'm looking for has the following structure:

GOLD:
Code:
100D31CC - (FFFFFFFF - dosbox.exe+38B9FC) - 1


LUMBER:
Code:
100D318C - (FFFFFFFF - dosbox.exe+38B9FC) - 1



I derived these formulas after much trial and error, and I have consistently been able to get the addresses I want using them. Now, I'm trying to convert this into a pointer for Cheat Engine to use.

When I disassemble using Cheat Engine, the code I get is
Code:
mov [eax + ecx], edx


To show where my formula came from, for Gold,
Code:
eax=100D31CC
ecx=F84AD020


eax+ecx = 1085801EC
Address for Gold: 085801EC

As you can see, these values are intimately related. I figured out the formula by subtracting the ecx value from the maximum value of an address (FFFFFFFF) and then subtracting that new value from eax:

eax - (FFFFFFFF - ecx) = eax - 7B52FDF = 85801ED

Clearly, this is just 085801EC + 1, so I subtracted 1 in the 'general' formula and here I am. Sorry for the long explanation of my process, I'm being overly didactic for the sake of clarity.

Back to the problem at hand.

The eax values never change, restart after restart. It is the ecx values that change slightly with every iteration of the program and every level change. However, the pointer to the ecx value is dosbox.exe+38B9FC.
Thus I should have all of the information required to make a pointer for these values, and they should only be a trivial offset apart from one another, as I can easily find the other values by simply incrementing the value of one address by "10" in either direction.

Can anyone help me put this into a pointer format? I've tried messing with offsets and the like, but none of it is helping me figure this out. If you need any other info just let me know.
sbryzl
Advanced Cheater
Reputation: 3

Joined: 25 Jul 2016
Posts: 97

Posted: Tue Apr 18, 2017 7:35 pm

Try entering it in the address field without parentheses:
100D31CC-FFFFFFFF+dosbox.exe+38B9FC-1
Guest






Posted: Thu Apr 20, 2017 7:47 am

sbryzl wrote:
Try entering it in the address field without parentheses:
100D31CC-FFFFFFFF+dosbox.exe+38B9FC-1


Unfortunately that didn't work. I tried to enter that address manually and it didn't resolve to anything. When I put dosbox.exe+38B9FC as a pointer I get the offset, which I can then use to calculate the values I want. However dosbox.exe+38B9FC itself isn't the address I need to be manipulating, it contains the address I need to be manipulating.
FreeER
Master Cheater
Reputation: 10

Joined: 09 Aug 2013
Posts: 298

Posted: Thu Apr 20, 2017 10:09 am

Hm, if you try to simplify this like a typical math equation, then (at least for a 32-bit program, which I think dosbox is)

Code:
100D31CC - (FFFFFFFF - dosbox.exe+38B9FC) - 1
is just
Code:
100D31CC - (-1 - dosbox.exe+38B9FC) - 1

Code:
100D31CC +(1 + dosbox.exe+38B9FC) - 1

Code:
100D31CC + 1 + dosbox.exe+38B9FC - 1

Code:
100D31CC + dosbox.exe+38B9FC

Code:
dosbox.exe+38B9FC+100D31CC
which could be reduced to
Code:
dosbox.exe+1045EBC8


So perhaps try something like that.

Unless you're supposed to be reading the memory at FFFFFFFF - dosbox.exe+38B9FC (-1-dosbox.exe+38B9FC = -(dosbox.exe+38B9FD)) or even just dosbox.exe+38B9FC, in which case it doesn't simplify to just one line like that in the address list, but rather something more like "dosbox.exe+38B9FC" as the base address, 0 as the first offset (so it reads the address at +38...) and 100D31CCC-1 or just 100D31CCB as the second offset, so it gets added to the value read from the base address... (Lua could use something like "[dosbox.exe+38B9FC]+100D31CC-1" as an address, but)
sbryzl
Advanced Cheater
Reputation: 3

Joined: 25 Jul 2016
Posts: 97

Posted: Thu Apr 20, 2017 11:03 am

Basically what you're saying is: if dosbox.exe+38b9fc is a pointer, then the value of gold is
Code:
100D31CC+[dosbox.exe+38B9FC]

so that's what to put in the address field, or do the extra math if necessary:
Code:
100D31CC-FFFFFFFF+[dosbox.exe+38B9FC]-1
Washington_
Guest





Posted: Thu Apr 20, 2017 1:50 pm

sbryzl wrote:
Basically what you're saying is: if dosbox.exe+38b9fc is a pointer, then the value of gold is
Code:
100D31CC+[dosbox.exe+38B9FC]

so that's what to put in the address field, or do the extra math if necessary:
Code:
100D31CC-FFFFFFFF+[dosbox.exe+38B9FC]-1


This is close to what I need, however those addresses don't resolve at all in Cheat Engine.

I've tried doing an offset of the pointer dosbox.exe+38B9FC of +100D31CC, however that gives me the address 1085001EC, when I need 085001EC. That's why I came up with that formula in the first place, to try and work around the fact that I have that extra 1 digit in the front. Unfortunately my tinkering hasn't paid off, which is why I'm here in the first place.

A picture of the table I've got so far:
puu sh/vfT3j/d6c63ab3d3.png
Washington_
Guest





Posted: Thu Apr 20, 2017 1:52 pm

Whoops, wrong image link. That previous link was part of an experiment I was cooking up with some friends at university.

puu sh/vqFaM/752a0c8d63.png
sbryzl
Advanced Cheater
Reputation: 3

Joined: 25 Jul 2016
Posts: 97

Posted: Thu Apr 20, 2017 4:27 pm

Have you tried the pointer with an offset of 100D31CC-100000000?
Or maybe an offset of FFFFFFFF100D31CC?
Washington_
Guest





Posted: Thu Apr 20, 2017 5:12 pm

sbryzl wrote:
Have you tried the pointer with an offset of 100D31CC-100000000?
Or maybe an offset of FFFFFFFF100D31CC?


Yeah, I have. They both are automatically converted back to 1085001EC.

What's weird is that the little equation next to the offset shows
Code:
F84AD020 + 100D31CC = 085001EC


However the address that is filled in automatically at the top is 1085001EC.
sbryzl
Advanced Cheater
Reputation: 3

Joined: 25 Jul 2016
Posts: 97

Posted: Thu Apr 20, 2017 7:34 pm

Try creating an auto assemble script with this. Enable it and use baddy as a base address.
Code:
[ENABLE]
label(baddy)
registersymbol(baddy)

[dosbox.exe+38B9FC]+FFFFFFFF100D31CC:
baddy:

[DISABLE]
unregistersymbol(baddy)
ParkourPenguin
Grandmaster Cheater Supreme
Reputation: 52

Joined: 06 Jul 2014
Posts: 1774
Location: Arcadian Suburbia

Posted: Thu Apr 20, 2017 9:07 pm

As an aside, I would like to point out that the value 1085801EC overflows to 085801EC when interpreted as a 32-bit value (i.e. an address). It's a bug on CE's part if it can't handle that. I've seen this happen with some debugging stuff in the past, but it seems to be working in CE 6.6 for the few things I've tested.

If eax is 100D31CC and ecx is F84AD020, then eax + ecx = 085801EC. This is a result of modular arithmetic, but a simpler way to think about this is that the result is truncated to 32 bits. The address list and the auto assembler both seem capable of handling this in CE 6.6 (with the usual parsing restrictions, of course).

(In a 64-bit process, addresses take up 64 bits instead of 32, but based on your use of eax/ecx instead of rax/rcx, I figured you were dealing with a 32-bit process)

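A worked version of the arithmetic in this thread, added here as an example (it is not code from the thread or from Cheat Engine). It reproduces the effective address of `mov [eax+ecx], edx` with 32-bit wraparound, shows that the poster's trial-and-error formula is the same sum with the carry subtracted by hand, and shows why a 64-bit build yields 1085801EC while sbryzl's FFFFFFFF100D31CC offset still lands on the right address. The eax/ecx values are the ones the poster reported; everything else is constructed.

```python
MASK32 = (1 << 32) - 1
MASK64 = (1 << 64) - 1

# Sample input: register values the poster reported for Gold in one session.
EAX_GOLD = 0x100D31CC      # fixed across restarts
EAX_LUMBER = 0x100D318C    # fixed across restarts
ECX = 0xF84AD020           # read from [dosbox.exe+38B9FC]; varies per run/level


def add_wrapped(a: int, b: int, bits: int) -> int:
    """Add as a CPU of the given width does: keep only the low `bits` bits."""
    return (a + b) & ((1 << bits) - 1)


def mov_target(eax: int, ecx: int) -> int:
    """Effective address of `mov [eax+ecx], edx` in a 32-bit process."""
    return add_wrapped(eax, ecx, 32)


def poster_formula(eax: int, ecx: int) -> int:
    """The poster's formula: eax - (FFFFFFFF - ecx) - 1.

    Rearranged, this is eax + ecx - 0x100000000: it removes the carry out
    of bit 31 by hand, so it matches mov_target only when eax + ecx actually
    overflows 32 bits (it goes negative otherwise)."""
    return eax - (MASK32 - ecx) - 1


def formula_holds(eax: int, ecx: int) -> bool:
    """True when the poster's formula and the CPU's truncation agree."""
    return poster_formula(eax, ecx) == mov_target(eax, ecx)


def ce64_pointer_result(base_value: int, offset: int) -> int:
    """What a 64-bit build computes for [base]+offset: a 64-bit add, so the
    carry survives as the leading '1' the poster saw (1085801EC)."""
    return add_wrapped(base_value, offset, 64)


def wrap_offset_for_64bit(offset32: int) -> int:
    """sbryzl's trick: express offset - 2**32 as a 64-bit two's-complement
    value (0x100D31CC -> 0xFFFFFFFF100D31CC) so the 64-bit add cancels the
    carry and yields the same address a 32-bit add would."""
    return (offset32 - (1 << 32)) & MASK64


if __name__ == "__main__":
    print(f"gold   @ {mov_target(EAX_GOLD, ECX):08X}")
    print(f"lumber @ {mov_target(EAX_LUMBER, ECX):08X}")
    print(f"64-bit CE with raw offset: {ce64_pointer_result(ECX, EAX_GOLD):X}")
    print(f"64-bit CE with wrapped offset: "
          f"{ce64_pointer_result(ECX, wrap_offset_for_64bit(EAX_GOLD)):X}")
```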
Guest






Posted: Fri Apr 21, 2017 7:25 am

ParkourPenguin wrote:
As an aside, I would like to point out that the value 1085801EC overflows to 085801EC when interpreted as a 32-bit value (i.e. an address). It's a bug on CE's part if it can't handle that. I've seen this happen with some debugging stuff in the past, but it seems to be working in CE 6.6 for the few things I've tested.

If eax is 100D31CC and ecx is F84AD020, then eax + ecx = 085801EC. This is a result of modular arithmetic, but a simpler way to think about this is that the result is truncated to 32 bits. The address list and the auto assembler both seem capable of handling this in CE 6.6 (with the usual parsing restrictions, of course).

(In a 64-bit process, addresses take up 64 bits instead of 32, but based on your use of eax/ecx instead of rax/rcx, I figured you were dealing with a 32-bit process)


I was thinking of it as modular, which is how I arrived at my formula to begin with.

Turns out my issue was that I was using the 64-bit version of Cheat Engine, and I didn't even notice it until your post. Thanks a lot! You've saved me a lot of headache.