Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
how do i find a value that is generated at random?

 
tottiy
Newbie cheater
Reputation: 0

Joined: 29 Jul 2013
Posts: 14

Posted: Sun Dec 03, 2017 4:56 pm    Post subject: how do i find a value that is generated at random?

As the title says, I have a number that is randomly generated. My only way to find it is to add one to the value right after it is generated, so I can only find the value once, but it is not being used again, so I can't find what writes to it. I want to find a pointer to said value without using pointer scan. pls help!







Game: Knights of Pen and Paper 2
Wanted Value: any/all dice roll values
Extra: Use items in game-room to add 1 to any roll
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Sun Dec 03, 2017 11:17 pm

The Cheat Engine tutorial is your friend to practice on; there are many steps that generate a random number.

The Cheat Engine tutorial is a perfect example for many cheat types.

_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote:
i am a sweetheart.
tottiy
Newbie cheater
Reputation: 0

Joined: 29 Jul 2013
Posts: 14

Posted: Mon Dec 04, 2017 11:36 am

OldCheatEngineUser wrote:
cheat engine tutorial is your friend to practice on, there are many steps that generate a random number.

cheat engine tutorial is a perfect example for many cheat types.


I completed the tutorial long ago. Perhaps you misunderstand that the value is random on the same address, so I will give an example.

Step A
First step: speedhack to slow game down so I can catch the value.
2nd: value is 12 > first scan 4byte = 12
3rd: after 0.25 second, value is 13 > next scan = 13 >Value found address = 18#####
4th: change value to 20 to get bonus. (Finding what writes to this value is useless because the writing is done and the code is abandoned after each roll)
5th: Find what writes this code
6th: Re-roll > no codes found

Step B
First step: speedhack to slow game down so I can catch the value.
2nd: value is 15 > first scan 4byte = 15
3rd: after 0.25 second, value is 16 > next scan = 16 >Value found address = 17A####
4th: change value to 20 to get bonus. (Finding what writes to this value is useless because the writing is done and the code is abandoned after each roll)
5th: Find what writes this code
6th: Re-roll > no codes found


So what I mean is that each re-roll is written to a different address, and those addresses are used only once each.
How do I get a pointer for the dice rolls?
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Mon Dec 04, 2017 11:48 pm

Yes, I misunderstood, but because you said random value.

But now it's about addresses. Anyway, finding what writes to the address can't be useless as you are saying.
For your info, addresses get changed but CODE does not get changed unless it is meant to be changed with a software update.

Try placing the debugger before changing the value to 20 to get the bonus; then you might be able to find what's writing to it.

Or instead, the second you find the address, see what's accessing it and use that instruction as a pointer. Remember that you can pause the game while scanning, or you can also pause it from advanced options.
This will give you more time to deal with this, as the game might be creating and destroying threads.

tottiy
Newbie cheater
Reputation: 0

Joined: 29 Jul 2013
Posts: 14

Posted: Tue Dec 05, 2017 5:19 pm

OldCheatEngineUser wrote:
Helpful Advice


Thanks! I found a pointer that works (on some conditions...) and found a code.
Finally, I want to make it so that when I activate this script it always writes 20. Here is the code after the CE framework and code injection template.

Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

originalcode:
mov [edi+30],eax
mov eax,[00ABEDE0]

exit:
jmp returnhere

137223C4:
jmp newmem
nop
nop
nop
nop
returnhere:


 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
137223C4:
mov [edi+30],eax
mov eax,[00ABEDE0]
//Alt: db 89 47 30 8B 05 E0 ED AB 00


How do I read this code, and how do I get the roll always to 20?
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Tue Dec 05, 2017 10:01 pm

Code:
newmem:
mov eax,14


You might need AOB injection, since code injection is going to be useless at this point where no module addresses are used.
Your script might not activate next time you reload the game.

tottiy
Newbie cheater
Reputation: 0

Joined: 29 Jul 2013
Posts: 14

Posted: Wed Dec 06, 2017 2:06 pm

OldCheatEngineUser wrote:
Helpful Advice again. Thanks!


I tried to use AOB scan, found the unique AOB and added the mov eax,14 code under newmem. I did it all and my pointer value turns to 20... BUT! It wrecks both the codes, and the game does not complete the roll and crashes.

Here is the AOB Injection Code:
Code:
{ Game   : kopp2.exe
  Version:
  Date   : 2017-12-06
  Author : Hp7600

  This script does blah blah blah
}

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

 
 
aobscan(ROLL20,89 47 30 8B 05 ?? ?? ?? ?? 8B 40 28) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:
  mov eax,14

code:
  mov [edi+30],eax
  mov eax,[0063EDE0]
  jmp return

ROLL20:
  jmp newmem
  nop
  nop
  nop
  nop
return:
registersymbol(ROLL20)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
ROLL20:
  db 89 47 30 8B 05 ?? ?? ?? ?? 8B 40 28

unregistersymbol(ROLL20)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 0EF79804

0EF797E8: 6A 00                 -  push 00
0EF797EA: 50                    -  push eax
0EF797EB: 39 00                 -  cmp [eax],eax
0EF797ED: E8 86 D5 74 F5        -  call 046C6D78
0EF797F2: 83 C4 10              -  add esp,10
0EF797F5: 83 EC 08              -  sub esp,08
0EF797F8: 6A 15                 -  push 15
0EF797FA: 6A 01                 -  push 01
0EF797FC: E8 87 B3 F5 FF        -  call 0EED4B88
0EF79801: 83 C4 10              -  add esp,10
// ---------- INJECTING HERE ----------
0EF79804: 89 47 30              -  mov [edi+30],eax
0EF79807: 8B 05 E0 ED 63 00     -  mov eax,[0063EDE0]
// ---------- DONE INJECTING  ----------
0EF7980D: 8B 40 28              -  mov eax,[eax+28]
0EF79810: 85 C0                 -  test eax,eax
0EF79812: 7E 0C                 -  jle 0EF79820
0EF79814: 8B 05 E0 ED 63 00     -  mov eax,[0063EDE0]
0EF7981A: 8B 40 28              -  mov eax,[eax+28]
0EF7981D: 89 47 30              -  mov [edi+30],eax
0EF79820: 8B 05 50 BF 46 11     -  mov eax,[1146BF50]
0EF79826: 83 EC 0C              -  sub esp,0C
0EF79829: 50                    -  push eax
0EF7982A: 39 00                 -  cmp [eax],eax
}


And here are my observations about the memory changes:

Code:
===A===Original
13604FD2 - 6A 01                 - push 01 { 1 }
13604FD4 - E8 775FF6FF           - call 1356AF50
13604FD9 - 83 C4 10              - add esp,10 { 16 }
=======================Inject Here===================================
13604FDC - 89 47 30              - mov [edi+30],eax
13604FDF - 8B 05 E0EDF903        - mov eax,[03F9EDE0] { [0FC87E10] }
=======================-----------===================================
13604FE5 - 8B 40 28              - mov eax,[eax+28]
13604FE8 - 85 C0                 - test eax,eax
13604FEA - 7E 0C                 - jle 13604FF8
=======
===B===Activated
13604FD2 - 6A 01                 - push 01 { 1 }
13604FD4 - E8 775FF6FF           - call 1356AF50
13604FD9 - 83 C4 10              - add esp,10 { 16 }
======================Injected Here==================================
ROLL20   - E9 1FB09FF3           - jmp 07000000
13604FE1 - 90                    - nop
13604FE2 - 90                    - nop
13604FE3 - 90                    - nop
13604FE4 - 90                    - nop
=======================-------------=================================
13604FE5 - 8B 40 28              - mov eax,[eax+28]
13604FE8 - 85 C0                 - test eax,eax
13604FEA - 7E 0C                 - jle 13604FF8
=======
===C===Deactivated
13604FD2 - 6A 01                 - push 01 { 1 }
13604FD4 - E8 775FF6FF           - call 1356AF50
13604FD9 - 83 C4 10              - add esp,10 { 16 }
=======================Injection Removed=============================
13604FDC - 89 47 30              - mov [edi+30],eax
13604FDF - 8B 05 90909090        - mov eax,[90909090] { -1869574000 }
=======================-----------------=============================
13604FE5 - 8B 40 28              - mov eax,[eax+28]
13604FE8 - 85 C0                 - test eax,eax
13604FEA - 7E 0C                 - jle 13604FF8
=======


So the code permanently changes the 2nd line from
Code:
13604FDF - 8B 05 E0EDF903        - mov eax,[03F9EDE0] { [0FC87E10] }


to

Code:
13604FDF - 8B 05 90909090        - mov eax,[90909090] { -1869574000 }

while the 1st line remains unchanged. How do I make it so the 2nd line returns back to its original value as well? And why does the code prevent the roll from completing?
Betcha
Expert Cheater
Reputation: 4

Joined: 13 Aug 2015
Posts: 232
Location: Somewhere In Space

Posted: Wed Dec 06, 2017 4:15 pm

Do AOB injection one line up, so it doesn't mess with the:

Code:
mov [edi+30],eax
mov eax,[0063EDE0] <----
jmp return

Or try this :

Code:
[ENABLE]

aobscan(ROLL20,89 47 30 8B 05 ?? ?? ?? ?? 8B 40 28)
alloc(newmem,$100)
label(SaveThis)
label(return)

newmem:
  mov eax,14
  mov [edi+30],eax
  jmp return

SaveThis:
  reassemble(ROLL20+3)
  jmp return

ROLL20:
  jmp newmem
  nop
  nop
  nop
  nop
return:
registersymbol(ROLL20)
registersymbol(SaveThis)

[DISABLE]

ROLL20:
  db 89 47 30

reassemble(SaveThis)

unregistersymbol(ROLL20)
unregistersymbol(SaveThis)
dealloc(newmem)
tottiy
Newbie cheater
Reputation: 0

Joined: 29 Jul 2013
Posts: 14

Posted: Wed Dec 06, 2017 6:53 pm

Betcha wrote:
Do AOB injection one line up


Although I had to add
Code:

newmem:
  mov eax,14<<
code:
  mov [edi+30],eax<<


Now it works, thank you. But I still don't understand why using the code itself would break the next one apart?


This is the working code:
Code:

{ Game   : kopp2.exe
  Version:
  Date   : 2017-12-07
  Author : Hp7600

  This script makes Travel Roll always 20.
}

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

 
 
aobscan(ROLL20,83 C4 10 89 47 30 8B 05 ?? ?? ?? ?? 8B 40 28) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:
  mov eax,14
code:
  add esp,10
  mov [edi+30],eax
  jmp return

ROLL20:
  jmp newmem
  nop
return:
registersymbol(ROLL20)

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
ROLL20:
  db 83 C4 10 89 47 30

unregistersymbol(ROLL20)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 13CAAC61

13CAAC45: 83 EC 08              -  sub esp,08
13CAAC48: 6A 00                 -  push 00
13CAAC4A: 50                    -  push eax
13CAAC4B: 39 00                 -  cmp [eax],eax
13CAAC4D: E8 26 C1 91 F0        -  call 045C6D78
13CAAC52: 83 C4 10              -  add esp,10
13CAAC55: 83 EC 08              -  sub esp,08
13CAAC58: 6A 15                 -  push 15
13CAAC5A: 6A 01                 -  push 01
13CAAC5C: E8 7F 02 F8 FF        -  call 13C2AEE0
// ---------- INJECTING HERE ----------
13CAAC61: 83 C4 10              -  add esp,10
13CAAC64: 89 47 30              -  mov [edi+30],eax
// ---------- DONE INJECTING  ----------
13CAAC67: 8B 05 E0 ED E9 00     -  mov eax,[00E9EDE0]
13CAAC6D: 8B 40 28              -  mov eax,[eax+28]
13CAAC70: 85 C0                 -  test eax,eax
13CAAC72: 7E 0C                 -  jle 13CAAC80
13CAAC74: 8B 05 E0 ED E9 00     -  mov eax,[00E9EDE0]
13CAAC7A: 8B 40 28              -  mov eax,[eax+28]
13CAAC7D: 89 47 30              -  mov [edi+30],eax
13CAAC80: 8B 05 50 BF 57 11     -  mov eax,[1157BF50]
13CAAC86: 83 EC 0C              -  sub esp,0C
13CAAC89: 50                    -  push eax
}
Betcha
Expert Cheater
Reputation: 4

Joined: 13 Aug 2015
Posts: 232
Location: Somewhere In Space

Posted: Thu Dec 07, 2017 1:51 am

tottiy wrote:
I still don't understand why using the code itself would break the next one apart?


Instructions like this mov eax,[0063EDE0] love to change each time the game is restarted.
As you can see, you did the injection one line up and now the instruction is mov eax,[00E9EDE0].
It moves an address into eax, while that address holds some value that affects your dice rolls.
Once the script is active it doesn't do its function, or even worse, the address is replaced with a wrong one.
So, yeah, that's why the game can crash or bug the hell out when you do injections with instructions like this.

The script I posted is with reassemble, which skips / saves the marked array of bytes while the script is active.
So when the script is deactivated everything goes back to its original look. Have you tried it?
tottiy
Newbie cheater
Reputation: 0

Joined: 29 Jul 2013
Posts: 14

Posted: Thu Dec 07, 2017 12:43 pm

Betcha wrote:
The script i posted is with reassemble, what makes skip / save marked array of bytes while script active.
So when script is deactivated everything goes back to its original look. Have you tried it?


I tried it, but it gave me an error when I tried to assign it to my list:
ERROR: Error in line 32 (reassemble(SaveThis)):SaveThis could not be found

reassemble? I've never seen this command before. What is it supposed to do?
Betcha
Expert Cheater
Reputation: 4

Joined: 13 Aug 2015
Posts: 232
Location: Somewhere In Space

Posted: Thu Dec 07, 2017 12:53 pm

Remove line 32, and after Assign add it back.
Ignore the error when pressing OK; just click yes.

You can read my old post with a similar problem; you will see what reassemble is supposed to do.
http://forum.cheatengine.org/viewtopic.php?p=5695436
tottiy
Newbie cheater
Reputation: 0

Joined: 29 Jul 2013
Posts: 14

Posted: Thu Dec 07, 2017 2:06 pm

Betcha wrote:
.....

It doesn't work; it changes the AOB right after the code to A1 E0 instead of 8B 05.
Betcha
Expert Cheater
Reputation: 4

Joined: 13 Aug 2015
Posts: 232
Location: Somewhere In Space

Posted: Thu Dec 07, 2017 2:16 pm

What happens in game, does the dice work or not?
When you deactivate the script, does the game crash or is everything fine?
After deactivation, does it restore the instruction below as it was?
tottiy
Newbie cheater
Reputation: 0

Joined: 29 Jul 2013
Posts: 14

Posted: Thu Dec 07, 2017 4:02 pm

Betcha wrote:
What happens in game, does the dice work or not?
When deactivate script game crashes or everything fine?
After deactivation it restores the instruction below as it was?


The roll doesn't complete, probably because the next code is lost.

Here is the code:

Code:
===A===Original
13D72A02 - 6A 01                 - push 01 { 1 }
13D72A04 - E8 B7A3F7FF           - call 13CECDC0
13D72A09 - 83 C4 10              - add esp,10 { 16 }
=======================Inject Here===================================
13D72A0C - 89 47 30              - mov [edi+30],eax
13D72A0F - 8B 05 E0ED1701        - mov eax,[0117EDE0] { [11647E10] }
=======================-----------===================================
13D72A15 - 8B 40 28              - mov eax,[eax+28]
13D72A18 - 85 C0                 - test eax,eax
13D72A1A - 7E 0C                 - jle 13D72A28
=======
===B===Activated
13D72A02 - 6A 01                 - push 01 { 1 }
13D72A04 - E8 B7A3F7FF           - call 13CECDC0
13D72A09 - 83 C4 10              - add esp,10 { 16 }
======================Injected Here==================================
ROLL20   - E9 EFD590F0           - jmp 04680000
13D72A11 - 90                    - nop
13D72A12 - 90                    - nop
13D72A13 - 90                    - nop
13D72A14 - 90                    - nop
=======================-------------=================================
13D72A15 - 8B 40 28              - mov eax,[eax+28]
13D72A18 - 85 C0                 - test eax,eax
13D72A1A - 7E 0C                 - jle 13D72A28
=======
===C===Deactivated
13D72A02 - 6A 01                 - push 01 { 1 }
13D72A04 - E8 B7A3F7FF           - call 13CECDC0
13D72A09 - 83 C4 10              - add esp,10 { 16 }
=======================Injection Removed=============================
13D72A0C - 89 47 30              - mov [edi+30],eax
13D72A0F - A1 E0ED1701           - mov eax,[0117EDE0] { [11647E10] }
13D72A14 - 90                    - nop
=======================-----------------=============================
13D72A15 - 8B 40 28              - mov eax,[eax+28]
13D72A18 - 85 C0                 - test eax,eax
13D72A1A - 7E 0C                 - jle 13D72A28
=======
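As an added example (not code from this thread and not part of Cheat Engine), here is a small Python patch-integrity checker that works offline on the ===A===/===B===/===C=== listings tottiy pasted above and never touches a process. It covers the three things the thread turns on: how many whole instructions a 5-byte jmp has to swallow at a given injection point (9 bytes and 4 NOPs at `mov [edi+30],eax`, 6 bytes and 1 NOP one line up), how the `E9` displacement in the activated listing is computed, and a byte-for-byte comparison of what a disable section wrote against the original bytes. The filler value for `??` in a `db` restore is an assumption taken from the deactivated listing, which shows `90` in those slots; `ORIGINAL_A` is the thread's own listing copied in as constructed test input. The last check lists displaced instructions that a code cave never re-executes; for a cave of `mov eax,14` / `mov [edi+30],eax` it reports `mov eax,[03F9EDE0]`, the load that `mov eax,[eax+28]` depends on right after the return point.

```python
"""Patch-integrity checks for an inline jmp detour of the kind this thread
pastes.  Added example, not Cheat Engine's code: it only analyses bytes copied
from a disassembly listing and never reads or writes a process."""
from typing import List, NamedTuple, Optional, Tuple

JMP_REL32_LEN = 5   # E9 rel32 is always five bytes
NOP = 0x90          # assumed filler a 'db ?? ??' restore writes (thread's listing shows 90)


class Instr(NamedTuple):
    addr: Optional[int]   # None when the listing shows a symbol such as ROLL20
    raw: bytes
    mnem: str


def parse_listing(listing: str) -> List[Instr]:
    """Parse CE-style lines 'ADDR - BYTES - mnemonic { comment }'.  Separator
    lines (=====) have no ' - ' fields and are skipped."""
    out = []
    for line in listing.splitlines():
        parts = [p.strip() for p in line.split(" - ", 2)]
        if len(parts) != 3:
            continue
        addr_txt, byte_txt, mnem = parts
        try:
            addr: Optional[int] = int(addr_txt, 16)
        except ValueError:
            addr = None
        mnem = mnem.split("{")[0].strip()   # drop CE's '{ value }' annotation
        out.append(Instr(addr, bytes.fromhex(byte_txt.replace(" ", "")), mnem))
    return out


def detour_plan(instrs: List[Instr], start: int = 0) -> Tuple[int, int, int]:
    """(instructions overwritten, bytes overwritten, NOP padding) for a 5-byte
    jmp written at instrs[start].  The overwrite must end on an instruction
    boundary, so whole instructions are swallowed until >= 5 bytes are covered."""
    covered = 0
    for n, ins in enumerate(instrs[start:], 1):
        covered += len(ins.raw)
        if covered >= JMP_REL32_LEN:
            return n, covered, covered - JMP_REL32_LEN
    raise ValueError("listing too short to hold a 5-byte jmp")


def encode_jmp_rel32(src: int, dst: int) -> bytes:
    """E9 rel32: the displacement is measured from the end of the jmp (32-bit wrap)."""
    rel = (dst - (src + JMP_REL32_LEN)) & 0xFFFFFFFF
    return b"\xe9" + rel.to_bytes(4, "little")


def expand_wildcards(template: str, fill: int = NOP) -> bytes:
    """What a 'db 89 47 30 8B 05 ?? ?? ?? ?? ...' restore really writes:
    every ?? token becomes `fill` instead of the original byte."""
    return bytes(fill if tok == "??" else int(tok, 16) for tok in template.split())


def verify_restore(original: bytes,
                   restored: bytes) -> List[Tuple[int, Optional[int], Optional[int]]]:
    """Byte-for-byte diff (offset, expected, actual); an empty list means the
    disable section put the original code back exactly."""
    diffs = []
    for i in range(max(len(original), len(restored))):
        exp = original[i] if i < len(original) else None
        got = restored[i] if i < len(restored) else None
        if exp != got:
            diffs.append((i, exp, got))
    return diffs


def displaced_not_reexecuted(instrs: List[Instr], start: int,
                             cave: List[str]) -> List[str]:
    """Every instruction the jmp displaced must run again inside the code cave
    before it jumps back; this is a plain text match on the mnemonic."""
    n, _, _ = detour_plan(instrs, start)
    present = {m.strip().lower() for m in cave}
    return [ins.mnem for ins in instrs[start:start + n]
            if ins.mnem.lower() not in present]


# Constructed test input: the thread's '===A===Original' listing, copied verbatim.
ORIGINAL_A = """
13604FD2 - 6A 01                 - push 01 { 1 }
13604FD4 - E8 775FF6FF           - call 1356AF50
13604FD9 - 83 C4 10              - add esp,10 { 16 }
13604FDC - 89 47 30              - mov [edi+30],eax
13604FDF - 8B 05 E0EDF903        - mov eax,[03F9EDE0] { [0FC87E10] }
13604FE5 - 8B 40 28              - mov eax,[eax+28]
"""

if __name__ == "__main__":
    ins = parse_listing(ORIGINAL_A)
    print("hook at mov [edi+30],eax:", detour_plan(ins, 3))   # (2, 9, 4)
    print("hook one line up:        ", detour_plan(ins, 2))   # (2, 6, 1)
    print("jmp 07000000 encodes as ", encode_jmp_rel32(0x13604FDC, 0x07000000).hex(" ").upper())
    orig = b"".join(i.raw for i in ins[3:6])
    restored = expand_wildcards("89 47 30 8B 05 ?? ?? ?? ?? 8B 40 28")
    print("wildcard restore damaged offsets:", [d[0] for d in verify_restore(orig, restored)])
    print("cave never re-executes:", displaced_not_reexecuted(ins, 3, ["mov eax,14", "mov [edi+30],eax"]))
```

`verify_restore` also explains the last exchange in the thread: CE's reassemble re-emitted `mov eax,[0117EDE0]` in its shorter `A1 moffs32` form (5 bytes plus a NOP), which is the same instruction with different bytes, so a byte comparison, and any checksum of that code region, still reports a difference even though execution continues correctly at the next instruction.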