Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Modifying life bar value One Piece for GBA Emulator

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking
View previous topic :: View next topic  
Author Message
shonenfall
How do I cheat?
Reputation: 0

Joined: 31 Dec 2017
Posts: 4

PostPosted: Sun Dec 31, 2017 8:14 am    Post subject: Modifying life bar value One Piece for GBA Emulator Reply with quote

I'm using the NO$GBA emulator to play Shonen Jump's One Piece.
My goal is to modify the life (bar) value to be eventually able to have infinite life.

With the tuts I was already able to find the life bar value (scan > search for decreased value and repeat), though it seems that this found value is only the variable for the visual life bar, and not the actual life itself.

The value for the full life bar is 64 in dec. When I find the address to that life bar it takes me about 3 to 4 enemy hits where each hit reduces the life bar by 4, leaving me with with a 48-52 life bar value in the end.

In the picture I attached you can see two screenshots. The left one is the current state of the life bar with a value of 24. The right one is an attempt on modifying the value to 64 (full life). What happens though is that (similar to life bars in fighting games) a lighter bar fills up to max and then immediately goes back. Basically this is evidence that found address isn't the value for the life variable but only for the life bar. Freezing the address (by ticking the box under 'Active') didn't work either.


Next step was to see what [b]writes[/b] to this address. After receiving another enemy attack following instruction is found (with the instructions surrounding it):

[code]0040C1EC - 75 0A - jne NO$GBA.EXE+C1F8
0040C1EE - 03 9D 28550000 - add ebx,[ebp+00005528]
0040C1F4 - 66 89 03 - mov [ebx],ax <<
0040C1F7 - C3 - ret
0040C1F8 - 83 E3 FE - and ebx,-02[/code]

Genius me thinks that replacing the instruction at 0040C1F4 with NOP would solve everything, since genius me thinks that ax is the damage taken and [ebx] is the life bar value, so a NOP would essentially be the key. But unfortunately it is not. GBA freezes upon doing that.

This is where I'm stuck.
Any tips on how to further progress?
Sorry if I didn't provide enough information.



op.jpg
 Description:
 Filesize:  89.21 KB
 Viewed:  427 Time(s)

op.jpg


Back to top
View user's profile Send private message
TheyCallMeTim13
Wiki Contributor
Reputation: 5

Joined: 24 Feb 2017
Posts: 146
Location: Right Here Buddy.

PostPosted: Sun Dec 31, 2017 11:12 am    Post subject: Reply with quote

I would look above that to see what is writing to the EAX registry.
Quote:
EAX is the full 32-bit value
AX is the lower 16-bits
AL is the lower 8 bits
AH is the bits 8 through 15 (zero-based)

_________________
A: What manner of man are you that can summon up fire without flint or tinder?
T: I... am an enchanter.
Back to top
View user's profile Send private message
shonenfall
How do I cheat?
Reputation: 0

Joined: 31 Dec 2017
Posts: 4

PostPosted: Tue Jan 02, 2018 2:32 am    Post subject: Reply with quote

I have difficulties with finding the right instruction for when the enemy attack reduces the life bar. In other words scrolling up and searching for EAX didn't help me, I found some occurrences where EAX was the target in an instruction, though this instruction wasn't the one needed.

I figured if there was some way to jump to an instruction if the EAX register gets a certain value. So if somewhere there is an instruction that loads 0x00000034 into EAX the debugger should break.

Is there such a function that 'watches' a register and breaks the execution on condition and then even jumps to the instruction that caused the condition to be true?
Back to top
View user's profile Send private message
TheyCallMeTim13
Wiki Contributor
Reputation: 5

Joined: 24 Feb 2017
Posts: 146
Location: Right Here Buddy.

PostPosted: Tue Jan 02, 2018 2:45 am    Post subject: Reply with quote

Set the break point, then View -> Break point list.
then highlight the break point in the list right click, and set condition is an option.

Then I think it's just say "EAX==0x123C" or what ever the condition is.

_________________
A: What manner of man are you that can summon up fire without flint or tinder?
T: I... am an enchanter.
Back to top
View user's profile Send private message
shonenfall
How do I cheat?
Reputation: 0

Joined: 31 Dec 2017
Posts: 4

PostPosted: Tue Jan 02, 2018 12:34 pm    Post subject: Reply with quote

Ok, so I found the instruction that loads the new life bar value into eax.
I still couldn't backtrack everything though.

The instruction I found is at +153EC (see picture), this is eventually the life bar value.
Theoretically I should be able to replace this instruction with something like

mov eax, 40

to at least have the life bar always stay the same, right?
Replacing the instruction though always ends up in either the emulator crashing or just freezing. When I replace the instruction cheat engine asks if I want to fill up with some nops, whether choosing yes or no both don't work.

I think I'm making some logical thinking mistakes, any help here?



inst.jpg
 Description:
 Filesize:  155.84 KB
 Viewed:  340 Time(s)

inst.jpg


Back to top
View user's profile Send private message
LewcowVaal
Cheater
Reputation: 0

Joined: 30 Dec 2017
Posts: 25

PostPosted: Tue Jan 02, 2018 12:43 pm    Post subject: Reply with quote

shonenfall wrote:
Ok, so I found the instruction that loads the new life bar value into eax.
I still couldn't backtrack everything though.

The instruction I found is at +153EC (see picture), this is eventually the life bar value.
Theoretically I should be able to replace this instruction with something like

mov eax, 40

to at least have the life bar always stay the same, right?
Replacing the instruction though always ends up in either the emulator crashing or just freezing. When I replace the instruction cheat engine asks if I want to fill up with some nops, whether choosing yes or no both don't work.

I think I'm making some logical thinking mistakes, any help here?


You first need to make sure that the instruction is correct, then before moving a value into an address, make sure that the instruction is accessing only that single address; otherwise that instruction is probably a shared one and you need to dissect the structures/registers of the addresses accessed and compare values at offsets.
Back to top
View user's profile Send private message
TheyCallMeTim13
Wiki Contributor
Reputation: 5

Joined: 24 Feb 2017
Posts: 146
Location: Right Here Buddy.

PostPosted: Tue Jan 02, 2018 12:45 pm    Post subject: Reply with quote

Right click that instruction and select "See what addresses this instruction accesses", my bet is that that you are writing to more than just the player health. If so then you would need to find an identifier some where in the structure, for back trace the base address to a spot that only it is calculated for the player then store that to use as a check. Step 9 on the Cheat Engine tutorial goes over shared opcode and can be every helpful if completed.
_________________
A: What manner of man are you that can summon up fire without flint or tinder?
T: I... am an enchanter.
Back to top
View user's profile Send private message
shonenfall
How do I cheat?
Reputation: 0

Joined: 31 Dec 2017
Posts: 4

PostPosted: Thu Jan 04, 2018 8:06 am    Post subject: Reply with quote

Thanks for the tips. I went over the shared code tutorial but unfortunately the instruction I found is not the one I need. After that I tried "dissect data with selected addresses" for the instruction at +C1F4 (see further down) but except the life bar value itself there are only some pointers and weird values around it and nothing else. That's why I thought I'll RE some more through the instructions.



I decided to go from start again and put a breakpoint on the life bar address for when it is being written. I should add here that the instruction that is found upon breaking when receving damage is also used by other functions in the game, ie setting a breakpoint on that instruction without conditions will instantly break.
The found instruction is:

Code:
NO$GBA.EXE+C1F4 mov [ebx], ax

EBX is the life bar address, hence [ebx] is where the new value for the life bar is placed.


So after the break on write I did following:

What I did:
I went back about 2 to 3 calls to do a trace of 3000 instructions. My goal was to find the instruction jumping to +153CC in the picture (prior post), as there was no ret address in the stack. Upon doing that I found two instances where a jump to +153CC occured, both times from a different instruction.
Note: I'm not sure how the trace exactly works, but the game freezes during it so that receiving an enemy hit during it doesn't work.

Code:

First instance:

00413F2D - jmp dword ptr [ebx*4+0045DD34]
0045DF34 = (pointer)NO$GBA.EXE+153CC
EAX=00000002
EBX=00000080
ECX=00000000
EDX=00008008
ESI=084F9712
EDI=0000000C
EBP=02891100
ESP=0019FF48
EIP=00413F2D

EFLAGS=00000206

-
004153CC - mov ebx,edx
EAX=00000002
EBX=00000080
ECX=00000000
EDX=00008008
ESI=084F9712
EDI=0000000C
EBP=02891100
ESP=0019FF48
EIP=004153CC

EFLAGS=00000206
----------------------------------------------------------

Second instance:

00413E6A - jmp dword ptr [ebx*4+0045DD34]
0045DF34 = (pointer)NO$GBA.EXE+153CC
EAX=00000002
EBX=00000080
ECX=00000000
EDX=0000800A
ESI=084EE7A6
EDI=0000000C
EBP=02891100
ESP=0019FF48
EIP=00413E6A

EFLAGS=00000206

-
004153CC - mov ebx,edx
EAX=00000002
EBX=00000080
ECX=00000000
EDX=0000800A
ESI=084EE7A6
EDI=0000000C
EBP=02891100
ESP=0019FF48
EIP=004153CC

EFLAGS=00000206


I also noticed that in both instances the ESI register is still the same after the jump. Then going further down this rabbit hole leads me in both cases to the +C1F4 instruction where the ESI register is still the same!

I figured that for when I receive damage the process has to be the same.
In order to verify my theory the next step was to write down the ESI register from the inital break on write and to set a conditional breakpoint on +153CC with ESI == 0x81B8EEE (said ESI register value). Upon running the game and walking into an opponent to receive a hit, the debugger successfully performed a break.

And here is where I'm stuck. The two instances from the trace which jump to +153CC both don't run when an enemy hit is received. I tested this the same way as before: With a conditional breakpoint, ESI == 0x81B8EEE.

This tells me that the instruction at +153CC is being jumped to from somewhere else, and since it's a jump I have no chance of backtracking to it.

I know my explanation is kinda all over the place, sorry for that.
Any tips here?
Back to top
View user's profile Send private message
TheyCallMeTim13
Wiki Contributor
Reputation: 5

Joined: 24 Feb 2017
Posts: 146
Location: Right Here Buddy.

PostPosted: Thu Jan 04, 2018 9:56 am    Post subject: Reply with quote

Well for the break and trace you can pause the process set the break and trace then set your condition, and then just unpause the process and this should allow you to break and trace conditionally. Break points for the break and trace show as just a break point.

Maybe try and find where the game pulls the value to setup for putting it on the screen, this should be a spot that only the player structure runs in and would constantly update and allow you to hook the address to use for a check in a script or you could just cram a max. value at that point as well, the max. should also be pulled around that point to know the filled point of the life bar. At least that is my thinking.

_________________
A: What manner of man are you that can summon up fire without flint or tinder?
T: I... am an enchanter.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites