What are pointers?
Cheat Engine Forum Index -> Cheat Engine Tutorials -> Pointer tutorials
Zhoul
Master Cheater
Reputation: 1

Joined: 19 Sep 2005
Posts: 394

Posted: Mon Nov 28, 2005 1:56 pm

That's a damn good synopsis of what you're doing, although the word 'stack' is the only thing not properly used, but the idea you're describing is indeed what's happening.

Just to clarify "stack".
The 'stack', from what I know, is the 'total of all registers currently pushed onto the stack'. Registers are pushed onto the stack and popped off the stack. It's just a way to do several different calculations on individual registers, then combine and store them at an end point.

The one thing you may have missed or forgot to mention is "why" we have to do that though. Why not just NOP out the code that writes to nitro? Let's look at the write-to nitro value code...

fstp [esi+000000f8]

FSTP = Store current stack (which is all registers currently pushed onto the stack, combined) to a location (the P in FSTP means pop), then auto-pop all values on the stack (take them off the stack; however, each individual register value remains the same).

If we NOP this line, all the registers currently 'on the stack' are left on the stack. The next time instructions do anything with the stack, certain registers that are not supposed to be on the stack, remain on the stack, therefore, messing up that instruction or set of instructions.

Everything else past that is correct!

As for what my example writes to. I *believe* it's the value that determines how much nitro boost you're currently 'getting'. If you look in the performance settings (pause the game, then go to the performance screen), you'll see an option that lets you change how nitro is used. Either you get more boost for less nitro time, or less boost for more nitro time. So I *think* we're writing 99% boost time (because 100% nitro and 100% boost seem to be the same number; the 99% is because we're writing 100% - 1 cycle's worth of nitro use.)

Sense it does make? It sounds like it from your post =)

Really, we could probably find a set of 0's that separates the current memory block from the next. Usually, 16-32 0's separate memory blocks, so we'd just start at the nitro value in the memory viewer, find the next place 16-32 0's appear, then try writing in there somewhere. Usually, you don't want to write *right* next to the original location as a lot of other data is stored and used near values, but it just so happened that the 'nitro boost' value was right there.

Really, there's all kinds of options as to where to write to, just as long as the FSTP executes so the registers are auto-popped.

Another option...
- We know that it pulls our current nitro value in, then subtracts from it. We could find this sub line and NOP it, so it just keeps writing the current nitro value back up.


- Zhoul

P.S. If anyone else knows of ways around FSTPs, it'd be handy.

P.P.S. I think we should resume this conversation, or any further info on it, in a separate thread... maybe the one directly related to NFS-MW =)
Zhoul
Master Cheater
Reputation: 1

Joined: 19 Sep 2005
Posts: 394

Posted: Mon Nov 28, 2005 8:50 pm    Post subject: More info on pointers, more specifically, values.

This info is something that "comes to you" eventually, but knowing it beforehand would have been helpful. Also, being a programmer, I can explain why this happens.


As with the above NFS-MW saga, we can already gather that certain values sit close to each other. Initial conclusions:

- Once we find a pointer path to one thing, we can assume that other things will be in the 'area'.
- When we find new addresses via searches, we will want to check their address vs. any pointer paths we have found, so we don't have to do so much work for successive additions.

But questions remain...
- "Just what things should we 'expect' to pluck from a specific memory region?"
- "What distances will they be from each other most likely?"
- "It all just looks like a whole bunch of numbers and letters to me, Zhoul"

Coders need to 'define' each piece of memory they use, before they use it. Take a gun and its ammo. You usually have rounds in a clip, then 'extra rounds' to reload a clip with. Right there are 2 'values' that need to be defined.

When coders define values, it's usually at the beginning of a script. They usually group all the defines for 'like' values together. In Visual Basic, defining these two values might look something like this...

Dim lngRoundsInClip As Long, lngRoundsExtra As Long

When that code is compiled into ASM, then executed, two 4-byte values would be created in memory, right next to each other.

So if you find one or the other, you're pretty sure that the one you didn't find, is either the previous/next value, or pretty close (Give or take a few hundred bytes, sometimes...).

In Deer Hunter 2005, I was trying to figure out how to give inf ammo. Well that wasn't hard... I figured out how to keep the clip full, but my darn cross-bow... It had no clip it appeared. 0 ammo in clip. Ahh, there must be a "Ammo in Chamber" value.

I opened the memory viewer at the location of clip ammo, and with inf ammo on, shot a few rounds of a double-barrel shotgun. Ahh, about 16 bytes away, there were two 4-byte values that were 1 before I shot, 0 'during' the shot, then 1 again at the end of the shot.

I force-set both values to 1, the results: amazing.

- One was a true/false (1,0) - as to if there was a round in the chamber.
- The other was a true/false - as to if the 'reload' animation were done.

Force setting them both to 1 not only gave my crossbow the reloads it needed, but gave all my weapons the ability to fire as quick as I could click the mouse button. Of course, I eventually wrote a .vb script that would "mouse click" 20 times at the press of a button.


What won't I find near each other?

You probably won't find the 'mouse cursor' values, next to 'Computer AI Character Location'. Or "Resolution" next to "Current difficulty".

Just think about 'when' the value would have been loaded since the time you started the game. If you've always had mouse control, then values concerning it will be in the 'earlier' parts of memory. If it's something like a pop-up message from something in-game, it's probably defined way later in memory (and will not use the same pointer path).

You can use that knowledge to 'guess' how many pointer levels deep things will be, after getting 1-2 complete pointer paths. With Need for Speed, everything is 2-3 deep, but never deeper (so far). With Black and White 2, tribute, mana and health were all 1-3 deep, but other things like creature stats (strength, muscle, hunger) were all 4 deep, while his feelings were 3 deep.

If a game has a menu system, you can expect that in-game 'stat' values are usually going to be at least 2 deep. Only in older games do we find that we can use a 'static pointer' to point directly to a value like ammunition, health, stamina, etc.

Today, Static Pointers usually point to a block filled mostly with DMA pointers, and other values, like the initial menu system, menu selection, etc. In most cases, there is only 1 static pointer you'll use, it's simply the 'branching path' from there, that will differ.
JONG
Expert Cheater
Reputation: 0

Joined: 30 Nov 2005
Posts: 130

Posted: Wed Nov 30, 2005 3:20 am

Hi Zhoul, first, thanks for sharing your know-how.

How can I change NFSMW speed?

I mean, let my car have a very fast speed immediately.

Thanks for your help.
Zhoul
Master Cheater
Reputation: 1

Joined: 19 Sep 2005
Posts: 394

Posted: Wed Nov 30, 2005 9:12 pm

I started a new thread for NFS-MW talk...

http://forum.cheatengine.org/viewtopic.php?p=27950#27950
finger49059
How do I cheat?
Reputation: 0

Joined: 11 Dec 2005
Posts: 4

Posted: Sun Dec 11, 2005 7:43 pm    Post subject: Okay

Dark Byte wrote:
the pointer will probably be edx


Well you know what they say, stranger things have happened...

van Dijk
Newbie cheater
Reputation: 0

Joined: 08 Apr 2006
Posts: 13

Posted: Mon Apr 24, 2006 11:28 am    Post subject: how to go on !!!

Dear readers,

I wanted to find the static address, if I am correct.
After playing the game I have found the cheat address, which always changed after playing the game again and again, etc. etc.
1. The address which I found this time is: 0E1958CE
2. Right click on address 0E1958CE and click ( Find out what accesses... ).
3. An empty window ( The following opcodes accessed .... )
4. Cheat in game again
5. See in ( The following opcodes accessed..... window ):
005a8da8 - 0f bf 7d 00 - movsx edi, word ptr [ ebp + 00 ]

6. Double click on it and see the next Extra Info window that turns up:
005a8da0 - lea ebp,[eax+000000be]
005a8da8 - jae 005a8dae
>> 005a8da8 - movsx edi,word ptr [ ebp+00 ]
005a8dac - jmp 005a8db0
005a8dae - xor edi,edi

....address is probably 0E1958CE

EAX = 0E195810 EDX = 0202003F ESP = 0012FC88
EBX = 00000000 ESI = 22BA124C EBP = 0E1958CE
ECX = 0E19585C EDI = 00000070 EIP = 005A8DAC

( OK, that's a lot of typing for me with 2 fingers )
So please, what is for me the next step, and after that, the next step?
Would someone be kind enough to help me and explain it, and if so, would the one who wants to help me step by step have the time and patience to do it?

thank you.

( I have seen and read all kinds of different actions to find the real address for cheating.
But I wanted to see it one time step by step, so I could, after a good explanation, do it myself the next time, so I could help another newbie like myself )
me
Grandmaster Cheater
Reputation: 2

Joined: 24 Jun 2004
Posts: 733
Location: location location

Posted: Mon Apr 24, 2006 11:45 am

Do a hex search for the contents of EAX,

EAX = E195810,

so 005a8da0 - lea ebp,[eax+000000be] becomes 005a8da0 - lea ebp,[E195810+000000be],

that means EBP ends up holding [E195810+000000be] which is E1958CE ...

so tick the hex box and search for the contents of EAX,

then the offset for your cheat table is [000000be]; you can just enter the "be" without all the noughts though..

van Dijk
Newbie cheater
Reputation: 0

Joined: 08 Apr 2006
Posts: 13

Posted: Mon Apr 24, 2006 2:19 pm    Post subject: Me problem I think

Me:

When I am right with your steps:

1. HEX search of address 0e188756 ( << this time ) gives me 2 addresses:
230b4c10 and 3389f124

( I'm sure it is the first address, 230b4c10 )
( Then you are telling me in the line below how it works )
( Only this time the addresses are different from the first time of my
question address )

2. The EBP ends up holding [0e188756+000000be] which is e188814

( So here I am getting stuck, I think )
( Why first a HEX search on address 0e188756, which gives
230b4c10 and 3389f124 )
( and then the second search, e188814, which finds nothing )
me
Grandmaster Cheater
Reputation: 2

Joined: 24 Jun 2004
Posts: 733
Location: location location

Posted: Mon Apr 24, 2006 3:01 pm

that seems about right, that is how you can find out which one is stable: you start the game with those addresses in the address list and see which ones still hold the pointer to your address, and delete the ones that don't,

EAX will be changing when you start new games because that's what a pointer does, it's quite normal and a little annoying at times,

anyway whatever address EAX is holding, you do the hex search for; if that is a stable pointer that holds the address you need then just use that with the offset,

but you might as well put a breakpoint on that pointer and see what changes that as well, you might get to the static pointer with a bit of luck, static being a direct address like [01234567] as an imaginary example,

so you've done the right thing and seen that the contents of EAX changes as the new pointer is loaded,

if the pointer trail is a bit long you can always use that like I did with the xgen defend your castle table, just see what the code writes to each time you start a game,
or auto assemble to write the max value to that address whenever the game calls it,

if it holds multiple game variables then you just get it to change when it holds your address or holds a value that is unique to your found address,

for example whenever EDI is holding 70 hex (that is just what EDI is holding in your post), you make sure it is not decreased, you can just pop 70h or whatever the maximum value is in hex,

anyway for now try your found pointer 230b4c10,

- add address manually,
- click on the box to add the address as a pointer,
- enter 230b4c10 as your address,
- then in the offset box enter: be

see if that is stable enough and holds your ammo, health or items or whatever,

if not it's a case of going down some more pointer levels, code caving or just seeing what your code writes to.......

van Dijk
Newbie cheater
Reputation: 0

Joined: 08 Apr 2006
Posts: 13

Posted: Tue Apr 25, 2006 11:11 am    Post subject: again

Me;

OK, I am lost in this.

1. I found the cheat address E188ADE
2. "Find out what accesses this address"
3. 0047e2af -0f bf 84 51 be 00 00 00 - movsx eax, word ptr [ ecx+edx*2+000000be]
0046f6bf - 0f bf 84 41 be 00 00 00 - movsx eax,word ptr [ ecx+eax*2+000000be]
00636090 - 66 2b 10 - sub dx, [eax]
006361a2 - 66 8b 5c 7e 72 - mov bx,[esi+edi*2+72]
0063621d - 66 89 44 7e 72 - mov [esi+edi*2+72],eax

Now I don't know what I have to do.

Sorry
van Dijk
Newbie cheater
Reputation: 0

Joined: 08 Apr 2006
Posts: 13

Posted: Tue Apr 25, 2006 12:05 pm    Post subject: do re Me,

You were talking about:

see if that is stable enough and holds your ammo health or items or whatever,
if not it's a case of going down some more pointer levels, code caving or just seeing what your code writes to ...

What do you mean by that; going some more pointer levels....

This time it isn't stable, the new pointer which I made...
When I start the game up again the address is changed....
me
Grandmaster Cheater
Reputation: 2

Joined: 24 Jun 2004
Posts: 733
Location: location location

Posted: Tue Apr 25, 2006 12:53 pm

hmmm,,,

did you try using a pointer with 230bfc10+be,
and does 230bfc10 still turn up in your original hex search !!!

still looking at 3. 0047e2af -0f bf 84 51 be 00 00 00 - movsx eax, word ptr [ ecx+edx*2+000000be]

and

0046f6bf - 0f bf 84 41 be 00 00 00 - movsx eax,word ptr [ ecx+eax*2+000000be]

well taking the second one, you've got to look at the registers: take the value held in ECX, add 2 times the value held in EAX, and finally add 000000be to it, "be" for short,

use the Windows calculator in scientific view to do hex calculations,
once you have added all that up you can do a hex search for the address that holds that value,
if you get none then you might have to set a breakpoint to find the right address, using the debugger in the memory viewer to step through the code one line at a time when the breakpoint is tripped,

I don't think you're ready for the stepping through code part yet though,

another thing to try, to cut out a few lines of code in your searches, is to use "find out what writes to this address" instead of what accesses it, as that returns a lot more code to search through,

notice that "000000be" offset is still there,

there are a couple of pointer tuts around here you might want to go over that go into a bit more detail,

van Dijk
Newbie cheater
Reputation: 0

Joined: 08 Apr 2006
Posts: 13

Posted: Tue Apr 25, 2006 3:06 pm    Post subject: me

Your first 2 questions are:


hmmm,,,

did you try using a pointer with 230bfc10+be,
and does 230bfc10 still turn up in your original hex search !!!


1. Yes, I did, using the pointer 230bfc10 and be
2. Yes, somehow, someway, it always turns back up after "find out what accesses bla bla bla..

3. eax*2, does this mean, let's say, 0e196630 + 0e196630 ( hex )?
So if I am correct it means all together the sum of: ecx+eax*2+000000be
ecx + eax*2 ( hex ) = address pointer and be = offset

And about "I don't think you're ready for the stepping through code part yet though": yeah, you are right about that, that's too far for me to understand.
All that you wanted to explain to me about how it works is a little bit hard for me to understand.
I did learn from you a lot more than from the other helpers in this forum.

A small question. When I use find out what accesses or writes
and see a lot of addresses, I think they call them so,
do I have to spit them out one by one, or is there always a special one which you can see in one go, that's the one !!!??

Well Me, thanks for your time and help.
I'll try this one that you sent to me and if it doesn't work then I will close this subject for always.
But I will mail you back to let you know if it did work or not, and the last one is for me 99% the trou......

Sleep well, if not I will.
I'll read your last mail, I hope, tomorrow or something.
Regards JP.
me
Grandmaster Cheater
Reputation: 2

Joined: 24 Jun 2004
Posts: 733
Location: location location

Posted: Tue Apr 25, 2006 3:24 pm    Post subject: Re: do re Me,

your last post was posted as I was writing this so it may seem a bit disjointed, and I didn't feel like rewriting it, so bear with it, and thanks for the appreciation


van Dijk wrote:
You were talking about:

see if that is stable enough and holds your ammo health or items or whatever,
if not it's a case of going down some more pointer levels, code caving or just seeing what your code writes to ...

What do you mean by that; going some more pointer levels....

This time it isn't stable, the new pointer which I made...
When I start the game up again the address is changed....



it means a pointer that holds the pointer to the pointer that holds the pointer to the.............. until you get as far back into the code as you can, preferably to a static address like [01234567] that has not got any registers or offsets,

then you ladder your pointer and offsets so you control what they hold,
so if 230b4c10 was for argument's sake stable, or the only pointer you needed, and it was an ammo address, you could always use 230b410+be,

but if you got

movsx eax,word ptr [ ecx+eax*2+000000be] pointing to the 230b410,
and ECX and EAX contain steady values, then you've got to put their numerical values as a lower level pointer with the "be" offset; the offset is at least stable (always the same),
so you've got [ECX+(2 times EAX)+be] as the lower level pointer, then 230b410+be as the higher level pointer,

as we've got the same offsets here I suspect the code you have given here is dealing with the same address you started with?? it's a bit difficult to work out what you're working with from here..
here is a link to an explanation using the tutorial that takes you to the static pointer that the cheat engine tutorial uses: http://forum.cheatengine.org/viewtopic.php?t=6821&highlight=


one last thing to remember, don't get stuck on one method of breaking a game, try all sorts of different angles if one seems to make you run in circles,
some programmers like to make god mode or infinite ammo and other cheats very hard to get,
just use any trick that works, or look for something a bit different in the game that they might not have covered up so well


* done a bit of editing here to add a better explanation but still peek at that link to get a fuller understanding *


well here is an example of how you stack up the pointer to pointers using the cheat engine tutorial; if you use that link above you will see how I got the addresses,

- anyway you enter your highest level pointer, that is the first pointer you find and its offset,
- then the lower level pointer + its offset,
- till you get to the lowest level offset that you can find, in this case we got the static address --- I'll put in my old pic off that link to show you the static address of step six in the CE tutorial,

as you can see from the pics you build up from the static address to your high level pointer,

you enter the highest level pointer and its offset first,
then you hit the ADD POINTER button and add the next level down pointer and its offset,
you hit the ADD POINTER button again to finally add the tut's static pointer and its offset,

oh and as it's an old pic used before it's got the old text I typed into it with paint hoho

pictures paint a thousand words apparently so try these out

so start up cheat engine, add these pointers to your address list,
start cheat engine tutorial.exe,
attach cheat engine to cheat engine tutorial.exe,
enter the step 6 password (PW=098712) to get to, er um, step 6,

look at your nice pointy address list and it's got a value of 100,
change that to 5000 and freeze it,
hit the change pointer button and you've finished the tut again,

that's the idea of different levels of pointers....

[Attachment: got our code address.JPG]

[Attachment: step 6 of cheat engine tutorial.JPG]


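The pointer laddering "me" describes, as an added Python example that is not from the thread or from Cheat Engine: a constructed 32-bit memory snapshot (the static address 0x00654320, the region layout and the 0x10 offset are made up; 0x0E195810, 0x230B4C10, 0x3389F124, 0x0E188756 and the 0xBE offset are the values quoted in the thread) in which a static cell leads, two levels down, to the word the movsx reads. It shows the effective-address arithmetic, the "tick the hex box" search for cells that hold a pointer, and why only the chain from the static cell survives a restart; it also keeps a related flag right next to the value, as Zhoul's post on adjacent values describes.

```python
"""Walk a multi-level pointer chain and do a reverse hex search over a constructed snapshot."""
import struct

STATIC_CELL = 0x00654320   # hypothetical static address inside the game module
OFFSETS = [0x10, 0xBE]     # 0xBE is the offset in the thread's lea / movsx lines
FMT = {2: "<H", 4: "<I"}   # little-endian word / dword

class Snapshot:
    """A few mapped regions of a 32-bit process, each held as a bytearray."""

    def __init__(self):
        self.regions = {}  # base address -> bytearray

    def map_region(self, base, size):
        self.regions[base] = bytearray(size)

    def _locate(self, addr, width):
        for base, buf in self.regions.items():
            if base <= addr and addr + width <= base + len(buf):
                return buf, addr - base
        raise ValueError("unmapped address %08X" % addr)

    def write(self, addr, value, width=4):
        buf, off = self._locate(addr, width)
        struct.pack_into(FMT[width], buf, off, value)

    def read(self, addr, width=4):
        buf, off = self._locate(addr, width)
        return struct.unpack_from(FMT[width], buf, off)[0]

    def hex_search(self, value):
        """Every address whose 4 bytes equal value: the 'tick the hex box' scan."""
        needle, hits = struct.pack("<I", value), []
        for base, buf in self.regions.items():
            i = buf.find(needle)
            while i >= 0:
                hits.append(base + i)
                i = buf.find(needle, i + 1)
        return sorted(hits)

def effective_address(base, index=0, scale=1, disp=0):
    """x86 [base + index*scale + disp], e.g. [ecx+eax*2+000000be] or [eax+000000be]."""
    return (base + index * scale + disp) & 0xFFFFFFFF

def resolve_chain(snap, static_addr, offsets):
    """Cheat Engine pointer semantics: read [static], read [ptr+offset] for every
    offset but the last, then add the last offset to get the final address."""
    addr = snap.read(static_addr)
    for off in offsets[:-1]:
        addr = snap.read(addr + off)
    return addr + offsets[-1]

def build_snapshot(run):
    """Constructed memory for game run 0 or 1: the heap objects move between runs
    (as EAX did in the thread) while the static cell and the offsets stay put."""
    obj_a = (0x230B4C00, 0x33A0F000)[run]   # first-level object
    obj_b = (0x0E195810, 0x0E188756)[run]   # second-level object (EAX in the dump)
    snap = Snapshot()
    snap.map_region(0x00654000, 0x1000)     # game module .data with the static cell
    snap.map_region(obj_a & ~0xFFF, 0x1000)
    snap.map_region(obj_b & ~0xFFF, 0x1000)
    snap.write(STATIC_CELL, obj_a)
    snap.write(obj_a + OFFSETS[0], obj_b)
    snap.write(obj_b + OFFSETS[1], 0x70, width=2)      # the word movsx reads (EDI=70)
    snap.write(obj_b + OFFSETS[1] + 2, 0x1, width=2)   # related flag kept adjacent (Zhoul)
    if run == 0:                                       # temporary copy, gone on the next run
        snap.map_region(0x3389F000, 0x1000)
        snap.write(0x3389F124, obj_b)
    return snap

def stable_hits(value, snap, static_addr, offsets):
    """Of the cells holding value, keep only the one the static chain reaches."""
    reachable = snap.read(static_addr) + offsets[0]
    return [h for h in snap.hex_search(value) if h == reachable]
```

Run 0 reproduces the thread's two hex-search hits for EAX, of which only 230b4c10 sits on the static chain; run 1 shows the old hits gone while resolve_chain still lands on the moved value.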
van Dijk
Newbie cheater
Reputation: 0

Joined: 08 Apr 2006
Posts: 13

Posted: Wed Apr 26, 2006 11:42 am    Post subject: me,

I did everything that you told and showed me about how it should be done.
For more than 5 days I read and tried to understand it all, and read it again, and made some small notes to make it easier for me.
More than 10 times I used the tutorial, and even there I didn't make it any better; even there I got stuck on it.
How is that possible.
So I wanted to say, ME, thank you for everything, for trying in different ways to help me.
And don't forget the time you spent making those help letters with and without pics.
It doesn't matter, I fail, I fail very low, lower than low.
So I quit.
That easy, no, but my brain is burning..
I see things but I lose those small important little things.
And my English is also too bad to understand those high words.
Me, I do hope you understand what I wanted to tell you....
And who knows, we shall type in the future maybe something else.


Regards Johan van Dijk
the Netherlands
Page 5 of 7

 