Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
Issue with "Find out what Reads from this address"

 
Zhoul
Master Cheater
Reputation: 1

Joined: 19 Sep 2005
Posts: 394

PostPosted: Thu Nov 03, 2005 7:05 pm    Post subject: Issue with "Find out what Reads from this address"

Ever since I started using CE, I've always had a very specific problem with two options (that do the same thing).

"Find out what Reads from this address" and "Find out what address(es) this code reads from".

I'm guessing the 'code' behind both options is the same.

Example:
- Find Value X
- Right-click Value X and select "Find out what Reads from this address"
- Debugger attaches and window pops up, listing address(es)
- At this point, one of two things happen...

- 1. Everything starts running slow. If the game doesn't crash here, it will crash when I hit the "Stop" button.
- 2. Everything runs normally, *until* I hit the stop button, at which point, the game crashes. I can even go into the disassembler and look at the code, close it, open it for another value, etc, prior to hitting stop.

The odd thing is that "Find out what Writes to this address" and "Find out what accesses this address" work perfectly! I would imagine that "Accesses" finds all reads/writes, so my question is, why does simply finding out what reads cause such a major catastrophe?

I've tried a multitude of settings within CE and I'd attach my config to this post here, but it appears to be scattered across multiple keys in the registry. Hardware/Int3 have no effect. Mem scanning size has no effect. By default, I don't scan read only /no cache / private memory.


The only thing that appears to affect this is the value I choose. This could be for 1 of 2 reasons.
1. The value isn't 'accessed' as frequently as other values, therefore cutting down on CE's interaction.
2. Random occurrence.

My computer setup is a P-4 3ghz with 768 megs of PC3200 + ATI Radeon 9800 pro, WinXP Pro. I run the bare minimum of services (going as far as disabling computer browser, and anything 'network neighborhood' related). I go as far as killing explorer.exe on both console and remote desktop sessions.

I can't even remember a time when this actually worked on my machine.

If "Find out what accesses this address" works the same as "reads", with the exception that it finds writes as well, then I'd love to see the code used, copy/pasted to the "reads" section, if possible, then modified to ignore writes.

If there is a difference, please let me know.

Again, not high priority, as I seem to get what I'm looking for, by using "Accesses".

- Zhoul
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25288
Location: The netherlands

PostPosted: Thu Nov 03, 2005 7:23 pm    Post subject:

No, find out what reads is completely different from access and write

for access and write I can use a debug register that breaks when an address is read or when an address is written to, so fast and not very intrusive.
but find out what reads on the other hand can't use that, there is no debug register designed for only read, so the only other method to do that is by making the memory "NO ACCESS" and each time the game tries to access it it raises an access violation that the debugger captures.


The exception information does indicate what exception it was, read, write, execute.... So if it was a read it'll store that in the found list.
it'll then set the memory to readable, continue the game one small instruction long, and then set the memory to unreadable again.

that it crashes when you click close may have to do with it forgetting to handle the last few exceptions, or it is setting the memory back to no access even when it has stopped, got to look into that (multithreaded thing)

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
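The mechanism Dark Byte describes above, as an added example that is not Cheat Engine's code: a stand-alone C program for x86-64 Linux that guards one page with PROT_NONE, classifies each fault as a read or a write from the page-fault error code saved in the signal context, makes the page accessible, single-steps exactly one instruction using the x86 trap flag, and then takes the page away again. The names watch_page_accesses, on_segv and on_trap and the three-access workload are constructed for the demo; the REG_ERR/REG_EFL fallbacks are the fixed x86-64 glibc register indices. Because the fault is raised before the instruction executes, the register state a handler sees is pre-execution, which is the difference Dark Byte points out later in the thread between the "reads" list and the "accesses" list.

```c
/* Added example (not Cheat Engine's code): the "NO ACCESS" read-watch idea
 * as a user-space demo on x86-64 Linux. A watched page is mapped PROT_NONE;
 * every touch raises SIGSEGV. The handler records read vs. write from the
 * page-fault error code, makes the page accessible and sets the trap flag,
 * so the faulting instruction is retried and the CPU stops right after it.
 * The SIGTRAP handler then re-protects the page and clears the trap flag. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

#if !defined(__x86_64__) || !defined(__linux__)
#error "this example assumes x86-64 Linux (ucontext register layout)"
#endif

/* glibc only exposes the REG_* names with _GNU_SOURCE; fall back to the
 * fixed x86-64 gregs indices if they are not visible. */
#ifndef REG_EFL
#define REG_EFL 17
#endif
#ifndef REG_ERR
#define REG_ERR 19
#endif
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20      /* Linux value */
#endif
#define X86_EFLAGS_TF 0x100UL   /* trap flag: #DB after the next instruction */
#define PF_WRITE      0x2UL     /* page-fault error code bit 1: access was a write */

static void *watched_page;      /* the guarded page */
static size_t page_len;
static volatile sig_atomic_t read_hits, write_hits;

static void on_segv(int sig, siginfo_t *si, void *ctx) {
    ucontext_t *uc = ctx;
    (void)sig;
    /* A fault outside our page is a real crash: restore the default action
     * and let the instruction fault again. */
    if ((char *)si->si_addr < (char *)watched_page ||
        (char *)si->si_addr >= (char *)watched_page + page_len) {
        signal(SIGSEGV, SIG_DFL);
        return;
    }
    if (uc->uc_mcontext.gregs[REG_ERR] & PF_WRITE) write_hits++;
    else read_hits++;
    /* Retry the faulting instruction with the page accessible, but
     * single-step so control comes back immediately after it. */
    mprotect(watched_page, page_len, PROT_READ | PROT_WRITE);
    uc->uc_mcontext.gregs[REG_EFL] |= X86_EFLAGS_TF;
}

static void on_trap(int sig, siginfo_t *si, void *ctx) {
    ucontext_t *uc = ctx;
    (void)sig; (void)si;
    /* Exactly one instruction has executed: take the page away again. */
    mprotect(watched_page, page_len, PROT_NONE);
    uc->uc_mcontext.gregs[REG_EFL] &= ~X86_EFLAGS_TF;
}

/* Installs the handlers, guards a fresh page, runs a constructed workload of
 * two reads and one write, and reports how many of each were observed.
 * Returns the last value read (42) or -1 on setup failure. */
int watch_page_accesses(int *reads_out, int *writes_out) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_flags = SA_SIGINFO;
    sa.sa_sigaction = on_segv;
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    sa.sa_sigaction = on_trap;
    if (sigaction(SIGTRAP, &sa, NULL) != 0) return -1;

    page_len = (size_t)sysconf(_SC_PAGESIZE);
    watched_page = mmap(NULL, page_len, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (watched_page == MAP_FAILED) return -1;
    volatile uint32_t *slot = (volatile uint32_t *)watched_page;
    slot[0] = 40;                 /* initialise while still accessible */
    read_hits = write_hits = 0;
    mprotect(watched_page, page_len, PROT_NONE);   /* start watching */

    uint32_t a = slot[0];         /* read  -> SIGSEGV, counted as read  */
    slot[1] = a + 2;              /* write -> SIGSEGV, counted as write */
    uint32_t b = slot[1];         /* read  -> SIGSEGV, counted as read  */

    mprotect(watched_page, page_len, PROT_READ | PROT_WRITE);
    munmap(watched_page, page_len);
    *reads_out = read_hits;
    *writes_out = write_hits;
    return (int)b;
}

int main(void) {
    int r = 0, w = 0;
    int v = watch_page_accesses(&r, &w);
    printf("value=%d reads=%d writes=%d\n", v, r, w);
    return 0;
}
```

Every touch of the page costs two signal deliveries and two mprotect calls, which is why this mode is so much slower than a debug-register watchpoint that only fires on the exact address. It also shows where the multithreading trouble Dark Byte mentions comes from: the page is readable for the whole window between the two handlers, so another thread can slip through unrecorded, and a thread that faults after the watcher has stopped handling exceptions sees a plain access violation.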
Zhoul
Master Cheater
Reputation: 1

Joined: 19 Sep 2005
Posts: 394

PostPosted: Thu Nov 03, 2005 11:20 pm    Post subject:

That is indeed a very interesting way to find out what reads a value.

What advantage does this have, over using debug registers to find out what accesses it? Would the output of "Reads" versus the output of "Accesses", minus the writes, be any different? If so, why?

Is this one reason Speedhack was invented? (to slow the game, thus letting CE do its behind-the-scenes work, without the game crashing due to way too many access violations, in such a short time).

I would imagine that adding a sleep time between exception/mark as writable and mark as read-only, then giving us an option box to define that sleep time in milliseconds would do the trick. (Even though it could miss a series of reads).

This raises another question, as surely there are other ways to find out 'what reads X value'.

Could Cheat Engine, or any other modified debugger be coded to follow each line of assembly as it's executed, to capture the address it's reading/writing to, based on the registers and current line of ASM?

I.e.

If cheat engine could follow each line being executed, and only pick up all the mov instructions, then figure out what address it read/wrote to, based on register(s) specified in ASM, and current register values at time of execution?

mov [eax+0000002b], ecx

Cheat engine would know to 'dissect' this line, look at EAX+0000002b, and see if it matches the address you are searching for.

Of course, further instructions could be added and dissected as necessary.

If CE could do that, it could automate my method of finding pointers, and give CE a faster-than-light ability of finding them automatically.

The method:
If I know instruction mov [eax+0000002b], ecx wrote to my value, then my 'search' for the pointer starts at, how EAX became EAX.

I scroll up and try to figure out how EAX was defined and possibly modified, prior to the instruction that was used to write to the value.

If I reach the top of the 'ASM block', I scroll down until it 'returns' or 'jumps' to a certain point, then using the disassembler, I step through that return/jump.

This usually puts me at the ASM block that jumped to the previous block to begin with. Usually have better luck when the previous ASM block returned, rather than jumps.

Once at the new 'ASM block' - I scroll up just past the jump that went to the previous block, and continue my search for the definition of EAX. Usually, it starts getting difficult when 3-4 other registers were used in the creation of EAX's final result, but notepad is a wonderful thing for keeping track of this. Eventually, I find *the* (or *a*) base pointer, referenced right there in the code.
I.e..
mov EDX, [018E8E68]
mov ESI,[EDX+0000001B]
mov EAX, ESI

From this point, I toggle a break-point, and step/follow it forward to the original ASM that read/wrote to the value, just to double-check my reversed engineered work.

The above example smashes EAX's creation into 3 simple lines, but usually, it is spread over a section of ASM that is doing other things as well.

Surely, there must be a logical way to code something that can automate this process. If DarkByte says 'sure, that wouldn't be too hard, just a lot of work', then my arse will get to learnin' the differences between Delphi and C, at the drop of a hat.

If you know of a software that already offers this feature, even better!

- Zhoul
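Zhoul's hand method above is a backward data-flow slice, and over a straight-line block it can be automated. As an added example, not Cheat Engine's code: a C program that models mov instructions as data, walks upward from the instruction that writes the value to the instruction that last defined the base register, follows mov reg,reg and mov reg,[reg+off] steps, stops at a load from an absolute address (the static base), and then resolves the resulting path against a constructed memory image. The instruction table is the four lines quoted in the post; the addresses 0x00400000 and 0x00500000 in the fake memory and the names slice_pointer, pointer_path, resolve_path and fake_read32 are assumptions for the demo. It deliberately handles no branches, no instructions other than mov and no partial-register writes, which is exactly where the hand method gets hard.

```c
/* Added example (not Cheat Engine's code): backward slice from a write
 * instruction to the static pointer that feeds its base register. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Operand shapes of the mov forms the slicer understands. */
enum opnd_kind { OP_REG, OP_MEM_REG_OFF, OP_MEM_ABS };

typedef struct {
    enum opnd_kind kind;
    const char *reg;    /* OP_REG and OP_MEM_REG_OFF */
    uint32_t off;       /* OP_MEM_REG_OFF: [reg+off] */
    uint32_t abs;       /* OP_MEM_ABS: [abs] */
} operand;

typedef struct { operand dst, src; } mov_insn;  /* only mov is modelled (assumption) */

#define MAX_PATH 8
typedef struct {
    int found;                 /* 1 if a static base was reached */
    uint32_t base;             /* address of the static pointer */
    uint32_t offs[MAX_PATH];   /* offsets, applied from the base outward */
    int noffs;
} pointer_path;

/* insns[start] must write to [reg+off]. Walk up the block to the instruction
 * that last defined 'reg', follow it, and repeat until a load from an
 * absolute address is found or the block runs out. */
pointer_path slice_pointer(const mov_insn *insns, int start) {
    pointer_path p;
    memset(&p, 0, sizeof p);
    if (insns[start].dst.kind != OP_MEM_REG_OFF) return p;
    const char *want = insns[start].dst.reg;    /* register being resolved */
    uint32_t tmp[MAX_PATH];
    int n = 0;
    tmp[n++] = insns[start].dst.off;            /* final offset, e.g. +2B */
    for (int i = start - 1; i >= 0 && !p.found && n < MAX_PATH; i--) {
        const mov_insn *m = &insns[i];
        if (m->dst.kind != OP_REG || strcmp(m->dst.reg, want) != 0)
            continue;                           /* does not define 'want' */
        switch (m->src.kind) {
        case OP_REG:         want = m->src.reg; break;                        /* mov eax,esi */
        case OP_MEM_REG_OFF: tmp[n++] = m->src.off; want = m->src.reg; break; /* mov esi,[edx+1B] */
        case OP_MEM_ABS:     p.found = 1; p.base = m->src.abs; break;         /* mov edx,[018E8E68] */
        }
    }
    /* tmp was collected from the write backwards; store it base-first. */
    for (int k = 0; k < n; k++) p.offs[k] = tmp[n - 1 - k];
    p.noffs = n;
    return p;
}

/* The four lines quoted in the post, as data. */
static const mov_insn sample[] = {
    { {OP_REG, "edx", 0, 0},            {OP_MEM_ABS, NULL, 0, 0x018E8E68u} }, /* mov edx,[018E8E68] */
    { {OP_REG, "esi", 0, 0},            {OP_MEM_REG_OFF, "edx", 0x1Bu, 0} },  /* mov esi,[edx+1B]   */
    { {OP_REG, "eax", 0, 0},            {OP_REG, "esi", 0, 0} },              /* mov eax,esi        */
    { {OP_MEM_REG_OFF, "eax", 0x2Bu, 0}, {OP_REG, "ecx", 0, 0} },             /* mov [eax+2B],ecx   */
};

pointer_path slice_sample(void) { return slice_pointer(sample, 3); }

/* Constructed memory image (assumption): the static pointer and the two
 * dynamic objects it leads to. A real tool would read the target process. */
static uint32_t fake_read32(uint32_t addr) {
    switch (addr) {
    case 0x018E8E68u:          return 0x00400000u;  /* static pointer -> object A */
    case 0x00400000u + 0x1Bu:  return 0x00500000u;  /* A+1B           -> object B */
    default:                   return 0;
    }
}

/* Dereference the base, add each intermediate offset and dereference again,
 * then add the final offset to get the address the write went to. */
uint32_t resolve_path(const pointer_path *p, uint32_t (*read32)(uint32_t)) {
    if (!p->found || p->noffs == 0) return 0;
    uint32_t addr = read32(p->base);
    for (int k = 0; k + 1 < p->noffs; k++) addr = read32(addr + p->offs[k]);
    return addr + p->offs[p->noffs - 1];
}

uint32_t resolve_sample(void) {
    pointer_path p = slice_sample();
    return resolve_path(&p, fake_read32);
}

int main(void) {
    pointer_path p = slice_sample();
    printf("base [%08X]", p.base);
    for (int k = 0; k < p.noffs; k++) printf(" +%X", p.offs[k]);
    printf(" -> %08X\n", resolve_sample());   /* base [018E8E68] +1B +2B -> 0050002B */
    return 0;
}
```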
Turtle
Advanced Cheater
Reputation: 7

Joined: 25 Jul 2004
Posts: 85

PostPosted: Fri Nov 04, 2005 3:54 am    Post subject:

Zhoul,

Cheat Engine has a static address/pointer scanner. It can be used to find static pointers, you just have to look in the scan results after the scan, and pick a pointer that points to an address that is near the value that you want to resolve. Then you just calculate the offset between the address pointed to by the pointer, and the value that you want resolved.

Also note that L. Spiro's program has a pointer searcher, and it has an option to only search for static pointers. I think that you just enter the address of a value, and the searcher then finds static pointers. It also finds the respective offset distance between the addresses that the static pointers point to, and the address of the value that you supply in the search.

L. Spiro's program: http://www.memoryhacking.com/


Also, for easy code injection, read the following as an example, your code will probably be different:

MOV EAX,[EBX+00000304]

To always find what EAX is, just go into the disassembler of L.Spiro's program, and then right-click the pointer line in the code, in this case "MOV EAX,[EBX+00000304]", then click "inject code", and then in this example you would just type the following line of code to be injected:

MOV [9000400], EBX

Where, for example [9000400] is a storage address, an empty address that can be used to store the value of the register. Every process will probably have empty storage addresses available at different locations, they will have to be found.

The only line that you have to write in the code injector is the
MOV [9000400], EBX
The injector automatically finds a code cave, and adds all the required injection-loop-code. When all the code looks ready, you can go ahead and inject it.

Now to find out what EAX is, all you have to do is read the value at 9000400, and then add 304 to it. The value of EBX will always be written to 9000400.


Last edited by Turtle on Fri Nov 04, 2005 7:58 am; edited 3 times in total
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25288
Location: The netherlands

PostPosted: Fri Nov 04, 2005 7:12 am    Post subject:

zhoul:
The difference between read and accesses output is that the state of the registers it shows will be before it is executed with read, and after it is executed with accesses

And while it is possible to follow the path the code takes, it will be so slow it would take one hour to alt tab between the app and get the first glimpse of the screen.
With access violations the debugger only intervenes when something tries to access that particular region


turtle:
you can also do that with the auto assembler of cheat engine, and you don't even have to worry about code caves.
You just use the alloc command to allocate a block of memory and use labels to define other parts of memory.

e.g:
Code:

alloc(pointerstorage,4)
alloc(myblock,1024)
label(returnhere)

00501234:
jmp myblock
returnhere:

myblock:
mov [pointerstorage],ebx
mov eax,[ebx+304]
jmp returnhere

after injection CE will tell you where it put pointerstorage so you can use it in a pointer.

and you don't need to type this in all by yourself, the template->code injection fills in all this code by default and adds all the nops for you where needed

Turtle
Advanced Cheater
Reputation: 7

Joined: 25 Jul 2004
Posts: 85

PostPosted: Fri Nov 04, 2005 7:57 am    Post subject:

Cool.

Also, in ASM does it matter if there is a space after the comma?

MOV [9000400], EBX
MOV [9000400],EBX

Are they the same?
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25288
Location: The netherlands

PostPosted: Fri Nov 04, 2005 8:04 am    Post subject:

yes, they are the same
Zhoul
Master Cheater
Reputation: 1

Joined: 19 Sep 2005
Posts: 394

PostPosted: Sat Nov 05, 2005 1:32 am    Post subject:

Poor Turtle. That looks like the last few posts I threw around here =) oh well, at least others get to see it.. P'preciate the effort

In the 125 values I've found for Black & White 2, they all work off 1 "static" pointer, and about 20 - 25 separate, dynamic pointers, so finding static pointers won't help. Pointer finding is simply slower right now, and I know there's gotta be a way for a PC to beat my ass in a pointer search. I will not settle for the 4-7 hour wait for a pointer search that may or may not work, when I know a PC can do what I do quicker ;0)



However, that code injection sounds nice. I've yet to take a look at the feature, because I thought it would 'clear away' upon closing CE, which would be just as pointless as the register editing (as I'm all about finding a final solution that will work in a trainer.)



Speaking of trainers folks, I am completely converting my Black & White 2 trainer into a VB application, fully built out with hot-keys, slider bars that 'adjust to the game' etc. If any of you would be interested in the Visual Basic project files, once I refine it a bit more, I'd be happy to send it to you.

I really work hard in my code and almost always offer 2 ways to get to the same place. I.e. the trainer was initially built out to find processes based on hWnd numbers (FindWindow) but when I got pissed that I couldn't use it through the remote desktop session, I built out a WMI way to access the process, but then paralleled them together, in case someone didn't have WMI.

That type of thinking is seen through the entire trainer make-up as well.

When all seems 'complete', I'll go ahead and make a final post... but I'm always up for someone to take it, and smack me in the face with the 'issues' it may have.

- Zhoul

p.s. If you'd like to 'beta' it.. please at least know a little about coding, else I'll slap j00 in the face with it...
All times are GMT - 6 Hours