Cheat Engine

[f100]

i could help with following situation:

i found the adress of a value i want to freeze. lets say its the address: 1FF34A34. i did view what access this address. it was
CMP [ECX+00000010c],EAX
so i searched after the value stored in ECX and found the 1 address(202A9140) , i added a pointer that value(1FF34A34) of it and the 10c ofset and froze it - everything nice and fine.

but

it wasnt a static pointer i guess - cuz it also changes after gamereload/mapchange.

so i looked WHAT ACCESSES 202A9140 i got that thing:
code :005bde2b - 8b 4b 14 - mov ecx,[ebx+14]
code :005c25ab - 8b 4e 14 - mov ecx,[esi+14]
code :005c97d1 - 8b 47 14 - mov eax,[edi+14]
all 3x info said the value of pointer to find that address is 202A912C

but there was no search result.
then i tried search base pointer ON the pinter, but i didnt know what address he asks me for.
and the option find out what accesses this pointer on the pointer also end up in nothing

how can i go on now ?

[Dark Byte]

Look at the assembler code above it and try t figure out how the register gets it's value.

e.g from a different register and then adding a value, or from the stack (and then you'll have to do some stacktracing to find out what called that function, and then look there gow that value got on the stack...)

it's going to be hard.

it would be easier to just nop the code that decreases the address, or if that doesn't give the results you want (e.g same also goes for the enemy) then do some basic code injection. (e.g find the code that is accessed only to read the address and draw it on the screen and then use that register+offset to set it o the value you want)

[f100]

ty DB for your reply.
nop not possible due crc
stacktracing imho also not due debugger prevention

welcome to planet nprotect

i'll try harder

[Turtle]

Does code injection affect the CRC also? Or just Noping?


There is another method for finding static pointers:

in mhs,

After you find a value that you want to resolve, and you find it's address, say it's address is (34891278). Try the following:

1. Select the pointer search.

2. Choose a "range" type search.

3. For the max value of the range put the address of the value you want resolved, for example (34891278). For the lowest part of the range set all the last 5 digits to '0' so (34800000). Make sure that the "only find static" pointers" box is ticked.

The first box is for the lowest value of the range, and the 2nd box, (the one on the right) is for the max value of the range.

That should search for static pointers that point to addresses in that range that are before the address of the value that you want resolved. Also, in the box that says "save offsets from", just put in the same address as the max value of the range (34891278).

Now in the results window it will show each static pointer and the offset distance between the address that they point to and the address of the value you want resolved. All the offsets distances will be listed with a "-" sign in front of them, since we are saving offsets from the max part of the range, so pick the one with the smallest negative offset, so "-500" is better than "-1000". The decimal offset distance is shown in brackets. It's easier to work with decimal offsets. There is also a "go to closest" button on the results window which should automatically show you the pointer with the smallest offset distance, it will highlight it.

Now with that static pointer, to test it just remember that you are adding that 500 to the address that the pointer points to, in order to get the value that you want resolved. So test it.

If that static pointer turns out to be unreliable, then you can try the next best one, for example the next best one could be "-600", it's a larger offset, but it may be a more reliable static pointer.

[Dark Byte]

It's basicly the same. (nopping is just code injection and write nop's instead of normal code)

But you may be able to rewrite the crc check routine to always return the same value.