Cheat Engine

CodeReaver · Newbie cheater Reputation: 0 Joined: 19 Apr 2005 Posts: 24

I've had to download 5.2 on the university computers while I don't have the internet at home right now, so I havn't tried this out but I had a look at the list of what was added and the pointer scanner seemed really interesting and I was wondering if it worked the way I thought. If not, then I have a suggestion.

I imagine you give it a reigon to scan and it lists all the values that is thinks might be pointers. I was wondering if it could perhaps produce some kind of structure descrpition files. Like, say it found a pointer 'pA' to address 'aA' and a pointer 'pB' to address 'aB' and the difference between aA and aB was 16 bytes, then it would guess that pointer 'pA' was pointing to a 16 byte array, but you could also set it to an array of four DWORDs or something.

There'd be a table of each pointer it had found in a specific reigon and the columns would be pointer address, a column for it's name, the data type for the array (includes custom types that you could specify) and then a drop down box where the values in the array could be listed. If a custom data type had been added then the drop down list would show members of the custom data type if the data type happened to be a struct. I'm thinking it would work a bit like the quick watch feature in visual studio.

The thing would try to guess the data structures (assuming arrays first) but then if it gets it wrong, the user would be able to spot the adjustments to help define the struct. It would also try to recognise whether the pointer was pointing to any collection of other pointers. The user would be able to specify the number of levels to keep scanning through (the max depth of the tree) if it happened to be a tree struct or a linked list. That way if there are too many pointers to pointers to other pointers it would stop before the task got too big to handle.

Also if it found a pointer to another pointer that is outside of the reigon it was originally told to scan, it would stop then as well, saying it had found a pointer but not what to. Would anything like this be possible to implement?

Dark Byte · Posted: Tue Dec 13, 2005 7:35 am Post subject:

try using the return key once in a while. I didn't read all of it but here are some answers:

the pointer scanner scans for possible pointer paths to the address you give with as base address the region you gave, and only does the ones in the filter region

it can go multiple levels deep

If you want to define data structures use the option "dissect data" , it also supports pointers, and you can make it so that a pointer points to a structure.
If you defined a custom structure it will be possible to choose it from the list, either appending it, or as a pointer to it. You can then click on the + to see the structure's data it points to

CodeReaver · Newbie cheater Reputation: 0 Joined: 19 Apr 2005 Posts: 24

Dark Byte · Posted: Tue Dec 13, 2005 12:16 pm Post subject:

With base address I mean that it uses that as static address, the first address of the pointer. The pointer path can lead to other addresses out of the range, but the base address has to be in that region. You can also limit that range with the options in the pointer scanner.

To get a list of all possible pointers use the dissect data option, and let ce map the region for you if you give it a good size of the structure you think it is (Look at the code, e.g with eax+120 then the minimum size is 288)

it detects pointers if the value is a actual address, checks if something matches a float value, etc....

But guesing to what a pointer points to is quite hard without user input. It is possible that 5000 structures can match the address the pointer points to

CodeReaver · Newbie cheater Reputation: 0 Joined: 19 Apr 2005 Posts: 24

My suggestion was to assume to that it points to an array, then search for the next pointer to an address after the one the first pointer refered to. It's a was of guessing the size of what the pointer is pointing at. Once you have an idea of the size, then you can have it map a reigon of that size to that address. Then in the likely event that it gets some of the data types wrong, at least you have an estimate of the size of the structure and any pointers in it.

EDIT: The Disect Data was a lot closer to what I had in mind than the pointer scanner was but I still would like to suggest that the addresses in the address list be in a combo box in the Data Dissect menu (to jump to them quickly) and that on the address list you can choose any structures you defined as the addresses data type. Then when you go to the address in Data Dissect, the structure would be the default for that address. There was a bit more stuff I wanted to mention but I'm out of time.
Maybe you could also have an option of it using the data types in the address list as a guide for figuring out what's in the structure or if a structure has a pointer to something in the address list then it would use the data type in the address list as a default. Maybe you could add something to switch that on and off when trying to map the structure.
I wanted to be able to use the structure thing to navigate so you can double click a pointer to move to the place in memory it points to. It would need to turn the structure off or rescan the new area or something when that happens though.

I saved this a while ago and you might have fixed this already, but in the last version I tried:

23 c1
3b c1
75 07

should be

and eax, ecx
cmp eax, ecx
jnz (7 bytes)

but is displayed as

and eax,ecx,
sar [ebx],c1
jne (7 bytes)