Cheat Engine The Official Site of Cheat Engine
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25288 Location: The netherlands
Posted: Sun Dec 02, 2012 9:21 pm
Once you have found the physical address, run this script in the Lua engine (Ctrl+Alt+Shift+L in the main window) after changing the physical address in the script. (I assume you are running a 64-bit Windows OS.)
Code:
physMemAddress=0x26ea03000 --<---change this!
--[[
some experimenting to refresh how it worked again
fffff68000000000=base
FFFFF6FB7DBED000=cr3
max usermode virtual address=7FFFFFFFFFF
pagetable start=fffff68000000000
pagetable stop=FFFFF68400000000 (usermode)
pagedir start=FFFFF6FB40000000
pagedir stop=
in 32-bit: (with pae)
c0000000=pagetable
pagetable start=c0000000
pagetable stop=C0400000 (usermode)
in 32-bit: (without pae)
c0000000=pagetable
pagetable start=c0000000
pagetable stop=C0200000 (usermode)
return string.format("%x", x % 0x10000000000 - (x % 0x1000))
--]]
--according to the image I assume XtraartX uses 64-bit windows
pagetablestart="fffff68000000000"
pagetablestop="FFFFF68400000000"
ptsa="0x"..pagetablestart
--convert physMemAddress to an aob
--first fix the physMemAddress to a page boundary
physMemAddress=physMemAddress - (physMemAddress % 0x1000)
--convert physMemAddress to an aob
aob="** ** " --start with a wildcard as the first byte is something we need to manually check (avail bits set that mess up the lower 4 bits)
i=0
b={}
--b[1]..b[5] hold bytes 1..5 of the page-aligned address; bytes 2..5 go into the aob
for i=2,6 do
  b[i-1]=string.format("%.2x", math.floor((physMemAddress % 0x100^i) / (0x100^(i-1))))
  --print(b[i])
  if (i>=3) then
    aob=aob..b[i-1].." "
  end
end
neededuppernibble=string.sub(b[1],1,1)
--Init dbk and force kernelmode memory access
dbk_initialize()
dbk_useKernelmodeOpenProcess()
dbk_useKernelmodeProcessMemoryAccess()
dbk_useKernelmodeQueryMemoryRegions()
--get the processlist
pl=createStringlist()
getProcesslist(pl)
ms=createMemScan()
fl=createFoundList(ms)
lastfoundprocess=0
for i=1, strings_getCount(pl)-1 do --skip system
  local previous=getOpenedProcessID();
  pid=strings_getString(pl, i)
  j=string.find(pid,'-')
  pid='0x'..string.sub(pid,1,j-1)
  openProcess(tonumber(pid))
  if getOpenedProcessID()~=previous then
    --print("success")
    --scan this process for the aob
    memscan_firstScan(ms, soExactValue, vtByteArray, 0, aob, "", pagetablestart, pagetablestop, "", fsmAligned, "8", true, false, false, false)
    memscan_waitTillDone(ms)
    foundlist_initialize(fl)
    c=foundlist_getCount(fl)
    if c>0 then
      --found something
      for j=0, c-1 do
        a="0x"..foundlist_getAddress(fl, j)
        bt=readBytes(a+1,1)
        bts=string.format("%.2x", bt);
        uppernibble=string.sub(bts,1,1)
        --print(uppernibble.." needed: "..neededuppernibble)
        if (uppernibble==neededuppernibble) then
          --each pagetable entry is 8 bytes and maps one 0x1000 byte page
          print("The process :"..strings_getString(pl, i) .." has mapped this physical address at virtual address :".. string.format("%.8x", (a-ptsa) / 8*0x1000) )
          lastfoundprocess=pid
        end
      end
    end
    foundlist_deinitialize(fl)
  end
end
object_destroy(fl)
object_destroy(ms)
if lastfoundprocess~=0 then
  openProcess(tonumber(lastfoundprocess))
else
  print("No process found")
end
Cheat Engine will freeze for a minute, but just let it do its thing. When it's done and you're lucky, it should have found something. (It currently doesn't deal with 2MB pages, and doesn't scan kernelmode pages.)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
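The page-table arithmetic the script above relies on, as an added Python example that is not part of the original post: how a page-aligned physical address becomes the searched byte pattern, and how the address of a matching page-table entry turns back into a virtual address. The sample entries and `SAMPLE_ADDR` are constructed; checking the present bit and the full frame field (bits 12..51) goes slightly beyond the script, which only compares bytes 2..5 and the upper nibble of byte 1.

```python
import struct

PTE_BASE = 0xFFFFF68000000000    # "pagetable start" quoted in the post (64-bit Windows)
PTE_SIZE, PAGE_SIZE = 8, 0x1000
FRAME_MASK = 0x000FFFFFFFFFF000  # PTE bits 12..51 hold the physical page address

def page_of(phys_addr):
    """Round a physical address down to its page boundary, as the script does."""
    return phys_addr - (phys_addr % PAGE_SIZE)

def pte_pattern(phys_addr):
    """Byte pattern the script scans for, plus the nibble it checks in byte 1."""
    raw = struct.pack("<Q", page_of(phys_addr))
    return "** ** " + " ".join(f"{b:02x}" for b in raw[2:6]), raw[1] >> 4

def pte_matches(pte_bytes, phys_addr):
    """True if this 8-byte little-endian PTE is present and maps phys_addr's page."""
    (pte,) = struct.unpack("<Q", pte_bytes)
    return bool(pte & 1) and (pte & FRAME_MASK) == page_of(phys_addr)

def va_from_pte_address(pte_addr):
    """Virtual address whose mapping is held by the PTE stored at pte_addr."""
    offset = pte_addr - PTE_BASE
    if offset < 0 or offset % PTE_SIZE:
        raise ValueError("not an aligned PTE address inside the self-map")
    return offset // PTE_SIZE * PAGE_SIZE

def find_mappings(table, table_addr, phys_addr):
    """Walk a dumped run of PTEs that starts at table_addr; return matching VAs."""
    return [va_from_pte_address(table_addr + off)
            for off in range(0, len(table) - PTE_SIZE + 1, PTE_SIZE)
            if pte_matches(table[off:off + PTE_SIZE], phys_addr)]

# Constructed sample: four PTEs as they would sit at SAMPLE_ADDR in the self-map.
PHYS = 0x26EA03000               # physical address used in the post
SAMPLE_ADDR = 0xFFFFF683FF091A20
SAMPLE_TABLE = struct.pack(
    "<4Q",
    0x0000000000000000,          # empty entry
    0x800000026EA03867,          # present, maps PHYS; low nibble of byte 1 is 8
    0x000000026EA03866,          # same frame but present bit clear
    0x8000000111111867,          # present, different frame
)

if __name__ == "__main__":
    print(pte_pattern(PHYS))
    print([hex(va) for va in find_mappings(SAMPLE_TABLE, SAMPLE_ADDR, PHYS)])
```

The second sample entry shows why the pattern starts with two wildcards: its first two bytes are `67 38`, where only the upper nibble of the second byte belongs to the physical address.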
Gvaz Expert Cheater Reputation: 0
Joined: 16 Jul 2011 Posts: 126
Posted: Fri Dec 07, 2012 5:47 pm
How the heck do you find the physical address?
I'm trying to see where it's stored via exe and I'm coming up with nothing, but I should.
For example, for one app (Game Dev Story) it seems to be stored as a float (numbers such as 420.2 K, and only displayed as that), but 420200 doesn't come up with anything either.
I'm very stumped.
arniuxx3 How do I cheat? Reputation: 0
Joined: 25 Jun 2009 Posts: 2
Posted: Sun Dec 09, 2012 4:13 pm
Hello.
Seems like I need help too.
I found the process in which the address is, but when I change the value nothing happens. I thought the value could be server-sided, but since I get money even when playing offline, it couldn't be, could it?
The game that I am trying to hack is "Wannabat EX".
P.S. Tried the same thing with "Drag racer", but got only the money value, couldn't get the RP value; seems to be the same as Wannabat.
P.S.S.s Pointer scan isn't quite working.
P.S.s I am almost totally new to this stuff, sorry if something is wrong.
Mtn Dew Master Cheater Reputation: 0
Joined: 09 Oct 2007 Posts: 273
Posted: Fri Dec 28, 2012 12:13 am
I've searched and searched, can't find a god damn thing using the methods posted.
Anyone find the process yet?
riser How do I cheat? Reputation: 0
Joined: 09 Jun 2009 Posts: 8
Posted: Tue Jan 08, 2013 1:27 am
Looking at this topic every day, guess no one got a clue on Cheat Engine with BlueStacks :-/ but if there is someone out there who does, please let us know
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25288 Location: The netherlands
Posted: Tue Jan 08, 2013 5:12 am
Have you tried scanning the [Physical Memory] process as I posted on the previous page?
And change the value there.
Also, remember that it will not work in online games.
Pretinaverse How do I cheat? Reputation: 0
Joined: 08 Jan 2013 Posts: 3
Posted: Tue Jan 08, 2013 9:09 am
Dark Byte wrote: | Have you tried scanning the [Physical Memory] process as I posted on the previous page?
And change the value there
Also, remember that it will not work in online games |
Hi, I have the same problem. I've been trying the way you say and it is impossible, I don't find the values that I'm searching for in physical memory. I'm playing Zenonia 2 and don't find anything... maybe it is the game, I don't know u.u
Fresco Grandmaster Cheater Reputation: 4
Joined: 07 Nov 2010 Posts: 600
Posted: Tue Jan 08, 2013 9:35 am
Perhaps the ARM emulator encodes the values stored in memory.
_________________
... Fresco
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25288 Location: The netherlands
Posted: Tue Jan 08, 2013 9:45 am
According to XtraartX it is encoded using little endian, since changing the 4 byte value of score to 7777777 (0x76ADF1) resulted in the proper value (in this post),
but yes, try a different variable type, like float or double.
Pretinaverse How do I cheat? Reputation: 0
Joined: 08 Jan 2013 Posts: 3
Posted: Tue Jan 08, 2013 10:00 am
Dark Byte wrote: | According to XtraartX it is encoded using little endian, since changing the 4 byte value of score to 7777777 (0x76ADF1) resulted in the proper value, but yes, try a different variable type, like float or double |
I used the value type "all" and don't find anything. Also tried 2 bytes, 4 bytes, float and double, with CopyOnWrite marked and not marked. Also used rounded when truncated didn't work. Tried the process watcher, the mem_mapped and the read/write process memory.
I'm still trying different combinations, but losing hope every time I try u.u
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25288 Location: The netherlands
Posted: Tue Jan 08, 2013 10:09 am
First scan doesn't find ANY address when doing a first scan? Because you will at least find the temporary variable in CE's memory when doing a physical memory scan.
Also, grey them all out, not checked or unchecked,
and target the [Physical Memory] process in the processlist. The one at the top.
To confirm you have opened the physical memory, read address 00000000 and make sure it's not all ??'s.
And use this Cheat Engine version: http://cheatengine.org/download/d1/CheatEngine62.exe . That way you don't have to reboot your system to enable unsigned driver support.
Fresco Grandmaster Cheater Reputation: 4
Joined: 07 Nov 2010 Posts: 600
Posted: Tue Jan 08, 2013 10:13 am
You guys could try a reverse scan.
When the value increases, you scan decreased value etc...
Pretinaverse How do I cheat? Reputation: 0
Joined: 08 Jan 2013 Posts: 3
Posted: Tue Jan 08, 2013 10:45 am
Dark Byte wrote: | First scan doesn't find ANY address when doing a first scan? Because you will at least find the temporary variable in ce's memory when doing a physical memory scan
also, grey them all out, not checked or unchecked
and target the [Physical Memory] process in the processlist. The one at top.
To confirm you have opened the physical memory read address 00000000 and make sure it's not all ??'s
And use this cheat engine version CheatEngine62.exe , That way you don't have to reboot your system to enable unsigned driver support |
Yes, I use Cheat Engine 6.2 and make sure to select physical memory. Also grey them all and still nothing. In the first scan it gave me over 44 million results when I use value type all :O and I can't search for unknown initial value because it gave me the error "failure allocating memory for copy".
EDIT
In the end I gave up. Used the Android SDK (I hate this emulator 'cause it is so slow on my PC), hacked stats with Cheat Engine and then transferred the save data to BlueStacks.
riser How do I cheat? Reputation: 0
Joined: 09 Jun 2009 Posts: 8
Posted: Sun Jan 13, 2013 7:34 am Post subject: Solution
I tried all that stuff over and over again and I finally got it to work. The way it works is pretty much described on page one:
1. Cheat-Engine/Settings/Extra activate Read/Write Process Memory
2. Cheat-Engine/Scan Settings activate MEM_MAPPED
3. Select Physical Memory First
4. Start 4 Bytes search
I always got a crash so I just canceled the scan after 50% and always found what I was looking for... now just fighting to find a pointer! Hope it helped those who always had a crash like I did.
Edit: OK, I ran your script but I wasn't lucky, no process found...
Is there a way to find pointers to the address?
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25288 Location: The netherlands
Posted: Sun Jan 13, 2013 10:37 am
riser, do you use 64-bit Windows? (Since that script is for 64-bit only)
Also, it's recommended to have more than 4GB RAM (so the memory doesn't get paged to disk)
(Also, start a new CE when using that script. The transition from physical to user doesn't always work)