Cheat Engine Forum (The Official Site of Cheat Engine)
Rydian's Value/Address Finding Examples
Cheat Engine Forum Index -> Cheat Engine Tutorials
Rydian
Grandmaster Cheater Supreme
Reputation: 29

Joined: 17 Sep 2012
Posts: 1358

Posted: Wed Feb 26, 2014 3:33 pm    Post subject: Rydian's Value/Address Finding Examples

- Foreword
I get a lot of people asking me how I've found certain values/numbers in games, so this will be a
listing of various situations that have come up, the different approaches games take, and what
I've done to find what I need in those situations.

First, though, run the Cheat Engine Tutorial (it gets installed alongside Cheat Engine) and complete
steps 1 through 4 (just get to step 5, you don't need to beat that for this guide). It's important that
you understand how to search for invisible values and values in other types, and also that you know
how to do changed/unchanged/increased/decreased searches!

Some edits/codes I do are not simple value/address freezes, but actually editing the game code (which
is much more powerful). I made a tutorial here explaining my process for making these scripts/codes.

Also, if you need to search for something in a game that goes away quickly (like a really short timer),
you may need to use Cheat Engine's speed hack settings to freeze the game so you can go back to
Cheat Engine and do your scanning stuff. If you check Cheat Engine's settings, you can set hotkeys
to different speedhack settings. I recommend settings for 0 (frozen time) and 1 (normal time).



- Invincibility
Most games have what's known as "mercy invincibility". That is, when you get hit you start flashing
or go semi-transparent, and during this time period you can't be hit again. What happens in most
cases is that when you get hit, a timer is set, and then the timer counts down (or up), and when it's
done counting down (or up) your invincibility stops. So there are two possible approaches to this.

A - Find the timer, get hit one more time, and then lock the timer right at the beginning so that it
never gets to finish its countdown, so you stay invincible as long as the value is locked.

B - Do an unknown initial value and changed/unchanged search to find the "invincible" flag.
Generally simple flags like this are 0 or 1, but it could be other values. Once you've found the flag
that determines if your character is invincible or not, lock it at the invincible value and enjoy.

Tip: If your player flashes/fades while invincible and continues to do it indefinitely while you have
the cheat on, then flashing may be another variable that you'll need to find and edit/lock too.



- Position/Teleporting
Games are programs and thus built scientifically and follow basic math. This includes the position
of characters/players/objects; they're generally kept track of with coordinates on a grid (think back
to math class and plotting stuff on the X/Y axis).



In almost all cases, to the left is less X (either a smaller number or negative) and to the right is
more X (positive and/or a higher number). However Y can vary depending on if the origin of the
grid (have some more math class flashbacks!) is in the upper-left or the lower-left. Generally, work
on finding your left/right coordinate first because that's the easier one, and once you know one
coordinate, the other one(s) is/are usually very close to it (if not right next to it) in the game's RAM,
which narrows down your search a lot.

For 3D games this is a little tougher to start with because you don't have an obvious plane. Instead
try to look at your surroundings to see if there's any obvious left/right/up/down orientation with
buildings, polygons of land slopes, or even if you always spawn into a map facing a cardinal direction.
Failing that, if the game has some sort of north/south/east/west indicator, these are sometimes
aligned to the map's grid/coordinates so you can figure out how to move left and right or forward
and back and do unknown -> increase/decrease searches to find your coordinates.

Tip: In modern games (that aren't grid-based), positions are most often the float/double format.


- Time of Day
Generally games will reset the "time of day" to 0 either in the morning, or after the in-game midnight.
Then they increase the time of day until it resets again. So you can search for increasing values
through the afternoon, then wait for midnight/morning to pass and search for a decreased value
(since it can be assumed in most cases that the time of day reset then). You may need to try other
value types like 8-byte or float/double.

In other cases, the game may keep track of separate numbers for day and night passing and then
have another address that keeps track of whether it's currently day or night.

Tip: When searching for time, use the "all" type because there's no real way to guess the format.


- Infinite (Air/Double) Jumping
Being able to jump infinitely is pretty useful in most games, but how to do it depends on the game.

A - If the game is one where air jumping is an in-game feature (like metroidvania games), then
once you have the air/double jump ability there's generally an address that keeps track of whether you
have used your double jump yet (or how many air jumps you have left).

You can usually jump into the air normally and then search for 1 (since you still have your air jump
ability), then air jump and search for 0 before you hit the ground. Once you've found the address,
lock it at 1 (or whatever value is used to denote that you can do it) and enjoy.

B - If the game does not have air jumping as an in-game feature, then my general approach is to
find the "is the player standing on the ground" address. This could be 0 or 1, but it could also be
more complex things like a check for if "what type of terrain the player is standing on" matches a
value for normal ground you can jump off of (like in Cave Story).

So this is a situation where unknown initial scans and then changed/unchanged searching works best.
Stand on some ground you can jump off of and search, then jump into the air and search changed.
Then get back on the ground and search changed again, move to some different ground you can still
jump off of and search unchanged. Then jump and search changed, etc. Filter it down until you find it.

Tip: Try to avoid searching for "0" as your first search in any scan. It's usually much slower.


- Weapon/Attack Speed
In most games I've messed with, when you swing/attack with a weapon a timer is started. When that
timer is done counting, you can attack again. So you can try to apply some of the same info and ideas
from invincibility to this, since the basic logic is usually the same.

I've read that some games actually set a target time into the future and then allow you to re-fire when
that point in time is reached, so you may want to work off of that logic instead.

Tip: Attack speed is usually pretty quick, so this is a situation where the speedhack hotkeys help,
freezing time in-game so that you can scan multiple times before the attack/swing/reload finishes.



- One Hit Kill
When trying to make one-hit kills, it's tempting to attack monsters, search for the damage numbers that
pop up, then try to edit the addresses that contain those. The problem there is that those numbers are
generally just placeholders or display numbers that happen after the damage has already logically been
dealt, so you need to find what's actually applying the damage to the monster/enemy's health value.

First you should find the monster/enemy health value (doing an unknown scan if it's not displayed), then
once you have that, find and edit the game code that subtracts from the monster's health. Generally for
one-hit kills, the game calculates the damage done, stores the result in a register, and then subtracts that
register's value from the monster's HP. So what I generally do is to edit the register involved so that even
after calculating the right damage, the game instead subtracts something else, usually EBP, which holds
a memory address (which when converted from hex to decimal, equals billions of HP in damage).

Tip: So I basically change things like "sub [eax+123],ecx" into "sub [eax+123],ebp", depending on the game.


- Free Items/Money
When I make codes that let you buy things with no loss or use items without them being depleted, I'm not
actually searching for the cost of the items and then setting it to 0. That would take forever since there's so
many memory addresses to edit. Instead I'm finding the player's money and then checking what code is
writing to it when you buy something. I find the code that subtracts the cost from your money, and then edit
that code so that the cost for the items is never actually removed from your money.

Tip: This method is simple, but usually means that you still need to have enough money to buy the item in
the first place. If you dig around, you can usually find some sort of comparison that checks if you have enough
money to cover the cost of the item in the first place. Try to edit that comparison so that it always tells the
game that you can afford it, so that the game will let you buy anything for free no matter your money amount.

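As an added example that is not part of Rydian's post (and is not Cheat Engine code), here is a small Python model of the scan workflow the post relies on: memory is a bytearray, a first scan lists every aligned value of the chosen type (unknown initial value) or only those equal to a given value, and a next scan keeps the candidates whose value is now exact, changed, unchanged, increased or decreased relative to the previous scan. It then runs the "Infinite Jumping" approach B and the "Position/Teleporting" search against a toy game whose layout (on-the-ground flag at 0x200, float X position at 0x300, frame counter at 0x400) is an assumption made up for the demo, not taken from any real game.

```python
# Added example, not code from the post or from Cheat Engine: a model of the
# unknown-initial-value / next-scan workflow. The toy game and its layout
# (flag at 0x200, X position at 0x300, frame counter at 0x400) are constructed
# for this demo and are not taken from any real game.
import math
import random
import struct

TYPES = {"int32": "<i", "float": "<f"}          # value type -> struct format
MEM_SIZE = 4096

class Memory:
    """Simulated process memory, pre-filled with deterministic junk."""
    def __init__(self, size=MEM_SIZE, seed=1):
        rnd = random.Random(seed)
        self.buf = bytearray(rnd.getrandbits(8) for _ in range(size))
    def read(self, addr, fmt):
        return struct.unpack_from(fmt, self.buf, addr)[0]
    def write(self, addr, fmt, value):
        struct.pack_into(fmt, self.buf, addr, value)

def first_scan(mem, vtype, value=None, align=4):
    """Unknown initial value scan (value=None) or exact value scan.
    align=4 mirrors Cheat Engine's default 'Fast Scan' alignment."""
    fmt = TYPES[vtype]
    found = {}
    for addr in range(0, len(mem.buf) - struct.calcsize(fmt) + 1, align):
        v = mem.read(addr, fmt)
        if vtype == "float" and not math.isfinite(v):
            continue                                  # junk that decodes to NaN/inf
        if value is None or v == value:
            found[addr] = v
    return found

def next_scan(mem, vtype, previous, mode, value=None):
    """Keep only the previous candidates whose value now satisfies `mode`."""
    fmt = TYPES[vtype]
    kept = {}
    for addr, old in previous.items():
        new = mem.read(addr, fmt)
        if {"exact": new == value, "changed": new != old, "unchanged": new == old,
            "increased": new > old, "decreased": new < old}[mode]:
            kept[addr] = new
    return kept

FLAG_ADDR, POS_X_ADDR, FRAME_ADDR = 0x200, 0x300, 0x400   # hypothetical layout

class Game:
    """Toy game: on-the-ground flag, float X position, and a frame counter that
    ticks on every action (noise that survives 'changed' but not 'unchanged')."""
    def __init__(self, mem):
        self.mem = mem
        mem.write(FLAG_ADDR, "<i", 1)
        mem.write(POS_X_ADDR, "<f", 10.0)
        mem.write(FRAME_ADDR, "<i", 0)
    def tick(self, n):
        self.mem.write(FRAME_ADDR, "<i", self.mem.read(FRAME_ADDR, "<i") + n)
    def jump(self):
        self.mem.write(FLAG_ADDR, "<i", 0); self.tick(5)
    def land(self):
        self.mem.write(FLAG_ADDR, "<i", 1); self.tick(5)
    def walk(self, dx):
        self.mem.write(POS_X_ADDR, "<f", self.mem.read(POS_X_ADDR, "<f") + dx); self.tick(10)

def find_ground_flag(game):
    """'Infinite Jumping' approach B: unknown initial scan while standing, changed
    after jumping, changed after landing, unchanged after walking to other ground
    (this step throws out the frame counter), changed after jumping again."""
    mem, t = game.mem, "int32"
    c = first_scan(mem, t)
    game.jump();    c = next_scan(mem, t, c, "changed")
    game.land();    c = next_scan(mem, t, c, "changed")
    game.walk(3.0); c = next_scan(mem, t, c, "unchanged")
    game.jump();    c = next_scan(mem, t, c, "changed")
    return c

def find_position_x(game):
    """'Position/Teleporting': float type, increased when moving right, decreased
    when moving left; a counter that only ever grows drops out on the second step."""
    mem, t = game.mem, "float"
    c = first_scan(mem, t)
    game.walk(+2.5); c = next_scan(mem, t, c, "increased")
    game.walk(-1.0); c = next_scan(mem, t, c, "decreased")
    game.walk(+4.0); c = next_scan(mem, t, c, "increased")
    return c

def teleport(game, addr, x):
    """With the address known, writing it moves the player."""
    game.mem.write(addr, "<f", x)
    return game.mem.read(addr, "<f")

if __name__ == "__main__":
    g = Game(Memory())
    print({hex(a): v for a, v in find_ground_flag(g).items()})   # {'0x200': 0}
    g = Game(Memory())
    pos = find_position_x(g)
    print({hex(a): v for a, v in pos.items()})                   # {'0x300': 15.5}
    print(teleport(g, POS_X_ADDR, 500.0))                        # 500.0
```

Each search ends with a single candidate. The frame counter is the instructive part: it survives every "changed" filter, which is why a step where the value should stay put ("unchanged") belongs in the sequence, and a counter that only ever grows is removed by the first "decreased" scan. This is also the kind of noise that keeps a result list at tens of thousands of addresses when only one sort of filter is repeated.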
Attack
Cheater
Reputation: 0

Joined: 21 Mar 2011
Posts: 46
Location: Canada

Posted: Tue Feb 03, 2015 9:17 pm

Hi,

I know this is an old thread, but I am trying to allow higher/longer jumps in Jet Set Radio. For that, what kind of value type do you usually look for?

The height of the jump depends on how long the button is pressed. It also does tricks jumping off rails if certain conditions are met. I'm more concerned with being able to heighten the standard jump.
Rydian
Grandmaster Cheater Supreme
Reputation: 29

Joined: 17 Sep 2012
Posts: 1358

Posted: Wed Feb 04, 2015 4:51 pm

Attack wrote:
Hi,

I know this is an old thread, but I am trying to allow higher/longer jumps in Jet Set Radio. For that, what kind of value type do you usually look for?

The height of the jump depends on how long the button is pressed. It also does tricks jumping off rails if certain conditions are met. I'm more concerned with being able to heighten the standard jump.
Hm, in cases like this there's generally some sort of flag or timer for the ability to increase jump strength if the button is held down (and the timer disables the flag).

Searching for the flag would just be 1 when you have the button held and can give it more, and then searching for 0 when you still have the button held but it won't take any more force (and repeating as needed). The issue there will be setting up hotkeys or something like that (or making use of speedhack to freeze the game) so that you can do searches in CE without the game thinking you let go of the button.

A timer-based search would be generally the same thing, you'd have to do an All search or guess at the type (I'm not familiar with the PC version of JSR) but it's more likely that it'd be decreasing instead of increasing. Depending on how it works you may still have to use the hotkeys or freeze the process so that it does not realize you stopped holding jump while doing a scan.

Attack
Cheater
Reputation: 0

Joined: 21 Mar 2011
Posts: 46
Location: Canada

Posted: Wed Feb 04, 2015 5:05 pm

I know where the player related structure starts and by looking at the memory viewer, I can see several things that are related only to jumping. The player structure is large, so I haven't seen it all yet.

There's a flag that indicates if you are standing still, jumping, grinding, falling, etc. There's one that is 0/1/2 for jumping. There are two bytes that correlate to that via height somehow.
None of these can be frozen, and freezing them does nothing or only shortens the height.

So far, looking at the code has returned nothing useful, as all they do is update the flag, nothing else.
At the same time I am trying to find the code for the speed boost as it works similarly.

I'm learning a lot, so maybe eventually I will find something that is checking these flags rather than only altering them.
Rydian
Grandmaster Cheater Supreme
Reputation: 29

Joined: 17 Sep 2012
Posts: 1358

Posted: Wed Feb 04, 2015 6:52 pm

Attack wrote:
I'm learning a lot, so maybe eventually I will find something that is checking these flags rather than only altering them.
Sounds like a plan. Do "find what accesses" on them and see if there are any cmp functions that compare them to hardcoded values.
Attack
Cheater
Reputation: 0

Joined: 21 Mar 2011
Posts: 46
Location: Canada

Posted: Wed Feb 04, 2015 10:53 pm

Thanks. Eventually through analyzing I found the value that jump height is increased/decreased by. Only issue is that if I set it to 0, when the character does an air trick, he'll float forever, so you have to set a second variable to a negative value so he starts descending. Leads to some funny results.
Raybrand
How do I cheat?
Reputation: 0

Joined: 17 Apr 2012
Posts: 8
Location: United Kingdom

Posted: Sat Feb 14, 2015 4:04 pm

Is it possible to find a way of increasing all enemy health or decreasing player damage? If so, how would I go about doing it?

Another thing I wanted to explore: if you are gaining money and exp, how would you go about multiplying the amount that you would gain? I see it all the time in Pokemon with exp multiplier hacks.
Attack
Cheater
Reputation: 0

Joined: 21 Mar 2011
Posts: 46
Location: Canada

Posted: Sat Feb 14, 2015 5:17 pm

Raybrand wrote:
Is it possible to find a way of increasing all enemy health or decreasing player damage? If so, how would I go about doing it?

Another thing I wanted to explore: if you are gaining money and exp, how would you go about multiplying the amount that you would gain? I see it all the time in Pokemon with exp multiplier hacks.
The answer is yes. Once you have found the value, you find what accesses it, then you'll have to find what actually alters it. Then you write a script to inject some code.
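The "One Hit Kill" and "Free Items/Money" sections of the first post, and Attack's reply above, both come down to editing the instruction that writes to the value rather than the value itself. As an added example (not code from the post, from Cheat Engine, or from any game), here is what those edits look like on raw x86-32 machine code: a decoder for the `sub [reg+disp],reg` form, a patch that swaps the source register (Rydian's `ecx` to `ebp` edit), a NOP-out of the subtract that takes the cost, and a NOP-out of the conditional jump after the "can you afford it" compare. The instruction bytes, register contents, addresses and the HP and money figures are constructed for the demo; only the encoding rules (opcode 29 /r, the ModRM reg field, 0x90 for NOP, 70..7F for short conditional jumps) are real.

```python
# Added example, not code from the post or any game: the in-place machine-code
# edits described under "One Hit Kill" and "Free Items/Money", done on raw
# x86-32 bytes. Instruction bytes, register values, addresses and HP/money
# figures are constructed for the demo; the encoding rules are real.
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # ModRM order
MASK32 = 0xFFFFFFFF

def decode_sub(code, off):
    """Decode 'SUB r/m32, r32' (opcode 29 /r) with a plain register base and a
    0-, 8- or 32-bit displacement. Returns (length, base, disp, src)."""
    if code[off] != 0x29:
        raise ValueError("no SUB r/m32,r32 at offset %d" % off)
    modrm = code[off + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3 or rm == 4 or (mod == 0 and rm == 5):
        raise ValueError("register-direct, SIB and disp32-only forms not handled")
    if mod == 0:
        disp, length = 0, 2
    elif mod == 1:
        disp, length = struct.unpack_from("<b", code, off + 2)[0], 3
    else:
        disp, length = struct.unpack_from("<i", code, off + 2)[0], 6
    return length, REGS[rm], disp, REGS[reg]

def disasm(code, off):
    """Cheat Engine style text for the decoded instruction."""
    _, base, disp, src = decode_sub(code, off)
    return "sub [%s%s%X],%s" % (base, "+" if disp >= 0 else "-", abs(disp), src)

def patch_source_register(code, off, new_src):
    """One-hit-kill edit: change only the ModRM reg field so the instruction
    subtracts a different register. Same length, so nothing after it shifts."""
    decode_sub(code, off)                                   # validate first
    out = bytearray(code)
    out[off + 1] = (out[off + 1] & 0xC7) | (REGS.index(new_src) << 3)
    return bytes(out)

def nop_out(code, off):
    """Free-items edit: overwrite the whole subtract with NOPs (0x90) so the
    cost is never taken. The NOP run must be exactly the instruction's length."""
    length = decode_sub(code, off)[0]
    return code[:off] + b"\x90" * length + code[off + length:]

def nop_short_jcc(code, off):
    """Comparison edit: a short conditional jump (opcodes 70..7F, 2 bytes)
    replaced by NOPs always falls through. Whether fall-through is the
    'can afford' path depends on the game, so read the disassembly first."""
    if not 0x70 <= code[off] <= 0x7F:
        raise ValueError("no short Jcc at offset %d" % off)
    return code[:off] + b"\x90\x90" + code[off + 2:]

def execute_sub(code, off, regs, mem):
    """Apply the subtract to a dict-backed memory: mem[base+disp] -= src, 32-bit."""
    _, base, disp, src = decode_sub(code, off)
    addr = (regs[base] + disp) & MASK32
    mem[addr] = (mem[addr] - regs[src]) & MASK32
    return mem[addr]

def as_signed(v):
    """Reinterpret a 32-bit value the way a signed HP field would be read."""
    return v - (1 << 32) if v & 0x80000000 else v

# Constructed samples. DAMAGE_CODE is "sub [eax+123],ecx" as CE would show it.
# SHOP_CODE is "cmp [eax+30],ecx ; jb +0C ; sub [eax+30],ecx": money at eax+30,
# cost in ecx, and (in this made-up layout) the fall-through path is the purchase.
DAMAGE_CODE = bytes.fromhex("29 88 23 01 00 00")
SHOP_CODE = bytes.fromhex("39 48 30 72 0c 29 48 30")

def one_hit_kill_demo():
    """Normal hit vs. the same code after ecx is swapped for ebp."""
    regs = {"eax": 0x00A00000, "ecx": 37, "ebp": 0x0019FF80}   # ecx = damage, ebp = a stack address
    hp_addr = regs["eax"] + 0x123
    normal = execute_sub(DAMAGE_CODE, 0, regs, {hp_addr: 5000})
    patched = patch_source_register(DAMAGE_CODE, 0, "ebp")
    huge = as_signed(execute_sub(patched, 0, regs, {hp_addr: 5000}))
    return normal, disasm(patched, 0), huge

def free_items_demo():
    """Money after a normal purchase, and the shop code with both edits applied."""
    regs = {"eax": 0x00B00000, "ecx": 250}                      # ecx = item cost
    mem = {regs["eax"] + 0x30: 1000}
    paid = execute_sub(SHOP_CODE, 5, regs, mem)
    free = nop_short_jcc(nop_out(SHOP_CODE, 5), 3)
    return paid, free.hex(" "), disasm(SHOP_CODE, 5)

if __name__ == "__main__":
    print(one_hit_kill_demo())   # (4963, 'sub [eax+123],ebp', -1698808)
    print(free_items_demo())     # (750, '39 48 30 90 90 90 90 90', 'sub [eax+30],ecx')
```

`sub [eax+123],ecx` and `sub [eax+123],ebp` differ in a single byte (ModRM 88 versus A8), which is why the edit can be typed straight into the disassembler without moving any other code. With the stack address used here the patched subtract leaves HP at -1698808 when read as a signed field; read as unsigned, the same bits are over four billion. The NOP edits have to cover exactly the instruction's length, and NOP-ing the jump after the compare only means "buy anyway" if the fall-through path is the purchase in that particular game.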
annonymus
How do I cheat?
Reputation: 0

Joined: 20 Jul 2015
Posts: 3

Posted: Mon Jul 20, 2015 4:56 am    Post subject: Check

I'm trying to change a value with Cheat Engine, but when I'm looking for that value I get like 50-60k addresses. And if I try to change it, Cheat Engine gets stuck. How can I find the actual value that I need to change? Is there any way?
Rydian
Grandmaster Cheater Supreme
Reputation: 29

Joined: 17 Sep 2012
Posts: 1358

Posted: Mon Jul 20, 2015 5:19 am    Post subject: Re: Check

annonymus wrote:
I'm trying to change a value with Cheat Engine, but when I'm looking for that value I get like 50-60k addresses. And if I try to change it, Cheat Engine gets stuck. How can I find the actual value that I need to change? Is there any way?
You're doing "next scan" to try to find the value when it changes in-game? That should lower the results by at least a bit each time. For some values you may need to do "next scan" 5-20 times or more.
annonymus
How do I cheat?
Reputation: 0

Joined: 20 Jul 2015
Posts: 3

Posted: Mon Jul 20, 2015 6:13 am

It's like this: I have "9" gold and can't use it anywhere. If I try to modify all "9" values I get from scan my browser crashes. I can't modify the number so I could scan again...
Rydian
Grandmaster Cheater Supreme
Reputation: 29

Joined: 17 Sep 2012
Posts: 1358

Posted: Mon Jul 20, 2015 2:52 pm

How many values are you left with? You should be filtering until you have like 1-5 left.
annonymus
How do I cheat?
Reputation: 0

Joined: 20 Jul 2015
Posts: 3

Posted: Wed Jul 22, 2015 3:48 am

I have like 50,000 values after filtering 30 or more times.
Rydian
Grandmaster Cheater Supreme
Reputation: 29

Joined: 17 Sep 2012
Posts: 1358

Posted: Wed Jul 22, 2015 1:34 pm

You'll want to...

A - Figure out some ways to scan to filter it down more. Changed/unchanged, raise/lower it in-game.

B - Use a different browser, with only one tab, and only play that game in it. That way you should get way less stuff from other things in the way.

However if this is a flash game make sure you're attaching to the flash process and not the browser.

Zares
How do I cheat?
Reputation: 0

Joined: 29 Aug 2015
Posts: 2

Posted: Sun Aug 30, 2015 12:08 am

Hey there Rydian, these 2 weeks I've been following most of your tutorials, including your YouTube videos. I had no knowledge of assembly yet, but I pretty much understand what's going on in the memory viewer thanks to your tutorial.

However, there are a few experiments I would like to try, but I need a little explanation of whether these are correct or not. I've been practicing all this stuff, including AOBs, on Terraria, so I know my information should be easier for you to understand in terms of what I am trying to achieve.

Basically, the game works (probably) similar to "Oh, this player picked up 1 wood, let's give 1 wood to his inventory".

So I changed and tricked the game into thinking "Oh, this player picked up 1 wood, let's give 50 wood to his inventory".

It works, but sometimes the AOBs stop working after a couple of game restarts. But this is not the issue.

What I want to try is changing the things that are being calculated. For example, "Oh, this player picked up 1 wood, let's give him 50 luminite bars instead".

To summarize, it's similar to an item-changing hack, but I want to avoid using any inventory editor or stuff like that. Just CE and the game.

By finding the overall wood I have, and then picking up another wood, I get a few entries in "Find what writes...", and I managed to get "26b" as wood's item ID, probably as a hex number.

My question is, if I find a luminite bar's or diamond's item ID, and then replace it with the "26b", will this hack work? Will picking up 1 wood give me 50 luminite bars as intended?

And if it works, how do I find out the item ID of something without actually getting it to scan first? It's impossible to get a luminite bar at the very start of a Terraria world, you know.

I added color for easier understanding, and sorry for the long post. I couldn't shorten it without deleting the important information.

_________________
I'm here just to learn everything about hacking, let me know if there's a tutorial about something I haven't learned yet.
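Zares's post mentions AOBs. An array-of-bytes scan is a pattern match over code bytes in which some positions are wildcards; it is how Cheat Engine finds an instruction again once addresses have moved. As an added example (not code from the post, from Cheat Engine, or from Terraria), here is that matching in Python, run against two constructed versions of one small routine: in the second version one register and one field displacement differ, which is enough to make an exact-bytes signature stop matching while a signature with wildcards on the changed bytes still finds the instruction. The routine, the signatures and the changed bytes are all made up for the demo.

```python
# Added example, not code from the post, Cheat Engine or Terraria: matching an
# array-of-bytes (AOB) signature with wildcards. CODE_A and CODE_B are two
# constructed versions of the same routine; the changes between them are made
# up to show why an exact signature can stop matching.

def parse_aob(pattern):
    """'29 ?? 23 01 00 00' -> [0x29, None, 0x23, 0x01, 0x00, 0x00]; None = wildcard."""
    out = []
    for tok in pattern.split():
        if tok in ("?", "??", "*", "**"):
            out.append(None)
        elif len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            out.append(int(tok, 16))
        else:
            raise ValueError("bad AOB token %r" % tok)
    return out

def aob_scan(data, pattern):
    """Offsets of every match of the pattern in data (all of them, so the caller
    can tell whether the signature is unique)."""
    pat = parse_aob(pattern)
    hits = []
    for off in range(len(data) - len(pat) + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pat)):
            hits.append(off)
    return hits

# push ebp / mov ebp,esp / mov eax,[ebp+08] / mov ecx,[ebp+0C] / sub [eax+123],ecx / pop ebp / ret
CODE_A = bytes.fromhex("55 8b ec 8b 45 08 8b 4d 0c 29 88 23 01 00 00 5d c3")
# same routine, but the second load now goes to edx and the field offset is 12B
CODE_B = bytes.fromhex("55 8b ec 8b 45 08 8b 55 0c 29 90 2b 01 00 00 5d c3")

EXACT_SIG = "29 88 23 01 00 00"                        # the instruction's own bytes
STABLE_SIG = "8b 45 08 8b ?? 0c 29 ?? ?? 01 00 00"     # wildcards where bytes moved
SUB_OFFSET_IN_SIG = 6                                  # the sub starts 6 bytes into STABLE_SIG

def locate_sub(data):
    """Offset of the subtract found through the wildcarded signature, or None if
    the signature is absent or ambiguous (then it needs more context bytes)."""
    hits = aob_scan(data, STABLE_SIG)
    return hits[0] + SUB_OFFSET_IN_SIG if len(hits) == 1 else None

if __name__ == "__main__":
    for name, blob in (("A", CODE_A), ("B", CODE_B)):
        print(name, "exact:", aob_scan(blob, EXACT_SIG), "stable:", locate_sub(blob))
```

The trade-off is the usual one: the more bytes are wildcarded, the more likely the signature is to survive a rebuild, and the more likely it is to match somewhere it should not. That is why `locate_sub` refuses anything but exactly one hit; a signature that matches twice needs more surrounding context bytes rather than fewer.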
All times are GMT - 6 Hours
Page 1 of 3

Powered by phpBB © 2001, 2005 phpBB Group