Cheat Engine Forum -> Cheat Engine Tutorials
Guides: Pointer Scanner + Injection Copies + AOB To Data (page 5 of 5)
Kawaii desu ne
How do I cheat?
Reputation: 0

Joined: 13 Sep 2016
Posts: 7

Posted: Fri Sep 16, 2016 5:51 am

So I have a problem doing this with a game. I have multiple resources that are not too far away from each other. For example: Wood = 0F77C1F8 and Stone = 0F77C230 and Wool = 0EEBEB30.

My problem is that the instruction that adds resources has no offset.
Just an add [eax],ecx. Here's what I see. The add instruction is marked with an arrow.

Code:

"Game.exe"+93417: 8B CE                 -  mov ecx,esi
"Game.exe"+93419: 6A 00                 -  push 00
"Game.exe"+9341B: E8 D0 6D F9 FF        -  call Game.exe+2A1F0
"Game.exe"+93420: 85 C0                 -  test eax,eax
"Game.exe"+93422: 74 6F                 -  je Game.exe+93493
"Game.exe"+93424: 56                    -  push esi
"Game.exe"+93425: B9 80 A8 5B 01        -  mov ecx,Game.exe+53A880
"Game.exe"+9342A: E8 21 95 FC FF        -  call Game.exe+5C950
"Game.exe"+9342F: 8B 4D 0C              -  mov ecx,[ebp+0C]
"Game.exe"+93432: 8B 3D AC 9A 5B 01     -  mov edi,[Game.exe+539AAC]

"Game.exe"+93438: 01 08                 -  add [eax],ecx <--- Used instruction
"Game.exe"+9343A: 85 FF                 -  test edi,edi
"Game.exe"+9343C: 75 32                 -  jne Game.exe+93470

"Game.exe"+9343E: 68 14 B2 02 00        -  push 0002B214
"Game.exe"+93443: FF 15 48 C9 48 01     -  call dword ptr [Game.exe+40C948]
"Game.exe"+93449: 83 C4 04              -  add esp,04
"Game.exe"+9344C: 89 45 08              -  mov [ebp+08],eax
"Game.exe"+9344F: 89 7D FC              -  mov [ebp-04],edi
"Game.exe"+93452: 85 C0                 -  test eax,eax
"Game.exe"+93454: 74 0B                 -  je Game.exe+93461
"Game.exe"+93456: 8B C8                 -  mov ecx,eax
"Game.exe"+93458: E8 F3 92 16 00        -  call Game.exe+1FC750
"Game.exe"+9345D: 8B F8                 -  mov edi,eax


It's all the same with Wood, Stone and Wool. But how can I find the base address without any offsets? Is that even possible, or am I just too stupid to understand what I should be doing?
paul44
How do I cheat?
Reputation: 0

Joined: 20 Jul 2017
Posts: 4

Posted: Mon Aug 21, 2017 2:07 pm    Post subject: some Qs + feedback

Great article, as usual!

I do have some questions though (see [imgur_com/a/TluBh] for details):
a. is there a way to "dealloc" the 'globalalloc'? Yes, we are talking 4-8 bytes here, but I see it as a "correct coding" principle...
(I assume this function acts similarly to the MSDN function, whose counterpart is GlobalFree?)
(see 1st image)
b. based on previous AOB experience (another one of your tutorials), I learned that the aobscan label already receives the appropriate address. And it works in the same way with the 'AOB to Data' approach. I.e. you can use the AOBscan label; no need to introduce an additional label?!
Tested and working, but - just to be sure - can I expect "trouble" this way?
(see 2nd image)
c. I'm actually a bit amazed that I've not seen anyone mentioning the 'Userdefined Symbol' table. I find it incredibly useful while working with these scripts! As you dis/enable scripts, you'll see the appropriate labels dis/appearing... And jump to their memory locations from there.
And hence my question in pt b. (when nothing is enabled, the table is empty ~ sort of)
(see 3rd image)

Sidequestions:
1. is there a way to identify whether a structure is a 'struct' or 'class'; and whether or not it contains Virtual Functions?
2. (see 4th image)
one of the structures I found (SoM) started with pointers (or these values were identified as such). What I understand from a book I'm currently reading is that one of the features of a structure is that all its values are aligned to the same size (in my case 4 bytes, or so I assume). But since SoM is 64-bit, that would imply that pointers have an 8 byte size?!
- note that in the image some pointers (?) are 2 bytes long?
- note that I've changed some of the initial types to 'Float' (as being the correct type)
3. if one uses the same label (e.g. INJECT for each AOBscan) in several scripts (active in the address list), will this not cause any conflicts? Not tested myself (yet)...
ParkourPenguin
Grandmaster Cheater Supreme
Reputation: 52

Joined: 06 Jul 2014
Posts: 1749
Location: Arcadian Suburbia

Posted: Mon Aug 21, 2017 2:57 pm

paul44 wrote:
a. is there a way to "dealloc" the 'globalalloc'? Yes, we are talking 4-8 bytes here, but I see it as a "correct coding" principle...
Not really. That's the point of globalalloc. It only allocates memory once and it's there forever. If you don't like that, then use alloc in place of globalalloc and dealloc that memory in the disable section.
paul44 wrote:
b. based on previous AOB experience (another one of your tutorials), I learned that the aobscan label already receives the appropriate address. And it works in the same way with the 'AOB to Data' approach. I.e. you can use the AOBscan label; no need to introduce an additional label?!
I don't know exactly what you're talking about, but if you mean something like this:
Code:
aobscan(foo,AA BB CC DD)
label(bar)
registersymbol(bar)

foo:
bar:
The label "bar" is unnecessary since the symbol "foo" could be registered instead.
Code:
aobscan(foo,AA BB CC DD)
registersymbol(foo)

paul44 wrote:
I'm actually a bit amazed that I've not seen anyone mentioning the 'Userdefined Symbol' table. I find it incredibly useful while working with these scripts! As you dis/enable scripts, you'll see the appropriate labels dis/appearing... And jump to their memory locations from there.
And hence my question in pt b. (when nothing is enabled, the table is empty ~ sort of)
I didn't see any question in those statements. If you're wondering why no one seems to talk about the symbol handler form, then IMO it's because that form is more of a trifle than anything else. I don't have any significant use for it.
paul44 wrote:
1. is there a way to identify whether a structure is a 'struct' or 'class'; and whether or not it contains Virtual Functions?
There's very little difference between a struct and a class (at least from the perspective of C++). Objects of a class using virtual functions should have a pointer to a vtable as their first member.
paul44 wrote:
2. (see 4th image)
one of the structures I found (SoM) started with pointers (or these values were identified as such). What I understand from a book I'm currently reading is that one of the features of a structure is that all its values are aligned to the same size (in my case 4 bytes, or so I assume). But since SoM is 64-bit, that would imply that pointers have an 8 byte size?!
I don't know if you posted the wrong image, but everything CE automatically deduced as a pointer is clearly 8 bytes long. This can be seen from their offset from the start of the structure. Perhaps it's confusing that CE doesn't show leading 0s after 8 characters, but that's as aesthetically pleasing as CE can make displaying addresses IMO.
paul44 wrote:
3. if one uses the same label (e.g. INJECT for each AOBscan) in several scripts (active in the address list), will this not cause any conflicts? Not tested myself (yet)...
If you register that symbol, then of course there will be conflicts.
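The listing in Kawaii desu ne's post above is the textbook case for the injection-copy ("AOB to Data") technique this guide covers, and ParkourPenguin's points about alloc versus globalalloc and about registering symbols apply to it directly. The Cheat Engine auto-assembler script below is an added example written for this page, not a script from the guide or from either poster. It assumes a 32-bit Game.exe (the listing uses eax/ebp and 32-bit immediates), that eax still holds the resource pointer at the `mov edi,[Game.exe+539AAC]` one instruction before the `add [eax],ecx` (nothing between the call at +9342A and the add writes eax), that the three resources are the only callers of this code path, and that the wildcarded pattern is unique in Game.exe (extend it if the scan finds more than one hit). Because the add itself is only two bytes and is followed by a relative jne, the hook goes on the 6-byte mov edi instead; the displacement is wildcarded in the scan and the original bytes are copied with readmem so the script survives a rebuild that moves that global. The names INJECT, newmem, resBase and origBytes are the script's own.

```asm
[ENABLE]
// Wildcard the 4-byte displacement of "mov edi,[Game.exe+539AAC]" and the
// jne displacement so the scan survives a rebuild that moves that global.
aobscanmodule(INJECT,Game.exe,8B 3D ?? ?? ?? ?? 01 08 85 FF 75 ??)
alloc(newmem,$1000)
alloc(resBase,$10)      // three pointer slots: +0, +4, +8 (assumed: one per resource)
alloc(origBytes,8)      // copy of the 6 overwritten bytes, restored in [DISABLE]
label(code)
label(return)
label(tryslot2)
label(tryslot3)
registersymbol(INJECT)
registersymbol(resBase)
registersymbol(origBytes)

origBytes:
  readmem(INJECT,6)     // read before INJECT is patched

resBase:
  dd 0 0 0 0            // start with empty slots

newmem:
  // eax = address of the counter the following add [eax],ecx will increment.
  // Record each distinct address once; skip if it is already in a slot.
  cmp [resBase],eax
  je code
  cmp [resBase+4],eax
  je code
  cmp [resBase+8],eax
  je code
  cmp dword ptr [resBase],0
  jne tryslot2
  mov [resBase],eax
  jmp code
tryslot2:
  cmp dword ptr [resBase+4],0
  jne tryslot3
  mov [resBase+4],eax
  jmp code
tryslot3:
  cmp dword ptr [resBase+8],0
  jne code              // all slots taken: drop rather than overwrite
  mov [resBase+8],eax
code:
  // Flags clobbered by the cmp above do not matter: the original add and
  // test set them again before the jne that consumes them.
  readmem(INJECT,6)     // original mov edi,[Game.exe+xxxxxxxx], absolute address, safe to copy
  jmp return

INJECT:
  jmp newmem
  nop
return:

[DISABLE]
INJECT:
  readmem(origBytes,6)  // put the saved 6 bytes back
dealloc(newmem)
dealloc(origBytes)
dealloc(resBase)
unregistersymbol(INJECT)
unregistersymbol(resBase)
unregistersymbol(origBytes)
```

After enabling the script, add three 4-byte entries to the address list as pointers with base resBase and offsets 0, 4 and 8; each fills in the first time the game adds that resource, in whatever order the game touches them, and from there the pointer scanner can be pointed at the captured addresses. alloc rather than globalalloc is used deliberately so the [DISABLE] section can dealloc and unregister everything, which is exactly the trade-off discussed above: the captured pointers disappear when the script is disabled, and the symbols have to be registered by hand because alloc does not do it for you.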
paul44
How do I cheat?
Reputation: 0

Joined: 20 Jul 2017
Posts: 4

Posted: Tue Aug 22, 2017 2:46 am    Post subject: Class vs Struct (and whatnot)...

@ParkourPenguin: thx for your reply.
Q1: I first assumed that one HAD to use Globalalloc() to have it picked up in the address list; apparently alloc() will do as well...
Q2: that is indeed what I meant
Q3: from a beginner's point of view, this table is great (when I picked up this technique, I had no idea what was saved in / referred to by these labels;
for a Pro this is old news, I get that). Still, it is an easy way to get around in memory...
Q4: yep, I concluded that myself, about struct vs class. But I'm getting there eventually... (meaning about identifying structures & VFs)
Q5: pointers at the start of the structure (last image):
the 1st ptr is 8 bytes (fair enough), but the 2nd one just 2 bytes (?); or am I reading/interpreting this incorrectly? Also (I need to check this), but the 1st 2 entries seem to point to my game's exe memory, while the others point to data memory?!
How would one (possibly) interpret those pointers? F.i. does (could it) mean that the 1st 2 are (virtual) functions? And what about the other ones?
AND: there is a "regularity" here: 8+2, 8+2, etc...

-EDIT-
As soon as you mentioned "hex", it hit me (like a stick on a donkey's ass). Sorry about that: blame it on my feminine side, talking before her turn.
As for the VF table stuff: way too early for me - as a beginner - to dig/debug into that. But I'll get there eventually...
And fyi: alloc() works as well. thx


Last edited by paul44 on Wed Aug 23, 2017 3:38 am; edited 1 time in total
ParkourPenguin
Grandmaster Cheater Supreme
Reputation: 52

Joined: 06 Jul 2014
Posts: 1749
Location: Arcadian Suburbia

Posted: Tue Aug 22, 2017 8:40 am

paul44 wrote:
Q1: I first assumed that one HAD to use Globalalloc() to have it picked up in the address list; apparently alloc() will do as well...
If you want to use it in the address list, make sure to register the symbol. globalalloc does this automatically; alloc does not.

paul44 wrote:
the 1st ptr is 8 bytes (fair enough), but the 2nd one just 2 bytes (?); or am I reading/interpreting this incorrectly?
That's hexadecimal. 0x10 = 16 in decimal. 16 - 8 = 8.

paul44 wrote:
Also (I need to check this), but the 1st 2 entries seem to point to my game's exe memory, while the others point to data memory?!
How would one (possibly) interpret those pointers? F.i. does (could it) mean that the 1st 2 are (virtual) functions? And what about the other ones?

As I said before, if a class has virtual functions, then objects of that class will have a pointer to a vtable as their first member. The first pointer could be pointing to a vtable, but I don't know. The others, I have no idea what they're used for. If you're curious, debug the game and figure out how it's using those members and/or the data those members are pointing to.

kennethas
How do I cheat?
Reputation: 0

Joined: 14 Aug 2017
Posts: 4

Posted: Wed Aug 23, 2017 5:31 am

@ParkourPenguin can you help me with something in aobscan codes? I can't PM you, maybe because I'm new.