Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
A quick method
Turtle
Advanced Cheater
Reputation: 7

Joined: 25 Jul 2004
Posts: 78

Posted: Tue Jan 24, 2006 11:19 am    Subject: A quick method

When using mhs

After you find a value that you want to resolve, and you find its address, say its address is (34891278). Try the following:

1. Select the pointer search.

2. Choose a "range" type search.

3. For the max value of the range put the address of the value you want resolved, for example (34891278). For the lowest part of the range set all the last 5 digits to '0' so (34800000). Make sure that the "only find static pointers" box is ticked.

The first box is for the lowest value of the range, and the 2nd box, (the one on the right) is for the max value of the range.

That should search for static pointers that point to addresses in that range that are before the address of the value that you want resolved. Also, in the box that says "save offsets from", just put in the same address as the max value of the range (34891278).

Now in the results window it will show each static pointer and the offset distance between the address that they point to and the address of the value you want resolved. All the offset distances will be listed with a "-" sign in front of them, since we are saving offsets from the max part of the range, so pick the one with the smallest negative offset, so "-500" is better than "-1000". The decimal offset distance is shown in brackets. It's easier to work with decimal offsets. There is also a "go to closest" button on the results window which should automatically show you the pointer with the smallest offset distance; it will highlight it.

Now with that static pointer, to test it just remember that you are adding that 500 to the address that the pointer points to, in order to get the address of the value that you want resolved. So test it.

If that static pointer turns out to be unreliable, then you can try the next best one, for example the next best one could be "-600", it's a larger offset, but it may be a more reliable static pointer.


Last edited by Turtle on Wed Jan 25, 2006 9:16 am; edited 2 times in total
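
The range search described in the post above, as an added example that is not part of the original thread: it runs over a constructed address-to-value snapshot instead of a live process, and it goes one step further by checking each candidate against a second constructed snapshot taken after a restart. The static range, the pointer holder addresses and the 0x10000 shift are assumptions made for illustration; only 34891278 and 34800000 come from the post.

```python
# Constructed snapshot: address -> 32-bit value stored there (not real process memory).
STATIC_START, STATIC_END = 0x00400000, 0x00500000  # assumed static (module image) range
TARGET = 0x34891278                    # address of the value, taken from the post
LOW = TARGET & ~0xFFFFF                # last 5 hex digits zeroed -> 0x34800000

SNAPSHOT = {
    0x0045A010: 0x34891084,  # static, points 500 bytes before TARGET
    0x0045B200: 0x34890E90,  # static, points 1000 bytes before TARGET
    0x0045C300: 0x34891300,  # static, but points past TARGET: outside the range
    0x0045D400: 0x12345678,  # static, unrelated value
    0x34800040: 0x34891200,  # value is in range, but the holder is not static
}

# Constructed second run: the heap block moved by 0x10000. The first pointer was
# not updated (unreliable); the second one still tracks the structure.
NEW_TARGET = TARGET + 0x10000
RESTARTED = dict(SNAPSHOT)
RESTARTED[0x0045B200] = 0x34890E90 + 0x10000


def range_pointer_search(snapshot, low, high, save_offsets_from):
    """Static pointers whose value lies in [low, high], closest first."""
    hits = []
    for holder, value in snapshot.items():
        if STATIC_START <= holder < STATIC_END and low <= value <= high:
            hits.append((holder, value - save_offsets_from))  # negative or zero
    return sorted(hits, key=lambda hit: abs(hit[1]))


def resolve(snapshot, holder, offset):
    """Add the offset's magnitude to what the pointer holds (listed offset is negative)."""
    return snapshot[holder] - offset


def first_reliable(hits, later_snapshot, later_target):
    """Try candidates in closest-first order; keep the first that still resolves."""
    for holder, offset in hits:
        if resolve(later_snapshot, holder, offset) == later_target:
            return holder, offset
    return None


if __name__ == "__main__":
    hits = range_pointer_search(SNAPSHOT, LOW, TARGET, TARGET)
    for holder, offset in hits:
        print(f"{holder:08X} -> offset {offset} ({offset:#x})")
    print("reliable:", first_reliable(hits, RESTARTED, NEW_TARGET))
```

Here the "-500" candidate is listed first but fails after the restart, so the "-1000" candidate is the one that survives, which is the fallback the post describes.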
Dark Byte
Site Admin
Reputation: 340

Joined: 09 May 2003
Posts: 19908
Location: The netherlands

Posted: Tue Jan 24, 2006 12:05 pm

problem with this method is that it's only a level 1 pointer, and doesn't take into account module addresses that change

Another method that might be easier to use is ce's pointer scanner. To get the results described here, just do a max level of 1 and structsize of at least 1024 and it'll scan quickly. (but I recommend a higher value because only very few games use level 1 pointers)

When the scan is done just doubleclick the address and it'll be added to the list with all offsets filled in for you

You can also easily test the results, by saving the addresses it found, and reboot, or restart the game, then reopen the game, reload the list, and then use the option "rescan memory" to filter out the wrong ones

and another thing, if you want to have a list with more addresses, then use the option to use static code as base instead of dissecting

Also, for people using the injected pointerscan feature of 5.2.28, use max level of 2 for max level 1, max level of 3 for max level 2, etc. (small bug, but the scanner is working)

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Turtle

Posted: Tue Jan 24, 2006 3:05 pm

Ok.

For "size of structure" I put 1024, and for "max level" I put 3, but what should I put for "level 0 structsize"?
Dark Byte

Posted: Tue Jan 24, 2006 3:16 pm

depends on your method
if you use the option to use module data as static address then 4, but if you use dissection I recommend something like 30 or 40

I recommend the injected pointer scan though, it's more accurate, and faster

Another thing you might want to watch is that some modules have a more direct path to an address than others.
For example, if the base module at 00400000 has a level 7 pointer to your address, it then might also be that there is another module that can reach it with only a level 2 or 3 pointer. (e.g. gamex86.dll will have a shorter path to health than quake4.exe, which links to gamex86.dll which links to your address)

Turtle

Posted: Tue Jan 24, 2006 3:29 pm

I tried the injected scanner, it's fast. It seems a bit different to the regular scanner.

Also, how would I know which module has the shortest path?
Dark Byte

Posted: Tue Jan 24, 2006 3:36 pm

Yes, it is a complete rewrite, and even fixes some bugs, has a small change on how I keep track of successful and unsuccessful pointer paths, and shows more data (so you now see it hasn't crashed on one address but is dissecting a base path, which can sometimes be quite large)

But choosing the right module can be tricky. You can usually find it using the base module and a big enough max level, but each level increases the number of addresses to find with the factor of your structsize. (worst case scenario with no skipping of unsuccessful paths and all addresses it encounters are pointers: addresses to scan*structsize*structsize*structsize*.....)

But usually you want to scan the game engine itself for the pointer. The module names usually have a name that is interpretable (e.g. gamex86.dll, unrealengine.dll, civ4core.dll, ...), or perhaps you found a few easy to find pointers yourself that lead you to a certain module each time

Turtle

Posted: Tue Jan 24, 2006 3:47 pm

When I do an injected scan and then try to do another one right after, I get an error msg: "Access violation at address 00000000. Read of address 00000000."
Dark Byte

Posted: Tue Jan 24, 2006 3:49 pm

I know, that's a bug. (was to be expected with raw cvs snapshots)
If the settings window gets closed it frees it, it shouldn't have done that anymore

it's already been fixed in the cvs

to fix it now: just close the old pointer scanner, and reinject using ce

Turtle

Posted: Tue Jan 24, 2006 4:03 pm

Not all dynamic pointer equations are simple addition, are they? Simple addition ones may look something like: "mov eax, [esi+1a]"

That's fairly straightforward, but I don't know if they are all that simple. Does CE deal with all types of equations when scanning?
Dark Byte

Posted: Tue Jan 24, 2006 4:06 pm

In a way, it scans from 0 to structsize, so if it was something like eax+esi*8 it will find the first 128 elements when using a structsize of 1024, but you're right if it is a movable element, but if the element is fixed like esi=0 for first player, esi=1 for 2nd player, esi=2 for 3rd player, then it will find it

and there is usually another path to it as well, like the current object under the cursor, or lastselected object, or something

Let's just say: if it can be written down as a pointer address, it can be found. (may take some years if you have to resort to structsizes of 10kb or bigger, but it will find it ;) )

Turtle

Posted: Wed Jan 25, 2006 8:51 am

Dark Byte wrote:
"another thing you might want to watch, is that some modules have a more direct path to an address than others.
For example if the base module at 00400000 has a level 7 pointer to your address, it then might also be that there is another module that can reach it with only a level 2 or 3 pointer. (e.g. gamex86.dll will have a shorter path to health than quake4.exe, which links to gamex86.dll which links to your address)"

Could someone make their own injected .dll to provide a shorter pointer path? Or would it have to be one of the existing .dlls?
Dark Byte

Posted: Wed Jan 25, 2006 12:56 pm

You can inject any dll you want with the dll injection option. (the injected pointer scanner that comes with ce is also injected using that same method, the user interface is part of the dll)

But I don't completely understand what you mean with a shorter path. If you know a shorter path, you don't really have to scan because you already know it.
Or if you mean that you did find the first and perhaps even 2nd level pointer for an address, but the base address still isn't green, then you can also do a pointer scan for that base address, and then later just append the offsets you already found

TheBaron88
How do I cheat?
Reputation: 0

Joined: 06 May 2006
Posts: 2

Posted: Sat May 06, 2006 6:36 am

Quote: "the injected pointer scanner that comes with ce"

Is this the "Pointer Scan" in the "Tools" menu?
Dark Byte

Posted: Sat May 06, 2006 6:43 am

Kinda, I'm talking here about the injected pointer scan option that comes with the weekly compile. (I also posted the dll separately a while back in a prince of persia thread) It's basically the same, but a lot faster.
TheBaron88

Posted: Sat May 06, 2006 7:28 am

Got a link for the dll or the latest build plz, can't find that thread.

All times are GMT - 6 Hours