Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
What are pointers?
Zhoul (Master Cheater)
Posted: Fri Nov 25, 2005 6:46 pm

Have you checked out the "Basic Assembler" section in the CE help file? This *really* nails down the basics of instructions like mov, sub, various jumps and other things. Also, if you pick any single ASM line in the Memory View area, the little white area between the top and bottom section gives a pretty good description of what that line is doing. DB: Both of those have been a godsend. This is the only disassembler I've messed with that actually does this (although I must admit that I have only messed with a few other disassemblers).

"At least i am able to attach one after editing those 4 Bytes." <---- I have been searching for this very method for a while, as I knew of its existence, but never knew it was right under my nose the whole time =) Thanks!!
*Edit* - My god man. That was too easy! Worked like a charm. I have 2 copies of CE 5.1 installed and batch files that 'set' their default settings, one for 'normal' scanning, the other for stealth. In order to get this to work, I had to use my stealth loadout to change the debug value, but once I did that, I was able to use my 'normal' profile to scan and debug. Because the stealth variation usually takes a good deal of CPU time, it scans much slower, so it's nice to be able to use 'normal/non-stealth' settings.

If you want to learn how to setup multiple CE's that use different settings profiles, check this thread.
http://forum.cheatengine.org/viewtopic.php?t=4597

If you can give me an exact example of when you're trying to execute the method you first mentioned, I will try to go through it myself and post my results, then post how I would have resolved the pointer as well, as a side-by-side comparison. If the method you mention 'breaks' at any point, I'll also post why it broke. As I said, there are a great many reasons why it could break, and that's why I have abandoned the method for other methods since figuring them out.

When I say exact example, all I really need is the value that you're trying to find the pointer to (i.e. nitro, speedbreaker, etc).

"That much work and generous insight..." <--- At least there are still people out there who appreciate and realise the work involved in doing these things. For every one of you, there are a good 50 other people who shrug and move on, never trying to understand or ask a question. Then all those words I thoughtfully put together are wasted =)

- Zhoul
ClaireValentine (Newbie cheater)
Posted: Fri Nov 25, 2005 10:33 pm

Glad to be able to give something back at last, so even newbies can be of some use...
Okay, since you offered it, here's my approach (posted the whole thing though, to make possible errors more obvious):
I start Cheat Engine, go to the settings tab and under Extra I have everything disabled except the "open process" and "read/write process memory" settings enabled.
So I open speed.exe, start by changing those 4 bytes to make it debugger ready, switch to NFS and look up my current amount of money (9.996.499, since I once saved after directly changing my value to 9.999.999).
So I fire up an exact value search for that and it returns (luckily) a single address (in this case 02B9CEB4), which I verify by setting some values and watching the money account in NFS change accordingly.
At this point, after double-clicking it, I right-click it in the lower window, attach a "what writes to" debugger, switch to NFS, go to a garage and buy a new car colour, switch back to CE, and get the following in the watcher window:

0056d627 - 89 41 0c - mov [ecx+0c],eax

So i click on more information and get:

0056d622 - ret 0004
0056d625 - sub eax,edx
>>0056d627 - mov [ecx+0c],eax
0056d62a - ret 0004
0056d62d - int 3
Copy memory
The value of the pointer needed to find this address is probably
02B9CEA8
EAX=009886DF EDX=000001F4 ESP=0012FDA4
EBX=087971B0 ESI=000001F4 EBP=0BF04BA8
ECX=02B9CEA8 EDI=009B8E80 EIP=0056D62A

After that I start a new hex search for 02B9CEA8 (4 bytes, exact value),
and this one always returns nothing...
Compared to the tutorial this should return some addresses, which I would enter one by one via "add address manually" (clicking pointer) in the address field of that window, using the "0c" as offset...
Or am I getting something wrong here?
Thanks in advance,
G.

_________________
All the excitement of a trip to hell - without the negative side-effects
Zhoul (Master Cheater)
Posted: Sat Nov 26, 2005 12:19 am

Finding a pointer path, in Need for Speed - Most Wanted v1.2 (out of the box install).

Money, is the value we're going to deal with...

- Got address of current money. (This is not a 'scanning' how-to, so I'll spare you that process).
- Right-clicked and did a "What Writes to this value"

- 0056d627 - mov [ecx+0c],eax
- Supposed Pointer: 01C8CEB8 + 0C

- I too turned up nothing on search results.

At this point, we have to see if ECX was modified prior to it being used. This is a perfect example of how this process can break down easily. We *have* to use some other method at this point, and this is why I completely stopped using this method a while ago. We're just lucky it broke at the first place in the chain, rather than getting 5-6 pointers deep, then having it break.

- Open Disassembler at 0056d627 - mov [ecx+0c],eax

- Scroll up and see if ECX was modified at all in the current code block.

[a whole bunch of int 3's here, which is 'nothing' code]
0056d610 - mov eax,[ecx+0c]
0056d613 - mov edx,[esp+04]
0056d617 - cmp edx,eax
0056d619 - jna 0056d625
0056d61b - mov [ecx+0c],00000000
0056d622 - ret 0004
0056d625 - sub eax,edx
0056d627 - mov [ecx+0c],eax <--- This was the original 'writes to' code.
0056d62a - ret 0004
[more int 3's, which is 'nothing' code]

We see here that the creation or modification of ECX did not take place in this small chunk of code. That means we have to find the code that called this chunk. Good thing this code returns to where it was called from. Do the following...

- Select mov [ecx+0c],eax
- Click "Debug" then "Toggle Break Point" (also F5)
- Buy something, at which point the game will seem to lock up. It's CE freezing the game, at the line you chose your break point on.
- Click "Debug" then "step" (or F7). You'll notice it goes to the ret line below the mov line.
- Hit F7 again to return to where this chunk was called from.
- jmp 007babad <--- Will be the next thing you see selected.
- Scroll up 1 line and we see this... call 0056d610
- Scroll up 1 line and we see this... 007bab62 - add ecx,000000a8

A ha! So ecx *WAS* modified before it was used.

--------------------------------------------------
!! Method 1 Start !! (this method winds up not working. Simply an example of how/why. This is also the way that CE's help file gives for finding pointers. In code... especially in assembly... there is always another way... another way to accomplish anything.)
--------------------------------------------------
If we were to continue your method here:
- Open Windows calc, click "View" then "Scientific" (this setting will stay once selected, between uses)
- Click the "Hex" feature
- Type in the original suspected pointer value, which for me, was 1C8CEB8
- Subtract a8 from it and get 1C8CE10

At this point, the path stands as...

[some addresses value] = 1C8CE10 (this is only true, if ECX wasn't changed yet again, prior to the +A8 line.)
1C8CE10 + (A8+0c) = The address of money

Keep a listing like this in notepad.. it gets very complex.

- Now do a hex search. I found 2 results. Sometimes though, you'll find a LOT more results. This is bad, you'll see why.
- I add both results to my list, then right click the first one and 'Find out what accesses this address"
- I go through the steps of applying a new car color, and through the whole thing, it was never accessed. We can scratch this one off our list.
- I right-click the 2nd one and find out what accesses it (we're really looking for reads here, but accesses is much nicer to the system, but will show reads/writes).
- Wow! Before I even get as far as buying a new color, results start appearing. But I want to make sure it's accessed when I buy a new color.
- I go through the motions of buying a new color, ignoring the results that keep popping up.
- Just before I confirm the purchase, I look at the list and see which is the last one.
- I click confirm and immediately, more results pop up. This is indeed the right pointer.

So now, the path stands as...
[0BA252D0] = 1C8CE10
1C8CE10 + (A8+0C) = The address of money

Remember, the actual addresses can be dynamic, so if you quit/restart, they will most likely change (however, in NFS, unlike 95% of games out there, they seem to keep a lot of the same addresses between reloads).

- We can no longer use 'what writes' , as pointer addresses are written as they are created. We must find out what reads, but like i said, use "What accesses" first.
- I buy more car paint, and as I'm doing this, a lot of results pop up. They all look the same..
- mov ecx, [eax+10]
- EAX is 0BA252C0 , +10 = Address to next pointer

So now, the supposed path stands as...
[0BA252C0] + 10 = 0BA252D0
[0BA252D0] = 1C8CE10
1C8CE10 + (A8+0C) = The address of money

- I do a search for that but find nothing. Once again, this method is broken.

Ok, screw this method, it keeps breaking. Now, lets apply the method I suggested earlier in this thread, starting from the point where "!! Method 1 Start !!" appears above.
--------------------------------------------------
!!Method 1 Dies Here!!
--------------------------------------------------

--------------------------------------------------
!! Method 2 Start !!
--------------------------------------------------
I will re-cap this method at the end of this post, but scroll back up to the top and re-read until you see "!!Method 1 Start!!", then jump back down here.

What we're trying to do, is find out exactly how ECX became ECX. We've already 'returned' to the point where the first code chunk was called. Scroll up a few lines and we see this.

007bab62 - add ecx,000000a8 <--- Add a8 to ECX

So, at this point...
ecx+(A8+0c) = Money Value Address

- Scroll up until you see ECX being modified again. This happens to be 2 lines above the current line.

007bab5e - mov ecx,[eax+10]

So now we have...

[eax+10] = ecx
ecx+(A8+0C) = Money Value Address

Now we have to find out how EAX became EAX. Scroll up until you see what created EAX. Luckily, this is only 1 line above the previous.

007bab59 - mov eax,[0091bf50] <--- get master pointer, put it in EAX

OMFG! We found it! We found the master pointer. How do we know? Because EAX is being written to, by a 'static defined' address, directly in ASM. We know ASM doesn't change between loads, so this is indeed a static address.

So at last, we have...

[0091BF50] + 10 = ECX
ECX + (A8+0C) = Money Value Address

That's only 2 pointer levels, so to add this pointer to CE...
- Add a new value to CE's list, as a 2 level pointer.
- The start address (bottom left area, only place you can type an address) will be 0091BF50
- The offset we apply is 10
- Then, the next offset we would apply is (A8+0C) which is B4.
--------------------------------------------------
!!Method 2 Ends Successfully At This Point!!
--------------------------------------------------

See the picture posted at the bottom of this thread, to get an idea of how it should look.

This will indeed work for you too, even though your DMA pointer offsets are different. Try adding it now!

--------------------------------------------------
Now: A recap of how to execute Method 2.
--------------------------------------------------

- Got address of current money.
- Find out "What Writes to this value" (You could even find out what accesses this value. It doesn't matter which way you go. But for this example, do writes...)
- Buy up a new car color, then click on one of the codes that accessed the value.
- In this example, the following code wrote to the value. 0056d627 - mov [ecx+0c],eax
- [ecx+0c] is the address of our value.
- ecx, is the address, of the start of the memory block.. and the value is +0c ahead of the start of the memory block/area.
- We have to find out how ECX became ECX.
- The computer has to find out every time it reads/writes to the value.. somehow, right?
- It's all in code, just look for the 'way' it became what it is and 'duplicate' it.

- Open Disassembler at this location, scroll up a bit, we see...

[a whole bunch of int 3's here, which is 'nothing' code]
0056d610 - mov eax,[ecx+0c]
0056d613 - mov edx,[esp+04]
0056d617 - cmp edx,eax
0056d619 - jna 0056d625
0056d61b - mov [ecx+0c],00000000
0056d622 - ret 0004
0056d625 - sub eax,edx
0056d627 - mov [ecx+0c],eax <--- This was the original 'writes to' code.
0056d62a - ret 0004
[more int 3's, which is 'nothing' code]

- Again, we still don't see where ECX was 'created'.
- Select mov [ecx+0c],eax
- Click "Debug" then "Toggle Break Point" (also F5)
- Buy something, at which point the game will seem to lock up. It's CE freezing the game, at the line you chose your break point on.
- Click "Debug" then "step" (or F7). You'll notice it goes to the ret line below the mov line.
- Hit F7 again to return to where this chunk was called from.
- It will jump to this line...

007BAB6D - jmp 007babad

- Obviously, it wasn't this that called our previous code chunk, but the line above it.
- If we scroll up a bit, we see this...

007bab59 - mov eax,[0091bf50] <--- get master pointer, put it in EAX
007bab5e - mov ecx,[eax+10] <--- Get DMA pointer, using EAX+10
007bab61 - push esi
007bab62 - add ecx,000000a8 <--- Add a8 to ECX
007bab68 - call 0056d610 <-- the line that called our original code chunk
007BAB6D - jmp 007babad

Bam, Right here, we have the entire path.

[0091BF50] + 10 = ECX
ECX + (a8+0c) = Money Address

Then, we just add that pointer path to CE's list and we're done.
--------------------------------------------------


"How do I know when another level is added?"

Whenever your registers pull values from [whatever], this means its a new pointer level.
Whenever your registers are changed by lines like "add ecx, a8" - this means you are to add that value to the current pointer level, instead of making a new pointer level.

Here are the lines of code that created ECX in the end. (lines between have been removed) - and the final line where ECX is used to write to money.

007bab59 - mov eax,[0091bf50] <--- get master pointer, put it in EAX
007bab5e - mov ecx,[eax+10] <--- Get DMA pointer, using EAX+10
007bab62 - add ecx,000000a8 <--- Add a8 to ECX
0056d627 - mov [ecx+0c],eax <--- This was the original 'writes to' code.

See how only 2 of the lines that create ECX, contain brackets? That means its a 2 level pointer.

All this method does, is reverse engineer how ECX became ECX. Even if other registers are used, you must keep track of this.. I.e. EAX was actually the starting register written to, and the final address was written to ECX.

Back when we first started to reverse engineer, we wanted to know how ECX became ECX. We got to a point where ECX was created like so... 007bab5e - mov ecx,[eax+10] Now, our mission is to find out how EAX became EAX. Our mission ends, when the register we're dealing with, is written to by an actual hex value, as seen here... 007bab59 - mov eax,[0091bf50]

Luckily, once we find one pointer path, a LOT of other values use the same path; the only difference is the ending +offset, which in this case is +B4.

Try adding another pointer path using this formula...

A !! 1 Byte !! - 2 Level pointer:
0091BF50 + 10
+B0

What you will get, is the player ranking value. A number between 1-15 , depending on where you stand in the rankings. (be careful, modifying this value has odd results heh, its just an example).

Also, try right clicking a value and "Browse this memory region". You can find/add values to your list, and if they are in the same area, they usually have the same pointer path.

There is so much more I could go on to say - but since you seem to be on the same exact path as i was, I think you'll do just fine figuring it all out yourself =)

- Zhoul

*Edit* - I think even I somehow messed up method 1 at some point, although, since I don't use it anymore because it simply doesn't work 95% of the time, I've blocked out that part of my memory =) At any rate, Method 2 is by far the fastest way to resolve pointers, usually.

*Edit 2* - Now I really need a cig after all that... And I can't find my lighter. Does anyone have a Lighter Finding Method they can share with me?!

*Edit 3* - I'm going to correct myself here...

Zhoul wrote:
- Find out "What Writes to this value" (You could even find out what accesses this value. It doesn't matter which way you go) "


Finding out "What Writes" to a value returns a lot fewer results than "What Accesses this value". Doing the latter, you also get a list of what reads from it. This gives you a much better chance to find a pointer path, as some will be much easier/more direct than others.

Another thing that should be noted:
Some people seem to think that because only 1 code writes to all values (let's take 'unit health' for instance) there is no way, other than scripting up some ASM, to easily find a way to only affect *their own* health.

While that statement is true...

There is usually a way, however, to differentiate your own health from theirs. Your health is displayed in some form on your game interface, isn't it? This means that something must read only your health... Find out what read code only accesses your health value, then use Method 2 above to find that specific pointer path.

I have not faced a game where that wasn't possible.

Lastly: I have noticed that read codes are usually a lot easier to find pointer paths in than writes. In the example above, we only had to look at about 15 total lines of ASM code to find out how ECX became ECX. In Black & White 2, I sometimes had to go through 8-10 different code blocks/returns before I found the origin of the register, but I surely noticed that investigating read codes took less time, with fewer hops.



[Attachment: NFS-Pointer.jpg (22.1 KB)]




Last edited by Zhoul on Wed Dec 14, 2005 3:48 am; edited 6 times in total
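Method 2 above, reduced to code. This is an added example written for this page, not Zhoul's tool and not anything Cheat Engine ships: it takes the four instructions that build ECX (oldest first, with the lines between them removed as in the post's final listing), walks them backwards from the store, applies Zhoul's rule (brackets open a new pointer level, an `add` folds into the current offset) to produce the base and offsets you would type into CE's pointer dialog, and then resolves that path against a constructed memory image whose dwords are the addresses quoted in the post. `read32` and the memory contents are stand-ins for ReadProcessMemory and the real process.

```python
import re

# Constructed memory image, not dumped from the game. Each dword is stored
# little-endian, as x86 stores it; the values are the addresses quoted above.
MEMORY = {
    0x0091BF50: (0x0BA252C0).to_bytes(4, "little"),  # master pointer (static, in the exe)
    0x0BA252D0: (0x01C8CE10).to_bytes(4, "little"),  # [eax+10]: the DMA block ECX starts from
    0x01C8CEC4: (9996499).to_bytes(4, "little"),     # block + A8 + 0C: the money value itself
}


def read32(addr):
    """Stand-in for ReadProcessMemory: one little-endian dword, or KeyError if unmapped."""
    if addr not in MEMORY:
        raise KeyError(f"unmapped read at {addr:08X}")
    return int.from_bytes(MEMORY[addr], "little")


def resolve(base, offsets, read=read32):
    """Walk a CE-style pointer path: start at base, then [ptr]+offset for every level."""
    addr = base
    for off in offsets:
        addr = read(addr) + off
    return addr


# The four instruction shapes that matter when tracing 'how ECX became ECX'.
LOAD_STATIC = re.compile(r"mov (\w+),\[([0-9a-f]+)\]$")          # mov eax,[0091bf50]
LOAD_INDEXED = re.compile(r"mov (\w+),\[(\w+)\+([0-9a-f]+)\]$")  # mov ecx,[eax+10]
ADD_IMM = re.compile(r"add (\w+),([0-9a-f]+)$")                  # add ecx,000000a8
STORE = re.compile(r"mov \[(\w+)\+([0-9a-f]+)\],\w+$")           # mov [ecx+0c],eax


def pointer_path(listing):
    """Reverse-engineer a pointer path from a trimmed listing (oldest line first,
    last line is the store to the value). Returns (base, offsets) in CE dialog order."""
    lines = [line.split(" - ", 1)[1].strip() for line in listing]
    m = STORE.match(lines[-1])
    if not m:
        raise ValueError("last line must be the store to the value")
    reg, acc = m.group(1), int(m.group(2), 16)   # register being traced, offset so far
    offsets = []
    for line in reversed(lines[:-1]):
        m = ADD_IMM.match(line)
        if m and m.group(1) == reg:               # add ecx,a8: grows the current offset
            acc += int(m.group(2), 16)
            continue
        m = LOAD_INDEXED.match(line)
        if m and m.group(1) == reg:               # brackets: a new level, now trace the index reg
            offsets.insert(0, acc)
            reg, acc = m.group(2), int(m.group(3), 16)
            continue
        m = LOAD_STATIC.match(line)
        if m and m.group(1) == reg:               # static address in the code: the base, done
            offsets.insert(0, acc)
            return int(m.group(2), 16), offsets
        # anything else (push esi, instructions on other registers) is skipped
    raise ValueError(f"never found a static origin for {reg}")


# The lines from the post, with the unrelated lines between them removed.
LISTING = [
    "007bab59 - mov eax,[0091bf50]",
    "007bab5e - mov ecx,[eax+10]",
    "007bab61 - push esi",
    "007bab62 - add ecx,000000a8",
    "0056d627 - mov [ecx+0c],eax",
]


def money_address():
    base, offsets = pointer_path(LISTING)
    return resolve(base, offsets)


if __name__ == "__main__":
    base, offsets = pointer_path(LISTING)
    print(f"base {base:08X}, offsets {[f'{o:X}' for o in offsets]}")
    addr = money_address()
    print(f"money lives at {addr:08X} and currently holds {read32(addr)}")
```

Run as a script it prints base 0091BF50 with offsets 10 and B4, the same entry the post adds to CE, and then the money value read through that path. Swapping the last offset for B0 in `resolve` gives the player-ranking address from the same path without any re-tracing.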
ClaireValentine (Newbie cheater)
Posted: Sun Nov 27, 2005 11:42 am

This is totally amazing. I already hoped I'd be able to find something like this somewhere, yet I was not expecting to have a lot of success in looking for it.
I looked at the code and quickly realized that I didn't yet know how to read it correctly, due to my lack of experience and knowledge:
mov eax, esi and sub eax, 00000002, are they both relevant for finding pointer paths, or not? Are the instructions read simply straight bottom to top, or are they broken up into blocks and jumps by the ret commands? How do I trace back what jumped to that address? These were the questions I quickly ran into and didn't quite dare to ask, as they go a bit OT and would stress your courtesy more than enough. But thanks to you I think I can learn a lot from this step-by-step "guide", so once again I can only thank you for what you've done here.
The length and detail of this post is simply amazing; regard yourself as a rare yet much appreciated kind. People like you make forums like this a joy and pleasure to read. Keep it up, there are people acknowledging the amount of work that has been put into this.
BIG thanks,

G.

Zhoul (Master Cheater)
Posted: Sun Nov 27, 2005 3:25 pm

Now that I'm rested... Let's have a little fun with the above code, and also dissect it a bit. Besides, who needs a pointer to a value when you can simply modify the code, which never changes memory position? I'm going to use the small chunk that writes to your money after buying stuff at the shop.


[a whole bunch of int 3's here, which is 'nothing' code]
0056d610 - mov eax,[ecx+0c]
0056d613 - mov edx,[esp+04]
0056d617 - cmp edx,eax
0056d619 - jna 0056d625
0056d61b - mov [ecx+0c],00000000
0056d622 - ret 0004
0056d625 - sub eax,edx
0056d627 - mov [ecx+0c],eax <--- This was the original 'writes to' code.
0056d62a - ret 0004
[more int 3's, which is 'nothing' code]


Let's first define what each line does. I can tell you right now that I couldn't read it from top to bottom and label each line, until I have seen what they all do, then I can go from bottom to top, and label them (even though it might 'appear' as if I had labeled them from top to bottom).


[a whole bunch of int 3's here, which is 'nothing' code]
0056d610 - mov eax,[ecx+0c] <---- "Copy, to EAX, Our current money."
0056d613 - mov edx,[esp+04] <---- "Copy, to EDX, The grand total of our parts we've selected."
0056d617 - cmp edx,eax <---- "Compare EDX to EAX" (its important to know the compare order here, for the next line).
0056d619 - jna 0056d625 <---- "JNA means "Jump if not above" Jump to 0056D625, if EDX (total cost) was not above EAX (total money)"
0056d61b - mov [ecx+0c],00000000 <---- This line will only be executed if total cost was higher than total money. This line writes 0 to your total money value. Why? I dunno... it just does..
0056d622 - ret 0004 <---- Return
0056d625 - sub eax,edx <---- Line that is jumped to , if cost was not above money total. Subtract, from eax (total money) - edx (total cost). *note* notice how registers are being added/subbed, but not the actual money value, just yet. That comes next line...
0056d627 - mov [ecx+0c],eax <--- This was the original 'writes to' code. Copy, to the address ecx+0c, the value of EAX
0056d62a - ret 0004 <---- Return
[more int 3's, which is 'nothing' code]


Now that we know what each does, lets mess with individual lines.

The first obvious answer is to NOP the code that finally writes to money. This will simply make your money never decrease. Other code writes to money to make it increase, so luckily we're not NOP'ing that out too.
0056d627 - mov [ecx+0c],eax <--- You actually said you had NOP'd this in a previous post. Works!

This example will add the total cost of parts to your total money, rather than subtract it.
Orig: 0056d625 - sub eax,edx
New: 0056d625 - add eax,edx

This example gives you 1 million dollars if you don't have enough money (but code before this block actually interrupts the purchase of gear. Once you get the money though, you could then re-purchase).
Orig: 0056d61b - mov [ecx+0c],00000000
New: 0056d61b - mov [ecx+0c],000f4240
How did i come up with 000f4240 ? Windows calc, typed in 1000000 in decimal form, then clicked 'hex'.

This example simply sets your money to 1mil no matter what.
Orig: 0056d619 - jna 0056d625
Orig: 0056d61b - mov [ecx+0c],00000000

New: 0056d619 - nop
New: 0056d61a - nop
New: 0056d61b - mov [ecx+0c],000f4240


"So how do I use this in a trainer?" (aside from NOP'ing).

Lets use the following example...

This example will add the total cost of parts to your total money, rather than subtract it.
Orig: 0056d625 - sub eax,edx
New: 0056d625 - add eax,edx

Looking at the Memory Viewer (upper section), i see that...
Orig: 0056D625 - 2b c2 - sub eax, edx
When I change the line from sub, to add.. those two bytes change to..
New: 0056D625 - 01 d0 - add eax, edx

- In the bottom part of Memory View, right click and select "Goto"
- Type in 56d625
- If your line was changed to 'add', then the first 2 bytes you see are 01 d0, else, its still 2b c2
- Select then Right click the first byte, and 'Add this address to the list'
- Description: Code: Sub Money - Orig( 2bc2 ) New( 01d0 )
- Type: Array of Byte - Nr of Bytes 2

The reason we use "Array of Byte" instead of "2 bytes", is because in hex, 2 bytes would be 'backward'. It would show as c22b and d001, instead of the way it shows above. Also, a lot of codes you'll change won't be 2 or 4 bytes different, but 3, or 7, or 9 bytes different. Using Array of Bytes keeps things in the same order as you view them in memory view. Also, Array of Byte already shows the byte/hex values, where as using the others, you have to right-click then 'show hex value'.

2 more examples: I actually already use these in my current NFS-MW trainer. What they actually do is 'strange'. But these are perfect examples of why you can't go around just NOP'ing the shit out of code that changes things... well, without reading it first...

Nitro:
The following code writes to nitro when it's being decreased
00693646 - fstp [esi+000000f8]

fstp means 'store current value on stack, then pop the stack'. As in previous examples, you may have seen stuff like 'pop esi' 'pop edi' , etc. This is pulling those registers off of the stacks total value. You can almost look at the 'stack' as register of its own, which is a combination of the registers currently on the stack. (push is the opposite of pop, push esi would place ESI on the stack).

Now, If we simply NOP this code, then the value on the stack is never stored , but the seriously bad part, is that the registers are never popped off the stack. This causes all kinds of 'funky stuff' to occur after this line, because the code is expecting those values to be off the stack. In short, when I didn't even realise that this was an FSTP, and NOP'd it, after about 30-45 seconds of using nitro, i crashed.

So what can we do when FSTP writes to our value and we don't want it to? You could try to figure out what registers are on the stack then replace the FSTP code with pop codes, but there's an easier way... Find another place 'in the vicinity' that it can be written to and change the +000000f8 part. Somewhere that won't mind being written to. For this example, I write only 4 bytes forward. 4 bytes forward happens to be the value that determines how much boost you're getting from nitro (as when you initially hit nitro boost, you are given a little extra oomph).

Because nitro is full, and the value being written in this case is full minus a little bit... and because the value of full blast nitro is about the same as 'full nitro', we are doing 2 things! We don't lose any nitro, and we get full blast nitro constantly. Might be hard to wrap your mind around at first =)

Why does it give inf nitro?..
Picture this
[nitro] [some other value]
The modified code does this..
- Read from [nitro] value
- Subtract a set amount of nitro per cycle from the read-in value
- Write new nitro value, to [some other value]

As you can see, if we infinitely looped this code, [nitro] would never decrease, and neither would [some other value]

I did the same thing for speed breaker, although I have no idea what 'value' I'm writing to with the 'new' code (it's only 4 bytes ahead of the current speed breaker value though). It hasn't caused any issues, so I'm going to say it's working.

Here are the 2 entries in my CE list for the nitro/speed breaker codes. Keep in mind that these are 'addresses added to the address table' and not 'codes added to the advanced options codes table'.

Both, Array of Bytes (length = 1, because only 1 byte changed).

*EDIT* - I bet no one realised that F8+4 = FC, not FF. While this indeed gave infinite nitro, it did not give 'fully boosted' nitro, as I was writing 8 bytes ahead of nitro instead of the intended 4. I found that using FF instead of FC in the below code change eventually causes the game to lag hard and eventually crash. The below example has been 'fixed'.
00693648 - Code - Nitro - New( FC ) Orig( F8 )
006EE8E5 - Code - Speed Breaker - New( 88 ) Orig ( 84 )

In my trainer, I actually have 2 different buttons. One to toggle both on, one to toggle them both off.

I hope this doesn't further confuse you

- Zhoul


Last edited by Zhoul on Sun Dec 04, 2005 5:02 am; edited 2 times in total
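The code-patch bookkeeping from this post (an "Array of Byte" entry holding the original and new bytes, toggled on and off from a trainer), as an added example written for this page rather than code from the post or from Cheat Engine. It works on a constructed code image: the bytes at 0056D625 are the ones quoted above (2b c2 / 01 d0, followed by the 89 41 0c store and the ret 0004), while the six bytes assumed for the nitro instruction at 00693646 are the standard encoding of fstp dword ptr [esi+disp32] (D9 9E + disp32), which puts the low displacement byte at 00693648 as in the post; the post itself shows only the mnemonic. `enable` refuses to write if the bytes in memory are neither the original nor the patch, `as_2byte_value` shows why a "2 Bytes" entry would display c22b instead of 2b c2, and `fstp_disp32` decodes the displacement before and after the one-byte F8 to FC change.

```python
import struct

# Constructed code image, not dumped from the game (see the lead-in for what is
# quoted from the post and what is assumed). Each region is a mutable bytearray.
REGIONS = {
    0x0056D625: bytearray(b"\x2b\xc2"        # sub eax,edx
                          b"\x89\x41\x0c"    # mov [ecx+0c],eax
                          b"\xc2\x04\x00"),  # ret 0004
    0x00693646: bytearray(b"\xd9\x9e\xf8\x00\x00\x00"),  # fstp dword [esi+000000f8] (assumed encoding)
}


def _locate(addr, n):
    """Find the region holding addr..addr+n; returns (buffer, offset)."""
    for base, buf in REGIONS.items():
        if base <= addr and addr + n <= base + len(buf):
            return buf, addr - base
    raise KeyError(f"{addr:08X} ({n} bytes) is not mapped")


def read(addr, n):
    buf, off = _locate(addr, n)
    return bytes(buf[off:off + n])


def write(addr, data):
    buf, off = _locate(addr, len(data))
    buf[off:off + len(data)] = data


class CodePatch:
    """One 'Array of Byte' trainer entry: where, what was there, what to put there."""

    def __init__(self, description, addr, orig, new):
        if len(orig) != len(new):
            raise ValueError("a byte patch must not change the instruction length")
        self.description, self.addr, self.orig, self.new = description, addr, orig, new

    def is_applied(self):
        return read(self.addr, len(self.new)) == self.new

    def enable(self):
        current = read(self.addr, len(self.orig))
        if current == self.new:
            return                      # already on
        if current != self.orig:        # code is not what we expect: refuse rather than corrupt it
            raise RuntimeError(f"{self.description}: expected {self.orig.hex()}, found {current.hex()}")
        write(self.addr, self.new)

    def disable(self):
        if self.is_applied():
            write(self.addr, self.orig)


SUB_MONEY = CodePatch("Sub Money", 0x0056D625, b"\x2b\xc2", b"\x01\xd0")  # sub eax,edx -> add eax,edx
NITRO = CodePatch("Nitro", 0x00693648, b"\xf8", b"\xfc")                  # +F8 -> +FC (4 bytes further)


def as_2byte_value(addr):
    """What a '2 Bytes' entry shows for the same bytes: little-endian, so 2b c2 reads as c22b."""
    return struct.unpack("<H", read(addr, 2))[0]


def fstp_disp32(addr):
    """Decode the displacement of fstp dword [reg+disp32] at addr (opcode D9, modrm mod=10 reg=3)."""
    opcode, modrm = read(addr, 2)
    if opcode != 0xD9 or (modrm >> 6) != 0b10 or ((modrm >> 3) & 7) != 3:
        raise ValueError("not an fstp m32 with a 32-bit displacement")
    return struct.unpack("<i", read(addr + 2, 4))[0]


def set_all(patches, on):
    """The two trainer buttons: toggle every patch on, or every patch off."""
    for p in patches:
        p.enable() if on else p.disable()
    return [p.is_applied() for p in patches]


if __name__ == "__main__":
    print(f"2-byte view of 0056D625: {as_2byte_value(0x0056D625):04x}")
    set_all((SUB_MONEY, NITRO), True)
    print(f"nitro now writes to [esi+{fstp_disp32(0x00693646):X}]")
    set_all((SUB_MONEY, NITRO), False)
    print(f"reverted: {read(0x0056D625, 2).hex()} / [esi+{fstp_disp32(0x00693646):X}]")
```

The mismatch check in `enable` is the part a trainer most often lacks: if the game is patched to a different version, or another tool already rewrote the instruction, writing 01 d0 blindly puts an unrelated opcode in the middle of a different instruction, which is exactly the kind of crash described above for the FSTP.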
ClaireValentine (Newbie cheater)
Posted: Sun Nov 27, 2005 6:14 pm

Well, I have to admit I'm not completely getting it yet, but not because it's misleading or because of your description; it's more or less just really crazy how much info I can pull out of your last posts. Let's say, even at first glance I recognised the idea behind it, so it must be really great. I think if I go through it step by step, it should be totally clear by then. Very cool...
I've got one problem though, already looking for a solution, but haven't worked it out yet. Maybe you're familiar with this problem and have a suggestion:
After setting a breakpoint and having the game frozen by CE, I can't switch to CE anymore. Alt-Tab switches to the normal Windows mouse, but the whole screen is still the NFS shop frame; no luck even by bringing up the task manager and telling it to switch to CE. It's like my graphics card stays locked on NFS; even the resolution isn't changed back to Windows settings.
So I have to kill the NFS process to get back to the memory view, but since it's all cleared once the process is killed, it's not doing any good.
Annoying, keeps me from trying out my newly gained knowledge and playing around with it.
I'll have to find a solution TONIGHT!

G.

Zhoul (Master Cheater)
Posted: Sun Nov 27, 2005 6:29 pm

I know exactly what the problem is and actually thought you might encounter this after reading my tutorial over.

Once you set the break point, and the break point is reached, the debugger 'freezes' the game at the current instruction/code. Pressing F7 'steps' through the current instruction, jumps your cursor to the next instruction, and freezes once more. Pressing F9 (run) will tell the debugger to release its lock *until* the next break point is reached. Since you still have a breakpoint set on a certain line, the next time it reaches that line, it will freeze the game once more.

Heres the process I usually execute, when setting break points.

- Set break point
- Once the break point is reached, I press F5 again to unset the breakpoint. The game will still be frozen though. Then I'll use F7 to step through what I need.
- I press F9 (run) before ever returning to the game. This lets the game run as it should, and since I undid the breakpoint earlier, it wont freeze again until I set another breakpoint.

The reason you can't tab back out is because the game actually 'handles' your alt+tab request. Since you are freezing it on its current instruction, it can never get to the code it executes to let you tab out.

- Zhoul
ClaireValentine
Newbie cheater
Reputation: 0

Joined: 25 Nov 2005
Posts: 11

Posted: Sun Nov 27, 2005 6:47 pm

Huh? Sorry, don't quite get this one:
- Set break point <- Clear
- Once the break point is reached, I press F5 again to unset the breakpoint. The game will still be frozen though. <- Seems also clear
Then I'll use F7 to step through what I need. <- Seems clear; if I get it right, this performs a step-by-step execution of the following code lines
- I press F9 (run) before ever returning to the game. This lets the game run as it should, and since I undid the breakpoint earlier, it won't freeze again until I set another breakpoint. <- That one I don't get. Why return to the game? How and when can I get out of the game and to CE? Will CE keep track of the lines it executed after the breakpoint, or how am I supposed to see where it had jumped after the breakpoint and me letting it run again before tabbing over to CE?
Thanks in advance,
G.

Zhoul
Master Cheater
Reputation: 1

Joined: 19 Sep 2005
Posts: 394

Posted: Sun Nov 27, 2005 6:52 pm

F5 sets a break point. A break point is a place for the debugger to stop everything that's happening in the game; it doesn't execute the code at the break point until you...

1. Press F7 to step through that instruction, and stop at the next instruction.

or

2. Press F9 to 'resume normal running' of the game.


Unless you unset the previous break point, the next time the game goes to execute that code at that break point, it will freeze again.

Comprende'?

F9 doesn't put you back in the game... It merely lets the game 'continue running'.

You don't want to try to tab *to* a game that is currently frozen by a breakpoint.


Ooh damn.. I just realised.

See, I use 2 PCs to do all this. I never have to tab in/out of the game... One PC is in the game, the other is remote desktop'd to the first PC..

Ahh i get it..

*thinking*
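The F5/F7/F9 cycle Zhoul lays out above (and the freeze-on-the-same-line behaviour from his earlier reply), modelled as an added example. This is not Cheat Engine's code: the toy instruction set, the addresses and the nitro-decrement loop are all constructed for the illustration.

```python
class Debugger:
    """Toy CPU plus CE's three keys from the post: F5 toggles a breakpoint, F7 steps, F9 runs."""
    def __init__(self, code, regs):
        self.code, self.regs, self.eip = code, dict(regs), min(code)
        self.breakpoints = set()
    def _execute_one(self):               # run the instruction at eip; False once the code halts
        op, *args = self.code[self.eip]
        if op == "halt":
            return False
        if op == "mov":
            self.regs[args[0]] = args[1]
        elif op == "sub":
            self.regs[args[0]] -= args[1]
        elif op == "jnz" and self.regs[args[0]] != 0:   # taken jump moves eip elsewhere
            self.eip = args[1]
            return True
        self.eip += 1
        return True
    def toggle_breakpoint(self, addr):    # F5: set, or unset if already set
        self.breakpoints ^= {addr}
    def step(self):                       # F7: execute one instruction, stay frozen
        self._execute_one()
    def run(self):                        # F9: release the game until a breakpoint is hit
        alive = self._execute_one()       # the instruction we froze on runs first
        while alive and self.eip not in self.breakpoints:
            alive = self._execute_one()
        return ("breakpoint" if alive else "exited", self.eip)

# Constructed game loop: nitro starts at 3 and is decremented once per pass.
GAME_CODE = {
    0x1000: ("mov", "nitro", 3),
    0x1001: ("sub", "nitro", 1),          # the line the breakpoint sits on
    0x1002: ("jnz", "nitro", 0x1001),
    0x1003: ("halt",),
}

def break_without_unset():
    """Leave the breakpoint set and press F9 three times: it freezes on every pass."""
    dbg = Debugger(GAME_CODE, {"nitro": 0})
    dbg.toggle_breakpoint(0x1001)
    return [dbg.run() for _ in range(3)], dbg.regs["nitro"]

def break_then_unset():
    """Freeze once, F5 to unset, F7 through the sub, then F9: the game runs to its end."""
    dbg = Debugger(GAME_CODE, {"nitro": 0})
    dbg.toggle_breakpoint(0x1001)
    first = dbg.run()
    dbg.toggle_breakpoint(0x1001)
    dbg.step()
    return first, dbg.regs["nitro"], dbg.run()
```

The first function shows why the game "freezes again" on every loop pass while the breakpoint stays set; the second shows that unsetting it before F9 lets the loop run through to the halt.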
ClaireValentine
Newbie cheater
Reputation: 0

Joined: 25 Nov 2005
Posts: 11

Posted: Sun Nov 27, 2005 6:59 pm

I see, thanks...
Zhoul
Master Cheater
Reputation: 1

Joined: 19 Sep 2005
Posts: 394

Posted: Sun Nov 27, 2005 7:04 pm

ClaireValentine wrote:
I see, thanks...


Try this.

- Set your break-point.
- Tab back to the game.
- When the game locks up, do *exactly* as follows even though nothing appears to happen.
- Hold Ctrl+Alt+Del for 3 seconds then release.
- Wait 1 second
- Hold alt, then press F firmly and release.
- Hit enter
- Type cmd then press enter
- Hold Alt and firmly press enter

At this point, hopefully, your screen will finally change and a big DOS window (in full screen view) will appear. Simply hold alt, press enter and you should return to Windows with the DOS box in view. You can type "exit" in the DOS box and hopefully view CE. Just "F9/Run" again before returning to the game, else you'll have to do the above process all over again.

Some keyboards give extra keys. Of those, some give the ability to 'map' a key to a command (like an exe or bat).

If you can do that, then map a key to cmd.exe so you don't have to use the 'trick' above to get task manager to start it. Once you map that button, you can hit it once you lock up, then hit alt+enter to change to full screen, then again to change back. You could even make a shortcut that starts DOS in full screen already, then map the key to that shortcut.


2nd possible method:
Once you freeze and hit Ctrl+Alt+Del, try Windows Key+D or Windows Key+M. This *might* just 'show desktop' or 'minimise' properly.

- Z
ClaireValentine
Newbie cheater
Reputation: 0

Joined: 25 Nov 2005
Posts: 11

Posted: Sun Nov 27, 2005 7:29 pm

Nice idea, didn't think of that one.
No luck though, it's more or less a graphical problem. I can switch to CE by your method, but its windows just aren't displayed because the screen doesn't refresh anymore (by tabbing and entering around I was able to bring up the additional information window out of nowhere, for example). If I drag the task manager around the screen, for example, it creates a "copy" of its window at any position I place it. Sh**, NFS doesn't release the card completely until it's killed completely. Hmph, there's nothing I can do about it right now, guess I'll have to wait till tomorrow, until I can get my hands on a second PC as well.
Thanks anyway,
G.

Zhoul
Master Cheater
Reputation: 1

Joined: 19 Sep 2005
Posts: 394

Posted: Sun Nov 27, 2005 7:35 pm

When you do get that 2nd PC... and if you have WinXP Professional (not Home).

http://forum.cheatengine.org/viewtopic.php?t=4056

Next, hit me up on AIM. If you don't have it, my apologies, I keep to 1 client and AIM just happens to be the one most of my co-workers used. So... get it.

LqdGroover = screen name


Also.. you did try entering DOS mode in full screen after locking up, eh? That usually resets the video card and fixes the Windows issue you described, but I can see where it may not work, especially on a console-to-PC port.

*edit* - Just tried all this myself and yep, not workin...
ClaireValentine
Newbie cheater
Reputation: 0

Joined: 25 Nov 2005
Posts: 11

Posted: Sun Nov 27, 2005 7:51 pm

Yup, got it and tried it, but sadly no luck. Guess it's tomorrow then, can't be helped. Thanks nevertheless, that way I'll have something to play with tomorrow and might get some sleep right now... Think positive.
Maybe I can find a way to force my ATI into a VPU recover manually, will try that one tomorrow also...

ClaireValentine
Newbie cheater
Reputation: 0

Joined: 25 Nov 2005
Posts: 11

Posted: Mon Nov 28, 2005 11:14 am

Easy solution for this one, too stupid I didn't think of it yesterday: just had to go to the cellar and pick up my good old monitor, plugged it in and switched extended desktop on. Once done placing CE on the second monitor, I don't need to tab around anymore; I just move my mouse off the NFS screen and onto the extended area to be able to get to the CE window without any problems. NFS automatically minimizes, but can be brought up again after hitting the F9 key as you said. Seems this should work with any fullscreen DirectX game that doesn't release DirectDraw while running...
Finally was able to go through your guide and got money working at first try, very cool, thanks.
Just to make sure that I totally understood your extended info on nitro and co.:
If I get it right, that means the game will read the current nitro from the stack,
decrease it by a certain amount (which results in a value that will in fact always stay the same, since we never write that one back over the original nitro value on the stack), and write that new (and never changing) result back to another item on the stack ahead of the nitro, hopefully not changing something important by doing so, which must be controlled by trial and error, since there's no easy way to tell what exactly gets written to.
Did I get it right?
So, now I think I'm going to play around some time to get used to all this, thanks again for all your help!!!
*happy*
TY VM!
G.
