Cheat Engine The Official Site of Cheat Engine

wardlee99 (How do I cheat?)
Reputation: 0
Joined: 03 May 2009
Posts: 5

Posted: Sun May 03, 2009 8:14 pm    Post subject: Dynamic Memory Allocation - Giving me hell, help! ;_;

I simply cannot find the static address for my HP in Darkfall! I am a quick learner and in the last week have picked up the info and skills I think I need to accomplish finding it, but I hit a wall every time.
I know how memory, offsets, and pointers work and I can do hex in my head, although I check with a calculator.

 I can locate two dynamic addresses for the health as doubles or floats, always 0x8 away from each other. Ex: 0x191234A0 and 0x191234A8.
 
 I try the manual 'find what accesses/writes' and trace what's in the []s...with both before/after debug options, and even using breakpoints to get the registers.
 
 Every way leads to a dead end, I traced almost 40 pointers back and didn't get anywhere! I refuse to believe a game would have even more than 5 before I hit some static address..
 
 Every time I use the injected pointer scanner, the .exe crashes, whether it's the tutorial, the game or notepad! So I use the default one, reverse and ordinary, 5.4 and 5.5 versions.
 
 I have tried all kinds of levels and structsizes, and every option, and it finds lists of hundreds to thousands of lists, but there is not ONE left over when I rescan for the new HP address after I restart the game.
 
 I just don't know what to do at this point, manual and automatic nothing works. I've tried every tutorial and bit of info I can find on this forum now. :/ Halp...

Monkeys (I post too much)
Reputation: 29
Joined: 20 Jul 2006
Posts: 2411

Posted: Mon May 04, 2009 12:23 am

I always preferred manual pointer scans, so I'll see if it's something you do.
 What steps do you make -exactly- when doing a manual scan?
 
 And give some example codes you get at times when running the debugger.
 
 Often people think they know how, but they make a slight mistake, making every attempt fail.

wardlee99 (How do I cheat?)
Reputation: 0
Joined: 03 May 2009
Posts: 5

Posted: Mon May 04, 2009 5:59 pm

Note: Wtf, I cannot post images? How inconvenient :/ Or URLs?!
 Okay I took some images to tell the story!
 
 First I find my HP and find out what writes to it.
 
 
   
 I get something after a regen tick (.5 a tick in Darkfall)
 
 
   
 So I search for the value suggested and remember the offset...
 
 
   
 Five results...later on it gets more and more when you think it'd be less and less!
 
   
 I check to make sure it works as a pointer, and use the offset of 70 from the first opcode check, and it works fine.
 
 
   
 Now for this pointer I get 4 events every regen tick, each with the same offset (34) and the same ecx for each one.
 
 
   
 I search and voilà, 10 results.
 
 
   Pointers work again, so I'm not making any mistakes that I can see so far.
 
   
 Some pointers show NOTHING in access/write when I damage myself and let my HP regen...which is really weird because I feel like that might be my problem. But for the ones that do show codes, here's what they say (but not on the regen tick seemingly random):
 
 
   
 00000001 with an offset of 9C. At this point darkfall crashed for some reason so I'll take you through the rest. I hex searched 4bytes for 00000001 and found two static pointers, 00408018 and 00408030. Adding them to my address list crashed darkfall I dunno why...
 
 They both pointed to 00000001, but when I added a 3-level pointer double, it was like this:
 
 
 00408018 + 9C -> 00000001
 
 00000001 didn't point to ANYTHING, just ???????s....so what the heck?
  It told me to look for it, but it was not really a pointer... 
 When I use memory access instead of debug registers I get the same issues of running into pointers with nothing accessing them, or ones that refer to themselves over and over.
 
 P.S. This looks very nice with embedded images...why can't I post them? Now it looks shit. :/

Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003
Posts: 25806
Location: The Netherlands

Posted: Tue May 05, 2009 4:46 am

On the results you get from a scan, don't just pick the first one. You should try them all out. (There can be multiple paths to the same pointer, and in some cases you get a looping pointer path, so it always helps to have other possibilities.)
As for the last image of movzx eax,[eax+ebx]:
That's where the message at the bottom comes into play.
eax is overwritten by the value stored at [eax+ebx] and the register value you see is after that write.

Anyhow, with some basic math you can find out the base yourself:
address you used "find what accesses" on - 9c = eax
 |  |  
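
The register arithmetic described in the post above, as an added example that is not part of the original thread or of Cheat Engine itself: a small Python model of `movzx eax,[eax+ebx]` showing why an after-execution snapshot lists the loaded value in eax instead of the base, and how the base follows from the watched address minus 9c. Only the instruction and the 9c offset come from the posts; the addresses, memory contents and mapped regions are constructed.

```python
# Constructed model of one "find what accesses this address" hit.
# Only the instruction and the 0x9C offset come from the thread; every
# address, byte and region below is made up for illustration.

WATCHED = 0x1A2B309C                       # address the watch was set on
MEMORY = {WATCHED: 0x01}                   # byte stored there
MAPPED = [(0x00400000, 0x00500000),        # pretend module image
          (0x1A000000, 0x1B000000)]        # pretend heap


def execute_movzx(regs, memory):
    """Emulate `movzx eax,[eax+ebx]`: byte load, zero-extended into eax."""
    accessed = (regs["eax"] + regs["ebx"]) & 0xFFFFFFFF
    after = dict(regs, eax=memory[accessed] & 0xFF)  # base is overwritten
    return accessed, after


def is_mapped(value, regions=MAPPED):
    """A value can only be a pointer if it falls inside mapped memory."""
    return any(lo <= value < hi for lo, hi in regions)


def recover_base(accessed, after, offset_reg="ebx"):
    """eax was both base and destination, so rebuild it from the address."""
    return (accessed - after[offset_reg]) & 0xFFFFFFFF


def analyse():
    before = {"eax": 0x1A2B3000, "ebx": 0x9C}
    accessed, after = execute_movzx(before, MEMORY)
    base = recover_base(accessed, after)
    return {
        "accessed": accessed,
        "eax_shown": after["eax"],                 # what the snapshot lists
        "eax_shown_is_pointer": is_mapped(after["eax"]),
        "base": base,                              # eax before the instruction
        "base_is_pointer": is_mapped(base),
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        shown = value if isinstance(value, bool) else hex(value)
        print(f"{name:22} {shown}")
```

The snapshot value 0x1 fails the mapped-region check, which is the "00000001 didn't point to anything" symptom from the earlier post; the recovered base passes it.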

wardlee99 (How do I cheat?)
Reputation: 0
Joined: 03 May 2009
Posts: 5

Posted: Sat May 09, 2009 3:05 pm

Dark Byte wrote:
> On the results you get from a scan, don't just pick the first one. You should try them all out. (There can be multiple paths to the same pointer, and in some cases you get a looping pointer path, so it always helps to have other possibilities.)
> As for the last image of movzx eax,[eax+ebx]:
> That's where the message at the bottom comes into play.
> eax is overwritten by the value stored at [eax+ebx] and the register value you see is after that write.
>
> Anyhow, with some basic math you can find out the base yourself:
> address you used "find what accesses" on - 9c = eax
 
 Thanks that did help, now I am much better at tracing without having to read the registers, but now I get something like this.
   
 img9.imageshack.us/img9/7237/infinite.png
 
 It seems to be repeating the same offsets for everything I look at, half of the ones at the bottom are +8, some +10, some +34...
 
 Maybe I should turn to the pointerscan? :S Default is the only option that works because injected crashes, dunno why.
 
 I'm not sure what normal options should be...but if I set the level as high as the stuff I traced in the image I don't think it will ever finish! What about structsize? I tried a few scans at 1024, 2048, 4096 at levels 2-3-4 I think, and nothing stayed on rescan.
 
 Thanks again
 
 EDIT:
 
 Bump, anyone? This is still driving me insane.
 
 I guess the problem is that every layer of pointer has the same offsets and references the same line in the exe.
 
 Ex: Every pointer with +8 offset is referencing line 610efb or something. Every pointer with +34 offset is referencing line 10828a...etc.

Xereles (How do I cheat?)
Reputation: 0
Joined: 13 May 2009
Posts: 1

Posted: Wed May 13, 2009 11:34 am

Did you get anywhere? I've been trying too (but with stamina), but haven't gotten anywhere. Tried a pointer scan overnight with no results when I rechecked.

wardlee99 (How do I cheat?)
Reputation: 0
Joined: 03 May 2009
Posts: 5

Posted: Fri May 15, 2009 9:43 pm

I found x,y,z, I think.
The problem is that Darkfall seems to run with Java, and that there are likely to be 1000 pointers until it hits the static address.

I have taken apart every .dll and found nothing. This seems almost hopeless, but I know there are teleport hack programs so someone must have found SOME addresses that worked, how else could they give it out to people?

phillydub (Newbie cheater)
Reputation: 0
Joined: 11 Aug 2007
Posts: 10

Posted: Sun Aug 02, 2009 10:08 pm

Bump - Has anyone made any progress in Darkfall lately? I've been able to easily find the values in memory, but am having a lot of trouble with the endless chain of pointers. I've been able to figure this out in other games such as shadowbane, vanguard, etc.. however Darkfall is really being a pain in the ass.
 Anything special I'm unaware of about reversing Java games?
 
 Thanks guys

ooitchyoo (How do I cheat?)
Reputation: 0
Joined: 13 Aug 2009
Posts: 3

Posted: Thu Aug 27, 2009 9:23 am

wardlee99 wrote:
> I found x,y,z, I think.
 
 Yup, I've found my x,y,z and what appears to be other player coords in non-static address space... I'm assuming everything that's visible to the client is in some sort of linked list but I've not connected the dots yet.
 
 Gonna play more with it this weekend.
 
 Wardlee99, were you able to find positional indicator?  I toyed with it for about an hour... I'm starting to believe that directional indicator may be just another set of x,y,z coords corresponding to wherever your crosshair is at.   Not sure, just a hunch.... more later.

Psy (Grandmaster Cheater Supreme)
Reputation: 1
Joined: 27 Mar 2008
Posts: 1366

Posted: Thu Aug 27, 2009 10:29 am

You'll find it's more likely Y,X,Z or Y,Z,X. Rarely is it X,Y,Z. Not like it matters, as they are all close.
 Heading/view aren't co-ordinates! They are vectors. Although, again, usually close-by to the co-ords. You'll bring these up with unknown memory scans of the float type though just as you would co-ords. If you take the Y-axis real quick and imagine that right in front of you as a pole going into the ground. As you look down the pole, past the plane (0 degrees) the value tends to go negative, and as you look up it goes positive. Simple eh. The range can vary but tends to be 180 degrees in total. 90 up, 90 down. You'll find em, just keep looking

ooitchyoo (How do I cheat?)
Reputation: 0
Joined: 13 Aug 2009
Posts: 3

Posted: Thu Aug 27, 2009 10:36 am

[Psych] wrote:
> You'll find it's more likely Y,X,Z or Y,Z,X. Rarely is it X,Y,Z. Not like it matters, as they are all close.
 
 Yes, you are correct, it's actually ordered Y,Z,X in memory.
 
 And now that you mention it, I did find some values that tended to "adjust" as I was moving my mouse.  I was looking for a narrow range at the time so the numbers didn't impress upon me, but they certainly moved pos/neg as I used mouse-look, I'll have to re-evaluate them...
 
 Ty.
 
 
 
 
[Psych] wrote:
> As you look down the pole, past the plane (0 degrees) the value tends to go negative, and as you look up it goes positive.
 
 Yes indeed... 3 values (as you predicted, close to the y,z,x values) which move between -1 and 1 during mouselook.  Good stuff, will figure out how to interpret those later but most certainly the indicators of position.
 
 Last edited by ooitchyoo on Fri Aug 28, 2009 7:55 am; edited 1 time in total

phillydub (Newbie cheater)
Reputation: 0
Joined: 11 Aug 2007
Posts: 10

Posted: Thu Aug 27, 2009 9:24 pm

ooitchyoo wrote:
> And now that you mention it, I did find some values that tended to "adjust" as I was moving my mouse.  I was looking for a narrow range at the time so the numbers didn't impress upon me, but they certainly moved pos/neg as I used mouse-look,.
 
 You got the value for the position of the camera.. find the values for the actual character position, they are different and do not change when you look around...
 
 good luck finding anything static... it's just pointer after pointer, after pointer... after pointer... I was never able to get anywhere..

ooitchyoo (How do I cheat?)
Reputation: 0
Joined: 13 Aug 2009
Posts: 3

Posted: Thu Aug 27, 2009 9:31 pm

phillydub wrote:
> good luck finding anything static... it's just pointer after pointer, after pointer... after pointer... I was never able to get anywhere..
 
 Yup, I have both my position as well as my camera...
 
 I spent the last 4 hours trying to find something static...
 
 It must be possible because there are radars out there...
 
 
phillydub wrote:
> good luck finding anything static... it's just pointer after pointer, after pointer... after pointer... I was never able to get anywhere..

I concede... It's a futile effort to find static offsets... On to other methods I guess... more learning...

private00x (Newbie cheater)
Reputation: 0
Joined: 21 Apr 2009
Posts: 19

Posted: Thu Oct 15, 2009 4:24 am

Any progress yet, guys? Please post anything you've found out, thanks.

private00x (Newbie cheater)
Reputation: 0
Joined: 21 Apr 2009
Posts: 19

Posted: Tue Jan 25, 2011 5:10 am

No progress still?