Cheat Engine Forum: The Official Site of Cheat Engine
Need advice! Stuck with pointers!

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking
View previous topic :: View next topic  
Author Message
TORPEDa
Cheater
Reputation: 1

Joined: 16 Sep 2010
Posts: 41

Posted: Fri Sep 17, 2010 7:26 am    Post subject: Need advice! Stuck with pointers!

I have this:
Check the attachment. I can't post links yet. :(
I need to find a pointer to 005DA043.
It changes my score, and the game I am hacking has "seruiouzz seKurity" which closes the game after I change the value of my score. I can't just change my score.
So I found the code which adds to my score and injected code which gives me "XXXXXX" points instead of "XX" per hit.
Now I need to find a pointer... I tried again and again... everything failed.
I wouldn't create this topic if I knew how to find it.
And one more thing: it changes every time I restart the game. It doesn't change its location while you play the game, only when I restart the application (game).
Any hints, tricks, tutorials?
Thank you!



[Attachment: Untitled2.png (screenshot)]

Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25252
Location: The netherlands

Posted: Fri Sep 17, 2010 7:55 am

If it's an online game give up

If it's not, then I suggest finding the pointer to 2695338 instead of 005DA043

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
TORPEDa
Cheater
Reputation: 1

Joined: 16 Sep 2010
Posts: 41

Posted: Fri Sep 17, 2010 8:33 am

Dark Byte wrote:
If it's an online game give up

If it's not, then I suggest finding the pointer to 2695338 instead of 005DA043

May I know how you got 2695338?
Because this code changes its location every time I restart the game, and now it's not 005DA043.
Thank you.
EDIT: I know how you got it, will try it and post results.
EDIT2: Yes, this gives me 1 black address, but I need to find a pointer to "add [edx+50],eax", not to my scores.
Any hints?
Csimbi
I post too much
Reputation: 91

Joined: 14 Jul 2007
Posts: 3093

Posted: Fri Sep 17, 2010 9:04 am

Did you complete the tutorial that comes with CE?
There is a bunch of good info about finding base addresses of pointers.

Sounds like a flash game (or some plugin-based game anyway). For flash games, expect a level 13-15+ pointer for values.
But you won't find a pointer to a specific instruction in the code, ever.
But worry not, for AOB scan is very useful for this purpose. Did you try AOB scan to find the instruction?

AOB scan is relatively new and not part of the tutorial. A note to Dark Byte: should it be added?
If you need a starting point, download some tables or aa scripts and check how it's done.

PS. AOB scan is a very good way to cause crashes, so be sure to
- include read-only memory
- use at least 12 bytes
in your scans to avoid false positives.
TORPEDa
Cheater
Reputation: 1

Joined: 16 Sep 2010
Posts: 41

Posted: Fri Sep 17, 2010 9:15 am

TORPEDa wrote:
Csimbi wrote:
Did you complete the tutorial that comes with CE?
There is a bunch of good info about finding base addresses of pointers.

Sounds like a flash game (or some plugin-based game anyway). For flash games, expect a level 13-15+ pointer for values.
But you won't find a pointer to a specific instruction in the code, ever.
AOB scan is very useful for that. Did you try AOB scan to find the instruction?

I did complete the tutorial.
So you are saying that it's impossible to find a pointer to a specific instruction?
Hmmm... What should I do if the only way (IMO) to change the score without triggering the alarm is to change this instruction, or to inject code?

OK, I downloaded some tables.
Now I have got another question :)
What AND where should I learn to be able to do something like this:
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
// Scan first: if the byte pattern is not found, CE aborts the script here and nothing below is applied.
aobscan(raob,8B 96 50 04 00 00 89 55 F8)
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
label(raddress)
registersymbol(raddress) // registered so the [DISABLE] part can find the hook point again

raob: // address of the first byte of the pattern
raddress: // same address, under our own registered name
jmp newmem // 5 bytes...
nop // ...plus 1 nop = the 6 bytes of the overwritten mov
returnhere:

newmem: //this is allocated memory, you have read,write,execute access
mov edx,[esi+00000450] // the original instruction, executed first
mov [esi+00000460],3B9AC9FF //999999999 minerals
mov [esi+00000468],3B9AC9FF //999999999 gas
//place your code here


originalcode:
//mov edx,[esi+00000450]

exit:
jmp returnhere // back to the instruction after the hook


[DISABLE]
//code from here till the end of the code will be used to disable the cheat
raddress: // restore the original 6 bytes at the hook point
mov edx,[esi+00000450]
//Alt: db 8B 96 50 04 00 00
unregistersymbol(raddress)
dealloc(newmem) // free the cave last, after the jump into it is gone


:) It's Geri's code for StarCraft 2!
Any links to tutorials? :?
Falc0n
Expert Cheater
Reputation: 1

Joined: 04 Apr 2009
Posts: 104

Posted: Fri Sep 17, 2010 11:24 am

It's just simple auto assembler code lol... :/

It's basic asm and a bunch of easy-to-learn operations that DB created himself.
Csimbi
I post too much
Reputation: 91

Joined: 14 Jul 2007
Posts: 3093

Posted: Fri Sep 17, 2010 11:42 am

TORPEDa wrote:
I did complete tutorial.

Good, no need to explain the very basics then.
TORPEDa wrote:
So, You are saying that its impossible to find a pointer to a specific instruction ?

Correct. You could find pointers to the entry points of procedures, but it is far too complicated to yield usable results.
TORPEDa wrote:
Hmmm... What should i do if the only way(IMO) to change score without turning on alarm is to change this instruction, or to inject a code?

That's where AOB scan comes into the picture.
Take the time to learn it, it is a great asset in CE.

TORPEDa wrote:
ok, i downloaded some tables.
now i have go another question Smile
What AND Where should i learn to be able to do something like this:

I added some comments to the code below - and removed pieces that are not relevant, so you should be able to figure it out from there.
Code:
[ENABLE]
...
// We register a symbol for the location of the address we will find during AOB scan, so we can easily restore the original code later on.
registersymbol(raddress)
// The following command performs the actual AOB scan. Syntax: aobscan(<symbol>,<byte sausage>).
// CE will scan the memory (including the read-only memory) for <byte sausage>.
// When <byte sausage> was found, <symbol> takes the address of the location, and you can use that symbol just like any label.
// If <byte sausage> was not found, CE stops running the script and consequently, it will not be enabled.
// For this very reason, you should commence all AOB scans before performing any other things in the script - including symbol registrations, memory allocations, etc.
// Note: this is actually a mistake in Geri's script; symbol registration should be after the aob scan.
aobscan(raob,8B 96 50 04 00 00 89 55 F8)

// You use the AOB scan <symbol> like any other label.
// It represents the address of the first byte in <byte sausage>.
raob:
// You put here a symbol of your own that you have registered earlier.
// This way, that symbol will take the same address as <symbol>.
// What follows your symbol is your own code, usually an unconditional jump or a call to the code cave containing the code you want to inject.
// Remember to pad your jumps/calls with nop.
raddress:
jmp newmem
nop
returnhere:

...
 
[DISABLE]
// You put here a symbol of your own that you have registered earlier.
// This symbol has taken the address of the aob scan <symbol> earlier, so it can be used conveniently to restore the original code.
raddress:
mov edx,[esi+00000450]
// You unregister the symbol when you don't need it anymore.
unregistersymbol(raddress)
// Note: usually put "dealloc(newmem)" last, after restoring the code and unregistering symbols.


TORPEDa wrote:
any links to tutorials ? Confused

I don't know. Search.
Having completed the tutorial, and with the comments in the code above you should be armed with everything you need.
Give it a go. Just remember the "read-only memory" and the "use at least 12 bytes" tips to avoid crashes.


Last edited by Csimbi on Fri Sep 17, 2010 12:02 pm; edited 6 times in total
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5636

Posted: Fri Sep 17, 2010 11:45 am

Yes, this is probably one of the simplest scripts ever. :)

If you want to read my tutorial on how to do this, check out the articles on this page:

http://www.szemelyesintegracio.hu/cheats/41-game-hacking-articles

I have used exactly the same method on C&C Generals ZH and I have written down in details how to do it as an example. The same method was used in many other games. In SC2 too.

http://www.szemelyesintegracio.hu/cheats/41-game-hacking-articles/87-basic-assembly-instructions-opcodes-and-examples

_________________
My trainers can be found here: http://www.szemelyesintegracio.hu/cheats

If you are interested in any of my crappy articles/tutorials about CE and game hacking, you can find them here:
http://www.szemelyesintegracio.hu/cheats/41-game-hacking-articles

Don't request cheats or updates.
Csimbi
I post too much
Reputation: 91

Joined: 14 Jul 2007
Posts: 3093

Posted: Fri Sep 17, 2010 12:17 pm

Here's a draft(!) aob script for your case.
Study it and be sure to double-check the hack point and the byte sausage before you actually use it.
Code:
[ENABLE]
// Scan first: if the pattern is not found, CE aborts the script and nothing below is applied.
aobscan(aobHook, 01 42 50 8B 85 C6 FF FF FF 8B 48 34 39 09)
alloc(mCave, 1024)
label(cHook)
registersymbol(cHook)

mCave: // the code cave; reached through the call below
// Your code here:
// Original code:
add [edx+50],eax
mov eax,[ebp-00000094]
ret // returns to the first nop after the call

aobHook: // address of the first byte of the pattern
cHook: // same address, registered so [DISABLE] can restore it
call mCave // 5 bytes, overwriting add (3) + mov (6) = 9 bytes
nop
nop
nop
nop // 4 nops pad the remaining bytes

[DISABLE]
cHook: // restore the original 9 bytes at the hook point
add [edx+50],eax
mov eax,[ebp-00000094]
unregistersymbol(cHook)
dealloc(mCave)


PS. You can use ?? as wildcards in aob scan.
TORPEDa
Cheater
Reputation: 1

Joined: 16 Sep 2010
Posts: 41

Posted: Fri Sep 17, 2010 2:56 pm

Csimbi wrote:
Here's a draft(!) aob script for your case.
Study it and be sure to double-check the hack point and the byte sausage before you actually use it.
[...]
PS. You can use ?? as wildcards in aob scan.

Thank you! But what are those mCaves, cHooks, labels?
When I try executing your code I get this: see attachment.

Geri wrote:
Yes, this is probably one of the simplest scripts ever.
[...]

I checked your site a few days ago, nice tutorials!



[Attachment: 2.png]

AhMunRa
Grandmaster Cheater Supreme
Reputation: 27

Joined: 06 Aug 2010
Posts: 1117

Posted: Fri Sep 17, 2010 3:22 pm

The C and the 6 are transposed. Switch them.

C6 should be 6C

_________________
<Wiccaan> Bah that was supposed to say 'not saying its dead' lol. Fixing >.>
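The scan-then-hook procedure described in Csimbi's three posts above (find the instruction by its byte signature, scanning read-only memory and using enough bytes to avoid false positives; overwrite whole instructions with a jmp or call to a code cave and pad with nop; restore the saved bytes at the registered symbol on disable), together with AhMunRa's point about the transposed 6C/C6 byte, as an added worked example. This is not code from the thread or from Cheat Engine: it models process memory as a few constructed byte regions and reimplements the two pieces in Python, an aobscan with ?? wildcards that can skip read-only pages the way CE's option does, and a patch builder that computes the rel32 for E9/E8 and the nop padding. The region contents, the bases 0x00400000/0x00410000/0x00600000 and the cave address 0x00500000 are assumptions for the demonstration.

```python
import struct

# Constructed stand-in for process memory (assumed bytes and addresses; not
# dumped from the game in the thread). The two code regions are read-only,
# as real .text pages are; the data region is writable.
TEXT_BASE = 0x00400000
TEXT = bytes.fromhex(
    "8B 96 50 04 00 00 "  # mov edx,[esi+00000450]   <- Geri's hook point
    "89 55 F8 "           # mov [ebp-08],edx
    "8B 45 FC "           # mov eax,[ebp-04]
    "C3 "                 # ret
    "8B 96 50 04 00 00 "  # an unrelated second copy of the same mov
    "89 45 F8 "           # mov [ebp-08],eax
    "C3 "                 # ret
)
TEXT2_BASE = 0x00410000
TEXT2 = bytes.fromhex(
    "01 42 50 "           # add [edx+50],eax         <- Csimbi's hook point
    "8B 85 6C FF FF FF "  # mov eax,[ebp-00000094]   (-0x94 = FFFFFF6C, stored little-endian)
    "8B 48 34 "           # mov ecx,[eax+34]
    "39 09 "              # cmp [ecx],ecx
)
DATA_BASE = 0x00600000
DATA = bytes(32)

# (base address, contents, page is read-only)
REGIONS = [(TEXT_BASE, TEXT, True), (TEXT2_BASE, TEXT2, True), (DATA_BASE, DATA, False)]


def parse_aob(pattern):
    """'8B 96 ?? ?? 00 00' -> [0x8B, 0x96, None, None, 0, 0]; ?? is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


def aob_scan(pattern, regions, include_readonly=True):
    """Return every address at which the byte pattern matches (CE's aobscan)."""
    pat = parse_aob(pattern)
    hits = []
    for base, mem, readonly in regions:
        if readonly and not include_readonly:
            continue  # code pages are read-only, so excluding them loses the hook
        for off in range(len(mem) - len(pat) + 1):
            if all(p is None or p == mem[off + i] for i, p in enumerate(pat)):
                hits.append(base + off)
    return hits


def build_patch(hook_addr, cave_addr, original_len, use_call=False):
    """Build 'jmp cave' (E9 rel32) or 'call cave' (E8 rel32) plus nop padding.

    original_len must cover whole instructions; otherwise execution resumes
    in the middle of a half-overwritten instruction and the game crashes.
    """
    if original_len < 5:
        raise ValueError("need at least 5 bytes for a rel32 jmp/call")
    rel32 = cave_addr - (hook_addr + 5)  # relative to the next instruction
    opcode = b"\xE8" if use_call else b"\xE9"
    return opcode + struct.pack("<i", rel32) + b"\x90" * (original_len - 5)


def patch_region(mem, base, addr, new_bytes):
    """Write new_bytes at addr; return (patched memory, saved original bytes)."""
    off = addr - base
    saved = mem[off:off + len(new_bytes)]
    return mem[:off] + new_bytes + mem[off + len(new_bytes):], saved


def demo():
    # The draft as typed (C6) finds nothing, which is why CE refused to enable
    # it; with the bytes in memory order (6C) the hook point is found once.
    typo_hits = aob_scan("01 42 50 8B 85 C6 FF FF FF 8B 48 34 39 09", REGIONS)
    draft_hits = aob_scan("01 42 50 8B 85 6C FF FF FF 8B 48 34 39 09", REGIONS)
    # A 6-byte pattern is ambiguous here; Geri's 9 bytes are unique, and ??
    # tolerates a displacement that changes between builds.
    short_hits = aob_scan("8B 96 50 04 00 00", REGIONS)
    long_hits = aob_scan("8B 96 50 04 00 00 89 55 F8", REGIONS)
    wild_hits = aob_scan("8B 96 ?? ?? 00 00 89 55 F8", REGIONS)
    # Without read-only memory the code pages are skipped and nothing is found.
    no_ro_hits = aob_scan("8B 96 50 04 00 00 89 55 F8", REGIONS, include_readonly=False)

    cave = 0x00500000  # assumed address of the allocated code cave
    # Geri's hook: the 6-byte mov becomes jmp newmem (5) + 1 nop.
    jmp_patch = build_patch(long_hits[0], cave, original_len=6)
    # Csimbi's hook: add (3) + mov (6) = 9 bytes become call mCave (5) + 4 nops.
    call_patch = build_patch(draft_hits[0], cave, original_len=9, use_call=True)

    patched, saved = patch_region(TEXT, TEXT_BASE, long_hits[0], jmp_patch)   # [ENABLE]
    restored, _ = patch_region(patched, TEXT_BASE, long_hits[0], saved)       # [DISABLE]
    return {
        "typo": typo_hits, "draft": draft_hits, "short": short_hits,
        "long": long_hits, "wild": wild_hits, "no_ro": no_ro_hits,
        "jmp": jmp_patch.hex(), "call": call_patch.hex(),
        "restored_ok": restored == TEXT,
    }


if __name__ == "__main__":
    print(demo())
```

The scanner returns every match rather than the first one on purpose: CE's aobscan takes the first hit, so a pattern that matches twice silently hooks whichever copy comes first in memory, which is the false-positive crash Csimbi warns about.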
TORPEDa
Cheater
Reputation: 1

Joined: 16 Sep 2010
Posts: 41

Posted: Fri Sep 17, 2010 3:29 pm

AhMunRa wrote:
The C and the 6 are transposed. Switch them.

C6 should be 6C

Oh, I didn't notice!
Thank you!
EDIT: Code works! :D
OK, now I need to learn some basics like: what are those mCaves, cHooks, labels, etc. :)
YaY!
Csimbi
I post too much
Reputation: 91

Joined: 14 Jul 2007
Posts: 3093

Posted: Fri Sep 17, 2010 7:03 pm

Oh, a typo, thanks AhMunRa!

This is what happens when you type ;) When you copy that from CE directly, you will not have this problem.

TORPEDa wrote:
OK, now I need to learn some basics like: what are those mCaves, cHooks, labels, etc.

Oh, those are just my own names for labels and stuff. I make the first letter lowercase to indicate the purpose of the symbol (m for memory, c for code, p for pointer, etc.); the rest is just whatever comes to my mind...
There are nice tutorials around about the auto-assembler, and actually, it's part of the tutorial as well...
TORPEDa
Cheater
Reputation: 1

Joined: 16 Sep 2010
Posts: 41

Posted: Fri Sep 17, 2010 7:09 pm

Csimbi wrote:
Oh, a typo, thanks AhMunRa!
[...]
There are nice tutorials around about the auto-assembler, and actually, it's part of the tutorial as well...

In the tutorial you just need to inject 1 line...
Csimbi
I post too much
Reputation: 91

Joined: 14 Jul 2007
Posts: 3093

Posted: Fri Sep 17, 2010 8:06 pm

Hit F1 in the auto-assembler window.