 |
Cheat Engine The Official Site of Cheat Engine
|
| Author |
Message |
cold_moon How do I cheat?
Reputation: 0
Joined: 08 Sep 2011 Posts: 9
|
Posted: Sun Oct 02, 2011 6:55 am Post subject: Help me in this case: Pointer Of Offset |
|
|
HELLO EVERYBODY!
Please help me solve this:
The OpCode is: MOV ECX,DWORD PTR DS:[EAX+ECX*8+4]
My address requires the offset [EAX+ECX*8+4]. The problem is that CE can only add an offset that is constant, but in my case EAX and ECX hold addresses that change every time I restart the game, and the pointers I have for them are:
EAX = [[Game.dll+0xACE5E0]+0xC]
ECX = [[[[[Game.dll+0xAE54CC]+0x3C4]+0x130]+0x124]+0xC0]
Total for my address: [[[Game.dll+0xACE5E0]+0xC]+[[[[[Game.dll+0xAE54CC]+0x3C4]+0x130]+0x124]+0xC0]*8+0x4]
How can I add this offset to my address???
Btw, is there a way to make the offset tiny, or a calculation to combine it?
Thanks for your attention.
|
|
|
 |
haunted5 Cheater
Reputation: 1
Joined: 23 Aug 2011 Posts: 35
|
Posted: Sun Oct 02, 2011 7:42 am Post subject: |
|
|
I would like to know this as well. I came across a game recently that had similar code to yours where 2 variables were pointer addresses.
Although I couldn't add the real offsets to the cheat table, I worked around it by performing a pointer scan at a lower offset.
In my case, the code similar to [EAX+ECX*8+4] was used by too many addresses. So I did a pointerscan 1 level above that. So in your case
[[Game.dll+0xACE5E0]+0xC]+[[Game.dll+0xAE54CC]+0x3C4]
I think you have the code where the pointer is at the above offset. Find out what the address is at that level with the 'Find out what addresses this code uses' option and then do a pointerscan that ends in 0x3C4. After that, just reload saves and restart the game and keep using the 'Find out what addresses this code uses' option to find the right address at the above offset level and keep rescanning the pointerscan. This is how I worked around it, but hopefully someone can answer your original question as I would like to know about it too.
|
|
|
 |
cold_moon How do I cheat?
Reputation: 0
Joined: 08 Sep 2011 Posts: 9
|
Posted: Sun Oct 02, 2011 11:51 am Post subject: |
|
|
Thanks haunted5.
But based on your method, we could do it more easily with a Pointer Scan from the start.
I rarely use the results of Pointer Scan because it gives too many results even though I rescanned several times. They all work on the computer that did the scan, but when I take them to another computer (my laptop), they are all wrong (maybe because I scanned with Maximum offset value = 2048, which is not big enough; scanning with a bigger value like 63352 makes my computer hang or lag badly).
Does anyone have a solution for my problem? I look forward to it.
To Dark Byte, etc. who code CE: if possible, I suggest a function similar to "Use Complex Address" of MHS (Memory Hacking Soft) in CE.
|
|
|
 |
Geri Moderator
Reputation: 112
Joined: 05 Feb 2010 Posts: 5627
|
Posted: Sun Oct 02, 2011 12:22 pm Post subject: |
|
|
| Quote: |
To Dark Byte, etc. who code CE: if possible, I suggest a function similar to "Use Complex Address" of MHS (Memory Hacking Soft) in CE.
|
You can use module+address form for giving addresses.
And you can type in addresses in complex form, CE will make a pointer with it, showing the address where it points.
|
|
|
 |
Dark Byte Site Admin
Reputation: 474
Joined: 09 May 2003 Posts: 25956 Location: The netherlands
|
Posted: Sun Oct 02, 2011 2:15 pm Post subject: |
|
|
Alternatively, use Lua to set the address.
But really, what kind of sick code is [EAX+ECX*8+4] if ECX is a pointer as well?
Is this an emulator? (flash, java, .net)
If it is just an index instead of a pointer then I would suggest trying a different approach. The "ECX pointer" gives you the current index for whatever you are looking into that array.
Isn't there a pointer in that region that points to the path needed to find EAX+ECX*8+4?
_________________
Tools give you results. Knowledge gives you control.
Like my help? Join me on Patreon so i can keep helping |
|
|
 |
gameplayer Advanced Cheater
Reputation: 2
Joined: 26 Jun 2011 Posts: 97 Location: Vietnam
|
Posted: Sun Oct 02, 2011 9:07 pm Post subject: |
|
|
Dark Byte. You're really smart. I have been successful with the different approach. These guys seem to play warcraft III. The ecx is actually an offset. However, the ecx belongs to a structure that contains another pointer to the hero's information. This part of the hero's structure is pointed to by [[[[[Game.dll+0xAE54CC]+0x3C4]+0x130]+0x124]+1F0] in the version I play, 1.24.4.6387. I used to attempt to find the final pointer but failed because of the changing offset. I had given up for a long time before I read this thread. I still wonder how the game separates the hero's information. I've just found the experience, skill points, base strength (does not work in campaign), and base agility (does not work in campaign). I hope someone else can find more valuable information.
|
|
|
 |
cold_moon How do I cheat?
Reputation: 0
Joined: 08 Sep 2011 Posts: 9
|
Posted: Mon Oct 03, 2011 3:01 am Post subject: |
|
|
Omg, the probability that one person reading my post is a war3 player is not low, but that this person also hacks the war3 game, knows that this offset belongs to the war3 game in this exact version, knows what the offset does, etc.... I think that probability is 0.00...1. BUT IT HAPPENED. I posted the real offset, thinking about the chance that someone would recognize that this offset is used for the war3 game and what it does. Last night, I dreamed it happened. I was very, very surprised and amazed when today it actually occurred. Hello @gameplayer, I hope you can complete your unfinished work (the value of [[[[Game.dll+0xAE54CC]+0x3C4]+0x130]+0x124] not only points to the hero, it also points to any unit you selected by clicking on it. I call it "UnitIndexValue", so you can use it to change any unit you want following the structure UnitIndexValue + offset of the value you want, like HP, MP, attack damage, etc., and it can be used forever in version 1.24.4.6387 with any map, local or single; I haven't tried campaign yet). If I can help you with something within my ability, discuss it with me and we can exchange some knowledge. I'm always willing.
@Geri, I already did that before posting this question. With a constant offset CE can do it, but with a variable offset, CE can't.
@Dark Byte, can you give an example of Lua script code for my case? I only know AA scripts.
In the past, when I started to use Lua Script, the first thing I tried was AOBScan. Code:
addr = AOBScan("Array byte off opcode like 8B 44 24 10 89 6C 24 10 8D 6C 24 10 2B E0")
showMessage(addr)
I chose these bytes at an address I knew, but the message that showed up was different from my address. Was I wrong in the code's structure or something else?
After that problem, I didn't try Lua anymore until ... now. Please give me example code for setting an address that has a variable offset.
Reason edit: Fix some spelling
Last edited by cold_moon on Mon Oct 03, 2011 6:50 am; edited 3 times in total |
|
|
 |
haunted5 Cheater
Reputation: 1
Joined: 23 Aug 2011 Posts: 35
|
Posted: Mon Oct 03, 2011 5:06 am Post subject: |
|
|
Hi cold_moon,
I think you misunderstood what I was trying to say. I was just mentioning a pointerscan at a lower offset because if your pointer has over 6 offsets it can take a very long time and a lot of disk space. I remember a pointerscan I did when trying to find a pointer that had 8/9 offsets; it was taking too long, but the main problem was that it was taking 70+ GB and was still climbing. I was running out of any free space I had on the computer so I had to stop it.
That's why I mentioned a pointerscan at a lower offset. I'm sure there will be a valid pointer that points to what you are looking for, but it will probably have around 10 offsets.
|
|
|
 |
Dark Byte Site Admin
Reputation: 474
Joined: 09 May 2003 Posts: 25956 Location: The netherlands
|
Posted: Mon Oct 03, 2011 6:04 am Post subject: |
|
|
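Untested and might need some modifications, but this is the general idea:
| Code: |
-- read the values that end up in EAX and ECX through their pointer paths
EAX=readInteger("[Game.dll+ACE5E0]+C")
ECX=readInteger("[[[[Game.dll+AE54CC]+3C4]+130]+124]+C0")
-- effective address of the operand [EAX+ECX*8+4]
Address=EAX+ECX*8+4
-- point the cheat table entry at the computed address
mr=addresslist_getMemoryRecordByDescription(getAddressList(), "Entry you want to change")
memoryrecord_setAddress(mr, Address)
|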
Perhaps put it in a timer to continuously set the value, or use writeInteger(address, value) to set the value immediately (writeFloat if it's a float, of course).
---
Also, for the pointerscan, remember that there are multiple paths, even those you've never seen.
I assume this is because you want to find the currently selected unit. The method I usually take is going with access only (so not find what writes). This way I can find the code used by the rendering of the health value in the units info box, which coincidentally is the same code used for the currently selected unit.
Another method would be to do a pointerscan of the selected unit, then select another unit and do a rescan for this address (or value).
If that fails, try one level higher, and if that doesn't take too long, another level again. If it does take too long, try a smaller structsize. (Or a smaller level with a bigger structsize.)
And I'm not sure if war3 is the same as star3, but there a lot of memory is in static locations. To scan there, disable the option to stop traversing a path when a static has been found.
| Quote: |
In the past, when I started to use Lua Script, the first thing I tried was AOBScan. Code:
addr = AOBScan("Array byte off opcode like 8B 44 24 10 89 6C 24 10 8D 6C 24 10 2B E0")
showMessage(addr)
|
AOBScan does not return a string or a number, but it returns a StringList object.
strings_getText(addr) will return the strings as one whole list and strings_getString(addr,0) will return the first address.
Also, the byte array might be used for other units as well.
Last edited by Dark Byte on Mon Oct 03, 2011 8:24 am; edited 1 time in total |
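The address arithmetic from the post above, as an added example that is not part of the original thread and is not Cheat Engine code: a small Python evaluator for the bracketed pointer notation used here, run over a constructed memory map. The module base, every memory value and the function names are assumptions made for the illustration.

```python
import re

TOKEN = re.compile(r"\s*(\[|\]|\+|[\w.]+)")
MODULES = {"Game.dll": 0x6F000000}                   # constructed load address
MEM = {                                              # constructed memory: address -> dword
    0x6FACE5E0: 0x01200000, 0x0120000C: 0x02340000,                    # path to EAX
    0x6FAE54CC: 0x01300000, 0x013003C4: 0x01400000, 0x01400130: 0x01500000,
    0x01500124: 0x01600000, 0x016000C0: 0x2A,                          # path to ECX
}

def resolve(expr, mem=MEM, modules=MODULES):
    """'[x]' reads the dword at x, '+' adds, bare numbers are hex."""
    toks = TOKEN.findall(expr)[::-1]                 # reversed: pop() takes the next token
    if "".join(reversed(toks)) != "".join(expr.split()):
        raise ValueError("unexpected character in %r" % expr)

    def term():
        tok = toks.pop() if toks else None
        if tok == "[":
            addr = total()
            if not toks or toks.pop() != "]":
                raise ValueError("missing ']' in %r" % expr)
            if addr not in mem:
                raise LookupError("unreadable address %08X" % addr)
            return mem[addr]
        if tok in modules:
            return modules[tok]
        if tok in (None, "]", "+"):
            raise ValueError("operand expected in %r" % expr)
        return int(tok, 16)

    def total():
        value = term()
        while toks and toks[-1] == "+":
            toks.pop()
            value += term()
        return value & 0xFFFFFFFF                    # 32-bit wrap-around
    result = total()
    if toks:
        raise ValueError("unbalanced ']' in %r" % expr)
    return result

def read_integer(expr, mem=MEM, modules=MODULES):    # dword stored at the resolved address
    return mem[resolve(expr, mem, modules)]

def indexed_address(mem=MEM, modules=MODULES):
    eax = read_integer("[Game.dll+ACE5E0]+C", mem, modules)
    ecx = read_integer("[[[[Game.dll+AE54CC]+3C4]+130]+124]+C0", mem, modules)
    return (eax + ecx * 8 + 4) & 0xFFFFFFFF          # the [EAX+ECX*8+4] operand
```

With this constructed map the operand resolves to 0x02340154; an expression with a dropped or extra bracket raises ValueError instead of resolving to a different address.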
|
|
 |
cold_moon How do I cheat?
Reputation: 0
Joined: 08 Sep 2011 Posts: 9
|
Posted: Mon Oct 03, 2011 7:32 am Post subject: |
|
|
Thanks to all.
I will immediately retry the pointerscan with the methods of Dark Byte and haunted5, and also start to learn Lua Script (I'm starting to like it hehe). Good health to everyone.
|
|
|
 |
cold_moon How do I cheat?
Reputation: 0
Joined: 08 Sep 2011 Posts: 9
|
Posted: Wed Oct 05, 2011 7:48 am Post subject: |
|
|
Hi everyone.
I have a problem with Lua: what is the script command to change a caption or text color?
Ex: I want to change the caption color of CELabel1 in the UDF1 form. I use control_setColor(UDF1_CELabel1_Caption, clWhite) but it shows an Access violation error (I think I am wrong in the code structure again). Help me.
@Dark Byte, I have solved the complex offset with your code. Thank you very much.
|
|
|
 |
Dark Byte Site Admin
Reputation: 474
Joined: 09 May 2003 Posts: 25956 Location: The netherlands
|
Posted: Wed Oct 05, 2011 11:40 am Post subject: |
|
|
To change caption you use control_setCaption. (e.g: control_setCaption(UDF1_CELabel1,"WEEE"); )
As for color it's something I forgot to add in 6.1, you can't change the color of a label's text with code (I didn't export the Font property)
What you can do is have 2 labels with the same text and make one visible and hide the other...
|
|
 |
cold_moon How do I cheat?
Reputation: 0
Joined: 08 Sep 2011 Posts: 9
|
Posted: Wed Oct 05, 2011 1:06 pm Post subject: |
|
|
Dark Byte. You are so kind.
Sorry to disturb you again. Is there a command to convert Decimal -> Hexadecimal and a command to convert String to Int like ParseInt in C? For Dec2Hex, I use the command getNameFromAddress and, of course, the result is a string like an address with 8 digits.
Thanks for your help.
|
|
|
 |
Dark Byte Site Admin
Reputation: 474
Joined: 09 May 2003 Posts: 25956 Location: The netherlands
|
|
|
 |
gameplayer Advanced Cheater
Reputation: 2
Joined: 26 Jun 2011 Posts: 97 Location: Vietnam
|
Posted: Wed Oct 05, 2011 9:55 pm Post subject: |
|
|
I've found more information about the war3 heroes. The game causes a lot of trouble with the next scan because the values seem to be inactive. In most cases, I've been successful with the first scan only and then made some guesses. I don't really know how the game does the trick. I've released a table. The hero's structure has been split into 4 parts. The first part contains level, base intelligence. The second part contains health's info. The third part contains mana's info. The final part (major part) contains a lot of other info such as attack, armor, experience, skill points, and so on. If anyone has more info, please share it with me.
| Code: |
-- value used as EAX in [EAX+ECX*8+4]
EAX=readInteger("[Game.dll+ACE5E0]+C")

-- first part: level, base intelligence
ECX=readInteger("[[[[[Game.dll+AE54CC]+3C4]+130]+124]+1F0]+74")
if EAX~=nil and ECX~=nil then
  Address=readInteger(EAX+ECX*8+4)
  if Address~=nil then -- skip this part when the read fails
    level=Address+0x78
    intelligence=Address+0xF8
    mr=addresslist_getMemoryRecordByDescription(getAddressList(), "Level")
    memoryrecord_setAddress(mr,level)
    mr=addresslist_getMemoryRecordByDescription(getAddressList(), "Intelligence")
    memoryrecord_setAddress(mr,intelligence)
  end
end

-- second part: health
ECX=readInteger("[[[[[[Game.dll+AE54CC]+3C4]+130]+124]+1F0]+30]+A0")
if EAX~=nil and ECX~=nil then
  Address=readInteger(EAX+ECX*8+4)
  if Address~=nil then
    health=Address+0x78
    healthregeneration=Address+0x7C
    maxhealth=Address+0x84
    mr=addresslist_getMemoryRecordByDescription(getAddressList(), "Health")
    memoryrecord_setAddress(mr,health)
    mr=addresslist_getMemoryRecordByDescription(getAddressList(), "Health Regeneration")
    memoryrecord_setAddress(mr,healthregeneration)
    mr=addresslist_getMemoryRecordByDescription(getAddressList(), "Max Health")
    memoryrecord_setAddress(mr,maxhealth)
  end
end

-- third part: mana
ECX=readInteger("[[[[[[Game.dll+AE54CC]+3C4]+130]+124]+1F0]+30]+C0")
if EAX~=nil and ECX~=nil then
  Address=readInteger(EAX+ECX*8+4)
  if Address~=nil then
    mana=Address+0x78
    manaregeneration=Address+0x7C
    maxmana=Address+0x84
    mr=addresslist_getMemoryRecordByDescription(getAddressList(), "Mana")
    memoryrecord_setAddress(mr,mana)
    mr=addresslist_getMemoryRecordByDescription(getAddressList(), "Mana Regeneration")
    memoryrecord_setAddress(mr,manaregeneration)
    mr=addresslist_getMemoryRecordByDescription(getAddressList(), "Max Mana")
    memoryrecord_setAddress(mr,maxmana)
  end
end
|
|
|
|
 |
|
|
|
|