Cheat Engine The Official Site of Cheat Engine

Grizzly How do I cheat?
Reputation: 0
Joined: 09 May 2013 Posts: 7
Posted: Thu May 09, 2013 3:03 pm Post subject: Floats and Pointers
I'm trying to create a list of the entities and interactable items within the field of play. I've gotten fairly proficient with chasing a pointer back to its base, but I'm not sure that I'm doing this even remotely correctly.
While playing with the Structure dissect window I noticed that many of the same type objects share a float at +BO from the start of their memory block. Since nearly none of the objects share a common name, I'd search for this float, once more to clean out some transient data, select all the values, drop them into the addresslist, recalculate the address of all of them by hex -BO, change the type to string, and I now have a list of all the, let's say, "trees" identified. The game happens to be very "Zone" orientated, think of the NES Zelda type. Once you move over all the data dumps to load the new things. I've never seen a Tree object end up replaced by a rock, or another player. On occasion the block is reused and immediately I can see a few names of the objects, however if you don't run the pointer back to its base, a majority of the addresses are garbage. If I turn right back around and go back a fair bit stays intact.
So now you're running pointer scans on 50 trees.... Yeaaa, that's going to take a month just for the trees in 1 of 400 different zones, taking 10mil+ pointers down to 5-6.
Now, time for the questions. Since I can find out how big the memory block of each "tree" is, is there a way to continuously collect addresses from that float that they all share, so that when all of the memory blocks for an object type have cycled through, I'd be able to see exactly where this memory block falls, divide that by the size of each object and find out how many could exist on any map?
Since you are going to eventually want to lower the pointer spread, to keep from seeing multiples of the same thing, or not having them even appear because you haven't found its range yet. Is it possible to script a pointer scan to an object that is using a description against where the address in the addresslist is showing? Basically a way to run multiple pointer scans via 1 script to narrow the search of dozens of objects at once, so you'd only have to relog say 10 times to map a majority of a memory block, not relogging back in 4000 times a day for the next 3yrs.
Hopefully some of this makes sense to someone, if not when I wake up I'll try and clear it up, but since it's 1pm and I still haven't gone to bed, it might be excusable =D

++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Thu May 09, 2013 4:18 pm
Yeah, not making much sense. It sounds like you are making something more difficult than it should be...but I don't know.
What is it, exactly, that you are trying to achieve (simply)?

Grizzly How do I cheat?
Reputation: 0
Joined: 09 May 2013 Posts: 7
Posted: Thu May 09, 2013 10:08 pm
The addresses of any NPC within a zone. Presumably if I can manage to do that, the rest should be fairly easy.

++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Fri May 10, 2013 12:57 am
Still not making sense.

Grizzly How do I cheat?
Reputation: 0
Joined: 09 May 2013 Posts: 7
Posted: Fri May 10, 2013 7:22 am
Well there was a whole 3 important words to that reply. Address, NPC, and Zone, which do you not understand?

++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Fri May 10, 2013 12:14 pm
Quote: "The addresses of any NPC within a zone. Presumably if I can manage to do that, the rest should be fairly easy."
The addresses of any NPC within a zone? What does that even mean? And if you can manage to do that? Do what?
Maybe you are just trolling? It's like pulling teeth trying to help you.

Grizzly How do I cheat?
Reputation: 0
Joined: 09 May 2013 Posts: 7
Posted: Fri May 10, 2013 1:28 pm
Address = The part of a running program where the AI or Object is being handled and all relevant information stored.
Zone = to divide into zones, tracts, areas, etc., as according to existing characteristics or as distinguished for some purpose. In cases is preceded by a Loading screen during which the material for the next area is readied.
NPC = Non player character, an interactable object that performs a set of actions according to a script or limitations governed by AI.
What am I going to do with that information? Hmm, let's see, could knowing exactly what NPCs and how many of them there are in a room possibly be helpful?
I do not mind rephrasing or explaining what I'd like to accomplish, but when I ask what you do not understand and you quote the entire post, say you still do not understand, and point the troll finger at me I'll happily return the favor.
If you need screen shots and snippets of code, I can certainly do that.

++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Fri May 10, 2013 3:58 pm
I am trying to help you.
Knowing how many enemy characters are being loaded in to a game, based on your character's location is not usually practical. Knowing which instruction writes to the coordinates of those characters is another matter.
I can not answer a question or offer help when I do not know what the question is.
I have a feeling that what you are trying to 'ultimately' accomplish is easier than you think. Unfortunately, if your mind is made up on how you should proceed, and you're getting hung up on the steps that you 'think' you need to take in order to reach your goal, I can not explain to you what you are doing wrong or how you should really approach it and the reasoning for that.
Tell me what your ultimate goal is and your reasoning for it. Maybe I can help you.

Grizzly How do I cheat?
Reputation: 0
Joined: 09 May 2013 Posts: 7
Posted: Sun May 12, 2013 10:42 am
I appreciate it Gnireen. You were certainly right about that last post. Evidently the way I spent the last few days just doing how I ultimately felt it would work out... And to some degree, it would. Except it'd take me the next 6 months literally at the pace that was going. Hell, right now I can't even figure out how to parse an inventory.
I want to figure out how to make a list, of ANY one single type of object in the game.
IE, My ENTIRE inventory, it's not limited by slots, but by weight, so you can't track by slot.
or, All of the AI/NPCs in the room.
or, All of one TYPE of AI/NPC in the room
or, All of 1 Resource type in the room.
All of the exits in a room.
Should make a little more sense? I need to move beyond single entity searches.
Separate question, I've seen a few people, most often Dark Byte, mention that they frequently run a 7-8-9 deep pointerscan with a max offset of 4096. Now, that's going to create an ENORMOUS amount of data. Question is, is any of that scan data good for other scans as well? Or are people really running 12hr, 2TB pointerscans for 1 value?
Got any idea how to start on this, or a reference that someone's done something like this that I could read?

Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Sun May 12, 2013 1:32 pm
Well personally, I'd find ONE stable pointer to one tree. Then find the next tree by looking at the memory block that contains trees, and find a pointer to that second tree.
Now compare both pointers, you'll likely find a pattern like:
pointer to tree1: [[[[game.exe]+1234]+100]+50]+0
pointer to tree2: [[[[game.exe]+1234]+100]+54]+0
Then make a copy of the pointer to tree2 and edit it. Most likely the pointer to tree3 is: [[[[game.exe]+1234]+100]+58]+0
Once you know the pattern, use excel, openoffice, or cheat engine lua to generate the other pointers. Remember that .ct files are just text files.
After that, if you really want an entity counter, you can make a lua script that will loop through all pointers in your cheat table, and count all floats that are equal to 1.0, 2.0, etc... I don't know how your game is made, but it is possible that it needs to know the number of trees for its own needs, so maybe this value is already stored somewhere. Either this or it knows the total number of entities.
As for pointerscanner configuration, I only run level 6+ scans when I know some of the last offsets. As a rule of thumb, I do scan_depth-known_offsets<=5. Desperation kicks that rule through the window though.
If you use the scanner in "address to find" mode, then results of a pointerscan are only valid for one value. If you do it in "value to find" mode, it is valid for all variables that had the value you scanned for.
EDIT: since you have strings, another way to identify the pointer pattern is to manually increase ONE of the pointer offsets that points to a string, until it points to another valid string. If after increasing a given offset by 0x400 by steps of 4 you do not find another string, you're probably not trying the right offset.
Tip: you can click and hold on the offset arrows.
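The offset pattern from the post above (50, 54, 58, ...), worked through on a constructed memory image; this is an added example, not part of the original thread or any poster's code. It assumes the usual Cheat Engine reading of the path (base "game.exe"+1234, then hex offsets 100, 50, 0) and a 32-bit little-endian process; the load address, object addresses, names and the 0xB0 float offset are made up for the sample.

```python
import struct

# Constructed 32-bit little-endian memory image; all addresses/values are made up.
MODULE_BASE = 0x00400000   # assumed load address of "game.exe"
TYPE_OFF = 0xB0            # assumed offset of the per-type float in each object
MEM = {}                   # address -> byte value

def poke(addr, data):
    for i, b in enumerate(data):
        MEM[addr + i] = b

def peek(addr, n):
    # An unmapped byte raises KeyError, standing in for an unreadable address.
    return bytes(MEM[addr + i] for i in range(n))

def resolve(base, offsets):
    """Follow a pointer path: dereference, add the offset, repeat."""
    addr = base
    for off in offsets:
        addr = struct.unpack("<I", peek(addr, 4))[0] + off
    return addr

def read_cstr(addr, limit=32):
    raw = bytes(MEM.get(addr + i, 0) for i in range(limit))
    return raw.split(b"\0")[0].decode("ascii", "replace")

def build_image(objects):
    manager, table = 0x10000000, 0x20000000
    poke(MODULE_BASE + 0x1234, struct.pack("<I", manager))
    poke(manager + 0x100, struct.pack("<I", table))
    for i, (name, kind) in enumerate(objects):
        obj = 0x30000000 + i * 0x200
        poke(table + 0x50 + 4 * i, struct.pack("<I", obj))  # one slot per object
        poke(obj, name.encode() + b"\0")                    # name string at +0
        poke(obj + TYPE_OFF, struct.pack("<f", kind))
    poke(table + 0x50 + 4 * len(objects), struct.pack("<I", 0))  # empty slot ends list

def enumerate_entities(first=0x50, stride=4, max_slots=0x100):
    """Walk the slot offset 50, 54, 58, ... until a null or unreadable slot."""
    found = []
    for slot in range(max_slots):
        try:
            obj = resolve(MODULE_BASE + 0x1234, [0x100, first + stride * slot, 0x0])
            if obj == 0:
                break
            kind = struct.unpack("<f", peek(obj + TYPE_OFF, 4))[0]
        except KeyError:
            break
        found.append((obj, read_cstr(obj), kind))
    return found

build_image([("Oak", 1.0), ("Pine", 1.0), ("Boulder", 2.0)])
```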

++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Sun May 12, 2013 6:46 pm
You want to make a list...but for what purpose? What will the list be used for?
For example, you can find the X coordinate for one of the enemy characters in your vicinity. With that address, you can see which instruction accesses that address. Once found, you can see all of the other addresses that the instruction accesses (in addition to the X coordinate that you already found). Typically, this will yield many results. For many games, it is easy to find an instruction that will load all of the enemy characters (for example) within viewing range of your hero player. You may be able to write a script to collect all of these addresses, in bulk, without needing to find all of the pointers. Sometimes, the instruction that accesses your hero player, also accesses all of the other characters...making it easier to find.
But really, the approach that you should take, even from the start, will depend on what your purpose is for creating such a list in the first place.

Grizzly How do I cheat?
Reputation: 0
Joined: 09 May 2013 Posts: 7
Posted: Mon May 13, 2013 12:58 pm
There are a few things I'll eventually do with this. Right now it will just be a proof of concept. I've found the navigation to and from objects and what radius. The game already has an autonav to a selected target, there are no impassable objects here, so it's easy to go in a straight line to your target.
Once all the targets in a room are dead, I can start the looting, take the keys and enter the next room.
And a lil bit outside the original question, if you're scanning pointers on an Online game, and it DCs for any reason, would that invalidate the scan, or can it still be used because the game window was never closed?

++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Mon May 13, 2013 1:34 pm
Proof of concept.
Well, since you still haven't answered my question, I can't give you a definitive answer.
I can tell you, that, having a permanent list will take a long, long time. Letting the instruction(s) 'generate' your lists for you, in real time, each time, will serve the same purpose without having to find all of those pointers and will also allow you to manipulate those addresses globally, with a simple script.
Nonetheless, if you insist on gathering hundreds or thousands of addresses and finding all of the pointers for all of those addresses, your best approach would be to still find the instruction(s) that control what it is you're looking for, and letting cheat engine populate all of those addresses for you, quickly and automatically. This should work for most PC games, as oftentimes, the instructions that affect characters/objects are single-focused and usually only control one parameter or factor. Those that don't, are usually easy to spot:
Instead of:
mov [eax+14],edi
You may see:
mov edi,ebx
...which is why, in your case, you want to search for instructions that access your address, and not for instructions that write to your address.
If the game is being emulated (such as in an old console game) or is an online game, some or all of what I have said may not even apply.

Grizzly How do I cheat?
Reputation: 0
Joined: 09 May 2013 Posts: 7
Posted: Mon May 13, 2013 2:52 pm
Haven't answered your question? I've answered it 4 times, gathering a list of enemies. I think you're expecting a more grandiose answer like get them to make me breakfast or do laundry?
It's a list, the end.
I'll start having a look at the Access bits and see what I can come up with going that direction. Certainly sounds more promising than what I've been trying.
Yes, it's online.

++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Mon May 13, 2013 3:13 pm
No, you haven't answered my question. The reason it is important to know why you want to create the list in the first place and/or what you plan on doing with the list, will help to determine how you should begin and which steps you should take.