Cheat Engine

[Dragonelf]

hello, I registered since I can´t understand or find a work around this and hope that anyone can help with this

I have an adress which shows my status, its either 1 or 0 (just some background). Now I want to a pointer and therefore a baseadress for it.

I do the "what access this adress" find my "the base adress is probably" adress and do a hex search for this adress which leads me to 1 new adress. I do this a few times until I get to my green (static) base adress. The base adress in one case was GameClient+2E1E3A

For this gamesession the pointer worked, showed to my adress with the 1 or 0 value, everything was fine.

The next time I started the game, my pointer did not work anymore, which confused me.

So I repeated my way above, it gave me the exact same 5 offsets again, I found the green static adress at the end, which was now GameClient+2A1D4B

My first baseadress lead to 0

I repeated it a few more times which the same results all the time. My offsets do not change, they stay the same, but my baseadress, which is shown as green in cheatengine changes everytime.

All tutorials I have read mention that the static adress is indeed static and won´t change as it does in my case

Can anyone explain why this happens and if there is a way around it

Thanks in advance

Greetings

Dragonelf

[eax.qbyte]

I think i'm having the same problem like you.
I guess the last instruction you found which picks a value from a static address should be a base address+some indexed offset.
I mean an instruction like this: MOV ECX,[ESI+EBX*4]or MOV ECX,[StaticAddress+EBX*4](the offset depends on a register)
If it is true, the ESI is always the same but EBX some times chanes.
Which means the value of EBX should be stored somewhere other in memory and we can find it's pointer too.
but how should we combine these two pointers? I know writing an AA script is a solution but
not everybody knows scripting and not all games allow editing their code easily.

[Dragonelf]

[eax.qbyte]

Can you add the assembly instructions found by "find out what accesses this address"?
In this way:
First in memory view go to view menu and activate "show module addresses" and "show symbols"
Open a Notepad
Then On every address

-Right click and choose find out what accesses this address
-When found stop the breakpoint and choose an instruction.
-Click on "show in disassembly"
-In memory editor(disassembly view) with instruction selected Press CTRl+C->Then click copy(with all ticks on)
-Paste it in notepad

Repeat them for all steps of tracing the pointer.
Post them in cheat engine forum. And I think you will get certain answers.

[Gniarf]

@Dragonelf: I recommend trying the pointer scanner, using an offset of 6 or more and making sure that "stop traversing when a static address..." in NOT checked. Since you know 5 offsets, input them in "pointer path must end with offsets...". The topmost offset is the "closest" one from your 0/1 flag.

If that doesn't work, try again without inputting the offsets you know, maybe the scanner will find/use a pointer that is actually for another variable, but that other variable is always at a fixed distance from the one you wanna hack, resulting in a valid pointer to your variable.

[Dragonelf]

[Gniarf]

That's odd, the pointerscanner should at least find the pointer you found manually. If it doesn't it means it's not properly configured for this game, so I'd suggest first getting it to find your manual pointer, and then increasing level/structure size to find a stable one.

Since GameClient+2A1D4B is an odd (as opposed to even) value, uncheck "addresses must be 32bit aligned".
What are your 5 offsets?
What structure size are you using?
Did you use "improve pointerscan with gathered heap data"? (Avoid it by default)

[eax.qbyte]

Well, Yes thank you.

[Dragonelf]

[Gniarf]

[Pingo]

That game is this? Not sure if you mentioned it in the thread, i didn't see it.

[Dragonelf]

The game is "Never****", a new mmorpg

Some more information about my process of finding the offsets and the pointer

I always do the "4 byte" scan

Adress which contains my value: 3157FE8C

What access-) The value of the pointer needed... 3157FE98 mov eax,[edx-0C] -) Offset -c
Hexscan 3157FE98 -) 372EB0D8
What access-) The value of the pointer needed... 372EB0CC cmp dword ptr [eax+0C],00 -) Offset c
Hexscan 372EB0CC -) 254A764C
What access-) The value of the pointer needed... 254A7648 mov eax,[ecx+edx*4] -) Offset 4
Hexscan 254A7648 -) 2CA3F4AC
What access-) The value of the pointer needed... 2CA3F4AC cmp dword ptr [eax],00 -) Offset 0
Hexscan 2CA3F4AC -) 22EC0F28
What access-) The value of the pointer needed... 22EC0C98 mov eax,[edx+00000290] -) Offset 290
Hexscan 22EC0C98 -) 2C16855C
What access-) The value of the pointer needed... 2C168460 cmp dword ptr [eax+000000FC],00 -) Offset fc
Hexscan 2C168460 -) 025E3B10 [GameClient.exe+2233B10] Shown as static (green) in cheatengine

What access 025E3B10 mov eax,[eax*4+GameClient.exe+2233560]

Eax contains 2C168460



Pointer: GameClient.exe+2233B10 fc 290 0 4 c -c points to my original adress 3157FE8C



When I repeat the process, everything is pretty much the same except my base adress changes. its always GameClient.exe+2233XXX, with the same pointers, the same function and the baseadress is always green in cheatengine


I hope someone can find what I am doing wrong here, I cant figure it out

[Gniarf]

[Dragonelf]