Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Teleport script
Cheat Engine Forum Index -> General Gamehacking
kik4444
Expert Cheater
Reputation: 0

Joined: 07 Sep 2013
Posts: 120
Location: Bulgaria

Posted: Sun Nov 24, 2013 6:36 pm

Well, the game crashed while finding out what accessed that address, but in the one second of playing it before it crashed, I managed to get this.
EDIT: and here are the ones that couldn't fit in the first pic.



[Attachment: cut out opcodes.png]
[Attachment: opcodes2.png]
mgr.inz.Player
I post too much
Reputation: 222

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Sun Nov 24, 2013 6:46 pm

Much better. Look at your opcodes2.png file, look at the third entry, do you see those three dots? You must make the column a bit wider.


Anyway, from what I see, there are a few frequent opcodes which only access one address, the player coordinates. We can choose one and try to create a teleport script.

kik4444
Posted: Sun Nov 24, 2013 6:49 pm

So we choose the code and then what? I'm still a bit confused about some parts of the script, mostly the ones with eax+30, as it is for Far Cry 3 and I can't find this game's equivalent.
mgr.inz.Player
Posted: Sun Nov 24, 2013 7:01 pm

Look at your screenshots from this page (too bad you didn't resize the column properly). These are the most frequent opcodes (from what I see on that incomplete image):

516CFC - 348 hits
FAE1A2 - 342 hits
121AB4D - 342 hits
64EED3 - 345 hits
154B52F - 341 hits



Just pick one, for example 516CFC, bring up the CE window, press Ctrl+M, press Ctrl+G, type in 516CFC (or whatever you chose), click OK, press Ctrl+A,

click "Template" and choose AOB injection, press the OK button, leave the default values, just keep going. Copy and paste the script here.

kik4444
Posted: Sun Nov 24, 2013 7:06 pm

Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

originalcode:
movaps xmm3,[eax+30]
movaps xmm4,[edi+60]

exit:
jmp returnhere

"AC4BFSP.exe"+116CFC:
jmp newmem
nop
nop
nop
returnhere:


 
 
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"AC4BFSP.exe"+116CFC:
movaps xmm3,[eax+30]
movaps xmm4,[edi+60]
//Alt: db 0F 28 58 30 0F 28 67 60
mgr.inz.Player
Posted: Sun Nov 24, 2013 7:10 pm

You are using CE 6.3, why didn't you click "AOB injection" as I wrote?
(yes, it does almost the same thing, but it adds a few other pieces of information too)

kik4444
Posted: Sun Nov 24, 2013 7:11 pm

I didn't have AOB injection as an option -


[Attachment: no aob injection option.png]
mgr.inz.Player
Posted: Sun Nov 24, 2013 7:15 pm

Ohh, my mistake. I forgot it is only in CE6.4beta. Sorry.

Anyway, looks good, we can try to create a teleport. We'll do something similar to the FarCry3 script, the script I posted before.

In FC3 it is mov edx,[eax+30]
in AC4 it is movaps xmm3,[eax+30]

So, pretty similar.

EDIT

script:
Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(exit)
label(PlayerCoord)
label(save_coord)
label(load_coord)
label(s_enable)
label(l_enable)
registersymbol(s_enable)
registersymbol(l_enable)

newmem:
  cmp [s_enable],1
  je save_coord
  cmp [l_enable],1
  je load_coord
jmp exit

save_coord:
  mov [s_enable],0
  movaps xmm3,[eax+30]
  movups [PlayerCoord],xmm3
  jmp exit

load_coord:
  mov [l_enable],0
  cmp [PlayerCoord],0
  je exit
  movups xmm3,[PlayerCoord]
  movaps [eax+30],xmm3


exit:
  movaps xmm3,[eax+30]
  movaps xmm4,[edi+60]
jmp returnhere

PlayerCoord:
dd 0
dd 0
dd 0
dd 0

s_enable:
dd 0
l_enable:
dd 0


"AC4BFSP.exe"+116CFC:
jmp newmem
nop
nop
nop
returnhere:

[DISABLE]
dealloc(newmem)
"AC4BFSP.exe"+116CFC:
//movaps xmm3,[eax+30]
//movaps xmm4,[edi+60]
db 0F 28 58 30 0F 28 67 60



Below is a CT file you can try.

Open table, attach to game, activate script, then

CTRL+NUM 1 - save position
CTRL+NUM 0 - load position



[Attachment: AC4BFSP.CT, 2.59 KB, downloaded 946 times]
Last edited by mgr.inz.Player on Sun Nov 24, 2013 7:54 pm; edited 2 times in total
kik4444
Posted: Sun Nov 24, 2013 7:49 pm

THX, the script is much shorter than the initial one, but now that I've got a working teleport script in CT format, I'll definitely be able to learn how to finally do teleport scripts. +rep for you! Also, what do I do with the script if the value isn't with MOVAPS? Also, do you mind explaining the full word of MOVAPS & MOVUPS?
mgr.inz.Player
Posted: Sun Nov 24, 2013 7:53 pm

movaps xmm3,[eax+30] - means: move aligned packed single (float) values from [EAX+30] to xmm3.

packed single means: four single (float) values. So we can move all three coordinates into an xmmX register. The fourth value usually is 00000000.

movups - means: move unaligned packed single (float) values; it does exactly the same thing as above.


With movaps, if the memory operand is not aligned on a 16-byte boundary, you will get an "Exception".

http://www.rz.uni-karlsruhe.de/rz/docs/VTune/reference/vc181.htm
http://www.rz.uni-karlsruhe.de/rz/docs/VTune/reference/vc206.htm


"For example where did you get xmm4 and edi+60?"
first instruction
movaps xmm3,[eax+30] is 4 bytes of code (0F 28 58 30)
second instruction
movaps xmm4,[edi+60] is 4 bytes of code too (0F 28 67 60)

Code injection = we have to jump to a new location, do our things, then return.

The jmp instruction takes 5 bytes, which is longer than the first instruction; this is why we have to move the second instruction too.

8 - 5 = 3, this is why you see three NOPs just after jmp newmem.

This piece of the script overwrites the original instruction (this is our jump, this is where we inject our code):
Code:
"AC4BFSP.exe"+116CFC:
jmp newmem
nop
nop
nop
returnhere:



Everything between newmem and jmp returnhere is our newly allocated memory, the "allocated memory section"; we can do whatever we want there: place new instructions, save data, call other functions, etc.

PlayerCoord , s_enable and l_enable at the end still belong to "allocated memory" section.






"Also I've noticed you removed the original code "
this
Code:
movaps xmm3,[eax+30]
movaps xmm4,[edi+60]


is equal to
Code:
db 0F 28 58 30 0F 28 67 60

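As an added worked example (not code from the thread or from Cheat Engine), the following Python decodes the two MOVAPS encodings quoted above from the script's own db bytes and carries through the 5-byte-jmp arithmetic the post describes; the function names are mine, and only the one encoding form the thread uses is handled.

```python
# Added example, not from the thread: decode the quoted MOVAPS bytes and
# work out how many original bytes a 5-byte jmp hook must relocate.
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_movaps_load(code: bytes, off: int = 0):
    """Decode 'movaps xmmN,[reg32+disp8]' (opcode 0F 28 /r, mod=01) at code[off].
    Only this encoding form, the one the thread shows, is handled.
    Returns (text in CE syntax, instruction length in bytes)."""
    if code[off:off + 2] != b"\x0f\x28":
        raise ValueError("not a MOVAPS load (expected opcode 0F 28)")
    modrm = code[off + 2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 1 or rm == 4:  # rm=4 would need a SIB byte; not handled here
        raise ValueError("only [reg32+disp8] without SIB is handled")
    disp = struct.unpack_from("b", code, off + 3)[0]  # signed 8-bit displacement
    sign = "+" if disp >= 0 else "-"
    return f"movaps xmm{reg},[{REG32[rm]}{sign}{abs(disp):X}]", 4


def injection_plan(original: bytes, jmp_len: int = 5):
    """Decode instructions at the patch site until at least jmp_len bytes are
    covered (a 5-byte 'jmp rel32' does not fit in one 4-byte instruction), then
    report the NOP padding. This is the post's '8 - 5 = 3'."""
    stolen, off = [], 0
    while off < jmp_len:
        text, n = decode_movaps_load(original, off)
        stolen.append(text)
        off += n
    return {"stolen": stolen, "stolen_bytes": off, "nops": off - jmp_len}


def is_aligned16(address: int) -> bool:
    """MOVAPS faults unless its memory operand is 16-byte aligned; MOVUPS does not."""
    return address % 16 == 0


# Constructed from the bytes quoted in the script: db 0F 28 58 30 0F 28 67 60
ORIGINAL_BYTES = bytes.fromhex("0F2858300F286760")

if __name__ == "__main__":
    plan = injection_plan(ORIGINAL_BYTES)
    for text in plan["stolen"]:
        print(text)
    print(f"relocate {plan['stolen_bytes']} bytes, pad with {plan['nops']} nops")
```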
kik4444
Posted: Sun Nov 24, 2013 7:57 pm

So what if the code doesn't use MOVAPS and just uses MOV like in far cry 3?
mgr.inz.Player
Posted: Sun Nov 24, 2013 8:12 pm

You need more knowledge. Gain it by reading tutorials (they are buried on the Cheat Engine Forum) and doing simple cheats.

If you need more information about a specific asm instruction, use this link (bookmark it):
movaps

For example, you want to read about FMUL:
FMUL


Instructions starting with "F" usually are coprocessor instructions; they work slightly differently. You cannot just NOP them, look here http://forum.cheatengine.org/viewtopic.php?t=566568

Many people still make mistakes (even educated ones).

kik4444
Posted: Mon Nov 25, 2013 7:32 am

Sorry to bump this topic up again, but do you know a different method to search for the address for coordinates? 'Cause selecting half and changing them always has an 80%+ chance of crashing the game. Out of 6 tries today, the game crashed on each one.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Mon Nov 25, 2013 3:56 pm

Once you find the address that you need, perform a pointer scan on it. If you do not know how to do this, learn it...it is critical.

Other than that, if you have the instruction, use that to find the address. If you are searching from scratch, there are things that can be done to eliminate bad addresses:

1. Limit your search range if you know whereabouts the address usually occurs (i.e. addresses such as 0001F224 are usually too low, and addresses such as 77F31D22 are usually too high). Once you have found a few addresses for other cheats that you have made, you may even be able to significantly limit your search range (e.g. only addresses between 01000000 - 03000000).

2. Pay attention to values that change when they shouldn't (e.g. when you pause the game). In the case of coordinate values, your X coordinate value should not change if you do not move your character, but your Y coordinate value may still change when your character breathes.

3. Limit your data type (e.g. coordinate values are typically stored as float, so searching for other data types and including them in your list is generally not required or recommended).

4. Only choose addresses that have values that make sense (i.e. don't add an address to your table if you see an oddball number - use common sense). Float values can be negative, but coordinate values are typically between -2000.0 and +2000.0, and when you move your character, you can usually tell by how much the value changes, if it makes sense or not.

5. Instead of changing the values for filtering/testing purposes, try freezing them (and vice versa).

6. When changing/freezing values, don't select too many at a time if the game keeps crashing. Try 10 addresses at a time (or less, if needed). Also, take note of where, in the list of addresses, the crashing occurs (i.e. if the crashing occurs near the start of the list, try starting at the end of the list next time etc.).

The best thing you can do is immediately perform a pointer scan on the address once you find it...that way, even if the game crashes when you try attaching the debugger (to find the instruction), you'll automatically have the address (or pointer list) and you won't have to find the address over and over again.
kik4444
Posted: Mon Nov 25, 2013 4:01 pm

Actually I tried doing a pointer scan once I found the address for money like this:
-right-click and select pointer scan
-select "find address" and wait to finish
-exit to menu and back in again, after which I find the address again
-2nd pointer scan searching for the new address
-I got 0 pointers
Page 2 of 3
All times are GMT - 6 Hours