Teleglitch and Mystery Base Addresses
raelharris
Newbie cheater
Reputation: 0

Joined: 04 Feb 2014
Posts: 11

Posted: Tue Feb 04, 2014 1:15 am    Post subject: Teleglitch and Mystery Base Addresses

Hi guys, I have noticed something odd about using pointers in Teleglitch,

When I hack this game and try to find base addresses and use pointers to make my codes permanent, I had problems closing the program and entering it again because it interferes with the memory locations of where certain values are held. I thought that pointers are supposed to fix this issue. So now while I can now save my "cheats" to use later, sometimes they will stop working on a value like health etc right in the middle of the game.

And to my second question, I have noticed something really interesting: Teleglitch: Die More Edition seems to reference the exact same base address (found using pointers) for every single ammo type! When you add a new address for what you think will be a new weapon's ammo, it "unlinks" itself from the old weapon ammo and only alters the values of the new weapon ammo. None of these pointers save properly either it would seem. I have no idea why it does this and whether or not I'm doing something wrong.

Can anyone perhaps give some pointers on pointers?
raelharris
Newbie cheater
Reputation: 0

Joined: 04 Feb 2014
Posts: 11

Posted: Tue Feb 04, 2014 8:32 pm

Bump
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Wed Feb 05, 2014 12:25 am

If pointers aren't working, use injection.
raelharris
Newbie cheater
Reputation: 0

Joined: 04 Feb 2014
Posts: 11

Posted: Wed Feb 05, 2014 1:59 am

What is injection?
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Wed Feb 05, 2014 2:27 am    Post subject: Re: Teleglitch and Mystery Base Addresses

raelharris wrote:
So now while I can now save my "cheats" to use later, sometimes they will stop working on a value like health etc right in the middle of the game.
It means your pointer is unstable, it's the number 1 common issue with pointers. Solution: just try another.

raelharris wrote:
I have noticed something really interesting: Teleglitch: Die More Edition seems to reference the exact same base address (found using pointers) for every single ammo type!
Just to make sure we're speaking about the same thing: when you edit a pointer, the base address is the one at the bottom, usually in the "game.exe+123456" format.
Having the same base address for all ammo is normal, actually it's abnormal/suspicious if they are different (but there are lots of different ways to code a game...).

raelharris wrote:
When you add a new address for what you think will be a new weapon's ammo, it "unlinks" itself from the old weapon ammo and only alters the values of the new weapon ammo. [...] I have no idea why it does this and whether or not I'm doing something wrong.
It means you have found a pointer to the ammo for the gun currently in your hand, instead of a pointer to the ammo for gun 1/2/3...
Finding an ammo pointer for whatever gun you hold is usually harder (due to deeper pointer level) than just finding a pointer to pistol/smg/sniper/explosive ammo, but it's a rather good thing if it matches your needs.

raelharris wrote:
Can anyone perhaps give some pointers on pointers?
Use the pointerscanner (right click on your cheat entry->pointerscan for this address) instead of the method described in the tutorial. Even after several rescans you'll still have plenty of pointers to choose from.
_________________
DO NOT PM me if you want help on making/fixing/using a hack.
raelharris
Newbie cheater
Reputation: 0

Joined: 04 Feb 2014
Posts: 11

Posted: Wed Feb 05, 2014 11:33 pm    Post subject: Reply to Gniarf

Hi Gniarf,

Thanks for your detailed answer. I have some responses to the things you mentioned below. Sorry that my images are attachments. The forum won't let me paste URLs.

Quote:
It means your pointer is unstable, it's the number 1 common issue with pointers. Solution: just try another.


I always thought that you could only have one pointer. In this instance I think I only have one choice because my searches always filter down to a single value.

See "Only one pointer or address" attached.

Quote:
Just to make sure we're speaking about the same thing: when you edit a pointer, the base address is the one at the bottom, usually in the "game.exe+123456" format.
Having the same base address for all ammo is normal, actually it's abnormal/suspicious if they are different (but there are lots of different ways to code a game...).


So this is what I do: I find the base address using the "Find what writes to this address" feature. I go through the steps I have seen in tutorials and I add my offset etc. I never see anything with a ".exe" in it. Could I be doing something wrong? I do see ">>00088321 - mov [edx+000000FC],ecx" (see my next image and do forgive me if I am being stupid. I'm still not 100% sure of which of these things is the pointer).

See "Adding base addresses" attached.

Quote:
It means you have found a pointer to the ammo for the gun currently in your hand, instead of a pointer to the ammo for gun 1/2/3...
Finding an ammo pointer for whatever gun you hold is usually harder (due to deeper pointer level) than just finding a pointer to pistol/smg/sniper/explosive ammo, but it's a rather good thing if it matches your needs.


Could I fix this by doing the search while the weapon is out of my hands? That way it won't find the ammo value displayed in the game's HUD?

Quote:
Use the pointerscanner (right click on your cheat entry->pointerscan for this address) instead of the method described in the tutorial. Even after several rescans you'll still have plenty of pointers to choose from.


I suppose I should find a tutorial on this because the results I got from the pointer scan make no sense to me. But I found "teleglitch.exe"+0011B36C! That's new and looks similar to what you mentioned above.

See "Pointer scan" attached.

I hope to hear from you soon!



[Attachment: Pointer scan.PNG]
[Attachment: Adding base addresses.PNG]
[Attachment: Only one pointer or address.PNG]


Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Thu Feb 06, 2014 12:31 am    Post subject: Re: Reply to Gniarf

raelharris wrote:
I always thought that you could only have one pointer. In this instance I think I only have one choice because my searches always filter down to a single value.

See "Only one pointer or address" attached.
There is only one New York city (place that holds your ammo) but many signs (pointers) pointing to it. Look at your Pointer scan.png: it's written pointercount:23586495 that's... a lot of pointers.

Let's take an example in an FPS: the game needs a pointer to the list of entities (players and enemies) in the game, and a list is just a collection of pointers in any decently coded game. So you have a game base->list->player (and his health) pointer.
On the other hand the game also needs a pointer to the HUD, which must know where the player's health is to display it. So you also have a game base->hud->player pointer.

It's just one example based on one way to code an FPS, but my point is: there may be several pointers to your data, it's normal.

raelharris wrote:
So this is what I do: I find the base address using the "Find what writes to this address" feature. I go through the steps I have seen in tutorials and I add my offset etc. I never see anything with a ".exe" in it. Could I be doing something wrong?
Yep you're doing something wrong... like wasting your time. Addresses like game.exe+123 or library.dll+456 are called static addresses and are displayed in green in the result window. Unless your pointer has a static base it won't work when you restart the game (or it's an accident).
Those accidents may happen often on Windows XP since this OS doesn't use ASLR (address space layout randomization).

raelharris wrote:
Quote:
It means you have found a pointer to the ammo for the gun currently in your hand, instead of a pointer to the ammo for gun 1/2/3...
Finding an ammo pointer for whatever gun you hold is usually harder (due to deeper pointer level) than just finding a pointer to pistol/smg/sniper/explosive ammo, but it's a rather good thing if it matches your needs.


Could I fix this by doing the search while the weapon is out of my hands?
Yes, exactly. I recommend doing the pointerscanner's "rescans" instead of searches though.

raelharris wrote:
I suppose I should find a tutorial on [the pointerscanner] because the results I got from the pointer scan make no sense to me.
Yeah you should, really, forum search button is here for that.
'Ma, just double click on one result to add it to your cheat table, from there you should be on known grounds.

AltairPL
Newbie cheater
Reputation: 2

Joined: 25 Jan 2014
Posts: 24

Posted: Thu Feb 06, 2014 12:47 am

In your case 03E9D314 is the current value address - if changing it in CE changes the value in game, it's good.
What you get from Find out what writes to this address is the info that FC is probably the last offset of the pointer, which can speed up the search for a pointer.
If you have the value address entry in the list, right-click on it and select Pointer scan for this address. The option Stop traversing... can decrease the number of found pointers and in most cases should be sufficient. Since you know that FC is most likely the offset, click on Pointers must end with specific offsets and type FC in the field.
When the scan is done, do something like changing area, restarting the game or even Steam. When you're back in game you have two options:
- find the current value address and do a pointer rescan using the new address or
- do a pointer rescan using the current value
To do a pointer rescan, select Pointer Scanner -> Rescan memory in the pointer scan window, select Address/Value to find, enter the address/value (respectively) in the field and hit OK.
Do this a few times and the list of possible pointers should decrease considerably - with luck, to a single one, but that doesn't mean that only one pointer is valid. Most likely, valid pointers will have a base address like "teleglitch.exe"+ but that depends on the game.
If you add a pointer to the address list, its address will be displayed as P->03E9D314 and should always point to the address where the value is stored. If you double-click on this address you will see a window similar to the Add address window from your Adding base addresses.PNG. 2 represents the base pointer address, positions below 3, like FC in your screenshot, are offsets. Close this window without changing anything and you should be good to go.

Have fun!
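The static-base point and the rescan procedure from the two posts above, as a toy model added here (not code from any poster or from Cheat Engine). The memory layout, the module offsets and all function names are constructed; only the FC offset comes from the thread.

```python
# Toy model of a 32-bit process, constructed for illustration: the layout and
# every offset except FC (quoted in the thread) are made up.
PLAYER_AMMO = 0xFC      # from the thread: mov [edx+000000FC],ecx
G_ENTITIES = 0x1000     # hypothetical static global -> entity list
G_HUD = 0x2000          # hypothetical static global -> HUD object

def launch(run):
    """Return (memory, module_base, ammo_address) for one start of the game.

    memory maps address -> 32-bit value. The module base and the heap
    objects land somewhere else on each run (a stand-in for ASLR and
    allocator behaviour); offsets inside the module and structures do not.
    """
    base = 0x00400000 + run * 0x10000
    heap = 0x02000000 + run * 0x3000
    entities, hud, player = heap, heap + 0x1000, heap + 0x2000
    memory = {
        base + G_ENTITIES: entities,   # game base -> list
        entities + 0x0: player,        # list -> player
        base + G_HUD: hud,             # game base -> hud
        hud + 0x18: player,            # hud -> player
        player + PLAYER_AMMO: 30,      # the value being tracked
    }
    return memory, base, player + PLAYER_AMMO

def resolve(memory, start, offsets):
    """Read the pointer at start, then add an offset and read again for each
    offset but the last; the last offset is added without a read."""
    addr = memory.get(start)
    for off in offsets[:-1]:
        if addr is None:
            return None
        addr = memory.get(addr + off)
    return None if addr is None else addr + offsets[-1]

def first_scan(memory, base):
    """Candidates as (static, start, offsets); static starts are module-relative."""
    hud = memory[base + G_HUD]
    return [
        (True, G_ENTITIES, (0x0, PLAYER_AMMO)),   # module+1000 -> +0 -> +FC
        (True, G_HUD, (0x18, PLAYER_AMMO)),       # module+2000 -> +18 -> +FC
        (False, hud + 0x18, (PLAYER_AMMO,)),      # absolute heap address -> +FC
    ]

def rescan(candidates, memory, base, target):
    """Keep the candidates that resolve to target in the current run."""
    kept = []
    for static, start, offsets in candidates:
        first = base + start if static else start
        if resolve(memory, first, offsets) == target:
            kept.append((static, start, offsets))
    return kept

if __name__ == "__main__":
    mem1, base1, ammo1 = launch(1)
    found = first_scan(mem1, base1)
    print("run 1:", len(rescan(found, mem1, base1, ammo1)), "paths reach", hex(ammo1))
    mem2, base2, ammo2 = launch(2)
    for static, start, offsets in rescan(found, mem2, base2, ammo2):
        print("run 2 survivor: module+%X" % start, [hex(o) for o in offsets])
```

All three paths reach the value in the first run; after a restart only the two that start at a module-relative address still do, and the one recorded as an absolute heap address reads nothing.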
raelharris
Newbie cheater
Reputation: 0

Joined: 04 Feb 2014
Posts: 11

Posted: Thu Feb 06, 2014 10:37 am

Thank you Gniarf and AltairPL for your awesome responses!

I looked up some tutorials on pointer scanning last night and I am trying it out. I did not know that I could use the "Pointers must end with specific offsets" option to speed things up.

Right now I am at work so I'm unable to test it till this evening, but I cannot wait to give it all a try and let you know how it goes!
raelharris
Newbie cheater
Reputation: 0

Joined: 04 Feb 2014
Posts: 11

Posted: Thu Feb 06, 2014 10:18 pm

Good news! Following your advice and reading the "Pointer Information" tutorial by inuyasha0011, I managed to find my first base value! It seems stable and it works every time I load the game. (It is infinite health for Teleglitch.)

Ammo still seems to stump me though. When I search for it I always get 3 addresses. The strange thing is that they are all the same address but are of different value types. How can a single address be both 1 byte, 2 bytes and 3 bytes at once? Also when I run a pointer scan for these and filter using offset FC (which I got by checking what writes to the address) as AltairPL suggested, I ultimately end up with 0 results. (I have attached images detailing my process for anyone who wants to try and help me work out what I'm doing wrong.)

(If anyone wants my infinite health base address and my pointer scan files please let me know how I can send them to you.)



[Attachment: 3 values for 1 address.PNG] I ran my first few scans for ammo using all value types to get this.
[Attachment: offset.PNG] Then I attempted to find the offset.
[Attachment: 1st Pointer Scan.PNG] I then ran the pointer scan for the first time. I landed up with loads of values!
[Attachment: 2nd Pointer Scan.PNG] After that I restarted Teleglitch and scanned for a new address pointing to ammo so that I could filter my pointer scan results. My results filtered significantly.
[Attachment: 3rd Pointer Scan.PNG] And then I did it again. However, this time all my values got filtered out and I was left with nothing.


Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Thu Feb 06, 2014 11:03 pm

raelharris wrote:
Ammo still seems to stump me though. When I search for it I always get 3 addresses. The strange thing is that they are all the same address but are of different value types. How can a single address be both 1 byte, 2 bytes and 3 bytes at once?
It's due to how integers are stored in RAM:
8 as an 8 byte integer is stored as 08 00 00 00 00 00 00 00
8 as a 4 byte integer is stored as 08 00 00 00
8 as a 2 byte integer is stored as 08 00
8 as a 1 byte integer is stored as 08
In all cases nothing prevents you from reading only the first byte and saying it's a 1 byte int. But if the following 2 bytes are also zero then the address also matches the patterns of a 2 or 4 byte integer.
Since the code that writes to it is mov [***],ecx, your variable is actually a 4 byte int.

raelharris wrote:
Also when I run a pointer scan for these and filter using offset FC (which I got by checking what writes to the address) as AltairPL suggested, I ultimately end up with 0 results.
There are 4 possible causes:
1-FC may not be your "true" offset, there may be an addition earlier in the code. Since you have found a lot of semi-working pointers that ended with FC, I don't think this is the case.
2-Pointers may be longer than the max level you chose. Try increasing max level.
3-One (or several) offset(s) in your pointer may be bigger than the max offset you chose (2048). Try increasing max offset value.
4-One offset in your pointer may be variable (like mov eax,[ebx+ecx*4+10] where the offset depends on ecx). For now we'll assume/pray it's not the case.

Increasing level/max offset are the first things to try when you end up with 0 results. Beware that it dramatically increases scan times and required HDD space so don't put insane values.

When you were manually finding your pointers, did you ever stumble on an instruction that had a "something*4" between brackets? Did you see an offset bigger than 0x800?

EDIT: paste that in cheat engine's main menu and activate it:
(quote post and copy from there, otherwise the forum/browser will add spaces where it shouldn't)
Code:
<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
  <CheatEntries>
    <CheatEntry>
      <ID>0</ID>
      <Description>"Ammo?"</Description>
      <LastState Activated="0"/>
      <Color>80000008</Color>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>[enable]
aobscan(AmmoPatch,83 E9 01 8B 55 EC 89 ** FC 00 00 00 8B 45 EC 8B 88 34 01 00 00)
registersymbol(AmmoPatch)


AmmoPatch+6:
mov dword [edx+FC],esp

[disable]
unregistersymbol(AmmoPatch)

AmmoPatch+6:
mov dword [edx+FC],ecx
</AssemblerScript>
    </CheatEntry>
  </CheatEntries>
</CheatTable>


If it works remember that sometimes pointers may not be the easiest approach.
If it doesn't work, ah, well, that was a wild gamble anyway.

raelharris
Newbie cheater
Reputation: 0

Joined: 04 Feb 2014
Posts: 11

Posted: Thu Feb 06, 2014 11:50 pm

Hi Gniarf,

I am trying the pointer scan again.

I doubled the max offset and max level values. I have 3TB HDD space so I think it should be fine... I hope.

Thank you for the lesson on understanding how bytes are written. I'm not sure I understand how the e in ecx tells you that it's 4 bytes though.

As for your question about the multiplied variable *4, I never saw anything like that. However I only pay attention to the line highlighted in red when looking at what writes to my scanned addresses. Should I be looking elsewhere? I do not see anything bigger than 0x800, I think... (Is that the same as writing 00 00 08 00? As in... 2048 when converted to decimal?... Hang on... That is the same number as what my max offset was! Is there a link?)



[Attachment: What I see.PNG] I do not see *4 or 0x800 anywhere.


Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Fri Feb 07, 2014 12:17 am

raelharris wrote:
Thank you for the lesson on understanding how bytes are written. I'm not sure I understand how the e in ecx tells you that it's 4 bytes though.
In x86 assembly programming you have things called registers: like al, ah, ax, eax, cl, ch, cx, ecx...
al,cl,ah, and ch are 8 bit registers so any mov [***], cl writes 8 bits = 1 byte.
ax and cx are 16 bit registers so any mov [***], cx writes 16 bits = 2 bytes.
eax and ecx are 32 bit registers so any mov [***], ecx writes 32 bits = 4 bytes.

Since having a single instruction write several variables at once is something done in select specific cases (not yours) I deduced your variable takes 4 bytes.

raelharris wrote:
As for your question about the multiplied variable *4, I never saw anything like that. However I only pay attention to the line highlighted in red when looking at what writes to my scanned addresses. Should I be looking elsewhere?
No. My question was only about the lines in red.

raelharris wrote:
I do not see anything bigger than 0x800, I think... (Is that the same as writing 00 00 08 00?
No, it's the same as 00 08 00 00. Note: 0x12345678 is written 78 56 34 12 in RAM.
raelharris wrote:
As in... 2048 when converted to decimal?
Yes.
raelharris wrote:
That is the same number as what my max offset was! Is there a link?
Yes. If you had seen an offset bigger than your max offset I'd have told you to increase your structure size past it.
Note: If you know that your pointer ends in ]+0x9999]+0xFC AND you specify the pointers must end with offsets 9999 | FC, then you do NOT need to increase structure size past 0x9999.

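Gniarf's two explanations above (why one address shows up under several value types, and how the register in the writing instruction settles the size), as an example added here and not taken from the thread. The memory snapshot and function names are constructed; the instruction string is the one quoted earlier in the thread.

```python
import struct

# Little-endian unsigned formats by width in bytes (x86 byte order).
FORMATS = {1: "<B", 2: "<H", 4: "<I", 8: "<Q"}
# Register name -> bytes written by "mov [mem],reg" (registers named in the thread).
REG_BYTES = {"al": 1, "cl": 1, "ah": 1, "ch": 1,
             "ax": 2, "cx": 2, "eax": 4, "ecx": 4}

# Constructed snapshot: filler, then ammo = 8 stored as a 4-byte int, then a
# neighbouring 4-byte field holding 42, then zero padding.
SNAPSHOT = bytes.fromhex("ffffffff 08000000 2a000000 00000000")

def le_hex(value, width):
    """Bytes of value as they sit in RAM, lowest byte first."""
    return struct.pack(FORMATS[width], value).hex(" ")

def scan_all_types(mem, value):
    """Return {offset: [widths]} where reading `width` bytes at offset gives value."""
    hits = {}
    for off in range(len(mem)):
        for width, fmt in FORMATS.items():
            if off + width > len(mem):
                continue  # read would run past the end of the snapshot
            if struct.unpack_from(fmt, mem, off)[0] == value:
                hits.setdefault(off, []).append(width)
    return hits

def written_width(instruction):
    """Width of the store, taken from the source register of 'mov [..],reg'."""
    source = instruction.rsplit(",", 1)[1].strip().lower()
    return REG_BYTES[source]

def true_type(mem, value, instruction):
    """For each hit, keep the width that the writing instruction actually stores."""
    width = written_width(instruction)
    return {off: width
            for off, widths in scan_all_types(mem, value).items()
            if width in widths}

if __name__ == "__main__":
    print(scan_all_types(SNAPSHOT, 8))                        # one offset, three types
    print(true_type(SNAPSHOT, 8, "mov [edx+000000FC],ecx"))   # settled by ecx
    print(le_hex(0x12345678, 4), "|", le_hex(0x800, 4))
```

The 8-byte read does not match here only because the neighbouring field is non-zero; with zeros after the value, the same address would appear under that type as well.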
AltairPL
Newbie cheater
Reputation: 2

Joined: 25 Jan 2014
Posts: 24

Posted: Fri Feb 07, 2014 12:40 am

Quote:
I doubled the max offset and max level values. I have 3TB HDD space so I think it should be fine... I hope.

doubling max level is not a very good idea - even if you have enough disk space it can take a VERY long time
as i wrote FC is most likely offset, so if scan with FC offset didn't work, do a scan without it - will take more time, but can actually give results
Quote:
Thank you for the lesson on understanding how bytes are written. I'm not sure I understand how the e in ecx tells you that it's 4 bytes though.

read assembler tutorial section of CE help - you will know why

@Gniarf
out of curiosity, why did you use esp in your script? wouldn't it be better to nop sub ecx,01 instruction? not picking, just asking
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Fri Feb 07, 2014 1:03 am

AltairPL wrote:
out of curiosity, why did you use esp in your script? wouldn't it be better to nop sub ecx,01 instruction? not picking, just asking
It's a habit of mine, when I want to have a lot of something I overwrite with esp.
When doing health hacks esp is usually so big that it gives some protection against 1 hit kills.
When doing spare ammo hacks, well, take a situation where your clip can hold 30 bullets but so far you only have found 10 bullets for that gun. If you nop the subtraction you'll have to reload 3 times, but if you overwrite spare ammo with a random bigass number you don't have that problem.

That being said it seems the OP is doing a bottomless clip hack so nopping the sub should be enough, but I was like "Why bother? Let's do it as usual".

All times are GMT - 6 Hours
Page 1 of 2