Cheat Engine The Official Site of Cheat Engine
Varstal Newbie cheater
Reputation: 0
Joined: 14 Jun 2014 Posts: 20
Posted: Sat Jun 14, 2014 3:48 pm Post subject: Can't find base pointer or get an AOB script working
Hello,
So I'm able to locate the value for health, I'm able to change it, freeze it, and scan it, and I'm able to trace the pointers back about 5 levels. After that I get about 300 values and sooner or later the game crashes. I've tried creating an AOB script based on the value of the last address I can find, but that's not working. I've tried scanning at different levels but I always end at zero. Every game restart I have to find the value again, which isn't hard, but I'm wanting to really pursue this and learn. I must be overlooking something, so if anyone could point me in the right direction I'd appreciate it. Oh and I do have the offset values up to the address I'm able to trace to.
Here's a current look at what's happening:
HP address: 5C19EB14
The Following opcodes accessed...
5E0A564D - F3 0F10 40 24 - movss xmm0,[rax+24]
1F406B29 - F3 0F10 47 24 - movss xmm0,[rdi+24]
1F406C3F - F3 0F10 47 24 - movss xmm0,[rdi+24]
14DBC63E - F3 0F10 46 24 - movss xmm0,[rsi+24]
1F406C7C - F3 0F10 47 24 - movss xmm0,[rdi+24]
14DBC665 - F3 0F10 4E 24 - movss xmm1,[rsi+24]
14DBC6A4 - F3 44 0F11 7E 24 - movss [rsi+24],xmm15 (this is the one I used)
1F45907F - F3 0F10 40 24 - movss xmm0,[rax+24]
1F406DCA - F3 0F10 41 24 - movss xmm0,[rcx+24]
Which gave me the value of the pointer needed to find this address: probably 5C19EAF0
Searched that and came up with 5C2DE8B0 4 bytes 5C19EAF0
The Following opcodes accessed...
1F40655F - 48 8B 47 10 - mov rax,[rdi+10]
1F40663E - 48 8B 47 10 - mov rax,[rdi+10]
5E0A5643 - 48 8B 40 10 - mov rax,[rax+10]
1F46E1ED - 48 8B 40 10 - mov rax,[rax+10]
1F459174 - 48 8B 40 10 - mov rax,[rax+10]
1F40666A - 48 8B 47 10 - mov rax,[rdi+10](used this one)
7FEEAA86353 - 49 8B 36 - mov rsi,[r14]
which gave me the value of the pointer needed to find this address: probably 5C2DE8A0
Searched that and came up with 14C97320 4 bytes 5C2DE8A0
The following opcodes accessed...
5E0ACB0C - 48 8B 80 20030000 - mov rax,[rax+00000320]
5E0ACB6F - 48 8B 80 20030000 - mov rax,[rax+00000320]
5E0A563C - 48 8B 80 20030000 - mov rax,[rax+00000320]
1F47D98C - 48 8B 86 20030000 - mov rax,[rsi+00000320]
1F47D9AE - 48 8B 86 20030000 - mov rax,[rsi+00000320]
1F46E1E6 - 48 8B 87 20030000 - mov rax,[rdi+00000320]
1F457CD3 - 48 8B 80 20030000 - mov rax,[rax+00000320]
1F47DCD3 - 48 8B 80 20030000 - mov rax,[rax+00000320]
1F41A863 - 48 8B 80 20030000 - mov rax,[rax+00000320]
1F405C4E - 48 8B 86 20030000 - mov rax,[rsi+00000320]
1F45916D - 48 8B 87 20030000 - mov rax,[rdi+00000320]
1F45917A - 48 8B 87 20030000 - mov rax,[rdi+00000320]
1F41A79C - 48 8B 80 20030000 - mov rax,[rax+00000320]
1F41A7FC - 48 8B 80 20030000 - mov rax,[rax+00000320]
7FEEAA86507 - 49 8B 1E - mov rbx,[r14]
1F48D957 - 48 8B 8F 20030000 - mov rcx,[rdi+00000320](used this one)
1F46ED90 - 48 8B 87 20030000 - mov rax,[rdi+00000320]
which gave me the value of the pointer needed to find this address: 14C97000
And this gave me like 5k address results...not sure what to do here
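The trace above walks three levels: [base+320] holds a pointer, [that+10] holds another, and the health float sits at +24 in the last object. The following Python is an added example, not code from the thread or from Cheat Engine: it models that chain over a constructed memory snapshot, resolves it with the thread's offsets, and raises instead of crashing when a link points at unmapped memory (the "??" case mentioned later in the thread). The base address and the object addresses are assumptions; only the offsets and the session-1 addresses come from the post.

```python
import struct

# Offsets traced in the first post: [base+320] -> [ptr+10] -> health at ptr+24.
OFFSETS = [0x320, 0x10, 0x24]

class Unreadable(Exception):
    """Raised instead of crashing when a link of the chain points at unmapped memory."""

class Memory:
    """Sparse little-endian memory snapshot, constructed for this example."""
    def __init__(self):
        self.cells = {}
    def _write(self, addr, raw):
        for i, b in enumerate(raw):
            self.cells[addr + i] = b
    def write_u64(self, addr, value):
        self._write(addr, struct.pack("<Q", value))
    def write_f32(self, addr, value):
        self._write(addr, struct.pack("<f", value))
    def read(self, addr, size):
        try:
            return bytes(self.cells[addr + i] for i in range(size))
        except KeyError:
            raise Unreadable(f"unmapped address {addr:#x}") from None
    def read_u64(self, addr):
        return struct.unpack("<Q", self.read(addr, 8))[0]
    def read_f32(self, addr):
        return struct.unpack("<f", self.read(addr, 4))[0]

def resolve_chain(mem, base, offsets):
    """Dereference [addr+off] for every offset except the last, which is only added."""
    addr = base
    for off in offsets[:-1]:
        addr = mem.read_u64(addr + off)
        if addr == 0:
            raise Unreadable("null pointer in chain (the '??' entry in a pointer tree)")
    return addr + offsets[-1]

def build_snapshot(base, obj_a, obj_b, hp):
    """Lay out the three-level structure the thread traced; all addresses are constructed."""
    mem = Memory()
    mem.write_u64(base + 0x320, obj_a)   # [base+320] -> first object
    mem.write_u64(obj_a + 0x10, obj_b)   # [obj_a+10] -> object holding health
    mem.write_f32(obj_b + 0x24, hp)      # health float at +24
    return mem
```

With the thread's session-1 addresses, `resolve_chain(build_snapshot(0x14C97000, 0x5C2DE8A0, 0x5C19EAF0, 87.5), 0x14C97000, OFFSETS)` returns 0x5C19EB14, the HP address in the post; rebuilding the snapshot with different object addresses but the same base still resolves correctly, which is why the chain only survives a restart if its base is static.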
++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Sat Jun 14, 2014 5:31 pm Post subject:
Write a script. Inject your code at an instruction that accesses your health address, but does not access any other addresses.
If you really want to use pointers, use the pointer scanner.
Varstal Newbie cheater
Reputation: 0
Joined: 14 Jun 2014 Posts: 20
Posted: Sat Jun 14, 2014 5:59 pm Post subject:
Sorry for being a beginner at this, but could you elaborate a little more on this? I'm guessing I can use one of the other pointers I've found, but these pointers have been dynamic and I'm not sure how to go about it. Thank you for responding though, I appreciate it!
++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Sat Jun 14, 2014 9:07 pm Post subject:
To see which instructions access your health address...
Right-click on the health address in your cheat table (can be a pointer address...doesn't matter as long as it's currently the correct address) and select 'find out what accesses...'.
To see if the instructions access any other addresses...
Right-click on an empty area in the debugger window that just popped up and select 'see if found opcodes access...'. Return to the game and attack an enemy player. If you see any instructions in the debugger window that still have a (1) next to them, you can probably use that.
If you've found one, right-click on an empty space in the debugger window again and deselect 'check if found opcodes...'. Click stop on the debugger window. Highlight the instruction that you want to use and click on 'Show disassembler'.
In memory viewer, with the instruction highlighted, click on tools, then Auto Assemble. In the Auto Assemble window, click on Template, then Cheat table framework code. Click on Template again, then click on Code Injection.
In your script, change the original code to add whatever health value you want in to [rsi+24] (or whatever). So, it may look something like this:
Code:
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
originalcode:
mov [rsi+24],(float)100.0
Varstal Newbie cheater
Reputation: 0
Joined: 14 Jun 2014 Posts: 20
Posted: Sat Jun 14, 2014 9:44 pm Post subject:
Ok, I understand that part now, but when I click 'check if opcodes are accessed elsewhere', these are the addresses that pull up:
(8)648DB81D - F3 0F10 40 24 - movss xmm0,[rax+24]
(8)6586E2E9 - F3 0F10 47 24 - movss xmm0,[rdi+24]
(8)6586E430 - F3 0F10 47 24 - movss xmm0,[rdi+24]
(8)0456AC3E - F3 0F10 46 24 - movss xmm0,[rsi+24]
(8)6586E46D - F3 0F10 47 24 - movss xmm0,[rdi+24]
(4)0456AC65 - F3 0F10 4E 24 - movss xmm1,[rsi+24]
(4)0456ACA4 - F3 44 0F11 7E 24 - movss [rsi+24],xmm15
(4)658B65AF - F3 0F10 40 24 - movss xmm0,[rax+24]
The ones with 8 pull up close to 20 or so addresses when I look at the addresses they have changed, but the one with 4 pulls up 2 addresses. So how do I use data/structure to filter out the address I do not want? Also, the bottom 3 only happen upon damage.
++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Sat Jun 14, 2014 10:26 pm Post subject:
It is best to not use the bottom three. Instead, use an instruction that accesses your health address several times per second.
To learn about data structure dissection, refer to the Cheat Engine tutorial and see Geri's guide.
You can also check the registers for hero health and compare those against enemies.
Varstal Newbie cheater
Reputation: 0
Joined: 14 Jun 2014 Posts: 20
Posted: Sun Jun 15, 2014 11:52 am Post subject:
Alright,
So I found a point where the other addresses add up but not my health, so I was going to do a cmp and a je to filter out the other addresses. The issue is that under offset I had to click down a couple of pointers, so I'm not sure what that would look like. Here's a picture of the data structure:
[attached image: data structure screenshot]
Sohail__Saha Advanced Cheater
Reputation: 0
Joined: 21 May 2014 Posts: 82 Location: India
Posted: Sun Jun 15, 2014 12:11 pm Post subject:
I understand how it feels to be a beginner.
At first, find the address of the health value (usually float). Then, add it to the cheat table. Right-click on it and select the option "What writes to it" (this is because there may be hundreds of opcodes accessing the current health address, but there are only a few addresses that write to the health address).
Then, go in game, get hurt, and come back to Cheat Engine. You will see some opcodes. Pick any one (LUCK) and click on "Show in Disassembler". Then, press Ctrl+A and go to the Templates menu. At first, click on the last option. Then, again go to the Templates menu and click on the first option. You will get a script. For example:
Code:
movss [rsi+24],xmm15
Under newmem, write this code:
Code:
mov [rsi+24],(float)100.0
Then, assign it to the cheat table.
In the cheat table, you will see your script. Click on the box on the left side of it (freeze box) to enable it. Then, go in game, get hurt, and you will see that you are immortal.
I hope this works for you...
_________________
Don't underestimate the power of a common code.
Varstal Newbie cheater
Reputation: 0
Joined: 14 Jun 2014 Posts: 20
Posted: Sun Jun 15, 2014 12:27 pm Post subject:
Tried that; it didn't crash the program but it was not altering my health, and I'm sure I have the health bar because when I manually alter it, it changes.
++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Sun Jun 15, 2014 2:21 pm Post subject:
Varstal-
17EB2000 - Is this address correct? If so, I would choose a different instruction. If you view a given instruction in memory viewer, you can right-click on it to see which addresses it accesses. A new window will pop up and you will be able to see the value of all of those addresses. In the case of health, you will want to change the data type so that they are all displayed as float type. In the list, you will be able to see if there are any oddball (non-health) values. If you see any that don't look like health values, try to use a different instruction. The reason for this is that you want to use an instruction that ONLY accesses health values...and nothing else.
Also, if you see question marks inside of a pointer tree, and all of your addresses are correct, then you should probably skip that pointer because when you try to perform a compare, the game will crash.
Also, make sure to add the offset to your addresses...for example, if the instruction is:
Code:
movss [rsi+24],xmm15
...then we know that our health value is being stored in [rsi+24]. We also know that rsi contains the base address for our health, and that offset +24 helps us get to our actual health address. So, when we dissect this data, we will add our health address with a -24 offset:
For example...say our health address is ABCD1234...we would write it in text box of the data structures window as this:
Then, after we have the structure set up, you will be able to look at offset +24 to see the health address. We do this so that we can see the data structure from the base of the structure, so that we can see everything from the beginning and not miss anything. Whether or not this helps CE auto-guess, you'd have to ask DB.
You will need to do this with all of the addresses that you add to the data structures form if they are all being accessed by that particular instruction (as they should be).
Varstal Newbie cheater
Reputation: 0
Joined: 14 Jun 2014 Posts: 20
Posted: Sun Jun 15, 2014 10:32 pm Post subject:
Thank you for the information, and no, the 17EB address I missed deleting made too many address slots. I don't know what I'm doing wrong, but I can't seem to find a static offset with the same value upon reboot. I input the addresses as specified, 1234ABCD-24 for health and the others in the same format. I separate them into 2 groups, my health and the others, and then I look for addresses colour-coded as being different per group. I'm using one of the pointers that counts a couple of times per second, but all of them have 8+ addresses that they change.
++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Mon Jun 16, 2014 2:01 am Post subject:
It can take time. It will get easier.
Always be sure to check your register values.
If all else fails, there are other things that can be done.
Varstal Newbie cheater
Reputation: 0
Joined: 14 Jun 2014 Posts: 20
Posted: Mon Jun 16, 2014 3:38 pm Post subject:
Thank you so much for that information. I was able to compare registers and found that after each reboot RDX still equals 00000FFF, and all the others that accessed it did not. However, I'm not 100 percent sure what to do with this info. I tried putting together what you showed me earlier, but it's not changing my health. As of right now this is what I have going on:
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048,0397826E)
label(returnhere)
label(originalcode)
label(exit)
label(health)
newmem:
cmp RDX,00000FFF      //only the player's structure was seen with RDX == FFF
jne originalcode      //any other structure: run the original instruction untouched
jmp health
health:
mov [rsi+24],(float)100.0   //overwrite the health float before it is read
originalcode:
movss xmm0,[rsi+24]
exit:
jmp returnhere
0397826E:
jmp newmem
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
0397826E:
movss xmm0,[rsi+24]
//Alt: db F3 0F 10 46 24
++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Mon Jun 16, 2014 5:09 pm Post subject:
In memory viewer, make sure that 'show module addresses' is checked. Rebuild your script and try this:
Code:
//code above
newmem:
jmp health
health:
mov [rsi+24],(float)100.0
originalcode:
movss xmm0,[rsi+24]
jmp returnhere
//code below
If that doesn't work, use a different instruction. If it does work, try this:
Code:
//code above
newmem:
cmp qword ptr rdx,00000FFF
jne originalcode
jmp health
health:
mov [rsi+24],(float)100.0
originalcode:
movss xmm0,[rsi+24]
jmp returnhere
//code below
Varstal Newbie cheater
Reputation: 0
Joined: 14 Jun 2014 Posts: 20
Posted: Mon Jun 16, 2014 9:47 pm Post subject:
Ok,
I finally got one working; however, whenever I reboot, the code no longer works.