Cheat Engine Forum - The Official Site of Cheat Engine

New pointerscan suggestion

 
Fresco
Grandmaster Cheater
Reputation: 4

Joined: 07 Nov 2010
Posts: 600

Posted: Sun Feb 08, 2015 1:32 pm    Post subject: New pointerscan suggestion

So the current pointerscan, given a value or address, finds a static address and some offsets that always point to the desired address.

The problem:
This particular game I'm trying to modify uses the same code to change the overall addresses, including camera position / enemy health / ammo, pretty much everything. To make it even harder to find the addresses, the game encrypts the values. Something like: 5 is stored as 0x40EF0590
This game has, somewhere in memory, stored some ASCII values like: FireGunAmmo.
So the thing is: after finding the address of the ammo for the FireGun, in Dissect Data Structures I can find a pathway that points directly (given some offsets) to the ASCII value "FireGunAmmo".

The improvement:
It would be nice to have the pointerscanner be able to find the pathway between 2 addresses.
So, I give it the address of the ammo and the address of the ASCII value "FireGunAmmo" and the results would be:
ammoAddy + offset = addy1
addy1 + (found offset 2) = addy3
addy3 + 0xFE = address of the ASCII value "FireGunAmmo"

Please let me know if it's worth implementing.

Thanks!

_________________
... Fresco
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sun Feb 08, 2015 2:12 pm

Not completely sure what you're referring to, but the structure spider provides comparative analysis for multiple structures.
SteveAndrew
Master Cheater
Reputation: 30

Joined: 02 Sep 2012
Posts: 323

Posted: Sun Feb 08, 2015 9:32 pm

Are you sure the value is encoded or encrypted and not just a data type you haven't checked? For example, the 0x40ef0590 value can be interpreted as a float with a value of "7.469429016", which is pretty close to 5, so maybe you grabbed that when it was actually 7.x but said it was 5...

Also, there is something you can do about games that modify all or many of their values using the same exact code!

Oftentimes, for example when the game is writing your lives value or whatever, it will call the same code to modify the value, BUT it will be called from a different place than, say, when it's writing health...

What you can do is look at the full stack or a break and trace, etc., while the value you're trying to single out is written; the return address could be different...

So if you find that to be the case, you can either hook the specific place related to your value in question, or hook the place that writes everything and check for that return address...


What I mean is something like this:

Code:

LivesSpecificCode:
mov rax,[rbx+rdx] //blah blah whatever code
mov rcx,[game.exe+123214] //blah blah
call [WriteAllValuesFunction]
// <-- return address will bring you here when writing lives only


HealthSpecificCode:
mov rdx,Game.IsGameRuntime+481832
xor rbx,rbx
mov rcx,1
call [WriteAllValuesFunction]
// <-- return address will bring you here when writing health only

WriteAllValuesFunction:
// <-- game's code
// ...
// -->
mov [rdx+4c],rax //instruction that writes to many/all addresses
// <-- game's code
// ...
// -->
mov rsp,rbp
pop rbp
ret //this will return to certain places only when certain addresses are written



So you can either hook before the call/the call itself in the specific places (if you can figure out how to get to the address you want from there)

Or from the WriteAllValuesFunction you can hook that and check for the return address to the place where it returns to for that specific address, as denoted by the "//<--return address will bring you here..."

This isn't always the case though, sometimes the game doesn't work like that and you have to find some other way to uniquely identify and single out the values you want.

The most recent time this worked for me was with Dragon Age: Inquisition: the potions write code also wrote to other things. So I was able to back-trace and find a place where only the potions value was being prepared to be written by the potions/other write code... I hooked that and then only potions would be written to with my script...

And for power, inquisition perks and influence, I compared [rsp+28] (where the return value happened to be stored from the place I hooked) to a certain return address. Only when it equaled the power return address did I write the power value, only when it equaled the perks address did I write the perks value, etc...

It's a nice trick when it works :P

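SteveAndrew's float remark, and Fresco's later edit about the high 4 bytes of a double, both come down to trying the other encodings before assuming encryption. The following is an added example, not code from the thread: it reinterprets a 32-bit word as int32, float32 and as the high dword of a little-endian double, and reports which readings come out as whole numbers (the magnitude limit and tolerance are the example's own assumptions).

```python
import math
import struct

def as_int32(word: int) -> int:
    """Reinterpret a 32-bit word as a signed integer."""
    return struct.unpack("<i", struct.pack("<I", word & 0xFFFFFFFF))[0]

def as_float32(word: int) -> float:
    """Reinterpret a 32-bit word as an IEEE-754 single (float)."""
    return struct.unpack("<f", struct.pack("<I", word & 0xFFFFFFFF))[0]

def as_double_high(word: int, low: int = 0) -> float:
    """Treat the word as the HIGH dword of a little-endian IEEE-754 double.

    For small whole numbers the low dword is all zero, so a game that only
    rewrites the high 4 bytes still yields the exact value here.
    """
    raw = struct.pack("<II", low & 0xFFFFFFFF, word & 0xFFFFFFFF)
    return struct.unpack("<d", raw)[0]

def plausible_readings(word: int, limit: float = 1e6) -> dict:
    """Interpretations that look like a gameplay number: finite, modest magnitude."""
    readings = {
        "int32": as_int32(word),
        "float32": as_float32(word),
        "double_high": as_double_high(word),
    }
    return {name: v for name, v in readings.items()
            if math.isfinite(v) and abs(v) <= limit}

def integer_readings(word: int, tol: float = 1e-6) -> dict:
    """Of the plausible readings, those that are (within tol) a whole number."""
    return {name: round(v) for name, v in plausible_readings(word).items()
            if abs(v - round(v)) <= tol}

if __name__ == "__main__":
    # Words quoted in the thread: the "5" SteveAndrew read as a float, and the
    # high dwords Fresco listed for 4, 3, 2, 1, 0, 63 and 60.
    for w in (0x40EF0590, 0x40100000, 0x40080000, 0x40000000,
              0x3FF00000, 0x00000000, 0x404F8000, 0x404E0000):
        print(f"0x{w:08X}: {plausible_readings(w)} -> whole: {integer_readings(w)}")
```

Running it shows 0x40EF0590 is only plausible as a float (7.469...), while every word in Fresco's table decodes to exactly the integer he observed when read as the high half of a double.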
Fresco
Grandmaster Cheater
Reputation: 4

Joined: 07 Nov 2010
Posts: 600

Posted: Sat Mar 14, 2015 9:37 am

[EDIT]
Never mind, it was a double... silly me...
The fact that the game only changed the high 4 bytes of the double confused me...

Yes, I have checked all the values ( types ) and they seem to be encrypted with some strange algorithm.
    0x40100000 for integer 4
    0x40080000 for integer 3
    0x40000000 for integer 2
    0x3FF00000 for integer 1
    0x00000000 for integer 0
    0x404F8000 for integer 63
    0x404E0000 for integer 60
    and yes, it's the whole 4 bytes

If I take an object-oriented approach to the data structures (objects), they all seem to be generated by the same class.
As for the caller (setter/getter method), it's all the same, since it was generated by the same class: everything gets set by some ~80 lines of asm code, and they would all be called from the same location with the same call stack (i.e. going only 2 calls up). I don't want to go further up because, as you may already know, interpreting assembly data is really difficult.
Nopping the function that writes to... everything..., including health, ammo, etc., would just show a black screen, although the sound would work perfectly and the game would still be operational (no errors).
Nopping only the branch that writes to the hp, ammo, etc. would show the whole level, like in development mode (with really strange physics).

here's what the code looks like
Code:
callerNo1:
//blabla
call callerNo2
//retaddyNo1

callerNo2:
//doStuff
call FxThatChangesEverything
//retaddyNo2

FxThatChangesEverything:
//doStuff
//call some 4 or 5 functions
//if something ( that nopped only affects screen (visuals) ) == false
//   do code that changes everything and return
//else
// execute all ~80 asm code and return


All the objects created by that "global class" look to be in an array.
So it would look like:
[cursor position], [hp], [video resolution], [mesh materials], [armor], [some other unk obj], [ammo], etc...
and they all seem to be placed randomly. My guess is that the encryption, as well as the randomness, as well as the fact that they are all created by the same class, has to do with the fact that this game is protected by some anti-cheat system.
So far I've been able to narrow down the objects using their properties (since the call stack is all the same).
For example, if edx == 3 at the entrance of the fxThatChangesAll, the modification has something to do with either ammo, health, position, or some other (non graphics related) stuff.
Since I was unable to narrow it down any further, I created a simple logging cheat that would log all the addresses whose value gradually decreases by the hex values above (4, 3, 2, 1); it would discard all the addresses that don't fit the profile, and finally it would execute my custom code only for the addresses that were able to pass through.
So the code only gets activated when I have 4 bullets and I fire them all; at the count of zero, the cheat gets activated and adds an extra 60 bullets.

_________________
... Fresco
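Fresco's profile filter (keep only the addresses whose writes count down 4, 3, 2, 1, 0 and discard the rest) combined with SteveAndrew's return-address check, as an added Python example on a constructed trace; this is not code from the thread, and the two caller addresses, the target addresses and the trace entries are invented for the example, standing in for what a logging hook on the shared writer might record.

```python
import struct
from collections import defaultdict

# Hypothetical return addresses for two callers of the shared write routine.
CALLER_GAMEPLAY = 0x7FF61A002A10
CALLER_VISUAL = 0x7FF61A002B80

# Constructed trace of (return address, target address, high dword written).
TRACE = [
    (CALLER_GAMEPLAY, 0x1F000000, 0x40100000),  # 4.0
    (CALLER_VISUAL,   0x1F000080, 0x40100000),  # 4.0 via the visual path
    (CALLER_GAMEPLAY, 0x1F0000C0, 0x40100000),  # 4.0
    (CALLER_GAMEPLAY, 0x1F000000, 0x40080000),  # 3.0
    (CALLER_VISUAL,   0x1F000080, 0x40080000),  # 3.0
    (CALLER_GAMEPLAY, 0x1F0000C0, 0x40080000),  # 3.0
    (CALLER_GAMEPLAY, 0x1F000000, 0x40000000),  # 2.0
    (CALLER_VISUAL,   0x1F000080, 0x40000000),  # 2.0
    (CALLER_GAMEPLAY, 0x1F000000, 0x3FF00000),  # 1.0
    (CALLER_VISUAL,   0x1F000080, 0x3FF00000),  # 1.0
    (CALLER_GAMEPLAY, 0x1F0000C0, 0x3FF00000),  # 1.0 (this address skipped 2.0)
    (CALLER_GAMEPLAY, 0x1F000000, 0x00000000),  # 0.0
    (CALLER_VISUAL,   0x1F000080, 0x00000000),  # 0.0
    (CALLER_GAMEPLAY, 0x1F0000C0, 0x00000000),  # 0.0
]

def as_double_high(word: int) -> float:
    """Decode the high dword of a little-endian double (low dword taken as zero)."""
    return struct.unpack("<d", struct.pack("<II", 0, word & 0xFFFFFFFF))[0]

def writes_per_address(trace, caller=None):
    """Group decoded writes by target; with caller set, keep only that return address."""
    per_addr = defaultdict(list)
    for ret, target, word in trace:
        if caller is None or ret == caller:
            per_addr[target].append(as_double_high(word))
    return dict(per_addr)

def follows_countdown(values, start=4) -> bool:
    """True if the writes step start, start-1, ..., 0 in order with no gap (repeats allowed)."""
    distinct = [v for i, v in enumerate(values) if i == 0 or v != values[i - 1]]
    expected = [float(n) for n in range(start, -1, -1)]
    return any(distinct[i:i + len(expected)] == expected
               for i in range(len(distinct) - len(expected) + 1))

def find_countdown_addresses(trace, start=4, caller=None):
    """Addresses whose write history shows the full countdown; all others are discarded."""
    return sorted(addr for addr, vals in writes_per_address(trace, caller).items()
                  if follows_countdown(vals, start))
```

Without the caller filter two addresses pass the countdown profile; restricting to the gameplay return address leaves only the one the gameplay path writes, which is the combination of the two posts' ideas.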