Cheat Engine

[nonags]

Hi there,

I am new here and did some successfully pointer search. I can open the process and read the values. However each new patch of a game will have new pointers. After a short search I found that many developer have a special rescan algorithm. For example the TocaEdit team (or is it only one) do use a function called futurescan which seems to search for a key in the memory as orientation.
A google search for futurescan and the only found code snippet for the game "sleeping dogs":

[vng21092]

http://forum.cheatengine.org/viewtopic.php?t=561407, read read read

[nonags]

First thanks for the direction, very helpfully because there is much stuff and I do not know special CE functions like this aobscan.
Ok, as far I did read (please correct me) this is a tutorial to change a CE script to a aobscan script. This script will make CE able to find the pointers again and with the patern also in new games (if this part did not change).
Aobscan is not directly explained

Then my next question would be, howto get this into C++ and use in my own programs? Is there a API or library to use a CE script in a Tool or do I have to dig the CE code and copy aobscan out of it?

[vng21092]

well, it doesn't really find pointers per se. AOB scan finds the instruction that writes to the value in question. So, a specific instruction will write to health while others will modify other things, like ammo or w.e. Point is, if you have the instruction that writes to your value, whats the point in looking for pointers? You can modify said instruction to do your bidding. Pointers aren't consistent as you've stated, but AOB scans have a pretty high chance of sticking around through patches. As far as the C++ stuff goes, I've got no clue .

I really suck at explaining things so uhh, lets have a visualization. You have a friend named... Billy, Billy has a wallet holding your money. Billy is that instruction, HE handles your wallet. When you look for a pointer, its almost as if you're looking for the wallet, now it's hard finding the wallet because you have no clue where the fuck Billy put it. BUT, you know Billy always has the wallet, so you can tell Billy to do the work for you, and you won't have to care where the wallet is... cause you have Billy. Hope you get that?

[nonags]

So it seems to be a more complex scan than only searching a pattern in the memory. I though so because of the camkey in above example.
However I need this in a C++ solution so I change the topic a little bit to be more concret.
I have to find and read this aobscan to get more into it.
If I start a program I can hook this and search after startup. However there is no game started and the above futurescan will trigger often to find the values (shown in logfiles). Lets say I start the game an I am in the menu, there is no live count or health count. After I choose start there maybe, but I do not trigger again the aobscan.
How often I must start the aobscan?

[Zanzer]

Another reason why hacking into the game code to find an address is better.
You don't have to worry about all of the preconditions like waiting for the person to load up their character.
The game won't execute the code until it's supposed to and once it does, you now have the address.

Sorry, I don't have any sample code for doing this without CE.

In your case, I would not set the address scan on a timer or even on load.
Setup every one of your scripts to execute an initialization routine.
When the user attempts to enable something, that is when you run the initialization to find the address.
If it finds the address, cache it. Otherwise, the initialization routine will run again next time they enable a script.

[atom0s]

There are various ways you can accomplish AoB scanning in C/C++

The original common method of doing it is like this:

[nonags]

Thank you for the stuff. std::search seems for me very slow. Do you think they only search the lower memory addresses to find ingame values? I have no glue how long it may take but the futurescan is around 1 second to find the base offset.

[atom0s]

The more modern FindPattern I showed above works flawlessly for me. In one of my projects I search for about 30-40 patterns at once using it. The entire clump of scans all finish in under 1 second using std::async/std::future.

On smaller scale scans like 1-5 patterns only, the std::search method may perform slower than the first FindPattern (or other iterations of it). It is more beneficial when scanning for a large sum of objects rather then just a few.

[nonags]

Ok, to collect all the informations:
1. scan with CE for value in memory, i.e. health
2. let CE search for which code in memory writes to this address
3. take a bigger memory pattern of the code around the writing code
4. check if this pattern is unique in runing game, else make bigger pattern
5. make sure this code pattern exist from original game and the one with a game patch

In the monitor tool you may open the process or make a hook injection to directly access the memory.
Then you search the whole memory for the found pattern. Perhaps you only search the first 10 Megabyte of the virtual 4GB memory.

is this correct?

[atom0s]

Yes, pretty much correct. Always a good thing to ensure your pattern exists between two different files if that is what you are aiming for, which is the point of using AoB's.

As for memory searching, you can determine what exactly you should be scanning within based on where the pattern is located.

For example, if your pattern resides inside of the main executables code itself, you only need to scan within that executable's memory. If your pattern resides inside of a module, such as like 'Game.dll' then you only need to search inside of that modules memory. However in some cases the pattern you search for may be allocated at runtime causing the memory to be dynamic so you may need to scan each region of the memory the game currently has allocated to locate what you need.

All depends on the game though.

[nonags]

Hi, i am with you.
Here is a question about the pattern. I must think about dynamic runtime game code which exists after the level is started. (I come back to the scan trigger later) As far I see here it is called multilevel pointer, if you go the non aobscan (patchsave) method.

Ok, now I search with cheat engine for the value and the writing code. I have this area and the code is always the same EXEPT the dynamic values where the value is written to. Then I need a pattern with holes. Code yes, dynamic memory addresses no. So the pattern looks like 30 01 45 01 84 04 78, first value is code, next is step to next pattern byte, next is code etc.

Is there a pattern search algorithm in CE to generate such a pattern (I have looked for but did not find so far anything that sounds like this)? Or is this my part?

[Zanzer]

You can change the Value Type to Array of byte and search for: 30 01 45 01 84 04 78
If this AOB is an instruction, make sure you change the Writable checkbox to scan all memory.

You can create an AA script in CE to that address using: