Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
Can't Find Base Address (Float)

 
Murded
Newbie cheater
Reputation: 0

Joined: 16 Nov 2015
Posts: 14

PostPosted: Sun Nov 22, 2015 3:14 pm    Post subject: Can't Find Base Address (Float)

I am unable to find the base address for the variable I am looking for. Usually I use the pointer scanner, but I cannot seem to find the correct value that way.

The value of the address is a float which represents the direction my character is facing.

I have also tried the "What accesses / what writes to this address" feature (see images below). *NOTE* When I rotate in game it doesn't write to / access the address, but the value changes.



[Attachment: cehelp.png]

ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Sun Nov 22, 2015 3:52 pm    Post subject:

If the game you're doing this for is run on an emulator or interpreter (e.g. desmume, adobe flash, etc.), don't bother trying to find a base pointer, you're not going to be able to. An AoB injection on that fld is probably your best bet for getting this address (assuming that instruction doesn't access other addresses).

A few questions:
When are those instructions being run if it's not when the value changes?
Is this an online game, or is there a good chance an anti-cheat is meddling with things?
What are the ESI and EDI registers when one of the movsd instructions is run?

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Murded
Newbie cheater
Reputation: 0

Joined: 16 Nov 2015
Posts: 14

PostPosted: Sun Nov 22, 2015 4:54 pm    Post subject:

ParkourPenguin wrote:
If the game you're doing this for is run on an emulator or interpreter (e.g. desmume, adobe flash, etc.), don't bother trying to find a base pointer, you're not going to be able to. An AoB injection on that fld is probably your best bet for getting this address (assuming that instruction doesn't access other addresses).

A few questions:
When are those instructions being run if it's not when the value changes?
Is this an online game, or is there a good chance an anti-cheat is meddling with things?
What are the ESI and EDI registers when one of the movsd instructions is run?


I've already got base pointers for different things in this game; I just can't seem to get this one.

As for when those instructions are run, I have no idea; however, when I rotate my character in game, no more instructions appear.

"An AoB injection on that fld is probably your best bet for getting this address (assuming that instruction doesn't access other addresses)."

Could you possibly send me a link explaining this a bit more?

Here are the full details of the movsd:


Code:
67DA02CE - A5 - movsd
67DA02CF - A5 - movsd
67DA02D0 - A5 - movsd  <<
67DA02D1 - A5 - movsd
67DA02D2 - C6 40 7C 00 - mov byte ptr [eax+7C],00

EAX=08D17BD8
EBX=08D22B00
ECX=08D22B00
EDX=FF400000
ESI=08D22B20
EDI=08D17C64
ESP=005FE92C
EBP=005FE9EC
EIP=67DA02D1
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Sun Nov 22, 2015 5:33 pm    Post subject:

The address you found might not be that important to the game. Does changing it in CE actually reflect it in the game? For example, does freezing that address make it so that you can't move your camera? If it doesn't, try searching more generally (all types, unknown initial value, changed/unchanged value scans). That'll definitely get you all the addresses related to your camera, but it may take a while to narrow the list of results down. Find out which one actually changes your camera angle in-game when you change it in CE, then do a pointer scan for that.

The instruction 67DA02D0 (movsd) is reading from your value, so ESI (source register) should be the address you found, and EDI (destination register) is the address where it's copying that memory to. I'm curious what's there. Add that address manually to your table. If the value is consistent with your camera angle, you can try to find a base pointer to that address if you're lucky.

If you absolutely can't find a base pointer to that address, you can make a code cave using that fld instruction as a jump point. In that code cave, copy ecx+8 into some memory address you registered and execute the original code. Then, you have a pointer to the address of your camera angle, and you can add it to your cheat table.
Tutorial on making scripts in general here.

Here's an example of what that script would look like:
Code:
[ENABLE]
aobscan(INJECT,D9 41 08 D8 21 D9 58 08) // should be unique: fld dword ptr [ecx+08] / fsub dword ptr [ecx] / fstp dword ptr [eax+08]
alloc(newmem,512)      // code cave
alloc(cameraAddress,4) // holds the pointer captured from ecx+8

label(return)

registersymbol(INJECT)
registersymbol(cameraAddress) // lets the table refer to [cameraAddress] by name

newmem:
  push eax
  lea eax,[ecx+08]            // address of the camera value, not its contents
  mov [cameraAddress],eax     // save that address for the cheat table
  pop eax
  fld dword ptr [ecx+08]      // original code (the 5 bytes replaced by the jmp)
  fsub dword ptr [ecx]
  jmp return

cameraAddress:
  db 00 00 00 00

INJECT:
  jmp newmem
return:

[DISABLE]
INJECT:
  db D9 41 08 D8 21 // restore the original bytes

unregistersymbol(INJECT)
unregistersymbol(cameraAddress)

dealloc(cameraAddress)
dealloc(newmem)

With this, add an address manually with the address [cameraAddress], or tick the "pointer" checkbox and put cameraAddress at the bottom (offset is 0).

2 main problems with this method, though:
1: That instruction has to only access that address. To figure out whether it does or not, right-click that instruction in CE's disassembler and select "Find out what addresses this instruction accesses". If anything besides your address pops up, that's bad. See this topic for how to resolve that.

2: That section of code has to be run before the address pops up in your cheat table. It's not that much of a problem, but if you don't know when that instruction is run, it can be annoying.

PS: I'm not sure if you've already tried this, but you can expand your search settings in the pointer scanner (i.e. increase max offset and level).

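To make the ESI/EDI reasoning concrete, here is an added Python model (not code from the thread) that walks the four consecutive movsd in Murded's dump. It assumes the direction flag is clear (each movsd adds 4 to ESI and EDI) and, since the dump shows EIP=67DA02D1, that the three movsd before that address had already executed when the registers were captured, so the flagged instruction's source and destination are the shown ESI and EDI minus 4.

```python
from dataclasses import dataclass

DWORD = 4  # movsd moves one 32-bit dword per execution


@dataclass(frozen=True)
class MovsdStep:
    eip: int   # address of the movsd instruction
    src: int   # ESI when it executed (address read)
    dst: int   # EDI when it executed (address written)


def movsd_run(run, eip_after, esi_after, edi_after, df_clear=True):
    """Reconstruct every movsd in `run` (ascending instruction addresses) from a
    register dump taken when EIP was already at `eip_after`, i.e. after each
    movsd below that address had retired and advanced ESI/EDI (DF clear: +4)."""
    step = DWORD if df_clear else -DWORD
    retired = sum(1 for addr in run if addr < eip_after)
    esi = esi_after - step * retired   # undo the post-increments
    edi = edi_after - step * retired
    steps = []
    for addr in run:
        steps.append(MovsdStep(addr, esi, edi))
        esi += step
        edi += step
    return steps


def step_at(steps, eip):
    return next(s for s in steps if s.eip == eip)


def copied_block(steps):
    """Half-open [lo, hi) source and destination ranges moved by the whole run."""
    lo_src = min(s.src for s in steps)
    lo_dst = min(s.dst for s in steps)
    size = DWORD * len(steps)
    return (lo_src, lo_src + size, lo_dst, lo_dst + size)


# Values taken from the dump posted above: four movsd, EIP at the last one.
RUN = [0x67DA02CE, 0x67DA02CF, 0x67DA02D0, 0x67DA02D1]
STEPS = movsd_run(RUN, eip_after=0x67DA02D1,
                  esi_after=0x08D22B20, edi_after=0x08D17C64)

if __name__ == "__main__":
    for s in STEPS:
        print(f"{s.eip:08X}: movsd  [{s.src:08X}] -> [{s.dst:08X}]")
    print("block copied:", " ".join(f"{x:08X}" for x in copied_block(STEPS)))
```

The run copies a 16-byte block, so the flagged movsd at 67DA02D0 is the third dword of that block; the destination it wrote is the address the reply above suggests adding to the table manually.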
Murded
Newbie cheater
Reputation: 0

Joined: 16 Nov 2015
Posts: 14

PostPosted: Sun Nov 22, 2015 5:48 pm    Post subject:

ParkourPenguin wrote:
The address you found might not be that important to the game. Does changing it in CE actually reflect it in the game? For example, does freezing that address make it so that you can't move your camera? If it doesn't, try searching more generally (all types, unknown initial value, changed/unchanged value scans). That'll definitely get you all the addresses related to your camera, but it may take a while to narrow the list of results down. Find out which one actually changes your camera angle in-game when you change it in CE, then do a pointer scan for that.


This doesn't work. I assume it's because it is an online game: if I change the value in Cheat Engine there is no change in game, and the value also gets changed straight back to what it was.
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Sun Nov 22, 2015 5:55 pm    Post subject:

Ah, ok. Then yeah, it's probably server-sided. If you want to do the pointer scan, expand your search settings until you do find one that works, or find a different value that's easier to find a static pointer for.

If you give up on finding a pointer, go for the code injection route I explained earlier.

Murded
Newbie cheater
Reputation: 0

Joined: 16 Nov 2015
Posts: 14

PostPosted: Sun Nov 22, 2015 6:03 pm    Post subject:

ParkourPenguin wrote:
Ah, ok. Then yeah, it's probably server-sided. If you want to do the pointer scan, expand your search settings until you do find one that works, or find a different value that's easier to find a static pointer for.

If you give up on finding a pointer, go for the code injection route I explained earlier.


Okay, so I gave that code injection a try; here are the steps I took.

I added a memory address [cameraAddress], went to memory view, pressed Auto assemble, pasted your code and executed it.

It then displayed a message box (see attachment) saying newmem = 02FF0000, cameraAddress = 02FF0200.

However, at this point the value of [cameraAddress] did not change, so I executed the code again. This time the value is correct; however, the message box it displayed was different. It said:

newmem = 00300000
cameraAddress = 00300200

Is this how it's supposed to be? And if so, what is the next step?



[Attachment: cenew.png]

ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Sun Nov 22, 2015 6:31 pm    Post subject:

Those boxes shouldn't be popping up. You should paste that code into an auto assembler window (Ctrl+Alt+A from the main CE window), then select File -> Assign to current cheat table. Then it'll add it as a script which you can enable/disable as you please via the checkbox at the left side of the record in the table.

Then, add the address [cameraAddress] as you did, and it should work. You can also drag that onto the script's record to add it as a "child" of that script. Then right click on the script, and under "Group config", select "Hide children when deactivated". Then the camera address will only pop up when the script is activated (AKA when that address actually exists).

Murded
Newbie cheater
Reputation: 0

Joined: 16 Nov 2015
Posts: 14

PostPosted: Sun Nov 22, 2015 6:56 pm    Post subject:

ParkourPenguin wrote:
Those boxes shouldn't be popping up. You should paste that code into an auto assembler window (Ctrl+Alt+A from the main CE window), then select File -> Assign to current cheat table. Then it'll add it as a script which you can enable/disable as you please via the checkbox at the left side of the record in the table.

Then, add the address [cameraAddress] as you did, and it should work. You can also drag that onto the script's record to add it as a "child" of that script. Then right click on the script, and under "Group config", select "Hide children when deactivated". Then the camera address will only pop up when the script is activated (AKA when that address actually exists).


This is the result



[Attachment: result.png]

ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Sun Nov 22, 2015 6:59 pm    Post subject:

Yeah. See the "2 main problems with this method" above. That section of assembly has to be run in order for it to write the correct address to cameraAddress. That's why I said it could be annoying if you don't know when those instructions are run.
Murded
Newbie cheater
Reputation: 0

Joined: 16 Nov 2015
Posts: 14

PostPosted: Sun Nov 22, 2015 7:01 pm    Post subject:

ParkourPenguin wrote:
Yeah. See the "2 main problems with this method" above. That section of assembly has to be run in order for it to write the correct address to cameraAddress. That's why I said it could be annoying if you don't know when those instructions are run.


Hmmm, so what do you suggest I do? Keep trying with the pointer scan?
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Sun Nov 22, 2015 7:20 pm    Post subject:

You can if you want to. Or just keep playing the game until that section of assembly is run.

Tips for a pointer scan:
  1. Select "No looping pointers". It'll slow down the scan a bit, but less disk space is used, and less invalid results are found.
  2. Make sure you're letting the stack addresses of the first few threads be handled as static. You can even try increasing the values on these a bit to possibly find more valid results.
  3. Increase the max offset value and max level if you aren't finding anything.
  4. The game might have marked some pointers as read-only (unlikely but possible). Uncheck "Don't include pointers with read-only nodes" if you want to, but it'll increase the amount of results found.
  5. If other pointers you've found have a common base address, selecting "Base address must be in specific range" will help narrow down your results by a lot, but you'll also miss it if it's not in that range.
  6. You might be able to use "First element of pointerstruct must point to module". Don't rely on it for most games, though.
  7. If you're having trouble with disk space, using "Pointers must end with specific offsets" will help (in this case it would be 8 for the last offset), but you might miss valid results.
  8. If you're really having trouble with disk space, use max different offsets per node. You'll miss tons of pointer paths, though, so you'll need to be lucky.

It's pretty much a balancing act between how encompassing your search is and the amount of disk space you have available.

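As an added illustration (not code from the thread) of what the scanner options in the tips above filter on, the following Python models a CE-style pointer path over a constructed 32-bit little-endian memory image: the path [[base]+0x10]+8 ends with offset 8 as in tip 7, and a path that revisits an address is rejected as in tip 1. All addresses and contents are made up, and `candidate_ok` is a simplified stand-in for the scanner's own filters, not CE's implementation.

```python
import struct

# Constructed 32-bit little-endian image (all addresses and contents made up):
#   0x00401000  static pointer inside a module        -> 0x08D22000
#   0x08D22000  object whose field at +0x10 points    -> 0x08D22B00
#   0x08D22B00  object whose field at +8 is the facing-direction float
IMAGE = {
    0x00401000: struct.pack("<I", 0x08D22000),
    0x08D22000: bytes(16) + struct.pack("<I", 0x08D22B00),
    0x08D22B00: struct.pack("<fff", 1.0, 0.0, 1.5708),
}
# Same layout, but the +0x10 field points back at its own object (a loop).
LOOPING_IMAGE = {
    0x00401000: struct.pack("<I", 0x08D22000),
    0x08D22000: bytes(16) + struct.pack("<I", 0x08D22000),
}


def read(mem, addr, fmt="<I"):
    """Read one value at addr from the image; None if the address is unmapped."""
    size = struct.calcsize(fmt)
    for start, blob in mem.items():
        if start <= addr and addr + size <= start + len(blob):
            return struct.unpack_from(fmt, blob, addr - start)[0]
    return None


def resolve(mem, base, offsets):
    """CE-style path: final = [...[[base]+o1]+o2...]+oN. The last offset is added,
    not dereferenced (a table entry with base cameraAddress and offset 0 works the
    same way). Returns (final_addr, nodes); final_addr is None if the chain is
    broken or revisits a node."""
    addr, nodes = base, [base]
    for off in offsets:
        ptr = read(mem, addr)
        if ptr is None:
            return None, nodes
        addr = ptr + off
        if addr in nodes:      # tip 1, simplified: a revisited node is a loop
            return None, nodes
        nodes.append(addr)
    return addr, nodes


def candidate_ok(offsets, base, last_offset=8, max_level=4, base_range=None):
    """Filters modelled on tips 3, 5 and 7: level cap, base range, fixed last offset."""
    if not offsets or len(offsets) > max_level or offsets[-1] != last_offset:
        return False
    if base_range is not None and not (base_range[0] <= base < base_range[1]):
        return False
    return True
```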
Murded
Newbie cheater
Reputation: 0

Joined: 16 Nov 2015
Posts: 14

PostPosted: Tue Nov 24, 2015 7:03 pm    Post subject:

ParkourPenguin wrote:
You can if you want to. Or just keep playing the game until that section of assembly is run.

Tips for a pointer scan:
  1. Select "No looping pointers". It'll slow down the scan a bit, but less disk space is used, and less invalid results are found.
  2. Make sure you're letting the stack addresses of the first few threads be handled as static. You can even try increasing the values on these a bit to possibly find more valid results.
  3. Increase the max offset value and max level if you aren't finding anything.
  4. The game might have marked some pointers as read-only (unlikely but possible). Uncheck "Don't include pointers with read-only nodes" if you want to, but it'll increase the amount of results found.
  5. If other pointers you've found have a common base address, selecting "Base address must be in specific range" will help narrow down your results by a lot, but you'll also miss it if it's not in that range.
  6. You might be able to use "First element of pointerstruct must point to module". Don't rely on it for most games, though.
  7. If you're having trouble with disk space, using "Pointers must end with specific offsets" will help (in this case it would be 8 for the last offset), but you might miss valid results.
  8. If you're really having trouble with disk space, use max different offsets per node. You'll miss tons of pointer paths, though, so you'll need to be lucky.

It's pretty much a balancing act between how encompassing your search is and the amount of disk space you have available.


I'm still having a bit of an issue with this. I think it's probably because I don't fully understand how it all works. Would you or anyone else who reads this be down for maybe giving me a hand through screen share on Skype or TeamViewer or something? It would be hugely appreciated.