Cheat Engine

Goat Engine · Cheater Reputation: 0 Joined: 13 Aug 2018 Posts: 44

From my understanding, when searching for a pointer using the results of the "accesses this address" list, we can ignore any results that don't have anything between brackets [ ] as explained in the tutorial, but I was wondering when there's a long list of results that appear right when a change in the game is made/monitored...

1) Is it generally a good idea to start from the top or bottom of the list?

2) Is it generally a good idea to start with the ones with higher counts to the left of the entry, or the ones with 1 count?

3) Do the mov, movups, etc have any order or priority I should use for what to check first or any to ignore, etc?

For example if this list pops up right when the change happens that I'm looking for, which ones should I investigate first and why?

140436C94 - 55 - push rbp
14043715B - 5D - pop rbp
14145C460 - 40 53 - push rbx
14145C475 - 5B - pop rbx
14145C430 - 40 53 - push rbx
14145C44A - 5B - pop rbx
140437760 - 40 53 - push rbx
1404377AC - 5B - pop rbx
140D6BCC6 - 48 C7 40 04 FFFFFFFF - mov [rax+04],FFFFFFFF
14042A39E - 0F10 80 EC000000 - movups xmm0,[rax+000000EC]
140D6BD26 - 48 C7 40 04 FFFFFFFF - mov [rax+04],FFFFFFFF
14042A481 - 0F10 80 EC000000 - movups xmm0,[rax+000000EC]
14042CC6E - 48 89 6C 24 30 - mov [rsp+30],rbp
14042CCD8 - 48 8B 6C 24 30 - mov rbp,[rsp+30]
14042C670 - 48 89 5C 24 08 - mov [rsp+08],rbx
14042C6DE - 48 8B 5C 24 40 - mov rbx,[rsp+40]
140429A30 - 48 89 5C 24 08 - mov [rsp+08],rbx
140429AD8 - 48 8B 5C 24 30 - mov rbx,[rsp+30]
141445873 - 41 56 - push r14
14144597C - 41 5E - pop r14
1400E3574 - 48 89 5C 24 30 - mov [rsp+30],rbx
1400E3597 - 48 8B 5C 24 30 - mov rbx,[rsp+30]
7FFD94B076DF - 48 89 7C 24 30 - mov [rsp+30],rdi
7FFD94B07736 - 48 8B 7C 24 30 - mov rdi,[rsp+30]
14041BD90 - 44 89 70 FC - mov [rax-04],r14d
14041BE90 - 48 8B 84 D5 70050000 - mov rax,[rbp+rdx*8+00000570]
14041BEA0 - 48 89 8C D5 70050000 - mov [rbp+rdx*8+00000570],rcx
14041BE98 - 48 8B 8C D5 78050000 - mov rcx,[rbp+rdx*8+00000578]
14041BEA8 - 48 89 84 D5 78050000 - mov [rbp+rdx*8+00000578],rax
140DA74C9 - F3 0F7F 4A F0 - movdqu [rdx-10],xmm1
14042C357 - 8B 0B - mov ecx,[rbx]
1404347C4 - 48 89 B3 F0020000 - mov [rbx+000002F0],rsi
140434C96 - 48 8B 43 20 - mov rax,[rbx+20]

^The "count" number in front of each entry didn't copy, but several were a 1 while others were much higher in count number.

ParkourPenguin · Posted: Mon Aug 13, 2018 2:41 pm Post subject:

There's no absolute answer to any of those questions. The list will populate in the order of the first execution of those instructions as seen by CE. Do whatever you feel makes sense.

Dark Byte · Posted: Mon Aug 13, 2018 2:46 pm Post subject:

also, before searching for pointers you should make sure that the address is the correct one and not a temporary display value, else whatever you find will mostly be useless

Goat Engine · Cheater Reputation: 0 Joined: 13 Aug 2018 Posts: 44

ParkourPenguin · Posted: Mon Aug 13, 2018 4:14 pm Post subject:

There is a reason why that advice is included. In many situations where this technique of finding a pointer works, you'll only need to look at instructions with square brackets. However, the tutorial never explains why this is the case (AFAIK; I haven't gone through it in a while). Novices reading that will think it's an absolute and just accept it as a fact that they don't understand.

I don't think this is necessarily bad, because the tutorial is not designed to teach in that great of detail. It's good at quickly teaching novices with little knowledge of computer science about easy situations. It only teaches people what to do- not how or why things work. If it taught everything, it would take hundreds of hours to complete and very few people would use it.

Saying that advice is stupid was uncalled for, but there are definitely exceptions to it.

I'd still recommend the pointer scanner since it's easy to use. If you want to track it down manually, learn about x86-64 architecture.

Goat Engine · Cheater Reputation: 0 Joined: 13 Aug 2018 Posts: 44

Ah, I see what you mean and yes I did find myself wondering "why" and "when" for a few things the tutorial had me run through.

All in all I've had pretty good success using the manual method for everything I've tried to do except one final task which I opened another thread on earlier today, and from what others tell me who play the same game is an unusually difficult task considering how basic of a change it's intended to make in the game.

Also @Dark Byte - Yes I learned the hard way a while ago about identifying and avoiding looking too much into the display values. Happened again today when I thought I was on the right track to this last problem I've been trying to figure out for a while now. lol

Anyway I think I consider the original question of this thread to be solved, but if anyone wants to add any ideas/comments to my other thread, it would definitely be welcome. Thanks guys!

Dark Byte · Posted: Mon Aug 13, 2018 11:35 pm Post subject:

when looking for pointers you can pretty much ignore instructions without brackets because those are either blockmove instructions where the origin and destination registers have been changed so not even a base or offset can be figured out from that (and it's usually an indication that the value you found is not the real value)

or worse, it's stack manipulation instructions like push. This means that the address is in the stack and at a height that it's affected by function calls. In that case most of the code you found will be unrelated to what you where looking for