Cheat Engine The Official Site of Cheat Engine
JonerBardlos How do I cheat?
Reputation: 0
Joined: 13 Jan 2019 Posts: 2
Posted: Sun Jan 13, 2019 5:23 am Post subject: Cheat Engine - Base address details
Hello. I have run a scan for a string in memory, wrote down the addresses, then restarted the game. I repeated this a few times and these are the results:
Address = 03253278
AllocBase = 03010000 Base = 03253000 Size = 35BD00
Address = 03433278
AllocBase = 031F0000 Base = 03433000 Size = 35BD00
Address = 03493278
AllocBase = 03250000 Base = 03493000 Size = 35BD00
Later I calculated that the string I'm interested in is always located 632 bytes after the base address:
03253278 - 03253000 = 632 (278h)
03433278 - 03433000 = 632 (278h)
03493278 - 03493000 = 632 (278h)
Later I tried to find out how this base address is calculated. I tried to use the x32dbg debugger for this, but I failed. It is a complicated case, because this string is loaded into memory only once on game startup, so I'm not able to use the option "Data breakpoint > Find out what writes this address" in Cheat Engine (or I just don't know how?).
Can you tell me how the base address is calculated? I have tried to look into the PE header of the game executable, but didn't find anything.
Also, do you know how to find the opcode which is responsible for writing this string when it loads only once at the startup of the game?
Any advice will be helpful.
OldCheatEngineUser Whateven rank
Reputation: 20
Joined: 01 Feb 2016 Posts: 1586
Posted: Sun Jan 13, 2019 7:21 am
You can search and set "last digits" in "memory scan options" to 278, or use the pointer scanner to find a static pointer that points to that string.
Yes, the string will always be at offset (base+278), and base is (allocbase+243000).
JonerBardlos wrote:
Later I tried to find out how this base address is calculated. I tried to use the x32dbg debugger for this, but I failed. It is a complicated case, because this string is loaded into memory only once on game startup, so I'm not able to use the option "Data breakpoint > Find out what writes this address" in Cheat Engine (or I just don't know how?).
Can you tell me how the base address is calculated? I have tried to look into the PE header of the game executable, but didn't find anything.
Also, do you know how to find the opcode which is responsible for writing this string when it loads only once at the startup of the game?
Settings -> Debugger Options -> Use Windows debugger, then File -> Open Process -> Create Process.
This way you can use a data breakpoint, read/write accesses or whatever fits.
It allows you to scan for the string, since process execution will stop at the module entry point.
"I have tried to look into PE header of the game executable, but didn't find anything."
The executable's data is usually within the executable itself and it is static; the NT loader reserves pages for the static code/data that the module has.
The NT loader reserves extra pages for the executable in case the executable calls VirtualAlloc. That's not everything: the loader also allocates pages and initializes them to 0 (some have no_access attributes).
So it either allocates new memory, or reuses some old memory.
Note:
There is no official documentation about how the loader manages things; this is based on analysis and experience (limited to Windows 7 and XP).
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote: i am a sweetheart.
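The offset bookkeeping in the first post and the "base is (allocbase+243000)" relation in the reply, as an added example that is not part of the thread: it parses the three scan results pasted above (copied from the first post, not captured here) and reports which differences between Address, Base and AllocBase stay constant across restarts, so that a reader can apply the same check to their own scan results.

```python
import re

# The three restart observations pasted in the first post (hex, as Cheat Engine shows them).
OBSERVATIONS = """\
Address = 03253278
AllocBase = 03010000 Base = 03253000 Size = 35BD00
Address = 03433278
AllocBase = 031F0000 Base = 03433000 Size = 35BD00
Address = 03493278
AllocBase = 03250000 Base = 03493000 Size = 35BD00
"""

FIELD = re.compile(r"(Address|AllocBase|Base|Size)\s*=\s*([0-9A-Fa-f]+)")


def parse_observations(text):
    """Group the 'key = hex' pairs into one record per restart.

    A record is complete once all four fields have been seen; a field
    repeating before that signals a malformed paste and raises ValueError.
    """
    records, current = [], {}
    for key, val in FIELD.findall(text):
        if key in current:
            raise ValueError(f"duplicate {key} before record was complete")
        current[key] = int(val, 16)
        if len(current) == 4:
            records.append(current)
            current = {}
    if current:
        raise ValueError("trailing incomplete record")
    return records


def stable_deltas(records):
    """Return {name: delta} for every anchor pair whose difference is the
    same in every restart; a pair whose difference drifts maps to None."""
    pairs = {
        "Address-Base": ("Address", "Base"),
        "Address-AllocBase": ("Address", "AllocBase"),
        "Base-AllocBase": ("Base", "AllocBase"),
    }
    out = {}
    for name, (a, b) in pairs.items():
        deltas = {r[a] - r[b] for r in records}
        out[name] = deltas.pop() if len(deltas) == 1 else None
    return out


if __name__ == "__main__":
    for name, delta in stable_deltas(parse_observations(OBSERVATIONS)).items():
        print(name, "drifts" if delta is None else f"constant 0x{delta:X} ({delta})")
```

A delta that stays constant over every restart is the one worth anchoring a scan or pointer path on; a drifting one means that anchor is re-laid out each launch.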
JonerBardlos How do I cheat?
Reputation: 0
Joined: 13 Jan 2019 Posts: 2
Posted: Mon Jan 14, 2019 8:29 am
Thank you very much. Your response helped me a lot.
I didn't know earlier that a process can be created in Cheat Engine :p
But I still haven't solved my main issue. I was not able to create a valid memory breakpoint, because the memory is dynamically allocated each time at game startup or when loading a new level.
What I tried was to generate a pointer to my string and scan for memory access/write on the address pointed to by this pointer, but the problem is that this value for scanning isn't recalculated each time, so access/write actions are detected on a static address.
So for example I have a pointer P->XXXXX; I run a scan for what writes this address, then I restart the game and the pointer is P->YYYYY, but the scan still runs for XXXXX.
A really helpful feature here would be a memory conditional breakpoint, like scanning memory for the string each time an opcode is executed.
But I understand that would be hard to implement and a processor-power-consuming solution.
Quote: Yes, the string will always be at offset (base+278), and base is (allocbase+243000).
That basically helped me understand this, but I still have no clue how to find out what the value of allocbase is. As I understand it, this value is calculated during execution, but I really don't know how to check where in the code the calculation happens. This stops me from setting a proper breakpoint to find out which opcode writes data to my string.
OldCheatEngineUser Whateven rank
Reputation: 20
Joined: 01 Feb 2016 Posts: 1586
Posted: Mon Jan 14, 2019 1:57 pm
JonerBardlos wrote: but I still have no clue how to find out what the value of allocbase is.
The memory region view can help: Memory View -> View -> Memory Regions.
You should have been able to find your string without issues; anyhow, what are you trying to achieve?
LeonBlade How do I cheat?
Reputation: 0
Joined: 25 Jan 2019 Posts: 9
Posted: Mon Jan 28, 2019 8:20 pm
If I understand you correctly, you're saying that the module base + some bytes will always contain what you're looking for? In that case, why can't you reference it like this: "game.exe"+0x278
Using "game.exe" will resolve to the base address of that given module.
OldCheatEngineUser Whateven rank
Reputation: 20
Joined: 01 Feb 2016 Posts: 1586
Posted: Mon Jan 28, 2019 8:27 pm
Nope, you did not understand correctly.