Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Better way to reduce pointer scan results?

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking
View previous topic :: View next topic  
Author Message
PhoenixAki
How do I cheat?
Reputation: 0

Joined: 22 May 2020
Posts: 5

PostPosted: Fri May 22, 2020 7:45 am    Post subject: Better way to reduce pointer scan results? Reply with quote

I've been using Cheat Engine on and off over the last year or so, but very heavily throughout May. I've been working alongside a friend to try to find reliable pointers to a ton of things in a game (Ty 2: Bush Rescue) so he can build up a trainer for them. I'll mention as well that I have done Computer Science as an undergrad, and I'm doing a Master's in it as well now, so I have a pretty good understanding of memory stuff, I'm just very new to applying it directly on such a low level.

I know virtually 0 about the trainer side of things and have been more on the research and pointer scanning side of things. I've gotten the hang of the approach with finding the addresses, pointer scanning, and rescanning memory to reducing the results while going in and out of levels, restarting the game, etc.

However, even with extensive testing by going all around the game, a lot of my pointer scans still have thousands of results, with a lot of different base addresses. I've always heard on videos that once you reduce them as much as you can, just pick some at random and hope they work, and I can't help but feel like there has to be approaches that are safer in the long-run than this.

I know it's expected to have multiple valid pointers, but are there ways to be able to home in on the correct base address to help narrow down the results further? Or is it possible to have multiple valid base addresses as well? I've attempted to understand the opcode stuff with "find out what writes to this address" to try to work out where each structure is in memory, but I have no idea if my understanding of that is correct or if it can be used in conjunction with pointer scans to help find the most valid pointers.

In general, if there are any tips to reducing results beyond just going into and out of levels and restarting the game/PC, I would greatly appreciate being "pointed" in the right direction Laughing
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 379

Joined: 09 May 2003
Posts: 22569
Location: The netherlands

PostPosted: Fri May 22, 2020 9:49 am    Post subject: Reply with quote

There can be multiple base addresses yes, e.g a pointer to the physics engine may have a pointer to the first object which may have a pointer to the game
and there may also be a player pointer which has a pointer to the current map which may have a pointer to the game


Best way to reduce the the results is doing pointerscans on different systems. You can let other people generate pointermaps for you which you can then feed to the rescan to filter out invalid paths

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
ParkourPenguin
I post too much
Reputation: 76

Joined: 06 Jul 2014
Posts: 2570

PostPosted: Fri May 22, 2020 10:43 am    Post subject: Reply with quote

PhoenixAki wrote:
I've always heard on videos that once you reduce them as much as you can, just pick some at random and hope they work, and I can't help but feel like there has to be approaches that are safer in the long-run than this.
I've always had that same feeling too. You don't need to pick them completely at random- pick a path with a low number of nodes, a low-ish max offset, and something that looks like a good base address (exe, sometimes threadstack, maybe or maybe not some dlls).
You can debug the process and find the exact pointer paths the game uses by reading and backtracing assembly. Of course that takes far more effort than simply using the pointer scanner, and it's impractical for anyone who doesn't know assembly.

PhoenixAki wrote:
I know it's expected to have multiple valid pointers, but are there ways to be able to home in on the correct base address to help narrow down the results further? Or is it possible to have multiple valid base addresses as well?
That depends on how you define "correct." If you mean "something that works," then pick something at random; if you mean "the one the game uses," there would still be several paths that could appertain to that. You could look at those paths and rank them based on semantics, but that would get into the territory of reverse engineering.
Also note that a path the game frequently uses might be more likely to break on an update than other paths.

PhoenixAki wrote:
I've attempted to understand the opcode stuff with "find out what writes to this address" to try to work out where each structure is in memory, but I have no idea if my understanding of that is correct or if it can be used in conjunction with pointer scans to help find the most valid pointers.
If you just look at offsets in instructions that access addresses (e.g. 4C in "mov eax[esi+4C]"), you can get a pretty good idea of what the last few offsets are; however, you aren't guaranteed to get the "correct" path.
(when I talked about backtracing, in this example I'd mean figuring out where the value in esi comes from by reading assembly, and recursively repeating that until you get to something static)

PhoenixAki wrote:
In general, if there are any tips to reducing results beyond just going into and out of levels and restarting the game/PC, I would greatly appreciate being "pointed" in the right direction
There's nothing easy I can think of. As DB said, have others find the respective address, generate a pointermap, and send it to you. This should always be done if you plan on distributing the table to others.

In so specific words asking about the "correct" path, you're asking how to ascertain semantic information about the binary structure of the game and in essence learn how the game was programmed. This would fall under basic reverse engineering.
I'd recommend doing that for the sake of learning, not practicality. If a pointer path "just works," use it and move on. Spend your time doing something else.
If disk space isn't of concern, save the pointer maps/scans for when the game has an update. It's possible one path could still work, but it's also possible everything breaks and it wouldn't have mattered if you found the "correct" path or not.

PS: aobscans and code injection (search "injection copy") are less likely to break on an update than static pointers IMO.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
PhoenixAki
How do I cheat?
Reputation: 0

Joined: 22 May 2020
Posts: 5

PostPosted: Fri May 22, 2020 6:04 pm    Post subject: Reply with quote

Thanks for the quick responses 🙂

I haven't messed with pointermaps all too much yet, but my understanding is that if I supply my results with a pointermap from another PC, that filters out all the pointer paths that aren't valid on both systems? Is it simply enough to have someone else open the game on their system and generate a pointermap from that point, or would they need to find the addresses in question before generating it?
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 379

Joined: 09 May 2003
Posts: 22569
Location: The netherlands

PostPosted: Fri May 22, 2020 6:28 pm    Post subject: Reply with quote

yes, just let them be in the game and generate a pointermap. They don't even need to find the address first (though it helps) Then use it on a rescan and filter on valid address only
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
PhoenixAki
How do I cheat?
Reputation: 0

Joined: 22 May 2020
Posts: 5

PostPosted: Sat May 23, 2020 6:19 am    Post subject: Reply with quote

I figured this part would be straightforward but I feel like I'm missing something (probably simple) here, sorry 😅

For this example I'm trying to find pointers for the player's Y coordinate. To try this out I went and pulled up the game on my laptop and created a generic pointermap (didn't find any addresses before doing so) and sent it over to my PC.

I then went back to my PC and pulled up the pointer scan results for the Y coordinate I have saved. I went to rescan memory like I've been doing, but now linked the pointermap from my laptop. I'm not sure what to do from here:
- When I supply "address to find" with the current address of the Y coordinate, I get 0 results left over.
- When I instead use "only filter out accessible pointers", I still got 0 results. However, when trying this for some other game values, some had a few left after doing this.

What's the right approach here? I know that another option is to find the Y coordinate (or whatever value is currently being worked on) on both systems and generate pointermaps with the coordinate included, and directly compare the maps that way (instead of comparing to already-existing scan results), but it seems simpler to do the rescan approach without having to find the address in both places.
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 379

Joined: 09 May 2003
Posts: 22569
Location: The netherlands

PostPosted: Sat May 23, 2020 6:43 am    Post subject: Reply with quote

You should have picked "only filter out invalid pointers"
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
PhoenixAki
How do I cheat?
Reputation: 0

Joined: 22 May 2020
Posts: 5

PostPosted: Sat May 23, 2020 7:01 am    Post subject: Reply with quote

That's what I was wanting to do initially as it seemed more logical, but it's greyed out for me. I take it that's not normal? Seems I can't post URLs, so I can't show what it looks like, but when I choose the saved pointermap, the "filter out invalid pointers", "delay rescan", and "repeat rescan" options, as well as the "value to find" get greyed out and I can't use them.
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 379

Joined: 09 May 2003
Posts: 22569
Location: The netherlands

PostPosted: Sat May 23, 2020 12:30 pm    Post subject: Reply with quote

hmm, looks like a bug
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
PhoenixAki
How do I cheat?
Reputation: 0

Joined: 22 May 2020
Posts: 5

PostPosted: Sat May 23, 2020 4:37 pm    Post subject: Reply with quote

To be safe, I just confirmed I'm on the most recent version and that it still happens now that I've restarted my PC. Is there any info you need from me to help find the cause of this (assuming it is a bug)? I figured maybe this just meant there aren't any invalid pointers, but it's still unusual for it to be greyed out entirely, and although I have experience with programming I can't even begin to understand the source code Laughing I'm not sure if this would be something I should wait on or if I should use a different approach in the meantime (like the direct comparison of pointermaps from a few messages ago). Thanks a ton for the replies + effort put into CE Smile
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 379

Joined: 09 May 2003
Posts: 22569
Location: The netherlands

PostPosted: Sun May 24, 2020 1:00 am    Post subject: Reply with quote

Direct comparison with the pointermaps is the way to go

Or send the pointerscan results to someone else and ask them to do a rescan

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites