Cheat Engine

Nevitar · How do I cheat? Reputation: 0 Joined: 04 Aug 2021 Posts: 8

Hi!
Edit2: Updated the Subject to reflect the real issue here, since it has come up that perhaps aobscanregion is not actually the best solution.

Ok, so I am trying here to figure out a nice way to automatically read out several sections of addresses that moves around from time to time in the game.
I want to use these addresses as pointers in my table.
I have noticed that there is also two versions of the data in the memory range, the first one seems "fake", so I want the second entry, which is always the correct one.

I was unable to find a pointer that leads to this address.
I was also unable to find a structure or whatever to symbolize the data.
So I went on to try Auto Assemble (and dabbled with lua)

This example works, every time. I get two addresses, with the second one being what I want to use as a pointer in my table.
However I am not sure how to proceed from there to make in into a script in the table.

LeFiXER · Posted: Wed Aug 04, 2021 6:33 am Post subject:

You're using AOB scan on a large region of memory. If you know the module that the address resides in you can use that to narrow down the location of the AOB.

Although the AOB you're using looks really suspicious. A screenshot of the section of memory where the instructions pass the pointer to the player would be helpful.

Nevitar · How do I cheat? Reputation: 0 Joined: 04 Aug 2021 Posts: 8

LeFiXER · Posted: Wed Aug 04, 2021 9:09 am Post subject:

On the memory viewer, press Ctrl+J (Dissect code) and select the main EXE file and any DLL files that aren't related to the OS.

That should resolve a lot of the addresses and give a bit more of a meaningful view of things.

Nevitar · How do I cheat? Reputation: 0 Joined: 04 Aug 2021 Posts: 8

LeFiXER · Posted: Wed Aug 04, 2021 10:17 am Post subject:

The results will be displayed in the memory viewer window; however, I noticed that in the dissect code section there is mono-2.0-bdwgc.dll.

I presume this game is a Unity game? If so, you can use Mono > .Net Info menu options to view the functions at a lower-level by clicking on Assembly-C-Sharp.dll in the left-hand pane, all the functions related to that DLL will be loaded in the central-pane. You can click on any of these entries to see all things that pertain to that entry. Following that, you can right-click on the members of the object/class, then click JIT. It will open up the memory viewer window at the point that function would be called. Alternatively, you can load Assembly-C-Sharp.dll in dnSpy and analyse the functions at a higher-level.

I know this doesn't really help with your particular issue specifically but if you can find the function that is responsible for initiating the code at which you want to manipulate, then you can find a more suitable AOB.

With Unity games, after activating mono you can reference scan regions with their module name, for example:

Nevitar · How do I cheat? Reputation: 0 Joined: 04 Aug 2021 Posts: 8

LeFiXER · Posted: Wed Aug 04, 2021 12:45 pm Post subject:

There is a lot to sift through for sure. I recommend you just read/analyse and experiment. The best way to learn.

Nevitar · How do I cheat? Reputation: 0 Joined: 04 Aug 2021 Posts: 8

LeFiXER · Posted: Wed Aug 04, 2021 1:40 pm Post subject:

aobscan will scan a module's memory for the matching bytes, which represent instructions in ASM but doesn't actually return an address. It gives you a location where you can manipulate the instructions directly.

A pointer is usually held in a register e.g. EAX/RAX, EDI/RDI (32-bit/64-bit), the game will mov the pointer (address which pointer to a value) data from one register to another, sometimes with an offset to denote how far behind, or further forward in memory the data should be moved to.

In the memory viewer window on the left side you have the addresses of the module's functions. The centre column is the bytes which represent the instructions in machine code form, the column to the right of the byte column
is the instructions in human-readable form (ASM).

Think of addresses as streets, and on those streets are houses (registers) and those houses have numbers (offsets).
When data is accessed it needs to know where to look. Armed with that analogy I'll do my best to explain.

in ASM the convention is like this:

TheyCallMeTim13 · Posted: Wed Aug 04, 2021 4:16 pm Post subject:

This looks like you're trying to find values with the AOB. You want to find instructions, not values as these AOBs will tend to fail. Look up "code injection" and "injection copy" to make your own pointers.

Nevitar · How do I cheat? Reputation: 0 Joined: 04 Aug 2021 Posts: 8

TheyCallMeTim13 · Posted: Wed Aug 04, 2021 7:35 pm Post subject:

I mean you can try, it might work. But from personal experience I can say it'll likely fail more than it works. Just look up the injection copy, once you do it you see it's a lot easier and faster than other approaches most times. I use it all the time to make my own pointers. Basically you find the address, see what accesses it, and inject where only the address you want is accessed to copy the address/base to your own pointer/symbol. And start with the CE templates as it will make things easier in the beginning.

Nevitar · How do I cheat? Reputation: 0 Joined: 04 Aug 2021 Posts: 8

TheyCallMeTim13 · Posted: Thu Aug 05, 2021 11:32 am Post subject:

You'll need to find the instruction that accesses the real value. I'd look for the list/array base, so you'll need to do some back tracing. You'll likely find something like "[RAX+RCX*8+10]", where one registry is the list base and the other is the item index. Once you find the base just look for an instruction that runs constantly or at least when you look at inventory, so you'll get the new address whenever it changes.