Cheat Engine The Official Site of Cheat Engine
Nevitar How do I cheat? Reputation: 0
Joined: 04 Aug 2021 Posts: 8
Posted: Wed Aug 04, 2021 6:01 am Post subject: Create symbol dynamic changing memory address for pointer
Hi!
Edit2: Updated the subject to reflect the real issue here, since it has come up that perhaps aobscanregion is not actually the best solution.
Ok, so I am trying to figure out a nice way to automatically read out several sections of addresses that move around from time to time in the game.
I want to use these addresses as pointers in my table.
I have noticed that there are also two versions of the data in the memory range; the first one seems "fake", so I want the second entry, which is always the correct one.
I was unable to find a pointer that leads to this address.
I was also unable to find a structure or whatever to symbolize the data.
So I went on to try Auto Assemble (and dabbled with Lua).
This example works, every time. I get two addresses, with the second one being what I want to use as a pointer in my table.
However, I am not sure how to proceed from there to make it into a script in the table.
Code:
-- AOBScan returns a StringList with every match (nil if nothing matched)
inventoryBaseAddress = AOBScan("C5 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 ?? ?? 00 00 01 00 00 00 FF FF FF FF 01")
print(inventoryBaseAddress[0]) -- first match (the "fake" copy)
print(inventoryBaseAddress[1]) -- second match (the one I want)
inventoryBaseAddress.destroy() -- free the list when done
Result printed out
Code:
1DF3B95A018
1DF3FBE9018
I went on to use AA, and here I have trouble getting things to work properly, and I cannot find out why.
I tried a few different approaches.
This seems to somewhat work: I get no compile/inject error, the player is defined in the Symbol config with no address attached to it, which I think is ok (?); however, when using player in the table as a pointer it says the address is 000000C5. That seems to have a relation to my byte array; I read somewhere that this is data, not a pointer? So how do I work with that?
Code:
//// -------------------- Main Section ---------------------
[ENABLE]
//// -------------------- Enable Section ---------------------
aobscan(player, C5 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 ?? ?? 00 00 01 00 00 00 FF FF FF FF 01)
registersymbol(player)
[DISABLE]
//// -------------------- Disable Section --------------------
unregisterSymbol(player)
Now, I also tried another route, since I read that aobScan / aobScanRegion always picks the first find.
This one however gives me <<Failure determining what fakeInventoryBaseAddress means>>
Code:
//// -------------------- Main Section ---------------------
[ENABLE]
//// -------------------- Enable Section ---------------------
aobScanRegion(fakeInventoryBaseAddress,10000000000,2F000000000, C5 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 ?? ?? 00 00 01 00 00 00 FF FF FF FF 01)
fakeInventoryBaseAddress:
registerSymbol(fakeInventoryBaseAddress)
aobScanRegion(inventoryBaseAddress,fakeInventoryBaseAddress,2F000000000, C5 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 ?? ?? 00 00 01 00 00 00 FF FF FF FF 01)
inventoryBaseAddress:
registerSymbol(inventoryBaseAddress)
[DISABLE]
//// -------------------- Disable Section --------------------
unregisterSymbol(fakeInventoryBaseAddress)
unregisterSymbol(inventoryBaseAddress)
Please let me know what I am messing up.
Oh, and I actually have several sections of memory like this that I want to craft pointers for, with a dynamic offset.
Is there an easier/better way to read these out and add them to my cheat table?
This one seems to take a lot of time to run.
Last edited by Nevitar on Thu Aug 05, 2021 5:45 am; edited 1 time in total
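An added illustration, not code from this thread: a small Python byte-pattern scanner run over a constructed buffer that holds two copies of the AOB from the post above. It shows that a scan yields every match (the list the Lua AOBScan call printed) while taking only the first hit lands on the earlier "fake" copy, and that reading the bytes at a data match as a 32-bit value gives 0xC5, which is what a symbol registered on those bytes produces when the table treats it as a pointer. The buffer layout and the wildcard fill bytes (0x11, 0x22) are made up for the example.

```python
import struct

# The AOB from the post above; "??" marks wildcard bytes.
PATTERN = ("C5 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 "
           "?? ?? 00 00 01 00 00 00 FF FF FF FF 01")


def parse_aob(text):
    """Turn an AOB string into a list of ints, with None for '??' wildcards."""
    return [None if tok in ("??", "*") else int(tok, 16) for tok in text.split()]


def aob_scan_all(buf, pattern):
    """Every offset in buf where the pattern matches (what Lua AOBScan returns)."""
    plen = len(pattern)
    return [i for i in range(len(buf) - plen + 1)
            if all(p is None or buf[i + j] == p for j, p in enumerate(pattern))]


def aob_scan_first(buf, pattern):
    """Only the first match, which is what the AA aobscan command registers."""
    hits = aob_scan_all(buf, pattern)
    return hits[0] if hits else None


def build_sample():
    """Constructed memory image: the 'fake' copy first, the real one later."""
    pat = parse_aob(PATTERN)
    fake = bytes(0x11 if p is None else p for p in pat)   # wildcards = 0x11 (made up)
    real = bytes(0x22 if p is None else p for p in pat)   # wildcards = 0x22 (made up)
    return b"\x00" * 0x40 + fake + b"\x00" * 0x100 + real + b"\x00" * 0x20


def demo():
    buf = build_sample()
    pat = parse_aob(PATTERN)
    hits = aob_scan_all(buf, pat)            # [fake_offset, real_offset]
    first = aob_scan_first(buf, pat)         # the fake copy
    wanted = hits[1] if len(hits) > 1 else None
    # A symbol placed on a data match points at the bytes C5 00 00 00, so
    # dereferencing it as a 32-bit pointer yields 0xC5, not an address.
    value_at_symbol = struct.unpack_from("<I", buf, first)[0]
    return hits, first, wanted, value_at_symbol


if __name__ == "__main__":
    print(demo())
```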
LeFiXER Grandmaster Cheater Supreme Reputation: 20
Joined: 02 Sep 2011 Posts: 1055 Location: 0x90
Posted: Wed Aug 04, 2021 6:33 am
You're using AOB scan on a large region of memory. If you know the module that the address resides in you can use that to narrow down the location of the AOB.
Although the AOB you're using looks really suspicious. A screenshot of the section of memory where the instructions pass the pointer to the player would be helpful.
Nevitar How do I cheat? Reputation: 0
Joined: 04 Aug 2021 Posts: 8
Posted: Wed Aug 04, 2021 7:11 am
LeFiXER wrote:
You're using AOB scan on a large region of memory. If you know the module that the address resides in you can use that to narrow down the location of the AOB.
Although the AOB you're using looks really suspicious. A screenshot of the section of memory where the instructions pass the pointer to the player would be helpful.
Cheers for getting back to me.
Yes, I feel it is a large area of memory, but so far I have found the section I want to reside between 1DF3FBE9018 and 2462AEA3018, and that is in just 3 rescans; not sure how I could limit that further, sadly.
I did take a look at modules, but there seemed to be tons of different modules in this range of memory, not just one.
I would be happy to help with a screenshot for the second part of your reply, but I am not sure what you mean exactly.
Attaching a screenshot of what might be what you are interested in?
Edit:
Scratch that, I did not take a look at modules; I was watching Memory regions, of which there are lots.
Perhaps I could find a specific module, how?
LeFiXER Grandmaster Cheater Supreme Reputation: 20
Joined: 02 Sep 2011 Posts: 1055 Location: 0x90
Posted: Wed Aug 04, 2021 9:09 am
On the memory viewer, press Ctrl+J (Dissect code) and select the main EXE file and any DLL files that aren't related to the OS.
That should resolve a lot of the addresses and give a bit more of a meaningful view of things.
Nevitar How do I cheat? Reputation: 0
Joined: 04 Aug 2021 Posts: 8
Posted: Wed Aug 04, 2021 10:02 am
LeFiXER wrote:
On the memory viewer, press Ctrl+J (Dissect code) and select the main EXE file and any DLL files that aren't related to the OS.
That should resolve a lot of the addresses and give a bit more of a meaningful view of things.
Interesting, where is the result of this, or what happens when I do this?
Attached image, I did not get a new window of the results.
I saw I can in the Memory Viewer "View referenced strings" for example.
LeFiXER Grandmaster Cheater Supreme Reputation: 20
Joined: 02 Sep 2011 Posts: 1055 Location: 0x90
Posted: Wed Aug 04, 2021 10:17 am
The results will be displayed in the memory viewer window; however, I noticed that in the dissect code section there is mono-2.0-bdwgc.dll.
I presume this game is a Unity game? If so, you can use the Mono > .Net Info menu options to view the functions at a lower level: click on Assembly-C-Sharp.dll in the left-hand pane, and all the functions related to that DLL will be loaded in the central pane. You can click on any of these entries to see all things that pertain to that entry. Following that, you can right-click on the members of the object/class, then click JIT. It will open up the memory viewer window at the point that function would be called. Alternatively, you can load Assembly-C-Sharp.dll in dnSpy and analyse the functions at a higher level.
I know this doesn't really help with your particular issue specifically, but if you can find the function that is responsible for initiating the code which you want to manipulate, then you can find a more suitable AOB.
With Unity games, after activating mono you can reference scan regions with their module name, for example:
Code:
aobscanregion(inject,Player:Update,Player:Update+1000, X,Y,Z)
Note: 'X,Y,Z' would be the AOB
Nevitar How do I cheat? Reputation: 0
Joined: 04 Aug 2021 Posts: 8
Posted: Wed Aug 04, 2021 12:07 pm
LeFiXER wrote:
The results will be displayed in the memory viewer window; however, I noticed that in the dissect code section there is mono-2.0-bdwgc.dll.
I presume this game is a Unity game? If so, you can use Mono > .Net Info menu options to view the functions at a lower-level by clicking on Assembly-C-Sharp.dll in the left-hand pane, all the functions related to that DLL will be loaded in the central-pane. You can click on any of these entries to see all things that pertain to that entry. Following that, you can right-click on the members of the object/class, then click JIT. It will open up the memory viewer window at the point that function would be called. Alternatively, you can load Assembly-C-Sharp.dll in dnSpy and analyse the functions at a higher-level.
I know this doesn't really help with your particular issue specifically but if you can find the function that is responsible for initiating the code at which you want to manipulate, then you can find a more suitable AOB.
With Unity games, after activating mono you can reference scan regions with their module name, for example:
Code:
aobscanregion(inject,Player:Update,Player:Update+1000, X,Y,Z)
Note: 'X,Y,Z' would be the AOB
Thank you for the help.
While interesting, and I found a lot of fun stuff to sift through, I feel like most of that was over my head at this time; I found things that relate to the inventory, but could not get further.
I have mono activated, so I need to find a module name then?
Hmm
I also found information relating to the achievements; that could be interesting, the Steam achievements are not triggering.
LeFiXER Grandmaster Cheater Supreme Reputation: 20
Joined: 02 Sep 2011 Posts: 1055 Location: 0x90
Posted: Wed Aug 04, 2021 12:45 pm
There is a lot to sift through for sure. I recommend you just read/analyse and experiment. The best way to learn.
Nevitar How do I cheat? Reputation: 0
Joined: 04 Aug 2021 Posts: 8
Posted: Wed Aug 04, 2021 12:55 pm
LeFiXER wrote:
There is a lot to sift through for sure. I recommend you just read/analyse and experiment. The best way to learn.
Yes indeed,
I have spent several days trying to get my aobscanregion to work though, reading a lot.
I don't understand why I get a 000000C5 instead of the address I want.
There is nothing there at that address.
I also don't understand why I cannot use variables in the aobscanregion.
By the way, player in my example is just a name; what I'm trying to get is the inventory data.
LeFiXER Grandmaster Cheater Supreme Reputation: 20
Joined: 02 Sep 2011 Posts: 1055 Location: 0x90
Posted: Wed Aug 04, 2021 1:40 pm
aobscan will scan a module's memory for the matching bytes, which represent instructions in ASM, but doesn't actually return an address. It gives you a location where you can manipulate the instructions directly.
A pointer is usually held in a register e.g. EAX/RAX, EDI/RDI (32-bit/64-bit); the game will mov the pointer (an address which points to a value) data from one register to another, sometimes with an offset to denote how far behind, or further forward in memory, the data should be moved to.
In the memory viewer window on the left side you have the addresses of the module's functions. The centre column is the bytes which represent the instructions in machine code form; the column to the right of the byte column is the instructions in human-readable form (ASM).
Think of addresses as streets, and on those streets are houses (registers) and those houses have numbers (offsets).
When data is accessed it needs to know where to look. Armed with that analogy I'll do my best to explain.
In ASM the convention is like this:
Quote:
instruction destination,source
Examples of instructions are:
mov, jmp, jne, jz, je, cmp etc...
Examples of how data is moved in memory:
Code:
mov rax,[rdi]     // move the information held in the house RDI to the house RAX
mov ebp,[rax-4]   // move the value held in the house 4 numbers behind RAX to the house EBP
mov [rdi+8],rax   // move the value held in the house RAX to the house 8 numbers in front of RDI
mov eax,ecx       // move the house ECX to the house EAX
It's worth noting that these numbers are byte values.
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Wed Aug 04, 2021 4:16 pm
This looks like you're trying to find values with the AOB. You want to find instructions, not values, as these AOBs will tend to fail. Look up "code injection" and "injection copy" to make your own pointers.
Nevitar How do I cheat? Reputation: 0
Joined: 04 Aug 2021 Posts: 8
Posted: Wed Aug 04, 2021 6:49 pm
TheyCallMeTim13 wrote:
This looks like you're trying to find values with the AOB. You want to find instructions, not values as these AOBs will tend to fail. Look up "code injection" and "injection copy" to make your own pointers.
Oh, I see, thanks for the tip.
Well, what I wanted was to create a "symbol" with the address (dynamic), but say for this example, 1DF3BE8C018, so that in my CT I can create pointers by writing the symbol name + an offset, rather than the address.
Seeing as the address is dynamic, I needed a way to find this address properly, this changes several times while the game is still running, so not only on startup.
I was hoping to do it without meddling with allocating memory.
I did however try an example of injecting and I could not get that to work at all, probably because it's been ages since I did assembly.
So I should not be using AOBscan for that?
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Wed Aug 04, 2021 7:35 pm
I mean you can try, it might work. But from personal experience I can say it'll likely fail more than it works. Just look up the injection copy, once you do it you see it's a lot easier and faster than other approaches most times. I use it all the time to make my own pointers. Basically you find the address, see what accesses it, and inject where only the address you want is accessed to copy the address/base to your own pointer/symbol. And start with the CE templates as it will make things easier in the beginning.
Nevitar How do I cheat? Reputation: 0
Joined: 04 Aug 2021 Posts: 8
Posted: Thu Aug 05, 2021 4:02 am
TheyCallMeTim13 wrote:
I mean you can try, it might work. But from personal experience I can say it'll likely fail more than it works. Just look up the injection copy, once you do it you see it's a lot easier and faster than other approaches most times. I use it all the time to make my own pointers. Basically you find the address, see what accesses it, and inject where only the address you want is accessed to copy the address/base to your own pointer/symbol. And start with the CE templates as it will make things easier in the beginning.
Yeah, I did start out by trying that, could not get it to work though.
Also keep in mind that the address changes, and that there is a false positive.
The inventory is kept double, but only one changes the values.
Will it work for that?
The inventory has 127 items; I don't want to do this for each of them, so I figured I would try to dynamically create a pointer to some address just at the start.
TheyCallMeTim13 Wiki Contributor Reputation: 50
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Thu Aug 05, 2021 11:32 am
You'll need to find the instruction that accesses the real value. I'd look for the list/array base, so you'll need to do some back tracing. You'll likely find something like "[RAX+RCX*8+10]", where one register is the list base and the other is the item index. Once you find the base, just look for an instruction that runs constantly, or at least when you look at the inventory, so you'll get the new address whenever it changes.