Cheat Engine - The Official Site of Cheat Engine

DukeKickem (How do I cheat?, Reputation: 0, Joined: 28 Nov 2021, Posts: 5)
Posted: Sun Nov 28, 2021 7:04 am
Post subject: Failing to cheat UnderMine

I've been trying to make myself a cheat table for the game UnderMine. I'd like to do it myself as an exercise, but I seem to be doing something wrong.
I want to be able to have a cheat table for keys and bombs; both are 4-byte values. I can easily find them when starting a game, but the problem is that they move around in memory for each new game. So I tried finding their pointers so I can save those, hoping this way I will always be able to edit the values when starting a new game without having to search for them again.
So I got the address of the bombs, saw what writes to that address when a bomb is added or removed, and you can see the result in the attached image.
From what I gather, the base address for the game is what's in the RDI register, and the pointer for the bombs should be the value of the RDI register and an offset of 38 (I also tried the "RSI" register, but the value was the same as in the RDI).
But when I add the address manually, check the pointer checkbox and enter "38" as the offset, the value shown is 0 while I have 3 bombs.
I can't figure out what I'm doing wrong.
[attached image: 22.73 KB, viewed 2585 times]
Last edited by DukeKickem on Sun Nov 28, 2021 7:45 am; edited 1 time in total

LeFiXER (Grandmaster Cheater Supreme, Reputation: 20, Joined: 02 Sep 2011, Posts: 1055, Location: 0x90)
Posted: Sun Nov 28, 2021 7:31 am

You can see how many times the instructions are accessed. The value won't update unless the instruction is accessed. RDI won't be the base address of the game but the pointer address of the value that holds your bombs.
r15 will also hold that pointer address. If you select the instruction and click Show disassembler, set a breakpoint on that instruction. See the values in the registers. Run the game again, add the value (address) held in r15 to the cheat table with the offset 38. It should correlate to your bomb value.
DukeKickem (How do I cheat?, Reputation: 0, Joined: 28 Nov 2021, Posts: 5)
Posted: Sun Nov 28, 2021 7:57 am

LeFiXER wrote:
> You can see how many times the instructions are accessed. The value won't update unless the instruction is accessed. RDI won't be the base address of the game but the pointer address of the value that holds your bombs.
> r15 will also hold that pointer address. If you select the instruction and click Show disassembler, set a breakpoint on that instruction. See the values in the registers. Run the game again, add the value (address) held in r15 to the cheat table with the offset 38. It should correlate to your bomb value.

Oh, wow, I didn't know I could add breakpoints.
But, anyway, I started the game again, attached the debugger, etc., and added the value stored in r15 with an offset of 38, and it still shows "0" as its value.
Adding pics; as you can see, I have 8 bombs at the moment.
[attached images: 70.08 KB, 48.26 KB and 32.86 KB, each viewed 2563 times]
LeFiXER (Grandmaster Cheater Supreme, Reputation: 20, Joined: 02 Sep 2011, Posts: 1055, Location: 0x90)
Posted: Sun Nov 28, 2021 9:11 am

I can't say for what reason the addresses don't add up, but with Mono games it's better to pull the address from the register using a script and then create pointers based on that address.
On the instruction where you placed the breakpoint, press Ctrl+A (Auto Assemble), or you can access it via Tools > Auto Assemble. In the Auto Assemble window press Ctrl+Shift+A (AOB Injection) or click Template > AOB Injection.
Select the array of bytes and scan to make sure it is unique. It should be, but sometimes it's not; if it isn't, you just keep adding bytes to the end of the array until the AOB scan yields just 1 result. You can pull a pointer using this method.
Code:
[ENABLE]
// You can change the name of INJECT to something more fitting. (Make sure all occurrences of the word INJECT match the new name.)
aobscan(INJECT,[the array of bytes goes here])
alloc(newmem,$1000,INJECT)
// Here we are allocating 8 bytes of memory to store the pointer address, which happens to be a 64-bit value in this case. If it's a 32-bit game then use 4 bytes.
alloc(pointer,8)
label(code)
label(return)
newmem:
// Copy the address held in RDI into [pointer]. Brackets denote "the value held at"; pointer on its own is the address of the pointer cell.
mov [pointer],rdi
code:
// original instructions
movsxd rax,dword ptr [rdi+38]
mov [rbp-38],rax
jmp return
INJECT:
jmp newmem
nop 3
return:
registersymbol(INJECT)
// Here we register the symbol so we can access it in the table
registersymbol(pointer)
[DISABLE]
INJECT:
db [array of bytes goes here]
unregistersymbol(INJECT)
// Here we unregister the symbol so it isn't accidentally used should the script be deactivated.
unregistersymbol(pointer)
dealloc(newmem)
// Finally, we deallocate the memory we allocated earlier
dealloc(pointer)
Once you activate that script, you can use the Dissect Data Structure feature to dissect the structure. In the address field type [pointer], then create a new struct (Ctrl+N). Cheat Engine will dissect the structure and give you lots of information regarding that struct. From there, you can use the offsets to add to the pointer within the table.
Add a new address; in the address field type [pointer]+offset (where offset is the offset). Set the data type accordingly and there you have it.
If I helped in any way, please give rep.
ParkourPenguin (I post too much, Reputation: 140, Joined: 06 Jul 2014, Posts: 4297)
Posted: Sun Nov 28, 2021 11:52 am

In the "Add address" window, the arrow -> means "points to X", or "the value stored at this address is the address X".
The value of r15, 2AF50C960F0, is an address. This address is not necessarily a pointer. You can add 0x38 to this address to get the address you want. You don't need to dereference that address.
Uncheck the "pointer" checkbox and put "2AF50C960F0+C8" for the address to mimic what the game is doing.
Look at the CE tutorial for more information on pointers. This video on step 8 also covers the correct way to use the pointer scanner:
https://www.youtube.com/watch?v=3dyIrcx8Z8g
I still think code injection is a better way of getting an address in general. Search for "injection copy" for more information.
--
I don't know where I'm going, but I'll figure it out when I get there.
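The disagreement in this thread comes down to what the "pointer" checkbox in Add Address does: with it checked, Cheat Engine first reads the 8-byte value stored at the base address and only then adds the offset, whereas with it unchecked the offset is added to the base itself. The following C program is an added example, not code from the thread or from Cheat Engine; it models that resolution rule over a constructed mock of process memory (all addresses and values are made up for the demo) and reproduces the three table entries discussed above: DukeKickem's entry (r15 value as base, pointer checked, offset 38), ParkourPenguin's plain r15+38, and LeFiXER's [pointer]+38, where the injected stub's mov [pointer],rdi is modelled by a function that copies rdi into an 8-byte cell. The object header being 0 is an assumption standing in for whatever the real Mono object holds in its first qword.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed mock of a slice of the game's address space. "Addresses" are
 * offsets into this buffer so the demo runs offline without touching a real
 * process. Layout (all values constructed for the example):
 *   0x040  "pointer" cell, like alloc(pointer,8) in the auto-assembler script
 *   0x100  the resource object that rdi/r15 points at while the game runs
 *   0x138  its bomb count, i.e. dword ptr [rdi+38]
 */
#define MEM_SIZE      0x200
#define POINTER_CELL  0x040
#define OBJECT_ADDR   0x100
#define COUNT_OFFSET  0x38
#define BOMBS         3

static uint8_t mem[MEM_SIZE];
static int initialised = 0;

/* Bounds-checked reads; CE shows "??" when a path runs off into unmapped memory. */
static int read_u64(uint64_t addr, uint64_t *out) {
    if (addr + 8 > MEM_SIZE) return 0;
    memcpy(out, mem + addr, 8);
    return 1;
}

static int read_i32(uint64_t addr, int32_t *out) {
    if (addr + 4 > MEM_SIZE) return 0;
    memcpy(out, mem + addr, 4);
    return 1;
}

static void write_u64(uint64_t addr, uint64_t v) { memcpy(mem + addr, &v, 8); }
static void write_i32(uint64_t addr, int32_t v) { memcpy(mem + addr, &v, 4); }

/* The instruction the thread breaks on, movsxd rax,dword ptr [rdi+38], runs
 * with rdi = OBJECT_ADDR. The injected stub in the script does
 * mov [pointer],rdi before the original code; this models that copy. */
static void game_touches_bombs(uint64_t rdi) {
    write_u64(POINTER_CELL, rdi);
}

static void setup(void) {
    if (initialised) return;
    memset(mem, 0, sizeof mem);
    /* Assumption: the first qword of the object is a header (class/vtable
       pointer in Mono), not the count; 0 stands in for the real header. */
    write_u64(OBJECT_ADDR, 0);
    write_i32(OBJECT_ADDR + COUNT_OFFSET, BOMBS);
    game_touches_bombs(OBJECT_ADDR);
    initialised = 1;
}

/*
 * What the "pointer" checkbox means: start at base and, for each offset,
 * first READ the 8-byte value stored there, then add the offset.
 * With n == 0 no dereference happens and base is used as-is.
 */
static int resolve(uint64_t base, const uint64_t *offsets, int n, uint64_t *final_addr) {
    uint64_t addr = base;
    for (int i = 0; i < n; i++) {
        uint64_t next;
        if (!read_u64(addr, &next)) return 0;
        addr = next + offsets[i];
    }
    *final_addr = addr;
    return 1;
}

/* The 4-byte value a table entry would display, or -1 for "??". */
static int32_t table_value(uint64_t base, const uint64_t *offsets, int n) {
    uint64_t addr;
    int32_t v;
    setup();
    if (!resolve(base, offsets, n, &addr) || !read_i32(addr, &v)) return -1;
    return v;
}

static const uint64_t off38[] = { COUNT_OFFSET };

/* DukeKickem's entry: base = r15 value, pointer checked, offset 38.
   The object's header is read as an address, so the path lands elsewhere. */
int32_t entry_pointer_checked(void)  { return table_value(OBJECT_ADDR, off38, 1); }

/* ParkourPenguin's fix: base = r15+38 with the pointer box unchecked. */
int32_t entry_plain_address(void)    { return table_value(OBJECT_ADDR + COUNT_OFFSET, NULL, 0); }

/* The script's approach: "[pointer]+38", where pointer holds a copy of rdi. */
int32_t entry_via_pointer_cell(void) { return table_value(POINTER_CELL, off38, 1); }

int main(void) {
    printf("pointer checked, offset 38 : %d\n", entry_pointer_checked());
    printf("plain r15+38               : %d\n", entry_plain_address());
    printf("[pointer]+38 after inject  : %d\n", entry_via_pointer_cell());
    return 0;
}
```

The first entry prints 0, which is exactly the symptom from the opening post: the header qword is treated as a pointer and 0x38 is added to it, so the entry ends up reading unrelated memory. The other two resolve to the same address and show the real count; the pointer-cell form is the one that survives a restart, because the cell is refreshed every time the game executes the hooked instruction.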
LeFiXER (Grandmaster Cheater Supreme, Reputation: 20, Joined: 02 Sep 2011, Posts: 1055, Location: 0x90)
Posted: Sun Nov 28, 2021 1:47 pm

ParkourPenguin wrote:
> In the "Add address" window, the arrow -> means "points to X", or "the value stored at this address is the address X".
> The value of r15, 2AF50C960F0, is an address. This address is not necessarily a pointer. You can add 0x38 to this address to get the address you want. You don't need to dereference that address.
> Uncheck the "pointer" checkbox and put "2AF50C960F0+C8" for the address to mimic what the game is doing.
> Look at the CE tutorial for more information on pointers. This video on step 8 also covers the correct way to use the pointer scanner:
> https://www.youtube.com/watch?v=3dyIrcx8Z8g
> I still think code injection is a better way of getting an address in general. Search for "injection copy" for more information.

I'm not 100% familiar with the terms used, but I believe the script I posted previously demonstrates what you're suggesting. Although, I know that in this case it is a struct that contains more than just the value of the item; it includes other values pertaining to the object, which is a resource.
DukeKickem (How do I cheat?, Reputation: 0, Joined: 28 Nov 2021, Posts: 5)
Posted: Sat Dec 04, 2021 10:18 am

ParkourPenguin wrote:
> In the "Add address" window, the arrow -> means "points to X", or "the value stored at this address is the address X".
> The value of r15, 2AF50C960F0, is an address. This address is not necessarily a pointer. You can add 0x38 to this address to get the address you want. You don't need to dereference that address.
> Uncheck the "pointer" checkbox and put "2AF50C960F0+C8" for the address to mimic what the game is doing.
> Look at the CE tutorial for more information on pointers. This video on step 8 also covers the correct way to use the pointer scanner:
> [vid]
> I still think code injection is a better way of getting an address in general. Search for "injection copy" for more information.

That video tutorial and pointer scanning def saved my hide. I was successful in finding keys, will try for the others as well, and I will also look into the code injection thing.
EDIT:
Can't double-post, so I just wanted to say, LeFiXER, your explanation is waaaaaaaaaaaaaaay too advanced for my blood.