Cheat Engine - The Official Site of Cheat Engine

Dlve (Advanced Cheater; Reputation: 0; Joined: 24 Feb 2014; Posts: 54)
Posted: Thu Apr 03, 2014 2:47 pm

Well, I finally found the right address that controls the gauge, phew. My biggest mistake was thinking that the gauge of my character and the computer's character were connected. That led me to the address which controlled the display. One other mistake was thinking that the value remained the same at a certain point when it didn't.
Probably the best thing to do when searching for the right address for gauges is to always assume that it's never the same value again, meaning to always use "changed value". The value may not be the same at maximum the next time, and the same thing when it's empty. The other thing is to look for changing values only when the gauge is moving, at least at first. Well, that's my advice anyway.
By the way, I was trying to make a script when the address's value type was 8 byte. How can I use mov correctly for a case like this?
Code:
    mov [ecx],#4755801205493255373

Rydian (Grandmaster Cheater Supreme; Reputation: 31; Joined: 17 Sep 2012; Posts: 1358)
Posted: Fri Apr 04, 2014 2:34 am

For #2, that's one of the things I told you.
As far as moving 8-byte values, I'm not sure exactly, as I've never needed to do it other than for doubles, in which case I use:
Code:
    mov [ecx],(double)123.456
If the value you're looking at is a double then you can use that shortcut.

Dlve (Advanced Cheater; Reputation: 0; Joined: 24 Feb 2014; Posts: 54)
Posted: Fri Apr 04, 2014 4:00 am

Rydian wrote:
    For #2, that's one of the things I told you.
I know, and I've been keeping that in mind after that. It's better to have instructions in one simple package, isn't it?
The certain point I was talking about in the first paragraph is not related to the same thing though.
Thanks for the tip about the double value.
Edit: This address can be found in all types, and when I work with the address as a 4 byte value in my script, the value stays the same. If I try to use:
Code:
    mov [ecx],(double)166833.531005859
the value changes. Is this normal with double values?
Don't mind about the example changing.

Rydian (Grandmaster Cheater Supreme; Reputation: 31; Joined: 17 Sep 2012; Posts: 1358)
Posted: Fri Apr 04, 2014 5:32 pm

Double is just double-precision floating-point, which means more digits, but floats are inherently slightly inaccurate, so if you mean that the hex/int representation is different (but it still works fine), then it's nothing to be alarmed about as far as I know.

Dlve (Advanced Cheater; Reputation: 0; Joined: 24 Feb 2014; Posts: 54)
Posted: Sat Apr 05, 2014 10:41 am

Rydian wrote:
    so if you mean that the hex/int representation is different (but it still works fine), then it's nothing to be alarmed about as far as I know.
Yes, that's what I was wondering. Thanks.
I've been testing different scripts and I'm having problems. The gauge is at maximum, but depending on which value I'm using, the serve speed may be lower or higher than it would normally be at maximum. This is why I wanted to know how to copy 8 byte values, because that might solve my problems.
I have found perhaps another road, but I need some help on this script:
Code:
    [ENABLE]
    alloc(newmem,2048)
    label(returnhere)
    label(originalcode)
    label(exit)
    newmem:
    cmp [esi+0],0
    jne originalcode
    mov [esi+254],#1065353216
    jmp exit
    originalcode:
    fst dword ptr [esi+00000254]
    exit:
    jmp returnhere
    "VT3.exe"+8D90D:
    jmp newmem
    nop
    nop
    nop
    returnhere:
    [DISABLE]
    dealloc(newmem)
    "VT3.exe"+8D90D:
    fst dword ptr [esi+00000254]
    //Alt: db D9 96 54 02 00 00
If there is one nop, the gauge starts at the top and empties, so it's moving backwards compared to normal. If there are two nops the game crashes, and with 3 or more nops the gauge stays at max. Using this script with more than one nop keeps the serve of my character normal, but the NPC's serve goes haywire. Is there a way around this?
Edit: In essence, what I'm asking is: is there a way to make the nop conditional so it only works for me, or are there any other commands which would have a similar effect?

Dlve (Advanced Cheater; Reputation: 0; Joined: 24 Feb 2014; Posts: 54)
Posted: Thu Apr 10, 2014 11:23 am

You know, somebody could at least tell me if it's not possible.

++METHOS (I post too much; Reputation: 92; Joined: 29 Oct 2010; Posts: 4197)
Posted: Thu Apr 10, 2014 12:09 pm

Assuming you have the correct address...
1. When writing a script, let CE build it for you. It will determine how many NOPs to use. If you do not use the correct amount, the game may be extremely buggy and/or crash.
2. Moving 8 byte values...there are several ways to do it. Did you try qword? You can mov esi into a custom address and manipulate it like you would a pointer address (and just set the value type to 8 byte). You can also try 4 byte offsets, if there are multiple addresses:
Code:
    newmem:
    cmp [esi+0],0
    jne originalcode
    mov [esi+250],FFFFFFFF
    mov [esi+254],FFFFFFFF
    mov [esi+258],FFFFFFFF
    jmp exit
etc.

Dlve (Advanced Cheater; Reputation: 0; Joined: 24 Feb 2014; Posts: 54)
Posted: Fri Apr 11, 2014 12:30 pm

++METHOS wrote:
    You can mov esi into a custom address and manipulate it like you would a pointer address (and just set value type to 8 byte)
I'm having difficulties understanding this; can you give an example, please?
I'm one hundred percent certain that I have the right address, because freezing this address freezes every other address that has something to do with serving. Other addresses do not have the same effect. Also, when I freeze the value just using Cheat Engine, while it can't keep the gauge full all the time because of the limitation, I still get a max serve.
I get an error when I do this:
Code:
    mov qword ptr [edi+254],#4685900211099271168

++METHOS (I post too much; Reputation: 92; Joined: 29 Oct 2010; Posts: 4197)
Posted: Fri Apr 11, 2014 1:32 pm

Activate the script. Once the script is activated, double click on the BASE ADDRESS entry and change it to a pointer. In the text box (for address), type in:
    base
Change the offset to +254 and click okay.
Of course, this only works well if the instruction is being accessed several times per second. If it is, just make sure that the value type is set to 8 byte (it should be, already). If so, set and/or freeze the value to whatever you want.
Attachment: VT3.CT (1.06 KB; downloaded 2648 times)

Dlve (Advanced Cheater; Reputation: 0; Joined: 24 Feb 2014; Posts: 54)
Posted: Sat Apr 12, 2014 5:58 am

Oh, you meant that way. I never thought of that, because I thought it would work the same way as just freezing the address once I've found it. As a matter of fact it works the same way, and I have to enable the script first and start serving before this works, so it is not a very efficient way. The instruction I'm using is being accessed several times, but only when the gauge shows up. There is one instruction that accesses the address even when the gauge is not there, but that one accesses hundreds of other addresses, so I don't want to touch it.
Could you show me another way?

++METHOS (I post too much; Reputation: 92; Joined: 29 Oct 2010; Posts: 4197)
Posted: Sat Apr 12, 2014 11:44 am

Have you tried manipulating multiple 4 byte addresses to achieve the desired effect (see script above)? Not sure why you received an error with qword (use hex). Alternatively, you can:
Code:
    push esi
    mov qword esi,FFFFFFFF33333333
    mov qword [edi+254],esi
    pop esi
By the way, why do you not want to just freeze the address?
If the other instruction is accessing your address CONSTANTLY, then I would recommend going that route, because this instruction is obviously not going to do what you want, if I am understanding you correctly. You should consider learning how to filter out those other addresses anyway.
Complete the CE tutorial.

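The immediates typed in this thread are decimal (CE's '#' prefix) or hex, and what they mean depends entirely on how the game reads the bytes: 1065353216 is the bit pattern of float 1.0, and an 8-byte write at +254 also overwrites the dword at +258 because of little-endian layout. The decoder below is an added example in Python, not code from the thread or from Cheat Engine; the two-float reading of the qword is one interpretation, and which reading the game actually uses is the thread's open question.

```python
import struct

# Immediates quoted in this thread, as typed after CE's '#' (decimal) prefix.
IMM_DWORD = 1065353216            # mov [esi+254],#1065353216
IMM_QWORD = 4685900211099271168   # mov qword ptr [edi+254],#4685900211099271168


def u32_to_float(u):
    """Read a 32-bit pattern as an IEEE-754 single (what 'fst dword ptr' stores)."""
    return struct.unpack('<f', struct.pack('<I', u & 0xFFFFFFFF))[0]


def float_to_u32(f):
    """Bit pattern behind a 4-byte 'float' value."""
    return struct.unpack('<I', struct.pack('<f', f))[0]


def double_to_u64(d):
    """Bit pattern behind CE's (double)123.456 shortcut."""
    return struct.unpack('<Q', struct.pack('<d', d))[0]


def u64_to_double(u):
    """Read a 64-bit pattern as an IEEE-754 double."""
    return struct.unpack('<d', struct.pack('<Q', u & 0xFFFFFFFFFFFFFFFF))[0]


def split_qword(u):
    """Little-endian memory order: the low dword lands at +0, the high dword at +4,
    so an 8-byte write at +254 also covers the 4-byte value at +258."""
    return u & 0xFFFFFFFF, (u >> 32) & 0xFFFFFFFF


def qword_as_two_floats(u):
    """Interpretation (an assumption, not the game's documented layout):
    the qword is two adjacent 4-byte floats."""
    lo, hi = split_qword(u)
    return u32_to_float(lo), u32_to_float(hi)


def describe(u, width):
    """All readings of an immediate of the given byte width (4 or 8)."""
    if width == 4:
        return {'hex': f'{u:#010x}', 'float': u32_to_float(u)}
    lo, hi = split_qword(u)
    return {'hex': f'{u:#018x}',
            'double': u64_to_double(u),
            'dword_at_+0': f'{lo:#010x}', 'float_at_+0': u32_to_float(lo),
            'dword_at_+4': f'{hi:#010x}', 'float_at_+4': u32_to_float(hi)}


if __name__ == '__main__':
    for imm, w in ((IMM_DWORD, 4), (IMM_QWORD, 8)):
        print(imm, describe(imm, w))
    print('(double)123.456 ->', f'{double_to_u64(123.456):#018x}')
```

Run it to see that the qword's low dword is exactly the 1.0 float from the 4-byte script, which is why writing "8 byte values" changes more than the gauge field alone.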
Dlve (Advanced Cheater; Reputation: 0; Joined: 24 Feb 2014; Posts: 54)
Posted: Sat Apr 12, 2014 1:44 pm

I have completed the tutorial. The cmp part in the script I've given you is there for filtering purposes, so I have a basic understanding of filtering. Actually, ++METHOS, you are the one who taught me how to filter.
If there were like 10, maybe as many as 20 addresses, then I might be able to filter them, but when there are hundreds of them, it gets really tricky. Even if I could filter them, I would always have to write the value I want to use. The biggest problem I have with just freezing the value is that the gauge gets funky.
I haven't tried that multiple addresses advice, because I understood that I would need more than one address. None of the instructions are accessing other addresses that are connected to the gauge.
Using qword with hex doesn't change a thing; I still get "code is not injectable". This happens when I try it with that push command as well.
I'm not using this instruction either, since you said that the NOP count should not be messed with. I have a couple of others that I need the 8 byte values for.

++METHOS (I post too much; Reputation: 92; Joined: 29 Oct 2010; Posts: 4197)
Posted: Sat Apr 12, 2014 7:07 pm

A couple of things...
1. Filtering out addresses is easy...even if there are hundreds of addresses; it just takes time.
2. If freezing the value doesn't work, or doesn't always work as it should, then you may need to change your approach or find a different address altogether.
3. You say you would always have to write the value...not sure what you mean. If freezing the value causes problems, have you tried just nop'ing the instruction that writes to your targeted address?
4. Regarding multiple addresses...you said that you needed to manipulate multiple addresses for the cheat to function properly. Even though the instruction may appear to only be accessing one address, those other addresses in that structure are being manipulated somehow. For example, the targeted address is at offset +254, but if you manipulate that address (and) the address at offset +250 (or +258), then that same instruction can be used to access all addresses that pertain to your targeted value(s).
5. The code should be injectable...are you using CE 6.3?
6. Not sure what you're referring to about the NOP...you can still NOP the instruction without altering the NOPs necessary to maintain byte structure. By letting CE build the script for you, that is covered. So, to NOP the instruction for your targeted address, you would just do this (assuming this is the instruction that 'writes' to your address and not 'accesses' it):
Code:
    [ENABLE]
    alloc(newmem,2048)
    label(returnhere)
    label(originalcode)
    label(exit)
    newmem:
    cmp [esi+0],0
    jne originalcode
    jmp exit
    originalcode:
    fst dword ptr [esi+00000254]
    exit:
    jmp returnhere
    "VT3.exe"+8D90D:
    jmp newmem
    nop
    nop
    nop
    returnhere:
    [DISABLE]
    dealloc(newmem)
    "VT3.exe"+8D90D:
    fst dword ptr [esi+00000254]
    //Alt: db D9 96 54 02 00 00
Is the game offline and downloadable? If so, maybe I can help when I have time. I am busy these days, but I can take a look at it in my free time.

Dlve (Advanced Cheater; Reputation: 0; Joined: 24 Feb 2014; Posts: 54)
Posted: Sun Apr 13, 2014 6:03 am

++METHOS wrote:
    1. When writing a script, let CE build it for you. It will determine how many NOPs to use. If you do not use the correct amount, the game may be extremely buggy and/or crash.
1. Okay, I guess I'll try to do some filtering.
2. You misunderstand; the freezing works, but due to Cheat Engine's slowness the gauge fills and empties at a rapid pace. If I just inject code, the gauge would stay full constantly.
3. Using this method I can see the value of the gauge depending on how full it is. If I want it to be full constantly, I always need to write it and then freeze the value, don't I? I'll try nop'ing some instructions and see what happens.
4. So I can use different addresses in a script even if the instructions don't access them. Can I be sure that those addresses that aren't accessed work as they do when frozen, or is this something I always need to verify?
5. I am using CE 6.3, I am not kidding, and it complains that the code is not injectable and shows the exact code that I posted above.
6. Above is your quote; that's what I mean by NOP count. Cheat Engine automatically produces one NOP in the script I showed you. I just hoped I could add more NOPs, because it would have been perfect, but I would need them to only work while I'm serving, which I understood from your post is not possible.
I've had this game for many years and I could not tell where I got it, but I'm sure it can be downloaded. Yes, it's offline too.
Edit: Yeah, that above script writes to the address, and just NOP'ing it keeps the gauge empty. You know what else it does if you read the post. There is a second instruction that does the same thing and two more which are useless.
Edit2: It just feels to me that using the 4 byte values doesn't do the job. While the gauge is full, the serve speed remains below the normal maximum speed. This is not the case with 8 byte values. Besides, the other values have offsets like 255 or 256; I'm not sure if it matters, but at least they do not remain the same when I use them in the script.
Another Edit: Tried filtering the instruction that accesses hundreds of addresses. Well, I was filtering this instruction and I was wondering why it didn't have any effect on the gauge. Then I just NOPed it. Well, my character's pants looked awry, not much else, except once the point was over the game crashed. So I think that instruction can be overlooked.

++METHOS (I post too much; Reputation: 92; Joined: 29 Oct 2010; Posts: 4197)
Posted: Sun Apr 13, 2014 10:16 am

Dlve wrote:
    1. Okay, I guess I'll try to do some filtering.
-Even if you are not successful, you will learn more with each attempt. It is a skill that can be improved, and you will not regret doing so.
Dlve wrote:
    2. You misunderstand; the freezing works, but due to Cheat Engine's slowness the gauge fills and empties at a rapid pace. If I just inject code, the gauge would stay full constantly.
-Two things...either change the update/freeze interval in settings, or alter the instruction that writes to your address so that, instead of writing it (reducing it), it either does nothing or always writes the 100% value, etc.
Dlve wrote:
    3. Using this method I can see the value of the gauge depending on how full it is. If I want it to be full constantly, I always need to write it and then freeze the value, don't I? I'll try nop'ing some instructions and see what happens.
-Not necessarily. For example, if you nop the instruction that writes to your address, the value should never change. You can do that while also setting the value to whatever you want. Technically, you should only have to do this once, since the value will never be written to again (in most cases), but since your script will be executed whenever that code is executed, it will actually be happening over and over again unless you write your script to je originalcode when the gauge is full, etc.
Dlve wrote:
    4. So I can use different addresses in a script even if the instructions don't access them. Can I be sure that those addresses that aren't accessed work as they do when frozen, or is this something I always need to verify?
-You can manipulate any addresses that appear in that structure, just by adjusting the offset of the register that is holding the value of your targeted address. However, since the instruction that you are using for your injection point is not ideal (i.e. isn't constantly being accessed), the instructions that actually handle the other addresses in your structure may overwrite your values faster than you can manipulate them...which is another reason why you should use a better injection point if you can. This helps to eliminate unneeded injection points (e.g. nop'ing the instructions that write to your other addresses).
Dlve wrote:
    5. I am using CE 6.3, I am not kidding, and it complains that the code is not injectable and shows the exact code that I posted above.
-Be sure you are running the latest release of 6.3. Other than that, I do not know; this is a question for Darkbyte. Fortunately, there are other ways to handle 8 byte values.
Dlve wrote:
    6. Above is your quote; that's what I mean by NOP count. Cheat Engine automatically produces one NOP in the script I showed you. I just hoped I could add more NOPs, because it would have been perfect, but I would need them to only work while I'm serving, which I understood from your post is not possible.
-It's possible; you just have to be careful with what you are overwriting. Typically, you would not alter those NOPs; you would just focus on the instruction by either altering it, including it or not including it. If adding more NOPs works, then maybe you need to change your injection point, or include additional injection points that make use of conditional jumps so that they are executed only when you want them to be (e.g. when you are serving, etc.). Regardless of your approach, you should not alter those NOPs that CE generates unless you really understand what you are doing.
Dlve wrote:
    I've had this game for many years and I could not tell where I got it, but I'm sure it can be downloaded. Yes, it's offline too.
-I'll take a look when I have time...could be a while.
EDIT: a quick search for the game didn't yield any results; all of the links are now dead. Torrents are a no-go, but any host via RPnet would have done.
As a test, fiddle around with the value to see what you come up with:
Code:
    [ENABLE]
    alloc(newmem,2048)
    label(returnhere)
    label(originalcode)
    label(exit)
    newmem:
    cmp [esi+0],0
    jne originalcode
    mov [esi+00000254],FFFFFFFF ///////////////Value
    jmp exit
    originalcode:
    fst dword ptr [esi+00000254]
    exit:
    jmp returnhere
    "VT3.exe"+8D90D:
    jmp newmem
    nop
    nop
    nop
    returnhere:
    [DISABLE]
    dealloc(newmem)
    "VT3.exe"+8D90D:
    fst dword ptr [esi+00000254]
    //Alt: db D9 96 54 02 00 00
Last edited by ++METHOS on Sun Apr 13, 2014 10:40 pm; edited 1 time in total