crislivinitup Cheat Engineer
Reputation: 0
Joined: 08 Feb 2007 Posts: 19
Posted: Sun May 02, 2010 2:53 am    Post subject: poking memory to use ingame functions
Hi guys,
I'm currently making a bot and I'd like to know how I can poke memory to push a button in the game. For example, there is a button which, when pressed, causes the character to drink a potion... or when pressed it will send coordinates to make the character go to a specific x, y on the map. I'm assuming ollydbg may be of help in this? I would like to be able to do this with only the help of cheatengine. I'm making a bot which can read and poke memory. I figured it would be a test to see if the button is pushed and all I need to do is poke the memory tested... though it might be in the registry...
Well, any help is appreciated.
Please don't tell me to do it a different way than poking memory, unless I can incorporate it in my bot through a windows API, it won't be very useful to me.
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Sun May 02, 2010 6:47 am
Well, there are two main ways of doing what you describe. The first is to find the function. This can be done by debugging the function and tracing out via return addresses. The second way is to find the message that is processed by the game that calls this function, then emulate that message. This is commonly done with PostMessage, etc.
It can't be done very easily by just poking memory, short of creating threads in the function or injecting a DLL and calling the function.
crislivinitup Cheat Engineer
Reputation: 0
Joined: 08 Feb 2007 Posts: 19
Posted: Sun May 02, 2010 7:06 am
Let's say I can find the function with ollydbg... is it just as simple as poking a memory value to initiate the ingame function? I figure it depends on how the programming is structured.... all function calls eventually start back from a conditional if-then statement, like if the button is pressed then initiate (call the function to build) this menu... etc. I'm very new to this, are there any examples of successfully doing this? Can you explain to me in greater detail?
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Sun May 02, 2010 9:00 am
crislivinitup wrote:
    Let's say I can find the function with ollydbg... is it just as simple as poking a memory value to initiate the ingame function? I figure it depends how the programming is structured.... all function calls eventually start back from a conditional if and then statement, like if the button is pressed then initiate(call the function to build) this menu... etc. I'm very new to this, are there any examples of successfully doing this? Can you explain to me in greater detail?
Yes, you're right. I've done something similar in the past. Usually in the message processing loop there is a switch-case structure. In the past I did something similar to what you're suggesting. I toggled the if so it always fell through to a particular function, resulting in a crazily fast autoclick. There is a problem with this method though, which is that you are essentially replacing other messages with yours instead of emulating new ones. So when I did this I realised some real messages stopped being processed. Imagine you did it for a particular case in a WM_COMMAND. All messages that were WM_COMMAND but under the message you are forcing are redirected to yours.. I'm not sure how familiar you are with the message processing paradigm, so I can re-explain properly if you wish. Either way it's best to do it by creating threads at the function start or continuously calling it, which does require some form of code injection.
crislivinitup Cheat Engineer
Reputation: 0
Joined: 08 Feb 2007 Posts: 19
Posted: Sun May 02, 2010 10:14 pm
Oh, I see... I think I understand what you're saying: if it's a WM_COMMAND which would be used for many functions, then many functions may cease to be called. But what if it is a poke for a one-time thing (not freezing it)? Then it would press the button once, correct?
Also, if I do end up doing code injection, where would I have to inject the code to jump to the function? If I do it at the wrong place in the main loop then it will call the function too many times and crash. (I'm assuming.)
I'm not too familiar with these things, which is why I posted. I'm also having trouble actually finding the ingame function, any suggestions? The function is an autowalk function in the game piratekingonline. I'd like to send the coordinates to autowalk to without clicking a thing. If I'm using ollydbg I'm not sure where to set the breakpoint. Of course if there is a Cheat Engine way to find the function that would be even better.
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Mon May 03, 2010 8:29 am
If you are to poke something, you would poke a conditional jump to become unconditional or to reverse its condition. That is what I assumed you meant by poking it. You would not be poking memory in the data section but memory encoding instructions in the code section.
If you end up doing code injection, you would allocate memory in the target, and write a procedure there that continuously calls the function. It will not crash unless that function is inside some sort of critical section that you violated by calling it instead of a wrapper for it. Alternatively you could just keep creating remote threads at that function but that way you are only able to pass a single parameter. Or you could try to send the message itself that is handled by a call to the function by using SendMessage/PostMessage or some other way of emulating input.
If it's autowalk you're trying to do, perhaps try sending the keys that you would press normally to walk. Or you can find the coordinate addresses, find what writes to them, and debug and trace from the addresses you get from that.
crislivinitup Cheat Engineer
Reputation: 0
Joined: 08 Feb 2007 Posts: 19
Posted: Mon May 03, 2010 8:40 am
I didn't have any ideas about how to find the function, but you just gave me a great idea. The coordinates are somehow connected to the function, because of course the function will have to compare the current coordinates to the desired coordinates.... or after I send the coordinates I immediately search for them while he's still walking and see what reads from them to perform the comparative check, and I should be inside the function.
Though, can you explain this PostMessage/SendMessage thing... at first I thought you were referring to a name inside a Windows API module, though now I'm beginning to think not. It might be an interesting way of tackling the problem; just for knowledge's sake. Thanks for the reply.
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Mon May 03, 2010 9:08 am
In the message processing paradigm, the window can be considered as an entity of some sort. Its creation is completely separate from how the user interacts with it. Once it is created, we only have to worry about user interaction with it. This user interaction comes in the form of messages. When the user does something, say click or press a key, etc., the system sends your window a given message. Even plugging in a USB device will broadcast a Windows message to all top-level windows. The programmer's job is to handle the particular messages that they are interested in. All other messages are redirected to some sort of default callback procedure.
The window does not worry about how the messages are generated; all it needs to worry about is that when a particular message comes, it needs to match that message with a handler for it. This handler is the code that is executed when our window is notified of that message. So let's put it like this. Maybe in a game, our programmer would want to handle the case when the user presses the arrow buttons. So in the procedure handling Windows messages, it says 'oh, if we see an arrow button, let's call function X to move the character this way'. If we want to move the character ourselves, we can either send the message to the window or we can call function X directly. Sending the message yourself can be done by bashing your finger up and down on that particular button, or programmatically it can be done with the SendMessage or PostMessage APIs.
So as you can see, we can actually manipulate the game at several different levels. We can do it by bashing buttons.. the hardware level. We could also do it at a driver level with APIs like SendInput. Abstracting still further up, we can do it by sending the messages that would be generated from both of the above cases. This is pretty much the top level of abstraction. Or we can look at it from a different angle. Instead of interacting with the game system by giving it input and letting it do its thing, how about we take the job of the game system itself (calling the function manually)?
Yes, your idea of getting the function is exactly what I was suggesting in my previous post.
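The switch-case message dispatch that Slugsnack describes in the two posts above, and the side effect he reports when the conditional in it is toggled (all other WM_COMMAND traffic lands in the forced case), can be shown in a small simulation. The following C program is an added example written for this thread, not code from either poster or from any game: it uses no Win32 headers, so the window procedure, the message queue (post_message stands in for PostMessage, pump_messages for the GetMessage/DispatchMessage loop), the command IDs and the game-state handlers are all constructed stand-ins, and the "organic" traffic it feeds through the queue is made up for the demonstration.

```c
#include <stdio.h>
#include <stdint.h>

/* Message ids mirror their Win32 counterparts (WM_COMMAND = 0x0111,
   WM_KEYDOWN = 0x0100); the command ids below are invented for this example. */
enum { MSG_COMMAND = 0x0111, MSG_KEYDOWN = 0x0100 };
enum { ID_DRINK_POTION = 1001, ID_AUTOWALK = 1002, ID_OPEN_MENU = 1003 };

/* Pack x/y into lParam the way MAKELPARAM does (low word x, high word y). */
#define PACK_XY(x, y) ((intptr_t)((((uint32_t)(y) & 0xFFFFu) << 16) | ((uint32_t)(x) & 0xFFFFu)))

/* A message record shaped like a Win32 MSG: id plus two parameters. */
typedef struct { uint32_t message; uintptr_t wParam; intptr_t lParam; } Msg;

/* Observable game state mutated by the handlers (constructed for the test). */
typedef struct {
    int potions_drunk, menus_opened, walks, walk_x, walk_y, defaulted;
} GameState;

/* The handlers the window procedure dispatches to ("function X" in the thread). */
static void drink_potion(GameState *g) { g->potions_drunk++; }
static void open_menu(GameState *g) { g->menus_opened++; }
static void autowalk(GameState *g, int x, int y) { g->walks++; g->walk_x = x; g->walk_y = y; }

/* Window procedure: a switch on the message, then a switch on the command id.
   force_autowalk models the "toggle the conditional" patch from the thread: the
   id comparison is short-circuited, so every MSG_COMMAND lands in the autowalk case. */
static void wndproc(GameState *g, const Msg *m, int force_autowalk) {
    switch (m->message) {
    case MSG_COMMAND: {
        uint32_t id = force_autowalk ? ID_AUTOWALK : (uint32_t)(m->wParam & 0xFFFFu);
        switch (id) {
        case ID_DRINK_POTION: drink_potion(g); break;
        case ID_OPEN_MENU:    open_menu(g); break;
        case ID_AUTOWALK:
            autowalk(g, (int)(m->lParam & 0xFFFF), (int)((m->lParam >> 16) & 0xFFFF));
            break;
        default: g->defaulted++; break;
        }
        break;
    }
    default: g->defaulted++; break;   /* everything else goes to the default procedure */
    }
}

/* Thread message queue: post_message appends (like PostMessage), pump_messages
   drains it through the window procedure (like the GetMessage/DispatchMessage loop). */
#define QUEUE_MAX 16
typedef struct { Msg items[QUEUE_MAX]; int count; } MsgQueue;

static int post_message(MsgQueue *q, uint32_t message, uintptr_t wParam, intptr_t lParam) {
    if (q->count >= QUEUE_MAX) return 0;
    q->items[q->count] = (Msg){ message, wParam, lParam };
    q->count++;
    return 1;
}

static void pump_messages(GameState *g, MsgQueue *q, int force_autowalk) {
    for (int i = 0; i < q->count; i++) wndproc(g, &q->items[i], force_autowalk);
    q->count = 0;
}

/* Constructed "organic" traffic: the player drinks a potion, presses a key, opens a menu. */
static void post_organic_traffic(MsgQueue *q) {
    post_message(q, MSG_COMMAND, ID_DRINK_POTION, 0);
    post_message(q, MSG_KEYDOWN, 0x27 /* VK_RIGHT */, 0);
    post_message(q, MSG_COMMAND, ID_OPEN_MENU, 0);
}

/* Approach 1: emulate the input by posting the real message with real parameters. */
GameState scenario_post_message(void) {
    GameState g = {0}; MsgQueue q = {0};
    post_organic_traffic(&q);
    post_message(&q, MSG_COMMAND, ID_AUTOWALK, PACK_XY(120, 45));
    pump_messages(&g, &q, 0);
    return g;
}

/* Approach 2: the forced conditional. No synthetic message is sent; the same
   organic traffic is processed, but the branch always selects the autowalk case. */
GameState scenario_forced_branch(void) {
    GameState g = {0}; MsgQueue q = {0};
    post_organic_traffic(&q);
    pump_messages(&g, &q, 1);
    return g;
}

int main(void) {
    GameState a = scenario_post_message(), b = scenario_forced_branch();
    printf("posted message : potions=%d menus=%d walks=%d to (%d,%d) default=%d\n",
           a.potions_drunk, a.menus_opened, a.walks, a.walk_x, a.walk_y, a.defaulted);
    printf("forced branch  : potions=%d menus=%d walks=%d to (%d,%d) default=%d\n",
           b.potions_drunk, b.menus_opened, b.walks, b.walk_x, b.walk_y, b.defaulted);
    return 0;
}
```

In the posted-message run every handler fires exactly as the traffic says and the autowalk receives the (120, 45) that was packed into lParam. In the forced-branch run the potion and menu commands never reach their handlers and the autowalk runs twice with whatever parameters those unrelated commands happened to carry, which is the "real messages stopped being processed" effect from the thread. That run also differs from the first in a way a defender can check: the forced branch only exists because bytes in the code section were changed, so a comparison of the loaded image against its on-disk code will show it, whereas a posted message leaves the code untouched and shows up only as traffic in the queue.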