iPromise Grandmaster Cheater
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Tue Jun 22, 2010 6:44 pm Post subject: Some questions on pointers.
I know how to use pointers, but I don't understand the math in the scan, or how to obtain the pointer's offsets after the scan.
My first question is:
Why do we subtract the offset range from the address we're searching for, and from there check whether any address has a value between the address minus the offset range and the address itself?
That leads to my second question:
Once we have an address, how do we obtain its offsets? For example, Cheat Engine v5.6 gives me:
CC
C8
D0
How do we programmatically find those 3 offsets, and how do we even know if the address is a level 1 pointer, level 2 pointer, level 3 pointer, etc?
Thanks.
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Tue Jun 22, 2010 7:01 pm
I don't know what you mean by the first question. Given a pointer x which points to y, and then adding offset z points to our dynamic address d, you seem to be implying that at any point we should be scanning for an address in the range of y to y + z.
The offsets can be 'guessed' by looking at the instruction. If you did and understood the Cheat Engine tutorial you would know this. For example, 'mov edi,[esi+08]' means esi is probably y in our case and 8 is z. More commonly you'll see something like:
mov eax,[ebx+ecx*4]
This is an array dereference: ebx is the address of the start of the array, 4 is the size of each element of the array and ecx is the array index. Therefore our y is ebx and our offset is ecx*4. Scanning for the value of ebx at that point should yield a pointer.
iPromise Grandmaster Cheater
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Tue Jun 22, 2010 7:22 pm
You have to disassemble the target to obtain the inline assembly, correct?
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25832 Location: The netherlands
Posted: Tue Jun 22, 2010 7:23 pm
I'm assuming he's talking about the pointer scan, where it's basically brute-forcing all possible pointer paths.
I'll try to explain CE's pointer scan.
Let's say you scan for address 12345108 and a struct size of 2048 (0x800).
CE will then scan for pointer values between (12345108-800) and (12345108).
For each address it finds (p-lev1), it scans again from (p-lev1-800) to (p-lev1),
and for each result that gives (p-lev2) it does it again from (p-lev2-800) to (p-lev2)... until the max level has been reached, or another end condition has been met (e.g. a static address).
Of course, CE doesn't actually scan those values each time; it keeps a map of all pointer values and all the pointers that have that specific value for quick lookup.
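The procedure Dark Byte describes above, as an added example that is not Cheat Engine's own code: a small Python pointer scan over a constructed 32-bit memory snapshot. Every address in it, the assumed static module range 0x00400000-0x00410000, the struct size of 0x800 and the "health" target at 0x0345001C are made up for the demo. It builds the value-to-holders map once, walks backwards from the target using the (addr - structsize) to addr window, recurses on each holder, stops at a static address or at the maximum level, and prints each path in CE's [[base]+off]+off notation. The level is simply the number of offsets in the path that was found.

```python
# Added example (not Cheat Engine's own code): a minimal multi-level pointer
# scan over a constructed 32-bit memory snapshot, following the description
# above: scan the window (addr - structsize) .. addr, recurse on every holder,
# stop at a static address or at the maximum level.
from bisect import bisect_left, bisect_right
from collections import defaultdict

# Assumption: the main module's image sits here, so anything in this range
# counts as a static (non-heap) address and ends a path.
STATIC_RANGES = [(0x00400000, 0x00410000)]

# Constructed snapshot: address -> 4-byte value. Only pointer-sized cells are
# modelled; a real scanner reads every aligned dword of every readable region.
MEMORY = {
    0x0040A000: 0x01230000,  # static base  -> object A (heap)
    0x0040A100: 0x03450000,  # static base  -> object C directly (1-level path)
    0x0123000C: 0x02340000,  # A+0C         -> object B
    0x02340030: 0x03450000,  # B+30         -> object C
    0x0345001C: 0x00000064,  # C+1C: the dynamic value we want (the target)
    0x05000000: 0x03450010,  # heap cell pointing into C, but nothing points to it
    0x00405000: 0x00000001,  # static cell holding a non-pointer value
}


def is_static(addr):
    return any(lo <= addr < hi for lo, hi in STATIC_RANGES)


def build_value_map(memory):
    """Map every value to the addresses holding it, plus a sorted value list
    so a (low, high) window can be answered with two bisects instead of a
    full rescan per level (the 'map of all pointer values' in the post)."""
    holders = defaultdict(list)
    for addr, val in memory.items():
        holders[val].append(addr)
    return holders, sorted(holders)


def pointer_scan(memory, target, struct_size=0x800, max_level=3):
    """Return (base, offsets) paths such that base is static and
    [[base]+offsets[0]]+offsets[1]... dereferences to target."""
    holders, values = build_value_map(memory)
    results = []

    def search(addr, offsets, level):
        # candidate pointer values p with addr - struct_size <= p <= addr
        lo = bisect_left(values, addr - struct_size)
        hi = bisect_right(values, addr)
        for p in values[lo:hi]:
            path = (addr - p,) + offsets  # offset from p to addr; outermost last
            for holder in holders[p]:
                if is_static(holder):
                    results.append((holder, path))  # end condition: static address
                elif level < max_level:
                    search(holder, path, level + 1)  # p-lev(n+1): who points at holder?
                # else: max level reached, path dropped

    search(target, (), 1)
    return results


def resolve(memory, base, offsets):
    """Dereference a path the way CE does: read [addr], then add the offset."""
    addr = base
    for off in offsets:
        addr = memory[addr] + off
    return addr


def format_path(base, offsets):
    """Render a path in CE's notation, e.g. [[[0040A000]+C]+30]+1C."""
    text = f"{base:08X}"
    for off in offsets:
        text = f"[{text}]+{off:X}"
    return text


if __name__ == "__main__":
    target = 0x0345001C
    for base, offsets in pointer_scan(MEMORY, target):
        assert resolve(MEMORY, base, offsets) == target
        print(f"level {len(offsets)}: {format_path(base, offsets)}")
```

On this snapshot the scan reports a 1-level path [0040A100]+1C and a 3-level path [[[0040A000]+C]+30]+1C, and the heap cell at 0x05000000 is dropped because nothing points at it; rerunning with max_level=2 loses the 3-level path, which is the practical answer to "how do we know the level": the scanner reports every path up to the limit, and the level is the length of the path. A real scanner also restricts candidate values to readable memory and aligned reads, which the constructed dictionary sidesteps.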
iPromise Grandmaster Cheater
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Tue Jun 22, 2010 7:32 pm
So this is what I should do if I'm scanning for an address, e.g. 0x00400000.
I'm only looking for static paths, so:
Scan every address that is static; if I find an address whose value is in the range (0x00400000 - 0x800) to (0x00400000), then I repeat the exact same scan for any addresses whose values are from (static address - 0x800) to (static address), until I obtain an exception?