Cheat Engine

[dick_traced]

i have several sugestions that would make a better tool out of cheat engine:

1. STRUCTURES

- first of all: a listing in the main window of all structures we've defined for a game
example:
http://img853.imageshack.us/img853/9240/struc.jpg

also save all the structures defined when a cheat table is saved, and load all the structures like in the image above when the cheat table is loaded

- option to modify the size of a structure
example: i create a structure with default size (4096). and after i rename the elements, i find out that the structure should be only 300 bytes long

- automatically recreate missing elements. if i have a DWORD element in a structure and i've found out that instead of a DWORD there should be 2 WORDS, i modify the size of that element to WORD, but the second resulting WORD from the DWORD we had doesn't show as an element
example:

structure player
{
0000 DWORD experience
0004 DWORD pointer
0008 DWORD life and mana
000C BYTE speed
.........
}

the above is what cheat engine gave me. but i found out that the DWORD at +8 is life and mana, so i want to split it in 2 WORDS. BUT if i change it's type to WORD, cheat engine would show:

structure player
{
0000 DWORD experience
0004 DWORD pointer
0008 WORD life
000C BYTE speed
.........
}

SO WORD 000A IS MISSING


- an option in the structures window to show only differences/no differences between 2 groups. what i mean is an option to show only blue/red/green elements.

- posibility to select and delete multiple structure elements at once

- an option to keep track of changed values in a structure

- an option (plugin) to export structures to IDA


2. DEBUGGER & POINTERS

- snapshot of all registers for every opcode in a specified subroutine, to easily find how a specified register got manipulated

example: we find our health is substracted at

408899: sub dword ptr [esi+4c],eax
esi is 333333 in the case of our health

[esi+4c] is health address. we want to find static address and to build up the pointer. And here's the sugestion: add to cheat engine an option to monitorize the subroutine where this instruction is (the start address is given by the user or aquired automatically) and after we take damage in game, we switch back to cheat engine and we see the subroutine was called 4 times. so to sort out, we highlight the instruction 408899: sub dword ptr [esi+4c],eax and we tell cheat engine we only need the subroutine where esi was 333333 at the highlighted line of code. so we will have the subroutine in which the game decreased our health with a SNAPSHOT of the registers for every opcode. since we're interested in esi register to see where it got manipulated, we tell that to cheat engine and we get a comment in a disassembled text view of that subroutine like:

[Dark Byte]

good idea, when I get time I'll look into that
tip: If you put it in the bugtracker there is a less chance it gets drowned to page 4 within a month

as for directx mess: It will come back in a less effective way next version (no texture locks as there is no easy way to get the matrixes in dx10+)

[Geri]

I was thinking about the idea with the debugger too but won't it slow down the game drastically? (Basically to an unplayable level.)
At least when you are logging every registers, you have to do it step by step like when you trace. And you have to think about calls. Step in or step over, because it is important. And unless you know that those subroutines are not 100.000 codes long, it isn't a good idea to start a trace in them with undefined length. So the idea itself is good and useful I just don't think it is easy to do it technically.

Regardless of these concerns, more options for the automatic debugging features are always welcome.

EDIT:
Another thing that I was thinking about is to make more than one trace at the same breakpoint. Eg. the code is running 10 times and it will be traced 10 times in 10 different trace. We could make a counter, like make max 20 traces and stop tracing after that. Or similar.
It may be extremely slow but I don't know.

[dick_traced]

here's how i picture it:

hxxp://img265.imageshack.us/img265/9503/hooker.jpg

it's like the 'break and trace' option, with some differences:

- we tell cheatengine the starting address of the routine (or ce will get it automatically)
- cheat engine will trace all instructions until 'ret' is encountered
- cheat-engine WILL NOT disable the hook after 'ret' is encountered, because the routine may be called more than 1 time
- let's say cheat engine encountered and monitorised that routine 5 times when we were in the game. we filter the routines by highlighting the instruction that decrease our life and tell cheat-engine the condition (ie: esi register = 4455)
*** this sorting could be done before the monitorize (we tell ce from the beginning the condition, and if that condition is not met, the routine is not monitorised anymore), OR we can specify the condition AFTER ALL the LOGGINS were made
- the return address is also recorded for every occurence of the monitorised routine
- WE STEP OVER CALLS IN THE MONITORISED ROUTINE!!! for performance, and because if the register we're interested have a different value after the call, we can easily spot that out, because cheat engine will comment that for us
- cheatengine will also comment if the memory address that gets in touch with the monitorised register is static (see picture)


@Geri: about the slow down of the game: i don't think there is so much slow down of the game in comparison with already implemented feature 'break and trace'. it may be slower than 'break and trace', but not that drastically i think. we're stepping over the calls

@DarkByte: if you look carefully the comments cheat engine is supposed to make are AFTER the instruction took place! the 'break and trace' is taking snapshots of registers BEFORE opcode gets executed. we need the comments to me made after opcode get executed. BUT i think you'll understand all from the above picture

*** the above picture is from cheat engine tutorial. so you see how easy is to find what you're looking for with this feature? of course this is also extremly useful when the register for pointer gets manipulated a lot inside a routine.

[SiXxKiLuR]

When creating trainer with CE you have options for Freeze Value but Allow Increase. plus the other options in that selection. It would be useful to add those options in the address list. When you right click on a address in the address list it gives you a category of Actions then subcategory list of the freeze options etc.

[Dark Byte]

tip:press the numeric + or -, or click 3 pixels right of the checkbox

[SiXxKiLuR]