Cheat Engine - The Official Site of Cheat Engine
Kannkor (How do I cheat?)
Reputation: 0
Joined: 21 Nov 2011  Posts: 1

Posted: Mon Nov 21, 2011 3:24 pm    Post subject: Finding a base pointer

Keep in mind (other than tutorials etc.), this is my first time trying to find a base pointer. In the steps I have taken, please note my assumptions (which could be completely wrong). I figure round 1 will be telling what I did, and maybe there is something obviously incorrect I'm doing. Then if more info is needed, I can either screenshot what I see, or make a quick video. Anyways, onto my attempts.
 
 
I log into the game and load Cheat Engine (if there's a better way, I'm all ears).
 
I do a search for float for my current HP, buy an item with +HP only, and do another search; there are 8 entries. I run out and take damage, 4 are current HP and 4 are max HP. They all change at the same time when I change my HP, so this is the list I assume I have to work with.
 
 
Two of them are actual floats (when I'm not full health, there are decimals at times), so I assume I should be using these, since the others may be reading from these and converting to an int. (Assumption #1...)
 
 
Here is my list of 8. They are in pairs, first one is current HP, second one is MAX HP.
 
A12F073C - Current HP and a float
 
A12F0744 - Max HP
 
 
A1586544
 
A158654C
 
 
A158710C
 
A1587114
 
 
A1587CD4
 
A1587CDC
 
 
(In this specific example, I seem to only have 1 float, so I'm using it).
 
A12F073C 
 
I right click it and choose "Find out what accesses this address"
 
It has a dozen or so that spam like crazy, so I ignore those. I remove an item, and get 2 new lines.
 
fld dword ptr [edi+24c] and fstp dword ptr [edi+24c]
 
Both say the pointer needed to find is probably: A12F04F0
 
So I note the 24c offset. 
 
I search (in hex - 4 bytes) for A12F4F0.
 
I get 7 results (all black). (There were 9 results, but a few values changed while typing, so I removed them from the list).
 
5106F2DC
 
A0E76D1C
 
A0FBDDD0
 
A1075CF8
 
A10760B8
 
A1077CD8
 
A12F0728
 
 
If I was a betting man, I'd guess the ones with A were all instances of something that were created ( like entities spawning ), and the first one ( 5106F2DC ) is the one I'm after (I could be completely wrong.. but it just looks more tasty than the others).
 
So I add 5106F2DC to my list. (Double clicking it, I mean).
 
 
I right click it and choose "Find out what accesses this address"
 
It's blank. I remove an item to lower my HP, it's still blank...
 
I pick up an item to increase my HP, still blank.
 
 
At this stage, I'm stuck with 5106F2DC, so my best guess is, it's a dead end and I can't use it.
 
 
I'll move onto the next one then: A0E76D1C
 
It has lots of stuff spamming, and when I remove an item, it has 4 lines that happen once.
 
Two MOV, and 2 cmp. I assume 1 for HP, and 1 for MAX HP, in all 4 cases, the offset is 2C, and the value of the pointer is: A0E76CF0.
 
 
I search for that value in hex and get 1 result.
 
9BBBEF78 (black)
 
Add it to my list
 
I right click it and choose "Find out what accesses this address"
 
4 lines spamming, do the HP thing, now 6 new lines appear.
 
The following 3 lines happened once
 
mov eax,[eax+edx*4]
 
mov ecx,[eax+ecx*4]
 
mov ecx,[eax+ecx*4]
 
The following 3 lines happened twice
 
mov [ebp+00],eax
 
mov ecx,[eax]
 
mov [eax],ecx
 
 
The 3 lines with eax+e_x*4 all show the value for the pointer to be A0E76Cf0 (which is the same as the last one!!). So.. this is ultimately a loop (or I'm missing something).
 
The 3 lines that happened twice, all show the value for the pointer to be 9BBBEF78. Since there isn't an offset here ( +00 ), that makes sense.
 
I search for 9BBBEF78 in hex and get 2 results (both black).
 
9BBBEF7C
 
A4761B48
 
 
I'm sure there is an educated guess someone could make of which one to try... I'm going with me being uneducated here, so I'm taking the first one.
 
I add 9BBBEF7C to my list.
 
I right click it and choose "Find out what accesses this address"
 
It's blank. I do the HP thing. Still blank. 
 
Okay, so it seems this one is a dead end too (or I'm missing what else to do with it).
 
Let's try the other one - a4761B48
 
I right click it and choose "Find out what accesses this address"
 
Has 4 spamming (hey this is familiar!).
 
Do the HP thing, I get 3 that happen once, and 8 that happen twice.
 
The first 3 are: edx+eax*4, and all show value of the pointer: A4761B48
 
Seems all roads lead to value being: A4761B48. Guess I use that one!
 
 
I search for A4761B48 and get 2 results. (both black).
 
A12F0704
 
A4761D08
 
 
Guess I go with the first one to keep my pattern!
 
I add A12F0704 to my list.
 
I right click it and choose "Find out what accesses this address"
 
Has 4 spamming.
 
There's about a dozen that show up. 3 at 1, 1 at 16, and 8 or so at 2.
 
There seem to be 2 different routes to take (another crossroad? This is like a bad Bollywood movie).
 
esi+10 value of pointer: A12F06F4
 
esi+04 value of pointer: A12F0700
 
Since only 1 of them has the +10, I guess I'll go with the +4 for now (again, I suspect there is an educated guess that could be made...)
 
I search for hex value: A12F0700 and.. nothing.. Wait.. it's blank? Okay, guess it's not that one.
 
I search for hex value: A12F06F4 and get 8 results (We're back to 8 results?! Tell me it ain't so!).
 
5106F2B4
 
7D963F00
 
83388C34
 
83789028
 
8B25DDF8
 
A0E76CF4
 
A4B2ED9C
 
A4B2EE24
 
At this stage, we both know I'm choosing the first one. So I add 5106F2B4 to the list.
 
I right click it and choose "Find out what accesses this address"
 
Blank, do the HP thing, still blank. Moving on then!
 
I add 7D963F00 to my list. What accesses this address...
 
Blank, do the HP thing, still blank. Moving on.
 
I add 83388C34 to my list. What accesses this address...
 
Blank, do the HP thing, still blank. Moving on.
 
I add 8379028 to my list. What accesses this address...
 
Blank, do the HP thing, 5 results.
 
All 5 results lead to offset: 08 and value of pointer: 83789020
 
 
Search by hex, and get 1 result, A12F06FC (still black)
 
I add it to my list, and What accesses this address...
 
4 spamming, and 7 when I do the HP thing.
 
There's 2 different options.
 
One has mov eax,[edi+esi*4] (the line above it, has xor esi,esi). The line after it has test byte ptr [eax+04],01
 
So (I'm not very good at assembly), but it seems in the end, it's a pointer +4, or 8 (since esi is either 0 or 1). I suspect it's always 8 because..
 
Because, the other option, is esi+08.
 
Both have a pointer value of A12F06F4. Arg! This is the same as above... 
 
At this stage, I really feel as if I've done something wrong. Surely there isn't this many pointers deep to finding the base pointer, or I'm doing something incorrect (I suspect this one).
 
Continuing from the list of 8 above, I'm on 8B25DDF8
 
Blank.
 
Onto A0E76CF4
 
Has 5 spamming, and 4 upon HP thing.
 
Offset: 04, value of pointer: a0e76cf0
 
1 result for A0E76CF0
 
A4CEC128
 
Has 4 spamming, 6 upon HP thing.
 
First set is one of those eax+edx*4 which gives A0E76CF0 (which is what I just used).
 
Second set is offset: 0 with value of A4CEC128
 
Search for A4CEC128
 
5 results
 
A4761B48
 
A4BF7D84
 
A4BF7D88
 
A4CEC118
 
A4CEC12C
 
 
First one (A4761B48) I've used before above
 
Trying A4BF7D84
 
Blank, HP thing, still blank.
 
Trying A4BF7D88
 
Blank, HP thing, still blank.
 
Trying A4CEC118
 
Blank, HP thing, still blank.
 
Trying A4CEC12C
 
Blank, HP thing, still blank.
 
 
Well, that led to a dead end... There's plenty of other possibilities from above (choosing the second one instead of the first one), and I'll continue my quest to see if I can find a base pointer. Hopefully someone can comment if I'm on the right track, or guide me to what I'm doing wrong. While I'm trying to get the answer, I don't just _want_ the answer, I want to be able to find it myself so I can do it again when I need to.
 
 
Sorry about the length of this, I was just trying to show what I've done and that I've put in an effort to try, but I fear I'm missing a step somewhere.
 
 
Thanks for any guidance.
 
-Kannkor

LeFiXER (Grandmaster Cheater Supreme)
Reputation: 20
Joined: 02 Sep 2011  Posts: 1069  Location: 0x90

Posted: Wed Jan 11, 2012 3:45 pm    Post subject:

What you have to do is click "Show disassembler" on

mov eax,[eax+edx*4]

Here you will set a breakpoint (F5) and wait for the game to break. Once it does, check the EAX register on the right-hand side of the disassembler window. This will be the address that points to the *4 offset (an indexed list; you were right about the looping). Once you've copied the address from the EAX register, scan for it as a new value (hex, 4-byte) until it finds results. Quickly remove the breakpoint via F5 and press F9 to continue the paused process. You should be able to find a static base pointer via this method.
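A constructed Python model of the pointer chain this thread walks through, added here as an example and not code from the forum or from Cheat Engine: the memory snapshot, the static address STATIC_BASE and the "stale copy" addresses are assumptions, while the offsets 0x2C and 0x24C and the dynamic addresses are taken from the post. resolve_chain walks [[STATIC_BASE]+2C]+24C, find_holders is the hex 4-byte scan for a pointer value (which also turns up copies nothing reads, the dead ends in the post), read_indexed models the [eax+edx*4] list step, and the shift parameter relocates every dynamic object as a restart would, which is exactly what a chain anchored on a static base survives.

```python
import struct

# Constructed 32-bit little-endian memory snapshot (not a dump of any game).
# Addresses mirror the post: the HP float sits at 0xA12F04F0 + 0x24C ([edi+24c]),
# 0xA12F04F0 is stored at 0xA0E76CF0 + 0x2C ([reg+2c]) and 0xA0E76CF0 is stored at
# STATIC_BASE, a hypothetical static (module) address that survives a restart.
STATIC_BASE = 0x0040F000
OFFSETS = [0x2C, 0x24C]            # Cheat Engine style: [[STATIC_BASE]+2C]+24C

def build_snapshot(shift=0, hp=87.5):
    """Build the snapshot; shift relocates every dynamic object, as a restart would."""
    obj, player = 0xA0E76CF0 + shift, 0xA12F04F0 + shift
    hp_bits = struct.unpack("<I", struct.pack("<f", hp))[0]
    return {
        STATIC_BASE: obj,                # static slot -> first dynamic object
        obj + 0x2C: player,              # slot 11 of the object's dword list
        player + 0x24C: hp_bits,         # current HP stored as a float
        0x5106F2DC + shift: player,      # stale copies of the player pointer: they
        0xA12F0728 + shift: player,      # show up in the scan but nothing reads them
    }

def read_u32(mem, addr):
    """Read a dword; an unmapped address reads as 0 (a dead end in the chain)."""
    return mem.get(addr, 0) & 0xFFFFFFFF

def read_f32(mem, addr):
    """Reinterpret the dword at addr as a 32-bit float (the HP value)."""
    return struct.unpack("<f", struct.pack("<I", read_u32(mem, addr)))[0]

def find_holders(mem, value):
    """The 'scan hex 4-byte for the pointer value' step: addresses holding value."""
    return sorted(a for a, v in mem.items() if v == value)

def read_indexed(mem, list_base, index):
    """Model of mov eax,[eax+edx*4]: element `index` of a dword list at list_base."""
    return read_u32(mem, list_base + index * 4)

def resolve_chain(mem, base, offsets):
    """Walk [base], then add each offset and dereference, except for the last
    offset, which is added to give the address where the value itself lives."""
    addr = read_u32(mem, base)
    for off in offsets[:-1]:
        addr = read_u32(mem, addr + off)
    return addr + offsets[-1]

def hp_via_chain(shift=0, hp=87.5):
    """Read HP through the static chain in a snapshot built with the given shift."""
    mem = build_snapshot(shift, hp)
    return read_f32(mem, resolve_chain(mem, STATIC_BASE, OFFSETS))
```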