Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
C++ trying to use static pointer: returns different value

 
Forum: General Gamehacking
drtrann
How do I cheat?
Reputation: 0

Joined: 17 Sep 2013
Posts: 4

Posted: Tue Sep 17, 2013 7:51 pm    Post subject: C++ trying to use static pointer: returns different value

So I'll begin by saying that I'm pretty new to the entire concept of memory editing, but I'm attempting to jump right in.

Right now I have a bunch of values from the game that I know for a fact are static pointers to the information I use, but when I try to bring those offsets into C++ it gives me different results than Cheat Engine does. I was hoping someone could point out where I've gone wrong. (I assume something is wrong with my pointer formatting in C++.)

Pointer in Cheat Engine:
game.exe+F87F80

assigning the pointer in C++

Code:
unsigned int tar_ptr = dwbase + 0x0F87F80;


I know that the base address is correct and working with other values, but those were examples; when I attempt to add my own pointer it doesn't work.

Would appreciate any help immensely.
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Tue Sep 17, 2013 11:19 pm

Stick a debugger to your c++ application and see what is the value of tar_ptr just after the line you posted above. If you convert that value to hex you should see the same number as in the "address" column of cheat engine.

If the value of tar_ptr is the same as in the address column, the problem is what you do AFTER with tar_ptr. If your variable is a single byte or 2 bytes in cheat engine, make sure you're only reading one or two bytes in your ReadProcessMemory (or 8 bytes for a double). Also make sure ReadProcessMemory actually modifies the content of its destination buffer.

If you don't see tar_ptr (in hex) in the address column then dwbase is incorrect or you messed up when copying F87F80 from cheat engine.


If you still can't find the problem, post your code and cheat table, I'll check if I see something obviously wrong.

_________________
DO NOT PM me if you want help on making/fixing/using a hack.
drtrann
How do I cheat?
Reputation: 0

Joined: 17 Sep 2013
Posts: 4

Posted: Wed Sep 18, 2013 8:08 am

Hey Gniarf,

Thank you for your offer of help. I haven't been able to narrow down exactly what's going on, and was hoping to take you up on your offer of help. Below is the source that I'm using. All the data based on dwbase + 0x010bbd9c works perfectly (pointer toward list), but when I attempt to direct it toward the pointer of my character's target (dwbase + 0x0F87F80) it doesn't seem to work. Weirdly enough, if I go to game+001bbd9c in Cheat Engine it ends up nowhere, which makes me think there is a discrepancy between how the offsets are formatted.

Code:
#include "stdafx.h"
#include <windows.h>   /* must come before TlHelp32.h */
#include <stdio.h>
#include <TlHelp32.h>

DWORD GetProcessID(char*);
DWORD GetProcessModule(DWORD, char*);

int main()
{
   /* game's process id */
   DWORD dwpid = GetProcessID("GAME"); /*replaced name */
   /* Base address of game module */
   DWORD dwbase = GetProcessModule(dwpid, "GAME");  /*replaced name */
   /* Get handle to process */
   HANDLE hproc = OpenProcess(PROCESS_ALL_ACCESS, false, dwpid);

   /* Static pointer to entity list */
   unsigned int entity_list_ptr = dwbase + 0x010bbd9c;
   printf_s("entity list pointer: %08x ", entity_list_ptr);
   /* Variable to hold the pointer to the an entity */
   unsigned int entity_ptr = 0;
   /* Own pointer to entity */
   unsigned int my_entity_ptr = 0;
   /* target Ptr*/
   unsigned int tar_ptr = dwbase + 0x015C9B4C;
   /* Apparently there are different types of entity lists; this one seems to display only monsters/npcs (untested) */
   /* The game seems to use a hard cap of 100 monsters/npcs displayed at a time; can this be increased? (untested) */
   char tar_name[64];
   ReadProcessMemory(hproc, (char*) (tar_ptr + 0x30), tar_name, 64, 0);
   unsigned int tar_ID = 0;
   ReadProcessMemory(hproc, (unsigned int*) (tar_ptr + 0x74), &tar_ptr, sizeof(unsigned int) , 0);
   printf_s("target: %s (%08x) pointer:<%08x> ",tar_name, tar_ID, tar_ptr);

   for (int entcount = 0; entcount < 0x64; entcount++)
   {
      /* Read the first entity address from the entity list and store it into the entity_ptr variable */
      ReadProcessMemory(hproc, (unsigned int*)(entity_list_ptr + (entcount * 4)), &entity_ptr, sizeof(unsigned int), 0);

      /* If the address is null, don't read it */
      if (entity_ptr != 0)      
      {
         /* The first address read is always your own entities address */
         if (entcount == 0)
            my_entity_ptr = entity_ptr;

         /* You can obtain a lot more data here than just buffs/debuffs; here are some */
         /* Read the entity's name at entity_ptr with an offset of 0x30 */
         char entity_name[64];
         ReadProcessMemory(hproc, (char*)(entity_ptr + 0x30), entity_name, 64, 0);
         /* Read the entity id, again, entity_ptr with an offset of 0x74 */
         /* This id can be used to locate target and identify the caster of buffs/debuffs */
         unsigned int entity_id = 0;
         ReadProcessMemory(hproc, (unsigned int*)(entity_ptr + 0x74), &entity_id, sizeof(unsigned int), 0);
         /* unsigned int hp = 0; */
         /* ReadProcessMemory(hproc, (unsigned int*) (dwbase + 0xF8BBE0 + 0x20 + 0xC + 0xC + 0x20 + 0), &hp, sizeof(unsigned int), 0); */
         /* Read the entity coordinates (x, z, y) starting at entity_ptr + 0xA0 respectively */
         /* Changing your own x,y,z coordinates will make you "teleport" (detectable?) */
         float x, y, z;
         ReadProcessMemory(hproc, (float*)(entity_ptr + 0xA0), &x, sizeof(float), 0);
         ReadProcessMemory(hproc, (float*)(entity_ptr + 0xA4), &z, sizeof(float), 0);
         ReadProcessMemory(hproc, (float*)(entity_ptr + 0xA8), &y, sizeof(float), 0);

         /* There's a lot more data to obtain; the above are just a few examples */
         /* Let's print this information to the console window */
         printf_s("character: %s (%08X) : (x,y,z): %.1f, %.1f, %.1f\n",entity_name, entity_id, x, y, z);

         /* Read the buff list of the entity */
         /* The start of the bufflist begins at entity_ptr with an offset of 0x2f48 and has a max of 30 buffs */
         /* Each buff/debuff has a length of 12 bytes */
         /* Iterate through the buff list */
         for (int bufnum = 0; bufnum < 30; bufnum++)
         {
            /* Read the buff id (2 bytes) */
            unsigned short buff_id = 0;
            ReadProcessMemory(hproc, (unsigned short*)(entity_ptr + 0x2f48 + (bufnum * 12)), &buff_id, sizeof(unsigned short), 0);

            /* Read the buff value (2 bytes) */
            /* This is usually null, but skills like Sprint uses a value of 0x1E (30) */
            /* The higher this value the more potent the skill, results in ex. faster sprinting */
            unsigned short buff_val = 0;
            ReadProcessMemory(hproc, (unsigned short*)(entity_ptr + 0x2f48 + (bufnum * 12) + 2), &buff_val, sizeof(unsigned short), 0);

            /* Read the buff duration timer (4 bytes (float)) */
            /* Decrementing float value, buff is removed when this reaches zero */
            /* No need to say that toggle skills without duration have this value set to zero by default */
            float buff_duration = 0;
            ReadProcessMemory(hproc, (float*)(entity_ptr + 0x2f48 + (bufnum * 12) + 4), &buff_duration, sizeof(float), 0);

            /* Read the buff/debuf caster's id */
            /* Used to identify who casted the buff/debuf */
            unsigned int buff_caster_id = 0;
            ReadProcessMemory(hproc, (unsigned int*)(entity_ptr + 0x2f48 + (bufnum * 12) + 8), &buff_caster_id, sizeof(unsigned int), 0);

            /* Display the buffs/debuffs in the console window */
            /* This is impractical and is an example of the output (debugging) */
            /* For the sake of readability, lets filter out unused buff slots */
            if (buff_id != 0)
               printf_s("bufid: %04X  val: %04X  duration: %.0fs  casterid: %08X\n",
                  buff_id, buff_val, buff_duration, buff_caster_id);
         }
         printf_s("\n");
      }
   }
   /* We're done here, close handle */
   CloseHandle(hproc);

   getchar();
   return 0;
}


DWORD GetProcessID(char* Exename)
{
   HANDLE hprocessSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
   DWORD pid = 0;
   if (hprocessSnapShot == INVALID_HANDLE_VALUE)
      return 0;

   PROCESSENTRY32 ProcessEntry = { 0 };
   ProcessEntry.dwSize = sizeof(ProcessEntry);

   if (Process32First(hprocessSnapShot, &ProcessEntry))
   {
      do
      {
         if (lstrcmp(ProcessEntry.szExeFile, Exename) == 0)
         {
            pid = ProcessEntry.th32ProcessID;
            break;
         }
      }
      while(Process32Next(hprocessSnapShot, &ProcessEntry));
   }
   /* Close the snapshot on every path so the handle is never leaked */
   CloseHandle(hprocessSnapShot);
   return pid;
}

DWORD GetProcessModule(DWORD pId, char* Modulename)
{
   HANDLE hprocessSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pId);
   DWORD base = 0;
   if (hprocessSnapShot == INVALID_HANDLE_VALUE)
      return 0;

   MODULEENTRY32 ModEntry = { 0 };
   ModEntry.dwSize = sizeof(MODULEENTRY32);

   if (Module32First(hprocessSnapShot, &ModEntry))
   {
      do
      {
         if (lstrcmp(ModEntry.szModule, Modulename) == 0)
         {
            base = (DWORD)ModEntry.modBaseAddr;
            break;
         }
      }
      while(Module32Next(hprocessSnapShot, &ModEntry));
   }
   /* Close the snapshot on every path so the handle is never leaked */
   CloseHandle(hprocessSnapShot);
   return base;
}


Last edited by drtrann on Wed Sep 18, 2013 11:23 am; edited 1 time in total
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Wed Sep 18, 2013 10:31 am

drtrann wrote:
the pointer of my characters target (dwbase + 0x0F87F80)
I don't see any F87F80 in your code, but I see a
unsigned int tar_ptr = dwbase + 0x015C9B4C;

drtrann wrote:
all the data based on the dwbase + 0x010bbd9c works perfectly. [...] weirdly enough if i go to f***.exe+01bbd9c in cheat engine it ends up nowhere.
1-Finally you forgot to scrub the game's name here.
2-The two aren't the same address (game.exe+0x010bbd9c works but game.exe+001bbd9c ends up in unallocated space? A bit weird though...).


Other than that, in ReadProcessMemory(hproc, (unsigned int*) (tar_ptr + 0x74), &tar_ptr, sizeof(unsigned int) , 0);
shouldn't it be tar_ID?
Also you didn't post your cheat table, so I can't check its consistency with your code (cheat tables can be edited with notepad if you want to replace the exe name).

In a different matter, I'd suggest you write yourself a pair of structs like:
Code:

/* BYTE comes from <windows.h>. pack(1) does the same as the 1-byte structure member
   alignment setting mentioned below, but only for these two structs. */
#pragma pack(push, 1)
typedef struct Buff_
{
  short ID;
  short Value;
  float Duration;
  unsigned int Caster;
} Buff;

typedef struct Entity_
{
  BYTE Unknown_1[0x30];
  BYTE Name[64];
  BYTE Unknown_2[4];
  unsigned int ID;
  BYTE Unknown_3[0x28];
  float x;
  float z;   /* the code above reads +0xA4 as z and +0xA8 as y */
  float y;
  BYTE Unknown_4[0x2f48-4-4-4-0x28-4-4-64-0x30];
  Buff Buffs[30];
  //continue filling as you discover new stuff
} Entity;
#pragma pack(pop)
Then you just have to do
Code:
Entity MyEntity;
ReadProcessMemory(hproc, (unsigned int*)(entity_ptr), &MyEntity, sizeof(Entity), 0);
printf("character: %s (%08X) : (x,y,z): %.1f, %.1f, %.1f\n",MyEntity.Name, MyEntity.ID, MyEntity.x, MyEntity.y, MyEntity.z);
//you can access MyEntity.Buffs[1].Duration.

Beware that you need to set structure member alignment to 1 byte for this to work (project settings->C/C++->code generation->structure member alignment in visual studio).

Disclaimer: I typed that code in a web browser and didn't compile it so I might have left some typos or stupid mistakes.



Last edited by Gniarf on Wed Sep 18, 2013 2:00 pm; edited 1 time in total
drtrann
How do I cheat?
Reputation: 0

Joined: 17 Sep 2013
Posts: 4

Posted: Wed Sep 18, 2013 11:22 am

Sorry, yes, the Tar_ID was wrong and the offset was something I was testing out on the side. The address should be as posted.

Quote:
(unsigned int tar_ptr = dwbase + 0xF87F80;)


Here is the address list:


Code:
<?xml version="1.0" encoding="utf-8"?>
<CheatTable CheatEngineTableVersion="16">
  <CheatEntries>
    <CheatEntry>
      <ID>34</ID>
      <Description>"hp current"</Description>
      <Color>80000008</Color>
      <VariableType>4 Bytes</VariableType>
      <Address>"game"+00F8BBE0</Address>
      <Offsets>
        <Offset>0</Offset>
        <Offset>20</Offset>
        <Offset>C</Offset>
        <Offset>C</Offset>
        <Offset>20</Offset>
      </Offsets>
    </CheatEntry>
    <CheatEntry>
      <ID>19</ID>
      <Description>"hp max"</Description>
      <Color>80000008</Color>
      <VariableType>4 Bytes</VariableType>
      <Address>"game"+00F8BBE0</Address>
      <Offsets>
        <Offset>4</Offset>
        <Offset>20</Offset>
        <Offset>C</Offset>
        <Offset>C</Offset>
        <Offset>20</Offset>
      </Offsets>
    </CheatEntry>
    <CheatEntry>
      <ID>20</ID>
      <Description>"mana current"</Description>
      <Color>80000008</Color>
      <VariableType>4 Bytes</VariableType>
      <Address>"game"+00F8BBE0</Address>
      <Offsets>
        <Offset>8</Offset>
        <Offset>20</Offset>
        <Offset>C</Offset>
        <Offset>C</Offset>
        <Offset>20</Offset>
      </Offsets>
    </CheatEntry>
    <CheatEntry>
      <ID>21</ID>
      <Description>"mana max"</Description>
      <Color>80000008</Color>
      <VariableType>4 Bytes</VariableType>
      <Address>"game"+00F8BBE0</Address>
      <Offsets>
        <Offset>C</Offset>
        <Offset>20</Offset>
        <Offset>C</Offset>
        <Offset>C</Offset>
        <Offset>20</Offset>
      </Offsets>
    </CheatEntry>
    <CheatEntry>
      <ID>22</ID>
      <Description>"tp current"</Description>
      <Color>80000008</Color>
      <VariableType>4 Bytes</VariableType>
      <Address>"game"+00F8BBE0</Address>
      <Offsets>
        <Offset>10</Offset>
        <Offset>20</Offset>
        <Offset>C</Offset>
        <Offset>C</Offset>
        <Offset>20</Offset>
      </Offsets>
    </CheatEntry>
    <CheatEntry>
      <ID>23</ID>
      <Description>"tp max"</Description>
      <Color>80000008</Color>
      <VariableType>4 Bytes</VariableType>
      <Address>"game"+00F8BBE0</Address>
      <Offsets>
        <Offset>14</Offset>
        <Offset>20</Offset>
        <Offset>C</Offset>
        <Offset>C</Offset>
        <Offset>20</Offset>
      </Offsets>
    </CheatEntry>
    <CheatEntry>
      <ID>25</ID>
      <Description>"mybuff1"</Description>
      <ShowAsHex>1</ShowAsHex>
      <Color>80000008</Color>
      <VariableType>2 Bytes</VariableType>
      <Address>game+F89ECC</Address>
      <Offsets>
        <Offset>2F48</Offset>
      </Offsets>
    </CheatEntry>
    <CheatEntry>
      <ID>32</ID>
      <Description>"mybuff1Length"</Description>
      <Color>80000008</Color>
      <VariableType>Float</VariableType>
      <Address>game+F89ECC</Address>
      <Offsets>
        <Offset>2F70</Offset>
      </Offsets>
    </CheatEntry>
    <CheatEntry>
      <ID>5</ID>
      <Description>"entity list"</Description>
      <Color>80000008</Color>
      <VariableType>4 Bytes</VariableType>
      <Address>game+F89EC8 </Address>
    </CheatEntry>
    <CheatEntry>
      <ID>28</ID>
      <Description>"No description"</Description>
      <Color>80000008</Color>
      <VariableType>4 Bytes</VariableType>
      <Address>game+F89EC8</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>6</ID>
      <Description>"your character pointer"</Description>
      <ShowAsHex>1</ShowAsHex>
      <Color>80000008</Color>
      <VariableType>4 Bytes</VariableType>
      <Address>game+F89ECC </Address>
    </CheatEntry>
    <CheatEntry>
      <ID>30</ID>
      <Description>"your character ID"</Description>
      <ShowAsHex>1</ShowAsHex>
      <Color>80000008</Color>
      <VariableType>4 Bytes</VariableType>
      <Address>game+F89ECC</Address>
      <Offsets>
        <Offset>0</Offset>
      </Offsets>
    </CheatEntry>
    <CheatEntry>
      <ID>37</ID>
      <Description>"your character ID"</Description>
      <ShowAsHex>1</ShowAsHex>
      <Color>80000008</Color>
      <VariableType>4 Bytes</VariableType>
      <Address>game+F89ECC</Address>
      <Offsets>
        <Offset>74</Offset>
      </Offsets>
    </CheatEntry>
    <CheatEntry>
      <ID>35</ID>
      <Description>"your character ID"</Description>
      <ShowAsHex>1</ShowAsHex>
      <Color>80000008</Color>
      <VariableType>String</VariableType>
      <Length>64</Length>
      <Unicode>0</Unicode>
      <ZeroTerminate>1</ZeroTerminate>
      <Address>game+F89ECC</Address>
      <Offsets>
        <Offset>30</Offset>
      </Offsets>
    </CheatEntry>
    <CheatEntry>
      <ID>2</ID>
      <Description>"target ID"</Description>
      <ShowAsHex>1</ShowAsHex>
      <ShowAsSigned>0</ShowAsSigned>
      <Color>80000008</Color>
      <VariableType>4 Bytes</VariableType>
      <Address>game+F87F80</Address>
      <Offsets>
        <Offset>74</Offset>
      </Offsets>
    </CheatEntry>
    <CheatEntry>
      <ID>36</ID>
      <Description>"target name"</Description>
      <ShowAsHex>1</ShowAsHex>
      <ShowAsSigned>0</ShowAsSigned>
      <Color>80000008</Color>
      <VariableType>String</VariableType>
      <Length>64</Length>
      <Unicode>0</Unicode>
      <ZeroTerminate>1</ZeroTerminate>
      <Address>game+F87F80</Address>
      <Offsets>
        <Offset>30</Offset>
      </Offsets>
    </CheatEntry>
    <CheatEntry>
      <ID>38</ID>
      <Description>"target pointer"</Description>
      <ShowAsHex>1</ShowAsHex>
      <ShowAsSigned>0</ShowAsSigned>
      <Color>80000008</Color>
      <VariableType>4 Bytes</VariableType>
      <Address>game+F87F80</Address>
      <Offsets>
        <Offset>0</Offset>
      </Offsets>
    </CheatEntry>
    <CheatEntry>
      <ID>29</ID>
      <Description>"mybuff2"</Description>
      <ShowAsHex>1</ShowAsHex>
      <Color>80000008</Color>
      <VariableType>2 Bytes</VariableType>
      <Address>game+F89ECC</Address>
      <Offsets>
        <Offset>2F60</Offset>
      </Offsets>
    </CheatEntry>
    <CheatEntry>
      <ID>31</ID>
      <Description>"mybuff1Length"</Description>
      <Color>80000008</Color>
      <VariableType>Float</VariableType>
      <Address>game+F89ECC</Address>
      <Offsets>
        <Offset>2F58</Offset>
      </Offsets>
    </CheatEntry>
    <CheatEntry>
      <ID>26</ID>
      <Description>"No description"</Description>
      <Color>80000008</Color>
      <VariableType>4 Bytes</VariableType>
      <Address>game+F89Ed0</Address>
      <Offsets>
        <Offset>2F48</Offset>
      </Offsets>
    </CheatEntry>
    <CheatEntry>
      <ID>27</ID>
      <Description>"No description"</Description>
      <Color>80000008</Color>
      <VariableType>4 Bytes</VariableType>
      <Address>game+010bbd9c</Address>
      <Offsets>
        <Offset>0</Offset>
      </Offsets>
    </CheatEntry>
  </CheatEntries>
  <UserdefinedSymbols/>
</CheatTable>
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Wed Sep 18, 2013 1:59 pm

Hah, I bet I found it! You were missing one level of indirection; see that line for entity_ptr?
Code:
ReadProcessMemory(hproc, (unsigned int*)(entity_list_ptr + (entcount * 4)), &entity_ptr, sizeof(unsigned int), 0);
You need the equivalent for tar_ptr, something like:
Code:
unsigned int tar_ptr = 0;
ReadProcessMemory(hproc, (unsigned int*)(dwbase + 0x0F87F80), &tar_ptr, sizeof(unsigned int), 0);
//might wanna do a null check on  tar_ptr here.



As for the 0x010bbd9c thing, normally if you edit the last entry of your cheat table and replace the 0 above game+010bbd9c (in cheat engine, not in the .ct text) by 74 you should end up on the first mob/NPC's ID.

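Gniarf's missing-indirection point, and the multi-level entries in the cheat table above, both come down to how a pointer chain is resolved: one read per offset, never a plain sum of offsets onto the base. The C below is an added example, not code from this thread or from Cheat Engine; resolve_chain, fake_read, demo_hp_chain and every address in it are constructed, the read callback stands where ReadProcessMemory would go, and it takes the .ct <Offset> list to be stored in reverse order of application, which is the order drtrann's commented-out hp line uses.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Read callback: copy `len` bytes at `addr` into `out`, return 1 on success.
   A real tool would wrap ReadProcessMemory here; this example reads a constructed buffer. */
typedef int (*read_fn)(void *ctx, uint32_t addr, void *out, size_t len);

/* Resolve a Cheat Engine style pointer chain: starting at `base`, each step reads the
   current address as a 32-bit pointer and then adds the next offset (N offsets, N reads).
   Returns the final address, or 0 if a link is NULL or unreadable (Gniarf's null check). */
uint32_t resolve_chain(read_fn rd, void *ctx, uint32_t base,
                       const uint32_t *offsets, size_t n_offsets)
{
    uint32_t addr = base;
    for (size_t i = 0; i < n_offsets; i++) {
        uint32_t next = 0;
        if (!rd(ctx, addr, &next, sizeof next) || next == 0)
            return 0;
        addr = next + offsets[i];
    }
    return addr;
}

/* Constructed stand-in for the target process: a flat buffer whose index is the address. */
typedef struct { uint8_t *mem; uint32_t size; } fake_proc;

static int fake_read(void *ctx, uint32_t addr, void *out, size_t len)
{
    fake_proc *p = (fake_proc *)ctx;
    if (addr > p->size || len > p->size - addr)
        return 0;
    memcpy(out, p->mem + addr, len);
    return 1;
}

static void put32(fake_proc *p, uint32_t addr, uint32_t v) { memcpy(p->mem + addr, &v, 4); }
/* Constructed image mirroring the "hp current" entry ("game"+00F8BBE0, offsets 0,20,C,C,20;
   the .ct lists them in reverse order of application) at small made-up addresses.
   Returns the resolved address (0x600 here), or 0 when break_link nulls one link. */
uint32_t demo_hp_chain(int break_link)
{
    static uint8_t mem[0x1000];
    fake_proc p = { mem, sizeof mem };
    memset(mem, 0, sizeof mem);
    uint32_t base = 0x100;                            /* stands in for dwbase + 0xF8BBE0 */
    put32(&p, base,         0x200);                   /* [base]       -> 0x200 */
    put32(&p, 0x200 + 0x20, 0x300);                   /* [0x200+0x20] -> 0x300 */
    put32(&p, 0x300 + 0x0C, 0x400);
    put32(&p, 0x400 + 0x0C, break_link ? 0 : 0x500);  /* optionally NULL this link */
    put32(&p, 0x500 + 0x20, 0x600);
    put32(&p, 0x600, 1234);                           /* the HP value itself lives here */
    const uint32_t offsets[] = { 0x20, 0x0C, 0x0C, 0x20, 0x0 };   /* order of application */
    return resolve_chain(fake_read, &p, base, offsets, 5);
}

int main(void)
{
    /* Summing the offsets onto the base with no reads, as the commented-out hp line in
       the thread does, lands at 0x158, nowhere near the resolved 0x600. */
    printf("resolved: %#x, no-deref sum: %#x\n", demo_hp_chain(0), 0x100 + 0x20 + 0x0C + 0x0C + 0x20);
    return 0;
}
```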
drtrann
How do I cheat?
Reputation: 0

Joined: 17 Sep 2013
Posts: 4

Posted: Wed Sep 18, 2013 2:36 pm

Mother of god.. how did I miss that. Thank you so much for your help.