Cheat Engine

++METHOS · Posted: Wed Mar 06, 2013 9:13 pm Post subject: Trouble with finding player ID

I think I published a thread about this some time ago, but I am still having trouble with it.

I am wondering if anyone has ever had a problem with finding the player ID for friend/enemy? Where did you start the dissection? At player health? Have you ever seen any oddball values for player ID (as opposed to 0, 1, 2 etc.)? If you did not find this value near the health address, where did you find it? Was it close/far from your dissection address?

Since I cannot find the player ID, I am using my health address to compare, as a temporary fix. I have hacked the health address to go beyond what any other player in the game will have, to make it unique, so the health cheat must be enabled for the script to work. I'd like to change this so that all scripts will not be dependent on the health address. So far, I have created a script that immobilizes all players except hero player, but this script is relying on the fact that the health address is being manipulated.

Thanks.

Gniarf · Posted: Thu Mar 07, 2013 12:04 am Post subject:

Personally I don't use PlayerID to differentiate between variables because I don't know any reliable or semi reliable method to find it. I tried this approach once, with serious sam3, and my reasoning was the following:
1-the number's address was close to the health's address. I don't remember how far, but I think it was less than 0x100 bytes.
2-the number was too small to be a pointer or a botched float/double.
3-it looked like it were always the same value (0x101 iirc) when it handles the player's health and uses another for enemies (0x103 iirc).
Well it didn't work that well since some enemies were unkillable too. In the end I found that game has cheat codes, so I didn't try other stuff.

In your case I'd try "find out what accesses..." and find a function - any function - the handles the "hero player" 's health and nothing else (the one that reads his health to display it in a corner is often a good candidate...). The "find our what addresses this function access" feature is quite useful for that.
Then either turn this function into a freezer or simply use it to note the hero player's health address somewhere. After that, in your hooked functions, just use compare the address of the health you're going to write with the stored address and if it's the same do your hack(s).

EDIT: this video shows a russian guy finding the player ID in mass effect 3: http://www.youtube.com/watch?v=NjkheCO0hfo
Looks like health=[esi+6C], playerID = [esi+2C]=D3.

++METHOS · Posted: Thu Mar 07, 2013 1:12 am Post subject:

Thanks for the tips. This definitely gives me something to think about. This particular game allows you to choose from multiple characters, all with different stats/values, so I may have to get creative.

Thanks, again.

lp0 · Posted: Sat Mar 09, 2013 10:33 am Post subject:

Some random thoughts on my approx. 1 week with Cheat Engine, plus some general insight on programming, computing, best practices, etc. As with the GNU license, there is no implied usefulness of any of this information. Ignorance is bliss, and if I'm stupid, don't tell me because it's much more fun this way.

For me, it's all about having controllable conditions in which you can test, which provides a sufficient variety of data for a meaningful comparison, while not providing too much data so-as-to bury any investigatory efforts. That's a long sentence, dripping with subtlety and nuance; I'll try to dissect it a bit.

Controllable conditions: This is paramount to any investigation, because if you cannot control the initial (or thereabouts) conditions of the investigation, you will never be able to separate the "noise" from meaningful results. What this means, relevant to your question, and in the context of CE, is that you should strive to create a situation (possibly a save point) that you can use a starting point for your iterative investigation. An example in the context of your question:

Investigation: I want to find a piece of data that can be used to identify between friend and foe.

Initial conditions: Create a scenario that has four (I use four, you can scale up as you like) "actors" - two from the player side, two from the enemy side. If possible (such as a map game, etc), create this point with the same four units every time.

I use four units, with an even split between friend and foe, because it provides me (personally, that is; YMMV) with a sufficient amount of information that I can do comparisons, fiddle with memory, etc - while not having so much information that my brain will fail to extract patterns between the four sets of data.

So, you have your initial conditions now; with a save point (or equivalent) to reset the investigation as needed. Next thing, is to find a value that you can use to derive the base structure for a unit. A popular one is health, probably, but any value will generally do - as long as it is a value that is shared between all units, regardless of type, friend, foe, etc. So, let's assume health.

Find the health value for a unit - maybe 4 byte integer, possibly float. Whatever the case may be, let's assume you've found it. Now, add it to the address list and use "What writes to this address". A quick aside.

Some suggest using "what accesses this address" - I tend to shy away from that, because I'm not interested in what reads the address in question to display on a GUI or whatever; I want the code that modifies the address. But that is my preference, not a Law of Nature.

When your watching what writes to that address, go take some damage (once or twice, not a thousand times). If your lucky, there should only be a single code result - more on this in a minute. If there are multiple results, that does complicate things a little more, in that you should now see if these multiple code addresses are really all part of a single "block" - use the disassembler for this. If they are all close together (probably floating point, then) it is up to you to discern the purposes of the registers in that code. Once you've done that, you can inject code at a specific spot to modify the register you are interested in.

So, let's make up a scenario, according to the following rules:

`eax` holds the value of the new health for the actor in question
`edx` holds the damage being inflicted on the actor in question
`esi` holds the pointer for the structure of the actor in question (offsets have to be relative to something, after all)
[esi+4] is the current health of the actor
[esi+8] is the max health of the actor

++METHOS · Posted: Sat Mar 09, 2013 1:49 pm Post subject:

lp0, I appreciate the effort...it looks like you spent a lot of time with that reply. Thanks.

Unfortunately, everything that you have posted is old news for me. The problem that I am having with finding the player ID is not in how to do it, but in actually finding a static value that can be used at all.

The player values in this game are random and recycled. If one troop dies, another troop will take that spot, at the same address. I have looked high and low (very) while dissecting data structures, and none of the addresses that are similar are static. Unfortunately, for this game, I think I am going to have to continue using my own manipulated code, and just create an ID that can be used to separate my player from the rest.

Thanks, again.

daspamer · Posted: Sat Mar 09, 2013 2:08 pm Post subject:

GNIREENIGNE,
If you did not understood what the person above me wrote (very helpful), I'm willing to help you out Wink

.
Not far ago, decided to use the dissect structres (Well I made some teleport hack for some MMO game, some famous MMO game, told the admin, and helped him to patch it.. and got some great stuff inside the game Wink

).

And you can always do
do

Dark Byte · Posted: Sat Mar 09, 2013 2:08 pm Post subject:

Perhaps the unit has a pointer to another structure that in it's turn has a pointer to the controller object, which may have a pointer to a string that contains your name, or just Player

lp0 · Posted: Sat Mar 09, 2013 2:23 pm Post subject:

In that case, I have a large structure of just bytes that I "map" onto a location when I'm really stumped.

It can be tricky, but it pointed (haha CE pun) me in the right direction once or twice.

++METHOS · Posted: Sat Mar 09, 2013 2:50 pm Post subject:

lp0 · Posted: Sat Mar 09, 2013 2:57 pm Post subject:

I'm interested; care to share the name of the game?

Gniarf · Posted: Sat Mar 09, 2013 3:33 pm Post subject:

Not sure it would work, but you can try the following crazy idea: assuming health is accessed by [eax+1234], copy every byte from the beginning of one friendly unit (eax+0) to eax+1234, freeze the game, paste those bytes over an enemy unit, and resume the game. If that enemy unit just switched sides or health bar color, you know your ID is somewhere in that.

If it does not work AND doesn't crash, you can venture past unit_begin+1234, problem is knowing where the unit's data ends, and where the next thing's data begins... You can try picking a random spot a few bytes further, "find[ing] out what access..." which will give you a result with [register+Offset]. As long as Offset keeps increasing you're still on that one unit's data.

Normally you should end up doing a clone of your unit, right? Riiight??

Let me know if it proves of any use. Also what game is it? Does it have a demo/trial version?

daspamer · Posted: Sat Mar 09, 2013 3:47 pm Post subject:

Well, what i wrote is just an suggestion.. I've tried making the same for a facebook game named marvel avengers alliance, I have faced the same issue as you..so decided to use hotkeys..because AI and players sharing the same IDs + theres 3 addresses for HP, and for 1 theres something different.. but for the second one theres nothing different...(and the second one being called first..)..

Anyway, good luck.
Give me the game name and I will check it out.

++METHOS · Posted: Sat Mar 09, 2013 6:05 pm Post subject:

Gniarf · Posted: Sun Mar 10, 2013 6:59 am Post subject:

So far I've found that (in the demo):
-health is at PlayerStructure+104
-CharacterID is at PlayerStructure+C
-CharacterID for special generals is below 0x10, probably because there aren't much characters in the demo.
-CharacterID for generic generals is above 0x20, often above 0x30.
-Generic allied generals have PlayerStructure+D=1

Problem I can't sort between allied and enemy special generals. In the demo the only general I can play has CharacterID=6, some of my allies have 5 and 7 and one of the bosses has CharacterID=0. (edit: Sun Ce has ID 0x1C)

...hmm they probably might have used something like CharacterID=0 to 4 for blue (Wu?) generrals, and 5-7 for red ones (Shu?) and then would come the green (Wei) and independent ones. Gotta try that after lunch....

EDIT: that seems to work. The script below overwrites the health upon taking damage by 0 or 300k. That way you can easily tell who is invincible and who isn't. Let's hope that CharacterIDs don't change on every mission. Aside that I'd bet those IDs are NOT the same in the demo and in the full game.

++METHOS · Posted: Sun Mar 10, 2013 1:58 pm Post subject:

So, you're saying that there are different ID's being used based on the officer type (and) that these ID's may be located at different offsets? How did you determine this? How did you test it?

I haven't tested your script, but I wonder if you have tested the result of it. For example, whenever I try to mov 0 into health, the troops cannot be killed. I have yet to find which code/codes trigger death, and have yet to be able to create an 'automatic/instant' kill (e.g. a way to kill the troops without even hitting/interacting with them). There is an address that controls all actions/sprites, but manipulating that with the health address was not successful.

I'll take a look at your findings later to see if what you've found applies to the version that I am working with.

Thanks for your help.