Cheat Engine

h4ck0ry · How do I cheat? Reputation: 0 Joined: 12 Jun 2016 Posts: 9

-snip-

cooleko · Posted: Sun Jun 12, 2016 9:34 pm Post subject:

Almost every game I have played doesn't use offsets for writing the X,Y,Z coordinates; however, the X and Y coordinates are always offset by something (4,8,10).

Because of this I will do two things, If I'm accessing the instruction through CE, I'll find what addresses this instruction accesses. Usually it is EVERY objects coordinates so I'll hook the instruction and filter out my character's coordinates based on some parameter found using the structure dissector.

Once successful, then I'll do one of two things: either perform an AOB scan for the instruction and capture (in your case) RCX + any filters, or I'll scan for a code cave and use that guaranteed open slot to write the addresses in a static memory location.

Then you just access the addresses using the pointer 400000+w/e.

OR, I do a pointerscan using the tool and let it run for a day or two until it finds a static.

====================
Section 2 - Let's have some fun
====================

Now, the X and Y coordinates are always in a structure. This structure, while not found using the instructions, will be capturing using those instructions.

Find out what addresses the instruction mov [rcx],edx accesses.
Hopefully it will give us 2-10 instructions, just pick your champ and 2-3 others (this is done by ctrl-click iirc). Right click and perform a dissect structure on these addresses, Just hit NO for all the options.

A new screen will open up with the addresses you selected at the top and nothing in the main window.

Copy and paste your address (40DE6EE990) into the first slot and move every other address to Group 2 (create new group, then change group for each additional address). If you have a teammate or something, then keep him in Group 1 with you.

This is where the guessing starts. Assuming that you have noticed from finding this memory location two or three times, that it always ends in a 90, you can guess that the base of this structure is at 40DE6EE900, it is a fair guess, maybe not correct but that is why we guess. So change every address in group 1 and 2 to be 00 instead of 90, or simply subtract 90 from w/e the address is if they are not all 90 (most likely). If 90 doesnt work, then try 190, 500, or 1090.

Then select define new structure, let CE auto guess.

Start at address 90 (or w/e now holds the X coord after your guess above) and work your way up, you are looking for a pointer or anything that gives you a clue. You may find a pointer (that if followed) to the name of the character, or maybe the character stats. Once you find something that is definitely useful, add that address to your list (press A) and see what accesses it! If you are lucky, then that instruction will have an offset and you will now know where the actual structure header is. Once you have found the structure header you can do two things.

Save 50 bytes in front of and behind the header and compare against multiple game loads for an AOB scan.

Or, you can find the pointer (for instance) to HP, Name, or Stats, and simply add the offset to your X and Y coordinates. Then use that pointer outside of the game.

Hope this helps!

ParkourPenguin · Posted: Sun Jun 12, 2016 9:40 pm Post subject:

As the "more info" window already states, that value it gives you is just a guess. It's clear from looking at the assembly around the instructions which access your addresses that the game is very likely adding another offset to those registers before those instructions are executed (i.e. lea rbx,[rcx+10], the other lea instructions, negative offsets). If the game offsets the register from the base of the structure the address it's accessing is in, then CE's guess won't be correct.

A good way to find a good pointer is to backtrace that instruction and find out how it's getting that address. Of course, that requires knowledge of assembly, which not everyone has.

An alternative is to use the pointer scanner. You should use at least two pointermaps in the scan to save time writing to disk (main bottleneck) and disk space. A concise overview:

Find and choose one of those addresses (they should be consistently relative to each other between separate instances of the game).
Write it down.
Right click in the address list and select "Generate pointermap".
Save it somewhere.
Restart the game (restarting your computer can help even more).
Open the game again and find that same address (it should be at a different location but the same relative to the others).
Right click on that address in the address list and select "Pointer scan for this address".
Select "Compare results with other saved pointermap(s)"
Open the saved pointermap file and use the address you previously wrote down for it.
Start the scan and wait.

After the scan is complete, restart your computer again, find the address again, and rescan that list with the new address. Any remaining pointers should be stable enough to use in your application.

I'd recommend leaving the settings at their default state for the first scan. If you don't find anything, try increasing max level and/or max offset. If the scan is taking too long (i.e. many hours), try to fiddle with the advanced options. Using the "Max different offsets per node" option will speed it up tremendously, but you'll miss lots of valid pointers. Increase it gradually if the scan completes very quickly.

Note that if the game is written in a language that uses JIT compilation or otherwise runs off a VM (e.g. .NET, java, flash, etc.) or some type of emulation/interpretation (e.g. emulators), finding static pointers will be a significantly harder challenge than you think.

Another option is to use a code injection to get the address. Find an instruction that only accesses that address (right click on an instruction in the disassembler and select "Find out what addresses this instruction accesses"), and use CE's AoB template to make a code injection for it. See the "injection copies" section of this topic for more information. If you can't find an instruction that only accesses that address, you can try to find a filter to use as cooleko suggested. See this topic for information on that.

Doing this in another application would entail scanning for an AoB, allocating your own memory, writing a jump to your code, having your code copy the address of the coordinate to some set location (i.e. around your code), and jumping back into the game's memory. Since this is a 64-bit process, the jumps will be more complicated. Allocate your code's memory within 2GB of the injection point and you can use jmp rel32 to take up 5 bytes for the injection point instead of the >10 bytes for jumping to a location further away.

h4ck0ry · How do I cheat? Reputation: 0 Joined: 12 Jun 2016 Posts: 9

-snip-

cooleko · Posted: Tue Jun 14, 2016 12:39 am Post subject:

Darkbyte has explained how to reference threadstack0 a couple times before, this should help you: http://forum.cheatengine.org/viewtopic.php?p=5487976
This particular thread discusses x64 programs too, so I think it will fit your project.

If you need other explanations, there were a couple other threads, or someone might pop in here.