Cheat Engine The Official Site of Cheat Engine
mouser Advanced Cheater
Reputation: 0
Joined: 08 Mar 2015 Posts: 50
Posted: Sun Mar 08, 2015 5:35 pm Post subject: Basic Pointer Question Unity Camera Coordinates
Hi, I'm trying to get camera XYZ coordinates in Oddworld New N Tasty.
I'm also a terrible noob at Cheat Engine, but did a lot of research via YouTube, the CE tutorial etc.
Still I keep failing at simple things, e.g.:
(can't post URLs; picture in attachment)
What you see here is the found camera X and what writes to it (2 adds). I don't understand how to make a pointer out of these addresses. What's the value of the pointer here? It says it's the same address as the one I've already found, which I used to see what is writing to it. If I search for that address "18F85D48", nothing comes up.
When I open up the memory viewer though and search for that address, Cheat Engine finds it.
Now I know that the camera X address will change every time I restart the game. I can't AOB scan this address as the bytes also change, but I can AOB scan some other addresses, e.g. the address in the screenshot I'm trying to point to, "3448A3EB". I can always AOB scan this function and it does what it's supposed to (some camera function), but I always have to manually search for the camera X address in order to set a hotkey to it and change the camera.
This is probably something a script would be good for, but as I said, noob alarm, I wouldn't know how to even start.
AOB for the one function I can scan for, and then use that somehow to tell CE where camera X is, etc.?
I'm out of ideas at the moment.
Last edited by mouser on Wed Mar 18, 2015 4:01 am; edited 2 times in total
justa_dude Grandmaster Cheater
Reputation: 23
Joined: 29 Jun 2010 Posts: 893
Posted: Mon Mar 09, 2015 12:59 pm
Depending on... you might be able to simplify things w/ CE's Mono support. Click the mono menu on the main CE title-bar and enable Mono support. Then, when you "find what address blah blah", you will probably see nice symbols describing the code (eg PLayer::Move::1bf). You should be able to use this symbol instead of an aob.
_________________
Beside the big gate there is always a small gate. (A nagy kapu mellett, mindig van egy kis kapu.)
----------------------
Come on...
alanze Advanced Cheater
Reputation: 3
Joined: 03 Oct 2012 Posts: 50
Posted: Mon Mar 09, 2015 2:04 pm
You have to learn how to find pointers; CE tutorial steps #6 and #8 would be a good start.
Your starting value is in EAX (18f85d48); start scanning just like in the tutorial.
You can also use the "Pointer scan" option from the Tools menu; here is a video on how to use it: watch?v=8CJdV1Vfvv0
A third method would be to trace EAX backwards to see how its value is constructed.
mouser Advanced Cheater
Reputation: 0
Joined: 08 Mar 2015 Posts: 50
Posted: Sat Mar 14, 2015 5:07 am
Thanks for the advice, I have the pointer scans down and a few addresses locked (I still have to check out the Mono support, will do later).
I still have to try and AOB these pointers if possible. Do I AOB scan what the pointer points to, or the pointer itself (if there is even a difference)?
Another question: so I have a pointer scan for an address and it gets me every time where I want it to be (e.g. X coordinate). I know that in the memory viewer there are a few other interesting addresses (or opcodes) in the vicinity of that pointer, and they seem to be always at the same distance from it. Let's say there is a function above 2 other functions that does something I find interesting; it's always 2 other functions away, but I don't want to pointer scan for that address.
How do I lock these addresses without pointer scanning them all?
I pointer scanned X, Y and Z one by one, but I've read somewhere else that you only need to find one of them, since they are always 4 bytes apart (there was a name for it, members I think). How do I tell Cheat Engine to look for these other addresses using only the one pointer you have?
I assume it's telling CE in a script to take the pointer and add or subtract 4, then save that address and add some operation to that. How would that look as code?
alanze Advanced Cheater
Reputation: 3
Joined: 03 Oct 2012 Posts: 50
Posted: Sat Mar 14, 2015 12:50 pm
You need to AOB-scan the final result (what the pointer points to), but first you need to find some static values (a pattern) near it.
There is no reason to AOB-scan the base address (because it always remains the same; once you have found it, you have it).
No script is needed to tell CE that there is another address 4 bytes forward or backward. Here is an example to show how you do that:
00665500 - ammo
00665504 - health
00665508 - x position player
0066550C - y position player
00665510 - z position player
00665514 - car id
00665518 - fuel
Let's say you found a 3-level pointer for "x position player" which looks like this:
Pointer for X:
third offset 40
second offset 8
first offset 120
base address 00CCDDFF
Now to use this pointer also for ammo, health, y, etc., you have to add or subtract their address difference to/from the third offset.
Let's do it for y:
we know y is 4 bytes forward (0066550C-00665508=4),
so we add 4 to the third offset, 40+4=44; this is the new pointer for y (without searching and scripting):
Pointer for Y:
third offset 44
second offset 8
first offset 120
base address 00CCDDFF
Do the same for the rest (third offset for ammo = 38; health = 3C; x = 40; y = 44; z = 48; car id = 4C; fuel = 50).
Remember, you always add to or subtract from the last offset (all calculations have to be in hex).
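Added example (not code from alanze's post or from Cheat Engine): the pointer walk he describes and the "change only the last offset" rule, run against a constructed 32-bit memory image. The base 00CCDDFF, the offsets 120/8/40 and the member addresses (ammo 00665500 ... fuel 00665518) are the ones from his post; the intermediate pointer values and the member contents are made up.

```python
"""Resolve a multi-level pointer chain and derive chains for neighbouring
struct members by adjusting only the last offset.

Constructed memory image: base 00CCDDFF -> +120 -> +8 -> +40 = x position
(00665508); ammo/health/x/y/z/car id/fuel are dwords 4 bytes apart, as in
alanze's layout. Intermediate pointer values are invented.
"""
import struct

BASE = 0x00CCDDFF
X_CHAIN = [0x120, 0x8, 0x40]        # CE order: first, second, third (last) offset
STRUCT = 0x00665508 - 0x40           # struct start implied by x = struct + 40

# name -> (offset inside the struct, struct format, planted value)
MEMBERS = {
    "ammo":   (0x38, "<I", 30),
    "health": (0x3C, "<I", 100),
    "x":      (0x40, "<f", 12.5),
    "y":      (0x44, "<f", -3.0),
    "z":      (0x48, "<f", 7.25),
    "car id": (0x4C, "<I", 4),
    "fuel":   (0x50, "<I", 55),
}


def build_memory():
    """Constructed memory: dict address -> byte, little-endian like x86."""
    mem = {}

    def write(addr, fmt, value):
        for i, b in enumerate(struct.pack(fmt, value)):
            mem[addr + i] = b

    write(BASE, "<I", 0x00A00000)                 # [00CCDDFF] -> level 1 (invented)
    write(0x00A00000 + 0x120, "<I", 0x00B00000)   # [level1 + 120] -> level 2 (invented)
    write(0x00B00000 + 0x8, "<I", STRUCT)         # [level2 + 8] -> struct start
    for off, fmt, value in MEMBERS.values():
        write(STRUCT + off, fmt, value)
    return mem


def read(mem, addr, fmt="<I"):
    """Read one value; an unmapped byte is an error, as in a real target."""
    size = struct.calcsize(fmt)
    try:
        raw = bytes(mem[addr + i] for i in range(size))
    except KeyError:
        raise ValueError(f"unreadable memory at {addr:08X}") from None
    return struct.unpack(fmt, raw)[0]


def resolve(mem, base, offsets):
    """CE pointer walk: [[[base]+first]+second]+third. Every offset except the
    last is dereferenced; the last is only added and gives the value's address."""
    addr = read(mem, base)
    for off in offsets[:-1]:
        addr = read(mem, addr + off)
    return (addr + offsets[-1]) & 0xFFFFFFFF


def sibling_chain(offsets, delta):
    """Chain for a member `delta` bytes away from the known one: only the last
    offset changes, the inner offsets and the base stay the same."""
    return offsets[:-1] + [offsets[-1] + delta]


def read_member(mem, name):
    """Read any member through the x chain, without a new pointer scan."""
    off, fmt, _ = MEMBERS[name]
    delta = off - MEMBERS["x"][0]
    return read(mem, resolve(mem, BASE, sibling_chain(X_CHAIN, delta)), fmt)


if __name__ == "__main__":
    mem = build_memory()
    for name in MEMBERS:
        chain = sibling_chain(X_CHAIN, MEMBERS[name][0] - MEMBERS["x"][0])
        print(f"{name:7s} last offset {chain[-1]:02X} -> "
              f"{resolve(mem, BASE, chain):08X} = {read_member(mem, name)}")
```

The delta is in bytes and applied in hex, exactly as the post says; adding it to an inner offset instead would dereference the wrong pointer slot and land on garbage.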
mouser Advanced Cheater
Reputation: 0
Joined: 08 Mar 2015 Posts: 50
Posted: Tue Mar 17, 2015 2:51 pm
Worked like a charm, thanks again.
Now I have a couple of instructions at other addresses I need to deactivate/reroute.
I don't really understand how you can tell Cheat Engine where those addresses are based on the base address of a totally different instruction.
I've seen a video where offsets are used to tell Cheat Engine "you start here, then +40 bytes, there is the address"; it's not quite the same, as these addresses are all in close proximity to one another.
It was the video "Cheat Engine Tutorial 3: Advanced AA Scripts by jgoemat" on YouTube.
I'll try to explain better:
I have an address where a value is stored; I increase/decrease the value to get the desired effect. But first I have to deactivate/reroute/nop a few addresses of an instruction that writes to this value, or it interferes with what I want it to do.
My first thought was to pointer scan or AOB scan this instruction and disable them per script, but this way I get a whole lot of AOB scans, and everything started to bug out when I tried it, so I'm not sure this is the way to go about it.
What do you think?
Edit:
Are there any good rules to follow on how you write a script, general rules like "never use more than one AOB scan in one script"?
alanze Advanced Cheater
Reputation: 3
Joined: 03 Oct 2012 Posts: 50
Posted: Fri Mar 20, 2015 5:50 pm
First find the instructions which write to your values, then put them one by one in an AA script.
There will be places where replacing/nop-ing is enough, but also some places where code injection is needed.
(We don't use "base addresses" for this; we use the address where the instruction is located.)
Here are 2 examples with 2 AA scripts:
0046E8AA - 74 0B - je 0046E8B1
If not jumping, the money will be decreased.
I will change it to 'jmp' to avoid the money decrease.
0046E8AA - EB 0B - jmp 0046E8B1
Byte ratio is equal or less, 2 to 2, no need to inject code.
Code:
[ENABLE]
0046E8AA:
jmp 0046E8B1 // EB 0B: same size as the je it replaces, nothing to pad
[DISABLE]
0046E8AA:
je 0046E8B1 // original bytes 74 0B

00461CBB - FF 47 24 - inc [edi+24]
00461CBE - 8B 47 24 - mov eax,[edi+24]
'edi+24' is the car damage; I don't want it to be increased, so I set it to always 0.
00461CBB - C7 47 24 00000000 - mov [edi+24],00000000
Byte ratio is not equal or less, 3 to 7, code injection is needed.
Code:
[ENABLE]
alloc(newmem,128)
label(returnhere)
newmem:
mov [edi+24],00000000 // set that memory value to 0
mov eax,[edi+24] // original code (which got destroyed by the jmp)
jmp returnhere
00461CBB:
jmp newmem // 5 bytes...
nop // ...plus 1 nop = the 6 bytes of the two overwritten instructions
returnhere:
[DISABLE]
00461CBB:
inc [edi+24]
mov eax,[edi+24]
dealloc(newmem)

As you see, it is not necessary to calculate base addresses or offsets between the 2 instructions, because we already know their location: the first at 0046E8AA, the second at 00461CBB. You just put it in auto assemble; that's how you tell CE what and where to change.
(There are rare cases when the game relocates or changes its executable code; only then do you use AOB patterns to find them.)
mouser Advanced Cheater
Reputation: 0
Joined: 08 Mar 2015 Posts: 50
Posted: Sun Mar 22, 2015 12:04 pm
I have tried creating a script, and when I restarted the game it didn't work anymore, so I assume it's one of those games that changes this around.
This here is an AOB scan injection for the Y axis of the camera (copy/pasted). It disables the part of the code that keeps the camera from going out of the bounds set by the developers, so I can move it everywhere I want. This works every time.
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
aobscan(INJECT,D9 58 04 8B 85 D0 F7 FF FF 89 85 68 FD FF FF) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
fstp st(0) // replaces fstp dword ptr [eax+04]: still pops the x87 stack, just doesn't store the Y value
mov eax,[ebp-00000830] // original code
jmp return
INJECT:
jmp code // 5 bytes + 4 nops = the 9 bytes of the two original instructions
nop
nop
nop
nop
return:
registersymbol(INJECT)
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT:
db D9 58 04 8B 85 D0 F7 FF FF
unregistersymbol(INJECT)
dealloc(newmem)

Now I want to put the other addresses where the code for X and Z is stored into this script, so when I activate it all 3 get deactivated at once.
Do I have to allocate memory for every piece of code separately?
alloc(x,$1000)
alloc(y,$1000)
alloc(z,$1000) etc.
Is there a rule for what order I have to place the code in, or is this all determined by the labels set at the start?
Can I use one AOB scan (the one for Y) to point towards where CE can find X and Z? They should always be at the same distance from one another (in bytes), but I'm not really sure if that is the case.
Sorry for that many questions at once (I hope I'm not stretching any board rules with this).
justa_dude Grandmaster Cheater
Reputation: 23
Joined: 29 Jun 2010 Posts: 893
Posted: Sun Mar 22, 2015 4:43 pm
If you'd follow my advice to enable mono tools, you'd probably be able to refer to them by name and your script wouldn't require any aobs. Any reason you're opposed to it?
mouser Advanced Cheater
Reputation: 0
Joined: 08 Mar 2015 Posts: 50
Posted: Sun Mar 22, 2015 6:01 pm
I'm sorry, I thought that didn't work for me, as it wasn't showing anymore in the memory viewer for whatever reason.
But I checked again a couple of minutes ago and then clicked on the mono dissect option, and then it showed up again (attachment).
This is the address that writes to the address where the camera Y axis is stored; I have to disable it to move the camera.
I pressed Ctrl+A to see what it puts into a code injection (address):
"DynamicCamera:GetCameraPosition:+4422"
I don't have time at the moment to double check if this address will stay the same when I restart the game (it did change when not using Mono support though); will do this tomorrow. But if I understand you correctly, this is what the Mono support does, right? No need for AOB because this description of the address will not change?
And to be a bit more clear about my intentions, I am still going for AOB because I expect updates to this game and don't want to do everything again if that happens. I actually only have a loose concept of how to do that, but I'm reading a lot of threads on this forum recently and trying to get the hang of it.
Last edited by mouser on Mon Mar 23, 2015 4:38 am; edited 1 time in total
alanze Advanced Cheater
Reputation: 3
Joined: 03 Oct 2012 Posts: 50
Posted: Sun Mar 22, 2015 10:26 pm
Here is your auto assemble:
Code:
[ENABLE]
DynamicCamera:GetCameraPosition:+4422:
fstp st(0) // DD D8: pops the value without storing it (2 bytes)
nop // pads to the 3 bytes of the original D9 58 04
[DISABLE]
DynamicCamera:GetCameraPosition:+4422:
fstp dword ptr [eax+04]

Here it is with AOB:
Code:
[ENABLE]
aobscan(yCord, D9 58 04 8B 85 D0 F7 FF FF 89 85 68 FD FF FF) // should be unique
registersymbol(yCord)
yCord:
fstp st(0)
nop
[DISABLE]
yCord:
fstp dword ptr [eax+04]
unregistersymbol(yCord)

You can extend it with x and z if you know that, for example, the x instruction is 30 bytes backward and the z instruction is 40 bytes forward:
Code:
aobscan(Cord, .....
Cord-30:
// some code for x
Cord:
// some code for y
Cord+40:
// some code for z
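Added example (not code from alanze's post, mouser's script or Cheat Engine): an array-of-bytes scan with wildcards and the "should be unique" check, followed by the Cord-30 / Cord / Cord+40 idea of reaching the x and z stores by fixed distance from the y hit. The code region is constructed: the 15-byte signature from mouser's aobscan is planted at a made-up address inside int3 filler, the x and z stores at -0x30 and +0x40 are assumed, and a look-alike copy with a different displacement byte is planted elsewhere to show why a wildcarded signature can stop being unique.

```python
"""AOB scan with wildcards, uniqueness check, and neighbouring patch sites by
fixed distance from the hit.

Constructed region: y signature (from mouser's script) at CODE_BASE+0x50,
assumed x store 0x30 bytes before it, assumed z store 0x40 bytes after it,
and a look-alike of the y signature at +0xC0 whose displacement byte differs.
"""

CODE_BASE = 0x3448A300  # assumed start of the scanned region
Y_SIG = "D9 58 04 8B 85 D0 F7 FF FF 89 85 68 FD FF FF"   # from mouser's aobscan
Y_OFF, X_DELTA, Z_DELTA = 0x50, -0x30, 0x40              # layout of the constructed region


def parse_pattern(text):
    """'D9 58 ?? 8B' -> [0xD9, 0x58, None, 0x8B]; None is a wildcard byte."""
    return [None if tok in ("??", "?", "*") else int(tok, 16) for tok in text.split()]


def scan(region, base, pattern):
    """All addresses where the pattern matches; wildcards skip the comparison."""
    n = len(pattern)
    return [base + i for i in range(len(region) - n + 1)
            if all(p is None or region[i + j] == p for j, p in enumerate(pattern))]


def aobscan(region, base, pattern_text):
    """CE's aobscan as used for injection: the signature must hit exactly once,
    otherwise refuse rather than patch a random copy of the code."""
    hits = scan(region, base, parse_pattern(pattern_text))
    if len(hits) != 1:
        raise LookupError(f"pattern matched {len(hits)} times; it needs to be unique")
    return hits[0]


def bytes_at(region, base, addr, expected_hex):
    """Before writing at hit +/- distance, confirm the expected opcode is there:
    a game update can move the neighbours while the signature still matches."""
    exp = bytes.fromhex(expected_hex.replace(" ", ""))
    off = addr - base
    return region[off:off + len(exp)] == exp


def build_region():
    """Constructed memory region (not taken from the game)."""
    sig = bytes.fromhex(Y_SIG.replace(" ", ""))
    region = bytearray(b"\xCC" * 0x100)                  # int3 filler
    region[Y_OFF:Y_OFF + len(sig)] = sig                 # y store
    region[Y_OFF + X_DELTA:Y_OFF + X_DELTA + 3] = bytes.fromhex("D95808")  # assumed fstp dword ptr [eax+08]
    region[Y_OFF + Z_DELTA:Y_OFF + Z_DELTA + 3] = bytes.fromhex("D9580C")  # assumed fstp dword ptr [eax+0C]
    look_alike = bytearray(sig)
    look_alike[2] = 0x0C                                 # same shape, different displacement
    region[0xC0:0xC0 + len(sig)] = look_alike
    return bytes(region)


def find_sites(region, base):
    """Resolve y by signature, then x and z by distance, verifying each target."""
    y = aobscan(region, base, Y_SIG)
    sites = {"y": y, "x": y + X_DELTA, "z": y + Z_DELTA}
    for name, addr in sites.items():
        if not bytes_at(region, base, addr, "D9 58"):   # all three should be fstp dword ptr [eax+disp8]
            raise LookupError(f"{name} site at {addr:08X} does not hold the expected opcode")
    return sites


if __name__ == "__main__":
    region = build_region()
    print({k: f"{v:08X}" for k, v in find_sites(region, CODE_BASE).items()})
    try:
        aobscan(region, CODE_BASE, "D9 58 ?? 8B 85 D0 F7 FF FF 89 85 68 FD FF FF")
    except LookupError as e:
        print("wildcarded signature:", e)
```

The exact 15-byte signature hits once; the same signature with the displacement wildcarded hits twice and is refused, which is the situation a single aobscan driving three patch sites has to guard against.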
justa_dude Grandmaster Cheater
Reputation: 23
Joined: 29 Jun 2010 Posts: 893
Posted: Sun Mar 22, 2015 11:46 pm
The difference is that aobscans into JIT code won't work until the code has been run for the first time. If you enable the mono stuff and use the decorated names, any necessary JIT code should be compiled on demand. The data dissector also becomes much more useful.
mouser Advanced Cheater
Reputation: 0
Joined: 08 Mar 2015 Posts: 50
Posted: Mon Mar 30, 2015 4:27 pm
Finally got around to trying stuff out; everything seems to be working just fine the way you presented it. I was able to throw most instruction changes into one script except for a few I have a problem with, and it is due to me still not completely having a basic understanding of what to do when dealing with instructions. It probably doesn't help being forced to take long breaks from trying stuff out in CE due to work.
Example:
Code:
[ENABLE]
DynamicCamera:GetCameraPosition:+4422:
fstp st(0)
nop
[DISABLE]
DynamicCamera:GetCameraPosition:+4422:
fstp dword ptr [eax+04]

This works great, but I have another instruction at another address:
Code:
fstp dword ptr [edi+000000C4]

Here the script fails to return everything to the state it was in before activating, when using the script from above. I think it's due to how many nops I have to set in the script, but I'm not sure.
How can you tell how many are necessary just by looking at an instruction?
Another problem:
I have a value stored at an address, but nothing writes to that address (attachment). Looking at the pointer for that address, I search for the address at the top. In the memory viewer I see an address that is not named/declared like the other addresses when using the Mono support of CE. Code injection puts these instructions into a script:
Code:
originalcode:
add [eax],al
xor [ecx+00],al

I also can't just nop the first line, as it results in a black screen (not a crash, but I have to restart the game).
What this value at that address does is tell the game what distance the camera has to keep from the main character. The value is eleven; I'm not sure if it stays eleven throughout the entire game, so I want to push the value onto a stack (is that the correct terminology?) and when disabling the script it should put it back. I don't really understand how this value can change if nothing writes to that address though, so I wouldn't know how to tell CE to return everything to normal again.
Maybe this is a dead end and I wasn't really clear enough describing what I mean or providing enough information.
Zanzer I post too much
Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Mon Mar 30, 2015 7:10 pm
Look in the Bytes column to identify how many NOPs you require.
Code:
DD D8 - fstp st(0) // 2 bytes
D9 58 04 - fstp dword ptr [rax+04] // 3 bytes
D9 9F C4000000 - fstp dword ptr [rdi+000000C4] // 6 bytes
00 00 - add [rax],al // 2 bytes
30 01 - xor [rcx],al // 2 bytes

Copy those bytes, then simply go to the line and type the instruction you are going to replace it with.
If the number of bytes does not match, CE itself will tell you how many bytes your instruction is.
It will even ask if you want to NOP the incomplete instructions.
You can save the value of the pointer using Lua. Assuming I did that correctly...
Code:
[ENABLE]
{$lua}
if syntaxcheck then return end -- CE also runs {$lua} blocks during its syntax check; don't touch memory then
-- walk the pointer chain (32-bit target, so 4-byte reads)
addr = readInteger("blahblah.exe+009E1EEC")
addr = readInteger(addr + 0x5A0)
addr = readInteger(addr + 0x14)
addr = readInteger(addr + 0x2C4)
addr = readInteger(addr + 0x67C)
SAVE_ADDR = readInteger(addr + 0x6C) -- address of the value itself
SAVE_VALUE = readInteger(SAVE_ADDR) -- remembered so [DISABLE] can put it back
[DISABLE]
{$lua}
if syntaxcheck then return end
writeInteger(SAVE_ADDR, SAVE_VALUE)
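Added example (not code from alanze's or Zanzer's post, nor from Cheat Engine): the byte bookkeeping behind alanze's "byte ratio" rule and Zanzer's "look in the Bytes column" answer. It computes how many NOPs an in-place replacement needs, when the replacement is too big and a 5-byte jmp hook is required (and how many whole instructions that hook must steal), and the actual bytes the jmp and the je-to-jmp change assemble to. The instruction byte strings are the ones shown in the thread; the address used for 'newmem' is constructed.

```python
"""Byte bookkeeping for auto-assembler patches: NOP padding for in-place
replacements, jmp-hook planning when the replacement does not fit, and the
encoding of the jumps involved.

Instruction byte strings are the ones listed in the thread (Bytes column);
the newmem address 00500000 is made up.
"""

JMP_REL32 = 5  # E9 rel32
NOP = 0x90


def insn_len(hex_bytes):
    """Length in bytes from the Bytes column, e.g. 'D9 9F C4000000' -> 6."""
    return len(bytes.fromhex(hex_bytes.replace(" ", "")))


def inplace_nops(orig_hex, repl_hex):
    """Replacement no longer than the original: how many NOPs pad it to the
    same size so the next instruction still starts on a boundary. None means
    it does not fit and a jmp hook is needed instead."""
    o, r = insn_len(orig_hex), insn_len(repl_hex)
    return o - r if r <= o else None


def hook_plan(orig_hex_list):
    """Overwrite whole instructions until at least 5 bytes are covered for the
    jmp, then NOP the rest. Returns (stolen instructions, nop count); the
    stolen instructions must be re-executed in the allocated block."""
    stolen, size = [], 0
    for h in orig_hex_list:
        stolen.append(h)
        size += insn_len(h)
        if size >= JMP_REL32:
            return stolen, size - JMP_REL32
    raise ValueError("not enough bytes at this site for a 5-byte jmp")


def encode_jmp(src, target, force_long=False):
    """EB rel8 when the target is in range, else E9 rel32; the displacement is
    relative to the end of the jump. Hooks use force_long so the patch length
    is fixed no matter where newmem is allocated."""
    d8 = target - (src + 2)
    if not force_long and -128 <= d8 <= 127:
        return bytes([0xEB, d8 & 0xFF])
    d32 = target - (src + JMP_REL32)
    return bytes([0xE9]) + (d32 & 0xFFFFFFFF).to_bytes(4, "little")


def jcc_to_jmp(insn):
    """Short conditional jump (70..7F rel8) -> unconditional EB rel8: same
    length and same target, so nothing needs padding and nothing else moves."""
    if len(insn) != 2 or not 0x70 <= insn[0] <= 0x7F:
        raise ValueError("not a 2-byte conditional jump")
    return bytes([0xEB, insn[1]])


def build_hook(src, newmem, orig_hex_list):
    """Bytes written at src: jmp newmem plus NOP padding, exactly as long as
    the stolen instructions, so [DISABLE] restores the same number of bytes."""
    stolen, nops = hook_plan(orig_hex_list)
    patch = encode_jmp(src, newmem, force_long=True) + bytes([NOP]) * nops
    assert len(patch) == sum(insn_len(h) for h in stolen)
    return patch


if __name__ == "__main__":
    print("fstp dword ptr [eax+04] -> fstp st(0):", inplace_nops("D9 58 04", "DD D8"), "nop")
    print("fstp dword ptr [edi+C4] -> fstp st(0):", inplace_nops("D9 9F C4000000", "DD D8"), "nops")
    print("inc [edi+24] -> mov [edi+24],0 in place:", inplace_nops("FF 47 24", "C7 47 24 00000000"))
    print("hook at 00461CBB:", build_hook(0x00461CBB, 0x00500000, ["FF 47 24", "8B 47 24"]).hex(" "))
```

The 6-byte fstp dword ptr [edi+000000C4] therefore needs 4 NOPs after fstp st(0), not 1, which is why the 1-NOP script copied from the 3-byte site leaves a broken instruction behind; alanze's car-damage example comes out as two stolen instructions and one NOP, matching his script.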
justa_dude Grandmaster Cheater
Reputation: 23
Joined: 29 Jun 2010 Posts: 893
Posted: Tue Mar 31, 2015 4:33 am
mouser wrote:
I have a value stored at an address, but nothing writes to that address (attachment). Looking at the pointer for that address, I search for the address at the top. In the memory viewer I see an address that is not named/declared like the other addresses when using the Mono support of CE.

The value is probably a static data member of a class: it isn't stored with the instance's data, but is instead used globally for every instance of the [camera] class. I haven't spent a lot of time debugging mono games, but CE might not pick up static value/instance types.
mouser wrote:
Code injection puts these instructions into a script:
Code:
originalcode:
add [eax],al
xor [ecx+00],al
I also can't just nop the first line, as it results in a black screen

I think you're trying to disassemble some data as if it were code. Not everything in memory disassembles into instructions; some of it is just data, e.g. numbers. That being said, what does it mean to "nop" the number 11? I guess, just change it to 90h. It isn't clear how the value is getting changed from 11 in the first place; are you changing it? If so, why can't you just change it back the same way?
edit: btw, nice job on the other stuff. It looks like you're getting pretty good at this.