Cheat Engine Forum Index -> General Gamehacking
The Official Site of Cheat Engine

When a game hides information too well.

wizzar
How do I cheat?
Reputation: 0

Joined: 19 Oct 2015
Posts: 7

Posted: Mon Oct 19, 2015 11:51 am    Post subject: When a game hides information too well.

Hello guys,
so I've been fiddling with a game for a few days now and I'm on the verge of losing my mind searching for a base address.

I followed all the tutorials and videos I could find, learned about multi-level pointers and all the stuff. The problem is that all the examples always use "stupid" games, games that don't make any effort to hide information. Now that I came across a well written game, I'm facing a wall.

First thing I noticed: the HP value is a 2-byte "nonsense" number, and it changes every time.
Say my HP is 505, then the address that contains my HP will contain a number such as 19968 (but this changes; I think they use a random salt every time you open the game).
I don't know how to get around this problem, how to find a formula that will give me the correct HP. This is my first question: how would I go about doing that?

Second question is related to the base pointer.
I managed to find the first level pointer for hp and mana (they are always 0x8 away from each other, e.g. mp = 022208AA hp = 022208A2).
When I use "find out what accesses..." on HP, there is only 1 opcode that accesses the HP when it changes, and it has no offset:
fstp dword ptr [esi] (esi = 022208A0).

I figured out that the address pointing to 022208A0 + 0x2 = hp, so 022208A0 + 0x2 + 0x8 = mp.

Now, if I use "find out what accesses this pointer" on hp pointer, I get 9 opcodes, all equal.
Here is where things get out of my league:


[image: i.imgur dot com/KiBj6d3.png]

>> 004F5D05 - mov esi, [ebx+eax*4+000000A4]
The value of the pointer [...] is probably 07F12678 (6 results upon search).

EAX = 00000DC9
ESI = 022208A0

Now 07F12678 gives me 6 results upon search, but I can't find the HP anymore because I can't find the offset.
PS: I tried DC9 * 4 + A4 = 37C8, it doesn't help.
PS2: +000000A4 is always there, never changes.

What am I missing?


I figured it out. I wasn't adding the second-level offset. I had to add 2 offsets for 07F12678: 37C8 and another with 2, then I got a pointer to the HP again.

I kept on doing this, I found 8 levels. Now I'm stuck. I searched for an address (008276B0) that gives me 2 possible pointers:
02214354 and 0832FF70, the problem is that after adding the offset to these pointers, I get nothing from "find out what accesses this pointer", just a bunch of

mov esi,[esi]
mov edx,[edx]
mov eax,[eax]
mov edx,[edx]

and in all of these, the probable address is again 008276B0, it's like I'm in a loop.

What is the procedure here?

ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4697

Posted: Mon Oct 19, 2015 8:38 pm

First question is an easy one I think. It's the wrong data type.

You said that fstp dword ptr [esi] (esi = 022208A0) writes to HP. fstp is an instruction usually used with floating point numbers, not integers. dword ptr means that you're working with something that's the length of a double word, or 4 bytes. Put this together, and you should see that you're probably dealing with a float stored at 022208A0, and not a 2-byte stored at 022208A2.

With regards to your second question, I'm amazed you did it manually for 8 levels of pointers. I get bored after I can't find a static after 2 or 3 levels and end up doing a pointer scan for it. CE's pointer scanner is pretty straightforward for the most part. Make sure you set the max offset value to be 16384 (something greater than 14280, or 37C8 converted to decimal), and maybe start with a lower max level (like 3) and work your way up. If you'd like a guide/tutorial for pointer scanning, you can search around for one. I found one here; seems good, but I only took a glance at it.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
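The three mechanics this thread turns on, in one added Python example: the SIB arithmetic behind `mov esi,[ebx+eax*4+000000A4]` (which is where the 37C8 offset and the "max offset must exceed 14280" advice come from), following a CE-style multi-level pointer path, and why a 32-bit float written by `fstp dword ptr [esi]` looks like a random 2-byte integer when read two bytes in. This is example code, not code from the thread or from Cheat Engine. The "process memory" is a constructed dict-backed stand-in; the register values and addresses are the ones quoted in the post, while the static base `0x00A01234` and the MP value of 120 are assumptions made up for the example.

```python
import struct


class SparseMemory:
    """Toy stand-in for a target process's address space (constructed, not a
    real process). Only bytes that were written exist; reading anything else
    raises, which is the honest outcome of a pointer path that does not resolve."""

    def __init__(self):
        self._bytes = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self._bytes[addr + i] = b

    def read(self, addr, size):
        try:
            return bytes(self._bytes[addr + i] for i in range(size))
        except KeyError:
            raise ValueError(f"unmapped read at {addr:08X}") from None

    def read_u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

    def read_u16(self, addr):
        return struct.unpack("<H", self.read(addr, 2))[0]

    def read_f32(self, addr):
        return struct.unpack("<f", self.read(addr, 4))[0]

    def write_u32(self, addr, value):
        self.write(addr, struct.pack("<I", value))

    def write_f32(self, addr, value):
        self.write(addr, struct.pack("<f", value))


def sib_offset(index, scale, disp):
    """Offset that an x86 [base + index*scale + disp] operand adds to base."""
    return index * scale + disp


def resolve_pointer_chain(mem, base, offsets):
    """Follow a CE-style pointer path: [[[base] + o1] + o2] + o3 ...
    Each intermediate sum is dereferenced; the last sum is the data address."""
    addr = base
    for off in offsets:
        addr = mem.read_u32(addr) + off
    return addr


STATIC_BASE = 0x00A01234   # assumed static address holding ebx (not in the post)
EBX = 0x07F12678           # pointer value CE reported for the mov esi instruction
EAX = 0x00000DC9           # index register value from the post
PLAYER = 0x022208A0        # esi: the struct that fstp dword ptr [esi] writes into


def build_image():
    """Constructed memory laid out the way the post describes it."""
    mem = SparseMemory()
    mem.write_u32(STATIC_BASE, EBX)
    # mov esi,[ebx+eax*4+000000A4] -> esi = PLAYER
    mem.write_u32(EBX + sib_offset(EAX, 4, 0xA4), PLAYER)
    # fstp dword ptr [esi]: HP is a 32-bit float at PLAYER.
    # MP sits 8 bytes later in the post; its value here is assumed.
    mem.write_f32(PLAYER, 505.0)
    mem.write_f32(PLAYER + 8, 120.0)
    return mem


def hp_as_seen_by_ce(mem):
    """Return (float HP, the 'nonsense' 2-byte value at PLAYER+2) for the same bytes.
    Bits 16..31 of a float are the sign, the 8-bit exponent and the top 7 mantissa
    bits, so that word moves in big, non-linear steps as HP changes."""
    return mem.read_f32(PLAYER), mem.read_u16(PLAYER + 2)


def main():
    mem = build_image()
    off = sib_offset(EAX, 4, 0xA4)
    print(f"offset = {off:X}h = {off} (a pointer-scan max offset must exceed this)")
    hp_addr = resolve_pointer_chain(mem, STATIC_BASE, [off, 0])
    print(f"HP float at {hp_addr:08X} = {mem.read_f32(hp_addr)}")
    hp, word = hp_as_seen_by_ce(mem)
    print(f"same bytes as a 2-byte int at {PLAYER + 2:08X}: {word} ({word:04X}h)")
    mp_addr = resolve_pointer_chain(mem, STATIC_BASE, [off, 8])
    print(f"MP float at {mp_addr:08X} = {mem.read_f32(mp_addr)}")
    try:
        resolve_pointer_chain(mem, STATIC_BASE, [off, 0x100, 0])
    except ValueError as e:
        print("bad path:", e)


if __name__ == "__main__":
    main()
```

The unmapped-read exception is the check worth keeping when you script this against a real process: a pointer-scan candidate that dereferences into nothing should fail loudly, not hand back a zero that looks like a legitimate result.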