Cheat Engine

ipinkk · How do I cheat? Reputation: 0 Joined: 31 Oct 2015 Posts: 4

Hi everyone,

I'm trying to find base address of a list of item location in the storage.
After some little investigation, there's something I know about it:

- Each "Item Location" is represent by an array of 5: [ FFFFFFF, itemLocation, itemIndex, columnsInStorage, rowsInStorage]. So, each "Item Location" will take 20 bytes.

- "Item List" is an array of "Item Location".

I tried to found address of "columns" value of an Item. And "Find out what accesses this address". Please look at my attachment.

As you can see from the attachment:

- 2D8 should be the offset of "columns" value.

- eax = 500 = 64*0x14 -> 64 should be the index of Item which I scanned in array

- ecx = 04622148 -> this should be the base of array.

So I add value of ecx into the cheat table and do a pointer scan. I got a lot of results in my computer, even after restart the computer I still got more than 100.000 results.

But when I copy the pointer results to my virtual machine and do the rescan there. All pointers were disappear.

I tried many times but no luck at all.

Could anyone please help ? If you need more information I can provide.

Is there really no base address for this value ?

mgr.inz.Player · Posted: Sat Oct 31, 2015 4:19 pm Post subject:

Increase "max level" and "max offset". (what max level did you try?)
Did you wait till the end of scan or you stopped the scan?

ipinkk · How do I cheat? Reputation: 0 Joined: 31 Oct 2015 Posts: 4

Hi mgr.inz.Player,

Thanks for your reply.

I was using default configuration of CE.

Re-trying with max offset value is 3192 and max level is 6. First scan got more than 5 billion results, re-scanning. This is just too long, Will update results later.

If I suspect one of the offset is around "271FB4" , which max offset value should I provide ?

And is there any faster way to find the base ? I often use "Find what access this memory address" method. But failed to use that method against this value.

EDIT:

I scanned for the base of the array and got an address.

And this is what I got when trying to "Find out what access this address" on that address ( see attachment).

And I'm stuck there.

As far as I know, that's because the array was a local variable of the function.
So anyone know how to get its base ? through debugger or anything.

Any help is much appreciated.

I'm new to CE so if there's anything I can read to solve this, please take me there T_T

Thanks

mgr.inz.Player · Posted: Sun Nov 01, 2015 7:45 am Post subject:

To be clear. You found "columns" value of an Item and do "Find out what accesses...", then you look at ECX register.

That way you received the address of object (array of items).

Is that array in one place all the time (except death, map/level transmission)?

Look here at ECX and ESP registers:

ECX value is way different than ESP value, and that means: array is not a local variable of function.

Better do whole procedure, you did before, this time in one sitting. And make screenshots.

1. find column address, do "Find out what accesses...", do a screenshot (like 1.jpg)
2. add new address to the list (ECX), do "Find out what accesses...", do a screenshot

ipinkk · How do I cheat? Reputation: 0 Joined: 31 Oct 2015 Posts: 4

Here's what I did, step by step

mgr.inz.Player · Posted: Sun Nov 01, 2015 2:17 pm Post subject:

The step 4 and address 043A2110.

You might want to try like this:

Maybe you will find something.

If above found addresses aren't accessed by opcode ("find out what..." doesn't have hits) you can scan for each found address.

Maybe that way you can find address of object which contains pointer to an array of items:

ipinkk · How do I cheat? Reputation: 0 Joined: 31 Oct 2015 Posts: 4

Hi mgr.inz.Player,

Thanks very much for the hint.

First, I tried the range you told me but still got nothing good.

Then, I was thinking, if the array is in an object so the address of array should be [objectBase + offset]. So we won't need address higher then address of the array.

So, I tried search range again with range like [arrayBase-c8, arrayBase]. Still got nothing good.

I continue to tried with [arrayBase-190, arrayBase]. Nothing good at all, at this point i'm thinking about giving up.

Luckily I didn't give up, I tried again with range [arrayBase-258, arrayBase]

Then finally, something good appear, an instruction like move "eax,[eax + ecx*4]". The offset from array was 1b4

That look familiar, I managed to find its base address pretty easily.

I didn't have enough time to test the base more, but it seem very good.

Thanks again, and a lot. Without your hint, maybe I would never figure it out.

But if possible, I have one question: why didn't I get anything when try to "find out what access this address" on the base of array. From the final result, I would expect something like "mov eax, [ecx + 1b4]" when try to "find out what access this address".
I'm very eager to learn what really happens there. So if possible please help to answer my question.

mgr.inz.Player · Posted: Mon Nov 02, 2015 12:23 pm Post subject:

That array could be accessed once, immediately after it was created. While world and assets are loading, or while spawning your character, etc.

You can not do "find out what..." on not yet existing array.