Cheat Engine The Official Site of Cheat Engine

Tatsu808 Newbie cheater
Reputation: 0
Joined: 15 Nov 2014 Posts: 20
Posted: Sun Jan 24, 2016 3:20 pm Post subject: Creating a Fallout 4 aimbot in C#
Hi all, I'm currently attempting to create an aimbot for Fallout 4 using C#. I want to use the formulas below to "auto-aim" at the enemy closest to me.
// Distance3D returns the straight-line distance between the two positions.
float pitchX = (float)(Math.Asin((enemy.zPos - player.zPos) / Distance3D(enemy, player)) * 180 / Math.PI);
float pitchY = (float)(-Math.Atan2(enemy.xPos - player.xPos, enemy.yPos - player.yPos) / Math.PI * 180 + 180);
I was able to retrieve pointers and offsets to my x, y, z coordinates as well as my mouse-x and mouse-y values. To find each enemy's coordinates, I first found a single enemy's Y coordinate (I used the enemy named 'Swan'), then found what wrote to that address, opened the memory viewer, and then chose the option, "Find out what addresses this instruction addresses". From there, a list of all the nearby enemy Y coordinates showed. I added several addresses of the enemies' Y coordinates to my address list in order to copy and find a good AOB signature for scanning. Using this AOB signature, I am able to find an address which accesses all enemy Y coordinates between game restarts. Luckily, each enemy's X and Z offsets are just a few offsets from their Y coordinates, so I basically have all enemies' X, Y, and Z coordinates. I'm sure I can find all the enemy HPs the same way.
To do this aimbot in C#, I'm trying to mimic Cheat Engine's "Find out what addresses this instruction addresses" in order to retrieve the list of each enemy's Y coordinates.
I searched the forums and found this thread,
viewtopic.php?t=584937
However, it looks like a C# solution wasn't found. Does anyone know if a library which mimics Cheat Engine's "Find out what addresses this instruction addresses" exists?
Will it be simpler to just use Cheat Engine's LUA script functionality to finish my aimbot? I'm assuming that because cheat engine supports LUA, I will be able to use cheat engine's functions such as its aob scanning and "Find out what addresses this instruction addresses" in LUA scripts?

Tatsu808 Newbie cheater
Reputation: 0
Joined: 15 Nov 2014 Posts: 20
Posted: Mon Jan 25, 2016 1:01 pm Post subject:
I guess my next goal will be to look at cheat engine's source code to learn how "Find out what addresses this instruction accesses" works, then re-create this method in C#. Once I have this created (if time permits), I will post and share the C# method/Object.
From my understanding CE attaches a debugger to a specified process, so I may have to use the same method in C# using:
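Code:
using EnvDTE;

// Attaches the Visual Studio debugger (through the EnvDTE automation model)
// to every local process whose name contains "Target.exe".
public static void Attach(DTE dte)
{
    EnvDTE.Processes processes = dte.Debugger.LocalProcesses;
    foreach (EnvDTE.Process proc in processes)
        if (proc.Name.IndexOf("Target.exe") != -1)
            proc.Attach();
}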

mgostIH Expert Cheater
Reputation: 3
Joined: 01 Jan 2016 Posts: 159
Posted: Mon Jan 25, 2016 1:42 pm Post subject:
Tatsu808 wrote: | I guess my next goal will be to look at cheat engine's source code to learn how "Find out what addresses this instruction accesses" works, then re-create this method in C#. Once I have this created (if time permits), I will post and share the C# method/Object.
From my understanding CE attaches a debugger to a specified process, so I may have to use the same method in C# using:
Code:
public static void Attach(DTE dte)
{
    EnvDTE.Processes processes = dte.Debugger.LocalProcesses;
    foreach (EnvDTE.Process proc in processes)
        if (proc.Name.IndexOf("Target.exe") != -1)
            proc.Attach();
}
|
|
Oh no!
For goodness sake, don't try solving this problem as someone that is Cheat Engine dependent would do, there's a better way for that.
Look at the addresses you got.
You just need a single base address to compute the entire list, because each of them is 0x80 bytes away from the other.
This means that, if you make your code automatically search for the base address (a pointer could work, but I would suggest hooking instead), you can compute everything you need for your table, without the need of a debugger.
_________________

Tatsu808 Newbie cheater
Reputation: 0
Joined: 15 Nov 2014 Posts: 20
Posted: Mon Jan 25, 2016 2:22 pm Post subject:
Thanks for the reply. I also noticed that most of the addresses in the list were 0x80 bytes away from each other, but sometimes, they'll be off by some gaps greater than that. For example, towards the bottom of the list there's:
C3163D2700
C3163D6980
which is 4290 bytes away from each other. Then further down there's
C3163E6F00
C3163E9A00
which is 2B00 bytes away from each other.
I tried finding a pattern to the larger gaps, but am not seeing one. In the picture on my first post, the list is being sorted on the Value column. In the picture attached to this post, they are being sorted on the Address column. I've highlighted some of the addresses that are off more than 80 bytes apart. Got any suggestions on how to handle the gaps that are more than 80 bytes apart?

mgostIH Expert Cheater
Reputation: 3
Joined: 01 Jan 2016 Posts: 159
Posted: Mon Jan 25, 2016 2:28 pm Post subject:
Tatsu808 wrote: | Thanks for the reply. I also noticed that most of the addresses in the list were 0x80 bytes away from each other, but sometimes, they'll be off by some gaps greater than that. For example, towards the bottom of the list there's:
C3163D2700
C3163D6980
which is 4290 bytes away from each other. Then further down there's
C3163E6F00
C3163E9A00
which is 2B00 bytes away from each other.
I tried finding a pattern to the larger gaps, but am not seeing one. In the picture on my first post, the list is being sorted on the value. In the picture attached to this post, they are being sorted on the address. I've highlighted some of the addresses that are off more than 80 bytes apart. Got any suggestions on how to handle the gaps that are more than 80 bytes apart? |
Sure, because even if the larger gaps are not 0x80 bytes away from each other, they are still multiples of 0x80.
This means that, if you iterate through the structure, you can use specific values of them that will tell you if the structure is ok.
For example, the position itself, if a structure is incorrect, the float should be something very strange, either a huge or a very small value.
There might be even other values that can tell you if a structure is the correct one, but I won't go in depth with this.
You can always use the Dissect Data/Structures tool in CE to work around this, or if you are very good in asm x64 you can solve this problem entirely with hooking.
_________________
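
The validity check mgostIH describes above, as an added example that is not part of any post in this thread: it walks a constructed byte snapshot in 0x80-byte steps and keeps only the slots whose three floats look like coordinates. The field offsets (+0, +4, +8), the `MaxCoord` bound and all names are assumptions, not values from the thread.

```csharp
using System;
using System.Collections.Generic;

static class StrideScan
{
    const int Stride = 0x80;       // slot spacing reported in the thread
    const float MaxCoord = 1e6f;   // assumed world bound, tune per data set

    // Plausible = finite, inside the bound, and not a near-zero garbage value.
    static bool Plausible(float v)
    {
        if (float.IsNaN(v) || float.IsInfinity(v)) return false;
        float a = Math.Abs(v);
        return a <= MaxCoord && (a == 0f || a >= 1e-3f);
    }

    // Returns the offsets of slots whose x, y, z (assumed layout) all look sane.
    public static List<int> FindValidSlots(byte[] snapshot)
    {
        var hits = new List<int>();
        for (int off = 0; off + 12 <= snapshot.Length; off += Stride)
        {
            float x = BitConverter.ToSingle(snapshot, off);
            float y = BitConverter.ToSingle(snapshot, off + 4);
            float z = BitConverter.ToSingle(snapshot, off + 8);
            bool allZero = x == 0f && y == 0f && z == 0f;   // unused slot
            if (!allZero && Plausible(x) && Plausible(y) && Plausible(z))
                hits.Add(off);
        }
        return hits;
    }

    // Writes three floats into the snapshot at the given byte offset.
    static void Put(byte[] buf, int off, float x, float y, float z)
    {
        Buffer.BlockCopy(new[] { x, y, z }, 0, buf, off, 12);
    }

    static void Main()
    {
        // Constructed snapshot: six slots, two valid, the rest garbage or empty.
        var snap = new byte[6 * Stride];
        Put(snap, 0 * Stride, 1024.5f, -300.25f, 88.0f);    // valid
        Put(snap, 1 * Stride, float.NaN, 1f, 1f);           // NaN
        Put(snap, 2 * Stride, 3.4e37f, 2f, 2f);             // huge
        Put(snap, 3 * Stride, float.Epsilon, 5f, 5f);       // tiny denormal
        Put(snap, 5 * Stride, -2210.0f, 415.75f, 12.5f);    // valid
        foreach (int off in FindValidSlots(snap))
            Console.WriteLine("valid slot at +0x{0:X}", off);
    }
}
```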

Tatsu808 Newbie cheater
Reputation: 0
Joined: 15 Nov 2014 Posts: 20
Posted: Mon Jan 25, 2016 2:38 pm Post subject:
True, I added 5 random enemies to the dissect data/structures list and there was some "green" among them all. I haven't tried adding any addresses to the dissect data/structures list that were in between those "gaps" greater than 0x80. It's possible the "bad addresses" will be "red" in the locations where the enemy structures share a green area, but don't know just yet! I shall experiment and find out though! Definitely a good way to tell a good address from a bad one.
I shall look into hooking. Sounds like a very viable solution.
Thanks for the help. I will keep you updated on my progress.
Last edited by Tatsu808 on Mon Jan 25, 2016 2:49 pm; edited 1 time in total

mgostIH Expert Cheater
Reputation: 3
Joined: 01 Jan 2016 Posts: 159
Posted: Mon Jan 25, 2016 2:47 pm Post subject:
Tatsu808 wrote: | True, I added 5 random enemies to the dissect data/structures list and there was some "green" among them all. I haven't tried adding any addresses to the dissect data/structures list that were in between those "gaps" greater than 0x80. It's possible the "bad addresses" will be "red" in the locations where the enemy structures share a green area, but don't know just yet! I shall experiment and find out though! Definitely a good way to tell a good address from a bad one.
I shall look into hooking. Sounds like a very viable solution.
Thanks for the help. I will keep you updated on my progress. |
Sure!
If you have any problem with regard to hooking, you can contact me wherever you want!
Just search for mgostIH on Skype, Steam, YouTube, or even Google.
_________________

Tatsu808 Newbie cheater
Reputation: 0
Joined: 15 Nov 2014 Posts: 20
Posted: Mon Feb 01, 2016 1:09 am Post subject:
I was able to get all enemy coordinates via hooking just by using the following:
mov [storage], rdi
movaps [rdi], xmm0
[storage] then contained rapidly changing values representing the enemy y coordinates. I just kept reading the address at [storage] and added them to a C# dictionary.

mgostIH Expert Cheater
Reputation: 3
Joined: 01 Jan 2016 Posts: 159
Posted: Tue Feb 02, 2016 1:02 pm Post subject:
Tatsu808 wrote: | I was able to get all enemy coordinates via hooking just by using the following:
mov [storage], rdi
movaps [rdi], xmm0
[storage] then contained rapidly changing values representing the enemy y coordinates. I just kept reading the address at [storage] and added them to a C# dictionary. |
So I guess you solved the problem.
_________________

sh00ter999 Advanced Cheater
Reputation: 1
Joined: 17 May 2008 Posts: 89
Posted: Sun Aug 21, 2016 4:07 am Post subject:
Tatsu808 wrote: | I was able to get all enemy coordinates via hooking just by using the following:
mov [storage], rdi
movaps [rdi], xmm0
[storage] then contained rapidly changing values representing the enemy y coordinates. I just kept reading the address at [storage] and added them to a C# dictionary. |
What exactly do you mean you simply 'hooked'
Code:
mov [storage], rdi
movaps [rdi], xmm0
?
How do you go about hooking that in C#?
Personally I am having big troubles editing any found values in this game Fallout 4. I am able to find HP, AP, weight and ammunition values (mostly floats) but they only seem to contain the visual values that are printed on the screen, not the actual health for instance. If I scan for HP I remain with 3 addresses, none of them seem to actually alter / freeze HP.
_________________
Hyes!