Cheat Engine The Official Site of Cheat Engine
SkeeLo (How do I cheat?)
Reputation: 0
Joined: 13 Feb 2016, Posts: 6
Posted: Sun Feb 14, 2016 5:02 am, Post subject: Witcher 3 and general hacking questions
I'm trying to learn CE and game hacking in general and have a few questions. They're mostly general questions, but my examples pertain to Witcher 3 since that is the game I'm using to learn with.
Question 1:
Is it normal that you can't find any pointers at all for some things in games?
Because I cannot find any pointers for Stamina at all using any of the methods outlined in all the guides.
I've also done ridiculous amounts of pointer scanning with different offset amounts and levels, and it always returns a blank page a few re-scans in, if not immediately, despite having hundreds of thousands of "potential" pointers left before that happens.
Question 2:
I cannot find the Health address at all by scanning for it, neither by scanning for float values (exact, values between, increase/decrease etc.; none works, and I know it's a float) nor if I scan for the exact address (I know it due to Zanzer's table). I can add it manually though. What gives?
Question 3:
I finally got to the Stamina address (the persistent one, I mean; finding the current address is easy) via AOBScan instead of a pointer, and noticed that when I commented the code out in the injection it also affected the Health, Enemy Health etc.
I figured it must be a structure and did a dissect as per the tutorial I read before, but I didn't know what to look for, and this is where I got stuck on my own.
I then looked at Zanzer's table (noticed he used the same AOBScan, high-fived myself for that) and spent a few hours trying to understand what was going on, since I've never looked at this stuff before.
Well, I finally understand most of it, but I have no idea how to get there on my own, and that's what I'm hoping someone can help me with.
I noticed he had a label called player_ptr, so I went looking for this address and found it by checking the Stamina instruction and looking at what it accesses. But I never would have been able to draw the conclusion here on my own, since a) it displays Health, so I wouldn't have understood that it was the "base" for the whole structure, and b) by default it shows the value as a byte, so there's no way I would have known it even displays Health in the first place, since it wouldn't have occurred to me to change it to float.
So how do you even get there from the Stamina address logically?
Question 4:
Building on the last question, how do you in general find things within structures like this?
This is one example of how adding offset 8 gets you a value that represents the resource type (if I understand it correctly), and stamina is represented by 2. I can't even begin to grasp right now how I would ever figure that out on my own.
Code:
    cmp dword ptr [rax+2C],8
This I assume is probably checking something pertaining to the player (if the input is for the player specifically, maybe?), since Zanzer has it before he checks for Health etc., and if I don't have it in my code before everything, the enemies become invincible.
He also compares the same address with 3 before jumping into a label called is_npc (which I don't understand the top half of), so I can assume what it does, but I have no idea how to arrive at that conclusion logically. How did it even occur to him/anyone to look at that offset and check what it does? How do you even check for it? What do 8 and 3 mean in this context, and how do you arrive there logically?
In other words: what do I need to look up to learn about this? Are there any other advanced methods etc. that I need to understand to proceed with this stuff?
I apologize for the wall of text, I just really want to learn and understand.
Zanzer (I post too much)
Reputation: 126
Joined: 09 Jun 2013, Posts: 3278
Posted: Sun Feb 14, 2016 8:26 am
Depending on how the game handles its structures, pointers may be difficult to find with pointer scans.
That is why I stick to code injection to retrieve my base pointers.
Health was actually quite easy to find, considering you can see the exact Vitality amount.
One thing you need to know is that it is normally always a float type and the display value is often rounded.
So if the game shows you have 3000 vitality, you need to do a float search between 2999 and 3001.
The instruction that writes to stamina/health is: movss [rax+rcx*4],xmm6
You use that to determine the base. RAX contains the base while RCX*4 positions the pointer to values within that structure.
So then you noticed that changing this instruction affects enemies too.
Well, that's no good, so we must find some way to filter for when it's the player structure.
Specifically for Witcher 3, you can look within the base structure and identify a pattern.
You have two floats followed by a 4-byte integer. So the floats were easy to identify.
Current health/max health. Current stamina/max stamina. Etc.
So now what could that 4-byte integer represent?
So, you find a few enemies and see what values their structures contain.
Well, you can see that enemy health is always followed by a 0.
Oh wait, some enemies have a value of 1 after their health.
Well, what gives?! What's so special about these enemies?
Hang on a second! Enemies with a 1 are magical beasts.
Witcher contains two weapon types that affect mundane and magical creatures differently!
The 0/1 must be used by the game to determine which damage type affects their health.
Okay, this conclusion may have been harder to come by...
But you can clearly see that stamina is always followed by a 2 for player and NPC.
So anyway, continue looking at what values the player has that NPCs don't have.
Well, toxicity seems like a good stat. Why would the game waste time tracking toxicity on each monster?
Good news. They don't! Well, the 4-byte integer after current/max toxicity is a 3.
So all I need to do is check if the current structure contains toxicity to determine that it is the player.
Code:
    cmp dword ptr [rax+20],3
    jne is_npc
The value 8 which you listed actually deals with the horse.
I do believe 8 is the ID for the Horse Fear stat.
Well now, only the horse should have a Horse Fear stat...
So that compare just gives the horse unlimited everything.
SkeeLo (How do I cheat?)
Reputation: 0
Joined: 13 Feb 2016, Posts: 6
Posted: Sun Feb 14, 2016 2:52 pm
Zanzer wrote:
> Depending on how the game handles its structures, pointers may be difficult to find with pointer scans.
> That is why I stick to code injection to retrieve my base pointers.
Good to know; after hours of trying I was beginning to question my sanity.
Zanzer wrote:
> Health was actually quite easy to find, considering you can see the exact Vitality amount.
> One thing you need to know is that it is normally always a float type and the display value is often rounded.
> So if the game shows you have 3000 vitality, you need to do a float search between 2999 and 3001.
I had a complete brainfart and started the search off with "exact value" because the health was at max value, and then from there did the "between value" search due to it being a float value. I'm a doofus.
Zanzer wrote:
> The instruction that writes to stamina/health is: movss [rax+rcx*4],xmm6
> You use that to determine the base. RAX contains the base while RCX*4 positions the pointer to values within that structure.
Is this a common way structures are, well, structured?
I mean, when you first came upon this instruction "movss [rax+rcx*4],xmm6", was it immediately obvious to you that it worked as you described above?
Maybe it would have been more clear to me had I been able to find Health last night; maybe I would have noticed its address and RAX are the same and that the same instruction accesses it, and thus put two and two together. I don't know.
I understand how this works now, but as you can tell I'm trying to wrap my head around how to arrive there without help, as I assume I will run into these things again in the future (maybe even within Witcher 3?).
Zanzer wrote:
> Specifically for Witcher 3, you can look within the base structure and identify a pattern.
> You have two floats followed by a 4-byte integer. So the floats were easy to identify.
That's not what the structure looks like to me, which is part of why it didn't make any sense when I initially looked at it.
When I look at it right now, Health at offset 0 is indeed a float, but Max Health is a Byte and I have to change it to Float for its value to become meaningful. In fact the next 4 offsets (4-7) are Byte.
And then at offset 8 I have the 4-Byte integer that is 0 for Health.
Stamina and Max Stamina are both Floats, which is why I found them last night and they made sense to me, and they are indeed followed by that 4-Byte integer.
But then Toxicity right after that is also a 4-Byte integer that I have to change to Float manually for it to make sense.
After Max Toxicity, its "toxicity type" is also a Float instead of a 4-Byte integer.
So as you can see, that pattern isn't immediately obvious, at least not to me, which eats away at me, because why would it ever occur to me to start changing these value types around on my own?
Zanzer wrote:
> So, you find a few enemies and see what values their structures contain.
> Well, you can see that enemy health is always followed by a 0.
> Oh wait, some enemies have a value of 1 after their health.
> Well, what gives?! What's so special about these enemies?
> Hang on a second! Enemies with a 1 are magical beasts.
> Witcher contains two weapon types that affect mundane and magical creatures differently!
> The 0/1 must be used by the game to determine which damage type affects their health.
> Okay, this conclusion may have been harder to come by...
> But you can clearly see that stamina is always followed by a 2 for player and NPC.
> So anyway, continue looking at what values the player has that NPCs don't have.
> Well, toxicity seems like a good stat. Why would the game waste time tracking toxicity on each monster?
> Good news. They don't! Well, the 4-byte integer after current/max toxicity is a 3.
> So all I need to do is check if the current structure contains toxicity to determine that it is the player.
Thank you for explaining all this. I obviously never got this far on my own, but having you lay out your thought process is extremely helpful.
Zanzer wrote:
> The value 8 which you listed actually deals with the horse.
> I do believe 8 is the ID for the Horse Fear stat.
> Well now, only the horse should have a Horse Fear stat...
> So that compare just gives the horse unlimited everything.
Well, this explains why "weird" things happened when I used it as a check to see if it was the player. /facepalm
Thank you for taking the time to answer my questions, I very much appreciate it; it was incredibly helpful! You're a rockstar, mate!
Zanzer (I post too much)
Reputation: 126
Joined: 09 Jun 2013, Posts: 3278
Posted: Sun Feb 14, 2016 5:33 pm
The structure spider is a nice tool, but I don't tend to use it. It often guesses address types wrong.
The first thing I always do after finding health or stamina is browse the memory region around that address.
So you would have set the Memory Viewer type to Float and instantly noticed maximum health right after health.
From there, you would've seen several other floats, and it's quite normal that stamina/mana and other stats are around health.
So from there you would have seen all of the stats related to the player and assumed the structure base is around there.
The format of this instruction is quite normal, yes.
You start with a base and then add an offset to it.
In this case, the offset is equal to an index value times 4.
This structure is being treated like an array.
Most games use floats or 4-byte integers, so you will normally see it multiply by 4.
So if the index is 0 and you multiply by 4, you get 0. This is the offset for the first item in the array (current health).
Another format you may see is [rax+rcx*4+100]
For this, you are again dealing with an array, but this array starts 0x100 bytes after the base structure address.
Of course, you'll still likely want to grab the base address (RAX in this case).
SkeeLo (How do I cheat?)
Reputation: 0
Joined: 13 Feb 2016, Posts: 6
Posted: Sun Feb 14, 2016 7:48 pm
You, sir, are a gentleman and a scholar!
I didn't use the structure spider myself; I just did Dissect data/structures under Tools, as I saw this in a tutorial. That's where the information is guessed wrong by CE, I assume, and thus confused me.
As you can see in the attached picture of the player structure, both Health and Max Health as well as some other values are the wrong value type (Toxicity at 0018, for example, is 4-Byte).
Am I going about this the wrong way?
Or is it perhaps a case of: I would have been able to notice that the value type was wrong if I had more experience with this?
I mean, I understand these values now after having looked at your code and with the help you've provided here in this thread, so it's all pretty much crystal clear now in terms of what it does.
I'm just trying to "backtrack" as if I had not looked at your code nor received your help and see if I can understand the logical steps to find this information on my own.
[Attached image: player structure screenshot, 146.42 KB]
Zanzer (I post too much)
Reputation: 126
Joined: 09 Jun 2013, Posts: 3278
Posted: Sun Feb 14, 2016 8:50 pm
After finding health, I would simply right-click the address and select Browse this memory region.
This would open up the Memory Viewer at that address.
Since the address is a float, you would right-click in the bottom pane and select Display Type > Float.
Now you can see the various float values for the addresses in the same general area.
All of the 0.00 values are likely non-float values. So for them, I would switch to 4-byte decimal and see the values they have.
Toss in some trial and error by changing values and seeing what effect it has in-game.
[Attached image: Memory Viewer screenshot, 53.51 KB]
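As an added example (not Zanzer's table or any code from the thread), the layout and checks described in Zanzer's posts above modelled in Python: the structure is read as repeating (current float, max float, 4-byte id) groups, the `[rax+rcx*4]` addressing becomes index*4, and the two cmp instructions quoted in the thread become the player and horse checks. The sample structures are constructed for this example, and the id 99 in the horse sample is a filler value, not something from the game.

```python
import struct
from dataclasses import dataclass

# Layout as described in the thread: repeating 12-byte groups of
# (current float, max float, 4-byte stat id). Under that layout,
# [rax+20] is the id of the third group and [rax+2C] that of the fourth.
GROUP = struct.Struct("<ffi")

@dataclass
class Stat:
    offset: int        # byte offset of the current value in the structure
    current: float
    maximum: float
    stat_id: int       # 0/1 health (mundane/magical), 2 stamina, 3 toxicity, 8 horse fear

def parse_stats(buf: bytes) -> list[Stat]:
    # Walk the structure 12 bytes at a time, as when browsing it as floats.
    return [Stat(off, *GROUP.unpack_from(buf, off))
            for off in range(0, len(buf) - GROUP.size + 1, GROUP.size)]

def field_offset(index: int, array_base: int = 0) -> int:
    # Offset computed by [rax+rcx*4] (or [rax+rcx*4+array_base]).
    return array_base + index * 4

def write_float(buf: bytes, index: int, value: float) -> bytes:
    # Emulate movss [rax+rcx*4],xmm6: store one float at index*4.
    out = bytearray(buf)
    struct.pack_into("<f", out, field_offset(index), value)
    return bytes(out)

def id_at(buf: bytes, offset: int):
    # dword read at offset; None when the sample is shorter than that.
    return struct.unpack_from("<i", buf, offset)[0] if offset + 4 <= len(buf) else None

def is_player(buf: bytes) -> bool:
    return id_at(buf, 0x20) == 3      # cmp dword ptr [rax+20],3 ; jne is_npc

def is_horse(buf: bytes) -> bool:
    return id_at(buf, 0x2C) == 8      # cmp dword ptr [rax+2C],8

def build(groups) -> bytes:
    # Constructed sample structures for this example, not real game memory.
    return b"".join(GROUP.pack(c, m, i) for c, m, i in groups)

PLAYER = build([(2999.5, 3000.0, 0), (80.0, 100.0, 2), (12.0, 100.0, 3)])
MAGICAL_NPC = build([(450.0, 450.0, 1), (30.0, 30.0, 2)])
HORSE = build([(500.0, 500.0, 0), (60.0, 60.0, 2),
               (0.0, 0.0, 99),            # 99: filler id, made up for the sample
               (0.0, 100.0, 8)])
```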
SkeeLo (How do I cheat?)
Reputation: 0
Joined: 13 Feb 2016, Posts: 6
Posted: Sun Feb 14, 2016 9:05 pm
Beautiful!
I cannot express my gratitude enough. Thank you for all your help, Zanzer!