Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
How on earth do you find entity lists, Enemy players arrays
Gaz
Cheater
Reputation: 0

Joined: 08 Aug 2012
Posts: 40

Posted: Sun Mar 20, 2016 11:28 am    Post subject: How on earth do you find entity lists, Enemy players arrays

I really hope someone can help me. I am trying to find an entity list, so as to access all players in a DLL which I am coding in C++, and then set the enemies' ammo to 0 so that they have no ammo, or set their health to 0 so that they get one-hit killed. I have tried so many ways of finding this with no luck. I do know though that enemies do access my health, but here is a video showing how I am trying... https://www.youtube.com/watch?v=NwDr1mkr3j8

I want to take this knowledge and use it for like other games as well
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

Posted: Sun Mar 20, 2016 11:58 am

Find the health of two enemies. Use the automatic pointer scanner on each.
Go through both lists of found pointers and find a common address used in both.
For example, you might find pointers with 5 offsets and the address after the 2nd offset is the same for both enemies.
So then the offset after that is the one that cycles through each enemy.
Gaz
Cheater
Reputation: 0

Joined: 08 Aug 2012
Posts: 40

Posted: Sun Mar 20, 2016 1:24 pm

Tried to no avail
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sun Mar 20, 2016 9:30 pm

For ammo...all you need to do is hook the instruction that is accessing all ammo values, which, according to your video, you may have already found. Since the instruction is also accessing hero ammo, you'll need to filter it out so that it isn't affected. Once you have a reliable filter in place, you can do whatever you want with enemy ammo.

By the way, this target has integrity checks, so keep that in mind when doing any sort of injection.
Gaz
Cheater
Reputation: 0

Joined: 08 Aug 2012
Posts: 40

Posted: Mon Mar 21, 2016 7:57 am

I know the game has checks. Is there a video on the net somewhere about finding entity lists for games, etc.?
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Mon Mar 21, 2016 8:16 am

Well...good luck, then. Mr. Green
atom0s
Moderator
Reputation: 205

Joined: 25 Jan 2006
Posts: 8587
Location: 127.0.0.1

Posted: Mon Mar 21, 2016 12:50 pm

Gaz wrote:
I know the game has checks. Is there a video on the net somewhere about finding entity lists for games, etc.?


It differs per game due to how the game works and handles the objects.

For example, I'll use C++ as a reference.

If a game uses a predefined array of objects like this:
Code:
Entity* m_EntityPointers[1024];   // fixed table of pointers; each slot is one pointer wide (4 bytes on 32-bit)
m_EntityPointers[0] = new Entity();
m_EntityPointers[1] = new Entity();


In memory you are going to have a table of pointers where they would be indexed based on the size of the pointer (ie in this example, 4 bytes). So you would often see things like:
Code:
mov ecx, [eax+edx*4]


eax would be the base address of m_EntityPointers, while edx would be the index within the block to offset from (i.e. 0 to 1024).

Another example would be if a list implementation was used. However there are a lot of different list variants. There is a single linked list, double linked list, etc. Linked lists often are started with a few variables specific to the lists. Something like this:
Code:
struct SingleLinkListElement
{
    void* next;
};

struct DoubleLinkListElement
{
    void* prev;
    void* next;
};


Then each element is linked to one another keeping a chain of elements that can be iterated through. In some cases, next will be set to the first element in the chain on the last element, or in other cases it will be null. (Same goes for prev on the first element. In some cases it will link to the last element, others it will just be null.)

A game that uses this approach is Grim Dawn. They do a single linked list on their objects stored in an object manager. The next is set to the following object in the list, with the last object being set to the first object's pointer in the list. So you would compare against the first element's pointer while looping the list.

For example walking a linked list in this manner would be like:
Code:

// Start from the head of the list (however the game exposes it), then follow
// 'next' (at offset 0x00) until it wraps back around to the head.
auto firstObjPtr = *(unsigned int*)(get_first_object_in_some_manner());
auto current = firstObjPtr;
while (true)
{
    // ... handle 'current' here ...
    auto next = *(unsigned int*)(current + 0x00);
    if (next == firstObjPtr)
        break;
    current = next;
}


To find how games usually handle this, your best bet is setting breakpoints on parts of the structure within the object. From there you can trace back to what is accessing it to determine how it is being handled in memory in terms of how the full list / array is stored. (If there even is one.)

Here is a quick rundown example of the first approach I gave, in a game that uses a fixed array for its entities. First you'd find some information on an entity you want to find. So for example, this is my entity's information block:


From there I'd add a known location in this block to my table and use the 'Find What Accesses This Address' feature. For example, in my entity block offset 0xA0 is a pointer to my XYZ information. So I'll use that.

With that I find a lot of results accessing this address, since it's a highly accessed thing:


I can check each of these until I can trace some information back to what is accessing my base pointer of my entity. So one of the traces gives me this function:


In this function, the game is looping the entity list within a certain bounds (0x400 to 0x900). This loop checks a few certain things about the entity.

- 0x00000078 = The entity's server id. (To compare against what is being looked for, from an argument passed to this function.)
- 0x000000A0 = The entity warp pointer. (To its XYZ information.)
- 0x00000120 = The entity's render information. (To determine if it's alive/rendered on screen.)

In a pseudo manner, this is basically doing the following:
Code:
auto index = 0x400;
while (index < 0x900)
{
    // Get the entity pointer (table base 0x037851A0, 4 bytes per slot)..
    auto pointer = *(unsigned int*)(0x037851A0 + (index * 4));
    if (pointer == 0)
    {
        index++;
        continue;
    }

    // Get the warp pointer of the entity and ensure it's valid..
    auto warpPtr = *(unsigned int*)(pointer + 0xA0);
    if (warpPtr == 0)
    {
        index++;
        continue;
    }

    // Get the render flag of the entity and ensure it's rendered..
    auto render = *(unsigned int*)(pointer + 0x120);
    if (render == 0x04000000)
    {
        index++;
        continue;
    }

    // Compare the server id against the one passed in as an argument (wantedServerID)..
    auto serverId = *(unsigned int*)(pointer + 0x78);
    if (serverId == wantedServerID)
    {
        // Return the warp pointer of this entity..
        return warpPtr;
    }

    index++;
}

_________________
- Retired.
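The two container layouts atom0s describes above, a fixed table of pointers indexed with `[base + index * sizeof(pointer)]` and a circular singly linked list whose last `next` points back at the head, as an added example that is not atom0s's code and not from any game. The entity layout (offsets `ENT_OFF_NEXT`, `ENT_OFF_ID`, `ENT_OFF_ALIVE`), the table, the objects and the "alive" flag are all constructed in-process here, and the reads use the host's pointer width rather than the 4 bytes of the 32-bit example. What it adds to the post is the part that usually goes wrong in practice: skipping null slots, stopping a circular walk when `next` wraps to the head, and capping the walk so a corrupted `next` cannot loop forever.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical entity layout (made up for this example): the walk only
 * needs the field offsets, exactly as a debugger trace would give them. */
#define ENT_OFF_NEXT   0x00  /* next-element pointer (linked-list variant) */
#define ENT_OFF_ID     0x08  /* 32-bit id */
#define ENT_OFF_ALIVE  0x0C  /* 32-bit "alive / rendered" flag */
#define ENT_SIZE       0x10
#define TABLE_SLOTS    8
#define MAX_WALK       1024  /* guard against a corrupt or never-closing cycle */

/* Raw reads at address + offset, standing in for reading process memory.
 * Pointer width is the host's (uintptr_t), not the 4 bytes of the 32-bit post. */
static uintptr_t read_ptr(uintptr_t addr, size_t off) {
    uintptr_t v; memcpy(&v, (const void *)(addr + off), sizeof v); return v;
}
static uint32_t read_u32(uintptr_t addr, size_t off) {
    uint32_t v; memcpy(&v, (const void *)(addr + off), sizeof v); return v;
}

static uint8_t   objs[4][ENT_SIZE];   /* constructed entity objects */
static uintptr_t table[TABLE_SLOTS];  /* constructed sparse pointer table */

/* Builds four objects linked in a circular singly linked list (last->next
 * points back at the first) and registers them in a sparse fixed-size
 * pointer table.  Returns the table base; *first_out receives the list head. */
static uintptr_t build_sample(uintptr_t *first_out) {
    memset(objs, 0, sizeof objs);
    memset(table, 0, sizeof table);
    for (int i = 0; i < 4; i++) {
        uint32_t id = 100 + i, alive = (i != 2);          /* object 2 is dead */
        uintptr_t next = (uintptr_t)objs[(i + 1) % 4];     /* 3 -> 0 closes the ring */
        memcpy(objs[i] + ENT_OFF_ID, &id, sizeof id);
        memcpy(objs[i] + ENT_OFF_ALIVE, &alive, sizeof alive);
        memcpy(objs[i] + ENT_OFF_NEXT, &next, sizeof next);
    }
    table[1] = (uintptr_t)objs[0]; table[3] = (uintptr_t)objs[1];
    table[4] = (uintptr_t)objs[2]; table[6] = (uintptr_t)objs[3];
    *first_out = (uintptr_t)objs[0];
    return (uintptr_t)table;
}

/* Array variant: slot = base + index * sizeof(pointer), the [eax+edx*4]
 * pattern.  Null slots and dead objects are skipped.  Returns the number of
 * live entities and stores up to max of their ids. */
static int walk_table(uintptr_t base, int lo, int hi, uint32_t *ids, int max) {
    int n = 0;
    for (int index = lo; index < hi; index++) {
        uintptr_t p = read_ptr(base, (size_t)index * sizeof(uintptr_t));
        if (p == 0) continue;                          /* empty slot */
        if (read_u32(p, ENT_OFF_ALIVE) == 0) continue; /* not alive/rendered */
        if (n < max) ids[n] = read_u32(p, ENT_OFF_ID);
        n++;
    }
    return n;
}

/* Linked-list variant: follow next until it wraps to the head (circular
 * list) or becomes null (null-terminated list), whichever happens first. */
static int walk_list(uintptr_t first, uint32_t *ids, int max) {
    int n = 0;
    for (uintptr_t cur = first; cur != 0 && n < MAX_WALK; ) {
        if (n < max) ids[n] = read_u32(cur, ENT_OFF_ID);
        n++;
        cur = read_ptr(cur, ENT_OFF_NEXT);
        if (cur == first) break;                        /* back at the head */
    }
    return n;
}

int main(void) {
    uintptr_t first, base = build_sample(&first);
    uint32_t ids[8];
    int n = walk_table(base, 0, TABLE_SLOTS, ids, 8);
    printf("table walk: %d live entities, ids", n);
    for (int i = 0; i < n; i++) printf(" %u", ids[i]);
    n = walk_list(first, ids, 8);
    printf("\nlist walk:  %d entities, ids", n);
    for (int i = 0; i < n; i++) printf(" %u", ids[i]);
    printf("\n");
    return 0;
}
```

The table walk reports three live entities (ids 100, 101, 103; object 102 has its alive flag clear) while the list walk visits all four, which is the difference between the "bounds plus flag checks" loop in the post and a plain traversal. The `MAX_WALK` cap is the one thing the post's loop lacks: a list whose last `next` is neither null nor the head (a partially freed object, a race while the game mutates the list) would otherwise spin forever.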
SunBeam
I post too much
Reputation: 65

Joined: 25 Feb 2005
Posts: 4023
Location: Romania

Posted: Mon Mar 21, 2016 4:11 pm

I'm pretty sure you nailed it all down and he understood everything Wink Wink Judging from how he started the thread, expect replies Smile

On another note - retired, eh? Glad seeing you around. We should catch up sometime.

BR,
Sun
atom0s
Moderator
Reputation: 205

Joined: 25 Jan 2006
Posts: 8587
Location: 127.0.0.1

Posted: Mon Mar 21, 2016 6:05 pm

SunBeam wrote:
I'm pretty sure you nailed it all down and he understood everything Wink Wink Judging from how he started the thread, expect replies Smile

On another note - retired, eh? Glad seeing you around. We should catch up sometime.

BR,
Sun


Hey man, long time no see. Hit me up with a pm Razz Can chat on Skype or something sometime.

_________________
- Retired.
Gaz
Cheater
Reputation: 0

Joined: 08 Aug 2012
Posts: 40

Posted: Wed Mar 23, 2016 7:27 am

atom0s wrote:
SunBeam wrote:
I'm pretty sure you nailed it all down and he understood everything Wink Wink Judging from how he started the thread, expect replies Smile

On another note - retired, eh? Glad seeing you around. We should catch up sometime.

BR,
Sun


Hey man, long time no see. Hit me up with a pm Razz Can chat on Skype or something sometime.


Explained really well, that makes a lot more sense, thank you.
finnegan waking up
How do I cheat?
Reputation: 13

Joined: 05 Aug 2014
Posts: 0

Posted: Wed Mar 23, 2016 3:01 pm

you're going to have a harder time doing this in CE than in C++.
niceone
How do I cheat?
Reputation: 0

Joined: 01 Apr 2016
Posts: 3

Posted: Fri Apr 01, 2016 5:28 am

Hey,
I'm also trying to figure out the entity list from Rainbow Six,
but I can't find it until now.

Can you help me to find it?
Usually via Teamspeak or Skype etc?

Would be very nice from you Very Happy
JohnathanSweeney
Newbie cheater
Reputation: 1

Joined: 04 Apr 2016
Posts: 20

Posted: Mon Apr 04, 2016 4:47 pm

This will be a helpful youtube tutorial for this, but it is a bit long:
/watch?v=H6eH6eSAL2w
Greys0n
How do I cheat?
Reputation: 0

Joined: 05 Apr 2016
Posts: 0
Location: US

Posted: Tue Apr 05, 2016 3:46 am

Find the health of two enemies. Use the automatic pointer scanner on each.
SunBeam
I post too much
Reputation: 65

Joined: 25 Feb 2005
Posts: 4023
Location: Romania

Posted: Tue Apr 05, 2016 6:46 am

Greys0n wrote:
Find the health of two enemies. Use the automatic pointer scanner on each.

Automatic Pointer Scan is there to help you form a logic. Don't rely exclusively on it, as some pointers that work for you might not work for others.

One more thing you can try is: after finding a stable pointer that works for you, debug each level of the pointer (access), thus making sure the game engine uses all levels -> the offsets are stable. If at least one level of the pointer doesn't break on access (including the base), then it might be that the pointer won't work for others.

BR,
Sun
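Zanzer's pointer-scanner advice earlier in the thread and SunBeam's point just above both come down to the same property: a multi-level pointer path is only trustworthy if every level actually resolves, and a path that merely happens to land on the right value on one machine will break elsewhere. The following added example (my code, not SunBeam's, Zanzer's or Cheat Engine's) resolves a Cheat Engine style path `[[base]+off0]+off1` against a constructed 32-bit memory snapshot and reports the first level that fails, either because the pointer is null or because it points outside the snapshot. The addresses (`IMG_BASE`, the three base addresses, the offsets) and the snapshot contents are all made up for illustration. This is a static check; it complements, but does not replace, the break-on-access test SunBeam describes, which is the only way to confirm the engine itself walks every level.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit memory snapshot: one 4 KiB region at a made-up
 * address.  Anything outside it counts as unmapped. */
#define IMG_BASE 0x00400000u
#define IMG_SIZE 0x1000u
static uint8_t image[IMG_SIZE];

/* True if [addr, addr+len) lies entirely inside the snapshot. */
static int in_image(uint32_t addr, uint32_t len) {
    return addr >= IMG_BASE && addr - IMG_BASE <= IMG_SIZE - len;
}
static int read32(uint32_t addr, uint32_t *out) {
    if (!in_image(addr, 4)) return 0;
    memcpy(out, image + (addr - IMG_BASE), 4);
    return 1;
}
static void write32(uint32_t addr, uint32_t v) {
    memcpy(image + (addr - IMG_BASE), &v, 4);
}

/* Resolves a Cheat Engine style path  [[[base]+off0]+off1]+off2  and then
 * reads the 32-bit value at the final address.  Returns -1 on success, or
 * the 0-based level whose dereference failed (level n = the final read).
 * A null pointer at any level is treated as a failure at that level. */
static int resolve_chain(uint32_t base, const uint32_t *offs, int n,
                         uint32_t *final_addr, uint32_t *value) {
    uint32_t cur = base;
    for (int i = 0; i < n; i++) {
        uint32_t p;
        if (!read32(cur, &p) || p == 0) return i;
        cur = p + offs[i];
    }
    if (!read32(cur, value)) return n;
    *final_addr = cur;
    return -1;
}

/* Lays out three chains: one fully inside the snapshot, one whose first
 * level points at unmapped memory, and one whose base holds a null pointer. */
static void build_snapshot(void) {
    memset(image, 0, sizeof image);
    write32(0x00400100, 0x00400200);   /* good:   [base] -> 0x400200            */
    write32(0x00400210, 0x00400300);   /*         [0x400200+0x10] -> 0x400300   */
    write32(0x00400308, 1337);         /*         [0x400300+0x08] = 1337        */
    write32(0x00400120, 0x00700000);   /* bad:    [base] -> outside the snapshot */
    write32(0x00400130, 0);            /* null:   [base] = 0                     */
}

int main(void) {
    static const uint32_t offs[2] = { 0x10, 0x08 };
    const uint32_t bases[3] = { 0x00400100, 0x00400120, 0x00400130 };
    build_snapshot();
    for (int i = 0; i < 3; i++) {
        uint32_t addr = 0, val = 0;
        int lvl = resolve_chain(bases[i], offs, 2, &addr, &val);
        if (lvl < 0) printf("base %08x -> %08x = %u\n", bases[i], addr, val);
        else         printf("base %08x fails at level %d\n", bases[i], lvl);
    }
    return 0;
}
```

Reporting the failing level rather than a bare yes/no is the useful part: level 0 failing means the base itself is wrong (typically a static address that differs between builds), while a failure deeper in the chain points at an object that is not allocated yet or an offset that only coincidentally matched on the machine the path was scanned on.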
All times are GMT - 6 Hours
Page 1 of 2