Hoittoru (How do I cheat?)
Reputation: 0
Joined: 12 Jun 2016 Posts: 9
Posted: Sun Jun 12, 2016 9:12 am Post subject: Pointer scanning Dragon Age: Inquisition
I don't know if I should address both issues here or make a second topic, because I've run into many different problems. What I am currently trying to do is find the base address for Main Hand Attack Damage. I started the pointer scan with a 10,000 offset and level 10 at normal thread priority. It's been 7 hours and the path count is 5,686,612,176,272 (I'm sure everyone can count, but that's 5 trillion). Is this normal? Also, my CPU is at 100% running this scan.
Above is what I'm currently attempting. The bigger mission was to find a way to script the Main Hand Attack Damage value (float) to stick, even through loading screens and game restarts. The issue with that was the instruction that was writing to MH Att Damage was (off the top of my head) movss [rbx+30],xmm6. I injected with mov [rbx+30],#700. It crashed my game to kingdom come. (I have a lot more detailed info on this topic; should I make another post elsewhere for this?)
ulysse31 (Master Cheater)
Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Sun Jun 12, 2016 10:04 am
Why do you go 10 levels deep and with a 10k offset?
Did you not find any pointer with the default value that CE pre-fills?
How many addresses is movss [rbx+30],xmm6 accessing?
(In memory view, right click the opcode and choose "find out what address this instruction accesses".)
If it accesses only one you should hook it and retrieve the MH attack address; if it accesses more than one, it would be another reason for your game crash.
Refer to: http://forum.cheatengine.org/viewtopic.php?t=572465
Finally, why would you move an integer into a float? (i.e. you know it's a float and yet you move #700 to it)
PS:
000002BC translates to decimal 700 for an integer variable
442F0000 translates to decimal 700 for a float variable
and finally integer decimal 700 translates into a 9.80 x 10^-43 float variable
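Added worked example for the PS above (mine, not from the thread): the same 32-bit patterns encoded and decoded with Python's struct module, plus what a float slot at +30 reads back as after an integer 700 is stored into it. The 0x40-byte object and its starting value of 25.5 are constructed stand-ins for whatever rbx points at.

```python
import struct

def float_bytes_hex(value: float) -> str:
    """Hex of the IEEE 754 single-precision encoding of value (big-endian)."""
    return struct.pack(">f", value).hex().upper()

def int_bytes_hex(value: int) -> str:
    """Hex of a 32-bit integer (big-endian), for side-by-side comparison."""
    return struct.pack(">i", value).hex().upper()

def int_as_float(value: int) -> float:
    """Reinterpret the 4 bytes of a 32-bit integer as a float, no conversion:
    what the game reads back after an integer 700 is stored into a float slot."""
    return struct.unpack("<f", struct.pack("<i", value))[0]

def float_as_int(value: float) -> int:
    """Reinterpret a float's 4 bytes as an integer (the opposite mistake)."""
    return struct.unpack("<i", struct.pack("<f", value))[0]

def stat_after_store(payload: bytes) -> float:
    """Store 4 bytes into the float at +0x30 of a constructed 0x40-byte object
    (a stand-in for what rbx points at) and read it back the way the game does."""
    obj = bytearray(0x40)
    struct.pack_into("<f", obj, 0x30, 25.5)   # constructed starting value
    obj[0x30:0x34] = payload
    return struct.unpack_from("<f", obj, 0x30)[0]

if __name__ == "__main__":
    print("int 700   =", int_bytes_hex(700))            # 000002BC
    print("float 700 =", float_bytes_hex(700.0))        # 442F0000
    print("int 700 read as float:", int_as_float(700))  # about 9.8e-43
    print("store dword 700 :", stat_after_store(struct.pack("<i", 700)))
    print("store float 700 :", stat_after_store(struct.pack("<f", 700.0)))
```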
Hoittoru (How do I cheat?)
Reputation: 0
Joined: 12 Jun 2016 Posts: 9
Posted: Sun Jun 12, 2016 12:40 pm
Quote: Why do you go 10 level deep and with 10 k offset?
I tried other presets, including the default, and none worked, including the level 10 one (it crashed before it could finish).
Quote: why would you move an integer into a float ?
My mistake, I'm a little new to scripting; I thought it just changed the value to 700. Do you know where I can get a command list for the assembler?
Quote: How many addresses is movss [rbx+30],xmm6 accessing ?
See the image link below. Thanks for the reference, I will read up on it and try it out. I'll respond with an update.
i.imgur(dot)com/MSPk2W1.jpg
ParkourPenguin (I post too much)
Reputation: 152
Joined: 06 Jul 2014 Posts: 4710
Posted: Sun Jun 12, 2016 1:24 pm
I'm not surprised at all you're getting 5 trillion+ pointer paths found with those settings. In that image you posted, all the offsets were +30, so the last offset of a real pointer path is probably going to be 30. Also, set "Max different offsets per node" to 3. If the scan completes too quickly with those settings, raise max different offsets per node or turn it off completely.
You can usually get the last few offsets (not just the last one) by trying to find the pointer path manually. Look at the CE tutorial for information on that. If you know how to read assembly, you can also usually look before one of the instructions that accesses your address and figure out the pointer path that way.
Writing to disk is usually the biggest bottleneck in the scan. Use a couple of pointermaps at least. This will also help save a lot of disk space.
IMO code injection w/ AoB scan is usually a better way of getting a consistent reference to an address than pointers, but if you don't know assembly, it's difficult.
ulysse31 asked how many addresses that instruction accesses, not how many instructions access that address. Right click on the instruction movss [rbx+30] in the disassembler and select "Find out what addresses this instruction accesses" to do exactly as it says.
You can use mov [rbx+30],(float)700 if you want. Technically, it's more appropriate to move the floating point number into an xmm register (when using SSE) and move that into an address, but whatever works. Here's an example of what I just said in case you didn't understand:
Code:
...
alloc(newmem,1024)
label(num)
newmem:
movss xmm6,[num]
movss [rbx+30],xmm6
jmp return
num:
dd (float)700
...
Of course, if the instruction movss [rbx+30],xmm6 accesses more than one address, this code injection will also affect those addresses, potentially crashing the game.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Hoittoru (How do I cheat?)
Reputation: 0
Joined: 12 Jun 2016 Posts: 9
Posted: Sun Jun 12, 2016 2:44 pm
Quote: ulysse31 asked how many addresses that instruction accesses
There are 3 addresses that the instruction is accessing, and the count keeps going up automatically: i.imgur(dot)com/7jSqXcS.jpg
I did the tutorial a few days ago (been trying to hack this since, lol), but when I attempted the manual pointer path method, as soon as I do a mem search for the rbx value it comes up with 0 found, which is another issue I actually wanted to bring up. Why does that happen? Is the value hidden/encrypted? i.imgur(dot)com/2UW2o2T.jpg
I actually want to learn the assembly, I don't mind the study.
I appreciate the help you've both given me; you've given me new things to try. I will be home later; I'm still going through what ulysse31 referred me to earlier, and I also want to give your code a try to see what happens.
ParkourPenguin (I post too much)
Reputation: 152
Joined: 06 Jul 2014 Posts: 4710
Posted: Sun Jun 12, 2016 3:13 pm
First of all, you should be using an 8-byte value type search instead of 4 byte, since you're in a 64-bit process. 32-bit process = 32-bit address space = 2^32 possible addresses = 32 bits (4 bytes) needed to represent an address. Similar for a 64-bit process, but you should get the idea: you need 8 bytes to represent an address.
However, that shouldn't be the thing causing any problems, since the upper 4 bytes are 0. Either that offset is wrong or for some reason the next node is in read-only memory. I highly doubt the game encrypts pointer nodes; you shouldn't be concerned with that.
Sometimes, it doesn't matter if an instruction accesses more than one address. Seemingly more often than not, however, it will do something you don't want it to do. See this topic for information on that.
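Added example (mine, not from the thread) for the point about address width: a constructed 64-bit address space in which a CE-style pointer path [[static]+10]+30 is followed with 8-byte reads and again with 4-byte reads. The first node's upper 4 bytes are 0, as in the screenshot, so both read sizes agree there; the second node's are not, so the 4-byte read truncates the pointer and the path lands in unmapped memory. All addresses and values here are made up.

```python
import struct

PTR64 = "<Q"   # 8-byte little-endian pointer: the right read size in a 64-bit process
PTR32 = "<I"   # 4-byte read: what a "4 Bytes" value type sees in that same process

class Memory:
    """Sparse toy address space {chunk_start: bytearray}; contents are constructed."""
    def __init__(self):
        self.chunks = {}
    def write(self, addr, data):
        self.chunks[addr] = bytearray(data)
    def read(self, addr, size):
        for start, chunk in self.chunks.items():
            if start <= addr and addr + size <= start + len(chunk):
                off = addr - start
                return bytes(chunk[off:off + size])
        raise ValueError(f"unmapped read at {addr:#x}")

def read_ptr(mem, addr, fmt=PTR64):
    return struct.unpack(fmt, mem.read(addr, struct.calcsize(fmt)))[0]

def resolve_path(mem, base, offsets, fmt=PTR64):
    """CE-style path [[base]+o1]+o2: every offset but the last is dereferenced."""
    addr = read_ptr(mem, base, fmt)
    for off in offsets[:-1]:
        addr = read_ptr(mem, addr + off, fmt)
    return addr + offsets[-1]

# Constructed layout; none of these addresses are the game's.
STATIC = 0x7FF6_1000_0040   # static pointer in the module's data section
NODE1  = 0x0212_3450        # first object: upper 4 bytes are 0, as in the screenshot
NODE2  = 0x7FF6_5000_0000   # second object: upper 4 bytes are 0x7FF6, not 0
FLOAT_OFFSET = 0x30         # the stat float, like [rbx+30] in the thread

def build_memory():
    mem = Memory()
    mem.write(STATIC, struct.pack(PTR64, NODE1))
    node1 = bytearray(0x40)
    struct.pack_into(PTR64, node1, 0x10, NODE2)         # [NODE1+10] -> NODE2
    mem.write(NODE1, node1)
    node2 = bytearray(0x40)
    struct.pack_into("<f", node2, FLOAT_OFFSET, 25.5)   # constructed stat value
    mem.write(NODE2, node2)
    return mem

def stat_via_path(mem, fmt=PTR64):
    """Resolve [[STATIC]+10]+30 and read the float; None if it lands in unmapped memory."""
    addr = resolve_path(mem, STATIC, [0x10, FLOAT_OFFSET], fmt)
    try:
        return struct.unpack("<f", mem.read(addr, 4))[0]
    except ValueError:
        return None
```

With PTR64 the path resolves to NODE2+0x30 and reads 25.5; with PTR32 the second pointer is truncated to 0x50000000 and the read fails, which is the kind of "0 found" dead end a 4-byte search in a 64-bit process can produce.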
ulysse31 (Master Cheater)
Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Sun Jun 12, 2016 4:26 pm
AOBscan and address hooking would be nice.
Don't forget to fill in the dots (...) in the code posted above (select the opcode you wanna inject and press Ctrl+A, Ctrl+I for the auto assemble injection template; it will fill in the dots for you).
However, for now you probably wanna find an instruction that only accesses your MH address, or you wanna find a marker such as a register value that indicates the opcodes are currently accessing the MH address (something like eax == specific value).
Hoittoru (How do I cheat?)
Reputation: 0
Joined: 12 Jun 2016 Posts: 9
Posted: Mon Jun 13, 2016 1:49 am
OK, so we made progress! I used the code below, which kind of works. It brings my MH att dmg to 700 and it stays! But it also changes crit chance, xp rate, mana, 3 attributes, and other stats to 700 as well. So I believe you guys are right, I possibly have the wrong address? But how? I can manually change the address to 700 and freeze it and it works, but when I load or restart the address is lost. An alternative, if easier: have the script allow me to alter the address manually.
Code:
[ENABLE]
aobscanmodule(INJECT,DragonAgeInquisition.exe,F3 0F 11 73 30 90) // should be unique
alloc(newmem,$1000,"DragonAgeInquisition.exe"+36BEE5D)
label(code)
label(return)
newmem:
code:
movss [rbx+30],xmm6
mov [rbx+30],(float)700
jmp return
INJECT:
jmp code
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db F3 0F 11 73 30
unregistersymbol(INJECT)
dealloc(newmem)
So, if possible, make something like the image below (not to that extreme though (at least not now lol)).
i.imgur(dot)com/1l3trNa.jpg
It's an outdated cheat table made by many people but posted by olegbl, the OP: forum.cheatengine(dot)org/viewtopic.php?t=578120
I tried understanding how the scripts were accomplished at the time, but I couldn't connect the dots.
ulysse31 (Master Cheater)
Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Mon Jun 13, 2016 5:55 am
You have several choices, among which:
1) You take the MH address and find out what writes to (or accesses) it; you see several opcodes that you then follow in the disassembler, and you check what addresses these opcodes access. Your goal is to find an opcode that *only* accesses the MH address, because then when you inject your code you will only change the MH value. By now you have understood that the reason you changed crit rate etc. values is that the opcode you hooked not only accesses the MH address but also the crit rate address etc.
2) You set a breakpoint on the opcode you are currently hooking, and every time it accesses an address you take note of the registers, especially when it accesses the MH address. You then restart the game and do it again; ideally you want to find a key value within a register (rax, rbx, rcx, rdx...) which means that the opcode is currently accessing the MH address. If you can find that value I'll provide you a piece of code which you'll then understand.
Note that 1) is imo better than 2), and most likely 1), if well done, is also patch-proof.
ParkourPenguin (I post too much)
Reputation: 152
Joined: 06 Jul 2014 Posts: 4710
Posted: Mon Jun 13, 2016 8:15 am
Hoittoru wrote: but it also changes crit chance, xp rate, mana, 3 attributes, and other stats to 700 as well.
ParkourPenguin wrote: Of course, if the instruction movss [rbx+30],xmm6 accesses more than one address, this code injection will also affect those addresses
See this topic for information on dealing with instructions that access multiple addresses.
Hoittoru (How do I cheat?)
Reputation: 0
Joined: 12 Jun 2016 Posts: 9
Posted: Mon Jun 13, 2016 1:35 pm
Guys, I'm stumped.
Quote: you see several opcodes that you then follow in disassembler and you check what addresses these opcodes access
I understand that may have worked, but in the disassembler it does not give me the option to "follow" movss [rbx+30],xmm6.
Quote: information on dealing with instructions that access multiple addresses.
I went through those steps, but when I "Find what addresses this code accesses", 3 codes show up, not 1: i.imgur(dot)com/lT8WXZe.jpg. However, when I do something in the game to change my MH dmg, all these values show up, like health, crit, etc.: i.imgur(dot)com/xhiOx9Z.jpg. I'm probably overlooking something basic, ugh.. Which part of that topic tutorial were you referring to? (I went through all of them anyway, but still...)
ParkourPenguin (I post too much)
Reputation: 152
Joined: 06 Jul 2014 Posts: 4710
Posted: Mon Jun 13, 2016 1:42 pm
That instruction accesses multiple addresses. That's just how the game is programmed. You can't (easily) change that. It's not that you're missing anything; you're just overthinking this entire situation and making it more complicated than it actually is.
I was referring to the entire first post. Go through step 9 of the CE tutorial if you want to practice in an easier environment.
Hoittoru (How do I cheat?)
Reputation: 0
Joined: 12 Jun 2016 Posts: 9
Posted: Mon Jun 13, 2016 2:48 pm
Quote: That instruction accesses multiple addresses. That's just how the game is programmed.
Do you know where to go from that point? I don't see it in that topic, but I'll refer to step 9 in CET for now and see what I can work out from that to assist with this. Thanks.
ParkourPenguin (I post too much)
Reputation: 152
Joined: 06 Jul 2014 Posts: 4710
Posted: Mon Jun 13, 2016 2:58 pm
ParkourPenguin wrote: See this topic for information on dealing with instructions that access multiple addresses.
I assume you're talking about this. If so, you should read the topic before you say it doesn't have any information on instructions that access multiple addresses, since that's the only thing it talks about.
TLDR summaries of the sections:
First section, "Target Unique Reads": find an instruction which only accesses that address.
Second section, "Hack A Different Mechanic": check if you can change something else that ends up having the same effect.
Third section, "Check The Player Structure": look in the structure of that address to see if you can find some information (i.e. a string or some integer ID) you can use to segregate the address you're concerned with from other addresses. You might also be able to use registers or the stack, so take note of that too (use breakpoints).
ulysse31 (Master Cheater)
Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Mon Jun 13, 2016 3:50 pm
I actually launched the game and checked the opcodes: it doesn't access only 3 addresses.. it does so only when you don't use the game and you are on the stat screen, at which point, if you do nothing, it does access 3 addresses... among which your main hand attack is not. But actually this opcode accesses thousands of addresses; all the opcodes which work with main hand attack damage access thousands of addresses, unfortunately. It kind of makes it a pain to work with.