Cheat Engine

Astaroth4256

This post is simply out of curiosity, no help needed with anything so I'm not sure if this is the right place to post this

I was searching for a bool (1byte) type variable within an object's data structure so I expected it to have 0 or 1 values and nothing different, the address was supposed to be true or false if the object is under a certain effect (of a tractor beam). I was unable to find said bool address so I did unknown initial value and 'all types' scan, there was a bunch of addresses that changed depending if the target was tractored or not, so I looked for the most relatable ones and I found two 4byte addresses 1922EE59 and 1922FF69.

If the object was being tractored then the values are 541001607 and 536870917. If it's not being tractored then the values are 541001606 and 536870916. I looked around these addresses for a '1byte' but everything within 8byte distance was useless so the only useful address was these two which were like "if object is tractored then last digit is uneven (normal value +1) and if object is not tractored then last digit is even (digit was 6)
This address allows me to determine if the object is tractored or not so I would call it "valid" but it got me curious why would it be saved like this? The offset for these addresses are 161 and 1271 so that's rather an invalid address but it works "properly", and the way these address' values change don't point to anything like the effect itself. The game is a MMO so I also don't think it could be a mistake in the game's code.

Can anyone explain why these two addresses are like this?

FreeER · Posted: Sun Apr 30, 2017 7:34 am Post subject:

well since they're changing by 1 my initial thought is that it's using a 1 bit flag value, eg. 541001606 is ‭00100000001111110000011110000110‬ in binary and 541001607 is 00100000001111110000011110000111 (the last bit with a value of 1 changes from 0 to 1), same for 536870916 (100000000000000000000000000100 to ... 1).

That's often the case if the same value is being used to represent several true/false values, each bit is a boolean.

Of course it could also just be a way to make it slightly harder to find the value because it's not the expected 0/1 value.

Should be easy enough to check if you look at the code that's accessing the 4 byte value, if it's using bitwise functions like or, xor, or and then it's probably a flag value, if it's just overwriting the entire four bytes with a mov then it's probably not.

Astaroth4256 · Posted: Sun Apr 30, 2017 8:13 am Post subject:

Amazing, I didn't know there could be something like this, perhaps now I can find what auras and other effects are on whatever game object. Thanks. Do you have any tips for scanning such addresses? How does such variable look like in programming code form, a link or direction to get details on that?

FreeER · Posted: Sun Apr 30, 2017 9:02 am Post subject:

For searching I usually find a way to easily toggle the state/flag and then do a search for unknown value 1 byte (1 byte gives 8 flags so is usually sufficient), toggle it, and then do a search for changed, toggle it again and then I can do a search for unchanged compared to the _first_ scan (since it should be the same value as long as nothing else has changed), rinse and repeat basically.

Included cheats like typing "godmode" to prevent damage and then godmode again to disable it is a perfect example of something like this Smile

As for how it'd look in code, basically you just use bitwise operations to set the bits like you want, though a few languages have more support (C/C++ has a "bitfield" for example http://blog.aaronballman.com/2011/08/the-joys-of-bit-fields/).

To set a bit to 1 you'd usually use OR, to check a bit you use AND, and to set a bit to 0 you'd use AND and NOT.

If you have the value 00000000 in binary and want to set the bit that represents 8, then you could simply set it to 8 to get 00001000 but that would set the other bits to 0, similarly you could add 8 and in this case it works just fine but if it was already set then you'd get 0010000 (16) so you'd have to check whether it was set before setting it.

With bitwise functions you'd use
00000000 OR
00001000
------------- 0 or 0 = 0, 0 or 1 = 1
00001000

If you had
00001000 OR
00001000
------------- 0 or 0 = 0, 0 or 1 = 1, 1 or 1 = 1
00001000

you still get 8 like you wanted and if you had

11110111 OR
00001000
------------- 0 or 0 = 0, 0 or 1 = 1
11111111

The only bit that changes is the one you wanted to set.

to check a bit you'd use and

11111111 AND
00001000
------------- 0 and 0 = 0, 0 and 1 = 0, 1 and 1 = 1
00001000

so you get 8 if 8 is set, otherwise you'd end up with 0

11110111 AND
00001000
------------- 0 and 0 = 0, 0 and 1 = 0, 1 and 1 = 1
00000000

we take advantage of this with NOT to set a bit to 0, not 1 is 0, not 0 is 1, so not simply flips or inverts the bits

NOT 00001000 is 11110111, aka the "mask" for 8

11111111 AND
11110111
--------------
11110111

so now the 8 bit is set.

You can also set multiple bits by using, eg. 9 instead of 8 to set the 8 bit and the 1 bit.

You should be able to find some examples by searching google for "bit flags <language>"

Astaroth4256 · Posted: Sun Apr 30, 2017 9:38 am Post subject:

FreeER · Posted: Sun Apr 30, 2017 9:52 am Post subject:

You should really edit that quote since 99% of it is irrelevant to what you're talking about... it just makes people waste a bunch of time scrolling.

As for finding it, technically it kind of depends on what you're searching for. 1 byte is only large enough to store 256 values, either 0 to 255 if treated as unsigned or -128 to 127 if signed. So 541001607 doesn't really make any sense as a 1 byte value.

541001607 is 203F0787 in hex, the first (least significant) byte is the 87 part which is -121 (or 135 unsigned) as a 1 byte value, 541001606 is, of course, 1 less so -122 (or 134 unsigned).

However, practically speaking CE will convert 541001607 to the right value depending on the type you search for, which is why if I change the value for step 2 of the tutorial to 541001607 and then search for 541001607 as a 1 byte value (then change to ...06 ad scan again) I'll still be able to find the same address https://imgur.com/a/RJVIo

I can't really say why you couldn't find it on that game, only that you should be able to since it's the same value in the same place just a matter of how many bytes you are comparing together (4 or 1).