Cheat Engine

riverwest · Newbie cheater Reputation: 0 Joined: 05 May 2019 Posts: 14

Software developer here, new to hacking games. Just trying this out for fun as it helps me understand more than what I'm normally exposed to. I'd like to show you the work I've done so far in my exploration to get infinite ammo for Pandemic Express. Conceptually, I know that to do this, I need to create a trainer that will inject the proper code so my ammo does not decrease.

Steps
1. New scan (current ammo) > shoot > next scan (current ammo) > repeat. Found 3 addresses.
2. Took the first address and ran "Find out what access this address". I find one instruction cmp [rsi+rcx*4+00000094],eax. From the guides I've read, I need to look at the address in brackets [ ], but I first note the value of "rcx*4+00000094" which is "4*4+00000094" == "16+00000094" == AA. I assume my offset is AA (but I don't do anything with this yet). The value of rsi is 000001AF2C60EC60 so I search for this address in CE.
3. In my search results, I get 11 addresses - one of them a base address, 7FFAFE0560A8. I add this base address to the list of "tracked addresses" and find that the address 7FFAFE0560A8 is actually saying "TheHunting.DLL+FC60A8". This is important, no? Anyways, let's dig further.
4. I run "Find out what accesses this address" on 7FFAFE0560A8 and I get 7 instructions. Each of these instructions are mov, which is probably where the ammo is getting set for the game, but I'm not entirely sure yet. A list of distinct codes is below:

- mov rcx,[rax+00000278]
- mov rcx,[rsi+00000278]
- mov rcx,[rcx+00000270]
- mov rcx,[rcx+00000278]
- mov rdx,[rax+00000278]

I'm thinking at this point, maybe rax, rsi or rcx holds the actual value of my ammo? Bad assumption? Not sure yet. Very Happy

I list out the addresses of the instructions just to have.

rax = 00007FFAFE055E30
rsi = 00007FFAFE055E30
rcx = 000001AF2C60EC60

Searching at the rax and rsi addresses gives me 3 new base addresses:

7FFAFE055DF8
7FFAFE06B090
7FFB24ECE058 <<

Calling out the last one, because once I run "Find out what accesses this address" I get the following two commands:

cmp qword ptr [rcx+000007C8],00
mov rax,[rcx+000007C8]

Getting juicy, "cmp" - that's comparing values, that has to be near what I want, right? Lets mark down the value of rcx, which is 00007FFB24ECD890 and search for that address.

--

5 new base addresses! (There is an endless number of references here..). I run the "Find out what accesses this address" again on all of them and only 2 return instructions.

Address 1 - 7FFAFE01DC58
Instruction set ->
mov rcx,[7FFAFE01DC58]
(this instruction is actually mov rcx,[TheHunting.DLL+F8DC58] but I don't know what to do with that)

Address 2 - 7FFB24EBD1C0
Instruction set ->

- mov rcx,[7FFB24EBD1C0]
- mov rdi,[7FFB24EBD1C0]
- mov rax,[7FFB24EBD1C0]

(the address 7FFB24EBD1C0 is actually [CryAction.dll+9BD1C0], but I don't know what to do with this either)

----

So my question is, where do I go from here? I've tried adding for example, 7FFB24EBD1C0, which is from a few sentences above and browsed the memory region and found these commands:

jmp PandemicExpress.CryModuleGetMemoryInfo+C9B7
jmp PandemicExpress.exe+242F4
..

I don't know what to do from here. I didn't find my original values, but I jumped down to the .exe so I'm confident this is helpful.

TheyCallMeTim13

riverwest · Newbie cheater Reputation: 0 Joined: 05 May 2019 Posts: 14

Thank you very much for your help. I was able to understand your reply.

riverwest · Newbie cheater Reputation: 0 Joined: 05 May 2019 Posts: 14

TheyCallMeTim13