Turtle, Advanced Cheater, Reputation: 7
Joined: 25 Jul 2004, Posts: 85
Posted: Tue Jan 24, 2006 11:19 am, Post subject: A quick method
When using MHS:
After you find a value that you want to resolve, and you find its address, say its address is (34891278), try the following:
1. Select the pointer search.
2. Choose a "range" type search.
3. For the max value of the range put the address of the value you want resolved, for example (34891278). For the lowest part of the range set all the last 5 digits to '0', so (34800000). Make sure that the "only find static pointers" box is ticked.
The first box is for the lowest value of the range, and the 2nd box (the one on the right) is for the max value of the range.
That should search for static pointers that point to addresses in that range that are before the address of the value that you want resolved. Also, in the box that says "save offsets from", just put in the same address as the max value of the range (34891278).
Now in the results window it will show each static pointer and the offset distance between the address that they point to and the address of the value you want resolved. All the offset distances will be listed with a "-" sign in front of them, since we are saving offsets from the max part of the range, so pick the one with the smallest negative offset: "-500" is better than "-1000". The decimal offset distance is shown in brackets. It's easier to work with decimal offsets. There is also a "go to closest" button on the results window which should automatically show you the pointer with the smallest offset distance; it will highlight it.
Now, to test that static pointer, just remember that you are adding that 500 to the address that the pointer points to in order to get the address of the value that you want resolved. So test it.
If that static pointer turns out to be unreliable, then you can try the next best one. For example the next best one could be "-600"; it's a larger offset, but it may be a more reliable static pointer.
Last edited by Turtle on Wed Jan 25, 2006 9:16 am; edited 2 times in total
Dark Byte, Site Admin, Reputation: 458
Joined: 09 May 2003, Posts: 25295, Location: The Netherlands
Posted: Tue Jan 24, 2006 12:05 pm
The problem with this method is that it's only a level 1 pointer, and it doesn't take into account module addresses that change.
Another method that might be easier to use is CE's pointer scanner. To get the results described here, just do a max level of 1 and a structsize of at least 1024 and it'll scan quickly. (But I recommend a higher value, because only very few games use level 1 pointers.)
When the scan is done, just double-click the address and it'll be added to the list with all offsets filled in for you.
You can also easily test the results by saving the addresses it found, then reboot or restart the game, reopen the game, reload the list, and then use the option "rescan memory" to filter out the wrong ones.
And another thing: if you want to have a list with more addresses, then use the option to use static code as base instead of dissecting.
Also, for people using the injected pointerscan feature of 5.2.28, use a max level of 2 for max level 1, a max level of 3 for max level 2, etc... (small bug, but the scanner is working).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Turtle, Advanced Cheater, Reputation: 7
Joined: 25 Jul 2004, Posts: 85
Posted: Tue Jan 24, 2006 3:05 pm
Ok.
For "size of structure" I put 1024, and for "max level" I put 3, but what should I put for "level 0 structsize"?
Dark Byte, Site Admin, Reputation: 458
Joined: 09 May 2003, Posts: 25295, Location: The Netherlands
Posted: Tue Jan 24, 2006 3:16 pm
Depends on your method.
If you use the option to use module data as static address, then 4, but if you use dissection I recommend something like 30 or 40.
I recommend the injected pointer scan though; it's more accurate, and faster.
Another thing you might want to watch is that some modules have a more direct path to an address than others.
For example, if the base module at 00400000 has a level 7 pointer to your address, it might also be that there is another module that can reach it with only a level 2 or 3 pointer. (E.g. gamex86.dll will have a shorter path to health than quake4.exe, which links to gamex86.dll, which links to your address.)
Turtle, Advanced Cheater, Reputation: 7
Joined: 25 Jul 2004, Posts: 85
Posted: Tue Jan 24, 2006 3:29 pm
I tried the injected scanner, it's fast. It seems a bit different to the regular scanner.
Also, how would I know which module has the shortest path?
Dark Byte, Site Admin, Reputation: 458
Joined: 09 May 2003, Posts: 25295, Location: The Netherlands
Posted: Tue Jan 24, 2006 3:36 pm
Yes, it is a complete rewrite, and it even fixes some bugs, has a small change in how I keep track of successful and unsuccessful pointer paths, and shows more data (so you now see it hasn't crashed on one address but is dissecting a base path, which can sometimes be quite large).
But choosing the right module can be tricky. You can usually find it using the base module and a big enough max level, but each level increases the number of addresses to find by the factor of your structsize. (Worst case scenario, with no skipping of unsuccessful paths and all addresses it encounters being pointers: addresses to scan*structsize*structsize*structsize*.....)
But usually you want to scan the game engine itself for the pointer. The module names usually have a name that is interpretable (e.g. gamex86.dll, unrealengine.dll, civ4core.dll, ...), or perhaps you found a few easy-to-find pointers yourself that lead you to a certain module each time.
Turtle, Advanced Cheater, Reputation: 7
Joined: 25 Jul 2004, Posts: 85
Posted: Tue Jan 24, 2006 3:47 pm
When I do an injected scan and then try to do another one right after, I get an error msg: "Access violation at address 00000000. Read of address 00000000."
Dark Byte, Site Admin, Reputation: 458
Joined: 09 May 2003, Posts: 25295, Location: The Netherlands
Posted: Tue Jan 24, 2006 3:49 pm
I know, that's a bug. (Was to be expected with raw CVS snapshots.)
If the settings window gets closed it frees it; it shouldn't have done that anymore.
It's already been fixed in the CVS.
To fix it now: just close the old pointer scanner, and reinject using CE.
Turtle, Advanced Cheater, Reputation: 7
Joined: 25 Jul 2004, Posts: 85
Posted: Tue Jan 24, 2006 4:03 pm
Not all dynamic pointer equations are simple addition, are they? Simple addition ones may look something like: "mov eax, [esi+1a]"
That's fairly straightforward, but I don't know if they are all that simple. Does CE deal with all types of equations when scanning?
Dark Byte, Site Admin, Reputation: 458
Joined: 09 May 2003, Posts: 25295, Location: The Netherlands
Posted: Tue Jan 24, 2006 4:06 pm
In a way. It scans from 0 to structsize, so if it was something like eax+esi*8 it will find the first 128 elements when using a structsize of 1024. But you're right if it is a movable element; if the element is fixed, like esi=0 for the first player, esi=1 for the 2nd player, esi=2 for the 3rd player, then it will find it.
And there is usually another path to it as well, like the current object under the cursor, or the last selected object, or something.
Let's just say: if it can be written down as a pointer address, it can be found. (It may take some years if you have to resort to structsizes of 10kb or bigger, but it will find it.)
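As an added illustration (my own code, not from either poster, Cheat Engine or MHS), the following simulates what the two scans discussed in this thread do, over a constructed 32-bit memory image: Turtle's "range" search is the single-level case, and Dark Byte's max level / structsize scan is the general case that walks back through intermediate pointers until it reaches a static base. All addresses, the "static" range and the target slot are made up for the example.

```python
# Simulation of a pointer scan over a constructed memory image.
# Nothing here reads a real process; MEMORY stands in for the snapshot a
# scanner would take, mapping address -> pointer-sized value stored there.
STATIC_LO, STATIC_HI = 0x00400000, 0x00500000   # constructed "module image" range

MEMORY = {                       # constructed layout
    0x00401000: 0x10000000,      # static: -> player manager
    0x10000008: 0x20000000,      # manager+8: -> player object
    0x00402000: 0x30000000,      # static: -> some other object
    0x30000004: 0x2000000C,      # other object+4: -> inside the player object
    0x00403000: 0x20000000,      # static level-1 pointer straight at the player
}
TARGET = 0x200000A0              # the "health" slot we want resolved (constructed)

def is_static(addr):
    return STATIC_LO <= addr < STATIC_HI

def pointer_scan(target, max_level, structsize, memory=MEMORY):
    """Find paths (static_base, [offsets]) that resolve to target.
    A stored value v is accepted for an address `want` when
    0 <= want - v <= structsize (the "0 to structsize" window Dark Byte
    describes); the scan then looks for pointers to the address holding v,
    until a static base is reached or max_level is exhausted.
    Turtle's range search is the max_level=1 case: structsize is the width
    of the range he types in, and his listed "negative offset" is -(want - v)."""
    paths = []
    frontier = [(target, [])]    # (address we still need a pointer to, offsets so far)
    for _ in range(max_level):
        nxt = []
        for want, offs in frontier:
            for addr, val in memory.items():
                off = want - val
                if 0 <= off <= structsize:
                    path = [off] + offs
                    if is_static(addr):
                        paths.append((addr, path))
                    else:
                        nxt.append((addr, path))
        frontier = nxt
    return sorted(paths)

def resolve(base, offsets, memory=MEMORY):
    """Follow a path the way a cheat-table entry does: [[base]+o1]+o2 ..."""
    addr = base
    for off in offsets:
        addr = memory[addr] + off
    return addr

if __name__ == "__main__":
    for level in (1, 2):
        print("max level", level, [(hex(b), o) for b, o in pointer_scan(TARGET, level, 1024)])
    print("structsize 128:", pointer_scan(TARGET, 2, 128))  # 0xA0 > 128, so nothing is found
```

Raising max level from 1 to 2 adds the two-level paths, and shrinking structsize below the largest offset in a path drops that path entirely, which is the trade-off the posts above are discussing.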
Turtle, Advanced Cheater, Reputation: 7
Joined: 25 Jul 2004, Posts: 85
Posted: Wed Jan 25, 2006 8:51 am
Dark Byte wrote:
another thing you might want to watch, is that some modules have a more direct path to a address than others.
For example if the base module at 00400000 has a level 7 pointer to your address , it then might also be that there is another module that can reach it with only a level 2 or 3 pointer. (e.g gamex86.dll will have a shorter path to health than quake4.exe, which links to gamex86.dll which links to your address)
Could someone make their own injected .dll to provide a shorter pointer path? Or would it have to be one of the existing .dlls?
Dark Byte, Site Admin, Reputation: 458
Joined: 09 May 2003, Posts: 25295, Location: The Netherlands
Posted: Wed Jan 25, 2006 12:56 pm
You can inject any dll you want with the dll injection option. (The injected pointer scanner that comes with CE is also injected using that same method; the user interface is part of the dll.)
But I don't completely understand what you mean by a shorter path. If you know a shorter path, you don't really have to scan, because you already know it.
Or if you mean that you did find the first and perhaps even 2nd level pointer for an address, but the base address still isn't green, then you can also do a pointer scan for that base address, and then later just append the offsets you already found.
TheBaron88, How do I cheat?, Reputation: 0
Joined: 06 May 2006, Posts: 2
Posted: Sat May 06, 2006 6:36 am
Quote: "the injected pointer scanner that comes with ce"
Is this the "Pointer Scan" in the "Tools" menu?
Dark Byte, Site Admin, Reputation: 458
Joined: 09 May 2003, Posts: 25295, Location: The Netherlands
Posted: Sat May 06, 2006 6:43 am
Kinda. I'm talking here about the injected pointer scan option that comes with the weekly compile. (I also posted the dll separately a while back in a Prince of Persia thread.) It's basically the same, but a lot faster.
TheBaron88, How do I cheat?, Reputation: 0
Joined: 06 May 2006, Posts: 2
Posted: Sat May 06, 2006 7:28 am
Got a link for the dll or the latest build plz? Can't find that thread.