Reading Cheat Engine Pointers into AHK

TadaceAce
How do I cheat?
Reputation: 0

Joined: 21 Mar 2019
Posts: 2

Posted: Thu Mar 21, 2019 2:00 pm    Post subject: Reading Cheat Engine Pointers into AHK

I'm trying to learn how to read Cheat Engine pointers into AHK for script and botting purposes. I'm using Grim Dawn for learning purposes. I'm using the Class_memory lib by RHCP.

1) When using Cheat Engine to find pointers, the base address has multiple values including THREADSTACK0, Engine.dll, and GrimDawn.exe. I'm assuming these have different base addresses? Which does the baseaddress() method refer to and can it be set to read from a different one?

2) I simply cannot get offsets to work. In the attached file, the first offset is 380. Thus the code below should return the value at the address 0x249E2978 but doesn't. In fact, a hex calculator says the offset is 0x370 which returns the correct value.
Code:
result := mem.read(0x249E2608, "Uint", 0x380)


3) The second offset, going from 0x249E2978 to 0x1C04DD78, CE says the offset is 340 but this seems entirely incorrect to me. Where is it getting this number?

The code below should return that pointer value but it doesn't. It seems like a simple concept that I cannot get to work. I've got to be missing something and I've hit an absolute wall figuring it out.
Code:

#Persistent
#SingleInstance force

Numpad3:: Reload
Numpad4:: Exit

*Numpad1::

mem := new _ClassMemory("ahk_exe Grim Dawn.exe")
result := mem.read(mem.baseaddress - 0x00000558, "Uint", 0x380, 0x340, 0x20, 0x24, 0x3D0)
msgbox, % "result: " result


Attachment: Capture.PNG

OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Thu Mar 21, 2019 4:04 pm

https://forum.cheatengine.org/viewtopic.php?t=609143
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote:
i am a sweetheart.
ParkourPenguin
I post too much
Reputation: 139

Joined: 06 Jul 2014
Posts: 4283

Posted: Thu Mar 21, 2019 4:48 pm

1: A base address is just the address a pointer path starts at. There's no magic baseaddress() function you can call to get it since different pointers can have different base addresses. You should be able to find the base address consistently (e.g. static offset in .exe / .dll; consistent offset in a thread's stack); otherwise, it isn't going to be of much use when you restart the game. Besides that, it's no different from any other address.

I don't know what you mean by baseaddress() as there's no such function in CE. If it's relevant to AHK, I'd guess it returns the address the .exe was loaded at, but you should go somewhere else to figure that out.

2: Integers in square brackets refer to the value stored at an address. 249E2608+380 = 249E2988, but [249E2608+380] = [249E2988] = 249E2978.

3: See #2. You're not just adding offsets- you're also reading values.

I don't know what language that code is written in, let alone that API. What is mem.read and mem.baseaddress? I can guess what read does, but I highly doubt baseaddress is the address of the first threadstack. If you're lucky, there might be something in the API that gets the stack's address for you, but more likely than not, you'll have to figure it out yourself. Use a search engine to find old topics explaining this process.

Alternatively, find a different pointer.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
TadaceAce
How do I cheat?
Reputation: 0

Joined: 21 Mar 2019
Posts: 2

Posted: Thu Mar 21, 2019 5:07 pm

Quote:
ThreadStack0 is not a module, it's the pushed return address from kernel32.BaseThreadInitThunk

you can notice there are two symbols, + and -

in your case it's minus (it will be minus - always), so ThreadStack0 is ESP (when the system calls your entry point)

value of [esp - AC8] = some address
that address + offset 40 = ???
??? + D8 = ??
?? + offset = ?

and so on, but don't depend on stack contents.


Sorry, I'm going to have to ask you to dumb this down for me. So ThreadStack0 is ESP (I only have a vague understanding of what this is) which is a static address that serves as a root for the pointer. Then in that example you subtract AC8 from it to find the first pointer?

It seems that the baseAddress method won't point to ESP by default. What's the best way to find this address and will it change?

Is there a reference to what the different roots (e.g. Threadstack) refer to?


ParkourPenguin wrote:


2: Integers in square brackets refer to the value stored at an address. 249E2608+380 = 249E2988, but [249E2608+380] = [249E2988] = 249E2978.

3: See #2. You're not just adding offsets- you're also reading values.


This was helpful. Turns out it was a combination of setting the format to hex before the operations and a fundamental misunderstanding that you're reading the value at each step.


Code:
SetFormat Integer, H

base := 0x3843C748
pointer := mem.read(base+0x208)
pointer := mem.read(pointer+0x20)
pointer := mem.read(pointer+0x2E8)
pointer := mem.read(pointer+0x30)

SetFormat Integer, d
result := mem.read(pointer+0x608)

msgbox % "result: " result


This works and returns the right value for the pointer shown in the attachment. It doesn't use the function I was intending to use but it works.

My question is, I use 0x3843C748 as a base. This is from the entry point (?) of the pointer in CE "FreeImage.dll+0016A5C4". Is this proper or should I be finding an address for FreeImage.dll?



Attachment: Capture.PNG

ParkourPenguin
I post too much
Reputation: 139

Joined: 06 Jul 2014
Posts: 4283

Posted: Thu Mar 21, 2019 8:38 pm

3843C748 isn't the base address. It's the value stored at "FreeImage.dll"+0016A5C4 - the base address (this is shown by the -> text instead of = ).

You need to figure out where "FreeImage.dll" was loaded, add 0016A5C4 to that address, read the value, and go from there.

I don't know what that API is or how to use it, but it probably has something that can find the address a dll was loaded at.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
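
The difference discussed in this thread between a pointer path that starts at module+offset and one that starts at a value copied out of a single run, as an added example that is not part of any post. It is written in Python over a simulated address space rather than against the AHK library; the module bases and heap addresses are constructed sample values, and only the offsets and 0x3843C748 come from the thread.

```python
# Simulated 32-bit address space. Module bases and heap addresses are constructed
# sample values; the offsets and 0x3843C748 are the ones quoted in the thread.
MODULE, MODULE_OFFSET = "FreeImage.dll", 0x0016A5C4
OFFSETS = [0x208, 0x20, 0x2E8, 0x30, 0x608]

def build_run(module_base, objects, value):
    """One process run: static slot in the module -> chain of objects -> value."""
    memory, slot = {}, module_base + MODULE_OFFSET
    for obj, offset in zip(objects, OFFSETS):
        memory[slot] = obj          # this slot stores the next object's address
        slot = obj + offset         # the next slot lives inside that object
    memory[slot] = value
    return {"modules": {MODULE: module_base}, "memory": memory}

def read_u32(run, address):
    """Stand-in for a process-memory read; unmapped addresses raise ValueError."""
    if address not in run["memory"]:
        raise ValueError(f"unmapped address {address:#x}")
    return run["memory"][address]

def resolve(run, module, module_offset, offsets):
    """Return the final address of the path [[module+off0]+off1]+... ."""
    address = run["modules"][module] + module_offset
    for offset in offsets:
        address = read_u32(run, address) + offset   # read the value, then add
    return address

def read_via_hardcoded(run, first_pointer=0x3843C748):
    """Start from a pointer value copied out of one run instead of module+offset."""
    value = first_pointer
    for offset in OFFSETS:
        value = read_u32(run, value + offset)
    return value

# Same program, two runs: the module and its objects load at different addresses.
RUN_A = build_run(0x10000000, [0x3843C748, 0x2A001000, 0x2A002000, 0x2A003000, 0x2A004000], 1234)
RUN_B = build_run(0x6F400000, [0x41A0F748, 0x1B301000, 0x1B302000, 0x1B303000, 0x1B304000], 1234)

if __name__ == "__main__":
    for name, run in (("A", RUN_A), ("B", RUN_B)):
        final = resolve(run, MODULE, MODULE_OFFSET, OFFSETS)
        print(f"run {name}: path -> {final:#x} = {read_u32(run, final)}")
    print("run A, hard-coded start:", read_via_hardcoded(RUN_A))
    try:
        read_via_hardcoded(RUN_B)
    except ValueError as err:
        print("run B, hard-coded start fails:", err)
```

The hard-coded start only works in the run it was copied from; resolving from the module's load address works in both.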