Cheat Engine

[Lexdyslic]

I'm attempting to find the pointer for levitation in a game called Noita, I've managed to find the address perfectly fine however after seeing what accesses the address there are two copy memory opcodes in the debugger. After trying each of these and searching for the probable address I get no values whatsoever as you can see in screenshot #1.

After doing more reading I found that the possible cause is a pointer chain, so after manually putting in the probable addresses (of which only one of them yielded a value) and seeing what accesses the pointers the exact same 2 copy memory opcodes are found (in screenshot #3).

I'm a complete beginner with using cheat engine and figured I'd use (what i thought) was a simple 2D indie game to try it out and this has me stumped.

[ParkourPenguin]

Do those SSE instructions use an offset? You're not limited to just using mov instructions. Moreover, you'd want to avoid instructions that operate on integer or generic data (i.e. mov) when working with floating point numbers.
Have you tried the pointer scanner? See this video for an example.

In "Noita debugger screenshot 3.png", you're looking at the exact same address. The only difference between them is that you're interpreting the 0s and 1s in memory in a different way (integer vs floating point number).

[Lexdyslic]

Gah, I just typed out a full response and my internet cut out and I lost it. Anyway, all I know about offsets is that they are whatever is in the red square bracket in the 'extra info' window after you double click on an opcode in the debugger screen so i guess they don't use an offset?

Also I tried using the pointer scanner but the tutorial (same one that you linked) is a bit difficult to apply to an actual game, what I did didn't show anything after doing the pointer scan so I'll just type out what I did.

I found the levitation address by scanning and increasing/decreasing the value till i narrowed down the value and found it through trial and error. Then I added that address to the list and generated a pointer map for it and saved it. Then i closed the game down and repeated the same step to get the address and did a pointer scan, making sure to select the same file that I saved before I closed the game. However after waiting for the scan to finish nothing showed up in any of the file types (4 byte, float etc etc).

I understand that the method that I was doing before was the manual way which i got from a tutorial I found on the fearless forums. I don't know the significance of the 'copy memory' opcode I was just following the tutorial I found there which just said to double click on the one that had that to find the probably address and the offset (which the tutorial described as being the text/numbers in the square bracket).

[ParkourPenguin]

[Lexdyslic]

Okay, I took a break and came back to it, the address that I used in the first pointer map was the one that I found by narrowing down the addresses by doing the unknown initial value scan (35ACB720).

I closed the game down, found the levitation address again (this time 3288C810) then did a pointer scan on that address and comparing it with the first address that i did the pointer map of. There was only one address in the drop down menu in the pointer scanner screen, that being 35ACB720. This is what my screen looked like (in pointer scanner+address list.png).

After letting the scanner work the pointer scan screen was blank (shown in pointer scanner.png)

As for when I was doing it manually, I wasn't looking at the movss,addss,fdivr instructions as I was just following a tutorial that didn't shed any light on the significance of those for that step. After looking them up is this because movss/addss is for moving/adding float values which is what the original value is?

In the tutorial that you linked just the defaults were used for the pointer scanner so i left it at that.

[ParkourPenguin]

The pointer scan settings look fine, as long as you didn't change any of the advanced settings. I guess you'd have to increase the max different offsets per node (or disable it completely), or maybe increase max offset / level. Increase it enough and you might die before the scan finnishes... it's probably worth looking into manually before trying the pointer scanner again.

[Lexdyslic]

Heres the opcode window, sorry about dragging out what is probably a simple issue I just wanted to get a better understanding of what I'm doing first (hence all the questions).

[ParkourPenguin]

Asking questions is fine.

The offset is 0x108. The address you should scan for would be the address you're watching (i.e. 30FEB4E8) minus that offset:
30FEB4E8 - 108 = 30FEB3E0

Scan for that value as a 4-byte hexadecimal value. For all the results that come up, check what accesses each one and recursively repeat this process. If you do stuff in the game for a bit (e.g. attack, change levels, return to main menu and reenter the game, reload a save, whatever) and nothing accesses an address, it's fine to skip it and try the next one. Take notes as you go along.

The following isn't pragmatic but it's of pedagogical concern.
Values tend to be grouped together into structures, and structures typically include other structures in them by pointers. These pointers point to the beginning (aka base) of other structures. The values in those other structures are typically accessed through an offset from the base of the structure they're in.
In your previous post, 30FEB4E8 is the address of the value you want, 30FEB3E0 is almost certainly the base of the structure that value is in, and by scanning for the 4-byte hex value 30FEB3E0, you're basically asking "Where are all the pointers that point to this structure?" Those other pointers are probably contained in structures themselves, and you'll need to recursively repeat this process until you get to something static.
The two mov instructions aren't relevant in this specific case because they aren't using any offset and there are other instructions that do use an offset. Those two mov instructions are probably part of some function that operates on generic data. They aren't tailored to any specific value or structure, so they need to be passed the address of the value to operate on directly.

[Lexdyslic]

Okay that makes sense, I definitely have a better idea of how this is structured and what i'm doing by finding the pointers.

Although after scanning 30FEB3E0 it only yielded 2 addresses, and after checking what accesses these addresses i didn't get anything in the debugger. After searching around the forums I saw that maybe switching the method from windows to VEH might help then reopening the game, after doing that (and doing everything up to now again) it yielded 64 addresses. All of these addresses aside from the last one didn't have anything after checking what accesses them. this is what is in the screenshot.

My question now is, what is the offset? After looking up the x86 Assembly language on wikipedia I see that in the red the offset should be something like eax*4 and in the extra info panel it says that eax = 311B5128. Does that mean that since it's the same (probable) address that it's like saying 0*4 = 0? (0 being the offset).

[ParkourPenguin]

[Lexdyslic]

Yeah up until after i scanned 30FEB3E0 i had kept the game open the entire time, and after each time I accessed the address i spent about 20 seconds in each of the 64 addresses doing random things in game before pausing the game again then moving to the next address to check.

How did you first get into using cheat engine? Do you have a formal education in programming or are you self taught? I feel as if I should probably get a better base understanding first before trying to do this as looking up everything only going to get me so far (currently no where). Do you have any recommendations on things I should learn before trying to tackle doing things like this?

[ParkourPenguin]

If that pointer path doesn't work out, I'm not sure where you can easily go from here. You could try increasing the max level / offset on the pointer scanner. Tick "Pointers must end with specific offsets" and put 108 as the only offset- it'll speed up scans.
Everything else I can think of involves assembly.