Cheat Engine

Drivium

I'm working on a free cam cheat and it requires nop'ing about 8 different instructions. I have all of the target addresses in a list already. I just need some programmatic way of right clicking each, finding what writes to it, and nop'ing anything it returns (some addresses have 3 instructions that write to it).

For example, I have a main cheat called Cam Base (also a header), which is just an aob scan. It creates a label/symbol called _camcoords, which I then use to offset all of the addresses I need nop'd.

Maybe a script that applies this to everything under the header Cam Base?

Thanks in advance!

ParkourPenguin · Posted: Thu Jun 04, 2020 9:18 am Post subject:

Lua could do that, but there's no guarantee you'll catch every write to every address. You'd be better off making AoBs for those instructions and finding them that way.

Drivium · Posted: Fri Jun 05, 2020 4:54 pm Post subject:

My concern with finding 8+ aob's and nopping them is it would take a substantial amount of time to enable the cheat. With my suggestion, it only requires finding one as the in-memory addresses are just offshoots of that first aob. So, I really think something that finds what writes to, and nops all instructions under any addresses in my header would work. Issue is I'm not that well versed in lua...

Here's what I imagine with some pseudo code: If header = "header name" then for each [address] in [addresses] find what writes to this address. for each [instruction] in [instructions] nop

ParkourPenguin · Posted: Fri Jun 05, 2020 7:57 pm Post subject:

You could use the memscan class directly w/ the vtByteArrays type. It's a one pass scan for unique aobs. Last I checked it's not documented / defined in main.lua / defines.lua, but it shouldn't be too hard to figure out by reading CE's source.
With that and only scanning through executable memory, it should be sufficiently fast.

The problems associated with breakpoints is (generally) far worse. Instructions pop up in the "find out what writes..." list because they were executed. You might need to do some action in the game in order for a particular instruction to execute. It's not like you click that button and every instruction that could write to that address magically pops up. If e.g. the game is paused and nothing is writing to the address, then you won't see anything writing to the address.
With that in mind, what's an appropriate amount of time to wait? What if you don't find anything after waiting? What if you find an instruction you don't want to replace with nops?
Doing it "correctly" would involve verifying a unique aob pattern around the instruction that triggered the breakpoint to make sure it's an instruction you want to replace with nops (this would also solve the "get previous instruction" problem). When you do replace an instruction, mark down that information for all breakpoints that instruction could access. Breakpoints with no instructions left can be removed, and a new one can be placed on another address.
Still, it's not generally predictable how long that would take. There are only 4 hardware breakpoints available, so it's not like you could just set breakpoints everywhere and forget about it.

Finding the instructions through a memscan would be far easier and usually safer / more reliable.

Drivium · Posted: Fri Jun 05, 2020 10:16 pm Post subject:

In my case, the instruction is constantly writing to the addresses and they come up immediately without any additional actions. This is my first cam hack, so I'm assuming the dilemma I'm describing must have been solved already. I just don't know...what I don't know. lol

Do you have an example of a script you would use to achieve what I'm describing? Yes, I could just feed it all of the aob's it needs. I made an assumption it would take a while to enable that way, but sounds like you know of a swifter way.

ParkourPenguin · Posted: Sat Jun 06, 2020 10:32 am Post subject:

It shouldn't be too bad then; however, you should still be safe about it and not assume you replaced every write after a few hundred milliseconds.

Looking at CE's source, I don't think TMemScan.GetOnlyOneResults is exposed to Lua.
Doing it the more conventional way through an AA script might be best. Unfortunately AA aobscans scan through all memory and I can't see any way to change that to only executable memory.

I'd hope most people do camhacks by replacing only what they need to replace and not simply everything. But if it works, it works.

Dark Byte · Posted: Sat Jun 06, 2020 10:55 am Post subject:

You can set MemScanInstance.OnlyOne=true

when the scan is done MemScanInstance.Result will have the address

If you combine it with IsUnique=true multiple threads will be used to scan the memory, the first one that finds it will stop the others and return the value (make sure it is in fact unique)

ParkourPenguin · Posted: Sat Jun 06, 2020 12:01 pm Post subject:

For one aob sure, but a multi aob scan with vtByteArrays can't be used in Lua because there's no way to get the results.

Drivium · Posted: Tue Jun 09, 2020 12:26 am Post subject:

Thanks for the responses. I'll think on a different way to accomplish this.

mg_01 · Cheater Reputation: 0 Joined: 28 Jan 2018 Posts: 41

i dunno if it'll help, but i wrote a autohotkey macro to nop out stuff for my free-cam script. it's literally just clicking automatically though, nothing elegant.