i am very sad about what happen at forum.cheatengine.org , it have been
targeted by the big company from the game industry (Seems like its due
to copyright claims by Bethesda, claiming Cheat Engine is violating the works of companies like Bethesda ect...) [you know the big one can name any reasons]
giving Dark Byte the admin and creator of Cheat Engine such a Big problem.
Read more here
{ the site don't work correctly for now due to DDos atack and other trouble stuff, hope it just temporary}
Besides an amplified DDoS attack also a 'Notice of Infringment' from a representative of Bethesda and others. (is this coincidence ? ................ )
Dark Byte , my thanks to you for all your hard work, i hope the problem will only be temporary.
i am releasing a series of all i learn from forum.cheatengine.org
i just have some post that i have read and understand, hopefully other of you will post some more.
And please let me know where it is!
Thanks!
Forge By Games # ForgeByGames
this is the 2nd post i learn
{ the site don't work correctly for now due to DDos atack and the other trouble stuff, hope it just temporary}
writen by
Rydian
Grandmaster Cheater Supreme
Making your table have the right addresses each time without having to re-scan every time you run
the game is something everybody wants, but a lot of people aren't sure how it's done. Finding the
game's native pointer path for the value you want to keep track of is the traditional way, but just
because it's traditional doesn't mean it's the best. In fact with how complex games are getting and
how many of them are being written in dynamically-managed languages nowadays (with some games
actually getting compiled in RAM each launch), a lot of games don't even have native pointer paths
built off of static base addresses anymore and the traditional pointer-finding method fails.
So I'm going to show you three modern techniques to make your table re-find the data for you each run.
For this tutorial I will be using the game Rogue Legacy as it's written in .NET and thus benefits from this.
- Pointer Scanner
Cheat Engine has a pointer scanner function now that's capable of finding all sorts of pointer paths
that the traditional methods won't find. It's fairly easy to use too. The first thing you're going to want
to do is the same as in any hack, and that is to scan the game to find what the current address of a
value is. In this case I'll go for health. Once you have that value found and it's in your table, right-click
it and choose one of the Find What ... This Address options.
Tip: I recommend you use "accesses" when possible, but in many cases "accesses" will be really slow
(for example when looking at coordinates) so choose "writes" if "accesses" is slowing things down.
Once Cheat Engine is logging what happens to our health address, I'm going to run around like a ninny
and get hit a few times and then look at the log window and see what popped up. In this case we're
trying to find the offset for health.
In this case it's pretty obvious that the offset is +118. You'll use this info to narrow down the pointer
searches. What you want to do now is Stop and Close that (bottom-right button) and then go back to
the normal address list. Right-click the health address you found and choose to run the Pointer Scanner.
When you do you'll see something like this pop up.
See the red highlighted parts? You're going to want to tell it to only keep results that end with a
certain offset, and then tell it that the final offset is 118 (because that's what we saw earlier).
The other two things you may want to change are the maximum offset (in this box it's decimal!)
and the depth. Generally the newer and more complex the game is, the bigger the max offset and
depths you may need to go. I recommend starting with an offset of 1024 and a depth of 4 for most
games, and if that ends in failure after a rescan then raise the values and try again. Anyways for
this game I'm using for an example, what's shown in the screen should be fine.
When you start the scan, it'll have you save the scan results somewhere. I recommend you choose a
place other than where your cheat tables are. I personally just made a "pointer scans" folder inside
the cheat table folder. Name the scan whatever you like. The scanning process can take from a minute
to an hour or more depending on the offset/depth...
So I recommend you have some Youtube videos or something to do in the meantime. Once it's done
with the initial scan you should see the results. Just like with a normal scan, the first set of results will
be the biggest, don't be scared by the number of results. What I recommend you do now is close the
game and restart it. Get back to where you were before, and scan for your health address, right-click it,
and open the pointer scanner. But this time, close the main popup window because you'll want to open
the previous scan results and work from there.
Simply put in the new address and let it filter the scan down. You could also simply give it the current
value instead of the address and let it work off of that, and while that is less work, it's also less precise,
as in it won't filter out as many bad pointers as specifying the new address itself will filter out.
Do a couple of rescans until you've narrowed it down to the point that it stops dropping tons of pointers
each scan. Unlike scanning for memory addresses normally, when doing pointer scans you will often
end up with a bunch of different pointers that work. Just like in life, there's many paths that can lead
to the same result, so don't expect the pointer scanner to go down to just 1-3 options like with normal
scans, because with many games you'll be left with 100 or more, all functional.
- Injection Copies
If pointer scanning isn't your thing or it's taking too long for you, a much faster method is to inject some
code that will copy the base address of the structure for us. As you saw in the above method, by looking
at code that reads/writes the address you can often find an offset. If you're looking for something like
player health, generally other stats like the player's mana and strength or whatever will be in the same
structure. You can try to find these addresses normally and see if they're very close or similar, if they're
very close to eachother (~1024 +/-) than you can usually be assured that they're in the same structure.
So the basic idea is to find some code that works on something in the structure, and then edit that code
a bit to make it copy the right data for us every time. The first obstacle will be to find code that only
affects the structure you want. For Rogue Legacy, let's find our health value, find what accesses it (as
before you may need writes instead if accesses brings up way too many things), then once you have some
functions there click Stop. Pick one of the instructions that has something like "eax+00000188" in it.
Basically you'll want a function that works off of a register plus an offset, so we know that it deals
with the base address of the data we want. Once you see an acceptable target, click one of the functions
and then click the "Show Disassembler" button to open the memory viewer at the right location.
So at the time that target code executes, ebx+00000118 is our health value. This means that ebx contains
the base address of the player structure and +0x118 bytes from that is the health value. So if we can edit
this script to constantly copy the value of ebx out for us, we can have a "pointer" to the player's health
address (and any other stats in the structure) that won't break across restarts!
Anyways as you see in the screenshot, this will show the game's code that's In the disassembler window,
and now we want to see if that target code works off of just the data we want (which is good) or if it's a
shared/global function that works for lots of different things (we don't want that in this case). Right-click
the code and click "Find what addresses this instruction accesses" and you'll see a new window.
Play the game some more and do various things, and check back on that window now and then. If it only
shows one address as being accessed (which is in this case our health address) then you're good. However
if it shows multiple addresses as being accessed, then that's not a decent target for this technique and you
will want to target something else. Preferably something that's either unique to the player (such as MP if
enemies don't have MP limits) or something that's only displayed for you and not the enemies (like some
of your stats or something).
So once you've found code and you're certain it only affects the address you're targeting and has the right
notation in it (register+offset so we know it knows about the base address), it's time to actually write the
script for it. With the line of code highlighted in the disassembler, press CTRL+A and that should open the
Auto Assembler window. In there go to Template - Cheat Table Framework Code, and then click
Template - AOB Injection. Click okay on the address it asks for (by default it'll use the address of the
line that was highlighted when you opened the AA window), and when it asks for a name you should give
it something short and descriptive. In our case we're targeting code that reads HP, so here I chose
"hpreading".
After accepting that, you'll see the injection script template that CE has generated. After erasing the
comments and spacing (I do that just so I don't have to scroll all the time), it'd look something like this.
Now in order to tell this script to additionally copy the base address for our use, we'll add just two lines to it.
The first line, the globalalloc() function, is shorthand for allocating some memory and registering a label to
it globally for other scripts and things to use. The first argument is the name for the label. Personally I
pick something like _xbase because I try to use an underscore to mark things exposed for the table, and I try
to name the base address value copies something meaningful. The second argument is the number of bytes
to allocate. For 32-bit programs and things using less than 4GB of RAM, in most cases you'll only need 4
The second addition is what tells the game to actually copy the base address for us. In almost all cases
it's as simple as telling AA to do "move, into the value of the allocated memory, the contents of the register".
Replace the register with whatever one is actually used with the offset in the original code, of course.
The idea is that when this script is turned on, the code that you targeted will also copy the base address of that
structure to the allocated memory each time. And this memory has a label that we can use in the table to
reference it. So after adding those lines to your script, go to File - Assign To Current Cheat Table.
Do not click "Execute".
Now that script should be an entry in your cheat table. You'll probably want to close the AA window and then
rename the script copy in the table or something. You should be able to check it, and it should enable. Then
to actually see the fruit of your labor and use the results of that script, in CE's upper portion click the
"Add address manually" button. In there, you can use either the pointer syntax or manually type in the base
and offset like [_playerbase]+118.
Yup, there we go, as long as that script is turned on the game will be copying the base address of the player
structure for our use, and we can pull up anything in that structure with that syntax. So you can keep finding
stats in that structure, and then with one script the game will always tell you the right addresses!
- AOB To Data
So you may have a structure (set of stats/options) that you want to target, but in some situations pointer
scanning and injection just aren't feasible options. You may be working with a game running in an
interpreted environment (flash, web browser, scripting) or one that updates quite often and the code
changes while the data you're targeting stays mostly the same. In these cases and more, you can create a
scan right to the data structure you need instead and have CE fill in the rest of the addresses for you.
So, going on the same example as above, finding the health address and it's offset. You're going to want
to do to two things with that offset. You're going to want to write it down for later (write something like
"+118 = health" in notepad) and you're going to want to take your health address and subtract 118 from
it in hex. The default Windows calculator program can operate in hex if you put it in scientific mode first.
Once you have your health address with 118 (in hex) subtracted from it, that's the address to the
start of the player/character structure. Back in CE, click Add Address Manually and put in that
address. The type doesn't really matter, but I tend to make it binary so that it stands out visually in
the address list. I did it here and named it Player Structure Start, though a name isn't really needed.
Now you're going to want to click that address and press CTRL+B to open the Memory Browser. You
should see a new window, and the bottom half will be divided into three sections, like the screenshot.
You're probably going to want to resize the Memory Browser window until the middle section measures
16 bytes/pairs across, like in the screenshot.
The left section is the starting address of each row, the middle of the actual RAM contents in Hexadecimal,
and the last row is the RAM contents expressed in ASCII. For this we want to focus on the middle section.
Click and drag in the middle section to select the first three rows or so. For some games just the first two
will do, for others you may need 5-7 rows, but for Rogue Legacy 3 is all we'll need. Once you have the
rows selected, press CTRL+C to copy them and then go and paste them into Notepad or something, making
sure to add back in the line breaks.
Then you'll want to close the game, start it back up, and do this again, copying another sample of what that
data looks like. I recommend doing things like loading in different characters and settings and a few
restarts just to make sure you have a wide range of samples. Here's four I picked up for this example.
What you're going to want to do is compare all the data samples you have, and for the digits that don't
match on them, replace them with a question joe. For for this example, the signature for my data is...
Now that you have your data signature to the player base, it's time to make the script that will scan for it.
Go back to the memory browser and in it, press CTRL+A to open the Auto Assemble window. Paste this.
Of course replace the example signature with the one you've made. I'm using "player" for the labels here
but if you're searching for another type of data replace the label with whatever other human-readable tag
you feel like. Then go to File -> Add To Current Cheat Table. Do NOT click "execute". Once it's been
added to the table, you can open it and edit/okay it from within there safely.
If you can click to check that script and it checks (it may take a second or two while it scans), then you're
good to continue. If it does not check by the time CE starts responding again, then that means it could
not find a match for the signature so you should double-check on that.
So what was all this signature work for anyways? Well, now's the time to see the fruits of your labor.
Remember how I had you note down what the health address was? Well, go to add an address manually
and for the address, type _player+118 (or whatever the health offset is). That's right, CE will understand
what you mean and when you run the script and it finds the player structure start and assigns it the label
of _player, any other addresses that work off of that will have it filled in. So let's say I added mana too.
Then I check the script and...
Bam, the table did the scan and finding and assigning for me so I don't need to scan for those values
manually any more. All you have to know is a signature for the structure and the offsets, and you can
make a scan like this. When it breaks, generally you only need to update the signature being scanned
for and the rest will fix itself. Feel free to keep scanning and adding offsets!
LF2005 wrote:
_player is what's used and referenced in the table itself, outside of the script.
If you mean making the script find two different structures, then chances are making two separate scripts would be best as game updates might change one and not the other.
[quote="Rydian"][size=16][b]- Foreword[/b][/size]
Making your table have the right addresses each time without having to re-scan every time you run
the game is something everybody wants, but a lot of people aren't sure how it's done. Finding the
game's native pointer path for the value you want to keep track of is the traditional way, but just
because it's traditional doesn't mean it's the best. In fact with how complex games are getting and
how many of them are being written in dynamically-managed languages nowadays (with some games
actually getting compiled in RAM each launch), [i]a lot of games don't even have native pointer paths
built off of static base addresses anymore[/i] and the traditional pointer-finding method fails.
So I'm going to show you two modern techniques to make your table re-find the data for you each run.
For this tutorial I will be using the game Rogue Legacy as it's written in .NET and so benefits from this.
[size=16][b]- Pointer Scanner[/b][/size]
Cheat Engine has a pointer scanner function now that's capable of finding all sorts of pointer paths
that the traditional methods won't find. It's fairly easy to use too. The first thing you're going to want
to do is the same as in any hack, and that is to scan the game to find what the current address of a
value is. In this case I'll go for health. Once you have that value found and it's in your table, right-click
it and choose one of the Find What ... This Address options.
[img]http://s12.postimg.org/4rbvnabfx/find_what_accesses.png[/img]
[i]Tip: I recommend you use "accesses" when possible, but in many cases "accesses" will be really slow
(for example when looking at coordinates) so choose "writes" if "accesses" is slowing things down.[/i]
Once Cheat Engine is logging what happens to our health address, I'm going to run around like a ninny
and get hit a few times and then look at the log window and see what popped up. In this case we're
trying to find the offset for health.
[img]http://s12.postimg.org/q8rq8ds31/offset_118.png[/img]
In this case it's pretty obvious that the offset is +118. You'll use this info to narrow down the pointer
searches. What you want to do now is Stop and Close that (bottom-right button) and then go back to
the normal address list. Right-click the health address you found and choose to run the Pointer Scanner.
When you do you'll see something like this pop up.
[img]http://s12.postimg.org/6pijla3xp/pointer_scan_first.png[/img]
See the red highlighted parts? You're going to want to tell it to only keep results that end with a
certain offset, and then tell it that the final offset is 118 (because that's what we saw earlier).
The other two things you may want to change are the maximum offset (in this box it's decimal!)
and the depth. Generally the newer and more complex the game is, the bigger the max offset and
depths you may need to go. I recommend starting with an offset of 1024 and a depth of 4 for most
games, and if that ends in failure after a rescan then raise the values and try again. Anyways for
this game I'm using for an example, what's shown in the screen should be fine.
When you start the scan, it'll have you save the scan results somewhere. I recommend you choose a
place other than where your cheat tables are. I personally just made a "pointer scans" folder inside
the cheat table folder. Name the scan whatever you like. The scanning process can take from a minute
to an hour or more depending on the offset/depth...
[img]http://s12.postimg.org/mmhbhzwbx/scan_in_progress.png[/img]
So I recommend you have some Youtube videos or something to do in the meantime. Once it's done
with the initial scan you should see the results. Just like with a normal scan, the first set of results will
be the biggest, don't be scared by the number of results. What I recommend you do now is close the
game and restart it. Get back to where you were before, and scan for your health address, right-click it,
and open the pointer scanner. But this time, close the main popup window because you'll want to open
the previous scan results and work from there.
[img]http://s12.postimg.org/6kesblwml/pointer_scanner_open.png[/img]
[img]http://s12.postimg.org/f3y69d4z1/rescan_menu.png[/img]
[img]http://s12.postimg.org/od0cjhdv1/rescan_options.png[/img]
Simply put in the new address and let it filter the scan down. You could also simply give it the current
value instead of the address and let it work off of that, and while that is less work, it's also less precise,
as in it won't filter out as many bad pointers as specifying the new address itself will filter out.
Do a couple of rescans until you've narrowed it down to the point that it stops dropping tons of pointers
each scan. Unlike scanning for memory addresses normally, when doing pointer scans you will often
end up with a bunch of different pointers that work. [b]Just like in life, there's many paths that can lead
to the same result[/b], so don't expect the pointer scanner to go down to just 1-3 options like with normal
scans, because with many games you'll be left with 100 or more, all functional.
[size=16][b]- AOB To Data[/b][/size]
Sometimes pointers just aren't an option. You may be working with a game running in an interpreted
environment (flash, web browser, scripting) or one that updates quite often and data tends to shift
around like it has a mind of it's own. In these cases and more, you can create a scan right to the
structure you need and have CE fill in the rest of the addresses for you.
So, going on the same example as above, finding the health address and it's offset. You're going to want
to do to two things with that offset. You're going to want to write it down for later (write something like
"+118 = health" in notepad) and you're going to want to take your health address and subtract 118 from
it. The default Windows calculator program can operate in hex if you put it in scientific mode first.
[img]http://s11.postimg.org/8vhy0asqb/calc_options.png[/img]
Once you have your health address with 118 (in hex) subtracted from it, [i]that's the address to the
start of the player/character structure[/i]. Back in CE, click Add Address Manually and put in that
address. The type doesn't really matter, but I tend to make it binary so that it stands out visually in
the address list. I did it here and named it Player Structure Start, though a name isn't really needed.
[img]http://s21.postimg.org/4y6h6e0yf/address_list_structure_start.png[/img]
Now you're going to want to click that address and press CTRL+B to open the Memory Browser. You
should see a new window, and the bottom half will be divided into three sections, like the screenshot.
You're probably going to want to resize the Memory Browser window until the middle section measures
16 bytes/pairs across, like in the screenshot.
[img]http://s21.postimg.org/c5crg0193/memory_view.png[/img]
The left section is the starting address of each row, the middle of the actual RAM contents in Hexadecimal,
and the last row is the RAM contents expressed in ASCII. For this we want to focus on the middle section.
Click and drag in the middle section to select the first three rows or so. For some games just the first two
will do, for others you may need 5-7 rows, but for Rogue Legacy 3 is all we'll need. Once you have the
rows selected, press CTRL+C to copy them and then go and paste them into Notepad or something, making
sure to add back in the line breaks.
Then you'll want to close the game, start it back up, and do this again, copying another sample of what that
data looks like. I recommend doing things like loading in different characters and settings and a few
restarts just to make sure you have a wide range of samples. Here's four I picked up for this example.
[code]A8 1E 17 01 00 00 00 00 00 00 00 00 28 12 88 03
00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00
A8 1E E3 00 00 00 00 00 00 00 00 00 28 12 88 03
00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00
A8 1E 6B 03 00 00 00 00 00 00 00 00 28 12 87 03
00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00
A8 1E 75 05 00 00 00 00 00 00 00 00 28 12 75 03
00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00[/code]
What you're going to want to do is compare all the data samples you have, and for the digits that don't
match on them, replace them with a question joe. For for this example, the signature for my data is...
[code]A8 1E ?? 0? 00 00 00 00 00 00 00 00 28 12 ?? ??
00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00[/code]
Now that you have your data signature to the player base, it's time to make the script that will scan for it.
Go back to the memory browser and in it, press CTRL+A to open the Auto Assemble window. Paste this.
[code][ENABLE]
aobscan(player, A8 1E ?? 0? 00 00 00 00 00 00 00 00 28 12 ?? ?? 00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00)
label(_player)
registersymbol(_player)
player:
_player:
[DISABLE]
unregistersymbol(_player)[/code]
Of course replace the example signature with the one you've made. I'm using "player" for the labels here
but if you're searching for another type of data replace the label with whatever other human-readable tag
you feel like. Then go to File -> Add To Current Cheat Table. Do NOT click "execute". Once it's been
added to the table, you can open it and edit/okay it from within there safely.
If you can click to check that script and it checks (it may take a second or two while it scans), then you're
good to continue. If it does not check by the time CE starts responding again, then that means it could
not find a match for the signature so you should double-check on that.
So what was all this signature work for anyways? Well, now's the time to see the fruits of your labor.
Remember how I had you note down what the health address was? Well, go to add an address manually
and for the address, type _player+118 (or whatever the health offset is). That's right, CE will understand
what you mean and when you run the script and it finds the player structure start and assigns it the label
of _player, any other addresses that work off of that will have it filled in. So let's say I added mana too.
[img]http://s21.postimg.org/qaikhtaaf/aob_setup_no_run.png[/img]
Then I check the script and...
[img]http://s21.postimg.org/9lh4lwdp3/aob_setup_hasrun.png[/img]
Bam, the table did the scan and finding and assigning for me so I don't need to scan for those values
manually any more. All you have to know is a signature for the structure and the offsets, and you can
make a scan like this. When it breaks, generally you only need to update the signature being scanned
for and the rest will fix itself. Feel free to keep scanning and adding offsets!
[img]http://s7.postimg.org/4zukp8f5n/filled_out.png[/img][/quote]
@Rydian my friend programmer maked a program that adds wildcards automatically.
I'm having trouble with the pointer scan. I'm using Cave Story to test this, with the HP address. Checking for access, I get this: 0042133E - 0FBF 0D CEE64900 - movsx ecx,word ptr [Doukutsu.exe+9E6CE]
So I add 9E6CE as offset, leave everything else as it is, and run the scan.. which then returns 0 results. Changing around max offset and level didn't help. What's wrong?
Doukutsu.exe+9E6CE is a static address. If you add it to your address list, it will always show your health without any additional effort.
Quote:
This ^ How'd you get this? the screenshot before it doesn't even show anything similar. Did I miss something?
Also I've skimmed over your other guide with AOB, however there your not getting it from the bottom, but taking them from the bytes in the top half.
So yea I'm really confused here. Please help.
Edit: Apologies, both seem to work. I was simply confused as to why both works.. but well both are byte /facepalm
I can share my own program:
http://forum.cheatengine.org/viewtopic.php?t=572933
Its coded under VBS (open source) and you can compare more than 2 AoB to get the best wilcard-aob
I coded an easy tool to generator patters for our AoB scan routines, the script is very simple; you only need to add some array of bytes (min 2, max infinite) and the script will generate a valid pattern, example:
Here is the script: http://pastebin.com/tQsvbSkh
Just copy&paste the script in a TXT file (notepad) and save it as whatever.vbs
whipsmack wrote:
Cave Story doesn't use pointers for health,
it's always a static address there. Same with the + version, which is
an update of the original engine. That's why I used a .NET game for
this example, 'cause you'll want something that actually does move
memory around dynamically.
I
wouldn't know how to do that. In cases where the AOB signature itself
is getting more than one result, it generally means that you need to try
a different angle or approach if what you're targeting can't be
uniquely identified.
In that
situation, the memory area you're targeting isn't good for a signature.
Try something else that's close to what you're looking at, perhaps
something a few lines earlier.
Or, try finding the base of the structure of what you're looking for (like if health is eax+18, target eax).
by
Rydian
Grandmaster Cheater Supreme
==================================================================================
http://forum.cheatengine.org
{ the site don't work correctly for now due to DDos atack and other trouble stuff, hope it just temporary}
i just have some post that i have read and understand, hopefully other of you will post some more.
And please let me know where it is!
Thanks!
Forge By Games # ForgeByGames
=================================================================
FreeER “aka” atubeacct
have share this:
You can use the wayback machine (aka the internet archive) to access some pages including this wonderful guide and the first 6 pages of comments
https://web.archive.org/web/20150908103929/http://forum.cheatengine.org/viewtopic.php?t=542093&postdays=0&postorder=asc&start=0
{note}
Hopefully the forum itself being down is just temporary but... there's probably no harm in saving / rehosting (with credit as done here of course) any particularly useful posts/discussions (downloads may not work but at least 5k+ of the cheat tables have been hosted at https://github.com/Hexorg/CheatEngineTables that would still leave some lua extensions potentially lost in a worst case scenario and many scripts and useful tips from the posts theirselves).
=================================================================
{note}
this link is for
COMPLETE CheatEngine Tutorial(with pictures) UPDATE JAN 2015
at my thanks to Cheat Engine and Dark Byte (1)
I am not good at finding link, any link to the old post is welcome.
Thanks!
Forge By Games # ForgeByGames
giving Dark Byte the admin and creator of Cheat Engine such a Big problem.
Read more here
{ the site don't work correctly for now due to DDos atack and other trouble stuff, hope it just temporary}
Besides an amplified DDoS attack also a 'Notice of Infringment' from a representative of Bethesda and others. (is this coincidence ? ................ )
Dark Byte , my thanks to you for all your hard work, i hope the problem will only be temporary.
i am releasing a series of all i learn from forum.cheatengine.org
i just have some post that i have read and understand, hopefully other of you will post some more.
And please let me know where it is!
Thanks!
Forge By Games # ForgeByGames
this is the 2nd post i learn
all credit go to , all these from
http://forum.cheatengine.org/viewtopic.php?t=572465{ the site don't work correctly for now due to DDos atack and the other trouble stuff, hope it just temporary}
writen by
Rydian
Grandmaster Cheater Supreme
Pointer Scanner + Injection Copies + AOB To Data -Cheat Engine Guides
the game is something everybody wants, but a lot of people aren't sure how it's done. Finding the
game's native pointer path for the value you want to keep track of is the traditional way, but just
because it's traditional doesn't mean it's the best. In fact with how complex games are getting and
how many of them are being written in dynamically-managed languages nowadays (with some games
actually getting compiled in RAM each launch), a lot of games don't even have native pointer paths
built off of static base addresses anymore and the traditional pointer-finding method fails.
So I'm going to show you three modern techniques to make your table re-find the data for you each run.
For this tutorial I will be using the game Rogue Legacy as it's written in .NET and thus benefits from this.
- Pointer Scanner
Cheat Engine has a pointer scanner function now that's capable of finding all sorts of pointer paths
that the traditional methods won't find. It's fairly easy to use too. The first thing you're going to want
to do is the same as in any hack, and that is to scan the game to find what the current address of a
value is. In this case I'll go for health. Once you have that value found and it's in your table, right-click
it and choose one of the Find What ... This Address options.
Tip: I recommend you use "accesses" when possible, but in many cases "accesses" will be really slow
(for example when looking at coordinates) so choose "writes" if "accesses" is slowing things down.
Once Cheat Engine is logging what happens to our health address, I'm going to run around like a ninny
and get hit a few times and then look at the log window and see what popped up. In this case we're
trying to find the offset for health.
In this case it's pretty obvious that the offset is +118. You'll use this info to narrow down the pointer
searches. What you want to do now is Stop and Close that (bottom-right button) and then go back to
the normal address list. Right-click the health address you found and choose to run the Pointer Scanner.
When you do you'll see something like this pop up.
See the red highlighted parts? You're going to want to tell it to only keep results that end with a
certain offset, and then tell it that the final offset is 118 (because that's what we saw earlier).
The other two things you may want to change are the maximum offset (in this box it's decimal!)
and the depth. Generally the newer and more complex the game is, the bigger the max offset and
depths you may need to go. I recommend starting with an offset of 1024 and a depth of 4 for most
games, and if that ends in failure after a rescan then raise the values and try again. Anyways for
this game I'm using for an example, what's shown in the screen should be fine.
When you start the scan, it'll have you save the scan results somewhere. I recommend you choose a
place other than where your cheat tables are. I personally just made a "pointer scans" folder inside
the cheat table folder. Name the scan whatever you like. The scanning process can take from a minute
to an hour or more depending on the offset/depth...
So I recommend you have some Youtube videos or something to do in the meantime. Once it's done
with the initial scan you should see the results. Just like with a normal scan, the first set of results will
be the biggest, don't be scared by the number of results. What I recommend you do now is close the
game and restart it. Get back to where you were before, and scan for your health address, right-click it,
and open the pointer scanner. But this time, close the main popup window because you'll want to open
the previous scan results and work from there.
Simply put in the new address and let it filter the scan down. You could also simply give it the current
value instead of the address and let it work off of that, and while that is less work, it's also less precise,
as in it won't filter out as many bad pointers as specifying the new address itself will filter out.
Do a couple of rescans until you've narrowed it down to the point that it stops dropping tons of pointers
each scan. Unlike scanning for memory addresses normally, when doing pointer scans you will often
end up with a bunch of different pointers that work. Just like in life, there's many paths that can lead
to the same result, so don't expect the pointer scanner to go down to just 1-3 options like with normal
scans, because with many games you'll be left with 100 or more, all functional.
- Injection Copies
If pointer scanning isn't your thing or it's taking too long for you, a much faster method is to inject some
code that will copy the base address of the structure for us. As you saw in the above method, by looking
at code that reads/writes the address you can often find an offset. If you're looking for something like
player health, generally other stats like the player's mana and strength or whatever will be in the same
structure. You can try to find these addresses normally and see if they're very close or similar, if they're
very close to eachother (~1024 +/-) than you can usually be assured that they're in the same structure.
So the basic idea is to find some code that works on something in the structure, and then edit that code
a bit to make it copy the right data for us every time. The first obstacle will be to find code that only
affects the structure you want. For Rogue Legacy, let's find our health value, find what accesses it (as
before you may need writes instead if accesses brings up way too many things), then once you have some
functions there click Stop. Pick one of the instructions that has something like "eax+00000188" in it.
Basically you'll want a function that works off of a register plus an offset, so we know that it deals
with the base address of the data we want. Once you see an acceptable target, click one of the functions
and then click the "Show Disassembler" button to open the memory viewer at the right location.
So at the time that target code executes, ebx+00000118 is our health value. This means that ebx contains
the base address of the player structure and +0x118 bytes from that is the health value. So if we can edit
this script to constantly copy the value of ebx out for us, we can have a "pointer" to the player's health
address (and any other stats in the structure) that won't break across restarts!
Anyways as you see in the screenshot, this will show the game's code that's In the disassembler window,
and now we want to see if that target code works off of just the data we want (which is good) or if it's a
shared/global function that works for lots of different things (we don't want that in this case). Right-click
the code and click "Find what addresses this instruction accesses" and you'll see a new window.
Play the game some more and do various things, and check back on that window now and then. If it only
shows one address as being accessed (which is in this case our health address) then you're good. However
if it shows multiple addresses as being accessed, then that's not a decent target for this technique and you
will want to target something else. Preferably something that's either unique to the player (such as MP if
enemies don't have MP limits) or something that's only displayed for you and not the enemies (like some
of your stats or something).
So once you've found code and you're certain it only affects the address you're targeting and has the right
notation in it (register+offset so we know it knows about the base address), it's time to actually write the
script for it. With the line of code highlighted in the disassembler, press CTRL+A and that should open the
Auto Assembler window. In there go to Template - Cheat Table Framework Code, and then click
Template - AOB Injection. Click okay on the address it asks for (by default it'll use the address of the
line that was highlighted when you opened the AA window), and when it asks for a name you should give
it something short and descriptive. In our case we're targeting code that reads HP, so here I chose
"hpreading".
After accepting that, you'll see the injection script template that CE has generated. After erasing the
comments and spacing (I do that just so I don't have to scroll all the time), it'd look something like this.
Now in order to tell this script to additionally copy the base address for our use, we'll add just two lines to it.
The first line, the globalalloc() function, is shorthand for allocating some memory and registering a label to
it globally for other scripts and things to use. The first argument is the name for the label. Personally I
pick something like _xbase because I try to use an underscore to mark things exposed for the table, and I try
to name the base address value copies something meaningful. The second argument is the number of bytes
to allocate. For 32-bit programs and things using less than 4GB of RAM, in most cases you'll only need 4
The second addition is what tells the game to actually copy the base address for us. In almost all cases
it's as simple as telling AA to do "move, into the value of the allocated memory, the contents of the register".
Replace the register with whatever one is actually used with the offset in the original code, of course.
The idea is that when this script is turned on, the code that you targeted will also copy the base address of that
structure to the allocated memory each time. And this memory has a label that we can use in the table to
reference it. So after adding those lines to your script, go to File - Assign To Current Cheat Table.
Do not click "Execute".
Now that script should be an entry in your cheat table. You'll probably want to close the AA window and then
rename the script copy in the table or something. You should be able to check it, and it should enable. Then
to actually see the fruit of your labor and use the results of that script, in CE's upper portion click the
"Add address manually" button. In there, you can use either the pointer syntax or manually type in the base
and offset like [_playerbase]+118.
Yup, there we go, as long as that script is turned on the game will be copying the base address of the player
structure for our use, and we can pull up anything in that structure with that syntax. So you can keep finding
stats in that structure, and then with one script the game will always tell you the right addresses!
- AOB To Data
So you may have a structure (set of stats/options) that you want to target, but in some situations pointer
scanning and injection just aren't feasible options. You may be working with a game running in an
interpreted environment (flash, web browser, scripting) or one that updates quite often and the code
changes while the data you're targeting stays mostly the same. In these cases and more, you can create a
scan right to the data structure you need instead and have CE fill in the rest of the addresses for you.
So, going on the same example as above, finding the health address and it's offset. You're going to want
to do to two things with that offset. You're going to want to write it down for later (write something like
"+118 = health" in notepad) and you're going to want to take your health address and subtract 118 from
it in hex. The default Windows calculator program can operate in hex if you put it in scientific mode first.
Once you have your health address with 118 (in hex) subtracted from it, that's the address to the
start of the player/character structure. Back in CE, click Add Address Manually and put in that
address. The type doesn't really matter, but I tend to make it binary so that it stands out visually in
the address list. I did it here and named it Player Structure Start, though a name isn't really needed.
Now you're going to want to click that address and press CTRL+B to open the Memory Browser. You
should see a new window, and the bottom half will be divided into three sections, like the screenshot.
You're probably going to want to resize the Memory Browser window until the middle section measures
16 bytes/pairs across, like in the screenshot.
The left section is the starting address of each row, the middle of the actual RAM contents in Hexadecimal,
and the last row is the RAM contents expressed in ASCII. For this we want to focus on the middle section.
Click and drag in the middle section to select the first three rows or so. For some games just the first two
will do, for others you may need 5-7 rows, but for Rogue Legacy 3 is all we'll need. Once you have the
rows selected, press CTRL+C to copy them and then go and paste them into Notepad or something, making
sure to add back in the line breaks.
Then you'll want to close the game, start it back up, and do this again, copying another sample of what that
data looks like. I recommend doing things like loading in different characters and settings and a few
restarts just to make sure you have a wide range of samples. Here's four I picked up for this example.
Code: |
A8 1E 17 01 00 00 00 00 00 00 00 00 28 12 88 03
00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 A8 1E E3 00 00 00 00 00 00 00 00 00 28 12 88 03 00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 A8 1E 6B 03 00 00 00 00 00 00 00 00 28 12 87 03 00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 A8 1E 75 05 00 00 00 00 00 00 00 00 28 12 75 03 00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 |
What you're going to want to do is compare all the data samples you have, and for the digits that don't
match on them, replace them with a question joe. For for this example, the signature for my data is...
Code: |
A8 1E ?? 0? 00 00 00 00 00 00 00 00 28 12 ?? ??
00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 |
Now that you have your data signature to the player base, it's time to make the script that will scan for it.
Go back to the memory browser and in it, press CTRL+A to open the Auto Assemble window. Paste this.
Code: |
[ENABLE]
aobscan(player, A8 1E ?? 0? 00 00 00 00 00 00 00 00 28 12 ?? ?? 00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00) label(_player) registersymbol(_player) player: _player: [DISABLE] unregistersymbol(_player) |
Of course replace the example signature with the one you've made. I'm using "player" for the labels here
but if you're searching for another type of data replace the label with whatever other human-readable tag
you feel like. Then go to File -> Add To Current Cheat Table. Do NOT click "execute". Once it's been
added to the table, you can open it and edit/okay it from within there safely.
If you can click to check that script and it checks (it may take a second or two while it scans), then you're
good to continue. If it does not check by the time CE starts responding again, then that means it could
not find a match for the signature so you should double-check on that.
So what was all this signature work for anyways? Well, now's the time to see the fruits of your labor.
Remember how I had you note down what the health address was? Well, go to add an address manually
and for the address, type _player+118 (or whatever the health offset is). That's right, CE will understand
what you mean and when you run the script and it finds the player structure start and assigns it the label
of _player, any other addresses that work off of that will have it filled in. So let's say I added mana too.
Then I check the script and...
Bam, the table did the scan and finding and assigning for me so I don't need to scan for those values
manually any more. All you have to know is a signature for the structure and the offsets, and you can
make a scan like this. When it breaks, generally you only need to update the signature being scanned
for and the rest will fix itself. Feel free to keep scanning and adding offsets!
LF2005 wrote:
you didn't explained this code isn't there a mistake, it seems that you call for the scanner to the label player, then you declare a label _player & register the Symbol _player, then initialize player & _player, and in the end finalize _player is possibly to make more parameters ? |
If you mean making the script find two different structures, then chances are making two separate scripts would be best as game updates might change one and not the other.
[quote="Rydian"][size=16][b]- Foreword[/b][/size]
Making your table have the right addresses each time without having to re-scan every time you run
the game is something everybody wants, but a lot of people aren't sure how it's done. Finding the
game's native pointer path for the value you want to keep track of is the traditional way, but just
because it's traditional doesn't mean it's the best. In fact with how complex games are getting and
how many of them are being written in dynamically-managed languages nowadays (with some games
actually getting compiled in RAM each launch), [i]a lot of games don't even have native pointer paths
built off of static base addresses anymore[/i] and the traditional pointer-finding method fails.
So I'm going to show you two modern techniques to make your table re-find the data for you each run.
For this tutorial I will be using the game Rogue Legacy as it's written in .NET and so benefits from this.
[size=16][b]- Pointer Scanner[/b][/size]
Cheat Engine has a pointer scanner function now that's capable of finding all sorts of pointer paths
that the traditional methods won't find. It's fairly easy to use too. The first thing you're going to want
to do is the same as in any hack, and that is to scan the game to find what the current address of a
value is. In this case I'll go for health. Once you have that value found and it's in your table, right-click
it and choose one of the Find What ... This Address options.
[img]http://s12.postimg.org/4rbvnabfx/find_what_accesses.png[/img]
[i]Tip: I recommend you use "accesses" when possible, but in many cases "accesses" will be really slow
(for example when looking at coordinates) so choose "writes" if "accesses" is slowing things down.[/i]
Once Cheat Engine is logging what happens to our health address, I'm going to run around like a ninny
and get hit a few times and then look at the log window and see what popped up. In this case we're
trying to find the offset for health.
[img]http://s12.postimg.org/q8rq8ds31/offset_118.png[/img]
In this case it's pretty obvious that the offset is +118. You'll use this info to narrow down the pointer
searches. What you want to do now is Stop and Close that (bottom-right button) and then go back to
the normal address list. Right-click the health address you found and choose to run the Pointer Scanner.
When you do you'll see something like this pop up.
[img]http://s12.postimg.org/6pijla3xp/pointer_scan_first.png[/img]
See the red highlighted parts? You're going to want to tell it to only keep results that end with a
certain offset, and then tell it that the final offset is 118 (because that's what we saw earlier).
The other two things you may want to change are the maximum offset (in this box it's decimal!)
and the depth. Generally the newer and more complex the game is, the bigger the max offset and
depths you may need to go. I recommend starting with an offset of 1024 and a depth of 4 for most
games, and if that ends in failure after a rescan then raise the values and try again. Anyways for
this game I'm using for an example, what's shown in the screen should be fine.
When you start the scan, it'll have you save the scan results somewhere. I recommend you choose a
place other than where your cheat tables are. I personally just made a "pointer scans" folder inside
the cheat table folder. Name the scan whatever you like. The scanning process can take from a minute
to an hour or more depending on the offset/depth...
[img]http://s12.postimg.org/mmhbhzwbx/scan_in_progress.png[/img]
So I recommend you have some Youtube videos or something to do in the meantime. Once it's done
with the initial scan you should see the results. Just like with a normal scan, the first set of results will
be the biggest, don't be scared by the number of results. What I recommend you do now is close the
game and restart it. Get back to where you were before, and scan for your health address, right-click it,
and open the pointer scanner. But this time, close the main popup window because you'll want to open
the previous scan results and work from there.
[img]http://s12.postimg.org/6kesblwml/pointer_scanner_open.png[/img]
[img]http://s12.postimg.org/f3y69d4z1/rescan_menu.png[/img]
[img]http://s12.postimg.org/od0cjhdv1/rescan_options.png[/img]
Simply put in the new address and let it filter the scan down. You could also simply give it the current
value instead of the address and let it work off of that, and while that is less work, it's also less precise,
as in it won't filter out as many bad pointers as specifying the new address itself will filter out.
Do a couple of rescans until you've narrowed it down to the point that it stops dropping tons of pointers
each scan. Unlike scanning for memory addresses normally, when doing pointer scans you will often
end up with a bunch of different pointers that work. [b]Just like in life, there's many paths that can lead
to the same result[/b], so don't expect the pointer scanner to go down to just 1-3 options like with normal
scans, because with many games you'll be left with 100 or more, all functional.
[size=16][b]- AOB To Data[/b][/size]
Sometimes pointers just aren't an option. You may be working with a game running in an interpreted
environment (flash, web browser, scripting) or one that updates quite often and data tends to shift
around like it has a mind of it's own. In these cases and more, you can create a scan right to the
structure you need and have CE fill in the rest of the addresses for you.
So, going on the same example as above, finding the health address and it's offset. You're going to want
to do to two things with that offset. You're going to want to write it down for later (write something like
"+118 = health" in notepad) and you're going to want to take your health address and subtract 118 from
it. The default Windows calculator program can operate in hex if you put it in scientific mode first.
[img]http://s11.postimg.org/8vhy0asqb/calc_options.png[/img]
Once you have your health address with 118 (in hex) subtracted from it, [i]that's the address to the
start of the player/character structure[/i]. Back in CE, click Add Address Manually and put in that
address. The type doesn't really matter, but I tend to make it binary so that it stands out visually in
the address list. I did it here and named it Player Structure Start, though a name isn't really needed.
[img]http://s21.postimg.org/4y6h6e0yf/address_list_structure_start.png[/img]
Now you're going to want to click that address and press CTRL+B to open the Memory Browser. You
should see a new window, and the bottom half will be divided into three sections, like the screenshot.
You're probably going to want to resize the Memory Browser window until the middle section measures
16 bytes/pairs across, like in the screenshot.
[img]http://s21.postimg.org/c5crg0193/memory_view.png[/img]
The left section is the starting address of each row, the middle of the actual RAM contents in Hexadecimal,
and the last row is the RAM contents expressed in ASCII. For this we want to focus on the middle section.
Click and drag in the middle section to select the first three rows or so. For some games just the first two
will do, for others you may need 5-7 rows, but for Rogue Legacy 3 is all we'll need. Once you have the
rows selected, press CTRL+C to copy them and then go and paste them into Notepad or something, making
sure to add back in the line breaks.
Then you'll want to close the game, start it back up, and do this again, copying another sample of what that
data looks like. I recommend doing things like loading in different characters and settings and a few
restarts just to make sure you have a wide range of samples. Here's four I picked up for this example.
[code]A8 1E 17 01 00 00 00 00 00 00 00 00 28 12 88 03
00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00
A8 1E E3 00 00 00 00 00 00 00 00 00 28 12 88 03
00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00
A8 1E 6B 03 00 00 00 00 00 00 00 00 28 12 87 03
00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00
A8 1E 75 05 00 00 00 00 00 00 00 00 28 12 75 03
00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00[/code]
What you're going to want to do is compare all the data samples you have, and for the digits that don't
match on them, replace them with a question joe. For for this example, the signature for my data is...
[code]A8 1E ?? 0? 00 00 00 00 00 00 00 00 28 12 ?? ??
00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00[/code]
Now that you have your data signature to the player base, it's time to make the script that will scan for it.
Go back to the memory browser and in it, press CTRL+A to open the Auto Assemble window. Paste this.
[code][ENABLE]
aobscan(player, A8 1E ?? 0? 00 00 00 00 00 00 00 00 28 12 ?? ?? 00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00)
label(_player)
registersymbol(_player)
player:
_player:
[DISABLE]
unregistersymbol(_player)[/code]
Of course replace the example signature with the one you've made. I'm using "player" for the labels here
but if you're searching for another type of data replace the label with whatever other human-readable tag
you feel like. Then go to File -> Add To Current Cheat Table. Do NOT click "execute". Once it's been
added to the table, you can open it and edit/okay it from within there safely.
If you can click to check that script and it checks (it may take a second or two while it scans), then you're
good to continue. If it does not check by the time CE starts responding again, then that means it could
not find a match for the signature so you should double-check on that.
So what was all this signature work for anyways? Well, now's the time to see the fruits of your labor.
Remember how I had you note down what the health address was? Well, go to add an address manually
and for the address, type _player+118 (or whatever the health offset is). That's right, CE will understand
what you mean and when you run the script and it finds the player structure start and assigns it the label
of _player, any other addresses that work off of that will have it filled in. So let's say I added mana too.
[img]http://s21.postimg.org/qaikhtaaf/aob_setup_no_run.png[/img]
Then I check the script and...
[img]http://s21.postimg.org/9lh4lwdp3/aob_setup_hasrun.png[/img]
Bam, the table did the scan and finding and assigning for me so I don't need to scan for those values
manually any more. All you have to know is a signature for the structure and the offsets, and you can
make a scan like this. When it breaks, generally you only need to update the signature being scanned
for and the rest will fix itself. Feel free to keep scanning and adding offsets!
[img]http://s7.postimg.org/4zukp8f5n/filled_out.png[/img][/quote]
@Rydian my friend programmer maked a program that adds wildcards automatically.
I'm having trouble with the pointer scan. I'm using Cave Story to test this, with the HP address. Checking for access, I get this: 0042133E - 0FBF 0D CEE64900 - movsx ecx,word ptr [Doukutsu.exe+9E6CE]
So I add 9E6CE as offset, leave everything else as it is, and run the scan.. which then returns 0 results. Changing around max offset and level didn't help. What's wrong?
Doukutsu.exe+9E6CE is a static address. If you add it to your address list, it will always show your health without any additional effort.
Quote:
A8 1E 17 01 00 00 00 00 00 00 00 00 28 12 88 03 00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 |
This ^ How'd you get this? the screenshot before it doesn't even show anything similar. Did I miss something?
Also I've skimmed over your other guide with AOB, however there your not getting it from the bottom, but taking them from the bytes in the top half.
So yea I'm really confused here. Please help.
Edit: Apologies, both seem to work. I was simply confused as to why both works.. but well both are byte /facepalm
I can share my own program:
http://forum.cheatengine.org/viewtopic.php?t=572933
Its coded under VBS (open source) and you can compare more than 2 AoB to get the best wilcard-aob
I coded an easy tool to generator patters for our AoB scan routines, the script is very simple; you only need to add some array of bytes (min 2, max infinite) and the script will generate a valid pattern, example:
Here is the script: http://pastebin.com/tQsvbSkh
Just copy&paste the script in a TXT file (notepad) and save it as whatever.vbs
Set oWSH = CreateObject("WScript.Shell")
Set oFSO = CreateObject("Scripting.FileSystemObject")
T = InputBox("Enter array of bytes nº 1:")
T = T & vbcrlf & InputBox("Enter array of bytes nº 2:")
X = 3
While MsgBox("Do you want to introduce another array of bytes?", vbYesNo, "AoB Pattern Generator") = vbYes
T = T & vbcrlf & InputBox("Enter array of bytes nº " & X &":")
X = X + 1
Wend
AoB = Split(T, vbcrlf)
F = ""
W = 0
X = 0
For i = 1 To Len(AoB(0))
For u = 1 To UBound(AoB)
If Mid(AoB(u), i, 1) <> Mid(AoB(0), i, 1) Then
F = F & "?"
W = W + 1
X = 1
Exit For
End If
Next
If X <> 1 Then F = F & Mid(AoB(0), i, 1)
X = 0
Next
Set File = oFSO.CreateTextFile("aob.txt")
File.Write "Original array of bytes:" & vbcrlf & vbcrlf
File.Write Replace(T, vbcrlf & vbcrlf, vbcrlf) & vbcrlf & vbcrlf
File.Write "Total array of bytes: " & UBound(AoB) + 1 & vbcrlf
File.Write "Total wildcards used: " & W & vbcrlf & vbcrlf
File.Write "Your AoB Pattern:" & vbcrlf & vbcrlf & F
File.Close
'MsgBox F
If MsgBox("AoB Patter Generator finished" & vbcrlf & vbcrlf & "Do you want to open aob.txt file?", vbYesNo, "AoB Pattern Generator") = vbYes Then
oWSH.Run "notepad.exe aob.txt"
End If
whipsmack wrote:
I'm
having trouble with the pointer scan. I'm using Cave Story to test
this, with the HP address. Checking for access, I get this: 0042133E - 0FBF 0D CEE64900 - movsx ecx,word ptr [Doukutsu.exe+9E6CE]
So I add 9E6CE as offset, leave everything else as it is, and run the scan.. which then returns 0 results. Changing around max offset and level didn't help. What's wrong? |
0vad0z3 wrote: |
I have a question about your AOB to Data script, Rydian.
Is it possible to add something onto your script to make more specific, the address I want? For example we'll use the address "0AD2425C". I want the script to search for the wild carded array of bytes of this address while also searching for the end value of the address, in this case "C". Or even make the script search around a certain address for the wildcarded array of bytes. Like search around in a 100 bytes parameter of address "0AD2425C" for array of bytes. |
Tigerlemur wrote: |
So
I'm trying to follow along with this tutorial in Medieval Total War 2
for gold (there's already a table, I think, but I'm just doing it to
learn). I found the address, I found the offset... Those parts were
easy. I got to the quoted step and got these results:
[snipped] The script didn't work. I noticed pretty quickly that the codes are really different and I have to put in lots ?s. To be certain I had the offset correct, I checked it each time, and the address -did- allow me to change the gold value in game, so I don't think that's the problem. Are Total War games bad for this? Is there a trick I'm missing in the way it was coded or..? As a secondary note, I noticed a couple of places that weren't static, but only appeared to change a between two types. The ninth pair only ever was DC or C4. Should I try using that rather than a question mark? I'd like to learn this method. The pointer scanner can REALLY eat up data sometimes, and bigger games have some reeeaaallly deep multi-level pointers. |
Or, try finding the base of the structure of what you're looking for (like if health is eax+18, target eax).
by
Rydian
Grandmaster Cheater Supreme
==================================================================================
http://forum.cheatengine.org
{ the site don't work correctly for now due to DDos atack and other trouble stuff, hope it just temporary}
i just have some post that i have read and understand, hopefully other of you will post some more.
And please let me know where it is!
Thanks!
Forge By Games # ForgeByGames
=================================================================
FreeER “aka” atubeacct
have share this:
You can use the wayback machine (aka the internet archive) to access some pages including this wonderful guide and the first 6 pages of comments
https://web.archive.org/web/20150908103929/http://forum.cheatengine.org/viewtopic.php?t=542093&postdays=0&postorder=asc&start=0
{note}
Hopefully the forum itself being down is just temporary but... there's probably no harm in saving / rehosting (with credit as done here of course) any particularly useful posts/discussions (downloads may not work but at least 5k+ of the cheat tables have been hosted at https://github.com/Hexorg/CheatEngineTables that would still leave some lua extensions potentially lost in a worst case scenario and many scripts and useful tips from the posts theirselves).
=================================================================
{note}
this link is for
COMPLETE CheatEngine Tutorial(with pictures) UPDATE JAN 2015
at my thanks to Cheat Engine and Dark Byte (1)
I am not good at finding link, any link to the old post is welcome.
Thanks!
Forge By Games # ForgeByGames
No comments:
Post a Comment