Cheat Engine Tutorial Guide (x32) - Part 3

Cheat Engine Tutorial Guide (x32) - Part 3

Post by TheyCallMeTim13 » Wed Apr 18, 2018 1:13 pm

https://wiki.cheatengine.org/index.php? ... _Guide_x32
Cheat Engine Tutorial Guide (x32) - Part 3

Continued from: Cheat Engine Tutorial Guide (x32) - Part 2


Step 9
When you start step 9 you should see the form looking like this.
Image

So here, like the help text says, there is far more than one solution.
First we need to find one of the addresses and add it to the table.
If you are having trouble finding an address, remember to try different value types, and don't forget to start new scans.
Then, like in step 7, we want to see what accesses the address, to find the function that writes to the actor's health.
Go ahead and save the password if you want to try different ways, this is the last step in the tutorial.
So here it's good to understand what we're actually looking for to tell allies and combatants apart.
When the game or engine is written, actors and players might be written like this.

Code:

#include <string>

struct Coord { float X, Y, Z; };

//// Actor, base for all actors
class Actor {
public:
    std::string Name = "Actor";
    Coord Coords = {0, 0, 0};
    float Health = 100.0f;
    //...
};

//// Player
class Player : public Actor { //// Player inherits from Actor
public:
    Player() { Name = "Player"; } //// override the inherited name
    int Team = 1;
    //...
};
The team itself could also be a structure, say if it is declared as an object class like the 'Coords' variable; in that case we would be looking for a pointer to the actor's team structure rather than a plain integer id.
So one way to do this is to find the team id (or the pointer to the team structure) inside the player structure.


Find the team id in the player structure
After you have found the function that decreases health, right click the instruction in the disassembler view form and select "Find out what addresses this instruction accesses".
Image

Then click the attack button for all 4 values.
You should have all 4 addresses in the debugger list.
Image

So go ahead and add them to the address list.
Image

Then let's open the dissect data structure form.
Image

You'll get some pop ups; after going through them you should see a form like this. Note that I had to expand the width of the form to be able to move the columns.
Image

So here we can see that the team variable is at offset 0x10 of the structure.
Now we need to add some injection code to a script, then add some code that checks the team variable of the structure, to determine which actors are allies and which are combatants.
So we want something like this.
Image


So with this script enabled, when the game writes to an actor's health, here is what happens after the jump to the hook code:
  1. Save (PUSH) the EFLAGS register. Not strictly needed here, but a good habit whenever the hook compares, since CMP overwrites the flags.
  2. Check if the actor is on team 1.
    1. If the actor is on team 1, set the new value to 5000 in floating point format.
  3. Check if the actor is on team 2.
    1. If the actor is on team 2, set the new value to 0 in hex format (float 0 == int 0 == hex 0).
  4. Restore (POP) the EFLAGS register. This is required if the register was PUSHed, otherwise the stack is unbalanced when the original code resumes.
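For reference, here is the same team check written out as a Cheat Engine auto assembler script. This is an added example, not the script shown in the image above. Only the team offset (0x10) and the two new values come from the post; the hook address (the XXXXXX in the define), the use of EBX as the pointer to the actor structure, the use of EAX as the value being written, and the original instruction "mov [ebx+04],eax" are placeholders that you read off the disassembler for your own run. Actors on any team other than 1 or 2 are left untouched, which is a design choice of this example, not something the post states.

```asm
[ENABLE]
// Placeholder: address of the health-writing instruction found in step 9.
define(address,"Tutorial-i386.exe"+XXXXXX)
alloc(newmem,2048)
label(checkteam2)
label(originalcode)
label(exit)
label(returnhere)

newmem:
  pushfd                    // step 1: save EFLAGS, CMP will change them
  cmp [ebx+10],1            // step 2: team id at offset 0x10 (CE numbers are hex)
  jne checkteam2
  mov eax,(float)5000       // team 1 (ally): new health is 5000.0
  jmp exit

checkteam2:
  cmp [ebx+10],2            // step 3: team 2 (combatant)
  jne exit                  // other teams: leave the written value alone
  mov eax,0                 // float 0 == int 0 == hex 0

exit:
  popfd                     // step 4: restore EFLAGS, keeps the stack balanced

originalcode:
  mov [ebx+04],eax          // placeholder: the original write we hooked
  jmp returnhere

address:
  jmp newmem
  nop                       // pad to the length of the bytes overwritten
returnhere:

[DISABLE]
address:
  mov [ebx+04],eax          // placeholder: original bytes, including any the nop padding covered
dealloc(newmem)
```

The jmp to newmem is 5 bytes, so the nop padding after it has to bring the total up to the exact length of the instruction(s) it overwrote, and the DISABLE section has to restore all of those bytes, not just the one hooked instruction.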
With this script enabled, click the restart game and autoplay button, then you should see the form change and look like this.
Image

So click the next button to complete the tutorial.
Then you should see a form telling you that you have completed the tutorial.


Find a difference in the registers
After you have found the function that decreases health, right click the instruction in the disassembler view form and select "Find out what addresses this instruction accesses".
Image

Then click the attack button for all 4 values.
You should have all 4 addresses in the debugger list.
Image

Now let's look at the registers to see if we can find a difference in the allies and combatants.
Select each address individually and press Ctrl+R.
Arrange the forms to make it easier to compare.
Image

So here we can see that ESI is 1 for the combatants.
So a script like this should work.
Image


So with this script enabled, when the game writes to an actor's health, here is what happens after the jump to the hook code:
  1. Save (PUSH) the EFLAGS register. Not strictly needed here, but a good habit whenever the hook compares, since CMP overwrites the flags.
  2. Check if the ESI register is 1.
    1. If ESI is 1, set the new value to 0 in hex format (float 0 == int 0 == hex 0).
    2. If ESI is not 1, we assume the actor is an ally, so set the new value to 5000 in floating point format.
  3. Restore (POP) the EFLAGS register. This is required if the register was PUSHed, otherwise the stack is unbalanced when the original code resumes.
With this script enabled, click the restart game and autoplay button, then you should see the form change and look like this.
Image

So click the next button to complete the tutorial.
Then you should see a form telling you that you have completed the tutorial.



Last edited by TheyCallMeTim13 on Tue May 01, 2018 12:50 am, edited 6 times in total.
