The Swords of Ditto 1.04.03

chusski

Cheater
Joined
Sep 8, 2018
Messages
39
Cake-san said:
Just started to play this game today...
For now:
Get Hp
Get Money
Inf item use
Hi Cake-san.

Lol, great work. Can you explain how you found the HP pointer? Please.
 
Cake-san

Expert Cheater
Table Maker
Joined
Mar 26, 2017
Messages
262
chusski said:
Hi Cake-san.

Lol, great work, can you explain, how you find hp pointer ? plz
You can backtrace the HP variable by using Break and Trace Instructions.
If the function is shared, you can set a condition on the breakpoint for when to break.

For this game the offset is dynamic and precalculated, so it's pretty tedious/pointless to look for said pointer.

You have to find a suitable spot for code injection to get your HP variable.

Cheers. :D
 
chusski

Cheater
Joined
Sep 8, 2018
Messages
39
Cake-san, I am trying to learn how to use CE and understand the process. (The good guides and helpers are in English, and my English is not good enough, so some terms and expressions don't help much.)
Can you answer some questions about that process, or tell me where I am wrong? Please.
I will explain the process as I understand it, step by step.

On the find-the-HP process, for example:
You did:

- Find the HP value (100), decrease it by taking one hit, scan for the decreased value, then locate the (dynamic) address of the HP.
- Find out what "writes" to that address.
- Get hit again, and an instruction pops up, in this case: 008E921E - F2 0F11 0E - movsd [esi],xmm1
- Show disassembler.
- Right click, and Break and Trace Instructions. (Use this method because the offsets are dynamic and crazy.)
- Trace:
- The trace shows all the steps that follow this instruction to reach the HP address, no?
- What happens from here? Do I need to find the address?

Thanks very much for your time.
 
Cake-san

Expert Cheater
Table Maker
Joined
Mar 26, 2017
Messages
262
I prefer using "Find out what accesses this address" and choosing the one with the highest count when I want to make a script that "gets" the address.

- Pause the game, either using CE's pause hotkey or by going to Advanced Options and clicking the pause image.
- Show disassembler.
- Right click, Break and Trace Instructions (step over instead of single step) -> OK.
- Ctrl+B -> select your breakpoint, then Ctrl+C or right-click -> Set/Change condition.
- Set your condition, e.g. simple: ESI == 0x57AD9680
- OK -> unpause the game.

From here on you have to use your backtrace skill: a bit of assembly knowledge and a bit of programming knowledge.
You can try using this backtracing method on the CE tutorial, Pointer section, to understand it more ;)
 
ImpalaPUA

Expert Cheater
Table Maker
Joined
Apr 18, 2017
Messages
382
chusski said:
Hi Garrett Dark.

This is the first game in which I have tried to use CE. Seeing the game, I thought it would be easy.
Since I was not able to find life, I thought I was useless...

Good job, and thank you very much for sharing your work.

I'm watching it to see if I find out something else.
It can definitely be cheated, but you said this is your first game using CE. I am just saying you picked a harder game to test your skills.
 
Garrett Dark

Novice Cheater
Joined
May 8, 2019
Messages
15
This is an updated version of my table from yesterday. I've added a bunch of new Sticker Ability AOB lookups, and fixed the Poison Attack lookup to work consistently.

I also did a pointer to Sword Power, which happened to be surprisingly easy, unlike other things in this game. Sword Power is the stat on the stat screen that lists Era, time, and such. If you crank it up (I set it to 8750) you can basically one-shot enemies with your sword. The pointer is stable, and you only need to change it once for it to be permanent (no apparent resetting like other things). In fact, the weird thing about this is that even if you start another new game, the Sword Power is still what you set it to last (possibly how the game intended it to be?).

As before:
- This is for v1.14.01-202
- The AOB lookup cheats aren't working perfectly due to this game: lots of resetting and wrong address pointing when changing maps in-game, and the numbers look glitched.
- See my last post for more info
To use:
- Check mark "AOB Lookup....."; this will find all the memory locations of the stuff I found.
- "AOB Pointers" is where all the values are. But they'll probably look glitched because the scripts haven't found the right locations yet (or the locations changed if you waited long enough).
- To make it find the right locations, in-game go look at the Stickers screen a few times; all the "AOB pointers" should go to either "0" or "1" when found (or close to 0 or 1 if you have stuff equipped).
- Change values now, only if the numbers don't look glitched. It should hold even if the numbers glitch afterwards, until a major map change (usually topside to dungeons or houses and vice versa; topside to topside seems to hold) or until you look at the Sticker screen again (which triggers the game's reset-value code when entering or leaving that screen).
- For convenience I made some hotkeys in CE (Ctrl+H) for all the stuff; you can change the "set value to" to whatever you want. The keys are mapped to "[", "]", "\" for each group of effects.
- If the game resets the values on you and your character is weak again, just look at the Sticker screen again until the values are 0 or 1 again, and use the hotkeys.
 

chusski

Cheater
Joined
Sep 8, 2018
Messages
39
Cake-san said:
I prefer using "Find out what accesses this address" and choosing the one with the highest count when I want to make a script that "gets" the address.

- Pause the game, either using CE's pause hotkey or by going to Advanced Options and clicking the pause image.
- Show disassembler.
- Right click, Break and Trace Instructions (step over instead of single step) -> OK.
- Ctrl+B -> select your breakpoint, then Ctrl+C or right-click -> Set/Change condition.
- Set your condition, e.g. simple: ESI == 0x57AD9680
- OK -> unpause the game.

From here on you have to use your backtrace skill: a bit of assembly knowledge and a bit of programming knowledge.
You can try using this backtracing method on the CE tutorial, Pointer section, to understand it more ;)
- If I use "Find out what accesses this address", I get a lot of instructions for this address: 4e9d94b0 (HP).
I selected this one:
00A7921E - F2 0F11 0E - movsd [esi],xmm1
because some xmm1 double value is moved to [ESI], or so I think. This is the best one, no?

- Then show disassembler: The_Swords_of_Ditto.exe+4921E - F2 0F11 0E - movsd [esi],xmm1

- Ctrl+B (step over instead of single step):
do I need to select the "Find code" type or the "Hardware breakpoint" type?

- Ctrl+C: (I selected the first one) (it's like an HP address)
ESI==0x4e9d94b0 "simple"

- Then I got a lot of traces (as if I hadn't used Ctrl+C); I thought the Ctrl+C was a filter or something for the traces... no?

- In the traces, what do I need to look at to know if I am going well?

Can you link me that tutorial that you mentioned? Please, I can't find it on Google.

Thanks very much, really.
 
Cake-san

Expert Cheater
Table Maker
Joined
Mar 26, 2017
Messages
262
chusski said:
Can link me that tutorial, that you asking about? plz i dont find it on google.

thx very much really.
You can find many references on the original CE forum.
https://forum.cheatengine.org/index.php
Search for backtrace.

There are a few posts I made there in the past, if you want to use them as a reference.
(Well, they're not that good, the young me :oops: )
https://forum.cheatengine.org/viewtopic.php?p=5673091
 
chusski

Cheater
Joined
Sep 8, 2018
Messages
39
Hi Cake-san.

Thanks very much.

I think I'm useless... I have not found this instruction yet... I am trying to find it my own way, with your explanations, but nothing...
The_Swords_of_Ditto.exe+19E3DD5: 83 EC 04 - sub esp,04

----------------------------------
Cake-san,

You chose this instruction, but would it necessarily have to be that one? (The_Swords_of_Ditto.exe+19E3DD5: 83 EC 04 - sub esp,04)
You could have picked another one and done the same, couldn't you?

thx very much.
 
Cake-san

Expert Cheater
Table Maker
Joined
Mar 26, 2017
Messages
262
chusski said:
Cake-san,

You chose this instruction, but would it necessarily have to be that one? (The_Swords_of_Ditto.exe+19E3DD5: 83 EC 04 - sub esp,04)
You could have picked another one and done the same, couldn't you?

Thanks very much.
Yep, as long as you get the result that you desire and it doesn't crash the game.

For the information of people who use my table: I have added a few more options to my table, here
 
chusski

Cheater
Joined
Sep 8, 2018
Messages
39
I think I'm moving forward...
Well, let's see if I understand how your script works...

Arrays of bytes:
--------------------------------
aobscanmodule(aob_hp,"The_Swords_of_Ditto.exe", xx xx xx BYTES: ) ---> scan the game module looking for the bytes.
registersymbol(aob_hp) ---> register the name for the array
alloc(newmem,2048) ---> ????
label(returnhere) ---> label to jump to?
label(hp) ---> label to jump to?
registersymbol(hp) ---> create array

newmem: ---> ????
call dword ptr [eax+04] ---> call dword (32 bits) ptr (pointer) [eax+04] (I think address + 4?)
sub esp,04 ---> (-04 from the address in esp)
mov [hp],eax ---> (move the eax address to the hp array)
jmp returnhere ---> jump to the returnhere label?
hp: ---> (label to jump to xx?)
dq 0 ---> ????
aob_hp+B: ---> ???? (what is +B?)
jmp newmem ---> jump to the newmem label
nop ---> (nothing to do)??
returnhere: ---> label to jump to

[DISABLE]
dealloc(newmem) ---> disable label?
aob_hp+B: ---> ????
//call dword ptr [eax+04]
//sub esp,04
db FF 50 04 83 EC 04 ---> ????
unregistersymbol(aob_hp) ---> delete array?
unregistersymbol(hp) ---> delete array??
--------------------------------------------------------------

If I understand it correctly:
Create an instruction (aob_hp), redirect bytes to this instruction.
The aob_hp calls eax+04 and moves it to the new array (hp).
No?

thx for help ^^
 
Garrett Dark

Novice Cheater
Joined
May 8, 2019
Messages
15
@chusski

I'm trying to figure out this backtrace and breakpoint stuff too, because my scripts are so glitchy: they actually have shared instructions when I thought they were not shared. So I figure maybe I can try to backtrace to a point where it's not shared, to improve my scripts.

Anyways, this video might help you understand backtracing: https://www.youtube.com/watch?v=06t_hoWGa5c. While it's in English, which you say is not your language, maybe you can turn on closed captioning on YouTube and get it to translate into your language.

I also think I found a mistake in the backtracing example you posted (see in red) with selecting the breakpoint and setting the condition:
chusski said:
Cake-san said:
I prefer using "Find out what accesses this address" and choosing the one with the highest count when I want to make a script that "gets" the address.

- Pause the game, either using CE's pause hotkey or by going to Advanced Options and clicking the pause image.
- Show disassembler.
- Right click, Break and Trace Instructions (step over instead of single step) -> OK.
- Ctrl+B -> select your breakpoint, then Ctrl+C or right-click -> Set/Change condition.
- Set your condition, e.g. simple: ESI == 0x57AD9680
- OK -> unpause the game.

From here on you have to use your backtrace skill: a bit of assembly knowledge and a bit of programming knowledge.
You can try using this backtracing method on the CE tutorial, Pointer section, to understand it more ;)


- Ctrl+C: (I selected the first one) (it's like an HP address)
ESI==0x4e9d94b0 "simple"
You said you selected the first one to put the condition "ESI==0x4e9d94b0" on. I think you're supposed to select the third one, which is the "Break and Trace", and not the first two, which are "Find Code".

I was testing this out with an instruction which was shared with 6 other addresses, and whenever I set the condition on the first one, "Find Code", and looked at the tracer's first instruction (the original one you're setting the trace on), it always randomly picked one of the other shared addresses and not the one I wanted it to trace. It was only when I picked the third one, "Break and Trace", and put the condition on that, that the tracer showed the one I wanted it to trace.

I hope that makes sense.

EDIT: No, maybe I was mistaken. I can't get it to work anymore after posting this. :(
EDIT2: Yes, I was correct, I got it working again. The variable (ESI, EBX, etc.) has to be uppercase in the conditional to work. I had it lowercase the second time I tried, which is why it didn't work. :D
 
chusski

Cheater
Joined
Sep 8, 2018
Messages
39
Thanks very much, Garrett Dark.

This makes more sense, and thanks for the video. I am looking at it all the time, trying to understand, but the subtitles don't work very well in Spanish...
At the moment I am stuck on learning how the asm language works, and how to find a point where the address is not shared, or where it is shared...
Trying with tutorial step 9, but no luck at the moment...

In this game, when we use Toggle Breakpoint to see what happens step by step on the life instruction, the game freezes. It should not freeze until you get hit by an enemy, right?

Thx you all guys.
 
Garrett Dark

Novice Cheater
Joined
May 8, 2019
Messages
15
@chusski

I think this game is too difficult, at least for me. I've tried backtracing several things to try to find a non-shared address, but I keep encountering problems. It's nowhere near as easy as in that video I linked.

There are either so many calls or jumps that I can't backtrace anymore because the tracer won't start to trace, or the conditionals don't work anymore so I don't know if it's tracing the correct shared code. Or I hit a "pop" and don't know what to do, i.e. if I'm following EAX being address "12345678", I eventually get to a "pop EAX"; after the "pop" it's "12345678" and before the "pop" it's something completely different. So where did the "pop" get the "12345678" from? There's no "push EAX" anywhere near, and all the other variables are not anything similar to what I'm looking for.

I'm going to watch some more tutorial videos, but I think I've done as much as I can with this game. It's the most difficult and frustrating game I've tried with CE. So if this is your first game with CE, you're going to have an easier time with most other games.
 
chusski

Cheater
Joined
Sep 8, 2018
Messages
39
I think if I learn with this one, I can do all the rest, lol.

But yes, I am the same as you, frustrated. But Cake-san found the way for a lot of things with backtrace.
I only need to learn how Cake-san determines the correct address to script.

This is the address where Cake-san injects the AOB: 02413DC7
 
Cake-san

Expert Cheater
Table Maker
Joined
Mar 26, 2017
Messages
262
Here.
My debugger settings; they don't make much difference as long as they don't crash the game and do get the result.

So let's say I have already scanned my HP address and got that address. Then I find out what accesses that address, and I get this.

I want to backtrace "movsd xmm2,[edi]", so I copy the edi value and show the disassembler, then I pause the game process. If you don't pause the game process, the breakpoint will be hit by other things that you might not want. You can also pause the game process using the hotkey that you set in CE settings.

Then I set the Break and Trace on that instruction.

And set the condition using the edi value that I copied.

After I unpause the game process, I get the result. As you can see, my edi value is indeed what I set in the condition.

Then I double-click "esi,eax", below "ret", and I get this.

So I set another Break and Trace on the instruction below the "jmp", above the "esi,eax".

And the result.

Eax contains my HP address after the game runs the instruction "call dword ptr [eax+04]", so if you trace that call you can get the HP base address, but even if you get the base address, you will also see that the offset is being precalculated.

If you want to know if the instruction is shared or not, you can inject the instruction "lea eax,[eax]" (depending on which register contains the variable that you seek; it can be "lea ebx,[ebx]" or anything else), then find out what addresses that "lea eax,[eax]" accesses.

Best regards. :D
 
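An added Python model of the two checks in that walkthrough: the condition on a Break and Trace ("EDI == <copied value>") that picks which hit of a shared instruction starts the trace, and "find out what addresses this instruction accesses" used to decide whether an instruction is shared. It is example code, not from Cheat Engine or the table. The breakpoint hits, their register snapshots and the accessor list are constructed; the address values reuse numbers quoted in this thread purely as sample data.

```python
"""Model of a conditional Break and Trace and the shared-instruction check.

Added example, not Cheat Engine code.  HITS and ACCESSORS are constructed:
each "hit" is one execution of the breakpointed instruction with the
register snapshot CE shows; the values reuse addresses quoted in the thread
purely as sample numbers.
"""
import re
from collections import Counter

HP_ADDR = 0x4E9D94B0   # the HP address scanned earlier in the thread (sample value)

# Constructed: one shared `movsd [esi],xmm1` at 00A7921E executing for several
# objects; only some hits have ESI pointing at the player's HP.
HITS = [
    {"addr": 0x00A7921E, "instr": "movsd [esi],xmm1", "regs": {"ESI": 0x4E9D94B0, "EAX": 0x4E9D9480}},
    {"addr": 0x00A7921E, "instr": "movsd [esi],xmm1", "regs": {"ESI": 0x4E9A0F40, "EAX": 0x4E9A0F10}},
    {"addr": 0x00A7921E, "instr": "movsd [esi],xmm1", "regs": {"ESI": 0x4E9A2760, "EAX": 0x4E9A2730}},
    {"addr": 0x00A7921E, "instr": "movsd [esi],xmm1", "regs": {"ESI": 0x4E9D94B0, "EAX": 0x4E9D9480}},
    {"addr": 0x00A7921E, "instr": "movsd [esi],xmm1", "regs": {"ESI": 0x4E9A0F40, "EAX": 0x4E9A0F10}},
]

# Constructed: what "Find out what accesses this address" lists for HP_ADDR,
# as (instruction address, disassembly, hit count).
ACCESSORS = [
    (0x00A7921E, "movsd [esi],xmm1", 120),
    (0x00A79230, "movsd xmm2,[edi]", 3),
    (0x00A7A1C0, "mov eax,[esi]", 1),
]

_COND = re.compile(r"^\s*([A-Za-z]{2,3})\s*==\s*(0x[0-9A-Fa-f]+|\d+)\s*$")


def parse_condition(text):
    """Parse 'ESI == 0x57AD9680' into ('ESI', 0x57AD9680).

    The thread reports that CE only honours uppercase register names in the
    condition, so this model rejects 'esi' the same way.
    """
    m = _COND.match(text)
    if not m:
        raise ValueError("expected '<REG> == <value>', got %r" % text)
    reg, value = m.group(1), int(m.group(2), 0)
    if not reg.isupper():
        raise ValueError("register name must be uppercase: %s" % reg)
    return reg, value


def matching_hits(hits, condition):
    """Hits on which the breakpoint condition is true (the ones CE traces)."""
    reg, value = parse_condition(condition)
    return [h for h in hits if h["regs"].get(reg) == value]


def trace_start(hits, condition):
    """Index of the first hit that satisfies the condition, or None."""
    reg, value = parse_condition(condition)
    for i, h in enumerate(hits):
        if h["regs"].get(reg) == value:
            return i
    return None


def accessed_addresses(hits, base_reg):
    """Counter of the effective addresses [base_reg] touched across hits,
    i.e. what 'Find out what addresses this instruction accesses' shows."""
    return Counter(h["regs"][base_reg] for h in hits)


def is_shared(hits, base_reg):
    """Shared means the one instruction serves more than one object's field."""
    return len(accessed_addresses(hits, base_reg)) > 1


def most_frequent_accessor(accessors):
    """Cake-san's pick for a 'get the address' script: the highest hit count."""
    return max(accessors, key=lambda a: a[2])[0]


if __name__ == "__main__":
    cond = "ESI == 0x%X" % HP_ADDR
    print("trace starts at hit", trace_start(HITS, cond))
    print("matching hits:", len(matching_hits(HITS, cond)), "of", len(HITS))
    for addr, n in accessed_addresses(HITS, "ESI").items():
        print("  [ESI] = %08X  x%d" % (addr, n))
    print("shared:", is_shared(HITS, "ESI"))
    print("inject at: %08X" % most_frequent_accessor(ACCESSORS))
```

Without the condition the trace starts on whichever object happens to hit the instruction first, which is the "lots of traces" symptom described earlier in the thread; with it, only the hit whose base register holds the copied address is traced. An instruction whose accessed-address list has more than one entry is shared, and a script injected there has to filter on the register itself rather than trust that it always sees the player's object.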
chusski

Cheater
Joined
Sep 8, 2018
Messages
39
Great Cake-san, thanks very much. You are a machine ^^

One question: why did you decide to go below the jmp?
 
Cake-san

Expert Cheater
Table Maker
Joined
Mar 26, 2017
Messages
262
chusski said:
Great Cake-san, thanks very much. You are a machine ^^

One question: why did you decide to go below the jmp?
Lol, machine.

I set the breakpoint just after the jmp because it produces the most results, so you get to see more.
If I set the breakpoint above the jmp, I will not get the result that I want. So I can set the breakpoint anywhere I want, as long as it's below the jmp and above the call that is before "mov esi,eax", to get the result.
 
chusski

Cheater
Joined
Sep 8, 2018
Messages
39
Thanks very much again, Cake-san.
I finally found the HP address.

I want to try this method, with the great explanation, to look for Era level.
I think it's harder because Era levels and others can't be increased by the game like an Exp level...

At version 1.14 I got a 5-level pointer. And with that pointer, changing the offset, you can find Era, word, sword exp and level.
But I can't find that pointer manually any more at version 1.15.
And the same for items in the bag, but 3-level pointers.
 
Garrett Dark

Novice Cheater
Joined
May 8, 2019
Messages
15
I'm going to share a little bit of my frustration with backtracing for this game and hitting a point where I don't know what to do. Hopefully this helps people learn, or somebody can tell me where I'm messing up.

So I want to find a unique, non-shared instruction for the Attack and Resistances that items give (Fire, Ether, Poison Attack/Defense) so I can make an AOB lookup script to point at it.

Okay, so I locate the address of one, Fire Attack. Find out what accesses this address:

So I used the first instruction "movsd xmm0,[ebx]" because it's constantly updating in the Stickers screen in-game.

I know from my other scripts this first one is shared with all the attack and resistance effects, as seen with "What addresses this instruction accesses" in Memory View. (Also, outside the sticker screen it goes nuts with tons of other stuff.)

4E9A0F40 is Fire Attack; the others, I know what they all are. So I begin my backtrace of the first instruction with the conditional "EBX==0x4E9A0F40" so it only filters for when Fire Attack is going through the instructions, as seen on the side with EBX 4E9A0F40:

I find the return to "02C53876 - add esp,0C" and go to it in Memory View:

I see the "Call 02C34F20" above "add esp,0C". I do some backtraces further up, but none of them have EBX=4E9A0F40 or anything close. So I keep going back down towards the call until I'm at "Push [esp+18]" above the call, and it's still no good. So it must be in that call that something eventually changed to EBX=4E9A0F40. So I follow the "Call 02C34F20":

So I end up on "sub esp,08", do a backtrace there, and nothing. It must be further down when EBX=4E9A0F40. I won't go into detail here, but I had to go into each of those jumps ("je" or "jne" and such) to see if anything was happening in there for EBX=4E9A0F40, and come back out when there was nothing. But eventually I found, inside of a call, where EBX=4E9A0F40. So I started to go backwards from the "ret" of the call I was in to see when EBX did not equal 4E9A0F40, so I can see where EBX got it from and hopefully follow back to unique, non-shared code:

I got up to here when things started to change for EBX=4E9A0F40; all the way since the "ret" it was EBX=4E9A0F40 (well, 4E9A2760, which is one of the other attack & resistance addresses). On "02C35305 - mov [esp+10], ebx" it was still EBX=4E9A2760, but then...

...on "02C35302 - add ebx, [esi+04]" EBX changed to 20. On this instruction it's actually still EBX=4E9A0F40, but it shows 20 because the line above it made it 20, then 2 before that, and 0 before that.

So this tells me that around this code is where ebx got the addresses for attack and resistances. It's the "add ebx,[esi+04]" instruction getting it somehow.

In Memory View I do a "what addresses this instruction accesses" and get this (which I changed to show values in hex):

Those values are two of the attack & resistance addresses. However, I should note that one time I did it, it showed one wrong address (not an attack & resistance address) and one right one. Also, when I leave the sticker screen in-game, I get a ton of "wrong" shared addresses using the instruction:

So this is where I hit a dead end and I'm stuck. I don't know how to go any further back to where the attack & resistance addresses come from. The "add ebx,[esi+04]" is somehow getting it, but how do I follow that backwards? I can't use the "add ebx,[esi+04]" instruction because it's too shared. :?

The only other thing I can do is backtrace different instructions from the start, but that's starting over again. :(

EDIT: Backtraced another instruction (this time when attacking with your sword), and ended up the same. Got stuck while chasing EDX, and got to an instruction "add edx,[ecx+eax*8+04]". I can't do anything with that.
 