Infectonator 3 [Tutorial How to use/open .PTR file]

hysspy

ThumbsUp Hunter
Table Maker
Aug 24, 2017
145
62
28
#1
In this tutorial there are some things to know first:
1. There are 5 pictures. The tutorial follows them from cepOI1 to cepOI5 ;)
2. On the pictures there are numbered instructions; follow them from number 1 to 3.
3. L-Click = Left Click, R-Click = Right Click and Double Click = Double L-Click :D

==================
Picture No.1 [cepOI1]
==================

1. Open cheat engine table file [Infectonator 3]
2. Right Click on VALUE [Pointer DNA]
3. Left Click on Pointer scan for this address


==================
Picture No.2 [cepOI2]
==================

1. Left Click Cancel
2. Left Click File


==================
Picture No.3 [cepOI3]
==================

1. Left Click OPEN
2. No, that's it, only one thing to do here. Go to picture no. 4 :D and don't ask about the wallpaper :D


==================
Picture No.4 [cepOI4]
==================


1. Left Click .PTR file
2. Left Click OPEN


==================
Picture No.5 [cepOI5]
==================

1. Game Process [infectonator3.exe] attached
2. DNA value shown in the game: 1000000188 :D
3. In the pointer list there's a match with the DNA value in the game. Double-click to add that pointer to the table [1 pointer only] and don't forget to save the table :D
4. End Of Tutorial ;)


NOTE: Pictures are included in the attachment; downloading them is recommended ;)
 

May 12, 2018
5
0
1
#2
I did that but am stuck on the 5 one. I don't have any point to, and I already tried and spent money; it didn't work
Post automatically merged:

OK, I got the money to work but I'm not sure how to get DNA working
 

SunBeam

Trouble-Maker
Talents
Feb 4, 2018
564
299
63
#3
I have a feeling the pointers he found via Pointer Scan don't work all the time. But it could just be me.
 

hysspy

#4
> I did that but am stuck on the 5 one. I don't have any point to, and I already tried and spent money; it didn't work
> Post automatically merged:
>
> OK, I got the money to work but I'm not sure how to get DNA working

OK, at step 4 [Opening .PTR file], you then attach the game process [infectonator3.exe]; after that the pointer value list will change from - to the DNA value you have in the game. Remember: attach the game process.

> I have a feeling the pointers he found via Pointer Scan don't work all the time. But it could just be me.

Sir @SunBeam, the pointers are still good, working and kicking :D
I hope the screenshot below will be able to cure your feelings, sir :D ;)

 
May 12, 2018
5
0
1
#5
Hey, I still can't get it to work, only the money thing. I select Infectonator but only a few things change; most of it is still blank
 

hysspy

#6
> Hey, I still can't get it to work, only the money thing. I select Infectonator but only a few things change; most of it is still blank

Wait sir, is this the first time you've used Cheat Engine? And you said you forgot to install Cheat Engine before o_O
 
May 12, 2018
5
0
1
#7
Well, it's not the first time. I did use it before, but I deleted it because it was confusing, like 7 to 9 times
 
Feb 10, 2018
5
0
1
#10
The DNA pointer doesn't work for me. I can get the pointer file to open, add from the pointer file, and select them, but I can't get them to work
Post automatically merged:

CAN SOMEONE PLEASE HELP ME FIGURE THIS OUT!
 

SunBeam

#11
Ask @hysspy. He's very convinced the pointers work.. for HIM :) Guess he didn't properly read what I said - the PTR content will NOT work for everyone. Simply cuz you've not tested out those pointers; you just had Pointer Scan find a list and shared it, without filtering and making sure they're stable.
 

fantomas

Expert Cheater
Table Maker
Mar 25, 2017
265
16
18
#12
@hysspy

Hi :)

Great tutorial! ;) Like it says, one picture is worth a thousand words, right???? :)

I would just make a little notice... you're talking about how to use/open a .PTR file but you do not explain what that file is and how you got/made it, so that might be somewhat confusing.

Also, I do not know how this game works but in your place, I would avoid making pointers based upon a .dll (very unstable and might cause game crashing) but rather upon the game.exe file.

👊😉
 

SunBeam

#13
Just checked the game information. It's built with Unity, so pointers like that will not work, considering code is JIT-ed (compiled when needed). Sure, you might find a pointer that works. For you. At a given moment in time. But in the long run, it won't for everyone. If you still wanna do it, I suggest finding a symbolic variable, a base pointer you can reference with CE's Mono. Then build paths with it. Considering CE will resolve its address every time, you got yourself a "static" base pointer.

As for using exe over dll, it's Unity. The main game code is allocated in RAM. You can't use the exe to find a pointer.

I might take a look on my return from Athens. @hysspy: PM me the game link so we look at the same version when doing this.

BR,
Sun
 

hysspy

#14
> The DNA pointer doesn't work for me. I can get the pointer file to open, add from the pointer file, and select them, but I can't get them to work
> Post automatically merged:
>
> CAN SOMEONE PLEASE HELP ME FIGURE THIS OUT!

Sir @Resurgence, let's wait for sir @SunBeam, yeah :D

> Ask @hysspy. He's very convinced the pointers work.. for HIM :) Guess he didn't properly read what I said - the PTR content will NOT work for everyone. Simply cuz you've not tested out those pointers; you just had Pointer Scan find a list and shared it, without filtering and making sure they're stable.

It looks like your feelings were right, sir ;)
I don't know what to say about these feelings :D

> @hysspy
>
> Hi :)
>
> Great tutorial! ;) Like it says, one picture is worth a thousand words, right???? :)
>
> I would just make a little notice... you're talking about how to use/open a .PTR file but you do not explain what that file is and how you got/made it, so that might be somewhat confusing.
>
> Also, I do not know how this game works but in your place, I would avoid making pointers based upon a .dll (very unstable and might cause game crashing) but rather upon the game.exe file.
>
> 👊😉

Thanks sir @fantomas for the kind words ;)
And yes sir, those .dll pointers look like bad news, and sir @SunBeam's feelings were right all along :D

> Just checked the game information. It's built with Unity, so pointers like that will not work, considering code is JIT-ed (compiled when needed). Sure, you might find a pointer that works. For you. At a given moment in time. But in the long run, it won't for everyone. If you still wanna do it, I suggest finding a symbolic variable, a base pointer you can reference with CE's Mono. Then build paths with it. Considering CE will resolve its address every time, you got yourself a "static" base pointer.
>
> As for using exe over dll, it's Unity. The main game code is allocated in RAM. You can't use the exe to find a pointer.
>
> I might take a look on my return from Athens. @hysspy: PM me the game link so we look at the same version when doing this.
>
> BR,
> Sun

Alright sir, I've sent a PM and link ;)
 

SunBeam

#17
Alright. Got the game, installed, played a bit, then started investigating (note I'll be using Telerik's JustDecompiler and Cheat Engine). Fired up CE and found my gold amount while at this screen:



Now, debugging the Gold Coins amount shows this in the debug pane (all this happened while purchasing something):



Combined with Mono, I can see which functions each of those lines belongs to:
  • TG_InfoPanelController:UpdateInfo (0x518 offset)
  • TG_StatsUpgradePanel:InfoBuyButtonDownFunction (0x9C offset)
  • TG_LabUIManager:BuySomething (0x1B,0x24 offsets)
  • TG_LabUIManager:UpdateMoneyText (0xA8 offset)
  • etc.
You get the idea.

The location where a write happens is TG_LabUIManager:BuySomething function. So.. Ctrl+G > TG_LabUIManager:BuySomething [Enter]. F5 to set a breakpoint at the function's prologue.

Notes:
  • when you enable a breakpoint, Mono will get disabled - aka you won't see symbols anymore - if that happens: main CE GUI > Mono > Activate mono features
  • use hardware breakpoints
  • set game in windowed mode
And we see this:



The yellow highlighted area is what gets executed on write when we buy something (4th line in the previous screenshot, if you remember?). Try to buy something and trace the code as CE breaks:




So now:
  • my purchase costs 1400 Gold
  • RDX is a function parameter, its value being 0x578 (1400 in decimal)
  • I stopped tracing at a base pointer (mov rax,[15088608])
  • the game code then uses this pointer + an offset (0xC4) to get to Gold Amount (mov [rax+000000C4],ecx)
So having said that, there's really no reason to use Pointer Scan to find a stable pointer for gold (same logic can be applied to.. uhh.. DNA?). Now let's find out more about this pointer, as CE doesn't say much. On my end, it's 15088608 (on yours it will be different). We want to find a symbol that would take me, you, anyone to its valid reference on each one's PCs ;)

Resume game (if you've set a breakpoint and game got frozen) and let's fire up Mono > Dissect mono:



Remember our function? TG_LabUIManager:BuySomething. Find it in Assembly-CSharp tree. Here it is for me:



If you now check the 2nd bullet above, where I said RDX is a function parameter.. and then check the blue-yellow highlighted line where it says Buy Something (cost int.).. well.. that's our parameter :) Still no information on that pointer. But we at least learned of the function's parameter.

Time to run this through JustDecompiler. Open tool up and drag'n'drop Assembly-CSharp.dll onto it (it's in Infectonator3_Data\Managed subfolder). And find this exact function in the <Default namespace> references:



And I found it here:



If you now check the function I mentioned, you will see that:

C#:
public void BuySomething(int cost)
{
    TG_Static.gameData.UseMoney(cost);
    this.UpdateMoneyText(cost, false);
    if (TG_Static.tutorialState == TG_Static.TutorialState.NONE)
    {
        TG_Static.gameData.AddGameStatisticProgress(TG_GameStatisticData.ConvertToKey(TG_GameStatisticType.SPEND_COIN, string.Empty), (float)cost);
        this.CheckMissionProgress(true);
    }
}

TG_Static.gameData.UseMoney(cost);

So our pointer will most likely be of TG_GameData type and can be further reviewed in TG_Static namespace. Let's go there with CE:



What you probably didn't know is you can have CE resolve this for you. Right-click on the selected line and do this:



A new script will be added automatically to your table. Just enable it. Normally, CE should pick-up the pointer for you and resolve it; however, since it's acting like a fag, this is what you'll see:



Furthermore, if you disable and re-enable the script, the game will crash. So what's next you'll ask? We have several options to tackle this:
  • find out where this pointer is actively used; to do that, you'll need to debug it on access
  • use the function I referenced with offset to read-up the pointer from the ASM
Let's do the second one:

1) Back to our function, Ctrl+G > TG_LabUIManager:BuySomething. Double-click on TG_LabUIManager:BuySomething+10 line. On my end I see this (you will see different):

Code:
TG_LabUIManager:BuySomething+10 - 48 8B 04 25 B8D67803  - mov rax,[0378D6B8] { [36A97D68] }

2) If you look at the bytes, starting from the 4th, you will see our pointer backwards: xx xx xx xx B8 D6 78 03 (to be read as 0378D6D8).

3) Normally, if CE wouldn't be gay this time around as well, you would be able to do this:



And pointer would be valid. We will have to make use of some Lua to be able to properly read the pointer and use it ourselves ;) I'll explain in the below:
  • Memory Viewer > Ctrl+L
  • Lua window opens
Reproduce this:



What this does is to fetch the function address from the symbols list, apply 0x10 offset, then offset by 0x4, read the pointer from that offset, then offset by 0xC4 and read Gold amount as hexa or decimal.

BR,
Sun
 

SunBeam

#18
Try out this table. I've added a function that would scan the TG_LabUIManager:BuySomething function for the location of this line:



Reason for this is people often play various versions of the game, where the JIT-ed code is either compiled differently or that line is at a different offset. The scan function will find that line for you :)

The script will then do the regular and register a symbol to that pointer. You can now use pGameData + 0xC4 to get to Gold Coins :p



^ Already in the table.

BR,
Sun
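
Added example, not part of SunBeam's posts or table: a Python sketch of the two steps described in posts #17 and #18, decoding the absolute address embedded in `mov rax,[0378D6B8]` and scanning the function body for that instruction instead of trusting the fixed +0x10 offset. The filler bytes, the shifted build, the toy memory map and the gold value 5000 are constructed; the instruction bytes, 0x36A97D68 and 0xC4 are taken from post #17.

```python
import struct

# `mov rax,[disp32]` in 64-bit code: REX.W 48, opcode 8B, ModRM 04, SIB 25,
# then a little-endian disp32 that the CPU sign-extends to 64 bits.
MOV_RAX_ABS = bytes.fromhex("488B0425")
GOLD_OFFSET = 0xC4  # offset of the gold field, from the post

def decode_slot(code, at):
    """Address loaded by the `mov rax,[disp32]` at `at`, or None if absent."""
    if code[at:at + 4] != MOV_RAX_ABS or at + 8 > len(code):
        return None
    (disp,) = struct.unpack_from("<i", code, at + 4)
    return disp & 0xFFFFFFFFFFFFFFFF

def scan_slot(code):
    """Find the instruction anywhere in the body; returns (offset, address)."""
    at = code.find(MOV_RAX_ABS)
    while at >= 0:
        slot = decode_slot(code, at)
        if slot is not None:
            return at, slot
        at = code.find(MOV_RAX_ABS, at + 1)
    return None

def read(mem, addr, fmt):
    """Read one value from a toy address space given as {base: bytes}."""
    size = struct.calcsize(fmt)
    for base, blob in mem.items():
        if base <= addr and addr + size <= base + len(blob):
            return struct.unpack_from(fmt, blob, addr - base)[0]
    raise KeyError(hex(addr))

def gold(code, mem):
    """Follow code -> static slot -> game-data object -> gold field."""
    hit = scan_slot(code)
    if hit is None:
        return None
    game_data = read(mem, hit[1], "<Q")
    return read(mem, game_data + GOLD_OFFSET, "<i")

# Constructed sample data. LOAD's bytes, 0x36A97D68 and 0xC4 are from the post;
# STORE is an assembled form of the post's `mov [rax+000000C4],ecx`.
PROLOGUE = bytes.fromhex("55488BEC4883EC30") + b"\x90" * 8  # 16 filler bytes
LOAD = bytes.fromhex("488B0425B8D67803")   # mov rax,[0378D6B8]
STORE = bytes.fromhex("8988C4000000")      # mov [rax+000000C4],ecx
BUILD_A = PROLOGUE + LOAD + STORE                # instruction at +0x10
BUILD_B = PROLOGUE + b"\x90" * 4 + LOAD + STORE  # same code, shifted by 4 bytes
MEM = {0x0378D6B8: struct.pack("<Q", 0x36A97D68),
       0x36A97D68: bytes(GOLD_OFFSET) + struct.pack("<i", 5000)}

if __name__ == "__main__":
    print(hex(decode_slot(BUILD_A, 0x10)), scan_slot(BUILD_B), gold(BUILD_B, MEM))
```

A raw byte-pattern search can also match bytes that sit inside a different instruction, so a disassembler-driven walk of the function is the more robust way to locate the load.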
 

SunBeam

#19
Correction: CE isn't gay. It's just resolving static fields with the available option doesn't take into account if a game is x86 or x64. It will always add to list the x86 script. See this issue.

Here's the x64 variant which would resolve that pointer:

Code:
[ENABLE]

alloc( TG_Static.gameData.threadstart, 0x1000 )
createthread( TG_Static.gameData.threadstart )
registersymbol( TG_Static.gameData.threadstart )
label( classname )
label( namespace )
label( assemblyname )
label( fieldname )
label( status )
label( domain )
label( assembly )
label( field )
label( TG_Static.gameData )
registersymbol( TG_Static.gameData )
label( TG_Static.gameData.threadexit )

TG_Static.gameData.threadstart:
sub rsp,28
mov [TG_Static.gameData],0
call mono.mono_get_root_domain
test rax,rax
je TG_Static.gameData.threadexit
  mov [domain],rax
  mov rcx,rax
  call mono.mono_thread_attach
  mov rdx,status
  mov rcx,assemblyname
  call mono.mono_assembly_load_with_partial_name
  test rax,rax
  je TG_Static.gameData.threadexit
    mov rcx,rax
    call mono.mono_assembly_get_image
    test rax,rax
    je TG_Static.gameData.threadexit
      mov [assembly], rax
      mov r8,classname
      mov rdx,namespace
      mov rcx,rax
      call mono.mono_class_from_name_case
      test rax,rax
      je TG_Static.gameData.threadexit
        mov rdx,fieldname
        mov rcx,rax // class pointer returned in rax is the first argument
        call mono.mono_class_get_field_from_name
        test rax,rax
        je TG_Static.gameData.threadexit
          mov [field],rax
          mov rcx,rax
          call mono.mono_field_get_parent
          test rax,rax
          je TG_Static.gameData.threadexit
            mov rdx,rax
            mov rcx,[domain]
            call mono.mono_class_vtable
            test rax,rax
            je TG_Static.gameData.threadexit
              mov rcx,rax
              call mono.mono_vtable_get_static_field_data
              test rax,rax
              je TG_Static.gameData.threadexit
                mov rbx,rax
                mov rcx,[field]
                call mono.mono_field_get_offset
                add rbx,rax
                mov [TG_Static.gameData],rbx
TG_Static.gameData.threadexit:
add rsp,28
ret

//////////////////
// Data section //
//////////////////

TG_Static.gameData:
dq 0
assemblyname:
db 'Assembly-CSharp',0
namespace:
db '',0
classname:
db 'TG_Static',0
fieldname:
db 'gameData',0
status:
dq 0
domain:
dq 0
assembly:
dq 0
field:
dq 0

[DISABLE]

unregistersymbol( TG_Static.gameData )
dealloc( TG_Static.gameData.threadstart )
unregistersymbol( TG_Static.gameData.threadstart )



So now you can do this:



There you have it, 2 methods to deal with this :p

In the future, when you want to resolve x64 Mono static fields, just do:



Then copy-paste my script and fix the strings accordingly (as per the ones you want resolved); these:

Code:
assemblyname:
db 'Assembly-CSharp',0
namespace:
db '',0
classname:
db 'TG_Static',0
fieldname:
db 'gameData',0

BR,
Sun
 
