[SOLVED] Pointers to <value>. How to find and add.

Bakfiets

Novice Cheater
Fearless Donors
Jul 3, 2017
#1
Hi there,

for the game I'm trying to learn cheat engine with, I have found the value for armor. However, CE is unable to freeze it, but my own 'script' does the job. I have found that the function is called "handleDamage" and is not triggered by me damaging enemies. I can't for the life of me figure out where it checks for 0 armor and thus should jump to the health part, but that's a whole different story.

Question is, I see a heck of a lot of tables having pointers to such values (P->????????). I can't figure out how to find and add the correct pointer to the address list. In tutorials it just magically happens || worse, the tutor skips at this time to his next trick, thus omitting the interesting part.
Why I want to do this? It is my understanding that it would negate the need for the script; not forgetting knowledge.

The RDI has a structure with the armor in it. RDI+00 is "autocreate pointers".
Am I missing something or is perhaps JIT-compiling the issue? It's a mono/unity game.

My code (iirc, stop mov-ing the calculated new armor value into the address where armor lives):

Code:
aobscan(INJECT,F3 0F 11 AF B0 00 00 00 EB 22) // should be unique
... bla....

code:
  nop
  //movss [rdi+000000B0],xmm5
  jmp return
Full code:
Code:
[ENABLE]

aobscan(INJECT,F3 0F 11 AF B0 00 00 00 EB 22) // should be unique
alloc(newmem,$1000,1AC7752E)

label(code)
label(return)

newmem:

code:
  nop
  //movss [rdi+000000B0],xmm5
  jmp return

INJECT:
  jmp newmem
  nop
  nop
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db F3 0F 11 AF B0 00 00 00

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 1AC7752E

""+1AC774FF: F3 0F 10 45 D4           -  movss xmm0,[rbp-2C]
""+1AC77504: F3 0F 5A C0              -  cvtss2sd xmm0,xmm0
""+1AC77508: F3 0F 10 0D A0 02 00 00  -  movss xmm1,[1AC777B0]
""+1AC77510: F3 0F 5A C9              -  cvtss2sd xmm1,xmm1
""+1AC77514: F2 0F 5C C1              -  subsd xmm0,xmm1
""+1AC77518: F2 0F 5A E8              -  cvtsd2ss xmm5,xmm0
""+1AC7751C: F3 0F 11 6D D4           -  movss [rbp-2C],xmm5
""+1AC77521: F3 0F 10 45 D4           -  movss xmm0,[rbp-2C]
""+1AC77526: F3 0F 5A C0              -  cvtss2sd xmm0,xmm0
""+1AC7752A: F2 0F 5A E8              -  cvtsd2ss xmm5,xmm0
// ---------- INJECTING HERE ----------
""+1AC7752E: F3 0F 11 AF B0 00 00 00  -  movss [rdi+000000B0],xmm5
// ---------- DONE INJECTING  ----------
""+1AC77536: EB 22                    -  jmp 1AC7755A
""+1AC77538: F3 0F 10 45 D8           -  movss xmm0,[rbp-28]
""+1AC7753D: F3 0F 5A C0              -  cvtss2sd xmm0,xmm0
""+1AC77541: F3 0F 10 0D 57 02 00 00  -  movss xmm1,[1AC777A0]
""+1AC77549: F3 0F 5A C9              -  cvtss2sd xmm1,xmm1
""+1AC7754D: F2 0F 58 C1              -  addsd xmm0,xmm1
""+1AC77551: F2 0F 5A E8              -  cvtsd2ss xmm5,xmm0
""+1AC77555: F3 0F 11 6D D8           -  movss [rbp-28],xmm5
""+1AC7755A: F3 0F 10 87 B0 00 00 00  -  movss xmm0,[rdi+000000B0]
""+1AC77562: F3 0F 5A C0              -  cvtss2sd xmm0,xmm0
}
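Added example, not code from the thread: a Python model of what the aobscan line and the INJECT/return jump in the script above do, run against the instruction bytes from the ORIGINAL CODE listing (constructed inside the block). The 8-byte instruction length and the three nops come from the script; newmem is an assumed address.

```python
import struct

# Constructed sample: the instruction bytes from the post's ORIGINAL CODE listing,
# starting at the injection point 1AC7752E (addresses are the post's, not a live process).
BASE = 0x1AC7752E
CODE = bytes.fromhex(
    "F30F11AFB0000000"   # 1AC7752E  movss [rdi+000000B0],xmm5   <- injection point
    "EB22"               # 1AC77536  jmp 1AC7755A
    "F30F1045D8"         # 1AC77538  movss xmm0,[rbp-28]
    "F30F5AC0"           # 1AC7753D  cvtss2sd xmm0,xmm0
)

def parse_aob(pattern):
    """'F3 0F ?? AF' -> list of ints, with None for ?? / * wildcard bytes."""
    return [None if tok in ("??", "*") else int(tok, 16) for tok in pattern.split()]

def aobscan(mem, base, pattern):
    """Every address where the pattern matches; CE's aobscan() requires exactly one hit."""
    pat = parse_aob(pattern)
    return [base + i for i in range(len(mem) - len(pat) + 1)
            if all(p is None or mem[i + k] == p for k, p in enumerate(pat))]

def build_hook(mem, base, inject, newmem, insn_len):
    """Return (patch, original): the bytes CE writes at INJECT (jmp rel32 plus nop padding)
    and the bytes the [DISABLE] section must restore with 'db ...'."""
    if insn_len < 5:                       # jmp rel32 (E9 xx xx xx xx) needs 5 bytes
        raise ValueError("injection point must cover at least 5 bytes")
    off = inject - base
    original = mem[off:off + insn_len]
    rel32 = newmem - (inject + 5)          # displacement is relative to the next instruction
    patch = b"\xE9" + struct.pack("<i", rel32) + b"\x90" * (insn_len - 5)
    return patch, original

def hook_armor_store(newmem=BASE + 0x10000):
    """Reproduce the post's script: scan for its AOB, hook the 8-byte movss, 3 nops of padding.
    newmem is assumed; alloc(newmem,$1000,1AC7752E) asks CE for memory near INJECT so rel32 fits."""
    hits = aobscan(CODE, BASE, "F3 0F 11 AF B0 00 00 00 EB 22")
    if len(hits) != 1:
        raise RuntimeError(f"AOB not unique: {len(hits)} hits")
    inject = hits[0]
    patch, original = build_hook(CODE, BASE, inject, newmem, insn_len=8)
    return inject, patch, original
```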
 

Rudo

Expert Cheater
Table Maker
Apr 6, 2017
#2
If you are sure that the function "handleDamage" is not shared with enemies you can scan for that function and then nop it (use RET).
 

FreeER

RCE Fanatics
Talents
Mar 10, 2017
#3
If you can't freeze the value directly then you won't be able to do it with a pointer either. As for finding them, you can search youtube for "Cheat Engine pointers" (https://www.youtube.com/results?search_query=cheat+engine+pointers) and find several videos (including mine, https://www.youtube.com/watch?v=Ifi3rDI6d58, for manually finding them, on the second page lol).

I've found unity/mono games difficult to create pointers for however and tend to rely on scripts. One nice thing about mono is you should be able to use the name directly instead of an actual AoB, e.g. (a snippet from a personal cheat table I made for The Swindle)

Code:
// make sure mono is enabled so that the symbols are loaded
USEMONO()
//aobscan(INJECT,8B 40 5C 8B D0) // should be unique
define(INJECT,PlayerData:GetDaysRemaining+9)
I've seen a few tables that assert that the expected bytes are at that address as well.

As Rudo mentioned, if the function is only for the player then you can often simply change the prologue push ebp (0x55) to ret (0xC3) or ret n (C2 XX XX, 2 byte little endian) if that's what the function originally used, potentially setting the r/eax return value.
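Added example, not FreeER's or the thread's code: a Python model of what a "P->xxxxxxxx" pointer entry resolves to, showing why a raw address found in one session goes stale once the game relocates the object, while a base + offset path (here the RDI+B0 armor field from the first post) still lands on the live value. STATIC_SLOT and the object addresses are constructed.

```python
import struct

class Memory:
    """Constructed flat memory image (address -> bytes); no real process is touched."""
    def __init__(self):
        self.regions = {}

    def write(self, addr, data):
        for start, buf in self.regions.items():        # patch an existing mapping if it covers the range
            if start <= addr and addr + len(data) <= start + len(buf):
                off = addr - start
                self.regions[start] = buf[:off] + bytes(data) + buf[off + len(data):]
                return
        self.regions[addr] = bytes(data)                # otherwise map a new region

    def read(self, addr, size):
        for start, buf in self.regions.items():
            if start <= addr and addr + size <= start + len(buf):
                return buf[addr - start:addr - start + size]
        raise MemoryError(f"unmapped read at {addr:#x}")

def resolve_pointer(mem, base, offsets):
    """CE-style pointer path: addr = [base]; then addr = [addr + off] for every offset but
    the last; the result is addr + last offset, i.e. the address a 'P->' entry shows."""
    addr = struct.unpack("<Q", mem.read(base, 8))[0]
    for off in offsets[:-1]:
        addr = struct.unpack("<Q", mem.read(addr + off, 8))[0]
    return addr + offsets[-1]

def read_f32(mem, addr):
    return struct.unpack("<f", mem.read(addr, 4))[0]

STATIC_SLOT = 0x140001000   # assumed: static slot holding the player-object pointer (where rdi came from)
ARMOR_OFF = 0xB0            # from the first post: movss [rdi+000000B0],xmm5

def place_player(mem, obj_addr, armor):
    """Constructed game state: a 0x100-byte object whose float at +0xB0 is armor."""
    obj = bytearray(0x100)
    obj[ARMOR_OFF:ARMOR_OFF + 4] = struct.pack("<f", armor)
    mem.write(obj_addr, obj)
    mem.write(STATIC_SLOT, struct.pack("<Q", obj_addr))

def demo():
    """Returns (raw address from the first session, value still read there, value via the path)."""
    mem = Memory()
    place_player(mem, 0x1AC80000, 100.0)
    raw = resolve_pointer(mem, STATIC_SLOT, [ARMOR_OFF])   # the address you would add directly
    place_player(mem, 0x1AC90000, 75.0)                   # object relocated (new level, GC move)
    return raw, read_f32(mem, raw), read_f32(mem, resolve_pointer(mem, STATIC_SLOT, [ARMOR_OFF]))
```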
 

Bakfiets

Novice Cheater
Fearless Donors
Jul 3, 2017
#4
Hey guys,

thanks for the replies! I found out how to use the pointer scan/map to isolate the pointer, and it indeed is able to freeze the value (the correct one this time ;))

Post was longer, but fixed the issue ;)

<SPOILER spoiler="old content">
However, trying to use MONO in my script, the game keeps crashing on MONO (something with a monopipe).
Cheat Engine 6.7, not debugging or anything.

Triggers seconds later, after taking damage for the first time.

Code:
USEMONO()
define(preventDamageDef,HealthHandler:sendDamage+64)


[ENABLE]
label(preventDamage)
registersymbol(preventDamage)

preventDamageDef:
preventDamage:
  db 85 C0 0F 84 5C 00 00 00

[DISABLE]
preventDamage:
  db 85 C0 0F 84 5C 00 00 00
<SPOILER spoiler="error">
Error:...gram Files (x86)\Cheat Engine 6.7\autorun\monoscript.lua:440: attempt to index a nil value (global 'monopipe')
</SPOILER>
</SPOILER>
 