Use AoB to find base address

#1 TheOrigan (What is cheating?, joined Dec 10, 2017)
Hello everyone. I've been using Cheat Engine for quite a while now, but as I like to keep it simple with cheating, I used to stick with pointer scanning to make my own tables. Recently however, for some games pointer scanning didn't work (no usable pointers, or too many offsets). For example Stronghold 2 or Stronghold Crusader 2.

So I got a little deeper into the tutorial and learned about AoBscans. I followed Rydian's superb tutorial (http://forum.cheatengine.org/viewtopic.php?t=572465) to learn how to make a script that finds the base address every time the game restarts (and then add the base+offset manually, which automatically updates).

Rydian mentions that in order for this to work you need the following condition fulfilled:
> If 'Find out what addresses the instruction accesses' only shows one address as being accessed (which is in this case our health address) then you're good. However if it shows multiple addresses as being accessed, then that's not a decent target for this technique.
This is the case for Stronghold 2, but unfortunately for Stronghold Crusader 2 when you look up the value for gold, only 1 usable opcode exists, and it is a code that accesses both my own gold and the gold of my enemies (nothing else):
Code:
mov [edx+edi*4],eax
Thus, messing around with this code will give everyone the same amount of gold.

Furthermore, when I added the following script:
Code:
[ENABLE]

aobscanmodule(INJECT,StrongholdBase.dll,89 04 8A 5B 74 1A) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

globalalloc(_playerbase,4)
globalalloc(_multiplier,4)

newmem:

code:
  mov [_playerbase],edx
  mov [_multiplier],ecx
  mov [edx+ecx*4],eax
  pop ebx
  je StrongholdBase.StrongholdBase::Estate::GetKeep+2712
  jmp return

INJECT:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 89 04 8A 5B 74 1A

unregistersymbol(INJECT)
dealloc(newmem)
Then I 'Add address manually' with the following instruction: [_playerbase]+[_multiplier]*4

But the address I add constantly changes to reflect the last gold address that was accessed by the opcode. So I would like to ask, if no unique opcode can be found for gold (or at least not by me, I'm a complete assembly noob), how can I alter my script so that _playerbase and _offset only get stored if it's my gold that is being accessed by the opcode. Or is there an easier way to find an opcode that does only access my gold?

Thanks in advance!
 

#2 Blayde (Novice Cheater, joined Aug 25, 2017)
TheOrigan said:
> ...I'm a complete assembly noob....
>
> Thanks in advance!
No good. :?
You must try/learn:
Registry compare.
Backtrack.
TheOrigan said:
> Then I 'Add address manually' with the following instruction: [_playerbase]+[_multiplier]*4
Will not work.
I'm so bad at explaining things.
 

#3 jungletek (Reality Bytes, staff member, Shogun, joined Oct 17, 2017)
Blayde said:
> Registry compare.
Register compare.
 

#4 TheOrigan (What is cheating?, joined Dec 10, 2017)
Blayde said:
> Will not work.
> I'm so bad at explaining things.
Actually, it does work, but because the opcode accesses all gold values, this address keeps moving between the gold addresses of every player when the opcode executes, which is several times per second. All I would like to know is if there is a way to either discern the gold values so I'm left with only mine OR maybe save all of the gold values, so I can just check which one's mine without having to dive into the disassembler every time..

I tried following Geri's tutorial, in which he describes a way to do this with 'Find out what Accesses..' which should point to the displayed value, which is supposed to be only my gold, but the offset is the same: ecx*4

PS: how do you backtrack? I get the feeling this might lead me to a solution for my problem..
 

#5 jungletek (Reality Bytes, staff member, Shogun, joined Oct 17, 2017)
TheOrigan said:
> Blayde said:
> > Will not work.
> > I'm so bad at explaining things.
> Actually, it does work, but because the opcode accesses all gold values, this address keeps moving between the gold addresses of every player when the opcode executes, which is several times per second. All I would like to know is if there is a way to either discern the gold values so I'm left with only mine OR maybe save all of the gold values, so I can just check which one's mine without having to dive into the disassembler every time..
>
> I tried following Geri's tutorial, in which he describes a way to do this with 'Find out what Accesses..' which should point to the displayed value, which is supposed to be only my gold, but the offset is the same: ecx*4
>
> PS: how do you backtrack? I get the feeling this might lead me to a solution for my problem..
https://www.youtube.com/watch?v=yu5Lx5uq32A

http://www.cheatengine.org/forum/viewtopic.php?p=5581413&sid=8813882329e900092811796c282505cd#5581413
 

#6 Blayde (Novice Cheater, joined Aug 25, 2017)
jungletek said:
> Blayde said:
> > Registry compare.
> Register compare.
:oops:
English is not my native language

Break and trace: (look at 22:00 min)
https://www.youtube.com/watch?v=IyXiOHvZ74c&t=1423s

Backtrace Encrypted Values:
https://www.youtube.com/watch?v=po_d2oilgLA&t=3s

Using Different Registries:
https://www.youtube.com/watch?v=afCoTLBq6dI&t=337s

Comparing Multi Level Pointers:
https://www.youtube.com/watch?v=c7RVIQG6qQo&t=401s
 

#7 Blayde (Novice Cheater, joined Aug 25, 2017)
TheOrigan said:
> I tried following Geri's tutorial, in which he describes a way to do this with 'Find out what Accesses..' which should point to the displayed value, which is supposed to be only my gold, but the offset is the same: ecx*4
Is ecx value the same for you and enemies?
 

#8 TheOrigan (What is cheating?, joined Dec 10, 2017)
Blayde said:
> TheOrigan said:
> > I tried following Geri's tutorial, in which he describes a way to do this with 'Find out what Accesses..' which should point to the displayed value, which is supposed to be only my gold, but the offset is the same: ecx*4
> Is ecx value the same for you and enemies?
I'm not sure, but I think so. I once listed the gold values for every player in the game and edx for a certain gold address is bigger than that of the lowest gold address, so I think it's edx that changes. ecx is a small offset I think, as it's always something like 00000010 or 0000000A. But as far as I know, you can't count back with a certain offset?
 

#9 Blayde (Novice Cheater, joined Aug 25, 2017)
TheOrigan said:
> I'm not sure, but I think so. I once listed the gold values for every player in the game and edx for a certain gold address is bigger than that of the lowest gold address, so I think it's edx that changes. ecx is a small offset I think, as it's always something like 00000010 or 0000000A. But as far as I know, you can't count back with a certain offset?
In this situation you must backtrack edx. Where does the value come from?

Something like:
 

#10 TheOrigan (What is cheating?, joined Dec 10, 2017)
Blayde said:
> TheOrigan said:
> > I'm not sure, but I think so. I once listed the gold values for every player in the game and edx for a certain gold address is bigger than that of the lowest gold address, so I think it's edx that changes. ecx is a small offset I think, as it's always something like 00000010 or 0000000A. But as far as I know, you can't count back with a certain offset?
> In this situation you must backtrack edx. Where does the value come from?
>
> Something like:
So if I understand correctly you went back to check where [rdi] comes from, as it's [rdi] that went into rax? Because the first address + the offset does not equal the second address.

Anyway, I'll be sure to check your tutorial links. Maybe it solves my problems for me. I'll report back when I've seen them!
 

#11 Blayde (Novice Cheater, joined Aug 25, 2017)
TheOrigan said:
> So if I understand correctly you went back to check where [rdi] comes from, as it's [rdi] that went into rax? Because the first address + the offset does not equal the second address.
This was only an example "how to".

You need to look for something like:
mov edx,[somevalue]
lea edx,[somevalue]

In worst case
mov edx,[ebp+offset]
mov edx,[esp+offset] (stack sh!t)

Edit:
Check what happens before (mov rdi instruction) using address/opcode right after "ret". (Bad example :D )
 

#12 TheOrigan (What is cheating?, joined Dec 10, 2017)
So I've taken a look at the tutorials and already learned a lot. Unfortunately I still don't really know to what point I should backtrace until I find a 'branch' that is unique to my gold value. For example, placing a return at the start of the first branch disables taxes (can't really know for sure whether it's only my taxes or everyone's). Dissecting the data structure yields nothing of value.

I have noticed that the value for EDX is still my (player, not any of the enemies) base address in 52561F36, but changes in the next operation.


EDIT: I checked this opcode and it writes to a few addresses that always have the same value. One address has value 0, the other has value 1, ... The number of addresses reflects how many players are in the game. So I assume I have found something. How could I use this to my advantage?
 

#13 jungletek (Reality Bytes, staff member, Shogun, joined Oct 17, 2017)
Blayde said:
> :oops: English is not my native language
It's okay, I thought so, but I'm just helping, not criticizing ;)
 

#14 TheOrigan (What is cheating?, joined Dec 10, 2017)
TheOrigan said:
> So I've taken a look at the tutorials and already learned a lot. Unfortunately I still don't really know to what point I should backtrace until I find a 'branch' that is unique to my gold value. For example, placing a return at the start of the first branch disables taxes (can't really know for sure whether it's only my taxes or everyone's). Dissecting the data structure yields nothing of value.
>
> I have noticed that the value for EDX is still my (player, not any of the enemies) base address in 52561F36, but changes in the next operation.
>
> EDIT: I checked this opcode and it writes to a few addresses that always have the same value. One address has value 0, the other has value 1, ... The number of addresses reflects how many players are in the game. So I assume I have found something. How could I use this to my advantage?

Hello everyone. Thought I'd follow through with what I find a working solution. I stumbled upon the opcode above and decided to make a first AoB script that copies the value for EDX only when [esi+4C] = 0 (which is player 1). Then I simply made a second AoB scan that targets my operation that writes to gold and stores the value of ECX. This gives me EDX and ECX and thus allows me to 'add address manually' so I can find gold easily and freeze it in game (it's still encrypted, but I don't mind).

EDIT: well, apparently [esi+4C] isn't player 1 when the value is 0, it's the position you take on the map. 0 is the default starting position. When I place an AI on the default spot, the script finds his gold address, although it's very buggy and constantly moves between 0 and his EDX. When I take the default position it works without a hitch.
 


#15 Blayde (Novice Cheater, joined Aug 25, 2017)
TheOrigan said:
> Hello everyone. Thought I'd follow through with what I find a working solution. I stumbled upon the opcode above and decided to make a first AoB script that copies the value for EDX only when [esi+4C] = 0 (which is player 1). Then I simply made a second AoB scan that targets my operation that writes to gold and stores the value of ECX. This gives me EDX and ECX and thus allows me to 'add address manually' so I can find gold easily and freeze it in game (it's still encrypted, but I don't mind).
>
> EDIT: well, apparently [esi+4C] isn't player 1 when the value is 0, it's the position you take on the map. 0 is the default starting position. When I place an AI on the default spot, the script finds his gold address, although it's very buggy and constantly moves between 0 and his EDX. When I take the default position it works without a hitch.

Here: 89 04 8A 5B 74 1A
Player EBX=0
Enemy EBX=1

Gold value before being encrypted.
But the problem is how to compare Player vs Enemy.
Code:
[ENABLE]
aobscanmodule(p_gold,StrongholdBase.dll,78 77 07 C7 45 FC 00 00 00 00 D9 45 FC 8B E5)
alloc(newmem,$100)

label(code)
label(return)

newmem:
code:
  mov [ebp-04],(float)999999
  fld dword ptr [ebp-04]
  mov esp,ebp
  jmp return

p_gold+0A:
  jmp newmem
return:
registersymbol(p_gold)

[DISABLE]
p_gold+0A:
  db D9 45 FC 8B E5

unregistersymbol(p_gold)
dealloc(newmem)
EDIT: (mov [edx+edi*4],eax)
Btw edx and eax are encrypted
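A register-compare form of the script from post #1, combining post #14's idea of storing EDX only when the owner check passes with Blayde's observation just above that EBX is 0 for the player and 1 for an enemy at this instruction; it is an added example, not code from the thread. It assumes those EBX values and the unchanged jump target from post #1 (both to be re-verified in the debugger), and it saves and restores EFLAGS because the original `je` after `pop ebx` depends on flags computed before the hook.

```asm
[ENABLE]
// AoB from post #1: mov [edx+ecx*4],eax ; pop ebx ; je ...
aobscanmodule(INJECT,StrongholdBase.dll,89 04 8A 5B 74 1A)
alloc(newmem,$1000)

label(code)
label(return)

globalalloc(_playerbase,4)
globalalloc(_multiplier,4)

newmem:
  pushfd                 // the je after pop ebx reads flags set before the hook; keep them intact
  cmp ebx,0              // assumption (post #15): ebx is 0 for the player, 1 for an enemy
  jne code               // enemy write: leave the stored values untouched
  mov [_playerbase],edx  // only the player's own write updates the base and index
  mov [_multiplier],ecx

code:
  popfd                  // restore the flags the original je relies on
  mov [edx+ecx*4],eax    // original instruction
  pop ebx
  je StrongholdBase.StrongholdBase::Estate::GetKeep+2712
  jmp return

INJECT:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]
INJECT:
  db 89 04 8A 5B 74 1A

unregistersymbol(INJECT)
dealloc(newmem)
```

With this in place the manually added address [_playerbase]+[_multiplier]*4 from post #1 only changes when the player's own gold is written, instead of hopping between every player's entry.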
 

#16 TheOrigan (What is cheating?, joined Dec 10, 2017)
I found a somewhat unorthodox solution for my problem, thought I'd share it with everyone here since you've been so kind as to help me. Special thanks to Blayde for not getting tired of my sh*it :D

Script 1 decrypts gold for everyone and sets it to 100. Disable the script again and let your enemies change their gold (which happens all the time) while keeping yours at 100. By activating script 2 everyone with 100 gold (which should be you alone) gets 1.000.000.

Please note that setting gold to 100 with script 1 is NOT the same as simply spending money until you reach 100 as internally this value will be encrypted. That's why it's important to keep your gold the same after deactivating script 1 (the second you change it, the encryption runs and the compare from script 2 won't work anymore)

Currently the hotkeys are ctrl+1 and ctrl+2, so you don't have to get out of the game, but feel free to alter.
Thanks guys, I've been trying on this for 20 hours if I can believe steam, so it feels good to have a solution, even if it's patchwork :)
 


#17 movss (What is cheating?, joined Feb 9, 2018)
I am sure it's shared code.
Maybe you can see the tutorial of step 9:
http://wiki.cheatengine.org/index.php?title=Tutorials:Cheat_Engine_Tutorial_Guide_x64#Step_9

1st solution: register compare.
2nd: compare the [_playerbase].

Good luck to you.