Address/Value Finding Examples

Rydian
Table Makers


Post by Rydian » Mon Oct 14, 2019 2:45 am

- Foreword
(This is an updated version of a tutorial from the old forums.)

I get a lot of people asking me how I've found certain values/numbers in games. This will be a listing of various situations that have come up, the different approaches games take, and what I've done to find what I need in those situations.

First, though, run the Cheat Engine Tutorial (it gets installed alongside Cheat Engine) and complete steps 1 through 4. It's important that you understand how to search for invisible values and values in other types, and also that you know how to do changed/unchanged/increased/decreased searches!

Tip: If you need to search for something in a game that goes away quickly (like a really short timer), you may need to use Cheat Engine's speed hack settings to freeze the game so you can go back to Cheat Engine and do your scanning stuff. If you check Cheat Engine's settings, you can set hotkeys to different speedhack settings. I recommend settings for 0 (frozen time) and 1 (normal time).



- - - - -
- Invincibility
Most games have what's known as "mercy invincibility". That is, when you get hit you start flashing or go semi-transparent, and during this time period you can't be hit again. What happens in most cases is that when you get hit, a timer is set, and then the timer counts down (or up), and when it's done counting your invincibility stops.


So there's two possible approaches to this.

A - Find the timer via increased/decreased searches. Then you can lock the timer right at the beginning and get hit again so that it never gets to finish its countdown, so you stay invincible as long as the value is locked.

B - Do an unknown initial value and changed/unchanged search to find the "invincible" flag. Generally simple flags like this are 0 or 1, but it could be other values. Once you've found the flag that determines if your character is invincible or not, lock it at the invincible value and enjoy.

Tip: If your player flashes/fades while invincible and continues to do it indefinitely while you have the cheat on, then flashing may be a second variable that you can find and edit/lock too to give a better visual presentation.


- - - - -
- Position/Teleporting
Games are programs and thus built scientifically and follow basic math. This includes the position of characters/players/objects; they're generally kept track of with coordinates on a grid (think back to math class and plotting stuff on the X/Y axis).


In almost all cases, to the left is less X (either a smaller number or negative) and to the right is more X (positive and/or a higher number). However, Y can vary depending on whether the origin of the grid is in the upper-left or the lower-left. Generally, work on finding your left/right coordinate first because that's the easier one, and once you know one coordinate, the other one(s) is/are usually very close to it (if not right next to it) in the game's RAM, which narrows down your search a lot.

For 3D games this is a little tougher to start with because you don't have an obvious plane. Instead try to look at your surroundings to see if there's any obvious left/right/up/down orientation with buildings, polygons of land slopes, or even if you always spawn into a map facing one specific direction. Failing that, if the game has some sort of north/south/east/west indicator, these are usually aligned to the map's grid/coordinates so you can figure out how to move left and right or forward and back and do unknown -> increase/decrease searches to find your coordinates.

Tip: In modern games (that aren't grid-based), positions are most often the float/double format.


- - - - -
- Gravity
Lowering gravity in-game so you can do much higher jumps gives non-techy players a more intuitive (and fun) way to reach places than editing coordinates, but how do you find a concept like gravity when it has no stat display?


A - In many cases it's a value that's applied as long as the player is in the air, but is 0 when the player is on the ground. Doing a mix of unknown/changed searches along with an exact search for 0 on the ground can often find the value for gravity.

B - In other cases the value is static and the game changes logic whether you're on the ground or not. In this case in order to find gravity you'll want to find the player's Y/Z/height coordinate, then find what writes to it and look through the code to try to find any sort of add or sub opcodes that edited it before the write opcode was executed. Then you can try to find where it's pulling the gravity value from.

Tip: Gravity's value could be a positive or a negative depending on how the coordinate system for the game works.


- - - - -
- Infinite (Air/Double) Jumping
Being able to jump infinitely is pretty useful in most games, but how to do it depends on the game.


A - If the game is one where double/air jumping is an in-game feature (like metroidvania games), then once you have the air/double jump ability there's generally an address that keeps track of if you have used your double jump yet (or how many air jumps you have left). You can usually jump into the air normally and then search for 1 (since you still have your air jump ability), then air jump and search for 0 before you hit the ground. Once you've found the address, lock it at 1 (or whatever value is used to denote that you can do it) and enjoy.

B - If the game does not have air jumping as an in-game feature, then my general approach is to find the "is the player standing on the ground" address. This could be 0 or 1, but it could also be more complex things like a check for if "what type of terrain the player is standing on" matches a value for normal ground you can jump off of.

So this is a situation where unknown initial scans and then changed/unchanged searching works best. Stand on some ground you can jump off of and search, then jump into the air and search changed. Then get back on the ground and search changed again, move to some different ground you can still jump off of and search unchanged. Then jump and search changed, etc. Filter it down until you find it.

Tip: Try to avoid searching for "0" as your first search in any scan. It's usually much slower.


- - - - -
- Time of Day
Generally games will reset the "time of day" to 0 either in the morning, or after the in-game midnight. Then they increase the time of day until it resets again. So you can search for increasing values through the afternoon, then wait for midnight/morning to pass and search for a decreased value (since it can be assumed in most cases that the time of day resets then). You may need to try other value types like 8-byte or float/double since tracking time sometimes involves big numbers.

Tip: When searching for time, use the "all" type because there's no real way to guess the format.


- - - - -
- Weapon/Attack Speed
In most games I've messed with, when you swing/attack with a weapon a timer is started. When that timer is done counting, you can attack again. So you can try to apply some of the same info and ideas from invincibility to this, since the basic logic is usually the same.

Some games actually set a target time into the future and then allow you to re-fire when that point in time is reached, so you may want to work off of that logic instead (make the game set the target time to right now or something).

Tip: Attack speed is usually pretty quick, so this is a situation where the speedhack hotkeys help, freezing time in-game so that you can scan multiple times before the attack/swing/reload finishes.


- - - - -
- One Hit Kill
When trying to make one-hit kills, it's tempting to attack monsters, search for the damage numbers that pop up, then try to edit the addresses that contain those. The problem there is that those numbers are generally just placeholders or display numbers that happen after the damage has already logically been dealt. While finding and editing those numbers may work sometimes, in most cases you need to find what's actually applying the damage to the monster/enemy's health value.

First you should find the monster/enemy health value (doing an unknown scan if it's not displayed), then once you have that, find and edit the game code that subtracts from the monster's health. Generally for one-hit kills, the game calculates the damage done, stores the result in a register, and then subtracts that register's value from the monster's HP. So what I generally do is to edit the register involved so that even after calculating the right damage, the game instead subtracts a huge number instead.

Tip: If you're in a situation where the code edits you can make are limited, you can sometimes do a single byte change to change the subtraction register to use EBP. This register holds a memory address which, when converted from hex to decimal, usually equals tons of HP in damage.


- - - - -
- Unique Bonuses
Don't overlook what the game offers you! Many games may give you special/rare bonuses from certain items, or buff up a stat you can't normally increase (like movement speed) under certain situations. These are great targets to find and edit, but how you find them depends on how they work.

A - If they're numerical buffs, like +15% movement speed, then you can search unknown and then increased/decreased as you get and lose the buff. For things that buff an otherwise-static value (like run speed), the game may keep track of this in terms of a floating-point multiplier. It may be 1.0 when you have no buff, and 1.15 if you have a 15% buff. It may also be an addition, like 0.0 with no buff and 0.15 with a buff, or it could be integer, etc. If you have some suspicions based on how the game works in other regards then use that, otherwise you'll have to guess a few times until you find it.

B - If they're some bonus or capability you either have or don't, then you're most likely looking at a value that's 0 or 1 (usually 0 is off and 1 is on). If you can toggle it on and off after you get it you can easily find the value then, but if you only get it once you may need to reload a save a few times or change things around some other way to find the relevant value.


- - - - -
- Admin/Creative Powers
Does the game have a sort of test mode, admin mode, wizard mode, or other such option where your character becomes immortal and can toggle special controls on or off? See if you can find whatever controls these options and turn them on while in normal gameplay. As with many things you're often looking for some sort of byte value (4 or 1 in size) that's 0 when the option is off, but 1 when the option is on.

Tip: Many of the special tools and capabilities will check if you're in admin/test/wizard mode before turning on; if you can find what they're checking for and change that, you can sometimes turn all of the tools on with a single modification.


- - - - -
- Bypass Maximums
Many games will limit the amount of things you can create or put out. Units of a certain type, how many minions you can spawn at once, stuff like that. In most cases the game is simply counting them and there's some comparison to a maximum value.

A - If the maximum value can be changed/increased in-game, you can find and edit the value.

B - If the value is static, find what's reading your minion/spawn/whatever count whenever you make a new one. You'll need to examine the code to see what sort of comparison it's doing (usually shortly before spawning it). It may be comparing to a value in memory and you can find it that way (like cmp eax, [ebx+20]). On the other hand it may be a hardcoded check (like cmp ebx, 8) and you'll need to edit the code in some way to change it.

Tip: You don't always need to edit the number being compared against. Directly after the comparison will usually be some sort of jump logic (jump if equal or larger or whatever) and you can edit the jump logic to make the game always behave a certain way regardless of the comparison result.


- - - - -
- Free Items/Money
When I make codes that let you buy things with no loss or use items without them being depleted, I'm not actually searching for the cost of the items and then setting it to 0. That would take forever since there's so many memory addresses to edit. Instead I'm finding the player's money and then checking what code is writing to it when you buy something. I find the code that subtracts the cost from your money, and then edit that code so that the cost for the items is never actually removed from your money.

Tip: This method is simple, but usually means that you still need to have enough money to buy the item in the first place. If you dig around, you can usually find some sort of comparison that checks if you have enough money to cover the cost of the item in the first place. Try to edit that comparison so that it always tells the game that you can afford it, so that the game will let you buy anything for free no matter your money amount.


- - - - -
- Item Duplication
Many games use the same code for pretty much anything in the inventory, and you can take advantage of that by working with stackable items first. Find the number of items in a stack, then find what code reduces it when you use one from the stack. Edit this to not reduce it, and at the least you'll have a code that makes it so you can use items infinitely. If you're lucky and the game works in the right way, this may also apply to tossing items out (where it will toss it out but still keep a copy in your inventory).

If you want to duplicate non-stackables and the above code doesn't work as a catch-all, you could try to find code that sets the quantity of a stack to 0 directly when tossing it out. You might be able to find a different piece of code that works for tossing instead of using.

Tip: Explore all the ways you can mess with your inventory, because games will often use different pieces of code for different functionality. If one piece of code doesn't work in the most usable way, another one might. Check out splitting stacks, trash cans, trade screens, selling and then rebuying from NPCs, etc.
Game Hacking Tutorial Playlist
Value/Address Finding Examples
Feel free to take things from my tables and expand on them or learn from them.
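The scan-filtering workflow the post relies on throughout (unknown initial value, then changed/unchanged/increased/decreased passes, or an exact-value first scan) is easy to lose track of in prose, so here is an added Python simulation of it. This is example code written for this page, not Rydian's code and not Cheat Engine's implementation. It runs over constructed byte snapshots of a made-up 64-byte memory layout: the offsets, the `game_memory` helper and the scenario function names are all assumptions. It reproduces three of the post's scenarios (the on-ground flag for infinite jumping, the mercy-invincibility countdown timer, and a float X position), and shows why a constantly changing value like a frame counter drops out of the candidate set and why aligned scanning (like Cheat Engine's default fast scan) avoids overlapping reads of the same bytes.

```python
import struct

# Value types to try, mirroring Cheat Engine's byte / 2 bytes / 4 bytes / float / double.
TYPES = {"byte": "<B", "2bytes": "<H", "4bytes": "<I", "float": "<f", "double": "<d"}


def read_values(snapshot: bytes, fmt: str, aligned: bool = True) -> dict:
    """Decode every candidate offset of a snapshot as one value type.
    aligned=True steps by the type's size (like a fast scan), so a 4-byte
    value is not also seen three more times through overlapping offsets."""
    size = struct.calcsize(fmt)
    step = size if aligned else 1
    return {off: struct.unpack_from(fmt, snapshot, off)[0]
            for off in range(0, len(snapshot) - size + 1, step)}


class Scanner:
    """First scan (unknown initial value, or exact value) plus the next-scan filters."""

    def __init__(self, first_snapshot: bytes, vtype: str, exact=None):
        self.fmt = TYPES[vtype]
        self.prev = read_values(first_snapshot, self.fmt)
        if exact is None:
            self.candidates = set(self.prev)           # unknown initial value: keep everything
        else:
            self.candidates = {o for o, v in self.prev.items() if v == exact}

    def _filter(self, snapshot: bytes, keep) -> set:
        cur = read_values(snapshot, self.fmt)
        self.candidates = {o for o in self.candidates if keep(self.prev[o], cur[o])}
        self.prev = cur
        return self.candidates

    def changed(self, snap):   return self._filter(snap, lambda old, new: new != old)
    def unchanged(self, snap): return self._filter(snap, lambda old, new: new == old)
    def increased(self, snap): return self._filter(snap, lambda old, new: new > old)
    def decreased(self, snap): return self._filter(snap, lambda old, new: new < old)


def game_memory(frame: int, grounded: int, mercy_timer: int, x: float) -> bytes:
    """Constructed 64-byte 'process memory' with a hypothetical layout:
    frame counter at 0 (changes every frame: the noise a scan must discard),
    a constant at 8, the on-ground flag at 20, the mercy-invincibility timer
    at 32, and the player's X position as a float at 40. Everything else is 0."""
    mem = bytearray(64)
    struct.pack_into("<I", mem, 0, frame)
    struct.pack_into("<I", mem, 8, 0x1234)
    struct.pack_into("<B", mem, 20, grounded)
    struct.pack_into("<I", mem, 32, mercy_timer)
    struct.pack_into("<f", mem, 40, x)
    return bytes(mem)


def find_ground_flag() -> set:
    """Infinite jumping, approach B: stand, jump (changed), land (changed),
    walk to different ground (unchanged), jump again (changed)."""
    s = Scanner(game_memory(1, 1, 0, 10.0), "byte")
    s.changed(game_memory(2, 0, 0, 10.0))          # in the air
    s.changed(game_memory(3, 1, 0, 10.0))          # landed
    s.unchanged(game_memory(4, 1, 0, 12.5))        # moved, still standing: frame counter drops out
    return s.changed(game_memory(5, 0, 0, 12.5))   # jumped again


def find_mercy_timer() -> set:
    """Invincibility, approach A: take a hit (timer jumps up), then decreased
    searches while it counts down."""
    s = Scanner(game_memory(1, 1, 0, 10.0), "4bytes")
    s.increased(game_memory(2, 1, 60, 10.0))       # hit: timer set to 60
    s.decreased(game_memory(3, 1, 59, 10.0))       # frame counter went up, so it is removed here
    return s.decreased(game_memory(4, 1, 58, 10.0))


def find_x_position() -> set:
    """Position: exact float first scan on the known X, then increased after moving right."""
    s = Scanner(game_memory(1, 1, 0, 10.0), "float", exact=10.0)
    return s.increased(game_memory(2, 1, 0, 12.5))


if __name__ == "__main__":
    print("on-ground flag candidates:", sorted(find_ground_flag()))
    print("mercy timer candidates:   ", sorted(find_mercy_timer()))
    print("X position candidates:    ", sorted(find_x_position()))
```

Each scenario ends with a single surviving offset (20, 32 and 40 respectively). The "unchanged" pass in `find_ground_flag` is what removes the frame counter, which matches the post's advice to alternate changed and unchanged searches rather than only searching for change. Setting `aligned=False` in `read_values` shows the other side of the fast-scan tradeoff: the 4-byte timer search then also keeps the three overlapping offsets just before 32, because they decode the same bytes shifted.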

Chiados
Fearless Donors

Re: Address/Value Finding Examples

Post by Chiados » Sat Dec 07, 2019 1:37 pm

Glad to see these tutorials on FRF. Your old tutorials helped me quite a bit when I first started with CE.
