Dealing with no working addresses.

ballhammer
Noobzor
Posts: 9
Joined: Sat Apr 29, 2017 2:49 am
Reputation: 0

Dealing with no working addresses.

Post by ballhammer »

So I'm trying to cheat money in a game, but the addresses I get don't work, even though the address list does not change when I keep scanning, and editing any of the results does not change my money when it gets updated in game. I was going to find the pointer for money, but I can't if I can't even find a working "standard" address.

Damage values work, just not anything related to money/resources.

Sorry if you don't get what I'm trying to say, but I'm terrible at writing/typing.
Last edited by ballhammer on Thu Jan 01, 1970 12:00 am, edited 1 time in total.

happyTugs
Table Makers
Posts: 64
Joined: Mon Apr 20, 2020 1:01 am
Reputation: 14

Dealing with no working addresses.

Post by happyTugs »

I am assuming you have completed the CE tutorial, right? If you haven't, then I would start there.
As it still eludes me, what exactly is your issue?
ballhammer wrote: the addresses I get don't work even though the address list does not change when I keep scanning
Were you able to find the actual address (not the visual) that controlled money?
If you did, you could make an injection copy or, alternatively, get a pointer to the address.

Or, perhaps money is of a different type besides 4-bytes?

I can't really make any feasible conclusions since your message is slightly unclear.
Last edited by happyTugs on Mon Jun 29, 2020 3:07 am, edited 2 times in total.

TheyCallMeTim13
Administration
Posts: 1480
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 736

Dealing with no working addresses.

Post by TheyCallMeTim13 »

[QUOTE="ballhammer, post: 138549, member: 3697"]
So I'm trying to cheat money in a game, but the addresses I get don't work, even though the address list does not change when I keep scanning, and editing any of the results does not change my money when it gets updated in game. I was going to find the pointer for money, but I can't if I can't even find a working "standard" address.

Damage values work, just not anything related to money/resources.

Sorry if you don't get what I'm trying to say, but I'm terrible at writing/typing.
[/QUOTE]

This could be because the value is stored as a different type than you think, or the value could be encrypted, or the value is stored on a server and not in your memory; thus you have only found the display value. Block the game in your firewall to see if it's server side; if not, then you'll have to try different value types and different scan methods till you find a value you can freeze and that has an effect in game.

ballhammer
Noobzor
Posts: 9
Joined: Sat Apr 29, 2017 2:49 am
Reputation: 0

Dealing with no working addresses.

Post by ballhammer »

[QUOTE="happyTugs, post: 138553, member: 39952"]
I am assuming you have completed the CE tutorial, right? If you haven't, then I would start there.

As it still eludes me, what exactly is your issue?

Were you able to find the actual address (not the visual) that controlled money?
If you did, you could make an injection copy or, alternatively, get a pointer to the address.
Or, perhaps money is of a different type besides 4-bytes?

I can't really make any feasible conclusions since your message is slightly unclear.
If you are smart enough to realize your own flaws, then you should take steps to remediate them.
[/QUOTE]

The scanning finds the address, but changing it doesn't do anything. I had it set to "all" before changing it to 4 bytes, since all the other values I was editing were 4 bytes. I was also assuming that if I can't get the standard address to work, then the pointer wouldn't work either.

note: I have all set to include 1,2,4,8, float, and double. [S]I have not completed the tutorial but I will do that right now.[/S] Completed


[QUOTE="TheyCallMeTim13, post: 138557, member: 91"]
This could be because the value is stored as a different type than you think, or the value could be encrypted, or the value is stored on a server and not in your memory; thus you have only found the display value. Block the game in your firewall to see if it's server side; if not, then you'll have to try different value types and different scan methods till you find a value you can freeze and that has an effect in game.
[/QUOTE]

I tested it, and the game works without internet.

A video is worth a thousand words. Hopefully this will be better than my cluster**** of a comment.

[MEDIA=googledrive]1g55jK7elFibrVjCYeCPRmrQEzlg3FZhl[/MEDIA]
Last edited by ballhammer on Sun Jun 07, 2020 7:55 pm, edited 8 times in total.

happyTugs
Table Makers
Posts: 64
Joined: Mon Apr 20, 2020 1:01 am
Reputation: 14

Dealing with no working addresses.

Post by happyTugs »

ballhammer wrote: The scanning finds the address but changing doesn't do anything
A few things I can think of.

The address you have found might be the visual address.
Or, the actual value might be entirely different (encrypted maybe? idk).

One (slightly tedious) way to remediate that is to not search for an exact value, but to search for an unknown initial value and filter your results with 'Changed value'.

Alternatively, you could work your way up by finding out what instruction accesses the address and trace how the visual address got its value.

A few links you could take a look at.
Backtracing Shared Instructions from Visual Addresses! - 18:45 (Stephen Chapman)
Techniques and Tips to Find and Backtrace Encrypted Values - 37:08 (Chris Fayte)
How to Find Encrypted or Obfuscated Variables in Cheat Engine Guide - Forum Post (Rake)
and of course,
Tim The Enchanter
Spoiler: i just realized that TheyCallMeTim13 :: Enchanter is a fucking monty python reference... :o
Last edited by happyTugs on Mon Jun 29, 2020 3:13 am, edited 4 times in total.

ballhammer
Noobzor
Posts: 9
Joined: Sat Apr 29, 2017 2:49 am
Reputation: 0

Dealing with no working addresses.

Post by ballhammer »

[QUOTE="happyTugs, post: 138674, member: 39952"]
A few things I can think of.

The address you have found [I]might[/I] be the visual address.
Or, the actual value [I]might[/I] be entirely different (encrypted maybe? idk).

One (slightly tedious) way to remediate that is to not search for an exact value, but to search for an unknown initial value and filter your results with 'Changed value'.

Alternatively, you could work your way up by finding out what instruction accesses the address and trace how the visual address got its value.

A few links you could take a look at.
[URL='https://www.youtube.com/watch?v=06t_hoWGa5c']Backtracing Shared Instructions from Visual Addresses! - 18:45 (Stephen Chapman)[/URL]
[URL='https://www.youtube.com/watch?time_continue=5&v=po_d2oilgLA&feature=emb_logo']Techniques and Tips to Find and Backtrace Encrypted Values - 37:08 (Chris Fayte)[/URL]
[URL='https://guidedhacking.com/threads/how-to-find-encrypted-or-obfuscated-variables-in-cheat-engine-guide.11445/']How to Find Encrypted or Obfuscated Variables in Cheat Engine Guide - Forum Post (Rake)[/URL]
and of course,
[URL='https://www.youtube.com/channel/UC0gZIPnqoBGcXw9DTrfnxjQ']Tim The Enchanter[/URL]

[ISPOILER]omg, i just realized that [USER=91]TheyCallMeTim13[/USER] [B]:: Enchanter[/B] is a fucking monty python reference...:eek:[/ISPOILER]
[/QUOTE]

I'll try that.



Note: relating to one of the video links.

The debugger does not work with this game. It just times out.
Last edited by ballhammer on Sun Jun 07, 2020 8:58 pm, edited 1 time in total.

happyTugs
Table Makers
Posts: 64
Joined: Mon Apr 20, 2020 1:01 am
Reputation: 14

Dealing with no working addresses.

Post by happyTugs »

since you actually seem to take advice, i took a quick look at the game.
your values are being encrypted by a simple xor.

Code:
ACE.exe+1517D0 - 55                    - push ebp
ACE.exe+1517D1 - 8B EC                 - mov ebp,esp
ACE.exe+1517D3 - 8B 41 24              - mov eax,[ecx+24] -- [ecx+24] holds the actual coins
ACE.exe+1517D6 - BA 0F270000           - mov edx,0000270F { 9999 } -- max coins
ACE.exe+1517DB - 35 D3EA0700           - xor eax,0007EAD3 { 518867 } -- encryption takes place here
ACE.exe+1517E0 - 03 45 08              - add eax,[ebp+08]
ACE.exe+1517E3 - 3B C2                 - cmp eax,edx
ACE.exe+1517E5 - 0F4F C2               - cmovg eax,edx -- if you exceeded 9999 coins, retain value of 9999 coins (potentially unlimited coins?)
ACE.exe+1517E8 - 33 D2                 - xor edx,edx
ACE.exe+1517EA - 85 C0                 - test eax,eax
ACE.exe+1517EC - 0F49 D0               - cmovns edx,eax
ACE.exe+1517EF - 8B C2                 - mov eax,edx
ACE.exe+1517F1 - 35 D3EA0700           - xor eax,0007EAD3 { 518867 }
ACE.exe+1517F6 - 80 79 3C 00           - cmp byte ptr [ecx+3C],00 { 0 }
ACE.exe+1517FA - 89 41 24              - mov [ecx+24],eax
ACE.exe+1517FD - 75 12                 - jne ACE.exe+151811
ACE.exe+1517FF - 52                    - push edx
ACE.exe+151800 - 68 60BCDE00           - push ACE.exe+20BC60 { ("BattleMaterial") }
ACE.exe+151805 - E8 1679FBFF           - call ACE.exe+109120
ACE.exe+15180A - 8B C8                 - mov ecx,eax
ACE.exe+15180C - E8 4F87FBFF           - call ACE.exe+109F60
ACE.exe+151811 - 5D                    - pop ebp
ACE.exe+151812 - C2 0400               - ret 0004 { 4 }
wondering how i found that?

you first need to learn about calling conventions and how parameters are moved into certain registers/pushed onto the stack before a call.

here's some links.
x86 calling conventions
x64 Architecture

afterwards, apply a break and trace (or a break-point) on the instruction that wrote to the visual address (specifically look at the stack trace), look at what parameters were used in the function call, and trace backwards.

edit. what debugger are you using? try using windows debugger if veh debugger isn't working or vice versa. they are located in the 'Settings' in the 'Debugger Options' underneath the 'Debugger Method'. oh, and make sure you give CE some time for the debugger to attach. don't just close out immediately.
Last edited by happyTugs on Mon Jun 29, 2020 3:14 am, edited 14 times in total.
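A C model of the routine in the listing above, added here as an example (it is not the game's code and not something posted in the thread), together with the two scan styles the thread contrasts: an exact scan for the number the HUD shows, and the "unknown initial value" scan followed by a "Changed value" filter that happyTugs suggested a few posts earlier. The XOR key 0x0007EAD3 and the 9999 cap come from the listing; the eight-cell toy "memory", the cell positions and the filler values are constructed for the demo and are assumptions, not offsets from the game.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants taken from the disassembly listing in the post above. */
#define COIN_XOR_KEY 0x0007EAD3u   /* xor eax,0007EAD3 */
#define COIN_MAX     9999          /* mov edx,0000270F */

/* Undo the XOR: turns the stored field into the count the HUD shows. */
uint32_t coins_decode(uint32_t stored) { return stored ^ COIN_XOR_KEY; }

/* Model of the routine at ACE.exe+1517D0 (this in ecx, one stack argument):
 * read the obfuscated field, add the delta, clamp to [0, 9999], write it
 * back obfuscated. Returns the clamped plaintext, which is what the routine
 * hands to the "BattleMaterial" notification afterwards. */
int32_t add_coins(uint32_t *stored_coins, int32_t delta) {
    int32_t coins = (int32_t)(*stored_coins ^ COIN_XOR_KEY); /* xor eax,0007EAD3 */
    coins += delta;                                           /* add eax,[ebp+08] */
    if (coins > COIN_MAX) coins = COIN_MAX;                   /* cmp eax,edx / cmovg */
    if (coins < 0) coins = 0;                                 /* test eax,eax / cmovns */
    *stored_coins = (uint32_t)coins ^ COIN_XOR_KEY;           /* xor, then mov [ecx+24] */
    return coins;
}

/* Exact-value scan over a snapshot of 4-byte cells. Stores up to max_hits
 * matching indices and returns the total number of matches. */
size_t scan_exact(const uint32_t *mem, size_t n, uint32_t wanted,
                  size_t *hits, size_t max_hits) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (mem[i] != wanted) continue;
        if (count < max_hits) hits[count] = i;
        count++;
    }
    return count;
}

/* "Unknown initial value" scan followed by a "Changed value" filter: keep
 * every cell whose contents differ between two snapshots. */
size_t scan_changed(const uint32_t *before, const uint32_t *after, size_t n,
                    size_t *hits, size_t max_hits) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (before[i] == after[i]) continue;
        if (count < max_hits) hits[count] = i;
        count++;
    }
    return count;
}

/* Constructed toy snapshot standing in for process memory: cell 2 holds the
 * plain count the HUD displays, cell 5 the obfuscated field the game trusts.
 * The layout is an assumption for this demo, not anything from the game. */
#define CELLS        8
#define DISPLAY_CELL 2
#define WALLET_CELL  5

static void build_snapshot(uint32_t *mem, uint32_t coins) {
    static const uint32_t filler[CELLS] = {7, 0, 0, 42, 1, 0, 9, 3};
    for (size_t i = 0; i < CELLS; i++) mem[i] = filler[i];
    mem[DISPLAY_CELL] = coins;
    mem[WALLET_CELL]  = coins ^ COIN_XOR_KEY;
}

/* An exact scan for the displayed count: only the HUD copy matches, because
 * the real field never contains the plain number. */
size_t exact_scan_for_display(uint32_t coins, size_t *hits, size_t max_hits) {
    uint32_t mem[CELLS];
    build_snapshot(mem, coins);
    return scan_exact(mem, CELLS, coins, hits, max_hits);
}

/* Snapshot, let the game's routine award coins, snapshot again: the changed
 * filter surfaces both the HUD copy and the obfuscated field. */
size_t changed_scan_after_earning(uint32_t coins, int32_t delta,
                                  size_t *hits, size_t max_hits) {
    uint32_t before[CELLS], after[CELLS];
    build_snapshot(before, coins);
    build_snapshot(after, coins);
    int32_t now = add_coins(&after[WALLET_CELL], delta);
    after[DISPLAY_CELL] = (uint32_t)now;    /* HUD refreshes from the real field */
    return scan_changed(before, after, CELLS, hits, max_hits);
}

int main(void) {
    size_t hits[CELLS];
    size_t n = exact_scan_for_display(150, hits, CELLS);
    printf("exact scan for 150: %zu hit(s), first at cell %zu (the HUD copy)\n", n, hits[0]);
    n = changed_scan_after_earning(150, 25, hits, CELLS);
    printf("changed-value scan after +25: %zu hit(s), at cells %zu and %zu\n", n, hits[0], hits[1]);
    uint32_t wallet = 150u ^ COIN_XOR_KEY;
    printf("wallet cell decodes to %u; after +25 the routine returns %d\n",
           coins_decode(wallet), add_coins(&wallet, 25));
    return 0;
}
```

Running it shows the point of the thread: an exact scan for 150 matches only the display copy, so editing that cell changes nothing the game honours, while the changed-value filter also surfaces the obfuscated field, which reads as the real count once XORed with the key. The cmovg/cmovns pair in the listing is why the model clamps to [0, 9999] before re-encoding, so a delta that pushes past 9999 or below 0 is silently capped.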

ballhammer
Noobzor
Posts: 9
Joined: Sat Apr 29, 2017 2:49 am
Reputation: 0

Dealing with no working addresses.

Post by ballhammer »

[QUOTE="happyTugs, post: 138690, member: 39952"]
since you actually seem to take advice, i took a quick look at the game.
your values are being encrypted by a simple xor.

[CODE]
ACE.exe+1517D0 - 55                    - push ebp
ACE.exe+1517D1 - 8B EC                 - mov ebp,esp
ACE.exe+1517D3 - 8B 41 24              - mov eax,[ecx+24] -- [ecx+24] holds the actual coins
ACE.exe+1517D6 - BA 0F270000           - mov edx,0000270F { 9999 } -- max coins
ACE.exe+1517DB - 35 D3EA0700           - xor eax,0007EAD3 { 518867 } -- encryption takes place here
ACE.exe+1517E0 - 03 45 08              - add eax,[ebp+08]
ACE.exe+1517E3 - 3B C2                 - cmp eax,edx
ACE.exe+1517E5 - 0F4F C2               - cmovg eax,edx -- if you exceeded 9999 coins, retain value of 9999 coins (potentially unlimited coins?)
ACE.exe+1517E8 - 33 D2                 - xor edx,edx
ACE.exe+1517EA - 85 C0                 - test eax,eax
ACE.exe+1517EC - 0F49 D0               - cmovns edx,eax
ACE.exe+1517EF - 8B C2                 - mov eax,edx
ACE.exe+1517F1 - 35 D3EA0700           - xor eax,0007EAD3 { 518867 }
ACE.exe+1517F6 - 80 79 3C 00           - cmp byte ptr [ecx+3C],00 { 0 }
ACE.exe+1517FA - 89 41 24              - mov [ecx+24],eax
ACE.exe+1517FD - 75 12                 - jne ACE.exe+151811
ACE.exe+1517FF - 52                    - push edx
ACE.exe+151800 - 68 60BCDE00           - push ACE.exe+20BC60 { ("BattleMaterial") }
ACE.exe+151805 - E8 1679FBFF           - call ACE.exe+109120
ACE.exe+15180A - 8B C8                 - mov ecx,eax
ACE.exe+15180C - E8 4F87FBFF           - call ACE.exe+109F60
ACE.exe+151811 - 5D                    - pop ebp
ACE.exe+151812 - C2 0400               - ret 0004 { 4 }
[/CODE]

wondering how i found that?

you first need to learn about calling conventions and how parameters are moved into certain registers before a call.
here's some links.
[URL='https://en.wikipedia.org/wiki/X86_calling_conventions']x86 calling conventions[/URL]
[URL='https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/x64-architecture']x64 Architecture[/URL]

afterwards, apply a break and trace (or a break-point) on the function that writes to the visual address (specifically look at the stack trace), look at what parameters were used in the function call, and trace backwards.

edit. what debugger are you using? try using windows debugger if veh debugger isn't working or vice versa. they are located in the 'Settings' in the 'Debugger Options' underneath the 'Debugger Method'. oh, and make sure you give CE some time for the debugger to attach. don't just close out immediately.
[/QUOTE]

Well, this is going to be a headache to figure out, [S]but I get to learn what high school won't teach me. Relating to the debugger, I was using the Windows debugger, but I guess I wasn't waiting long enough.[/S] It just wanted me to click the game.



Thank you and the others for helping :D
Last edited by ballhammer on Sun Jun 07, 2020 10:35 pm, edited 4 times in total.

happyTugs
Table Makers
Posts: 64
Joined: Mon Apr 20, 2020 1:01 am
Reputation: 14

Dealing with no working addresses.

Post by happyTugs »

ballhammer wrote: this is going to be a headache
here's a more intuitive explanation
Attachments
15AssemblyFunctions.zip (256.28 KiB)
(extract using 7zip) password: princeton
Last edited by happyTugs on Sun Jun 07, 2020 10:42 pm, edited 2 times in total.
