I'm having a bug(?) with Cheat Engine

Post by PronKill »

I want to find the health address through AOB function. I've done it and for some reason the named variable won't work in the table, BUT its address works.
Here is what I mean by that:

That's the code I'm using. "rcx" is what I need to get.

Code: Select all

[ENABLE]
aobscanregion(INJECT, TimeSurvivors-Win64-Shipping.exe+198819A, TimeSurvivors-Win64-Shipping.exe+19881AD,F3 0F 10 81 64 03 00 00 C3) // should be unique
alloc(newmem,$1000,INJECT)
registersymbol(INJECT)
define(pHealth,newmem+100)
registersymbol(pHealth)

label(return)

pHealth:
  dd 0

newmem:
  mov [pHealth],rcx
  movss xmm0,[rcx+00000364]
  jmp return

INJECT:
  jmp newmem
  nop 3
return:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT:
  db F3 0F 10 81 64 03 00 00

unregistersymbol(INJECT)
unregistersymbol(pHealth)
dealloc(newmem)

If you want to ask about the pointer from the address 7FF7B1A20100, it is mentioned in the code (which is basically pHealth from the script)

And so basically despite the script actually working, Cheat Engine just trolls me with this situation. Does anyone know how to fix this?

Post by Messy6666 »

didn't read all but for starter
RCX == 8 bytes not 4

so DQ instead of DD ( pHealth )

Post by PronKill »

Messy6666 wrote:
Fri Sep 29, 2023 7:03 pm
didn't read all but for starter
RCX == 8 bytes not 4

so DQ instead of DD ( pHealth )

I'll have this difference in mind for the future, though sad that this isn't exactly what could fix my problem.

Post by Messy6666 »

well your current pHealth doesn't have enough room to hold the pointer ( RCX )
all weird things can happen
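
Why the reserved size matters for `mov [pHealth],rcx`, as an added example that is not part of any post in this thread: a small C model of a 64-bit store into a slot of 4 or 8 bytes. The buffer layout, the marker value and the pointer value are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Emulates `mov [slot],rcx` on x86-64: a 64-bit store writes 8 bytes
   (little-endian) regardless of how many bytes were reserved for the slot. */
static void store64(uint8_t *mem, size_t off, uint64_t reg) {
    for (size_t i = 0; i < 8; i++)
        mem[off + i] = (uint8_t)(reg >> (8 * i));
}

/* Little-endian 32-bit read, like a 4-byte view of an address. */
static uint32_t load32(const uint8_t *mem, size_t off) {
    uint32_t v = 0;
    for (size_t i = 0; i < 4; i++)
        v |= (uint32_t)mem[off + i] << (8 * i);
    return v;
}

/* Constructed value standing in for whatever lives right after the slot. */
#define MARKER 0xC0DEC0DEu

/* Places MARKER directly after a slot of slot_size bytes (slot_size <= 8),
   performs the 64-bit store into the slot, and reports whether MARKER
   is still intact afterwards (1) or was overwritten (0). */
int neighbor_survives(size_t slot_size, uint64_t reg) {
    uint8_t mem[32] = {0};
    for (size_t i = 0; i < 4; i++)
        mem[slot_size + i] = (uint8_t)(MARKER >> (8 * i));
    store64(mem, 0, reg);
    return load32(mem, slot_size) == MARKER;
}

/* What a 4-byte read of the slot yields after the store: the low half only. */
uint32_t low_half_seen(uint64_t reg) {
    uint8_t mem[8];
    store64(mem, 0, reg);
    return load32(mem, 0);
}

int main(void) {
    const uint64_t ptr = 0x00007FF6A1B2C3D4ULL; /* constructed 64-bit pointer */
    printf("4-byte slot (dd 0): neighbour intact? %d\n", neighbor_survives(4, ptr));
    printf("8-byte slot (dq 0): neighbour intact? %d\n", neighbor_survives(8, ptr));
    printf("4-byte view of slot: %08X (stored %016llX)\n",
           (unsigned)low_half_seen(ptr), (unsigned long long)ptr);
    return 0;
}
```

An overrun like this only becomes visible when the bytes after the slot are actually in use.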

Post by PronKill »

I've found how to fix this issue. I'm just going to use "alloc" for the future, instead of giving it a dq 0 value, as it seems to be the only way to make it work...

Post by Rhark »

Personally, I would've done it like this:

Code: Select all

[ENABLE]
aobscanregion(INJECT, TimeSurvivors-Win64-Shipping.exe+198819A, TimeSurvivors-Win64-Shipping.exe+19881AD,F3 0F 10 81 64 03 00 00 C3) // should be unique
alloc(newmem,$1000,INJECT)
registersymbol(INJECT)

label(pHealth)
registersymbol(pHealth)

label(return)

newmem:
  mov [pHealth],rcx
code:
  movss xmm0,[rcx+00000364]
  jmp return

newmem+200:
pHealth:
   dq 0

INJECT:
  jmp newmem
  nop 3
return:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT:
  db F3 0F 10 81 64 03 00 00

unregistersymbol(INJECT)
unregistersymbol(pHealth)
dealloc(newmem)

Not sure why you're using "aobscanregion" for an Unreal Engine game though. One update and it will be broken.

Post by PronKill »

Rhark wrote:
Sun Oct 01, 2023 9:01 am
Personally, I would've done it like this:

Code: Select all

[ENABLE]
aobscanregion(INJECT, TimeSurvivors-Win64-Shipping.exe+198819A, TimeSurvivors-Win64-Shipping.exe+19881AD,F3 0F 10 81 64 03 00 00 C3) // should be unique
alloc(newmem,$1000,INJECT)
registersymbol(INJECT)

label(pHealth)
registersymbol(pHealth)

label(return)

newmem:
  mov [pHealth],rcx
code:
  movss xmm0,[rcx+00000364]
  jmp return

newmem+200:
pHealth:
   dq 0

INJECT:
  jmp newmem
  nop 3
return:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
INJECT:
  db F3 0F 10 81 64 03 00 00

unregistersymbol(INJECT)
unregistersymbol(pHealth)
dealloc(newmem)

Not sure why you're using "aobscanregion" for an Unreal Engine game though. One update and it will be broken.

It actually works like that too. Thank you! As for the aobscanregion, that's what I've just randomly found out about and started using it for convenience instead of aobscan. If there is a way better way to do things, I'd really like to know, as finding tutorials about these things is hard for me.

Post by VampTY »

Like Rhark said about that aob, anyway, curiosity, i've downloaded the DEMO (not my kind of game, i hope i can remove it from my account), found the hp, made you 2 types of scripts, one with ptr and one without, you can learn from examples.

That script made with pointer:
> Why is like that "registersymbol(health _hp)" ? Is easier, much faster to read, you can add more, like:
registersymbol(health _hp _ammo _armor)

No need to add:

registersymbol(health)
registersymbol(_hp)
registersymbol(_ammo)
registersymbol(_armor)

> Why after DISABLE is?

dealloc(*)
unregistersymbol(*)

And not?

dealloc(health)
unregistersymbol(newmem) or whatever the name might be?

Because having "*" in "(*)" will dealloc even if you have 100 added in your script, all can be named differently or almost the same, like:

alloc(life1,8)
alloc(life2,8)
alloc(life3,8)
alloc(life4,8)
alloc(life5,8)
alloc(life100,8)
alloc(life200,8)
alloc(lhealth1,8)
alloc(lhealth2,8)

Etc.

That "(*)" will dealloc all, same goes for "unregistersymbol(*)" in all scripts.

And also:
4=32 bits
8=64 bits

Example:

alloc(life1,8) - is for 64 bits
alloc(life1,4) - is for 32 bits

Finding a pointer and his offset can be added easily to the script, if that thingy (value) runs through it, in this case in my scripts is in "rsi", let's say armor or whatever is in there is still located in "rsi" although in another script or address (that won't matter) can still be added to this script, just add the offset.

Other way, can be done like ... :lol: let's say the offset is 300, your hp is on 300, your ammo is on 250, you know is on rsi (your ammo) but you found your ammo offset on a script that you have no idea what to do with it or is a shared code (multiple op codes could run through it), find the hp or whatever that has only 1 thingy moving around (when that is accessed only that should run, one thing)..then in the same way you add any other pointer, instead of just adding the right and known offset (in this example is 300 for hp) .. let's say on your table your ammo your found value for ammo is 738625615 (and you don't know for the life of you what to do) and for hp or whatever you have found and is only one thing running when accessed and the address is 738625312, well in that spot when you insert the offset just use the arrows, then go either left or right until you'll reach from 738625615 from 738625312. I hope you've understood this, this is for shared code, bad cases without backtracking! :P

If when accessed (right click) points you to one single thingy running and that has multiple offsets pointing to hp, armor, stats etc then is easier, to the same script you just add the offsets needed, easy-peasy!

Take care!
Last edited by VampTY on Sun Oct 01, 2023 11:07 am, edited 1 time in total.

Post by PronKill »

VampTY wrote:
Sun Oct 01, 2023 10:18 am
Like Rhark said about that aob, anyway, curiosity, i've downloaded the DEMO (not my kind of game, i hope i can remove it from my account), found the hp, made you 2 types of scripts, one with ptr and one without, you can learn from examples.

That script made with pointer:
> Why is like that "registersymbol(health _hp)" ? Is easier, much faster to read, you can add more, like:
registersymbol(health _hp _ammo _armor)

No need to add

registersymbol(health)
registersymbol(_hp)
registersymbol(_ammo)
registersymbol(_armor)
> why after DISABLE is:

dealloc(*)
unregistersymbol(*)

And not

dealloc(health)
unregistersymbol(newmem) or whatever the name might be

Because having "*" in "(*)" will dealloc even if you have 100 added in your script, like:

alloc(life1,8)
alloc(life2,8)
alloc(life3,8)
alloc(life4,8)
alloc(life5,8)

etc

That "(*)" will dealloc all, same goes for "unregistersymbol(*)" in all scripts.
And in:
alloc(life1,8) - is for 64
alloc(life1,4) - is for 32

Finding a pointer and its offset can be added easily to the script, if that thingy runs through it, in this case in my scripts is in "rsi", let's say armor or whatever is in there is still located in "rsi" although in different script (that won't matter) can still be added in this script, just add the offset. Other way can be done like ... :lol: let's say the offset is 300, your hp, your ammo is on 250, you know is on rsi but you found your ammo offset on a script that you have no idea what to do with it or is a shared code..find the hp or whatever that has only 1 thingy moving around when it's accessed and add it there..just use the arrows when you're making the pointer, left or right, meaning you either decrease or increase, manually until you'll find your pointer, easy-peasy :P . I hope you can understand that, i'm bad at explaining these.

I ate a lot of words.. :P

Take care!

Thanks for the help, I'll have all these tips in mind! If you want to remove the game from Steam library, you can right-click it, hover over Manage and click the "Remove from account" (works only for free games though).
So I guess I'm better off using "aobscanmodule" for Unreal Engine games, while "aobscanregion" is better used with games that have Mono?

Post by VampTY »

@ PronKill

Yes, now depends mostly now if you plan in updating the files, if is just one time, eh..with "aobscanmodule" a cheat can function in some older version or newer version of the game, or could suffer small modifications to bytes (updates to the script, sometimes few ?? can do the trick).

In Unity games, i use "aobscan", i mean for example download this table here:
viewtopic.php?f=2&t=25937

In those scripts i added the address instead of the name, you just copy that in "Memory View", right click the address and "Copy to clipboard/Addresses only" and in the script, for example:

Code: Select all

[ENABLE]
aobscan(HudHeart:Update+58f,48 63 80 84 02 00 00 48)
alloc(newmem,$100,HudHeart:Update+58f)
alloc(_player,4)
label(return)
registersymbol(HudHeart:Update+58f _player)
newmem:
  mov [_player],rax
  movsxd  rax,dword ptr [rax+284]
  jmp return
HudHeart:Update+58f:
  jmp newmem
  nop 2
return:
[DISABLE]
dealloc(newmem)
unregistersymbol(HudHeart:Update+58f)
HudHeart:Update+58f:
  db 48 63 80 84 02 00 00

That "HudHeart:Update+58f" was the copied address, instead of the default "INJECT" name was before or the one given after, it will load much faster.
And in the first script, where is "OpenProcess("savantremix.exe")", just rename with the .exe of the game you'll do the table for!

I don't know if is clear, i don't know how to explain things! :lol: Just watch some tutorials online ! ;)
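
The trade-off discussed above between a fixed address window and an image-wide signature with ?? wildcards, as an added example that is not taken from any poster's script: a C byte-pattern matcher run over two constructed images. The images V1 and V2, the window bounds and the three patterns are assumptions of this example, and the model requires the whole match to lie inside the window.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define W (-1) /* a ?? wildcard: matches any byte */

/* Counts matches of pat[0..n) that lie fully inside buf[start, end).
   The offset of the first match is stored in *first when it is non-NULL. */
size_t aob_count(const uint8_t *buf, size_t start, size_t end,
                 const int *pat, size_t n, size_t *first) {
    size_t hits = 0;
    for (size_t i = start; i + n <= end; i++) {
        size_t j = 0;
        while (j < n && (pat[j] == W || buf[i + j] == (uint8_t)pat[j]))
            j++;
        if (j < n)
            continue;
        if (hits == 0 && first)
            *first = i;
        hits++;
    }
    return hits;
}

/* Constructed image, "version 1": two similar loads, target at 0x14. */
static const uint8_t V1[] = {
    0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,
    0xF3,0x0F,0x10,0x89,0x68,0x03,0x00,0x00,0xC3, /* 0x08 movss xmm1,[rcx+368]; ret */
    0xCC,0xCC,0xCC,
    0xF3,0x0F,0x10,0x81,0x64,0x03,0x00,0x00,0xC3, /* 0x14 movss xmm0,[rcx+364]; ret */
    0xCC,0xCC,0xCC
};
/* Constructed "version 2" after an update: code moved by 4 bytes and the
   field offsets changed, so the target is now at 0x18 and reads [rcx+36C]. */
static const uint8_t V2[] = {
    0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,
    0xF3,0x0F,0x10,0x89,0x70,0x03,0x00,0x00,0xC3, /* 0x0C */
    0xCC,0xCC,0xCC,
    0xF3,0x0F,0x10,0x81,0x6C,0x03,0x00,0x00,0xC3, /* 0x18 */
    0xCC,0xCC,0xCC
};

static const int EXACT[]     = {0xF3,0x0F,0x10,0x81,0x64,0x03,0x00,0x00,0xC3};
static const int LOOSE[]     = {0xF3,0x0F,0x10,0x81,W,W,0x00,0x00,0xC3};
static const int TOO_LOOSE[] = {0xF3,0x0F,0x10,W,W,W,0x00,0x00,0xC3};

int main(void) {
    size_t at = 0, n;
    /* Fixed window [0x12,0x20), modelled on a start/end address pair */
    printf("v1 window, exact   : %zu\n", aob_count(V1, 0x12, 0x20, EXACT, 9, NULL));
    printf("v2 window, loose   : %zu\n", aob_count(V2, 0x12, 0x20, LOOSE, 9, NULL));
    /* Whole image, modelled on a module-wide scan */
    printf("v2 image, exact    : %zu\n", aob_count(V2, 0, sizeof V2, EXACT, 9, NULL));
    n = aob_count(V2, 0, sizeof V2, LOOSE, 9, &at);
    printf("v2 image, loose    : %zu at 0x%zX\n", n, at);
    printf("v2 image, too loose: %zu (not unique)\n",
           aob_count(V2, 0, sizeof V2, TOO_LOOSE, 9, NULL));
    return 0;
}
```

Counting hits rather than stopping at the first one is what backs a "should be unique" comment: a pattern with too many wildcards matches the neighbouring load as well.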

Post by PronKill »

VampTY wrote:
Sun Oct 01, 2023 3:59 pm
@ PronKill

Yes, now depends mostly now if you plan in updating the files, if is just one time, eh..with "aobscanmodule" a cheat can function in some older version or newer version of the game, or could suffer small modifications to bytes (updates to the script, sometimes few ?? can do the trick).

In Unity games, i use "aobscan", i mean for example download this table here:
viewtopic.php?f=2&t=25937

In those scripts i added the address instead of the name, you just copy that in "Memory View", right click the address and "Copy to clipboard/Addresses only" and in the script, for example:

Code: Select all

[ENABLE]
aobscan(HudHeart:Update+58f,48 63 80 84 02 00 00 48)
alloc(newmem,$100,HudHeart:Update+58f)
alloc(_player,4)
label(return)
registersymbol(HudHeart:Update+58f _player)
newmem:
  mov [_player],rax
  movsxd  rax,dword ptr [rax+284]
  jmp return
HudHeart:Update+58f:
  jmp newmem
  nop 2
return:
[DISABLE]
dealloc(newmem)
unregistersymbol(HudHeart:Update+58f)
HudHeart:Update+58f:
  db 48 63 80 84 02 00 00

That "HudHeart:Update+58f" was the copied address, instead of the default "INJECT" name was before or the one given after, it will load much faster.
And in the first script, where is "OpenProcess("savantremix.exe")", just rename with the .exe of the game you'll do the table for!

I don't know if is clear, i don't know how to explain things! :lol: Just watch some tutorials online ! ;)

I see. Thanks!

Post by shadowblade »

VampTY wrote:
Sun Oct 01, 2023 3:59 pm
@ PronKill

Yes, now depends mostly now if you plan in updating the files, if is just one time, eh..with "aobscanmodule" a cheat can function in some older version or newer version of the game, or could suffer small modifications to bytes (updates to the script, sometimes few ?? can do the trick).

In Unity games, i use "aobscan", i mean for example download this table here:
viewtopic.php?f=2&t=25937

In those scripts i added the address instead of the name, you just copy that in "Memory View", right click the address and "Copy to clipboard/Addresses only" and in the script, for example:

Code: Select all

[ENABLE]
aobscan(HudHeart:Update+58f,48 63 80 84 02 00 00 48)
alloc(newmem,$100,HudHeart:Update+58f)
alloc(_player,4)
label(return)
registersymbol(HudHeart:Update+58f _player)
newmem:
  mov [_player],rax
  movsxd  rax,dword ptr [rax+284]
  jmp return
HudHeart:Update+58f:
  jmp newmem
  nop 2
return:
[DISABLE]
dealloc(newmem)
unregistersymbol(HudHeart:Update+58f)
HudHeart:Update+58f:
  db 48 63 80 84 02 00 00

That "HudHeart:Update+58f" was the copied address, instead of the default "INJECT" name was before or the one given after, it will load much faster.
And in the first script, where is "OpenProcess("savantremix.exe")", just rename with the .exe of the game you'll do the table for!

I don't know if is clear, i don't know how to explain things! :lol: Just watch some tutorials online ! ;)

you should alloc 8 not 4

Post by PronKill »

shadowblade wrote:
Mon Oct 02, 2023 2:40 pm
VampTY wrote:
Sun Oct 01, 2023 3:59 pm
@ PronKill

Yes, now depends mostly now if you plan in updating the files, if is just one time, eh..with "aobscanmodule" a cheat can function in some older version or newer version of the game, or could suffer small modifications to bytes (updates to the script, sometimes few ?? can do the trick).

In Unity games, i use "aobscan", i mean for example download this table here:
viewtopic.php?f=2&t=25937

In those scripts i added the address instead of the name, you just copy that in "Memory View", right click the address and "Copy to clipboard/Addresses only" and in the script, for example:

Code: Select all

[ENABLE]
aobscan(HudHeart:Update+58f,48 63 80 84 02 00 00 48)
alloc(newmem,$100,HudHeart:Update+58f)
alloc(_player,4)
label(return)
registersymbol(HudHeart:Update+58f _player)
newmem:
  mov [_player],rax
  movsxd  rax,dword ptr [rax+284]
  jmp return
HudHeart:Update+58f:
  jmp newmem
  nop 2
return:
[DISABLE]
dealloc(newmem)
unregistersymbol(HudHeart:Update+58f)
HudHeart:Update+58f:
  db 48 63 80 84 02 00 00

That "HudHeart:Update+58f" was the copied address, instead of the default "INJECT" name was before or the one given after, it will load much faster.
And in the first script, where is "OpenProcess("savantremix.exe")", just rename with the .exe of the game you'll do the table for!

I don't know if is clear, i don't know how to explain things! :lol: Just watch some tutorials online ! ;)
you should alloc 8 not 4

This example is related towards the function of "aobscan" which is shown with a Unity game table which is linked in their message. The example about allocation is shown higher.

Edit: Actually, you're right, there is rax instead of eax, but I've seen it actually work even with a "1". I don't know what allocation affects if it works like that to be honest XD
Last edited by PronKill on Mon Oct 02, 2023 7:02 pm, edited 2 times in total.

Post by VampTY »

Here's the HP, in two ways, for chapter 0 v.805, this could function for 1 hr or 1 week, depends on updates, tested only with Claire, could work also for others, if i'd had all of them unlocked (game finished) i could have posted a more reliable answer, until then PronKill experience with this forms, try other games for more experience gained, then when the game will be full, you'll have more knowledge. Good luck! :P
Attachments
Time Survivors.CT
Chapter 0 [v.805]
(2.23 KiB) Downloaded 627 times

Post by VampTY »

There's also globalalloc or readmem, well that was for a reason with 4, there's cases when there's more than enough, just like the thingy with newmem,1000 and newmem,100 ... or 256 with 4096 , cheat engine knows how much it needs.

One more example, i hope you can understand...in this below from {$lua} to {$asm} don't mind that, it's a transition with other option, HP only, that is without disabling the option, you can just click another one instead and this will disable this just like that, over and over..ok

You see that readmem, one 8 and one 7, one jumps under it, byte

Code: Select all

[ENABLE]
{$lua}
local pHealthOn = getAddressList().getMemoryRecordByDescription("Character   [Health/One Hit Kill]")
if (pHealthOn.Active) then
 pHealthOn.Active = false
end
{$asm}
aobscanmodule(character_health,xblades.exe,0F ?? ?? ?? ?? ?? ?? 72 ?? B8 ?? ?? ?? ?? C3 33 ?? C3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B)
alloc(character_health_base_x,8)
alloc(character_health_base_y,7)
label(code)
label(newmem_y)
label(return)
registersymbol(character_health)
registersymbol(character_health_base_x)
registersymbol(character_health_base_y)
character_health_base_y:
  readmem(character_health,7)
newmem_x:
  cmp byte ptr [ecx+7c],7
  jne code
  push eax
  mov eax,[ecx+4d4]
  mov [ecx+4d0],eax
  pop eax
newmem_y:
  mov [character_health_base_x],ecx
  readmem(character_health,7)
  jmp return
code:
  readmem(character_health,7)
  jmp return
character_health:
  jmp newmem_x
  nop 2
return:
[DISABLE]
dealloc(*)
unregistersymbol(*)
character_health:
  readmem(character_health_base_y,7)

---------
Or, i use it sometimes, for those games that use crc checks or anti checks cheats filters, i hate them :D , look below, but this works with a plugin (free) and also with Data Execution Prevention (DEP) disabled...sometimes i also disable my internet, just to be sure. ^_^


You see that 3 from stealtheditex, it also runs with 4 it can go up to more than that, like 12, 13 and more since this will read exactly to your current pointer stealtheditex and will alloc all the time, while stealthedit is just one time (though is not in this example), just to point that out

Code: Select all

[ENABLE]
aobscanmodule(energy_character,AvP_DX11.exe,F3 0F 11 86 38 04 00 00 8B)
stealtheditex(energy_character_plugin_base,energy_character,3)
alloc(newmem,100,AvP_DX11.exe)
label(code)
label(energy_character_plugin_value)
label(return)
registersymbol(energy_character_plugin_value)
newmem:
  movss xmm0,[esi+43C]
code:
  movss [esi+438],xmm0
  jmp return
energy_character_plugin_base:
energy_character_plugin_value:
  jmp newmem
  nop 3
return:
[DISABLE]
dealloc(newmem)
unregistersymbol(energy_character_plugin_value)
energy_character_plugin_value:
  db F3 0F 11 86 38 04 00 00

The thingy is to alloc as much as is needed, you can:

alloc(256)
alloc(24)
alloc(16)

In some scripts you can just define or label them...subtract a byte or two..i guess i shouldn't have pasted all these, perhaps they're a lot to manage, now, though just to get some idea. Ok, too much info :P as i've said, i'm bad at these! I won't post in your topic, i'll leave others! ;)

Take care!
