Can help with multilevel pointers find?

Anything Cheat Engine related, bugs, suggestions, helping others, etc..
chusski
Cheater
Cheater
Posts: 32
Joined: Sat Sep 08, 2018 8:25 pm
Reputation: 6

Can help with multilevel pointers find?

Post by chusski » Sun May 05, 2019 11:50 am

Hello.

I am noob with CE, and i am tryign to learm find multilevel pointers.
But i have a problem to find Health pointer on The_Swords_of_Dittov1.14.01-202.
Can some one help my with it plz?
My finally is learm how to do for other games too...

I can find the pointer for the one sesion of the game, but change for every map, and every session.

Thx very much guys.

User avatar
TheyCallMeTim13
Administration
Administration
Posts: 1626
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 591

Re: Can help with multilevel pointers find?

Post by TheyCallMeTim13 » Sun May 05, 2019 12:31 pm

You likely need to change the structure size and max. level. That or look into code injection and just hook the address.
https://wiki.cheatengine.org/index.php? ... ction_full
CE wiki - Tutorials CE wiki - Auto Assembler Basics - CE wiki - Lua Basics If it's not a Personal Message don't PM me, use the forum. I ignore PMs that should be asked on the forum.

chusski
Cheater
Cheater
Posts: 32
Joined: Sat Sep 08, 2018 8:25 pm
Reputation: 6

Re: Can help with multilevel pointers find?

Post by chusski » Sun May 05, 2019 3:15 pm

thx for reply.

how injection works, if the address change every time the game are reloaded?

i was try to to compare scanned address with another scaned adres after reload game, but one one address be finded...

thx for the help. (and sorry for my english)

User avatar
TheyCallMeTim13
Administration
Administration
Posts: 1626
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 591

Re: Can help with multilevel pointers find?

Post by TheyCallMeTim13 » Sun May 05, 2019 3:47 pm

Check the wiki it goes over code injection and the use of AOBs. But basically you hook the code that accesses the address.
https://wiki.cheatengine.org/index.php? ... rials:AOBs
https://wiki.cheatengine.org/index.php? ... ler:Basics
https://wiki.cheatengine.org/index.php? ... :Templates
https://wiki.cheatengine.org/index.php? ... ction_full

Code: Select all

define(bytes, 8B 47 58 5F 8D 14 F6)

////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
aobScanModule(aobSkillPointsHook, Borderlands2.exe, E8xxxxxxxx83xxxx8Bxxxxxx8Dxxxxxx8Dxxxxxx8B)
define(injSkillPointsHook, aobSkillPointsHook+8)
assert(injSkillPointsHook, bytes)
registerSymbol(injSkillPointsHook)

alloc(memSkillPointsHook, 0x400, injSkillPointsHook)

label(ptrSkillPointsHook)
registerSymbol(ptrSkillPointsHook)

label(n_code)
label(o_code)
label(exit)
label(return)

memSkillPointsHook:
	ptrSkillPointsHook:
		dd 0
	align 10 CC
	n_code:
		mov [ptrSkillPointsHook],edi
	o_code:
		mov eax,[edi+58]
		pop edi
		lea edx,[esi+esi*8]
	exit:
		jmp return


////
//// ---------- Injection Point ----------
injSkillPointsHook:
	jmp n_code
	nop
	nop
	return:


////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
////
//// ---------- Injection Point ----------
injSkillPointsHook:
	db bytes

unregisterSymbol(injSkillPointsHook)

unregisterSymbol(ptrSkillPointsHook)

dealloc(memSkillPointsHook)

{
//// Injection Point: Borderlands2.exe+BA6377  -  01C46377
//// AOB address: 01C4636F  -  Borderlands2.exe+BA636F
//// Process: Borderlands2.exe  -  010A0000
//// Module: Borderlands2.exe  -  010A0000
//// Module Size: 01AC7000
Borderlands2.exe+BA633C:  83 C0 04                    -  add eax,04                         
Borderlands2.exe+BA633F:  74 E4                       -  je 01C46325                        
Borderlands2.exe+BA6341:  8B 30                       -  mov esi,[eax]                      
Borderlands2.exe+BA6343:  85 F6                       -  test esi,esi                       
Borderlands2.exe+BA6345:  78 DE                       -  js 01C46325                        
Borderlands2.exe+BA6347:  3B 77 5C                    -  cmp esi,[edi+5C]                   
Borderlands2.exe+BA634A:  7D D9                       -  jnl 01C46325                       
Borderlands2.exe+BA634C:  8B 47 5C                    -  mov eax,[edi+5C]                   
Borderlands2.exe+BA634F:  3B F0                       -  cmp esi,eax                        
Borderlands2.exe+BA6351:  7C 24                       -  jl 01C46377                        
Borderlands2.exe+BA6353:  85 F6                       -  test esi,esi                       
Borderlands2.exe+BA6355:  75 04                       -  jne 01C4635B                       
Borderlands2.exe+BA6357:  85 C0                       -  test eax,eax                       
Borderlands2.exe+BA6359:  74 1C                       -  je 01C46377                        
Borderlands2.exe+BA635B:  68 E8082A02                 -  push 022A08E8                      [00000000]
Borderlands2.exe+BA6360:  68 5C020000                 -  push 0000025C                      
Borderlands2.exe+BA6365:  68 F80B2A02                 -  push 022A0BF8                      ["d:\bamboo\builds\man-mancanapccert-job1\development\src\core\inc\Array.h"]
Borderlands2.exe+BA636A:  68 C80B2A02                 -  push 022A0BC8                      ["i>=0 && (i<ArrayNum||(i==0 && ArrayNum==0))"]
Borderlands2.exe+BA636F:  E8 ACF64DFF                 -  call 01125A20                      <<<--- AOB Starts Here
Borderlands2.exe+BA6374:  83 C4 10                    -  add esp,10                         
////  INJECTING START  ----------------------------------------------------------
Borderlands2.exe+BA6377:  8B 47 58                    -  mov eax,[edi+58]                   
Borderlands2.exe+BA637A:  5F                          -  pop edi                            
Borderlands2.exe+BA637B:  8D 14 F6                    -  lea edx,[esi+esi*8]                
////  INJECTING END  ----------------------------------------------------------
Borderlands2.exe+BA637E:  5E                          -  pop esi                            
Borderlands2.exe+BA637F:  8D 04 90                    -  lea eax,[eax+edx*4]                
Borderlands2.exe+BA6382:  5B                          -  pop ebx                            
Borderlands2.exe+BA6383:  8B E5                       -  mov esp,ebp                        
Borderlands2.exe+BA6385:  5D                          -  pop ebp                            
Borderlands2.exe+BA6386:  C2 0400                     -  ret 0004                           
Borderlands2.exe+BA6389:  CC                          -  int 3                              
Borderlands2.exe+BA638A:  CC                          -  int 3                              
Borderlands2.exe+BA638B:  CC                          -  int 3                              
Borderlands2.exe+BA638C:  CC                          -  int 3                              
Borderlands2.exe+BA638D:  CC                          -  int 3                              
Borderlands2.exe+BA638E:  CC                          -  int 3                              
Borderlands2.exe+BA638F:  CC                          -  int 3                              
Borderlands2.exe+BA6390:  55                          -  push ebp                           
Borderlands2.exe+BA6391:  8B EC                       -  mov ebp,esp                        
Borderlands2.exe+BA6393:  8B 45 08                    -  mov eax,[ebp+08]                   
Borderlands2.exe+BA6396:  53                          -  push ebx                           
Borderlands2.exe+BA6397:  50                          -  push eax                           
//// Template: I2CEA_AOBFullInjection
//// Generated with: I2 Cheat Engine Auto Assembler Script Template Generator
//// Code Happy, Code Freely, Be Awesome.
}

https://wiki.cheatengine.org/index.php?title=Tutorials
CE wiki - Tutorials CE wiki - Auto Assembler Basics - CE wiki - Lua Basics If it's not a Personal Message don't PM me, use the forum. I ignore PMs that should be asked on the forum.

Twistedself
Noobzor
Noobzor
Posts: 12
Joined: Sat Jun 30, 2018 12:38 am
Reputation: 12

Re: Can help with multilevel pointers find?

Post by Twistedself » Sun May 05, 2019 5:12 pm

Iittle off-topic, but you can aobscanmodules, then just the (variableName, module, ?? ??)? and it works the same way as a regualar aobscan(VariableName, ?? ??) but only scans within the module?

@OP if you post the game or an address I can help you make this work. Tim is saying that you don't need the pointer if you have the code, you can just scan for the assembly(opcode) via AOB that uses that address.

They way I normally do it is , lets say;

your code is:
push edx
mov edx, [esi+eax*8+4]

When you dissassemble you have the following bytes (I am making this up with no code)
a3 43 F0 D2 37 28 24 64

You know the variable is what ever the value is after they do esi+eax8*+4 and shove that into edx. So identify the byte range that is esi"""""""+4 and mask out those bytes. In our example something like
a3 43 F0 D2 ?? ?? ?? ??

Then write the code like

Aobscan(WantedVariableOrig, a3 43 F0 D2 ?? ?? ?? ??)
This will take the value at the AOB and load it into your variableORIG. make sure to add a lable and registersymbol(multiple if you will use that data more than once)

Then just go into your code
[enable]
alloc
label
register

activateScript:
mov edx, [WantedVariable]
jmp [WantedVariableOrig]+1

WantedVariable:
dd (float) 1.5

deactivateScript:
mov edx, [esi+eax*8+4]
jmp WantedVariableOrig

[disable]

unregister
dealloc

Something like this. I am very new to ASM and coding in general! I am self taught and I am sorry If my information is off. I do like helping tho and I hope I covered your question.

chusski
Cheater
Cheater
Posts: 32
Joined: Sat Sep 08, 2018 8:25 pm
Reputation: 6

Re: Can help with multilevel pointers find?

Post by chusski » Sun May 05, 2019 5:17 pm

Thx very much rellay for the help.
I going around 1 moth reading and tryig to learm how it work... But i am sure my problem are the comprension of the english, going better when see the examples.

I make this code, but something wrong, because when i execute; the game crash.
i was do with template cheat table framework and AOB injection.
And not modify any part off atm.

Code: Select all

{ Game   : The_Swords_of_Ditto.exe
  Version: 
  Date   : 2019-05-05
  Author : ChusskiNew

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(INJECT,The_Swords_of_Ditto.exe,5C C8 F2 0F 11 0E 89 F0) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:

code:
  movsd [esi],xmm1
  mov eax,esi
  jmp return

INJECT+02:
  jmp newmem
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT+02:
  db F2 0F 11 0E 89 F0

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "The_Swords_of_Ditto.exe"+4921E

"The_Swords_of_Ditto.exe"+491F5: DD 5C 24 20                       -  fstp qword ptr [esp+20]
"The_Swords_of_Ditto.exe"+491F9: F2 0F 10 44 24 20                 -  movsd xmm0,[esp+20]
"The_Swords_of_Ditto.exe"+491FF: EB 04                             -  jmp The_Swords_of_Ditto.exe+49205
"The_Swords_of_Ditto.exe"+49201: F2 0F 2A 06                       -  cvtsi2sd xmm0,[esi]
"The_Swords_of_Ditto.exe"+49205: F2 0F 5C 07                       -  subsd xmm0,[edi]
"The_Swords_of_Ditto.exe"+49209: F2 0F 11 06                       -  movsd [esi],xmm0
"The_Swords_of_Ditto.exe"+4920D: C7 46 0C 00 00 00 00              -  mov [esi+0C],00000000
"The_Swords_of_Ditto.exe"+49214: EB 0C                             -  jmp The_Swords_of_Ditto.exe+49222
"The_Swords_of_Ditto.exe"+49216: F2 0F 10 07                       -  movsd xmm0,[edi]
"The_Swords_of_Ditto.exe"+4921A: F2 0F 5C C8                       -  subsd xmm1,xmm0
// ---------- INJECTING HERE ----------
"The_Swords_of_Ditto.exe"+4921E: F2 0F 11 0E                       -  movsd [esi],xmm1
"The_Swords_of_Ditto.exe"+49222: 89 F0                             -  mov eax,esi
// ---------- DONE INJECTING  ----------
"The_Swords_of_Ditto.exe"+49224: 8D 65 F8                          -  lea esp,[ebp-08]
"The_Swords_of_Ditto.exe"+49227: 5E                                -  pop esi
"The_Swords_of_Ditto.exe"+49228: 5F                                -  pop edi
"The_Swords_of_Ditto.exe"+49229: 5D                                -  pop ebp
"The_Swords_of_Ditto.exe"+4922A: C2 04 00                          -  ret 0004
"The_Swords_of_Ditto.exe"+4922D: CC                                -  int 3 
"The_Swords_of_Ditto.exe"+4922E: CC                                -  int 3 
"The_Swords_of_Ditto.exe"+4922F: CC                                -  int 3 
"The_Swords_of_Ditto.exe"+49230: 55                                -  push ebp
"The_Swords_of_Ditto.exe"+49231: 89 E5                             -  mov ebp,esp
}
thx both guys.

User avatar
TheyCallMeTim13
Administration
Administration
Posts: 1626
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 591

Re: Can help with multilevel pointers find?

Post by TheyCallMeTim13 » Sun May 05, 2019 9:25 pm

Twistedself wrote:
Sun May 05, 2019 5:12 pm
Iittle off-topic, but you can aobscanmodules, then just the (variableName, module, ?? ??)? and it works the same way as a regualar aobscan(VariableName, ?? ??) but only scans within the module?...
Yes. It's good for larger module based games, which most newer games are.

Twistedself wrote:
Sun May 05, 2019 5:12 pm
...
Aobscan(WantedVariableOrig, a3 43 F0 D2 ?? ?? ?? ??)
...
And any non hex number in a CE aob string is seen as a wild card, so ending one with all wildcards is pointless; i.e. "a3 43 F0 D2" is basically equal to this "a3 43 F0 D2 ?? ?? ?? ??". Not sure if CE just ignores it or if it would actually make the scan take longer.

chusski wrote:
Sun May 05, 2019 5:17 pm
...
I make this code, but something wrong, because when i execute; the game crash....
Try doing a manual AOB scan (in the CE scan UI) and make sure you only get 1 address, or at least the first address is the right one. And just increase the AOB until it's works. But the code looks fine so that would be my guess at this point.
CE wiki - Tutorials CE wiki - Auto Assembler Basics - CE wiki - Lua Basics If it's not a Personal Message don't PM me, use the forum. I ignore PMs that should be asked on the forum.

chusski
Cheater
Cheater
Posts: 32
Joined: Sat Sep 08, 2018 8:25 pm
Reputation: 6

Re: Can help with multilevel pointers find?

Post by chusski » Mon May 06, 2019 7:17 am

Hello guys.
I am know near to learm... but i dont know where are me wrong..... i think the problem are i am working on bad address... any idea? thx guys
by mobs hitting my, reloading game, i take 4 times the bytes, from diferent address. This address are the one i can change to up health again.
Its was i tryng without luck:
Finding address:
Image

opcodes write at address:
Image

memory viewer:
Image

codes listing on notepad to compare:
Image

Code: Select all

00 00 00 00 00 00 59 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 59 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 40 00 00 00 00 00 00 00 00 0A D7 A3 70 3D 0A D7 3F 00 00 00 00 00 00 00 00
00 00 00 00 00 00 59 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 59 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00
00 00 00 00 00 00 59 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 59 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00
00 00 00 00 00 00 59 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 59 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00
00 00 00 00 00 00 59 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 59 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00

Code: Select all

[ENABLE]
aobscanmodule(health,The_Swords_of_Ditto.exe+4921e,?? ?? ?? ?? ?? ?? 59 40)
label(dittohealth)
registersymbol(dittohealth)

health:
dittohealth:

[DISABLE]
unregistersymbol(dittohealth)

chusski
Cheater
Cheater
Posts: 32
Joined: Sat Sep 08, 2018 8:25 pm
Reputation: 6

Re: Can help with multilevel pointers find?

Post by chusski » Mon May 06, 2019 5:48 pm

Hello guys, i am getting crazy....

Any idea?
thx for advanced

User avatar
TheyCallMeTim13
Administration
Administration
Posts: 1626
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 591

Re: Can help with multilevel pointers find?

Post by TheyCallMeTim13 » Mon May 06, 2019 10:33 pm

chusski wrote:
Mon May 06, 2019 5:48 pm
Hello guys, i am getting crazy....

Any idea?
thx for advanced
Try an actual injection hook and use the AOB injection template, but it looks like that might be shared instruction and you'll have to filter it out someway. If you are unsure how to do that, do the CE tutorial.
https://wiki.cheatengine.org/index.php? ... _Guide_x32
https://wiki.cheatengine.org/index.php? ... _Guide_x64
CE wiki - Tutorials CE wiki - Auto Assembler Basics - CE wiki - Lua Basics If it's not a Personal Message don't PM me, use the forum. I ignore PMs that should be asked on the forum.

chusski
Cheater
Cheater
Posts: 32
Joined: Sat Sep 08, 2018 8:25 pm
Reputation: 6

Re: Can help with multilevel pointers find?

Post by chusski » Tue May 07, 2019 6:13 am

Thx Tim. I really appreciate your help, this wiki with images is great I'm moving forward a lot. But I know I'm not a great student, I think it's devolved to my inlges ... but I've completed it until Step 9 and those examples do not help me understand what happens when I try it in the Ditto game.
It's as if the address is looping or something like that ...
I have managed to find a pointer that when I get hit the initial address appears but I can not get more of that. This pointer when passing between screens does not change, but if when restarting the game.
If I understood correctly:
 -injection hook: is to inject another direction on which you are looking. When I do this the game crash. To avoid this, I would need the address that was not shared, no?

-AOB injection template:
It is to avoid looking for a pointer, like in Step 9, if you do not look for the correct bytes, several times you compare them and with the pattern create an AOB that looks for it alone. But as I only find the initial address, and this is not serving me because of many patterns that I do ... when I set it up in the AOB, it finds a direction that has nothing to do ...

cant understand what i doing wrong...

User avatar
TheyCallMeTim13
Administration
Administration
Posts: 1626
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 591

Re: Can help with multilevel pointers find?

Post by TheyCallMeTim13 » Tue May 07, 2019 12:23 pm

chusski wrote:
Tue May 07, 2019 6:13 am
...
 -injection hook: is to inject another direction on which you are looking. When I do this the game crash. To avoid this, I would need the address that was not shared, no?
...
If you used a template, then it most likely crashes because more than one address is accessed by the instruction. Step 9 of the tutorial goes over shared instructions.

chusski wrote:
Tue May 07, 2019 6:13 am
...
-AOB injection template:
It is to avoid looking for a pointer, like in Step 9, if you do not look for the correct bytes, several times you compare them and with the pattern create an AOB that looks for it alone. But as I only find the initial address, and this is not serving me because of many patterns that I do ... when I set it up in the AOB, it finds a direction that has nothing to do ...
No AOB injection is for using a "scan signature" to deal with the instructions address changing, like after an update and even some games the address will change after a reboot. The injection hook itself is for "hooking" the base of the address you want to basically make your own pointer.
CE wiki - Tutorials CE wiki - Auto Assembler Basics - CE wiki - Lua Basics If it's not a Personal Message don't PM me, use the forum. I ignore PMs that should be asked on the forum.

chusski
Cheater
Cheater
Posts: 32
Joined: Sat Sep 08, 2018 8:25 pm
Reputation: 6

Re: Can help with multilevel pointers find?

Post by chusski » Tue May 07, 2019 5:19 pm

Well, let's see if I do the steps correctly.

1- I look for the direction of life. (100)
-Busco 100 (is Double)
-I get hit
-I look for Decrease

2-With the direction of Life: (00123BBB)
-I do Find writte to address:
-In the beginning I was 2 and its counters do not stop going up.
-I let them stick and an instruction is added (always the same: 0109921E - F2 0F11 0E - movsd [esi], xmm1)
-in this instruction I do show dissasembler

3-Find what access to this instruction: (difficult because the game slows down a lot)
-I let them hit me. and I stop it.
- Appear hundreds of addresses.
-Address 3 addresses with 1 counter. (Double)
-Only one of them has the value of life. which is the same as at the beginning (00123BBB)

What i need do next? compare the hundreds of addresses that come out?
In the tutorial Step 9 only 4 and it is easy to find the differences, more or less ....
If i compare the 3 address that have 1 counter, really dont know what i am looking for...

thx again

User avatar
VampTY
Table Makers
Table Makers
Posts: 71
Joined: Tue Mar 05, 2019 10:52 am
Reputation: 34

Re: Can help with multilevel pointers find?

Post by VampTY » Tue May 07, 2019 6:42 pm

@ chusski

In order to help you out, on version 1.15.02-202 REL, by Plaza, if you have that one, test this option below.
So while playing, load that table and F2 ..ESC then so that the visual will activate and you'll have unlimited bombs, i can find the health also..let me know if this works for your version, on the version i've mentioned works very well.
Attachments
item-bomb.CT
(1.17 KiB) Downloaded 29 times

chusski
Cheater
Cheater
Posts: 32
Joined: Sat Sep 08, 2018 8:25 pm
Reputation: 6

Re: Can help with multilevel pointers find?

Post by chusski » Tue May 07, 2019 9:59 pm

Thx very much for the help VampTY.

I am working at with The_Swords_of_Dittov1.14.01-202. Only workign with that because, i was stard with it.
Too Got installled 1.15.02-202 REL. But its np i can try tomorrow. Now i a at work.
If you can find way to health pointer, its great to see your work. And help my alot see it, for understand my wrong.
But i want understand what i am doing bad, and learm how this world works. really i am getting crazy with that pointer, but iam new on CE.

Thx again for all your time guys.

Post Reply

Who is online

Users browsing this forum: Baidu [Spider]