Listing what a pointer function writes into?

cHAOSfRED
Noobzor
Posts: 10
Joined: Sun Jun 17, 2018 12:26 pm
Reputation: 0

Post by cHAOSfRED »

So, continuing from my previous thread for my first table, a new problem is emerging.
For example, you have an RPG which consists of a list of 4 units/characters, each with their own HP stat. The list of their stats in the memory viewer is a region like this:

...
?? ?? ?? ?? ?? ?? ?? ?? MaxHP1 MaxHP1 MaxMP1 MaxMP1 CurHP1 CurHP1 CurMP1 CurMP1 00 00 00 00 00 00 00 00
?? ?? ?? ?? ?? ?? ?? ?? MaxHP2 MaxHP2 MaxMP2 MaxMP2 CurHP2 CurHP2 CurMP2 CurMP2 00 00 00 00 00 00 00 00
?? ?? ?? ?? ?? ?? ?? ?? MaxHP3 MaxHP3 MaxMP3 MaxMP3 CurHP3 CurHP3 CurMP3 CurMP3 00 00 00 00 00 00 00 00
?? ?? ?? ?? ?? ?? ?? ?? MaxHP4 MaxHP4 MaxMP4 MaxMP4 CurHP4 CurHP4 CurMP4 CurMP4 00 00 00 00 00 00 00 00
...
Unfortunately, this region's position doesn't have a fixed offset from the last unique AoB signature (after every game restart). Although each stat has a fixed offset from the others, at least. So I finally used "Find out what writes to this address" and figured out there is only one function for every HP change (either when you take damage, heal or change equipment); just one function address manages to do it with a fixed pointer, based on a line like this:

"Game.exe+00AABBCC" with a 4-byte value (AA BB CC DD) which reads as "mov blablabla"

From this function, you can use "Find out what addresses this instruction accesses" in the disassembler to find where that stats region is at the moment. Or, once the pointer is saved to the table, one can use "Disassemble this memory region".
------------------
The plan was sort of to create a table tree that looks like this:

> "Enable this and change your HP" (Script & toggle tree)
>>> Unit 1 slot (toggle tree)
>>>>> Unit 1 Max HP (editable value)
>>>>> Unit 1 Max MP (editable value)
>>>>> Unit 1 Current HP (editable value)
>>>>> Unit 1 Current MP (editable value)
>>> Unit 2 slot
>>>>> Unit 2 Max HP
...
>>> Unit 3 slot
>>>>> Unit 3 Max HP
...
>>> Unit 4
>>>>> Unit 4 Max HP
....
--end of table tree--
There are two steps the script has to do:
1. Look up the addresses that the pointer instruction writes into.
2. Put them into the child entries so the child list is displayed and editable correctly.

How to do this?

EpicBirdi
Cheater
Posts: 28
Joined: Sat Jul 21, 2018 2:22 pm
Reputation: 22

Re: Listing what a pointer function writes into?

Post by EpicBirdi »

See if there's a function that accesses the address for MaxHP1. If something runs often you can pull the address itself as a pointer; otherwise look for something that writes to CurrentHP/MP1 and it'll update when either changes, based on your script.

If your on-write instruction is something simple like:
movss [rbx+0000013C],eax
You can pull the address by using a symbol to store the base address at rbx:
mov [myBasePointer],rbx

You can add a pointer to your symbol "myBasePointer" with offset 13C to find your Current HP/MP, and change the offset from that base to properly locate the other nearby values.

If your instruction affects many different addresses often, you may need unique identifier byte(s) to cmp against to only find your one base address. You can find this unique section by using the Structure Dissect tool. You may also need to do this step in general if your instruction is too "simple", or lacks a clear offset:
movss [rbx],eax
In this case, the instruction is likely shared code for many parts of an application, and you'd need that unique section to make sure you only find the address you want.

If you're certain you'll find your address easily, but notice it change randomly, you can run another cmp check against your symbol itself, for the default value you give it when defined. If it's not the default value, you've already stored an address in it and can jump to regular code instead of replacing the symbol's value.

cHAOSfRED
Noobzor
Posts: 10
Joined: Sun Jun 17, 2018 12:26 pm
Reputation: 0

Re: Listing what a pointer function writes into?

Post by cHAOSfRED »

EpicBirdi wrote:
Thu Jul 15, 2021 7:33 am
See if there's a function that accesses the address for MaxHP1. If something runs often you can pull the address itself as a pointer; otherwise look for something that writes to CurrentHP/MP1 and it'll update when either changes, based on your script.

If your on-write instruction is something simple like:
movss [rbx+0000013C],eax
You can pull the address by using a symbol to store the base address at rbx:
mov [myBasePointer],rbx

You can add a pointer to your symbol "myBasePointer" with offset 13C to find your Current HP/MP, and change the offset from that base to properly locate the other nearby values.

If your instruction affects many different addresses often, you may need unique identifier byte(s) to cmp against to only find your one base address. You can find this unique section by using the Structure Dissect tool. You may also need to do this step in general if your instruction is too "simple", or lacks a clear offset:
movss [rbx],eax
In this case, the instruction is likely shared code for many parts of an application, and you'd need that unique section to make sure you only find the address you want.

If you're certain you'll find your address easily, but notice it change randomly, you can run another cmp check against your symbol itself, for the default value you give it when defined. If it's not the default value, you've already stored an address in it and can jump to regular code instead of replacing the symbol's value.
So instead of going from the function that writes into "MaxHP", I tried to track down what accesses "MaxHP", as mentioned. But there are like 3 other functions besides the one that writes into it.

Let's take the function that writes into "MaxHP". This function, when triggered repeatedly, writes to two addresses (MaxHP and Current HP) and also to some random addresses only once (displays, perhaps?):

game.exe+AAAA : mov [rcx+01],al

Note the addresses and offsets are different from the example I gave in the first post, just to keep it simple.

While the other three functions that only access MaxHP are:

game.exe+BBBB : movzx eax, byte ptr [rdx+01]
game.exe+CCCC : movzx edx, byte ptr [rax+01]
game.exe+DDDD : movzx ecx, byte ptr [rax+01]
So what should I write in the table?

GreenHouse
GreenHouse!
Posts: 662
Joined: Fri Oct 12, 2018 10:25 pm
Reputation: 525

Re: Listing what a pointer function writes into?

Post by GreenHouse »

That looks like a 'GameMaker' game, which is annoying to make scripts for. But you could Google up something like "GameMaker Cheat Engine". There's a YouTube tutorial for it, explaining how to find things to compare.

cHAOSfRED
Noobzor
Posts: 10
Joined: Sun Jun 17, 2018 12:26 pm
Reputation: 0

Re: Listing what a pointer function writes into?

Post by cHAOSfRED »

GreenHouse wrote:
Fri Jul 16, 2021 9:26 am
That looks like a 'GameMaker' game, which is annoying to make scripts for. But you could Google up something like "GameMaker Cheat Engine". There's a YouTube tutorial for it, explaining how to find things to compare.
No, it is a UE4 game. So not that "pixel RPG" GameMaker kind.

GreenHouse
GreenHouse!
Posts: 662
Joined: Fri Oct 12, 2018 10:25 pm
Reputation: 525

Re: Listing what a pointer function writes into?

Post by GreenHouse »

cHAOSfRED wrote:
Sat Jul 17, 2021 1:16 pm
No, it is a UE4 game. So not that "pixel RPG" GameMaker kind.
Then do what EpicBirdi said. Remove the offset from the address, and look at what accesses it. And then, if there are multiple characters, at a specific offset there has to be an ID or something which you can compare in a script, and then mov each character to an alloc that way.

cHAOSfRED
Noobzor
Posts: 10
Joined: Sun Jun 17, 2018 12:26 pm
Reputation: 0

Re: Listing what a pointer function writes into?

Post by cHAOSfRED »

GreenHouse wrote:
Sat Jul 17, 2021 1:31 pm
cHAOSfRED wrote:
Sat Jul 17, 2021 1:16 pm
No, it is a UE4 game. So not that "pixel RPG" GameMaker kind.
Then do what EpicBirdi said. Remove the offset from the address, and look at what accesses it. And then, if there are multiple characters, at a specific offset there has to be an ID or something which you can compare in a script, and then mov each character to an alloc that way.
When you said "Remove the offset of the address", do you mean I have to look up the [rcx+00] address, not the "game.exe+00" address?

GreenHouse
GreenHouse!
Posts: 662
Joined: Fri Oct 12, 2018 10:25 pm
Reputation: 525

Re: Listing what a pointer function writes into?

Post by GreenHouse »

cHAOSfRED wrote:
Thu Jul 22, 2021 3:12 am
When you said "Remove the offset of the address", do you mean I have to look up the [rcx+00] address, not the "game.exe+00" address?
Yes, if the address that you have is +13C (which is written by movss [rbx+0000013C],eax), then remove 13C from it and look for that one.
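The scheme EpicBirdi and GreenHouse describe above (capture the base register on each write, cmp an ID byte so only the wanted record is stored, keep the symbol's default value as the "not captured yet" marker, then resolve every stat as base + fixed offset), modelled in Python as an added example. This is not code from the thread or from Cheat Engine; it runs against a constructed byte buffer rather than a process. Assumptions that the thread does not state: each unit record is 24 bytes (8 unknown bytes, four little-endian 2-byte stats, 8 zero bytes, following the first post's layout), the unit ID is the first of the unknown bytes, and `hook_capture` stands in for the injected code that would run at the write instruction.

```python
import struct

RECORD_SIZE = 24                                   # assumed: one 24-byte record per unit
ID_OFFSET = 0                                      # assumed: ID byte lives in the "?? ??" header
STAT_OFFSETS = {"MaxHP": 8, "MaxMP": 10, "CurHP": 12, "CurMP": 14}
DEFAULT_SLOT = 0                                   # what a symbol holds before anything was captured


def build_region(units):
    """Construct a fake stats region from (unit_id, maxhp, maxmp, curhp, curmp) tuples."""
    out = bytearray()
    for uid, maxhp, maxmp, curhp, curmp in units:
        out += bytes([uid]) + b"\x00" * 7         # the 8 unknown header bytes
        out += struct.pack("<HHHH", maxhp, maxmp, curhp, curmp)
        out += b"\x00" * 8                        # the trailing zero bytes
    return out


class FakeMemory:
    """A byte buffer mapped at an arbitrary address, standing in for the game process."""

    def __init__(self, region, mapped_at):
        self.mem = bytearray(region)
        self.base = mapped_at                      # changes on every "restart"

    def read_u8(self, addr):
        return self.mem[addr - self.base]

    def read_u16(self, addr):
        return struct.unpack_from("<H", self.mem, addr - self.base)[0]

    def write_u16(self, addr, value):
        struct.pack_into("<H", self.mem, addr - self.base, value)


def new_slots(unit_ids):
    """One symbol per unit, all holding the default value (the 'dq 0' of an AA script)."""
    return {uid: DEFAULT_SLOT for uid in unit_ids}


def hook_capture(memory, record_base, slots):
    """What the injected code does on each write: the register (rcx/rbx in the thread)
    holds record_base. Compare the ID byte against the wanted units and store the base
    only into a slot that still holds its default, so a later one-off write to some
    throwaway copy with the same ID does not overwrite a good capture."""
    uid = memory.read_u8(record_base + ID_OFFSET)
    if uid in slots and slots[uid] == DEFAULT_SLOT:
        slots[uid] = record_base
    return slots


def stat_address(slots, uid, stat):
    """Resolve a table entry: captured base + fixed stat offset."""
    base = slots[uid]
    if base == DEFAULT_SLOT:
        raise LookupError(f"unit {uid} not captured yet; trigger an HP change first")
    return base + STAT_OFFSETS[stat]


def simulate_hp_writes(memory, slots, record_count):
    """Pretend the game's single HP-write function fired once per record in the region."""
    for i in range(record_count):
        hook_capture(memory, memory.base + i * RECORD_SIZE, slots)
    return slots


def demo():
    # Constructed sample: four units, then a stray record with unit 2's ID that the
    # game writes to only once (the "displays perhaps?" case from the thread).
    units = [(1, 100, 20, 80, 10), (2, 150, 30, 150, 30),
             (3, 90, 50, 45, 50), (4, 120, 0, 120, 0)]
    stray = [(2, 1, 1, 1, 1)]
    memory = FakeMemory(build_region(units + stray), 0x7FF612340000)  # arbitrary map address
    slots = new_slots([1, 2, 3, 4])
    simulate_hp_writes(memory, slots, len(units) + len(stray))
    cur_hp_3 = memory.read_u16(stat_address(slots, 3, "CurHP"))
    memory.write_u16(stat_address(slots, 2, "MaxHP"), 999)           # an edit from the table
    new_max_hp_2 = memory.read_u16(memory.base + RECORD_SIZE + 8)    # read back by raw address
    return slots, cur_hp_3, new_max_hp_2


if __name__ == "__main__":
    print(demo())
```

After a restart the slots must be reset to `DEFAULT_SLOT` (in a Cheat Engine table that is what disabling and re-enabling the script does), otherwise the stale addresses from the previous mapping would be kept by the default-value check.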
