[SOLVED] Pointers to <value>. How to find and add.

[Bakfiets]

Hi there,

for the game I'm trying to learn cheat engine with, i have found the value for armor. However, CE is unable to freeze is, but my own 'script' does the job. I have found that the function is called "handleDamage" and is not triggered by me damaging enemies. I can't for the life of me figure out where it checks for 0 armor and thus should jump to the health part, but that's a whole different story.

Question is, I see a heck of a lot of tables having pointers to such values (P->????????). I can't figure out how to find and add the correct pointer to the adress list. In tutorials it just magically happens || worse, the tutor skips at this time to his next trick, thus ommiting the interesting part.
Why i want to do this? It is my understanding that it would negate the need for the script; not forgetting knowledge.

The RDI has a structue with the armor in it. RDI+00 is "autocreate pointers".
Am i missing something or is perhaps JIT-compiling the issue? It's a mono/unity game.

My code (iirc, stop mov-ing the calculated new armor value into the address where armor lives):

Code: Select all

:
aobscan(INJECT,F3 0F 11 AF B0 00 00 00 EB 22) // should be unique
... bla....

code:
  nop
  //movss [rdi+000000B0],xmm5
  jmp return

Full code:

Spoiler

Code: Select all

[ENABLE]

aobscan(INJECT,F3 0F 11 AF B0 00 00 00 EB 22) // should be unique
alloc(newmem,$1000,1AC7752E)

label(code)
label(return)

newmem:

code:
  nop
  //movss [rdi+000000B0],xmm5
  jmp return

INJECT:
  jmp newmem
  nop
  nop
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db F3 0F 11 AF B0 00 00 00

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 1AC7752E

""+1AC774FF: F3 0F 10 45 D4           -  movss xmm0,[rbp-2C]
""+1AC77504: F3 0F 5A C0              -  cvtss2sd xmm0,xmm0
""+1AC77508: F3 0F 10 0D A0 02 00 00  -  movss xmm1,[1AC777B0]
""+1AC77510: F3 0F 5A C9              -  cvtss2sd xmm1,xmm1
""+1AC77514: F2 0F 5C C1              -  subsd xmm0,xmm1
""+1AC77518: F2 0F 5A E8              -  cvtsd2ss xmm5,xmm0
""+1AC7751C: F3 0F 11 6D D4           -  movss [rbp-2C],xmm5
""+1AC77521: F3 0F 10 45 D4           -  movss xmm0,[rbp-2C]
""+1AC77526: F3 0F 5A C0              -  cvtss2sd xmm0,xmm0
""+1AC7752A: F2 0F 5A E8              -  cvtsd2ss xmm5,xmm0
// ---------- INJECTING HERE ----------
""+1AC7752E: F3 0F 11 AF B0 00 00 00  -  movss [rdi+000000B0],xmm5
// ---------- DONE INJECTING  ----------
""+1AC77536: EB 22                    -  jmp 1AC7755A
""+1AC77538: F3 0F 10 45 D8           -  movss xmm0,[rbp-28]
""+1AC7753D: F3 0F 5A C0              -  cvtss2sd xmm0,xmm0
""+1AC77541: F3 0F 10 0D 57 02 00 00  -  movss xmm1,[1AC777A0]
""+1AC77549: F3 0F 5A C9              -  cvtss2sd xmm1,xmm1
""+1AC7754D: F2 0F 58 C1              -  addsd xmm0,xmm1
""+1AC77551: F2 0F 5A E8              -  cvtsd2ss xmm5,xmm0
""+1AC77555: F3 0F 11 6D D8           -  movss [rbp-28],xmm5
""+1AC7755A: F3 0F 10 87 B0 00 00 00  -  movss xmm0,[rdi+000000B0]
""+1AC77562: F3 0F 5A C0              -  cvtss2sd xmm0,xmm0
}

[Rudo]

If you are sure that the function "handleDamage" is not shared with enemies you can scan for that function and then nop it (use RET).

[FreeER]

If you can't freeze the value directly then you won't be able to do it with a pointer either, as for finding them, you can search [Link] and find several videos (including [Link] for manually finding them, on the second page lol).

I've found unity/mono games difficult to create pointers for however and tend to rely on scripts. One nice things about mono is you should be able to use the name directly instead of an actual AoB eg. (a snippet from a personal cheat table I made for The Swindle)

Code: Select all

// make sure mono is enabled so that the symbols are loaded
USEMONO()
//aobscan(INJECT,8B 40 5C 8B D0) // should be unique
define(INJECT,PlayerData:GetDaysRemaining+9)

I've seen a few tables that assert that the expected bytes are at that address as well.

As Rudo mentioned, if the function is only for the player then you can often simply change the prologue push ebp (0x55) to ret (0xC3) or ret n (C2 XX XX, 2 byte little endian) if that's what the function originally used, potentially setting the r/eax return value.

[Bakfiets]

Hey guys,

thanks for the replies! I found out how to use the pointer scan/map to isolate the pointer, and it indeed is able to freeze the value (the correct one this time )

Post was longer, but fixed the issue

old content

However, trying to use MONO in my script, the game keeps crashing on MONO (something with a monopipe).
Cheat Engine 6.7, not debugging or anything.

Triggers seconds later, after taking damage for the first time.

Code: Select all

USEMONO()
define(preventDamageDef,HealthHandler:sendDamage+64)


[ENABLE]
label(preventDamage)
registersymbol(preventDamage)

preventDamageDef:
preventDamage:
  db 85 C0 0F 84 5C 00 00 00

[DISABLE]
preventDamage:
  db 85 C0 0F 84 5C 00 00 00

error

Error:...gram Files (x86)\Cheat Engine 6.7\autorun\monoscript.lua:440: attempt to index a nil value (global 'monopipe')