Can help with multilevel pointers find?
Hello.
I am a noob with CE, and I am trying to learn to find multilevel pointers.
But I have a problem finding the Health pointer on The_Swords_of_Dittov1.14.01-202.
Can someone help me with it plz?
My final goal is to learn how to do it for other games too...
I can find the pointer for one session of the game, but it changes for every map and every session.
Thx very much guys.
Re: Can help with multilevel pointers find?
You likely need to change the structure size and max. level. That or look into code injection and just hook the address.
Re: Can help with multilevel pointers find?
thx for reply.
How does injection work if the address changes every time the game is reloaded?
I tried to compare the scanned address with another scanned address after reloading the game, but only one address is found...
thx for the help. (and sorry for my english)
Re: Can help with multilevel pointers find?
Check the wiki; it goes over code injection and the use of AOBs. But basically you hook the code that accesses the address.
Code: Select all
define(bytes, 8B 47 58 5F 8D 14 F6)
////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
aobScanModule(aobSkillPointsHook, Borderlands2.exe, E8xxxxxxxx83xxxx8Bxxxxxx8Dxxxxxx8Dxxxxxx8B)
define(injSkillPointsHook, aobSkillPointsHook+8)
assert(injSkillPointsHook, bytes)
registerSymbol(injSkillPointsHook)
alloc(memSkillPointsHook, 0x400, injSkillPointsHook)
label(ptrSkillPointsHook)
registerSymbol(ptrSkillPointsHook)
label(n_code)
label(o_code)
label(exit)
label(return)
memSkillPointsHook:
ptrSkillPointsHook:
dd 0
align 10 CC
n_code:
mov [ptrSkillPointsHook],edi
o_code:
mov eax,[edi+58]
pop edi
lea edx,[esi+esi*8]
exit:
jmp return
////
//// ---------- Injection Point ----------
injSkillPointsHook:
jmp n_code
nop
nop
return:
////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
////
//// ---------- Injection Point ----------
injSkillPointsHook:
db bytes
unregisterSymbol(injSkillPointsHook)
unregisterSymbol(ptrSkillPointsHook)
dealloc(memSkillPointsHook)
{
//// Injection Point: Borderlands2.exe+BA6377 - 01C46377
//// AOB address: 01C4636F - Borderlands2.exe+BA636F
//// Process: Borderlands2.exe - 010A0000
//// Module: Borderlands2.exe - 010A0000
//// Module Size: 01AC7000
Borderlands2.exe+BA633C: 83 C0 04 - add eax,04
Borderlands2.exe+BA633F: 74 E4 - je 01C46325
Borderlands2.exe+BA6341: 8B 30 - mov esi,[eax]
Borderlands2.exe+BA6343: 85 F6 - test esi,esi
Borderlands2.exe+BA6345: 78 DE - js 01C46325
Borderlands2.exe+BA6347: 3B 77 5C - cmp esi,[edi+5C]
Borderlands2.exe+BA634A: 7D D9 - jnl 01C46325
Borderlands2.exe+BA634C: 8B 47 5C - mov eax,[edi+5C]
Borderlands2.exe+BA634F: 3B F0 - cmp esi,eax
Borderlands2.exe+BA6351: 7C 24 - jl 01C46377
Borderlands2.exe+BA6353: 85 F6 - test esi,esi
Borderlands2.exe+BA6355: 75 04 - jne 01C4635B
Borderlands2.exe+BA6357: 85 C0 - test eax,eax
Borderlands2.exe+BA6359: 74 1C - je 01C46377
Borderlands2.exe+BA635B: 68 E8082A02 - push 022A08E8 [00000000]
Borderlands2.exe+BA6360: 68 5C020000 - push 0000025C
Borderlands2.exe+BA6365: 68 F80B2A02 - push 022A0BF8 ["d:\bamboo\builds\man-mancanapccert-job1\development\src\core\inc\Array.h"]
Borderlands2.exe+BA636A: 68 C80B2A02 - push 022A0BC8 ["i>=0 && (i<ArrayNum||(i==0 && ArrayNum==0))"]
Borderlands2.exe+BA636F: E8 ACF64DFF - call 01125A20 <<<--- AOB Starts Here
Borderlands2.exe+BA6374: 83 C4 10 - add esp,10
//// INJECTING START ----------------------------------------------------------
Borderlands2.exe+BA6377: 8B 47 58 - mov eax,[edi+58]
Borderlands2.exe+BA637A: 5F - pop edi
Borderlands2.exe+BA637B: 8D 14 F6 - lea edx,[esi+esi*8]
//// INJECTING END ----------------------------------------------------------
Borderlands2.exe+BA637E: 5E - pop esi
Borderlands2.exe+BA637F: 8D 04 90 - lea eax,[eax+edx*4]
Borderlands2.exe+BA6382: 5B - pop ebx
Borderlands2.exe+BA6383: 8B E5 - mov esp,ebp
Borderlands2.exe+BA6385: 5D - pop ebp
Borderlands2.exe+BA6386: C2 0400 - ret 0004
Borderlands2.exe+BA6389: CC - int 3
Borderlands2.exe+BA638A: CC - int 3
Borderlands2.exe+BA638B: CC - int 3
Borderlands2.exe+BA638C: CC - int 3
Borderlands2.exe+BA638D: CC - int 3
Borderlands2.exe+BA638E: CC - int 3
Borderlands2.exe+BA638F: CC - int 3
Borderlands2.exe+BA6390: 55 - push ebp
Borderlands2.exe+BA6391: 8B EC - mov ebp,esp
Borderlands2.exe+BA6393: 8B 45 08 - mov eax,[ebp+08]
Borderlands2.exe+BA6396: 53 - push ebx
Borderlands2.exe+BA6397: 50 - push eax
//// Template: I2CEA_AOBFullInjection
//// Generated with: I2 Cheat Engine Auto Assembler Script Template Generator
//// Code Happy, Code Freely, Be Awesome.
}
Re: Can help with multilevel pointers find?
Little off-topic, but you can aobscanmodules, then just the (variableName, module, ?? ??)? and it works the same way as a regular aobscan(VariableName, ?? ??) but only scans within the module?
@OP if you post the game or an address I can help you make this work. Tim is saying that you don't need the pointer if you have the code, you can just scan for the assembly(opcode) via AOB that uses that address.
The way I normally do it is, let's say:
your code is:
push edx
mov edx, [esi+eax*8+4]
When you disassemble you have the following bytes (I am making this up with no code)
a3 43 F0 D2 37 28 24 64
You know the variable is whatever the value is after they do esi+eax*8+4 and shove that into edx. So identify the byte range that is esi"""""""+4 and mask out those bytes. In our example something like
a3 43 F0 D2 ?? ?? ?? ??
Then write the code like
Aobscan(WantedVariableOrig, a3 43 F0 D2 ?? ?? ?? ??)
This will take the value at the AOB and load it into your variableORIG. Make sure to add a label and registersymbol (multiple if you will use that data more than once)
Then just go into your code
[enable]
alloc
label
register
activateScript:
mov edx, [WantedVariable]
jmp [WantedVariableOrig]+1
WantedVariable:
dd (float) 1.5
deactivateScript:
mov edx, [esi+eax*8+4]
jmp WantedVariableOrig
[disable]
unregister
dealloc
Something like this. I am very new to ASM and coding in general! I am self taught and I am sorry if my information is off. I do like helping tho and I hope I covered your question.
Re: Can help with multilevel pointers find?
Thx very much, really, for the help.
I have been reading for around 1 month and trying to learn how it works... But I am sure my problem is the comprehension of the English; it goes better when I see the examples.
I made this code, but something is wrong, because when I execute it, the game crashes.
I did it with the template cheat table framework and AOB injection.
And I have not modified any part of it atm.
thx both guys.
Code: Select all
{ Game : The_Swords_of_Ditto.exe
Version:
Date : 2019-05-05
Author : ChusskiNew
This script does blah blah blah
}
[ENABLE]
aobscanmodule(INJECT,The_Swords_of_Ditto.exe,5C C8 F2 0F 11 0E 89 F0) // should be unique
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
movsd [esi],xmm1
mov eax,esi
jmp return
INJECT+02:
jmp newmem
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT+02:
db F2 0F 11 0E 89 F0
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "The_Swords_of_Ditto.exe"+4921E
"The_Swords_of_Ditto.exe"+491F5: DD 5C 24 20 - fstp qword ptr [esp+20]
"The_Swords_of_Ditto.exe"+491F9: F2 0F 10 44 24 20 - movsd xmm0,[esp+20]
"The_Swords_of_Ditto.exe"+491FF: EB 04 - jmp The_Swords_of_Ditto.exe+49205
"The_Swords_of_Ditto.exe"+49201: F2 0F 2A 06 - cvtsi2sd xmm0,[esi]
"The_Swords_of_Ditto.exe"+49205: F2 0F 5C 07 - subsd xmm0,[edi]
"The_Swords_of_Ditto.exe"+49209: F2 0F 11 06 - movsd [esi],xmm0
"The_Swords_of_Ditto.exe"+4920D: C7 46 0C 00 00 00 00 - mov [esi+0C],00000000
"The_Swords_of_Ditto.exe"+49214: EB 0C - jmp The_Swords_of_Ditto.exe+49222
"The_Swords_of_Ditto.exe"+49216: F2 0F 10 07 - movsd xmm0,[edi]
"The_Swords_of_Ditto.exe"+4921A: F2 0F 5C C8 - subsd xmm1,xmm0
// ---------- INJECTING HERE ----------
"The_Swords_of_Ditto.exe"+4921E: F2 0F 11 0E - movsd [esi],xmm1
"The_Swords_of_Ditto.exe"+49222: 89 F0 - mov eax,esi
// ---------- DONE INJECTING ----------
"The_Swords_of_Ditto.exe"+49224: 8D 65 F8 - lea esp,[ebp-08]
"The_Swords_of_Ditto.exe"+49227: 5E - pop esi
"The_Swords_of_Ditto.exe"+49228: 5F - pop edi
"The_Swords_of_Ditto.exe"+49229: 5D - pop ebp
"The_Swords_of_Ditto.exe"+4922A: C2 04 00 - ret 0004
"The_Swords_of_Ditto.exe"+4922D: CC - int 3
"The_Swords_of_Ditto.exe"+4922E: CC - int 3
"The_Swords_of_Ditto.exe"+4922F: CC - int 3
"The_Swords_of_Ditto.exe"+49230: 55 - push ebp
"The_Swords_of_Ditto.exe"+49231: 89 E5 - mov ebp,esp
}
Re: Can help with multilevel pointers find?
Twistedself wrote: ↑Sun May 05, 2019 5:12 pm
> Little off-topic, but you can aobscanmodules, then just the (variableName, module, ?? ??)? and it works the same way as a regular aobscan(VariableName, ?? ??) but only scans within the module?
> ...
Yes. It's good for larger module based games, which most newer games are.
Twistedself wrote: ↑Sun May 05, 2019 5:12 pm
> ...
> Aobscan(WantedVariableOrig, a3 43 F0 D2 ?? ?? ?? ??)
> ...
And any non hex number in a CE aob string is seen as a wild card, so ending one with all wildcards is pointless; i.e. "a3 43 F0 D2" is basically equal to this "a3 43 F0 D2 ?? ?? ?? ??". Not sure if CE just ignores it or if it would actually make the scan take longer.
Try doing a manual AOB scan (in the CE scan UI) and make sure you only get 1 address, or at least the first address is the right one. And just increase the AOB until it works. But the code looks fine so that would be my guess at this point.
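The uniqueness check suggested in the reply above, as an added example that is not part of the thread or of Cheat Engine: a small Python model of wildcard AOB matching, run over bytes copied from the disassembly listing chusski posted. The parser treats any byte pair that is not two hex digits as a full-byte wildcard (a simplification), and `resolve` is a hypothetical helper name.

```python
# Added example, not from the thread: offline model of AOB signature matching.
import string

HEX_DIGITS = set(string.hexdigits)
BASE = 0x49201  # module offset of CODE[0], taken from the posted listing

# Bytes copied from the posted listing (+49201 .. +4922C).
CODE = bytes.fromhex(
    "F20F2A06"        # +49201 cvtsi2sd xmm0,[esi]
    "F20F5C07"        # +49205 subsd xmm0,[edi]
    "F20F1106"        # +49209 movsd [esi],xmm0
    "C7460C00000000"  # +4920D mov [esi+0C],00000000
    "EB0C"            # +49214 jmp +49222
    "F20F1007"        # +49216 movsd xmm0,[edi]
    "F20F5CC8"        # +4921A subsd xmm1,xmm0
    "F20F110E"        # +4921E movsd [esi],xmm1   <- injection point
    "89F0"            # +49222 mov eax,esi
    "8D65F8"          # +49224 lea esp,[ebp-08]
    "5E5F5D"          # +49227 pop esi / pop edi / pop ebp
    "C20400"          # +4922A ret 0004
)


def parse_aob(pattern):
    """'F2 0F ?? 0E' or 'F20Fxx0E' -> [0xF2, 0x0F, None, 0x0E] (None = wildcard)."""
    compact = "".join(pattern.split())
    if len(compact) % 2:
        raise ValueError("pattern must be whole bytes")
    sig = []
    for i in range(0, len(compact), 2):
        pair = compact[i:i + 2]
        # Simplification: a pair that is not two hex digits is a full-byte wildcard.
        sig.append(int(pair, 16) if set(pair) <= HEX_DIGITS else None)
    return sig


def scan(buf, pattern):
    """Return every offset in buf where the pattern matches."""
    sig = parse_aob(pattern)
    return [off for off in range(len(buf) - len(sig) + 1)
            if all(b is None or buf[off + i] == b for i, b in enumerate(sig))]


def resolve(buf, pattern, skip=0):
    """Hypothetical helper: require exactly one hit, return module offset + skip."""
    hits = scan(buf, pattern)
    if len(hits) != 1:
        raise ValueError(f"{len(hits)} matches for {pattern!r}; signature is not unique")
    return BASE + hits[0] + skip


if __name__ == "__main__":
    # The signature from the posted script is unique here; INJECT+02 is the movsd.
    print(hex(resolve(CODE, "5C C8 F2 0F 11 0E 89 F0", skip=2)))
    # Too short: also hits the other movsd at +49209.
    print([hex(BASE + o) for o in scan(CODE, "F2 0F 11 ??")])
    # Trailing wildcards add no selectivity, but they still need that many
    # bytes after the match, so a hit at the very end of the buffer is lost.
    print(scan(CODE, "5C C8 F2 0F"), scan(CODE, "5C C8 F2 0F ?? ?? ?? ??"))
    print(scan(CODE, "C2 04"), scan(CODE, "C2 04 ?? ??"))
```

In this small window the script's signature resolves to one address, which only shows the pattern is well formed; the real check is the same scan over the whole module.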
Re: Can help with multilevel pointers find?
Hello guys.
I am now near to learning... but I don't know where I am wrong..... I think the problem is that I am working on a bad address... any idea? thx guys
By mobs hitting me and reloading the game, I took the bytes 4 times, from different addresses. These addresses are the ones I can change to raise health again.
This is what I tried, without luck:
Finding address:
opcodes write at address:
memory viewer:
codes listing on notepad to compare:
Code: Select all
00 00 00 00 00 00 59 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 59 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 40 00 00 00 00 00 00 00 00 0A D7 A3 70 3D 0A D7 3F 00 00 00 00 00 00 00 00
00 00 00 00 00 00 59 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 59 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00
00 00 00 00 00 00 59 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 59 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00
00 00 00 00 00 00 59 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 59 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00
00 00 00 00 00 00 59 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 59 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00 00 00 00 00 00 00 00 00 78 78 78 78 00 00 00 00
Code: Select all
[ENABLE]
aobscanmodule(health,The_Swords_of_Ditto.exe+4921e,?? ?? ?? ?? ?? ?? 59 40)
label(dittohealth)
registersymbol(dittohealth)
health:
dittohealth:
[DISABLE]
unregistersymbol(dittohealth)
Re: Can help with multilevel pointers find?
Hello guys, I am getting crazy....
Any idea?
thx in advance
Re: Can help with multilevel pointers find?
Try an actual injection hook and use the AOB injection template, but it looks like that might be a shared instruction and you'll have to filter it out some way. If you are unsure how to do that, do the CE tutorial.
Re: Can help with multilevel pointers find?
Thx Tim. I really appreciate your help, this wiki with images is great, I'm moving forward a lot. But I know I'm not a great student, I think it's devolved to my English ... but I've completed it until Step 9 and those examples do not help me understand what happens when I try it in the Ditto game.
It's as if the address is looping or something like that ...
I have managed to find a pointer that when I get hit the initial address appears but I can not get more of that. This pointer when passing between screens does not change, but it does when restarting the game.
If I understood correctly:
-injection hook: is to inject another direction on which you are looking. When I do this the game crashes. To avoid this, I would need the address that was not shared, no?
-AOB injection template:
It is to avoid looking for a pointer, like in Step 9, if you do not look for the correct bytes, several times you compare them and with the pattern create an AOB that looks for it alone. But as I only find the initial address, and this is not serving me because of many patterns that I do ... when I set it up in the AOB, it finds a direction that has nothing to do ...
I can't understand what I am doing wrong...
Re: Can help with multilevel pointers find?
If you used a template, then it most likely crashes because more than one address is accessed by the instruction. Step 9 of the tutorial goes over shared instructions.
chusski wrote: ↑Tue May 07, 2019 6:13 am
> ...
> -AOB injection template:
> It is to avoid looking for a pointer, like in Step 9, if you do not look for the correct bytes, several times you compare them and with the pattern create an AOB that looks for it alone. But as I only find the initial address, and this is not serving me because of many patterns that I do ... when I set it up in the AOB, it finds a direction that has nothing to do ...
No, AOB injection is for using a "scan signature" to deal with the instruction's address changing, like after an update and even some games the address will change after a reboot. The injection hook itself is for "hooking" the base of the address you want to basically make your own pointer.
Re: Can help with multilevel pointers find?
Well, let's see if I do the steps correctly.
1- I look for the direction of life. (100)
-I search for 100 (is Double)
-I get hit
-I look for Decrease
2-With the direction of Life: (00123BBB)
-I do Find write to address:
-In the beginning I was 2 and its counters do not stop going up.
-I let them stick and an instruction is added (always the same: 0109921E - F2 0F11 0E - movsd [esi], xmm1)
-in this instruction I do show disassembler
3-Find what access to this instruction: (difficult because the game slows down a lot)
-I let them hit me. and I stop it.
- Appear hundreds of addresses.
-Address 3 addresses with 1 counter. (Double)
-Only one of them has the value of life. which is the same as at the beginning (00123BBB)
What do I need to do next? Compare the hundreds of addresses that come out?
In the tutorial Step 9 only 4 and it is easy to find the differences, more or less ....
If I compare the 3 addresses that have 1 counter, I really don't know what I am looking for...
thx again
Re: Can help with multilevel pointers find?
@ chusski
In order to help you out, on version 1.15.02-202 REL, by Plaza, if you have that one, test this option below.
So while playing, load that table and F2 ..ESC then so that the visual will activate and you'll have unlimited bombs, I can find the health also.. let me know if this works for your version, on the version I've mentioned it works very well.
Attachments: item-bomb.CT (1.17 KiB)
Re: Can help with multilevel pointers find?
Thx very much for the help VampTY.
I am working with The_Swords_of_Dittov1.14.01-202. Only working with that because I started with it.
I also have 1.15.02-202 REL installed. But it's np, I can try tomorrow. Now I am at work.
If you can find the way to the health pointer, it would be great to see your work. And it helps me a lot to see it, to understand my mistake.
But I want to understand what I am doing wrong, and learn how this world works. Really I am getting crazy with that pointer, but I am new to CE.
Thx again for all your time guys.