
Would it be possible to avoid searching values and setting them (I explained what I need below) in Cheat Engine? I know you can find pointers of addresses and create a trainer, but the problem is that the apps I use Cheat Engine on get updated a lot by my companies, and the pointers change every time. Meaning, I would have to create new trainers multiple times a week. Basically almost every day.

I would like to automate this, since what I need is quite easy:

1) open cheat engine and select application by name (example.exe)

2) Find float values that are equal to 100.0

3) wait for 2 seconds (so I can change stuff in app)

4) find float values that have changed to 200.0

5) wait 2 seconds (so I can change stuff in app)

6) find float values that now have changed to 300.0

7) at this point there will only be 3 values found. So I need to select the last one and freeze it to 500.0, so even if the app changes it back to 300.0, it gets set to 500.0 again.

As you can see, it's super annoying to do this manually, and I don't want to create like 3 trainers almost every day just to use them like 3x that day.

So my question is, would it be possible to automate this?

I'm not asking for complete code, but some detailed info with links would be highly appreciated. I have used Cheat Engine a lot, and I know a lot about programming, but I have 0 experience and knowledge about Cheat Engine scripting.

PragmaticEd

  • When I used to make WoW bots, this would be done by mapping out the various structs in memory. For example, we'd find out that the character list is stored at an offset in some struct, and from there, we could begin mapping out the vtable for its member items, etc... –  Jul 27 '17 at 19:38
  • Did you do that using cheat engine? – PragmaticEd Jul 27 '17 at 19:42
  • I used cheat engine to map them out and do the manual work, but it's not really an appropriate tool for "properly" doing this kind of work. –  Jul 27 '17 at 19:53

2 Answers


Would it be possible to automate this? Yes it would be. You could automate this by creating a cheat engine script at the least or creating a trainer. Your question also states that you want to do it without creating a trainer, so no.

The Cheat Engine LUA or simple Cheat Engine scripting framework includes functionality for everything you're wanting to do:

openProcess()   //to get process access rights for the process
MemScan::firstScan()  //to scan for 100.0f
MemScan::nextScan()  //to filter/rescan the results
sleep()  //to pause execution
memrec_freeze()  //to freeze

The link you're requesting is to the LUA and Auto Assembler Tutorial section of the official Cheat Engine forum.

When the game you're working on updates frequently, you are correct that pointers become a burden to reverse and update each patch. The solution is to use array-of-byte signature scanning to locate the assembly instructions that access the variables you're wanting to access. Don't worry, CE has you covered on that as well: AOBScan().

GuidedHacking

Most of the time you can create a script that will handle updates. For example, once you find the address, right-click and do 'find out what accesses this address'. Wait for something to change the value and the window that pops up will show you the code that changes that address. Right-click on one of the results and open the disassembler. Let's say it's the line movsd xmm0,[ecx] here:

8B 01       - mov eax,[ecx]
89 06       - mov [esi],eax
EB 54       - jmp Game.exe+45951
F2 0F10 01  - movsd xmm0,[ecx]
F2 0F11 06  - movsd [esi],xmm0

Select that line and hit CTRL+A to open the auto-assembler window. Then from the Template menu select 'AOB Injection'. Save this to your table and close the window, then open up that new script. There will be a line near the top that starts with aobscanmodule. If you see an error there it couldn't determine a unique signature for that memory location. If there is no error, then when the game is updated and the addresses change, it should still be able to find it. There should be a section that looks like this:

code:
  movsd xmm0,[ecx]
  movsd [esi],xmm0
  jmp return

This is relocated code. The original code in the game is replaced with a jmp to a newly allocated memory area where this code is assembled, then the jmp return goes back to after that code in the original memory region.

You need to know a touch of assembly. The instruction movsd xmm0,[ecx] loads the floating point value in the memory location pointed to by ecx into the xmm0 register. This accesses the memory location you care about, so you could just set that value like this:

code:
  mov [ecx],(float)500.0 // set value to 500.0
  movsd xmm0,[ecx]
  movsd [esi],xmm0
  jmp return

Now whenever the program tries to run that code which accesses that memory location, it will instead jump to the new memory location, update the value at that address to 500.0, then run the original code and jump back.

When the aobscanmodule line does show an error, it means that there are too many sections of code that are too similar. The logic looks backwards and forwards several lines of assembly and looks for the hex bytes, ignoring addresses that might change if the game is updated. For instance, nothing in that code will probably change when the game is updated: there are no pointers and just one fairly close jmp instruction.

To be extra careful you might want to stop the window that is finding code accessing that address, then right-click on that line of code and select 'find out what addresses this instruction accesses'. If more than one address appears in the window then you're kinda screwed without more help because it is a generic piece of code used for more values than just the one you care about.

Jason Goemaat