Cheats Game hacking articles Dissect data/structures in Cheat Engine (Latest update: 30th January, 2011)
Dissect data/structures in Cheat Engine (Latest update: 30th January, 2011)
This tutorial will show You how to use the data dissector to find interesting values and analyze data.
I will use Cheat Engine 6.0 in the tutorial. You can download it from here:
http://www.cheatengine.org
Our target process will be Armies of Exigo's DEMO version. It is small, freely available, very easy to find values and a fairly good game (one of my old favorites), so it is an excellent choice for demonstration. Use Google to find dozens of links for the demo but here are some links to keep up the pace:
http://www.gamershell.com/download_6761.shtml
http://www.fileplanet.com/144582/140000/fileinfo/Armies-of-Exigo-Demo
Our task will be to find a few unit's structure, analyze them and find a "player ID" to create a god mode cheat.
Start the game and play it a bit. If You have played Warcraft and similar games, this game will be familiar to You.
1st task: Finding the unit's health and the code which is changing the health
This should be very easy, the health of a unit it displayed when it is selected. It is stored as a Float type value. Find some enemies, search for Your health and if You have found it (You should have only 1 result in Your list), add it to the table.
Now right-click on it and choose "Find out what writes to this address". Go back in the game, loose some health and You will find this code:
005DA8DC - D9 5E 04 - fstp dword ptr [esi+04]
2nd task: Finding some more unit's health
Now You have the code which is changing the health for all units when they are taking damage. Your task is to find a few unit's health, including enemy and friendly units. Get 2 units and find some enemies. Right-click on the code that You have found and choose "Find out what addresses this code reads from". Make sure that Your test subjects will not die in the process. It would be optimal if You could find at least 2 friendly and 2 enemy unit's health. Like this:
3rd task: Checking the structures
Now You should have enough addresses to start analyzing a unit's structure. So what are structures? To keep it short, let's just say that some values are stored together in one place instead of scattered around in the memory (You can find many more info about structures on the Cheat Engine Forum).
In our case, the most important data about a unit is stored together in a structure as You will see it in a minute. The start of the structure (the base address) is usually the register between the [], which is in our case ESI. ESI+04 is the address of the health, so we can clearly see that the health is stored almost at the start of the structure. Ok, what kind of information can we find here?
1. Open the memory browser and use Tools->Dissect data/structures.
2. As we have 4 units to compare, use File->Add extra address to add 3 more address slots.
3. Now in the address slots, type in the address of ESI, which is in our case the health address-4 for all 4 units.
4. If it is done, use Structures->Define new structure.
5. You can give a name for the structure, but it is not important, click Ok.
6. Click Yes and allow Cheat Engine to guess the type of the values automatically. It will do a very good job.
7. It is enough to analyze 4096 bytes now, so click on OK again.
Now You see 4 coloumns with a bunch of data using red and green colors. Red means that the values in the structures are different, green means the values are perfectly matching in the structures for all 4 units.
To make things even easier for us, we can even create groups. As we will try to analyze the differencies between friendly and enemy soldiers, let us put enemies in a different group. Right-click on the enemy unit's address and choose Change group. Set all enemy unit's group to 1.
You can immediately see that some colors has changed and some values are shown with blue color. Blue color means that the value is the same inside that group, but it is different compared to other groups.
Here is a picture of what should You see:
Now we can go on with the analyzis. I told You this will be an easy game so You will immediately see the important values.
offset 0000 [ESI]: As You can see, the first value is 0 for friendly units and 1 for enemy units. Yes, You are right. This value is storing the owner of the unit. 0 is the human player so if this value is not 0, the unit is an enemy unit.
offset 0004 [ESI+04]: We know that already, this is the health of the unit. :)
offset 0008 [ESI+08]: If You have a sharp eye, You can probably see that this value is the maximum amount of health for the unit.
offset 000C [ESI+0C]: Mana of the unit.
offset 0010 [ESI+10]: Max mana of the unit.
This info is already enough for us to make a god mode script and if You find the code which is changing the mana, You can easily create an infinite mana script too, which will work for Your units only.
Now my test units don't have mana so 0C and 10 has 0 value.
Just a short video to keep up the pace if You are confused about something:
YouTube has disabled this video, so here is a backup, hosted on this site:
Dissect data/structures in CE 6.0 video
All we have to do now is write a script which is checking the value of ESI when the health would be changed and if it is 0, change the unit's health to maximum.
God Mode script (this is an old script that I have made ages ago):
fstp dword ptr [esi+04] //original code which is changing the health
pushfd //save flags
pushad //save registers
cmp [esi],0 //check if ESI=0
jne +6 //if ESI is not 0, the code will jump over the next 2 lines, jumping to the "popad" instruction
mov eax,[esi+08] //copy the max health on eax
mov [esi+04],eax //copy eax to the health, so max health = health
popad //load registers
popfd //load flags
Feel free to use code injection and try out the script, it will make Your units invincible.
If You want, go for it and create an unlimited mana script too. It should be piece of cake now.
Conclusion:
Now You have seen a real example of how values are stored in structures. We have searched for the health only, but with the help of the data dissector, we have easily found the player ID, max health, mana and max mana too. And we could find even more, like attack speed, attack range, attack power, unit speed, unit rank, vision range, co-ordinates and many more.
In FPS games, You can use the same method to compare Your player's structure to the enemies' structure. Find the health, armor, co-ordinates, gravity modifier, speed modifier and many more values that are related to Your charachter.
Or find the ammo for Your weapons and compare Your weapons' structure. Find the ammo, max ammo, rate of fire, weapon range, and many more weapon related values.
The same goes for racing games and other simulators, RPG's and so on...
There is one last important information that You need to know. Structures are sometimes connected to other structures. Like tables in a database. It may happen that a unit's information is stored in 2 or more structures, not just in one. Usually structures are connected to each other with pointers, so in a structure, sometimes You may find pointers that are pointing to another structure which also holds further information that You may need. It is always useful to check out the pointers to see where are they pointing. They are the connection to some useful information.
Examples:
In RTS games, a pointer in the unit structure may point to the "player structure" which holds the amount of resources and other information about the player. Sometimes You can use this pointer as a player ID for the unit if You have found a way to connect both structures.
In FPS games, a pointer may point to the name of the charachter, usually to "Player" or similar string, and You can use this string to compare and create a god mode. If You check a weapon structure, usually You find a pointer which is pointing to the charachter's structure, this way You can create unlimited ammo for weapons that are pointing to Your charachter's structure only.
In summary, You need to realize that data and structures are connected to each other by pointers. Be creative, patient, vigilant and You can figure out where are these connections and how to use them to Your advantage.
Just a small "extra":
I have already written about the Data dissector's options and You can find it in the CE helpfile too, but here it is anyway:
This option is a fine tool to examine or compare data in similar memory regions or structures. It can be used if you wish to compare your charachter's structure with the enemy's structure in an FPS or strategy game, but of course it can be used for other purposes too.
File->New window: This option will open a new dissect window.
File->Import: Import a structure.
File->Export: Export a structure.
File->Save values: Save the content of the window in a file.
File->Add extra address: Add a slot for an extra address for comparing.
View->Change colors: Customize the colors of this tool.
View->Update interval: Customize the value update interval.
Structures: Create a new structure with Define new structure, then give a name and a size for the structure. If you have more than one structure, you can choose the one that you need from here.
Commands: Rename and Delete structure will rename and delete the currently used structure.
Automatically guess offset types will allow CE to guess the type of values in the structure.
If you have added one or more addresses to the window, you can right-click on an address and sort them into groups. This is very useful because you can compare the values in every structure and also see if the values are the same in the same group, or they are different inside the group too (e.g. you can add 2 enemy unit and 2 friendly unit in an RTS game and place the enemies in a different group, thus you will see what is common between friendly units and what is common between enemy units)
If you right-click on an entry in the window, some additional options will be available, such as Memory browse this address, Memory browse this pointer and Add to address list.
That's the end of it, I hope You will find interesting values whatever You are searching for in whatever game.
For now, I think I will play a bit with Armies of Exigo, keep experimenting with any game that You like. :)
Peace!
Geri
To see an example of how can You modify things in an FPS game with the data dissector, read this topic:
http://forum.cheatengine.org/viewtopic.php?p=5188854
The videos are here:
Hozzászólások
This will help me out
That what I'm asking for ..
Thanks too much Geri for all yours efforts
FM
OK,, This the code for Mana:
00470E2C - 89 41 0C - mov [ecx+0C],eax
so,...etc... then
1. Dissect data/structures.
2. Add extra address ( i already have 5 addresses)
3. in my case the Mana address-0C for all
4. my players 0 the others not 0 (1,3 and 5)
5. I wrote a script which is checking the value of ECX when the MANA would be changed and if it is 0, change the unit's MANA to maximum.
pushfd
cmp [ecx],0
jne originalcode
mov eax,[ecx+10]
mov [ecx+0C],eax
popfd
originalcode:
mov [ecx+0C],eax
ret 0004
it's work fine with me but i don't know if that right
The other :
in your script you used +6 then you said //the code will jump over the next 2 lines, jumping to the "popad" instruction
what is mean +6 ? in other script you wrote 0C ... etc?
That's all for now
Your script has an error. I am surprised it didn't crash, guess You were lucky.
If the "jne originalcode" is jumping to the originalcode section, the "popfd" instruction will not be executed as it is jumped over as You see.
pushfd
cmp [ecx],0
jne originalcode
mov eax,[ecx+10]
mov [ecx+0C],eax
originalcode:
popfd
mov [ecx+0C],eax
ret 0004
This way however it will be executed regardless of that the code has jumped or not as originalcode is executed anyway.
You always have to make sure to care of the push/pop instructions whether the code will jump to somewhere or not. It is a common mistake and causing lots of troubles for beginners.
yep it didn't crash, but my players walk slowly ... so that why i asked you to look at my script thanks ..
as you said:
It is a common mistake and causing lots of troubles for beginners.
so, i have to learn from my mistakes !!
The jne +6 means jump over 6 bytes. Because that 2 line of code is taking up 6 bytes when it is compiled.
Its mean any compiled will take 6 bytes ??
or there is another way to calculate my jump bytes ??
i like yours ,, it's so cool and too easy
so ,, my script will look like as you method :
pushfd
cmp [ecx],0
jne +6
mov eax,[ecx+10]
mov [ecx+0C],eax
popfd
originalcode:
//mov [ecx+0C],eax
//ret 0004
The opcode is usually 1 byte (well not exactly, but let's say it is about 1 byte).
And the rest is depending on the number of parameters. For example:
jmp 40506070
This would be 5 bytes. One for the "jmp" and 4 bytes for the address.
je +6
This would be 2 bytes only. One for the jump and one for the "6" parameter.
If You spend more time with assembly and looking at codes, You will know how much space do they take up and how is it working. You can see them in the disassembler view so not hard to learn it.
I have a question
Always represented with 0 and 1 computer player
Or this may be an example 621 and 200 computer player
Hi delta! :)
It can be anything that you can use to identify your units. In many cases, you can even use pointers too, which are pointing to the same memory region where your money or other faction information is stored.
Usually there is a player ID number like in this case and it is also usual that 0 or 1 is the human player but in some cases it may be a color ID, like "blue player = 0, red player = 1" etc.
If there is no obvious ID, nowhere, then you can try to hunt for pointers but I don't like that solution as in that case you have to write a script with 2 hooks and this will decrease the chance of compatibility with later versions. If it is not too difficult, I write scripts with one hook only because aobscan will work better that way.
Another question
I get to find his example difference Blazblue Calamity Trigger
The ID was offset 28
And the energy was 848 Offset
As I conclude that the player was in 28 id
Because would not fail to be enough to similar areas
Trace?
Where to look for the 1
I ask this because the offset distance of 28 to 848 is hard to find energy
Explain if you have time please
A cikk hozzászólásainak RSS-csatornája.