Creating a cheat table - Super Speed Hack

From Cheat Engine
Revision as of 08:01, 30 December 2017 by TheyCallMeTim13 (talk | contribs)
Jump to navigation Jump to search


This page is a sub page of: Creating a cheat table - Full guide

Now after a restart, this is what my table looks like.

Tutorials.Dishonored.SuperSpeed.01.png


Step 1

So let's take our base address and have a look in dissect data structure, from the Cheat Engine main form press Ctrl+M then press Crtl+D and put in the base address and create a new structure if you don't have one already made.

Note: You can use symbols for the address, but our ptrCoordBase pointer base holds the address so input it like this:

[ptrCoordBase]

Then I like to name the structure after the pointer I am using so again [ptrCoordBase].

Now find and label the values you have found already, then go to the area with the coordinates.

What we are looking for, are the player Deltas (Δ). Delta is basically math slang for rate of change in a system, there is a little more to them but if you remember the "train is moving at rate X" kind of stuff from math then you have used Deltas (Δ).

And with the dissect data structure visible just run around and jump to find some floats that are: 4 bytes apart, 0 with no movement, and show values when moving that seem to be in the right ball park for the movements made (you may need to set the type to float if the structure was created when the player was not moving). You can also lock the address and then add the ''[ptrCoordBase] base to a new address.


From right to left: Standing still, moving forward, jumping.

Tutorials.Dishonored.SuperSpeed.02.png

So in the above picture we can see 3 addresses that change only when moving, 0 when still, and are all 4 bytes apart.

I believe these to be the player Deltas (Δ).

Tutorials.Dishonored.SuperSpeed.03.png


So lets add then to the table.

[ptrCoordBase]+1B4
[ptrCoordBase]+1B8
[ptrCoordBase]+1BC


So now the table should look some thing like this:

Tutorials.Dishonored.SuperSpeed.04.png


Step 2

So lets see what accesses this address. What we are looking for is instruction that only runs when we move.

And you get a whole list of instructions.

Tutorials.Dishonored.SuperSpeed.05.png


Now we are look for a movement speed multiplier, and what I was told when learning was to see what accesses to the Delta or the Coordinate, then look around and place break points, and find addresses and freeze or set them to different values to see what happens.

You will find stuff that messes with the menu, the camera, the player aperance, and all kinds of other stuff (plus a few crashes), but we are looking for values that have an effect on movement so move on, but saving info and any static address found can be useful latter.

Dishonored.AK::MemoryMgr::SetMonitoring+D78C8 - F3 0F10 89 B4010000   - movss xmm1,[ecx+000001B4]
Dishonored.AK::MemoryMgr::SetMonitoring+D78D0 - F3 0F10 91 B8010000   - movss xmm2,[ecx+000001B8]
Dishonored.AK::MemoryMgr::SetMonitoring+D78D8 - F3 0F10 99 BC010000   - movss xmm3,[ecx+000001BC]
Dishonored.AK::MemoryMgr::SetMonitoring+D78E0 - 0F57 FF               - xorps xmm7,xmm7
Dishonored.AK::MemoryMgr::SetMonitoring+D78E3 - F3 0F59 C8            - mulss xmm1,xmm0
Dishonored.AK::MemoryMgr::SetMonitoring+D78E7 - F3 0F59 D0            - mulss xmm2,xmm0
Dishonored.AK::MemoryMgr::SetMonitoring+D78EB - F3 0F59 D8            - mulss xmm3,xmm0
Dishonored.AK::MemoryMgr::SetMonitoring+D78EF - F3 0F10 05 905C1E01   - movss xmm0,[Dishonored.AK::StreamMgr::CreateDevice+47ABC0] { [1.00] }
Dishonored.AK::MemoryMgr::SetMonitoring+D78F7 - F3 0F5E 45 08         - divss xmm0,[ebp+08]
Dishonored.AK::MemoryMgr::SetMonitoring+D78FC - F3 0F59 C8            - mulss xmm1,xmm0
Dishonored.AK::MemoryMgr::SetMonitoring+D7900 - F3 0F58 4D F4         - addss xmm1,[ebp-0C]
Dishonored.AK::MemoryMgr::SetMonitoring+D7905 - F3 0F59 D0            - mulss xmm2,xmm0
Dishonored.AK::MemoryMgr::SetMonitoring+D7909 - F3 0F58 55 F8         - addss xmm2,[ebp-08]
Dishonored.AK::MemoryMgr::SetMonitoring+D790E - F3 0F59 D8            - mulss xmm3,xmm0
Dishonored.AK::MemoryMgr::SetMonitoring+D7912 - F3 0F58 5D FC         - addss xmm3,[ebp-04]
Dishonored.AK::MemoryMgr::SetMonitoring+D7917 - F3 0F11 4D F4         - movss [ebp-0C],xmm1
Dishonored.AK::MemoryMgr::SetMonitoring+D791C - F3 0F11 55 F8         - movss [ebp-08],xmm2
Dishonored.AK::MemoryMgr::SetMonitoring+D7921 - F3 0F11 5D FC         - movss [ebp-04],xmm3
Dishonored.AK::MemoryMgr::SetMonitoring+D7926 - 0F2F F7               - comiss xmm6,xmm7


Now looking for the movement speed multiplier you will see code like this:

Dishonored.AK::SoundEngine::StartOutputCapture+118A47 - F3 0F10 86 ECFCFFFF   - movss xmm0,[esi-00000314]
Dishonored.AK::SoundEngine::StartOutputCapture+118A4F - F3 0F11 45 F4         - movss [ebp-0C],xmm0

So the value is being pushed to the stack and used latter, so let's try some thing else.


Step 3

Now in this game, and with many others, when crouched we move slower than when standing. So let's use that, now multiplying by a negative or zero really won't work for the math, that game uses, so we should be looking for a float that is grater than zero, most likely in or near the player structure, and deceases when crouched (with standing being that base line).

So lets have the player stand then scan for an unknown value, crouch and scan for a deceased value, then stand and look for and increasing value, and do some unchanged value scans when standing still and crouched still.

Now here is where we need to make some guesses, like that when writing a decimal number most people will write a more round number (so stuff like 0.5, but the computer will often change a value a little to be able to store it so stuff like 0.6000000238 is OK and this would have be write as 0.6), and there should be one or multiple with different values.

So after weeding it down a fare amount start looking around the player base.

Tutorials.Dishonored.SuperSpeed.06.png

Here I find only one value that matches what I'm looking for so lets add it to the table, and let's just do the math to find the offset from the player base.

1165A58C - 1165A000 = 58C
[ptrCoordBase]+58C


Step 4

Now lets try to change it, but when we change it we find that it just goes back the original value. So lets see what accesses the address.

Tutorials.Dishonored.SuperSpeed.07.png

Lets just NOP that instruction and change the value to see if we found what we are looking for.

So click the Show disassembler button and on the memory view form right click the instruction line and select Replace with code that dose nothing, a prompt will ask you to add it to the code list with a name like "Change of movss [esi+0000058C],xmm0", just click Yes (we will need it to restore the code later).

Tutorials.Dishonored.SuperSpeed.08.png

And you should see some NOPs.

Tutorials.Dishonored.SuperSpeed.09.png

Now let's change that value, I start with 1 but not much change so I set it to 2, and I found my multiplier.

So we could just leave it like this it totally works but, lets keep going.

So on the memory view form right click and select Restore with original code.

Tutorials.Dishonored.SuperSpeed.10.png


Step 5

So I went ahead and rechecked what accesses the address, and I find that 2 instructions constantly run but 1 only runs when moving, so let's start there.

Tutorials.Dishonored.SuperSpeed.11.png


So here is some script to over ride the value:

Tutorials.Dishonored.SuperSpeed.12.png

But now running is the same speed as crouched and that won't work for me, so let's see what we can do. Let's just multiply the multiplier.


Tutorials.Dishonored.SuperSpeed.13.png

And now we have a super speed hack.

Now often times you will need to try different things and other injection points but it works so time to move on.


And as an example, here is the script I actually use on my cheat table:

Tutorials.Dishonored.SuperSpeed.14.png


Links