
Cheat Engine/Memory Addresses

So I am trying to understand Cheat Engine, mainly the "addresses" where data is stored.

 

All is fine hacking Fallout 1, but when the addresses keep changing and my cheat table becomes useless, I try to learn how to use static pointers.

 

I don't know how they work. From this: http://forum.cheatengine.org/viewtopic.php?t=334728&sid=c6e3e1f334971d8e96aaaabd4350fb56

I have worked out that windows gives them a space to work in, bla bla, but with the memory addresses, he/she kept saying:

All data in all games have addresses and values. An integer can have an address of 0x00443C0C and have a value of 100 (0x64)

and

[image of the struct layout] In this case, HEALTH is offset 0x4, MP is offset 0x8, LEVEL is offset 0xA, etc.

I understand they are memory addresses, but how did she/he get the 0xA offset for LEVEL? And why is (from the first quote) 100 = (0x64)?

Where is HEALTH? Is it at the start of the program with a positive offset of +4? +0x4?

 

TL;DR: How do memory addresses add up? It seems not to just be +1 per increase in address location, but another system...

 

This is probably really basic...

CPU: Intel Core i5 2450M @ 2.5Ghz RAM: 8GB GPU: HD Radeon 7470M (Potato) Mobo: No idea, probably a pumpkin.


My computer is a laptop.


BF3 on minimum settings = 25fps @ 720p


100 = (0x64) is just some random example he gave. 100 in decimal is 0x64 in hex.

 

The picture is the start of some struct with a base address of 0x004EA804 (will most likely be a different address each time the game is run). Each member of the struct (health, mp, level...) is addressed by using the base address of the struct + some offset. You get this offset by subtracting the starting address of the struct from the address of the variable, so 0x004EA808 - 0x004EA804 = 0x4, the offset of health.

 

The point of using offsets is that they are constant. If you find a player object in memory the health will always be at the address of the object + 0x4 (for this game, other games will be different).

 

The offsets are based on the size of the variables in the struct. In a 32-bit program, if the first thing in the struct is an int, the next object will be 4 bytes away, the size of an int. If the first object is a short, the next object may be either 2 bytes or 4 bytes away depending on how the compiler aligns them. In this case the first variable is a pointer to a weapon, which is 4 bytes, giving health an offset of 0x4. Now to get the offset of level, you add the sizes of all variables before it.

+ 4 for a pointer to a weapon

+ 4 for an int, health

+ 2 for a short, MP

= +10 decimal or 0xA in hex.

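The layout the answer above walks through, written out in C as an added example (not code from the thread or from Cheat Engine); the struct and field names are made up to match the description, and the weapon field is a 4-byte integer standing in for a 32-bit pointer so the offsets come out the same when compiled on a 64-bit host:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Player object as the answer lays it out for a 32-bit program. The weapon
 * field is a 4-byte integer standing in for a 32-bit pointer (hypothetical
 * names), so the layout is identical when compiled on a 64-bit host. */
struct player {
    uint32_t weapon;  /* 0x0: 4-byte pointer to a weapon */
    int32_t  health;  /* 0x4: 4                          */
    int16_t  mp;      /* 0x8: 4 + 4                      */
    int16_t  level;   /* 0xA: 4 + 4 + 2 = 10             */
};
/* Same fields with a real pointer: on a 64-bit build it is 8 bytes and every
 * later offset moves, which is why offsets are specific to one binary. */
struct player_native { void *weapon; int32_t health; int16_t mp; int16_t level; };
/* A short followed by an int: the compiler pads the short out to 4 bytes. */
struct padded { int16_t a; int32_t b; };

size_t offset_health(void) { return offsetof(struct player, health); }
size_t offset_mp(void)     { return offsetof(struct player, mp); }
size_t offset_level(void)  { return offsetof(struct player, level); }
size_t offset_health_native(void) { return offsetof(struct player_native, health); }
size_t offset_after_short(void)   { return offsetof(struct padded, b); }

/* Read a member the way a cheat table entry does: object base + constant
 * offset, reinterpreted as the member's type. memcpy keeps the read defined
 * even when the offset is not naturally aligned. */
int32_t read_i32(const uint8_t *base, size_t offset) {
    int32_t v; memcpy(&v, base + offset, sizeof v); return v;
}
int16_t read_i16(const uint8_t *base, size_t offset) {
    int16_t v; memcpy(&v, base + offset, sizeof v); return v;
}

/* Constructed sample object: health 100 (0x64 in hex), mp 50, level 7. */
static const struct player sample = { 0x00501000u, 100, 50, 7 };
int32_t sample_health(void) { return read_i32((const uint8_t *)&sample, 0x4); }
int16_t sample_mp(void)     { return read_i16((const uint8_t *)&sample, 0x8); }
int16_t sample_level(void)  { return read_i16((const uint8_t *)&sample, 0xA); }
```

offset_health_native() shows the 64-bit caveat: the same fields behind a real pointer put health at 0x8, so a table of offsets found in one build of a game does not carry over to a build with a different pointer size.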


Hex. Yeah I thought so, but when I put it into a hex-to-decimal online converter, it refused to take the x (from the "0x64" address). I tried just using the 64, which worked and showed the value of 100. I think the x might not be included in the hex code, maybe it's just there to tell the computer/programmer/user/hacker it's a memory address.

 

I managed to work it out. I have the address for fallout 1's action points >:D

...that was until I accidentally deleted it. Damn. Gonna have to rescan memory again.


I think the x might not be included in the hex code, maybe it's just there to tell the computer/programmer/user/hacker it's a memory address.

Bingo, 0x## is standard notation for hexadecimal. Primarily used while working with memory contents and addresses in code and especially in hex editors. At least to my knowledge.

My rig: 2600k(4.2 GHz) w/ Cooler Master hyper 212+, Gigabyte Z68-UD3H-B3, Powercolor 7870 xt(1100/1500) w/AIO mod,

8GB DDR3 1600, 120GB Kingston HyperX 3K SSD, 1TB Seagate, Antec earthwatts 430, NZXT H2

Verified max overclock, just for kicks: http://valid.canardpc.com/show_oc.php?id=2609399
