Solved Pointer scan returns no results

[roarboar]

Mostly, when I run a pointer scan for a second or third time there are 0 results. I do it exactly as described in the tutorials. Is there a reason why this could happen?
Or is that really just not possible and Im doing something wrong?

 

[Rake]

You have to do everything 100% perfectly for it to work. If you make 1 tiny little mistake, you get 0 results. This is very common for newbs.

Keep practicing.

 

[velreine]

What game, and what are you searching for?

- And what have you set the pointerlevel to be?

 

[roarboar]

What game, and what are you searching for?

- And what have you set the pointerlevel to be?

In this case for css, here are screenshots where I demonstrate what I do:
Unfortunately I dont have the permission to put images here so ill paste the link.
First I search for a pointer, i pick 1 at random:
https://i.imgur.com/JdalcrO.jpg

I click on pointer scan and use these settings:
https://i.imgur.com/8H1jrgm.jpg

these are the results, for some reason I got the results pretty quickly, like I mostly do.
https://i.imgur.com/ZQiAQHP.jpg

I restart the game, find the pointer again, rescan
https://i.imgur.com/XT4wK5r.jpg

I do it one more time
https://i.imgur.com/MvAG1kI.jpg

And I get an empty result set
https://i.imgur.com/hP1PKWl.jpg

To me it seems like I am not doing anything wrong, any ideas?

 

[roarboar]

What game, and what are you searching for?

- And what have you set the pointerlevel to be?

In this case for css, here are screenshots where I demonstrate what I do:
Unfortunately I dont have the permission to put images here so ill paste the link.
First I search for a pointer, i pick 1 at random:
https://i.imgur.com/JdalcrO.jpg

I click on pointer scan and use these settings:
https://i.imgur.com/8H1jrgm.jpg

these are the results, for some reason I got the results pretty quickly, like I mostly do.
https://i.imgur.com/ZQiAQHP.jpg

I restart the game, find the pointer again, rescan
https://i.imgur.com/XT4wK5r.jpg

I do it one more time
https://i.imgur.com/MvAG1kI.jpg

And I get an empty result set
https://i.imgur.com/hP1PKWl.jpg

To me it seems like I am not doing anything wrong, any ideas?

 

[roarboar]

What are you looking for? Health, Ammo?

In the screenshots that I linked I used health as an example, but I got this issue with most stuff.

 

[roarboar]

Make sure that health is interger not float, which I saw you used on your screenshot.

Does it explain tho why i get 0 results using a pointer scan after several retries?
If it was a float and not an integer then I wouldnt be able to find the pointer to begin with.

 

[roarboar]

Sorry for asking... And yes it does.

Alright I have made another attempt at this.
I have found that the game ALSO uses a byte to store the health. So I went on pointer scanning as usual. What I did notice is that the same address was returning every time.
I know that this adress still cant be reliably used on its own because after several reboots its usually gone.
But I kept on using this address for the pointer scan, and I noticed that as long as I used that address the pointer scan worked. When I picked another address (which is also another byte that contains the players health) I instantly got 0 results.

Tbh it just feels like cheatengine is malfunctioning on my computer or pointer scan just rarely works.

Any ideas?

 

[c5]

Automatic pointer scanning will not always yield results for you. If I were you, I'd breakpoint the memory address see what accesses it, run a debugger and trace back where the static gets set and where offsets get added

 

[roarboar]

Automatic pointer scanning will not always yield results for you. If I were you, I'd breakpoint the memory address see what accesses it, run a debugger and trace back where the static gets set and where offsets get added

OKay I see, So if I am to do as you describe then I would check in cheatengine what accesses that address. then open olly, attach it to the process, go to that address by pressing ctrl + g. But after that I dont know exactly what to do. What will I be looking for to find the real address? I guess I would be looking for mov's most of the time but how will I know what instructions to look for exactly and how do i know when I have found the real address.

I also know the other method in CE to find what accesses the address and then search for that hex value, add the address of that value + the offset.
But CE always displays several offsets and I dont know which 1 is the right one.
like here: https://i.imgur.com/V4uC273.png

ALso ive found that this method doesnt always find what youre looking for.
For the sake of practice I tried to find the current gold of the player in dota2, and using that method I could only find the gold that you begin the game with and the current gold just wasnt anywhere to be found.

But back to the method you mentioned, debugging it with olly. Is it a fool proof method of finding addresses or are there times when it fails as well?

EDIT: I happened to find a reliable address for the players health in css, but this was done by picking one of the 255 k pointers that were returned before it all went to 0. Also I am not at all sure if the address that I have could change on another PC or whatever, it did work after several reboots on my own pc tho.

 

[c5]

When you hit a breakpoint, and execution is paused, the address of the health (or whatever), is in the stack and accessed. Now you are going to go backwards. You'll look what register held the address and see how it got there. Practise and play around with olly in those matters and you'll get the hang of it.

 

[roarboar]

When you hit a breakpoint, and execution is paused, the address of the health (or whatever), is in the stack and accessed. Now you are going to go backwards. You'll look what register held the address and see how it got there. Practise and play around with olly in those matters and you'll get the hang of it.

Okay thanks, back to olly it is then. Would you say olly is more reliable for finding addresses than CE? Also, would you be able to find ANY addresses in olly, such as all enemy coordinates etc?

 

[c5]

Okay thanks, back to olly it is then. Would you say olly is more reliable for finding addresses than CE? Also, would you be able to find ANY addresses in olly, such as all enemy coordinates etc?

Yes, you can search for values in memory the same way you can with CE. Ollydbg is just more of a personal preference for me, although I'm aware of CE has a debugger aswell, with olly you still have tons of more options in that field.

 

[roarboar]

Hmm... Depends. I use OllyDBG when I need to make classes that I can use ReClass. You could find enemy cords in OllyDBG I would use CE though.

How would you go on about finding enemy coords in CE? I am not asking for a step by step tutorial but just general guidelines.
I mean certainly its more difficult than asking 1 friend to go up and down the stairs and check for increased/decreased value. Thinking about that logically, would give you the address of 1 player maybe, but definitely not all.

 

[velreine]

"client.dll"+0076EA9C -> 086C1F00

[086C1F00+C] -> 1F579A48

1F579A48+154 = 1F579B9C

struct PlayerInfo
{
char name[32];
int team;
int hp;
float x;
float y;
float z;
float ang1;
float ang2;
float ang3;
};

size: 64 bytes.

Offset between players structures: 140.

 

[roarboar]

"client.dll"+0076EA9C -> 086C1F00

[086C1F00+C] -> 1F579A48

1F579A48+154 = 1F579B9C

struct PlayerInfo
{
char name[32];
int team;
int hp;
float x;
float y;
float z;
float ang1;
float ang2;
float ang3;
};

size: 64 bytes.

Offset between players structures: 140.

So I checked it out and it seems you are entirely correct.
How did you find it so casually? This just seems like rocket science to me.

 

[roarboar]

Any chance you could share your ways with us velreine?

Also a question on the sidenote, I decided to not hesitate and start making an application that utilizes your information.
I have noticed that sometimes the player coords are empty for some players, while health is always accurately tracked. Is there any reason why the coords shouldnt always be in my memory or is something just going wrong?

EDIT: it actually seems that its the enemies position that is obscure,. at least some of them, ill post more details later.

 

[velreine]

That is because the engine doesn't render / send you the position of the enemies if their not visible or too far away.

[EDIT]: Oh and yeah i can show you how i did it tommorow probably just respond to this message with a quote and I'll definetly remember it .

 

[roarboar]

That is because the engine doesn't render / send you the position of the enemies if their not visible or too far away.

[EDIT]: Oh and yeah i can show you how i did it tommorow probably just respond to this message with a quote and I'll definetly remember it .

Okay, cant wait !

 

[velreine]

Ok so basicly the first thing i did was search for my own HP, and then i would play around with the values, and trying to hurt myself etc etc, restarting the round etc. Trimming the addresses abit down.

- Now you'll have multiple addresses pointing to your health.

Then i basicly do a pointerscan on all of those addresses one by one, most of them will not return any pointer paths (set your pointerlevel to 2.)

Then when i find an address that has multiple pointer paths I'll simply double-click all of them, so that Cheat Engine stores the pointer paths. I store all pointer paths leading to the address (without restarting the game). I do that with all the addresses pointing to the health.

Then when i restart the game I'll see all the pointers still pointing to my own HP. And I'll simply cut the rest out. - Think logical when adding pointer paths. Example your HP is prolly not shaderxapi.dll + offset. It's more likely to be something in the client.dll , or engine.dll or matsystem.dll. Depending on what you're looking for.

I hope this helps, it's hard to explain or recreate as it takes some time but it's worth it in the end.

[EDIT]:

Woops and when I've found these addresses you add that address to a program called ReClass, then try making it like 1024 bytes bigger. It'll give you a bigger overview, and try using your calculator to go a few bytes back and add to ReClass from that address. Then it's basicly just puzzling around untill you find something that makes sense. E.g you see an address having the value 1.293993 it's probably not an integer but a float, you'll get the idea trust me .

 

[roarboar]

Ok so basicly the first thing i did was search for my own HP, and then i would play around with the values, and trying to hurt myself etc etc, restarting the round etc. Trimming the addresses abit down.

- Now you'll have multiple addresses pointing to your health.

Then i basicly do a pointerscan on all of those addresses one by one, most of them will not return any pointer paths (set your pointerlevel to 2.)

Then when i find an address that has multiple pointer paths I'll simply double-click all of them, so that Cheat Engine stores the pointer paths. I store all pointer paths leading to the address (without restarting the game). I do that with all the addresses pointing to the health.

Then when i restart the game I'll see all the pointers still pointing to my own HP. And I'll simply cut the rest out. - Think logical when adding pointer paths. Example your HP is prolly not shaderxapi.dll + offset. It's more likely to be something in the client.dll , or engine.dll or matsystem.dll. Depending on what you're looking for.

I hope this helps, it's hard to explain or recreate as it takes some time but it's worth it in the end.

[EDIT]:

Woops and when I've found these addresses you add that address to a program called ReClass, then try making it like 1024 bytes bigger. It'll give you a bigger overview, and try using your calculator to go a few bytes back and add to ReClass from that address. Then it's basicly just puzzling around untill you find something that makes sense. E.g you see an address having the value 1.293993 it's probably not an integer but a float, you'll get the idea trust me .

Okay thanks, sounds good. Is there any reason you set pointer level to 2? How do you set it anyway, is it the "Max Level" field that you are talking about?
The feedback i have been receiving thus far is highly appreciated