Tutorial

 
Ingame memory pointer tutorial

Index

1.
Finding usable simulator values in game memory
1a.Example: Find a gear memory location
1b.What are hexadecimal values ?
1c.How to find simulator relevant data in a game like lateral, vertical or longitudinal g-force
1d.Overview: How to differ pointer values, static values and structure values
2.Tutorial 1: Finding a static game value (integer and float as sample)
2a. Use static values in x-sim force injector
3.Tutorial 2: Finding a dynamic pointer value with 1 depth
3a. Tutorial 2.1: Finding a dynamic pointer value with structure offset
4.Tutorial 3: Finding multiple depth dynamic pointer values
5.Insert found values in x-sim force-injector and use them in x-sim

Additional tutorials that may help you also:
English:
http://forum.cheatengine.org/viewforum.php?f=14
German:
http://forum.extreme-gaming.de/topic,1686,-%5Btut-1%5D-spiele-cheaten%2C-grundlagen.html
http://forum.extreme-gaming.de/topic,1696,-%5Btut-2%5D-dma%2C-pointer.html
http://forum.extreme-gaming.de/topic,1734,-%5Btut-3%5D-2nd-gen-pointer%2C-trainer-erstellen.html


Findingusable simulator values in game memory


The main idea of cheating software is to find a memory location in a game .exe file, which stores something like live or health bar values and change them to higher level. This idea is also usable for simulator movements, because the cheat programs are well designed and very easy to use. But we have not to find health values or something to cheat. We search for the current speed displayed in our car cockpit or the gear value or perhaps we are able to find the real force values out of a game. Please note: only use this difficult solution if there is absolutely no developer designed simulator interface. This solution has one big problem: if u patch your game and use another game.exe file with different size, all the found values are worthless. For that we create a online database to store the found values and share them with other X-Sim users which will be very thankfully for that.
First we have to know something about how to find normal values like gear and speed. This values you can see in the cockpit view of any racing game u like. The gear value is the easier value to find, because it is not a precision value with many numbers behind the dot. This will help us to find out the method how the game will store the gear number in the game memory. Windows use for each program running virtually 4GBytes of memory. Since not all memory is needed it can be virtually reduced to fit your physical memory in your computer. Good cheat programs also detect how much the used memory is and therefore it will only search in this smaller range. The next part will show you how you find a value in the game memory. This you have to do very often, so you have to learn this part very intensity, because this is the base material for the rest of this tutorial. If you cannot find the gear in a game, you cannot continue with the other descriptions.



Important, you will need this procedure in each tutorial as first step.
Use the software PointerGenerator.exe of Tutorial 1 as game simulator or use your own game.

Example: Find your gear in the game memory:

0.
Start the game ;)
1. Pause the game and remember the gear number shown in the cockpit view
2. Exit to windows with ALT+TAB keys
3. Run the €žCheat Engine 5.3 or newer application found in the internet (Also €žArtmoney application us usable)
4. Fill out the value box with the gear number and choose “Exact Value” with bytes = integer value
5. Run the “First Scan” button and you will find all memory locations where the gear number value is in it
6. Change to your game again with ALT+TAB and undo the pause
7. Change your gear, perhaps only go faster until the gear changes automatically, then pause the game again
8.Exit again to windows with ALT+TAB and insert the new gear value in the cheat engine application
9. Now do a Next Scan with the button
10. ....... do this again from 5 to 8 until the right box shows you only ONE value ......
11.Is there more than one value left, insure with dual screen the correct changing gear value by comparing the game with chat engine found-box. (decide for one)
12. notice the memory address, it is in Hexadecimal value
13. reboot your computer and redo up to 12. Is the address the same as before your reboot, you found a static value, if not you found a dynamic pointer value.

Ok, what are hexadecimal values ?
The decimal numbers uses 0,1,2,3,4,5,6,7,8,9 as number but the hexadecimal number system adds A,B,C,D,E,F for 10=A, 11=B, 12=C etc. to reach 16=2*8 Bytes in a computer system. If you don't know how to translate this value to a normal decimal number where you can do well known mathematical operations, use the windows calculator of Microsoft. Open your calculator and choose Scientific in the menu. Then you are able to switch the radio button on the bottom of the input line to Hex. Then insert the value out of the cheat engine and write it in the input line of the calculator. Then press Dec and you will see the translated decimal value. This can also be done in the revert direction to convert decimal values to hexadecimal values.


How to find simulator relevant data in a game like lateral, vertical or longitudinal g-force
The main goal for X-Sim is to get some values to control a simulator. They are called G-forces and turning speeds. G-forces are longitudinal, lateral and vertical forces and turning forces are yaw, pitch and roll. The easy way to find them is to search in your game, where they are displayed in numbers like the roller coaster simulator nolimits do. Then you can search them like you do with the speed value. Also some external tools for the game you use can help displaying them and then search them. But normally these games use a special programer interface like network export or MMF files, so use better this way and contact a plugin programer of x-sim.



What we can do, if there are NO displayed forces ?
This is the hardest way to find some movement. Therefore the cheat engine and Artmoney can search for unknown values (drop boxes) or changed values. You then can drive your car hard left and pause the game. Now the cheat engine make a virtual backup of the memory. Unpause the game and drive hard right. Pause again and the cheat engine will compare the memory to find the changes. You have to do this very often. The found values will get less with each search you do. It is very difficult, because you have to insure, that you really drive HARD left or right, because if the force is not really defined you loose your search result with one bad search. You can find longitudinal and lateral forces with this procedure, vertical forces are not really to get.



Why we search for the speed value ?
As you see I look every time for the speed value. This has some reason I will explain now:
If you get the current speed (meter per second) you can use the injector to convert the changing of the speed in the longitudinal force (m/s²). The force-injector will capture value by value and get the difference of the speed value from one to another speed value. You can then use this value in your simulator for forward-backward force. Then you can try to find the lateral force with the yoda force-feedback scanner and a force feedback wheel. The combination of yoda and the injector can help you finding a solution for your game.

Hint:The speed is normaly given by the programer in meter per second = m/s.
If you search for km/h, which is displayed in the cockpit, you won't find the real calculated value, but perhaps some display values. It is necessary to read the km/h or mph value and calculate them to m/s. This means in km/h as sample: 36km/h divided by 3,6 = 10 m/s (meter per second). Also think this way if you do not find other values like °C or Kelvin, meter to inches and so on ...
Please note: the virtual game value of this tutorial is only to learn the search process, you have to find out such tricks by your own. Please inform you of the physical values you try to find.


Overview: How to differ between pointer values, static values and structure values


First we have to know something about the memory management of windows and your game program. I will begin with the first graphic, which shows us two types of values that maybe used by the programer of a application/game.
The first type is a variable, a changing value, that is generated in the code and is located at a static position (blue) after program start. This values are generated at the program startup and are never changed in their position in the memory.
The second type of values are generated later in the game dynamically. But to reach the positions of these values there are generated pointer static.
A pointer is a value like a static variable, but it includes not the target value but a new memory position, where to find this target value. The size of such a pointer is normally 4bytes, because windows can address 4GByte's of memory for each process. Tools like the cheat engine or Artmoney can search for the value, but if you have a dynamically generated value the memory position will change after you have restarted your game or computer. This is a problem, because we have to find the static pointer memory address, read out the new memory location and readout the value in this new memory position. This is possible with the cheat engine. Then we can use the DMA (Dynamic Memory Address) dialog in the force-injector tool of X-Sim to import the found readout way. The injector can handle up to ten redirection’s via pointers but most games only use up to three redirection’s.


(click images for bigger view)

Ok, but programers of the current time use not only one variable, they collect their values to so called structures.
An programer example, how it looks like in C++ programing language:

structureVEHICLE
{
integer gear;
float speed;
float RPM;
}

To get now the RPM, you need a pointer to the start of the VEHICLE variable and jump with a offset of 8 (4bytes integer gear + 4bytes float speed) to the start memory address of the RPM float value.
Ok, this is what the programer will do, but we will do that in invert direction. We will find the RPM value with the cheat engine, but we need the static pointer memory address later to find the RPM again. This is explained in Tutorial 2.1 .

Tutorial 1: Finding static game values (integer and float as sample)





First we try to find a integer value (-2147483648 to 2147483647) out of my testprogram "PointerGenerator.exe" which is included in the tutorial package you can download at x-sim. Therefore start the program and press the "Generate a integer as static value in process memory" button. After you have done this, the progress bar begins moving to simulate a random ingame value like the speed of a car. You have to press "Pause the virtual game value with this button" to pause the "virtual" game. Then you will find a current value below the bar. This is the value we will try to find now with the cheat engine. In a real game this value could be the speed gauge value, you see in your car, or the gear value found also in your game cockpit.



Now open the cheat engine. On the top of the dialog you find the notice “No Process Selected”, so we select now the Process of the X-Sim “PointerGenerator.exe” with the green blinking button.

Continue with the “OK” Button. Then we have to fill out the form with our searched value. A Integer is 4 bytes long and signed, we know the “Exact Value” and use the other settings as they are. In the value box we write the value of our virtual gauge found in the pointer generator. This value is not hexadecimal because no gauge in a car will display the current speed in hexadecimal. Then press the “First Scan” button. The cheat engine will now search the whole program memory for the given value with type integer. Normally the duration is much longer than in our small application, but we don't need to spend much time in front of a progress bar in this tutorial. Now you will find the result on the left side of the cheat engine. The number of same results will be shown on the top of the box. The box shows you the address of the found memory value and it's current size. This is shown in realtime, so we can change to our pointer generator and continue the progress bar movement. We will see the value in the cheat engine will change identically to the value shown in the pointer generator. Then you will notice, that all negative values are not shown as negative but something about 4294967296 (2³²) minus the negative value. That is a bug of the cheat engine, that negative integer values are not displayed but searched. Now we have to remove the other values out of the box and add them in the box below the search results. This is a list of found values which we can load later again. To find the absolute value, pause the value in the pointer generator and insert the new displayed value in the cheat engine where you inserted the first value. Overwrite the old one with the new one and press “Next Scan” button. The cheat engine will now only search in the found values box left. If one of these values are identically with the new value it will be left in the box. So you can find changing values everywhere in the memory. Now add this value to the cheat engine list and save this project with the disk button found on the top of the dialog.
Now: reboot your computer ! Every memory locations will be lost, so we can be sure that another one can reproduce this value.
After rebooting your PC start the pointer generator again and start the moving integer value. Let it run this time without pause it and start your cheat engine. Select your process as before. Then load your found value with the load button left of the save button. The value shown in the below table should now change it's value as before (only positive values are correct displayed). This is now our fixed static game value we can add in the force injector tool of X-Sim.
But before we change to the force-injector tool, we search for static float values. Floats are signed precision values with 4 byte. There also are 8 byte floats out there which are called “double” for double precision floats. We will only try out to find the normal 4 byte float values, because the search routine is similar to the float values.
Now close the cheat engine and the PointerGenerator.exe to start a new scan. Open the generator again and press “Generate a float as static value in process memory” this time. Now you will find the randomly changing progress bar with float values instead of integer values. Start now the cheat engine again and change the “Scan type” to “Value between” and the value type to “Float”. Since we cannot insert a exact float value, because the speed gauge could be rounded, we have to search all memory values in a range of their size. You can also try a exact value, the cheat engine will try a range automatically, but this is not as sure as do it by yourself.

Be warned: only use the lower value on the left side in cheat engine, else the result is zero !!

Example: if we search for 14.168 we have to insert a range between 14.167 and 14.169 to get the searched float value.
Now continue like you did with the integer values. With floats, signed values are displayed also signed.

Normally floats are easier found than all others, because the 4 byte combination is very rare in the whole program memory. If more than one value is found, redo the “Next Scan” with changed values in the Pointer Generator.

Hint: to differ it is a static value or not, always REBOOT your PC !!!
Reason: if you close your game and restart it with the same car, the same track in the same mode it is possible that the game can generate exactly the same memory condition for the values you search for. Also verify your results with other cars, tracks and game modes (single player, multiplayer, championship, single race etc.). They must all work with your found value !

After we have finished the search, note the memory hexadecimal address found in the display boxes. We now are able to insert them in the force-injector tool of x-sim and use it as simulator control.
Therefore open the force-injector and search the process name like you did in the cheat engine. Please note, the injector may display other names, because it search not for window names but for process names.

How to use the found value in x-sim force injector:

After we found the static integer and the static float value we will try to over give them in the X-Sim force injector, which is able to convert changing speed to acceleration and gear shifting to gear rumple. Therefore we open the force-injector tool that comes with the X-Sim package and search for the process name (1) like we did in the cheat engine. Now we see on the bottom if the program has been started or not. We can use this detection as simulator actuator start in the profiler later, or we use additional Force Feedback detection with Yoda2. We should also insert the current patch version of the game as a notice for later use or the online database. Then we have to insert the offset value in decimal numbers into the (2) box. If we only have the hexadecimal values there is a hex to decimal converter right to the box. Don't use the pointer DMA button in this case. Then we have to give the correct value type (3) i.e. integer for gear value or float for speed value. The Factor you can choose is necessary for float values. Because the profiler only accepts integer values you have to multiply a low float to bring the numbers behind the dot in front the dot for more precision.



Then we have to decide if we want to convert (4) this value in this memory position. For now we only choose normal, no calculation needed, to see only the result value. As next step we have to decide where in the force-profiler box this value will appear. The force-injector tool is an addon to the normal plugin system of the X-Sim force-sender. The plugin's of the force-sender will appear from position 21 up to 40 in the force-profiler receive window. The force-injector will overwrite each of the 40 positions with the value you give. If you choose “none” plugin in the force-sender all the values from 21 to 40 are not used, but if you choose one plugin additionally, you have to decide which value you do not need and which then will be overwritten by the injector (5). The note you give (6) to the value will appear in the force-profiler if you are longer over the receive box (tool tip).
If all is correct inserted you should see the value changing like in the cheat engine. No save this project, so you can load it again later.


Tutorial 2: Finding a dynamic pointer value


You have found the speed value in the game ?
But then after a reboot or a restart of the game this value is found in a total different place in the memory ?
Then you have a dynamic generated value found.
The big different between static values and dynamic values is the type of storing data’s in a game. Some games use dynamic memory to avoid cheating, some other games are designed to generate more instances of some objects like cars or track relevant data’s. As you see on the left there is a base pointer and in the memory space of this pointer is a new memory address stored. This points on a group of values or one single value. Is there a group of values like on the left side, you have also to find out the offset from the position the base pointer points to the real game value. In our tutorial we first try to find a pointer value with zero offset and then continue to find a grouped value and it's offset from the start of the group. The first action you have to do is every time to find the (speed, gear ..) value in the memory. This found memory address is every time the start of our deeper search. We will find the “way” from this value to its static “base” pointer. Please get some notice block and something to write with. It is not easy as the static pointers.

Ok, let's start with the zero offset dynamically generated pointer value. This is only to understand the next tutorial step, normally we use the procedure of tutorial 2.1 and find a zero offset instead of assuming it is zero. Therefore the PointerGenerator.exe creates random memory space each time it starts. So the pointer we search is every time you start this tutorial software on a static position but it will point every time to another memory position in the memory. With our known strategy of tutorial 1 and above we are able to find the shown virtual game value in the memory, but then we have to find the base pointer of this value. To generate such a dynamic pointer start the generator and press “Generate a integer pointer in process memory”. Then search the shown integer displayed on the bottom again with the general search procedure of the beginning of this tutorial. If there is only one value address left remember this address. To do so, you have to press the button with this symbol in cheat engine: (select your found line first) You will find your result in the lower list box of the cheat engine. Now restart the generator and also the cheat engine. Do the same again and you will see, the memory addresses are different you found. You can store the bottom list and restore it if you like. But you can also write down your results to some piece of paper.

We now have to find the memory address where this different memory address is stored, the static base pointer (graphic above).And here you know how to find this place of the base pointer. It is the same routine you found the virtual game value. Only insert this time not the shown value, but the memory address you found. This value is stored in the static pointer and will be changing it's value every time you start the generator. Change the input of a “Exact value” to HEX input (the check box left of the input edit box) and insert the found value address like you see in the left “Found”-box. Ok, now you find only ONE result, because only ONE basepointer has the information where the rest of the value exists. (In some games this could be more base pointers, because they could be copied. This should be no problem, choose one of them and continue.) This new memory address is the base pointer. The value in it's 4 bytes points to a location of the true value. You can insert this value in the force-injector like you see in 3.)
Try this also for the float value and insure the found static base pointer is always the same if you restart the PointerGenerator.exe .



Tutorial 2.1: Finding a dynamic pointer value with structure offset


Now we practice the real live application of a game. A programer collects all car values in one big area and declares it with a pointer to the first byte in the memory. This means we have to find out this big collection of stored values. Our luck, we only need ONE of this values, we found as a speed value. So we only need the position of the base pointer (100000 in the graphic above) then the force-injector reads it's value (200000) adds the offset value (4 bytes) and use this stored memory value in address (200004 to 200008) to read out the speed value (float or integer). But we have to find out the offset value by our self, because the injector cannot know it. The cheat engine therefore has a debugger included. A debugger can follow your game step by step of the commands the programer wrote. The programing language is here native assembler, but you don't need any knowledge about programming or assembler commands to find out the offset. The cheat engine will display the necessary needed values for you. They are displayed very hidden, but we learn now how you can read them out of the debugger information sheet of cheat engine.
Open the pointer generator and press the Tutorial 2.1 integer button “Generate a integer structure pointer in process memory”. Then do the normal search procedure to find the dynamic place of the virtual game value like you did in the tutorial before. Insert the one found dynamic address with the button in the bottom list.

Now invoke the context menu of the inserted line in the bottom list box with a right click on it and attach the debugger if asked. (Press continue)
Then choose the menu option “Find out what writes to this address”. This will look in the running game, which command will use this address and then it will be displayed on the screen.


Now you will see a blank list box. This list box will change it's content only if there is a access to this memory address you selected. In some games you have paused there is always some action in the background that could update this box immediately. But in the pointer generator there is only a access, if you continue the value running. So continue the value and a entry will appear in the list box. Select now this entry and press the “More information” Button found on the right.





You will be informed about the event that has written in this memory place. You can see a assembler command named “mov” = move with a offset value. Also the ecx stands for a value as shown in the ECX register below. This is the start of all car data and is here our found address minus the offset of 4 (hexadecimal) = 009BDA28. Now we continue like we did in tutorial 2.0 . We search now the game execution code for our real address value 009BDA28. We will find a base pointer on the left side as we did in tutorial 2.0 .
Now we should write down our results:

1. found base pointer
2. the offset value

Do this on a piece of paper or in the windows editor step by step. This 1 depth pointer is not often used. Normally there are a big number of redirected pointers until you reach the real base pointer. In the next Tutorial we search a 2 depth pointer as a example, but in most cases there are 3 depth and up used. It is very difficult not to loose the orientation. So please write down your results and compare the found values with a restarted game to insure the base pointer and offsets are equal.

Hint: the base pointer is a very low address in the game memory. It should be in range of 00xxxxxx hexadezimal.

Tutorial 3: Finding multiple depth dynamic pointer values

This is a step by step tutorial to find the base pointer of the “Tutorial 3: ...” section of the pointer generator. It is based on the tutorial 2 up to 2.1 and uses the next step of pointer depth. Therefore the first steps are equal as ever, start the generator and find the generated value. In this case you know that we only have 2 depths to find, but you should try to ignore this and search like you should do in a real game.




(The left graphic shows only a sample of a 2 depth pointer, the addresses are not equal to the pointer generator addresses)


1. Start pointergenerator.exe and press the “Generate 2 depth dynamic integer pointer with offset”
2. Pause randomly the changing value with the button. (Simulates changing a value in the game)
3. Start cheat engine and select the pointer generator process.
3. Search the virtual game value with the cheat engine as a exact value with 4 bytes.
4. If there are more results, continue the virtual game value and do a “Next Scan”.
5. Move the found address with the button in the bottom listbox.
6. Right click on it and choose the “€žFind out whatwritesto this address” option.
7. Continue the game value in the pointer generator, pause it after you see some entry in the debugger list box. Press “More information”.
8. Find out the offset value and the address where the data memory area begins (= last address minus offset or displayed in the box behind “probably”)
9. Search the memory with this address where the data begins. You will find one address, called a pointer.
10. Depth 1 completed: Write down the offset value. This value is needed in the force-injector.
11. Add the found address/pointer to the bottom list with the button.
12. Right click on it and choose the “Find out what accesses to this address” option. (Note: There comes more than one results, because every access is logged.)
13. Get the “More information” dialog and get the offset value (Note: offset is always in hexadecimal) and the beginning of the data area after “probably”.
14. Search the memory with this address where the second data begins. You will find in this case the base pointer.
15. Depth 2 completed: Write down the address of the base pointer and the offset value.
16. Restart the pointer generator and the cheat engine and do 1 up to 15. Insure the base pointer and offsets are equal.

Go straight to the next tutorial and check the values with the force-injector.
If your game seems to use more than two depths pointers you have to do step 11 to 15 until you get the non changing static base pointer.

Insert found values in x-sim force-injector and use them in x-sim

The found values in Tutorial 2 or 3 can now be used and checked in the force-injector application of X-Sim. Therefore we need our down written values of this tutorials and insert them in the force-injector dialog. The different between the static values to the dynamic values is the “DMA” button of the injector and the following dialog.

 

You now can see your value changing in the injector main dialog.
This was the last step we do in this tutorial. Please share your found game values with the other members of X-Sim. The online database will help you to do this. You can upload your knowledge also if the profile for a game is not complete. You can name them therefore with “Beta try:” or some notice what you have found. Then some others can continue with your found values. Also you are able to find some offset values stored in the database and extend them with your own values.