cheat engine and mono

If it's a Unity game (or really anything using Mono) then you can use Cheat Engine's Mono features.

For example, to temporarily find the theGrid instance:

  • Make sure you have CE 6.4+
  • Attach to the process; the Mono menu will appear at the top of CE
  • Go to Mono->Activate mono features, then go to Mono->Dissect mono
  • Expand the root tree node in the dissect mono window, then expand Assembly-CSharp
  • Now search for “:theGrid”; this might take a while.
  • After you have found it, right click on ::theGrid->Methods->GetPhysicalPositionFor and click “JIT”. This prints the memory address of the just-in-time compiled code for this method to the Lua console (compiling it on demand if the game has not called it yet)
  • Copy the memory address and go to it in the memory view (Ctrl+M opens the memory view, Ctrl+G goes to an address)
  • Place a breakpoint there (F5). When it triggers, copy the EAX register; this is the current instance of the theGrid class. (That is for a 32-bit build; on a 64-bit build the instance pointer arrives as the first argument register instead, RCX on Windows or RDI elsewhere.)
  • Make sure you remove the breakpoint (F5) and continue execution (F9) before trying to use any other mono dissect features

Alternatively, a more universal way that should work for almost any class that has a method returning an instance of itself (a static Get accessor in this case):

  • Make sure you have CE 6.4+
  • Attach to the process; the Mono menu will appear at the top of CE
  • Go to Mono->Activate mono features, then go to Mono->Dissect mono
  • Expand the root tree node in the dissect mono window, then expand Assembly-CSharp
  • Now find your class (“:theGrid” in this case)
  • After you have found it, right click on its “Get” method and click “JIT”. This prints the memory address of the just-in-time compiled code for this method to the Lua console
  • Copy the memory address and go to it in the memory view (Ctrl+M opens the memory view, Ctrl+G goes to an address)
  • Place a breakpoint there (F5). When it triggers, press Execute till return (Shift+F8) and copy the EAX register (RAX on a 64-bit build); the return value is an instance of your class.

Finding the actual tiles from this:

  • From the Memory View window, open “Tools->Dissect data/structures” or use the hotkey Ctrl+D
  • Paste the previously copied address into the textbox and go to “Structures->Define new structure”
  • If CE's mono features are working correctly (MAKE SURE THE GAME IS RUNNING), it should automatically detect the class and suggest the name “theGrid”; it will also ask if you want to automatically fill out the structure.
  • Unfortunately, a few things can't be filled in automatically. For example, the GridOrigin field is a Vec3 (Unity's Vector3: just three float32s), and, more importantly, the TileArray field is actually declared as “public Tile[,] TileArray;”, i.e. a reference to a two-dimensional Mono array object rather than inline data.
  • Right click the TileArray field and change its element type from 4 bytes to pointer
  • If you expand the TileArray field and look at it a bit you may notice something: after the array object's header (vtable, sync block, bounds pointer and length; 16 bytes on a 32-bit build) come 8 groups of 6 pointers, conveniently the same size as our tile board. Mono stores a rectangular array row-major, so Tile[i, j] is element i * 6 + j.
  • Now we need the per-tile information: open a new structure dissect window and paste the address of one of the elements pointed to from TileArray; it will automatically try to fill out the Tile class.
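The walk from the theGrid instance through TileArray to the individual Tile objects, written out as code so the array layout is explicit. This is an added example, not code from the post or from Cheat Engine: it works on a constructed fake 32-bit process image instead of a live game, and the field offsets of GridOrigin/TileArray inside theGrid and of the X/Y fields inside Tile are assumptions picked for the demo (in practice you read them off CE's dissector). The MonoArray header layout (vtable, sync, bounds pointer, max_length, then the elements) and the row-major element order are Mono's real layout.

```python
"""Walk theGrid -> Tile[,] TileArray -> Tile objects over a fake memory image.

Added example (not from the original post). All addresses and the theGrid /
Tile field offsets are constructed for the demo; the MonoArray header layout
and row-major element order match Mono's real 32-bit layout.
"""
import struct

BASE = 0x10000000            # constructed base address of the fake image
PTR = 4                      # 32-bit Mono build, as in the post (EAX holds `this`)

# Assumed field offsets inside the theGrid object (read off CE's dissector in practice):
GRID_ORIGIN_OFF = 0x08       # Vector3 GridOrigin: three float32s
GRID_TILEARRAY_OFF = 0x14    # Tile[,] TileArray: pointer to a MonoArray object
# Assumed field offsets inside a Tile object:
TILE_X_OFF, TILE_Y_OFF = 0x08, 0x0C

# MonoArray header on 32-bit Mono (mono/metadata/object-internals.h):
#   +0x00 vtable  +0x04 sync  +0x08 bounds*  +0x0C max_length  +0x10 elements...
# (On a 64-bit build the same fields sit at +0x00/+0x08/+0x10/+0x18 and the
#  elements start at +0x20; PTR would be 8.)
ARR_BOUNDS_OFF, ARR_LENGTH_OFF, ARR_DATA_OFF = 0x08, 0x0C, 0x10
# Each MonoArrayBounds entry is {uint32 length; int32 lower_bound}, one per dimension.
BOUNDS_ENTRY = 8


class FakeProcess:
    """Minimal stand-in for CE's readInteger/readPointer over a bytearray."""

    def __init__(self, size):
        self.mem = bytearray(size)

    def write(self, addr, fmt, *vals):
        struct.pack_into(fmt, self.mem, addr - BASE, *vals)

    def read_u32(self, addr):
        return struct.unpack_from("<I", self.mem, addr - BASE)[0]

    def read_i32(self, addr):
        return struct.unpack_from("<i", self.mem, addr - BASE)[0]

    def read_f32(self, addr):
        return struct.unpack_from("<f", self.mem, addr - BASE)[0]

    read_ptr = read_u32


def array_bounds(proc, arr, rank):
    """[(length, lower_bound), ...] for the array object at `arr`.
    The rank comes from the declared type (Tile[,] -> 2); it is not stored in
    the array object. A plain vector (Tile[]) has a NULL bounds pointer."""
    bounds = proc.read_ptr(arr + ARR_BOUNDS_OFF)
    if bounds == 0:
        return [(proc.read_u32(arr + ARR_LENGTH_OFF), 0)]
    return [(proc.read_u32(bounds + BOUNDS_ENTRY * d),
             proc.read_i32(bounds + BOUNDS_ENTRY * d + 4)) for d in range(rank)]


def element_addr(proc, arr, rank, *index):
    """Address of the slot holding Tile[index] (row-major: last index varies fastest,
    so Tile[i, j] is element i * cols + j). Raises IndexError when out of range."""
    dims = array_bounds(proc, arr, rank)
    flat = 0
    for (length, lower), i in zip(dims, index):
        rel = i - lower
        if not 0 <= rel < length:
            raise IndexError(f"index {index} outside bounds {dims}")
        flat = flat * length + rel
    return arr + ARR_DATA_OFF + flat * PTR


def read_tile(proc, tile_ptr):
    return {"x": proc.read_i32(tile_ptr + TILE_X_OFF),
            "y": proc.read_i32(tile_ptr + TILE_Y_OFF)}


def read_grid(proc, grid):
    """The same walk you do by hand in CE: theGrid -> TileArray -> each Tile."""
    origin = tuple(proc.read_f32(grid + GRID_ORIGIN_OFF + 4 * k) for k in range(3))
    arr = proc.read_ptr(grid + GRID_TILEARRAY_OFF)
    (rows, _), (cols, _) = array_bounds(proc, arr, 2)
    tiles = [[read_tile(proc, proc.read_ptr(element_addr(proc, arr, 2, i, j)))
              for j in range(cols)] for i in range(rows)]
    return {"origin": origin, "dims": (rows, cols), "tiles": tiles}


def build_sample_process(rows=8, cols=6):
    """Construct a fake image holding the same 8x6 board the post found."""
    proc = FakeProcess(0x2000)
    grid, arr, bounds, tiles = BASE + 0x100, BASE + 0x200, BASE + 0x300, BASE + 0x400
    proc.write(grid + GRID_ORIGIN_OFF, "<3f", -3.5, 0.0, 2.25)
    proc.write(grid + GRID_TILEARRAY_OFF, "<I", arr)
    proc.write(arr + ARR_BOUNDS_OFF, "<II", bounds, rows * cols)   # bounds*, max_length
    proc.write(bounds, "<IiIi", rows, 0, cols, 0)                   # {len, lower} x 2
    for i in range(rows):
        for j in range(cols):
            tile = tiles + (i * cols + j) * 0x10                    # one Tile object each
            proc.write(tile + TILE_X_OFF, "<ii", i, j)
            proc.write(element_addr(proc, arr, 2, i, j), "<I", tile)
    return proc, grid


if __name__ == "__main__":
    proc, grid = build_sample_process()
    g = read_grid(proc, grid)
    print(g["dims"], g["origin"], g["tiles"][7][5])
```

Against a live game you would replace FakeProcess with CE's readInteger/readPointer/readFloat calls (or a pymem-style reader) and take the offsets from the dissector; the bounds check in element_addr is what keeps a typo in an index from dereferencing whatever happens to sit past the end of the array.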

A few final notes:

  • A permanent path to the theGrid instance can be found pretty easily with CE's pointer scan feature.
  • If you are working with a game that isn't using Mono in the future, I would definitely use ReClass over CE's “Dissect data/structures” menu

I’ll just leave these here also, in case you need them for anything:

Category: cheatengine
