Creating a cheat table for mono Unity roguelike game.

[ChronosMrk1]

The game is a single player rogue-like and I can find the values I want pretty easily after starting a run but it's a pain to have to do it every time so I want to make a table. I tried to use pointer scanning to make a table first but I couldn't find the pointers to the variables and found out that you can't pointer scan for unity games. This is the first table I've ever tried to make I apologize for my noobiness and I'd appreciate it if you can help me out with this. I do know how to code (mostly python, SQL, and R).

What I've done so far:
I've used ILSpy to find the public class "CharacterScript" where the private float variable called "stamina" is located. I go to cheat engine attach it to the game and activate mono features. I use the mono dissector to find the variable in the class "stamina". (It has an offset of 170 but the offset is useless in this case because for mono unity games you can't use offset, I think?) I find instances of class while the game is open and before a run has started and I find three (there are three characters in the game). But because the run hasn't started all their stamina values are 0. When I start a run There are now 7 instances. I find the 3 instances that correspond to the 3 characters. I add the addresses of those three instances to my address list as well as their stamina addresses.

But at this point I don't know what do do next. I tried to see what accesses the instance addresses and I got a list when I checked to see what writes to this address I get nothing. For the stamina values when I check to see what writes to this address for the stamina values then I get the address to the CharacterScript:ChangeStamina function with the code: # movss [rsi+00000170],xmm5. When I start a new run new instances are created and I don't know where they're coming from, pointer-wise. Every time it runs it calls the InitializeCharacter function and sets the stamina at max. So I know I can just edit the code there so that the characters always start with 9999 stamina. Or if I removed the ChangeStamina function the characters stamina wouldn't change but I want to be able to set and freeze the values at will, so I need a way to add the variable to the table on every run and on every start up.

I'd really appreciate any help anyone would be willing to give me. Or maybe a some hints at least.

[Friggin rando]

why dont you try this tutorial by Chris Fayte. This video goes through injection copies and should give you everything you need to solve your issue.

[ChronosMrk1]

why dont you try this tutorial by Chris Fayte. This video goes through injection copies and should give you everything you need to solve your issue.

This doesn't solve my issue. The injection part is pretty easy to understand. It's just that he's not using the mono features of cheat engine. Sometimes CE's Pointer Scan method doesn't work well with certain games. If the game is Unity, and uses mono, you may be able to use mono dissector (Built-in to CE). I'm trying to use the info from ILSpy as well as the dissect mono feature to find the pointer.

[ChronosMrk1]

Unless I'm misunderstanding what I'm supposed to get from this?

[Friggin rando]

Unless I'm misunderstanding what I'm supposed to get from this?

unless i'm misunderstanding what you are trying to do (please correct me if I am), you're just looking to have a pointer you can use to always have access to your stamina value at the beginning of a run. using injection copies, you can make your own pointers. you're saying that stamina is being written to by the opcode movss [rsi+00000170],xmm5. so its moving a float value into the address stored in the rsi register + offset 170. you can write a script to copy the address stored in the rsi register at the time of opcode execution into a symbol. Then you can just reference the symbols name as your base address for a pointer and add your offset and you will have a pointer for your stamina value when you have that script running. The only extra thing you might have to do is write in a compare to your script if multiple addresses are being written to by the opcode. considering you said that there are 3 characters with 3 unique values, you'll have to do a compare and make a separate symbol for each of them (but you can still put it all in the same script).

[bbfox]

There is no only-one answer here. This maybe a shared code for all characters.
Try to use built-in CE's tools:
on movss [rsi+00000170],xmm5:
find out what addresses this instruction access ==> dissect structure / open dissect data with selected addresses

Some games will crash here.

Compare the structure to identify what's the difference between characters/enemies.
The pattern may be in the dissected data, registers or stacks. In mono games, the most cases are in dissected data

[ChronosMrk1]

Unless I'm misunderstanding what I'm supposed to get from this?

unless i'm misunderstanding what you are trying to do (please correct me if I am), you're just looking to have a pointer you can use to always have access to your stamina value at the beginning of a run. using injection copies, you can make your own pointers. you're saying that stamina is being written to by the opcode movss [rsi+00000170],xmm5. so its moving a float value into the address stored in the rsi register + offset 170. you can write a script to copy the address stored in the rsi register at the time of opcode execution into a symbol. Then you can just reference the symbols name as your base address for a pointer and add your offset and you will have a pointer for your stamina value when you have that script running. The only extra thing you might have to do is write in a compare to your script if multiple addresses are being written to by the opcode. considering you said that there are 3 characters with 3 unique values, you'll have to do a compare and make a separate symbol for each of them (but you can still put it all in the same script).

Yes sorry, you are completely right that is what I'm trying to do. But from the code that he used in the video for the injection it looks like he used a static pointer as a base and I don't have a static pointer. And I tried to do the pointer map process and it didn't look like it worked and I got 0 pointers. Also I thought there was a way without using pointer map if you use the mono dissector with mono unity games. Am I wrong about this is doing a pointer map for multiple values then a pointer scan necessary every time?

Like in my labelled screenshots I posted for what accesses the current stamina value address and what accesses the CharacterScript class instance that the stamina value is inside. For most of these it says that it thinks the pointer is just the address of the class instance of 1628B2FF000. But the class instance is remade on every run and has a different address every run.

Accesses CharacterScript class instance (Which is made on every run for all 3 of the characters)

WhatAccessesCharacterClassInstanceAddress.png (84.42 KiB) Viewed 13257 times

Accesses stamina variable (Which is a field inside of the CharacterScript class with an off set of 170)

WhatAccessesChraracter1sStaminaValueAddress.png (50.08 KiB) Viewed 13257 times

[ChronosMrk1]

There is no only-one answer here. This maybe a shared code for all characters.
Try to use built-in CE's tools:
on movss [rsi+00000170],xmm5:
find out what addresses this instruction access ==> dissect structure / open dissect data with selected addresses

Some games will crash here.

Compare the structure to identify what's the difference between characters/enemies.
The pattern may be in the dissected data, registers or stacks. In mono games, the most cases are in dissected data

Okay so good new is that it didn't crash. But when I dissect structure I just get the ChracterScript class instance. Some of the values that seem like they may be function calls have pointers:

Screenshot 2024-12-24 185223.png (34.38 KiB) Viewed 13256 times

but the stamina value itself does not have a pointer towards it.

Screenshot 2024-12-24 185037.png (9.37 KiB) Viewed 13256 times

How would I make the stamina variable recoverable on each run and start up with this.
Sorry if the solution is obvious. I hope you can stick with me for a bit and help me out.

[ChronosMrk1]

I'm not sure what address I should use for the full injection.

[ChronosMrk1]

So I unfortunate the write instruction for each of the values for each of the characters are the same and will be the same for everyone of the stats since they're just instances of the same class. I made this crappy script to hopefully do a breakpoint after the write code executes then find which character it is. But honestly I've never coded in lua or assembly in my life so I barely know what I'm doing. Does it look right?

Code: Select all

[ENABLE]
alloc(newmem,$1000)
label(character1)
label(character2)
label(character3)
label(return)

registersymbol(character1)
registersymbol(character2)
registersymbol(character3)

newmem:
  cmp [rsi+unique_offset], value_for_character1
  je character1_handler
  cmp [rsi+unique_offset], value_for_character2
  je character2_handler
  jmp character3_handler

character1_handler:
  mov [character1], xmm5
  jmp code

character2_handler:
  mov [character2], xmm5
  jmp code

character3_handler:
  mov [character3], xmm5
  jmp code

code:
  movss [rsi+00000170],xmm5
  jmp return

character1:
  dd 0
character2:
  dd 0
character3:
  dd 0

255AF75F915:
  jmp newmem
  nop
return:

[DISABLE]
255AF75F915:
  db F3 0F 11 AE 70 01 00 00

unregistersymbol(character1)
unregistersymbol(character2)
unregistersymbol(character3)
dealloc(newmem)