Hi all,
this guide is based on the tutorial video from kraqurjak (sadly deleted, but there's a version from Cheat the Game, see the end of the post) and my own experience. Since I prefer to have written guides, I just try to deliver some of that on my own. Let me know how you like it.
A game engine which is quite commonly used is the Unreal Engine. Sometimes you can recognize such games by the Unreal logo; another hint is when the name of the exe file ends with -unreal.exe.
Usually it would be quite a bit of work to dissect such a game (to be honest: I'd fail at it), but luckily for us the cheater Cake-san has created an absolutely awesome table for us - a collection of scripts to almost automatically cheat Unreal Engine games. If you don't have a fitting game at hand, grab a copy of "Shadow Burglar" on Steam; it uses the Unreal Engine and it's free.
Getting playerbase address
Run the game and load his table into Cheat Engine. Now activate his script called "Unreal Engine". This will take a few seconds, after that you will see among some other things a section "PlayerBase" with an address.
Now we select this PlayerBase entry and press F5 to see which code accesses this very address. Most likely we will get several instructions, so check whether our playerbase address is the only one accessed by each of them. You will almost certainly find at least one instruction which only accesses the playerbase address.
In the case of "Shadow Burglar" I chose the code
Code:
ShadowBurglar_Unreal-Win64-Shipping.exe.text+2973177: 4C 8B 0F - mov r9,[rdi]

So, at this location we make a code injection to copy the playerbase address:

Code:
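[ENABLE]
// locate the injection point by its byte signature
aobscanmodule(pbase,ShadowBurglar_Unreal-Win64-Shipping.exe,4C 8B 0F 4C 8D 44 24 40 48 8B D0)
alloc(newmem,$1000,pbase)

label(code)
label(return)
label(playerbase)

newmem:
  // rdi holds the playerbase address here, so copy it into our own variable
  mov [playerbase],rdi

code:
  // the two original instructions that the jmp below overwrites
  mov r9,[rdi]
  lea r8,[rsp+40]
  jmp return

playerbase:
  dq 0

pbase:
  // 5-byte jmp plus 3 nops replace the 8 original bytes
  jmp newmem
  nop 3
return:
registersymbol(pbase playerbase)

[DISABLE]
// restore the original 8 bytes
pbase:
  db 4C 8B 0F 4C 8D 44 24 40

unregistersymbol(*)
dealloc(newmem)
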
So, now we have a script which successfully copies the correct address of the playerbase. Before you do something else: save your table!
Sometimes the scripts tend to crash Cheat Engine and we don't want to start over.
Dissect the data playerbase address
Activate our newly created script. Of course you will not see any difference, but we now have a new variable called "playerbase" at our disposal.
So below our script, add another address manually. Set it to be a pointer with base address PlayerBase and offset zero.
Here comes the real magic: from Cake-san's script collection, activate the entry "Enable UE Structure Lookup". This will integrate his scripts into the "dissect data" function (Ctrl-D).
Invoke the "dissect data" window, use [playerbase] as our address and let CE create a new structure. You will notice the name of the structure is not the common "new structure" but instead has a name like playerdata_C or something. And there are lots of useful values including a full descriptive name! Awesome!
Now deactivate every single script except our own one, because we only want to keep the [playerbase] variable, and save your table again. The risky part with chances of crashing is now over.
Create table entries using playerbase address
Walk through the entries of the "dissect data" window. At every entry which sounds interesting, select it and press "A" to add the entry into your address list.
What makes this way so awesome: every single entry in our address list will now automatically read "[playerbase]+xxxx". So when you are done with the dissect window, you can simply drag & drop the created entries below our script which gets the playerbase address and we're done.
Video from Cheat The Game:
The Next Level
There has been another video by Kraquarjak but it is deleted, sadly. But happily, I've saved a copy on my NAS (really handy to have 10 TB free space sometimes). I like this guy, but he's no Chris Fayte, so I found this 1-hour video somewhat hard to follow.
Doing as advised before, you'll end up with a table which uses an AOB Injection to get the current Playerbase Address, below the script there are the entries of interesting values with offset-addresses like +1a0. Now, in most cases these offsets will not change even when there's a new update to the game. But it can happen, depending on how much the developers are changing in the data structures. In these cases, it is worth the effort to use this way...
You are able to use the names instead of the offsets. Let's say you have a dissect table named player_c and there is at offset +150 the entry healthvalue. Using the "old" way described above you will get an address [playerbase]+150. Now you can change it into [playerbase]+player_c.healthvalue; Cheat Engine will look up the offset in the dissect data, find the +150 offset and use it.
Now if the game changes, you would just update the dissect data and ta-daaa, your table is up to date again.
Of course you'd need to leave the dissect-data information in your table when releasing it. And/or you could add some code to your table alongside the dumper and populate the needed structures automatically, almost the same thing as in using the UE Dumper.
Code:
-- Lua: create the structures by name (needs the dumper scripts loaded)
createThread(function() ue4createstruct('/Script/Engine.GameEngine', 'GameEngine', 0) end)
createThread(function() ue4createstruct('/Script/Engine.GameViewportClient', 'GameViewport', 0) end)
createThread(function() ue4createstruct('/Script/Engine.GameState', 'GameState', 0) end)

have fun,
Marc
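
Why name-based offsets survive a structure change, as an added example that is not part of the original post: a small Python model of the [playerbase]+player_c.healthvalue lookup over a constructed memory image. The second layout, the armor and stamina fields and all addresses are assumptions made up for the illustration, and this is not Cheat Engine's own resolver.

```python
import re
import struct

# Constructed "dissect data": structure name -> {field name: offset}.
# player_c, healthvalue and +150 come from the post; the rest is made up.
STRUCTS_V1 = {"player_c": {"healthvalue": 0x150, "stamina": 0x154}}
# Hypothetical layout after a game update: a new field shifts healthvalue.
STRUCTS_V2 = {"player_c": {"armor": 0x150, "healthvalue": 0x158, "stamina": 0x15C}}

TERM = re.compile(r"\s*([+-])\s*(?:(\w+)\.(\w+)|([0-9a-fA-F]+))")

def resolve(expr, symbols, structs, read_ptr):
    """Resolve '[symbol]+struct.field' or '[symbol]+hexoffset' to an address."""
    expr = expr.strip()
    m = re.match(r"\[(\w+)\]", expr)
    if not m:
        raise ValueError("expected '[symbol]' at start: %r" % expr)
    addr = read_ptr(symbols[m.group(1)])   # dereference the pointer variable
    pos = m.end()
    while pos < len(expr):
        t = TERM.match(expr, pos)
        if not t:
            raise ValueError("cannot parse %r" % expr[pos:])
        sign, sname, field, hexoff = t.groups()
        # Literal offsets are hex; named ones come from the current dissect data.
        off = int(hexoff, 16) if hexoff else structs[sname][field]
        addr += off if sign == "+" else -off
        pos = t.end()
    return addr

def make_process(structs, health):
    """Fake address space: pointer slot at 0x1000 -> player object at 0x2000."""
    mem = bytearray(0x3000)
    struct.pack_into("<Q", mem, 0x1000, 0x2000)
    struct.pack_into("<f", mem, 0x2000 + structs["player_c"]["healthvalue"], health)
    read_ptr = lambda a: struct.unpack_from("<Q", mem, a)[0]
    read_f32 = lambda a: struct.unpack_from("<f", mem, a)[0]
    return {"playerbase": 0x1000}, read_ptr, read_f32

def read_health(expr, structs):
    """Read the float a table entry points at, for a game built with `structs`."""
    symbols, read_ptr, read_f32 = make_process(structs, 100.0)
    return read_f32(resolve(expr, symbols, structs, read_ptr))

if __name__ == "__main__":
    for name, layout in (("v1", STRUCTS_V1), ("v2", STRUCTS_V2)):
        for entry in ("[playerbase]+150", "[playerbase]+player_c.healthvalue"):
            print(name, entry, "->", read_health(entry, layout))
```

With the updated layout the hard-coded +150 entry silently reads the neighbouring field, while the named entry follows the refreshed structure definition.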
