Soccer Gaming Forums
Registration is free! Calendar Find other members Frequently Asked Questions Rules User CP Tools Home


Go Back   Soccer Gaming Forums | FIFA Forums, FIFA Mods, Futball > FIFA Series > FIFA 13 Forum > FIFA 13 PC Editing Forum

View Poll Results: Your thoughts about the TUT
Amazing!! 12 48.00%
Good 10 40.00%
Not so Good 0 0%
duh 3 12.00%
Voters: 25. You may not vote on this poll

Reply
 
Thread Tools Search this Thread Rating: Thread Rating: 59 votes, 5.00 average. Display Modes
Old 27-12-2012, 11:16:AM   #1
MichaelCorleone
Youth Team
 
MichaelCorleone's Avatar
 
Join Date: Nov 2012
Location: Sicily.
Posts: 213
MichaelCorleone is on a distinguished road
Modding FIFA 13 With CE - Cheat Engine Tutorial for Beginners

Cheat Engine Tutorial For Absolute Beginners

I’ll be sharing with you what I have learned about cheat engine and its possible uses in game modding. Just to list a few of the things that I have been able to edit in Fifa 13 in my less-than-a-week on and off messing around with cheat engine -
Ball Placement
Ball Velocity
Friction
Ball Stickiness
Air Thickness ( affects ball curve dramatically)
Ball spin
Number of players on field ( so far in practice match)
Camera movement ( complete up-down-left right, any angle)

List can go on a little longer but I’ll end it with saying that If you know how to use cheat engine and you can put your rational abilities into it , you can pretty much edit every single thing in Fifa ( or any game at that). If this sounds interesting then feel free to read on. The things I have just listed are just the tip of the iceberg as you may now see.

The good news is that you don’t need to be an expert in programming to achieve what you want with cheat engine ( though it helps no doubt). I am no expert myself. I don’t know a single computer language and know how to just operate a pc. What I listed above is a simple result of messing with it for just 4-5 days. All you need is being good at operating a pc. Leave the rest to me. Lets start.


LETS START

Ok. So go to www.cheatengine.org and download cheat engine 6.2. Its completely free with no strings attached whatsoever. DarkByte is the creator. If you want to Honor his effort do this by making some donations. Make sure you download version 6.2 of the CE.

Before I ask you to open Cheat Engine. Let me make some points clear. As I said earlier I am no expert , so the terminology I will be using may range from noobish to elite. The meat of the tutorial is to make you able to use CE and not to debate over RAM or ROM, memory or address, this or that etc etc. The thread is not for this purpose.

Lets begin with the introduction to some important terms ( no debate over how I define them)

Address - “0016B454” this is an address. It’s a location in memory that stores a particular value.

Value – It’s the value that a particular address holds. For eg: the value of the address that holds ‘the number of players’ will be 11 ( in 4 byte, not in FLOAT because no. of players don’t require decimals, it can only be a whole number).

Types of values are Binary (1,0 – on,off), byte, 2byte, 4byte, Float, Double, String (text), Array of Bytes.

The disadvantage of byte values are –
1. Depicting values in negative (-) is not possible
2. Decimels are not possible ( i.e 2.2 cannot be written in 4 byte).

The advantage of bytes is that you don’t need to depict simple numbers such as 11 in decimals. The value of 11 in float will be 1.541428311E-44 :P. No point in translating it into float values.

Float and Double ( called ‘double float’ too) values support decimals. If you want to depict the position of ball on the field you would use float values simply because they let you go into detail regarding where EXACTLY the ball is . Byte values cannot go into such detail. A single addition in a byte can mean that the ball moves 50-60 meters.

So if you are searching for a a certain value within the memory. You can search better If you know what the value is possibly in. Common sense may tell you that ‘No of players’ will never be in float values because that much detail is simply not needed. And ball position, acceleration etc values will never be in bytes because ball position requires precision.

Almost all the values in FIFA are either in 4byte or float ( like all modern games). 4bytes for non-decimals. Float for values that require decimal level precision.

Now lets begin the practical part of the tutorial.

open your cheat engine. This is how it should look like -




There is an inbuilt tutorial within cheat engine which I recommend you do sometime. For now , be with me.

Add this line in the Product.ini file –
(FULLSCREEN=0
SCREEN_WIDTH=800
SCREEN_HEIGHT=600

This will make sure your game opens in windowed mode so that you don’t have to go in and out of the game the tough way.

Now START Fifa..

Start a match. And pause it there.

Now click the PC icon on the top left of CE to open the list of processes. Select FIFA 13 from the process. The CE has now attached itself to the game.





Now go the camera setting of the game and make sure it is set to custom instead of default. Set the slider value of height to 20. Now get back to cheat engine. We are now going to search for the address for the Cam Height. We know that the value presently is 20 and we also know that the value will be in 4bytes because the slider does not have any decimal point movements. We will be using this to begin searching for the Camera address.

Put the value 20 in Value text field on the CE main screen. Make sure that value type is 4byte and scan type is ‘Exact value’. Now press ‘First scan’ button. Here is what you should get when you do that.. A lot of results I know . Notice the ‘Found: 38,927’ on the left side. And notice the address row accompanied by the value row. This is how the CE window looks like now. If not then you’ve done something wrong.




Now go into the game and slide down the height slider to 10. Come back to CE. Now we know that the address we are looking for has changed its value to 10. So we are now going to scan for the value 10 from the 38,000 addresses that came up after the first scan.

Now put 10 where you put 20 earlier. And click Next Scan. WARNING: (Don’t click New scan.) The moment you click it you are left with just 25 addresses. These were the addresses that changed to 10 when you moved the slider. TO narrow down further we are again going to move in-game slider. Lets move it to 7. Do it and come back. Now put 7 in value and do another ‘Next Scan’.

I am now left with just 3 addresses. Try changing each one of the address values one by one and see which affects the game. Change it to 100 to notice effect. Go into the game and move out of settings and resume the game. Did any of the address have an effect?. One surely will. Double click that address to add it to the address list below. Press CTRS+S to save your discovery. Every time you change the value of this address , the height value will change. I hope you understood the basics of finding an address that holds the value you want to change. In brief -

1. First scan initial Value
2. Change the value from the game and Next scan the next value.
3. Do step 2 until you are left with a few addresses
4. Change each one of them to see which actually has an effect.

SIMPLE.


Chapter 2 – Pointers -


If you are excited at your discovery of finding the address where FIFA stores its cam Height value then just wait till you close the game and restart it again. Do that. Close the game as well as CE. Make sure you have saved your discovery ( is saved as a .ct Cheat table file). Please close the game or you won’t be able to learn one of the most important skill I am about to teach you now.

Ok restart FIFA 13. Restart CE. Select FIFA process in CE. Load your saved table by pressing CTRL+0. Start match and pause the game.

What do you notice has changed in CE?.. Yup, the value of the address you saved has changed. This is because FIFA has now allocated that address to some other setting or factor. Its no longer the address that holds the value for Cam Height. This is known as Dynamic Memory Allocation Aka ‘DMA’. All the modern games use DMA to protect the game from being hacked so easily or at least permanently so easily. Every time a game is restarted the addresses move up or down to change where particular values are stored. That is what happened with your ‘discovery’, it got shifted somewhere else and this address that you had found and have now is holding the value of something else and not cam Height . Worry not, there are ways to discover permanency even in DMA. This is where ‘pointers’ come into picture… Pointers will help you to find a setting once and for all.

Before I begin to tell you the procedure to find pointers, this needs to be known -

There are two types of addresses. One are static addresses and other are dynamic ones. Static addresses are those addresses that do not change even when you restart the game or even the pc. They remain the same. Static addresses are shown in color green in CE and dynamic addresses are black always. Means green addresses will remain the same, the black addresses will change when the game restarts.

The address you found was a dynamic address and it can be a product of -

A Static Address’s Value + Offset1+ Offset2+ Offest 3 + and so on.. = the address you found. Don’t worry if this does not make much sense now. It will soon.

Our job is to find the static address from which the dynamic address we found emerged. The relation between the static address and dynamic address is known as Offset. If static address is 237827 and dynamic address is 273627 then offset = 273627-237827. Even the game itself needs a static address to get to its Dynamically allocated address. The game does this by referring to a certain static address and then adding offsets ( which too are always static i.e do not change when you restart the game) to it to come across a dynamic address valid for this session.

Now lets get to practical stuff. I’ll explain further as we go on. All this will make sense more than ever then.

Ok. So find the Cam Height Value again with the same procedure as earlier. I don’t need to tell you how to do that. If so then go back and do the earlier step again until you get it. Ok , So I am assuming that you have got an address again that holds the value of Cam Height for this session.

Notice how the last four letters of the new address are the same as earlier one . Only the first few letters have changed. Ok, Now were are going to find the pointers for the address. Before that change the value of the new address and make sure that it is the right address by checking the effect in-game. If done then carry on.

Now what we are going to do is find out what writes this address. Whatever writes this address is what that changes the address. If we can find that , we can go a little deeper and a little closer to the static address from which this address is calculated and allocated. WARNING: Before you carry on , go to (in CE) EDIT>SETTINGS>Debugger Options> and select ‘Use Kernelmode Debugger’ and tick ‘ability to step through kernel code’. If you don’t do this , your game will crash the very moment CE tries to read what accesses the address. Do this and carry on..

Now right-Click the address you have found ( hope you’ve already added it to the address list ) and select ‘find out what writes this address’, a new window will open. CE is now spying on what accesses and writes to this address. All you have to do now is go into the game and change the cam height value. The moment you do it , a line should pop-up in Scan window. Here is the line that comes up for me once I do that.




Click stop and double click the line. This window should show up now. ( note: The numbers will be different for you. Don’t get confused).




1a8 is the offset here. 17034500 is the value you’ll need to search for to find the address to which 1a8 will apply as offset to produce the address that presently holds the value for cam Height. Don’t close this window

Do this. Put the value (17034500) in value search and and an address will come up with the value you just put. Please tick the ‘HEX’ on the left side before you fill the value. If more than one addresses come up then its usually the one that is higher in the search. Usually not more than two address will come up. Now click the add address manually button in the bottom right above the address list.




A new window pops-up. Tick the pointer (5). Fill the address that the value had . Fill the offset ( 1a8 in my case)(7). Now notice how the faded out address above in the box shows exactly the value of Cam Height. This is a sign that your combination of address and offset have managed to sum up into the required address.

CLICK OK…




The pointer is now added to your address list . Notice how there is a ‘P>’ there. It means ‘pointer points to’. What is written after the P> is the address it is presently pointing to. This pointer will always recalculate the correct address even of you restart the game. At least that is what it should do. But there is another twist here. Did you notice that when you searched for the value 17034500 ( or what came up in your case), the address that came up was not green color but black. This means there is a high chance that the next time you turn the game on, this address too may have changed. See -

170346a8 ( Address for cam value for this session) = 0d2befa4 ( too a dynamic address) + 1a8 ( the offset)..

But the next time you turn the game on the address ‘0d2befa4’ may be replaced by something else ( remember DMA) which would not return the address of cam value when added with offset 1a8. It could be something like this ..

Pointer = od2fc347 +1a8 = whatever comes here will not be the address you wanted because the very address on which 1a8 is being applied has shifted.

So it becomes very important to be able to find static addresses. We know that neither the static address shifts position , nor does the offsets to be applied on it do. The only thing that changes is that the value that static address has. This is a trick that DMA applies. The value of the static address is actually not a value but yet another address. From the static address the game finds what the address is to which offsets are to be applied . Otherwise there is no way for even the Game itself to know where its storing what . So in simple words, If you can figure out the static address. All that is needed are the offsets to be applied on it. Whatever address then comes up is the true address for cam height for this session. When you close the game and restart. The pointer from the staic address will itself recalculate the value of the newly allocated address for cam value. Hope this makes some sense .I am trying my best. This will become crystal clear once you start messing around on your own.
The best way to find static addresses is to use the pointer scanner function. The method applied above has its own uses which will be discussed later on. But as I said the pointer scanner is the most time saving and efficient way to find static addresses with offsets pointing to the address you want.

Lets begin…

Right click the address for cam value and select ‘pointer scan for this address’. This screen should come up.





0. This is the value for which a static address wil be searched for ( Static address + offsets = this address)
1. Makes sure this is ticked. You know why.
2. Make use of the offset you found. You can leave it blank if you want to. No big deal. Pointer scanner will still come up with good results.
3. 3 is often enough in case of Fifa 13. There are games though that have 11 level deep pointers. Means you have to go down 11 offsets to arrive at a static address. Even 2 level is enough in FIFA 13. But just to make sure select one more i.e 3 levels.

OK> click OK, save scan file ( give it a name) and wait for the scan operation to finish. It can take some times but is worth it. This is what I get -





3 -- Base Address – These are the static addresses that potentially point to out Cam-height Address. These are green addresses that will never change whatever happens. These will be there doing the same job.
4 – Offsets that need to be applied to base address to calculate Cam-Height Address. Applying Offset simply means adding offsets as +.
1- This is a two level pointer with static address. Means Base Address + Offset 0 + offset 1 = 170346a8.

2. A 3 level pointer . Means Base Address + Offset 0 + offset 1 + Offset 2 = 170346a8. The rest too are 3 level pointers.

CONTINUED
MichaelCorleone is offline   Reply With Quote
Old 27-12-2012, 11:24:AM   #2
MichaelCorleone
Youth Team
 
MichaelCorleone's Avatar
 
Join Date: Nov 2012
Location: Sicily.
Posts: 213
MichaelCorleone is on a distinguished road
Double click all of these pointers to add them to your address list. Save your cheat table. I have asked you to add every pointer to address list because there is always a chance that even some of these pointers may start pointing to some other address once the game is restarted or the pc is. So lets not take the risk and add them all. Please save your work now by pressing ctrl+s..

Ok so this is how my address list looks like now.




Now what I am going to do is close the game. Close CE too. And restart the game and CE. Open my cheat table. Theoretically this is what should happen. ‘OLD ADRESS’ should not work ( or by co-incidence may be again allocated the CAM-Height Value). ‘WORKS NOW” address should stop holding CAM-HEIGHT VALUE TOO. A level 1 pointer should too not work because it had a dynamic ( not static) address as the base address. But I am expecting all of the ‘pointer results’ to point to the new address Allocated to ‘cam-height. The value too should show up the same as it is in Camera settings in-game. Ok. Lets see. Restart everything. (you too do). And start a match again and pause.

Here is what I now get …




Wallah!! . Just as expected pointerscan result returned the correct value. More importantly they calculated the newly allocated address spot on. The earlier address was 170346a8, the one now is 170a46a8. ‘Works now’ address no longer works. ‘OLD ADRESS’ does not too. But wait a minute! The 1 level pointer works. You can see it is pointing to the right address.

Here is a simple explanation for this. Even 1 level pointers tend to work when the pc has not been restarted yet. And only the game has. Once the pc is restarted thought they fall like a pack of cards. But the ‘pointerscan results’ will stay forever. Even on other pc’s.. This is how trainers are made i.e using pointers. So the best practice is to
1. Find a pointer with static address as the base
2. At least 2-3 level deep pointers are good.

AND The best practice is to add 50+ ( if you get this much) pointers to your addresslist and restart the game to see how many of them survive. Delete the ones that start pointing to some other address. Then restart the pc and see the pointers that survived still. These are the pointers that are permanent. Use any one of them. You can even delete the others.

pointers are your doorway to not having to calculate the addresses every time you restart the game.
Before I end this chapter on pointers there is one thing I’d like you to know.

‘Base address’ ( static) has a ‘value’. The offsets are applied to the ‘value’ and not to the base address. The base address always remains the same. The ‘value’ it has changes. The game finds the address allocated to a certain setting by reading the ‘value’ of a base address and then applying certain offsets ( which too remain unchanged always) to it. Here is the trick of DMA. The ‘value’ of base address is not actually a value but simply an address disguised as ‘value’. This value changes everytime you restart the game. What this actually translates into is that the address to which offsets are applied to generate a certain address changes. The only way for the game to know the ‘changed address’ to which the offsets are applied is by referring to the static base address and reading its ‘value’ and assuming it not to be a value but an address. This is the very trick we use to create pointers. We find the static base address. When we add offsets , what actually happens is that offsets are applied assuming the ‘value’ of base address as yet another address itself. After the operation of offsets what comes up is the newly allocated address ( to a particular setting). Hope this clarifies something.

This is all for this chapter.

To Sum it all up –
1. Addresses store values. Changing values has an in-game effect whether visible or not.
2. Dynamic addresses, depicted in black, change every time the game or pc is restarted. Static addresses , depicted in green, are always the same.
3. DMA means dynamic memory allocation. This means that addresses keep shifting at each restart of game. It’s a protection method many games use.
4. Because of DMA , we need to figure out a way to recalculate the address each time. So what we do is we use the very trick the game itself uses to recalculate the address i.e read the value of a static address and then apply the offsets. Pointers come into picture here.
5. Pointers are simply a set of <Base Address +Offsets> that equal ( point to) a certain address. If the base address is dynamic, the pointer fails to point to right location once the game is restarted. If the base address is green though, the pointer will always recalculate and point to the newly allocated address for a certain setting or factor. This happens because neither the base address changes nor the offsets when the game is restarted.
6. Finding pointers is important because you don’t want to figure out where a certain setting/factor is every time by rescanning.
7. Byte values are mainly used for non-decimal values like ‘no of players’. Float/Double values are used mainly for values requiring pin-point precision. Binary values are used for on/off settings mainly but in FIFA 13 it seems that 4byte is used for that purpose too.


The next chapter will be about ‘Dissecting Data Structures’ – a very important skill.

And after that the last chapter will be about ‘tricks of the trade’ when trying to search for always moving values or when you don’t have any idea what the initial value could be like the location of the ball on the field, r even when you don’t know if the value has increased or decreased.


Rest of TUT may just be an extension with other random things...

Last edited by MichaelCorleone; 27-12-2012 at 11:27:AM.
MichaelCorleone is offline   Reply With Quote
Old 27-12-2012, 11:24:AM   #3
Grafsky
Senior Squad
 
Grafsky's Avatar
 
Join Date: Feb 2012
Posts: 1,637
Grafsky has a spectacular aura aboutGrafsky has a spectacular aura about
very useful
Grafsky is offline   Reply With Quote
Old 27-12-2012, 02:24:PM   #4
MichaelCorleone
Youth Team
 
MichaelCorleone's Avatar
 
Join Date: Nov 2012
Location: Sicily.
Posts: 213
MichaelCorleone is on a distinguished road
Chapter 3 – Dissecting Data/Structures


Start Fifa 13. Open CE. Open the cheat table you saved ( the one with pointers to Cam value). Start a match and go into the camera settings. Come back to CE. Don’t be surprised if only one of the pointers is pointing to the right address. Delete all other pointers except the one working. Or choose simply the one with less number of offsets among the working ones. This is what your address list should look like after deleting all except the one pointer.



Now copy (ctrl+C) and paste (ctrl+v) the pointer a few times. This is how your address list should look like then should look then –




Now we are going to leave the uppermost pointer alone and come to the second one. Double click the pointer address. In the window that comes up , notice the uppermost offset. Any change we make to this offset will have a change in regards to which address the pointer points to. If You add 4 into the offset ( 1a8+4 = 1ac) and the address will change by a value of four.



The simple point is that this is one of the way to change the address. But the meat of it is in the reason I am talking about changing the address a little.

Do this. Change the 1a8 to 1a0 i.e decreased by 8. Don’t exit the window yet. Notice the value of the faded out address above. Now go into the game and move the ZOOM slider. Simultaneously notice if it makes any change to the value of the faded out address. It does!! So, you’ve found the permanent pointer to the zoom settings without having to go through value searching and pointer scanning.


Here is the point. Fifa 13 like all other games saves values in groups. If you have found one of the addresses in the group there is high chance that the adjacent or related settings/factors are lying at a difference of +- 4,8,12,16,20,24,28 and so on. Merely changing the Cam-height address by 8 landed you at the cam-zoom address. In a very similar manner every single setting surrounding is lying close to the address of cam-height.


As an example, do this. Where the offset was 1a8 earlier , add 10 i.e change the offset to 1b8. What do you get the value of. To know, try moving the sliders to see which one affects the value of address with offset 1b0. Wallah!! You’ve found the address of Pro-Cam-Zoom value. I hope you get the point. Put simply, once you’ve found one address to a certain characteristic , you can be sure that surrounding addresses are related addresses and are worth exploring to save your time.


As a further illustration of my point, if you can find the Y position of the ball ( length of the pitch), you can immediately find X ( width of pitch) and Z ( vertical) values if the positioning of the ball. You can then modify the values to teleport the ball around.

One way you can go about exploring surrounding addresses is to keep changing the offsets up or down to see the effect. This is how I started doing it. I did it this way until I discovered the data dissector. Now we are going to use our cam-height address with data dissector to explore what surrounds it.

Delete all other pointers except the first one. Right-click the first one and select ‘Browse this memory region’. This screen should pop-up -





In the menu-bar above, go to - Tools> Dissect Data Structures. Or simply use CTRL+D. A window should pop up. Notice the address on top left. This is the region of memory we will be exploring. Don’t do anything to it. Simply go to structure>define new structure > Click Ok> Click Yes> CLICK OK. This screen should come up -





The first row is Offset. The second row is value type. You’ll see a lot of float values when we are in regions that deal with ‘physics’. Here there are only 4bytes because decimal level precision is not required. Notice how there are numerical followed in the next columg by CDCDCD…. Our interest is in the numerical. Leave CDs alone. This whole window is like the ‘windows explorer’ where all the files are spread in front of you.

The uppermost value (20) as you may have guessed is the Cam-Height. If not sure then simply change the Cam-height slider in the game and see if it effects the 20 value. Now do this – go into the game and change every setting and notice its effect in the data dissector window. You can resize the data dissector to include more values in a single screen. As you change the settings in the game you would notice that certain values in the DD ( data dissector) change. Whatever value changes is the address for that particular setting/factor. By selecting that address in DD and pressing A you can add it to your address list where you can add a description to it.

What If I ask you to now find out the value of ‘Single player camera’. I mean if its tele, broadcast, end to end etc. You will try by changing the sp camera mode and seeing the change within the DD. Try this and see if you can figure out where SP camera value is stored…. I am waiting..

If you have found the value, good. If not, here is why. The SP camera value is above from where our DD starts. Any address lower than 171546a8 is not a part of the present window. To include it you have to move down the address. Just subtract 30 from 171546a8 ( use calculator with programming mode on). The value you get is 17154678. Paste this in the text field on the left ( in DD). You may notice how there is a shift in the values. Its because the focus of dd has now shifted down to a lower region. Now try searching for SP camera value by changing it. If you do not see any movement , scroll down a little in DD and carry on until you find the place where values change. Usually you’ll find it a little above where you found Cam-Height value. Any value you find in between these two too will be a part of camera settings in the game. You can recognize it and press A to add it to address list and then add description.

I hope you get the whole picture.

To sum it all up -

1. If you’ve found the address to a certain setting/factor there is high chance that all related settings are also bundled around the adjacent addresses. You do not have to search for each one separately. This is the good news.
2. A better way to explore a memory region is using the data dissector.

Nothing great but very useful. Little things that save time and effort. There are other advanced uses for data dissector which I myself am yet to learn. When I do , I’ll share.

Next chapter ‘tricks of the trade. How to find values hard to find?
MichaelCorleone is offline   Reply With Quote
Old 27-12-2012, 03:12:PM   #5
AndreaPirlo21
Potenza
 
AndreaPirlo21's Avatar
 
Join Date: Aug 2012
Location: Where rationale and irrationale intertwine
Posts: 2,021
AndreaPirlo21 is a glorious beacon of lightAndreaPirlo21 is a glorious beacon of lightAndreaPirlo21 is a glorious beacon of lightAndreaPirlo21 is a glorious beacon of lightAndreaPirlo21 is a glorious beacon of lightAndreaPirlo21 is a glorious beacon of light
Great job, MC. Not many go out of their way to make a nice tut. Even though I did most of this myself, I found this very, very useful.

Cheers
__________________
><

AndreaPirlo21 is offline   Reply With Quote
Old 27-12-2012, 11:53:PM   #6
regularcat
Manager
 
Join Date: Jun 2008
Posts: 12,688
regularcat is a jewel in the roughregularcat is a jewel in the roughregularcat is a jewel in the rough
good share for those who are interested, but i have moved the thread because it is a tutorial and not a mod, so it is now in the editing forum.

the poll is a little silly.

Last edited by regularcat; 28-12-2012 at 12:00:AM.
regularcat is offline   Reply With Quote
Old 27-12-2012, 11:57:PM   #7
$ido (F|G)
Senior Squad
 
$ido (F|G)'s Avatar
 
Join Date: Nov 2006
Location: 盖尔森基兴
Posts: 1,456
$ido (F|G) has a little shameless behaviour in the past
Send a message via ICQ to $ido (F|G) Send a message via AIM to $ido (F|G) Send a message via MSN to $ido (F|G) Send a message via Yahoo to $ido (F|G)
nice work MichaelCorleone thank you for sharing this stuff with us!
__________________
Legends may sleep, but the never die...
Twitter | Facebook | YouTube
$ido (F|G) is offline   Reply With Quote
Old 28-12-2012, 07:20:AM   #8
MichaelCorleone
Youth Team
 
MichaelCorleone's Avatar
 
Join Date: Nov 2012
Location: Sicily.
Posts: 213
MichaelCorleone is on a distinguished road
Chapter Last - Cracking Tough Nuts


Lets begin what is possibly the last chapter of this tutorial. Before we begin let me make clear something I already should have. You and only you are responsible if you use cheat engine to cheat on online games. If you got you or anyone else into trouble , you are solely responsible.

OK, In this chapter I’ll be demonstrating how to find the locations of tough values. Tough values are the ones that have any of these characteristics –

1. You don’t know the range of values. It could be anywhere from 0-9999999. So you are out of idea where to begin from.
2. You cannot manipulate the value. You could move the slider earlier but there will be values you cannot be easily manipulate in-game and this makes it hard to be able to detect the values.

3. You don’t have an idea if the value has decreased or increased. Imagine ball location. How do you figure out if the left is the (–) side or the right is.

4. Then there are values that are completely static and lying deep down somewhere. AN example can be gravity. Gravity in FIFA as far as I can tell does not undergo any change. As it contributes as a factor to many of the physics related movements in the game , its lying somewhere deep down in the memory structure off-shooting into various factors. Such values are not easy to find unless you have some idea of the range between which they are.

Before we begin let me shed some light upon two types of values. Values can be broadly divided into two – Display values and Real Values. Real values are the actual values that make a change. The real value for ball location , if changed, will immediately teleport the ball. The display value if changed will have no effect as it is only reading from the real value. Display values are simple copies of the real values that are used for other purposes. Any change you make to display values will not have any effect on the game. The display value will simply return back to what it was because it continuously read from real value. Real value never changed , only display value did. What can be very confusing is that because display values are the copies of real value, they change exactly the same way i.e always have the same values. It becomes hard to find which is display value and which the real one of which display values are a copy of. In this tut, there will be two tricks to sepserate the wheat from the chaff.

I may have left something regarding tough values but lets just get to the practical part. I am going to guide you through getting to value of the ball location in the game. If you can find the ball location , you can easily teleport it anywhere. But the real good news is that once you find ball location of a single axis, other axis will be easy to find ( remember DD), not only that but all other physics related values are lying around. Finding the address for ball location means finding the address for all other ball related factors like – Ball acceleration, ball spin, friction etc etc.. So lets get going.. This can get long and tough but the end result is all worth it..

Open FIFA. And start a practice match with only a GK selected for the defending team. Start CE, attach to fifa 13 process and don’t open any table if it asks you to. We need a blank addresslist.

Though I have already found all the values regarding ball physics and that too after a lot of headache, but still I’ll be doing this again from scratch as part of the demonstration. This can get long and tough as I’ve told you.

Now when I started I had no idea what the value of ball location could be. All I knew was that the length of the pitch refers to the Y-axis, the width to the X-Axis and the Vertical to the Z-Axis. I decided to go for Y-axis. I did not know which side of the pitch was the (-) side and which the (+). I was pretty sure from My experience with other games that the initial place where the ball is placed at kick-off is 0. I assumed that the left is the (+) side and the right side is the (-) side. These were the basic assumption I started with. So lets start. ( there won’t be as many pics this time as you already know the basics of cheat engine).

In the value type select Float ( you know why). And now instead of selecting ‘Exact Value’ in ‘Scan Type’, select unknown initial value. The text field should disappear. The reason I am not selecting 0 as the initial values is that we cannot be 100% sure that 0 is the value at kick-off. Now click first scan. I found 571,969,536 addresses. We are now going to narrow down from here.
Now kick-off the ball ( hope you had the game paused till now). And take it to the right side a little. Then pause the game. Now we know ( or assume) that the ball location on Y-axis has decreased. So for the next scan, select ‘decreased value’ from ‘scan type’. Click next scan. Now notice how many addresses did you find this time. I found 1,971,272. Don’t worry if you have more or less. Now we are going to take the ball further to the right, then pause the game and do a ‘decreased value’ ‘next scan’ again. Ok do it now. I did it, and now I am left with just 425,013 addresses. Now we are going to bring the ball to the left , then pause the game, and then do an ‘increased values’ scan. Do it. I am now left with just 268,147 addresses.

Now keep the game paused. Now we are going to do an ‘Unchanged value’ scan. Select unchanged value and then click next scan. I’m left with 223,717. Keep clicking the next scan until the number of addresses stop decreasing any further. Ok after clicking next scan a 50 ir si times, I see its decreasing only at a snails pace. I am left with about 180,000 addresses. I hope you understand why we did the unchanged value scan – simply because we have paused the game and the ball is exactly at the same position as it was during the last scan. There are values that keep changing even when the game is paused, any of such value cannot be a ball location value.

Now take the ball further to the left. And do an increased value scan. I am left with just 75,162 addresses. I hope you get the idea of moving the ball and scanning accordingly. If you can go on doing this you will be left with around 1500 addresses.

After kicking the ball around for a little while, I am left with about 1300 addresses. Its becoming hard now to decrease it further. Its all about using your imagination now and you can decrease it further. HINT: Figure out what other factors are very similar to ball location and try filtering them out. EG – Ball location and ball speed are similar.

When the values are not decreasing any further, its time to take a gamble . You can lose all your work or you can gain what you want. Lets bring in our assumption of the center line being 0 on Y-AXIS. Now we are going to do a bigger than/smaller than scan. Take the ball to the left side of the center line, pause the game. Now in scan type select ‘ Bigger than’. In the value field put 0. Then do a next scan. I have 1300 addrsses. Lets see how many remain after this scan. NO big difference :P. I am left with 1,276. Now take the ball to the other side of the line and do a ‘smaller than 0’ scan. Do it. Now take the ball further towards the GK, close the D. Again do a smaller than 0 scan. OK, so nothing budges. We are stuck at 1,255 addresses. I told you to use your imagination back there.

Here is what I am going to do. I suspect that some of the 1,255 addresses are related the speed of the ball. So what I am going to do is. Bring the ball to center line and do a scan ( increased or decreased according to where I came here from). Then I am going to take the ball close to the opponent GK D. and kick it back to left side and pause it immediately ( 10,20 m away from the kicker). Technically at this point, the ball speed has increased ( left side is the (+) remember) yet the ball location has decreased ( in comparision to the last scan which was done at the center line). Now I am going to do a decreased scan ( or smaller than 0 scan) and I hope the addresses will go down… Wallah!! 400 addresses. Ok so that’s a big achievement because the closer you get to the address the lesser the rate at which addresses decrease. We still need to go down to at most 200 addresses before we can apply the next tactic.

Now do this. Score a goal. The ball should come at the kick off place, pause the game. Now do a scan for exact value 0. I am now left with 360 address after this scan. We are getting closer.
Now for the next tactic. We know that many of the values left are display values , only one is the real value. There is a minute difference between the time display values take to update a compared to real values. The further removed a display value is in the structure from the real value, the more time it will take to get updated ( theoretically). Before we go on any further save your scan results by pressing CTRL+ALT+S. You are going to take the ball and pass it to a player on the other side of the line. But you have to pause the game immediately as the ball crosses the center line. Be as quick as possible. Now do a smaller than scan( or bigger than depending on where the ball is now). The moment I do this, I am left with 327 addresses. This means 33 addresses that got struck out did not manage to get updated wuick enough and were still lingering in the previous position. Hope this is making sense. We are going to apply this trick again and again until there is no further decrease in addresses.

After doing this a few time along with some more increased/decreased scans, I am left with 280 addresses , we can begin the next tactic now. Add all the addresses to the address list. Before you begin, press CTRL+ALT+S. Now add all addresses by using shift and arrow key to select them. Right click and add to address lsit.
Now we are going to freeze the addresses in groups of 20.. i.e each time you are going to select 20 addresses and then freeze them. Select the upper 20 addresses ( approx) and press space. You’ll see a cross come to left side of selected addresses. This means that these addresses have been frozen to the value they have. Their values cannot change as long as they are frozen. Now go into the game and see if the ball is still moving. If it is then any of these is not the right address for ball location. Press space again to uptick and then press delete. And go on to the next two values and do the same. NOTE: you may come across a value that does not actually freeze the ball location but actuall alter the ball display value. The ball will flicker between its actual place and the one where a display values has been frozen. Do not mistake this for having frozen the ball location. You’ll see that the AIs are still moving towards the actual ball and not its stuck projection. Anyways, go on.

At a certain point in freezing values by groups , you’ll see that the ball actually cannot move the length of the pitch ie it can move up-down, and vertically but not horizontally. This means that the Real value for ball location has been frozen. In other words , its one the values in the 20 values you just froze. Unfreeze all the values and now freeze each value one by one and go to the game to see which one effects the ball location. You’ll soon arrive at the right value. Wallah!! You’ve found the value for the ball location.


In my case the address is , 0FC29120. Notice the last 4 letters. These letters are never going to change , only the first few will. You can now change the value of your address to see the immediate change in ball location. The ball should teleport to the location that new value points to. Here is some more good news.

Add 4 to the address you’ve got and you have the address for Vertical location of ball. Add another 4 and you have the X-axis location of the ball. I have already told you how to use the DD. Use that to explore the regions of this memory. You’ll find other interesting stuff such as ball speed, stickiness, bounce, friction etc…

By clicking ‘find out what writes to this region’ and then checking the addresses that write to this address in the DD, you have every chance of bumping into other deeper Static physics related factors such as ‘THE GRAVITY’.

But before you go on this endeavor, make sure you find permanent pointers to this address. And save them.

That’s it for now. This chapter was to give you a general idea of cracking tough nuts with your creativity. There are a lot of other things I have learned but these necessarily don’t ask for another chapter of their own. Mess around with CE and you will come across them.

This marks the end of the TUT. Extensions may come if I find something worth sharing. Thanks for being with me.

P.S - I may want to create a thread with list of permanent pointers to various factors in the game which you can contribute to too. Sharing addresses is much better for me than making encrypted exes in fear of getting my work stolen… See ya..

Last edited by MichaelCorleone; 28-12-2012 at 07:34:AM.
MichaelCorleone is offline   Reply With Quote
Old 28-12-2012, 07:22:AM   #9
MichaelCorleone
Youth Team
 
MichaelCorleone's Avatar
 
Join Date: Nov 2012
Location: Sicily.
Posts: 213
MichaelCorleone is on a distinguished road
Quote:
Originally Posted by regularcat View Post
good share for those who are interested, but i have moved the thread because it is a tutorial and not a mod, so it is now in the editing forum.

the poll is a little silly.
Yup. The poll seems silly to me too. Can it be removed now?

Sorry for the inconvenience of having to move it.
MichaelCorleone is offline   Reply With Quote
Old 28-12-2012, 07:26:AM   #10
MichaelCorleone
Youth Team
 
MichaelCorleone's Avatar
 
Join Date: Nov 2012
Location: Sicily.
Posts: 213
MichaelCorleone is on a distinguished road
I forgot to mention a few things .

1. The addresses for Practice match and real match are different. Real match address = PracticeMatchAdress + 7A0...

2. Freeze is not an actual freeze of the value. Its just the automation of putting a single value again and again. If you freeze something to 10 this means that CE will keep putting 10 there again and again. In Settings of CE you can even lower or increase the freeze interval.

Sorry for all the typos that I now see in the last chapter. Will correct the sometimes.

Last edited by MichaelCorleone; 28-12-2012 at 07:41:AM.
MichaelCorleone is offline   Reply With Quote
Old 28-12-2012, 08:12:AM   #11
goldfinger
Youth Team
 
goldfinger's Avatar
 
Join Date: Jan 2012
Location: Croatia
Posts: 329
goldfinger will become famous soon enough
Great turorial, corleone.
You can also change game speed (slow it down) with CE:
http://www.soccergaming.com/forums/s...d.php?t=175862
goldfinger is offline   Reply With Quote
Old 28-12-2012, 09:00:AM   #12
MichaelCorleone
Youth Team
 
MichaelCorleone's Avatar
 
Join Date: Nov 2012
Location: Sicily.
Posts: 213
MichaelCorleone is on a distinguished road
Quote:
Originally Posted by goldfinger View Post
Great turorial, corleone.
You can also change game speed (slow it down) with CE:
http://www.soccergaming.com/forums/s...d.php?t=175862

Yup. With speed-hack function you can do it. But the issue is it does not feel natural at all. It becomes slow in a laggy sense. This is not the same as slowing it down in game settings. When we slow it down from game settings, the game actually has a set rules that come into picture to slow the game rather than actually just toning down the speed.
MichaelCorleone is offline   Reply With Quote
Old 28-12-2012, 09:19:AM   #13
goldfinger
Youth Team
 
goldfinger's Avatar
 
Join Date: Jan 2012
Location: Croatia
Posts: 329
goldfinger will become famous soon enough
Ok. Did you manage to find another way using CE so it will affect all apects of the game (ball movement, player movement etc)?
Something like super slow setting in game settings (now we only have slow/normal/fast).
goldfinger is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump





































All times are GMT +1. The time now is 06:17:AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
You Rated this Thread: