Как найти entity list

Join Date: Apr 2020

Location: Germany

Posts: 1,007

Reputation: 36027

Rep Power: 122

Points: 68,883, Level: 38

Level up: 68%, 1,317 Points needed

Activity: 2.1%

Question to Discuss:
I’ve been using the method explained below which has been working for me for almost every single game so far.
However this often gives me several entitiy lists, that store the position of the entities only, but not anything else like health or amount of ammo and stuff like that.
I then have to search manually through each of these Entity Lists, to find the one that also has additional information such as health.
To just find an Entitiy List that stores the positions it takes me 2-10 Minutes, but to find an Entity List that stores multiple Information I need up to an hour.

So I’m curious if there is a better or faster way to directly find the entity list, that stores all of the information such as health, position, ammo, and not just the position of the entities.
My guess would be reversing the game structure in IDA, however I’m not that experienced with IDA yet, and have no idea if it would be faster, or the same «struggle» to reverse and find the correct entity list with it.
So if someone has a better / faster method feel free to share it below

How I find Entity Lists (short version):
So in my case I’m using Cheat Engine to find the Entity list.

1. Search for the local player position, which returns a list of results.
2. Remove «lagging» positions that don’t update as smooth as the other ones.
3. Check which instructions accesses the position and see if they continue to access the position when not moving or tabbed out of the game. If no instruction is shown, remove the address.
4. Check «what addresses this code accesses» to see if the instruction writes to the positions of other players, in addition to the own local player position.
5. If it also accesses other Player Positions Double-click each of the position addresses that are displayed inside the «accessed addresses window» to add them to the address list and subtract the position offset to get the base address.
6. Find the locations in memory where each base address is stored, and copy all results to the address list, renaming them with increasing numbers for each entity.
7. Sort the list by «Address» and look for a sequence of addresses that are 4, 8 or more bytes bytes apart, indicating an entity list.
8. If an entity list is found, use pointerscan to find the address of the list and loop through it to find the position of each entity by adding the offsets back.

If you want the more detailed version:

I also recorded a Video of me just finding a random Entity List which stores the Player Positions in Arma3 using the explained method above (in case someone cares).

__________________

Last edited by iBaseult; 26th December 2022 at 05:47 PM.

Join Date: Dec 2022

Location: Benelux

Posts: 151

Reputation: 2092

Rep Power: 15

Points: 3,450, Level: 5

Level up: 82%, 150 Points needed

Activity: 6.3%

Thank you so much for making this,
This is exactly what i needed

Have a nice day

__________________

Last edited by 33c0c3; 26th December 2022 at 06:36 PM.

Threadstarter

Join Date: Apr 2020

Location: Germany

Posts: 1,007

Reputation: 36027

Rep Power: 122

Points: 68,883, Level: 38

Level up: 68%, 1,317 Points needed

Activity: 2.1%

Well it works fine, just wondering if there is a faster method but feel free to use it

__________________

Join Date: Dec 2022

Location: Benelux

Posts: 151

Reputation: 2092

Rep Power: 15

Points: 3,450, Level: 5

Level up: 82%, 150 Points needed

Activity: 6.3%

I am trying it now but this seems faster than what i tried

Have a nice day

———————

I am trying it for the game cgso right now but i end up with 440 addresses, it doesn’t go down do i need to check all 440 value’s?

__________________

Last edited by HX73D; 26th December 2022 at 06:07 PM.

Join Date: Nov 2013

Location: Turkey

Posts: 739

Reputation: 3897

Rep Power: 243

Points: 15,114, Level: 16

Level up: 9%, 1,286 Points needed

Activity: 9.5%

__________________

Join Date: Apr 2017

Posts: 88

Reputation: 790

Rep Power: 148

Points: 5,651, Level: 8

Level up: 23%, 849 Points needed

Activity: 4.8%

Join Date: Apr 2020

Posts: 965

Reputation: 37168

Rep Power: 123

Points: 56,793, Level: 35

Level up: 49%, 1,907 Points needed

Activity: 22.9%

Join Date: Jul 2021

Location: WorldWide

Posts: 10

Reputation: 149

Rep Power: 45

Points: 1,382, Level: 2

Level up: 97%, 18 Points needed

Activity: 7.9%

Join Date: Aug 2020

Posts: 16

Reputation: 10

Rep Power: 67

Points: 2,048, Level: 3

Level up: 93%, 52 Points needed

Activity: 17.1%

Join Date: Feb 2020

Location: Agartha

Posts: 1,189

Reputation: 37923

Rep Power: 129

Points: 44,579, Level: 31

Level up: 99%, 21 Points needed

Activity: 11.4%

I honestly feel like static analysis is much faster, not just for this but for a lot of things i see people use CE for. I end up using ce for its memory viewer mostly.

Once you realize you can just rebase to 0x0 (or use this if ur worried about stuff breaking which has never happened to me at least in a game hacking context) you can pretty much do most of your searching in ida

Now i have no idea if this is still viable in games with virtualization/obfuscation as those would make static analysis a lot harder but i dont play or cheat in games so i only do this stuff out of curiosity and its been working perfectly fine for me.

Usually my «»»»workflow»»»» is: find stuff related to what i wanna do in ida (via xrefs and stuff, this is probably way harder to do in some games and cheat engine might be more efficient in those cases) -> get my sigs/offsets(by rebasing to 0) -> start writing code and testing along the way using ce’s memory viewer or windbg to check that my code is doing what its supposed to do in memory

__________________

Last edited by laurier; 3rd January 2023 at 09:17 AM.

Threadstarter

Join Date: Apr 2020

Location: Germany

Posts: 1,007

Reputation: 36027

Rep Power: 122

Points: 68,883, Level: 38

Level up: 68%, 1,317 Points needed

Activity: 2.1%

Thanks a lot for sharing your experience. I’ll give IDA a try on my next Project

__________________

Join Date: Sep 2005

Posts: 18,417

Reputation: 426179

Rep Power: 0

Points: 1, Level: 1

Level up: 0%, 1 Points needed

Activity: 0%

While this may be useful for people that have almost no idea about reverse engineering, this is a really terrible way of finding an entity list.

You literally have the games source code for this game in specific (Same with like, all unity games).
And with unreal, you have the engine source code.
Likewise with like 99% of other engines.

You’d probably save yourself time looking at that stuff, instead of spending 4 hours in cheat engine scanning for increased/decreased values and praying to allah that you somehow get the entity list.

Very big waste of time, and a poor way to teach beginners imo.

PS: I was actually excited when you posted this because i thought it was gonna be a solid guide, but meh.

Last edited by GDPR_Anonymous; 3rd January 2023 at 10:29 AM.

Join Date: Dec 2018

Location: St. Petersburg

Posts: 247

Reputation: 2119

Rep Power: 112

Points: 7,172, Level: 9

Level up: 62%, 428 Points needed

Activity: 5.9%

__________________

Dionysus#3247

Join Date: Feb 2020

Location: Agartha

Posts: 1,189

Reputation: 37923

Rep Power: 129

Points: 44,579, Level: 31

Level up: 99%, 21 Points needed

Activity: 11.4%

Its very true that just looking at engine source code (or chucking the game in dnspy for .NET) is suuuper useful and lets u write cheats extremely fast, however i’m curious as to how you’d approach a game where these techniques don’t apply (which is rare nowadays but just imagine)

Personally i’d still go for static analysis first but his method doesn’t seem that bad if you have no info on how the game internals works, what do you think?

__________________

Join Date: Sep 2005

Posts: 18,417

Reputation: 426179

Rep Power: 0

Points: 1, Level: 1

Level up: 0%, 1 Points needed

Activity: 0%

It’s very rare that you find a game engine where you have 0 engine source code, 0 game source code (Unity/Dnspy, DayZ PBO’s, etc), and 0 of anything else really.

But if that were to occur, then IDA still exists, and string search in ida still exists.

If you really learn assembly, then you can tell what the assembly/pseudo in ida is actually doing.

But then again i guess some people dont like learning to that extent idfk

Last edited by GDPR_Anonymous; 3rd January 2023 at 10:43 AM.

Threadstarter

Join Date: Apr 2020

Location: Germany

Posts: 1,007

Reputation: 36027

Rep Power: 122

Points: 68,883, Level: 38

Level up: 68%, 1,317 Points needed

Activity: 2.1%

Hey, thanks for your reply.

I started this thread as a discussion / question based thread, asking for further & better methods to reverse entity lists rather than guiding someone into doing it my way, which is why this Thread has the [Discussion] tag instead of the [Tutorial] one.
The method I shared is just there as a reference, so you can shed some thoughts about it and possibly lead me into a better direction than what I’m currently doing, not trying to teach beginners to follow it this way.

I’m learning for myself and planning to do a detailed instruction wise Tutorial for reversing Entity Lists like the Cheat Engine one (once I have a solid method), but first I’d like to get some feedback and improvement ideas, as I already suspect the method I’m currently using is not the best one.

While it may be beneficial to use the engine’s source to find and reverse an entity list, I am able to find them in most games with CE within 5-10 minutes, which is sufficient enough for me (to just create a basic esp).

But as I mentioned in my thread, I struggle to find an Entity List with more information about each entity than just the position, which is why I started this «Discussion» thread, to get more ideas and what is working best for you.

So it’s great that you’re here to share your thoughts on it

__________________

Last edited by iBaseult; 4th January 2023 at 08:31 PM.

Join Date: Apr 2020

Posts: 965

Reputation: 37168

Rep Power: 123

Points: 56,793, Level: 35

Level up: 49%, 1,907 Points needed

Activity: 22.9%

For what it’s worth, I do think that point regarding time taken has a very real place in all of this. I have a similar workflow for what’s been described in the opening post here that I will utilize when working on new games, even if I know such engine resources are available to me. The reason is as was already described:

If I’m working on a game that I know I’m not going to want to devote a longer time to reverse engineering, I think techniques like the one @iBaseult described have a lot of merit; and those are techniques I’ve personally seen very seasoned «veterans» make use of as well.

To add to this discussion in a constructive way: I once saw somebody make use of standard rendering interfaces (such as those like Direct3D) for finding player/bone positions automatically. I myself have only done something like this in a very limited capacity with Payday 2, but there’s some interesting research on this idea by DrNseven if ever that interested you. I know this is a little more theoretical, but maybe a fun topic to look into

__________________

Join Date: Apr 2022

Location: invalid module

Posts: 14

Reputation: 410

Rep Power: 28

Points: 802, Level: 1

Level up: 81%, 98 Points needed

Activity: 9.5%

I agree for the most part. If I’m reversing a game that’s using an engine I’m familiar with, I can find an entity list in a debugger before IDA is done parsing the module. However, if I want a comprehensive understanding of everything, I’ll spend my time in IDA.

Join Date: Dec 2018

Location: The Shores of Hell

Posts: 10

Reputation: 169

Rep Power: 108

Points: 3,165, Level: 5

Level up: 46%, 435 Points needed

Activity: 5.0%

This might be considered off-topic, but how do you find the entity list in a game that has no localplayer? Right now I’m reversing Insaniquarium Deluxe, and there is no player character. There’s just fish AI in a tank. Almost all of the tutorials I can find are for shooter games.

I’m able to find the position of an individual fish by using increased value/decreased value when they’re swimming up and down, and the XYZ for that individual fish is stored nearby in memory. I’m having trouble finding the entity list, or some way to use a relative offset to find all other fish.

While reversing the game I found that I can change the growth state of the fish; when you buy a fish, they spawn in as baby guppies, this growth state is literally stored as a 4-byte int, «1», a teen fish is «2» and an adult fish is «3». When the fish are adults, they produce the most money.

End goal is to make a function in my cheat that can find all the guppies and change them to adults.

__________________

Last edited by mistercomedy; 5th January 2023 at 08:28 PM.
Reason: changed wording to make more clear

Join Date: Nov 2022

Location: CodingSophia#4941

Posts: 109

Reputation: 2087

Rep Power: 17

Points: 4,128, Level: 6

Level up: 59%, 372 Points needed

Activity: 14.3%