Company of Heroes v2.501
::. Requirements :.:
* Company of Heroes v2.501
* Cheat Engine 5.5 or equivalent
* Completion of PART ONE and TWO
.:::..:.::: intro :::.:::::...
In this part of the tutorial, we will attempt to discover
game code we can modify to our advantage, and what makes
modifying game code difficult at times.
Subjects covered or touched upon:
- ACCESSING vs. MODIFYING (READ vs. WRITE)
.:::. Part 3 - When NOP is not enough :::.
As we remember from Part TWO the game code we discovered
that modified our resources was located at:
ww2mod.dll+1b542f - fstp dword ptr [ecx-04]
And by checking the disassembled code above and below this
line we discovered that the code was looped through
5 times, before ret'ing somewhere else.
Since it has been a while since I last ran COH I have lost
all the saved addresses I located in part ONE and TWO.
But instead of searching for manpower again, I will this
time do something else to locate manpower.
I will put a BREAKPOINT at ww2mod.dll+1b542f
This will also defeat DMA, beacuse the game code will ALWAYS
point to the right location for our values (and others, as
we will discover).
KEYWORD: Breakpoint - This tells your debugger (Cheat engine)
to stop executing game code when it reaches the specified
line of code. Giving you access to the register information
(EAX, etc..) as it is, when the line of code gets executed.
To put a breakpoint:
- Pause the game
- Open cheat engine as usual
- Attach to RelicCOH.exe
- Click 'memory view'
In the new window that appears, in the top portion (disassembly)
- Right click and select 'go to address'.
- Enter the following location "ww2mod.dll+1b542f"
- Click 'OK'.
If all goes according to plan, the disassembly view
will now show the following:
>>ww2mod.dll+1b542f - d9 59 fc - fstp dword ptr [ecx-04] ww2mod.dll+1b5432 - 75 f2 - jne ww2mod.dll+1b5426 ww2mod.dll+1b5434 - c2 20 00 - ret 0020 ww2mod.dll+1b5437 - cc - int 3
You now select the line indicated by the >>s above and right click
then select 'toggle breakpoint'. A new prompt will appear asking
you to confirm attaching the debugger. Click 'yes' to this prompt.
Alternatively you can press "f5" to breakpoint the line of code
you have selected.
The marked line should now appear as a 'green' line (when selected)
and a 'red' line otherwise. This indicates that you have a breakpoint
at that specific line of code. The game will only 'break' into the
debugger IF that line of code gets executed.
You can have multiple breakpoints in Cheat Engine, so you can debug
multiple areas of game code at the same time.
We attach a breakpoint to the above line of code because we
a) want to find the current address of manpower
Want to see what else gets modified.
..::: The Breakpoint is attached / Finding the values again ::::...
Now that we have attached a breakpoint, go back to the game and
unpause it. You game will immediately freeze, and the 'memory view'
window in cheat engine will have its title changed to
"Memory Viewer - Currently debugging thread 000000###".
This indicates that you have currently stopped executing the game
and are in debugging mode.
You will notice that the top right area of Memory Viewer have a lot
of values coloured in RED. The RED value means - This value
changed from the previous value. And is quite usefull when you are
debugging through lines of code, since you can quickly see which
areas of the register gets changed as you step through the game code.
KEYWORD: STEP - A Step means to execute 1 line of code at a time,
and is very usefull to see where the code "leads you" as well as
what gets modified (through the registers). In cheat Engine you
do a STEP by pressing "F7" when in Debugging mode.
Below is a quick rundown of the Register values as they looked
after the breakpoint (at ww2mod.dll+1b542f) was hit during game
EAX: F11B3B04 EBX: 00000000 ECX: 0F3FB750 EDX: 00000005 ESI: 00000002 EDI: 0A07E234 EBP: 3F27DB3C ESP: 005AF248 EIP: 6CF2542F
As we remembered from Part TWO, the registers had the following
functions at this point in time.
EAX - Was an address in memory EBX - Unknown ECX - Was -4 away from the location of manpower WHEN EDX was 5. EDX - Was counting down from 5 to 0. ESI - Unknown EDI - Unknown EBP - Unknown ESP - The Location of the stack EIP - The current location in game memory we are executing (as in, this is currently the location of ww2mod.dll+1b542f)
Based on our knowledge from Part ONE and TWO we know that
ww2mod.dll+1b542f - fstp dword ptr [ecx-04]
modified the manpower value.
And based on the breakpoint information we just got, we know that
ECX = 0F3FB750
This means that ECX-04 = 0F3FB74C and that this more than likely
is the location of our MANPOWER.
A quick test of this is to check the values near this location
in the lower portion of the memory viewer.
- Right click lower portion of memory viewer (the memory map)
- Select "goto address" and enter the value of ECX-04 (0F3FB74C)
- Right click again and select 'Display Type' float
If all was according to plan, the memory map should now show
the values of your manpower, oil, munitions, command points, cp xp.
Just like we found the values in Part ONE and TWO.
You can now update your cheat table through the method explained
in Part TWO to get the correct locations if you wish to modify
..::: Doublechecking the game code ::::....
Now it looks like we have found the location of game code we
would want to modify to give our player an advantage in game.
But before we go any further, we want to see what ELSE gets
modified by this line of code.
Unfortunately (or fortunately for learning purposes) many games
use the same line of code for many operations. This means that
we can not simply "NOP" (remove) the line of code to give the
player an advantage, because the line of code does stuff to both
the player and the ai, for example.
To check for this, we set a breakpoint as explained above, and
we CAN then watch what happens to the registers to see if something
strange is being done.
We know from before, that we have 5 values that we want to change.
Based on the memory map we saw before, and also based on the in
game values. These were MANPOWER, OIL, MUNITIONS, CPXP, CP.
We also know that EDX was 5 when the breakpoint was first hit.
And we know that the game code was supposed to loop 5 times,
(until EDX = 0).
And lastly, we know that ECX-04 when EDX was 5 gave us the location
to MANPOWER (and based on this location we can find all the other
values by increasing with 4 per value.)
In short, the below shows you the location of all the values
for the player resources when EDX = 5 and we are executing
the line of code at ww2mod.dll+1b542f.
ECX-04 ECX ECX+4 ECX+8 ECX+C(12) MAnpower Munitions Oil CP XP Command Points
To double check this, we will use another debugging function
KEYWORD: Run - Run means that, you return to the game from the
debugger, and it will continue to RUN until it reaches another
breakpoint (or the same one) again. In Cheat Engine this can
be reached with 'F9' button.
In our case, since we know that EDX was 5 and is supposed to reach
0, we can safely assume that we will reach this breakpoint again
very quickly. But lets see what happens.
Press F9 - which will "RUN" (exit debugging).
If you do not pay attention, it might look like nothing has happened.
But take a look in the top right corner of Cheat Engine. You will
notice that all the RED values have become black, except for just
a few of them.
These values are: ECX and EDX.
In my case: ECX is now 0F3FB754, and EDX is 00000004.
From our last breakpoint, ECX has increased by 4 and EDX decreased by 1.
Just as these lines of code, above our breakpoint tell us.
ww2mod.dll+1b5429 - add ecx,04 <- increase ecx by 4 ww2mod.dll+1b542c - sub edx,01 <- decrease edx by 1 ww2mod.dll+1b542f - fstp dword ptr [ecx-04] <<- our breakpoint
For our purposes, this means that ECX-04 which previously pointed
to MANPOWER now points to MUNITIONS.
No prize if you guess which value will be the next one pointed to.
So let us press F9 again and see what happens.
ECX now changed to 0F3FB758 and EDX 00000003. ECX-04 now points
We press 'F9' and observe that ECX and EDX now changed value again.
ECX-04 now points to Command Points XP, and EDX is now 00000002.
Again we press 'F9' and ECX-04 now points to Command Points, whereas
EDX is 00000001. This means that we have RUN through and discovered
the locations for our 5 important resource values.
So what happens when we press 'F9' again?
ECX Changes to 0F3FB764 and EDX changes to 0. In addition, ZF now
shows 1. ZF is the "Zero Flag" and as we remembered from Part TWO
we had a JNE (Jump short if not equal) just below our breakpoint.
ww2mod.dll+1b5432 - jne ww2mod.dll+1b5426 ww2mod.dll+1b5434 - ret 0020
This means that, since ZF=1, we will NOT execute the jump (which
was our loop) but instead execute "ret 0020".
But before we go so far, let us see if we can discover what is
hiding at the last ECX-04 (0F3FB764-04 = 0F3FB760). In my game
this value shows up as 202 float and I can not remember such
a value from anywhere, so let us add this to our cheat table and
see if we can do something with it later on.
Remembering from before, a RUN would let the game code execute
until it reached our breakpoint, whereas a STEP would go through
each line of code.
Knowing that we will not be looping through our code anymore,
because EDX was 0. I am curious to see what happens at RET-0020.
We will therefore STEP through the lines of code a bit, and see
where we end up.
Press 'f7' to step one line of code. Since we breaked at
ww2mod.dll+1b542f, we will now have stepped to ww2mod.dll+1b5432.
And you will notice that the register "EIP" has changed to reflect
This line of code was the "JNE", and since our ZF=1 we know
that "JNE" will not be executed. Therefore, we press 'F7' again.
And we end up at ww2mod.dll+1b5434 "ret 0020".
Our next press will therefore return us to the "calling procedure".
This is the area in the game code that jumped us to the game code
modifying our player values, and it could be an important place
to discover more information about how the game operates.
So we press 'f7' again, and we end up at...
ww2mod.dll+9 343D - pop edi
We then quickly scan the other lines of code, which show up as
(copied from Cheat Engine, just replace 6CE0 with ww2mod.dll+9)
6CE0 343E - 5e - pop esi 6CE0 343F - 83 c4 18 - add esp,18 6CE0 3442 - c2 08 00 - ret 0008
And they could probably contain more information information, but
we are not interested in these yet -- so we will remember the location
and information, but press F9 (to RUN) and see what happens next, instead
of "STEP"'ing through the next lines of code.
REMEMBER: When you have a problem, STEP + taking notes helps a lot.
But since we do not have a problem (YET) we will RUN instead.
So we press 'F9'...
And we are immediately back to ww2mod.dll+1b542f. Which is strange
you might wonder, since we ran through EDX from 5->0, and we have
already found all our player values.
So let us see what information we have now discovered..
ECX now shows 0F3FBA08 and EDX is again 5.
Again, we will use 'goto address' in the memory map (lower portion)
and select the value of ECX-04 (in this case, 0F3FBA04). We then
select "Display Type - Floats" and we notice something interesting.
1. These are not our values
2. But the "layout" is the same.
You now have to stop and consider some elements to the game.
a) You are the player and You have found your values in memory
You are fighting the computer AI
c) The values you have now found do not look like yours, but they
look like resource values.
d) Who else could need resources except the player?
Answer: The Computer AI.
Congratulations. You have found the location of the computer AI
values and you can add these to your cheat table as you did with
the player values in PART ONE and TWO.
..:::: What does this mean for WW2mod.dll+1b542f :::....
In short, this means that the line of code we found, that modified
the player resouce values, is actually a line of code that modifies
resource values, regardless of them being the players or the AIs.
This means that, we can not simply replace it with something that
gives us unlimited resources, as this would also give the computer
unlimited resources -- and you can be sure that the computer will
exploit this a lot faster than you ever could.
This is the reason why some game trainers seem great, except they
make the game a lot harder, since the player cheats also effect
the computer ai. And this is also what makes training games that
do this a lot harder.
HINT: It is always a good idea to BREAKPOINT a line of code you
discover modifies YOUR values, just to check if it modifies
something else as well, such as the COMPUTER values.
All is not lost however, since we now have three options open to us.
1. Rewrite the line of code with something "clever" that only
works for the player.
2. STEP' through lines of code until we find another spot that
ONLY modifies player values.
3. FIND another line of code that INTERACTS with our player values.
..::: Interaction :::....
As we remember from PART ONE and PART TWO, we looked for game code
that MODIFIED our MANPOWER Value. But this time we will look for
game code that INTERACTS with our MANPOWER Value, such as READING it.
We do this because we can safely assume that the game ONLY displays
information related to the player resources, since the computer does
not need numbers displayed on a monitor to know what they are.
To check for interaction, we first have to remove our breakpoint.
And we do this simply in the memory viewer, debugging portion, by
selecting the line of code with our breakpoint (the red line)
and then pressing 'f5'.
Since we were already debugging, we can press 'F9' to continue 'RUN'
ing the game code, which will basically resume the game execution.
And you will now notice that the game screen is updating again.
To look for INTERACTION, go to your cheat table, right-click MANPOWER
and select "Find out what accesses this address".
Our old familiar "The following opcodes.." window will now appear.
Return to the game, and unpause it. And you will immediately notice
that the OPCODES window now shows two lines of code.
6cf9270b - fld dword ptr [esi] <<- this looks new and 6cf2542f - fstp dword ptr [ecx-04] <<- this looks familiar
Doubleclicking both values give us 'extra info' which shows us
the register values as well as the lines of code above and below
the code we just found.
Doubleclick the "FSTP" line first, and you will notice that it looks
just like the code we checked out in PART TWO and eariler in part THREE.
You will also notice that EDX = 05. And we remember that EDX 05 was
Therefore we will inspect the other code line, and hope that it
is the line of code we have been looking for.
Below is the 'extra info' from the "FLD" I just found.
(At ww2mod.dll+22270B) - Just as before, write this down.
It is always usefull to "copy" the information from the 'extra info'
window to a notepad, and attempt to comment each line so you can get
some understanding as to what the values mean. This will help you
train the game. As you 'STEP' and 'RUN' through the code you will
get more understanding of the various register values and the game
code and the more you comment, the easier it is to train..
EAX=0F3FB568 << Not that far from MANPOWER ------. EBX=3F27DAE0 << unknown | ECX=005AF250 << Seems like location in stack -. | EDX=3F27DCF4 << unknown | | ESI=0F3FB74C << our MANPOWER location<--------+--' EDI=000003E8 << unknown | EBP=3F27DB3C << unknown | ESP=005AF230 << the stack location <--------' EIP=6CF9270D << Current line of code Probable base pointer =0F3FB74C 6cf92706 - fld dword ptr [edx] << Load value from EDX into FP Stack 6cf92708 - fstp dword ptr [esp] << Store value from FP Stack into ESP 6cf9270b - fld dword ptr [esi] << Load value from ESI into FP Stack 6cf9270d - fstp dword ptr [esp+04] << Store value from FP Stack into ESP+4 6cf92711 - fld dword ptr [esp+04] << Load value from ESP+4 into FP Stack
So this also seems like an interesting point to go training, but as we
remember from before - game code that modified player values also modified
computer values. And to quickly check this, assuming you added the
AI locations earlier (for manpower, etc) you can close the opcodes for
the player manpower, and select "find out what accesses this address"
for the AI Manpower, then return to the game, unpause, wait, repause.
Unlucky for us, it seems that the same lines of code interacting with
the player values are interacting with the AI values. At least the
ones we have found so far.
So now we have to think about what we know about COH for a second.
- Knowing that the same line of code is executed for both player and AI
- Knowing parts of the memory layout (Manpower, Oil, etc)
- Knowing that PLAYER code gets executed (EDX 5-0) before AI code (5->0)
- Knowing that we did NOT find the POPULATION CAP values
- Knowing that we can not simply NOP the code (remove it) because
it affects both player and computer AI.
Based on this we have a few alternatives we can go further with.
3a. Find population cap, and see if that can aid us with training
3b. Modify the game code we have found so that it only 'cheats' when it
is pointing to player values
3c. Step through the game code around the one we have found already, and
see if there is a "split" between player and computer code.
The next parts of the tutorial will cover some of these alternatives.
...::: End of part 3 :::....
Unfortunately the tutorial yet again became a bit complex, as well as
starting to grow in size. I have therefore decided to split it up into
3 additional parts, to explain the various approaches to training COH.
::::::::::::::::::::::::::::::::::::: instant0 / 2009.04.27 ::::