Welcome to the Cheat Engine Tutorial. (v3.3)
This tutorial will try to explain the basics of cheating in games, and get you more familiar with Cheat Engine.
First, open Cheat Engine if it hasn't been opened yet.
Then click on the 'Open process' icon. (Top-left icon, with the computer on it)
When the process window is open, find this tutorial. The process name is probably 'Tutorial.exe' unless you renamed it.
Select it, and click "Open". Just ignore all the other buttons right now, but experiment with them later if you feel like it.
If everything went right, the process window should be gone now and the process name is shown at the top of CE.
Now, click NEXT to continue to the next step. (Or fill in the password to proceed to the particular step you want)
Step 2: Exact Value Scanning (pw=090453)
Now that you have opened the tutorial with Cheat Engine, let's get on with the next step.
You can see at the bottom of this window the text Health: xxx
Each time you click on 'Hit me' your health gets decreased.
To get to the next step you have to find this value and change it to 1000.
There are different ways to find the value, but I'll tell you about the easiest, 'Exact value':
First make sure the value type is set to at least 2 bytes or 4 bytes. 1 byte will also work, but you'll run into an easy-to-fix problem once you've found the address and want to change it. 8 bytes may perhaps work if the bytes after the address are 0, but I wouldn't take the bet.
Single, double, and the other scans just don't work, because they store the value in a different way.
When the value type is set correctly, make sure the scan type is set to 'Exact value'.
Then fill in the number your health is in the value box, and click 'First Scan'.
After a while (if you have an extremely slow PC) the scan is done and the results are shown in the list on the left.
If you find more than 1 address and you don't know for sure which address it is, click 'Hit me', fill in the new health value into the value box, and click 'Next Scan'.
Repeat this until you're sure you've found it. (That includes that there's only 1 address in the list ...)
Now double-click the address in the list on the left. This makes the address pop up in the list at the bottom, showing you the current value.
Double-click the value (or select it and press Enter), and change the value to 1000.
If everything went OK the Next button should become enabled, and you're ready for the next step.
If you did anything wrong while scanning, click "New Scan" and repeat the scanning again.
Also, try playing around with the value and click 'Hit me'.
Step 3: Unknown Initial Value (pw=419482)
OK, seeing that you've figured out how to find a value using exact value, let's move on to the next step.
First things first though. Since you are doing a new scan, you have to click on New Scan first, to start a new scan. (You may think this is straightforward, but you'd be surprised how many people get stuck on that step.) I won't be explaining this step again, so keep this in mind.
Now that you've started a new scan, let's continue.
In the previous test we knew the initial value so we could do an exact value scan, but now we have a status bar where we don't know the starting value.
We only know that the value is between 0 and 500, and that each time you click on 'Hit me' you lose some health. The amount you lose is shown above the status bar.
Again there are several different ways to find the value (like doing a 'decreased value by...' scan), but I'll only explain the easiest: 'Unknown initial value' and 'Decreased value'.
Because you don't know what the value is right now, an exact value scan won't do any good, so choose 'Unknown initial value' as the scan type. Again, the value type is 4 bytes (most Windows apps use 4 bytes). Click First Scan and wait till it's done.
When it is done, click 'Hit me'. You'll lose some of your health. (The amount lost shows for a few seconds and then disappears, but you don't need that.)
Now go to Cheat Engine, choose 'Decreased Value' and click 'Next Scan'.
When that scan is done, click 'Hit me' again, and repeat the above till you only find a few.
We know the value is between 0 and 500, so pick the one that is most likely the address we need, and add it to the list.
Now change the health to proceed to the next step.
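The narrowing that First Scan and Next Scan perform in steps 2 and 3, as an added example that is not part of the original tutorial and is not Cheat Engine's own code. It scans a constructed 256-byte buffer instead of a real process; the function names, addresses and sample values are assumptions made for the illustration.

```python
import struct

FORMATS = {"4 bytes": "<i", "float": "<f", "double": "<d"}  # little-endian, as on x86

def first_scan(mem, vtype, value=None, align=4):
    """Exact value scan if value is given, 'Unknown initial value' if it is None."""
    fmt = FORMATS[vtype]
    hits = {}
    for addr in range(0, len(mem) - struct.calcsize(fmt) + 1, align):
        seen = struct.unpack_from(fmt, mem, addr)[0]
        if value is None or seen == value:
            hits[addr] = seen              # remembered for later comparisons
    return hits

def next_scan(mem, vtype, previous, mode, value=None):  # re-reads only the kept addresses
    kept = {}
    for addr, old in previous.items():
        new = struct.unpack_from(FORMATS[vtype], mem, addr)[0]
        if (mode == "exact" and new == value) or (mode == "decreased" and new < old):
            kept[addr] = new
    return kept

def constructed_memory():
    mem = bytearray(256)                      # constructed stand-in for the tutorial process
    struct.pack_into("<i", mem, 0x40, 100)    # the health value
    struct.pack_into("<i", mem, 0x80, 100)    # unrelated constant that is also 100
    struct.pack_into("<i", mem, 0xC0, 100)    # unrelated value that keeps changing
    struct.pack_into("<f", mem, 0x10, 100.0)  # 100 stored as a float
    return mem

def hit_me(mem, health, other):               # stands in for clicking 'Hit me'
    struct.pack_into("<i", mem, 0x40, health)
    struct.pack_into("<i", mem, 0xC0, other)

def demo_exact():
    mem = constructed_memory()
    first = first_scan(mem, "4 bytes", 100)   # misses 0x10: the float bit pattern is not 100
    hit_me(mem, 93, 99)
    return sorted(first), sorted(next_scan(mem, "4 bytes", first, "exact", 93))

def demo_unknown():
    mem = constructed_memory()
    found = first_scan(mem, "4 bytes")        # every aligned address is a candidate
    sizes = [len(found)]
    for health, other in [(93, 99), (88, 120)]:
        hit_me(mem, health, other)
        found = next_scan(mem, "4 bytes", found, "decreased")
        sizes.append(len(found))
    return sizes, sorted(found)
```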
Step 4: Floating Points (pw=890124)
In the previous tutorial we used bytes to scan, but some games store information in so-called 'floating point' notation.
(probably to prevent simple memory scanners from finding it the easy way)
A floating point value is a value with some digits behind the point (like 5.12 or 11321.1).
Below you see your health and ammo. Both are stored in floating point notation, but the health is stored as a float and the ammo is stored as a double.
Click on 'Hit me' to lose some health, and on 'Shoot' to decrease your ammo by 0.5.
You have to set BOTH values to or higher to proceed.
An exact value scan will work fine here, but you may want to experiment with other types too.
Hint: it is recommended to disable "Fast Scan" for type double.
Step 5: Code Finder (pw=888899)
Sometimes the location something is stored at changes when you restart the game, or even while you're playing. In that case you can use 2 things to still make a table that works.
In this step I'll try to describe how to use the Code Finder function.
The value down here will be at a different location each time you start the tutorial, so a normal entry in the address list wouldn't work.
First try to find the address. (You've got this far, so I assume you know how to.)
When you've found the address, right-click the address in Cheat Engine and choose "Find out what writes to this address". A window will pop up with an empty list.
Then click the "Change value" button in this tutorial, and go back to Cheat Engine. If everything went right there should be an address with assembler code there now.
Click it and choose the Replace option to replace it with code that does nothing. That will also add the code address to the code list in the Advanced Options window (which gets saved if you save your table).
Click on Stop, so the game will start running normally again, and on Close to close the window.
Now, click on Change value, and if everything went right the Next button should become enabled.
Note: when you're freezing the address with a high enough speed it may happen that Next becomes visible anyhow.
Step 6: Pointers (pw=098712)
In the previous step I explained how to use the Code Finder to handle changing locations. But that method alone makes it difficult to find the address to set the values you want.
That's why there are pointers:
At the bottom you'll find 2 buttons. One will change the value, and the other changes the value and the location of the value.
For this step you don't really need to know assembler, but it helps a lot if you do.
First find the address of the value. When you've found it, use the function to find out what accesses this address.
Change the value again, and an item will show up in the list. Double-click that item (or select it and click on More info) and a new window will open with detailed information on what happened when the instruction ran.
If the assembler instruction doesn't have anything between a '[' and ']' then use another item in the list.
If it does, it will say what it thinks will be the value of the pointer you need.
Go back to the main Cheat Engine window (you can keep this extra info window open if you want, but if you close it, remember what is between the [ and ]) and do a 4-byte scan in hexadecimal for the value the extra info told you.
When done scanning it may return 1 or a few hundred addresses. Most of the time the address you need will be the smallest one. Now click on Manually add and select the Pointer checkbox.
The window will change and allow you to type in the address of a pointer and an offset.
Fill in as address the address you just found.
If the assembler instruction has a calculation (e.g. [esi+12]) at the end, then type in the value that's at the end, else leave it 0. If it is a more complicated instruction, look at the calculation.
Example of a more complicated instruction:
[eax*2+edx+00000310] eax=4c and edx=00801234.
In this case EDX would be the value the pointer has, and eax*2+00000310 the offset, so the offset you'd fill in would be 2*4c+00000310=3a8. (This is all in hex; use calc.exe from Windows in Scientific mode to calculate.)
Back to the tutorial: click OK and the address is added. If all went right the address will show P->xxxxxxx, with xxxxxxx being the address of the value you found. If that's not right, you've done something wrong.
Now, change the value using the pointer you added and freeze it. Then click Change pointer, and if all went right the Next button will become visible.
You could also use the pointer scanner to find the pointer to this address.
Step 7: Code Injection (pw=013370)
Code injection is a technique where one injects a piece of code into the target process, and then reroutes the execution of code to go through your own written code.
In this tutorial you'll have a health value and a button that will decrease your health by 1 each time you click it.
Your task is to use code injection to increase the value of your health by 2 every time it is clicked.
Start with finding the address and then find what writes to it.
Then, when you've found the code that decreases it, browse to that address in the disassembler, and open the auto assembler window (Ctrl+A).
There click on Template and then Code injection, and give it the address that decreases health (if it isn't already filled in correctly).
That will generate a basic auto assembler injection framework you can use for your code.
Notice the alloc: that will allocate a block of memory for your code cave. In the past, on older Windows systems, people had to find code caves in memory (regions of memory unused by the game), but that is luckily a thing of the past, and these days trying to use them will cause errors, due to SP2 of XP and the NX bit of new CPUs.
Also notice the lines newmem: and originalcode: and the text "Place your code here".
As you guessed, write your code here that will increase the health by 2.
A useful assembler instruction in this case is the "ADD" instruction.
Here are a few examples:
"ADD [00901234],9" to increase the address at 00901234 by 9
"ADD [esp+4],9" to increase the address pointed to by esp+4 by 9
In this case, you'll have to use the same thing between the brackets as the original code that decreases your health has.
It's recommended to delete the line that decreases your health from the original code section, or else you'll have to increase your health by 3 (you increase by 3, the original code decreases by 1, so the end result is an increase of 2), which might become confusing. But it's all up to you and your programming.
In some games the original code can consist of multiple instructions, and sometimes, not always, it might happen that code at another place jumps into your jump instruction, which will then cause unknown behavior. If that happens, you should usually look near that instruction, see the jumps and fix them, or perhaps even choose a different address to do the code injection from, as long as you're able to figure out the address to change from inside your injected code.
Step 8: Multilevel Pointers (pw=525927)
This step will explain how to use multi-level pointers.
In step 6 you had a simple level-1 pointer, with the first address found already being the real base address.
This step however is a level-4 pointer. It has a pointer to a pointer to a pointer to a pointer to a pointer to the health.
You basically do the same as in step 6. Find out what accesses the value, look at the instruction and what is probably the base pointer value and what is the offset, and already fill that in or write it down. But in this case, the address you'll find will also be a pointer. You just have to find the pointer to that pointer, exactly the same way as you did with the value. Find out what accesses that address you found, look at the assembler instruction, note the probable instruction and offset, and use that.
Continue till you can't get any further (usually when the base address is a static address, shown in green).
Click Change value to let the tutorial access the health.
If you think you've found the pointer path, click Change Register. The pointers and value will then change and you'll have 3 seconds to freeze the address to 5000.
Extra: this problem can also be solved using an auto assembler script, or using the pointer scanner.
Extra2: in some situations it is recommended to change CE's codefinder settings to access violations when encountering instructions like mov eax,[eax], since debug registers show it after it is changed, making it hard to find out the value of the pointer.
Extra3: if you're still reading: you might notice, when looking at the assembler instructions, that the pointer is being read and filled out in the same code block (same routine; if you know assembler, look up till the start of the routine). This doesn't always happen, but can be really useful in finding a pointer when debugging is troublesome.
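The pointer bookkeeping from steps 6 and 8, as an added example that is not part of the original tutorial and is not Cheat Engine's own code. Memory is a constructed dictionary of address to 32-bit value; the function names, addresses and offsets are made up, and the offset order used by resolve (base first) is this example's own convention.

```python
def split_operand(regs, base, index=None, scale=1, disp=0):
    """For [index*scale+base+disp]: the base register holds the pointer value to
    scan for; the rest of the calculation is the offset to type in."""
    offset = disp + (regs[index] * scale if index else 0)
    return regs[base], offset

def find_pointers_to(mem, value):
    """The hexadecimal 4-byte scan: every address that stores `value`, smallest first."""
    return sorted(addr for addr, stored in mem.items() if stored == value)

def trace_back(mem, value_addr, offsets_seen):
    """Walk from the value towards the base. offsets_seen holds the offset read
    from each accessing instruction, innermost first."""
    addr, path = value_addr, []
    for off in offsets_seen:
        holders = find_pointers_to(mem, addr - off)
        if not holders:
            raise LookupError(f"nothing points to {addr - off:08x}")
        addr = holders[0]              # 'most of the time' the smallest address
        path.insert(0, off)
    return addr, path

def resolve(mem, base, offsets):
    """Follow the pointer path from the base address to the current value address."""
    addr = base
    for off in offsets:
        addr = (mem[addr] + off) & 0xFFFFFFFF   # 32-bit addresses
    return addr

def constructed_memory():
    # Constructed sample: a level-4 chain from a static base to the health value.
    return {0x00601660: 0x01A00000, 0x01A0000C: 0x01B00000, 0x01B00014: 0x01C00000,
            0x01C00000: 0x01D00000, 0x01D00018: 100}

def demo():
    mem = constructed_memory()
    base, offsets = trace_back(mem, 0x01D00018, [0x18, 0x0, 0x14, 0xC])
    before = resolve(mem, base, offsets)
    mem[0x01C00000] = 0x02D00000       # the health object moved to a new location
    mem[0x02D00018] = 100
    return base, offsets, before, resolve(mem, base, offsets)
```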
Step 9: Shared Code (pw=31337157)
This step will explain how to deal with code that is used for other objects of the same type.
Often when you've found the health of a unit or your own player, you'll find that if you remove the code, it affects enemies as well.
In these cases you must find out how to distinguish between your objects and the enemies' objects.
Sometimes this is as easy as checking the first 4 bytes (function pointer table), which often point to a unique location for the player, and sometimes it's a team number, or a pointer to a pointer to a pointer to a pointer to a pointer to a player name. It all depends on the complexity of the game, and your luck.
The easiest method is finding what addresses the code you found writes to and then using the Dissect Data feature to compare the structures (your unit(s)/player and the enemies), and then seeing if you can find a way to distinguish between them.
When you have found out how to distinguish between you and the computer, you can inject an assembler script that checks for the condition and then either doesn't execute the code or does something else. (One-hit kills, for example.)
Alternatively, you can also use this to build a so-called "Array of bytes" string which you can use to search, which will result in a list of all your or the enemies' players.
In this tutorial I have implemented the most amazing game you'll ever play.
It has 4 players. 2 players belong to your team, and 2 players belong to the computer.
Your task is to find the code that writes the health and make it so you win the game without freezing your health.
To continue, press 'Restart game and autoplay' to test that your code is correct.
Tip: health is a float
Tip2: there are multiple solutions
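The structure comparison and the conditional check described in step 9, as an added example that is not part of the original tutorial and is not Cheat Engine's own code. The unit layout (function table, float health, team number, name pointer), the sample values and the function names are all constructed for the illustration.

```python
import struct

UNIT = "<IfII"  # constructed layout: function table, health (float), team, name pointer

def distinguishing_fields(mine, theirs, width=4):
    """Offsets whose value is the same inside each group but differs between groups."""
    size = min(len(s) for s in mine + theirs)
    found = []
    for off in range(0, size - width + 1, width):
        a = {bytes(s[off:off + width]) for s in mine}
        b = {bytes(s[off:off + width]) for s in theirs}
        if len(a) == 1 and len(b) == 1 and a != b:
            found.append((off, int.from_bytes(a.pop(), "little"),
                          int.from_bytes(b.pop(), "little")))
    return found

def write_health(unit, damage, skip=None):
    """Stand-in for the shared routine that writes health for every unit.
    skip=(offset, value) models the injected check: matching units are left alone."""
    if skip and struct.unpack_from("<I", unit, skip[0])[0] == skip[1]:
        return
    health = struct.unpack_from("<f", unit, 4)[0]
    struct.pack_into("<f", unit, 4, health - damage)

def constructed_units():
    def make(health, team, name):
        return bytearray(struct.pack(UNIT, 0x00455000, health, team, name))
    mine = [make(100.0, 1, 0x01A00010), make(96.0, 1, 0x01A00040)]
    theirs = [make(500.0, 2, 0x01A00070), make(488.0, 2, 0x01A000A0)]
    return mine, theirs

def demo():
    mine, theirs = constructed_units()
    fields = distinguishing_fields(mine, theirs)   # only the team number qualifies
    offset, my_value, _ = fields[0]
    for unit in mine + theirs:                     # the shared code runs for everyone
        write_health(unit, 10.0, skip=(offset, my_value))
    health = lambda units: [struct.unpack_from("<f", u, 4)[0] for u in units]
    return fields, health(mine), health(theirs)
```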
This article is from the "love to Learn bear children" blog, please be sure to keep this source http://molilinzi.blog.51cto.com/8282931/1885180
Cheat Engine 3.3: the original tutorial that comes with the software (English)