Cheat Engine 3.3 built-in tutorial: original text (English)

Welcome to the Cheat Engine Tutorial. (v3.3)

This tutorial will try to explain the basics of cheating on games, and get you more familiar with Cheat Engine.

First open Cheat Engine if it hasn't been opened yet.

Then click on the 'open process' icon. (top left icon, with the computer on it)

When the process window is open find this tutorial. The process name is probably 'tutorial.exe' unless you renamed it.

Select it, and click "Open". Just ignore all the other buttons right now, but experiment with them later if you feel like it.

If everything went right, the process window should be gone now and the process name is shown at the top of CE.

Now, click NEXT to continue to the next step. (Or fill in the password to proceed to the particular step you want)

Step 2: Exact Value scanning (PW=090453)

Now that you have opened the tutorial with Cheat Engine let's get on with the next step.

At the bottom of this window you can see the text Health: xxx

Each time you click 'Hit me' your health gets decreased.

To get to the next step you have to find this value and change it to 1000.

There are different ways to find the value, but I'll tell you about the easiest, 'Exact Value':

First make sure value type is set to at least 2-bytes or 4-bytes. 1-byte will also work, but you'll run into an easy-to-fix problem when you've found the address and want to change it. The 8-byte type may perhaps work if the bytes after the address are 0, but I wouldn't take the bet.

Single, double, and the other scans just don't work, because they store the value in a different way.

When the value type is set correctly, make sure the scan type is set to 'Exact Value'.

Then fill in your current health in the value box, and click 'First Scan'.

After a while (if you have an extremely slow PC) the scan is done and the results are shown in the list on the left.

If you find more than 1 address and you don't know for sure which address it is, click 'Hit me', fill in the new health value into the value box, and click 'Next Scan'.

Repeat this until you're sure you've found it. (that includes that there's only 1 address in the list.....)

Now double click the address in the list on the left. This makes the address pop up in the list at the bottom, showing you the current value.

Double click the value (or select it and press enter), and change the value to 1000.

If everything went OK the Next button should become enabled, and you're ready for the next step.

Note:

If you did anything wrong while scanning, click "New Scan" and repeat the scanning again.

Also, try playing around with the value and click 'Hit me'.

Step 3: Unknown initial value (PW=419482)

OK, seeing that you've figured out how to find a value using exact value let's move on to the next step.

First things first though. Since you are doing a new scan, you have to click on New Scan first, to start a new scan. (You may think this is straightforward, but you'd be surprised how many people get stuck on that step.) I won't be explaining this step again, so keep this in mind.

Now that you've started a new scan, let's continue.

In the previous test we knew the initial value so we could do an exact value scan, but now we have a status bar where we don't know the starting value.

We only know that the value is between 0 and 500. And each time you click 'hit me' you lose some health. The amount you lose each time is shown above the status bar.

Again there are several different ways to find the value (like doing a 'decreased value by...' scan), but I'll only explain the easiest: "Unknown initial value", and decreased value.

Because you don't know what the value is right now, an exact value scan won't do any good, so choose 'Unknown initial value' as the scan type. Again, the value type is 4-bytes (most Windows apps use 4-bytes). Click First Scan and wait till it's done.

When it is done click 'hit me'. You'll lose some of your health. (the amount you lost shows for a few seconds and then disappears, but you don't need that)

Now go to Cheat Engine, choose 'Decreased Value' and click 'Next Scan'.

When that scan is done, click hit me again, and repeat the above till you only find a few.

We know the value is between 0 and 500, so pick the one that is most likely the address we need, and add it to the list.

Now change the health to 5000, to proceed to the next step.

Step 4: Floating points (PW=890124)

In the previous tutorial we used bytes to scan, but some games store information in so called 'floating point' notations.

(probably to prevent simple memory scanners from finding it the easy way)

A floating point is a value with some digits behind the point. (like 5.12 or 11321.1)

Below you see your health and ammo. Both are stored as floating point notations, but health is stored as a float and ammo is stored as a double.

Click on hit me to lose some health, and on shoot to decrease your ammo by 0.5.

You have to set BOTH values to 5000 or higher to proceed.

Exact value scan will work fine here, but you may want to experiment with other types too.

Hint: It is recommended to disable "Fast Scan" for type double
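
The scans from Steps 2 to 4, run over a small constructed buffer instead of a live process (an added example, not part of the original tutorial or of Cheat Engine's code). It shows why the value type matters: the same number 100 has a different byte pattern as a 4-byte integer, a float and a double, and an 8-byte scan misses a 4-byte value whose neighbouring bytes are not 0. The buffer layout, the function names and the 4-byte alignment are assumptions of this sketch.

```python
import struct

# Cheat Engine value types named in the tutorial, as little-endian struct codes.
TYPES = {"2-bytes": "<H", "4-bytes": "<I", "8-bytes": "<Q",
         "float": "<f", "double": "<d"}

def first_scan(mem, value, vtype, align=4):
    """'Exact Value' first scan: aligned offsets holding `value` encoded as `vtype`."""
    needle = struct.pack(TYPES[vtype], value)
    last = len(mem) - len(needle)
    return [o for o in range(0, last + 1, align) if mem[o:o + len(needle)] == needle]

def next_scan(mem, hits, value, vtype):
    """'Next Scan': keep only earlier hits that now hold the new value."""
    needle = struct.pack(TYPES[vtype], value)
    return [o for o in hits if mem[o:o + len(needle)] == needle]

def decreased_scan(before, after, hits, vtype):
    """'Decreased Value': keep hits whose value is lower than in the snapshot."""
    fmt = TYPES[vtype]
    return [o for o in hits
            if struct.unpack_from(fmt, after, o)[0] < struct.unpack_from(fmt, before, o)[0]]

def build_memory():
    """Constructed 64-byte process image (not taken from tutorial.exe)."""
    mem = bytearray(64)
    struct.pack_into("<I", mem, 0x10, 100)    # health as a 4-byte integer
    struct.pack_into("<I", mem, 0x14, 7)      # unrelated non-zero neighbour
    struct.pack_into("<I", mem, 0x20, 100)    # decoy: another field that is also 100
    struct.pack_into("<f", mem, 0x30, 100.0)  # health stored as a float
    struct.pack_into("<d", mem, 0x38, 100.0)  # ammo stored as a double
    return mem

def demo():
    mem = build_memory()
    hits = first_scan(mem, 100, "4-bytes")       # two candidates: real value and decoy
    wide = first_scan(mem, 100, "8-bytes")       # misses 0x10: the bytes after it are not 0
    as_float = first_scan(mem, 100.0, "float")   # different byte pattern entirely
    as_double = first_scan(mem, 100.0, "double")
    struct.pack_into("<I", mem, 0x10, 96)        # simulate one click on 'Hit me'
    narrowed = next_scan(mem, hits, 96, "4-bytes")
    return hits, wide, as_float, as_double, narrowed

def unknown_initial_demo():
    before = build_memory()                      # snapshot at 'Unknown initial value'
    after = bytearray(before)
    struct.pack_into("<I", after, 0x10, 96)      # only the health decreased
    everything = list(range(0, len(before) - 3, 4))
    return decreased_scan(before, after, everything, "4-bytes")
```
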

Step 5: Code finder (PW=888899)

Sometimes the location something is stored at changes when you restart the game, or even while you're playing. In that case you can use 2 things to still make a table that works.

In this step I'll try to describe how to use the Code Finder function.

The value down here will be at a different location each time you start the tutorial, so a normal entry in the address list wouldn't work.

First try to find the address. (you've got to this point so I assume you know how to)

When you've found the address, right-click the address in Cheat Engine and choose "Find out what writes to this address". A window will pop up with an empty list.

Then click on the Change value button in this tutorial, and go back to Cheat Engine. If everything went right there should be an address with assembler code there now.

Click it and choose the replace option to replace it with code that does nothing. That will also add the code address to the code list in the advanced options window. (Which gets saved if you save your table)

Click on stop, so the game will start running normally again, and on close to close the window.

Now, click on Change value, and if everything went right the Next button should become enabled.

Note: When you're freezing the address with a high enough speed it may happen that Next becomes visible anyhow.

Step 6: Pointers: (PW=098712)

In the previous step I explained how to use the Code finder to handle changing locations. But that method alone makes it difficult to find the address to set the values you want.

That's why there are pointers:

At the bottom you'll find 2 buttons. One will change the value, and the other changes the value AND the location of the value.

For this step you don't really need to know assembler, but it helps a lot if you do.

First find the address of the value. When you've found it use the function to find out what accesses this address.

Change the value again, and an item will show in the list. Double click that item (or select it and click on more info) and a new window will open with detailed information on what happened when the instruction ran.

If the assembler instruction doesn't have anything between a '[' and ']' then use another item in the list.

If it does, it will say what it thinks will be the value of the pointer you need.

Go back to the main Cheat Engine window (you can keep this extra info window open if you want, but if you close it, remember what is between the [ and ]) and do a 4 byte scan in hexadecimal for the value the extra info told you.

When done scanning it may return 1 or a few hundred addresses. Most of the time the address you need will be the smallest one. Now click on manually add and select the pointer checkbox.

The window will change and allow you to type in the address of a pointer and an offset.

Fill in as address the address you just found.

If the assembler instruction has a calculation (e.g. [esi+12]) at the end then type in the value that's at the end, else leave it 0. If it was a more complicated instruction look at the calculation.

Example of a more complicated instruction:

[EAX*2+EDX+00000310] eax=4C and edx=00801234.

In this case EDX would be the value the pointer has, and EAX*2+00000310 the offset, so the offset you'd fill in would be 2*4C+00000310=3A8. (this is all in hex, use calc.exe from Windows in scientific mode to calculate)

Back to the tutorial: click OK and the address will be added. If all went right the address will show P->xxxxxxx, with xxxxxxx being the address of the value you found. If that's not right, you've done something wrong.

Now, change the value, using the pointer you added, to 5000 and freeze it. Then click Change pointer, and if all went right the next button will become visible.

Extra:

You could also use the pointer scanner to find the pointer to this address.

Step 7: Code Injection: (PW=013370)

Code injection is a technique where one injects a piece of code into the target process, and then reroutes the execution of code to go through one's own written code.

In this tutorial you'll have a health value and a button that will decrease your health by 1 each time you click it.

Your task is to use code injection to increase the value of your health by 2 every time it is clicked.

Start with finding the address and then find what writes to it.

Then when you've found the code that decreases it, browse to that address in the disassembler, and open the auto assembler window (ctrl+a).

There click on template and then code injection, and give it the address that decreases health (if it isn't already filled in correctly).

That will generate a basic auto assembler injection framework you can use for your code.

Notice the alloc, which will allocate a block of memory for your code cave. In the past, on pre-Windows 2000 systems, people had to find code caves in memory (regions of memory unused by the game), but that's luckily a thing of the past since Windows 2000, and these days trying to use them will cause errors, due to SP2 of XP and the NX bit of new CPUs.

Also notice the lines newmem: and originalcode: and the text "Place your code here"

As you guessed, write your code here that will increase the health by 2.

A useful assembler instruction in this case is the "ADD instruction".

Here are a few examples:

"ADD [00901234],9" to increase the value at address 00901234 by 9

"ADD [ESP+4],9" to increase the value at the address pointed to by ESP+4 by 9

In this case, you'll have to use the same thing between the brackets as the original code that decreases your health has.

Notice:

It is recommended to delete the line that decreases your health from the original code section, else you'll have to increase your health by 3 (you increase by 3, the original code decreases by 1, so the end result is an increase of 2), which might become confusing. But it's all up to you and your programming.

Notice 2:

In some games the original code can consist of multiple instructions, and sometimes, not always, it might happen that code at another place jumps into your jump instruction, which will then cause unknown behavior. If that happens, you should usually look near that instruction, see the jumps and fix it, or perhaps even choose to use a different address to do the code injection from, as long as you're able to figure out the address to change from inside your injected code.

Step 8: Multilevel pointers: (PW=525927)

This step will explain how to use multi-level pointers.

In step 6 you had a simple level-1 pointer, with the first address found already being the real base address.

This step however is a level-4 pointer. It has a pointer to a pointer to a pointer to a pointer to a pointer to the health.

You basically do the same as in step 6. Find out what accesses the value, look at the instruction and what probably is the base pointer value, and what is the offset, and already fill that in or write it down. But in this case the address you'll find will also be a pointer. You just have to find out the pointer to that pointer exactly the same way as you did with the value. Find out what accesses that address you found, look at the assembler instruction, note the probable instruction and offset, and use that.

Continue till you can't get any further (usually when the base address is a static address, shown in green).

Click Change Value to let the tutorial access the health.

If you think you've found the pointer path click Change Register. The pointers and value will then change and you'll have 3 seconds to freeze the address to 5000.

Extra: This problem can also be solved using an auto assembler script, or using the pointer scanner.

Extra2: In some situations it is recommended to change CE's codefinder settings to Access violations when encountering instructions like mov eax,[eax], since debug registers show it AFTER it was changed, making it hard to find out the value of the pointer.

Extra3: If you're still reading. You might notice when looking at the assembler instructions that the pointer is being read and filled out in the same code block (same routine, if you know assembler, look up till the start of the routine). This doesn't always happen, but can be really useful in finding a pointer when debugging is troublesome.
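
The pointer procedure of Steps 6 and 8, run against a constructed address space (an added example, not part of the original tutorial or of Cheat Engine's code). It computes the offset from the `[EAX*2+EDX+00000310]` example, resolves a level-4 pointer path, walks the path backwards by scanning for each pointer value, and shows that the path still resolves after the value is moved. All addresses, offsets and function names are hypothetical.

```python
import struct

class Memory:
    """Constructed flat 32-bit address space starting at `base` (sample data only)."""
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)
    def read_u32(self, addr):
        return struct.unpack_from("<I", self.buf, addr - self.base)[0]
    def write_u32(self, addr, value):
        struct.pack_into("<I", self.buf, addr - self.base, value)

def split_operand(pointer_reg, index_reg, scale, disp):
    """[index*scale + pointer + disp] -> (value the pointer holds, offset to fill in)."""
    return pointer_reg, index_reg * scale + disp

def find_pointers_to(mem, value):
    """4-byte hex scan: aligned addresses whose content equals `value`, lowest first."""
    return [a for a in range(mem.base, mem.base + len(mem.buf), 4)
            if mem.read_u32(a) == value]

def resolve(mem, base_addr, offsets):
    """Follow a pointer path: dereference, add the offset, repeat."""
    addr = base_addr
    for off in offsets:
        addr = mem.read_u32(addr) + off
    return addr

def walk_back(mem, value_addr, offsets):
    """Steps 6 and 8 in reverse: subtract the offset, scan for that pointer value,
    take the smallest hit, and repeat once per level until the base is reached."""
    addr = value_addr
    for off in reversed(offsets):
        addr = find_pointers_to(mem, addr - off)[0]
    return addr

STATIC = 0x00400010                  # hypothetical static base address
OFFSETS = [0x0C, 0x14, 0x00, 0x18]   # hypothetical offsets, one per pointer level

def build():
    """Level-4 chain: STATIC -> obj0 -> obj1 -> obj2 -> obj3, health at obj3+0x18."""
    mem = Memory(0x00400000, 0x400)
    objs = [0x00400100, 0x00400180, 0x00400200, 0x00400280]
    mem.write_u32(STATIC, objs[0])
    for i in range(3):
        mem.write_u32(objs[i] + OFFSETS[i], objs[i + 1])
    mem.write_u32(objs[3] + OFFSETS[3], 100)
    return mem

def change_pointer(mem, new_obj=0x00400300):
    """Simulate 'Change pointer': the last object moves, its parent is updated."""
    parent_field = resolve(mem, STATIC, OFFSETS[:3])   # address holding the obj3 pointer
    mem.write_u32(parent_field, new_obj)
    mem.write_u32(new_obj + OFFSETS[3], 250)
    return resolve(mem, STATIC, OFFSETS)
```

In a real session the offsets come from the instructions shown by "find out what accesses this address"; here they are given as input so the walk can be checked.
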

Step 9: Shared code: (PW=31337157)

This step will explain how to deal withcode that is used for other object of the same type

Often when you‘ve found health of a unit oryour own player, you will find that if you remove the code, it affects enemiesas well.

In these cases you must find out how todistinguish between your and the enemies objects.

Sometimes this is as easy as checking thefirst 4 bytes (Function pointer table) which often point to a unique locationfor the player, and sometimes it‘s a team number, or a pointer to a pointer toa pointer to a pointer to a pointer to a playername. It all depends on thecomplexity of the game, and your luck

The easiest method is finding whataddresses the code you found writes to and then use the dissect data feature tocompare against two structures. (Your unit(s)/player and the enemies) And thensee if you can find out a way to distinguish between them.

When you have found out how to distinguishbetween you and the computer you can inject an assembler script that checks forthe condition and then either do not execute the code or do something else.(One hit kills for example)

Alternatively, you can also use this tobuild a so called "Array of byte" string which you can use to searchwhich will result in a list of all your or the enemies players

In this tutorial I have implemented themost amazing game you will ever play.

It has 4 players. 2 Players belong to yourteam, and 2 Players belong to the computer.

Your task is to find the code that writesthe health and make it so you win the game WITHOUT freezing your health

To continue, press "Restart game andautoplay" to test that your code is correct

Tip: Health is a float

Tip2: There are multiple solutions
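
The structure comparison described in this step, as an added example that is not part of the original tutorial: four constructed player structures are compared field by field to find what separates the two teams, and an "Array of byte" string is built from the fields one team has in common. The structure layout, the function pointer table address and the `??` wildcard notation are assumptions of this sketch, not values from the tutorial program.

```python
import struct

# Constructed layout: +0x00 function pointer table, +0x04 health (float),
# +0x08 ammo, +0x0C padding, +0x10 team number.
LAYOUT = "<IfI4xI"
VTABLE = 0x00455A10   # hypothetical; the same for all four units here

def unit(health, ammo, team):
    return struct.pack(LAYOUT, VTABLE, health, ammo, team)

MINE = [unit(100.0, 30, 1), unit(57.5, 12, 1)]
THEIRS = [unit(100.0, 30, 2), unit(80.0, 12, 2)]

def distinguishing_offsets(mine, theirs, width=4):
    """Field offsets that are uniform within each group but differ between groups."""
    out = []
    for off in range(0, len(mine[0]), width):
        a = {u[off:off + width] for u in mine}
        b = {u[off:off + width] for u in theirs}
        if len(a) == 1 and len(b) == 1 and a != b:
            out.append(off)
    return out

def aob_pattern(units, width=4):
    """Field-wise byte string: fixed bytes where all units agree, ?? elsewhere."""
    parts = []
    for off in range(0, len(units[0]), width):
        same = len({u[off:off + width] for u in units}) == 1
        parts += [f"{b:02X}" for b in units[0][off:off + width]] if same else ["??"] * width
    return " ".join(parts)

def aob_search(mem, pattern):
    """Offsets in `mem` where every non-wildcard byte of the pattern matches."""
    pat = [None if p == "??" else int(p, 16) for p in pattern.split()]
    return [o for o in range(len(mem) - len(pat) + 1)
            if all(p is None or mem[o + i] == p for i, p in enumerate(pat))]

def build_mem():
    """Constructed heap: the four units with filler bytes between them."""
    return b"\xAA" * 12 + MINE[0] + THEIRS[0] + b"\xAA" * 4 + MINE[1] + THEIRS[1]
```

Here the function pointer table is identical for both teams and the health values overlap, so only the team number at +0x10 separates them, which is the kind of condition the injected check would test.
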
