Cheat Engine The Official Site of Cheat Engine
me Grandmaster Cheater Reputation: 2
Joined: 24 Jun 2004 Posts: 733 Location: location location
Posted: Mon Aug 23, 2004 9:57 pm Post subject: 3D PINBALL FOR WINDOWS ///// POINTERS & CODE
this is to try to answer the most common questions from people new to cheat engine
using 3d pinball for windows space cadet as an example,
it might be an idea to print this and other tuts so it's easier to work through them,
( this game gives you some free balls so be on the lookout for that during this tut )
start 3D PINBALL FOR WINDOWS, and wait for the first ball to deploy
start cheat engine
click on the flashing icon in the top left of cheat engine
in the bottom of process list window
double click on PINBALL.EXE to attach the game to cheat engine
in the value box type in 3
go into the pinball game and lose a ball
wait for the next ball to be deployed
go back into cheat engine
type 2 into the value box
click on the next scan button
I got the address A9FEE6, yours may be different
ok
I'll double click on the found address A9FEE6 to add it to the bottom pane
click on the checkbox to freeze this address
go back into the PINBALL GAME
lose some balls to see if it's the right address
if you have got it right you'll have infinite balls
-------------------------------------------------------------------------------
now to find the code that changes the number of balls
-------------------------------------------------------------------------------
go back into cheat engine
(if you want you can double click on the value part of the address in the bottom pane and change it back to 3 or 4 balls)
In the bottom pane again right click on the address A9FEE6 and choose
FIND OUT WHAT WRITES TO THIS ADDRESS
you will then get the debugger window
go back into pinball and lose another ball
in the debugger window you should see the address of the code that changes the number of balls
I got 01015f02 - 89 86 46 01 00 00 - mov [esi+00000146],eax
click on this to highlight the code, and click on the ADD TO CODELIST button
a box called CHEAT ENGINE CODE will pop up
name it balls
and hit the OK button
a window called ADVANCED OPTIONS will pop up with balls in it
you can right click it and choose REPLACE WITH CODE THAT DOES NOTHING
to show that the code has been nopped out the name will turn red
you can hit the ok button to close the advanced options window then the stop and close button to exit the debugger
then save your table, but for now
just hit the ok button to close the advanced options window
in the debugger window look at the code 01015f02 - 89 86 46 01 00 00 - mov [esi+00000146],eax
now with the code highlighted click on the MORE INFORMATION button
the EXTRA INFO box will pop up
in this box under copy memory you will see the sentence
THE VALUE OF THE POINTER NEEDED TO FIND THIS ADDRESS IS PROBABLY 00A9FDA0
this is the address held in the ESI register; below this you can see all the values that the registers held at the instant you lost a ball,
as you can see ESI=00A9FDA0
and highlighted in red you can see
01015F02 - mov [ esi + 00000146 ],eax
this is all in hexadecimal
so the ESI register holds 00A9FDA0 therefore
[esi + 00000146] = [ 00A9FDA0 + 00000146 ]
00A9FDA0 + 146 = 00A9EEF6
the first address I found when I started scanning at the start of the game
so note down the address 00A9FDA0
and the offset 146
close the EXTRA INFO window
in the main cheat engine window, hit the new scan button
next to the value box there's a hex checkbox, check it so you can enter a hex value
put in our address without the zeros in front of it A9FDAO
and hit the first scan button
you will get a couple of hundred results
I'll try the first address on the list 009A4356
click on the add address manually button
click on the pointer checkbox and you will see the ADD ADDRESS window change
where it says ADDRESS OF POINTER type in our address 9A4356
and in the OFFSET [HEX] box type in 146, remember [esi + 00000146]
and hit the ok button
hopefully a new address should look like this in the bottom pane
No description P->00A9FEE6 4 bytes 0x00000003
or however many balls you got left
you can freeze the number of balls from this pointer now,
in games that use Dynamic Memory Allocation, DMA,
and use the same code to change things for you and the enemies,
pointers are useful
------------------------------------
ok a couple of things
1) this game doesn't use dma, but it's an easy game to practice on
2) It's free and most people have it
3) so for newcomers it gives an idea of how to use the basic search / pointer / and advanced options
well as they say that's my two cents

the_brilliance Advanced Cheater Reputation: 0
Joined: 15 Nov 2003 Posts: 82
Posted: Tue Sep 21, 2004 4:52 pm Post subject:
Or you could just change the score.

Snow1337 Catastrophic Cheatah Reputation: 1
Joined: 12 Oct 2004 Posts: 183 Location: Your, Computer
Posted: Wed Oct 27, 2004 9:41 am Post subject:
umm.. that added nothing to this tutorial o.0
Nice tutorial, should help some people :p

Voa How do I cheat? Reputation: 0
Joined: 06 Nov 2004 Posts: 0 Location: Your, Computer
Posted: Sun Nov 07, 2004 4:05 am Post subject:
Hahaha, thanks man this really helped me=p
I'm proud of myself

Davethewave Expert Cheater Reputation: 0
Joined: 06 Mar 2005 Posts: 210
Posted: Sun Mar 06, 2005 5:35 pm Post subject:
3d pinball space cadet doesn't count how many balls I have, just how many I've used, so I tried this with mine sweeper's timer, I got as far as "in the debugger window look at the code 01015f02 - 89 86 46 01 00 00 - mov [esi+00000146],eax
now with the code highlighted click on the MORE INFORMATION button
the EXTRA INFO box will pop up "
I don't know what the debugger window is, couldn't find that code in the memory viewer so I'm assuming that isn't the debugger window, plus I can't find the Extra info box. I am an ULTRA newb to this stuff so go easy on me, so I didn't go any further because I got lost at this point. Thanks though! It showed me some stuff I didn't know existed.

me Grandmaster Cheater Reputation: 2
Joined: 24 Jun 2004 Posts: 733 Location: location location
Posted: Thu Mar 10, 2005 11:57 pm Post subject:
ok for minesweeper the addresses for the timer and number of mines seem to be static... ok they stay the same on mine.....
you can do a byte search for the number of mines, that just speeds up the search and gives more accuracy,
a little bit more on searching.... for known numbers
1) for numbers from 1 to 255 , use BYTE search
2) for numbers from 256 to 65535 , use 2 BYTE search
3) for numbers from 65535 up use 4 BYTES
then you get into double words etc,
try to use the simplest method first then build up the complexity of your search if it is needed,
-----------------------
minesweeper is a simple byte search from what I see,
to find the number of mines .. just start the game ...
and you have 10 mines....
ok you know how to start cheat engine and select the minesweeper process. so next..
on the beginner level you have ten mines..
so here we go....................
1) ENTER 10 ... for your first search value
2) SCAN TYPE >>>>> choose >>>>> EXACT VALUE
3) VALUE TYPE>>>>>>choose >>>>> BYTE
-----
4) in minesweeper click on the game menu and select INTERMEDIATE
this will change the number of mines to 40........
5) in cheat engine change the value to 40 .... and click on the NEXT SCAN button ...
6) ok this gave me 3 results.. next change minesweeper to expert..
this gives 99 mines in the game...
7) well I still had 3 results..
8) ok change minesweeper back to BEGINNER so you got ten mines...
9)hmmm all 3 addresses in the cheat engine window still change back to
10 mines ....
OK DOUBLE CLICK ON EACH ADDRESS TO ADD THEM TO THE BOTTOM PANE..so you can change the values of each address....
10) here's an old trick... change all the values in your address list by 1 or more
ok for example... here's my addresses
01005194 10
01005330 10
010056a4 10
......
SOOO if we change 01005194 to 20
AND .................. 01005330 to 30
AND .................. 010056a4 to 40
click on the smiley to start a new game ...
hmmm we have got 40 mines to play with...... so the address we need to play around with is
10056a4
change the value at this address to 1 ,, click on the smiley to start a new game ...and hoho only 1 mine....
----------
the timer you can find by using the byte search as well, and you get away with an "exact value" scan type in this game
the trick here is to set up the pause hotkey in settings ( the button just under the cheat engine logo in the main cheat engine window)
for timers it's always a good idea to try to freeze the game..
-----------------------------------------------------
here is the code address for the timer
1002ff5 inc [0100579c]
------------------------------
just right click it in the memory view window and change it to code that does nothing..
oh and a good habit is to save it to the code list and save any code you find to a table
then you just have to right click the code line you found and disable it anytime you want....
hope that helped
keep at it we are all beginners when we are learning something new :wink:
here's a table to start you off

Davethewave Expert Cheater Reputation: 0
Joined: 06 Mar 2005 Posts: 210
Posted: Fri Mar 11, 2005 3:11 am Post subject:
Thanks! I messed around with it, I should have posted before, I figured all this out but still need to try to understand ASM more. Sometimes NOPing stuff has side effects, I wish I could better understand so I can manipulate it. Thanks again.

The light tower Newbie cheater Reputation: 0
Joined: 26 Jun 2005 Posts: 11 Location: Canada, BC, Vacouver
Posted: Sun Jun 26, 2005 11:31 am Post subject: i've got a question.
Every time I finish hacking something on the internet and reopen cheat engine, all the addresses in my cheat engine don't work, how do you make them work?

me Grandmaster Cheater Reputation: 2
Joined: 24 Jun 2004 Posts: 733 Location: location location
Posted: Mon Jun 27, 2005 10:09 am Post subject:
when you find your addresses
you need to breakpoint them to find the code that's changing them, then either code inject or find the pointer to the address (like in the pinball tut above),
quite often the first pointer you find is a general pointer,
and not the base pointer,
in an internet game it's just about certain that the first pointer you find is a general pointer, (lots of typing pointer there)
so you can try
putting a breakpoint on the 1st pointer you find
then putting a breakpoint on the 2nd pointer you find , that points to the
1st pointer,
you may have to try this several times before you get to the base pointer,
---------
you might try doing a text search , and recalculate your addresses from that, how to recalculate addresses is here on the forum somewhere,
for instance you might do a text search for your characters name in the game,
and recalculate your ammo address from that,
sometimes this will work, depends on the game,
---------
then there's code injection, plenty of tutorials on that all over the web,
---------
if the game folder has an unencrypted save game file , you might be able to hex edit it,
--------
just mess around till you find what works,
don't get too stuck on any one method of game fix...
---------
if all else fails just search for the address each time lol,,
---------
lots of multiplayer games have cyclic redundancy checks,
and your lives, health, ammo, items are server based, so you change an item and the server's pc says that's wrong
you have not got 999999 million grenades
and tries to reset your ammo/ or kick you,
also many punkbuster like programs that do checks every few cycles,
I tend to just mess with single player games, and just play online,
to save getting ip banned from servers lol...
<<cough>> the directX mess can come in handy sometimes though<<cough>>

Extremest How do I cheat? Reputation: 0
Joined: 04 Jul 2005 Posts: 3
Posted: Mon Jul 04, 2005 8:19 pm Post subject:
I did the pinball one that you did and it worked the pointer and all, but when I restart the game it doesn't work. How can I make something that will always work?

me Grandmaster Cheater Reputation: 2
Joined: 24 Jun 2004 Posts: 733 Location: location location
Posted: Tue Jul 05, 2005 12:11 am Post subject:
just decided to simplify things here
Last edited by me on Fri Jul 08, 2005 6:53 pm; edited 2 times in total

me Grandmaster Cheater Reputation: 2
Joined: 24 Jun 2004 Posts: 733 Location: location location
Posted: Tue Jul 05, 2005 12:12 am Post subject:
and leave just the static pointer to base address in bits in...
maybe a separate debugger explanation is needed at a later time, >>>
Last edited by me on Fri Jul 08, 2005 7:12 pm; edited 2 times in total

me Grandmaster Cheater Reputation: 2
Joined: 24 Jun 2004 Posts: 733 Location: location location
Posted: Tue Jul 05, 2005 12:44 am Post subject:
when you do the first hex search for the balls pointer,
and you get your 346 possible addresses, if you have got the pinball game in windowed mode and not full screen,
while in the game just press F2 lots of times and you will see that it is the first pointer address that changes while the rest stay the same,
so try using the second and third addresses in the list with the 146 offset,
I kept getting all the pointer addresses that held 00AB0C10
while the first pointer in the list kept changing
Last edited by me on Fri Jul 08, 2005 7:04 pm; edited 1 time in total

me Grandmaster Cheater Reputation: 2
Joined: 24 Jun 2004 Posts: 733 Location: location location
Posted: Tue Jul 05, 2005 2:30 pm Post subject:
put a breakpoint on AB0C10 and you get to the static address that holds your pointer address,
010140CC - mov ecx,[01023638]
if you look at the registers in the extra info pic you see ecx is holding AB0C10 from the contents of 01023638,
if you go to this address in the hex window of the memory viewer you will see the base pointer address, written backwards of course, low bytes first,
Last edited by me on Wed Sep 07, 2005 1:57 pm; edited 1 time in total
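
The exact-value scan, the hex search for the pointer and the pointer-plus-offset lookup walked through in this thread, run here over a constructed in-memory image instead of a live process (an added example, not part of any post). The addresses 01023638 and AB0C10 and the offset 146 are the ones quoted above; the region layout, the decoy value at base+0x10 and the second base address 0x00B20000 are assumptions made for the illustration.

```python
import struct

STATIC_PTR = 0x01023638   # static address quoted in the thread
OFFSET = 0x146            # offset from mov [esi+00000146],eax

def build_image(balls, heap_base):
    """Constructed memory image {region base: bytes}; not read from a real process."""
    static = bytearray(0x40)                          # region 0x01023600..0x0102363F
    struct.pack_into("<I", static, 0x38, heap_base)   # pointer stored low byte first
    heap = bytearray(0x200)
    struct.pack_into("<I", heap, OFFSET, balls)       # ball counter at base + 0x146
    heap[0x10] = 3                                    # unrelated value that is also 3
    return {0x01023600: bytes(static), heap_base: bytes(heap)}

def read_bytes(image, addr, size):
    for base, data in image.items():
        if base <= addr and addr + size <= base + len(data):
            return data[addr - base:addr - base + size]
    raise ValueError(f"unmapped address {addr:#010x}")

def read_u32(image, addr):
    return struct.unpack("<I", read_bytes(image, addr, 4))[0]

def scan_u32(image, value, candidates=None):
    """Exact-value 4-byte scan; pass earlier hits as candidates for a 'next scan'."""
    if candidates is None:
        candidates = [b + o for b, d in image.items() for o in range(len(d) - 3)]
    return [a for a in candidates if read_u32(image, a) == value]

def resolve(image, static_addr, offset):
    """One pointer level: the dword stored at static_addr, plus offset."""
    return read_u32(image, static_addr) + offset

def demo():
    first = scan_u32(build_image(3, 0x00AB0C10), 3)              # two candidates
    hits = scan_u32(build_image(2, 0x00AB0C10), 2, first)        # after losing a ball
    pointers = scan_u32(build_image(2, 0x00AB0C10), 0x00AB0C10)  # hex search for base
    moved = build_image(3, 0x00B20000)                           # next launch, new base
    return first, hits, pointers, resolve(moved, STATIC_PTR, OFFSET)

if __name__ == "__main__":
    first, hits, pointers, addr = demo()
    print([hex(a) for a in first], [hex(a) for a in hits])
    print([hex(a) for a in pointers], hex(addr))
```

The address found by scanning is only valid while the structure stays where it is; the static pointer plus offset still lands on the counter after the base moves.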