Some post about CE tutorial and assembly instructions

 
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5636

Posted: Mon Aug 09, 2010 8:56 am    Post subject: Some post about CE tutorial and assembly instructions

This should be an article about beating the Cheat Engine tutorial up to a certain point and, more importantly, not just beating the tutorial but understanding what You are doing when You do it instead of following simple instructions. Now I must admit this is not the best article but I don't plan to bother with it anymore so I put it here, even if it's crappy. Mainly it is written for kids and complete noobs, so I have tried to be very simple.
It does not cover the last 2 steps in the tutorial.
The second part will cover basic assembly instructions and 2 examples of how to hack real games (Warhammer: Mark of Chaos and C&C Generals).
I have chosen these games because they are good examples, not because they are new, shiny and popular.
My scripts are not so user friendly, but I don't care as long as they are working.

Don't flame it, write a better one and show what You can do.
I have uploaded them to a site too and I will add a few more.
http://szemelyesintegracio.hu/cheats/41-game-hacking-articles/86-how-to-beat-the-cheat-engine-tutorial

http://szemelyesintegracio.hu/cheats/41-game-hacking-articles/87-basic-assembly-instructions-opcodes-and-examples


Changing a value in a program

The most basic method to change anything in a program is to modify a value in it. For example, to search for where Your life is stored in a game, and simply change the amount of lives You have. You are also able to freeze the value and prevent it from decreasing or increasing. Now download CE and install it.
In the installation directory, You will find the tutorial program, Tutorial.exe.


Step 1:
Start the tutorial exe file and CE too. Click on the "Open process" button in CE, and choose "Tutorial.exe" from the list. This will attach CE to the tutorial program and You can start hacking it. Click on the "Next" button in the Tutorial as instructed.

Step 2:
Now You can see a "game" in the tutorial. You have 100 Health and if You click on the "Hit me" button, Your health will decrease. In order to beat this challenge, You need to find Your health and change it to 1000. Go to CE, type Your health's amount (which is 100 at the start) in the value box, then hit the "First scan" button. Now CE has listed every address which holds the same value as Your health, but there are dozens of addresses and only one of them is the correct one. We will filter the results. Click on the "Hit me" button in the tutorial and Your health will decrease. Now go back to CE, type in the new value of Your health and click on the "Next scan" button. Now You can see that only one address is in the list. Double click on it. Click on the value and change it to 1000. If You have done it right, You have 1000 health and the "Next" button is active in the tutorial. Click on it for the next challenge.

Step 3:
This challenge is similar to the previous one, but here You do not know the exact value of Your health; You can see a health bar only. So how do You search for a number if it is displayed as a graphic health bar? Click on "New scan" in CE. Choose "Unknown initial value" as Scan type and hit the "First scan" button. Then click on the "Hit me" button in the Tutorial and You will lose some health. You can also see how much health You have lost. Now if You check the Scan type menu in CE, You can see some choices. What happened to Your health's value? Did it increase, decrease, change in any way or not change at all? Of course it has decreased, as we know now, so either choose "Decreased value" as the scan type, or choose "Decreased value by..." and type in the amount of health You have lost. Keep searching until You find the address which may store Your health. If You got it, change it to 5000 and proceed to the next step of the tutorial.

Step 4:
You may have noticed that values may be stored in different forms in the memory. Now You need to change 2 values, one of them is float and the other is double. For detailed information about value types, click on Help in CE and read the Main Interface -> Value types part. Change the value type to float, and search for the first value just as You have done in Step 2. If You got it, change it to 5000, then do the same with the double type value.
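The filtering that steps 2 to 4 describe is simple enough to reproduce in code. The following is an added example, not part of the original post or of Cheat Engine itself: a tiny "first scan / next scan" over a constructed 256-byte memory image, with the scan types used above (exact int, exact float, unknown initial value, decreased, decreased by). It assumes little-endian 4-byte ints and IEEE floats, that addresses are byte offsets into the image, and that candidates are tested at 4-byte alignment (CE's default fast-scan setting); the decoy values and their offsets are made up for the demonstration.

```c
/* Added example, not part of the original post: a "first scan / next scan"
 * filter over a constructed 256-byte memory image, mirroring the scan types used
 * in steps 2-4. Assumptions: little-endian 4-byte ints and IEEE floats, addresses
 * are byte offsets into the image, candidates are tested at 4-byte alignment. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IMG_SIZE 256

enum scan_type { EXACT_INT, EXACT_FLOAT, UNKNOWN_INITIAL, DECREASED, DECREASED_BY };

struct scanner {
    uint8_t snapshot[IMG_SIZE];   /* memory as it looked at the previous scan */
    size_t  cands[IMG_SIZE / 4];  /* offsets that survived every scan so far */
    size_t  ncands;
};

static int32_t rd_i32(const uint8_t *p) { int32_t v; memcpy(&v, p, 4); return v; }
static float   rd_f32(const uint8_t *p) { float v;   memcpy(&v, p, 4); return v; }
static void    wr_i32(uint8_t *p, int32_t v) { memcpy(p, &v, 4); }
static void    wr_f32(uint8_t *p, float v)   { memcpy(p, &v, 4); }

/* A candidate survives a scan if its current bytes satisfy the chosen scan type.
   The DECREASED* types compare against the snapshot taken by the previous scan. */
static int matches(const struct scanner *s, const uint8_t *mem, size_t off,
                   enum scan_type t, int32_t ival, float fval)
{
    switch (t) {
    case EXACT_INT:       return rd_i32(mem + off) == ival;
    case EXACT_FLOAT:     return rd_f32(mem + off) == fval;
    case UNKNOWN_INITIAL: return 1;   /* keep everything; only the snapshot matters */
    case DECREASED:       return rd_i32(mem + off) < rd_i32(s->snapshot + off);
    case DECREASED_BY:    return rd_i32(s->snapshot + off) - rd_i32(mem + off) == ival;
    }
    return 0;
}

/* "First scan": test every aligned offset, then remember the whole image. */
size_t first_scan(struct scanner *s, const uint8_t *mem,
                  enum scan_type t, int32_t ival, float fval)
{
    s->ncands = 0;
    for (size_t off = 0; off + 4 <= IMG_SIZE; off += 4)
        if (matches(s, mem, off, t, ival, fval))
            s->cands[s->ncands++] = off;
    memcpy(s->snapshot, mem, IMG_SIZE);
    return s->ncands;
}

/* "Next scan": re-test only the survivors, then refresh the snapshot. */
size_t next_scan(struct scanner *s, const uint8_t *mem,
                 enum scan_type t, int32_t ival, float fval)
{
    size_t kept = 0;
    for (size_t i = 0; i < s->ncands; i++)
        if (matches(s, mem, s->cands[i], t, ival, fval))
            s->cands[kept++] = s->cands[i];
    s->ncands = kept;
    memcpy(s->snapshot, mem, IMG_SIZE);
    return kept;
}

/* Step 2: health is a known int (100), but two decoys share that value until
   "Hit me" changes things. Returns the unique surviving offset, or -1. */
long find_health_known(void)
{
    uint8_t mem[IMG_SIZE] = {0};
    struct scanner s;
    wr_i32(mem + 0x10, 100);     /* decoy that stays 100 (e.g. a timer) */
    wr_i32(mem + 0x40, 100);     /* decoy that changes to something else */
    wr_f32(mem + 0x60, 100.0f);  /* float 100.0: different bit pattern, not an int hit */
    wr_i32(mem + 0x80, 100);     /* the real health */

    first_scan(&s, mem, EXACT_INT, 100, 0.0f);   /* three int hits */
    wr_i32(mem + 0x80, 97);   /* "Hit me": lost 3 health */
    wr_i32(mem + 0x40, 55);   /* the decoy happens to change too */
    if (next_scan(&s, mem, EXACT_INT, 97, 0.0f) != 1) return -1;
    return (long)s.cands[0];
}

/* Step 3: only a health bar is visible, so start from "Unknown initial value"
   and narrow by "Decreased value", then "Decreased value by". */
long find_health_unknown(void)
{
    uint8_t mem[IMG_SIZE] = {0};
    struct scanner s;
    wr_i32(mem + 0x20, 500);   /* decoy that goes up */
    wr_i32(mem + 0x90, 1234);  /* the real health, value unknown to the player */
    wr_i32(mem + 0xC0, 7);     /* decoy that never changes */

    first_scan(&s, mem, UNKNOWN_INITIAL, 0, 0.0f);   /* all 64 offsets survive */
    wr_i32(mem + 0x90, 1184); wr_i32(mem + 0x20, 600);   /* hit for 50 */
    next_scan(&s, mem, DECREASED, 0, 0.0f);
    wr_i32(mem + 0x90, 1159);                            /* hit for 25 */
    if (next_scan(&s, mem, DECREASED_BY, 25, 0.0f) != 1) return -1;
    return (long)s.cands[0];
}
```

The point the float decoy makes is the one from step 4: the same number stored as a float has a completely different bit pattern, so an int scan never sees it and You have to switch the value type. The snapshot is what makes "Unknown initial value" work: the first scan finds nothing, it only records the whole region so that later "Decreased" scans have something to compare against.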


DMA (Dynamic Memory Allocation)

DMA will make Your life a bit more difficult if You plan to hack games, because it means that the address where Your health is stored will change. You will not really find any game which is not using DMA, so get used to it. The programs use the addresses as temporary storage only, and if You start a new level, restart the game etc., everything will be in a different location. Of course You can search for the value again, and again and again, but this is not needed. Now we will start to climb towards the more advanced methods of game hacking and learn to beat DMA. If You need more information on DMA, You can find out more here.

Step 5:
First find the value as usual and add it to the list. Right-click the address in Cheat Engine and choose "Find out what writes to this address". A window will pop up with an empty list. Now click on the "Change value" button in the tutorial and go back to CE. You can see a code now, like this one:
mov [eax],edx
This is the assembler code which is writing to the address that we have found, for example the code that is changing Your health. Add this code to the code list. You can check Your code list by clicking on "Advanced options" at the bottom of CE. Right-click on the code that You have found, and choose "Replace with code that does nothing". Now click on the "Change value" button in the tutorial and if You have done it right, Your health will not change at all. This is because You have "switched off" the assembler code which should change Your health.

This has covered the basics, now You know how to search for values and how to find a code which is changing that value. It is time to learn a bit about assembler codes because at the end, these codes will be the key to hack and modify games.

Step 6:
Now You will learn a bit about pointers. Pointers are addresses which contain the address of Your health as a value. Well, not exactly, but almost. Let's check out how. Search for the value and add it to the list. Find out what writes to the address like in step 5. If You have found the code, click on "More information". You should see something like this:
mov [eax],edx

Now what is that? This is the code which is changing the health, but how?
This is a very simple instruction. It means "copy the content of the edx register to the [eax] address".
What is a register?
Registers are used by the assembler code to store values, just like memory addresses, but registers can be used much faster than memory addresses and there are only a few of them, so their values are always changing. You can read more about registers in the CE help file, but this is enough at the moment.

Now check out the instruction again:

mov [eax],edx

mov means "copy" in assembly. It will copy the 2nd operand to the first.
In this case, edx contains the new value of health after You have been hit, which should be written to the health's address. eax contains the address of Your health.
[eax] means the value which is stored at the address contained in eax.
If You put a register between [ and ], it means "the value which is stored at the address contained in the register".
So eax is the address of Your health, for example 0096EEE8.
[eax] is the value of Your health (for example 100 health), which is at the 0096EEE8 address.
In most cases, You will see more between the [ ] than just a register. For example You may see [eax+10]. This means that the program is referring to an address which is eax+10. In this case, eax+10 is 0096EEF8.
I hope You got that part, because it will be extremely important in the future.

Now back to the case. If You have clicked on "More information", You can see the code that You have examined and the values of the registers. Make sure to remember what is between the [ ] and what the value of the register is. Now tick "Hex" to the left of the value box in CE, type in the value of the register and search for it. You have found the address of the pointer. Click on "Add address manually". Select "Pointer", and type in the address of the pointer that You have found. If You have done it right, You have added an address to the table which will "track" the location of Your health, wherever it is.

You need to know that pointers are very unreliable, the pointer's address may also change in some games so in most cases it is totally useless to work with them.
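What a pointer entry actually does, and why a pointer found the step 6 way can still break, is easier to see in code. The following is an added example, not part of the original post or of Cheat Engine: it resolves a pointer path over a constructed memory image, finds a pointer the step 6 way (search memory for the address a register held), and then "restarts the level" by moving the objects. It goes one step past the text by also resolving a two-level path, the kind step 8 later asks for. Assumptions: 32-bit little-endian addresses that are byte offsets into the image, and a path base,[o1,o2,...] resolving as [[base]+o1]+o2 (every offset is added after one dereference; the final address is not dereferenced). The manager/unit layout and the addresses 0x100, 0x180, 0x200 etc. are invented for the demonstration.

```c
/* Added example, not part of the original post: how a cheat-table "pointer"
 * entry tracks a value after the game reallocates it (DMA), plus the step-6
 * trick of searching memory for a register's value to find the pointer.
 * Assumptions: 32-bit little-endian addresses that are byte offsets into a
 * constructed image; a path base,[o1,o2,...] resolves as [[base]+o1]+o2 ... */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IMG_SIZE 0x400

static uint32_t rd32(const uint8_t *m, uint32_t a) { uint32_t v; memcpy(&v, m + a, 4); return v; }
static void     wr32(uint8_t *m, uint32_t a, uint32_t v) { memcpy(m + a, &v, 4); }

/* Walk a pointer path. Each offset is added after one dereference; the final
   address itself is not dereferenced. Returns 0 if a step would read outside
   the image (what CE shows as "??"). */
uint32_t resolve_path(const uint8_t *m, uint32_t base, const uint32_t *offs, size_t n)
{
    uint32_t addr = base;
    for (size_t i = 0; i < n; i++) {
        if (addr > IMG_SIZE - 4) return 0;
        addr = rd32(m, addr) + offs[i];
    }
    return addr;
}

/* Step 6: the register held the health address; search memory for that value
   (the "Hex" scan) to find every slot pointing at it. Returns the hit count. */
size_t find_pointers_to(const uint8_t *m, uint32_t target, uint32_t *out, size_t max)
{
    size_t n = 0;
    for (uint32_t off = 0; off + 4 <= IMG_SIZE && n < max; off += 4)
        if (rd32(m, off) == target) out[n++] = off;
    return n;
}

/* Constructed game layout: a static slot at 0x100 -> manager object ->
   unit object {player_id, health, max_health}. Returns the unit's address. */
uint32_t build_image(uint8_t *m, uint32_t manager, uint32_t unit, uint32_t health)
{
    memset(m, 0, IMG_SIZE);
    wr32(m, 0x100, manager);        /* static address: survives restarts */
    wr32(m, manager + 0x10, unit);  /* manager's "current unit" field */
    wr32(m, unit + 0x0, 0);         /* player ID */
    wr32(m, unit + 0x4, health);
    wr32(m, unit + 0x8, 100);       /* max health */
    return unit;
}

/* A one-level pointer found as in step 6 (the slot that held the unit address)
   breaks when the manager itself moves; the two-level path from the static
   slot still resolves. Returns 1 if both observations hold. */
int demo_realloc(void)
{
    uint8_t m[IMG_SIZE];
    uint32_t hits[4];
    const uint32_t path1[] = { 0x4 };          /* [0x190]+4: pointer found in step 6 */
    const uint32_t path2[] = { 0x10, 0x4 };    /* [[0x100]+0x10]+4 */

    build_image(m, 0x180, 0x200, 100);
    if (find_pointers_to(m, 0x200, hits, 4) != 1 || hits[0] != 0x190) return 0;
    uint32_t h1 = resolve_path(m, 0x190, path1, 1);
    uint32_t h2 = resolve_path(m, 0x100, path2, 2);
    if (h1 != 0x204 || h2 != 0x204 || rd32(m, h1) != 100) return 0;

    /* "New level": manager and unit are allocated somewhere else. */
    build_image(m, 0x280, 0x300, 73);
    uint32_t stale = resolve_path(m, 0x190, path1, 1);   /* 0x190 now holds 0 */
    uint32_t fresh = resolve_path(m, 0x100, path2, 2);
    return stale != 0x304 && fresh == 0x304 && rd32(m, fresh) == 73;
}
```

The stale path is exactly the "pointer's address may also change" problem: the slot at 0x190 was itself inside a dynamically allocated object. The fix is the step 8 procedure, which is the step 6 search repeated on the pointer's own address until You reach something static, and that is what a multi-level path like [[0x100]+0x10]+4 records.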

Step 7:
Code injection is the part where You will start to use advanced methods to modify the code itself instead of just changing values. Search for the value that we want to modify. Find out what writes to the address. Add it to the code list, then right-click on it and choose "Open the disassembler at this location". You can see the assembler code in the browser now. Go to Tools->Auto assemble, or press CTRL+A. Now You see a small window where we will begin to tinker with the code. Click on Template->Cheat table framework code. Now You can see an Enable and a Disable section. Obviously, the code under the Enable section will be used when the cheat is enabled and the Disable section is used when we disable it. Click on Template->Code injection. You can see a template for changing the assembler code now. It is important to know that any text after // is not part of the code, it is just a comment. Any text that You put after // in a line will not be used by the program; You can use it to make notes for Yourself etc. Scroll down a bit until You see this section:


newmem: //this is allocated memory, you have read,write,execute access
//place your code here


originalcode:
dec [ebx+00000310]

In this part, the original code may be different for You; it has to be the code that is writing to Your health. Our task is to modify the code from "decrease one life" to "increase by 2 lives". In order to do so, let's check out some basic assembler instructions.

"dec" will decrease the value by 1

"inc" will increase the value by 1

"sub" will subtract the second operand from the first,
e.g. sub [ebx+00000310],4 would mean "decrease the value at ebx+0310 by 4".

"add" will add the second operand to the first,
e.g. add [ebx+00000310],4 would mean "increase the value at ebx+0310 by 4".

"mov" will copy the second operand to the first,
e.g. mov [ebx+00000310],4 would mean "change the value at ebx+0310 to 4".


What do we need to change in the code in order to accomplish our task?

It should look like this:

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
add [ebx+00000310],2


originalcode:
//dec [ebx+00000310]

First we have added our own code to increase the health with 2 and we have also put a // before the original code, so we have "switched it off".

Click on File->Assign to current cheat table. In the cheat table, You can see an "Auto assemble cheat" entry. Right-click on it and You will see a menu, where You are able to enable and disable Your cheat and also change the script that You have made if You wish. By double clicking on the "Auto assemble cheat" text, You are able to rename Your script, like "God Mode" or "Invincibility", whatever. Enable Your cheat and let's see how it works. Click on the "Hit me" button in the tutorial and if You got it right, Your health will increase by 2 instead of decreasing.
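Enabling the script above changes bytes in the game's code, and it is worth seeing what the Code injection template does with them. The following is an added example, not part of the original post or of Cheat Engine's own auto-assembler: it lays out the detour on a constructed code image, a 5-byte jmp to newmem written over the original instruction (NOP-padded), the new code in newmem, and a jmp back to the instruction after the hook. Step 5's "Replace with code that does nothing" is the NOP fill on its own. Assumptions: 32-bit x86, addresses are offsets into the image, and the two instruction encodings (FF 8B 10 03 00 00 for dec [ebx+00000310], 83 83 10 03 00 00 02 for add [ebx+00000310],2) were assembled by hand for this example, as were the addresses 0x100 and 0x800.

```c
/* Added example, not part of the original post: what enabling the step-7 script
 * does to the code bytes: a 5-byte jmp to newmem over the original instruction
 * (NOP-padded), your code in newmem, and a jmp back. Step 5's "Replace with
 * code that does nothing" is the NOP fill alone.
 * Assumptions: 32-bit x86, addresses are offsets into a constructed code image,
 * and the two instruction encodings below were assembled by hand for this example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CODE_SIZE 0x1000
#define JMP_LEN   5            /* E9 rel32 */

static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* dec dword ptr [ebx+00000310]  : FF /1, ModRM 8B (mod=10 reg=001 rm=ebx), disp32 */
static const uint8_t DEC_EBX_310[]   = { 0xFF, 0x8B, 0x10, 0x03, 0x00, 0x00 };
/* add dword ptr [ebx+00000310],2: 83 /0 ib, ModRM 83 (mod=10 reg=000 rm=ebx), disp32, imm8 */
static const uint8_t ADD_EBX_310_2[] = { 0x83, 0x83, 0x10, 0x03, 0x00, 0x00, 0x02 };

/* Step 5: overwrite the whole instruction, never just part of it. */
void nop_out(uint8_t *code, uint32_t at, size_t len) { memset(code + at, 0x90, len); }

/* rel32 is measured from the end of the jmp, so from+5. Unsigned wrap-around
   gives the right two's-complement encoding for backward jumps. */
void write_jmp(uint8_t *code, uint32_t from, uint32_t to)
{
    code[from] = 0xE9;
    wr32(code + from + 1, to - (from + JMP_LEN));
}

/* Decode an E9 jmp at 'at' back to its absolute target. */
uint32_t jmp_target(const uint8_t *code, uint32_t at)
{
    return at + JMP_LEN + rd32(code + at + 1);
}

/* Lays out:   hook_at: jmp newmem ; nop * (orig_len-5)
 *             newmem:  payload [; original bytes if keep_original] ; jmp hook_at+orig_len
 * orig_len must cover whole instructions and be >= 5, or the jmp would cut an
 * instruction in half; returns the return address, or 0 on refusal. */
uint32_t install_detour(uint8_t *code, uint32_t hook_at, size_t orig_len, uint32_t newmem,
                        const uint8_t *payload, size_t payload_len, int keep_original)
{
    if (orig_len < JMP_LEN) return 0;
    uint32_t ret = hook_at + (uint32_t)orig_len;
    uint32_t p = newmem;
    memcpy(code + p, payload, payload_len);
    p += (uint32_t)payload_len;
    if (keep_original) {                 /* copy before the hook site is clobbered */
        memcpy(code + p, code + hook_at, orig_len);
        p += (uint32_t)orig_len;
    }
    write_jmp(code, p, ret);
    write_jmp(code, hook_at, newmem);
    nop_out(code, hook_at + JMP_LEN, orig_len - JMP_LEN);
    return ret;
}

/* The tutorial's script: original line commented out (keep_original = 0).
   Returns the address of the "jmp return" inside newmem. */
uint32_t demo_install(uint8_t *code)
{
    const uint32_t hook = 0x100, newmem = 0x800;
    memset(code, 0xCC, CODE_SIZE);                       /* int3 filler */
    memcpy(code + hook, DEC_EBX_310, sizeof DEC_EBX_310);
    if (!install_detour(code, hook, sizeof DEC_EBX_310, newmem,
                        ADD_EBX_310_2, sizeof ADD_EBX_310_2, 0)) return 0;
    return newmem + (uint32_t)sizeof ADD_EBX_310_2;
}
```

Two things the template hides are visible here: the jmp needs 5 bytes, so the original instruction (6 bytes in this case) is padded with a NOP, and if the instruction were shorter than 5 bytes the following instruction would have to be moved into newmem as well, which is why the template shows You the "originalcode" section before You touch anything. Leaving the original line in place (keep_original = 1) reproduces the template's default behaviour; commenting it out, as the tutorial does, is what turns the dec into nothing but our add.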


Step 8 includes multi-level pointers which is not a big deal if You know about pointers already, especially if You use the pointer scanner in CE. Step 9 is more difficult, You need to know how to program in C if You wish to accomplish it.

Assembly instructions (Opcodes):

dec : decrease the value by 1

inc : increase the value by 1

sub : subtract the second operand from the first,
e.g. sub [ebx+00000310],4 would mean "decrease the value at ebx+0310 by 4".

add : add the second operand to the first,
e.g. add [ebx+00000310],4 would mean "increase the value at ebx+0310 by 4".

mov : copy the second operand to the first,
e.g. mov [ebx+00000310],4 would mean "change the value at ebx+0310 to 4".

lea: copy the result of the second operand to the first operand
e.g. lea eax,[esi+30] would mean copy esi+30 to eax.
This is good to save pointers.

cmp : compare, 2 registers, or a number and a register.
e.g. cmp esi,2 //compare esi to 2
cmp esi,ecx //compare esi to ecx
The result of the comparing will be stored in a flag. To see more about flags,
check out the CE help file.

jmp : jump to an address
You can use the jmp instructions to jump to a specific address (long jump), or to jump forward or backward x bytes (short jump).
e.g. jmp +0000000A //this instruction would mean to jump forward 10 bytes in the code.

Conditional jumps:
You can use conditional jumps to jump to a specific address, or to jump
forward or backward x bytes.

je : jump to a location if the previous compare's result was equal
e.g.
cmp esi,2
je 0f445566 //if esi is equal to 2, the program will jump to 0f445566 address.


jne: jump to a location if the previous compare's result was not equal

jg : Jump if Greater
jl : Jump if Less


push : save a register or flag in the stack
pop : load a register or flag from the stack
pushad : save all registers in the stack
popad : load all registers from the stack
pushfd : save all flags in the stack
popfd : load all flags from the stack

The stack is a "storage" where You can put values and load them from it. However You are not able to save and load the values in any order. The last value in the stack that You push in will be the first one that You pop out.

For example, let's assume ecx=3, edx=2 and the stack stores the following values.


4
5
6

Now we put an instruction like "push ecx". Then the stack will look like this.

3
4
5
6

Now we also put in edx with "push edx". The stack will look like this.

2
3
4
5
6

Now we want to pop a value from the stack, like "pop ecx".

In this case, the program will pull out the top value from the stack, which is 2,
and put it into ecx. So ecx=2 and the stack looks like this.

3
4
5
6

If we give a "pop edx" instruction now, edx will be 3, and the stack will look like

4
5
6

The result: the stack is the same as when we started, but now ecx=2 and edx=3; we have swapped their values.

If You use pushad and pushfd, then popad and popfd, make sure to use them in the correct order.

pushad
pushfd
...
popfd
popad

or

pushfd
pushad
....
popad
popfd

So what You push in first should be popped out last. What happens if You don't?

WRONG example:

pushfd
pushad
....
popfd
popad

Result: You will push the flags onto the stack, then push the registers, and with the popfd instruction You will load the value of the registers into the flags, which will totally mess up the program and most likely it will crash.

Why do we use push, pop and the stack anyway?
In assembly, You are not able to use 2 memory values as operands in the same instruction.
e.g. mov [ecx],[edx] is not a valid instruction. If You wish to move the value at [edx] to [ecx], first You need to put [edx] into a register, then copy the register to [ecx]. However, changing a register's value for Your own purposes without restoring it later will result in errors. Also, when You use the cmp instruction, You change the status of the flags, so sometimes it may be needed to restore the flag values too.


For a fine example of how to use the stack, compare, conditional jumps and mov, I will describe how I made a "God Mode" for my soldiers in an RTS game, Warhammer: Mark of Chaos.

First of all You need to search for a soldier's health and check which code is writing to the address of health. However, this code is changing all of the soldiers' health in the game, including the enemy soldiers. So if You just turn off this code, everyone will be invincible. That would not be useful.

The code which is changing the health is the following:
008d0f08 - d9 56 04 - fst dword ptr [esi+04]

If You look in the memory browser, You will realise that the soldier's data structure is very simple in this game. As You can see in the code, the health is stored at esi+04. The maximum health of the unit is 4 bytes later, so it is at esi+08. One more thing: if the value before the health (at esi) is 0, then the unit is Your unit. If it is not, then it is an enemy unit.

So the data structure is the following:
[esi] = player ID, if it is 0, then the unit is Yours
[esi+04] = health
[esi+08] = max health


With this information, we can plan our script now. It should do the following:
Check if the unit is Your unit.
If it is Your unit, change the health to the maximum health.

The script will look like this:

fst dword ptr [esi+04] //original code which is changing health
pushad //save the registers
pushfd //save the flags
cmp [esi],0 //check if the player ID is equal to 0
jne +6 //if it is not 0, the program will skip the next 2 lines
mov eax,[esi+08] //copy the value of max health to eax
mov [esi+04],eax //copy eax to the health, so max health=health
popfd //load flags
popad //load registers


Well, that's it. A simple code which will make only Your units invincible, but the enemies will take damage normally. Notice that before I used cmp, I saved the flags, and before I changed the eax register's value, I saved the registers too. At the end of the code, I loaded back the original flags and registers, so I was able to use the flags and registers as I wanted in my code, without crashing the program.


Another good example: Unlimited money for the player only in C&C Generals.

It is pretty easy to find the code which is changing the money for the players in Generals, but if You wish to make a script that will give unlimited money to You only, here is a simple hint which works with most games.

When the game is working with the money, it is using different addresses to store Your money and the amount of money that is displayed on Your screen. This means that when You search for money, You will find 2 addresses.

1. The money that You actually have.
2. The amount that You see on the screen in the game.

The game checks Your money about 10 times a second and displays the correct amount on Your gameplay screen.

1. You have an address where Your money is stored.
2. A code is reading how much money You have on that address.
3. A script is copying the value of the money to the address where You can see the displayed amount of money.

Why is that important?
It is important because only the player's money is displayed on the screen, so the code which reads how much money You have in the 2nd step accesses Your money only. If You have the code which accesses Your money only, You can easily write a script to change Your money, but not the enemies'.

How to find that code?
It is simple. Find the address where Your money is stored, but after that, You need to choose "Find out what accesses this address". You will get the code which is reading from the address, not just the one which is writing to it.

The code which is reading the amount of Your money is:
mov ebx,[eax+38]

Now all You need to do is write a script which changes Your money when the program reads it:

mov ebx,[eax+38] //read Your money
mov [eax+38],000f423f //change Your money to 999999 (which is 000f423f in hex , and you could also use (float)999999 instead )


Now You have learned another method which will save You from the troubles ahead if You want to find a specific code.

Peace!
Geri

_________________
My trainers can be found here: http://www.szemelyesintegracio.hu/cheats

If you are interested in any of my crappy articles/tutorials about CE and game hacking, you can find them here:
http://www.szemelyesintegracio.hu/cheats/41-game-hacking-articles

Don't request cheats or updates.
AhMunRa
Grandmaster Cheater Supreme
Reputation: 27

Joined: 06 Aug 2010
Posts: 1117

Posted: Mon Aug 09, 2010 7:24 pm

Just so I'm clear on Step 8 it is pretty much repeating Step 6 over until you find the specific Ptr.
_________________
<Wiccaan> Bah that was supposed to say 'not saying its dead' lol. Fixing >.>
Geri
Moderator
Reputation: 111

Joined: 05 Feb 2010
Posts: 5636

Posted: Mon Aug 09, 2010 7:36 pm

Yes, exactly. That is why I was lazy to write down the same again. The built-in pointer scanner in CE is pretty cool, I think that most of the users are using the scanner instead of searching for pointers "manually".
AhMunRa
Grandmaster Cheater Supreme
Reputation: 27

Joined: 06 Aug 2010
Posts: 1117

Posted: Mon Aug 09, 2010 8:07 pm

I'd rather step through manually, it gives me a chance to see how the program is functioning. After I solve it manually, I'll play with the pointer scanner.

Thank you again for your help.
