Cheat Engine

balrog_svr · How do I cheat? Reputation: 0 Joined: 13 Sep 2011 Posts: 2

Cheat Engine 6.2 Tutorial Step 9 actions:

1. Found the address for health of Player 1, Player 2, Player 3, Player 4 via scanning for the float value

Player 1 00098FAC
Player 2 01B3007C
Player 3 01B70084
Player 4 01B88424

2. Using "Find what writes to this address" option on the Player 1 I found out the memory address of the Player 1:

>>004250C6 - mov [ebx+04], eax -----where EBX=00098FA8

the offset 04 provides the location of the health of the player in question.

3. Now, i created and defined new structure to get the offset for the Group to which players were assigned:

a. Browse this memory region (CRTL+B) from Player 1
b. Dissect data/structure (CTRL+D) from Tools menu
c. Adding 4 Extra Addresses (for all players) with the offsets found in step 2:

00098FAC-04
01B3007C-04
01B70084-04
01B88424-04

d. I found that offset 10 contains the group ID# to which players are assigned

Player 1 & Player 2 ====> Group ID#1
Player 3 & Player 4 ====> Group ID#2

4. Now, i find out what accesses this address for Player 1 when he is hit. The following is the result:

0042507E - D9 43 04 - fld dword ptr [ebx+04]
0042509D - D8 6B 04 - fsubr dword ptr [ebx+04]
004250C6 - 89 43 04 - mov [ebx+04],eax
004250CB - D9 43 04 - fld dword ptr [ebx+04]
00425107 - FF 73 04 - push [ebx+04]

Looking at the first access in disassembler i get this:

1. Tutorial-i386.exe+25076 - 0F85 CD000000 - jne Tutorial-i386.exe+25149
2. Tutorial-i386.exe+2507C - D9EE - fldz
3. Tutorial-i386.exe+2507E - D9 43 04 - fld dword ptr [ebx+04]
4. Tutorial-i386.exe+25081 - DED9 - fcompp
5. Tutorial-i386.exe+25083 - DFE0 - fnstsw ax
6. Tutorial-i386.exe+25085 - 9E - sahf
7. Tutorial-i386.exe+25086 - 75 0F - jne Tutorial-i386.exe+25097
8. Tutorial-i386.exe+25088 - A1 74145500 - mov eax,[Tutorial-i386.exe+151474]
9. Tutorial-i386.exe+2508D - E8 5E940E00 - call Tutorial-i386.exe+10E4F0
10. Tutorial-i386.exe+25092 - E9 B2000000 - jmp Tutorial-i386.exe+25149
11. Tutorial-i386.exe+25097 - 89 75 CC - mov [ebp-34],esi
12. Tutorial-i386.exe+2509A - DB 45 CC - fild dword ptr [ebp-34]
13. Tutorial-i386.exe+2509D - D8 6B 04 - fsubr dword ptr [ebx+04]
14. Tutorial-i386.exe+250A0 - D9 5D D0 - fstp dword ptr [ebp-30]
15. Tutorial-i386.exe+250A3 - D9EE - fldz
16. Tutorial-i386.exe+250A5 - D9 5D CC - fstp dword ptr [ebp-34]
17. Tutorial-i386.exe+250A8 - D9 45 D0 - fld dword ptr [ebp-30]
18. Tutorial-i386.exe+250AB - D9 45 CC - fld dword ptr [ebp-34]
19. Tutorial-i386.exe+250AE - DED9 - fcompp
20. Tutorial-i386.exe+250B0 - DFE0 - fnstsw ax
21. Tutorial-i386.exe+250B2 - 9E - sahf

Looking at the disassembler, as a novice, my intuition tells me that what i need is located on the line #13 with float subtraction
(fsubr dword ptr [ebx+04]) and storing of the result (fstp dword ptr [ebp-30]).

what does fsubr dword ptr [ebx+04] really mean?
This is what it would look like if we would write it in a regular C math expression:

ST(0) = EAX-ST(0); // subtract ST(0) from the REAL4 value pointed to by EAX and store the result in ST(0)

5. Using line 13 for Auto Assemble with code injection at: "Tutorial-i386.exe"+2509D:

alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(friendly)

newmem:
cmp [ebx+10], 1 //i am checking if the player who is hit belongs to group 1
je friendly //if the player is from group 1 i will jump to the special code for friendly players
jmp originalcode

originalcode: //this code is kept so the enemies are getting hit
fsubr dword ptr [ebx+04]
fstp dword ptr [ebp-30]
jmp returnhere

friendly: //this will allow to increase friendly unit health in the amount of a hit they should take
fadd dword ptr [ebx+04] //add the REAL4 value pointed to by EAX to ST(0)
fstp dword ptr [ebp-30] //stored the result of the ST(0) computation in the address specified by [ebp-30] and pops st(0)
jmp returnhere

"Tutorial-i386.exe"+2509D:
jmp newmem
nop
returnhere:

6. Now when i hit friendly i get the health of Player 1 and Player 2 to increase, but Player 3 and Player 4 will get their health reduced if hit.
Now click on auto play and you are a winner.

Please note I have never studied or used assembler. I googled for the references of assembly commands to figure out what to do. If you have any questions please let me know.

Xylem · How do I cheat? Reputation: 0 Joined: 04 Dec 2011 Posts: 1

this works for me, thanks brother, learnt heaps

chinccw · How do I cheat? Reputation: 0 Joined: 03 Mar 2013 Posts: 1

there is some part where i dont really understand. anyway your code is working so i can slowly try to figure out . thx alot Very Happy

Nemexia55 · Posted: Mon Feb 17, 2014 9:36 am Post subject: so hard!

so hard!

phadeb · Cheater Reputation: 0 Joined: 25 Jun 2007 Posts: 35

It crashed with this :

Nemexia55 · Posted: Mon Mar 17, 2014 4:42 am Post subject:

Finally I could do it!!!

JohnDude · Newbie cheater Reputation: 0 Joined: 30 Aug 2013 Posts: 20

for 6.3 version
"Find what writes to this address" is enough to do it.

ebx = player's address
10 - health offset
ebx + 10 gives player's hp
2 - team offset

Nemexia55 · Posted: Wed Dec 10, 2014 4:57 pm Post subject:

LOL i think this is the easiest code for this level!!
EXPERTS, please let me know if there is any problem in my coding because i'm not professional in Assembly but want to become professional Smile

Nemexia55 · Posted: Wed Dec 24, 2014 4:08 pm Post subject:

i have made this please check it and let me know if my scripts are wrong Smile