[Tutorial] [Advanced] Using Ollydbg to Supplement CE

 
Author: Aecial (Cheater; Reputation: 2; Joined: 27 Jun 2012; Posts: 44)
Posted: Tue Jul 03, 2012 12:29 am

About:

**Can't post images yet, so I've given the imgur URL extensions instead.

This tutorial involves using Ollydbg to find additional methods of hacking a game that is otherwise too difficult to hack in any methodical fashion through CE alone. This is not noob friendly and assumes you already know many things about hacking games. It is geared towards advanced game hackers, so this guide does not spoon-feed step-by-step instructions containing every little detail. Most information that needs to be pulled from this guide is highlighted in red.

CE's debugger may be capable of doing everything mentioned in the guide on its own (not 100% sure if this is true), but Ollydbg's GUI is easier to handle and the two programs work in conjunction very nicely.

Prerequisites:

- Optional: The game BrickShooter Egypt to follow along
- CE
- Ollydbg - Take your pick of the version. Earlier versions (1.x) have better plugin support and later versions (2.x) I believe can do 64 bit but have limited plugin support (if any). I personally prefer 1.0.
- MUST be experienced in reading/modifying assembly and writing scripts in CE.
- A brain


Notes:

- Don't attach CE's debugger while Ollydbg has it open. This will either give CE an error or crash it, or crash the target game.

- Making edits in Ollydbg is fine for testing, but if you save the .exe the changes you make will be permanent. After finding addresses, it is recommended that you attach CE to the same process Ollydbg is running and add the addresses you wish to edit to the code list (find them in memory view first so you can get their module offsets, i.e. 'game.exe+0420F0' rather than 07D420F0).

- Multiplayer games usually do not like being opened in Ollydbg, and some games (especially ones that want to protect themselves from crackers) have anti-debugging features. Either abort this method if you can't find any strings when Ollydbg loads the game, or get really good at using Ollydbg.

Preface:

Many games, especially puzzle games, tend not to have 'values' that can easily be manipulated.

Let's say we had a game of tic-tac-toe on our computer.

Ideally, we get lucky when scanning memory and find that '0' represents a blank square, '1' could be 'O', and '2' could be 'X'. We easily write a hack that replaces 2s with 0s and go on our way.

Imgur URL: /hmiCj

OR we could get unlucky and have no values (not even complex ones or those of different data types) associated with any of these things. Then what? Most would give up at this point.

Intro:

That's where Ollydbg comes in! This method is not 100% effective, though it has a high success rate in my experience. Let's take the game BrickShooter Egypt, a game I have recently used this method on.

It's a simple puzzle game: lines of blocks sit on each side, and clicking one on the innermost band sends it to the center. If 3 blocks of the same colour touch, they are removed. The level is won when no blocks remain.

Imgur URL: /3S0kK

Information gathering:

How would you approach hacking this with CE? You could try to scan to see if you can make it require fewer blocks touching to clear them (1 or 2 rather than 3), or search for the total number of blocks and set that to 0 so it thinks the game is won.

However, you'll be disappointed to find that neither of these methods work. What is the best way to progress from here? You could try to blindly scan for values that have a very low chance of working, but we all know how that ends up. Instead, let's use Ollydbg to search for some strings! Look around menus for important strings that indicate winning, losing, out of time -- anything you can find.

Upon winning a round, we see this screen:

Imgur URL: /xhqtk

Take note of the "Level Complete" string. This is where it gets fun.

Code searching:

Fire up Ollydbg, open the .exe for your game.

After it is loaded up in Ollydbg, run it (play button up top). Right click anywhere and do 'Search for' > 'All referenced text strings'.


Imgur URL: /prqdn.jpg

A list will appear. Scroll to the very top, right click and 'Search for Text'.

Search for a string that will likely bring you to code near the functions that use it.

We try "Level Complete". No results.
We try "Level Complete" with ignore case. No results.
We try "LevelComplete", omitting the space and get results.

*Had no results been found, trying keywords such as "level", "win", "lose", etc. could have led us to a solution.

There are many interesting things to explore here. We will stay on the same path for simplicity.

Right click a string whose nearby code is worth exploring (in our case 'LevelComplete') and click 'Follow in disassembler'.

Finding a Point of Exploitation:

Great! Now this is where knowledge of ASM comes in use. If you don't know any or this is too hard for you, go back and learn before you attempt this.

Scroll up and put breakpoints on the preceding jumps until you've placed a considerable number. Your goal here is to back trace until you:
a) Find the compare or jump that tests for winning conditions
b) Find a compare or jump that is accessed by something else before the 'Level Complete' code, and modify the jumps to go to the win code instead.


Imgur URL: /HCCKh

For this tutorial, option b is significantly easier, so we will go with that. This may not always be the case.

Breakpoints have been set. If you immediately break without doing anything, option A is easier. If you don't immediately break, do different things such as opening menus, hitting buttons, losing, or winning and continue to work from there.

After setting ~10 breakpoints on every jump above our instruction, I found that the code we are viewing is accessed by many functions. When bringing up the 'esc' menu, we landed on a breakpoint.

Carefully stepping from jump to jump, I found that a certain instruction passes both 'WinPanel' and 'LevelComplete'.

Imgur URL: /kGs2A

Exploitation:

This part is mostly on you. I have omitted my changes from this guide because they will differ from the ones you make in your game. Apply your knowledge of memory editing, ASM, CE, and/or Lua to write a script that utilizes the information gathered in Ollydbg.

Open memory view and go to the addresses you want. From here you can get their offsets since Ollydbg won't do that (see note up top).

Once you have all the code you found in Ollydbg in Cheat Engine that you wish to modify, you can close Ollydbg and do the rest in CE now that you have a comfortable spot to work from.

Nop the jumps you don't want, and guarantee the ones that you do want. Working backwards from the information you gain from the string search can lead to a lot of possibilities; there's no way I can walk you through them all.
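As an added example (not code from the post or from Cheat Engine itself), the Python below shows the mechanics behind the note on offsets and the step above: converting an absolute Ollydbg address into the 'game.exe+0420F0' form CE wants, computing same-length bytes that either NOP a conditional jump or force it, and emitting a CE auto-assembler script whose [DISABLE] section restores the original bytes. The module base, the jump bytes and the helper names are assumptions.

```python
# Added example (not from the post or Cheat Engine itself): given an absolute
# address seen in Ollydbg, produce the module+offset form CE wants, compute the
# same-length bytes that NOP a conditional jump or force it, and emit a CE
# auto-assembler script whose [DISABLE] section restores the original bytes.
# Module base 0x07D00000 is an assumption chosen to reproduce the post's
# "07D420F0 -> game.exe+0420F0" example; the jump bytes below are constructed.

def module_offset(addr: int, module: str, base: int) -> str:
    """Return 'game.exe+0420F0' style notation for an absolute address."""
    if addr < base:
        raise ValueError("address lies below the module base")
    return f"{module}+{addr - base:06X}"


def force_jump(code: bytes) -> bytes:
    """Turn a conditional jump into an unconditional jmp of the same length."""
    if len(code) == 2 and 0x70 <= code[0] <= 0x7F:      # jcc rel8
        return bytes([0xEB, code[1]])                     # jmp rel8, same target
    if len(code) == 6 and code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:  # jcc rel32
        # nop + jmp rel32 ends on the same byte as the 6-byte jcc, so the
        # displacement stays valid without recomputing it.
        return b"\x90\xE9" + code[2:]
    raise ValueError("not an x86 conditional jump")


def nop_jump(code: bytes) -> bytes:
    """Overwrite a jump with NOPs so execution always falls through."""
    return b"\x90" * len(code)


def aa_script(location: str, original: bytes, patched: bytes) -> str:
    """Build a CE auto-assembler script that applies and reverts a byte patch."""
    def hexbytes(b: bytes) -> str:
        return " ".join(f"{x:02X}" for x in b)
    return (f"[ENABLE]\n{location}:\ndb {hexbytes(patched)}\n\n"
            f"[DISABLE]\n{location}:\ndb {hexbytes(original)}\n")


if __name__ == "__main__":
    # Constructed sample: a 'jne short +0x0C' found at 07D420F0 in game.exe.
    loc = module_offset(0x07D420F0, "game.exe", 0x07D00000)
    jne = bytes([0x75, 0x0C])
    print(aa_script(loc, jne, force_jump(jne)))   # always take the jump
    print(aa_script(loc, jne, nop_jump(jne)))     # never take the jump
```

Keeping the original bytes in [DISABLE] is what lets you toggle the edit off in CE instead of saving a permanently modified .exe from Ollydbg.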

Conclusion:

Through these methods I was able to find addresses in Ollydbg, go to them in CE and write scripts there. I figured out that hitting esc to bring up the Escape Menu landed on one of my break points, and I was able to modify a single jump to redirect the code and make me win the level instead. A cheat table has been attached showing these results.

You may find that when all else fails, this tends to be a very reliable method. I've written several hacks using this method where the normal method of scanning for values has proven too difficult or worthless.

Hopefully you have learned something new and are more capable of hacking games that seem difficult at times. If you have questions or suggested modifications to this guide please post them or PM me.

Author: Aecial

Attachment: BrickShooter Egypt.CT (1.96 KB, downloaded 2165 times)
