Cheat Engine The Official Site of Cheat Engine

JackSparrow2684 How do I cheat? Reputation: 0
Joined: 25 May 2016 Posts: 6
Posted: Wed May 25, 2016 5:51 am Post subject: Help for NewBeginner
Hi all, I'm a new beginner with Cheat Engine. I downloaded version 6.5.1, did the tutorial and then thought I'd try what I learned.
So I downloaded 3D Pinball version 6.1 build 7601, and started to use CE.
Windows 7 SP1
1. First I tried to do as in tutorial step 2. When I scan, I find only one address with the right value, but if I try to change it, nothing happens; if I continue playing, I earn score from the value that I had before using CE.
2. So I thought maybe it's a pointer, so I did as in step 6 to find the pointer, but when I do a hex scan for "the value of the pointer needed to find this address is probably xxxx" it doesn't find anything.....
3. So I used the browser and found some tutorial for the pointer scanner, did a first pointer scan with "scan for address", and found 800m addresses, then turned the game off/on, did a new simple scan, again found only one address, copied the address, pasted it in "rescan memory...." in "address to find", but after repeating it 4 times it still stays at 600m. It looks like I'm doing something wrong.
If anyone has time to lose with a new beginner, can you explain to me what I'm doing wrong?
P.S. It looks like I'm the only one who can't hack pinball ahahahahah

Cake-san Grandmaster Cheater Reputation: 8
Joined: 18 Dec 2014 Posts: 541 Location: Semenanjung
Posted: Wed May 25, 2016 11:40 am Post subject:
You need some basic knowledge of backtracing and assembly if you want to find the real variables in this game, because simple scanning for variables in this game will net you only the display address.
Guide:
Let's say you want to find the "real" address for the score.
You start your scan and narrow the results until you get an address.
You try to change the value at that address but it reverts to its original state. Then that address is a display variable.
This is where backtracing takes place. Find out what writes to/accesses that address, then do something that will change the value at the address.
Some instructions should populate the write/accesses window.
One of the instructions might look like this:
01013C93 - 74 0C - je PINBALL.EXE+13CA1
01013C95 - 8B 4D 0C - mov ecx,[ebp+0C]
01013C98 - 89 08 - mov [eax],ecx << this is the instruction that writes to the address
01013C9A - C7 40 04 01000000 - mov [eax+04],00000001
01013CA1 - 5D - pop ebp
EAX=03CF661C
EBX=03DB7158
ECX=0003F5AC
EDX=0003F5AC
ESI=000001F4
EDI=000001F4
ESP=000CFC60
EBP=000CFC60
EIP=01013C9A
As you can see, EAX is the display address and ECX is the value that is being copied from the real address (you should see that EDX has the same value as ECX).
When you open the disassembler at that location you might see this:
Code: |
PINBALL.EXE+13C89 - 8B FF - mov edi,edi
PINBALL.EXE+13C8B - 55 - push ebp
PINBALL.EXE+13C8C - 8B EC - mov ebp,esp
PINBALL.EXE+13C8E - 8B 45 08 - mov eax,[ebp+08]
PINBALL.EXE+13C91 - 85 C0 - test eax,eax
PINBALL.EXE+13C93 - 74 0C - je PINBALL.EXE+13CA1
PINBALL.EXE+13C95 - 8B 4D 0C - mov ecx,[ebp+0C]
PINBALL.EXE+13C98 - 89 08 - mov [eax],ecx
PINBALL.EXE+13C9A - C7 40 04 01000000 - mov [eax+04],00000001 { 1 }
PINBALL.EXE+13CA1 - 5D - pop ebp
PINBALL.EXE+13CA2 - C2 0800 - ret 0008 { 8 }
|
There's not much we can do here because ECX's value comes from the stack (ebp+0C). Oh well, just right-click the mov edi,edi instruction and click Break and trace the instruction. Set the maximal trace count (I just leave it at the default value) and click OK (before that, you can check step over instead of single step, but for this game and breakpoint location you don't have to). In some games you have to set a condition because the instruction accesses more than one address (shared code), but for this game, as always, you don't have to. When the breakpoint has been set, go to your game and do something that will populate the tracer window. When the breakpoint has been hit, you should see more instructions. Right-click and expand all. Go to the topmost instruction and double-click the instruction below the ret 0008 instruction, e.g. pop edi.
Some of the instructions:
Code: |
PINBALL.EXE+17569 - 8B 34 85 58470201 - mov esi,[eax*4+PINBALL.EXE+24758]
PINBALL.EXE+17570 - 0FAF F7 - imul esi,edi
PINBALL.EXE+17573 - 03 B1 2A010000 - add esi,[ecx+0000012A]
PINBALL.EXE+17579 - 8D 41 52 - lea eax,[ecx+52]
PINBALL.EXE+1757C - 01 30 - add [eax],esi
PINBALL.EXE+1757E - 8B 10 - mov edx,[eax] <- this is where EDX comes from.
PINBALL.EXE+17580 - 81 FA 00CA9A3B - cmp edx,3B9ACA00 { 0.00 } <- compares the EDX value with 1000000000 in decimal
PINBALL.EXE+17586 - 7E 0B - jle PINBALL.EXE+17593 <- if less than that value, jump to PINBALL.EXE+17593, skipping some instructions.
PINBALL.EXE+17588 - 81 C2 003665C4 - add edx,C4653600 { -916.84 }
PINBALL.EXE+1758E - FF 41 56 - inc [ecx+56]
PINBALL.EXE+17591 - 89 10 - mov [eax],edx
PINBALL.EXE+17593 - FF 30 - push [eax] <- the jle jump here
PINBALL.EXE+17595 - FF 71 32 - push [ecx+32]
PINBALL.EXE+17598 - E8 ECC6FFFF - call PINBALL.EXE+13C89 <- the call leads to the previous instructions
PINBALL.EXE+1759D - 5F - pop edi
|
I did mention that ECX and EDX in the previous instructions had the same value, and there you go: you can see the instruction mov edx,[eax], and two lines above it is lea eax,[ecx+52]. If you go deeper using the info in the tracer window you should see these instructions:
Code: |
PINBALL.EXE+CED6 - 8B 0D 40500201 - mov ecx,[PINBALL.EXE+25040] { [03DB2F28] } <- base address for the score
PINBALL.EXE+CEDC - 50 - push eax
PINBALL.EXE+CEDD - E8 44A60000 - call PINBALL.EXE+17526 <- this call leads to slightly above the 2nd previous set of instructions.
|
So, in conclusion, the pointer for the real score address is [PINBALL.EXE+25040]+52
I'm sorry for the poor language and explanation.
Regards.

JackSparrow2684 How do I cheat? Reputation: 0
Joined: 25 May 2016 Posts: 6
Posted: Wed May 25, 2016 2:55 pm Post subject:
Thanks a lot, now it works.
I understand that my "long walk to freedom" is only at the beginning.
P.S. And now it's time for me to go learn backtracing and assembly.

Cake-san Grandmaster Cheater Reputation: 8
Joined: 18 Dec 2014 Posts: 541 Location: Semenanjung

JackSparrow2684 How do I cheat? Reputation: 0
Joined: 25 May 2016 Posts: 6
Posted: Wed May 25, 2016 4:35 pm Post subject:
Cake-san wrote: | unchecking Fast Scan option before scanning |
ahahaha yeah, this way is easier; however, showing me backtracing was a good idea, because I'm pretty sure a simple scan will not work for most games

++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Thu May 26, 2016 2:03 am Post subject:
Also, you can change your scan settings so that byte and two bytes are included in the 'all type' category, that way you don't have to mess with it again.

JackSparrow2684 How do I cheat? Reputation: 0
Joined: 25 May 2016 Posts: 6
Posted: Thu May 26, 2016 3:30 am Post subject:
For pinball it didn't work; only if I uncheck Fast Scan can I find the right address with a simple scan on my PC, but with Fallout 4 it was useful to scan with all value types, thx.
P.S. And yes, I know that in Fallout 4 most things can be done with console commands, but this way I feel like a hacker ahahahahah

++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Thu May 26, 2016 3:54 am Post subject:
It works for pinball. You have to go to your settings and add those types to your 'all type' category first.

JackSparrow2684 How do I cheat? Reputation: 0
Joined: 25 May 2016 Posts: 6
Posted: Thu May 26, 2016 4:28 am Post subject:
Omg, you are right, now it works too, but I have another issue: the address that I find works, but I'm not able to add something like 100kk. If I put in that value, it sets the score higher than the old one, but not to 100kk, so I can only add a slightly higher score than the old one; whereas with the Fast Scan option unchecked I find an address where I can add 100kk score. Why does this happen?

++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Thu May 26, 2016 4:34 am Post subject:
Because you're probably trying to edit a 1 byte or 2 byte value. Just change it to 4 byte or 8 byte.

JackSparrow2684 How do I cheat? Reputation: 0
Joined: 25 May 2016 Posts: 6
Posted: Thu May 26, 2016 5:29 am Post subject:
Yes, that was the problem, now it works. So many ways to do the same thing, so I think it is possible to hack everything with CE, you just have to find the right way, right?
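
An added example, not part of the original thread: a C model of the two routines in Cake-san's listings, plus an alignment-restricted scan and a 2-byte write. It shows why the display copy reverts, why a 4-byte scan that tests only 4-byte-aligned addresses misses a score stored at +52, and why editing the score as a 2-byte value cannot reach 100kk. Assumptions: the field names, the `mult`/`points` parameters, the object size and the aligned-only behaviour of Fast Scan are mine; the offsets and constants come from the listings.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets are from the listings in the thread; field names are inferred. */
enum { OFF_SCORE = 0x52, OFF_WRAPS = 0x56, OFF_BONUS = 0x12A, OBJ_SIZE = 0x130 };
#define SCORE_LIMIT 1000000000 /* 0x3B9ACA00 */
typedef struct { int32_t value, dirty; } display_t; /* [eax], [eax+04] */

static int32_t rd32(const uint8_t *p) { int32_t v; memcpy(&v, p, 4); return v; }
static void wr32(uint8_t *p, int32_t v) { memcpy(p, &v, 4); }

/* PINBALL.EXE+13C89: refresh the display copy and set the flag at +04. */
void set_display(display_t *d, int32_t value) {
    if (d) { d->value = value; d->dirty = 1; }   /* test eax,eax / je */
}

/* PINBALL.EXE+17569..17598: the real score lives in the object at +52.
   The original reads the display pointer from [ecx+32]; here it is passed in. */
int32_t add_score(uint8_t *obj, display_t *d, int32_t mult, int32_t points) {
    int32_t s = rd32(obj + OFF_SCORE) + mult * points + rd32(obj + OFF_BONUS);
    if (s > SCORE_LIMIT) {                                /* cmp / jle */
        s -= SCORE_LIMIT;                                 /* add edx,C4653600 */
        wr32(obj + OFF_WRAPS, rd32(obj + OFF_WRAPS) + 1); /* inc [ecx+56] */
    }
    wr32(obj + OFF_SCORE, s);
    set_display(d, s);
    return s;
}

/* 4-byte exact-value scan testing only offsets that are multiples of `align`. */
long scan32(const uint8_t *buf, size_t len, int32_t needle, size_t align) {
    for (size_t off = 0; off + 4 <= len; off += align)
        if (rd32(buf + off) == needle) return (long)off;
    return -1;
}

/* A 2-byte write replaces only the low 16 bits (little-endian host assumed). */
void poke16(uint8_t *p, int64_t v) { uint16_t w = (uint16_t)v; memcpy(p, &w, 2); }

int main(void) {
    uint8_t obj[OBJ_SIZE] = {0};  /* constructed object, all zero */
    display_t d = {0, 0};
    add_score(obj, &d, 1, 25000);
    d.value = 999999;             /* edit the display copy only */
    printf("display after next hit: %d\n", add_score(obj, &d, 1, 500));
    printf("align 4: %ld, align 2: %ld\n", scan32(obj, OBJ_SIZE, 25500, 4),
           scan32(obj, OBJ_SIZE, 25500, 2));
    return 0;
}
```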

LetMeKnow How do I cheat? Reputation: 0
Joined: 10 Dec 2016 Posts: 0 Location: Internet
Posted: Sun Dec 18, 2016 7:18 pm Post subject: Pinball Address, Value + Score HELP!
++METHOS wrote: | It works for pinball. You have to go to your settings and add those types to your 'all type' category first. |
Hi
Could you guide me on how to alter the score in Pinball? The game I play is a flash game but I have no idea how to find the address/right value with this pinball game. I play first, automatically the score is 100000, if it hits it goes by 25000, some zones in pinball are worth more. This is the tricky part. I also can't seem to create infinite balls in the standard 5 ball pinball game. Any help will do. I've asked and I get 0 answers. In CE these values turn red. I know I'm doing something wrong but I don't know where to start. There's no explanation in videos or tutorials. Is it a pointer thing? If so, what can I do to change the settings? Do I have to change 4 byte?
I will rep you if you can help in any way.