Cheat Engine

[Mclane]

Just joined the forum and thought I'd say a hello to everyone on here. Been a long time cheater but more on the older machines like the C64, Atari 8bits, Snes and Amiga's.

Shame we didn't have software like this back there then...

Righty, I'm a bit rusty and have ran into a problem with a certain game. The game is a remake of an old Amiga Classic, was called Deluxe Galaga at that point but changed to Warblade on the PC to avoid Arcade copyright.

A search for warblade will show it...

I'm having trouble finding the number of lives, have hacked all other things like score, money etc but the lives are getting to me. I've tried a few different things but when I tried an unknown value check I sat there for an hour plus and the electricity cut off thanks to a circuit breaker.

Any how, would anyone be willing to give it a try and explain what and how you did to find it. I've tried standard values, adding one so it counts to 0 for a bne to jump in but I'm a tad lost and an explanation of the method used would be fantastic.

Also, could someone point me to an explanation of 'doubles', looked on the site but did not see anything. I'm fine with floats etc but never heard of a double.

Thanks..

[OSIRIS]

There is a tutorial that comes with CE. It will teach you stuff like this.

[Mclane]

[OSIRIS]

I suck a this stuff but this is what I think you would do.

Do a 4byte scan for the value of your health.
Lose some health (An enemy damages you)
Then scan again for the new value of your health.

Repeat until you have one value left.
Then you can change to something.

[Mclane]

I suppose what I'm trying to do is learn technique ala short cuts via experience rather than purely 'how do I cheat' which I'm not too bad but rusty.

I'm from the days of eor'ing screen ram etc, there wasn't much anti cheat protection in those days except checks for alternate hacking O/S roms etc.

[mark_the_hacker]

Or try doing the *8 method which the value you have you times it by 8 and scan, then the next value *8 again until you get the right one.

[random5566]

Finding the address was pretty straightforward. Just use 4 byte unknown initial value scan, then scan for a value decreased or increased, depending on whether your lives decreased or increased. I narrowed it down to about 4 addresses, all of them green, meaning static. Added those addresses to the table, right clicked one of the addresses 008468a8, and choosed find out what writes to that address, loss a life, and the debug window shows the address of the instruction/opcode involved in decreasing the life :
005ec7a3 - 89 90 a8 68 84 00 - mov [eax+008468a8],edx

Make an AA script that nops the instruction :

[Labyrnth]

[Mclane]

[random5566]

Double jumping? You mean tapping twice on the jump key to make the player/character jump once from the ground then once more while in mid-air?

Normally, it has all to do with the player's state.
State 0 - player is on the ground
State 1 - player has jumped once and is now in the air
State 2 - player has jumped twice

To hack infinite jumps, you would then have to find the specific address that stores the state of the character. Bear in mind, that the initial state, 0, does not have to be 0. It could be any number, so first do an initial scan with an unknown value. In the game, press the jump key, player jumps, pause game, go back to CE, scan for an increased value, back to the game, unpause, let the player fall back to the ground, go back to CE, scan for a decreased value, repeat this process over and over until you narrow the addresses to about 10.

Manually freeze each address and test it out in the game, and through trial and error you should find the address that stores the state. Assuming the initial state is 0 when the player is on the ground, and 1 when the player has jumped once and is in mid-air. Set the value of that address to either 0 or 1 and freeze it and you should have infinite jumps.

If the address you've found isn't green in color, it means it is not a static address and will change once you restart the level/game. To find the base address, follow Stefon's advice and go through steps 1 to 9 of the "Tutorial.exe" found in your CE programs folder.

If you really can't find the base address, you could also right click that address and find out what writes to that address. Find the opcode that increases the state of the address, nop it, or modify it so that the base address always has the value 0 and you should have infinite jumps.

Of course, this method is not foolproof. There are a hundred ways to code Tetris, and similarly there are probably a hundred ways you could code a platformer where the player jumps. Suppose instead of player states, the programmer instead checks for height offsets to determine the state the player is currently at i.e., the height of the player when he was on the ground, and the (maximum height of the player) while he is in mid-air or on the second jump. You would have to find another way to hack infinite jumps.

I'm new to cheating and Cheat Engine, so there may be a better approach to this. Funny now that you mention it, the 'sample and see what changes' method is a technique employed by noobs and veterans alike (especially me) . Looking at opcodes and values (especially structures) is something the pros do almost exclusively, using breakpoints and tracing (something I hope to be able to do well enough some day) .

[Psy]

^ Its a good enough start random, thats for sure. And that explanation will defo help out newbies. Good job, keep it up! This sort of approach works on a load of MMORPG clients. Take for example perfect world. You can normally just double-jump, however, if you freeze the value at '1', the game thinks you have just performed the one, and you can keep going.

That would be a more common way of it getting stored as opposed to a compare on the actual height. You have to bear in mind that the Z-axis in many games is wuite variable, ie. you could run up a hill or reach a new level which may be situated higher or lower than where you were, which would make a height compare inefficient

Failing that, take player co-ords and look within the structure. The player jump modifer is most times in there. Its not difficult, its just a matter of bytes away.

~Psy

[Mclane]

Thanks for all the help, it's very appreciated!

[random5566]