How to beat the Cheat Engine tutorial

Section's for general approaches on hacking various options in games. No online-related discussions/posts OR warez!
Post Reply
User avatar
Posts: 1159
Joined: Thu Mar 02, 2017 7:48 pm
Reputation: 64

How to beat the Cheat Engine tutorial

Post by STN » Wed Apr 19, 2017 12:45 am

Recreating Geri's tutorials and articles before his site got wiped out. Wealth of information in it!

Hi, I am Geri and this should be an article about beating the Cheat Engine tutorial until some point and more importantly, not just to beat the tutorial but understand what are You doing when You do it instead of following simple instructions. Now I must admit this is not the best article but I don't plan to bother with it anymore so I put it here, even if it's crappy. It does not cover the last 2 steps in the tutorial.

If You need some more guidance, check out the Tutorial videos for Cheat Engine page and You will find videos about this tutorial. This will greatly help You but of course it is still recommended to read this article to know what's going on on the videos.

Changing a value in a program

The most basic method to change anything in the program is to modify a value in it. For example to search where is Your life stored in a game, and simply change the amount of lives You have. You are also able to freeze the value and prevent it from decreasing or increasing. Now download CE and install it.
In the installation directory, You will find the tutorial program, Tutorial.exe.

Step 1:
Start the tutorial exe file and CE too. Click on the "Open process" button in CE, and choose "Tutorial.exe" from the list. This will attach CE to the tutorial program and You can start hacking it. Click on the "Next" button in the Tutorial as instructed.

Step 2:
Now You can see a "game" in the tutorial. You have 100 Health and if You click on the "Hit me" button, Your health will decrease. In order to beat this challange, You need to find Your health and change it to 1000. Go to CE, type Your health's amount (which is 100 at the start) in the value box, then hit the first scan button. Now CE has filtered out every address which has a value of Your health but You have dozens of addresses and only one of them is the correct one. We will filter the results. Click on the "hit me" button in the tutorial and Your health will decrease. Now go back to CE, type in the new value of Your health and click on the "Next scan" button. Now You can see that only one value is in the list. Double click on it. Click on the value and change it to 1000. If You have done it right, You have 1000 health and the "Next" button is active in the tutorial. Click on it for the next challenge.

Step 3:
This challenge will be similar to the previous, but here You do not know the exact value of Your health, You can see a health bar only. So how do You search for a number if it is displayed as a graphic health bar? Click on new scan in CE. Choose "Unknown initial value" as Scan type and hit the first scan button. Then click on the "Hit me" button in the Tutorial and You will loose some health. You can also see how much health You have lost. Now if You check the Scan type menu in CE, You can see some choices. What happened with Your health's value? Increased, decreased, changed in any way or not have changed at all? Of course it has been decreased as we know now, so either choose "Decreased value" as a scan type, or choose "Decreased value by.." and type in the amount that You have lost from Your health. Keep searching until You find the address which may store Your health. If You got it, change it to 5000 and proceed to the next step of the tutorial.

Step 4:
You may have noticed that values may be stored in different forms in the memory. Now You need to change 2 values, one of them is float and the other is double. For detailed information about value types, click on Help in CE and read the Main Interface -> Value types part. Change the value type to float, and search for the first value just as You have done in Step 2. If You got it, change it to 5000, then do the same with the double type value.

DMA (Dynamic Memory Allocation) -

DMA will make Your life a bit more difficult if You plan to hack games, because it means that the address where Your health is stored will change. You will not really find any games which is not using DMA so get used to it. The programs are using the addresses as temporary storages only and if You start a new level, restart the game etc, everything will be on a different location. Of course You can search for the value again, and again and again, but this is not needed. Now we will start to climb towards the more advanced methods of game hacking and learn to beat DMA. If You need more information on DMA, You can find out more here.

Step 5:
First find the value as usual and add it to the list. Right-click the address in Cheat Engine and choose "Find out what writes to this address". A window will pop up with an empty list. Now click on the "Change value" button in the tutorial and go back to CE. You can see a code now, like this one: mov [eax],edx This is the assembler code which is writing to the address that we have found, for example the code that is changing Your health. Add this code to the code list. You can check Your code list by clicking on the Advanced options at the bottom of CE. Right-click on the code that You have found, and choose "Replace with code that does nothing". Now click on the "Change value" button in the tutorial and if You have done it right, Your health will not change at all. This is because You have "switched off" the assembler code which should change Your health.

This has covered the basics, now You know how to search for values and how to find a code which is changing that value. It is time to learn a bit about assembler codes because at the end, these codes will be the key to hack and modify games.

Step 6:
Now You will learn about pointers a bit. Pointers are addresses which contains the address of Your health as a value. Well not exactly, but almost. Lets check it out how. Search for the value and add it to the list. Find out what writes to the address like in step 5. If You have found the code, click on more information. You should see something like that:
mov [eax],edx

Now what is that? This is the code which is changing the health but how?
This is a very simple instruction. It means "copy the content of edx register
to [eax] address".
What is a register?
Registers are used by the assembler codes to store values, just as memory addresses, but registers can be used way much faster than memory addresses and there are only a few of them so their values are always changing. You can read more about registers in the CE help file, but this is enough at the moment.

Now check out the instruction again:

mov [eax],edx

mov means "copy" in assembly. It will copy the 2nd operand to the first.
In this case, edx contains the new value of health after You have been hit, which should be written to the health's address. eax contains the address of Your health.
[eax] means the value which is stored on the address, contained by eax.
If You put a register between [ and ] it means "the value which is stored on the
address, contained by the register".
So eax is the address of Your health, for example 0096EEE8.
[eax] is the value of Your health (for example 100 health), which is on the 0096EEE8 address.
In most cases, You will see more between the [ ] then just a register. For example You may see [eax+10]. This means that the program is referring to an address which is eax+10. In this case, eax+10 is 0096EEF8 .
I hope You got that part, because it will be extremely important in the future. I have written an article for total beginners about assembly, if You feel like You may need it, You can find it here:
Explaining assembly in a very simple way

Now back to the case. If You have clicked on more information, You can see the code that You have examined and the value of the registers. Make sure to remember what is between the [ ] and what is the value of the register. Now click on "Hex" left to the value box in CE, type in the value of the register and search for it. You have found the address of the pointer. Click on "Add address manually". Select pointer, and type in the address of the pointer that You have found. If You have done it right, You have added an address to the table which will "track" the location of Your health, wherever it is.

You need to know that pointers are very unreliable, the pointer's address may also change in some games so in most cases it is totally useless to work with them.

Step 7:
Code injection is the part where You will start to use advanced methods to modify the code itself instead of just changing values. Search for the value that we want to modify. Find out what writes to the address. Add it to the codelist, then right-click on it and choose "Open the disassembler at this location". You can see the assembler code in the browser now. Go to Tools-> Auto-assemble, or press CTRL+A. Now You see a small window where we will begin to tinker with the code. Click on Template->Cheat table framework code. Now You can see an Enable and a Disable section. Obviously, the code under enable section will be used when the cheat is enabled and the disable section is used when we disable it. Click on Template->Code injection. You can see a template for changing the assembler code now. It is important to know that every text behind // is not part of the code, it is just a comment. Any text that You put after // in a line will not be used by the program, You can use it to make notes for Yourself etc. Scroll down a bit until You see this section:

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

dec [ebx+00000310]

In this part, the original code may be different for You, it has to be the code that is writing to Your health. Our task is to modify the code from "decrease one life" to "increase with 2 lives". In order to do so, lets check out some basic assembler instructions.

"dec" will decrease the value with 1

"inc" will increase the value with 1

"sub" will subtract the second operand from the first,
e.g. sub [ebx+00000310],4 would mean "decrease the value on ebx+0310 with 4".

"add" will add the second operand from the first,
e.g. add [ebx+00000310],4 would mean "increase the value on ebx+0310 with 4".

"mov" will copy the second operand to the first,
e.g. mov [ebx+00000310],4 would mean "change the value on ebx+0310 to 4".

What do we need to change in the code in order to accomplish our task?

It should look like this:

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
add [ebx+00000310],2

//dec [ebx+00000310]

First we have added our own code to increase the health with 2 and we have also put a // before the original code, so we have "switched it off".

Click on File->Assign to current cheat table. In the cheat table, You can see an "Auto assemble cheat". Right-click on it and You will see a menu, where You are able to enable and disable Your cheat and also change the script that You have made if You wish. By double clicking on the "Auto assemble cheat" text, You are able to rename Your script, like "God Mode" or "Invincibility" whatever. Enable Your cheat and lets see how it works. Click on the "Hit me" button in the tutorial and if You got it right, Your health will increase by 2 instead of decreasing.

Step 8 includes multi-level pointers which is not a big deal if You know about pointers already, especially if You use the pointer scanner in CE. Step 9 is more difficult, You need to know how to program in C if You wish to accomplish it.

That is all for now. If You want to learn about assembly instructions and see some examples on how to use them in real games, read this article:
Basic assembly instructions (opcodes) and examples


Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest