Cheat Engine Tutorial Guide (x32) - Part 2


Post by TheyCallMeTim13 » Wed Apr 18, 2018 1:09 pm

https://wiki.cheatengine.org/index.php? ... _Guide_x32

Continued from: Cheat Engine Tutorial Guide (x32) - Part 1


Step 5
When you start step 5 you should see the form looking like this.
Image

So first find the value, then add it to the address list.
Go ahead and save the table and the password at this point, just in case the debugger isn't set up right.
If you need help setting up the debugger see: Debugger options
After you have the address in the address list, right click it and select find out what accesses this address.
Image

Cheat Engine will prompt you about attaching the debugger, just click the yes button.
Image

A debugger form will then open. Click the change value button, and some code should show up in the debugger form.
What we want is a write instruction, so we will be looking for something like one of the following:

Code:

mov [**],**
add [**],**
sub [**],**
*** [**],**
Select the line with the write instruction (you can click the show disassembler button to see the code in memory), then click the replace button.

Don't forget to click the stop button.
Image

The replace button will replace that line of code with NOPs.
Cheat Engine will prompt you for a name for the entry it will add in the advanced options list.
Enter a name and click the OK button.
Image

Now click the change value button back on the tutorial.
The next button should become enabled, then click the next button to advance to the next step.

When entries in the advanced options list are replaced, they will show up with red text.
Image

The advanced options list can be viewed by clicking the advanced options button in the status bar on the bottom left corner of the Cheat Engine main form.
To restore the original code for an entry in the list, right click the entry and select restore with original code.
Image

Note that the text is black after restoring.
Image


Step 6
When you start step 6 you should see the form looking like this.
Image

So first find the value, then add it to the address list.
After you have the address in the address list, right click it and select find out what accesses this address.
Image

Then click the change value button to have the process access the address.
When choosing the code to find the base address for the pointer, try to select an instruction that doesn't write to the same register as the base address.
Here we're interested in the value between the square brackets ('[' and ']'), so here we want the value of EDX.
Image

The offset here is 0; if the instruction had something like this:

Code:

mov [edx+12C],eax
then the offset would be '12C' (0x12C); note that this is in hex.
Now set the scanner to 4 bytes, exact value, check the hex check box, then enter the register value you found (the address between the brackets) as the value to scan for.
When ready click the first scan button.
Look in the found address list for addresses with green text; these are static addresses.
Image

Add one to the cheat table, then double click the address of the memory record that was added to the address list, copy the address, check the pointer check box, and paste the address in the pointer's base address field.
If you are unsure how to do this look here: How to add addresses to the address list
So my pointer will look like this.

Code:

["Tutorial-i386.exe"+XXXXXX]+0
It should be set up something like this; remember to set the offset to the offset you found.
Image

Click the OK button when the pointer is setup.
Now freeze the value at 5000 and click the change pointer button; the next button should become enabled.
If the next button doesn't become enabled, select another address from the found list (look for a green one whose value changed), set it up like the last one and see if it points to the right value; if so, change the value, freeze it, and click the change pointer button.
Click the next button to advance to the next step.


Step 7
When you start step 7 you should see the form looking like this.
Image

Here we'll follow the same procedure as step 5, but instead of clicking replace click the show disassembler button.
Image

This will open the disassembler view form at the instruction's address.
Image

With the instruction selected press Ctrl+A to open an auto assembler form.
In the auto assembler form menu select template then select full injection.
Image

This will generate some script to start you out.
Image

Now we need to add some code that will increase the value by 2, then remove the original code that decreases the value.
For increasing the value we can use INC or ADD.
So let's try something like this.

Code:

//...
newmem:
  add [ebx+478],2 // Here Cheat Engine will assume that the value size is 4 bytes (dword)


code:
  //sub dword ptr [ebx+00000478],01
  jmp return


address:
  jmp newmem
  nop
  nop
return:
//...
Now add the script to the cheat table.
If you are unsure how to do that look here: How to add script to table
Then enable the script and click the hit me button.
This should enable the next button, so click the next button to go to the next step.
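As an added illustration, not code from the post or from Cheat Engine, the Python below reads a debugger listing in the "address - bytes - instruction" format shown in step 8 and works out two things the GUI does for you: how many bytes the step 5 replace overwrites with NOPs, and how many nops must follow the 5-byte jmp newmem in a step 7 injection so that only whole instructions are overwritten (the two nops in the script above mean the sub instruction it replaced was 7 bytes long). The listing is a constructed sample copied from the step 8 output.

```python
# Constructed sample in the "address - bytes - instruction" format of the
# step 8 debugger output; the <<<<<< marker lines are left out.
LISTING = """\
00425EB2 - B8 A00F0000 - mov eax,00000FA0
00425EB7 - E8 3488FEFF - call Tutorial-i386.exe+XXXXXX
00425EBC - 89 46 18  - mov [esi+18],eax
00425EBF - 8D 55 D4  - lea edx,[ebp-2C]
00425EC2 - E8 493E0100 - call Tutorial-i386.exe+XXXXXX
"""
JMP_SIZE = 5  # 'jmp newmem' assembles to E9 + rel32 in 32-bit code

def parse_listing(text):
    """Return [(address, size in bytes, instruction)] for each listing line."""
    rows = []
    for line in text.splitlines():
        addr, raw, instr = (part.strip() for part in line.split(" - ", 2))
        # the bytes column groups opcode and operand bytes, so count hex digits
        rows.append((int(addr, 16), len(raw.replace(" ", "")) // 2, instr))
    return rows

def nop_count(rows, target):
    """Step 5: 'replace' overwrites just the selected instruction with NOPs."""
    for addr, size, _ in rows:
        if addr == target:
            return size
    raise ValueError("address not in listing")

def hook_plan(rows, target):
    """Step 7: the 5-byte jmp may only overwrite whole instructions, so keep
    taking instructions from target until at least 5 bytes are covered.
    Returns (instructions that move to the code: label, nops after the jmp).
    A moved relative call/jmp stays correct because the template keeps it as
    symbolic text and the assembler re-encodes it at its new location."""
    idx = [a for a, _, _ in rows].index(target)
    moved, covered = [], 0
    for _, size, instr in rows[idx:]:
        moved.append(instr)
        covered += size
        if covered >= JMP_SIZE:
            return moved, covered - JMP_SIZE
    raise ValueError("listing ends before the jmp is fully covered")
```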


Step 8
When you start step 8 you should see the form looking like this.
Image

So here we will follow the same steps as step 6, except we'll see what accesses the base address we find, and we'll keep repeating this until a static base is found.
So here is my first debugger output.

Code:

00425EB2 - B8 A00F0000 - mov eax,00000FA0
00425EB7 - E8 3488FEFF - call Tutorial-i386.exe+XXXXXX
00425EBC - 89 46 18  - mov [esi+18],eax  <<<<<<
00425EBF - 8D 55 D4  - lea edx,[ebp-2C]
00425EC2 - E8 493E0100 - call Tutorial-i386.exe+XXXXXX

EAX=00000441
EBX=01869F80
ECX=00000000
EDX=00000441
ESI=01829F68  <<<<<<
EDI=005DF300
ESP=0160F6E4
EBP=0160F71C
EIP=00425EBF
I did find a static base on the first scan of the base address, but I remember this being a false base. So here what we want is a base address in the form of 'process.exe+offset'; you can try one of the others that look like 'module.dll+offset', but I want to say that here they will prove to be false pointers. And yes, most newer games will have many false values and pointers.

And the debugger output from the address holding: 01829F68

Code:

00425E73 - E8 98270F00 - call Tutorial-i386.exe+XXXXXX
00425E78 - EB 5B - jmp Tutorial-i386.exe+XXXXXX
00425E7A - 83 3E 00 - cmp dword ptr [esi],00  <<<<<<
00425E7D - 74 56 - je Tutorial-i386.exe+XXXXXX
00425E7F - 8B 36  - mov esi,[esi]

EAX=000000CA
EBX=01869F80
ECX=7EFDD000
EDX=00006D0C
ESI=018332A0  <<<<<<
EDI=005DF300
ESP=0160F6E4
EBP=0160F71C
EIP=00425E7D
And the debugger output from the address holding: 018332A0

Code:

00425E31 - E8 DA270F00 - call Tutorial-i386.exe+XXXXXX
00425E36 - E9 9A000000 - jmp Tutorial-i386.exe+XXXXXX
00425E3B - 83 7E 14 00 - cmp dword ptr [esi+14],00  <<<<<<
00425E3F - 0F84 90000000 - je Tutorial-i386.exe+XXXXXX
00425E45 - 8B 76 14  - mov esi,[esi+14]

EAX=00006F01
EBX=01869F80
ECX=7EFDD000
EDX=0000AAB3
ESI=018BA4F8  <<<<<<
EDI=005DF300
ESP=0160F6E4
EBP=0160F71C
EIP=00425E3F
And the debugger output from the address holding: 018BA4F8

Code:

00425DF0 - E8 1B280F00 - call Tutorial-i386.exe+XXXXXX
00425DF5 - E9 DB000000 - jmp Tutorial-i386.exe+XXXXXX
00425DFA - 83 7E 0C 00 - cmp dword ptr [esi+0C],00  <<<<<<
00425DFE - 0F84 D1000000 - je Tutorial-i386.exe+XXXXXX
00425E04 - 8B 76 0C  - mov esi,[esi+0C]

EAX=00005FAA
EBX=01869F80
ECX=7EFDD000
EDX=00014D08
ESI=018CA6F0  <<<<<<
EDI=005DF300
ESP=0160F6E4
EBP=0160F71C
EIP=00425DFE
Now scan for that base ('018CA6F0') and you should find a static address; in real games you would keep going until a static base is found.
With that static address as the base my pointer will look like this.

Code:

[[[["Tutorial-i386.exe"+XXXXXX]+C]+14]+0]+18
Image

After you have found the pointer, freeze it at 5000, then click the change pointer button. If you found the right base the next button should become enabled after about 2 seconds. So click the next button to go to the next step.
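As an added illustration rather than anything from the post, the following Python reproduces what steps 6 and 8 do by hand on a constructed memory image: it pulls the base register value and offset out of each debugger output the way step 6 describes, nests the offsets into the pointer notation shown above, and then walks that chain. The module base, the static offset (standing in for the post's XXXXXX) and the memory contents are all constructed sample values.

```python
import re
# Constructed sample: instruction and ESI lines from the four step 8 outputs above.
DEBUGGER_OUTPUTS = [
    ("00425EBC - 89 46 18  - mov [esi+18],eax", "ESI=01829F68"),
    ("00425E7A - 83 3E 00 - cmp dword ptr [esi],00", "ESI=018332A0"),
    ("00425E3B - 83 7E 14 00 - cmp dword ptr [esi+14],00", "ESI=018BA4F8"),
    ("00425DFA - 83 7E 0C 00 - cmp dword ptr [esi+0C],00", "ESI=018CA6F0"),
]
MODULE_BASE = {"Tutorial-i386.exe": 0x00400000}  # constructed, not from the post
STATIC_OFFSET = 0x2B0F40  # constructed stand-in for the XXXXXX the post leaves out
# Constructed memory image (address -> dword) laid out as the outputs describe.
MEMORY = {
    MODULE_BASE["Tutorial-i386.exe"] + STATIC_OFFSET: 0x018CA6F0,
    0x018CA6F0 + 0x0C: 0x018BA4F8,
    0x018BA4F8 + 0x14: 0x018332A0,
    0x018332A0 + 0x00: 0x01829F68,
    0x01829F68 + 0x18: 0x00000FA0,  # the value itself, 4000 as in mov eax,00000FA0
}
MEM_OPERAND = re.compile(r"\[([a-z]{3})(?:\+([0-9A-Fa-f]+))?\]")

def base_and_offset(instr_line, reg_line):
    """(register value, offset) for the [reg+off] operand, as step 6 explains."""
    reg, off = MEM_OPERAND.search(instr_line).groups()
    name, value = reg_line.split("=")
    if name.lower() != reg:
        raise ValueError("register line does not match the operand register")
    return int(value, 16), int(off or "0", 16)

def build_pointer(outputs, module, static_offset):
    """Nest the offsets, last found outermost, into the [[[[..]+C]+14]+0]+18 form."""
    text = '"%s"+%X' % (module, static_offset)
    for off in reversed([base_and_offset(i, r)[1] for i, r in outputs]):
        text = "[%s]+%X" % (text, off)
    return text

def resolve_pointer(text, module_bases, memory):
    """Walk the chain; None if a level holds 0, the case the cmp/je above guards."""
    m = re.fullmatch(r'(\[*)"([^"]+)"\+([0-9A-Fa-f]+)((?:\]\+[0-9A-Fa-f]+)*)', text)
    opens, module, static, rest = m.groups()
    offsets = [int(o, 16) for o in re.findall(r"\]\+([0-9A-Fa-f]+)", rest)]
    if len(opens) != len(offsets):
        raise ValueError("unbalanced brackets in pointer")
    addr = module_bases[module] + int(static, 16)
    for off in offsets:
        ptr = memory.get(addr, 0)
        if ptr == 0:
            return None
        addr = ptr + off
    return addr, memory.get(addr)
```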


Continued: Cheat Engine Tutorial Guide (x32) - Part 3
Last edited by TheyCallMeTim13 on Tue May 01, 2018 12:51 am, edited 7 times in total.
