Cheat Engine Tutorial

Memory scanning, code injection, debugger internals and other gamemodding related discussion
Kalas
Expert Cheater
Posts: 156
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 11

Cheat Engine Tutorial

Post by Kalas » Fri Mar 03, 2017 10:37 pm

So I'm having an issue with this one. I'm at Step 9 of the Tutorial, and I know how to cmp shared instructions with Player and Enemy.

But for some reason there is no group difference in the Dissect Data:

So Dave+Eric and Hal+Kitt.

In the Dissect Data, Dave+Eric+Kitt have the same value of 4 but Hal has 3; there is nothing else that differs between the groups.

My code also includes an ohk which I'm not sure I've set up correctly, so could someone tell me if I wrote it right:

[ENABLE]
alloc(newmem,2048,"Tutorial-x86_64.exe"+2E0B7)
label(returnhere)
label(ohk)
label(originalcode)
label(exit)

newmem:
cmp [rbx+18],4 // Offset and Value is not right It's just for demonstration.
jne ohk // not our group, so check the other group
mov [rbx+08],(float)100
jmp exit // skip the original store so the 100 is not overwritten by xmm0

ohk:
cmp [rbx+18],3 // Offset and Value is not right It's just for demonstration.
jne originalcode
xorps xmm0,xmm0
movss [rbx+08],xmm0

originalcode:
movss [rbx+08],xmm0

exit:
jmp returnhere

"Tutorial-x86_64.exe"+2E0B7:
jmp newmem
returnhere:

[DISABLE]
dealloc(newmem)
"Tutorial-x86_64.exe"+2E0B7:
movss [rbx+08],xmm0
//Alt: db F3 0F 11 43 08
Could someone go over the Tutorial to Step 9 and see what I mean in the Dissect Data? And is there any other way of making the script work so Group 1 (me) won't die?




++METHOS
Administration
Posts: 194
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 23

Re: Cheat Engine Tutorial

Post by ++METHOS » Fri Mar 03, 2017 10:41 pm

The structure that CE creates is dynamic, based on various data, and is basically a best-guess result. If you notice, offset 4 isn't even showing up. Furthermore, the strings for each name are shown, and those can be used for your compare.

Kalas
Expert Cheater
Posts: 156
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 11

Re: Cheat Engine Tutorial

Post by Kalas » Fri Mar 03, 2017 10:42 pm

Could you explain what you mean? Is there any specific thing I should try?

EDIT: I'm going to try something.

Although, is my ohk right?
Last edited by Kalas on Fri Mar 03, 2017 10:44 pm, edited 1 time in total.

++METHOS
Administration
Posts: 194
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 23

Re: Cheat Engine Tutorial

Post by ++METHOS » Fri Mar 03, 2017 10:43 pm

You edited your post, so I edited mine. :D

Kalas
Expert Cheater
Posts: 156
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 11

Re: Cheat Engine Tutorial

Post by Kalas » Fri Mar 03, 2017 10:46 pm

If I wanted to make a standalone script for ohk, could I just do this:

[ENABLE]
alloc(newmem,2048,"Tutorial-x86_64.exe"+2E0B7)
label(returnhere)
label(originalcode)
label(exit)

newmem:
cmp [rbx+18],3
jne originalcode
xorps xmm0,xmm0
movss [rbx+08],xmm0

originalcode:
movss [rbx+08],xmm0

exit:
jmp returnhere

"Tutorial-x86_64.exe"+2E0B7:
jmp newmem
returnhere:

[DISABLE]
dealloc(newmem)
"Tutorial-x86_64.exe"+2E0B7:
movss [rbx+08],xmm0
//Alt: db F3 0F 11 43 08

Kalas
Expert Cheater
Posts: 156
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 11

Re: Cheat Engine Tutorial

Post by Kalas » Fri Mar 03, 2017 10:46 pm

++METHOS wrote (Fri Mar 03, 2017 10:41 pm):
The structure that CE creates is dynamic, based on various data, and is basically a best-guess result. If you notice, offset 4 isn't even showing up. Furthermore, the strings for each name are shown, and those can be used for your compare.

Could you post the code with the suggestion you made? How could I use strings with my script? I'm not familiar with this kind of stuff.

Kalas
Expert Cheater
Posts: 156
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 11

Re: Cheat Engine Tutorial

Post by Kalas » Fri Mar 03, 2017 10:51 pm

Looks like I was on the 64-bit version of the Tutorial for some reason. I relaunched it and skipped to the 9th step again, and this is my code:

[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem:
cmp [ebx+10],1 // Offset of 10 and Value of 1 - Value 1 is for Group 1 and Value 2 is Group 2
jne originalcode
fldz // skip only the store; the fldz that was part of the overwritten bytes still has to run
jmp exit

originalcode:
mov [ebx+04],eax
fldz

exit:
jmp returnhere

"Tutorial-i386.exe"+26537:
jmp newmem
returnhere:

[DISABLE]
dealloc(newmem)
"Tutorial-i386.exe"+26537:
mov [ebx+04],eax
fldz
//Alt: db 89 43 04 D9 EE
This is a script for ohk. Is that the right format, or did I miss something?

[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem:
cmp [ebx+10],2
jne originalcode
mov [ebx+04],(float)0
fldz // the overwritten bytes also contained fldz, so it must still execute on this path
jmp exit

originalcode:
mov [ebx+04],eax
fldz

exit:
jmp returnhere

"Tutorial-i386.exe"+26537:
jmp newmem
returnhere:

[DISABLE]
dealloc(newmem)
"Tutorial-i386.exe"+26537:
mov [ebx+04],eax
fldz
//Alt: db 89 43 04 D9 EE

++METHOS
Administration
Posts: 194
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 23

Re: Cheat Engine Tutorial

Post by ++METHOS » Fri Mar 03, 2017 10:57 pm

In this case, your instruction is this:

movss [rbx+08],xmm0

rbx = base address of structure, which is why you have -8 after all of your addresses (health value is stored at [rbx+08]).

The ID strings are stored at [base+19], or [rbx+19].

That being the case:
newmem:
cmp dword ptr [rbx+19],'Dave' //you can also compare against hex value
je dave
cmp dword ptr [rbx+19],'Eric'
je Eric
cmp dword ptr [rbx+19],'HAL'
je HAL
cmp dword ptr [rbx+19],'KITT'
je KITT
jmp originalcode
There are many ways to do this.
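As an added illustration (not code from this thread or from Cheat Engine), the constructed C model below shows what a compare like `cmp dword ptr [rbx+19],'Dave'` actually reads: the four bytes at [base+19] as one little-endian dword, so the immediate for a four-letter name is its characters packed first-letter-lowest, and a three-letter id such as 'HAL' also pulls the NUL terminator after it into the compare. The health offset 0x08 and the id offset 0x19 come from the post above; the record size, the padding, the group assignments and the per-group health values are assumptions for the demo, and the host is assumed little-endian like x86.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the tutorial's actor record as described in the thread:
 * health float at [base+08], id string at [base+19]. Only those two offsets come
 * from the post; the record size and padding are assumptions for this demo. */
#define HEALTH_OFFSET 0x08
#define ID_OFFSET     0x19
#define ACTOR_SIZE    0x40

enum group { GROUP_UNKNOWN = 0, GROUP_PLAYER = 1, GROUP_ENEMY = 2 };

/* Pack up to four ASCII characters into the little-endian dword an x86 assembler
 * emits for an immediate like 'Dave': first character in the lowest byte.
 * A shorter id is padded with NUL, matching the terminator that follows it in memory. */
static uint32_t id_dword(const char *s)
{
    uint32_t v = 0;
    for (int i = 0; i < 4 && s[i] != '\0'; i++)
        v |= (uint32_t)(unsigned char)s[i] << (8 * i);
    return v;
}

/* Read the dword at [base+19] exactly as `cmp dword ptr [rbx+19],imm32` would
 * (assumes a little-endian host, as x86 is). */
static uint32_t read_id_dword(const uint8_t *base)
{
    uint32_t v;
    memcpy(&v, base + ID_OFFSET, sizeof v);
    return v;
}

/* Group assignment (Dave/Eric vs HAL/KITT) is taken from the thread; the dispatch
 * mirrors the chain of cmp/je in the post. */
static enum group classify(const uint8_t *base)
{
    uint32_t id = read_id_dword(base);
    if (id == id_dword("Dave") || id == id_dword("Eric")) return GROUP_PLAYER;
    if (id == id_dword("HAL")  || id == id_dword("KITT")) return GROUP_ENEMY;
    return GROUP_UNKNOWN;
}

/* Model of the injected write hook: the original instruction stores xmm0 to
 * [rbx+08]; the hook substitutes a per-group value (assumed values) or passes
 * the incoming value through on the originalcode path. Returns what was stored. */
static float hooked_store(uint8_t *base, float incoming)
{
    float out;
    switch (classify(base)) {
    case GROUP_PLAYER: out = 100.0f;  break; /* mov [rbx+08],(float)100 */
    case GROUP_ENEMY:  out = 0.0f;    break; /* xorps xmm0,xmm0 ; movss [rbx+08],xmm0 */
    default:           out = incoming; break; /* originalcode: movss [rbx+08],xmm0 */
    }
    memcpy(base + HEALTH_OFFSET, &out, sizeof out);
    return out;
}

/* Build a constructed actor record with the given id and health. */
static void make_actor(uint8_t *buf, const char *id, float health)
{
    memset(buf, 0, ACTOR_SIZE);
    memcpy(buf + HEALTH_OFFSET, &health, sizeof health);
    strncpy((char *)buf + ID_OFFSET, id, ACTOR_SIZE - ID_OFFSET - 1);
}

static float read_health(const uint8_t *base)
{
    float h;
    memcpy(&h, base + HEALTH_OFFSET, sizeof h);
    return h;
}

int main(void)
{
    /* Constructed sample records; "Zed" is an id none of the compares match. */
    static const char *ids[] = { "Dave", "Eric", "HAL", "KITT", "Zed" };
    uint8_t actor[ACTOR_SIZE];

    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        make_actor(actor, ids[i], 50.0f);
        hooked_store(actor, 37.5f); /* 37.5 stands in for the value the game wanted to write */
        printf("%-4s id dword=0x%08X group=%d health after hook=%g\n",
               ids[i], read_id_dword(actor), (int)classify(actor), read_health(actor));
    }
    return 0;
}
```

Running it prints 0x65766144 for "Dave" and 0x004C4148 for "HAL", which is the point of the model: the dword compare is a plain 32-bit integer compare on whatever four bytes sit at the offset, so the constant has to be built from the same bytes, including the terminating NUL when the id is shorter than four characters.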

++METHOS
Administration
Posts: 194
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 23

Re: Cheat Engine Tutorial

Post by ++METHOS » Fri Mar 03, 2017 10:59 pm

One-hit kill scripts can be done many different ways, depending on how the code is being handled.

I have not looked at the CE tutorial in a long time, so I do not know how the data is being handled. If you are working from a write instruction, then you'll probably want to set your values to 0. If you are working from a read instruction, then you want to check if value is 1 or greater, if not, set to 1...if 1, jmp to originalcode.

Kalas
Expert Cheater
Posts: 156
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 11

Re: Cheat Engine Tutorial

Post by Kalas » Fri Mar 03, 2017 11:01 pm

Yeah, so I found that offset 10 + value 2 is the Enemy.

So I simply did mov [ebx+04],(float)0.

But first I went to newmem:

cmp [ebx+10],2
jne originalcode
mov [ebx+04],(float)0
fldz // the fldz from the overwritten bytes still has to run on this path
jmp exit

I just hope that it's the right way to do it even if I have another script above with Infinite Health. I just hope it won't conflict, you know; it's not just for the Tutorial, it's more for game hacking in general.

++METHOS
Administration
Posts: 194
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 23

Re: Cheat Engine Tutorial

Post by ++METHOS » Fri Mar 03, 2017 11:18 pm

I wrote a table for you as an example:
Attachment: Tutorial-i386.CT (254.41 KiB)

Kalas
Expert Cheater
Posts: 156
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 11

Re: Cheat Engine Tutorial

Post by Kalas » Fri Mar 03, 2017 11:21 pm

Oh, so simply keep writing 0 to eax, and eax writes back to [ebx+04].

Am I right? But yeah, I understand what you did there.

What's the dd for? Oh, I understand, never mind.

++METHOS
Administration
Posts: 194
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 23

Re: Cheat Engine Tutorial

Post by ++METHOS » Fri Mar 03, 2017 11:34 pm

As previously stated, scripts may vary, depending on how the data is being handled. For example, some games have a death sequence that must happen after or right before the health value becomes 0, and some games require weird values for certain events to actually happen.
newmem:
cmp [eax+04],(float)1.0
jge @f // health already 1.0 or more: leave it alone
mov [eax+04],(float)1.0
jmp originalcode

@@: // target of the jge @f above
originalcode:
//code here
In this case, assuming that you are injecting using a read instruction (or any instruction that is constantly accessing health values), instead of forcing the health to be nothing, you are setting it to almost nothing, allowing the originalcode to execute, in the case where a flag needs to be set in order for the death sequence to occur. Also, for some games, you may not want instant death (as that will cause all characters to die, even if you do not attack them), which will defeat the purpose of the one-hit kill cheat.
