Cheat Engine

soulx` · Cheater Reputation: 0 Joined: 06 Jun 2006 Posts: 25

Well bit bored so i thought id mess about with code injection and decided to write this to help beginner's to gamehacking learn more about code injection..

I will be using Windows Minesweeper to show this on as this saves my PC alot of ram and almost everyone has this on there PC Wink

In this tut i will be showing you how you can use code injection to get a specified game to do what ever you want it to do when you want it to do it.
I will be using Tsearch , not because i do not like CE i think CE is one of best memory scanners out there , but because ive always used Tsearch, i suggest you work with the tool you know best.

Ok let's start..

I load up minesweeper and tsearch, if you use CE which you most likely do, load that up. (dont let me put you off because i use Tsearch, it is just what im use to using)
Start playing you will notice your time is going up by 1 each time.. lets get the address for this value.. Now your probably saying, u cant enter in the exact value because it changes before you can do that.. so what we will do is peform a "Range" search, set your range search to scan for the value 10-20 , when your time hits 10 , peform the search.

You will get several address's, now let your time increase a bit and do a search has increased, do this until your down to 1 address which is the timer address, you will know it's the correct one because it will be increasing by 1 every second. Ok now lets see what is happening at this address, so lets Auto Hack (tsearch) / Find out what writes to this address (cheat engine, correct me if im wrong on this) . Ok once you do that, you will see almost straight away the following:

1002FF5: inc dword ptr [0x100579c]

Bingo , this is increment , meaning this is increasing the value stored at 100579c by 1 every second. Now, we could simply NOP this to stop the timer so our time will not increase, but that would be no fun and wouldnt really help you much with learning code injection..
So im going to show you how to add 400 to the timer using code injection.

Ok, now find a code cave, i use 0x10bb0 for most games, and will be using this code cave for minesweeper, you can find your own if you like, now to make our code injection script to add 400.

I use t search which uses Easywrite for code injection, so load up what ever CE uses to write scripts for code injection.

Since i choose 0x10bb0 for my code cave, this is the first thing i set in my script, i do this by typing:

Offset 0x10bb0

Now that this is done the next line of code is what will be writing 400 to our address, so that the timer will show 400, we do this by adding the following line to our script:

mov dword ptr [0x100579c],0x190

Now this is what writes 400 to our address 100579c , now your probably asking yourself where i get the 190 from? well since i wanted to add 400 to that address, i had to convert that to HEX which = 00000190 , there is many converter's out there which can do this for you.

next what we do is jump to the next procedure, the address to the next procedure is 1002ffb i found this out by looking at the address below are event 1002FF5: inc dword ptr [0x100579c] , if you dont do this , minesweeper will most likely freeze or close. So lets add this to our script :

jmp 0x1002ffb <- jump to the next procedure

Next we want the game to read our funtion mov dword ptr [0x100579c],0x190 and not inc dword ptr [0x100579c] , so we declare the offset 1002ff5 ( as this is where the event inc dword ptr [0x100579c] is taking place ) , what this really does is brings us to that offset and waits for you to tell it something to replace it with, we do this by adding the following to the script:

offset 0x1002ff5 <-- using this location now we will...
jmp 0x10bb0 <-- jump to our code cave to use our own function

That's it complete! Now your whole script should look like this:

offset 0x10bb0 <- using our code cave
mov dword ptr [0x100579c],0x190 <- write 400 to the address 100579c
jmp 0x1002ffb <- jump to the next procedure
offset 0x1002ff5 <- using the original procedure
jmp 0x10bb0 <- jump to our code cave

Trainer Making Kit Poke codes for my script:

Poke 10BB0 C7 05 9C 57 00 01 90 01 00 00 E9
Poke 10BBB 3C 24 FF 00
Poke 1002FF5 E9 B6 DB 00 FF

I use a converter to convert my script into Poke codes, so i can make a trainer with my script.

Now to get this back to normal we can write the following script:

offset 0x1002ff5 <- original procedure
inc dword ptr [0x100579c]

Poke code for this script:

Poke 1002FF5 FF 05 9C 57 00 01

Thats all there is to it.. this will set the original procedure's event back to what it was to begin with.

I made a trainer out of the script in TMK, you can download here if you wish to see it in action.

http://rapidsharing.com/download.php?id=719D3E1A

Now this was only a demonstration, obviously adding 400 to your timer in minesweeper has a very bad effect, but in other games this method can be very helpfull to you, ie: you have 100 health, with this method you could change it to what ever you like , same with ammo, and lots of other things, im not saying this script will work with other games, as it will not but it will lead you in the right direction to start making your own code injection scripts for other games.

There is much much more things you can do with code injection , i hope this has helped some beginner's learn more about code injection, i recommend you try making your own scripts and practice on different games, practice makes perfect Smile

Enjoy

Dark Byte · Posted: Sat Jun 10, 2006 5:31 am Post subject:

Just one caution to add to this:
If you have a recent cpu (bought within the last year) and have sp2 and no modified bios settings or boot.ini, then codecaves like 0x10bb0 will not work since they arn't marked as executable and will cause a access violation when executed.

In ce you can use the fullaccess(10bb0) command to make it executable as well

also, for those that don't know how to use ce and the assembler, I have converted the script for tsearch to a ce assembler script

dEagle · Posted: Sun Jun 18, 2006 4:14 am Post subject:

Is it possible to Inject codes with Cheat Engine?
I don't know how to write scripts with Cheat engine
And also im not good at T-Search

chelvan · Newbie cheater Reputation: 0 Joined: 20 Jun 2006 Posts: 12

sorry, i am a complete noob .. can i ask . how u find the next process in ce ?

jmp 1002ffb
// where did u find that?? i can only do a ctrl g to find 100579c but if i know that already .. i don't need to search for it if i am making one

Dark Byte · Posted: Wed Jun 21, 2006 1:10 am Post subject:

find the timer and then find out what writes to that address

Xion9 · How do I cheat? Reputation: 0 Joined: 02 Jul 2006 Posts: 7

thx alot...what a got tut
pushhhhhhhh

ZeroTech · How do I cheat? Reputation: 0 Joined: 13 Jan 2008 Posts: 7

wow thanks man works fine for me.
tho it was a little confusing trying to find how to add the code cave using CE.
If anyone else is having that problem like i did.

just after u "Find Out What Writes To This Address"
Select "Show Disassembler"

Then Right Click the Address You Found and Pick the Last Option
"Create Jump and initialize Code-Cave"
Then input (If using The Guide) "010bb0" and "32" for space i think it was.

Then Select "Tools" Tab and Select "Auto Assembler"

add

alloc(mycave,32)
mycave:
mov dword ptr [100579c],190
jmp 1002ffb

1002ff5:
jmp mycave

and Press Execute.
Done.

Smile

1 question i do have concerning the guide.

im bad with the calc could someone post how to convert using the calc

i no its Scientific Calc. and Hex Box checked. but i dont understand how 400 = 190

thx.

again nice tut help alot

Slugsnack · Posted: Mon Jan 21, 2008 10:54 am Post subject:

Go to calculator, and scientific view, and make sure the decimal box is checked. Type in 400 and press the hex box and it should convert it to 190.

If you don't understand where it got that number from then remember decimal is base 10 and hexadecimal, base 16. So 190h = 1*16^2 + 9*16^1 + 0*16^0 = 256 + 144 + 0 = 400d.

Kapps · Posted: Sat Jan 26, 2008 12:46 am Post subject:

Easier to tick Hex in the value search thingy part of CE, put in the number, then untick Hex to convert from Hex to Decimal, or vice-versa.

tornarrow · Posted: Tue Jan 29, 2008 11:16 pm Post subject:

Nice. thanks

Dizzle342 · Posted: Thu Feb 28, 2008 3:25 am Post subject:

this helps thanks

SILENT_SUFFERER · Cheater Reputation: 0 Joined: 28 Mar 2012 Posts: 28

Viajante759 · How do I cheat? Reputation: 0 Joined: 24 Nov 2012 Posts: 4

Hello guys;

Im playin at the moment "War Commander", Its a app game from Facebook.

Ive already changed the easiest things using "Cheat Engine" and im trying for some days to "Scan" the timer from the buildings so I can do like a "Instant Building" turn 01d11h30m into 00d00h00m.

My problem is, I dont have the knowledge to do it, and It might be quite hard to Scan aswell.

Will w8 for some answers to see if I can get my answer ^^

Cya around Guys, Ty!

sullx · Cheater Reputation: 0 Joined: 03 Jan 2013 Posts: 37

Dark Byte · Posted: Wed Jan 09, 2013 5:31 am Post subject:

I know, and using that cave will cause crashes on XP sp2 and later, as that isn't a game allocated address, but a default windows allocated region, (The environment) which have been set to non executable

Also, writing memory to an existing memory cave will increase the chances for a CRC fail since you're changing bytes that the game knows the initial state of

Anyhow, the part that triggers the crc failure is the part where you're modifying the memory
In this example, writing the jmp instruction at 1002ff5 will trigger it, as 1002ff5 would certainly be checked

But this topic isn't about crc bypasses, I recommend looking up the stealthedit plugin for ce, or using the change register on breakpoint method and change eip to your code