breadbin (How do I cheat?)
Posted: Mon Apr 23, 2012 12:55 pm. Post subject: dosgame - find out what writes to this address problem
Hi all, I'm just trying to learn how to mess around with DOS games and whatnot, and in the long run I'm trying to edit the exe itself to introduce a permanent cheat. So I decided to learn with a really old DOS game called Dangerous Dave (probably not the easiest way to learn!).
First of all, it is packed with LZEXE, so I had to unpack it.
I am using XP and have the game running in the NTVDM, and CE has found the correct memory address for the score. I just chose the score for handiness' sake because there are loads of diamonds on the level to increase it easily.
After much confusion in trying to find the address, I used the search type "All" and the address range 00000000 to FFFFFFFF and found it. The address is 0002F5F0.
I can edit that address and increase my score etc., but I want to hardcode it into the exe, and I was looking for the instructions that write to the memory. In the address box at the bottom I right-click on the address and choose "Find out what writes to this address". So I do that, go back to the game and increase the score, and go back to CE and see there are 2 lines in the box, but they aren't right.
I tried a few times, and most of the time they are "00 add [eax], al", with the same thing up and down each way for ages, which I think corresponds to a bit of the exe which is filled with zeroes. Other times it is different, but nothing that I was expecting, like a mov, add or inc. It just seems to land in a random part of the file.
Is it something basic that I am missing? Thanks.
Dark Byte (Site Admin)
Posted: Mon Apr 23, 2012 1:11 pm
I really doubt this works, but try this:
Open the memory view window, and in the hexadecimal part go to the address of your score.
There, select the bytes that make up the score, right-click and set a "Data Breakpoint->break on write".
Now change the score (make sure you're not fullscreen).
The debugger will break now.
Check out the CS value and the EIP value.
Do the following formula: CS*10+EIP to get the address of the instruction that accesses it.
And there you have it, the instruction that accesses your score. Note though that CE doesn't do 16-bit disassembling, so you have to replace the eax/ebx address specifiers with ax/bx etc.
CE also doesn't do 16-bit assembling, so there's not much you can do with it except nopping.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.
breadbin (How do I cheat?)
Posted: Mon Apr 23, 2012 2:19 pm
Thanks for that Dark Byte. I can't get it to work: I can't get it to run in a window whatever I check in the compatibility properties, and so it crashes every time the write breakpoint breaks. It's a pity because it's a great piece of software; I doubt I'd find anything like it for DOS.
Another quick question: is there a way I can convert the memory address I get in Cheat Engine to a segment:offset type that is used in the DOSBox debugger? I use Cheat Engine and hook it to DOSBox and find the address that is holding the score in the game. Let's say it's 33FA00BB. Is there a way to convert this so I can see it in the data window in the DOSBox debugger and maybe put a breakpoint on it? Sorry if it's a stupid question :)
Dark Byte (Site Admin)
Posted: Tue Apr 24, 2012 4:56 am
First off, you need to find out where address 0 is stored, and hope DOSBox uses a solid block for memory emulation (so not split up into separate chunks for ROM/BIOS).
The easiest method is to use the DOS debugger and look at address 0000:0000, and then do an array-of-byte scan for those bytes.
So let's say that the start is at 33f80000.
That means that the physical address is stored at 200BB.
(Are you sure the DOSBox debugger doesn't allow physical address breakpoints?)
Now that address needs to be converted to a real-mode addressing format.
A real-mode to physical address conversion is done by the formula (segment*0x10+offset).
To give an idea:
Code:
realmode : physical
0000:0000 = 00000000 (0*10+0)
0000:0001 = 00000001 (0*10+1)
0000:0002 = 00000002
..
0000:0010 = 00000010
0000:0011 = 00000011
0000:0012 = 00000012
0000:ffff = 0000ffff
...
0001:0000 = 00000010 (1*10+0=10+0)
0001:0001 = 00000011 (1*10+1=10+1)
0001:0002 = 00000012
...
0001:0010 = 00000020 (1*10+10=10+10)
0001:0011 = 00000021
0001:0012 = 00000022
...
f000:fff0 = ffff0 (f000*10+fff0=f0000+fff0)
f000:ffff = fffff (f000*10+ffff=f0000+ffff)
ffff:0000 = ffff0 (ffff*10+0=ffff0+0)
ffff:000f = fffff (ffff*10+f=ffff0+f)
'Fun' fact: ffff:0010 is either 0 or 100000 depending on the A20 state (actually stored in the freaking keyboard).
Now that you have some basic understanding of real-mode to physical, you've hopefully noticed that there are multiple addressing methods to reach your address.
I usually go for the most easily readable method, so in your example (200BB) I'd do:
2000:00bb (2000*10+bb=20000+bb=200bb)
I never tried using an on-access BP in real mode, so I'm not sure if this will trigger it or not (it might need an exact segment/offset).
Last edited by Dark Byte on Thu Apr 26, 2012 4:21 am; edited 1 time in total
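Added example, not code from the thread: the address arithmetic from both of Dark Byte's replies in one runnable Python file. It covers CS*0x10+EIP for the breakpoint location, the "easiest readable" physical to segment:offset form (0x200BB to 2000:00BB) next to the normalized form with offset below 0x10, the A20 wrap at ffff:0010, and the array-of-byte scan that locates guest physical address 0 inside the emulator's process memory. The function names, the host memory dump and the four pattern bytes are my assumptions; the host base 0x33F80000 and the score address 0x33FA00BB are the numbers used in the post.

```python
"""Real-mode / physical / Cheat Engine address helpers for the DOSBox workflow.

Added example for this thread, not Cheat Engine or DOSBox code. The host dump
and the bytes at 0000:0000 used in __main__ are constructed sample data.
"""
from typing import Optional, Tuple

A20_WRAP_MASK = 0xFFFFF  # with the A20 line disabled, address bit 20 is dropped


def real_to_physical(segment: int, offset: int, a20_enabled: bool = True) -> int:
    """segment*0x10 + offset, the formula from the post.

    With A20 disabled the 8086-style wrap applies, so ffff:0010 becomes 0
    instead of 0x100000 (the 'fun fact' in the reply)."""
    if not (0 <= segment <= 0xFFFF and 0 <= offset <= 0xFFFF):
        raise ValueError("segment and offset must each fit in 16 bits")
    phys = (segment << 4) + offset
    return phys if a20_enabled else phys & A20_WRAP_MASK


def cs_eip_to_physical(cs: int, eip: int) -> int:
    """Where the debugger broke: CS*0x10 + EIP. In a 16-bit code segment the
    upper half of EIP is zero, so this is the same real-mode formula."""
    return real_to_physical(cs, eip)


def physical_to_real(phys: int) -> Tuple[int, int]:
    """The 'easiest readable' segment:offset for a 20-bit physical address:
    the top four bits become the segment's top nibble, the low 16 bits the
    offset. 0x200BB -> 2000:00BB, 0xFFFFF -> F000:FFFF."""
    if not 0 <= phys <= 0xFFFFF:
        raise ValueError("physical address must be below 1 MiB for a real-mode pair")
    return ((phys >> 16) << 12, phys & 0xFFFF)


def physical_to_real_normalized(phys: int) -> Tuple[int, int]:
    """The other common form, with the offset kept below 0x10:
    0x200BB -> 200B:000B. Same physical address, different pair."""
    if not 0 <= phys <= 0xFFFFF:
        raise ValueError("physical address must be below 1 MiB for a real-mode pair")
    return (phys >> 4, phys & 0xF)


def find_guest_base(host_dump: bytes, bytes_at_zero: bytes, dump_start: int) -> Optional[int]:
    """Cheat Engine's array-of-byte scan done offline.

    host_dump is a copy of the emulator's process memory that begins at host
    address dump_start; bytes_at_zero are the bytes the DOSBox debugger shows
    at 0000:0000. Returns the host address of guest physical 0, or None when
    the pattern is missing or matches more than once (use a longer pattern)."""
    first = host_dump.find(bytes_at_zero)
    if first < 0 or host_dump.find(bytes_at_zero, first + 1) >= 0:
        return None
    return dump_start + first


def ce_to_physical(ce_address: int, guest_base: int) -> int:
    """Cheat Engine (host) address -> guest physical address."""
    phys = ce_address - guest_base
    if phys < 0:
        raise ValueError("address lies below the emulated memory block")
    return phys


def ce_to_real(ce_address: int, guest_base: int) -> str:
    """Host address -> 'SSSS:OOOO' string usable in the DOSBox debugger."""
    seg, off = physical_to_real(ce_to_physical(ce_address, guest_base))
    return f"{seg:04X}:{off:04X}"


if __name__ == "__main__":
    # Constructed host dump: 0x40 bytes of filler, then a 4-byte pattern standing
    # in for whatever the debugger shows at 0000:0000, placed so that the scan
    # resolves the base to 0x33F80000 as in the post.
    pattern_at_zero = bytes.fromhex("5bff00f0")  # constructed, not a real IVT entry
    dump = b"\x00" * 0x40 + pattern_at_zero + b"\x11" * 0x100
    base = find_guest_base(dump, pattern_at_zero, 0x33F80000 - 0x40)
    print(hex(base))                                               # 0x33f80000
    print(ce_to_real(0x33FA00BB, base))                            # 2000:00BB
    print(hex(real_to_physical(0xFFFF, 0x10, a20_enabled=False)))  # 0x0
```

The scan helper deliberately refuses an ambiguous match: four bytes from the interrupt vector table can easily occur elsewhere in a large process, so take a longer run from 0000:0000 if it returns None. Both segment:offset forms map to the same physical byte, which is why a data breakpoint keyed on the exact segment/offset pair (as the reply suspects might be needed) could miss a write made through the other pair.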
breadbin (How do I cheat?)
Posted: Wed Apr 25, 2012 9:19 am
Thanks again Dark Byte, I got it working and was able to break into where the addresses were changed. It took me a while to understand that the segment should be 2000: and not 0002:, but once I noticed this it was grand.
I was able to scroll through the assembly and see what was going on with the score and lives and whatnot. I was able to find the instructions in the hex file too, which was even better, and make a hard-coded patch. Not that I'm gonna play it or anything, but it was fun discovering.
In answer to your previous question: yes, I think that DOSBox does allow setting breakpoints on linear memory, but I didn't know it at the time, and sure I wouldn't have learned as much as I did if I had known.
Onto something else now :)
rodrigames (Advanced Cheater)
Posted: Wed Apr 25, 2012 3:46 pm
breadbin and Dark Byte, thanks to the two of you, there probably will be a lot of requests for new hard-coded patches for old DOS games. You can count on me to make some of those requests in the single player cheat request subforum on this site. Congratulations.