Cheat Engine

alamedamow · How do I cheat? Reputation: 0 Joined: 23 Apr 2014 Posts: 5

Hi all,

I've been trying to teach myself how to use CE and I have a question which I hope I haven't overlooked an answer to in various tutorials.

I've scanned and located a single address which matches the displayed money value, I then use "what writes to this address" and find a single opcode highlighted below 16A0DB57.

++METHOS · Posted: Wed Apr 23, 2014 7:38 pm Post subject:

If you change the value of your money by using the address that you found and it does not work (test by changing the value and then gaining/losing money), then you should not proceed with pointer scanning or injection.

If changing the value actually does work (and not just change the display value, but the actual value), and nop'ing the instruction that writes to your address does not stop the money value from changing, then you can look to see what else is writing to that value by looking at which instructions are still writing to that value after you nop the original instruction. There could be multiple instructions that handle the money value, or, a primary instruction that you are not targeting.

If you have found the correct address, I would recommend trying an instruction that accesses your address as opposed to writes to it...that way, the change is immediate, without relying on some other event for the value to be updated etc.

alamedamow · How do I cheat? Reputation: 0 Joined: 23 Apr 2014 Posts: 5

Thanks for replying METHOS,

++METHOS · Posted: Wed Apr 23, 2014 8:22 pm Post subject:

Either the address is wrong or it isn't. If you say that it works for changing the money value, then you can proceed with injection. If it doesn't work, you are wasting time with this opcode or any other relating to it.

First, find the correct address. If you have found the correct address, I can help you with the injection.

Remember, the value may get written to by different instructions. One instruction may be used to subtract money and another to add. One instruction may be used only for bonuses or some other event. This is why you should:

1. keep the debugger open to see if any other instructions are actually writing to your address.
2. don't even bother with write instructions in the first place (unless you have to)...that way, you can change the value immediately, regardless of what is happening in the game.

alamedamow · How do I cheat? Reputation: 0 Joined: 23 Apr 2014 Posts: 5

My original search address is obviously "wrong" in that it is not the "source" money value. However, this is for a tower defense game and for a full map this address follows my displayed money value exactly for dozens if not hundreds of additions and subtractions due to all available earning/spending possibilities. The above opcode is the only one writing to this searched address.

I'm not looking for help with injection, just finding the "source" money address. When you say it is pointless to proceed from anything other than the true money address; is this because it is impossible or extremely difficult to backtrack the "source" money value from my searched value?

++METHOS · Posted: Wed Apr 23, 2014 9:28 pm Post subject:

I wouldn't say that. It's just not the approach that I would take. It's much easier to just find the value. Besides, you may waste all of that time, only to realize that the instruction isn't even connected to the real address.

If the game is an online game, you may be wasting your time altogether.

alamedamow · How do I cheat? Reputation: 0 Joined: 23 Apr 2014 Posts: 5

This is for Bloons TD 5 on Kongregate. Although the "monkey money" or "green cash" seems to be stored server side, I'm 100% sure the regular cash used on each individual map is client side. This is a fairly old game and it's more to allow me to learn techniques rather than to hack the game.

Let me present this from another angle. For various tutorials, the general steps are, 1) Find an address which matches your money 2) Find what addresses write to this money address 3) Open that address in the disassembler and look at the code preceding the opcode of interest.

It's explained that you look at the preceding code because this is where they process the pertinent data before continuing down the line and hitting your move opcode to push that data in to your original searched address.

Well in this case, there's a jump opcode right before my opcode of interest, so in the "spirit" of step 3, I'm no longer to examine the code before the opcode of interest right? If I want to find the lines of code which processed the money value leading up to my opcode of interest, don't I have to go looking for another jump or call opcode which would lead to my opcode of interest?

++METHOS · Posted: Wed Apr 23, 2014 11:16 pm Post subject:

Online, multiplayer games are prohibited for discussion. Not sure if this game qualifies.

Regarding the instruction that writes to your address...you may have to utilize AOB as the location of the instruction may be changing regularly. Additionally, the only thing that you should have to change is the actual instruction that is writing to your money value (i.e. no need to look above for any conditional jump).

For example:

alamedamow · How do I cheat? Reputation: 0 Joined: 23 Apr 2014 Posts: 5

It's definitely not multiplayer. People can verify if they wish by looking up bloons td 5 on kongregate.

Yes, if this address were the true storage address of cash it would be easy to freeze or modify the movq. Unfortunately as I stated before, although this particular address always has a double value which matches my current cash, modifying it or freezing it doesn't have any affect on the display or actual cash.

This is why I was trying to find where xmm0 was assigned previous to the movq step. xmm0 is one step closer to the true money storage right?

++METHOS · Posted: Thu Apr 24, 2014 1:54 am Post subject:

Rydian · Posted: Thu Apr 24, 2014 5:14 am Post subject: