Tuesday 28 March 2017

Forge By Games - using 4 Bytes Unknow Search to hack most of the games with Cheat Engine

Forge By Games - How to Cheat in games with Cheat Engine :  for example : Ori and The Blind Forest - Definitive Edition

I always start with a 4-byte unknown value search, even though it takes a longer time to search. But this way I am free from getting no result and then having to do another new search again. For me, it is better to get the result in one search than in 2 or 3.

Usually a 4-byte unknown value search with increased and decreased will work most of the time.
But for values that are very hard to find, like the x, y, z position of the game character's location,
a Float unknown value search with changed and unchanged will be a better choice.
Use a 4-byte unknown value search with changed and unchanged if the value is encrypted, for example: Chicken Invaders 4 Ultimate Omelette.


In this video, I will show you how to find an unknown value using 4 bytes, then convert it.

I will also use a game I like a lot to show it:

Ori and The Blind Forest - Definitive Edition

  - PC game, 2015


I am using Cheat Engine version 6.6.

Here are the details of my cheat sample:
Cheat Engine Tutorial x64
Step 4: Floating points (PW=890124)

Now, the details for
Ori and The Blind Forest - Definitive Edition




The health (HP) is shown by orbs; for now the max HP is 3,
but its value is stored as a float and is not counted as 1, 2, 3.
The game logic is: float +4 = orb +1; so 1=4, 2=8, 3=12 (very strange, huh?)
I found it using a 4-byte unknown value search with increased and decreased, then converted it;
from that I know it is a float value.
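As an added example (not code from this post or from Cheat Engine), this Python simulation runs the 4-byte unknown-value search with increased/decreased filters over a constructed set of memory snapshots, then reinterprets the surviving cell as a float and applies the orb = float/4 rule described above. The snapshot contents and cell layout are assumptions, not captures from the game.

```python
import struct

# Constructed memory snapshots: each is a list of 4-byte little-endian cells.
# Cell 3 plays the role of the Ori HP float described above (3 orbs = 12.0,
# 2 orbs = 8.0, 1 orb = 4.0); the other cells are decoys that change the way
# unrelated process memory does. None of this is captured from the game.
def f32(x):
    return struct.pack('<f', x)

def u32(x):
    return struct.pack('<I', x)

SNAPSHOTS = [
    [u32(7), u32(1000), u32(0), f32(12.0), u32(500), f32(1.5)],  # 3 orbs
    [u32(7), u32(1001), u32(0), f32(8.0),  u32(499), f32(1.5)],  # hit: 2 orbs
    [u32(8), u32(1002), u32(5), f32(4.0),  u32(498), f32(1.5)],  # hit: 1 orb
    [u32(8), u32(1003), u32(5), f32(8.0),  u32(497), f32(1.5)],  # healed: 2 orbs
]
# Cell 4 is a decoy that also decreases twice; only the 'increased' step
# (the heal) removes it, which is why the search uses both directions.

def as_int(cell):
    return struct.unpack('<I', cell)[0]

def as_float(cell):
    return struct.unpack('<f', cell)[0]

def unknown_value_search(snapshots, steps):
    """Narrow candidates the way a 4-byte 'unknown initial value' scan does.

    steps[k] is the filter applied between snapshots[k] and snapshots[k+1]:
    'increased', 'decreased' or 'unchanged'. Every cell is compared as an
    unsigned 32-bit integer. That still works for positive IEEE-754 floats,
    because their bit patterns order the same way the float values do, which
    is why a 4-byte search finds a float HP value and it only needs converting
    afterwards.
    """
    candidates = set(range(len(snapshots[0])))
    for k, step in enumerate(steps):
        before, after = snapshots[k], snapshots[k + 1]
        survivors = set()
        for i in candidates:
            a, b = as_int(before[i]), as_int(after[i])
            if step == 'decreased' and b < a:
                survivors.add(i)
            elif step == 'increased' and b > a:
                survivors.add(i)
            elif step == 'unchanged' and b == a:
                survivors.add(i)
        candidates = survivors
    return candidates

def interpret(cell):
    """Both readings of one 4-byte cell: the raw integer the scan compared,
    and the float you get after 'converting' the found address in the table."""
    return {'int': as_int(cell), 'float': as_float(cell)}

def orbs_from_hp(hp_float):
    """The rule for this game: float +4 == one orb, so 4 -> 1, 8 -> 2, 12 -> 3."""
    return int(hp_float / 4)

if __name__ == '__main__':
    # Sequence actually played in the snapshots: hurt, hurt, healed.
    found = unknown_value_search(SNAPSHOTS, ['decreased', 'decreased', 'increased'])
    for i in sorted(found):
        reading = interpret(SNAPSHOTS[-1][i])
        print(f"cell {i}: int={reading['int']} float={reading['float']} "
              f"orbs={orbs_from_hp(reading['float'])}")
```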

You need to get hurt first to activate the AOB script; the Array of Bytes code doesn't exist until you take HP damage, but in this game getting hurt is the easiest thing: everywhere and anytime you can get hurt... Haha, don't worry, you will survive.

I just want to show its strange game logic here. Also, I like this game a lot; I have always liked hand-drawn art more than 3D art. Animated, retextured-to-2D-style games have always been my favourite.

Never Alone, Child of Light and Ori and The Blind Forest are three of my favourite hand-drawn-style art games. Is there any game you like that is hand drawn or retextured to 2D art?



For all of you that are still reading this. Thank You !

Here I wish to thank Steven Chapman for his YouTube video
Cheat Engine Tutorial: How to Hack GameMaker Games.
This is how I learned about fstp st(*).
Sometimes if the stack is not popped as it should be, it will cause an error.
Popping the stack to none is very useful. Thanks!


This is episode 5 of my YouTube video series about Cheat Engine:
Forge By Games - using 4 Bytes Unknow Search to hack most of the games with Cheat Engine
Click here to subscribe to my YouTube channel
Forge By Games, #ForgeByGames


My next video will be in more detail about
4 bytes, integer, float, double, 8 bytes and string.


-----------------------------------------------------

  Forge By Games  # ForgeByGames  - Cheat Engine Tutorial series
 
episode 1 :
How To Find start point and End point of a program using Cheat Engine - ForgeByGames

episode 2 :
How To Enable Disable Button Of a Program using Cheat Engine -ForgeByGames

episode 3 :
Cheat Engine Special Trick + How to write a special script when normal AOB fail

episode 4 :
Forge By Games -Easy find Base Address of Multilevel Pointers special trick using Cheat Engine

episode 5 :
Forge By Games - using 4 Bytes Unknow Search to hack most of the games with Cheat Engine

episode 6 :
Forge By Games - Find out the relationship between value in Cheat Engine -part 1

-----------------------------------------------------

Thank you !

  Forge By Games  # ForgeByGames

Cheat Engine
http://www.cheatengine.org/

Don't forget to like the video.
Subscribe my channel on YouTube!
https://www.youtube.com/channel/UCSUASrRQWA6nPXe9sySqrBA

Oh yeah! To get more information,  Follow my blog
https://forgebygames.blogspot.com
https://forgebygames.wordpress.com

Forge By Games  # ForgeByGames    - FaceBook Page
https://www.facebook.com/Forgebygames-913857608744041/

Forge By Games  # ForgeByGames    - Twitter  tweet
https://twitter.com/ForgeByGames

Forge By Games  # ForgeByGames    - Pinterest  pin
https://www.pinterest.com/forgebygames/


Join us at FaceBook group
      Cheat the Game
https://www.facebook.com/groups/CheatTheGame/
I have learned a lot from here

Thanks for watching and reading this, now share it if you like it.


Friday 24 March 2017

Go to sleep now! Rest is part of the game.

Gamers, YouTubers, Streamers: go to sleep. Continue what you are working on after you get enough rest. Like in games: fill up your HP and MP first.
Sleep isn’t merely a time when your body shuts off. While you rest, your brain stays busy, overseeing biological maintenance that keeps your body running in top condition, preparing you for the day ahead. Without enough hours of restorative sleep, you won’t be able to work, learn, create, and communicate at a level even close to your true potential. Regularly skimp on “service” and you’re headed for a major mental and physical breakdown.

The quality of your sleep directly affects your mental and physical health and the quality of your waking life, including your productivity, emotional balance, brain and heart health, immune system, creativity, vitality, and even your weight. No other activity delivers so many benefits with so little effort!


Recently, Brian, aka PoShYbRiD, a Twitch streamer, died during a 24-hour charity live stream.


Here’s the known information about the incident so far, via a mod posting in PoShY’s Twitch chat:

Known info so far: Around 3:30AM CST Poshy said he was going for smokes and left the stream running, He never returned. around 11AM CST we were all still here assuming he had fallen asleep. around 19:00 Sorelor sees him online in discord and messages him. The person who responded identified himself as a detective and asked Sore to call him. Sore spoke with him, Called the Virginia Beach police department to confirm the detectives identity. The detective confirmed Brian had passed.

According to PVPLive: Twitch.tv streamer PoShYbRiD has been found dead after a 24-hour streaming session for Charity on Twitch. It’s speculated that he died due to heart complications from severe sleep deprivation.

This guy made it 22 hours. RIP.
24-hour streams are definitely not healthy.
MAY HE REST IN PEACE

https://forgebygames.blogspot.com/2017/03/go-to-sleep-now-rest-is-part-of-game.html


Sleep for Health

Sleep needs vary across ages and are especially impacted by lifestyle and health. To determine how much sleep you need, it's important to assess not only where you fall on the "sleep needs spectrum," but also to examine what lifestyle factors are affecting the quality and quantity of your sleep such as work schedules and stress.

If you’re getting less than eight hours of sleep each night, chances are you’re sleep deprived. What’s more, you probably have no idea just how much lack of sleep is affecting you.

How is it possible to be sleep deprived without knowing it? Most of the signs of sleep deprivation are much more subtle than falling face first into your dinner plate. Furthermore, if you’ve made a habit of skimping on sleep, you may not even remember what it feels like to be truly wide-awake, fully alert, and firing on all cylinders. Maybe it feels normal to get sleepy when you’re in a boring meeting, struggling through the afternoon slump, or dozing off after dinner, but the truth is that it’s only “normal” if you’re sleep deprived.


I would like to say it again "Gamer, Youtuber, Streamer! Go to sleep now! Rest is part of the game."

Forge By Games # ForgeByGames

https://forgebygames.blogspot.com

Sunday 19 March 2017

Friday 17 March 2017

Forge By Games - Easy way to find Base Address of Multilevel Pointers using Cheat Engine


A Base Address is static, which means it will not change even after a game restart; it will always be at the same place in the code. BUT a lot of game values are at dynamic addresses, not static ones; they change a lot: after loading, after a restart, after ... after ... something; so the code you found will just work for a short while. To deal with this problem, you need to write a script (AOB or code injection) or find the value's Base Address. With a Base Address you can simply edit the value anytime, save it and reuse it again with Cheat Engine.

-----------------------------------------------------

If you don't understand what I am doing here, please watch my previous YouTube videos about Cheat Engine; this is episode 4.

episode 1 :
How To Find start point and End point of a program using Cheat Engine - ForgeByGames

episode 2 :
How To Enable Disable Button Of a Program using Cheat Engine -ForgeByGames

episode 3 :
Cheat Engine Special Trick + How to write a special script when normal AOB fail

-----------------------------------------------------

For a long time, looking for the Base Address was all I knew; I didn't know scripts. Looking for the Base Address has taken a lot of my time: from pointer to pointer, from pointer to dead end, from pointer to the pointer before it; I have walked in circles a lot of times.
Things changed only after I encountered the problem with Chicken Invaders 4 Ultimate Omelette. I just didn't know how; I searched and searched the web looking for an answer, and finally it was Chris Fayte @ Cheat The Game's YouTube video that helped. From that I got to know Geri; I read and read his articles many times until I understood what he meant. (I am a slow learner, my weak point.)
Now I know scripts, assembly code and some special tricks. I am still learning because I am just touching the surface; there is a lot more I don't know: Lua, C++, VB, C#, Java, and so on ..........

OK, enough of my past, back to Pointers, Base Address, Multilevel Pointers.
The Base Address is the root of the pointers,
and a pointer points to the value you want to change or keep.

Simple Level 1 pointers: Base Address --> pointer --> game value (dynamic Address).

For multilevel pointers: Base Address --> pointer --> pointer --> pointer --> pointer --> pointer --> game value. (Some games have Lv7+ multilevel pointers, what a trouble maker.)

With a Base Address there are tons of ways to use it; the problem is: finding it is hard, very hard sometimes, and worse, I couldn't find it at all in some of my past records.

-----------------------------------------------------

I simply said to myself: "You did it, after all these years, you finally found the answer."


After watching the video made by FreeER atubeacct on YouTube,
  Cheat Engine Manually Finding Multilevel Pointers

I figured out this special trick to easily find the Base Address, after doing a lot of comparing.
FreeER atubeacct said there that there are relationships between pointers, and I did find many of them; but I had given myself a mission: find the easiest way. Yes, I found it after many tries and failures.


Click here to subscribe to my YouTube channel
Forge By Games, #ForgeByGames


A note to myself and to you reading this line: the Base Address will always be static, so the final target search must be something that has ****.exe+???; if not, you must have overlooked it. -ff is -255; maybe the base address is just at -33 or something, so just check each Find Assembly code result from top to bottom; the final target is in one of them. -ff can be expanded to -6ff, -ffff or whatever you think it should be, or reduced to -6f, -cf or whatever you think it should be.
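Added example (not the post's or Cheat Engine's code): a Python model of a 32-bit process in which a pointer path rooted in the module's static region is resolved through three levels, once for each of two constructed "runs" whose heap addresses differ, plus the check from the note above that the root really is a game.exe+offset address. The module name, base, offsets and every address are assumptions.

```python
import struct

# Constructed layout: game.exe loaded at a fixed base (static region). Everything
# the game allocates at runtime lands at addresses that differ per run.
MODULE_NAME = 'game.exe'
MODULE_BASE = 0x00400000
MODULE_SIZE = 0x00100000

def u32(x):
    return struct.pack('<I', x)

class Memory:
    """Sparse 32-bit address space: dict of address -> 4-byte little-endian cell."""
    def __init__(self, cells):
        self.cells = dict(cells)

    def read_u32(self, addr):
        cell = self.cells.get(addr)
        if cell is None:
            raise KeyError(f'unmapped read at {addr:#010x}')
        return struct.unpack('<I', cell)[0]

def build_run(obj_a, obj_b, obj_c, hp):
    """One 'run' of the game. The static slot inside game.exe points at object A,
    A+0x10 points at object B, B+0x2C points at object C, and C+0x118 holds HP.
    In Cheat Engine notation: [[[game.exe+0x1234]+0x10]+0x2C]+0x118."""
    return Memory({
        MODULE_BASE + 0x1234: u32(obj_a),
        obj_a + 0x10: u32(obj_b),
        obj_b + 0x2C: u32(obj_c),
        obj_c + 0x118: u32(hp),
    })

def static_name(addr):
    """Return 'game.exe+offset' when addr lies inside the module, else None.
    This is the test from the note: a real root must look like ****.exe+???."""
    if MODULE_BASE <= addr < MODULE_BASE + MODULE_SIZE:
        return f'{MODULE_NAME}+{addr - MODULE_BASE:#x}'
    return None

def resolve(mem, root, offsets):
    """Follow a multilevel pointer path and return the final value address.
    Every offset but the last is dereferenced; the last is only added."""
    if static_name(root) is None:
        raise ValueError(f'root {root:#010x} is not static; keep searching')
    addr = mem.read_u32(root)
    for off in offsets[:-1]:
        addr = mem.read_u32(addr + off)
    return addr + offsets[-1]

ROOT = MODULE_BASE + 0x1234
OFFSETS = [0x10, 0x2C, 0x118]

if __name__ == '__main__':
    # Same game, two launches: the dynamic addresses are all different...
    run1 = build_run(0x02000000, 0x02100000, 0x02200000, hp=12)
    run2 = build_run(0x03450000, 0x05A00000, 0x0ABC0000, hp=12)
    for run in (run1, run2):
        hp_addr = resolve(run, ROOT, OFFSETS)
        # ...but the same path from the static root reaches HP every time.
        print(f'{static_name(ROOT)} -> HP at {hp_addr:#010x} = {run.read_u32(hp_addr)}')
```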

For all of you that are still reading this. Thank You !

Special thanks to FreeER atubeacct;
he has been helping me since the 1st Cheat Engine video:
How To Find start point and End point of a program using Cheat Engine - ForgeByGames

Thank you All !
    Forge By Games # ForgeByGames

It was because of Cheat Engine 6.6 Tutorial Step 8 that I learned the trick to find the start point and end point of a game's address, and then enable the next button. And the trick I use here: a special and fast way to the Base Address through comparing multilevel pointers.
I was looking for a way to solve the multilevel pointers test by using an AOB script.
Eventually, I failed and failed again, but this is not a total loss; I have learned new tricks.
But I am still trying: Cheat Engine 6.6 Tutorial Step 8 - Multilevel Pointers, can it be solved using an AOB script?
Any help is welcome.
I am still hoping for an AOB script that can change the value to 5000 after the pointer changes and before the 3 seconds end......... and a way to change the countdown from 3 seconds to 3 minutes or something less or more....
For anyone out there, if you know how, please let me know. I want to learn.





Thursday 16 March 2017

Forge By Games - quote of the day - Try


ForgeByGames #quote n art
quote of the day
art by
ForgeByGames
art name: Try


Forge By Games #ForgeByGames




Saturday 4 March 2017

my thanks to Cheat Engine and Dark Byte (3)

Cheat Engine Forum is working again! Yay!


Today is a good day !

Before this, I was very sad about what happened at forum.cheatengine.org; recently it had been targeted by a big company from the game industry (it seems to be due to copyright claims by Bethesda, claiming Cheat Engine is violating the works of companies like Bethesda etc...) [you know the big ones can name any reasons],
giving Dark Byte, the admin and creator of Cheat Engine, such a big problem.
Read more here
{ the site could not work correctly at that time due to a DDoS attack }
Besides an amplified DDoS attack, there was also a 'Notice of Infringement' from a representative of Bethesda and others. (Is this a coincidence? ................)

Dark Byte, my thanks to you for all your hard work; I hope all the problems have been solved.

I am releasing a series of all I learned from forum.cheatengine.org; since it is working now, I think this will be the final part.
   Thanks!
Forge By Games # ForgeByGames


This is the 3rd post I learned from.


All credit goes to, and all of this is from

http://forum.cheatengine.org/viewtopic.php?t=570083
{ this site was down due to a DDoS attack and the other trouble; now it is working fine }

Written by
  Rydian
Grandmaster Cheater Supreme



Invincibility Code Fixes (Segregating Players/Enemies)

{ You get no damage while your enemies still get damage }



In many cases with making code patches (AOB scripts, injection, what-have-you) for games, the
simplest way to go about making invincibility for the player is to find the code that damages the
player and disable it in one way or another. However for a number of games this will also make
enemies invincible (or whatever the code effect is) and this is undesirable.

This guide will show you three main methods to solve this problem in order of ease. I will be using
Rogue Legacy as the example game and focusing on invincibility, but the basic concepts used here
can apply to almost any other game and code situation. This guide also assumes that you know
the basics of making code edits with CE, otherwise you wouldn't be having this issue.



1 - Target Unique Reads
The basic problem with invincibility codes making monsters invincible too is that the code is shared,
the code you targeted affects all "players" or "entities" or whatever, so when you edit the code it
changes the effect for everything that the code runs on.

So instead of neutering the code that edits your health, take a different approach. Find some
code that reads just your own health, and then edit that code so it also sets your health to full
constantly, overriding other changes to it.

The first thing to do is, as usual, find your health address. This time right-click it and find what
accesses the address. Run around, hit, and be hit by other enemies for a few seconds and
then stop the logging. Check out the instructions, chances are there will be a lot of them.



For this type of case, we want to find one of the codes that's running all the time. It could be a
number of different functions to do this, such as the code that reads your HP in order to draw or
update the health bar on-screen, or code that constantly checks your HP to determine if you died.

We have two opcodes that ran a lot during the short test (the first two), so either of them should
work fine. We'll choose the first one for simplicity here. Click it and click "Show Disassembler"
as usual to bring it up in the memory browser window. The first thing to do is to make sure that
it's an opcode you know enough to edit or overwrite.

If so, then the next step is to make sure that the code only works on us. Right-click the highlighted
line and choose "Find what addresses this code accesses" to bring up a new logging window.



"But Rydian, this is a .NET game, if you click th-" Shhhh. This is a general tutorial so we shouldn't
be relying on things like that which won't give any info for other games. Just follow along as if
the data collector didn't exist because for most games it doesn't and you need to guess+test.



You should run around, hitting other monsters, getting hit, and repeating "SCIENCE HERE, MAKE
WAY FOR SCIENCE HAPPENING" while testing to see if the code edits other addresses. Then check to see if the targeted opcode works on just player data or the data of other things too.



In this case the targeted opcode only reads our health so we're good. In your case if it reads more,
then you'll want to check out other opcodes that do constant reads in order to find one that works.

Anyways once you have code that reads your address and only your address, you can edit it to
overwrite the value with whatever you want depending on what your goal is. Just because the
original purpose was to read doesn't mean you can't tell it to also write, you know.



So like that the game will constantly refill your health, and only do it to your health.


2 - Hack A Different Mechanic
While normally the fastest and most direct method to avoid taking damage in games is to neuter
the function that subtracts from your health, there's other mechanics you can focus on as well.
One of my favorites is "mercy invincibility" and that's what this will focus on. There's other mechanics you can focus on as well if you think outside of the box, but this is often simple enough.

This is a concept in many games where, after getting hit, you have a brief period where you can't
get hit again (a mechanic intended to prevent stunlock on the player). Usually during this period
you'll be flashing or faded out or something, and enemies won't be able to harm you (and in many
cases won't even collide with you). Since this is a mechanic originally designed to prevent
annoyance for the player, this tends to be a mechanic that only applies to the player you're
controlling so that means it will rarely run into the issues that health codes can run into.

So since mercy invincibility lasts a specific amount of time, there must be a value to keep track of it
and game code to set, count down, and check that value. There should also be code that checks to
see if the player is invincible or not when trying to hurt him. So there's two ways to go about this.

For both of the methods, depending on the game you may find it useful to be able to pause and resume the game quickly. If you go into Cheat Engine's settings, in the hotkey settings you can set hotkeys for speedhack values. I tend to set one hotkey for speed 0 and another for speed 1. This means I can press one hotkey to "pause" the game and a second hotkey to resume. This gives plenty of time to scan for short-lived timer values or flags for mercy invincibility. 


In this case we'll search for a value that increases when you get hit, and then decreases as the timer for invincibility wears off (and then raises again when you get hit). After some time spent searching, the value has been found!





So there's two ways we could approach this. The first method would be to find what writes to that address and find the code that's responsible for making it count down. This is what I tend to do when I want a quick-and-easy invincibility code, because it's a simple process to find the timer and disable it. So here I ran around and got hit twice, and allowed the timer to count down twice.



And the targeted code is the one we need. It's the one that reduces the timer repeatedly until it's empty, so if you edit that code to no longer write the edited value then once you get hit the first time your invincibility shouldn't wear off anymore. Yayyyy.

Now, what if we wanted to, instead, change the logic? With the quick-and-easy invulnerability code, the player still needs to get hit once to activate it. To see another method of doing it, find what accesses that address and you'll see some comparisons and stuff.



Now there's three of them here, and it's not immediately obvious which is the one we want. One of them might be just for the visual effect, one of them might be a check for setting it off instead of on, etc. So here is where you just need to guess and test. The middle one is the one that fires off when you get hit and it turns on, so that's the correct one in this case and it's the one I'll be targeting. Looking at it... 





So it seems to be comparing the invincibility value to 0, and if it's higher than 0 it jumps to some other code instead (JG = "Jump if Greater"). If you edit the jg to be jmp instead, then it will always jump to the other code, so when you contact a monster it'll always think you're invincible and won't damage you! So this is a secondary method of getting invulnerability, editing the check instead of the write.

Now... a different method for invincibility could be to find the code dealing with an "invulnerable" flag.
This will generally be a byte value (but it could be something different of course) and in most cases will be 1 or 0. It could either be "1 for invincible" or "1 for attackable", so check both ways. Get hit, pause the game (either normally or with speedhack) while invulnerable and scan, do a different scan when it wears off, etc. Depending on the game you may have to do an unknown initial value scan and scan for differences.

However in the case of Rogue Legacy, it seems that it only uses the invincibility timer. So instead of the game checking for an invincibility flag, the code checks to see if the timer has any time left in it in order to determine if you're invincible or not. Rogue Legacy isn't the only game that does this, so if the quick and easy invincibility flag search didn't work, you may need to do the above timer method.



3 - Check The Player Structure
This is one of the more traditional ways of using injection to get invincibility for just the player. However it also requires learning more about the game (specifically the entity structure for it) in order to use it effectively, so since it needs more research and work and custom assembly it's the third method listed.

The basic idea is to have the game do a check like "is this a player or an enemy?" by comparing values, and then either continue with the code to cause damage if it's an enemy, or skip over it if it's the player.

This method involves looking at the structure for entities in the game and comparing two instances (which will generally be the player versus an enemy) to find differences. To be able to look at and compare the structures, we should first find the base address of the player structure. To put it simply, for this example it's the player's health minus the health offset. So let's say my current health address in a certain run is 0368A400 and the offset (code that writes/accesses will show this) is +118. Doing some hex math returns 0368A2E8 as the base address for the player. Remember that putting the Windows calculator into scientific mode presents you with a hex selection box you can use to do hex math.

Now that we know the base address of the player, we should open the structure dissect window. In the
memory viewer (CTRL+B), go to Tools - Dissect data/structures. In the new window enter the base
address for the player's data into the box at the upper-left and choose Structure - Define New Structure.



Give it a name like Player (for .NET games like Rogue Legacy it offers to use the actual structure name) and if you're doing this on a different game you'll be asked for a size (the default works) and whether CE should try to auto-fill some of the data (yes). When that's all done you should see a bunch of stats or whatever for the structure you chose. Since this is a .NET game we have it easy and it's all mapped out for us already, but with most games it'll be unlabeled best-guess entries.

The next thing to do is to find the base address... of an enemy. So for this you should find the address
to their health and then subtract the offset (118 for this example) from it. For my run I got an enemy
with a health address of 226F5AD0, so that enemy structure's base address would be 226F59B8. Back in the structure window, go to File - Add extra address. A second text box should pop up next to the first one, put the enemy's base address in here. Then the display should show both data sets.





Green addresses are the same for both the player and enemy, red addresses are different. So using
this display, we can try to figure out which pieces of data (offsets) would be good for a comparison to
determine if the target is the player or an enemy. Again, in .NET games like Rogue Legacy we're
granted a big benefit in that the offsets are labeled and stuff. For other games you'll have to poke
around, see what other things in the structure you can find, and guess+test.

For this tutorial we'll just pretend we poked around a lot and found offset +104 (StepUp) and it seems
to always be the same value for the player (10) but different for enemies. Make sure to check what type of value it is, in this case it's 4byte, gotta' remember that. So now you'll want to go back to making a generic template script for the health code. Find the code that writes health when hit like usual, and when you tell CE to generate the template the code: section should look something like this.



What we want to do is add a check (comparison, cmp) to see if some values are as expected (if the target is the player), and if it's equal skip (je) past the original line of code and jump back to where it continues.



So the first line added is the comparison. Notice how it says "dword" after the cmp? This is to tell AA
how much memory to read and compare. It's very important to note the right size there, because if the
offset in the structure is 1 byte and you're reading 4, the comparison is bound to have false failures.

1 byte = "byte"
2 bytes = "word"
4 bytes = "dword"
8 bytes = "qword"

When it comes to float ("dword") or double ("qword") values, you can do exact comparisons (je or jne).
However doing greater/lesser comparisons may be a bit more complex and/or involve more code. 


Also notice that even though I said the value of StepUp is 10 for the player, it checks against A. Remember that AA interprets things as hexadecimal values by default!

The second line is je (jump if equal) to the return location that CE sets up when the script executes.

Anyways, now that the script checks part of the structure against the known value for the player, the code should properly grant you immunity to damage while still letting monsters get damaged. So yay, done!

This guide just covers the basics with a simple example, and if you run into other situations it's expected that you know at least a little assembly since this type of thing usually needs a good understanding of what the game is doing and such. 


 by 
Rydian
Grandmaster Cheater Supreme
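An added example (not Rydian's or Cheat Engine's code) that models section 3 of the post above in Python: two constructed entity images stand in for the dissect window's player and enemy, `struct_base` does the health-minus-offset arithmetic with the post's own numbers, `diff_structs` marks which offsets differ (the green/red display), and `field_matches` shows why the compare width (byte/word/dword/qword) has to match the field. The structure layout and the 1-byte flag at +0x10C are assumptions.

```python
import struct

STRUCT_SIZE = 0x120
HEALTH_OFFSET = 0x118     # from the post: health lives at +118 in the entity
STEPUP_OFFSET = 0x104     # from the post: StepUp, a 4-byte field, 10 for the player
FLAG_OFFSET = 0x10C       # assumption: a 1-byte flag that is 1 for every entity

WIDTHS = {1: '<B', 2: '<H', 4: '<I', 8: '<Q'}   # byte, word, dword, qword

def struct_base(health_addr, health_offset=HEALTH_OFFSET):
    """Entity base = health address minus the health offset (the 'hex math')."""
    return health_addr - health_offset

def make_entity(step_up, bytes_after_flag, hp):
    """Constructed entity image; everything not listed is zero."""
    buf = bytearray(STRUCT_SIZE)
    struct.pack_into('<I', buf, STEPUP_OFFSET, step_up)
    buf[FLAG_OFFSET] = 1
    buf[FLAG_OFFSET + 1:FLAG_OFFSET + 4] = bytes_after_flag   # neighbouring fields
    struct.pack_into('<I', buf, HEALTH_OFFSET, hp)
    return bytes(buf)

PLAYER = make_entity(step_up=10, bytes_after_flag=b'\x00\x00\x00', hp=100)
ENEMY = make_entity(step_up=25, bytes_after_flag=b'\x07\x00\x00', hp=40)

def read_field(entity, offset, width):
    return struct.unpack_from(WIDTHS[width], entity, offset)[0]

def diff_structs(a, b, width=4):
    """Walk both structures in `width` steps, like the dissect window with a
    second address added: returns {offset: 'same' | 'different'}."""
    return {off: ('same' if read_field(a, off, width) == read_field(b, off, width)
                  else 'different')
            for off in range(0, STRUCT_SIZE, width)}

def differing_offsets(a, b, width=4):
    return [off for off, state in diff_structs(a, b, width).items() if state == 'different']

def field_matches(entity, offset, width, expected):
    """The injected check `cmp <size> [entity+offset], expected`. Remember the
    post's point: Auto Assembler reads literals as hex, so 10 decimal is A."""
    return read_field(entity, offset, width) == expected

if __name__ == '__main__':
    print(hex(struct_base(0x0368A400)), hex(struct_base(0x226F5AD0)))
    print('differs at:', [hex(o) for o in differing_offsets(PLAYER, ENEMY)])
    # correct width: the 4-byte StepUp check separates player from enemy
    print(field_matches(PLAYER, STEPUP_OFFSET, 4, 0xA),
          field_matches(ENEMY, STEPUP_OFFSET, 4, 0xA))
    # wrong width: reading the 1-byte flag as a dword drags in the bytes after it
    print(field_matches(ENEMY, FLAG_OFFSET, 1, 1),
          field_matches(ENEMY, FLAG_OFFSET, 4, 1))
```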

==================================================================================

http://forum.cheatengine.org
It would be a big loss if you were gone!
I am so HAPPY that you are back, working FINE!
Great site!
   Thanks!

Forge By Games # ForgeByGames





Friday 3 March 2017

my thanks to Cheat Engine and Dark Byte (2)

I am very sad about what happened at forum.cheatengine.org; it has been targeted by a big company from the game industry (it seems to be due to copyright claims by Bethesda, claiming Cheat Engine is violating the works of companies like Bethesda etc...) [you know the big ones can name any reasons],
giving Dark Byte, the admin and creator of Cheat Engine, such a big problem.
Read more here
{ the site doesn't work correctly for now due to a DDoS attack and other trouble; I hope it is just temporary }
Besides an amplified DDoS attack, there was also a 'Notice of Infringement' from a representative of Bethesda and others. (Is this a coincidence? ................)

Dark Byte, my thanks to you for all your hard work; I hope the problem will only be temporary.

I am releasing a series of all I learned from forum.cheatengine.org


I just have some posts that I have read and understood; hopefully others of you will post some more.
And please let me know where it is!
   Thanks!
Forge By Games # ForgeByGames





This is the 2nd post I learned from.

All credit goes to, and all of this is from

http://forum.cheatengine.org/viewtopic.php?t=572465
{ the site doesn't work correctly for now due to a DDoS attack and the other trouble; I hope it is just temporary }

Written by
  Rydian
Grandmaster Cheater Supreme

Pointer Scanner + Injection Copies + AOB To Data -Cheat Engine Guides

Making your table have the right addresses each time without having to re-scan every time you run
the game is something everybody wants, but a lot of people aren't sure how it's done. Finding the
game's native pointer path for the value you want to keep track of is the traditional way, but just
because it's traditional doesn't mean it's the best. In fact with how complex games are getting and
how many of them are being written in dynamically-managed languages nowadays (with some games
actually getting compiled in RAM each launch), a lot of games don't even have native pointer paths
built off of static base addresses anymore and the traditional pointer-finding method fails.

So I'm going to show you three modern techniques to make your table re-find the data for you each run.
For this tutorial I will be using the game Rogue Legacy as it's written in .NET and thus benefits from this.



- Pointer Scanner
Cheat Engine has a pointer scanner function now that's capable of finding all sorts of pointer paths
that the traditional methods won't find. It's fairly easy to use too. The first thing you're going to want
to do is the same as in any hack, and that is to scan the game to find what the current address of a
value is. In this case I'll go for health. Once you have that value found and it's in your table, right-click
it and choose one of the Find What ... This Address options.



Tip: I recommend you use "accesses" when possible, but in many cases "accesses" will be really slow
(for example when looking at coordinates) so choose "writes" if "accesses" is slowing things down.


Once Cheat Engine is logging what happens to our health address, I'm going to run around like a ninny
and get hit a few times and then look at the log window and see what popped up. In this case we're
trying to find the offset for health.



In this case it's pretty obvious that the offset is +118. You'll use this info to narrow down the pointer
searches. What you want to do now is Stop and Close that (bottom-right button) and then go back to
the normal address list. Right-click the health address you found and choose to run the Pointer Scanner.
When you do you'll see something like this pop up.



See the red highlighted parts? You're going to want to tell it to only keep results that end with a
certain offset, and then tell it that the final offset is 118 (because that's what we saw earlier).
The other two things you may want to change are the maximum offset (in this box it's decimal!)
and the depth. Generally the newer and more complex the game is, the bigger the max offset and
depths you may need to go. I recommend starting with an offset of 1024 and a depth of 4 for most
games, and if that ends in failure after a rescan then raise the values and try again. Anyways for
this game I'm using for an example, what's shown in the screen should be fine.

When you start the scan, it'll have you save the scan results somewhere. I recommend you choose a
place other than where your cheat tables are. I personally just made a "pointer scans" folder inside
the cheat table folder. Name the scan whatever you like. The scanning process can take from a minute
to an hour or more depending on the offset/depth...



So I recommend you have some Youtube videos or something to do in the meantime. Once it's done
with the initial scan you should see the results. Just like with a normal scan, the first set of results will
be the biggest, don't be scared by the number of results. What I recommend you do now is close the
game and restart it. Get back to where you were before, and scan for your health address, right-click it,
and open the pointer scanner. But this time, close the main popup window because you'll want to open
the previous scan results and work from there.







Simply put in the new address and let it filter the scan down. You could also simply give it the current
value instead of the address and let it work off of that, and while that is less work, it's also less precise,
as in it won't filter out as many bad pointers as specifying the new address itself will filter out.

Do a couple of rescans until you've narrowed it down to the point that it stops dropping tons of pointers
each scan. Unlike scanning for memory addresses normally, when doing pointer scans you will often
end up with a bunch of different pointers that work. Just like in life, there's many paths that can lead
to the same result, so don't expect the pointer scanner to go down to just 1-3 options like with normal
scans, because with many games you'll be left with 100 or more, all functional.





- Injection Copies
If pointer scanning isn't your thing or it's taking too long for you, a much faster method is to inject some
code that will copy the base address of the structure for us. As you saw in the above method, by looking
at code that reads/writes the address you can often find an offset. If you're looking for something like
player health, generally other stats like the player's mana and strength or whatever will be in the same
structure. You can try to find these addresses normally and see if they're very close or similar, if they're
very close to each other (~1024 +/-) then you can usually be assured that they're in the same structure.

So the basic idea is to find some code that works on something in the structure, and then edit that code
a bit to make it copy the right data for us every time. The first obstacle will be to find code that only
affects the structure you want. For Rogue Legacy, let's find our health value, find what accesses it (as
before you may need writes instead if accesses brings up way too many things), then once you have some
functions there click Stop. Pick one of the instructions that has something like "eax+00000188" in it.
Basically you'll want a function that works off of a register plus an offset, so we know that it deals
with the base address of the data we want. Once you see an acceptable target, click one of the functions
and then click the "Show Disassembler" button to open the memory viewer at the right location.



So at the time that target code executes, ebx+00000118 is our health value. This means that ebx contains
the base address of the player structure and +0x118 bytes from that is the health value. So if we can edit
this script to constantly copy the value of ebx out for us, we can have a "pointer" to the player's health
address (and any other stats in the structure) that won't break across restarts!

Anyways as you see in the screenshot, this will show the game's code in the disassembler window,
and now we want to see if that target code works off of just the data we want (which is good) or if it's a
shared/global function that works for lots of different things (we don't want that in this case). Right-click
the code and click "Find what addresses this instruction accesses" and you'll see a new window.



Play the game some more and do various things, and check back on that window now and then. If it only
shows one address as being accessed (which is in this case our health address) then you're good. However
if it shows multiple addresses as being accessed, then that's not a decent target for this technique and you
will want to target something else. Preferably something that's either unique to the player (such as MP if
enemies don't have MP limits) or something that's only displayed for you and not the enemies (like some
of your stats or something).

So once you've found code and you're certain it only affects the address you're targeting and has the right
notation in it (register+offset so we know it knows about the base address), it's time to actually write the
script for it. With the line of code highlighted in the disassembler, press CTRL+A and that should open the
Auto Assembler window. In there go to Template - Cheat Table Framework Code, and then click
Template - AOB Injection. Click okay on the address it asks for (by default it'll use the address of the
line that was highlighted when you opened the AA window), and when it asks for a name you should give
it something short and descriptive. In our case we're targeting code that reads HP, so here I chose
"hpreading".

After accepting that, you'll see the injection script template that CE has generated. After erasing the
comments and spacing (I do that just so I don't have to scroll all the time), it'd look something like this.



Now in order to tell this script to additionally copy the base address for our use, we'll add just two lines to it.



The first line, the globalalloc() function, is shorthand for allocating some memory and registering a label to
it globally for other scripts and things to use. The first argument is the name for the label. Personally I
pick something like _xbase because I try to use an underscore to mark things exposed for the table, and I try
to name the base address value copies something meaningful. The second argument is the number of bytes
to allocate. For 32-bit programs and things using less than 4GB of RAM, in most cases you'll only need 4

The second addition is what tells the game to actually copy the base address for us. In almost all cases
it's as simple as telling AA to do "move, into the value of the allocated memory, the contents of the register".
Replace the register with whatever one is actually used with the offset in the original code, of course.

The idea is that when this script is turned on, the code that you targeted will also copy the base address of that
structure to the allocated memory each time. And this memory has a label that we can use in the table to
reference it. So after adding those lines to your script, go to File - Assign To Current Cheat Table.
Do not click "Execute".

Now that script should be an entry in your cheat table. You'll probably want to close the AA window and then
rename the script copy in the table or something. You should be able to check it, and it should enable. Then
to actually see the fruit of your labor and use the results of that script, in CE's upper portion click the
"Add address manually" button. In there, you can use either the pointer syntax or manually type in the base
and offset like [_playerbase]+118.





Yup, there we go, as long as that script is turned on the game will be copying the base address of the player
structure for our use, and we can pull up anything in that structure with that syntax. So you can keep finding
stats in that structure, and then with one script the game will always tell you the right addresses!







- AOB To Data
So you may have a structure (set of stats/options) that you want to target, but in some situations pointer
scanning and injection just aren't feasible options. You may be working with a game running in an
interpreted environment (flash, web browser, scripting) or one that updates quite often and the code
changes while the data you're targeting stays mostly the same. In these cases and more, you can create a
scan right to the data structure you need instead and have CE fill in the rest of the addresses for you.

So, going on the same example as above, finding the health address and its offset. You're going to want
to do two things with that offset. You're going to want to write it down for later (write something like
"+118 = health" in notepad) and you're going to want to take your health address and subtract 118 from
it in hex. The default Windows calculator program can operate in hex if you put it in scientific mode first.



Once you have your health address with 118 (in hex) subtracted from it, that's the address to the
start of the player/character structure. Back in CE, click Add Address Manually and put in that
address. The type doesn't really matter, but I tend to make it binary so that it stands out visually in
the address list. I did it here and named it Player Structure Start, though a name isn't really needed.



Now you're going to want to click that address and press CTRL+B to open the Memory Browser. You
should see a new window, and the bottom half will be divided into three sections, like the screenshot.
You're probably going to want to resize the Memory Browser window until the middle section measures
16 bytes/pairs across, like in the screenshot.



The left section is the starting address of each row, the middle is the actual RAM contents in hexadecimal,
and the last section is the RAM contents expressed in ASCII. For this we want to focus on the middle section.
Click and drag in the middle section to select the first three rows or so. For some games just the first two
will do, for others you may need 5-7 rows, but for Rogue Legacy 3 is all we'll need. Once you have the
rows selected, press CTRL+C to copy them and then go and paste them into Notepad or something, making
sure to add back in the line breaks.

Then you'll want to close the game, start it back up, and do this again, copying another sample of what that
data looks like. I recommend doing things like loading in different characters and settings and a few
restarts just to make sure you have a wide range of samples. Here's four I picked up for this example.



Code:
A8 1E 17 01 00 00 00 00 00 00 00 00 28 12 88 03
00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00

A8 1E E3 00 00 00 00 00 00 00 00 00 28 12 88 03
00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00

A8 1E 6B 03 00 00 00 00 00 00 00 00 28 12 87 03
00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00

A8 1E 75 05 00 00 00 00 00 00 00 00 28 12 75 03
00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00

What you're going to want to do is compare all the data samples you have, and for the digits that don't
match on them, replace them with a question mark. For this example, the signature for my data is...


Code:
A8 1E ?? 0? 00 00 00 00 00 00 00 00 28 12 ?? ??
00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00


Now that you have your data signature to the player base, it's time to make the script that will scan for it.
Go back to the memory browser and in it, press CTRL+A to open the Auto Assemble window. Paste this.


Code:
[ENABLE]
aobscan(player, A8 1E ?? 0? 00 00 00 00 00 00 00 00 28 12 ?? ?? 00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00)
label(_player)
registersymbol(_player)

player:
_player:

[DISABLE]
unregistersymbol(_player)

Of course replace the example signature with the one you've made. I'm using "player" for the labels here
but if you're searching for another type of data replace the label with whatever other human-readable tag
you feel like. Then go to File -> Add To Current Cheat Table. Do NOT click "execute". Once it's been
added to the table, you can open it and edit/okay it from within there safely.

If you can click to check that script and it checks (it may take a second or two while it scans), then you're
good to continue. If it does not check by the time CE starts responding again, then that means it could
not find a match for the signature so you should double-check on that.

So what was all this signature work for anyways? Well, now's the time to see the fruits of your labor.
Remember how I had you note down what the health address was? Well, go to add an address manually
and for the address, type _player+118 (or whatever the health offset is). That's right, CE will understand
what you mean and when you run the script and it finds the player structure start and assigns it the label
of _player, any other addresses that work off of that will have it filled in. So let's say I added mana too.



Then I check the script and...



Bam, the table did the scan and finding and assigning for me so I don't need to scan for those values
manually any more. All you have to know is a signature for the structure and the offsets, and you can
make a scan like this. When it breaks, generally you only need to update the signature being scanned
for and the rest will fix itself. Feel free to keep scanning and adding offsets!
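As an added example (not part of Rydian's post, and not Rogue Legacy's real code), here is what the finished Injection Copies script from the section above looks like once the two extra lines are in place. The target instruction mov eax,[ebx+00000118], its bytes 8B 83 18 01 00 00, and the names hpreading, newmem and _playerbase are assumptions for illustration only; in practice the AOB Injection template fills in the real bytes of the line you had highlighted, and you only type the globalalloc() line and the mov into the allocated memory.

```asm
[ENABLE]
// Signature of the targeted instruction. The template generates this from the
// bytes at the highlighted line; assumed here to be mov eax,[ebx+00000118].
aobscan(hpreading, 8B 83 18 01 00 00)
alloc(newmem,$1000)
// Added line 1: 4 bytes of memory with a label that the whole table can use.
// 4 is enough for a 32-bit process; use 8 for a 64-bit one.
globalalloc(_playerbase,4)
label(code)
label(return)

newmem:

code:
  // Added line 2: each time the game reads HP, save the structure base.
  // The register is the one used with the offset in the original instruction.
  mov [_playerbase],ebx
  // Original instruction, executed unchanged so the game behaves normally.
  mov eax,[ebx+00000118]
  jmp return

hpreading:
  jmp newmem
  nop
return:
registersymbol(hpreading)

[DISABLE]
// Restore the original bytes so the game is untouched when the script is off.
hpreading:
  db 8B 83 18 01 00 00

unregistersymbol(hpreading)
dealloc(newmem)
```

Assign it to the table with File - Assign To Current Cheat Table (not Execute), enable it, then add [_playerbase]+118 manually for health, or [_playerbase]+<offset> for anything else in the same structure. Two things to keep in mind: the copy is only made when the hooked instruction actually runs, so until the game reads HP once [_playerbase] still holds 0 and the table entries show ?? (that is also why the head of this page says you must get hurt before such a script shows anything); and if "Find what addresses this instruction accesses" showed the instruction touching more than one address, the hook would copy whichever base was used last, which is exactly the shared-function case the text tells you to avoid.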





LF2005 wrote:

Code:
[ENABLE]
aobscan(player, A8 1E ?? 0? 00 00 00 00 00 00 00 00 28 12 ?? ?? 00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00)
label(_player)
registersymbol(_player)

player:
_player:

[DISABLE]
unregistersymbol(_player)

You didn't explain this code.
Isn't there a mistake? It seems that you call the scanner for the label player, then you declare a label _player & register the symbol _player, then initialize player & _player, and in the end finalize _player.

Is it possible to make more parameters?
_player is what's used and referenced in the table itself, outside of the script.

If you mean making the script find two different structures, then chances are making two separate scripts would be best as game updates might change one and not the other.





Rydian wrote: [the guide above, quoted in full]

@Rydian my friend programmer made a program that adds wildcards automatically.




I'm having trouble with the pointer scan. I'm using Cave Story to test this, with the HP address. Checking for access, I get this: 0042133E - 0FBF 0D CEE64900 - movsx ecx,word ptr [Doukutsu.exe+9E6CE]

So I add 9E6CE as offset, leave everything else as it is, and run the scan.. which then returns 0 results. Changing around max offset and level didn't help. What's wrong?
Doukutsu.exe+9E6CE is a static address. If you add it to your address list, it will always show your health without any additional effort.




Quote:


A8 1E 17 01 00 00 00 00 00 00 00 00 28 12 88 03
00 00 00 00 8F 00 00 00 56 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00


This ^ How'd you get this? The screenshot before it doesn't even show anything similar. Did I miss something?

Also I've skimmed over your other guide with AOB, however there you're not getting it from the bottom, but taking them from the bytes in the top half.

So yea I'm really confused here. Please help.

Edit: Apologies, both seem to work. I was simply confused as to why both work.. but well, both are bytes /facepalm


I can share my own program:

http://forum.cheatengine.org/viewtopic.php?t=572933

It's coded in VBS (open source) and you can compare more than 2 AoBs to get the best wildcard AoB.


I coded an easy tool to generate patterns for our AoB scan routines. The script is very simple; you only need to add some arrays of bytes (min 2, max infinite) and the script will generate a valid pattern, example:



Here is the script: http://pastebin.com/tQsvbSkh

Just copy & paste the script into a TXT file (Notepad) and save it as whatever.vbs


Option Explicit
Dim oWSH, oFSO, T, X, AoB, F, W, i, u, File

Set oWSH = CreateObject("WScript.Shell")
Set oFSO = CreateObject("Scripting.FileSystemObject")

' Collect at least two arrays of bytes, one sample per line, as copied
' from the Memory Browser (e.g. "A8 1E 17 01 00 00 ...")
T = InputBox("Enter array of bytes nº 1:")
T = T & vbCrLf & InputBox("Enter array of bytes nº 2:")
X = 3
While MsgBox("Do you want to introduce another array of bytes?", vbYesNo, "AoB Pattern Generator") = vbYes
        T = T & vbCrLf & InputBox("Enter array of bytes nº " & X & ":")
        X = X + 1
Wend

AoB = Split(T, vbCrLf)
F = ""   ' the resulting pattern
W = 0    ' number of wildcard characters emitted
X = 0    ' flag: current position differs in at least one sample

' Compare the samples against the first one character by character, i.e. one
' hex digit (nibble) at a time, so a digit that differs in any sample becomes
' "?" while a matching neighbour digit is kept (giving patterns like "0?").
' Samples shorter than the first one count as differing past their end.
For i = 1 To Len(AoB(0))
        For u = 1 To UBound(AoB)
                If Mid(AoB(u), i, 1) <> Mid(AoB(0), i, 1) Then
                        F = F & "?"
                        W = W + 1
                        X = 1
                        Exit For
                End If
        Next
        If X <> 1 Then F = F & Mid(AoB(0), i, 1)
        X = 0
Next

' Write the samples and the generated pattern to aob.txt next to the script
' (True = overwrite an existing file instead of failing on it)
Set File = oFSO.CreateTextFile("aob.txt", True)
        File.Write "Original array of bytes:" & vbCrLf & vbCrLf
        File.Write Replace(T, vbCrLf & vbCrLf, vbCrLf) & vbCrLf & vbCrLf
        File.Write "Total array of bytes: " & UBound(AoB) + 1 & vbCrLf
        File.Write "Total wildcards used: " & W & vbCrLf & vbCrLf
        File.Write "Your AoB Pattern:" & vbCrLf & vbCrLf & F
File.Close

If MsgBox("AoB Pattern Generator finished" & vbCrLf & vbCrLf & "Do you want to open the aob.txt file?", vbYesNo, "AoB Pattern Generator") = vbYes Then
        oWSH.Run "notepad.exe aob.txt"
End If




whipsmack wrote:

I'm having trouble with the pointer scan. I'm using Cave Story to test this, with the HP address. Checking for access, I get this: 0042133E - 0FBF 0D CEE64900 - movsx ecx,word ptr [Doukutsu.exe+9E6CE]

So I add 9E6CE as offset, leave everything else as it is, and run the scan.. which then returns 0 results. Changing around max offset and level didn't help. What's wrong?
Cave Story doesn't use pointers for health, it's always a static address there. Same with the + version, which is an update of the original engine. That's why I used a .NET game for this example, 'cause you'll want something that actually does move memory around dynamically.


0vad0z3 wrote:
I have a question about your AOB to Data script, Rydian.

Is it possible to add something to your script to make the address I want more specific?

For example we'll use the address "0AD2425C". I want the script to search for the wild carded array of bytes of this address while also searching for the end value of the address, in this case "C".

Or even make the script search around a certain address for the wildcarded array of bytes. Like search around in a 100 bytes parameter of address "0AD2425C" for array of bytes.
I wouldn't know how to do that. In cases where the AOB signature itself is getting more than one result, it generally means that you need to try a different angle or approach if what you're targeting can't be uniquely identified.


Tigerlemur wrote:
So I'm trying to follow along with this tutorial in Medieval Total War 2 for gold (there's already a table, I think, but I'm just doing it to learn). I found the address, I found the offset... Those parts were easy. I got to the quoted step and got these results:

[snipped]

The script didn't work.

I noticed pretty quickly that the codes are really different and I have to put in lots ?s. To be certain I had the offset correct, I checked it each time, and the address -did- allow me to change the gold value in game, so I don't think that's the problem. Are Total War games bad for this? Is there a trick I'm missing in the way it was coded or..?

As a secondary note, I noticed a couple of places that weren't static, but only appeared to change a between two types. The ninth pair only ever was DC or C4. Should I try using that rather than a question mark?

I'd like to learn this method. The pointer scanner can REALLY eat up data sometimes, and bigger games have some reeeaaallly deep multi-level pointers.

In that situation, the memory area you're targeting isn't good for a signature. Try something else that's close to what you're looking at, perhaps something a few lines earlier.

Or, try finding the base of the structure of what you're looking for (like if health is eax+18, target eax).


by 
Rydian
Grandmaster Cheater Supreme

==================================================================================

http://forum.cheatengine.org
{ the site doesn't work correctly for now due to a DDoS attack and other trouble; hope it's just temporary }

I just have some posts that I have read and understood; hopefully others of you will post some more.
And please let me know where it is!
   Thanks!

Forge By Games # ForgeByGames

=================================================================

FreeER "aka" atubeacct
has shared this:

You can use the wayback machine (aka the internet archive) to access some pages including this wonderful guide and the first 6 pages of comments

https://web.archive.org/web/20150908103929/http://forum.cheatengine.org/viewtopic.php?t=542093&postdays=0&postorder=asc&start=0
 {note}

Hopefully the forum itself being down is just temporary but... there's probably no harm in saving / rehosting (with credit as done here of course) any particularly useful posts/discussions (downloads may not work but at least 5k+ of the cheat tables have been hosted at https://github.com/Hexorg/CheatEngineTables; that would still leave some lua extensions potentially lost in a worst case scenario and many scripts and useful tips from the posts themselves).

=================================================================
  {note}
 this link is for
COMPLETE CheatEngine Tutorial(with pictures) UPDATE JAN 2015
  at  my thanks to Cheat Engine and Dark Byte (1)

I am not good at finding links; any link to the old posts is welcome.
    Thanks!
  Forge By Games # ForgeByGames


Thursday 2 March 2017

my thanks to Cheat Engine and Dark Byte (1)

I am very sad about what happened at forum.cheatengine.org; it has been targeted by the big companies from the game industry (seems like it's due to copyright claims by Bethesda, claiming Cheat Engine is violating the works of companies like Bethesda etc...) [you know the big ones can name any reasons],
giving Dark Byte, the admin and creator of Cheat Engine, such a big problem.
Read  more here

{ the site doesn't work correctly for now due to a DDoS attack and other trouble; hope it's just temporary }
Besides an amplified DDoS attack, also a 'Notice of Infringement' from a representative of Bethesda and others. (Is this a coincidence? ................)


Dark Byte, my thanks to you for all your hard work; I hope the problem will only be temporary.

I will release a series of all I learned from forum.cheatengine.org.


I just have some posts that I have read and understood; hopefully others of you will post some more.
And please let me know where it is!
   Thanks!
Forge By Games # ForgeByGames





this is the 1st part

all credit goes to, and all of this is from

http://forum.cheatengine.org/viewtopic.php?t=542093
{ the site doesn't work correctly for now due to a DDoS attack and other trouble; hope it's just temporary }

written by
YoungDragon
Grandmaster Cheater Supreme

COMPLETE CheatEngine Tutorial(with pictures) UPDATE JAN 2015


Hey, here is a good tutorial(Well, I think it's pretty good) that I made. Hope you like it.
-------------------------------------
Table of contents:
1. Introduction
2. The tutorial introduction
3. Tutorial 1
4. Tutorial 2
5. Tutorial 3
6. Tutorial 4
7. Tutorial 5
8. Tutorial 6
9. Tutorial 7
10. Tutorial 8
11. Other related stuff
12. Credits
-------------------------------------

Chapter 1: Introduction

Welcome to YoungDragon's Cheat Engine tutorial, updated January 23, 2015. It needs some updating due to new tutorials in cheat engine, and because Imageshack really sucks. Pictures now on Imgur. In this tutorial, there are 12 chapters. Also, I recycled most of the old stuff, changing Chapter 9 to a way better method. This took me hours to make, and even more hours to update it. Anyways, this will give you a basic and more advanced chance to try CheatEngine! Cheat Engine is a program which allows you to scan addresses, change values, search process memory, and allows you to edit stuff you wouldn't usually be able to edit. Cheat Engine was founded and invented by Dark Byte. It's a very powerful and well known program. Cheat Engine can be downloaded here: Click me to go to the url!. Most Anti-viruses think Cheat Engine is a virus. It is NOT a virus. I want to make that perfectly clear. It has some tools that Anti-viruses think are dangerous like hacking tools. If you are too scared to download it, download the retarded idiot version(It's for retarded idiots who don't trust anybody, by the way). Cheat Engine is a completely SAFE program. Also, http://www.cheatengine.org is NOT responsible for any illegal use of Cheat Engine. If you get caught using it illegally, it's your problem. It was not intended for illegal use. Now, we will continue to the tutorial. Here is an image of what the program looks like(v6.4):



-------------------------------------

Chapter 2: The tutorial introduction
Cheat Engine comes with a FREE TUTORIAL! That's great! We will use that in this guide. To find it, click start, all programs, find the directory where Cheat Engine was installed(By default, it's Cheat Engine [version]), click Cheat Engine tutorial.



Here is what it looks like(v3.2)



This is where we will start the whole tutorial, which will help you with everything you need to know. Here is what Dark Byte wrote:


Dark Byte wrote:
Welcome to the Cheat Engine Tutorial. (v3.2)

This tutorial will try to explain the basics of cheating on games, and getting you more familiar with Cheat Engine.

First open Cheat Engine if it hasn't been opened yet.
Then click on the 'open process' icon. (top left icon, with the computer on it)

When the process window is open find this tutorial. The process name is probably 'tutorial.exe' unless you renamed it.
Select it, and click ok. Just ignore all the other buttons right now, but experiment with them later if you feel like it.

When everything went right, the process window should be gone now and at the top of CE the process name is shown.

Now, click NEXT to continue to the next step. (Or fill in the password to proceed to that particular step you want)


Now, you will have to get the process of Cheat Engine Tutorial. On the top left of the screen, there is a glowing computer.


Click it to open the process menu.

Click the Cheat engine tutorial process.



Click Open and you have successfully gotten a process loaded in Cheat Engine!

Press "Next" to go to tutorial 1 and read Chapter 3.

Note: You can save the passwords it gives you so you can continue where you were. Thank Dark Byte!  

Chapter 3: Tutorial 1

This is the most BASIC tutorial you have! After you press next, this is what you will get:


Dark Byte wrote:
Step 2: Exact Value scanning (PW=XXXXXX)
Now that you have opened the tutorial with Cheat Engine lets get on with the next step.

You see at the bottom of this window the text Health: xxx
Each time you click 'Hit me' your health gets decreased.

To get to the next step you have to find this value and change it to 1000

To find the value there are different ways, but I'll tell you about the easiest, 'Exact Value':
First make sure value type is set to at least 2 bytes or 4 bytes, 1 byte will also work, but you'll run into an easy to fix problem when you've found the address and want to change it. The 8-byte may perhaps work if the
bytes after the address are 0, but I wouldn't take the bet.
Single, double, and the other scans just don't work, because they store the value in a different way.

When the value type is set correctly, make sure the scantype is set to 'Exact Value'
Then fill in the number your health is in the value box. And click 'First Scan'
After a while (if you have an extremely slow PC) the scan is done and the results are shown in the list on the left

If you find more than 1 address and you don't know for sure which address it is, click 'Hit me', fill in the new health value into the value box, and click 'Next Scan'
repeat this until you're sure you've found it. (that includes that there's only 1 address in the list.....)

Now double click the address in the list on the left. This makes the address pop-up in the list at the bottom, showing you the current value.
Double click the value, (or select it and press enter), and change the value to 1000.

If everything went ok the next button should become enabled, and you're ready for the next step.


Note:
If you did anything wrong while scanning, click "New Scan" and repeat the scanning again.
Also, try playing around with the value and click 'hit me'




This tutorial stores your health using the 4 byte data value. Cheat Engine uses this by default. In this case, you are given the EXACT value of health you have (100). Go to Cheat Engine and in the Value box, type in 100. Click first scan.



Look to the left. Find a table that shows "Address" and "Value". An address is where the data is stored and the value is what the data is. The actual value.



Go to the tutorial and click "Hit me". Your health should go down. My health got to 99. The health you got will be called "myHp". Whenever I refer to myHp, you get the number you have as your health. Go back to Cheat Engine and then type myHp(The health number) you got into the value box. Then press next scan.



You should come up with ONE value. Now, my address is 01855F30. Your address will be different. If it's different, don't say "OMGZZZ, I DIDZ IT WRONGZZZZ. FUCKZZZ THIS TUTORIALZZZ!!!!!!!!" It will not be the same every time. Addresses change. Double click the address with the value of myHp(The health number. Mine is 95). It should then also be at the bottom.



Now, you see the "Next" button is grey and blocked so you can't go to the next tutorial. (Sad Sad Sad) Don't worry, we will make it clickable now! To go to the next tutorial, the value has to be >1000(Greater than 1000). Double click the value section at bottom left side. You should get this:



Change the value to 1000 and press OK.



Go back to Cheat Engine tutorial and see that the Next button is unlocked! WAIT! Don't click it. Click "Hit me" and your Health should go UP to 99x.(Change the value to 1000 and press Next to finish Tutorial 1)

You have now finished Tutorial 1!

Chapter 4: Tutorial 2

This tutorial will help you in finding unknown values, like if all you got is a loading bar. Here is what Dark Byte wrote.


Dark Byte wrote:

Step 3: Unknown initial value (PW=SEXSEX)
Ok, seeing that you've figured out how to find a value using exact value let's move on to the next step.

In the previous test we knew the initial value so we could do an exact value, but now we have a status bar where we don't know the starting value.
We only know that the value is between 0 and 500. And each time you click 'hit me' you lose some health. The amount you lose each time is shown above the status bar.

Again there are several different ways to find the value. (like doing a decreased value by... scan), but I'll only explain the easiest. "Unknown initial value", and decreased value.
Because you don't know the value it is right now, an exact value won't do any good, so choose as scantype 'Unknown initial value', again, the value type is 4-bytes. (most Windows apps use 4-bytes) Click first scan and wait till it's done.

When it is done click 'hit me'. You'll lose some of your health. (the amount you lost shows for a few seconds and then disappears, but you don't need that)
Now go to Cheat Engine, and choose 'Decreased Value' and click 'Next Scan'
When that scan is done, click hit me again, and repeat the above till you only find a few.

We know the value is between 0 and 500, so pick the one that is most likely the address we need, and add it to the list.
Now change the health to 5000, to proceed to the next step.


Click new scan and the table with address/value should clear. Also, select the address we changed to 1000 and click the delete button on the keyboard. This should get rid of that to get rid of future confusion. Now, you see a full progress bar with a value you do not know. Every time you press Hit me, you will get "-(Random number)". Here is what it looks like:



Go to cheat engine and find value type. By default, it's 4 byte. Change 4 byte to "Unknown initial value" and click Scan.



Now, the thing should go back to normal like nothing happened. It should go back to 4 byte. Now, go back to the tutorial app and click Hit me. You should see a thing that says "-(Random number)". Click Hit me now.



As you can see, I lost 8 hp. Go to Cheat Engine, change the value type to "Decreased value by...". Now put the number of HP you lost in the box. Then press Next scan.



Keep on doing this until you have less than 10 addresses. Now, I ended up with 4 addresses. 1 of them is 116. The others at 4,000,000,00+. You have to get at least 5000 for the "Next" button to unlock. Which one do you think is correct if the "Next" button is locked? Yes, it's the address with the value of 116. Double click it to send it to the bottom. Change the value to 5020. Click "Hit me" and the progress bar should get full. If it didn't, you did it wrong. Change the value to 5000 and click Next. This is how you get unknown values quickly. If you do not know what the value decreased by, change the value type to "decreased value" and hit "next scan".

Chapter 5: Tutorial 3

In this tutorial, you will be dealing with different data types. We were dealing with 4 bytes. This time, we will deal with float and double. This is what Dark Byte wrote.


Dark Byte wrote:
Step 4: Floating points (PW=890124)
In the previous tutorial we used bytes to scan, but some games store information in so called 'floating point' notations.
(probably to prevent simple memory scanners from finding it the easy way)
a floating point is a value with some digits behind the point. (like 5.12 or 11321.1)

Below you see your health and ammo. Both are stored as Floating point notations, but health is stored as a float and ammo is stored as a double.
Click on hit me to lose some health, and on shoot to decrease your ammo with 0.5

You have to set BOTH values to 5000 or higher to proceed.

Exact value scan will work fine here, but you may want to experiment with other types too.


First, click New scan. Delete the address we changed to 5000. Keep scan type to Exact Value, but change Value type to Float.



Now, type 100 into the value textbox and click First Scan.



I got 2 addresses! That's good. Now, click Hit me. I got 97.4. Go to cheat Engine and type 97.4 (Or whatever you got) into the textbox and click Next Scan. I came up with 1 address. We will do what we did in the other tutorials, we will double click and change the value.



Change it to 5000.
Click New Scan and do NOT delete the float address change. Change the value type to Double. Scan 100.



I came up with 1 value. Click "Fire" on the tutorial to see if it is the value. If you get 99.5 in Cheat Engine. That's it! Double click and change the value to 5000. The "Next button" should unlock. Click next to Continue.

Congrats! You just finished the "BASICS!" Yes, the basics. If you thought that was hard, try doing the tutorial again and again until you get it right. Now, we will go to Medium. Then Hard.
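To make the scan logic of Chapters 3 to 5 concrete, here is an added Python example (not YoungDragon's or Dark Byte's code) that replays the exact, unknown-initial-value and decreased-by scans over a small constructed memory image with the three value types used so far. The addresses and values are constructed to mirror the tutorial's numbers (health 100 to 95, a bar that loses 8, float health 100 to 97.4, double ammo that drops 0.5 per shot); the 4-byte scan alignment and the float comparison tolerance are simplifying assumptions, not Cheat Engine's exact settings.

```python
"""Simulated Cheat Engine scans over a constructed memory image. Added example
covering the exact, unknown-initial-value and decreased-by scans and the
4 bytes / float / double value types; not YoungDragon's or Dark Byte's code."""
import struct
from typing import Dict, Optional, Tuple

# struct formats for the value types used in the tutorial (little-endian x86)
VALUE_TYPES = {"4 bytes": "<i", "float": "<f", "double": "<d"}
ALIGN = 4          # scan aligned addresses only (assumption: CE's fast-scan default)
EPSILON = 1e-3     # simplification of CE's rounded float compare (assumption)


def build_memory(size: int, contents: Dict[int, Tuple[str, float]]) -> bytearray:
    """Constructed memory image: zeros plus the given (type, value) at each address."""
    mem = bytearray(size)
    for addr, (vtype, value) in contents.items():
        struct.pack_into(VALUE_TYPES[vtype], mem, addr, value)
    return mem


def read_value(mem: bytes, addr: int, vtype: str):
    return struct.unpack_from(VALUE_TYPES[vtype], mem, addr)[0]


def _same(a, b, vtype: str) -> bool:
    return a == b if vtype == "4 bytes" else abs(a - b) < EPSILON


def first_scan(mem: bytes, vtype: str, exact: Optional[float] = None) -> Dict[int, float]:
    """'Exact Value' when exact is given, otherwise 'Unknown initial value'
    (every aligned address is kept, with its current value remembered)."""
    size = struct.calcsize(VALUE_TYPES[vtype])
    found = {}
    for addr in range(0, len(mem) - size + 1, ALIGN):
        val = read_value(mem, addr, vtype)
        if exact is None or _same(val, exact, vtype):
            found[addr] = val
    return found


def _passes(mode: str, old, cur, amount, vtype: str) -> bool:
    if mode == "exact":
        return _same(cur, amount, vtype)
    if mode == "decreased":
        return cur < old
    if mode == "increased":
        return cur > old
    if mode == "changed":
        return cur != old
    if mode == "unchanged":
        return cur == old
    if mode == "decreased by":
        return _same(old - cur, amount, vtype)
    raise ValueError(f"unknown scan mode {mode!r}")


def next_scan(mem: bytes, prev: Dict[int, float], vtype: str, mode: str,
              amount: Optional[float] = None) -> Dict[int, float]:
    """Filter the previous result set against the current memory snapshot."""
    return {addr: read_value(mem, addr, vtype) for addr, old in prev.items()
            if _passes(mode, old, read_value(mem, addr, vtype), amount, vtype)}


# Constructed snapshots of the tutorial's memory: before and after one "Hit me"/"Fire"
BEFORE = build_memory(0x40, {
    0x08: ("4 bytes", 412),     # progress bar, starting value unknown to the player
    0x10: ("4 bytes", 100),     # health (step 2)
    0x20: ("4 bytes", 100),     # decoy that also holds 100 but never changes
    0x30: ("float", 100.0),     # health stored as float (step 4)
    0x38: ("double", 100.0),    # ammo stored as double (step 4)
})
AFTER = build_memory(0x40, {
    0x08: ("4 bytes", 404),     # the bar lost 8
    0x10: ("4 bytes", 95),
    0x20: ("4 bytes", 100),
    0x30: ("float", 97.4),
    0x38: ("double", 99.5),     # one shot costs 0.5
})


def walkthrough() -> Dict[str, list]:
    """Replays the tutorial's scans; returns the surviving addresses per step."""
    hp = first_scan(BEFORE, "4 bytes", 100)                   # step 2: two candidates
    hp = next_scan(AFTER, hp, "4 bytes", "exact", 95)         # narrowed to one
    bar = first_scan(BEFORE, "4 bytes")                       # step 3: unknown initial value
    bar = next_scan(AFTER, bar, "4 bytes", "decreased by", 8)
    fhp = first_scan(BEFORE, "float", 100)                    # step 4: float and double
    fhp = next_scan(AFTER, fhp, "float", "exact", 97.4)
    ammo = first_scan(BEFORE, "double", 100)
    ammo = next_scan(AFTER, ammo, "double", "decreased by", 0.5)
    return {"health": sorted(hp), "bar": sorted(bar),
            "float health": sorted(fhp), "double ammo": sorted(ammo)}


if __name__ == "__main__":
    for step, addrs in walkthrough().items():
        print(f"{step:13s}: {[hex(a) for a in addrs]}")
```

Note what the 4-byte exact scan for 100 never sees: the float 100.0 at 0x30 is stored as the bit pattern 0x42C80000, and the double at 0x38 as 0x4059000000000000, which is exactly Dark Byte's point that floating-point values "store the value in a different way" and need their own value type.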

This is Medium.

Chapter 6: Tutorial 4

This is a harder tutorial. We will find out how to use the Code Finder.

Here is what Dark Byte wrote:


Dark Byte wrote:

Step 5: Code finder (PW=NOPW4U)
Sometimes the location something is stored at changes when you restart the game, or even while you're playing. In that case you can use 2 things to still make a table that works.
In this step I'll try to describe how to use the Code Finder function.

The value down here will be at a different location each time you start the tutorial, so a normal entry in the address list wouldn't work.
First try to find the address. (you've got to this point so I assume you know how to)
When you've found the address, right-click the address in Cheat Engine and choose "Find out what writes to this address". A window will pop up with an empty list.
Then click on the Change value button in this tutorial, and go back to Cheat Engine. If everything went right there should be an address with assembler code there now.
Click it and choose the replace option to replace it with code that does nothing. That will also add the code address to the code list in the advanced options window. (Which gets saved if you save your table)

Click on stop, so the game will start running normally again, and Close to close the window.
Now, click on Change value, and if everything went right the Next button should become enabled.

Note: When you're freezing the address with a high enough speed it may happen that next becomes visible anyhow


First, find the address. All the previous tutorials found out the address. So now, you know how to do it. Use 4 bytes.
I have found the address. Here is what I got:



Now, double click it to make it go down. Right click the address(After you put it at the very bottom) and press "Find out what writes to this address". A new window should pop up.(If it asks you about a debugger, press yes)



Click "Change Value" where the tutorial is and then go back to Cheat Engine. Now, you should see something new. A bunch of stuff like "eax", "ebx", "ebp", "xxx", "sex", etc., etc. might pop up, but in our case, only one thing shows up.



Select it and click the replace button. ANOTHER window should pop up. Remove everything that was in it.



to



Press OK.

Now, Click "Stop" and then "Close". Go to the tutorial and click Change Value. It should stay the same and then the "Next" button should be unlocked!!! As Charlie Sheen would say, Winning.

Chapter 7: Tutorial 5

Now, this is more advanced than the last tutorial. Still in the medium section, BUT it's a little bit hard. This one uses pointers. Ok, first, get the address with the value of 100. At this point, you should know how to get an address.

Here is what Dark Byte wrote:


Dark Byte wrote:

Step 6: Pointers: (PW=XXXXXX)
In the previous step I explained how to use the Code finder to handle changing locations. But that method alone makes it difficult to find the address to set the values you want.
That's why there are pointers:

At the bottom you'll find 2 buttons. One will change the value, and the other changes the value AND the location of the value.
For this step you don't really need to know assembler, but it helps a lot if you do.

First find the address of the value. When you've found it use the function to find out what accesses this address.
Change the value again, and an item will show in the list. Double click that item. (or select and click on more info) and a new window will open with detailed information on what happened when the instruction ran.
If the assembler instruction doesn't have anything between a '[' and ']' then use another item in the list.
If it does it will say what it thinks will be the value of the pointer you need.
Go back to the main cheat engine window (you can keep this extra info window open if you want, but if you close it, remember what is between the [ and ] ) and do a 4 byte scan in hexadecimal for the value the extra info told you.
When done scanning it may return 1 or a few hundred addresses. Most of the time the address you need will be the smallest one. Now click on manually add and select the pointer checkbox.

The window will change and allow you to type in the address of a pointer and an offset.
Fill in as address the address you just found.
If the assembler instruction has a calculation (e.g: [esi+12]) at the end then type the value in that's at the end. else leave it 0. If it was a more complicated instruction look at the calculation.

example of a more complicated instruction:
[EAX*2+EDX+00000310] eax=4C and edx=00801234.
In this case EDX would be the value the pointer has, and EAX*2+00000310 the offset, so the offset you'd fill in would be 2*4C+00000310=3A8. (this is all in hex, use calc.exe from windows in scientific mode to calculate)

Back to the tutorial, click OK and the address will be added. If all went right the address will show P->xxxxxxx, with xxxxxxx being the address of the value you found. If that's not right, you've done something wrong.
Now, change the value using the pointer you added in 5000 and freeze it. Then click Change pointer, and if all went
right the next button will become visible.


extra:
And you could also use the pointer scanner to find the pointer to this address


After you have the address. Move it to the bottom and right click. Click "Find out what writes to this address". You will then press change value on CE tutorial and will get some info in the popup screen.



Click on the first one. Mine is 00426562 - 89 02 - mov [edx],eax. Then press more information. You should get this.



Find where it says "The value of the pointer needed to find this address is probably XXXXXXXX" Mine is 001F65E8. Close that and close the data table to just show Cheat Engine. Now click new scan and check the hex button. Type in what you got for XXXXXXXX. Click "First Scan".

I got 1 address.



Press "Add address manually". Click the pointer checkbox. Now type in the address you got. I got 00645360. For offset, leave as 0. Press OK. (NOTE: YOU SHOULD GET THE SAME THING AS ME IF YOU'RE USING TUTORIAL VERSION 3.2)

The value should be the same as the other address. If you got "??" then you did it wrong. Try again. If you got this:



Then you did it right! Try pressing "Change Value" on the tutorial to mess around with it. Both values will change!
Now, change The value of the one with the address of "P -> XXXXXXXX" to 5000. Then check the "Active box" to freeze the value. Go back to the tutorial and press "Change Pointer". Wait for it to stop and the next button should unlock!


Press next and go to the next chapter.

Chapter 8: Tutorial 6

This is one of my FAVORITE parts of this tutorial!! This is because you get to create your own little code. Here is what Dark Byte wrote:


Dark Byte wrote:
Step 7: Code Injection: (PW=ULOSER)
Code injection is a technique where one injects a piece of code into the target process, and then reroute the execution of code to go through your own written code

In this tutorial you'll have a health value and a button that will decrease your health with 1 each time you click it.
Your task is to use code injection to increase the value of your health with 2 every time it is clicked

Start with finding the address and then find what writes to it.
then when you've found the code that decreases it browse to that address in the disassembler, and open the auto assembler window (ctrl+a)
There click on template and then code injection, and give it the address that decreases health (If it isn't already filled in correctly)
That will generate a basic auto assembler injection framework you can use for your code.

Notice the alloc, that will allocate a block of memory for your code cave, in the past, in the pre windows 2000 systems, people had to find code caves in the memory(regions of memory unused by the game), but that's luckily a thing of the past since windows 2000, and will these days cause errors when trying to be used, due to SP2 of XP and the NX bit of new CPU's

Also notice the line newmem: and originalcode: and the text "Place your code here"
As you guessed it, write your code here that will increase the health with 2.
A useful assembler instruction in this case is the "ADD instruction"
here are a few examples:
"ADD [00901234],9" to increase the address at 00901234 with 9
"ADD [ESP+4],9" to increase the address pointed to by ESP+4 with 9
In this case, you'll have to use the same thing between the brackets as the original code has that decreases your health

Notice:
It is recommended to delete the line that decreases your health from the original code section, else you'll have to increase your health with 3 (you increase with 3, the original code decreases with 1, so the end result is increase with 2), which might become confusing. But it's all up to you and your programming.

Notice 2:
In some games the original code can exist out of multiple instructions, and sometimes, not always, it might happen that a code at another place jumps into your jump instruction and will then cause unknown behavior. If that happens, you should usually look near that instruction and see the jumps and fix it, or perhaps even choose to use a different address to do the code injection from. As long as you're able to figure out the address to change from inside your injected code.


To start out, delete all the addresses and restart the whole scan process. Find the address. After you find it, right click it after you took it to the bottom. Then, click "Find out what writes to this address". Click "Hit Me" and make the HP go down. Look at the data that was traced. I got 00426C40 - FF 8B 78040000 - dec [ebx+00000478]. Click "Show disassembler".



Now, press Ctrl + A to open Auto disassembler.



Now, click template and press "Code Injection". Press yes if a pop up shows.



See original code? You got dec [ebx+00000478]. Copy that. Then turn it into a comment so it doesn't interfere with our new code by adding "//" before it without the quotes. Delete the stuff next to // under newmem. paste the thing you copied under newmem and change dec to add. also, add ",2" to it. (The instructions tell you to add 2 to it every time you click "Hit me") You should get this:


Code:
add [ebx+00000478],2




Now, press Execute and you then go back to the CE tutorial. Press hit me to get +2 HP. Press next and go to the next chapter.
Again, this is my FAVORITE part. I love using code injection as it is EXTREMELY useful.

Chapter 9: Tutorial 7

This is the second to last tutorial!

Here is what Dark Byte wrote:


Dark Byte wrote:
Step 8: Multilevel pointers: (PW=HAHANO)
This step will explain how to use multi-level pointers.
In step 6 you had a simple level-1 pointer, with the first address found already being the real base address.
This step however is a level-4 pointer. It has a pointer to a pointer to a pointer to a pointer to a pointer to the health.

You basically do the same as in step 6. Find out what accesses the value, look at the instruction and what probably is the base pointer value, and what is the offset, and already fill that in or write it down. But in this case the address you'll find will also be a pointer. You just have to find out the pointer to that pointer exactly the same way as you did with the value. Find out what accesses that address you found, look at the assembler instruction, note the probable instruction and offset, and use that.
and continue till you can't get any further (usually when the base address is a static address, shown up as green)

Click Change Value to let the tutorial access the health.
If you think you've found the pointer path click Change Register. The pointers and value will then change and you'll have 3 seconds to freeze the address to 5000

Extra: This problem can also be solved using an auto assembler script, or using the pointer scanner
Extra2: In some situations it is recommended to change ce's codefinder settings to Access violations when
Encountering instructions like mov eax,[eax] since debugregisters show it AFTER it was changed, making it hard to find out the value of the pointer





Extra3: If you're still reading. You might notice that when looking at the assembler instructions that the pointer is being read and filled out in the same codeblock (same routine, if you know assembler, look up till the start of the routine). This doesn't always happen, but can be really useful in finding a pointer when debugging is troublesome


First, Find the address and move it to the lower part of CE like we always do. You should find the address pretty quickly. I am literally rewriting this tutorial because the last one sucked ass and it didn't really help. Also, it will help if you have notepad open. You'll see why later. Right click the address and follow what you did in Chapter 7. Find out what writes to the address. Click change value, and then when you get to this screen:



Write down in notepad "Offsets:" and under that, write "First offset: 18". Let me explain. An offset is what is used to find pointers. It makes the pointer look in the right direction. A house could be pointed in the direction West, however just saying "West" is never going to get you the house. Now, if you tell the pointer that it's the 18th house, then you have the exact house. A multilevel pointer has multiple offsets. You'll see what I mean later. Basically, it's like "It's the west house, to the left of the 18th house, past the 1st house, going to the right of the 14th house, and then finally arriving at the house by 0C." Again, you'll see what I mean later.



Now again, do what you did in Chapter 7, scan in hex for the value of the pointer and then you'll get one to three addresses. It's usually the first one. However, it's not green. Green addresses are static addresses, which means that it's what everything is pointing to and basically, in the example from earlier, the house that you're getting. That means that it's pointing to another address.



Again, click "Add address manually", and then check the pointer box. ****NOTE, REMEMBER TO SET THE OFFSET TO 18!!. Then, write the address you got and press "OK".



At this point, you need to do it all over again. Right click that, but this time click "Find out what accesses this address". Then click "Find out what accesses this pointer". This is different because pointers don't write anything. They only access. It's pretty self explanatory. Click change value and you should get 2-10 things. I got two things. It's the same as before. Click more information. This time, notice there is no plus. That means the second offset is 0. Write down in the notepad "Second offset: 0".



We're writing this down because the more pointers we get, the more levels of offset we need to get to our direction. Basically, it's like giving cheat engine to find the direction of the value. Scan for the value of the pointer to find the address in hex like usual and you should get a few addresses. Again, it's usually the first one.



Still not green. Well, to do that again. Click "Add Address Manually", and click the pointer box. However, before you do anything, click "Add Offset". This will add two more textboxes. Now, this why we're keeping track of our offsets in notepad. So that we can use them there and not have to memorize them. Make sure the top one is 18 and the second is 0. Then, put the address you found.



All the values should be the same. If they're not, the offsets are either not correct or you messed something else up. Restart the tutorial.

Again, not green however. Keep doing this, noting all the offsets, until you finally get a green address.


Found it. I'll show you photos of my CE, the addresses, the offsets and everything.




So you see how multilevel pointers work or I hope you did when you saw the pictures.

Now, all that's left to do is change the last one to "5000", check the active box and be done with that! Click "Change pointer" and after 3 seconds, the next button should be clickable. There's the last one.
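To make the "directions" idea concrete, here is an added example (my own code, not part of the guide or of Cheat Engine) that resolves a multilevel pointer the way CE's pointer entry does, over a toy 32-bit little-endian memory image. The static base address, the heap addresses, the offset list and the value are all constructed for the example; the offset list is written in the same order as the Notepad list in the guide (first offset nearest the value, last offset nearest the static base). The example goes one level deeper than the tutorial (three offsets instead of two) and also simulates a "restart" where every heap object moves, to show why only the green static base plus the offsets survive.

```python
import struct

# Toy process memory: maps a dword-aligned address to its 4 little-endian bytes.
# Every address and value in this file is constructed for the example.
MEMORY = {}

def write_u32(addr, value):
    MEMORY[addr] = struct.pack("<I", value)

def read_u32(addr):
    if addr not in MEMORY:
        raise ValueError(f"read from unmapped address {addr:08X}")
    return struct.unpack("<I", MEMORY[addr])[0]

def resolve_pointer(base, offsets):
    """Resolve a multilevel pointer the way CE's pointer entry does.

    `offsets` is the Notepad list from the guide: offsets[0] is the first
    offset found (nearest the value, 18 in the tutorial) and the last entry
    is the one nearest the static base. CE applies them from the base
    outward, so the list is walked in reverse. Every offset but the first is
    dereferenced; the first is only added, giving the address of the value."""
    addr = read_u32(base)                  # [base]: the static (green) address
    for off in reversed(offsets[1:]):
        addr = read_u32(addr + off)        # one more pointer hop: [[...]+off]
    return addr + offsets[0]               # the address that holds the value

def write_through(base, offsets, value):
    """What 'change the value to 5000' on a pointer entry does."""
    write_u32(resolve_pointer(base, offsets), value)

def build_chain(base, offsets, objects, value):
    """Lay a chain out in the toy memory: base -> objects[0] -> ... -> value.
    objects[i] is where the game 'allocated' the i-th object this run."""
    assert len(objects) == len(offsets)
    write_u32(base, objects[0])
    walk = list(reversed(offsets))         # base-outward order
    for i, off in enumerate(walk[:-1]):
        write_u32(objects[i] + off, objects[i + 1])
    write_u32(objects[-1] + walk[-1], value)

STATIC_BASE = 0x0040B380                   # constructed "green" address in the module
OFFSETS = [0x18, 0x0C, 0x00]               # constructed Notepad list: first offset 18, ...

def demo():
    """Returns (value address on run 1, value address on run 2, value read via the chain)."""
    # Run 1: the objects happen to live here (constructed heap addresses).
    build_chain(STATIC_BASE, OFFSETS, [0x01A0F000, 0x01B22A40, 0x01C04110], 100)
    first = resolve_pointer(STATIC_BASE, OFFSETS)
    # "Restart the game": every heap object moves, but the static base and the
    # offsets do not, so the same pointer entry still lands on the value.
    MEMORY.clear()
    build_chain(STATIC_BASE, OFFSETS, [0x02310000, 0x0255A8C0, 0x02660F20], 100)
    second = resolve_pointer(STATIC_BASE, OFFSETS)
    return first, second, read_u32(second)

if __name__ == "__main__":
    a, b, v = demo()
    print(f"run 1: {a:08X}  run 2: {b:08X}  value: {v}")
```

The two resolved addresses differ between runs while the value read through the chain stays the same; that is exactly the property a green base gives you and a non-green (heap) address does not.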

Chapter 10: Tutorial 8

Here's a hard one. A very hard tutorial. Honestly, I had a bit of studying to do as to why things were as they were. And I know now. It's IMPORTANT that you know at least a little bit about assembly and how it works for this part of the tutorial because we will be coding with it using code injection. Here's what Dark Byte wrote:


Dark Byte wrote:

Step 9: Shared code: (PW=INUDREAM)
This step will explain how to deal with code that is used for other objects of the same type.

Often when you've found health of a unit or your own player, you will find that if you remove the code, it affects enemies as well.
In these cases you must find out how to distinguish between your and the enemies' objects.
Sometimes this is as easy as checking the first 4 bytes (function pointer table) which often point to a unique location for the player, and sometimes it's a team number, or a pointer to a pointer to a pointer to a pointer to a pointer to a playername. It all depends on the complexity of the game, and your luck.

The easiest method is finding what addresses the code you found writes to and then use the dissect data feature to compare against two structures. (Your unit(s)/player and the enemies) And then see if you can find out a way to distinguish between them.
When you have found out how to distinguish between you and the computer you can inject an assembler script that checks for the condition and then either do not execute the code or do something else. (One hit kills for example)
Alternatively, you can also use this to build a so called "Array of byte" string which you can use to search which will result in a list of all your or the enemies players
In this tutorial I have implemented the most amazing game you will ever play.
It has 4 players. 2 Players belong to your team, and 2 Players belong to the computer.
Your task is to find the code that writes the health and make it so you win the game WITHOUT freezing your health
To continue, press "Restart game and autoplay" to test that your code is correct


Tip: Health is a float
Tip2: There are multiple solutions


We already know that health is a float. That's great. Make sure you clear Cheat Engine from the last tutorial and then start scanning and looking for all the values, making sure you name them with the player names so that you don't get confused.



Now, what you must do is find a way to tell Cheat Engine that if the enemy hits you, you don't die, but if you hit the enemy, their HP goes down. This is actually pretty difficult because all of the other methods from this tutorial will not work, especially because your hit function is the same as theirs, so disabling it would disable all hitting. So we must code it. Yes, code it. First of all, how the hell are we going to tell the enemy from us?? Well, pretty simple actually. Usually a game has its own way of telling what is an enemy team and what's a good team. Basically a team ID. To find that, we can use the dissect feature in Cheat Engine.

To do this, click "Memory view" and click "Tools" in the menu bar. From here, open "Dissect Data/Structure". It should look like:



If you press "Ctrl + A", you should get another field. Add enough so that there are four of them. Now, what will we do with that?? We will get the addresses from the data we got in the main window and paste them into the text boxes. Like so:



We know Hal and Kitt are on the other team, so put them in a different group. Do so by right clicking the address that Hal has and then click "Change Group". Double click new group; it doesn't matter what you name it. Do the same for Kitt, but put it in the same group Hal is in.



If we start with the creation of the structure now, we will have a few issues. This is because the address we put in the boxes is for the health, so it will only give us stuff from the health onward. But we don't want only the health. We want stuff on the whole structure. So what we can do is go back a "word", 4 bytes. This way, you can see the entire structure. Just type -4 after everything in the boxes.



After that, you can click "Structures" in the menu bar and click "Define new structure". You don't have to name it anything. I don't anyway. Click "Yes" and "Ok" for anything that shows up. And you should get a long list of stuff. If you want to know what the color codes mean, look at "View", and click "Settings". What we're looking for is "Group Different". Basically, it's a field that is the same for everyone in one group, but different for everyone in the other group. If you look at the offset column, you should see 0010 is the one that is different.



Note that somewhere. You can close that now. Now, what we must do is find out where the code is that is making the health go down. Simple really, you must find what accesses the address. You can use whichever player, but I use Dave. Find out what accesses it and see all the weird codes.



Different value types use different assembly instructions. For example the instruction to lose health is "fsubr" meaning "float subtract" or whatever. Click stop and click "Show disassembler" while highlighting that one. (Mine says 00427D7D - D8 6B 04 - fsubr dword ptr [ebx+04])



Now, what you must do is go to Tools and, you guessed it, Auto Assemble. Use the code injection template. Now, this is why I told you that you needed to know some assembly. Basically, we're going to do an if statement. It works like this. We use ebx because that's the register holding the object whose health is being subtracted.



The code for the if statement is "cmp". It means compare. And it works like this:


Code:
cmp [ebx+10],1


The 10 is the offset we got before, remember?? The 1 is the value it's checking for. Now, we need to figure out what we want to do. We can use je to jump to another label if the team ID is 1, or jne to jump to another label if the team ID is anything other than 1. We will use jne because that label is already set up. (originalcode)

Delete the blue comment after newmem and put in the code from earlier. Then, on a new line, add


Code:
jne originalcode


That means "Go to original code if the team ID is not equal to one. If it is, continue."

After that, copy the code from originalcode and paste it under that. Basically


Code:

fsubr dword ptr [ebx+04]
fstp dword ptr [ebp-30]


However, change "fsubr" to "fadd", which means add instead of subtract. This will make your HP go up every time you're hit.

Now, we must skip originalcode by going to exit, by using jmp. Put


Code:
jmp exit


after everything and your code should be done. It should look like this:



After that, click execute and if it's exactly like I did it, it should have no issues. Inject it. You can then hit the players and see if your team's HP goes down. It should go up!! If it crashes or it doesn't work, you did something wrong. Look at the code closely!! Now, go to the game and auto play it. It should end up like this:
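Two things in this chapter are worth seeing in working code: how "Group Different" in Dissect Data picks out the team ID, and what the cmp/jne/fadd patch changes at the injection point. Here is an added example of both (my own code, not the guide's and not Cheat Engine's). The four player names come from the tutorial, but the structure layout, the base address, the health values, the hit counters and the team assignment (Dave and Eric on team 1, Hal and Kitt on team 2) are all constructed for the example, and the patched instruction writes its result straight back to the health field instead of to the stack local [ebp-30], which is a simplification.

```python
import struct

STRUCT_SIZE = 0x20
BASE = 0x00F30000          # constructed address of the first player structure
TEAM_OFFSET_EXPECTED = 0x10

# Constructed layout, 32 bytes per player:
#   +00 pointer shared by every object   +04 health (float)   +08 hit counter
#   +0C name pointer                     +10 team id          +14 max health
#   +18, +1C unused
PLAYERS = [("Dave", 100.0, 3, 1), ("Eric", 90.5, 7, 1),
           ("Hal", 75.0, 2, 2), ("Kitt", 60.0, 9, 2)]
MEM = bytearray()
for i, (_name, hp, hits, team) in enumerate(PLAYERS):
    MEM += struct.pack("<IfIIIfII", 0x00404A10, hp, hits,
                       0x00F60000 + i * 0x10, team, 100.0, 0, 0)

def read_u32(addr):
    return struct.unpack_from("<I", MEM, addr - BASE)[0]

def read_f32(addr):
    return struct.unpack_from("<f", MEM, addr - BASE)[0]

def write_f32(addr, value):
    struct.pack_into("<f", MEM, addr - BASE, value)

def health_addr(i):
    """The address a float scan for player i's health would find."""
    return BASE + i * STRUCT_SIZE + 4

def group_different(struct_starts, groups, size=STRUCT_SIZE, width=4):
    """Offsets whose dword is constant inside every group but differs between
    groups: the fields Dissect Data colours "Group Different".
    groups is a list of index lists into struct_starts."""
    found = []
    for off in range(0, size, width):
        per_group = []
        for members in groups:
            vals = {read_u32(struct_starts[i] + off) for i in members}
            if len(vals) != 1:          # not uniform within the group
                break
            per_group.append(vals.pop())
        else:                            # uniform in every group
            if len(set(per_group)) == len(per_group):
                found.append(off)        # ... and different across groups
    return found

def find_team_offset():
    # The "-4" the guide types into the boxes: back up from health to the struct start.
    starts = [health_addr(i) - 4 for i in range(4)]
    return group_different(starts, [[0, 1], [2, 3]])   # [Dave, Eric] vs [Hal, Kitt]

def take_hit(ebx, damage, patched, team_offset=TEAM_OFFSET_EXPECTED):
    """Emulates the instruction at the injection point. ebx is the struct base,
    st0 holds the damage being applied.
      original:  fsubr dword ptr [ebx+04]   -> st0 = [ebx+4] - st0
      patched:   cmp [ebx+10],1 / jne originalcode / fadd dword ptr [ebx+04]
    Returns the new health."""
    st0 = damage
    if patched and read_u32(ebx + team_offset) == 1:
        st0 = read_f32(ebx + 4) + st0          # fadd: own team heals on hit
    else:
        st0 = read_f32(ebx + 4) - st0          # fsubr: everyone else loses health
    write_f32(ebx + 4, st0)                    # simplification of fstp [ebp-30]
    return st0

if __name__ == "__main__":
    print("group different offsets:", [hex(o) for o in find_team_offset()])
    for i, (name, *_rest) in enumerate(PLAYERS):
        print(name, "->", take_hit(health_addr(i) - 4, 10.0, patched=True))
```

The comparison only treats an offset as "Group Different" when it is uniform inside each group and distinct between them, which is why health (different for every player) and the shared pointer at +00 (identical for everyone) are both rejected and only +10 survives.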



Click next!!

Congrats, you are an advanced Cheat Engine user!!!!!!!



Chapter 11: Other related stuff

Cheat Engine can be used on flash games, multiplayer games, up to hacking Windows itself! It's a tool that scans memory too. It's similar to OllyDbg and some other stuff. It's the most known, though. Cheat Engine is a very good program. The tutorial was very good help too. I thought it was good at least. That last tutorial would be impossible without studying.

Chapter 12: Credits

3 credits.

Killor1 - Made me want to actually make this guide!
Me (YoungDragon) - I made the guide, didn't I? Too bad I was too lazy to update it until now, 2015.

Dark Byte - He made Cheat Engine and the tutorial. Without the tutorial, most people wouldn't know how to use Cheat Engine. That's a GREAT feature with CE!


-----------------------------

Yes, I know it's VERY long, but in my opinion, it's a good guide.


THERE ARE MORE COMMENTS at

http://forum.cheatengine.org/viewtopic.php?t=542093
{the site doesn't work correctly for now due to a DDoS attack and other trouble; hope it's just temporary}

I just have some posts that I have read and understood; hopefully others of you will post some more.
And please let me know where it is!
Thanks!
Forge By Games # ForgeByGames