Hey, here is a good tutorial(Well, I think it’s pretty good) that Youngdragon made. Hope you like it.
————————————-
Table of contents:
1. Introduction
2. The tutorial introduction
3. Tutorial 1
4. Tutorial 2
5. Tutorial 3
6. Tutorial 4
7. Tutorial 5
8. Tutorial 6
9. Tutorial 7
10. Tutorial 8
11. Other related stuff
12. Credits
————————————-
Chapter 1: Introduction
Welcome to YoungDragon’s Cheat Engine tutorial, updated January 23, 2015. It needs some updating due to new tutorials in cheat engine, and because Imageshack really sucks. Pictures now on Imgur. In this tutorial, there are 12 chapters. Also, I recycled most of the old stuff, changing Chapter 9 to a way better method. Thid took me hours to make, and even more hours to update it. Anyways, this will give you a basic and more advance chance to try CheatEngine! Cheat Engine is a program which allows you scan addresses, change values, search process memory, and allows you to edit stuff you wouldn’t usually be able to edit. Cheat Engine was founded and invented by Dark Byte. It’s a very powerful and well known program. Cheat Engine can be downloaded here: Click me to go to the url!. Most Anti-virus’s think Cheat Engine is a virus. It is NOT a virus. I want to make that perfectly clear. It has some tools that Anti-Virus’s think are dangerous like hacking tools. If you are too scared to download it, download the retarded idiot version(It’s for retarded idiots who don’t trust anybody, by the way). Cheat Engine is a completely SAFE program. Also,http://www.cheatengine.org is NOT responsible of any illegal use of Cheat Engine. If you get caught using it illegally, it’s your problem. It was not intended for illegal use. Now, we will continue to the tutorial. Here is an image on what the program looks like(v6.4):
————————————-
Chapter 2: The tutorial introduction
Cheat Engine comes with a FREE TUTORIAL! That’s great! We will use that in this guide. To find it, click start, all programs, find the directory where Cheat Engine was installed(By default, it’s Cheat Engine [version]), click Cheat Engine tutorial.
Here is what it looks like(v3.2)
This is where we will start the whole tutorial, which will help you with everything you need to know. Here is what Dark Byte wrote:
Dark Byte wrote: |
Welcome to the Cheat Engine Tutorial. (v3.2)This tutorial will try to explain the basics of cheating on games, and getting you more familiar with Cheat Engine.
First open Cheat Engine if it hasn’t been opened yet. When the process window is open find this tutorial. The process name is probably ‘tutorial.exe’ unless yourenamed it. When everything went right, the process window should be gone now and at the top of CE the processname isshown. Now, click NEXT to continue to the next step. (Or fill in the password to proceed to that particular step you want) |
Now, you will have to get the process of Cheat Engine Tutorial. On the top left of the screen, there is a glowing computer.
Click it to open the process menu.
Click the Cheat engine tutorial process.
Click Open and you have successfully gotten a process loaded in Cheat Engine!
Press “Next” to go to tutorial 1 and read Chapter 3.
Note: You can save the passwords it gives you so you can continue where you were. Thank Dark Byte!
Chapter 3: Tutorial 1
This is the most BASIC tutorial you have! After you press next, this is what you will get:
Dark Byte wrote: |
Step 2: Exact Value scanning (PW=XXXXXX) Now that you have opened the tutorial with Cheat Engine lets get on with the next step.You see at the bottom of this window the text Health: xxx Each time you click ‘Hit me’ your health gets decreased. To get to the next step you have to find this value and change it to 1000 To find the value there are different ways, but I’ll tell you about the easiest, ‘Exact Value’: When the value type is set correctly, make sure the scantype is set to ‘Exact Value’ If you find more than 1 address and you don’t know for sure which address it is, click ‘Hit me’, fill in the newhealth value into the value box, and click ‘Next Scan’ Now double click the address in the list on the left. This makes the address pop-up in the list at the bottom,showing you the current value. If everything went ok the next button should become enabled, and you’re ready for the next step. Note: |
This tutorial stores your health using the 4 byte data value. Cheat Engine uses this by default. In this case, you are given the EXACT value of health you have (100). Go to Cheat Engine and in the Value box, type in 100. Click first scan.
Look to the left. Find a table that shows “Address” and “Value”. An address is where the data is stored and the value is what the data is. The actual value.
Go to the tutorial and click “Hit me”. Your health should go down. My health got to 99. The health you got will be called “myHp”. Whenever I refer to myHp, you get the number you have as your health. Go back to Cheat Engine and then type myHp(The health number) you got into the value box. Then press next scan.
You should come up with ONE value. Now, my address is 01855F30. Your address will be different. If it’s different, don’t say “OMGZZZ, I DIDZ IT WRONGZZZZ. FUCKZZZ THIS TUTORIALZZZ!!!!!!!!” It will not be the same every time. Addresses change. Double click the address with the value of myHp(The health number. Mine is 95). It should then also be at the bottom.
Now, you see the “Next” button is grey and blocked so you can’t go to the next tutorial. ( ) Don’t worry, we will make it clickable now! To go to the next tutorial, the value has to be >1000(Greater then 1000). Double click the value section at bottom left side. You should get this:
Change the value to 1000 and press OK.
Go back to Cheat Engine tutorial and see that the Next button is unlocked! WAIT! Don’t click it. Click “Hit me” and your Health should go UP to 99x.(Change the value to 1000 and press Next to finish Tutorial 1)
You have now finished Tutorial 1!
Chapter 4: Tutorial 2
This tutorial will help you in finding unknown values, like if all you got is a loading bar. Here is what Dark Byte wrote.
Dark Byte wrote: |
Step 3: Unknown initial value (PW=SEXSEX) Ok, seeing that you’ve figured out how to find a value using exact value let’s move on to the next step.In the previous test we knew the initial value so we could do a exact value, but now we have a status bar where we don’t know the starting value. We only know that the value is between 0 and 500. And each time you click ‘hit me’ you lose some health. The amount you lose each time is shown above the status bar. Again there are several different ways to find the value. (like doing a decreased value by… scan), but I’ll only explain the easiest. “Unknown initial value”, and decreased value. When it is done click ‘hit me’. You’ll lose some of your health. (the amount you lost shows for a few seconds and then disappears, but you don’t need that) We know the value is between 0 and 500, so pick the one that is most likely the address we need, and add it to the list. |
Click new scan and the table with address/value should clear. Also, select the address we changed to 1000 and click the delete button on the keyboard. This should get rid of that to get rid of future confusion. Now, you see a full progress bar with a value you do not know. Every time you press Hit me, you will get “-(Random number)”. Here is what it looks like:
Go to cheat engine and find value type. By default, it’s 4 byte. Change 4 byte to “Unknown initial value” and click Scan.
Now, the think should go back to normal like nothing happened. It should go back to 4 byte. Now, go back to the tutorial app and click Hit me. You should see a thing that says “-(Random number)”. Click Hit me now.
As you can see, I lost 8 hp. Go to Cheat Engine, change value to type to “Decreased value by…”. Now put the number of HP you lost in the box. Then press Next scan.
Keep on doing this until you have less than 10 addresses. Now, I ended up with 4 addresses. 1 of them is 116. The others at 4,000,000,00+. You have to get at least 5000 for the “Next” button to unlock. Which one do you think is correct if the “Next” button is locked? Yes, it’s the address with the value of 116. Double click it to send it to the bottom. Change the value to 5020. Click “Hit me” and the progress bar should get full. If it didn’t, you did it wrong. Change the value to 5000 and click Next. This is how you get unknown values quickly. If you do not know what the value decreased by, change the value type to “decreased value” and hit “next scan”.
Chapter 5: Tutorial 3
In this tutorial, you will be dealing with different data types. We were dealing with 4 bytes. This time, we will deal with float and double. This is what Dark Byte wrote.
Dark Byte wrote: |
Step 4: Floating points (PW=890124) In the previous tutorial we used bytes to scan, but some games store information in so called ‘floating point’ notations. (probably to prevent simple memory scanners from finding it the easy way) a floating point is a value with some digits behind the point. (like 5.12 or 11321.1)Below you see your health and ammo. Both are stored as Floating point notations, but health is stored as a float and ammo is stored as a double. Click on hit me to lose some health, and on shoot to decrease your ammo with 0.5 You have to set BOTH values to 5000 or higher to proceed. Exact value scan will work fine here, but you may want to experiment with other types too. |
First, click New scan. Delete the address we changed to 5000. Keep scan type to Exact Value, but change Value type to Float.
Now, type 100 into the value textbox and click First Scan.
I got 2 addresses! That’s good. Now, click Hit me. I got 97.4. Go to cheat Engine and type 97.4 (Or whatever you got) into the textbox and click Next Scan. I came up with 1 address. We will do what we did in the other tutorials, we will double click and change the value.
Change it to 5000.
Click New Scan and do NOT delete the float address change. Change the value type to Double. Scan 100.
I came up with 1 value. Click “Fire” on the tutorial to see if it is the value. If you get 99.5 in Cheat Engine. That’s it! Double click and change the value to 5000. The “Next button” should unlock. Click next to Continue.
Congrats! You just finished the “BASICS!” Yes, the basics. If you thought that was hard, try doing to tutorial again and again until you get it right. Now, we will go to Medium. Then Hard.
This is Medium.
Chapter 6: Tutorial 4
This is a harder tutorial. We will find out how to use the Code Finder.
Here is what Dark Byte wrote:
Dark Byte wrote: |
Step 5: Code finder (PW=NOPW4U) Sometimes the location something is stored at changes when you restart the game, or even while you’re playing.. In that case you can use 2 things to still make a table that works. In this step I’ll try to describe how to use the Code Finder function.The value down here will be at a different location each time you start the tutorial, so a normal entry in the address list wouldn’t work. First try to find the address. (you’ve got to this point so I assume you know how to) When you’ve found the address, right-click the address in Cheat Engine and choose “Find out what writes to this address”. A window will pop up with an empty list. Then click on the Change value button in this tutorial, and go back to Cheat Engine. If everything went right there should be an address with assembler code there now. Click it and choose the replace option to replace it with code that does nothing. That will also add the code address to the code list in the advanced options window. (Which gets saved if you save your table) Click on stop, so the game will start running normal again, and close to close the window. Note: When you’re freezing the address with a high enough speed it may happen that next becomes visible anyhow |
First, find the address. All the previous tutorials found out the address. So now, you know how to do it. Use 4 bytes.
I have found the address. Here is what I got:
Now, double click it to make it go down. Right click the address(After you put it at the very bottom) and press “Find out what writes to this address”. A new window should pop up.(If it ask you about a debugger, press yes)
Click “Change Value” where the tutorial is and then go back to Cheat Engine. Now, you should see something new. A bunch of stuff like “eax”, “ebx”, “ebp”, “xxx”, “sex”, ect, ect might pop up, but in our case, only one thing shows up.
Select it and click the replace button. ANOTHER window should pop up. Remove everything that was in it.
to
Press OK.
Now, Click “Stop” and then “Close”. Go to the tutorial and click Change Value. It should stay the same and then the “Next” button should be unlocked!!! As Charlie Sheen would say, Winning.
Chapter 7: Tutorial 5
Now, this is more advanced then the last tutorial. Still in the medium section, BUT it’s a little bit hard. This one uses pointers. Ok, first, get the address with the value of 100. At this point, you should know how to get an address.
Here is what Dark Byte wrote:
Dark Byte wrote: |
Step 6: Pointers: (PW=XXXXXX) In the previous step I explained how to use the Code finder to handle changing locations. But that method alone makes it difficult to find the address to set the values you want. That’s why there are pointers:At the bottom you’ll find 2 buttons. One will change the value, and the other changes the value AND the location of the value. For this step you don’t really need to know assembler, but it helps a lot if you do. First find the address of the value. When you’ve found it use the function to find out what accesses this address. The window will change and allow you to type in the address of a pointer and a offset. example of a more complicated instruction: Back to the tutorial, click OK and the address will be added, If all went right the address will show P->xxxxxxx, with xxxxxxx being the address of the value you found. If thats not right, you’ve done something wrong. extra: |
After you have the address. Move it to the bottom and right click. Click “Find out what writes to this address”. You will then press change value on CE tutorial and will get some info in the popup screen.
Click on the first one. Mine is 00426562 – 89 02 – mov [edx],eax. Then press more information. You should get this.
Find where it says “The value of the pointer needed to find this address is probably XXXXXXXX” Mine is 001F65E8. Close that and close the data table to just show Cheat Engine. Now click new scan and check the hex button. Type in what you got for XXXXXXXX. Click “First Scan”.
I got 1 addresses.
Press “Add address manually”. Click the pointer checkbox. Now type in the address you got. I got 00645360. For offset, leave as 0. Press OK. (NOTE: YOU SHOULD GET THE SAME THING AS ME IF YOU’RE USING TUTORIAL VERSION 3.2)
The value should be the same as the other address. If you got “??” then you did it wrong. Try again. If you got this:
Then you did it right! Try pressing “Change Value” on the tutorial to mess around with it. Both values will change!
Now, change The value of the one with the address of “P -> XXXXXXXX” to 5000. Then check the “Active box” to freeze the value. Go back to the tutorial and press “Change Pointer”. Wait for it to stop and the next button should unlock!
Press next and go to the next chapter.
Chapter 8: Tutorial 6
This is one of my FAVORITE parts of this tutorial!! This is because you get to create your own little code. Here is what Dark Byte wrote:
Dark Byte wrote: |
Step 7: Code Injection: (PW=ULOSER) Code injection is a technique where one injects a piece of code into the target process, and then reroute the execution of code to go through your own written codeIn this tutorial you’ll have a health value and a button that will decrease your health with 1 each time you click it. Your task is to use code injection to increase the value of your health with 2 every time it is clicked Start with finding the address and then find what writes to it. Notice the alloc, that will allocate a block of memory for your code cave, in the past, in the pre windows 2000 systems, people had to find code caves in the memory(regions of memory unused by the game), but that’s luckily a thing of the past since windows 2000, and will these days cause errors when trying to be used, due to SP2 of XP and the NX bit of new CPU’s Also notice the line newmem: and originalcode: and the text “Place your code here” Notice: Notice 2: |
To start out, delete all the addresses and restart the whole scan process. Find the address. After you find it, right click it after you took it to the bottom. Then, click “Find out what writes to this address”. Click “Hit Me” and make the HP go down. Look at the data that was traced. I got 00426C40 – FF 8B 78040000 – dec [ebx+00000478]. Click “Show disassembler”.
Now, press Ctrl + A to open Auto disassembler.
Now, click template and press “Code Injection”. Press yes if a pop up shows.
See original code? You got dec [ebx+00000478]. Copy that. Then turn it into a comment so it doesn’t interfere with our new code by adding “//” before it without the quotes. Delete the stuff next to // under newmem. paste the thing you copied under newmem and change dec to add. also, add “,2” to it. (The instructions tell you to add 2 to it every time you click “Hit me”) You should get this:
Code: |
add [ebx+00000478],2 |
Now, press Execute and you then go back to the CE tutorial. Press hit me to get +2 HP. Press next and go to the next chapter.
Again, this is my FAVORITE part. I love using code injection as it is EXTREMELY useful.
Chapter 9: Tutorial 7
This is the second to last tutorial!
Here is what Dark Byte wrote:
Dark Byte wrote: |
Step 8: Multilevel pointers: (PW=HAHANO) This step will explain how to use multi-level pointers. In step 6 you had a simple level-1 pointer, with the first address found already being the real base address. This step however is a level-4 pointer. It has a pointer to a pointer to a pointer to a pointer to a pointer to the health.You basicly do the same as in step 6. Find out what accesses the value, look at the instruction and what probably is the base pointer value, and what is the offset, and already fill that in or write it down. But in this case the address you’ll find will also be a pointer. You just have to find out the pointer to that pointer exactly the same way as you did with the value. Find out what accesses that address you found, look at the assembler instruction, note the probable instruction and offset, and use that. and continue till you can’t get any further (usually when the base address is a static address, shown up as green) Click Change Value to let the tutorial access the health. Extra: This problem can also be solved using a auto assembler script, or using the pointer scanner Extra3: If you’re still reading. You might notice that when looking at the assembler instructions that the pointer is being read and filled out in the same codeblock (same routine, if you know assembler, look up till the start of the routine). This doesn’t always happen, but can be really useful in finding a pointer when debugging is troublesome |
First, Find the address and move it to the lower part of CE like we always do. You should find the address pretty quickly. I am literally rewriting this tutorial because the last one sucked ass and it didn’t really help. Also, it will help if you have notepad open. You’ll see why later. Right click the address and follow what you did in Chapter 7. Find out what writes to the address. Click change value, and then when you get to this screen:
Write down in notepad “Offsets:” and under that, write “First offset: 18”. Let me explain. An offset is what is used to find pointers. It makes the pointer look in the right direction. A house could be pointed in the direction West, however just saying “West” is never going to get you the house. Now, if you tell the pointer that it’s the 18th house, then you have the exact house. a Multilevel pointer has multiple offsets. You’ll see what I mean later. Basically, it’s like “It’s the west house, the the left of the 18th house, past the 1st house, going to the right of the 14th house, and then finally arriving at the house by 0C.” Again, you’ll see what I mean later.
Now again, do what you did in Chapter 7, scan in hex for the value of the pointer and then you’ll get one-3 addresses. It’s usually the first one. However, it’s not green. Green addresses are static addresses that means that it’s what everything is pointing to and basically, in the example from earlier, the house that you’re getting. That means that it’s pointing to another address.
Again, click “Add address manually”, and then check the pointer box. ****NOTE, REMEMBER TO SET THE OFFSET TO 18!!. Then, write the address you got and press “OK”.
At this point, you need to do it all over again. Right click that, but this time click “Find out what accesses this address”. Then click “Find out what accesses this pointer”. This is different because pointers don’t write anything. They only access. It’s pretty self explanatory. Click change value and you should get 2-10 things. I got two things. It’s the same as before. Click more information. This time, notice there is no plus. That means the second offset is 0. Write down in the notepad “Second offset: 0”.
We’re writing this down because the more pointers we get, the more levels of offset we need to get to our direction. Basically, it’s like giving cheat engine to find the direction of the value. Scan for the value of the pointer to find the address in hex like usual and you should get a few addresses. Again, it’s usually the first one.
Still not green. Well, to do that again. Click “Add Address Manually”, and click the pointer box. However, before you do anything, click “Add Offset”. This will add two more textboxes. Now, this why we’re keeping track of our offsets in notepad. So that we can use them there and not have to memorize them. Make sure the top one is 18 and the second is 0. Then, put the address you found.
All the values should be the same. If they’re not, the offsets are either not correct or you messed something else up. Restart the tutorial.
Again, not green however. Keep doing this noting all the offsets until you finally get a green address..
Found it. I’ll show you photos of my CE, the address’, the offsets and everything.
So you see how multilevel pointers work or I hope you did when you saw the pictures.
Now, all there’s left to do is the change the last one to “5000”, check the active box and be done with that!! Click “Change pointer” and after 3 seconds, the next button should be clickable. There’s the last one.
Chapter 10: Tutorial 8
Here’s a hard one. a very hard tutorial. Honestly, I had a bit of studying to do as to why things were as they were. And I know now. It’s IMPORTANT that you know at least a little bit about assembly and how it works for this part of the tutorial because we will be coding with it using code injection. Here’s what Dark Byte wrote:
Dark Byte wrote: |
Step 9: Shared code: (PW=INUDREAM) This step will explain how to deal with code that is used for other object of the same typeOften when you’ve found health of a unit or your own player, you will find that if you remove the code, it affects enemies as well. In these cases you must find out how to distinguish between your and the enemies objects. Sometimes this is as easy as checking the first 4 bytes (Function pointer table) which often point to a unique location for the player, and sometimes it’s a team number, or a pointer to a pointer to a pointer to a pointer to a pointer to a playername. It all depends on the complexity of the game, and your luck The easiest method is finding what addresses the code you found writes to and then use the dissect data feature to compare against two structures. (Your unit(s)/player and the enemies) And then see if you can find out a way to distinguish between them. Tip: Health is a float |
We already know that health is a float. That’s great. Make sure you clear cheat engine from the last tutorial and then start scanning and looking for all the values, making sure you name them with the player names so that you don’t get confused.
Now, what you must do now is find a way to tell cheat engine that if the enemy hits you, you don’t die. But if you hit the enemy, their HP goes down. This is actually pretty difficult because using all of the other methods from this tutorial will not work, especially because your hit function is the same is theirs so disabling it would disable all hitting. So we must code it. Yes, code it. First of all, how the hell are we going to tell from the enemy and us?? Well, pretty simple actually. Usually in games, there is its own way of telling what is an enemy team and what’s a good team. Basically a team ID. To find that, we can use a dissect feature in Cheat Engine.
To do this, click “Memory view” and click “Tools” in the menu bar. From here, open “Dissect Data/Structure”. It should look like:
If you click “Ctrl + A”, you should get another field. Add enough so that there is 4 of them. Now, what will we do with that?? We will get the address’ from the data we got in the main window and paste it into the text boxes. Like so:
We know Hal and Kitt are on different teams so put them in a different group. Do so by right clicking the address that Hal has and then click “Change Group”. Double click new group and it doesn’t matter what you name it. Do the same for Kitt, but put it in the same group Hal is in.
If we start with the creation of the structure now, we will have a few issues. This is because the address we put in the boxes is for the health, therefore will only give us stuff for the health. But we don’t want only the health. We want stuff on the whole team. So what we can do is go back a “Word”, 4 bytes. This way, you can see the entire structure. Just type -4 after everything in the boxes.
After that, you can click “Structures” in the menu bar and click “Define new structure”. You don’t have to name it anything. I don’t anyway. Click “Yes” and “Ok” for anything that shows up. And you should get a long list of stuff. If you want to know what the color codes mean, look at “View”, and click “Settings”. What we’re looking for is “Group Different”. Basically, it’s what is the same everyone in one group, but different for everyone in the other group. If you see the offset description, you should see 0010 is the one that is different.
Note that somewhere. You can close that now. Now, what we must do is find out where the code is that is making the health go down. Simple really, you must find what accesses the address. You can use whichever, but I use Dave. Find out what accesses it and see all the weird codes.
Different value types use different assembly codes. For example the code to lose health is “fsubr” meaning “Float subtract” or whatever. Click stop and click “Show dissassembler” when highlighting that one. (Mine says 00427D7D – D8 6B 04 – fsubr dword prt [ebx+04])
Now, what you must do is go to tools and you guessed it, auto assemble. Use the code injection template. Now, this is why I told you that you needed to know some assembly. Basically, we’re going to do an if statement. It works like this. We use ebx because that’s what’s being subtracted.
The code for the if statement is “cmp”. It means compare. And it works like this:
Code: |
]cmp [ebx+10],1 |
The 10 is what we got before, remember?? The one is what it’s checking for. Now, we need to figure out is what we want to do. We can use je to go to another function if the team id is 1, or jne to go to another function if the team id is other than 1. We will use jne because the function is already set up. (originalcode)
Delete the blue comment after newmem and put the code from earlier. The, in a new line, add
Code: |
jne originalcode. |
That means “Go to original code if the team ID is not equal to one. If it is, continue.”
After that, copy the code from originalcode and paste it under that. Basically
Code: |
fsubr dword ptr [ebx+04] fstp dword ptr [ebp-30] |
However, change “fsubr” to “fadd” which means add instead of subtract. This will make your HP go up every time your hit.
Now, we must skip originalcode by going to exit, by using jmp. Put
Code: |
jmp exit |
after everything and your code should be done. It should look like this:
After that, click execute and if it’s exactly like I did it, it should have no issues. Inject it. You can then hit the players and see if your team’s HP goes down. It should go up!! If it crashes or it doesn’t work, you did something wrong. Look at the code closely!! Now, go to the game and auto play it. It should end up like this:
Click next!!
Congrats, you are an advanced Cheat Engine user!!!!!!!
Chapter 11: Other related stuff
Cheat engine can be used from flash games, multiplayer games, up to hacking Windows itself! It’s tool that scans memory too. It’s similar to OllyDGB and some other stuff. It’s the most known, though. Cheat Engine is a very good program. The tutorial was very good help too. I thought it was good at least. That last tutorial would be impossible without studying.
Chapter 12: Credits
3 credits.
Killor1 – Made me want to actually make this guide!
Me – I made the guide, didn’t I? Too bad I was too lazy to update it until now, 2015.
Dark Byte – He made Cheat Engine and the tutorial. Without the tutorial, most people wouldn’t know how to use Cheat Engine. That’s a GREAT feature with CE!
Video:
Link
—————————–
Yes, I know it’s VERY long, but in my opinion, it’s a good guide. This will be updated frequently with new updates Dark Byte has made. See you.
UPDATED!! JANUARY 24, 2015.