Cheat Engine Tutorial: Tutorial v3 – Stage 5

Home / Cheat Engine Tutorial: Tutorial v3 – Stage 5

Cheat Engine Tutorial: Tutorial v3 – Stage 5

December 9, 2015 | Article, Labs | No Comments

We have seen Cheat Engine on previous introduction. As said on that article, Cheat Engine has provide a “cheat me” program to let us practice using Cheat Engine. Officially it is called Cheat Engine Tutorial. In this article we will use Cheat Engine and practice in “cheating” the program. Specifically, we will do the “fifth stage”.

In this article I use:

  1. Windows 8 64-bit
  2. Cheat Engine 6.3
  3. Cheat Engine Tutorial v3


At least you understand the basic layout of Cheat Engine. You should know how to load a running process to Cheat Engine. If you don’t, please refer back to the introduction.

Open the Cheat Engine Tutorial v3


If you get to this article after beat the fourth stage, make sure you clear the previous result by click on ‘New scan‘ and clear work area.

Some of this article will involve assembly language. Even though it is not a requirement, but knowing some assembly will ease you. You can learn assembly at my Assembly Language Tutorial page or watching Assembly Language Primer Video for Hackers.


Every stage can be accessed individually. To access this stage from Cheat Engine Tutorial’s main window, enter 098712 to password line edit.


Dark Byte (Cheat Engine creator) wrote this as hint:

In the previous step I explained how to use the Code finder to handle changing locations. But that method
alone makes it difficult to find the address to set the values you want.
That's why there are pointers:

At the bottom you'll find 2 buttons. One will change the value, and the other changes the value AND the
location of the value.
For this step you don't really need to know assembler, but it helps a lot if you do.

First find the address of the value. When you've found it use the function to find out what accesses this
address. Change the value again, and a item will show in the list. Double click that item. (or select
and click on more info) and a new window will open with detailed information on what happened when the
instruction ran.
If the assembler instruction doesn't have anything between a '[' and ']' then use another item in the list.
If it does it will say what it think will be the value of the pointer you need.
Go back to the main cheat engine window (you can keep this extra info window open if you want, but if you
close it, remember what is between the [ and ] ) and do a 4 byte scan in hexadecimal for the value
the extra info told you.
When done scanning it may return 1 or a few hundred addresses. Most of the time the address you need will
be the smallest one. Now click on manually add and select the pointer checkbox.

The window will change and allow you to type in the address of a pointer and a offset.
Fill in as address the address you just found.
If the assembler instruction has a calculation (e.g: [esi+12]) at the end then type the value in that's
at the end. else leave it 0. If it was a more complicated instruction look at the calculation.

example of a more complicated instruction:
[EAX*2+EDX+00000310] eax=4C and edx=00801234.
In this case EDX would be the value the pointer has, and EAX*2+00000310 the offset, so the offset you'd
fill in
would be 2*4C+00000310=3A8.  (this is all in hex, use cal.exe from windows in scientific mode to

Back to the tutorial, click OK and the address will be added, If all went right the address will show
P->xxxxxxx, with xxxxxxx being the address of the value you found. If thats not right, you've done
something wrong. Now, change the value using the pointer you added in 5000 and freeze it. Then click
Change pointer, and if all went right the next button will become visible.

And you could also use the pointer scanner to find the pointer to this address

About Pointer

This section will discuss little thing about pointer. If you think you know what pointer is, you can skip this section and head to solution section.

An object in programming is instantiation of type or class. Generally, an object is a chunk of memory that can hold data. An object has a memory address (where its data begins). In C++ for example, we know various object like integer, character, floating point number, and also object instantiated from class.

An object that holds the memory address of another object is referred as a pointer. Therefore, pointer do not hold actual data, but it “point” to another object who has the data.

Accessing a pointer will indirectly accessing the variable or value pointed by the pointer. Pointer is commonly used when we do a pass by reference when calling a function.

Let’s see some code for pointer, in C++

#include <iostream>
using namespace std;

int main() {
    int data = 10;
    int * pointer = & data;
    int data2 = 5;

    cout << "Memory location of data is " << &data << endl;
    cout << "Memory location of data2 is " << &data << endl;
    cout << "Pointer now point to " << pointer << endl;

    cout << endl;

    cout << "The data we have:" << endl;
    cout << "data:     " << data << endl;
    cout << "data2:    " << data2 << endl;
    cout << "*pointer: " << *pointer << endl;

    cout << endl;

    data = 20;

    cout << "The data now:" << endl;
    cout << "data:     " << data << endl;
    cout << "data2: " << data2 << endl;
    cout << "*pointer: " << *pointer << endl;

    cout << endl;

    *pointer = 30;

    cout << "After modification on *pointer:"<<endl;
    cout << "data:     " << data << endl;
    cout << "data2:    " << data2 << endl;
    cout << "*pointer: " << *pointer << endl;

    pointer = & data2;

    cout << "Memory location of data is " << &data << endl;
    cout << "Memory location of data2 is " << &data << endl;
    cout << "Pointer now point to " << pointer << endl;

    *pointer = 10;

    cout << "After modification on *pointer:"<<endl;
    cout << "data:     " << data << endl;
    cout << "data2:    " << data2 << endl;
    cout << "*pointer: " << *pointer << endl;

    return 0;

In C++, to get a memory address of an object we use operator & in front of the object. Pointer can be accessed in two different manner: accessing the address value and accessing the pointed object.

In above codes, we see pointer is initialized to point the address of data ( pointer = & data ). Remember that pointer is also an object which hold other memory location as its value. Therefore, the value of pointer is now the address of data. Accessing the address value means accessing the value of pointer. Operation means to change the address pointed by pointer ( pointer = & data2 ). After that operation, pointer point to data2, not data anymore. Another one is accessing the pointed object as if we are directly manipulate them. You can see by manipulating value of data and data2 from *pointer.

In application, pointer is used heavily, because pointer is flexible. One can use a single object or having necessary amount of object. When the object is needed, it can be manipulated by pointer in any side of memory segment.

Solution 1

Information we got from the hint:

  1. It use pointer, one level pointer
  2. Address of value can change each time we press button “Change pointer”

Like always, get the address of value. I think we have cover it everytime so let’s skip and assume you have found the address, add it to working area. Right-click on it and choose “Find out what writes to this address”.


Cheat Engine might ask your confirmation to attach a debugger, this is our intention so if it asks you just confirm agree. After pressing the button, you will see a debugger window.


Go to Cheat Engine Tutorial and press ‘Change value’. Here we have one or more entries. Choose the first one. As seen from this picture, my entry is an instruction 89 02 – mov [rdx], eax on address 10002F985.


Press ‘More information’ button. A new window appears. It will gives us more information about current address and, codes in assembly language for some lines around current breakpoint. This window also display current condition of CPU registers.

Find where it says “The value of the pointer needed to find this address is probably XXXXXXXX”. For my case, it is 01103380. Basically we will find a pointer which point to, in my case 01103380.


Now close the information window and or just move it to another area of your screen. Then go back to main Cheat Engine interface and start a new scan. This time, check Hex so we will find a hexadecimal value instead of decimal. Type in the value with XXXXXXXX, whatever you got previously.

I got 1 address, a memory address points to 01103380, which is 1002C7710. We will copy the address, but we do this manually (not double clicking the entry). Press “Add address manually” button.


A new window will appear. Type in the address we got. The address for my case is 1002C7710. For offset, leave it as 0.


Press OK to finish adding. Now see the working area, there should be a new entry there, our newly created entry. The value should be the same as the other address (see the above entry). If you got “??” then you did it wrong. Try it again until you got something like this:


Try pressing “Change value” on the Cheat Engine Tutorial. Both value on our working area will change. Now change the value of entry with address “P -> XXXXXXXX” to 5000. Then, check a checkbox on column “Active” to freeze the value. Go back to Cheat Engine Tutorial and press “Change pointer”. CET will count down. If you do it right, CET will stop and the next button should be unlocked.

, ,

About Author

about author


A man who is obsessed to low level technology.

Leave a Reply

Your email address will not be published. Required fields are marked *

Social Share Buttons and Icons powered by Ultimatelysocial