We have seen Cheat Engine on previous introduction. As said on that article, Cheat Engine has provide a “cheat me” program to let us practice using Cheat Engine. Officially it is called Cheat Engine Tutorial. In this article we will use Cheat Engine and practice in “cheating” the program. Specifically, we will do the “sixth stage”.
In this article I use:
- Windows 8 64-bit
- Cheat Engine 6.3
- Cheat Engine Tutorial v3
At least you understand the basic layout of Cheat Engine. You should know how to load a running process to Cheat Engine. If you don’t, please refer back to the introduction.
Open the Cheat Engine Tutorial v3
If you get to this article after beat the fifth stage, make sure you clear the previous result by click on ‘New scan‘ and clear work area.
Some of this article will involve assembly language. Even though it is not a requirement, but knowing some assembly will ease you. You can learn assembly at my Assembly Language Tutorial page or watching Assembly Language Primer Video for Hackers.
Every stage can be accessed individually. To access this stage from Cheat Engine Tutorial’s main window, enter 013370 to password line edit.
Dark Byte (Cheat Engine creator) wrote this as hint:
Code injection is a technique where one injects a piece of code into the target process, and then reroute the execution of code to go through your own written code In this tutorial you'll have a health value and a button that will decrease your health with 1 each time you click it. Your task is to use code injection to increase the value of your health with 2 every time it is clicked Start with finding the address and then find what writes to it. then when you've found the code that decreases it browse to that address in the disassembler, and open the auto assembler window (ctrl+a) There click on template and then code injection, and give it the address that decreases health (If it isn't already filled in correctly) That will generate a basic auto assembler injection framework you can use for your code. Notice the alloc, that will allocate a block of memory for your code cave, in the past, in the pre windows 2000 systems, people had to find code caves in the memory(regions of memory unused by the game), but that's luckily a thing of the past since windows 2000, and will these days cause errors when trying to be used, due to SP2 of XP and the NX bit of new CPU's Also notice the line newmem: and originalcode: and the text "Place your code here" As you guessed it, write your code here that will increase the health with 2. a usefull assembler instruction in this case is the "ADD instruction" here are a few examples: "ADD ,9" to increase the address at 00901234 with 9 "ADD [ESP+4],9" to increase the address pointed to by ESP+4 with 9 In this case, you'll have to use the same thing between the brackets as the original code has that decreases your health Notice: It is recommended to delete the line that decreases your health from the original code section, else you'll have to increase your health with 3 (you increase with 3, the original code decreases with 1, so the end result is increase with 2), which might become confusing. But it's all up to you and your programming. Notice 2: In some games the original code can exist out of multiple instructions, and sometimes, not always, it might happen that a code at another place jumps into your jump instruction end will then cause unknown behavior. If that happens, you should usually look near that instruction and see the jumps and fix it, or perhaps even choose to use a different address to do the code injection from. As long as you're able to figure out the address to change from inside your injected code.
Information we got from the hint:
- We can change game logic
- objective: everytime the button clicked, our HP is increased by 2 instead of decreased
Like always, get the address of value. I think we have cover it everytime so let’s skip and assume you have found the address, add it to working area. Right-click on it and choose “Find out what writes to this address”.
Cheat Engine might ask your confirmation to attach a debugger, this is our intention so if it asks you just confirm agree. After pressing the button, you will see a debugger window.
Go to Cheat Engine Tutorial and press ‘Hit me’. Go back to Cheat Engine debugger and find whether our list has been populated. Here we have one or more entries. Choose the first one. As seen from this picture, my entry is an instruction FF 8B 88070000 – dec [rbx+00000788] on address 100030142.
Press ‘Show disassembler’ button. A new window appears. It will gives us a window full of assembly language program and hexadecimal code. The first table is disassembler, list every operation in assembly language. We are now stop at the top instruction. Following it is a hex dumping, viewing the memory in hexadecimal format.
Make sure you highlight the code for decrement (it should be highlighted by default).
Now click Tools and then click Auto assemble. Alternatively you can press Ctrl +A. A new window appear, something like a simple editor.
Now, click Template and click “Code Injection”. Code Injection is operation allow us alter the program logic by reroute the flow control. Cheat Engine can inject a new jump to the running application when the execution reach certain address. In the destination address, we will then create a chunk of instruction which will be executed when the flow arrive.
When a confirmation dialog shown, just press OK. Basically it will ask you where we will jump when the execution reach this address. Any code is find, Cheat Engine will take care the job for creating a code for memory allocation etc. Now we have something like this:
Now we have some section here. The first block is allocation and initialization, done by Cheat Engine. Don’t touch this, I highly warn you. The next is a label newmem. This will be the place where we place our code. The next is originalcode, it has function like implied by name. Later is exit, when the execution of this chunk end. And the final block is taken care by Cheat Engine.
Copy the line after label original code.
Now there is two different path we can take but both accomplice the same objective. Let’s see the first path.
We know that in assembly language, opcode dec is used to decrease the operand (register / memory address) by 1. What should we do if we want the resultant is increased by 2 instead of decreased by one? OK, we have opcode add which can use. Now let’s do some math here. X – 1 = 2, what is X? Yes, it’s three. So we should add 3 first before the code is subtracted by 1. Replace line started by // with following code:
add [rbx+00000788], 3
OK, where do I find magic number 00000788? See the dec line, you got what you need.
OK, it’s fun doing some math, but there is an easier way. Now let’s find out the second method.
Delete the line started with dec opcode. Now, instead of adding 3, you can add only 2.
add [rbx+00000788], 2
Any path you choose, it should give the same result.
Now press Execute and then go back to Cheat engine Tutorial. Press ‘Hit me’ and see your HP is raised by 2. You will also see the ‘Next’ button is now enabled. Cheers, you beat this stage!challenges, cheat engine, memory