We have seen Cheat Engine in the previous introduction. As said in that article, Cheat Engine provides a "cheat me" program that lets us practise using Cheat Engine; officially it is called the Cheat Engine Tutorial. In this article we will use Cheat Engine to "cheat" that program. Specifically, we will do the "seventh stage".
In this article I use:
- Windows 8 64-bit
- Cheat Engine 6.3
- Cheat Engine Tutorial v3
At minimum you should understand the basic layout of Cheat Engine and know how to attach Cheat Engine to a running process. If you don't, please refer back to the introduction.
Open Cheat Engine Tutorial v3.
If you got to this article after beating the sixth stage, clear the previous results by clicking 'New scan' and clearing the work area.
Some of this article involves assembly language. It is not a requirement, but knowing some assembly will make things easier. You can learn assembly from my Assembly Language Tutorial page or by watching the Assembly Language Primer Video for Hackers.
Every stage can be accessed individually. To access this stage from the Cheat Engine Tutorial's main window, enter 525927 in the password box.
Dark Byte (the Cheat Engine creator) wrote this as the hint:
This step will explain how to use multi-level pointers. In step 6 you had a simple level-1 pointer, with the first address found already being the real base address. This step however is a level-4 pointer. It has a pointer to a pointer to a pointer to a pointer to a pointer to the health. You basically do the same as in step 6. Find out what accesses the value, look at the instruction and what probably is the base pointer value, and what is the offset, and already fill that in or write it down. But in this case the address you'll find will also be a pointer. You just have to find out the pointer to that pointer exactly the same way as you did with the value. Find out what accesses that address you found, look at the assembler instruction, note the probable instruction and offset, and use that. And continue till you can't get any further (usually when the base address is a static address, shown up as green). Click Change Value to let the tutorial access the health. If you think you've found the pointer path click Change Register. The pointers and value will then change and you'll have 3 seconds to freeze the address to 5000. Extra: This problem can also be solved using an auto assembler script, or using the pointer scanner. Extra2: In some situations it is recommended to change CE's codefinder settings to Access violations when encountering instructions like mov eax,[eax] since debugregisters show it AFTER it was changed, making it hard to find out the value of the pointer.
OK, in the fifth stage (step 6 in the tutorial's own numbering, which counts the welcome screen as step 1; that is the "step 6" the hint refers to) we faced a level-1 pointer, meaning:
Pointer -> data
In this stage we face a level-4 pointer. Let P1, P2, P3, P4 be pointers; a level-4 pointer chain is:
P1 -> P2 -> P3 -> P4 -> data
Here P1 is a static address inside the tutorial's module (Cheat Engine shows such addresses in green) and every arrow means "read the pointer stored there and add an offset". With the four offsets this stage uses, the address of the data is [[[[P1] + offset4] + offset3] + offset2] + offset1. A pointer found at any intermediate level is only as stable as the pointer above it; only the static P1 survives the tutorial's 'Change pointer' button, which is why we have to walk the chain all the way back.
Like always, get the address of the value. We have covered this every time, so let's skip it and assume you have found the address and added it to the work area. For example, here is my work area. Pay attention to the addresses we find along the way, as we will work with addresses a lot. Of course, my results may differ from yours, so adjust accordingly.
Right-click on it and choose “Pointer scan for this address”.
Two new windows appear. The first window holds the options for the pointer scan. It asks which address the scanner should look for; it then searches the whole attached process for pointer paths that end at that address. Accept the defaults and click OK. When it asks you to save the result file, do so.
Wait for it to finish; the second window then lists all pointer paths found and filtered. It may take a couple of minutes, depending on your system.
Now go to the Cheat Engine Tutorial and click 'Change pointer'. Notice that the value at the old address goes to 0: the tutorial has moved the health somewhere else, so the old address is no longer interesting. Start a new scan for the new value displayed in the Cheat Engine Tutorial and, as always, add the address you find to the work area. Here is what mine looks like.
Look at the address of the newly found entry (the one underlined in red). Write it down or copy it. To copy the address, double-click it; a new dialog appears, and you can copy the text from there (see the red circle below).
Now go back to the pointer scanner and open the 'Pointer scanner' menu on the menu bar. Click 'Rescan memory – Removes pointers not pointing to the right address'.
Another window appears. Write or paste the address we copied before (see the red circle below) and press OK.
Depending on the situation you may get one or more results. If you get exactly one, you are lucky. On several attempts I found more than one result because I did this stage as a marathon from stage one (I don't know if this is the cause). If that is the case, just pick one; I picked the first entry. Every entry that survives the rescan resolved to the health address both before and after 'Change pointer', so each is plausible; clicking 'Change pointer' a few more times and checking which entries still show the value is the way to tell a coincidental path from the real chain.
Double-click the entry you chose; it is added to the work area. Here is what my work area looks like.
Now, to make sure we have the correct address, go to the Cheat Engine Tutorial and click 'Change pointer'. If our entry still shows the correct (same) value, we have what we want. Change the value to 5000 and freeze it, then click 'Change pointer' once more: the tutorial waits a few seconds and, if the frozen entry still reads 5000 at the new location, unlocks the next (last) stage.
The second solution finds each address manually. It therefore relies heavily on the low-level assembly representation, as we did in the fifth stage.
Remember that I use 64-bit Windows and the 64-bit builds of both Cheat Engine and the Cheat Engine Tutorial. 64-bit and 32-bit Windows differ in their ABI (Application Binary Interface), the set of conventions that governs how registers, memory layout, the stack, calling conventions and so on are used. A 64-bit OS uses the processor's 64-bit mode, which can address up to 2^64 bytes, so a pointer is 8 bytes wide instead of 4. The register names also differ: EAX is a 32-bit register and RAX is its 64-bit counterpart (likewise ESI and RSI). Therefore, adjust the results written here to your environment. It should not be hard; I will explain it from the ground up. If you have beaten the fifth stage (you should have), you can beat the seventh stage with this solution.
First, get the address of the value. We have covered this every time, so let's skip it and assume you have found the address and added it to the work area. Pay extra attention to every address written in the work area; I will show you why. My work area now looks like this:
Right-click the entry and choose "Find out what writes to this address".
A debugger is attached. Now go back to the Cheat Engine Tutorial and click 'Change value', then return to the debugger window. See the following picture (open it in a new tab if you cannot see the image clearly).
We find the instruction that writes to our address. The code is shown in Intel syntax (as opposed to AT&T syntax). The destination operand is the memory location at RSI + 18, that is, 18 hex (24 decimal) bytes past the address held in RSI; Cheat Engine shows these displacements in hexadecimal. So let's find out the value in RSI (see the red circle). Copy that value and close the debugger window. On 32-bit Windows I believe it is in a general purpose register such as EAX or EBX; in any case, whichever register appears inside the square brackets of the destination operand is the one holding the pointer, and its value is what you copy.
Also remember, or write down, that the offset is 18 (hex). We will refer to this as offset1.
Now back to Cheat Engine. Start a new scan. The value we are searching for is hexadecimal, so tick 'Hex', and set the value type to 8 Bytes (4 Bytes on a 32-bit target), because we are searching for a pointer and a pointer is as wide as the address space. Enter the value we copied from RSI. There should be only one result; add it to the work area. Here is mine:
Now right-click the 2nd entry and choose "Find out what accesses this address". Go back to the Cheat Engine Tutorial and click 'Change value'. Return to the debugger and see what happens.
I got 2 results, so which one? Both use [rsi] with no displacement, so the offset is 0; we will refer to this as offset2. The first result moves the value into RAX, so let's pick that one (either would do here: both accessed the watched address with offset 0, so RSI holds the same value in both). Copy the value of RSI and close the debugger.
Do a new hex search for the RSI value we just copied (again as an 8-byte value). Add the result to the work area.
"Find out what accesses this address" again. You know what comes next, right? The offset I got this time (offset3) is 18.
Start a new search, add the result to the work area, and "Find out what accesses this address" once more. This time I got offset 10 (offset4).
Before we go, let’s recap what we have so far.
And our offsets, in the order we found them (from the value back toward the base): offset1 = 18, offset2 = 0, offset3 = 18, offset4 = 10 (all hexadecimal).
Now start a new search for the last RSI value. This time you will see one result with a green-coloured address. Green means the address is static (it lies inside the module image rather than on the heap), so it does not move when the tutorial reallocates; this is the end of the chain and our base.
Good! Now add it to the work area manually. In Cheat Engine, click the 'Add address manually' button. A new window appears. Tick 'Pointer'. Click 'Add Offset' until there are FOUR offset boxes. Fill them with the offsets we collected so far (see the table above). In this dialog the base address is the bottom field and the offsets are applied from the bottom box upward, so offset4 (10) goes in the box nearest the base and offset1 (18) in the topmost one, giving [[[[base] + 10] + 18] + 0] + 18. For the address, enter the green address from the result (in my example: 1002C7740). Here is what I did:
If you did this correctly, the dialog already shows the health value. Click OK.
Select the latest entry in the work area and double-click its value to change it. Change the value to 5000 and freeze it. In the Cheat Engine Tutorial, click 'Change pointer'. If you followed all the steps in this article, the Next button is unlocked. Congratulations!
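To make the pointer-chain definition (P1 -> P2 -> P3 -> P4 -> data) and the manual walk of this second solution concrete, here is an added example of my own. It is not code from this article, from Cheat Engine or from the tutorial program; it models the tutorial's memory with a made-up word-addressed dictionary. It shows three things: how Cheat Engine resolves base + offsets for a pointer entry, how the reverse search (find the slot that holds "register value + displacement", then search for that slot's address, until a static slot is hit) recovers the chain from the health address, and why the pointer scanner's "Rescan memory" after 'Change pointer' drops a path that only matched by coincidence. Only the offsets 10, 18, 0, 18 and the base 1002C7740 come from this article; the heap layout, the address range treated as "static" (green), the decoy cached pointer and the names FakeProcess, build_chain, resolve, find_chains and rescan are assumptions made for the demonstration. Pass ptr_size=4 and a 32-bit static range to model the 32-bit builds.

```python
"""Constructed model of this stage's level-4 pointer chain (made-up addresses,
no real process): (a) how Cheat Engine resolves base + offsets, (b) the reverse
walk from the health value back to a static address that the manual solution
does by hand, and (c) why the pointer scanner's rescan after "Change pointer"
drops stale candidates."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Chain = Tuple[int, List[int]]   # (static base address, offsets in base -> value order)


@dataclass
class FakeProcess:
    """Word-addressed stand-in for the tutorial's address space. Assumption: every
    location we care about holds either a pointer or the health value."""
    ptr_size: int = 8                  # 8 on the article's 64-bit target, 4 on 32-bit
    static_lo: int = 0x1_0000_0000     # assumed module image range; CE colours these green
    static_hi: int = 0x1_0100_0000
    words: Dict[int, int] = field(default_factory=dict)

    def write(self, addr: int, value: int) -> None:
        self.words[addr] = value & ((1 << (8 * self.ptr_size)) - 1)

    def read(self, addr: int) -> int:
        return self.words.get(addr, 0)

    def is_static(self, addr: int) -> bool:
        return self.static_lo <= addr < self.static_hi


STATIC_BASE = 0x1002C7740              # the green address from the article's run
OFFSETS = [0x10, 0x18, 0x00, 0x18]     # article's offset4 .. offset1, base -> value


def build_chain(proc: FakeProcess, heap: int, health: int) -> int:
    """Lay out base -> +0x10 -> +0x18 -> +0x00 -> +0x18 -> health on a fake heap and
    return the health address. Calling it again with a different heap address plays
    the role of the tutorial's "Change pointer" button."""
    objs = [heap + i * 0x100 for i in range(len(OFFSETS))]
    proc.write(STATIC_BASE, objs[0])
    for cur, nxt, off in zip(objs, objs[1:], OFFSETS):
        proc.write(cur + off, nxt)
    proc.write(objs[-1] + OFFSETS[-1], health)
    return objs[-1] + OFFSETS[-1]


def resolve(proc: FakeProcess, chain: Chain) -> int:
    """What CE does for an 'Add address manually' entry with Pointer ticked: read the
    base, add the bottom offset and dereference, repeat, and add the top offset last."""
    base, offsets = chain
    addr = proc.read(base)
    for off in offsets[:-1]:
        addr = proc.read(addr + off)
    return addr + offsets[-1]


def find_chains(proc: FakeProcess, target: int, max_offset: int = 0x80,
                max_level: int = 5) -> List[Chain]:
    """Reverse walk. A slot holding v with 0 <= target - v <= max_offset is a pointer to
    target with offset target - v (the register value and displacement the debugger
    showed). A static slot ends the chain; any other slot becomes the next target,
    just like searching for the RSI value again. Several chains may come back, as
    the pointer scanner may also list more than one path."""
    if max_level == 0:
        return []
    found: List[Chain] = []
    for slot, value in proc.words.items():
        off = target - value
        if not 0 <= off <= max_offset:
            continue
        if proc.is_static(slot):
            found.append((slot, [off]))
        else:
            for base, offsets in find_chains(proc, slot, max_offset, max_level - 1):
                found.append((base, offsets + [off]))
    return found


def rescan(proc: FakeProcess, chains: List[Chain], new_target: int) -> List[Chain]:
    """'Rescan memory': keep only chains that still resolve to the address the health
    moved to after "Change pointer"."""
    return [c for c in chains if resolve(proc, c) == new_target]


def demo() -> dict:
    proc = FakeProcess()
    decoy = 0x1002C7800                # assumed: a static slot that cached the last
    health1 = build_chain(proc, 0x5000_0000, 100)   # object once and is never refreshed
    proc.write(decoy, health1 - OFFSETS[-1])
    candidates = sorted(find_chains(proc, health1))  # first pointer scan: two paths
    health2 = build_chain(proc, 0x6000_0000, 100)    # "Change pointer"
    survivors = rescan(proc, candidates, health2)    # only the real chain is left
    proc.write(resolve(proc, survivors[0]), 5000)    # the freeze-to-5000 step
    return {"proc": proc, "health1": health1, "health2": health2,
            "candidates": candidates, "survivors": survivors}


if __name__ == "__main__":
    r = demo()
    for base, offs in r["candidates"]:
        print(f"candidate {base:#x} offsets {[hex(o) for o in offs]}")
    base, offs = r["survivors"][0]
    print(f"survivor  {base:#x} offsets {[hex(o) for o in offs]} -> "
          f"{resolve(r['proc'], (base, offs)):#x} = {r['proc'].read(r['health2'])}")
```

The decoy is a static slot that happened to hold the address of the last object during the first scan, so it looks like a valid one-offset path until 'Change pointer' moves everything and the rescan drops it. The same logic is why the article has you verify the chosen entry with another 'Change pointer' before freezing the value.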