Search K
Appearance
Appearance
Other ways to support HackTricks:
Cheat Engine is a useful program to find where important values are saved inside the memory of a running game and change them.
When you download and run it, you are presented with a tutorial of how to use the tool. If you want to learn how to use the tool it's highly recommended to complete it.
This tool is very useful to find where some value (usually a number) is stored in the memory of a program.
Usually numbers are stored in 4bytes form, but you could also find them in double or float formats, or you may want to look for something different from a number. For that reason you need to be sure you select what you want to search for:
Also you can indicate different types of searches:
You can also check the box to stop the game while scanning the memory:
In Edit --> Settings --> Hotkeys you can set different hotkeys for different purposes like stopping the game (which is quiet useful if at some point you want to scan the memory). Other options are available:
Once you found where is the value you are looking for (more about this in the following steps) you can modify it double clicking it, then double clicking its value:
And finally marking the check to get the modification done in the memory:
The change to the memory will be immediately applied (note that until the game doesn't use this value again the value won't be updated in the game).
So, we are going to suppose that there is an important value (like the life of your user) that you want to improve, and you are looking for this value in the memory)
Supposing you are looking for the value 100, you perform a scan searching for that value and you find a lot of coincidences:
Then, you do something so that value changes, and you stop the game and perform a next scan:
Cheat Engine will search for the values that went from 100 to the new value. Congrats, you found the address of the value you were looking for, you can now modify it.
If you still have several values, do something to modify again that value, and perform another "next scan" to filter the addresses.
In the scenario you don't know the value but you know how to make it change (and even the value of the change) you can look for your number.
So, start by performing a scan of type "Unknown initial value":
Then, make the value change, indicate how the value changed (in my case it was decreased by 1) and perform a next scan:
You will be presented all the values that were modified in the selected way:
Once you have found your value, you can modify it.
Note that there are a lot of possible changes and you can do these steps as much as you want to filter the results:
Until know we learnt how to find an address storing a value, but it's highly probably that in different executions of the game that address is in different places of the memory. So lets find out how to always find that address.
Using some of the mentioned tricks, find the address where your current game is storing the important value. Then (stopping the game if you whish) do a right click on the found address and select "Find out what accesses this address" or "Find out what writes to this address":
The first option is useful to know which parts of the code are using this address (which is useful for more things like knowing where you can modify the code of the game).
The second option is more specific, and will be more helpful in this case as we are interested in knowing from where this value is being written.
Once you have selected one of those options, the debugger will be attached to the program and a new empty window will appear. Now, play the game and modify that value (without restarting the game). The window should be filled with the addresses that are modifying the value:
Now that you found the address it's modifying the value you can modify the code at your pleasure (Cheat Engine allows you to modify it for NOPs real quick):
So, you can now modify it so the code won't affect your number, or will always affect in a positive way.
Following the previous steps, find where the value you are interested is. Then, using "Find out what writes to this address" find out which address writes this value and double click on it to get the disassembly view:
Then, perform a new scan searching for the hex value between "[]" (the value of $edx in this case):
(If several appear you usually need the smallest address one)
Now, we have found the pointer that will be modifying the value we are interested in.
Click on "Add Address Manually":
Now, click on the "Pointer" check box and add the found address in the text box (in this scenario, the found address in the previous image was "Tutorial-i386.exe"+2426B0):
(Note how the first "Address" is automatically populated from the pointer address you introduce)
Click OK and a new pointer will be created:
Now, every time you modifies that value you are modifying the important value even if the memory address where the value is is different.
Code injection is a technique where you inject a piece of code into the target process, and then reroute the execution of code to go through your own written code (like giving you points instead of resting them).
So, imagine you have found the address that is subtracting 1 to the life of your player:
Click on Show disassembler to get the disassemble code.
Then, click CTRL+a to invoke the Auto assemble window and select Template --> Code Injection
Fill the address of the instruction you want to modify (this is usually autofilled):
A template will be generated:
So, insert your new assembly code in the "newmem" section and remove the original code from the "originalcode" if you don't want it to be executed**.** In this example the injected code will add 2 points instead of substracting 1:
Click on execute and so on and your code should be injected in the program changing the behaviour of the functionality!
Other ways to support HackTricks: