Cheating Engine
1. Download
https://www.cheatengine.org/index.php
2. Tutorial
Step1
Step2
Exact value
Value = v
Scan Type = Exact value
Value Type = 4/2 Bytes (1 Byte probably won’t work)
First Scan
- Change the value v
- Choose the proper Scan Type and click Next Scan
- Repeat until only a few are left
- Choose the best fit (or test them one by one)
Step3
Unknown initial value
Scan Type = Unknown initial value
Value Type = 4 Bytes (most Windows apps use a 4-byte int for the value)
- Change the value v
- Choose the proper Scan Type and click Next Scan
- Repeat until only a few are left
- Choose the best fit (or test them one by one)
Step4
Other
If the search finds nothing, the value is probably not stored as an int; change Value Type to Double/Float and try again
Hint: It is recommended to disable “Fast Scan” for type double
Step5 Code finder
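Find code
Goal: lock a value so that it can no longer be changed
Find the address as in 2.1
Right-click -> Find out what writes to this address
Change the value; the window shows the assembly code (the instruction that changed the value)
Step4: Replace it with nothing (n NOPs)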
Step6 Pointers
- First find the address of the value
- Then use that address to find the pointer that stores it
Add Address Manually
Step7 Code Injection
??
Step8 Multilevel pointers
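Method 1: pointer scanner
- Find the value, right-click, generate pointermap, and save it as step8.scandata
- Restart the tutorial (remember to use the same PW)
- Find the value again, right-click, Pointer scan for this address
- Compare results with other, select the file saved earlier, and select the Address
- Note: for real games, Max level is usually 8/9
- Finally, confirm and save the results
- You get one or more results; if there are several, keep changing the value until only one is left
- Double-click it to add it to the Address list, change value to 5000, freeze it (tick the box to the left of the address), done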
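Method 2: manual method
- Find the value, then Find out what accesses this address
- Change the value; the instruction mov [rsi+18],eax shows up, which means the offset is 18
- Search for the hex value (address of the value) - 0x18 to find the pointer; repeat the steps above until you reach the base address (green)
You can open Table Extra to keep notes, for example:
Info about this table:
a+18->value
b+0->a
c+18->b
d+10->c
Tutorial-x86_64.exe+306B00->d
- Finally, Add address manually, enter the base address Tutorial-x86_64.exe+306B00, Add offset, and fill in 10 18 0 18 in order; this gives the same result as above
Note: the same data may be reachable through more than one path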
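The pointer path recorded above (Tutorial-x86_64.exe+306B00 with offsets 10 18 0 18), as an added example that is not part of the original notes or of Cheat Engine: a C program that builds the same chain in its own memory, walks it forward, and repeats one level of the manual search. heap, static_base, PATH and all function names are constructed for illustration; the second run uses different blocks to show why the path from a static base still works after a restart while the raw address does not.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins: two "runs" of four 0x20-byte blocks d, c, b, a. */
static unsigned char heap[2][4][0x20];
static unsigned char *static_base;  /* plays the role of Tutorial-x86_64.exe+306B00 */
static const size_t PATH[4] = {0x10, 0x18, 0x0, 0x18};  /* offsets from the notes (hex) */
static void put_ptr(unsigned char *at, const void *p) { memcpy(at, &p, sizeof p); }
static unsigned char *get_ptr(const unsigned char *at) {
    unsigned char *p; memcpy(&p, at, sizeof p); return p;
}
/* Lay out one run: base->d, d+10->c, c+18->b, b+0->a, a+18->value. */
void build_chain(int run, int32_t value) {
    unsigned char (*blk)[0x20] = heap[run];  /* blk[0]=d, blk[1]=c, blk[2]=b, blk[3]=a */
    memset(blk, 0, sizeof heap[run]);
    put_ptr(blk[0] + 0x10, blk[1]);
    put_ptr(blk[1] + 0x18, blk[2]);
    put_ptr(blk[2] + 0x00, blk[3]);
    memcpy(blk[3] + 0x18, &value, sizeof value);
    static_base = blk[0];
}
/* Forward walk: start at the base, add each offset, dereference all but the last. */
unsigned char *resolve(void) {
    unsigned char *p = static_base;
    for (size_t i = 0; i < 4 && p; i++) {
        p += PATH[i];
        if (i < 3) p = get_ptr(p);
    }
    return p;
}
int32_t read_value(void) {
    int32_t v = 0; unsigned char *p = resolve();
    if (p) memcpy(&v, p, sizeof v);
    return v;
}
/* Manual method, one level: which pointer-sized slot of block holds target? -1 if none. */
long find_slot(const unsigned char *block, const void *target) {
    for (size_t off = 0; off + sizeof target <= 0x20; off += sizeof target)
        if (get_ptr(block + off) == target) return (long)off;
    return -1;
}
int main(void) {
    for (int run = 0; run < 2; run++) {
        build_chain(run, 100);  /* same value, different blocks, as after a restart */
        printf("run %d: value=%d at %p\n", run, (int)read_value(), (void *)resolve());
    }
    return 0;
}
```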
Step 9: Shared code
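Background: Player and Monster both inherit from Entity, so if you keep the health value from changing, the Monster's health stops changing as well
- First find Player3's health
- Click Find out what writes to this address, change the health value, show disassembler, stop and close unnecessary windows
- Right-click and choose Find out what addresses this instruction accesses
- Attack every player in turn
- Four addresses appear one after another; make sure Float display is selected in the bottom-right corner
- Select two at once, right-click Find xx->Mark as xx, and put the first two in group1 and the last two in group2
- Select any one of them, Find xx->Scan for commonalities
- Double click to launch structure compare and tick Only find matching groups
- Or use Open dissect xx and go through each one
- The result: +8 is the health value as a Float, and +14 is the team number
- In Memory Viewer, choose Auto Assemble to add a script
- Choose Template, first add Cheat Table framework code, then add Code injection
; core injected code
cmp [rbx+14],1
je short exit
- Finally, File -> Assign to current cheat table
- Then activate it (Active)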
3. Tutorial Game
4. Anti-cheating
For the Tutorial above, modifying it directly changes the exe file, which triggers the anti-cheat system