Cheating Engine

1. Download

https://www.cheatengine.org/index.php

2. Tutorial

Step1

Step2

Exact value

1. • Value = v
     • Scan Type = Exact value
     • Value Type = 4/2 Bytes (1 Byte probably won’t work)
     • First Scan
2. • Change the value v
     • Choose proper Scan Type and Next Scan
     • Until there’s few left
     • Choose the best suit (Or test them one by one)

Step3

Unknown initial value

1. • Scan Type = Unknown initial value
     • Value Type = 4 Bytes (For most windows app, it will use 4-byte int as the value)
2. • Change the value v
     • Choose proper Scan Type and Next Scan
     • Until there’s few left
     • Choose the best suit (Or test them one by one)

Step4

Other

如果搜索不出来，表明可能不是用int/整数存储，将Value Type改为Double/Float重试

Hint: It is recommended to disable “Fast Scan” for type double

Step5 Code finder

查找代码

需求：锁定某个值，使其不能更改

• 按照 2.1 找到地址

• 右键Find out what writes to this address

• 改变该值，窗口中会出现汇编代码 (改变了该值的汇编代码)

• Step4：Replace it with nothing (n个nob)

Step6 Pointers

• 首先找到value的地址
• 再根据该地址找到存储该地址的指针
• Add Address Manually

Step7 Code Injection

？？

Step8 Multilevel pointers

方法一 pointer scanner

• 找到该值，右键generate pointermap，保存为step8.scandata

• 重新开始tutorial (记得使用相同的PW)

• 找到该值，右键Pointer scan for this address

  Compare results with other，选择之前保存的，选择Address

  Note：对于实际游戏而言，Max level一般为8/9

  最后确认，保存结果

• 得到一个或多个结果，多个继续change value，直到只剩下一个

• 双击以添加到Address list中，change value to 5000，freeze it (选中地址左边的框)，over

方法二 manual method

• 找到该值，Find out what assesses to this address

• 改变该值，发现mov [rsi+18],eax，表示偏移量为18

• 搜索0xvalue的地址-0x18，找到该指针，循环进行以上操作，直到找到基址 (绿色)

• 可打开Table Extra辅助记录信息，如

  Info about this table:
  a+18->value
  b+0->a
  c+18->b
  d+10->c
  Tutorial-x86_64.exe+306B00->d

• 最后Add address manually，输入基址Tutorial-x86_64.exe+306B00，Add offset，依次填入10 18 0 18，即可得到和上面一样的结果

Note：同样一个数据可能有多条访问到达它的路径

Step 9: Shared code

背景：Player和Monster都继承自Entity，如果让health的value不变，Monster的health也会不变

• 首先找到Player3的health

• 点击Find out what writes to this address，改变health值，show disassembler，stop and close unnecessary window

• 右键选择Find out what addresses this instruction accesses

• 依次Attack所有玩家

  依次会出现四个地址，注意右下角选择Float显示

• 同时选择两个，右键Find xx->Mark as xx，把前两个编为group1，后两个编为group2

  • 选择任意一个Find xx->Scan for commonalities

    Double click to launch structure compare，勾选Only find matching groups

  • 或者Open dissect xx，每个都来一遍

• 最后发现+8 是Float的health值，+14是队伍编号

• 在Memory Viewer中选择Auto Assemble添加脚本

  选择Template，先添加Cheat Table framework code,再添加Code injection

  ;注入核心代码
  cmp [rbx+14],1
  je short exit

  最后File -> Assign to current cheat table

• 最后Active激活即可

3. Tutorial Game

4. Anti-cheating

对于上面的Tutotial如果直接修改，exe文件会改变，导致触发反作弊系统