Cheat Engine Download + Tutorial

Cheat Engine is an open source tool designed to help you modify single-player games running under Windows so you can make them harder or easier depending on your preference (e.g. if you find that 100 HP is too easy, try playing a game with a maximum of 1 HP), but it also contains other useful tools to help with debugging games and even normal applications.
It comes with a memory scanner to quickly scan for variables used within a game and allow you to change them, but it also comes with a debugger, disassembler, assembler, speedhack, trainer maker, direct 3D manipulation tools, system inspection tools and more.
For new users it is recommended to go through the tutorial (the one that comes with Cheat Engine; you can find it in your programs list after installing) and at least reach step 5 for a basic understanding of how to use Cheat Engine.

 FIRST DOWNLOAD THE PROGRAM




Tutorial
------------------------------------- 
Table of contents: 
1. Introduction 
2. The tutorial introduction 
3. Tutorial 1 
4. Tutorial 2 
5. Tutorial 3 
6. Tutorial 4 
7. Tutorial 5 
8. Tutorial 6 
9. Other related stuff 
10. Credits 
------------------------------------- 

Chapter 1: Introduction 

Welcome to YoungDragon's Cheat Engine tutorial. In this tutorial, there are 9 chapters. This will give you a chance to try Cheat Engine at both a basic and a more advanced level! Cheat Engine is a program which allows you to scan addresses, change values, search process memory, and edit things you wouldn't usually be able to edit. Cheat Engine was founded and invented by Dark Byte. It's a very powerful and well-known program. Cheat Engine can be downloaded from its website. Most antivirus programs think Cheat Engine is a virus. It is NOT a virus. I want to make that perfectly clear. It has some tools that antivirus programs think are dangerous, like hacking tools. If you are too scared to download it, download the retarded idiot version (it's for retarded idiots who don't trust anybody, by the way). Cheat Engine is a completely SAFE program. Also, http://www.cheatengine.org is NOT responsible for any illegal use of Cheat Engine. If you get caught using it illegally, it's your problem. It was not intended for illegal use. Now, we will continue to the tutorial. Here is an image of what the program looks like (v6.1):

 

------------------------------------- 

Chapter 2: The tutorial introduction 
Cheat Engine comes with a FREE TUTORIAL! That's great! We will use that in this guide. To find it, click Start, then All Programs, find the directory where Cheat Engine was installed (by default, it's Cheat Engine [version]), and click Cheat Engine tutorial.

 

Here is what it looks like(v3) 

 

This is where we will start the whole tutorial, which will help you with everything you need to know. Here is what Dark Byte wrote: 


Dark Byte wrote:
Welcome to the Cheat Engine Tutorial. (v3.1)

This tutorial will try to explain the basics of cheating on games, and getting you more familiar with Cheat Engine.

First open Cheat Engine if it hasn't been opened yet.
Then click on the 'open process' icon. (top left icon, with the computer on it)

When the process window is open find this tutorial. The process name is probably 'tutorial.exe' unless you
renamed it.
Select it, and click ok. Just ignore all the other buttons right now, but experiment with them later if you feel like it.

When everything went right, the process window should be gone now and at the top of CE the processname is
shown.

Now, click NEXT to continue to the next step. (Or fill in the password to proceed to that particular step you want) 


Now, you will have to get the process of Cheat Engine Tutorial. On the top left of the screen, there is a glowing computer. 
 

Click it to open the process menu. 

Click the Cheat engine tutorial process. 

 

Click Open and you have successfully gotten a process loaded in Cheat Engine! 

Press "Next" to go to tutorial 1 and read Chapter 3. 

Note: You can save the passwords it gives you so you can continue where you were. Thank Dark Byte!

Chapter 3: Tutorial 1 

This is the most BASIC tutorial you have! After you press next, this is what you will get: 


Dark Byte wrote:
Step 2: Exact Value scanning (PW=XXXXXX)
Now that you have opened the tutorial with Cheat Engine lets get on with the next step.

You see at the bottom of this window the text Health: xxx
Each time you click 'Hit me' your health gets decreased.

To get to the next step you have to find this value and change it to 1000

To find the value there are different ways, but I'll tell you about the easiest, 'Exact Value':
First make sure value type is set to at least 2 bytes or 4 bytes, 1 byte will also work, but you'll run into an (easy to fix)
problem when you've found the address and want to change it. The 8-byte may perhaps work if the
bytes after the address are 0, but I wouldn't take the bet.
Single, double, and the other scans just don't work, because they store the value in a different way.

When the value type is set correctly, make sure the scantype is set to 'Exact Value'
Then fill in the number your health is in the value box. And click 'First Scan'
After a while (if you have an extremely slow pc) the scan is done and the results are shown in the list on the
left

If you find more than 1 address and you don't know for sure which address it is, click 'Hit me', fill in the new
health value into the value box, and click 'Next Scan'
repeat this until you're sure you've found it. (that includes that there's only 1 address in the list.....)

Now double click the address in the list on the left. This makes the address pop-up in the list at the bottom,
showing you the current value.
Double click the value, (or select it and press enter), and change the value to 1000.

If everything went ok the next button should become enabled, and you're ready for the next step.


Note:
If you did anything wrong while scanning, click "New Scan" and repeat the scanning again.
Also, try playing around with the value and click 'hit me'


 

This tutorial stores your health using the 4 byte data value. Cheat Engine uses this by default. In this case, you are given the EXACT value of health you have (100). Go to Cheat Engine and in the Value box, type in 100. Click first scan. 

 

Look to the left. Find a table that shows "Address" and "Value". An address is where the data is stored and the value is what the data is. The actual value. 

 

Go to the tutorial and click "Hit me". Your health should go down. My health got to 99. The health you got will be called "myHp". Whenever I refer to myHp, you get the number you have as your health. Go back to Cheat Engine and then type myHp(The health number) you got into the value box. Then press next scan. 

 

You should come up with ONE value. Now, my address is 00259FF0. Your address will be different. If it's different, don't say "OMGZZZ, I DIDZ IT WRONGZZZZ. FUCKZZZ THIS TUTORIALZZZ!!!!!!!!" It will not be the same every time. Addresses change. Double click the address with the value of myHp(The health number. Mine is 99). It should then also be at the bottom. 

 

Now, you see the "Next" button is grey and blocked so you can't go to the next tutorial. Don't worry, we will make it clickable now! To go to the next tutorial, the value has to be >1000 (greater than 1000). Double click the value section at the bottom left side. You should get this:

 

Change the value to 1000 and press OK. 

 

Go back to Cheat Engine tutorial and see that the Next button is unlocked! WAIT! Don't click it. Click "Hit me" and your Health should go UP to 99x.(Change the value to 1000 and press Next to finish Tutorial 1) 

You have now finished Tutorial 1! 

Chapter 4: Tutorial 2 

This tutorial will help you in finding unknown values, like if all you got is a loading bar. Here is what Dark Byte wrote. 


Dark Byte wrote:

Step 3: Unknown initial value (PW=XXXXXX)
Ok, seeing that you've figured out how to find a value using exact value let's move on to the next step.

In the previous test we knew the initial value so we could do an exact value, but now we have a status bar where
we don't know the starting value.
We only know that the value is between 0 and 500. And each time you click 'hit me' you lose some health. The
amount you lose each time is shown above the status bar.

Again there are several different ways to find the value. (like doing a decreased value by... scan), but I'll only
explain the easiest. "Unknown initial value", and decreased value.
Because you don't know the value it is right now, an exact value won't do any good, so choose as scantype
'Unknown initial value', again, the value type is 4-bytes. (most windows apps use 4-bytes)
click first scan and wait till it's done.

When it is done click 'hit me'. You'll lose some of your health. (the amount you lost shows for a few seconds and
then disappears, but you don't need that)
Now go to Cheat Engine, and choose 'Decreased Value' and click 'Next Scan'
When that scan is done, click hit me again, and repeat the above till you only find a few.

We know the value is between 0 and 500, so pick the one that is most likely the address we need, and add it to
the list.
Now change the health to 5000, to proceed to the next step. 


Click New Scan and the table with address/value should clear. Also, select the address we changed to 1000 and press the Delete key on the keyboard. This removes it and avoids future confusion. Now, you see a full progress bar with a value you do not know. Every time you press Hit me, you will get "-(Random number)". Here is what it looks like:

 

Go to Cheat Engine and find value type. By default, it's 4 byte. Change 4 byte to "Unknown initial value" and click Scan.

 

Now, the thing should go back to normal like nothing happened. It should go back to 4 byte. Now, go back to the tutorial app and click Hit me. You should see a thing that says "-(Random number)". Click Hit me now.

 

As you can see, I lost 2 HP. Go to Cheat Engine and change the value type to "Decreased value by...". Now put the number of HP you lost in the box. Then press Next Scan.

 

Now, I ended up with 4 addresses. One of them is 88. The others are at 4,000,000,00+. You have to get at least 5000 for the "Next" button to unlock. Which one do you think is correct if the "Next" button is locked? Yes, it's the address with the value of 88. Double click it to send it to the bottom. Change the value to 5020. Click "Hit me" and the progress bar should get full. If it didn't, you did it wrong. Change the value to 5000 and click Next. This is how you get unknown values quickly. If you do not know what the value decreased by, change the value type to "Decreased value" and hit "Next Scan".

Chapter 5: Tutorial 3 

In this tutorial, you will be dealing with different data types. We were dealing with 4 bytes. This time, we will deal with float and double. This is what Dark Byte wrote. 


Dark Byte wrote:
Step 4: Floating points (PW=XXXXXX)
In the previous tutorial we used bytes to scan, but some games store information in so called 'floating point' notations.
(probably to prevent simple memory scanners from finding it the easy way)
a floating point is a value with some digits behind the point. (like 5.12 or 11321.1)

Below you see your health and ammo. Both are stored as Floating point notations, but health is stored as a float and
ammo is stored as a double.
Click on hit me to lose some health, and on shoot to decrease your ammo with 0.5

You have to set BOTH values to 5000 or higher to proceed.

Exact value scan will work fine here, but you may want to experiment with other types too.


First, click New scan. Delete the address we changed to 5000. Keep scan type to Exact Value, but change Value type to Float. 

 

Now, type 100 into the value textbox and click First Scan. 

 

I got 2 addresses! That's good. Now, click Hit me. I got 95.4. Go to Cheat Engine and type 95.4 into the textbox and click Next Scan. I came up with 1 address. We will do what we did in the other tutorials: we will double click and change the value.

 

Change it to 5000. 
Click New Scan and do NOT delete the float address change. Change the value type to Double. Scan 100. 

 

I came up with 1 value. Click "Fire" on the tutorial to see if it is the value. If you get 99.5 in Cheat Engine, that's it! Double click and change the value to 5000. The "Next" button should unlock. Click Next to continue.

Congrats! You just finished the "BASICS!" Yes, the basics. If you thought that was hard, try doing the tutorial again and again until you get it right. Now, we will go to Medium. Then Hard.
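
What the scans in Chapters 3 to 5 are doing, shown as an added Python example (not part of the original tutorial and not Cheat Engine's code). It runs over a constructed 64-byte buffer instead of a real process; the offsets and function names are made up for illustration.

```python
import struct

# Value types named in the tutorial, as little-endian struct formats.
VALUE_TYPES = {"4 bytes": "<i", "float": "<f", "double": "<d"}

def first_scan(memory, value, value_type, align=4):
    """Exact Value / First Scan: every aligned offset holding `value`."""
    needle = struct.pack(VALUE_TYPES[value_type], value)
    last = len(memory) - len(needle)
    return [off for off in range(0, last + 1, align)
            if memory[off:off + len(needle)] == needle]

def next_scan(memory, candidates, value, value_type):
    """Next Scan: keep only earlier hits that now hold the new value."""
    needle = struct.pack(VALUE_TYPES[value_type], value)
    return [off for off in candidates
            if memory[off:off + len(needle)] == needle]

def unknown_initial_scan(memory, align=4):
    """Unknown initial value: remember every aligned 4-byte value."""
    return {off: struct.unpack_from("<i", memory, off)[0]
            for off in range(0, len(memory) - 3, align)}

def decreased_scan(memory, snapshot):
    """Decreased value: keep offsets whose value is lower than before."""
    kept = {}
    for off, old in snapshot.items():
        new = struct.unpack_from("<i", memory, off)[0]
        if new < old:
            kept[off] = new
    return kept

def build_memory():
    """Constructed 64-byte buffer standing in for the tutorial's memory."""
    mem = bytearray(64)
    struct.pack_into("<i", mem, 0x10, 100)    # health as a 4-byte integer
    struct.pack_into("<i", mem, 0x20, 100)    # unrelated value that is also 100
    struct.pack_into("<f", mem, 0x28, 100.0)  # health as a float
    struct.pack_into("<d", mem, 0x30, 100.0)  # ammo as a double
    return mem

def run_demo():
    mem = build_memory()
    result = {}
    # Chapter 3: scan for 100, take a hit, scan for 99.
    result["first"] = first_scan(mem, 100, "4 bytes")
    struct.pack_into("<i", mem, 0x10, 99)
    result["next"] = next_scan(mem, result["first"], 99, "4 bytes")
    # Chapter 5: the same number 100 has different bytes per value type,
    # so the 4-byte scan above never reports the float or the double.
    result["float"] = first_scan(mem, 100.0, "float")
    result["double"] = first_scan(mem, 100.0, "double")
    # Chapter 4: no starting value, only "it went down".
    snapshot = unknown_initial_scan(mem)
    struct.pack_into("<i", mem, 0x10, 97)
    result["decreased"] = decreased_scan(mem, snapshot)
    return result

if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(name, hits)
```
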

This is Medium. 

Chapter 6: Tutorial 4 

This is a harder tutorial. We will find out how to use the Code Finder. 

Here is what Dark Byte wrote: 


Dark Byte wrote:

Step 5: Code finder (PW=XXXXXX)
Sometimes the location something is stored at changes when you restart the game, or even while you're playing. In
that case you can use 2 things to still make a table that works.
In this step I'll try to describe how to use the Code Finder function.

The value down here will be at a different location each time you start the tutorial, so a normal entry in the address
list wouldn't work.
First try to find the address. (you've got to this point so I assume you know how to)
When you've found the address, right-click the address in Cheat Engine and choose "Find out what writes to this
address". A window will pop up with an empty list.
Then click on the Change value button in this tutorial, and go back to Cheat Engine. If everything went right there
should be an address with assembler code there now.
Click it and choose the replace option to replace it with code that does nothing. That will also add the code address
to the code list in the advanced options window. (Which gets saved if you save your table)

Click on stop, so the game will start running normal again, and close to close the window.
Now, click on Change value, and if everything went right the Next button should become enabled.

Note: When you're freezing the address with a high enough speed it may happen that next becomes visible anyhow 


First, find the address. All the previous tutorials found out the address. So now, you know how to do it. Use 4 bytes. 
I have found the address. Here is what I got: 

 

Now, double click it to make it go down. Right click the address (after you put it at the very bottom) and press "Find out what writes to this address". A new window should pop up. (If it asks you about a debugger, press yes.)

 

Click "Change Value" where the tutorial is and then go back to Cheat Engine. Now, you should see something new. A bunch of shit nobody but a computer understands. 

 

Select it and click the replace button. ANOTHER window should pop up. Remove everything that was in it. 

 

to 

 

Press OK. 

Now, Click "Stop" and then "Close". Go to the tutorial and click Change Value. It should stay the same and then the "Next" button should be unlocked!!! As Charlie Sheen would say, Winning. 

Chapter 7: Tutorial 5 

Now, this is more advanced than the last tutorial. Still in the medium section, BUT it's a little bit hard. This one uses pointers. OK, first, get the address with the value of 100. At this point, you should know how to get an address.

Here is what Dark Byte wrote: 


Dark Byte wrote:

Step 6: Pointers: (PW=098712)
In the previous step I explained how to use the Code finder to handle changing locations. But that method alone
makes it difficult to find the address to set the values you want.
That's why there are pointers:

At the bottom you'll find 2 buttons. One will change the value, and the other changes the value AND the location of
the value.
For this step you don't really need to know assembler, but it helps a lot if you do.

First find the address of the value. When you've found it use the function to find out what accesses this address.
Change the value again, and an item will show in the list. Double click that item. (or select and click on more info) and
a new window will open with detailed information on what happened when the instruction ran.
If the assembler instruction doesn't have anything between a '[' and ']' then use another item in the list.
If it does it will say what it thinks will be the value of the pointer you need.
Go back to the main cheat engine window (you can keep this extra info window open if you want, but if you close it,
remember what is between the [ and ] ) and do a 4 byte scan in hexadecimal for the value the extra info told you.
When done scanning it may return 1 or a few hundred addresses. Most of the time the address you need will be the
smallest one. Now click on manually add and select the pointer checkbox.

The window will change and allow you to type in the address of a pointer and a offset.
Fill in as address the address you just found.
If the assembler instruction has a calculation (e.g: [esi+12]) at the end then type the value in that's at the end. else
leave it 0. If it was a more complicated instruction look at the calculation.

example of a more complicated instruction:
[EAX*2+EDX+00000310] eax=4C and edx=00801234.
In this case EDX would be the value the pointer has, and EAX*2+00000310 the offset, so the offset you'd fill in
would be 2*4C+00000310=3A8. (this is all in hex, use calc.exe from windows in scientific mode to calculate)

Back to the tutorial, click OK and the address will be added. If all went right the address will show P->xxxxxxx, with
xxxxxxx being the address of the value you found. If that's not right, you've done something wrong.
Now, change the value using the pointer you added in 5000 and freeze it. Then click Change pointer, and if all went
right the next button will become visible.


extra:
And you could also use the pointer scanner to find the pointer to this address 


After you have the address. Move it to the bottom and right click. Click "Find out what writes to this address". You will then press change value on CE tutorial and will get some info in the popup screen. 

 

Click on the first one. Mine is 00422173 - 89 02 - mov [edx],eax. Then press more information. You should get this. 

 

Find where it says "The value of the pointer needed to find this address is probably XXXXXXXX" Mine is 00247A28. Close that and close the data table to just show Cheat Engine. Now click new scan and check the hex button. Type in what you got for XXXXXXXX. Click "First Scan". 

I got 1 address.

 

Press "Add address manually". Click the pointer checkbox. Now type in the address you got. I got 0057C370. For offset, leave as 0. Press OK. 

The value should be the same as the other address. If you got "??" then you did it wrong. Try again. If you got this: 

 

Then you did it right! Try pressing "Change Value" on the tutorial to mess around with it. Both values will change! 
Now, change the value of the one with the address of "P -> XXXXXXXX" to 5000. Then check the "Active" box to freeze the value. Go back to the tutorial and press "Change Pointer". Wait for it to stop and the Next button should unlock!
 

Press next and go to the next chapter. 

Chapter 8: Tutorial 6 

This is one of my FAVORITE parts of this tutorial! Here is what Dark Byte wrote: 


Dark Byte wrote:
Step 7: Code Injection: (PW=013370)
Code injection is a technique where one injects a piece of code into the target process, and then reroutes the
execution of code to go through your own written code

In this tutorial you'll have a health value and a button that will decrease your health with 1 each time you click it.
Your task is to use code injection to increase the value of your health with 2 every time it is clicked

Start with finding the address and then find what writes to it.
then when you've found the code that decreases it browse to that address in the disassembler, and open the auto
assembler window (ctrl+a)
There click on template and then code injection, and give it the address that decreases health (If it isn't already filled
in correctly)
That will generate a basic auto assembler injection framework you can use for your code.

Notice the alloc, that will allocate a block of memory for your code cave, in the past, in the pre windows 2000
systems, people had to find code caves in the memory(regions of memory unused by the game), but that's luckily a
thing of the past since windows 2000, and will these days cause errors when trying to be used, due to SP2 of XP
and the NX bit of new CPU's

Also notice the line newmem: and originalcode: and the text "Place your code here"
As you guessed it, write your code here that will increase the health with 2.
a useful assembler instruction in this case is the "ADD instruction"
here are a few examples:
"ADD [00901234],9" to increase the address at 00901234 with 9
"ADD [ESP+4],9" to increase the address pointed to by ESP+4 with 9
In this case, you'll have to use the same thing between the brackets as the original code has that decreases your
health

Notice:
It is recommended to delete the line that decreases your health from the original code section, else you'll have to
increase your health with 3 (you increase with 3, the original code decreases with 1, so the end result is increase
with 2), which might become confusing. But it's all up to you and your programming.

Notice 2:
In some games the original code can exist out of multiple instructions, and sometimes, not always, it might happen
that a code at another place jumps into your jump instruction and will then cause unknown behavior. If that
happens, you should usually look near that instruction and see the jumps and fix it, or perhaps even choose to use a
different address to do the code injection from. As long as you're able to figure out the address to change from inside
your injected code.


To start out, delete all the addresses and restart the whole scan process. Find the address. After you find it, right click it after you took it to the bottom. Then, click "Find out what writes to this address". Click "Hit Me" and make the HP go down. Look at the data that was traced. I got 004226BC - FF 8B 54040000 - dec [ebx+00000454]. Click "Show disassembler". 

 

Now, press Ctrl + A to open the Auto assembler.

 

Now, click template and press "Code Injection". Press yes if a pop up shows. 

 

See the original code? You got dec [ebx+00000454]. Copy that. Delete the stuff next to //. Paste that under newmem and change dec to add. Also, add ",3" to it. You should get this:


Code:
add [ebx+00000454],3


 

Now, press Execute and you then go back to the CE tutorial. Press hit me to get +2 HP. Press next and go to the next chapter. 
Again, this is my FAVORITE part. I love using code injection as it is EXTREMELY useful. 
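
Seen from the other side, the changes made in Chapter 6 and in this chapter are visible to anything that compares the code against a clean copy. The added example below (not part of the original tutorial) does that comparison, assuming the "code that does nothing" is x86 NOP bytes (0x90) and the injected code is reached through a 5-byte jmp rel32; the surrounding bytes, the region base and the jump target are constructed.

```python
import struct

REGION_BASE = 0x004226B0     # constructed start of the monitored code range
INSN_ADDRESS = 0x004226BC    # address from the walkthrough
ORIGINAL_INSN = bytes.fromhex("FF8B54040000")   # dec [ebx+00000454]
# Constructed filler around the instruction; only the six bytes above are real.
BASELINE = (bytes.fromhex("558BEC538B5D0885DB740633")
            + ORIGINAL_INSN + bytes.fromhex("5B5DC3CC"))

def modified_ranges(baseline, current, gap=4):
    """Offsets (start, end) that differ from the clean copy.

    Ranges separated by fewer than `gap` unchanged bytes are merged, because
    a patch byte can happen to equal the byte it overwrote.
    """
    ranges = []
    for i, (old, new) in enumerate(zip(baseline, current)):
        if old == new:
            continue
        if ranges and i - ranges[-1][1] < gap:
            ranges[-1][1] = i + 1
        else:
            ranges.append([i, i + 1])
    return [tuple(r) for r in ranges]

def classify(address, patch):
    """Name the kind of change and, for a jump, where it leads."""
    if all(b == 0x90 for b in patch):
        return {"kind": "nop-fill", "target": None}
    if len(patch) >= 5 and patch[0] == 0xE9:
        rel32 = struct.unpack_from("<i", patch, 1)[0]
        return {"kind": "jmp-detour",
                "target": (address + 5 + rel32) & 0xFFFFFFFF}
    return {"kind": "other", "target": None}

def check_integrity(baseline, current, base=REGION_BASE):
    """Compare current code bytes with the baseline and report each change."""
    findings = []
    for start, end in modified_ranges(baseline, current):
        finding = classify(base + start, current[start:end])
        finding["address"] = base + start
        finding["length"] = end - start
        findings.append(finding)
    return findings

def patched(replacement):
    """Constructed sample: the baseline with the instruction overwritten."""
    off = INSN_ADDRESS - REGION_BASE
    return BASELINE[:off] + replacement + BASELINE[off + len(replacement):]

# Chapter 6 style change: all six bytes become NOPs.
NOP_SAMPLE = patched(b"\x90" * 6)
# Chapter 8 style change: jump to a constructed address, one NOP of padding.
DETOUR_TARGET = 0x00A30000
DETOUR_SAMPLE = patched(
    b"\xE9" + struct.pack("<i", DETOUR_TARGET - (INSN_ADDRESS + 5)) + b"\x90")

if __name__ == "__main__":
    for name, sample in (("clean", BASELINE), ("nop", NOP_SAMPLE),
                         ("detour", DETOUR_SAMPLE)):
        print(name, check_integrity(BASELINE, sample))
```

In the detour sample one byte of the jump offset equals the original byte at that position, which is why the ranges are merged before classifying.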

Chapter 8: Tutorial 6 

This is the last tutorial! 

Here is what Dark Byte wrote: 


Dark Byte wrote:
Step 8: Multilevel pointers: (PW=525927)
This step will explain how to use multi-level pointers.
In step 6 you had a simple level-1 pointer, with the first address found already being the real base address.
This step however is a level-4 pointer. It has a pointer to a pointer to a pointer to a pointer to a pointer to the health.

You basically do the same as in step 6. Find out what accesses the value, look at the instruction and what probably is
the base pointer value, and what is the offset, and already fill that in or write it down. But in this case the address
you'll find will also be a pointer. You just have to find out the pointer to that pointer exactly the same way as you did
with the value. Find out what accesses that address you found, look at the assembler instruction, note the probable
instruction and offset, and use that.
and continue till you can't get any further (usually when the base address is a static address, shown up as green)

Click Change Value to let the tutorial access the health.
If you think you've found the pointer path click Change Register. The pointers and value will then change and you'll
have 3 seconds to freeze the address to 5000

Extra: This problem can also be solved using an auto assembler script, or using the pointer scanner
Extra2: In some situations it is recommended to change ce's codefinder settings to Access violations when
encountering instructions like mov eax,[eax] since debugregisters show it AFTER it was changed, making it hard to
find out the value of the pointer





Extra3: If you're still reading. You might notice that when looking at the assembler instructions that the pointer is
being read and filled out in the same codeblock (same routine, if you know assembler, look up till the start of the
routine). This doesn't always happen, but can be really useful in finding a
pointer when debugging is troublesome 


First, Find the address and move it to the lower part of CE like we always do. You should find the address pretty quickly. Then, right click it and click "pointer scan for this address". 

 

Press OK. Then save it to the default place with the name of "pointers". Now, wait for it to load and you should get something like this. 

 

Now, go to the Cheat Engine tutorial and click "Change Pointer". Notice, the old address value will go to 0. Now, go back to the pointer scanner and click the "Pointer Scanner" tab at the top. You will get a couple of options. Select rescan pointer. Put in the new address you have found (the one in the main CE window that does NOT have the value of 0). You should come up with 1 thing and only 1 thing. That's good! (If it asks you to overwrite the save, press yes.)

 

Double click it to send it to the CE main panel. Click Change Pointer over and over and the number value will never hit 0 like the first and second addresses did! Change it to 5000 and freeze it. Then press Change Pointer again. The Next button should unlock. Click it and you're done!

Congrats, you are an advanced Cheat Engine user!!!!!!! 
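
The pointer arithmetic from Chapter 7 and the multilevel path from this chapter, as an added Python example (not part of the original tutorial). Memory is a constructed address-to-value table; the level-1 addresses are the ones from the Chapter 7 walkthrough, everything else is made up.

```python
REGISTERS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")

def split_operand(operand, regs):
    """Split a bracketed operand into (pointer value, offset).

    Assumption matching the quoted example: the register without a
    multiplier supplies the pointer value, everything else is the offset.
    Only '+' terms are handled.
    """
    pointer, offset = None, 0
    for term in operand.strip("[] ").replace(" ", "").lower().split("+"):
        name, _, scale = term.partition("*")
        if name in REGISTERS and scale:
            offset += regs[name] * int(scale)   # scaled register
        elif name in REGISTERS and pointer is None:
            pointer = regs[name]                # first plain register
        elif name in REGISTERS:
            offset += regs[name]                # a second plain register
        else:
            offset += int(term, 16)             # displacement, in hex
    return pointer, offset

def resolve(memory, base, offsets):
    """Follow a pointer path: read a pointer, add the offset, repeat.

    Returns the final address, or None when a pointer cannot be read
    (the case the address list shows as "??").
    """
    address = base
    for offset in offsets:
        pointer = memory.get(address)
        if pointer is None:
            return None
        address = pointer + offset
    return address

def level1_demo():
    # Pointer at 0057C370 holding 00247A28, as in the Chapter 7 walkthrough.
    memory = {0x0057C370: 0x00247A28, 0x00247A28: 100}
    before = resolve(memory, 0x0057C370, [0])
    # "Change pointer": the value moves (002B1000 is a constructed address).
    del memory[0x00247A28]
    memory[0x002B1000] = 100
    memory[0x0057C370] = 0x002B1000
    after = resolve(memory, 0x0057C370, [0])
    stale = memory.get(before)      # the plain address no longer holds health
    return before, after, stale

def multilevel_demo():
    # Constructed level-4 path: static base, four pointer reads, then health.
    memory = {
        0x00601660: 0x01A00000,
        0x01A0000C: 0x01B00000,
        0x01B00014: 0x01C00000,
        0x01C00000: 0x01D00000,
        0x01D00018: 5000,
    }
    address = resolve(memory, 0x00601660, [0x0C, 0x14, 0x00, 0x18])
    # One wrong offset in the middle and the path cannot be followed.
    broken = resolve(memory, 0x00601660, [0x0C, 0x10, 0x00, 0x18])
    return address, memory.get(address), broken

if __name__ == "__main__":
    regs = {"eax": 0x4C, "edx": 0x00801234}
    pointer, offset = split_operand("[EAX*2+EDX+00000310]", regs)
    print(hex(pointer), hex(offset))
    print(level1_demo())
    print(multilevel_demo())
```
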


Chapter 9: Other related stuff 

Cheat Engine can be used on anything from Flash games and multiplayer games up to hacking Windows itself! It's a tool that scans memory too. It's similar to OllyDbg and some other tools. It's the most known, though. Cheat Engine is a very good program. The tutorial was very good help too. I thought it was good. The only flaw I see in CE is that whenever you place a debugger, if you close it without stopping it, then you can't trace data anymore. Dark Byte should fix that.


 Credits

YoungDragon

from cheat engine forum
 