roll engine.shp

MapleStory monster-vacuum source code, materials for building a UCE; used for MapleStory game hacks
xor eax,eax
jmp 00451031

<b>Example using ALLOC and LABEL</b>
alloc(alloc1,4)        // reserve 4 bytes of new memory; alloc1 is the symbol for its address
label(mylabel)         // declare the symbol so it can be used before it is defined

00451029:
jmp 00410000           // 5-byte jump into the code cave
nop                    // three nops pad the hook to 8 bytes
nop
nop
mylabel:               // defined here, so it resolves to 00451031

00410000:
mov [alloc1],esi       // store esi in the allocated memory
mov [esi+80],ebx
xor eax,eax
jmp mylabel            // return to 00451031, right after the nops


<b>Example using FULLACCESS</b>
FULLACCESS(00400800,4) //00400800 is usually read only non executable data, this makes it writable and executable
00451029:
jmp 00410000
nop
nop
nop

00410000:
mov [00400800],esi
mov [esi+80],ebx
xor eax,eax
jmp 00451031
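The byte layout behind the ALLOC/LABEL and FULLACCESS scripts above, as an added example that is not part of the Cheat Engine help text. It uses the scripts' own addresses; the cave body is the FULLACCESS version hand-assembled, and the assumption that the 8 bytes at 00451029 originally held the two instructions the cave repeats (mov [esi+80],ebx and xor eax,eax) is the author's, not the page's.

```python
import struct

# Added example, not from the Cheat Engine help text: how the auto assembler
# scripts above land in memory. Addresses are the ones used in the scripts.
# Assumption: the 8 bytes overwritten at 00451029 were the two instructions
# the cave re-executes, so stolen_len is 8.
JMP_REL32 = 0xE9
NOP = 0x90

CAVE_BODY = bytes.fromhex(
    "89 35 00 08 40 00"   # mov [00400800],esi
    "89 9E 80 00 00 00"   # mov [esi+00000080],ebx (disp 0x80 needs a 32-bit displacement)
    "31 C0"               # xor eax,eax
)


def encode_jmp(src, dst):
    """5-byte `jmp rel32` placed at src that lands on dst.
    The displacement is measured from the end of the jmp itself."""
    return bytes([JMP_REL32]) + struct.pack("<i", dst - (src + 5))


def decode_jmp(src, code):
    """Inverse of encode_jmp: the target of the jmp encoded at src."""
    if len(code) != 5 or code[0] != JMP_REL32:
        raise ValueError("not a jmp rel32")
    return src + 5 + struct.unpack("<i", code[1:])[0]


def build_hook(hook_addr, cave_addr, stolen_len, cave_body):
    """Lay out the trampoline the scripts describe.

    hook_addr: jmp cave_addr, then nops up to stolen_len bytes
    mylabel  : hook_addr + stolen_len, the first byte the nops do not cover
    cave_addr: cave_body, then jmp mylabel

    stolen_len must be at least 5 and must end on an instruction boundary
    of the original code; checking that is the script author's job.
    Returns (bytes for hook_addr, bytes for cave_addr, address of mylabel).
    """
    if stolen_len < 5:
        raise ValueError("jmp rel32 needs 5 bytes at the hook site")
    patch = encode_jmp(hook_addr, cave_addr) + bytes([NOP]) * (stolen_len - 5)
    label = hook_addr + stolen_len
    cave = cave_body + encode_jmp(cave_addr + len(cave_body), label)
    return patch, cave, label


def example():
    """The FULLACCESS script: hook at 00451029 (8 bytes), cave at 00410000."""
    return build_hook(0x00451029, 0x00410000, 8, CAVE_BODY)


if __name__ == "__main__":
    patch, cave, label = example()
    print(f"00451029: {patch.hex(' ')}   (mylabel = {label:08X})")
    print(f"00410000: {cave.hex(' ')}")
```

Run it and the first line shows `e9 d2 ef fb ff 90 90 90`: the relative jump is negative because the cave sits below the hook, and `mylabel` comes out as 00451031, which is exactly the return address the scripts use.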
----- SHM ---- page 18 ---- 
Cheat Engine is filled with other features, try to find them and find out what they do, or send questions about them to dark_byte@hotmail.com
----- SHM ---- page 19 ---- 
This section contains a collection of all useful tutorials originally posted on the Cheat Engine forum.
----- SHM ---- page 20 ---- 
Originally posted by Emperor:

Hope it's useful ...after all I did much research on it. This guide written by me explains how to use CE for anti-tab protected games. 
First you may wonder: 
<b>What does anti-tab protected mean? </b>
It means if you minimize it, it will never come up again, it will kill itself. This happens if you use any kind of task switching or click on any other program. 
<b>What can be done about it? </b>
Possibility 1: 
There is a program AAT that freezes the game and then brings your cheat tool (of course we all use CE, don't we?) to the front. Once a scan is done you can press another button to switch back to the game and resume it. Because it was frozen during that time it didn't notice it was not in the foreground. Although the game is frozen, CE can still attach itself to it (although it may require you to switch to the game, unfreeze it and then freeze it again in order to make it work). With AAT however there's always the risk the game will crash anyway or AAT will stop responding, making it impossible to unfreeze the game. 
Possibility 2: 
Xunleashed. With it you can run DirectX programs in a normal window. 
Xunleashed has not been tried by me as it costs 20$ (after all I can still use AAT and the CE network version). It should work; if you are unsure whether it works with your game or not, look at the message board. 
Possibility 3: 
Use the CE network version. This of course requires 2 computers and you to switch between them. Also the functions in the network version are limited, but new features are being added. 
<b>What do game creators do against those? </b>
-GameGuard: The 4.4 version of CE can cheat anti-tab protected games. Therefore you can safely use the network version. AAT will not work with nProtected games, but if you execute the game as a normal user and AAT as an administrator it will still work.
----- SHM ---- page 21 ---- 
Originally posted by emperor:

2 byte means: 00 00 to FF FF; this allows only up to 65535, obviously. 
4 byte means: 00 00 00 00 to FF FF FF FF (allows up to 4294967295). 
Now for example you can miss 2-byte values with 4-byte scans: 
Example: the value in the game is 300, stored in the game's memory as 012C. 
If you search for 12C as 2 byte it will be in your results. 
If you search for 12C as 4 byte, the 2 bytes before the 012C matter as well. 
For example the 012C would be after an FF FF. 
Meaning: FF FF 01 2C is in the memory, 01 2C being what you are searching for. However, seen as 4 byte this is not 01 2C (300) but FF FF 01 2C (4294902060). 
To my mind, for exact value scans you should use the smallest appropriate byte type (for example, if it doesn't rise over 65000 use 2 byte). However, since most games multiply it with a certain factor, exact value scans are hardly any use... when doing an unknown value scan it's up to you to choose the correct byte size... most commonly used is 4 byte after all. It's nothing new to me seeing games showing a stat up to like 2000-3000 as 4 byte in a huge number over several hundred thousands... however, how much a certain game multiplies, adds or subtracts, or tries to hide it, depends on the game and is therefore sort of unknown; therefore I think in many cases the byte size is also sort of unknown, although 4 byte is always likely. Note that doing increase/decrease value scans wouldn't fail even if there were some other bytes before it: for example 
FF FF 01 2C is increased by one... 
---> FF FF 01 2D increased would still be okay as unknown initial. 
But if the FF FF also changes 
to like FE FE then it would screw up the scan.
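A miniature exact-value scanner run over a constructed memory image, as an added example that is not part of emperor's post. It reproduces the post's three observations with its numbers (300 = 012C next to FF FF, 4294902060 as the 4-byte reading, FF FF changing to FE FE). One detail the post writes in big-endian order: x86 stores the low byte first, so in memory the value sits as 2C 01 and the two bytes that spill into a 4-byte read are the ones that follow it.

```python
import struct

# Added example, not part of the post: scanning the same bytes with different
# widths. The memory image is constructed; little-endian like an x86 process.
FMT = {1: "<B", 2: "<H", 4: "<I"}
VALUE_OFFSET = 6  # where make_image() puts the value


def scan_exact(mem, value, width):
    """Offsets at which `width` bytes of `mem` read as `value` (an exact-value
    scan with unaligned offsets included)."""
    return [off for off in range(len(mem) - width + 1)
            if struct.unpack_from(FMT[width], mem, off)[0] == value]


def scan_increased(before, after, width):
    """Offsets whose `width`-byte value grew between two snapshots: an unknown
    initial value scan followed by an 'increased value' scan."""
    return [off for off in range(len(before) - width + 1)
            if struct.unpack_from(FMT[width], after, off)[0]
            > struct.unpack_from(FMT[width], before, off)[0]]


def make_image(value, neighbours):
    """Constructed memory: 6 zero bytes, the 2-byte `value`, 2 `neighbours`
    bytes, 6 more zero bytes. The value starts at VALUE_OFFSET."""
    return b"\x00" * 6 + struct.pack("<H", value) + neighbours + b"\x00" * 6


def demo():
    """The post's cases; returns every scan result so they can be inspected."""
    before = make_image(300, b"\xff\xff")              # 012C next to FF FF
    bumped = make_image(301, b"\xff\xff")              # value +1, neighbours untouched
    bumped_and_changed = make_image(301, b"\xfe\xfe")  # value +1, FF FF -> FE FE
    return {
        # 300 is found as 2 byte ...
        "2byte_hits": scan_exact(before, 300, 2),
        # ... but not as 4 byte, because the read takes FF FF in as the high half
        "4byte_hits": scan_exact(before, 300, 4),
        "4byte_value_seen": struct.unpack_from("<I", before, VALUE_OFFSET)[0],
        # a 4-byte increased-value scan still keeps the offset when only 012C -> 012D
        "4byte_increased_ok": scan_increased(before, bumped, 4),
        # ... but drops it once the neighbours also change (0xFEFE012D < 0xFFFF012C)
        "4byte_increased_broken": scan_increased(before, bumped_and_changed, 4),
        # a 2-byte scan never looks at the neighbours, so it survives both
        "2byte_increased_broken": scan_increased(before, bumped_and_changed, 2),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, hex(result) if isinstance(result, int) else result)
```

The overlapping hits at offsets 3, 4 and 5 in the 4-byte increased scan are what a scanner sees when alignment is not enforced: the low byte 2C rising to 2D is visible from every window that contains it, which is why unaligned results are noisy even when the real address is still in the list.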
----- SHM ---- page 22 ---- 
Originally posted by me. (no not me, but the user called me)

this is to try to answer the most common questions from people new to cheat engine 

using 3d pinball for windows space cadet as an example,,, 
it might be an idea to print this and other tuts so its easier to work through them,,, 

( this game gives you some free balls so be on the look out for that during this tut ) 

start 3D PINBALL FOR WINDOWS ,, and wait for the first ball to deploy 
start cheat engine 
click on the flashing icon in the top left of cheat engine 
in the bottom of process list window 
double click on PINBALL.EXE to attach the game to cheat engine 
in the value box type in 3 
go into the pinball game and lose a ball 
wait for the next ball to be deployed 
go back into cheat engine 
type 2 into the value box 
click on the next scan button 
I got the address A9FEE6 yours may be different 

ok 

I'll double click on the found address A9FEE6 to add it to the bottom pane 
click on the checkbox to freeze this address 
go back into the PINBALL GAME 
lose some balls to see if its the right address 
if you have got it right you'll have infinite balls 

------------------------------------------------------------------------------- 
now to find the code that changes the number of balls 
------------------------------------------------------------------------------- 

go back into cheat engine 
(if you want you can double click on the value part of the address in the bottom pane and change it back to 3 or 4 balls) 
In the bottom pane again right click on the address A9FEE6 and choose 
FIND OUT WHAT WRITES TO THIS ADDRESS 

you will then get the debugger window 
go back into pinball and lose another ball 
in the debugger window you should see the address of the code that changes the number of balls 

I got 01015f02 - 89 86 46 01 00 00 - mov [esi+00000146],eax 
click on this to highlight the code,, and click on the ADD TO CODELIST button 
a box called CHEAT ENGINE CODE will pop up 
name balls 
and hit the OK button 

a window called ADVANCED OPTIONS WILL pop up with balls in it 
you can right click it and choose REPLACE WITH CODE THAT DOES NOTHING 
to show that the code has been nopped out the name will turn red 
you can hit the ok button to close the advanced options window then the stop and close button to exit the debugger 
then save your table,,,, but for now 
just hit the ok button to close the advanced options window 

in the debugger window look at the code 01015f02 - 89 86 46 01 00 00 - mov [esi+00000146],eax 
now with the code highlighted click on the MORE INFORMATION button 
the EXTRA INFO box will pop up 
in this box under copy memory you will see the sentence 

THE VALUE OF THE POINTER NEEDED TO FIND THIS ADDRESS IS PROBABLY 00A9FDA0 

this is the address held in the ESI register below this you can see all the values that the registers held at the instant you lost a ball,, 
as you can see ESI=00A9FDA0 
and highlighted in red you can see 

01015F02 - mov [ esi + 00000146 ],eax 

this is all in hexadecimal 
so the ESI register holds 00A9FDA0 therefore 
[esi + 00000146] = [ 00A9FDA0 + 00000146 ] 
00A9FDA0 + 146 = 00A9FEE6 

the first address I found when I started scanning at the start of the game 

so note down the address 00A9FDA0 
and the offset 146 

close the EXTRA INFO window 
in the main cheat engine window ,,,hit the new scan button 
next to the value box theres a hex checkbox ,, check it so you can enter a hex value 
put in our address without the zeros in front of it A9FDA0 
and hit the first scan button 

you will get a couple of hundred results 
i'll try the first address on the list 009A4356 

click on the add address manually button 
click on the pointer checkbox and you will see the ADD ADDRESS window change 

where it says ADDRESS OF POINTER type in our address 9A4356 
and in the OFFSET [HEX] box type in 146 ,,,,,,,,, remember [esi + 00000146] 
and hit the ok button 

hopefully a new address which should look like this in the bottom pane 
No description P->00A9FEE6 4 bytes 0x00000003 
or how ever many balls you got left 
you can freeze the number of balls from this pointer now,,,,, 
in games that use Dynamic Memory Allocation ,,, DMA 
and use the same code to change things for you and the enemies,, 
pointers are useful 

------------------------------------ 
ok a couple of things 

1) this game doesn't use dma ,, but its an easy game to practice on 
2) Its free and most people have it 
3) so for newcomers it gives an idea of how to use the basic search / pointer / and advanced options 

well as they say thats my two cents 
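The pointer part of the walkthrough modelled over a constructed process image, as an added example that is not the poster's code. The addresses are the ones from the post (ESI = 00A9FDA0, offset 146, the balls counter at 00A9FEE6 and the pointer found at 009A4356); the second-run base 00B31000 and the region sizes are assumptions made for the example. It shows why the pointer entry keeps working when the object moves while the static address does not.

```python
import struct

# Added example, not the poster's code: resolving "P->address" the way the
# pinball post does. Memory contents are constructed; addresses come from the post.
ESI_AT_WRITE = 0x00A9FDA0   # "THE VALUE OF THE POINTER NEEDED ... IS PROBABLY 00A9FDA0"
OFFSET = 0x146              # from mov [esi+00000146],eax
BALLS_STATIC = 0x00A9FEE6   # address the first scans found (ESI_AT_WRITE + OFFSET)
POINTER_ADDR = 0x009A4356   # first result of the hex scan for A9FDA0
STATICS_BASE = 0x009A4340   # assumed start of the region holding that pointer


class Memory:
    """A few mapped regions of a 32-bit process, little-endian, byte addressed."""

    def __init__(self, regions):
        self.regions = {base: bytearray(data) for base, data in regions.items()}

    def _locate(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                return data, addr - base
        raise ValueError(f"unmapped access at {addr:#010x}")

    def read_u32(self, addr):
        data, off = self._locate(addr, 4)
        return struct.unpack_from("<I", data, off)[0]

    def write_u32(self, addr, value):
        data, off = self._locate(addr, 4)
        struct.pack_into("<I", data, off, value)

    def scan_u32(self, value):
        """Hex scan for a 4-byte value: every address whose dword equals it."""
        needle = struct.pack("<I", value)
        hits = []
        for base, data in self.regions.items():
            i = data.find(needle)
            while i != -1:
                hits.append(base + i)
                i = data.find(needle, i + 1)
        return hits


def resolve(mem, pointer_addr, offset):
    """What a 'P->' entry does: read the dword at pointer_addr, add the offset."""
    return mem.read_u32(pointer_addr) + offset


def build_process(object_base, balls=3):
    """Constructed image: a static dword at POINTER_ADDR holding the object's
    base, and the object itself with the ball counter at +0x146."""
    statics = bytearray(0x20)
    struct.pack_into("<I", statics, POINTER_ADDR - STATICS_BASE, object_base)
    obj = bytearray(0x150)
    struct.pack_into("<I", obj, OFFSET, balls)
    return Memory({STATICS_BASE: statics, object_base: obj})


def demo():
    """First run as in the post, then a run where the object was allocated
    elsewhere (assumed base 0x00B31000) and only the pointer path still works."""
    mem = build_process(ESI_AT_WRITE)
    first_run = {
        "pointer_hits": mem.scan_u32(ESI_AT_WRITE),
        "resolved": resolve(mem, POINTER_ADDR, OFFSET),
        "balls": mem.read_u32(resolve(mem, POINTER_ADDR, OFFSET)),
    }
    moved = build_process(0x00B31000)
    try:
        moved.read_u32(BALLS_STATIC)
        static_still_valid = True
    except ValueError:
        static_still_valid = False
    second_run = {
        "resolved": resolve(moved, POINTER_ADDR, OFFSET),
        "balls": moved.read_u32(resolve(moved, POINTER_ADDR, OFFSET)),
        "static_still_valid": static_still_valid,
    }
    return first_run, second_run


if __name__ == "__main__":
    first, second = demo()
    print("first run :", {k: hex(v) if isinstance(v, int) else [hex(x) for x in v]
                          for k, v in first.items()})
    print("second run:", second)
```

On a real target the hex scan for the base value usually returns more than one hit, as the post says; the one to keep is the entry that still resolves to the right counter after the game has been restarted, because a hit inside another dynamically allocated object moves along with it.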
----- SHM ---- page 23 ---- 
Originally posted by Dark Byte
If you want to use the DirectX mess functions in a game but the game detects the debugger (or crashes because of it), then before clicking on OK to run the game select another process, or simply close Cheat Engine.
This will detach the debugger from Cheat Engine.
----- SHM ---- page 24 ---- 
Originally posted by Dark Byte

Sometimes when you've found an address and the code that changes that address is also used to change other addresses (like that of the enemy), the following function will be useful: 

When you've found the code that accesses the address you've found you can save that and use it to find the address you are looking for, so you don't have to go through the slow scanning routine again. (unless of course scanning for it is a lot faster than this, like finding a piece of text and then recalculating the rest) 

Go to the advanced window, right-click the code and choose "Find out what addresses this code writes to" (or reads from, depending on what kind of code it is; it can sometimes be a write instead of a read, but that doesn't matter) and play the game. After a while the list will be filled up with all the addresses that that code used (the enemy's energy included, if it is also used to handle the enemy). 

The only downside is that this (currently) only works for instructions that have a [...] part. So instructions like "rep movsb" won't work, but that is an instruction that's useless for cheating anyhow.
----- SHM ---- page 25 ---- 
Originally posted by Dark Byte + addition by Smidge204

Most people think assembler is very difficult, but in fact it's very easy. 
In this tutorial i'll try to explain how some basic assembler works 

The processor works with memory and registers. The registers are like memory but a lot faster than memory. Registers are EAX,EBX,ECX,EDX,ESP,EBP,ESI,EDI, and the segment registers. (There's also EIP, which is the Instruction Pointer. It points to the instruction that is about to be executed) 

Some examples: 

<u>sub ebx,eax</u> (ebx=00000005,eax=00000002) 
Lets take it apart in it's most basic elements: 
opcode param1,param2 

The opcode is the instruction telling the processor what to do, in this case decrease the value stored in register ebx with the value stored in register eax. 

In this case ebx=5 and eax=2, so after this instruction ebx would be 3. (5-2) 

Also note that whenever you see an opcode with 2 parameters: the first parameter is the target of the instruction. The 2nd is the source 

<u>sub [esi+13],ebx</u> (ebx=00000003,esi=008AB100) 
In this case you see the first parameter is between brackets. This indicates that instead of registers a memorylocation is being used. 
The memorylocation is pointed at by whats in between the brackets, in this case esi+13 (Note that the 13 is in hexadecimal) 

ESI=008AB100 so the address pointed at is 008AB113. 
This instruction would decrease the value stored at location 008AB113 with the value stored in ebx (which is 3). 

If the value at location 008AB113 was 100 then the value stored at 008AB113 after this instruction would be 97. 

<u>sub [esi+13],63</u> (esi=008AB100) 
This is almost the same as above but instead of using a register it uses a direct value. 

Note that 63 is actually 99 because the instruction is always written using hexadecimal. 

Let's say the value at 008ab113 is 100 (which is 64 in hexadecimal); then the value at 008ab113 after execution would be 1 (100-99) 

<u>sub ebx,[esi+13]</u> (ebx=00000064 esi=008ab100) 
This instruction decreases the value stored in ebx with the value stored at location 008ab113. (esi+13=008ab100+13=008ab113, in case you forgot) 


Up until now I've only used SUB as instruction, but there are lots and lots of other instructions the processor knows. 

Let's take a look at MOV, one of the most often used instructions. 
Although its name suggests that it moves data, it just COPIES data from one spot to another. 

MOV works exactly the same as sub. first parameter is the destination, and second parameter is the source. 

examples: 
<u>MOV eax,ebx</u> (eax=5,ebx=12) 
Copies the value stored in ebx into eax 

So, if this instruction would be executed eax would be 12. (and ebx would stay 12) 

<u>MOV [edi+16],eax</u> (eax=00000064, edi=008cd200) 
This instruction will place the value of eax(64hex=100 decimal) at the location of edi+16 (008cd200+16=008cd216). 
So after instruction the value stored at 008cd216 will be 100 (64 hex) 
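A small interpreter for the instruction forms the tutorial uses (register, [register+offset] and immediate operands for SUB and MOV, with numbers read as hexadecimal), as an added example that is not part of the post. It runs each of the tutorial's instructions with the register values the text gives, so the worked results can be checked; the memory value 3 for the `sub ebx,[esi+13]` case is an assumption, since the text does not state one.

```python
import re
import struct

# Added example, not from the post: a toy interpreter for the mov/sub forms
# shown above. Immediates and offsets are hexadecimal, as the tutorial says.
REGS = ("eax", "ebx", "ecx", "edx", "esp", "ebp", "esi", "edi")
MASK = 0xFFFFFFFF


class Cpu:
    """Eight 32-bit registers plus a byte-addressed little-endian memory."""

    def __init__(self, regs=None, mem=None):
        self.regs = {r: 0 for r in REGS}
        self.regs.update(regs or {})
        self.mem = {}
        for addr, value in (mem or {}).items():   # mem: {address: dword value}
            self.write32(addr, value)

    def read32(self, addr):
        return struct.unpack("<I", bytes(self.mem.get(addr + i, 0) for i in range(4)))[0]

    def write32(self, addr, value):
        for i, b in enumerate(struct.pack("<I", value & MASK)):
            self.mem[addr + i] = b

    def _address(self, expr):
        """Evaluate the text between brackets, e.g. 'esi+13': register names are
        looked up, numbers are hexadecimal."""
        addr = 0
        for sign, term in re.findall(r"([+-]?)\s*([0-9a-z]+)", expr):
            value = self.regs[term] if term in REGS else int(term, 16)
            addr += -value if sign == "-" else value
        return addr & MASK

    def _get(self, operand):
        if operand.startswith("["):
            return self.read32(self._address(operand.strip("[]")))
        if operand in REGS:
            return self.regs[operand]
        return int(operand, 16)              # immediate, written in hex

    def _set(self, operand, value):
        if operand.startswith("["):
            self.write32(self._address(operand.strip("[]")), value)
        elif operand in REGS:
            self.regs[operand] = value & MASK
        else:
            raise ValueError(f"cannot write to immediate {operand}")

    def execute(self, line):
        """Run one 'opcode target,source' instruction and return self."""
        m = re.fullmatch(r"\s*(\w+)\s+([^,]+?)\s*,\s*(.+?)\s*", line.lower())
        if not m:
            raise ValueError(f"unsupported syntax: {line!r}")
        op, dst, src = m.groups()
        if op == "mov":
            self._set(dst, self._get(src))   # copy; the source keeps its value
        elif op == "sub":
            self._set(dst, self._get(dst) - self._get(src))
        elif op == "add":
            self._set(dst, self._get(dst) + self._get(src))
        else:
            raise ValueError(f"opcode not modelled: {op}")
        return self


def run_tutorial_examples():
    """The tutorial's instructions with the values it gives. The memory value 3
    for 'sub ebx,[esi+13]' is an assumption; the text states none."""
    r = {}
    r["sub ebx,eax"] = Cpu(regs={"ebx": 5, "eax": 2}).execute("sub ebx,eax").regs["ebx"]
    cpu = Cpu(regs={"ebx": 3, "esi": 0x008AB100}, mem={0x008AB113: 100})
    r["sub [esi+13],ebx"] = cpu.execute("sub [esi+13],ebx").read32(0x008AB113)
    cpu = Cpu(regs={"esi": 0x008AB100}, mem={0x008AB113: 100})
    r["sub [esi+13],63"] = cpu.execute("sub [esi+13],63").read32(0x008AB113)
    cpu = Cpu(regs={"ebx": 0x64, "esi": 0x008AB100}, mem={0x008AB113: 3})
    r["sub ebx,[esi+13]"] = cpu.execute("sub ebx,[esi+13]").regs["ebx"]
    cpu = Cpu(regs={"eax": 5, "ebx": 12}).execute("mov eax,ebx")
    r["mov eax,ebx"] = (cpu.regs["eax"], cpu.regs["ebx"])
    cpu = Cpu(regs={"eax": 0x64, "edi": 0x008CD200}).execute("mov [edi+16],eax")
    r["mov [edi+16],eax"] = cpu.read32(0x008CD216)
    return r


if __name__ == "__main__":
    for instr, result in run_tutorial_examples().items():
        print(f"{instr:<20} -> {result}")
```

Note the register arithmetic is masked to 32 bits, so `sub eax,1` with eax=0 leaves FFFFFFFF rather than -1; that wraparound is what you see in a game when a counter that was never meant to go below zero is decremented once too often.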
