📄 cheat engine.shp.svn-base
jmp 00410000
nop
nop
nop
mylabel:
00410000:
mov [00580120],esi
mov [esi+80],ebx
xor eax,eax
jmp mylabel
<b>Example using ALLOC</b>:
alloc(alloc1,4)
00451029:
jmp 00410000
nop
nop
nop
00410000:
mov [alloc1],esi
mov [esi+80],ebx
xor eax,eax
jmp 00451031
<b>Example using ALLOC and LABEL</b>
alloc(alloc1,4)
label(mylabel)
00451029:
jmp 00410000
nop
nop
nop
mylabel:
00410000:
mov [alloc1],esi
mov [esi+80],ebx
xor eax,eax
jmp mylabel
<b>Example using FULLACCESS</b>
FULLACCESS(00400800,4) //00400800 is usually read-only, non-executable data; this makes it writable and executable
00451029:
jmp 00410000
nop
nop
nop
00410000:
mov [00400800],esi
mov [esi+80],ebx
xor eax,eax
jmp 00451031
<b>Example using DEFINE</b>
DEFINE(clear_eax,xor eax,eax)
00400500:
clear_eax
<b>ReadMem example</b>
alloc(x,16)
alloc(script,2048)
script:
mov eax,[x]
mov edx,[x+c]
ret
x:
readmem(00410000,16) //place the contents of address 00410000 at the address of X
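The auto-assembler examples above all rely on the same bookkeeping: an "address:" line moves the current position, a "name:" line binds a LABEL to that position (or, for an ALLOC name, moves the position into the allocated block), and DEFINE is plain text substitution. The following is an added illustration, not code from the Cheat Engine help file: a small Python simulator of that layout which feeds in the "ALLOC and LABEL" example verbatim and reports where mylabel ends up. The instruction size table (SIZES) and the address ALLOC blocks are placed at (ALLOC_BASE) are assumptions of this simulator; Cheat Engine's own assembler decides the real sizes and addresses.

```python
import re

# Assumed x86-32 sizes for the instruction forms used in the help-file
# examples (a real assembler decides the true length; only jmp and nop
# matter for the label arithmetic in the hook example).
SIZES = {"jmp": 5, "nop": 1, "xor": 2, "mov": 6, "ret": 1}

# Constructed: where this simulator pretends ALLOC blocks land. Cheat Engine
# chooses the real address at run time.
ALLOC_BASE = 0x10000000


def layout(script):
    """Lay out an auto-assembler script.

    Returns (lines, symbols): lines is a list of (address, text) with every
    symbol replaced by its hex address; symbols maps alloc/label names to
    addresses. Rules mirrored from the examples: "00451029:" re-bases the
    cursor, "name:" binds a declared label to the cursor (or, for an alloc
    name, moves the cursor into that block), DEFINE is plain text substitution.
    """
    symbols, defines, lines, declared = {}, {}, [], set()
    cursor, next_alloc = None, ALLOC_BASE
    for raw in script.splitlines():
        line = raw.split("//", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        if (m := re.fullmatch(r"alloc\((\w+),(\d+)\)", line, re.I)):
            symbols[m[1]] = next_alloc
            next_alloc += int(m[2])
        elif (m := re.fullmatch(r"label\((\w+)\)", line, re.I)):
            declared.add(m[1])
        elif (m := re.fullmatch(r"define\((\w+),(.+)\)", line, re.I)):
            defines[m[1]] = m[2]
        elif re.fullmatch(r"fullaccess\(.+\)", line, re.I):
            pass                                       # protection change, emits no bytes
        elif line.endswith(":"):
            name = line[:-1]
            if name in symbols:                        # "x:" after alloc(x,..)
                cursor = symbols[name]
            elif name in declared:                     # "mylabel:" binds here
                symbols[name] = cursor
            elif re.fullmatch(r"[0-9A-Fa-f]+", name):  # "00451029:" re-bases
                cursor = int(name, 16)
            else:
                raise ValueError(f"{name}: used without label() or alloc()")
        else:
            if cursor is None:
                raise ValueError(f"instruction before any address: {line}")
            text = defines.get(line, line)             # DEFINE substitution
            if (m := re.fullmatch(r"readmem\(\w+,(\d+)\)", text, re.I)):
                size = int(m[1])                       # copied bytes, not code
            else:
                size = SIZES[text.split()[0].lower()]
            lines.append((cursor, text))
            cursor += size
    # Second pass so that labels bound later in the script (forward jumps) resolve.
    resolved = []
    for address, text in lines:
        for name, value in symbols.items():
            text = re.sub(rf"\b{re.escape(name)}\b", f"{value:08X}", text)
        resolved.append((address, text))
    return resolved, symbols


# The "ALLOC and LABEL" example from the help file, verbatim.
ALLOC_LABEL_EXAMPLE = """
alloc(alloc1,4)
label(mylabel)
00451029:
jmp 00410000
nop
nop
nop
mylabel:
00410000:
mov [alloc1],esi
mov [esi+80],ebx
xor eax,eax
jmp mylabel
"""

if __name__ == "__main__":
    lines, syms = layout(ALLOC_LABEL_EXAMPLE)
    for address, text in lines:
        print(f"{address:08X}: {text}")
    print(f"mylabel = {syms['mylabel']:08X}, "
          f"bytes replaced at 00451029 = {syms['mylabel'] - 0x451029}")
```

Running it shows mylabel binding to 00451031, which is exactly the address the ALLOC-only example jumps back to by hand: the 5-byte jmp plus three nops replace 8 bytes at 00451029, so whatever originally occupied those 8 bytes must be whole instructions (and, if they did work, must be repeated in the code at 00410000) or the program will crash on return.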
----- SHM ---- page 18 ----
Cheat engine also has a script engine in which you can execute simple c-scripts.
You can run those c-scripts inside CE, but you can also inject them into the target process and let it execute there. The scripts have access to the real memory.
Also, when running in the context of Cheat Engine using the normal execute button, the script engine provides you with several extra commands that are not available when using the injected form.
They are:
<b>void ce_showmessage(char* message);</b>
Will popup a messagebox with the specified message
Useful for showing the result of an operation.
e.g:
char result[100];
int x=123;
x=x+6;
sprintf(result,"123+6 = %d",x);
ce_showmessage(result);
<b>int ce_ChangeRegistersAtAddress(unsigned long addresstonbreakat, void *changeregstructure);</b>
This will use ce's "Change register at address" feature.
addresstonbreakat is the address to place the break at and changeregstructure is a pointer to the changereg structure.
Look at the plugin-system help or the changeregtest.CEC example provided for the structure.
<b>int ce_AutoAssemble(char *script);</b>
Will autoassemble the script provided in script.
Returns 0 on failure.
<b>int ce_Assembler(unsigned int address, char *instruction, unsigned char *outputbuffer, int maxbuffersize, int *numberofbytes);</b>
Will assemble one specific instruction and write the resulting bytes to a buffer you've allocated (outputbuffer, at most maxbuffersize bytes; numberofbytes receives the count).
<b>int ce_Disassembler(unsigned int address, char *outputstring, int maxsizeofstring);</b>
Will disassemble a specific address of the currently selected process and fill it in outputstring.
<b>int ce_InjectDLL(char *pathtodll, char *optionalfunction);</b>
Will inject a DLL and call a function of that DLL (no parameters). optionalfunction can be 0.
<b>unsigned int ce_GetAddressFromPointer(unsigned int baseaddress, int offsetcount, unsigned int *offsetlist);</b>
Will convert an address with offsets to the final address.
offsetcount is the number of offsets in the list (offsetlist)
<b>int ce_GetSelectedProcessHandle(void);</b>
Will return the current process handle.
<b>int ce_ReadProcessMemory(unsigned int processhandle, void *baseaddress, void *buffer, unsigned long bytestoread, void *numberofbytesread);</b>
Will use the ReadProcessMemory implementation currently used by Cheat Engine.
<b>int ce_WriteProcessMemory(unsigned int processhandle, void *baseaddress, void *buffer, unsigned long bytestowrite, void *numberofbyteswritten);</b>
Will use the WriteProcessMemory implementation currently used by Cheat Engine.
----- SHM ---- page 19 ----
Cheat Engine is filled with other features, try to find them and find out what they do, or send questions about them to dark_byte@hotmail.com
----- SHM ---- page 20 ----
This section contains a collection of all useful tutorials originally posted on the Cheat Engine forum.
----- SHM ---- page 21 ----
Originally posted by Emperor:
Hope it's useful... after all I did much research on it. This guide written by me explains how to use CE for anti-tab protected games.
First you may wonder :
<b>What does anti tab protected mean? </b>
It means if you minimize it, it will never come up again, it will kill itself. This happens if you use any kind of task switching or click on any other program.
<b>What can be done about it? </b>
Possibility 1:
There is a program AAT that freezes the game and then brings your cheat-tool (of course we all use CE don't we?) to the front. Once a scan is done you can press another button to switch back to the game and resume it. Because it was frozen during that time it didn't notice it was not in the foreground. Although being frozen, CE can still attach itself to the game (although it may require you to switch to the game, unfreeze it and then freeze again in order to make it work). With AAT however there's always the risk the game will crash anyway or AAT will stop responding, making it impossible to unfreeze the game.
Possibility 2:
Xunleashed. With it you can run directx programs in a normal window.
Xunleashed has not been tried by me as it costs 20$ (after all I can still use AAT and CE network version). It should work; if you are unsure whether it works with your game or not look at the message board.
Possibility 3:
Use the CE network version. This of course requires 2 computers and you to switch between them. Also the functions in the network version are limited, but new features are being added.
<b>What do game creators do against those? </b>
-Game guard. : The 4.4 Version of CE can cheat Anti Tab protected games. Therefore you can safely use the network version. AAT will not work with nProtected games but if you execute the game as a normal user and AAT as an administrator it will still work.
----- SHM ---- page 22 ----
Originally posted by emperor:
2 Byte means: 00 00 to FF FF this allows only up to 65535, obviously.
4 byte means: 00 00 00 00 to FF FF FF FF (allows up to 4294967295).
Now for example you can miss 2 byte values with 4 byte scans:
example: value in game is 300 stored in game's memory as 012C
If you search for 12C as 2 Byte it will be in your results.
If you search for 12C as 4 byte the 2 Bytes before the 012C matter as well.
For example the 012C would be after an FF FF.
Meaning: FF FF 01 2C is in the memory 01 2C being what you are searching for. However seen as 4 Byte this is not 01 2C (300) but it's FF FF 01 2 C (4294902060) .
To my mind for exact value scans you should use the smallest appropriate byte type (for ex if it doesn't rise over 65000 use 2 byte). However since most games multiply it with a certain factor exact value scans are hardly useful...when doing an unknown value scan it's up to you to choose the correct bytesize...most commonly used is 4 byte after all. It's nothing new to me seeing games showing a stat up to like 2000-3000 as 4 Byte in a huge number over several hundred thousands..however how much a certain game multiplies, adds or subtracts, or tries to hide it depends on the game, is therefore sort of unknown, therefore I think in many cases the bytesize is also sort of unknown although 4 Byte is always likely. Note doing increase/decrease value scans wouldn't fail even if there were some other bytes before it: for ex
FF FF 01 2C is increased by one...
---> FF FF 01 2D increased would still be okay as unknown initial.
But if the FF FF also changes
to like FE FE then it would screw up the scan.
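The post above describes three situations: a 2-byte value found by a 2-byte exact scan, the same value missed by a 4-byte exact scan because the neighbouring FF FF bytes become part of the number, and an increased-value scan that still works unless those neighbours change too. The following is an added illustration written for this page, not part of the forum post: a tiny scanner over a constructed byte buffer that reproduces each case. One detail the post leaves implicit: x86 stores integers little-endian, so the FF FF bytes that turn 300 into 4294902060 (0xFFFF012C) sit at the two addresses after the 2-byte value.

```python
import struct

WIDTH_FMT = {1: "<B", 2: "<H", 4: "<I"}   # unsigned little-endian, as x86 stores them


def read_value(mem, offset, width):
    """Value of the `width`-byte unsigned little-endian integer at `offset`."""
    return struct.unpack_from(WIDTH_FMT[width], mem, offset)[0]


def scan_exact(mem, value, width):
    """First scan for an exact value: every offset at which it is stored with this width."""
    return [off for off in range(len(mem) - width + 1)
            if read_value(mem, off, width) == value]


def scan_increased(before, after, width):
    """'Increased value' next-scan (unknown initial value): offsets whose value went up."""
    assert len(before) == len(after), "snapshots must cover the same region"
    return [off for off in range(len(before) - width + 1)
            if read_value(after, off, width) > read_value(before, off, width)]


# Constructed snapshot: the 2-byte value 300 = 0x012C sits at offset 4 as
# "2C 01" (little-endian) and the two bytes after it happen to be FF FF.
SNAPSHOT = bytes([0, 0, 0, 0, 0x2C, 0x01, 0xFF, 0xFF, 0, 0, 0, 0])
# Same memory after the value increased by one and nothing else changed.
SNAPSHOT_PLUS_ONE = bytes([0, 0, 0, 0, 0x2D, 0x01, 0xFF, 0xFF, 0, 0, 0, 0])
# Value increased by one, but the neighbouring FF FF also changed to FE FE.
SNAPSHOT_NEIGHBOUR_CHANGED = bytes([0, 0, 0, 0, 0x2D, 0x01, 0xFE, 0xFE, 0, 0, 0, 0])

if __name__ == "__main__":
    print("2-byte exact scan for 300:", scan_exact(SNAPSHOT, 300, 2))   # [4]
    print("4-byte exact scan for 300:", scan_exact(SNAPSHOT, 300, 4))   # []
    print("4-byte value at offset 4:", read_value(SNAPSHOT, 4, 4))      # 4294902060
    print("4-byte increased, neighbours unchanged:",
          4 in scan_increased(SNAPSHOT, SNAPSHOT_PLUS_ONE, 4))          # True
    print("4-byte increased, neighbours changed:",
          4 in scan_increased(SNAPSHOT, SNAPSHOT_NEIGHBOUR_CHANGED, 4)) # False
    print("2-byte increased, neighbours changed:",
          4 in scan_increased(SNAPSHOT, SNAPSHOT_NEIGHBOUR_CHANGED, 2)) # True
```

The 4-byte increased scan keeps offset 4 only while the high bytes stay FF FF; once they drop to FE FE the 4-byte number decreases even though the real 2-byte value went up, which is the failure the post describes. Note that the increased scan also returns the overlapping offsets 1 to 3, since any 4-byte window that contains the changed byte in a higher position grows as well; that is why unknown-value scans leave many candidates until further narrowing.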
----- SHM ---- page 23 ----
Originally posted by me. (no not me, but the user called me)
this is to try to answer the most common questions from people new to cheat engine
using 3d pinball for windows space cadet as an example,,,
it might be an idea to print this and other tuts so it's easier to work through them,,,
( this game gives you some free balls so be on the look out for that during this tut )
start 3D PINBALL FOR WINDOWS ,, and wait for the first ball to deploy
start cheat engine
click on the flashing icon in the top left of cheat engine
in the bottom of process list window
double click on PINBALL.EXE to attach the game to cheat engine
in the value box type in 3
go into the pinball game and lose a ball
wait for the next ball to be deployed
go back into cheat engine
type 2 into the value box
click on the next scan button
I got the address A9FEE6 yours may be different
ok
I'll double click on the found address A9FEE6 to add it to the bottom pane
click on the checkbox to freeze this address
go back into the PINBALL GAME
lose some balls to see if it's the right address
if you have got it right you'll have infinite balls
-------------------------------------------------------------------------------
now to find the code that changes the number of balls
-------------------------------------------------------------------------------
go back into cheat engine
(if you want you can double click on the value part of the address in the bottom pane and change it back to 3 or 4 balls)
In the bottom pane again right click on the address A9FEE6 and choose
FIND OUT WHAT WRITES TO THIS ADDRESS
you will then get the debugger window
go back into pinball and lose another ball
in the debugger window you should see the address of the code that changes the number of balls
I got 01015f02 - 89 86 46 01 00 00 - mov [esi+00000146],eax
click on this to highlight the code,, and click on the ADD TO CODELIST button
a box called CHEAT ENGINE CODE will pop up
name balls
and hit the OK button
a window called ADVANCED OPTIONS WILL pop up with balls in it
you can right click it and choose REPLACE WITH CODE THAT DOES NOTHING
to show that the code has been nopped out the name will turn red
you can hit the ok button to close the advanced options window then the stop and close button to exit the debugger
then save your table,,,, but for now
just hit the ok button to close the advanced options window
in the debugger window look at the code 01015f02 - 89 86 46 01 00 00 - mov [esi+00000146],eax
now with the code highlighted click on the MORE INFORMATION button
the EXTRA INFO box will pop up
in this box under copy memory you will see the sentence
THE VALUE OF THE POINTER NEEDED TO FIND THIS ADDRESS IS PROBABLY 00A9FDA0
this is the address held in the ESI register below this you can see all the values that the registers held at the instant you lost a ball,,
as you can see ESI=00A9FDA0
and highlighted in red you can see
01015F02 - mov [ esi + 00000146 ],eax
this is all in hexadecimal
so the ESI register holds 00A9FDA0 therefore
[esi + 00000146] = [ 00A9FDA0 + 00000146 ]
00A9FDA0 + 146 = 00A9FEE6
the first address I found when I started scanning at the start of the game
so note down the address 00A9FDA0
and the offset 146
close the EXTRA INFO window
in the main cheat engine window ,,,hit the new scan button
next to the value box there's a hex checkbox ,, check it so you can enter a hex value
put in our address without the zeros in front of it A9FDA0
and hit the first scan button
you will get a couple of hundred results
i'll try the first address on the list 009A4356
click on the add address manually button
click on the pointer checkbox and you will see the ADD ADDRESS window change
where it says ADDRESS OF POINTER type in our address 9A4356
and in the OFFSET [HEX] box type in 146 ,,,,,,,,, remember [esi + 00000146]
and hit the ok button
hopefully a new address which should look like this in the bottom pane
No description P->00A9FEE6 4 bytes 0x00000003
or how ever many balls you got left
you can freeze the number of balls from this pointer now,,,,,
in games that use Dynamic Memory Allocation ,,, DMA
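The pointer walk in the tutorial above (the 4-byte value at 009A4356 is 00A9FDA0, and 00A9FDA0 + 146 is the ball counter at 00A9FEE6) is the same operation the c-script command ce_GetAddressFromPointer(baseaddress, offsetcount, offsetlist) from the scripting section performs. The following is an added illustration, not code from the Cheat Engine help file or the forum post: a pointer-path resolver run over a constructed little-endian memory image that stands in for ReadProcessMemory. The Memory class, the MEM image and the two-level path through 00500000 and 00600000 are constructed for this example; the rule "dereference after every offset except the last" is the assumed semantics of CE's [[base]+offset]+offset notation.

```python
class Memory:
    """Sparse 32-bit little-endian memory image: {base_address: bytes}.
    Constructed stand-in for reading the selected process's memory."""

    def __init__(self, chunks):
        self.chunks = dict(chunks)

    def read_u32(self, address):
        for base, data in self.chunks.items():
            if base <= address and address + 4 <= base + len(data):
                off = address - base
                return int.from_bytes(data[off:off + 4], "little")
        raise ValueError(f"unreadable address {address:08X}")


def get_address_from_pointer(mem, base_address, offset_list):
    """Resolve a pointer path like ce_GetAddressFromPointer: read the pointer
    stored at base_address, then add each offset, dereferencing after every
    offset except the last (assumed semantics: [[base]+off0]+off1 for two
    offsets). Raises ValueError if any intermediate pointer is unreadable."""
    address = mem.read_u32(base_address)
    for i, offset in enumerate(offset_list):
        address += offset
        if i < len(offset_list) - 1:
            address = mem.read_u32(address)
    return address


def describe(mem, base_address, offset_list):
    """Bottom-pane style entry for a resolved pointer, as in the post:
    P->address 4 bytes value."""
    address = get_address_from_pointer(mem, base_address, offset_list)
    return f"P->{address:08X} 4 bytes 0x{mem.read_u32(address):08X}"


# Constructed image reproducing the post: 009A4356 holds the pointer 00A9FDA0,
# and the object at 00A9FDA0 stores the ball count (3) at offset 146.
MEM = Memory({
    0x009A4356: (0x00A9FDA0).to_bytes(4, "little"),
    0x00A9FDA0: bytes(0x146) + (3).to_bytes(4, "little"),
    # Extra two-level path (constructed): 00500000 points at an object whose
    # field at +8 points at the same 00A9FDA0 object.
    0x00500000: (0x00600000).to_bytes(4, "little"),
    0x00600000: bytes(8) + (0x00A9FDA0).to_bytes(4, "little") + bytes(20),
})

if __name__ == "__main__":
    print(describe(MEM, 0x009A4356, [0x146]))                      # P->00A9FEE6 4 bytes 0x00000003
    print(f"{get_address_from_pointer(MEM, 0x00500000, [0x8, 0x146]):08X}")  # 00A9FEE6
```

The two-level path shows why the post's last line matters: when the game allocates the object dynamically, 00A9FDA0 changes from run to run, but a pointer path that starts at a stable address keeps resolving to the current copy. The ValueError raised for an unreadable intermediate pointer is the condition a table shows as an unresolvable pointer (for instance before the object exists).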