In this tutorial I show how to scan for multilevel pointers using both the pointermap method, and the manual method using the debugger. www.cheatengine.org
I also want to point out: That little diagram with Game.exe at the beginning of the video is very helpful for understanding multilevel pointers. Thanks for that as well. I watched so many videos today and they didn't explain anything about why and how.
Damn, the explanation text on the tutorial is so simplified, it basically says that we just need to do what we did on step 6. Don't remember using pointermap on step 6.
Thanks for this!
Ty this was very helpful on the tutorial and understanding how pointers work. The diagrams explaining that there can be multiple paths was informative!
this has got to be the best tutorial on multilevel pointers in CE I've ever seen, kudos mate
Thank you so much for making these! I learn better by watching something in action first and then following instructions. I was able to get through all of these (already did the next one, just jogging my memory on this one) in an afternoon! :)
Thank you for this tutorial. I had a really hard time with this step.
Thank you so much for showing both methods! Truly an informative video.
You're the man, thanks a lot, looking for more of you
Today I got the big aha-moment with this video. Basically multilevel pointers are programmatically:
1. Read baseAddress + staticAddress
2. Read from (baseAddress + staticAddress) into result
3. Add pointer to result. Read from (result + pointer)
4. Iterate till end of all multilevel pointers are consumed
5. Read the real value at the end as the end result.
I needed to write a program in C# myself to understand all that. And it worked like a charm.
Excellent tutorial. Thank you very much for all the work you have put out for millions of users!
Feels good to have a tutorial by the man himself :-)
"millions of users"
*looks at the views*
"651"
*looks at this comment again*
Okay... :D
But it really was helpful :)
MeisterJohnny007 he didn’t say millions of CZcams views. He meant the people using the “cheat engine”
Nice..I have learned second method from this video to search for multilevel ptr 😊
thanks a lot champ ! been struggling with this one
great explanation with video! This was a hard concept ty!
I found a static address the second way, and how do I change its value ? Help
How do I find the pointer of the mouse. I want to be able to look an object in game and see on CE what the object value is.
I'm stuck on this step, I don't understand which address to change the value on. I don't want to do it the pointerscan way because I don't have a saved pointerscan template or whatever for step 8, and when I do the scan and change the value to see which is the correct one then all of them change, I've never seen only one change. I can find all the pointers just fine the manual way but how do I know which one is the one that needs to be changed to 5000 before being frozen? Maybe it's a dumb question lol but I'm not sure.
Thanks for the lessons, now I feel like I have graduated from Cheat Engine university
WHY so few people watch this awesome video
dude that's an awesome video, thanks a lot.
"What accesses" when finding pointer in step 6 and first pointer in step 8 was like: mov [rsi+18],eax
so when the second was: cmp qword ptr [rsi],00
I thought something is wrong already, video shows cmp is also ok.🐼
When scanning for next pointer, the 0x before hex value is required, Hex checkbox gives not a valid value scan error.
Hi, thanks for making it!
I've gone through the tutorial, I'm wondering why we do the step at around 2:48
it seems we generate a list of pointers that use the address with our value, but then change pointers until one of those base addresses has a "points to" with your value?
Also when doing the manual pointer method, we're going backwards right? So from the player object value, to the exe?
This just forces the pointer path to change a third time, so only pointers that are valid 3 times in a row are left. In this case just one (but there can be more valid ones).
When doing the manual method you go backwards yes, from player object to exe, but that is also how the pointerscan works. There's a lot less paths from destination to source than there is from source to any random address.
Thanks.
I got 4 offsets of pointers and added 4 offsets to 4 addresses separately, then froze the 4 pointers with the checkbox "Active".
And I was trying to skip the 3 middle pointers, rewrite the assembly to set the value of the static address to the address of the decimal value ("5000"), but I failed and was stuck for 10+ hrs.
how to find correct address from a bunch of addresses ..please help
Pointer map scan gave me 1Byte result (it was displaying wrong value) had to change it into 4 Bytes.
Except the tutorials up to that point don't say squat about pointermaps. They just expect you to find the pointers one by one, which is kind of what I expected you to demonstrate since I don't see a way to find what accesses the 1st pointer you find without having the engine generate a map for you.
Thanks Eric!
can we view the source code with CE?
Thank you very much, this is awesome! I found the second part of the exercise more fun, as it helps to better understand how it works more "barebones" but I understand how the first one is much faster. I would like to add to the tutorial that the user would need to add the 4 offsets manually in order to let you change the value to 5000 and freeze it and move forward in the game! Also it is satisfying to keep adding the offsets as you find the pointers even if they are not the static one, as you will see the correct value in the value column. By the way, what is the value shown in the value column of the pointers if you don't add the offset to them? Does it have any meaning?
Have you found the answer to your question?
Does it work with the Float value type? I tried multiple times using this method, but I can't find the static address of my game
While the final address can be of type float, pointers are always integers of either 4 or 8 bytes long depending on if it's a 32-bit or 64-bit target
thank you for this video
Thank you so much for showing both ways, I learned so much. Do I have to restart the game as you restarted the tutorial or would a load game save be sufficient?
Loading a game save will help, but it's not as good as a restart of the game. E.g: you have game->gameEngine->player. On load game only player gets reallocated, but game->gameEngine are the same so the scanner will find that exact same part of the path again, which will result in more useless results.
How about the offset if (edi+edx*8+04), what should I write in CE?
Likely an array, which makes things annoying to work with. But with luck it's always in the same offset. Look at the value of edx. If it's 0, the offset is 4, if it's 1, the offset is c, etc...
Thank you!
Quick question: When you search for "what accesses this address" and get 2 instructions like:
Mov rsi, [rsi+18]
Cmp [rsi +18], 00
each having a different rsi value, is there a way to know beforehand which one to use or do you have to test it?
watch the first part of the video. in short you used find what accesses on a specific address, and find xxxx+18 is what leads to that address.
thus address-18 is xxxx
register+offset == address
register == address-offset
For example if you searched for what accesses address 017D2423 you get Mov rsi, [rsi+18]:
rsi+18 == 017D2423
rsi == 017D2423-18
rsi == 017D240B
Hey quick question,
How do I change the pointer in a "real" game? Obviously there is no "change pointer" button in a real game
restart the game or load a savegame
Is there ever a reason why there would be no reliable pointers from one instance of a game to the next, whether it be death or restarting the game? Oh also, is the single number in the '[ # ]' square brackets the offset or can the offset be something like [rdi+rax*8+28]
It's possible there is no reliable pointer if objects are created in a random order affected by things like internet speed etc... e.g. the player character might be placed after a monster inside an array and then iterated over each time instead of using a handy pointer. It's unlikely but possible, yes. With stuff like [rdi+rax*8+28] the rax*8+28 is the offset, so if rax is 1, then the offset is 28+8=30. (If RAX is high, like 50+, then this is one of those examples where pointers may not work)
@cheat_engine yes, the value of rax is 0x24306ac4080
@cheat_engine thanks for the help, so I've been looking for an alternative to static pointers and I think I found it. I've been able to single out the address I want by searching for array of bytes (might be 80+ bytes long lol), but I was wondering if there was a way to populate the addresses through a script on to the cheat table, since it's basically a scan then clicking on the one address that pops up. I'd also want to know if it were possible to automate a list of addresses using that address as a base, like for example that address would be the base address and then I'd need one that's 0x30 offset from that, then 0xb0, 0xc0, 0xd0 etc.
@papacitoloko1117 you can use groupscan or aobscan using Lua Memscan objects and then use the results to add addresses to the addresslist
I can't get the manual method to work outside of the tutorial. Tried about 40+ games and not one has worked with the manual method while most have worked with the pointermap method. Not sure what I'm doing wrong since I'm following every step in the video.
Do you ever encounter static memory? E.g the game might have an anti cheat in which case CE will have trouble recognizing static memory (Which also affects the pointerscan)
@cheat_engine I rarely get static addresses doing the pointerscan and never get them doing the manual method. I'll get a whole bunch of results (that the tutorial doesn't explain how to filter through) or no results at all when attempting the manual method.
my brain is dying
This was helpful, seems like the manual method is simply exponentially faster the more pointers there are. It would take a computer far longer to go through 8 different layers than a human, I assume?
A great advantage of pointer scanning is that you can keep all the pointer routes you found and keep restarting and playing the game, and little by little you may see some of the routes stop working; sometimes it can take a while for some of the routes to be revealed as unstable. In the video you can already see this happening to begin with when he first does the pointer map generation and then restarts the game and searches for pointers to match up against the first generated pointer map. Already here a huge number of invalid pointers are filtered away. So he only finds 183 paths possibly being valid pointers. But then he changes the value in the game (the equivalent of playing the game some more) and many of those addresses stop being valid pointers to the value. Those routes should of course not be used; only keep the routes that persistently remain stable.
Not only that, when you find an address that COULD be a pointer, it may not actually be a pointer. Sometimes you find tons of addresses that contain the same value as the address the register from the opcode contained, but many of those addresses won't actually be used as a pointer. And that can take quite a while to go through manually. Matching found pointers after a restart of the game against the originally generated pointer map automatically takes care of that.
The second method doesn't work, I tried it multiple times and I manage to get a static address but the pointer that it generates doesn't work. I compared it with the pointer gotten from the first method and they are not the same (the pointer from the first method does work). I followed the tutorial step by step and I even get the same offsets but it still doesn't work.
You add the offsets in the correct order? From base address at the bottom to offsets at the top? The last offset you found should be at the bottom.
Anyhow, it's just showing the old way as an example, but the pointerscan is recommended
I got the second method to work by pasting in the static address again in the "add address manually" bar after ticking the pointer box, even if it's already listed in the bar. For some reason it didn't recognize the address name until I deleted the already filled in address or altered it in some way, like deleting the last digit then adding it back.
Greetings, I'm a user and a learner from Taiwan.
I followed the first method you teach, but the pointer scan keeps scanning for more than 2 minutes. Results found is zero and it can't find anything.
So I used the second method you teach, I finally found the green address, and the value is ________ just like yours.
But the "Next" didn't light up.
If I follow the tutorial which told me to set that green address' value to 5000, the "Next" button still couldn't be clicked.
I can't understand those videos or websites' tutorials, so even though it's hard to ask in English, I have to.
What mistake did I make?
I know what I missed now. I won't delete this message because someone may need this.
So the answer is that I have to add the offsets to the green address, to make sure the green one can link to the final one which we searched for in the beginning.
We see +18>>>+0>>>+18>>>+10
We search -18>>>-0>>>-18>>>-10>>>what we need
now we add offset +10>>>+18>>>+0>>>+18
Finally the pointer's value is the health value instead of another pointer. Because they link.......fuck yaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
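Added example (not part of the video or of any comment above): the forward pointer walk, the backward "address minus offset" search and the restart comparison discussed in this thread, simulated entirely in a Python dictionary so no real process is involved. The module size, slot offsets, heap ranges and the decoy slot are constructed for illustration; the offset order +10, +18, +0, +18 is the one quoted in the comment directly above.

```python
import random

MODULE_SIZE = 0x10000   # constructed size of the simulated "Game.exe" image
STATIC_RVA = 0x2F0      # constructed module-relative slot holding the real root pointer
DECOY_RVA = 0x300       # constructed slot that only sometimes points into the chain
OFFSETS = (0x10, 0x18, 0x0, 0x18)  # base-to-value order quoted in the comment above


class Run:
    """One simulated process instance: a sparse map of address -> 8-byte value."""

    def __init__(self, seed, health, stale_decoy):
        rng = random.Random(seed)
        # The module and the heap objects land somewhere different on every run.
        self.module_base = 0x100000000 + rng.randrange(0x100) * 0x10000
        a, b, c, d = rng.sample(range(0x20000000, 0x30000000, 0x1000), 4)
        self.mem = {
            self.module_base + STATIC_RVA: a,
            a + 0x10: b,
            b + 0x18: c,
            c + 0x0: d,
            d + 0x18: health,
            # The decoy slot happens to hold a pointer to object c in some runs only.
            self.module_base + DECOY_RVA: c if stale_decoy else 0x7FFF0000,
        }
        self.target = d + 0x18  # address of the health value in this run

    def is_static(self, addr):
        return self.module_base <= addr < self.module_base + MODULE_SIZE


def resolve(run, rva, offsets):
    """Walk forward: read the pointer, add the offset, repeat. None if a read fails."""
    addr = run.module_base + rva
    for off in offsets:
        ptr = run.mem.get(addr)
        if ptr is None:
            return None
        addr = ptr + off
    return addr


def reverse_scan(run, max_offset=0x20, max_depth=5):
    """Walk backward from the value until a module (static) address holds the pointer."""
    found = set()

    def walk(addr, tail, depth):
        for holder, value in run.mem.items():
            off = addr - value  # register == address - offset
            if not 0 <= off <= max_offset:
                continue
            path = (off,) + tail
            if run.is_static(holder):
                found.add((holder - run.module_base, path))
            elif depth < max_depth:
                walk(holder, path, depth + 1)

    walk(run.target, (), 1)
    return found


def stable_paths(first, second):
    """Keep only paths found in the first run that still reach the value in the second."""
    return {p for p in reverse_scan(first) if resolve(second, *p) == second.target}


if __name__ == "__main__":
    run1 = Run(seed=1, health=100, stale_decoy=True)
    run2 = Run(seed=2, health=73, stale_decoy=False)
    for rva, path in sorted(reverse_scan(run1)):
        print("run1 candidate: module+%#x" % rva, [hex(o) for o in path])
    for rva, path in sorted(stable_paths(run1, run2)):
        print("survives restart: module+%#x" % rva, [hex(o) for o in path])
```

In the first run the backward search returns two candidates, the real four-level path and a two-level path through the decoy slot; only the real one still resolves after the simulated restart, and the same offsets entered in found order instead of base-to-value order resolve to nothing.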
I repeated 1st method, but it doesn't work. I just don't have pointers in that table at all. Where can be the problem?
Make sure the folder you save the pointerfile to has ASCII characters only and no spaces (not sure about the spaces but best do it without)
I have same problem too.
what if i get like 2 million pointer paths, then how am i supposed to find the right one?
Did you miss the part where you have to use 2 different pointermaps from different gameruns?
Anyhow, close and reopen the game, find the value again, and then do a rescan with the new address.
If you still have 2 million then just pick any of them, they seem to stay valid on different runs. (I usually sort from highest offset to lowest and pick the result with lowest amount of offsets)
@cheat_engine no I did not miss the part where you showed to use 2 different pointer maps, I actually tried using 4 and still got like 1.8m results. So then I just tried the other things you said and I found it so thank you!
I am also following the same tutorial app, however after finding the first offset which is 18, I am subtracting from the value (x0100575DD8-x018), however I am not getting a search result but getting a scan error, invalid value.. please help
it's 0x, not x0. So 0x100575dd8-0x18
@cheat_engine Thank you for replying, I am just trying again and again, this time the values I got is 0x100575CD8-0x18 , I have also corrected the 0x syntax however it's producing the same error again and again.. please help me
@strikerhits You are using Cheat Engine 7.0 or 7.1? And are you sure it is the "Invalid value" error and not something else?
@cheat_engine thank you so much for replying again.. actually I am on mac and I am using version 6.2 .. I have tried running the latest version but it does not run so I am using an older version
@cheat_engine and yes, I have been trying for many hours to learn it however I am getting the same error, scan error: thread 0:0x100575D58-0x18 is an invalid value
bro please how to get base address on emulator android 😓
Why my pointer scan duration is 3:56:07 now? (its still growing)
Maybe a too high level
@cheat_engine maybe, thnx
Somehow I am stuck on this
- I find the Address with the value, change value to test, then create Address1
- I then generate a Pointermap of That Var
- I close and reopen the tutorial and select it as active
- Change Value a few times and change pointer and then change value again
- Create a new scan and search for the new value and find the address
- Take then This Var and pointerscan for this address
- Check Box: Compare Results, take the File of the Pointermap and select That Var as address
- Kept the "default options" (Different: max different offsets per node on at 3 & changed nr of threads scanning from 4)
Then either:
version1
- Get one Result, changed value and pointer
- value did not change at all
Version2:
- Get multiple results, change pointer, value changed accordingly
- Freeze pointer and change value to 5000
- Change Pointer
- Failed somehow
I am also now trying it out a few more times, looking if I somehow did something wrong
Okay, after trying it ONE MORE TIME
it somehow worked now
I am heavily confused
why do you close the tutorial to reopen it?? please explain all your actions, it doesn't make any sense
Closing the tutorial will cause all memory allocations to be randomized so that way it's easier to see which pointers are valid
Virtualization based security = disabled
Hyper V = disabled
uninstalled bluestacks
intel vt is enabled
dont have avast
disabled signature enforcement
anyone help?
and my cpu is supported. i7 9700 cpu (at least i think lol)
not working
You don't explain what you're doing. Why did you restart the tutorial? Was it necessary, or did you just randomly feel like doing it?
The second pointerscan/pointermap generation should be done on a new instance so that the addresses are at a different location
Cheat engine gives the worst instructions 😂