Cheat Engine: Pointer Scanning (tutorial 6, part 2) - Game Hacking Series

  • Added 21. 07. 2024
  • 🎮🕹 Learn the basics of Game Hacking. In this video, we'll apply the techniques we learnt from Cheat Engine tutorial step 6 (pointers) against a real game (cave crawler). Specifically, we'll try to manually identify the base pointer for our health, then use pointer maps and pointer scanning to automate the process. If you missed steps 1-6, be sure to check the full playlist! #BugBounty #GameHacking #CheatEngine #Tutorial
    Check the full video playlist HERE: • Game Hacking
    Overview:
    0:00 Intro
    0:50 Reasons for selecting this game
    2:21 Try to find pointer manually
    5:01 PointerMaps
    8:54 Conclusion
    A list of useful game hacking resources (bug bounty programs, key hunters, bug reports, tutorials/guides, video creators, related research, vulnerable games, tools, ctf writeups etc) - github.com/Crypto-Cat/CTF/tre...
    🧑‍💻 Looking to try game hacking and score some bug bounties? check out the active programs @ go.intigriti.com/register 💜
    👾 Join our Discord - go.intigriti.com/discord
    🎙️ This show is hosted by _cryptocat (@_CryptoCat) & intigriti
    👕 Do you want some Intigriti Swag? Check out swag.intigriti.com

Comments • 70

  • @lyteheaded3070 11 days ago

    Bro I swear to all things holy thank you. I've been stuck on pointers for days and you just rescued me

  • @heroteen16 7 months ago +5

    Man this was a lot easier than some other videos made this out to be, thanks!

    • @intigriti 7 months ago

      No problem, glad it helped! 🥰

  • @JuliTV123 1 year ago +2

    Yoo thx for the tuts man, it helped me pointerscan the money, points and other things on a modded C&C Generals Zero Hour

  • @CHEF2077 1 year ago +1

    thank you so much for these tutorials!

  • @AyushKumar-hv2ww 1 year ago +7

    👏👏 nice lecture 👍❤️

  • @don.timeless4993 1 year ago +2

    thank you so much

  • @Jayco2855 5 months ago +2

    So get this: You're the third YouTuber I watch that wants to explain Pointermaps to me and that's fantastic, but none of you guys explains what to do when the Pointer Scan shows 0 results. So what do I do? I'm not angry with you, it's neither your job to explain this to me nor do I have the right to demand an answer from you. I'm asking for help, should you read this, that's all. Cause nobody seems to be able to tell me how to proceed.
    Edit: It worked after generating a pointer scan using 4 pointermaps. If there is any easier way, pls let me know. Otherwise, thanks for the video❤️

    • @intigriti 5 months ago +1

      Hi mate! First question to try and narrow down the cause: are you experiencing this issue with the in-game tutorial and/or the cave crawler game, or is it some other (all?) games?

    • @Jayco2855 5 months ago +1

      @intigriti It's another game that is not running via browser or emulator, not online, and uses no real life money shop

    • @kjc0 5 months ago

      I'm having the same problem but with an emulator @Jayco2855

    • @intigriti 5 months ago +2

      OK yep, as I suspected 😁 What's happening in this specific game to stop you finding pointermaps? I don't know as I didn't develop the game - they are all different. Let's assume someone developing a game might assign the player object a health property and assign it a value. You want to use a pointer scan to find out the base value of the health, *but* the developer has decided to switch up the pointers every few seconds..
      How will you find that pointer? Why would they do this? Maybe they just made some weird decisions when programming.. Maybe there is a bug in their code.. Maybe they specifically wanted to protect their game from "cheaters" who might try to scan for (then manipulate) pointers..
      The latter option falls into the "anti-cheat" category, which is a huge industry in itself and very interesting to study: helda.helsinki.fi/bitstream/handle/10138/313587/Anti_cheat_for_video_games_final_07_03_2020.pdf
      We get *a lot* of questions about why techniques in the cheat engine tutorials don't work on specific games. As mentioned in the tutorial itself (by the cheat engine developers), modern games are a lot more complex than many of the simplified examples featured here. On top of that, most go out of their way to prevent cheating. That doesn't mean it's impossible, just that you need to have a greater level of understanding of how the game works, how reverse engineering, hacking (and anti-cheat) techniques work etc in order to exploit.
      My advice would be either:
      a) Pick a different, easier game. Accomplish your objective, then try again on a harder game. Eventually, you'll have enough knowledge and experience to find out what's going wrong in the current game you are focusing on.
      b) Stick with this game; go on cheatengine/guidedhacking forums and look at all the possible reasons no pointers will be returned.. Has anyone in the forum looked at the same game? Are there any existing cheats/trainers that you can reverse/study to learn from?
      Best of luck! 💜

    • @Jayco2855 5 months ago

      @intigriti Thanks for the answer and your time. Seems like there's still a lot I need to get into. However, I managed to get it done: I just used 6 - 16 pointermaps and finally got results. It never worked in that game by using 2 or 4 pointermaps only. I wonder why? Anyway, thanks for the advice and the video. Have a great day😊

  • @Ifonly-yp5hi 1 month ago

    So question. Say I do my first scan for my health but instead of narrowing down to 1 address holding that value, I have 2 addresses that hold the health value, does that mean I'm looking for 2 pointers? Or would both addresses be getting the value from the 1 pointer?

    • @intigriti 1 month ago

      I guess it could be either, depending on how the game was developed. Maybe those 2 addresses are being populated from another pointer or maybe the game is copying the health value to another address at some stage. This could be a basic anti-cheat protection, e.g. if player changes health, the 2 values will no longer match and the game can take action (restore health to correct value). It's more likely to be a benign reason, e.g. the health is used in some other function, but the value is copied to a new variable during this time. Maybe you can try modifying each value individually, then both at the same time to see what the effect is..
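
Added example (not part of the comment thread, and not code from any game discussed here): the duplicated-value check described in the reply above, sketched in C++ from the game developer's side. The class name `GuardedValue`, the `poke_plain` test hook and the key constant are assumptions made for the illustration.

```cpp
#include <cstdint>

// Hypothetical names throughout (GuardedValue, poke_plain, ...): this is a
// sketch of the idea, not code from any game or engine.
class GuardedValue {
public:
    GuardedValue(uint32_t initial, uint32_t key) : key_(key) { store(initial); }

    // Game logic writes through set(), keeping both copies in step.
    void set(uint32_t v) { store(v); }

    // True while the plain value still matches the unmasked shadow.
    bool consistent() const { return plain_ == (shadow_ ^ key_); }

    // Read path: on mismatch the shadow wins, the plain copy is restored
    // and the event is counted so the game can log or react to it.
    uint32_t get() {
        if (!consistent()) {
            ++tamper_events_;
            plain_ = shadow_ ^ key_;
        }
        return plain_;
    }

    unsigned tamper_events() const { return tamper_events_; }

    // Stand-in for an out-of-band write to the plain copy only (constructed
    // for the demo; a real edit would come from outside the process).
    void poke_plain(uint32_t v) { plain_ = v; }

private:
    void store(uint32_t v) { plain_ = v; shadow_ = v ^ key_; }

    uint32_t plain_ = 0;   // the copy that holds the visible health value
    uint32_t shadow_ = 0;  // masked copy, stored as different bytes
    uint32_t key_;
    unsigned tamper_events_ = 0;
};

struct DemoResult {
    uint32_t after_damage;
    uint32_t after_tamper;
    unsigned events;
};

// Constructed scenario: 100 health, 30 damage through set(), then one direct
// write of 9999 to the plain copy.
DemoResult run_demo() {
    GuardedValue health(100, 0xA5A5F00Du);
    health.set(health.get() - 30);
    uint32_t after_damage = health.get();  // legitimate change, no event
    health.poke_plain(9999);
    uint32_t after_tamper = health.get();  // mismatch detected and restored
    return {after_damage, after_tamper, health.tamper_events()};
}

int main() {
    DemoResult r = run_demo();
    return (r.after_damage == 70 && r.after_tamper == 70 && r.events == 1) ? 0 : 1;
}
```

A check like this runs inside the client, so it raises the effort needed rather than guaranteeing integrity; values that matter to other players are normally validated server-side as well.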

  • @childdori3901 1 year ago +2

    May I know why do you need to restart the game, get address of health and generate a second map to do the pointer scan that compares the 2 pointer maps, why not just use 1 pointer map? Also, why are there so many pointers showing up in the pointer scan pointing to the address of the health, isn't 1 enough?

    • @intigriti 1 year ago +4

      Hey, great questions!
      Let me answer the second one first. The game can have many pointers which point to the same address, e.g., our health. Many of those pointers will be reliable, i.e., stable across game reboots, but some won't.
      That brings us to the first question! We reboot the game and/or kill our character before generating new pointermaps to find those stable, reliable pointers. For example, let's say we run a pointer scan, and it finds a pointer to our health. We restart the game and do the same again, but it doesn't see that specific pointer this time. Well then, it's unreliable - we want to find a stable offset we can use each time the game is booted.
      Comparing those two pointermaps will help us filter out the unreliable ones. However, although our two pointermaps find the same pointer, it might not be found if we were to generate a third! That's why two pointermaps are the minimum recommended. Sometimes other "scan for pointer" settings will also need to be adjusted, depending on the game.

  • @mrbl3azy 1 year ago +3

    After multiple retries, for some weird reason none of my generated pointers end up pointing to Health after restart.
    Even copying over every pointer over to see if I missed it.
    I made sure to follow each and every step.
    Most recent version of CE (7.5)
    Could there be something I'm missing?

    • @intigriti 1 year ago +1

      Hmmm following the steps in the video should be enough, I ran through it a good few times before making the video (and in later videos in the series) and it doesn't work every time but mostly successful. You could also try generating more than 2 pointermaps (comparing 3-4 for example) and just double check the settings are the same and you are correctly identifying the health value 🙂

    • @PoetofHateSpeech 6 months ago +1

      I have the same issue. It actually seems random. Sometimes it works, sometimes not.
      Found the issue. You need to attach the process when the game is at the start menu.

  • @jaybhadaniya7309 10 months ago

    Hi, your explanation is amazing👌❤ really learning a lot.
    I have a question: I found the pointer, but when I try to change the value it does not change in game. When I restart the game, the last decreased value is coming on that pointer. Also, even if I freeze the value it's not working, so can you please help me with what exactly is going on in this case, what I'm missing here, please?
    To give you a brief of the game: I'm trying to change the value of the money. It's a day-based game, so there are days in the game; once the day finishes it gives me the total profit, or we can say total earnings of the day, and that is added to my current money.

    • @intigriti 10 months ago +1

      Hey, thanks! Some games can be complicated, e.g. the addresses might change dynamically, so even if you find the right pointer - its location will change shortly after. I would check out the cheat engine forums, see if they have any posts about the game you're working on, or at least posts about the issue you're describing.

  • @DatBoi_TheGudBIAS 1 year ago +2

    As a person who was pretty used to pointers and code in general, I just got stomped by a small game lol.
    In case you're curious, it's called turmoil. I'm trying to get some muny, but the game makes it difficult. This game is from 2016, so I expected some security. It also is 64bit, so it is even trickier. Then, the values are in unusual formats, so I can't find them as easily as I would in other games (for example, I heard the money is a double, but I failed to find it as a double, I also tried 2 4 and 8 bit, and no luck, float didn't work too). I think I might have the wrong value somehow.
    To top it all, the addresses that contain the assembly code are also dynamic, they change every time I restart the game, so every time I restart it, the code that changes the address changes place and I need to refind it. The addresses have no module associated with them, so I can't use an aobscanmodule script, and instead am forced to use the normal aobscan, which makes the game read all the memory instead of only the specific module, which is substantially slower. This game has managed to stop me completely to the point I asked chatgpt for solutions 💀 💀 💀

    • @intigriti 1 year ago +1

      Sounds interesting! I noticed cave crawler is quite a bit more difficult than older/smaller games I've tried, e.g. tracing back pointers manually wasn't possible at all. I'll check out "turmoil" if I get the chance as I'm interested to see how different game dev approaches affect their "hackability".

    • @DatBoi_TheGudBIAS 1 year ago +1

      @intigriti I have searched a bit more on turmoil, and I think I figured out the reason for the difficulty. Well u see, the devs used a game engine called (I think) gamebuild or something close, which works very differently from the normal games we see. The most noticeable change is dynamic addresses for code: every time the game restarts, and maybe during gameplay, the addresses of the code change. That alone makes it harder to work with.

    • @intigriti 1 year ago +1

      For sure, that will be harder to work with! I suspect cave crawler was doing something similar with pointers, i.e. periodically changing the location of the pointers, making it difficult/impossible to trace manually.

  • @dark-dna9533 1 year ago +2

    Hello brother! When I tried the things told in this video, it worked. But when I tried it in PPSSPP with a very simple game 'Cave Story' then I did not at all. One thing I noticed was that it had 11 digits in its address when you try to find any variable's address (health, ammo etc.), while in others it's 7 or 8 digits. Help me! And because of your second method I am able to find pointers easily. And help me find pointers of emulator based games.

    • @intigriti 1 year ago

      Hmmm cheat engine may not work well with emulators but I think you should be able to do similar things with the ppsspp debugger: www.cheatengine.org/forum/viewtopic.php?p=5543519

  • @fade2gray01 2 months ago

    I found it extremely frustrating that I was not getting any useable pointer results that would return a health value, until I noticed that in CE 7.5 the 'Nr of threads scanning' is set to '6' in the video at 6:58 whereas the default value in CE 7.5 is set at 9. After changing that setting, I started getting useable pointers, but they were inconsistent across restarts, sometimes getting a health value, other times getting no health value at all.

    • @intigriti 2 months ago +1

      Interesting! Honestly I never played around with many settings in the pointerscans, there's so many options there and I feel like it would take a long time of research and experimenting to find out the best options, for whatever specific task you are doing, on whatever game. There are some useful posts around the cheat engine forum though.

  • @rageshadey 9 months ago

    I'm trying to do this with a blackjack game made a while ago. The issue I'm running into is that each time a hand is dealt the address for the card value always changes. Though I can readily find it as I know what addresses it's between (18250000 - 18260000) and that it's a double value. With 1 scan I can easily get only like 10 results but I was wondering if there was a way to secure that base or static address so I don't have to do the scans.

    • @intigriti 8 months ago +1

      Maybe some of the other videos on code injection will help for this 👀

    • @rageshadey 8 months ago

      @intigriti thanks. I'll give them a look XD

  • @deez1685 1 year ago +2

    yo bro, my pc detects CH as a virus what and I don't want any bloatware or open candy in my pc. what do I do?

    • @intigriti 1 year ago

      OK, first make sure you downloaded from the official source and then a couple of things:
      1) Read each step of the installation carefully, making sure to decline any additional software. You can check the first video in this series where I run through the installation. If you install some bloatware by mistake, you can just remove it anyway.
      2) Some of the functionality of cheat engine will look malicious to security software, especially if you are in a sensitive environment, e.g. on a school/work device. Because of this, it may flag as "malware" but is just a false positive.

  • @etyPtI 1 year ago +1

    Hi! I have a question, if I can't get less than 1402 pointers and I wanna try to put all of them to CE, how can I do it in one click instead of clicking one by one?

    • @intigriti 1 year ago +1

      Hey, you should just be able to drag to select (or ctrl + A) and then hit enter.

    • @etyPtI 1 year ago

      @intigriti Mmm I mean from the window called Pointer scan pass all the pointer paths to CE, thanks :D

  • @bakare_divine 1 year ago

    Pls could you recommend low sized pc games to practice hacking... Preferably less than 1 gb

    • @intigriti 1 year ago +1

      Check out the cheat engine forums, you'll probably find some recommendations. For < 1gb it will be an old game, or small/independent. That's good, since it will likely be easier to practice on 😊

    • @bakare_divine 1 year ago

      @intigriti alright will do

  • @LuisReyes007 1 year ago +2

    Bro, please, I need your tutorial for the game: Project Igi

    • @intigriti 1 year ago

      You can transfer the game hacking techniques from these videos to other games, that's a great part of the learning process! Just remember that some games have anti-cheat mitigations and it's very important to avoid damaging the experience of other players in multiplayer games 👍

  • @05x- 1 year ago +4

    Great video but I have to ask is it possible to use cheat engine on online games?

    • @intigriti 1 year ago +2

      It is possible and researchers have secured bounties using cheat engine in multiplayer games. *However*, just like web bug bounty, it's important to have permission before attempting such things. Luckily, game hacking programs are becoming more popular and there's lots to choose from. Another consideration is anti-cheat, which will often prevent (or hinder) a lot of the techniques covered in this series. In future, we'll explore different tools and methods but cheat engine is a great starting point for learning game hacking 🙂

    • @Bienpai 1 year ago +4

      Yep, every game has cheat engines bruh

    • @05x- 1 year ago +2

      @intigriti Thanks for the answer! I'm looking forward to future episodes!

    • @intigriti 1 year ago +1

      🙏🥰

  • @xlostlovex 1 year ago +1

    I tried but after saving pointermap always pointer scan result came up zero no matter what even if I put the offset. This game that I am trying to find the offset for is a very old game, and I'm an old man, it is very challenging for me, had spent past 6 hours going through every video I can find but it doesn't help at all.. If anyone is willing to provide help pls lmk, willing to compensate a little for ur spare time. T_T

    • @intigriti 1 year ago +1

      Hey, out of interest.. what's the game and what are you trying to accomplish?

    • @xlostlovex 1 year ago

      @intigriti helbreath, mmorpg, actually nth crazy, just the default of each attack speed. Each weapon has its own max attack speed by default. I’m swapping to another weapon and I want to use that weap max attack speed as I nv not enough stats for it.
      Currently it is very easy for me however tedious. Game uses byte, I just have to search 0 then swap weap search next 1 in a byte and repeat. Maybe a min or two thing however it is very tedious. Just wanna find this offset so I can just change to 0 each time I login lol.
      The result is basically shared. 0-16 0 is max and 16 is slowest. No matter what weapon I change the attack speed is based on this address.

  • @narimantasglinskis7562 1 month ago

    is process same with floats?

    • @intigriti 1 month ago

      Hmm each pointer is just a memory address, which we don't present as floats

  • @farhanroslan-zv8kn 1 year ago +1

    Recently I want to build a trainer on a very old game called cultures 8th wonder of the world. Currently I want to pointer scan on 5 specific character health (heroes), only 1 of them has a static pointer. The others don't have a static pointer no matter how much I scan compare. It's like this game doesn't have static pointers for most characters, just a base non static pointer that generates everything. Manually finding the pointer by find out what write or access is impossible bcoz the process will crash when trying to find 2nd level above pointer.
    I like to play games with cheats & trainers bcoz I don't want to suffer hardship for just a video game. Sadly this game of my childhood can't be fully hacked. I hope some1 generates a cheat table or trainer on it. Currently there's 1, but it just freezes health for all, including enemies, which is quite disappointing. Btw, don't download that trainer bcoz it contains viruses.

    • @intigriti 1 year ago

      Some games can be very difficult! I don't have any experience with this one but maybe you could check the cheatengine or guidedhacking forums to see if anyone else has worked on cheats for the game, and which problems they might have come across.

  • @bali007 6 months ago

    What if the health is healing after waiting?

    • @intigriti 6 months ago +2

      Try and freeze the value. If that fails, try and find out which code is responsible for the healing and patch it 😉

    • @bali007 6 months ago

      The problem is I can't find the value, because it's increasing like a second after I get hit, I also tried the full health, then die and from 125 full hp to 0 and I got 0 results from the scan @intigriti

    • @intigriti 6 months ago

      Hmmmm OK, I wonder if you could slow down the speed with cheat engine.. take some damage and then quickly pause before your health recharges? If not, remember you don't have to scan an exact value - let's say you have 100% health and take some damage and your health begins to recharge.. so long as you have time to pause the game and set "value decreased" and do "next scan", it should be enough.

    • @bali007 6 months ago

      @intigriti haha, now the real problem begins, I can't pause the game so basically it's plants vs zombies gw 2 and it's impossible to freeze the game. I know it's possible to change the health but a lil bit difficult, still thanks for ur answer, keep up the good work!

  • @Omar__007 1 year ago +1

    It looks like it's going to be more complicated for Dying Light 2 😅

    • @intigriti 1 year ago +1

      It will be more complicated for *a lot* of games 😆 That's one of the reasons we picked cave crawler; it's small/indie, single player, non-competitive, no payment/rewards system etc. Less likely to have [strong] anti-cheat protections, and less chance of annoying any game devs 😅

    • @Omar__007 1 year ago +1

      @intigriti It's really harder than I think, but I love this kind of hacking (hacking games)