MichaelCorleone
Cheat Engine Tutorial For Absolute Beginners
I’ll be sharing with you what I have learned about Cheat Engine and its possible uses in game modding. Just to list a few of the things that I have been able to edit in FIFA 13 in my less-than-a-week of on-and-off messing around with Cheat Engine:
Ball Placement
Ball Velocity
Friction
Ball Stickiness
Air Thickness (affects ball curve dramatically)
Ball spin
Number of players on field (so far in practice match)
Camera movement (complete up-down-left-right, any angle)
The list can go on a little longer, but I’ll end it by saying that if you know how to use Cheat Engine and can put your rational abilities into it, you can pretty much edit every single thing in FIFA (or any game, for that matter). If this sounds interesting then feel free to read on. The things I have just listed are just the tip of the iceberg, as you may now see.
The good news is that you don’t need to be an expert in programming to achieve what you want with Cheat Engine (though it helps, no doubt). I am no expert myself. I don’t know a single computer language and only know how to operate a PC. What I listed above is simply the result of messing with it for just 4-5 days. All you need is to be good at operating a PC. Leave the rest to me. Let’s start.
OK. So go to www.cheatengine.org and download Cheat Engine 6.2. It’s completely free with no strings attached whatsoever. DarkByte is the creator. If you want to honor his effort, do so by making a donation. Make sure you download version 6.2 of CE.
Before I ask you to open Cheat Engine, let me make some points clear. As I said earlier, I am no expert, so the terminology I will be using may range from noobish to elite. The meat of the tutorial is to make you able to use CE and not to debate over RAM or ROM, memory or address, this or that, etc. The thread is not for this purpose.
Let’s begin with an introduction to some important terms (no debate over how I define them).
Address – “0016B454” is an address. It’s a location in memory that stores a particular value.
Value – It’s the value that a particular address holds. For example, the value of the address that holds ‘the number of players’ will be 11 (in 4 byte, not in float, because the number of players doesn’t require decimals; it can only be a whole number).
Types of values are Binary (1,0 – on,off), byte, 2byte, 4byte, Float, Double, String (text), Array of Bytes.
The disadvantages of byte values are –
1. Depicting values in negative (-) is not possible
2. Decimals are not possible (i.e. 2.2 cannot be written in 4 byte).
The advantage of bytes is that you don’t need to depict simple numbers such as 11 in decimals. The value of 11 in float will be 1.541428311E-44 :P. No point in translating it into float values.
Float and Double (also called ‘double float’) values support decimals. If you want to depict the position of the ball on the field you would use float values, simply because they let you go into detail regarding where EXACTLY the ball is. Byte values cannot go into such detail. A single addition in a byte can mean that the ball moves 50-60 meters.
So if you are searching for a certain value within the memory, you can search better if you know what type the value is likely to be in. Common sense may tell you that ‘No. of players’ will never be in float values because that much detail is simply not needed, and ball position, acceleration, etc. will never be in bytes because ball position requires precision.
Almost all the values in FIFA are either in 4byte or float (like all modern games): 4byte for non-decimals, float for values that require decimal-level precision.
Now let’s begin the practical part of the tutorial.
Open Cheat Engine. This is how it should look -
There is an inbuilt tutorial within Cheat Engine which I recommend you do sometime. For now, stay with me.
Add these lines to the Product.ini file –
FULLSCREEN=0
SCREEN_WIDTH=800
SCREEN_HEIGHT=600
This will make sure your game opens in windowed mode so that you don’t have to go in and out of the game the tough way.
Now start FIFA.
Start a match and pause it there.
Now click the PC icon on the top left of CE to open the list of processes. Select FIFA 13 from the list. CE has now attached itself to the game.
Now go to the camera settings of the game and make sure the camera is set to custom instead of default. Set the height slider to 20. Now get back to Cheat Engine. We are now going to search for the address of the Cam Height. We know that the value is presently 20, and we also know that the value will be in 4byte because the slider does not have any decimal point movements. We will use this to begin searching for the camera address.
Put the value 20 in the Value text field on the CE main screen. Make sure that the value type is 4byte and the scan type is ‘Exact value’. Now press the ‘First scan’ button. Here is what you should get when you do that. A lot of results, I know. Notice the ‘Found: 38,927’ on the left side, and notice the address column accompanied by the value column. This is how the CE window looks now. If not, then you’ve done something wrong.
Now go into the game and slide the height slider down to 10. Come back to CE. Now we know that the address we are looking for has changed its value to 10. So we are now going to scan for the value 10 among the 38,000 addresses that came up after the first scan.
Now put 10 where you put 20 earlier and click Next Scan. WARNING: don’t click New Scan. The moment you click Next Scan you are left with just 25 addresses. These were the addresses that changed to 10 when you moved the slider. To narrow down further we are going to move the in-game slider again. Let’s move it to 7. Do it and come back. Now put 7 in the value field and do another ‘Next Scan’.
I am now left with just 3 addresses. Try changing each one of the address values one by one and see which affects the game. Change it to 100 to notice the effect. Go into the game, move out of settings and resume the game. Did any of the addresses have an effect? One surely will. Double-click that address to add it to the address list below. Press CTRL+S to save your discovery. Every time you change the value of this address, the height value will change. I hope you understood the basics of finding an address that holds the value you want to change. In brief -
1. First scan initial Value
2. Change the value from the game and Next scan the next value.
3. Do step 2 until you are left with a few addresses
4. Change each one of them to see which actually has an effect.
SIMPLE.
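The scan-and-narrow steps above, together with the earlier point about picking 4byte or float, can be followed on a small simulated memory image. This is an added example, not part of the original tutorial; the memory contents, the offsets 0x1A8/0x7C0/0x4B4/0x4B8 and all function names are constructed for illustration.

```python
import struct

# Constructed 4 KiB "process memory" of 4-byte cells; nothing here comes from a real game.
N_CELLS = 1024
FILL = (20, 7, 10, 100, 0)      # unrelated data: every fifth cell happens to hold 20
SETTING_OFF = 0x1A8             # hypothetical cell the simulated game really reads
MIRROR_OFF = 0x7C0              # hypothetical menu copy that always shows the same number
COINCIDENCE = {0x4B4: (20, 10, 55), 0x4B8: (20, 10, 55)}  # unrelated cells that match twice


def snapshot(height, step):
    """Build the memory image as it looks when scan number `step` is taken."""
    cells = [FILL[i % 5] for i in range(N_CELLS)]
    cells[SETTING_OFF // 4] = height
    cells[MIRROR_OFF // 4] = height
    for off, values in COINCIDENCE.items():
        cells[off // 4] = values[step]
    return bytearray(struct.pack(f"<{N_CELLS}i", *cells))


def read(mem, off, fmt="<i"):
    """Interpret the 4 bytes at `off` as `fmt` ("<i" = 4byte, "<f" = float)."""
    return struct.unpack_from(fmt, mem, off)[0]


def first_scan(mem, value, fmt="<i"):
    """First scan: every aligned offset whose 4 bytes equal `value`."""
    return {off for off in range(0, len(mem), 4) if read(mem, off, fmt) == value}


def next_scan(candidates, mem, value, fmt="<i"):
    """Next scan: keep only earlier candidates that now hold the new value."""
    return {off for off in candidates if read(mem, off, fmt) == value}


def int_bits_as_float(n):
    """The same 4 bytes that store integer n, read back as a float."""
    return struct.unpack("<f", struct.pack("<i", n))[0]


def narrow():
    """Run the 20 -> 10 -> 7 sequence; return the candidate counts and the survivors."""
    found = first_scan(snapshot(20, 0), 20)
    counts = [len(found)]
    for step, height in ((1, 10), (2, 7)):
        found = next_scan(found, snapshot(height, step), height)
        counts.append(len(found))
    return counts, found


def confirm(candidates):
    """Step 4: write 100 to each survivor in turn and see which one the game reads."""
    hits = []
    for off in sorted(candidates):
        mem = snapshot(7, 2)
        struct.pack_into("<i", mem, off, 100)
        if read(mem, SETTING_OFF) == 100:   # the simulated game only reads SETTING_OFF
            hits.append(off)
    return hits


if __name__ == "__main__":
    counts, survivors = narrow()
    print("candidates after each scan:", counts)
    print("survivors:", [hex(o) for o in sorted(survivors)])
    print("address with an in-game effect:", [hex(o) for o in confirm(survivors)])
    print("float scan for 20.0 finds:", len(first_scan(snapshot(20, 0), 20.0, "<f")))
    print("bytes of integer 11 read as float:", int_bits_as_float(11))
```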
If you are excited at your discovery of the address where FIFA stores its Cam Height value, then just wait till you close the game and restart it. Do that. Close the game as well as CE. Make sure you have saved your discovery (it is saved as a .ct Cheat Table file). Please close the game or you won’t be able to learn one of the most important skills, which I am about to teach you now.
OK, restart FIFA 13. Restart CE. Select the FIFA process in CE. Load your saved table by pressing CTRL+O. Start a match and pause the game.
What do you notice has changed in CE? Yup, the value of the address you saved has changed. This is because FIFA has now allocated that address to some other setting or factor. It’s no longer the address that holds the value for Cam Height. This is known as Dynamic Memory Allocation, aka ‘DMA’. All modern games use DMA to protect the game from being hacked so easily, or at least so easily permanently. Every time a game is restarted the addresses move up or down to change where particular values are stored. That is what happened with your ‘discovery’: it got shifted somewhere else, and the address that you had found and have now is holding the value of something else and not Cam Height. Worry not, there are ways to discover permanency even in DMA. This is where ‘pointers’ come into the picture. Pointers will help you to find a setting once and for all.
Before I begin to tell you the procedure to find pointers, this needs to be known -
There are two types of addresses: static addresses and dynamic ones. Static addresses are those addresses that do not change even when you restart the game or even the PC. They remain the same. Static addresses are shown in green in CE and dynamic addresses are always black. This means green addresses will remain the same, while the black addresses will change when the game restarts.
The address you found was a dynamic address and it can be a product of -
A static address’s value + Offset 1 + Offset 2 + Offset 3 + and so on = the address you found. Don’t worry if this does not make much sense now. It will soon.
Our job is to find the static address from which the dynamic address we found emerged. The relation between the static address and the dynamic address is known as the offset. If the static address is 237827 and the dynamic address is 273627 then offset = 273627-237827. Even the game itself needs a static address to get to its dynamically allocated address. The game does this by referring to a certain static address and then adding offsets (which too are always static, i.e. do not change when you restart the game) to it to arrive at a dynamic address valid for this session.
Now let’s get to the practical stuff. I’ll explain further as we go on. All this will make more sense than ever then.
OK. So find the Cam Height value again with the same procedure as earlier. I don’t need to tell you how to do that. If I do, then go back and do the earlier step again until you get it. OK, so I am assuming that you have again got an address that holds the value of Cam Height for this session.
Notice how the last four letters of the new address are the same as the earlier one. Only the first few letters have changed. OK, now we are going to find the pointers for the address. Before that, change the value of the new address and make sure that it is the right address by checking the effect in-game. If done, then carry on.
Now what we are going to do is find out what writes to this address. Whatever writes to this address is what changes it. If we can find that, we can go a little deeper and a little closer to the static address from which this address is calculated and allocated. WARNING: Before you carry on, go to (in CE) EDIT>SETTINGS>Debugger Options> and select ‘Use Kernelmode Debugger’ and tick ‘ability to step through kernel code’. If you don’t do this, your game will crash the very moment CE tries to read what accesses the address. Do this and carry on.
Now right-click the address you have found (hope you’ve already added it to the address list) and select ‘find out what writes this address’. A new window will open. CE is now spying on what accesses and writes to this address. All you have to do now is go into the game and change the cam height value. The moment you do it, a line should pop up in the scan window. Here is the line that comes up for me once I do that.
Click stop and double-click the line. This window should show up now. (Note: the numbers will be different for you. Don’t get confused.)
1a8 is the offset here. 17034500 is the value you’ll need to search for to find the address to which 1a8 will apply as an offset to produce the address that presently holds the value for Cam Height. Don’t close this window.
Do this: tick the ‘HEX’ box on the left side, then put the value (17034500) in the value search, and an address will come up holding the value you just put in. If more than one address comes up then it’s usually the one that is higher in the search. Usually not more than two addresses will come up. Now click the ‘add address manually’ button in the bottom right, above the address list.
A new window pops up. Tick the pointer box (5). Fill in the address that held the value. Fill in the offset (1a8 in my case) (7). Now notice how the faded-out address above in the box shows exactly the value of Cam Height. This is a sign that your combination of address and offset has managed to sum up to the required address.
CLICK OK…
The pointer is now added to your address list. Notice how there is a ‘P>’ there. It means ‘pointer points to’. What is written after the P> is the address it is presently pointing to. This pointer will always recalculate the correct address even if you restart the game. At least that is what it should do. But there is another twist here. Did you notice that when you searched for the value 17034500 (or what came up in your case), the address that came up was not green but black? This means there is a high chance that the next time you turn the game on, this address too may have changed. See -
170346a8 (address for cam value for this session) = 0d2befa4 (also a dynamic address) + 1a8 (the offset).
But the next time you turn the game on, the address ‘0d2befa4’ may be replaced by something else (remember DMA) which would not return the address of the cam value when added to the offset 1a8. It could be something like this:
Pointer = 0d2fc347 + 1a8 = whatever comes here will not be the address you wanted, because the very address to which 1a8 is being applied has shifted.
So it becomes very important to be able to find static addresses. We know that neither the static address nor the offsets to be applied to it shift position. The only thing that changes is the value that the static address holds. This is a trick that DMA applies. The value of the static address is actually not a value but yet another address. From the static address the game finds the address to which the offsets are to be applied. Otherwise there is no way for even the game itself to know where it’s storing what. So in simple words, if you can figure out the static address, all that is needed are the offsets to be applied to it. Whatever address then comes up is the true address for cam height for this session. When you close the game and restart, the pointer from the static address will itself recalculate the newly allocated address for the cam value. Hope this makes some sense. I am trying my best. This will become crystal clear once you start messing around on your own.
The best way to find static addresses is to use the pointer scanner function. The method applied above has its own uses, which will be discussed later on. But as I said, the pointer scanner is the most time-saving and efficient way to find static addresses with offsets pointing to the address you want.
Let’s begin…
Right-click the address for the cam value and select ‘pointer scan for this address’. This screen should come up.
0. This is the value for which a static address will be searched (static address + offsets = this address).
1. Make sure this is ticked. You know why.
2. Make use of the offset you found. You can leave it blank if you want to. No big deal. The pointer scanner will still come up with good results.
3. 3 is often enough in the case of FIFA 13. There are games, though, that have 11-level-deep pointers, meaning you have to go down 11 offsets to arrive at a static address. Even 2 levels are enough in FIFA 13. But just to make sure, select one more, i.e. 3 levels.
OK. Click OK, save the scan file (give it a name) and wait for the scan operation to finish. It can take some time but is worth it. This is what I get -
3. Base Address – These are the static addresses that potentially point to our Cam Height address. These are green addresses that will never change, whatever happens. They will always be there doing the same job.
4. Offsets that need to be applied to the base address to calculate the Cam Height address. Applying an offset simply means adding it (+).
1. This is a two-level pointer with a static address. It means Base Address + Offset 0 + Offset 1 = 170346a8.
2. A 3-level pointer. It means Base Address + Offset 0 + Offset 1 + Offset 2 = 170346a8. The rest are 3-level pointers too.
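How such a chain is resolved, and why it survives a restart while a saved raw address does not, shown on two simulated sessions. Each level reads the address stored at the current location and then adds the next offset, as the tutorial says when it notes that the static address holds "yet another address". This is an added example, not part of the original tutorial; the static address 0x00F3C2A0, the offset 0xA4, the module range and the second session's addresses are constructed, while 0d2befa4, 17034500, 1a8 and 170346a8 are the tutorial's values.

```python
STATIC_RANGE = range(0x00400000, 0x01000000)  # constructed: module image, same on every run
STATIC_PTR = 0x00F3C2A0                       # constructed static ("green") address
OFFSETS = [0xA4, 0x1A8]                       # 0xA4 is constructed; 0x1A8 is the tutorial's offset


class BrokenPointer(Exception):
    """Raised when a chain walks through an address that is not mapped."""


def make_session(heap_obj, cam_obj, height, extra=None):
    """Constructed memory map {address: 32-bit value} for one run of the game."""
    mem = {
        STATIC_PTR: heap_obj,              # the static cell holds this run's heap address
        heap_obj + OFFSETS[0]: cam_obj,    # a field that points at the camera block
        cam_obj + OFFSETS[1]: height,      # the camera height itself
        heap_obj + 0x10: 1,                # unrelated data
    }
    mem.update(extra or {})
    return mem


# Session 1 reproduces the tutorial's numbers: cell 0d2befa4 holds 17034500.
SESSION_1 = make_session(0x0D2BEF00, 0x17034500, 20)
# Session 2 is after a restart: the heap moved and the old address holds something else.
SESSION_2 = make_session(0x0E51C300, 0x1909A500, 20, {0x170346A8: 3})


def resolve(mem, base, offsets):
    """Follow a pointer chain: read the pointer at the current address, add the offset, repeat."""
    addr = base
    for off in offsets:
        if addr not in mem:
            raise BrokenPointer(f"{addr:08x} is not mapped in this session")
        addr = mem[addr] + off
    return addr


def pointer_scan(mem, target, max_level=3, max_offset=0x400):
    """Work backwards from target to every static base that reaches it within max_level offsets."""
    results = []

    def walk(addr, offsets, level):
        for holder, value in mem.items():
            off = addr - value
            if 0 <= off <= max_offset:       # this cell points just below addr
                chain = [off] + offsets
                if holder in STATIC_RANGE:
                    results.append((holder, chain))
                elif level < max_level:
                    walk(holder, chain, level + 1)

    walk(target, [], 1)
    return results


def reads_height(mem, base, offsets, height=20):
    """True if the chain lands on a cell that holds the camera height in this session."""
    try:
        return mem.get(resolve(mem, base, offsets)) == height
    except BrokenPointer:
        return False


if __name__ == "__main__":
    for base, chain in pointer_scan(SESSION_1, 0x170346A8):
        print(f"static base {base:08x}, offsets {[hex(o) for o in chain]}")
    print("one-level pointer on 0d2befa4 after restart:",
          reads_height(SESSION_2, 0x0D2BEFA4, [0x1A8]))
    print("two-level pointer from static base after restart:",
          reads_height(SESSION_2, STATIC_PTR, OFFSETS))
```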
CONTINUED