Cheat Engine Code Injection


Abbie Pilz
Aug 5, 2024, 2:07:34 AM
to backdonsope
Code injection is the act of injecting code and causing it to be executed, either automatically (with the CreateRemoteThread Windows function) or by jumping to it from the target process after modifying the code.

One use of code injection is for finding dynamic addresses that tend to change each time the game is run. By placing a code injection on a routine that accesses that address, like a user interface update routine, you can find the address of that specific variable.


CE supports AOB Injection and Code Injection in AA (auto-assemble) scripts. AOB Injection and Code Injection are really the same thing, except that in the case of AOB Injection the injection point is scanned for and found in the code using a specific signature (AOB = array of bytes), while Code Injection uses hard-coded addresses. Since AOB Injection performs a scan, it often takes some time to enable a script containing an AOB Injection. In contrast, Code Injection-based scripts can always be enabled instantly because the injection address is known.


CE also supports building custom injection templates using Lua extensions. mgr.inz.Player came up with a great set of such extensions and even added user-defined templates; the instructions and the Lua extensions are available at this location: Custom 'AOB Injection' Templates. Make use of them; these will save you a lot of time and headache.


So I am trying to protect my game from memory scanners without using a server. The protection doesn't need to be 100%, but I want to try and protect against most of the cheats. I have an idea to try and change the address of the variable once every few seconds, or maybe even in the onUpdate method, but I don't know how to do that in the code without breaking the game. I know that has to be possible, since there are some add-ons in the Unity store that give you classes like ProtectedInt that are like the original data types but can't be detected by software like Cheat Engine. I can buy the add-ons, but I want to try to do it without buying them.


You might try using Windows Data Protection API exposed in .NET through System.Cryptography.ProtectedMemory, quick tutorial can be found here. Another writeup of the method includes a relevant note about copies of the unencrypted array being left in memory as a result of garbage collector defragmentation process.


General approach to protect different objects in your application would involve using binary de/serialization into an array, which you would then protect using the above method. Check out this answer to see how to do that. Once you have MemoryStream, use its method ToArray() to get the array.


I also use Cheat Engine 6.5 to make even more cheats that do not exist in my pnach files, but it is very annoying to cheat with Cheat Engine, because the memory locations are always changing and moving to other locations every time I either continue playing the game or restart the game or pcsx2.


I also auto-assemble and inject the game's code to cheat, but whenever I load a state or restart pcsx2, all changes I made with my code injection are lost! Even pointer scan, level and reference of Cheat Engine don't work with pcsx2, because this is a very complicated emulator.


This process is almost entirely based on both how emulators work, and how memory is used. I've not actually worked with memory editing with emulators, so there may be some twists and caveats I'm unaware of.


The main problem here is that static pointers, and other static values, are dependent on games and applications that run in the OS. For most games and apps, Cheat Engine is pretty simple, because it's running in the exact same OS.


After all, what makes a value static, is that it always has the same offset to the process' base memory address. Since Cheat Engine attaches to the process, it always knows where that base address is.


However, when you're talking about an emulator - that emulator basically works as its own OS, with its own processes, that runs in its own memory. Cheat Engine can easily attach to the emulator's process, but as it can't attach to the game itself, it doesn't know where that game's base memory is. Even worse, since the base memory is stored in dynamic memory, even the game's static memory will change location, from Cheat Engine's perspective.


However, since the emulator obviously needs to know where that base address is, that address works no differently than any other value you use Cheat Engine for. In other words, pcsx2 should have a static pointer, that points to that address. Once you have that pointer to that base address, you're halfway there.


The next half is using "what accesses this address" and "what writes to this address", along with the disassembler to trace the value you want to track, back to a static pointer within the game. Unfortunately this will require a fair bit of trial and error, because the only way you'll know if that pointer is static, is if its offset to the game's base address never changes. The only way you'll be able to check that is by closing and reopening the emulator a few times. Thankfully, by this point - you'll at least have the pointer to that base address.


In the Disassembler, there is "Tools - Dissect Code" (Ctrl-J), which analyzes the source code of the game. After running that, the normal disassembler displays more information, for example which addresses are calling a function. Double-clicking on one of these addresses lets the Disassembler jump to this location.


If your address list contains an address resulting from some pointers, you cannot directly copy the address itself. Right-click on this address and invoke "Pointer Scan for this address". In the pointer scanner window you can easily copy the address and close the pointer scanner.


As you most likely know, pressing Ctrl-H on a table entry lets you set hotkeys. The default is to check/uncheck the freeze box. But you can also set the hotkey to increase/decrease the value by a specific amount. So "get 1000$ ingame" does not require any scripting.


Sometimes you have a table entry "full health" and an entry "current health". Of course you want to copy full to current. Instead of writing a script, you can freeze current health and set the value(!) of current health to (full health). Now the content of "full health" is copied to current health. Got this hint from DarkByte/Eric himself on the forums which shall not be named, in a thread which has been deleted there.


Well, I discovered that when you try to break and trace vcruntime140, like with Unreal games, you have to leave the "skip system modules" box unchecked or it won't work! Also leave "stay inside initial module" unchecked as well to capture everything, or you will only get a few instructions captured! (Info by JoseFaction)


Another thing that's handy but many people don't know: if you use "find out what addresses this code accesses" on a 'ret' instruction, it'll return the addresses of the functions that called the function you're in. (Info by Eric/DarkByte)


After copying an address with a code injection and saving the wanted address as "playerbase", do not use [playerbase] in the address entries which use it. Instead, make a pointer entry with the address playerbase and the offset 0. The effective addresses in the table are still the same, but are updated much faster; with the "wrong" way, it will take 4-5 seconds for values to get updated. (Thanks to Eric/DarkByte for pointing that out)




Whenever you try to refer a PID from the Task Manager back to Cheat Engine, right-click on the process list and convert the PID to decimal. Somehow I've been missing this for years and have been using the calculator to convert the PID from dec to hex back in CE.


If CE sort of pseudo-crashes on you, where you cannot save your work but can still move around in Cheat Engine, with errors like out of memory, exception error, etc.: most of the time this happens with Unity/Mono games while the Mono features are on. You can copy-paste your script/address to another Cheat Engine instance and save it without any error.


If some script didn't work for a user but you're 100% sure you have the same game version as the cheat maker, try a different Cheat Engine version. Go up a version or down. I have had at least 5 people who struggled to make a cheat work, while 3 users literally took hours looking for the root cause to no avail. Changing to a different version solved their problem. I have 7.1, 7.2, 7.3, 7.4 on my PC just for testing purposes.


This should be basic, but for beginners: if you're not sure why your script crashes, pause the game with the Cheat Engine pause hotkey, put a breakpoint around the injection point, and resume the game. Step into your script until you find the exact code before it crashes.

Creating cheats as a hobby; not obligated to take requests or update.

My .ct will always be free to be shared without removing the credit or where it originally came from.

Anyone can update it in case I'm not doing this anymore.


Did you know there is no globalDealloc? Each time you do a globalalloc and the name doesn't exist yet, it gets added to a memory block allocated in the target.

So, do not use unregisterSymbol on these unless the process has changed.


globalalloc allocates the memory in a completely different part of the target program, and a label is just an address in the current block of memory.

Also, every script that uses globalalloc with the same name gets the same address. So if script A uses globalalloc(name,xxx) and script B uses globalalloc(name,yyy), then both will see name as the same address.


Since not everyone knows:

Code executing in $luacode runs in a different thread than the main (GUI) thread. That means it cannot access GUI controls, like the address list and memory records, unless you synchronize() the code first so it runs on the main thread.


I just never really learned how Cheat Engine worked at all and just suffered through my failures to learn lol.

I did start by watching some very helpful tutorial videos from Sn34kyMofo Stephen Chapman on YouTube, but he didn't have any Mono hacking guides at that time so RIP.

Overall, the best guide is to read code and techniques from smart people who actually know what they're doing. I'm honestly still a novice compared to everyone else.

Oh, and also, the Cheat Engine Wiki is a super nice resource for learning.
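The "ProtectedInt" idea raised in the question about protecting Unity values, as an added example that is not part of the original post and not the code of any Unity Asset Store product: a struct (the name ProtectedInt and everything in it are this example's own) that never stores the plain integer, only the value XOR-masked with a random key that is replaced on every write, plus a checksum so that a direct write to the masked field is noticed on the next read. It assumes a .NET Framework 4.x or .NET Standard 2.0 target, where RandomNumberGenerator.Create() is available.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical ProtectedInt (added example, not a Unity Asset Store product).
// Only (value XOR key) and a checksum are kept in memory, and a fresh random
// key is drawn on every write, so the stored bytes change even when the
// logical value does not. That breaks scans for the literal value and for
// "increased/decreased" patterns. It does not stop a debugger that follows
// the getter, and the decoded value still exists briefly in registers and on
// the stack while it is being used (see the garbage-collector note above about
// copies lingering in managed memory; a struct is copied by value).
public struct ProtectedInt
{
    // Shared CSPRNG; RandomNumberGenerator.Create() exists on .NET Framework 4.x
    // and .NET Standard 2.0, which Unity targets.
    private static readonly RandomNumberGenerator Rng = RandomNumberGenerator.Create();

    private int _masked; // value ^ _key
    private int _key;    // random mask, replaced on every write
    private int _check;  // checksum of the plaintext, detects out-of-band edits

    public ProtectedInt(int value)
    {
        _masked = 0;
        _key = 0;
        _check = 0;
        Value = value;
    }

    private static int NextKey()
    {
        var buf = new byte[4];
        Rng.GetBytes(buf);
        return BitConverter.ToInt32(buf, 0);
    }

    private static int Checksum(int value)
    {
        // Cheap mix: the goal is to notice a write to _masked or _key that
        // bypassed the setter, not to be cryptographically strong.
        return unchecked(value * 31 + 0x5bd1e995);
    }

    public int Value
    {
        get
        {
            int plain = _masked ^ _key;
            if (Checksum(plain) != _check)
            {
                // _masked or _key was changed without going through the setter.
                throw new InvalidOperationException("ProtectedInt integrity check failed");
            }
            return plain;
        }
        set
        {
            _key = NextKey();
            _masked = value ^ _key;
            _check = Checksum(value);
        }
    }

    public static implicit operator int(ProtectedInt p) => p.Value;
}

public static class ProtectedIntDemo
{
    public static void Main()
    {
        var health = new ProtectedInt(100);
        Console.WriteLine("health = " + health.Value);

        // Same logical value, but the masked bytes now look completely different.
        health.Value = 100;

        // Normal game logic keeps working through the property.
        health.Value -= 10;
        Console.WriteLine("after damage = " + health.Value);
    }
}
```

The setter re-keys on every write, which is what makes "changed value" scans across frames useless: the masked field changes randomly whether or not the logical value moved. The checksum only raises an exception on the next read, so game code should decide what to do when it fires (log it, reset the value, end the session); throwing is the simplest way to make the tamper visible in a demo. This raises the cost of value-based memory scanning; it is not a substitute for server-side authority where cheating actually matters.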
