Full Version: C++ Basic Game Cheating
RodgerB
In this tutorial, Basic Game Cheating, we will look at creating a basic trainer for MS 3D Pinball.

The Trainer will have the ability to:
  • Determine whether the process is open.
  • Change memory values.
  • Cheat in a game.

Applications we will be using for this tutorial:
  • Microsoft Visual Studio 2005.
  • Cheat Engine 5.x.
  • Microsoft 3D Pinball (comes with Windows XP).

Step 1: Finding the memory addresses.

When you want to cheat in a game, in most cases memory editing is the best way to go. It's clean, effective and requires no knowledge of assembly (ASM). To get the addresses, however, it is important that you have the right tools. For this tutorial, we will be using Cheat Engine.
Finding memory addresses can be very time consuming, but it gets faster as you learn.

Watch out! - Some memory addresses are dynamic: they are allocated at a different location every time the application is started, which makes them much harder to use.

a. Open MS Pinball and start a new game.
You should be able to see the score, which currently holds the integer value 0. This is the value we want to locate in memory.

b. Open Cheat Engine.
Press the glowing button in the top left hand corner of the program. A process list box will appear. Scroll down the list, find PINBALL.EXE, click on it and press OK.

c. Do an initial search.
Because we already know the exact value of the score (0), we can search for it. Press the First Scan button. At the top left of the application you will see the number of memory addresses it found. It is normal for this to be a fairly high number, since many other locations also hold 0 at this moment (boolean flags, unused variables, etc.).

d. Get back into the game and change the value of the score.
This changes the value held at the memory address, which will narrow our search a great deal. Score some points, then pause the game or lose your ball.

e. Do another search.
We now know the actual value held at the address, and I'll presume it is fairly unique, so enter it and do a Next Scan. If there are more than two addresses in the list on the left, go back to step d.

f. Trial and Error.
When we are down to two addresses that both show the same value, it is a 50/50 chance which one actually works, so why not test both? Double click on both addresses and they will be added to Cheat Engine's memory address list. Double click on the value in the Value column and change it to whatever you like.

After doing this, you will have found that one memory address holds the actual score (0xA90C62), while the other merely mirrors it (0xA94D1C).

Now that we have found the memory address we need to edit, 0xA90C62, let's create a C++ application to manipulate this value.

Step 2: Creating our C++ Application.

Here is the code we are going to use; I will explain it further down.

CODE

// Build as a multi-byte (ANSI) project so that PROCESSENTRY32::szExeFile is a
// char array that strcmp can compare against ProcessName.
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

bool ChangeMemVal(const char * ProcessName, LPVOID MemAddress, int NewVal, int size);

int main()
{
     printf("=== Pinball Trainer Example. Made by <your name here> ===\n\n");
     if(ChangeMemVal("PINBALL.EXE", (void*) 0xA90C62, 100000000, 4))
          printf("The score has been edited successfully.\n");
     else
          printf("An error occurred while attempting to edit the score.\n");
     system("PAUSE");
     return 0;
}


/* This function modifies a memory address in another process according to its arguments.
   Arguments :
             ProcessName - the exact (case-sensitive) executable name of the process we want to modify
             MemAddress  - the memory address we want to modify
             NewVal      - the value we want to write to the memory address
             size        - the number of bytes to write (4 for an int)
   Returns :
           true if the process was found and every byte was written, false otherwise.
   */


bool ChangeMemVal(const char * ProcessName, LPVOID MemAddress, int NewVal, int size)
{
     HANDLE hProcessSnap;
     HANDLE hProcess = NULL;
     PROCESSENTRY32 pe32;
     SIZE_T bytesWritten = 0;
     BOOL ok;

     // Never copy more bytes than NewVal actually occupies.
     if(size <= 0 || size > (int) sizeof(NewVal))
          return false;

     // Take a snapshot of all running processes so we can look up the PID by name.
     hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
     if(hProcessSnap == INVALID_HANDLE_VALUE)
          return false;

     pe32.dwSize = sizeof( PROCESSENTRY32 );     // must be set before the first call
     if(Process32First(hProcessSnap, &pe32))
     {
          do
          {
               if(!strcmp(pe32.szExeFile, ProcessName))
               {
                    // Request only the rights needed to write memory rather than PROCESS_ALL_ACCESS.
                    hProcess = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, pe32.th32ProcessID);
                    break;
               }
          }
          while(Process32Next(hProcessSnap, &pe32));
     }
     CloseHandle( hProcessSnap );

     if(hProcess == NULL)
          return false;     // process not found, or we were not allowed to open it

     // Write the value; the edit only counts as successful if every byte was written.
     ok = WriteProcessMemory(hProcess, MemAddress, &NewVal, (SIZE_T) size, &bytesWritten);
     CloseHandle(hProcess);
     return ok && bytesWritten == (SIZE_T) size;
}


This is a rather simple program. It displays a message and informs the user whether the edit was successful. Looking at the arguments of ChangeMemVal(): ProcessName is the name of the process we are editing; if you are unsure of the exact spelling, you can always press Ctrl+Alt+Del and check the process names in Task Manager. Remember, the comparison is case sensitive. The (void*) typecast converts the address constant into the pointer type the function expects. NewVal is the new value we want the memory address to hold, and size is the size of the value at that address, in bytes. In this case, it is 4 bytes.

Have fun using it! Keep in mind that some anti-cheat systems may hide the game's process, in which case the process will not be found and the edit will fail. As always, your comments are appreciated.
ZachR
This worked greatly! Thanks for the post. Keep it up! xD
tuxWishful
This is great! Keep up the great work you do!