Game trainers are programs made to modify the memory of a computer game, thereby modifying its behavior using addresses and values, in order to allow cheating. A trainer can 'freeze' a memory address, preventing the game from lowering or changing the information stored there (e.g. a health meter or ammo counter), or manipulate the data at the specified memory addresses to suit the needs of the person cheating at the game.
History
In the 1980s and 1990s, trainers were generally integrated straight into the actual game by cracking groups. When the game was first started, the trainer loaded first, asking the player if they wished to cheat and which cheats they would like enabled. Then the code would proceed to the actual game. These embedded trainers came with intros about the groups releasing the game, and the trainer was often used to showcase the cracking group's demo coding skills;[1] some of these groups focus entirely on the demoscene today.[2] In the cracker group release lists and intros, trained games were marked with one or more plus signs after them, one for each option or cheat in the trainer, for example: 'the Mega Krew presents: Ms. Astro Chicken++'. Modern trainers append their titles with a single + or write 'plus' and a number, as many have several functions. The number represents the number of modifications the trainer has available, e.g. 'infinite health' or 'one hit kills'. Another difference is the inclusion of the game version or the digital download source of the game. For example: 'Hitman: Absolution Steam +11 Trainer',[3] 'F.E.A.R 3 v 1.3 PLUS 9 Trainer' etc.[4][5]
Modern trainers also come as separately downloaded programs. Instead of modifying the game's programming directly, they modify values stored in memory. In fact, this has become so common that trainers today, by definition, only modify memory; modification to the game's executable is frowned upon and such programs are not considered true trainers but patches instead.
With object-oriented programming, memory objects are often stored dynamically on the heap, and modern operating systems use address space layout randomization (ASLR). Therefore, the only way to modify such memory in a reproducible manner is to get information from inside the game process. This requires reverse engineering methods such as API hooking of malloc() and free(), code injection, or searching for static access pointers. The trainer becomes active when the object has been allocated and deactivates itself again when the object is freed.
Modern operating systems also ship position-independent executables (PIE) for security. Together with ASLR, this means the binary is loaded at a different virtual memory address on each execution, which makes reliable modification of static memory values more complex. The load address has to be determined and subtracted from a found memory address to obtain a static memory offset; this offset is often exactly the address of the static variable within the PIE binary. The Linux tool scanmem supports PIE this way.[6] For a configured memory offset, the game trainer determines the load address as well and adds it back at run time. The same method can be used for dynamic libraries.
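The offset arithmetic described above, as an added example that is not code from the article, from scanmem or from any trainer: it parses a /proc/<pid>/maps listing, derives the binary's load address, turns a found address into a load-address-independent offset, and re-applies that offset after a restart at a different base. The two maps listings, the path /opt/game/game and all addresses are constructed sample data. The check in `is_static` is the caveat a practitioner wants: an address that lies on the heap or stack is not stable across runs and must not be converted this way.

```python
"""Static offset vs. load address under PIE/ASLR (constructed data, not a real process)."""
import re

# Constructed /proc/<pid>/maps excerpts for two runs of the same PIE binary.
MAPS_RUN1 = """\
5641b3c00000-5641b3c01000 r--p 00000000 08:01 1234 /opt/game/game
5641b3c01000-5641b3c3f000 r-xp 00001000 08:01 1234 /opt/game/game
5641b3c3f000-5641b3c42000 rw-p 0003f000 08:01 1234 /opt/game/game
7f1a2c000000-7f1a2c021000 rw-p 00000000 00:00 0 [heap]
"""
MAPS_RUN2 = """\
55d0a1e00000-55d0a1e01000 r--p 00000000 08:01 1234 /opt/game/game
55d0a1e01000-55d0a1e3f000 r-xp 00001000 08:01 1234 /opt/game/game
55d0a1e3f000-55d0a1e42000 rw-p 0003f000 08:01 1234 /opt/game/game
7f9b40000000-7f9b40021000 rw-p 00000000 00:00 0 [heap]
"""

_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+\S+\s+\d+\s*(?P<path>.*)$"
)


def parse_maps(text):
    """Parse maps lines into dicts with integer start/end/offset and the backing path."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m:
            regions.append({
                "start": int(m["start"], 16),
                "end": int(m["end"], 16),
                "perms": m["perms"],
                "offset": int(m["offset"], 16),
                "path": m["path"].strip(),
            })
    return regions


def load_address(regions, path):
    """Base the file is mapped at: each mapping's start minus its file offset (all agree)."""
    bases = [r["start"] - r["offset"] for r in regions if r["path"] == path]
    if not bases:
        raise ValueError("%s is not mapped" % path)
    return min(bases)


def is_static(addr, regions, path):
    """True only if addr lies inside a mapping backed by the binary itself."""
    return any(r["path"] == path and r["start"] <= addr < r["end"] for r in regions)


def static_offset(found_addr, regions, path):
    """Convert a found address into the offset of the variable inside the PIE binary."""
    if not is_static(found_addr, regions, path):
        raise ValueError("0x%x is outside %s (heap/stack), not a static variable" % (found_addr, path))
    return found_addr - load_address(regions, path)


def runtime_address(offset, regions, path):
    """Re-apply a stored offset to the load address of the current run."""
    return load_address(regions, path) + offset


if __name__ == "__main__":
    r1, r2 = parse_maps(MAPS_RUN1), parse_maps(MAPS_RUN2)
    off = static_offset(0x5641B3C40010, r1, "/opt/game/game")
    print("offset 0x%x -> run 2 address 0x%x" % (off, runtime_address(off, r2, "/opt/game/game")))
```

The offset survives because every file-backed mapping of the binary reports the same `start - offset` base; a heap address such as 0x7f1a2c000100 fails `is_static` and is rejected instead of producing a meaningless offset.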
Static access pointers vs. API hooking
Searching for and following access pointers back to pointers in static memory can be cumbersome. It doesn't provide the size of the object, and if there are multiple objects of the same class, these often can't be handled correctly, as there can be e.g. vectors or lists in between on the heap. The advantage is that, when it works, this method can be used to attach to an already running process. The DMA (Dynamic Memory Allocation) support in Cheat Engine is an example of this.
API hooking works completely differently: a preloader loads a library into the game process while starting it. The library spies on dynamic memory allocations, and discovery starts with recording them all. With a static memory search in parallel, it is possible to match the found value address to a unique memory allocation. The idea is to close the game process directly after the value is found, while the object still exists; the last matching memory allocation is then the correct one, so matching in reverse is the method of choice. The object size as well as the value offset inside it are discovered, and the jump-back code address in the game binary can be determined by backtracing. Often a constructor is found, and with that it is possible to keep track of all memory objects it allocates. The library in the game process and the game trainer need to communicate with each other through inter-process communication (IPC). The disadvantage is that this can be detected as malware. The advantages are that more values within objects can be found by dumping and comparing them, and that adaptation to other game and compiler versions becomes simple, as all it takes is to look for a library function call with a known parameter (the object size) in the disassembly. The free and open-source (FOSS) universal game trainer 'ugtrain' demonstrates this method legally, using FOSS games as examples.[7]
Automated tools used in trainer making
In the past, trainers were often coded in assembly language or in any of the high-level languages available at the time. Today, trainers can also be made with automated trainer-making tools that only require basic information about the cheats, such as addresses and injection code; the program then compiles the trainer using pre-defined values and settings, requiring no programming skill from the end user. The most popular trainer-making tool used today is Cheat Engine, which supports a wide variety of injection types and pointers; other tools that were used in the past but are no longer as applicable are Trainer Maker Kit, Game Trainer Studio and Trainer Creation Kit.[8] Some of the advanced techniques that Cheat Engine trainers support include code injection, code shifting and the flexibility provided by its Lua scripting,[9][10] which has phased out other trainer-making tools that lacked support for some of these features.
References
- [1] 'Defacto2 Group Information Page for Fairlight'. Contains information about their old demos, releases and stats. Archived from the original on 6 October 2011. Retrieved 14 February 2014.
- [2] 'Razor1911 group demos'. Razor1911 demoscene division, which coded impressive demos back in the early days of embedded trainers. Retrieved 14 February 2014.
- [3] 'Hitman Trainer'. Naming of trainers by modern trainer groups. 21 November 2012. Retrieved 14 February 2014.
- [4] 'GCW list of trainers'. Retrieved 14 February 2014.
- [5] 'Listing by the famous scene trainer making group DVT'. Retrieved 5 June 2015.
- [6] 'Scanmem: introduce region type and load address support'. Retrieved 5 June 2015.
- [7] 'universal game trainer 'ugtrain''. Retrieved 25 December 2015.
- [8] 'Trainer Making Tools'. Retrieved 14 February 2014.
- [9] 'FearlessRevolution'. Community dedicated to Cheat Engine trainers and tables. 25 March 2020. Retrieved 25 March 2020.
- [10] 'Lua'. Cheat Engine Lua Wiki explaining some of the scripting functions available in CE. 11 June 2013. Retrieved 14 February 2014.
TL;DR
We will find the player's coordinates and also find the camera's position. This should help us to create a proper fly hack!
Introduction
I want to be able to fly around in Pwn Adventure 3, especially because my first attempt at flying was not so great. I was only able to jump high and float down slowly, or I could somewhat freeze myself in mid-air, but it was very glitchy because of gravity. Hence it wasn't the great experience you would imagine flying to be. So let's try this again on Windows.
Finding height
To fly around we need to find where the position of the player is stored in memory. To do that we need to use the incremental scanning option provided by Cheat Engine to find the address. But we don't know exactly what we are looking for.
- We don't know how the x, y & z coordinates are stored.
- Also, we don't know much about the orientation of the coordinate system to see if walking in a specific direction will increase or decrease the coordinate values.
It's absolutely fine to do some trial and error with assumptions, but then I was watching a guided hacking video, and they were scanning for the height position - and that makes perfect sense because it's very likely that when you are higher or lower, the value would increase or decrease.
So let's start our value scan with a first scan set to an unknown initial value, and we find about 168 million. Now we want to increase the height coordinate value, so we switch back into the game and walk up to a higher elevation and rescan. Now we have ~800k left. For good measure, we can scan for an unchanged value, and we have moved down to about ~400k possible addresses.
Hopefully, we can bring the number of possible addresses further down with the process we have already been doing a few times. Eventually, we reach a point where we have a lot of similar values that seem to be connected to the position.
To filter out the last few dozen or hundred addresses, we can try freezing the addresses' values. This is an indicator of whether we have the correct value: freezing all the suspected values will not let us jump properly, and that's exactly what we are looking for. You can freeze the values with the checkbox in the table or by pressing [space].
We can select only half of them, so that we can do a binary search for the value that froze our position. When we freeze a value, Cheat Engine continuously writes the original value back, which should effectively freeze the player's height. Based on the result for the first half, we continue making binary search decisions.
In my case, the first half did not work, so I selected the other half of the remaining addresses, and when I tried to jump, I was immediately pulled back to my current position, which means that one of these addresses controls the character's position. So I deleted the addresses that I didn't select and repeated this process. Eventually we get it down to just a few addresses in the list and find the real value.
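The narrowing workflow from the scans above (unknown initial value, then increased, then unchanged) followed by the freeze-half binary search, as an added simulation that is not code from the post or from Cheat Engine. Instead of a live process it uses three constructed memory snapshots (a dict of address to float), with the real height planted at a known address and decoy values that drift, jump once, or stay constant; the "freeze" oracle answers whether the true address was among the frozen set, which is exactly what the failed jump told the author. All addresses, values and the seed are made up.

```python
"""Value-scan narrowing and freeze-based binary search over constructed snapshots."""
import random

TRUE_ADDR = 0x2000_0ABC          # constructed: where the simulated height lives


def build_snapshots(seed=1234, n=1024, base=0x2000_0000, true_addr=TRUE_ADDR):
    """Three snapshots: s0 at first scan, s1 after walking uphill, s2 after standing still."""
    rng = random.Random(seed)
    s0, s1, s2 = {}, {}, {}
    for i in range(n):
        a = base + 4 * i
        v = rng.uniform(-1000.0, 1000.0)
        kind = rng.random()
        s0[a] = v
        if kind < 0.3:                      # timers/counters: keep rising in both rescans
            s1[a] = v + rng.uniform(1.0, 50.0)
            s2[a] = s1[a] + rng.uniform(1.0, 50.0)
        elif kind < 0.6:                    # decoys: rise once, then hold (survive both filters)
            s1[a] = v + rng.uniform(1.0, 50.0)
            s2[a] = s1[a]
        else:                               # static data: never changes
            s1[a] = v
            s2[a] = v
    # the real height: rises when we walk up, unchanged while we stand still
    s0[true_addr], s1[true_addr], s2[true_addr] = 120.0, 185.5, 185.5
    return s0, s1, s2


def scan_unknown_initial(snapshot):
    """First scan with 'unknown initial value': every address is a candidate."""
    return set(snapshot)


def scan_increased(cands, prev, cur):
    return {a for a in cands if cur[a] > prev[a]}


def scan_unchanged(cands, prev, cur):
    return {a for a in cands if cur[a] == prev[a]}


def narrow_candidates(s0, s1, s2):
    cands = scan_unknown_initial(s0)
    cands = scan_increased(cands, s0, s1)   # walked uphill: height must have increased
    cands = scan_unchanged(cands, s1, s2)   # stood still: height must be unchanged
    return sorted(cands)


def make_freeze_oracle(true_addr):
    """Simulates 'freeze these addresses and try to jump': blocked iff the real one is frozen."""
    def jump_blocked(frozen):
        return true_addr in frozen
    return jump_blocked


def binary_search_freeze(candidates, jump_blocked):
    """Freeze half, keep the half whose freeze blocked the jump; returns (address, queries)."""
    cands = list(candidates)
    queries = 0
    while len(cands) > 1:
        half = cands[:len(cands) // 2]
        queries += 1
        cands = half if jump_blocked(half) else cands[len(cands) // 2:]
    return (cands[0] if cands else None), queries


if __name__ == "__main__":
    s0, s1, s2 = build_snapshots()
    survivors = narrow_candidates(s0, s1, s2)
    found, queries = binary_search_freeze(survivors, make_freeze_oracle(TRUE_ADDR))
    print("%d candidates after scans, found 0x%x in %d freeze tests" % (len(survivors), found, queries))
```

The decoys that rise once and then hold are the reason a few hundred addresses survive the scans in the post; the freeze test is the only filter that distinguishes them, and the halving keeps the number of jump attempts logarithmic in the survivor count.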
So to quickly test this, let's see what happens when we modify the value by setting it to 2000.

And we teleport! A little bit into the air, and then fall back down.
Find other Coordinates
Now that we have a way to modify the position of the character along the up/down axis, it's time for us to find the other coordinates. But how?
Well, typically a coordinate or position is stored in a simple struct or array like (x, y, z), which means the other values should be right next to each other. So to find the adjacent values, let's open the memory view and observe. When we look around in the game, we see multiple values being updated, so those seem to relate to the camera view direction. When we don't move the camera but simply walk around, we see three groups of three values being updated. They could be X, Y and Z.
The height value that we could modify is right next to the other coordinates! Now let's add these addresses to the list and try modifying them. Let's set X to 0.

We teleported to somewhere under the map! We are actually below the Blocky's Revenge challenge room.
While playing around with the teleportation, the game crashed, which means all the values we had before are useless now. We have to do it all over again. As you can see, it can be tedious from time to time.
Pointer Scan
After finding the values again, it's time to do some pointer scans so that we don't lose the correct values. For finding the pointer, I want to do something special for the base address: we set the From and To range as shown below.

Cheat Engine supports strings as the address of a module. In the last video we already found pointers based on this module, so I assume this could be a reliable start for pointers. After the scan, we find about 99 different pointers from the base address. Our original offset from the last video for the selected skill was at 0x0097e48, so let's see if we find that in the list.
So let's add a few of those to the address list, and then we kill the game, restart it, log in, select a character and attach Cheat Engine to the new Pwn Adventure process. Now if we look at the list, it points to the actual values. This looks good.
If we check the pointer scan results from earlier, we see that some of them point to the correct values, but many don't. Now that we have the right value, we can rescan the pointer list for only valid chains.
After the scan we have about 18 left, and all of these should work. As you can see, they are just variations of one another. This gives us confidence that the pointer path we found is reliable.
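What a pointer chain is and why a rescan after a restart prunes the list, as an added example that is not code from the post or from Cheat Engine. Chains have the shape module+base -> [ptr]+off1 -> [ptr]+off2, and they are resolved against two constructed memory snapshots standing for two game runs with different module and heap addresses; only chains that reach the height value in both runs survive. The 0x97e48 base offset is the one named in the post; every other address, offset and value is made up.

```python
"""Pointer-chain resolution and cross-restart validation over constructed memory."""

# A chain is (base_offset_from_module, [offset_after_each_dereference...]).
CANDIDATES = [
    (0x97E48, [0x10, 0x2C]),   # the real path to the height
    (0x97E48, [0x10, 0x30]),   # decoy: a stale copy of the height that only exists in run 1
    (0xA0000, [0x8]),          # decoy: a static pointer that happened to be valid in run 1
]


def resolve(mem, module_base, chain):
    """Follow the chain through mem (dict: address -> stored word); None if a hop is unmapped."""
    base_off, offsets = chain
    addr = module_base + base_off
    for off in offsets:
        if addr not in mem:
            return None
        addr = mem[addr] + off
    return addr


def build_run(module_base, obj, sub, height, with_decoys):
    """Constructed process memory: module data holds a pointer to a heap object, which points to a sub-object."""
    mem = {
        module_base + 0x97E48: obj,    # static pointer in the module's data section
        obj + 0x10: sub,               # object -> sub-object holding the coordinates
        sub + 0x2C: height,            # the z coordinate
    }
    if with_decoys:
        mem[sub + 0x30] = height                  # leftover copy of the value
        mem[module_base + 0xA0000] = sub + 0x24   # static pointer that lands on the value by chance
    return mem


# (module_base, memory, value the height address must hold) for two restarts.
RUNS = [
    (0x00400000, build_run(0x00400000, 0x01A00000, 0x01B00010, 185.5, True), 185.5),
    (0x00F40000, build_run(0x00F40000, 0x02C40000, 0x02D80040, 42.0, False), 42.0),
]


def chain_hits(mem, module_base, chain, expected):
    """True if the chain resolves and the final address holds the expected value."""
    addr = resolve(mem, module_base, chain)
    return addr is not None and mem.get(addr) == expected


def validate_chains(chains, runs):
    """Keep only chains that hit the value in every run: the 'rescan for valid chains' step."""
    return [c for c in chains if all(chain_hits(mem, base, c, exp) for base, mem, exp in runs)]


def first_run_hits(chains, runs):
    """Chains that looked right after the first scan alone (before any restart)."""
    base, mem, exp = runs[0]
    return [c for c in chains if chain_hits(mem, base, c, exp)]


if __name__ == "__main__":
    print("after first scan:", first_run_hits(CANDIDATES, RUNS))
    print("after restart + rescan:", validate_chains(CANDIDATES, RUNS))
```

All three candidates pass in the first run, which mirrors the 99 results of the initial scan; the restart changes both the module base and the heap layout, and only the chain that goes through the live object structure still lands on the height.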
The Interesting Address
When I was doing all of this, to look for the player's position, I found another address that has an interesting behavior. It doesn't teleport the player but instead teleports the camera.
If we change the value of this address, we teleport but stay in mid-air. Gravity doesn't seem to apply to this change, because it's the player's camera, not the player. However, as soon as we move the camera it gets updated and we are back down.
Looking around the vicinity of the address, we can find the other coordinates as we did before and we can see it update when we move around. Also, we can find some other values that seem to be connected to the view direction, and when changing them, we also seem to control the camera tilt.
When I saw that, I had an idea. I always wanted to fly around properly, but the in-game gravity was always a problem. It looks like we can fly freely without being affected by gravity if we use the camera instead of the player.
We need to find a way to stop the camera view from being updated once the real character is moved. To do that, we can first check what updates this variable, i.e. what writes to this memory location. We can use the Cheat Engine feature 'Find out what writes to this address' (F6), then go into the game, move the camera, and see the instruction in the assembly that writes to that address. We can override this assembly instruction with nops (No Operation); after that it simply does nothing.
Now if we go into the game and move the mouse, nothing happens.
We can also freeze the position of the camera by doing the same thing. We find out which instructions write to the variable and replace the instruction with nops. Now we can't move at all, but we can update the values from Cheat Engine, and it updates in the game. This means we should be able to create a 'game hack' that allows us to fly around the map as we like. However, that's for the next blog post, stay tuned!