Now I know there are more than a few guides/tuts on using CE around the net and these forums, but I still see people having trouble in a few places, especially when working with pointers, so I've decided to make this tutorial a 2-part series, with the first (this one) dedicated to using CE.
I apologise in advance for the quality of the screenshots, as I had to resize them from 1680x1050 for them to fit on the page better.
For this series we will be targeting the Windows game Solitaire. Many of you may think it's a bad choice, but Minesweeper/Pinball have been hacked to death over the years, and I feel I would just be re-writing another 1000 people's guides.
Our aim is to write a successful hack using DLL injection (with a little GUI). Now, if you look around Solitaire you will notice that there isn't much to 'hack' per se, so I will focus on the main 2 things in there:
- Your score decreases over time when not making moves - We will remove this
- Possibly find a way to optionally freeze the game timer, maybe a sort of on/off trigger
- Cheat Engine 5.5+ (I used 5.6)
- Your brain =)
A few things first: you may have to change your options in Solitaire, as the defaults won't allow us to find some things. Check 'Timed Game', so that we can actually see the timer, and change the 'Scoring' type to anything other than 'None'.
Now Lets Get Cracking
Finding The Pointer + Offset For Score
Ok, first things first: load up Solitaire (usually found in C:\Windows\System32\sol.exe) and CE, then attach CE to sol.exe. I assume you know how to do this.
Now keep hitting F2 for a new deck in Solitaire until you get one you think should make it easy to get a few points, and when you are ready, make 1 move to get some points.
Switch over quickly to CE and do a 4-byte (exact value) search for your score. You will have to do this quickly because, as I said above, your score will gradually decrease over time. After your first search, just sit back and wait for your score to go down, then quickly search again for the next value. Keep hitting next search (don't forget to change the value) every time your score goes down until you have just 1 address in the list. If you finish up with more than 1 and they won't narrow down, don't worry, you will just have to try them all in the next part.
Now add the address you just found to the list (double click it), then right click the address and select 'Find out what writes to this address'. Back over to Solitaire, make another move to get points, and immediately you should see that 1 entry has been added to the opcodes window in CE. If you double click on that entry a window will pop up and tell you what CE thinks the most probable pointer value is. If you don't get anything like in the screenshot below, and got more than 1 address to work with, then you should try the next address in your list until you get a result here.
This is what you should see now:
Now this is where most people go wrong, so I will try and explain the steps in detail so you can follow along. First, make a note of the address of the instruction in the opcodes window; you will need this in Part 2 when we start constructing the hack in Olly. Also either make a mental note, or write down, the offset given in the info window. The offset is what is added to ESI in the screenshot (the part after the '+' in the code below):
MOV [ESI+30], EAX
You will also need to make a note of the pointer value the info window gives you.
Now feel free to close the opcodes window and the info window, or you can keep them open for reference. Back in the main CE window, tick 'hex' and do a new search for the pointer value you were given in the info window. You should get a few addresses in the list, but only one of them should show up in green, and that green one is the one we want. When CE finds a static address (meaning it won't change every time the game is run) it shows it in green.
Now click 'Add Address Manually', and in the new window that pops up, tick 'Pointer', then enter the address (not the value) that CE found (the static one) as the address of the pointer, and enter the offset the info window gave you earlier as the offset. Hit OK to add the address. If all went well, you should see the same value for both the non-static address and the new pointer you just added.
Screenshot for clarity:
Now let me try and explain this a little. The offset that the info window gave you is what gets applied to the value this address points to, not to this address itself. For example, in the screenshot above we searched for the address $0x000AB0F8, which was found at the static address $0x010007170. So to get the value, CE grabs the value at address $0x010007170, which is the address we searched for, then adds the offset to this address, resulting in $0x000AB0F8 + $0x30 = $0x000AB128, which you will find above the offset box when you added the address. Now that it has that address, it goes there, grabs the 4-byte value stored there, and shows it. Were this a multi-level pointer, CE would repeat that step (adding the offset -> reading the new address, etc.) until the end of the chain.
Now at this point we are done with CE, we have all the info we need, so make another note of the static address that holds the pointer value (the one that you added) for the next part.
Now I *did* mention the game timer at the start of this tut, but I decided it's a LOT easier to deal with that hack directly within OllyDbg, so we will approach that in the next part. You can try and find something in CE if you like, but it's not very easy.
Just to make sure you have everything for the next part, let's run through what you should have written down, so there is less chance you will get stuck on the next part.
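To make the dereference-then-add-offset step concrete, here is a small added example (my code, not part of the original tut or of CE) that resolves a CE-style pointer chain over a constructed, sparse stand-in for the game's memory. The addresses and values in the table are made up for the demo; the one-level case mirrors the [static] + 0x30 layout above, and a second chain shows how a multi-level pointer just repeats the same step.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the game's address space: a few mapped 4-byte
 * cells, sparse like a real process image. All addresses here are made up. */
typedef struct { uint32_t addr; uint32_t value; } cell_t;

static const cell_t g_mem[] = {
    { 0x01007170u, 0x000AB0F8u }, /* static address holding the pointer        */
    { 0x000AB128u, 0x00000042u }, /* 0x000AB0F8 + 0x30: where the score lives  */
    { 0x01007200u, 0x000AB100u }, /* static base of a two-level chain           */
    { 0x000AB110u, 0x000AB0F8u }, /* 0x000AB100 + 0x10: second-level pointer    */
};

/* Mimics a memory read from CE: 0 on success, -1 if the address is unmapped
 * (CE shows '??' for the value in that case). */
static int read_u32(uint32_t addr, uint32_t *out)
{
    for (size_t i = 0; i < sizeof g_mem / sizeof g_mem[0]; i++)
        if (g_mem[i].addr == addr) { *out = g_mem[i].value; return 0; }
    return -1;
}

/* Resolve a chain the way CE's 'Pointer' entry does: read the pointer at
 * `base`, add offsets[0], read again, add offsets[1], ... The last computed
 * address is the one whose 4-byte value is displayed. Returns 0 on success. */
int resolve_pointer_chain(uint32_t base, const uint32_t *offsets, size_t n,
                          uint32_t *final_addr, uint32_t *value)
{
    uint32_t addr = base;
    for (size_t i = 0; i < n; i++) {
        uint32_t p;
        if (read_u32(addr, &p) != 0) return -1; /* broken link in the chain */
        addr = p + offsets[i];
    }
    *final_addr = addr;
    return read_u32(addr, value);
}

int main(void)
{
    const uint32_t one[] = { 0x30u }, two[] = { 0x10u, 0x30u };
    uint32_t a, v;
    if (resolve_pointer_chain(0x01007170u, one, 1, &a, &v) == 0)
        printf("[0x01007170]+0x30 -> 0x%08X = %u\n", a, v);
    if (resolve_pointer_chain(0x01007200u, two, 2, &a, &v) == 0)
        printf("[[0x01007200]+0x10]+0x30 -> 0x%08X = %u\n", a, v);
    return 0;
}
```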
- Address of the instruction that changed the score
- Static Address that is the pointer to the score
- The offset we need to find the score after the pointer is dereferenced
And with that ends the first part of this 2-part series. See you in the next one, where we dive into OllyDbg and unveil all the secrets Solitaire holds =)