Results 1 to 1 of 1
  1. #1
    Inactive ArcaneAngel is on a distinguished road
    Join Date
    2010 Nov
    Usually At OEP
    Thanked 1 Time in 1 Post
    Rep Power

    [Tutorial] Part 1: Creating Hacks/Cheats With CE + Olly

    Hi all,

    Now i know there are more than a few guides/tuts on using CE around the net and these forums, but i still see people having trouble in a few places, especially when working with pointers, so i've decided to make this tutorial a 2-part series, with the first (this one) dedicated to using CE.
    I apologise in advance for the quality of the screenshots, as i had to resize them from 1680x1050 for them to fit on page better

    The Purpose
    For this series we will be targetting the windows game Solitaire, many of you may think it's a bad choice, but minesweeper/pinball have been hacked to death over the years, and i feel i would just be re-writing another 1000 people's guides.

    Our aim is to write a successfull hack, using DLL Injection (with a little GUI), now if you look around solitaire you will notice that there isnt much to 'hack' per se, so i will focus on the main 2 things in there:
    • Your score decreases over time when not making moves - We will remove this
    • Possibly find a way to optionally freeze the game timer, maybe a sort of on/off trigger

    Tools needed:
    • Cheat Engine 5.5+ (I used 5.6)
    • Your brain =)

    A few things first, you may have to change your options in solitaire, as the defaults wont allow us to fins some things. First, you may have to check 'Timed Game', so that we can actually see the timer, and change the 'Scoring' Type to anything other than 'None'.

    Now Lets Get Cracking

    Finding The Pointer + Offstet For Score
    Ok, first things first, load up Solitaire (usually found in C:\Windows\System23\sol.exe) and CE, attach CE to sol.exe, i assume youknow how to do this
    Now, keep hitting F2 for a new deck in solitaire, until you get one you think should be easy to get a few points, and when you are ready, make 1 move to get some points
    Switch over quickly to CE and do a 4-byte (exact value) search for your score, you will have to do this quickly because, as i said above, your score will gradually decrease over time, after your first search, just sit back and wait for your score to go down, then quickly search again for the next value, keep hitting next search (dont forget to change the value) every time your score goes down until you have just 1 address in the list, if you finish up with more than 1, and they wont go down, dont worry, you will just have to try them all in the next part.

    Now add this address you just found to the list (double click it), now right click the address and select 'Find out what writes to this address', back over to solitaire and make another move to get points, immediately you should see that 1 entry has been added to the opcodes window in CE. If you double click on that entry a window will pop up and tell you what CE thinks the most probable pointer value is. If you dont get anything like in the screenshot below, and got more than 1 address to work with, then you should try the next address in your list until you get a result here.

    This is what you should see now:

    Now this is where most people go wrong, so i will try and explain the steps in detail, so you can follow along, first make a note of the address of the instruction in the opcodes window, you will need this in Part 2 when we start constructing the hack in Olly, also either make a mental note, or write down the offset given in the info window. The offset is what is added to ESI in the screenshot. (the part after the '+' in the code below)

    MOV [ESI+30], EAX

    You will also need to make a note of the pointer value the info window gives you.
    Now feel free to close the opcodes window, and the info window, or you can keep it open for reference. Back to the main CE window, tick 'hex' and do a new search for the pointer value you were given in the info window, you should get a few addresses in the list, but only one of them should show up in green, that green one is the one we want. When CE finds a static address (meaning it wont change every time the game is run) it will show it in green.

    Now you need to click 'Add Address Manually', and in the new window that pops up, tick 'Pointer', then enter the address (not the value) that CE found (the static one) as the address of the pointer, and enter the offset the info window gave you earlier as the offset, and hit ok to add the address, now if all went well, you should see the same value for both the non-static address, and the new pointer you just added.

    Screenshot for clarity:

    Now let me try and explain this a little, the offset that the info window, is what gets applied to the value this address points to, not this address itself, for example, in the screenshot above, we searched for the address $0x000AB0F8, which was found at the static address $0x010007170, so to get the value, CE grabs the value at address $0x010007170, which is the address we searched for, then adds the offset to this address, resulting in $0x000AB0F8 + $0x30 = $0x000AB128, which you will find above the offset box when you added the address, so now it has that address, it goes to there and grabs the 4-byte value stored there, and shows it. Were this a multi-level pointer, CE would repeat that step (adding offsets -> reading new address etc) until the end.

    Now at this point we are done with CE, we have all the info we need, so make another note of the static address that hold the pointer value (the one that you added) for the next part.
    Now i *did* mention the game timer at the start of this tut, but i decided its a LOT easier to deal with that hack directly within OllyDbg, so we will approach that in the next part, you can try and find something in CE if you like, but its not very easy

    Just to make sure you have everything for the next part, lets run through what you should have written down, then there is less chance you will get stuck on the next part.
    • Address of the instruction that changed the score
    • Static Address that is the pointer to the score
    • The offset we need to find the score after the pointer is dereferenced

    And with that, ends the first part of this 2-Part series, see you in the next one, where we dive into OllyDbg and unveil all the secrets solitaire holds =)


Visitors found this page by searching for:

ollydbg find all static adresss

ollydbg find pointer

ollydbg game hacking tutorial

ollydbg hack tutorial

dll hack pointer multi offset

cheat engine multi pointer

ollydbg tutorial part 1

ce find only static addresses

ollydbg flash games

find pointer ollydbg

ollydbg multi level pointers

find a pointer with offset and make a dll

cheat engine multipointer

ollydbg windows ce

ollydbg multilevel pointer

how to find pointer ollydbg

solitaire ollydbg

how to create a dll hack for solitareollydbg hacking tutorialollydbg finding pointerswindows ce ollydbgCreateing hacks for games with olldbgollydbg tutorial part1cheat engine multipointer tutorollydbg game tuto


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts