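Cheat Engine Tutorial Walkthrough: Clearing the Levels (Part 1)

If you like modifying games, or want to write your own dedicated game trainer, give this tool a try. It will not disappoint you.

I started out with Kingsoft Youxia (金山游侠) and it is still the tool I am most used to, but Cheat Engine has quite a few distinctive advanced features. Being advanced, it is not something you can pick up and use immediately the way you can with Kingsoft Youxia, so Cheat Engine thoughtfully ships a Tutorial. You work through it like the levels of a game, modifying the values each step specifies, and by the time you finish the last level you know enough about modifying games with Cheat Engine to try it "for real". The author's expectation is that reaching level 5 is enough to handle ordinary games, but we are programmers and hold ourselves to a higher standard, :), so let's clear all of it.

Here I record the whole process of clearing the levels, as a somewhat unusual "strategy guide". There is also something to learn from it technically, mainly about processes and memory.

There are 8 levels in total, covered in two posts. The earlier levels are fairly simple; the later ones use some assembly and are covered in the next post. If there is interest, I can also write about how to build an actual trainer for a single-player game (heh, also based on what others have written).

Before starting, a little background:

Cheat Engine is an open-source game modification tool. We usually modify games to make them easier, but the author's introduction also suggests making them harder, which is certainly taking the road less travelled. The official website is http://www.cheatengine.org/. Cheat Engine is written in Delphi, so those familiar with Delphi may want to study the code. Besides modifying games (its main function), it can also debug games and even ordinary programs.

Besides what Kingsoft Youxia offers (fast memory scanning to find the variables a game uses and change their values), it also includes a debugger, disassembler, assembler, speedhack, trainer maker, direct 3D manipulation tools, system inspection tools and more (I don't know exactly what the last few do; anyone who has used them is welcome to explain).

Finally, the author's e-mail address is dark_byte@hotmail.com. If you have any questions about Cheat Engine or want to contribute to the open-source code, you can contact the author directly.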

 

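Installation and startup

After downloading the installer from the official website, you can install it. I am using version 5.5, which is also the latest version I can see at the moment. On first installation the Tutorial pops up automatically. If you have already used Cheat Engine, you can find it in the installation directory. Since I had already cleared it, I went to the installation directory, found Tutorial.exe and ran it directly. My installation directory is “D:\Program Files\Cheat Engine\”.

When the Tutorial opens you see a very "plain" dialog. Cheat Engine is a very "plain" program, so anyone hoping for a pretty interface will be disappointed.

Let's look at what the dialog contains.

From top to bottom there is a read-only EditBox, a Next button, and a Password box.

The read-only EditBox holds the instructions for what you need to do; as I go through each level I will comment on those instructions. Next is the "entrance" to the following level: if you have not met the goal of the current level, the button is greyed out. The Password box is a "shortcut" to a particular level; we get each password after clearing the corresponding level, and this walkthrough does not use it.

Instructions: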

Welcome to the Cheat Engine Tutorial. (v3.1)

This tutorial will try to explain the basics of cheating on games, and getting you more familiar with Cheat Engine.

First open Cheat Engine if it hasn't been opened yet.

Then click on the 'open process' icon. (top left icon, with the computer on it)

When the process window is open find this tutorial. The process name is probably 'tutorial.exe' unless you renamed it.

Select it, and click ok. Just ignore all the other buttons right now, but experiment with them later if you feel like it.

When everything went right, the process window should be gone now and at the top of CE the processname is shown.

Now, click NEXT to continue to the next step. (Or fill in the password to proceed to that particular step you want)

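I am not going to write this as a step-by-step guide. Instead I pick out the key points, mostly as screenshots, so that it is clear at a glance. The first few levels are very simple anyway.

First open Cheat Engine. Its main window looks like this (quite plain, I was not kidding).

Open the corresponding process.

Once everything is ready, press Next to enter level 1.

Level 1: Exact value scanning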

Step 2: Exact Value scanning (PW=090453)

Now that you have opened the tutorial with Cheat Engine lets get on with the next step.

You see at the bottom of this window the text Health: xxx

Each time you click 'Hit me' , your health gets decreased.

To get to the next step you have to find this value and change it to 1000

To find the value there are different ways, but I'll tell you about the easiest, 'Exact Value':

First make sure value type is set to at least 2 bytes or 4 bytes, 1 byte will also work, but you'll run into a (easy to fix) problem when you've found the address and want to change it. The 8-byte may perhaps works if the bytes after the address are 0, but I wouldn't take the bet.

Single, double, and the other scans just don't work, because they store the value in a different way.

When the value type is set correctly, make sure the scantype is set to 'Exact Value'

Then fill in the number your health is in the value box. And click 'First Scan'

After a while (if you have a extremly slow pc) the scan is done and the results are shown in the list on the left

If you find more than 1 address and you dont know for sure wich address it is, click 'Hit me', fill in the new health value into the value box, and click 'Next Scan' repeat this until you're sure you've found it. (that includes that there's only 1 address in the list.....)

Now double click the address in the list on the left. This makes the address pop-up in the list at the bottom, showing you the current value.

Double click the value, (or select it and press enter), and change the value to 1000.

If everything went ok the next button should become enabled, and you're ready for the next step.

 

Note:

If you did anything wrong while scanning, click "New Scan" and repeat the scanning again.

Also, try playing around with the value and click 'hit me'

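Level 1 actually starts at Step 2, so there are 8 levels in total, but the steps run up to Step 9.

There is not much to say about level 1; it is very simple, so just look at the screenshots.

First scan for 100, then continue scanning for the value after it has changed.

Then set the value. Once that is done, move on to the next level.

Level 2: Unknown initial value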

Step 3: Unknown initial value (PW=419482)

Ok, seeing that you've figured out how to find a value using exact value let's move on to the next step.

In the previous test we knew the initial value so we could do a exact value, but now we have a status bar where we don't know the starting value.

We only know that the value is between 0 and 500. And each time you click 'hit me' you lose some health. The amount you lose each time is shown above the status bar.

Again there are several different ways to find the value. (like doing a decreased value by... scan), but I'll only explain the easiest. "Unknown initial value", and decreased value.

Because you don't know the value it is right now, a exact value wont do any good, so choose as scantype 'Unknown initial value', again, the value type is 4-bytes. (most windows apps use 4-bytes) click first scan and wait till it's done.

When it is done click 'hit me'. You'll lose some of your health. (the amount you lost shows for a few seconds and then disappears, but you don't need that)

Now go to Cheat Engine, and choose 'Decreased Value' and click 'Next Scan'

When that scan is done, click hit me again, and repeat the above till you only find a few.

We know the value is between 0 and 500, so pick the one that is most likely the address we need, and add it to the list.

Now change the health to 5000, to proceed to the next step.

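This level deals with an unknown initial value. In a game you may only see a status display, such as whether health is full, without knowing the actual number. In that case the following method finds the address.

First select "Unknown initial value" as the Scan type, then click "First Scan".

After the first scan, set "Scan type" to whatever fits. Here the value is decreasing, so choose Decreased Value; in other situations, choose according to your needs.

Then keep repeating the process above until you are left with the one definite address; the condition here is that the value is between 0 and 500. I will not repeat the details. Finally change the value to 5000, and move on to the next level.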
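The narrowing behind levels 1 and 2 (Exact Value followed by Next Scan, and Unknown initial value followed by Decreased Value), as an added example that is not Cheat Engine's code or part of the original post. The memory snapshots, the offsets and the helper names `first_scan`, `next_scan` and `make_memory` are constructed for illustration.

```python
import struct

def read_u32(mem, off):
    return struct.unpack_from("<I", mem, off)[0]

def first_scan(mem, value=None):
    """'Exact Value' when value is given, 'Unknown initial value' otherwise."""
    snap = {off: read_u32(mem, off) for off in range(0, len(mem) - 3, 4)}
    return snap if value is None else {o: v for o, v in snap.items() if v == value}

def next_scan(candidates, mem, keep):
    """Re-read each surviving offset; keep(old, new) decides whether it stays."""
    fresh = {off: read_u32(mem, off) for off in candidates}
    return {off: new for off, new in fresh.items() if keep(candidates[off], new)}

def make_memory(health, noise, timer):
    # Constructed snapshot of eight 4-byte values; health lives at offset 12.
    return struct.pack("<8I", 100, 7, 300, health, 100, noise, timer, 100)

def exact_value_demo():
    # Step 2: health is shown as 100, then 96 after one 'Hit me'.
    found = first_scan(make_memory(100, 50, 4000), 100)
    first_hits = sorted(found)
    found = next_scan(found, make_memory(96, 50, 3990), lambda old, new: new == 96)
    return first_hits, sorted(found)

def unknown_value_demo():
    # Step 3: all we know is "it decreased" and "it is between 0 and 500".
    found = first_scan(make_memory(420, 50, 4000))
    for mem in (make_memory(413, 45, 3990), make_memory(401, 60, 3980)):
        found = next_scan(found, mem, lambda old, new: new < old)
    in_range = {o: v for o, v in found.items() if 0 <= v <= 500}
    return sorted(found), sorted(in_range)

if __name__ == "__main__":
    print("exact value:", exact_value_demo())
    print("unknown initial value:", unknown_value_demo())
```

In the second demo a countdown value also survives both Decreased Value scans, and only the 0 to 500 range check separates it from the health value.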


Level 3: Floating point

 

Step 4: Floating points (PW=890124)

In the previous tutorial we used bytes to scan, but some games store information in so called 'floating point' notations.

(probably to prevent simple memory scanners from finding it the easy way)

a floating point is a value with some digits behind the point. (like 5.12 or 11321.1)

Below you see your health and ammo. Both are stored as Floating point notations, but health is stored as a float and ammo is stored as a double.

Click on hit me to lose some health, and on shoot to decrease your ammo with 0.5

You have to set BOTH values to 5000 or higher to proceed.

Exact value scan will work fine here, but you may want to experiment with other types too.

 

Hint: It is recommended to disable "Fast Scan" for type double

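I do not really understand what the Hint is getting at (if anyone knows, please tell me), but that does not stop us from clearing the level. As everyone knows, floating-point numbers are stored in memory differently from integers, so the search handles float and double separately.

This is much like level 2, except that "Value type" is set to "float" or "Double".

Once you have found the addresses to modify, change them, and move on to level 4.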
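Why the value type matters for this level, as an added example that is not Cheat Engine's code or part of the original post: the same number 100 has three different byte patterns as a 4-byte integer, a float and a double. The `aligned` flag models one possible reading of the Hint, namely that a fast scan only checks addresses divisible by the value size; that is an assumption the page does not state. The buffer layout and the name `exact_scan` are constructed.

```python
import struct

# Little-endian encodings for three of Cheat Engine's value types.
FORMATS = {"4 bytes": "<i", "float": "<f", "double": "<d"}

def exact_scan(mem, value, value_type, aligned=True):
    """Return every offset where `value`, encoded as value_type, occurs.

    aligned=True only checks offsets divisible by the value size
    (assumed model of a fast scan); aligned=False checks every byte offset.
    """
    needle = struct.pack(FORMATS[value_type], value)
    step = len(needle) if aligned else 1
    last = len(mem) - len(needle)
    return [off for off in range(0, last + 1, step)
            if mem[off:off + len(needle)] == needle]

def build_memory():
    # Constructed layout: int 100 at offset 0, float 100.0 at offset 4,
    # four padding bytes, then a double 100.0 at offset 12, which is
    # 4-byte aligned but not 8-byte aligned.
    return struct.pack("<if4xd", 100, 100.0, 100.0)

def scan_report():
    mem = build_memory()
    return {
        "4 bytes": exact_scan(mem, 100, "4 bytes", aligned=False),
        "float": exact_scan(mem, 100.0, "float", aligned=False),
        "double, aligned": exact_scan(mem, 100.0, "double", aligned=True),
        "double, every offset": exact_scan(mem, 100.0, "double", aligned=False),
    }

if __name__ == "__main__":
    for name, offsets in scan_report().items():
        print(f"{name:22} -> {offsets}")
```

Each scan finds only the value stored in its own encoding, and the aligned double scan finds nothing because the double sits at offset 12.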

 

Level 4: Code Finder

Step 5: Code finder (PW=888899)

Sometimes the location something is stored at changes when you restart the game, or even while you're playing.. In that case you can use 2 things to still make a table that works.

In this step I'll try to describe how to use the Code Finder function.

The value down here will be at a different location each time you start the tutorial, so a normal entry in the address list wouldn't work.

First try to find the address. (you've got to this point so I assume you know how to)

When you've found the address, right-click the address in Cheat Engine and choose "Find out what writes to this address". A window will pop up with an empty list.

Then click on the Change value button in this tutorial, and go back to Cheat Engine. If everything went right there should be an address with assembler code there now.

Click it and choose the replace option to replace it with code that does nothing. That will also add the code address to the code list in the advanced options window. (Which gets saved if you save your table)

 

Click on stop, so the game will start running normal again, and close to close the window.

Now, click on Change value, and if everything went right the Next button should become enabled.

 

Note: When you're freezing the address with a high enough speed it may happen that next becomes visible anyhow

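Anyone who has studied C will probably get the gist at a glance. Levels 4 and 5 would really be best introduced together, but to keep the two posts evenly split I have put level 5 in the second post.

A common situation in games is that a memory address you found has changed the next time the game is restarted. Level 4 is about dealing with this.

First find the memory address in the same way as before. Then see the figure below.

Click the corresponding item in the right-click menu to find out what writes to this address. Then change the value again, which gives the result.

Use "Replace"

to replace this instruction with NOP.

Once that is done, you can move on to the next level.

These levels are fairly simple. If you are interested, try the later ones, which are a bit more fun.

That is all for today; the remaining levels are covered in the next post. Good night, everyone.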

 

posted on 2009-11-30 22:11 cnyao