Help File:Menus and Features
The File menu gives you access to some simple save/load-type options:
New Window will allow you to create multiple disassembly view instances; good for viewing many spots of code at once. You can access the same menus from these new windows with the exception of the Debug menu which is exclusive to the original window.
Save disassembled output allows you to save a range of memory in this format, which is good for using as code-snippets to post online or illustrate certain concepts to others. It outputs as a plain text .txt file.
Save/Load memory region gives you the ability to dump a memory region to file and then load it back in later. It saves as a Cheat Engine memory file (with an optional CE header). Not an option for standard users.
The Search menu will reveal two options for traversing through a program:
Find memory will allow you to run a scan for either text (ASCII or Unicode) or an array of bytes, between a memory region of your choosing.
Find assembly code is similar to the above, but will allow you to specifically chose a game instruction to locate. For example I could search for:
All of the results (if any) will be displayed in the box. You can then double-click these entries to go to that spot in memory. This is a great feature for quickly updating cheats to a new version of a game. You have to be fairly specific or you could end up with several hundred results to trawl through depending on the target.
The View menu will give you a bunch of options relating to how you 'see into' the game:
You can view a list of breakpoints, process threads and debug strings here. You can also view the heaplist and a memory region window, which allows you to quickly see details about areas in memory (such as location, protection, size and type).
You can click on Enumerate DLLs and Symbols to show a list of loaded modules and their respective symbol names.
You can toggle the display of user-mode, kernel-mode and user-defined symbols here, which can be very useful for creating game hacks from, because you can easily locate and manipulate certain structures. See the website tables section for some examples of this. A good example of a symbol-fanatic in game-training is the user: Recifense :-)
Show module addresses will toggle how the address column is displayed in the memory viewer. Instead of showing an exact virtual address, it will display the location in base+offset notation. This is especially useful in games that code-shift; that is when game's allocate their modules (.dll's etc) to different spots in memory on a new restart or level load. This will allow you to find the right spot every time despite this 'shifting' process. You can use the base+offset notation in a cheat engine script. It will parse it fine, so long as the game (and module) is loaded and you have picked the process in CE.
An example could be as follows (the number is hex):
20468042 => client.dll+468042
From this we can deduce that client.dll is actually loaded at 0x20000000 by performing a simple subtraction. You can also see this information in the hex view windows however, which is tagged along to the bottom of the memory view pane. Along with 'AllocationBase' you will also find 'Image Protection', 'Image Size' and (optionally) 'Physical Address'.
The next time the game is ran, client.dll may be mapped to 0x32000000 and so by taking this address and adding our previous offset of 0x468042 we can arrive at the right code spot.
The Debug menu gives us access to our debugging controls:
If you haven't yet attached the debugger to the target, then you will be prompted to do so when you try to use any of these options. You can toggle a breakpoint (F5) at a certain point in code and break on a chosen program thread (you will be prompted for which thread; main thread or otherwise if there are more).
With the former option, a few more options open up once you have 'broke' on an opcode. You can simply choose to run (F9) and continue execution, or you can step in (F7) or step over (F8) certain instructions. For quick code tracing you would generally use step over (F8), but stepping in can be great for investigation certain CALL's should the need arise. Finally you have the option to run till (F4) user return, which is handy for breaking on certain message boxes, prompts and other events which are tricky to reach using other methods.
The Tools menu gives us access to the main powerful features of CE:
Allocate Memory allows the user to add a custom amount of extra memory to the current process (in KB).
Scan for codecaves helps to find (likely) unused areas of memory to use as a code cave for cheats. You can specific the range of memory to search within and whether or not to include read-only memory (not advised).
Fill Memory can be used to fill a specific region of memory with a certain byte value or sequence (hex).
Create Thread will allow you to create a remote program thread which runs independently of the main program thread/execution but still has access to the target processes memory space. (Advanced)
The Dissect options allow you to map out various structures in memory and make them easier to interpret. For example the class of TPlayer could contain a pointer to TWeapon which could then be expanded further like a tree. You can also dissect windows and change caption text (which can be useful for simple anti-cheat evasion) and you can view basic PE Info of a file.
Pointer Scan will reveal CE's pscan engine interface, which allows you to automatically find a 'path' through memory to a specific variable. You can then use this resultant path or 'pointer' in the future, as it's end location will always be the same; your variable! It's used extensively as a method of bypassing DMA (dynamic memory allocation) in more difficult games, or cheat-protected games, or by beginner users who aren't accustomed to code-injection methods.
Find static addresses will get CE to trawl through memory (of your choice) in an attempt to locate all static addresses residing in that memory space. This can be useful for locating static base pointers for your otherwise broken pointer paths. It is also useful when hacking emulated game targets when there is no obvious base address.
Inject DLL is a generic DLL injection feature (surprise, surprise) which will prompt you for the DLL to inject and then do so into the current process.
Auto Assemble is one of the most powerful and frequently used features of CE. It will allow you to create your own code injection scripts and then make the modifications to memory at the click of a button. Scripts created here will be added to the main cheat list, which can then be named. Scripts can also be saved from this box.
LUA Console will reveal an interface into the lua-script engine, allowing to create lua-scripts and run them.
The Kernel tools menu is only available if you have chosen to use kernelmode debugging routines instead of the original windows versions (see the settings). It contains a selection of advanced and specialized features which are beyond the scope of this help file, and will never be utilized by most users.