CE Full Cheat Engine, mainly used for scanning and debugging software memory data, its function can be said to be very powerful, let's explain its functions one by one
(1) Download of CE
For CE download, it is recommended to download the latest version from the official website
Currently version 7.4
You can also download some versions with Chinese patches from Baidu, but it is better to use the original version after you are familiar with it
(2) The main interface of CE
After opening CE, we can see the following main interface. As for the pop-up windows when opening for the first time, all the windows can be canceled or closed.
In the upper left corner, we can see that the version of CE is 7.4, which is the latest version. Of course, when you use some special tools to open CE, you can hide this title or turn it into garbled characters, so as to hide the process and prevent anti-debugging
Below the title is a row of tabs, which we will talk about later.
Below these options there is a button with a magnifying glass
Click this button, we can see the applications, processes and windows that can be attached at present
Usually we only need to select the application in Applications
On the far left is the icon of the application, followed by its PID and process name
When we debug multiple windows with the same name at the same time, we can select the correct process according to the PID
After selecting the process, double-click or click open below to open the process and start scanning.
Of course, if you need to attach debugger to the program, you can choose Attach debugger to process, but it should be noted that after the CE attaches the program, you cannot use other programs to attach it repeatedly, because only one debugger can be used for a certain process at the same time. program for debugging. If we want to use other debuggers after CE attaches debugging, we can use CE to re-open this process or other processes, or we can simply close CE.
Next to the additional button there are 2 more buttons
These two buttons are to open the previously saved scan results and save the current scan results respectively. The file suffix is .CT
After successfully attaching the process, we will find that No process selected on the original interface has become the process to be debugged
There is a gray progress bar below this message to show the progress of the current scan
Below the progress bar is the main interface of CE scanning. The large blank space on the left (it seems that it should be called "empty black space") is the scanning result window, which shows Found: XXX indicates how many results are currently available, and the following are Address Address, Value value, Previous last result. When we arbitrarily scan a value, there will be an extra item First to indicate the initial scan result
When we lock some of the results, we can double-click to save them one by one in the storage window below
Of course, if there are many results that are suspected or confirmed to be useful, we can hold shift+left button to select batches by region, or press ctrl+left button to select batches one by one, and then click the red arrow on the right to store them together in the following in the window
Next we look at the scan options
For the first scan, we can click First Scan. When we scan for the first time, it will become New Scan. Click it again to start rescanning.
Next Scan on the right is the next scan, which can only be clicked after the first scan, while Undo Scan with changes returns to the previous scan, and can only be clicked after clicking the next scan. Note that returning the last scan result can only be returned once in a row. If you accidentally click Next Scan once, you can use this to return. If you click twice, then you may have no way to go back. Re-scan.
(3) First scan
Before the first scan, we can configure the conditions for the first scan through the following options. If the box on the left of Hex is selected, it means to scan in hexadecimal, otherwise the default is decimal. Scan Type indicates the type of scan. We have five options for the first scan, which are accurate scan, larger than..., smaller than..., between the two, unknown initial value.
It should be noted here that when choosing between the two, if it is an interval of two negative numbers, the smaller the absolute value, the larger the negative number, and it must not be written as greater than -10 and smaller than -20, which is a very low-level mistake .
Value Type indicates the scanned data type, we have 11 types to choose from
Since the smallest unit of operating memory is byte, the commonly used types are Byte to Array of byte. If we cannot determine the type, we can also choose All. If scanning a very large program, the scanning process may become very slow. , especially with an unknown initial value chosen.
Binary is not particularly used, because when a certain bit changes, it actually means that the byte where this bit is located has also changed
Grouped is group scanning, when two or more non-adjacent addresses change synchronously, we can use this scanning method
This means that we need to scan 2 values at the same time, one of which is a 4-byte 1 and the other is a float type 2
In fact, this method is just to more accurately locate the data we want. The previous data types have met all our scanning needs.
There is a Lua formula and Not on the right. We will talk about the former later. Not represents a non-current condition. For example, we choose a value between 5 and 8. If you select Not, it becomes not between the two, that is, less than 5 or more than 8 data
Below the basic scan options there is a range of memory to scan
We can click the tab where All is located to select the module to scan
You can also customize the range to scan
There is an Unrandomizer function on the right, which means that the random number effect is disabled, but this function only takes effect in a few specific environments
There is also an acceleration function
This function seems to be powerful, but it is limited to some weak network or stand-alone programs. Using acceleration effects in programs with frequent network communications may cause devastating consequences, such as program crashes, account bans, and so on.
The following Writable indicates whether it is writable, most of the time we need to check this
When we scan a piece of data, we find that the value is stored in a certain address, but cannot be scanned. At this time, we can consider clicking this option, because the page attribute of this address may not be writable, such as the character of the XOX game base address.
The other two are fine by default, one is executable and the other is copy-on-write, which is of little help to our regular scans.
The Fast Scan option indicates that the scanned results are aligned according to a few bytes. When we scan a piece of data and get no results, we can consider removing the fast scan or changing it to 1. At this time, the results without memory alignment can also be scanned out
The last option means to pause the game during scanning, this function is used when the data changes very frequently
If scanning some large-scale programs, try not to use this function, because when the program is suspended, it will affect the network communication and cause problems such as disconnection.
In the lower left corner of our CE, you can see a button that says Advanced Options, this button can also realize the function of pausing the game, and it can be paused at any time
After clicking, we can see a new window. The small square in the upper left corner is the button to pause and resume the game. We will talk about other functions of this window later.
When we select string scanning, several options will appear to the right of the scanning options
Case sensitive indicates whether it is case-sensitive or not. This can be checked by default. If the above two options are not selected, it means that the scanned code is UTF-8. If Codepage is checked, it means that the ASCII code is scanned. If UTF-16 is checked, it is UTF -16, which is Unicode encoding. In addition, if you want to scan codes such as BIG5, you need to convert it into a byte set and scan it with the byte set, that is,
(4) Scan again
After the first scan, most of the options below will become unmodifiable
At this time, the scanning method will change
The options here are exact value, greater than..., smaller than..., between the two, increased value, increased by how much, decreased value, decreased by how much, changed value, unchanged value, Compare with initial scan. The increase and decrease can also be scanned by percentage.
Just filter the data literally.
When scanning, we will find that some values in the results are green. The meaning of the values pointed to by these addresses will not change with the restart of the program. They may be global variables, or near the global variables.
This result is expressed in different ways in different versions of CE. The new version of CE will display it in the form of module + offset, because the base address of some modules changes with the restart of the program.
Data Observation and Processing
After scanning the results, we can pull the results into the list below for observation and processing
On the far left of the list, Active indicates whether to lock the result, if clicked, the locked result will be frequently written to the locked result.
This method has certain limitations. If it frequently conflicts with the writing function in the program, it may cause problems such as crashes. For programs that frequently verify the network, problems such as disconnection or detection may also occur. Therefore, not all data can be locked. It is necessary to analyze the specific situation to determine whether it is feasible.
Description is an expression, a note, when there is a lot of data, it can be used to note that we have selected key data
Address Type Value is the address, data type, and value. These three are the keys we need to operate
Select an address and double-click, and a window for modifying and adding offsets will pop up
In Type, you can modify the data type to be viewed, and you can also double-click the Type in the list to achieve this function
The following Hexadecimal is whether to use hexadecimal to view, and this function can also be realized by right-clicking on the list
Signed indicates whether to use unsigned to view, this can be used is not very useful, the default is enough
Pointer is the key, click it to add a layer of offset, and buttons for increasing and decreasing offset will appear
The formula of the data in the figure is [[RNFCE2.exe+BDA38C]+C] and the result is float type 292.1288147
(5) Partial scan example
Quick scan
The quick scan is mainly aimed at the data without memory alignment. We use the DWORD type to scan b in the figure below normally, and find that a result can be obtained, but it is not a base address, and there is no effect after modification
We tried to scan with other data types, but found that we couldn't get the correct data. At this time, we suspect that the memory may not be aligned.
So we remove the memory scan and repeat the above operation again, and finally get a float type address
After scanning out a, change a and b to 0 at the same time, jump out of the loop, and the program ends
suspend program
In the following program, because the value is refreshed very quickly, we cannot accurately obtain the value to be scanned
The program randomly prints a value every 0.1s. In order to scan accurately, we can click the pause button mentioned above to pause the program, and then run the program after scanning
After running, the value will be displayed on the scanned result in real time
lock memory
In the following program, the value is refreshed very quickly, and we need to change the value to 0 a hundred times to break out of the loop
At this point, we first need to scan to the correct address by suspending the program
After running, after we changed the value to 0, the number increased by 1
If you want to jump out quickly, it is unrealistic to change it 100 times, but we can use the locking method to lock the value to 0, so that the program can run itself to jump out of the loop
We will find that when we lock 0, the program will not output 100 consecutive successes, but there will be many failures between each two successes
This is because the principle of locking is actually like continuously writing values in the memory, and the writing speed of our locking is not as fast as the writing speed of the program (10ms/time), so the number of failures will be many. In fact, it succeeds after locking 100 times only takes a few seconds.
(6) View access and write code
Since the result we scan is not necessarily the base address, we need to obtain the offset of each layer of data by accessing the code, and finally get the base address
So what about getting an access code?
We can right click on the result and find that there are many options to choose from
The functions of the F5 and F6 shortcut keys here are to view the code for accessing the current address and view the code for writing the current address
For the choice of access or write, it is necessary to analyze according to the specific situation. For example, we have determined that a certain address is the address we want, and there is no need to analyze its writing process, so we can use the access code at this time.
If the address we get is only a temporary address, it is the desired result only in a specific operation, and we need to use a write breakpoint at this time. For example, there is an address, which stores the ID of the item used each time, but after the item is used, this address will no longer be accessed, or other values will be written when doing other operations, then we can check this address Write the code, and analyze the source of the writing when using the item again, so that there is a high chance of getting the offset address of the item ID in the object.
When we scanned the small program we wrote, we got a result that can change the actual value
The address at this time is not green, so every time the program is restarted, this address will change. In order to get the base address, we need to check the code that accesses it.
Right click, view access code, a window will pop up
This window is the same as the window where we first attached the debugger. That is to say, when we click Yes, the program will be debugged by CE. If we want to use other programs to debug it, CE needs to be reattached. program or close CE.
After clicking Yes, the access code window pops up
When not doing any operation, there is no code here, that is to say, this address is not accessed by any code at this time. When we click the "click to modify" button on the program, several codes appear in the window
1 is displayed on the left of each code, which indicates that the current code only accesses this address once, and the address on the right indicates the address of this code in memory
Then to the right, you can see a small set of bytes, which represents the machine code of this code, that is, the storage form of the rightmost assembly code in memory.
Choose a code, select it with the left button, and the option on the right will be activated, and the 5 codes around this code and the value of the register at the time of access will be displayed in the window below
The first option on the right, Replace, is to modify the code. If it is just to find the data source, this function is useless, but if we want to invalidate this code or implement other functions, we can use this function appropriately to to modify. For example, the second result is obviously like writing data in this address. If it is changed to nop, then no matter how we click the button, the value in this memory will not be changed.
Show disassembler is to display the disassembly window, which we will talk about later
Add to the codelist means to add the selected code to the Code list list, that is, the window where we click the game to pause
This list is used to save key codes. After all, the access window cannot be kept open. If you want to operate this code later, you can go to this list to operate it.
Next we look at the last item
The information that pops up after clicking is consistent with the content displayed in the small window below the code window, but it looks more convenient
For this access code, the source we need to continue to analyze is the register eax, the offset is +C, we can directly scan eax in CE, which is 0x0994B50, and we can get the base address
You can also analyze directly upwards along the code, because the previous line of this code is the source of eax
We can right click on this window and click
You can also directly copy the information of the entire window by pressing Ctrl+C.
But pay attention when right-clicking, if we right-click on the middle row of small characters, only the address of eax will be copied
In this way, we have completed an offset analysis and successfully obtained the base address and offset expression [[RNFCE2.exe+BDA38C]+C]
If a piece of data has multiple offsets, we can repeat the access operation on the scanned address, and finally get the base address
The offset expression can be obtained by accessing the code and CE scanning, but if we set a write breakpoint and want to find the source of the write, this method will not work, because the write code does not have the offset we want . Therefore, in this case, the analysis can only be continued by analyzing the assembly code. At least the first offset must be analyzed before continuing to analyze in the previous way.
(7) Memory Viewer
Since there are only 5 assembly codes that can be viewed by accessing and writing codes, sometimes it does not meet our needs, because not all data can be completed with simple access and scanning, so we need to use the memory viewer window to for a deeper analysis
At the top left of the scan result window, there is a Memory view button, click it to open the memory viewer
Also in the window for viewing access codes, we can also click
This button to open the memory viewer and follow the code to this code
This window has many functions. Although it may not be as convenient to use as xllydbg, it can basically meet all needs.
First, let's look at the File button at the top, click to open a tab
The first option is to open a new memory viewing window, we can observe multiple pieces of code and memory at the same time
The second option is to save the disassembly output, which means we can batch select and save the disassembly code into a text file
We will not use other options temporarily, and we will explain them later
Next, look at the second Search button, there are 2 options in the tab after clicking
The first option is to find memory, the second is to find code
Let's first look at the memory
After clicking open, there is a small window where you can set the memory and range to be searched
Here you can also set the byte set or text to be searched. This function can be used when searching for a certain value in an object. For example, if we want to search for a string 123, it will directly transfer to the first Where 123 appears
It is easy to understand the search code. We write one or a piece of assembly code, and it will find all the matching codes in the range.
If the scanning range is large, the speed will be slower. Of course, generally speaking, we scan according to the module
On the right side of the scan button is the view button, and after clicking it, all the views that can be set are displayed.
The ones in the above area are mainly used for debugging. The first one is the stack trace. We can randomly find a code that is being executed, and click F5 to break it. At this time, there are more buttons in the window.
These buttons are the functions that will be used during break debugging. The red dot on the left is equivalent to F5 to set a breakpoint, and then run, step into, step over, execute to return, and execute to.
At this point, the stack trace option is activated, and you can see the return information of the stack after clicking Open
Below the stack trace at a time is the watch list, breakpoint list, thread list, debug strings, debug events and user write logs
In fact, what we mainly use here is the breakpoint list, which is used to operate the breakpoints set by the user
For example, if we set a write breakpoint on a certain data, and set an F5 breakpoint on a certain code, it will be displayed in the breakpoint list
Right click on the option with delete to delete the breakpoint
Below the first area, there is an All string all strings and Memory regions memory area, these two are more important
First, after all the strings are clicked, a small window will pop up
We first click Generate string map on the upper right to generate a string map, and then click show list below to display all strings
The main function of the memory area is to observe the functions and page attributes of different areas in the memory, which is not used temporarily, and will be discussed later
The next two options are to enumerate the DLL and symbol table, and the graphical memory view, which is less useful
Enumerating DLL and symbol table can help us quickly find the base address and function information of some modules
The bottom area of the view window is mainly for the display of some windows and information, usually by default, the last one sets the font color, etc., you can translate it yourself and customize it
On the right side of the view is the debugging option, which is consistent with the functions such as switching breakpoints mentioned above. We can see the shortcut keys in the tab, which is convenient for us to quickly operate the disassembly window
The Tools on the right are tool options, we will use them later
Let's take a look at the information and functions in the disassembly window.
(8) Disassembly window
The disassembly window is the main area in the middle of the memory viewer, which displays the assembly code of the program
The area on the left is the address, usually in the form of module + offset, then machine code, assembly code and comments
We can click ctrl+g to jump to the code at any address, of course, we must ensure that this address is in the code segment
Click the space on call and jump to jump to the pointed address, and you can also use the delete key to go back
Right click on any code to see, the top 3 options are the three functions mentioned above
The following two options are to set bookmarks and jump to bookmarks. Since CE cannot use and find comments as flexibly as xdbg, the function of bookmarks is to find the code we recorded last time when we reopen CE. Although CE can also set comments, it does not have the function of going to comments
Other functions are not commonly used in actual applications, except F5 to set breakpoints, which we have already talked about before
(9) Data break access breakpoint analysis data
The lower left corner of the memory window is the data window. When we scan an address and want to access it or write a breakpoint, we can select this address and press ctrl+F2. At this time, the memory window will be opened and the data will be broken. go to this address
Right click on an address in the data window, you can pop up many functions
The 4 functions of the first part are edit, go to address, search memory and search accessible string
EDIT We can achieve this by double clicking
Go to the address is actually the same as ctrl+g in the assembly window, and it is applicable to all windows
The search memory has been mentioned before, but it appears here again. As for the strings that can be accessed by searching, this is of no use for the time being
The two functions of the second part are copy and paste, select a part of the memory, and then operate it to understand
The third area is more important. The first option is the type of data to be viewed. Usually we choose 4-byte HEX. Of course, specific data should be viewed in a specific way.
The second option is text encoding, you can choose according to your needs
The third option separator, can be ignored
The fourth option is a custom alignment method, the most practical and convenient way to observe is to use 4 alignment
The fifth option is the relative address, that is, the offset, which can be realized by double-clicking the address in xdbg, but it is more troublesome in CE
Then let's look at the last function of the last part, data breakpoint
After expanding the options, we will find that there are many ways and types of breakpoints to be set
The bottom part is to set the type of breakpoint. Generally, we choose the first hardware breakpoint, and the second is the memory breakpoint, that is, the exception breakpoint. After setting this breakpoint, it will be very stuck, and may even crash , so it is rarely used. The last one is a DBVM breakpoint, which will be used in specific cases
The top part is the way of breakpoints, which are writing and accessing breakpoints respectively, which should be set according to the analysis requirements
The last two in the middle part are to find the access code and write the code. As mentioned above, the first break and trace is to interrupt and trace. This is temporarily unusable, and I will talk about it later
Then we will use hardware access and write breakpoints to analyze the data
First of all, we set a hardware access breakpoint on the address we just found. Since this data is being written and accessed continuously, we will break it immediately
After setting, we can delete the breakpoint in the breakpoint window mentioned above, or right click on the data, and the bottom option will change to delete breakpoint
We habitually delete breakpoints before analyzing
Observing the access code, we found that this access code actually compares the value in the base address with 0
We can directly change the next jump to jmp, so that there is no need to lock out of the loop
(10) pointer scan
Since CE analysis of offset expressions is not as convenient as xllydbg, we rarely use it to find the base address, but it has a very powerful function, which can find the base address without analysis. This function is pointer scanning.
Then we scan an address arbitrarily, try not to use green, first get the first layer offset + C by looking up the access code
Then right click on this address and select point scan for this address
In this window, we need to make some settings. First of all, we need to fill in the value after the checked Max different offsets per node. We need to fill in 4, which means that the offset of each node differs by a maximum of 4, because the address of a 32-bit program is 4 words section, and then check the following pointers must end with specific offsets, and fill in C for the value, indicating that the expression must end with a +C offset
The following part is to set the scanning thread 9, and the maximum allowed offset 4095, and the maximum offset level 7
Of course, these numbers can be modified according to the specific situation to ensure the efficiency and accuracy of the scan. Here I change it to 5, 2047 and 5, and then click OK to save a file for the scan result
Due to the small size of the program I wrote myself, I only got one result
If the program is large and you get more results, we can import the results of the last scan (pointer mapping set) through the above Use saved pointermap, and compare with other saved mapping sets to get accurate results. After all, there are Many results are invalid after the program is restarted.
There are many other black technologies in CE that we haven't mentioned. Here we only explain some of the more basic functions. In the next CE article, we will explain other functions of CE. Welcome to pay attention to the public: Ren Niaofei reverse technology exchange and learning!