Topic: [Guide] Modding with Cheat Engine


Night

« on: December 04, 2019, 12:07:30 PM »
Overview:
Hello all, this is going to be a guide on modifying the game with Cheat Engine. It's a pretty common guide found among other games, but I figured I'd give my go at it for URW seeing as there isn't much activity in regards to finding new addresses for the game; maybe we can spark up someone's imagination! We'll be nose diving straight into it, so make sure you've got your head ready for the use of good ol' numbers (yuck!) and the motivation to imagine what treasures hide within :).

Note: this guide is based on Windows; Linux and iOS users' experience may differ.

The Guide:

~ removed table of contents, anchors were buggy.

Setting up Cheat Engine:

Step 1: Required files
Make sure you have the required files installed and administrative permission, essential to completing this guide successfully:
Note: You can choose to use another memory editor; there are many other options available aside from Cheat Engine, but in this guide I will be using Cheat Engine, and its features may or may not exist in alternatives. I will be using Cheat Engine v6.7; most versions are identical, but if you have any issues following along, post below.


Step 2: Run
If you haven't done so already after acquiring the required files, run both the game and Cheat Engine with administrative privileges
(we don't want annoying permission troubles).

This is what your screen should look like: (resize cheat engine to be comfortable)
[Image 1]



Step 3: Select target
Now that we have both programs open, we need to select what program cheat engine is targeting. This applies for any program you are attempting to modify with cheat engine.

Directions for the labeled figures in the image below:
  • Click this button; this will open the process list of target-able applications.
  • This indicates the type of process you are trying to target; luckily for us, UnReal World should be located under the default applications tab.
  • Select UnReal World from the process list
  • Click 'Open'
[Image 2]


Result:
If you followed the instructions correctly, cheat engine should be attached to the game and we are ready to start using it.
This is what you should see on cheat engine to indicate you have attached to a process: (the handle, 000021FC, is run-time dependent and will not be identical)
[Image 3]

Using Cheat Engine:

Step 1: Understanding what the tool does
It's important to understand what exactly you're looking at when you use this tool, so I'm going to try to give you a short description over each feature we will be using and its function. I am not a grandmaster when it comes to this stuff, so there are many advanced features I have no qualification in covering, we won't be going over these, but there are many powerful features that can improve and speed up the process of using cheat engine successfully.
  • The search bar
    This is where the hunt begins; this is where you're going to hypothesize, scan, sort, and mathematically eliminate addresses through the game's data to find what you're trying to edit. Anything you put in this box, Cheat Engine is going to give you every instance of that data point within the game. If you scan for a value of 1, you're going to get every single address that contains the value 1. This will occur on every "First Scan", as you are looking for addresses with an initial starting value. When using "Next Scan", the addresses from the last scan you did will have all of their previous values from the time of that scan compared to the values they currently hold. Depending on your sorting condition (which will be explained in B.), your list of addresses will filter certain addresses out of the list, leaving you with fewer and fewer addresses. Eventually the idea is that you can isolate the address that represents the specific value for the specific feature you are trying to change, and then use it. When you think you've found your address, or think the address is potentially not located within your current list of addresses, you can click the "New Scan" button, which will clear your current table of search addresses and start you from a fresh first scan. You will likely do this when you are unable to find the address you are looking for from the table, which can occur for a number of sorting-related reasons, or by simply not searching for the right number.

    Note: The checkbox labeled "hex" indicates what format of numeral you're scanning as; if you enable this, the values you input will be based on the hexadecimal system rather than the decimal system. It's useful to know hexadecimal, so you should read more about it (https://en.wikipedia.org/wiki/Hexadecimal); there will probably be a mention of it later when we get to using addresses.
     
  • Scan Type & Value Type
    In short, scan type and value type are going to determine how your addresses are presented to you and read by Cheat Engine, and how they're going to be sorted between each scan.

    For the scan type, there are several different values you can choose from depending on what stage of the scanning process you're in and the value type:

    The value type however is the type of data you are trying to find, to your best knowledge. Often values are reduced to their smallest value type by developers to reduce size, and increase the efficiency of the code:
    To get the best results, you want to try to reduce your value type to the lowest type possible based on the information you know about your target address, this will ensure your scan picks up the address correctly when it makes the comparison, instead of potentially reading too many bytes. Here is a short list of the value types, their minimum and maximum values in hex and decimal, and some examples, but you should probably read up more on these if you want to have a good understanding of their uses and what to expect from the address you're trying to find:
    • Byte: Hex: 0x00, 0xFF   Dec: 0, 255   Examples: Attribute level, Skill level, State variables (running, jogging, walking, crawling), etc.
    • Word (2 Bytes): Hex: 0x0000, 0xFFFF   Dec: 0, 65535   Examples: Object IDs, Object Quantities, Ammunition, Network ping, etc
    • Dword (4 Bytes): Hex: 0x00000000, 0xFFFFFFFF  Dec: 0, 4294967295  Examples: Score, Object Quantities, Currency, ARGBColor, Idle Games
    • Float: Float: 1.175494351 E-38, 3.402823466 E+38   Examples: Weight, Physics variables (Gravity, multipliers), Vehicle speed, % based variables
    • String: Text: 0, Buffer Length   Examples: Player Name, NPC Name, Object Name, Month, Day, etc.
    • Array of Byte: Bytes: 0, Buffer Length   Examples: Groups of stats, Object structs, Signatures
       
  • Addresses found when scanning
    After successfully completing a scan for a value (labeled A.), addresses from the game are appended to a listbox on the left side of Cheat Engine (labeled B.) for you to inspect and select from. Once you have selected addresses you would like to further modify or inspect, you can click on the arrow button (labeled C.) to append them to the listbox located on the bottom of Cheat Engine:
    From this list, you will have better access to editing the address to suit your needs. An Address, simply put, is a storage location for memory to live; you can think of it as a labeled container. Addresses are usually displayed in hexadecimal, and while this may look intimidating, it is a much cleaner structure when dealing with data (remember, hexadecimal and decimal values are convertible between each other, so these are technically just numbers). We already went over what value type is, but when we have an address in our listbox, we also have the ability to change the value type of the address we're viewing. This is useful in the event we want to see the value as a different type, for example, if we change our current type to string:
    We can see the value has changed to the character representation of the value "123". This does not mean we've edited the actual data there; this is just allowing us to view that data in several different ways that will allow us to piece together what we're looking at.

    The "Active" check box on the left side of the address indicates whether Cheat Engine is freezing the address's value to the value displayed or not (meaning if the game tries to edit this value, and it's frozen, Cheat Engine will overwrite the value).

    Description is used to label addresses according to what you see fit, mostly a way to indicate what the address is.

    Note: It is important to remember that addresses may change when an application is updated; as such, it is important to know what version of the application you are working with so that you can update your addresses if they change when an update is released.
This is pretty much the bare minimum understanding required to use Cheat Engine, so if you have any questions or trouble, now is the time to make a post below and ask.

Step 2: Finding a target
This is where the fun of imagination begins: deciding what we want to edit and figuring out what the representation of what we're trying to edit in the data is going to be. There are many many many potential target addresses across all applications. In video games, we mostly target values that are going to allow some sort of unnatural advantage or effect to create a sense of satisfaction we could not obtain normally; some prime examples include health, currency and resources, attack damage, points. It's important to remember that not all values you're attempting to look for will be in plain sight; for some values you will need to make a hypothesis and filtration method to find them effectively. The diagram below will show some potential targets I have indicated; we will be targeting one in particular.
I have indicated several nice targets. Some are obvious, such as hunger, thirst, warmth, and energy; others, like what item you're wielding, the location of that rock near my character, or the direction I'm facing, may be less obvious and hard to grasp numerically, but if you can hypothesize what the data for these addresses might be, you are likely to find the address you are looking for. I have indicated the target address we'll be looking for with a green arrow and box: Time of day.

To begin with the process of finding this address, we need to consider all possible values that could encompass what "time of day" represents in the data. This means we need knowledge of the concept of time itself (seconds, minutes, hours, days, months, years), and we need to hypothesize what the game is most likely doing with the data (does the game have 1 address for total elapsed seconds and then convert it with math to its date representation? Does the game have multiple addresses representing seconds, minutes, hours, days? Does the game "skip" sections of time?). A hypothesis that can filter through as many of these potential options as possible will allow you to get the best results. For example, we may not know how the game has set up the time system, but we do know that we can increase the amount of time passed by making our character wait, and can therefore create a filtration method that will eventually leave us with the address and data responsible for controlling time. Once we have this address, we can infer how the code uses it in relation to its display data.

So to begin the search, we'll be searching for a value over 0 (time is moving forward, negative value unlikely) albeit currently unknown, and we're going to search for a type of byte (value between 0 and 255) since it is likely the game will be increasing the data in small amounts as time progresses, this will give us addresses that are increasing even if their data representation is larger than a byte, allowing us to also determine if the address we're looking for is a larger type than a byte. This is what your first scan should look like:
After completing your first scan, we need to modify the game time address so we can apply a filtration method to the address list, so alt-tab back into your game and pass time with the - key for only as much as necessary to indicate to you that time has definitely passed, then pause the game again and alt-tab back to Cheat Engine. Your next scan is going to be a search for an increased value, as time has almost definitely increased in value (we're not sure how much). It should look like this: (Make sure to use NEXT SCAN, not new scan when filtering)
Once you complete this first filter, you're going to see a list of addresses with values on the left side; some of them are changing and highlighted red. This is an indication that the particular address that is changing does not have any correlation with the address we're looking for and its value: as we have not passed any time since our previous scan, our address should have an Unchanged value. So in Cheat Engine we're going to filter out the addresses that have had their values changed by doing this:
This is going to filter our list of addresses unrelated to what we're looking for, so now we need to let time pass some more to indicate an increase in the value, allowing us to filter for such an increase again:
With each effective filter, you're going to notice the amount of addresses found decreasing in the top right. We need to keep filtering until we can get the amount of addresses we're looking at as low as possible, as this will give us the best chance to identify our target address. It is important to make sure when filtering that you are following a pattern with the expected data you are trying to locate; one wrong filter can easily remove the address you're looking for from the list you're filtering, resulting in frustration. Continue filtering until you reach a small list:
When your filters stop removing addresses, it's time to take a look at the addresses and data and try to interpret what you're looking at. In my case, I have filtered the addresses to a list of 54 addresses. Just by looking at the list and thinking about what kind of address we're trying to find, we can eliminate some of these addresses through the process of representational likelihood, and by this I mean: do the addresses and values I'm looking at make any sense in relation to a system of time? Thinking through this, I can already figure there's probably not 54 addresses that determine time, maybe closer to 4 or 5 at max? How do we know which of the addresses we should eliminate from the list? There are a variety of "probability" methods we can employ, so the first thing we're gonna do is move all the addresses with green text in the search listbox to the editing list box so we can see what we're doing more easily (green addresses aren't runtime dependent and will not change, and are the ones we will be using):
From my particular group of found addresses, I have noticed about 20~ of them with the same value and roughly in the same area of memory, these are not likely to contain the address I'm looking for, so I remove them from the list and am now left with the remaining addresses to experiment with:
There are indications that some of these addresses are related to some sort of variable. The addresses I have boxed are very close together in memory and are separated by 4 bytes (basically neighbors), likely meaning the value they represent is actually 4 bytes and not 1. We will be changing the address type to 4 bytes to further observe the data between these groups of addresses, as they indicate the maximum value to be higher than 1 byte. There are also two addresses relatively close to these addresses that I have marked with arrows; they could be related, but it's less likely (notice this is all guesswork; this is the process of documenting addresses from memory from scratch). Now that I have an extremely small list of addresses to work with, we can watch the values change in real time and effectively make guesses. So what you're going to do is make sure you have Cheat Engine and your game set up like so:
When you pass time in the game, you're going to see the values of your addresses change in Cheat Engine. These are the addresses we are most interested in testing, as any value that is not changing while time is passing is probably not the address in control of time. I delete all addresses that aren't changing as time is passing and am left with the following:
« Last Edit: December 04, 2019, 12:20:21 PM by Night »
URW Character Menu - Cheating menu by a player, for the players.
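The value-type advice in the post above (scan with the smallest type that fits, and the same bytes can be viewed as a number or as the text "123"), shown on a constructed buffer. This is an added example, not part of the original post and not Cheat Engine code; `MEM`, `exact_scan` and `view` are hypothetical names and the byte values are made up.

```python
import struct

# Value types from the list above, mapped to little-endian struct formats.
FORMATS = {"Byte": "<B", "Word": "<H", "Dword": "<I", "Float": "<f"}

# Constructed buffer (not real game data):
#   offset 0..3  a 1-byte level of 5 packed next to other non-zero fields
#   offset 4..7  a 4-byte quantity of 5
#   offset 8..11 the NUL-terminated text "123"
MEM = bytes([5, 200, 7, 9]) + struct.pack("<I", 5) + b"123\x00"


def exact_scan(mem, type_name, value):
    """Return every offset where `value` is stored when read as `type_name`."""
    fmt = FORMATS[type_name]
    size = struct.calcsize(fmt)
    return [off for off in range(len(mem) - size + 1)
            if struct.unpack_from(fmt, mem, off)[0] == value]


def view(mem, off):
    """Read the same bytes at `off` under each value type, like switching the
    type of an entry in the address list. Nothing in `mem` is modified.
    Assumes at least 4 bytes and a NUL terminator follow `off`."""
    views = {name: struct.unpack_from(fmt, mem, off)[0]
             for name, fmt in FORMATS.items()}
    views["String"] = mem[off:mem.index(b"\x00", off)].decode("ascii", "replace")
    return views


if __name__ == "__main__":
    # A Byte scan finds both fields; a Dword scan reads too many bytes at
    # offset 0 (5, 200, 7, 9 together are not 5) and misses the 1-byte level.
    print("Byte  == 5:", exact_scan(MEM, "Byte", 5))
    print("Dword == 5:", exact_scan(MEM, "Dword", 5))
    print("view @ 8  :", view(MEM, 8))
```

The Byte scan also matches the low byte of the 4-byte quantity at offset 4, which is why a Byte scan can still lead to values that are really stored as larger types.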

Night

« Reply #1 on: December 04, 2019, 12:07:53 PM »
Using Cheat Engine: (Continued)

Step 3: Confirming your target

Now that I have a reasonable amount of addresses to test for actual effects with, I want to document these addresses in a separate file offhand so I don't lose them in the event I give the game invalid data to work with and cause a crash. So double click the address and copy the information to a notepad so you can add the address back manually, or even save the cheat table so you can load them again. Green addresses have the following format: urw.exe+A2EC404, where urw.exe represents the game's base handle (runtime dependent) and A2EC404 represents the offset of the address; this equates to B2AC404 when combined together.

After backing up my addresses, I am now ready to effectively modify them and see what they actually represent in the game. To do this, I need to effectively represent the numerical value of the address to a direct result on the game. A good way to easily test values that change over time is to simply freeze them and record if they change over time; if they do not, chances are you are freezing the variable that affects that aspect of the game... I freeze all four of my addresses and pass time twice for a total of 8 hours. The indicator I was originally searching for does not change (Early evening, wait 8 hours, still Early evening; you also notice the sun graphics in the top left stuttering and lacking movement), almost definitely meaning one of the four addresses I have frozen controls the time of day. So now that we know we have the address, it's important to document what the values represent for that address so we can effectively use it to our will. To begin, we're going to isolate the time of day address to one single address: by changing each address to a different value and refreshing the game by passing time, I should be able to determine which of the four addresses directly edits time.

I have isolated the time of day offset to 0B2AC4B5, as it is the only address I am editing and having a direct impact on the time of day. I however notice strange effects when editing this address, making it act irregular to what you'd expect the data to do. This generally means you are looking at the right spot, but are interpreting the data wrong. In my case, our search results yielded the address for the "minute" address, meaning 0B2AC4B5 determines the minute of the hour, representing a value of 0-60 (you can watch the address cycle from 1-60 when passing time and resetting). Knowing this is what the address is, and that time is stored in this fashion in the game (each representation of time has an address), I can now predict what addresses such as "day", "hour", and "month" will represent value-wise for a particular address, meaning we can use exact numbers in our filtration methods in relation to the data. For example, if we wanted to search for the address that contains our month, we would be looking for a value between 0-12 (sometimes code will use 0 as an index representation). We can also assume that the hour of the day address is a value between 0-24; finding this address will be easier because we can now set the minute of the hour address to 59, pass a tiny bit of time, and filter for an increase in the hour value when the minute value resets, as that would indicate the hour has passed. We can repeat this process until we have every address for determining the current world time, using minutes to get the address for hours, hours to get the address for current day, days to determine the passing of the month, and then using the passing of months to find an address that indicates the year. Once you have each of these addresses, you will be able to essentially control anything that relies on time.
This includes the weather/season based on month and daylight/night based on hour (also has an effect on animal activity); plant growth / hide working times can effectively be "skipped" by adding time to the current world time.


Concluding notes:

This is effectively the basis for finding addresses and modifying the game's memory. There are many techniques that I did not cover in this guide that can be helpful in finding and documenting addresses, but this effectively covers the basics of what you need to know in order to produce any kind of modification. The address I decided to target wasn't a particularly easy one to search for, but I think it gives you a good amount of perspective on the type of thinking required in order to get the results you're looking for, especially for addresses that aren't self-evident (like stats that show you the actual number so you can just do an exact value filter). For getting a feel of using Cheat Engine, I would recommend searching for values you can actually see so you're not using abstract thinking to effectively predict what the value is going to be.

If you're having trouble following this guide or are simply stuck, feel free to reply to the thread and ask questions or PM me directly, I can also provide much easier examples for people to find if they get lost. Hopefully you or someone else reading this thread finds educational value, if not at least a good read on how I find modifications to use.
URW Character Menu - Cheating menu by a player, for the players.
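The filtering loop from Step 2 of the first post (first scan, then alternating "increased" and "unchanged" next scans) and the minute-rollover step from this reply for locating the hour, run against a constructed in-memory buffer. This is an added example, not part of the original posts and not Cheat Engine code; `ToyGame`, `Scanner`, the offsets and the stored values are hypothetical.

```python
import struct

# Constructed layout (hypothetical, not the real game): two 4-byte
# little-endian clock fields, one unrelated counter and one constant.
MINUTE_OFF, HOUR_OFF, NOISE_OFF, CONST_OFF = 0x10, 0x14, 0x20, 0x30


class ToyGame:
    """Stand-in for the target process memory."""

    def __init__(self):
        self.mem = bytearray(64)
        struct.pack_into("<II", self.mem, MINUTE_OFF, 17, 9)  # 09:17
        self.mem[NOISE_OFF] = 1
        self.mem[CONST_OFF] = 42

    def idle(self):
        """Game paused: only the unrelated counter moves."""
        self.mem[NOISE_OFF] = (self.mem[NOISE_OFF] + 1) % 256

    def pass_time(self, minutes):
        minute, hour = struct.unpack_from("<II", self.mem, MINUTE_OFF)
        total = hour * 60 + minute + minutes
        struct.pack_into("<II", self.mem, MINUTE_OFF, total % 60, total // 60 % 24)
        self.idle()


class Scanner:
    """Byte-typed scanner: candidate offsets plus the value last seen there."""

    def __init__(self, game):
        self.game, self.seen = game, {}

    def first_scan(self, keep):
        self.seen = {o: v for o, v in enumerate(self.game.mem) if keep(v)}
        return len(self.seen)

    def next_scan(self, compare):
        """Keep offsets where compare(old, new) holds, then re-snapshot."""
        mem = self.game.mem
        self.seen = {o: mem[o] for o, old in self.seen.items() if compare(old, mem[o])}
        return sorted(self.seen)


def increased(old, new):
    return new > old


def unchanged(old, new):
    return new == old


def find_minute():
    game = ToyGame()
    scan = Scanner(game)
    scan.first_scan(lambda v: v > 0)   # unknown value, only known to be above 0
    game.pass_time(5)
    scan.next_scan(increased)          # time passed, so the clock value grew
    game.idle()
    scan.next_scan(unchanged)          # paused: drops values that move anyway
    game.pass_time(7)
    return scan.next_scan(increased)


def find_hour():
    game = ToyGame()
    scan = Scanner(game)
    scan.first_scan(lambda v: 0 <= v <= 24)           # hour range given in the reply
    struct.pack_into("<I", game.mem, MINUTE_OFF, 59)  # set the known minute to 59
    game.pass_time(1)                                 # minute resets, hour ticks
    scan.next_scan(increased)
    game.idle()
    return scan.next_scan(unchanged)


if __name__ == "__main__":
    print("minute candidates:", [hex(o) for o in find_minute()])
    print("hour candidates:  ", [hex(o) for o in find_hour()])
```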