Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


Better Explanation of "Physical Memory" and "

 
MitchellKrenz
How do I cheat?
Reputation: 0

Joined: 06 Mar 2016
Posts: 2

Posted: Sun Mar 06, 2016 8:17 pm    Post subject: Better Explanation of "Physical Memory" and "

Hello, I have used Cheat Engine before to make memory-based game bots where I'd first use Cheat Engine to find the pointers to relevant values and functions and then write my own program to be injected and, based off of those values, potentially call those functions. I am now interested in attempting to do the same for Android games, and from my research it seems that the best way to do this would be to install the BlueStacks Android Emulator and run the game in the emulator and then use CE to find the pointers I need.

I have watched a few tutorials that show what settings to choose in order to expose the "Physical Memory" option in the process list and it also shows that the "MEM_MAPPED" setting must be checked.
I am not totally sure that my understanding of this is correct, but it seems to me that "Physical Memory" makes it so that instead of scanning just one process, CE scans through all allocated RAM. If that assumption is correct, then why do I have to do it this way for games running in the emulator? Logically one would think that you would just attach CE to the BlueStacks process. And if I did find the pointers using "Physical Memory", would they actually stick around through system reboots? It seems like that wouldn't work the same way as with a normal process and how it allocates and loads itself into memory... I am just not understanding how, even if I found the address, I would inject a dll that I wrote into that process when I don't even know what process it is running in...

I know I am sort of rambling, but lastly, with the "MEM_MAPPED" option, there is a note next to it that says something to the effect of this may need to be checked if you're working with an emulator. What exactly is it that this option changes, why do I need to check this option when doing this and, again, how does this affect what I'm trying to do with injecting a dll into the process in order to read/write values and execute functions?

This side of things, Android, emulators, physical memory, memory mapped files, etc... is all so very new to me and I would honestly love to learn about it. Unfortunately all of the tutorials I can find are just YouTube videos that show you what settings to check in order to find an address one time, but don't come close to explaining the why of it all or talking about finding a pointer in this situation rather than just finding the address once off. So please, any help you can provide in the form of already written tutorials, your direct knowledge in the form of a reply, or a link to something that can get me started, etc.. would be greatly appreciated. I have done a lot of googling and searching through the CE forums and I am at a loss; everything seems to just be a quick and dirty how-to that is effectively useless if you want to actually learn something.
Thanks for reading my long rambling :).


EDIT:
While waiting for a reply I've been looking at some other posts and saw something about a CE for Android and a CEServer, which suggests you run the server on Android and the GUI on a Windows box and connect to the server to control the scanning. Is this more recommended? I saw a lot of things that suggested those methods are basically alpha status and I wouldn't know where to begin to write my own program for dll injection and such, not that I have any idea with the other mentioned methods either... clearly I am at a total loss here and very much in need of some help lol.
Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25785
Location: The netherlands

Posted: Mon Mar 07, 2016 4:53 am

there is physical memory and virtual memory

normally you use virtual memory when scanning and using pointers. it's made out of blocks of physical memory.
e.g virtual address 00400000 might be physical address 1000
and virtual address 00401000 might be physical address 2ffe00000
pointers in memory reference virtual addresses. so if a pointer points to 00401000 it has as bytes 00 10 40 00, not 00 00 e0 ff 02

therefore pointers are useless when using physical memory scans.

also, physical memory contains memory about all processes, not just the one belonging to the process you're interested in.

-
mem_mapped regions are memory regions that point to a file/page based object. Normal games never use those to store game variables in
but mem_mapped memory scanning is recommended for emulators because they often use a memory map object to hold the emulated physical memory of the emulated system they emulate (so forget about pointers there as well)
-

using ceserver or another 'native' method is recommended yes, but you will have to change your way of thinking. (dll injection is out of the question. at best do an .so injection if it's an android system being emulated)

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so i can keep helping
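
Added example (not part of the original posts and not Cheat Engine code): a toy page-table model built from the two mappings in the reply above, assuming 4 KiB pages and 32-bit little-endian pointers. It shows that the pointer bytes a physical-memory scan finds are the virtual address, which leads nowhere unless it is translated through the owning process's page table.

```python
import struct

PAGE = 0x1000  # assumption: 4 KiB pages

# Page table of ONE process, using the two mappings from the reply above:
# virtual page base -> physical frame base.
PAGE_TABLE = {0x00400000: 0x1000, 0x00401000: 0x2FFE00000}

# Sparse model of RAM: physical frame base -> frame contents.
RAM = {frame: bytearray(PAGE) for frame in PAGE_TABLE.values()}
RAM[0x5000] = bytearray(PAGE)  # constructed frame belonging to another process


def translate(vaddr):
    """Virtual -> physical, as the MMU does with this process's page table."""
    page, offset = vaddr & ~(PAGE - 1), vaddr & (PAGE - 1)
    return PAGE_TABLE[page] + offset  # KeyError: page not mapped


def write_virtual(vaddr, data):
    paddr = translate(vaddr)
    frame = paddr & ~(PAGE - 1)
    RAM[frame][paddr - frame:paddr - frame + len(data)] = data


def read_physical(paddr, size):
    """Read RAM by physical address; None if no frame is present there."""
    frame = paddr & ~(PAGE - 1)
    if frame not in RAM:
        return None
    return bytes(RAM[frame][paddr - frame:paddr - frame + size])


def scan_physical(pattern):
    """Physical addresses of every occurrence of pattern in RAM."""
    hits = []
    for frame in sorted(RAM):
        pos = RAM[frame].find(pattern)
        while pos != -1:
            hits.append(frame + pos)
            pos = RAM[frame].find(pattern, pos + 1)
    return hits


# The process stores a value at virtual 0x00401000 and a pointer to it at 0x00400010.
write_virtual(0x00401000, struct.pack("<I", 1337))
write_virtual(0x00400010, struct.pack("<I", 0x00401000))

if __name__ == "__main__":
    ptr = struct.unpack("<I", read_physical(0x1010, 4))[0]
    print(hex(ptr), read_physical(ptr, 4), read_physical(translate(ptr), 4))
```
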
MitchellKrenz
How do I cheat?
Reputation: 0

Joined: 06 Mar 2016
Posts: 2

Posted: Mon Mar 07, 2016 10:00 am

Thank you very much for your quick response, that helps clear up quite a bit, I am glad to hear (in a weird way) that I'll have to change my way of thinking. After all, it means I get to learn something totally new haha. Although, thinking about this more, it's starting to look like the easiest thing to do would potentially be to intercept the IP traffic in between the game and the server and reverse it such that I can essentially make my own version of the game with no GUI, perhaps if I'm lucky, it'll even be http based.

EDIT:
Also, is the source code available for your android version of CE? I saw various download links for the executable, but I didn't notice a specific, latest version repository type thing, and if available I would like to look through the code to see how it works because I figure that what it does is probably very similar to what I would want to do in order to control and automate another program running on an android OS.
louisthach
How do I cheat?
Reputation: 0

Joined: 04 Mar 2020
Posts: 2

Posted: Wed Mar 04, 2020 10:28 pm

Hi MitchellKrenz,

Have you been successful in finding out how to find the Base Address in any way? I'm stuck on how to find the Base Address of a mobile online game on BlueStack Emulator & CE; I just want to create a bot doing some basic actions such as using HP portion, MP portion, Attack NPC,...

When I found the address of HP, for example, "Find out what accesses this address" always returns empty. If you know how to do it, please share, I would really appreciate it.

Thanks.
LouisThach.

_________________
Never stop learning...
All times are GMT - 6 Hours