Step 6: Pointer scanning

In the previous step I explained how to use the Code finder to handle changing locations. But that method alone makes it difficult to find the address to set the values you want. That's why there are pointers:

At the bottom you'll find 2 buttons. One will change the value, and the other changes the value AND the location of the value. For this step you don't really need to know assembler, but it helps a lot if you do.

First find the address of the value. When you've found it, use the function to find out what accesses this address. Change the value again, and an item will show up in the list. Double click that item (or select it and click on more info) and a new window will open with detailed information on what happened when the instruction ran. If the assembler instruction doesn't have anything between a '[' and ']' then use another item in the list. If it does, the window will say what it thinks will be the value of the pointer you need. Go back to the main Cheat Engine window (you can keep this extra info window open if you want, but if you close it, remember what is between the '[' and ']') and do a 4 byte scan in hexadecimal for the value the extra info told you. When done scanning it may return 1 or a few hundred addresses. Most of the time the address you need will be the smallest one. Now click on the "Add Address Manually" button and select the pointer checkbox.

The window will change and allow you to type in the address of a pointer and an offset. Fill in the address you just found. It can be in the form "Tutorial-i386.exe"+xxxxxx (relative to the process), or you can double click the address to add it to the address list and use the absolute address which appears there. If the assembler instruction has a calculation at the end (e.g. [esi+12]), then type the value at the end of that calculation into the field above the address field. This is the offset. Otherwise leave it 0. If it was a more complicated instruction, look at the following calculation.

Example of a more complicated instruction: [EAX*2+EDX+00000310] eax=4C and edx=00801234. In this case EDX would be the value the pointer has, and EAX*2+00000310 the offset, so the offset you'd fill in would be 2*4C+00000310=3A8. (This is all in hex, use calc.exe from Windows in Programmer mode to calculate hex values.)
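
The offset calculation described above, as an added example that is not part of the original tutorial or of Cheat Engine: a small Python helper that splits a bracketed operand into the pointer value to scan for and the offset to fill in. The name split_operand, the rule that the first unscaled register holds the pointer value, and the ESI sample value are assumptions made for this example.

```python
import re

def split_operand(operand, regs):
    """Split a memory operand such as '[EAX*2+EDX+00000310]' into
    (pointer_value, offset, effective_address).

    regs maps register names to the values shown in the extra info window.
    Assumption: the first unscaled register holds the pointer value; scaled
    registers and constants (always read as hex) are folded into the offset.
    """
    text = operand.strip()
    if not (text.startswith("[") and text.endswith("]")):
        raise ValueError("nothing between '[' and ']': use another item in the list")
    regs = {name.upper(): value for name, value in regs.items()}
    base, offset = None, 0
    for sign, term in re.findall(r"([+-]?)\s*([^+\-\s]+)", text[1:-1]):
        name, _, scale = term.upper().partition("*")
        if name in regs:
            if not scale and sign != "-" and base is None:
                base = regs[name]          # value to scan for (4 byte, hex)
                continue
            value = regs[name] * int(scale or "1")
        else:
            value = int(term, 16)          # displacement, e.g. 00000310
        offset += -value if sign == "-" else value
    if base is None:
        raise ValueError("no unscaled register to act as the pointer value")
    return base, offset, base + offset

if __name__ == "__main__":
    # Register values from the tutorial text; the ESI value is constructed.
    samples = [
        ("[EAX*2+EDX+00000310]", {"eax": 0x4C, "edx": 0x00801234}),
        ("[esi+12]", {"esi": 0x00A01000}),
    ]
    for operand, regs in samples:
        pointer, offset, address = split_operand(operand, regs)
        print(f"{operand}: scan for {pointer:08X}, offset {offset:X}, value at {address:08X}")
```

The third value returned is the address the value lives at right now; only the first two go into the "Add Address Manually" window.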

Back to the tutorial: click OK and the address will be added. If all went right the address will show P->xxxxxxx, with xxxxxxx being the address of the value you found. If that's not right, you've done something wrong. Now change the value to 5000 using the pointer you added and click in the 'Active' column to freeze it. Then click Change pointer, and if all went right the Next button will become visible.

Extra: You could also use the pointer scanner to find the pointer to this address. https://cheatengine.org/help/pointer-scan.htm
