1. main panel
1.1 scanner
icons upside: choose process, open trainer, save as.
middle: shows process name and process PID.
down here: First scan, next scan, Undo scan(works for 1 time only).
scan type: exact value, value between/lower/higher, unknown initial value
scan type(middle of scan): decreased/increased value [by:],changed/unchanged value(unchanged only check on value, not really changed or not), same as first scan(a shortcut, and it's not recent scan)
value type: 1/2/4/8 byte, float, double, binary(slow...), text(doesn't work on changing because it's read-only), array of bytes(use address value), all(hybrid-scan, new thing on 5.4), custom(also new, and I've no idea how to modify it)
right: settings(useful things)
middle: memory scan options, speedhack, etc.
down: address list, advanced options(useful also), comments(the ?, like notes or something)
2. prospecting the functions:
process list:
attach to process(to add it onto "created process", which you can swap processes easily, but make sure you remember the process's PID!)
create process(open a process, and attach it immediately)
open file(search/edit a file, I think this is a function that we don't know...)
process/window list: process list is default, but when some program are kernel(you can't find process name here) or invisible window, you choose window list and attach to that window.
process list(long): list all process a process have(what process viewer does, and it doesn't work a lot to find the real one)
scan type:
exact value: a=a. b=b. it must be the same.
bigger/smaller than: a>b, b
value between: 3 is between 1 to 16.
unknown initial value: no idea? use it!
scan type(middle of the scan):
increased/decreased value: check added/subtracted
increased/decreased value by: check added/subtracted by a value, at least xx% means >10% value changing.
changed/unchanged value: check value changed or not, but if it was changed and back to same value, it is identified as unchanged
same as first scan: do what you do at first, not recent.
value type:
binary: bits or decimal(matters on what kind of value you put in)
1/2/4/8 bytes: normal searching(1 byte can't do fast scan, and usually 32-bit system used up to 4byte, not 8byte)biggest value for 1/2/4/8 byte: 255/65535/4294967295/4294967295^2(too big...)
float/double: used when a dot is in here.(3 functions: rounded(default),rounded(extreme) and truncated(default is what it always do, extreme is to take lowest, and truncated is a cut value))
text: search text(you do it only in a file, not game, as in game they are read-only)(unicode: search unicode instead of letter(useful on searching symbols) and case sensitive(C and c are not same))
array of bytes: hex(using 0123456789ABCDEF, also with 1/2/4/8 bytes and all)
all: hex
memory scan options:
16/32-bit/all: choose memory region. 16-bit is for DOS, 32-bit is for windows, and all is for everything
also scan read-only memory: scan read-only memory also.(you don’t need it, as if you find it, you can’t change it unless with codes)
fast scan/hyper scan: speed up your scan(usually disabled)
pause the game while scanning: stop the game while scanning(useful when values may change and you can’t pause the game)
unrandomizer: freeze random value(useful when you play dice games, you can make all 6!)
enable speedhack: speedhack(CE doesn’t have a good one, though)
speed: the speed(notice: don’t set too fast, don’t set fast and slow, don’t set fast then untick, and it will be all ok)
sleeptime: how accurate it is(3 is really ok, just don’t change it)
arrow: add all selected addresses to select list
result window:
browse memory region: go to that place using memory viewer
disassemble memory region: just the same as above
delete current address: modify results
select all items: alt+a.
memory view: use memory viewer and go to last place you exited.
red circle with a line: delete all addresses
add address manually: add it manually(no result, pointer, offset, etc.)
address window:
frozen: freeze the address.(this can’t do +/- freeze)
description: let you know what is it
addresses: output address
type: how it shows
right-click commands:
change record: change things
smart edit address: use find and replace option on description, and adjust address by using positive/negative value.
browse this memory region: use memory editor with jumpinig to this address.
show as hex value: base10 to base16/base16 to base10
set a hotkey: change addresses without typing value(choosing decreased/increased will result as +/- freeze which is going 1 side only)
freeze address in this list: freeze them.
pointer scan: scan for pointers(injected can be launched once only, but normal can be launched unlimited times, and sometimes need relaunch to make it start working, and it doesn’t work always.)
find out what accesses/writes to/read from this address: find codes with relevance(access means breakpoint without stopping, writes to is for finding codes editing the address. and read from means find addresses execute based on this address, which causes a lot of lag)
recalculate address: just calculate it again.
force recheck symbols: I wonder what it does.
group: see your address easier if there are too much.
advanced options: below settings
settings: below
comments: nothing to tell
3.settings:
general:
show undo button: you can undo results.
show advanced options: see if you want to get even more useful skills.
update the list of found addresses even after scanning: you can see changes on result window.
center CE when bringing to front: each time you open, it's in center, isn't it?
hide some/all windows instead of trying to bring CE to front: if you disable it, you succeed to bring it to front! yay!
address list specific:
show values as if they are signed: negative/positive value. useful for reverse-engineering(values go reversed).
show and work with binaries as if they are decimals: change base2 if base10. recommended with no tick.
simple paste: let you paste the value.
configure hotkeys: easier scanning(not sure it works in game or not)
configure unrandomizer: you’d better don’t touch it, as it doesn’t do much if you edited it…
automatically attach to processes named [ ](used on trainer, and it can attach in critical time.)
even autoattach when another process has already been selected: e.g you choose auto-attach a, you are attaching b, and you run a, so it attaches of you tick it)
update/found addresses list update/freeze interval: update address value/update result value/freeze checker time.
scan settings:
size of scanbuffer: just like video buffer. smaller makes scan slower, but higher may make your result comes slower even all scanned.
fast scan by default: apply it all the time
enable hyperscan when possible: tick it, if it can be ticked.
Don’t scan memory that is protect with the No Cache option: don’t scan memory that has no cache.
keep low memory usage when doing an “unkown initial value†scan with hyper scan(wow the author spell unknown wrong!): let you scan all addresses without being too laggy.
MEM_PRIVATE/IMAGE/MAPPED: other memorys(you don’t need to change it)
run scan in separate thread: prevent errors like 5.3(cancel button is disable after 5 seconds)
file associations: make CE accept the file type.
plugins: let you use CE with more fun or easier.
code finder: address to code.
debug register/memory access exceptions: choose how do you find a code.
try to prevent detection of the debugger: for those CE-prevented games.
handle beakpoints not caused by CE:(OMG breakpoints spelled wrong) only if you use breakpoint, you need to know about it.
assembler: just disassembler.
show disassembler: show it or not.
use hardware/int3 instruction breakpoints: how to break.
replace incomplete opcodes with nops/ask for replace with nop: if opcode is smaller than the area, fill extra with nops. and it asks if you want to do so.
try to prevent detection of the debugger: same as the one in code finder, and even with same tick/untick condition.
extra:
use the following CE Kernel routines instead of the original windows version: use it if you think windows sucks.
undo changes to CE: if something changed, it will get back to unchanged.
enable use of the Process Watcher: watch processes/
use kernelmode debugger options when possible: use it if you want.
stealth mode(usermode/kernelmode): try to hide it from other processes.
4. advanced options
it is a reeeaaaaaally useful tool, with almost 20% of the functions here.
full list:
replace code that does nothing(instantly! and it is just nop)
replace with original code(good when you find errors after changed)
finding out what addresses this code read from(good for finding useful stuffs by the one you have, like hp/ap/money/etc.)
find code inside a file(patch a file with the modified code)
replace all(with nop, but the creator missed it obviously...)
these are those things which appears in disassembler, but we seldom use it.
pause process(the pause button above, and almost none of us know that)
directx-mass(used on directx games, which you can zoom, create lag, etc.)
these are those "forbidden" commands or just..."unknown" commands
5. disassembler
these are where the place having much more "forbidden" commands.
5.1 right-click commands
go to address: it's confusing that it is on the right-click list, but not on toolbar.
assemble: change opcodes instantly(like opening it and add nop). don't touch it if you don't know, as it would crash if you execute.
change register at this location: e.g a code writes mov [edx],[eax] and you can't change the code, so you use it to change(to stop it, choose toggle breakpoint on top of it, and it requires code finder, so you should stop finding out those codes.)
toggle breakpoint: a breakpoint is when a process runs this code, it stops here. breakpoint shows green, and it can't be used with other code-finder options.
break and trace instructions: when it get executed, it trace back automaticly, then let it go.
create jump and initialize code-wave: like making this address changed to another and make it all with something useless.
5.2 toolbar
file:
open window: open a new memory viewer.
save disassembled output: like what program does. save code, opcode, value.
set new symbol searchpath: no idea what it does.
save/load memory region: to save a region of memory(must be readable, and once there is a mistake, you need to repen it)
search:
find memory: a simpler version from main searcher.
find assembly code: find codes.
view:
stacktrace: no idea what it is
breakpoint list: show all breakpoints.
thread list: show all threads.
debug strings: no idea what it is.
memory regions: reference of unknown initial value.
heaplist: no idea what it is.
enumerate DLL’s: check what dll used.
bottom 5: about symbols and addresses. no need to change it.
debug:
run/step/step over/run till: about breakpoints.
toggle breakpoint: also on right-click options.
break: break threads.
allocate memory: make fresh memory.
scan for code-waves: find code-waves.
fill memory: fill a region with something.
create thread: make a thread.
dissect code/data/window/PE headers: prospect them and see what are they made of.
pointer scan: we have it on right-click options on address window already.
find static addresses: find green addresses, which won’t move.
inject DLL: make a dll to inject, to have a same result as using mem-editor.
auto assemble: do assemble with automatic helps.
script: for script users.
kernel tools: you can use it only if kernel mode is operated.
