
Speak of the Devil: I did my second talk

2026 Apr 09 (E: 2026 Apr 10)

The slides (n=17) can be downloaded at /downloads/talk2.pdf.

shrinkydink.CEA was written for the demo.

You can also check out my previous talk for the same audience.

Q&A

What do you mean by “attach”?

To open a process with a debugger, or to have any other kind of program open a target process through the operating system's debugging API. On Windows a real debugger attaches with DebugActiveProcess, but a memory scanner like Cheat Engine only needs a handle from OpenProcess with PROCESS_VM_READ and PROCESS_VM_WRITE access to read and write the target's memory.

For Linux (sys/ptrace.h)[1]

long ptrace(enum __ptrace_request op, pid_t pid,
                   void *addr, void *data);

For Windows (windows.h)[2]

HANDLE OpenProcess(
  [in] DWORD dwDesiredAccess,
  [in] BOOL  bInheritHandle,
  [in] DWORD dwProcessId
);
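The Linux side of "attach", as an added example that is not code from the talk: a parent forks a child that spins on a variable, attaches to the child with PTRACE_ATTACH, reads the variable with PTRACE_PEEKDATA, overwrites it with PTRACE_POKEDATA and detaches. fork() duplicates the address space, so the variable sits at the same address in both processes and no memory scan is needed. The names target, attach_and_patch and demo are ours. One caveat a practitioner runs into immediately: with /proc/sys/kernel/yama/ptrace_scope set to 1 (the default on many distributions) an unprivileged process can only attach to its own descendants, which is why the example uses fork() instead of a PID typed in by hand.

```c
/* Added example, not code from the talk or from Cheat Engine/PINCE.
 * Minimal ptrace "attach": read and rewrite one word in a child process. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile long target = 0x1337;   /* stands in for a game variable */

/* Attach to pid, read the word at addr, overwrite it with newval, detach.
 * Returns the value read before the write, or -1 on failure (typically
 * EPERM: Yama ptrace_scope, seccomp, or a target that is not a descendant). */
static long attach_and_patch(pid_t pid, void *addr, long newval)
{
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) {
        perror("PTRACE_ATTACH");
        return -1;
    }
    int status;
    /* The target's memory is only accessible once it is in ptrace-stop. */
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;

    errno = 0;   /* PEEKDATA returns the data itself, so -1 alone is ambiguous */
    long old = ptrace(PTRACE_PEEKDATA, pid, addr, NULL);
    if (old == -1 && errno != 0) {
        perror("PTRACE_PEEKDATA");
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
        return -1;
    }
    if (ptrace(PTRACE_POKEDATA, pid, addr, (void *)newval) == -1) {
        perror("PTRACE_POKEDATA");
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
        return -1;
    }
    ptrace(PTRACE_DETACH, pid, NULL, NULL);   /* the child resumes here */
    return old;
}

/* Fork a child that loops until target changes, patch target from the
 * parent, and return the low byte of the value the child observed (its
 * exit status), or -1 if the attach, the read or the write failed. */
static int demo(long newval)
{
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        while (target == 0x1337)
            ;                               /* the "game loop" */
        _exit((int)(target & 0xff));
    }
    long old = attach_and_patch(pid, (void *)&target, newval);
    if (old != 0x1337) {                    /* attach failed or read was wrong */
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return -1;
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int seen = demo(0x42);
    printf("child saw target = 0x%x after the debugger-side write\n", seen);
    return seen == 0x42 ? 0 : 1;
}
```

Everything Cheat Engine or PINCE does on top of this (scanning, pointer paths, code injection) is reads and writes through the same two primitives, just with the addresses found by searching instead of known in advance.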

What happens if you attach Cheat Engine to Cheat Engine?

Attaching Cheat Engine to Cheat Engine starts the Cheat Engine tutorial.

Regarding pointer paths and manipulating the same variables across restarts, different computers, and environments

As long as there is a valid pointer path starting from a static address inside the executable's image (Cheat Engine shows the image base, 0x400000 for a typical 32-bit executable, as "GameName.exe"), the same variable can be found again across restarts, on other computers and in other environments. This holds until the developer patches the game or releases a new version. A patch usually moves the static (base) address, but the higher level offsets, which describe the layout of the objects the path walks through, can generally be reused.

For example, a game has a variable at…

After a patch, the variable can no longer be targeted with the same path. But the gamehacker can still reuse the offsets [24, 1c1, 1b00] and only has to find the new static address.
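How a pointer path is actually resolved, as an added example that is not code from the talk or from Cheat Engine: the walk is [[[static]+24]+1c1]+1b00, i.e. read the static pointer, add an offset and dereference for every offset except the last, which is only added. Instead of a live game the example runs against a constructed image of one process region; the base 0x400000, the static pointer's position inside the module, the offsets from the page and the "hp" value are all assumed for illustration. The second "version" of the image moves the static pointer to mimic a patch, and a third call shows what a stale static address does.

```c
/* Added example, not code from the talk. Cheat Engine style pointer-path
 * resolution over a constructed (fake) image of a process region. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BASE   0x400000u   /* "GameName.exe" image base (assumed) */
#define REGION 0x2000u     /* size of the simulated region (assumed) */

typedef struct { uint8_t bytes[REGION]; } image_t;   /* fake process memory */

/* Read a 32-bit little-endian value at virtual address addr. Returns 0 on
 * success, -1 if the read leaves the region (ReadProcessMemory failing). */
static int read_u32(const image_t *img, uint32_t addr, uint32_t *out)
{
    if (addr < BASE || addr + 4 > BASE + REGION)
        return -1;
    memcpy(out, img->bytes + (addr - BASE), 4);
    return 0;
}

static void write_u32(image_t *img, uint32_t addr, uint32_t val)
{
    memcpy(img->bytes + (addr - BASE), &val, 4);
}

/* Resolve [[...[static]+off[0]...]+off[n-2]]+off[n-1]: dereference the
 * static address, then add and dereference each offset except the last,
 * which is added without a dereference. Returns the final address, or 0
 * when a pointer on the chain cannot be read (object not allocated yet,
 * or a static address that no longer holds the pointer). */
static uint32_t resolve_path(const image_t *img, uint32_t static_addr,
                             const uint32_t *off, size_t n)
{
    uint32_t cur;
    if (n == 0 || read_u32(img, static_addr, &cur) != 0)
        return 0;
    for (size_t i = 0; i + 1 < n; i++) {
        uint32_t next;
        if (read_u32(img, cur + off[i], &next) != 0)
            return 0;
        cur = next;
    }
    return cur + off[n - 1];
}

/* Build one "version" of the game. The object layout (the higher level
 * offsets) is identical in every version; only the static pointer moves. */
static void build_image(image_t *img, uint32_t static_off, uint32_t hp)
{
    memset(img, 0, sizeof *img);
    uint32_t objA = BASE + 0x100, objB = BASE + 0x200, objC = BASE + 0x300;
    write_u32(img, BASE + static_off, objA);   /* "GameName.exe"+static_off */
    write_u32(img, objA + 0x24, objB);
    write_u32(img, objB + 0x1c1, objC);
    write_u32(img, objC + 0x1b00, hp);          /* the variable we want */
}

static const uint32_t offsets[] = { 0x24, 0x1c1, 0x1b00 };

/* Read the variable through the path in a version whose static pointer is
 * at BASE+static_off. Returns the value, or 0xFFFFFFFF if the path breaks. */
static uint32_t read_via_path(uint32_t static_off, uint32_t hp)
{
    image_t img;
    build_image(&img, static_off, hp);
    uint32_t addr = resolve_path(&img, BASE + static_off, offsets, 3);
    uint32_t val;
    if (addr == 0 || read_u32(&img, addr, &val) != 0)
        return 0xFFFFFFFFu;
    return val;
}

/* After a "patch" the old static address holds 0: the chain fails on the
 * first dereference even though the offsets are unchanged. Returns the
 * resolved address, 0 meaning failure. */
static uint32_t stale_static_resolves(uint32_t old_off, uint32_t new_off)
{
    image_t img;
    build_image(&img, new_off, 450);
    return resolve_path(&img, BASE + old_off, offsets, 3);
}

int main(void)
{
    printf("v1.0 hp = %u\n", read_via_path(0x1000, 450));
    printf("v1.1 hp = %u (same offsets, new static)\n", read_via_path(0x1080, 450));
    printf("v1.0 static on v1.1 resolves to %#x\n", stale_static_resolves(0x1000, 0x1080));
    return 0;
}
```

The failure case is the one to keep in mind when a table "stops working": resolve_path returning 0 (Cheat Engine shows "??") means a pointer on the chain could not be read, which happens both after a patch and, legitimately, before the object exists (main menu, loading screen).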

Cheat Engine dialect of x86 assembly

What’s with the assembly code you wrote?

I don’t recognize the directives at the top.

The “Cheat Engine dialect” is specialized for code injection. A generic assembler will not understand an address written as "GameName.exe"+123456 (module name plus offset, resolved at injection time against wherever the module was actually loaded). There are also Cheat Engine specific directives such as alloc, which reserves memory in the target process for the injected code, and registersymbol, which gives that allocated memory a name that the cheat table and the Lua interpreter can use.

Would the code injections you wrote in x86 assembly still work on ARM?

The game would need to be running on an ARM computer to begin with. While I don’t know about running x86 binaries and games on ARM, at SCaLE 23x, Lutris managed to run Crysis on an ARM machine.

Cheat Engine assembles the injected code into x86 machine code at runtime. If the game reaches the ARM machine through an x86 emulation layer, those bytes should be x86 code to the emulator just like the rest of the game's code. If the game were a native ARM build, the same bytes would mean something completely different to an ARM CPU (or nothing at all), and the injections would have to be rewritten in ARM assembly.

What’s the difference between attaching a debugger from Linux and attaching a debugger within Wine?

The debugger on the Linux side is PINCE, a Cheat Engine like GUI on top of gdb.

Within the context of the presentation itself, the gdb output showed 64-bit registers (r**) while Cheat Engine mainly stuck to 32-bit registers (e**).

Attaching gdb from the Linux side, as opposed to running Cheat Engine inside the same Wine prefix, has a general advantage when evading anti-cheat: the debugger is a Linux process outside the prefix, so the usual Windows-side debugger artifacts (the BeingDebugged flag in the PEB, a Cheat Engine process or window inside the prefix) are not there for the anti-cheat to find. See WINE for Video Game Hackers from LayerOne 2025.

What’s the deal with VRAM?

Memory scanning as featured (ReadProcessMemory or ptrace over the game process's address space) operates only on system memory, not on GPU memory.

VRAM is arranged and accessed differently from RAM: it is designed for the wide parallel access that graphics processing needs, and the CPU does not address it the way it addresses RAM. The game uploads textures, meshes and shaders to it through the graphics driver rather than through ordinary pointers.

Typically, messing with the game’s graphics involves graphics API interception (hooking the game's Direct3D, OpenGL or Vulkan calls) rather than what’s featured in the talk.

What games do you recommend for getting started with gamehacking?

Legally, a free and open source game, or a game whose EULA has no anti-reverse engineering clause.

To avoid account bans or being a d*ck to multiplayer communities, singleplayer or offline games.

For simplicity, games written entirely in a compiled language (C, C++) that do not run a scripting engine: with a scripting engine the interesting state lives in interpreter-managed structures, not at fixed offsets in native objects, so pointer paths and code injection get much harder.

Games with prolific reverse engineering and hacking communities include

Can you spawn multiple bosses?

Yes.

Turn off gravity!

At [[mediator]+24]+1204 is some variable associated with velocity or acceleration on the y-axis. During the talk the opcode that wrote to this variable was overwritten with five nops (the instruction was 5 bytes long), which stopped the write but also disabled jumping.

Here is some hastily written code to attenuate changes to position on the y-axis.

https://codeberg.org/scuti/dmc4se-trainer/src/branch/gravity/CEAs/moonjump.CEA

Are you that person?

I use a separate alias on Steam.


  1. https://man7.org/linux/man-pages/man2/ptrace.2.html

  2. https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess