Step 6: Pointers: (PW=098712)
In the previous step I explained how to use the Code finder to handle changing locations. But that method alone
makes it difficult to find the address to set the values you want.
That's why there are pointers:
At the bottom you'll find 2 buttons. One will change the value, and the other changes the value AND the location of
the value.
For this step you don't really need to know assembler, but it helps a lot if you do.
First find the address of the value. When you've found it, use the function to find out what accesses this address.
Change the value again, and an item will show in the list. Double click that item (or select it and click on more info) and
a new window will open with detailed information on what happened when the instruction ran.
If the assembler instruction doesn't have anything between a '[' and ']' then use another item in the list.
If it does, it will say what it thinks the value of the pointer you need will be.
Go back to the main Cheat Engine window (you can keep this extra info window open if you want, but if you close it,
remember what is between the [ and ]) and do a 4 byte scan in hexadecimal for the value the extra info told you.
When done scanning it may return 1 or a few hundred addresses. Most of the time the address you need will be the
smallest one. Now click on manually add and select the pointer checkbox.
The window will change and allow you to type in the address of a pointer and an offset.
Fill in as address the address you just found.
If the assembler instruction has a calculation (e.g. [esi+12]) at the end, then type in the value that's at the end, else
leave it 0. If it was a more complicated instruction, look at the calculation.
Example of a more complicated instruction:
[EAX*2+EDX+00000310] with eax=4C and edx=00801234.
In this case EDX would be the value the pointer has, and EAX*2+00000310 the offset, so the offset you'd fill in
would be 2*4C+00000310=3A8. (This is all in hex; use calc.exe from Windows in scientific mode to calculate.)
Back to the tutorial: click OK and the address will be added. If all went right the address will show as P->xxxxxxx, with
xxxxxxx being the address of the value you found. If that's not right, you've done something wrong.
Now, change the value using the pointer you added to 5000 and freeze it. Then click Change pointer, and if all went
right the next button will become visible.
Extra:
You could also use the pointer scanner to find the pointer to this address.
-----------------------------------------------------------
Step 7: Code Injection: (PW=013370)
Code injection is a technique where one injects a piece of code into the target process, and then reroutes the
execution of code to go through your own written code.
In this tutorial you'll have a health value and a button that will decrease your health by 1 each time you click it.
Your task is to use code injection to increase the value of your health by 2 every time it is clicked.
Start with finding the address and then find what writes to it.
Then, when you've found the code that decreases it, browse to that address in the disassembler, and open the auto
assembler window (ctrl+a).
There click on template and then code injection, and give it the address that decreases health (If it isn\'t already filled
in correctly)
That will generate a basic auto assembler injection framework you can use for your code.
Notice the alloc; that will allocate a block of memory for your code cave. In the past, on pre-Windows 2000
systems, people had to find code caves in memory (regions of memory unused by the game), but that's luckily a
thing of the past since Windows 2000, and these days doing so will cause errors when trying to use them, due to SP2 of XP
and the NX bit of newer CPUs.
Also notice the lines newmem: and originalcode: and the text "Place your code here".
As you guessed it, write your code there that will increase the health by 2.
A useful assembler instruction in this case is the "ADD instruction".
Here are a few examples:
"ADD [00901234],9" to increase the value at address 00901234 by 9
"ADD [ESP+4],9" to increase the value at the address pointed to by ESP+4 by 9
In this case, you'll have to use the same thing between the brackets as the original code has that decreases your
health.
Notice:
It is recommended to delete the line that decreases your health from the original code section, else you'll have to
increase your health by 3 (you increase by 3, the original code decreases by 1, so the end result is an increase
by 2), which might become confusing. But it's all up to you and your programming.
Notice 2:
In some games the original code can consist of multiple instructions, and sometimes, not always, it might happen
that code at another place jumps into the middle of your jump instruction and will then cause unknown behavior. If that
happens, you should usually look near that instruction, check the jumps and fix it, or perhaps even choose to use a
different address to do the code injection from, as long as you're able to figure out the address to change from inside
your injected code.
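The two "Notice" paragraphs above describe how the net effect of a hook depends on whether the relocated original code still runs after your cave. The following C program is an added illustration of that idea and is not part of the tutorial or of Cheat Engine: it models the patched jmp as a function pointer, the "Place your code here" block as an ADD on the health value, and the originalcode: section as an optional call to the original decrement, so you can see why keeping the original code forces you to add 3 to end up with +2. All names and values in it are constructed for the example.

```c
#include <stdio.h>

/* Constructed model of the tutorial target: a health value and a handler that runs on each click. */
static int health = 100;
typedef void (*click_handler_t)(void);

/* "Original code": the instruction CE shows when you ask what writes to health (sub [health],1). */
static void original_decrease(void) { health -= 1; }

/* Dispatch slot standing in for the jmp that the auto assembler patches in; starts at the original code. */
static click_handler_t click_hook = original_decrease;
static int run_original_after_cave = 0;   /* models whether you kept the originalcode: section */
static int cave_increment = 2;            /* what your "Place your code here" block adds */

/* Code cave: injected code first, then (optionally) the relocated original code, then "jmp return". */
static void code_cave(void) {
    health += cave_increment;             /* add [health],N */
    if (run_original_after_cave)
        original_decrease();              /* originalcode: sub [health],1 */
}

/* Redirect the click handler into the cave (CE's "jmp newmem" step in miniature). */
void install_hook(int keep_original, int increment) {
    click_hook = code_cave;
    run_original_after_cave = keep_original;
    cave_increment = increment;
}

/* Restore the original code path (what disabling the script does). */
void remove_hook(void) { click_hook = original_decrease; }

/* Click the button once and return the net change in health. */
int click_once(void) {
    int before = health;
    click_hook();
    return health - before;
}

int main(void) {
    printf("unhooked click:              %+d\n", click_once());   /* -1 */
    install_hook(0, 2);
    printf("cave +2, original removed:   %+d\n", click_once());   /* +2 */
    install_hook(1, 3);
    printf("cave +3, original kept:      %+d\n", click_once());   /* +2 */
    install_hook(1, 2);
    printf("cave +2, original kept:      %+d\n", click_once());   /* +1: the confusing case */
    return 0;
}
```

The last line of output is the "confusing" case the notice warns about: an ADD of 2 followed by the original SUB of 1 only nets +1, which is easy to mistake for a broken injection.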
---------------------------------------------------------
Step 8: Multilevel pointers: (PW=525927)
This step will explain how to use multi-level pointers.
In step 6 you had a simple level-1 pointer, with the first address found already being the real base address.
This step however is a level-4 pointer. It has a pointer to a pointer to a pointer to a pointer to a pointer to the health.
You basically do the same as in step 6. Find out what accesses the value, look at the instruction and what probably is
the base pointer value and what is the offset, and already fill that in or write it down. But in this case the address
you'll find will also be a pointer. You just have to find out the pointer to that pointer exactly the same way as you did
with the value. Find out what accesses that address you found, look at the assembler instruction, note the probable
pointer value and offset, and use that,
and continue till you can't get any further (usually when the base address is a static address, shown in green).
Click Change Value to let the tutorial access the health.
If you think you've found the pointer path, click Change Register. The pointers and value will then change and you'll
have 3 seconds to freeze the address to 5000.
Extra: This problem can also be solved using an auto assembler script, or using the pointer scanner.
Extra2: In some situations it is recommended to change CE's codefinder settings to Access violations when
encountering instructions like mov eax,[eax], since debug registers show it AFTER it was changed, making it hard to
find out the value of the pointer.
Extra3: If you're still reading, you might notice when looking at the assembler instructions that the pointer is
being read and filled out in the same code block (same routine; if you know assembler, look up till the start of the
routine). This doesn't always happen, but can be really useful in finding a
pointer when debugging is troublesome.
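Steps 6 and 8 both come down to the same operation: read the pointer stored at an address, add the offset you took from the brackets of the instruction, and repeat until you reach the value. The C program below is an added example, not part of the tutorial or of Cheat Engine, that walks such a level-4 chain through a small constructed "process memory" with 32-bit addresses (IMAGE_BASE, the chain offsets and the addresses are all made up for the example). It also shows the offset arithmetic from step 6 for an addressing form like [EAX*2+EDX+00000310], and it treats a pointer that leaves mapped memory as a failed path, which is what you see in CE when a pointer in the chain turns out to be stale garbage.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy "process memory": 64 KiB backing a slice of a 32-bit address space. */
#define IMAGE_BASE 0x00400000u
#define MEM_SIZE   0x10000u
static uint8_t mem[MEM_SIZE];

/* Read a 4-byte value; fails (like an unmapped page) if the address is outside the slice. */
static int read32(uint32_t addr, uint32_t *out) {
    if (addr < IMAGE_BASE || addr + 4 > IMAGE_BASE + MEM_SIZE) return 0;
    memcpy(out, mem + (addr - IMAGE_BASE), 4);
    return 1;
}
static void write32(uint32_t addr, uint32_t v) { memcpy(mem + (addr - IMAGE_BASE), &v, 4); }

/* Offset for a form like [EAX*2+EDX+00000310] where EDX is the pointer: index*scale + displacement. */
uint32_t sib_offset(uint32_t index_reg, uint32_t scale, uint32_t disp) {
    return index_reg * scale + disp;
}

/* Resolve a CE-style pointer path: start at the static base, and for each offset read the pointer
   stored there and add the offset. Returns 1 with the final address, or 0 if a dereference fails. */
int resolve_path(uint32_t base, const uint32_t *offsets, size_t n, uint32_t *final_addr) {
    uint32_t addr = base;
    for (size_t i = 0; i < n; i++) {
        uint32_t p;
        if (!read32(addr, &p)) return 0;   /* pointer in the chain points outside memory */
        addr = p + offsets[i];
    }
    *final_addr = addr;
    return 1;
}

/* Lay out a constructed 4-level chain like step 8: static base -> obj1 -> obj2 -> obj3 -> obj4 -> health. */
void build_chain(void) {
    memset(mem, 0, sizeof mem);
    write32(0x00400500, 0x00401000);          /* static (green) address holding the first pointer */
    write32(0x00401000 + 0x0C, 0x00402000);   /* [obj1+0C] -> obj2 */
    write32(0x00402000 + 0x14, 0x00403000);   /* [obj2+14] -> obj3 */
    write32(0x00403000 + 0x00, 0x00404000);   /* [obj3+00] -> obj4 */
    write32(0x00404000 + 0x18, 100);          /* [obj4+18] = health */
}
static const uint32_t chain_offsets[] = {0x0C, 0x14, 0x00, 0x18};

/* What CE's "P->" entry computes each time it refreshes: follow the path, then read the value. */
int read_health(void) {
    uint32_t addr, v;
    if (!resolve_path(0x00400500, chain_offsets, 4, &addr)) return -1;
    if (!read32(addr, &v)) return -1;
    return (int)v;
}

/* Corrupt the third pointer so the chain breaks, as happens when an object is freed and reallocated. */
void break_chain(void) { write32(0x00403000, 0xDEADBEEFu); }

int main(void) {
    build_chain();
    printf("offset for [EAX*2+EDX+00000310] with EAX=4C: %X\n", sib_offset(0x4C, 2, 0x310)); /* 3A8 */
    printf("health via 4-level pointer: %d\n", read_health());                                  /* 100 */
    break_chain();
    printf("health after chain corruption: %d\n", read_health());                               /* -1 */
    return 0;
}
```

The offsets array is exactly what you fill into CE's "Add address manually" pointer dialog, top to bottom; the static base is the green address you stop at in step 8.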
--------------------------------------------------------
Step 9: Injection++: (PW=31337157)
In this step we'll do basically the same as in step 7 (Code Injection), but now a little bit more difficult.
Now you have to replace the code that decreases health with a piece of code that sets the health to 1000 if the current
second is equal to or bigger than 30, and 2000 if it's smaller.
This can be done using an auto assembler script that does some API calls to some routines to get the current time,
but it may be easier to use a C-script injection here.
Find the address of health and go to the C script engine in Cheat Engine (ctrl+alt+a in memory view, or tools->C script
engine).
Then, as opposed to the other tutorials, I'll provide you with a big hint (in case you've never coded in C):
----------------
#include <time.h>
struct tm *timep;
time_t c;
c=time(0);             /* current time in seconds since the epoch */
timep=localtime(&c);   /* break it down into fields such as tm_sec (0-59) */
if (timep->tm_sec>=30)
  *(int *)addresstochange=1000;   /* addresstochange: replace with the health address, see below */
else
  *(int *)addresstochange=2000;
-------------
Here replace addresstochange with the address of health. Don't forget to add 0x in front of it. So if the address was
0012345 then fill in 0x0012345.
Select inject->Inject into current process and it\'ll open an auto assembler with a call inside it.
Now, just like in step 7 go to the address that decreases health and do autoassembler->template->code injection.
And fill in as code the call instruction you got. Note that the call will change the value of EAX and some flags may
change as well, so if you want to save them, push them before and pop them after. And remove the original code;
it's not used and only makes things harder.
Click Execute and then click "Hit me" in the trainer.
If all went right, clicking the button caused your C-script to be executed and changed the value of health
according to the current time.
Bonus:
As said before, it can also be done with a normal assembler script. CE allows you to fill in function names for call
instructions, so that should make things easier.
And you could also just use a dll injection with an aa script. E.g.:
injectdll(mydll.dll) //dll written in any language you like
codecave:
call functionofmydll
jmp exit