Create a bot for an isometric game - travel bot [Part 1]
Have you wondered how to write a bot for a game to automate an action? I did, when I had to travel a lot from one city to another while moving goods around. The concept for such a travel bot is quite simple; you need just a couple of things. First, find where you are on the map; second, decide where you want to go; third, just go there. Luckily, all of these things are very easy to do and the required information is available in memory; the only thing left is to find where it is stored. That is not difficult, and there are many tools to help if you don’t want to write your own memory searcher. In this case I will be using Cheat Engine, as it has a couple of neat features that are very useful here.
So I will start with the first required piece of information: the location of the player object. It is not that tricky to find, and there are different techniques for doing so; today I will cover one. In memory, information is stored in structures, which makes memory locations easier to find and access. If I am searching for the location of the player, I can search for a specific player attribute and then browse that memory region to find additional information. Usually you will select an attribute that you can manipulate. A good attribute is player health, because you can change the value by changing your armor, doing any kind of self-harm, etc. This is what I did to find my health value in memory. I started with full health and searched for the value with Cheat Engine; afterwards I removed one piece of my armor to reduce my health and searched for the new value. I had to do this a couple of times to reduce the number of results.
You may need to change your search settings if you can’t find anything. Try searching for float, int, double, etc. The game could be using some type of offsets. In that case, try looking for increased and decreased values.
The next thing is to open the memory viewer and point it to the address where you found your health value. You will need to change the display type to get a proper representation, otherwise you will not recognize the values. Switch between bytes, float, double, etc.
To recognize my location values, I changed the display type to float and walked around; in no time those three values made sense.
You can restart the game and check whether the memory addresses have changed; I am pretty sure the memory will be allocated in a different memory region. There are many workarounds for this problem. In this case I will describe pointers. Quite often the code of the game will not change, and some parts of the code will have pointers that point to our desired location. We just need to find the address of the code that has a pointer to our value. In many cases that address will remain unchanged until the game gets recompiled and updated.
Cheat Engine has a very nice feature for finding pointers. When you have found the value you are looking for, send it to the bottom list by double-clicking on the memory address. Once it is down there, right-click on it and select “Pointer Scan for this address”. This will open a new window. You can leave the depth at five and the max offset value at 1024. These settings control the max depth of pointers that can be used to find the desired location in memory. This feature uses files for scanning, so when Cheat Engine opens the save dialog, store the file somewhere you can find it.
You will need to do this a couple of times: restart the game, find your value in memory, do a pointer scan. When you are searching for pointers, don’t start from the beginning; reuse the previous file. When you open the pointer searcher, close the first window and go to the File menu to open the previous file. Then go to “Pointer Scan” and rescan the memory. It will then ask you for the new address; use the address you found in the last memory search. The more you repeat this, the more you will reduce the list of pointers. It is fine when you have multiple results left.
This gives us an address and the way to browse through memory to find our desired value. We will use this information in the second part of the writeup.
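The scan and rescan procedure described above, as an added example that is not part of the original post and is not Cheat Engine's code: a toy pointer scan over two constructed memory snapshots that stand in for two game sessions. All addresses, offsets, the static range and the health value are assumptions made up for illustration.

```python
# Toy pointer scan and rescan; every address and value here is constructed.
STATIC = range(0x400000, 0x401000)   # assumed module range that survives restarts

def build_run(heap, decoy):
    """One 'game session': sparse memory as {address: pointer-sized value}."""
    game, player = heap + 0x100, heap + 0x800
    health = player + 0x40
    mem = {
        0x4001F0: game,        # static slot -> game object
        game + 0x18: player,   # game object field -> player structure
        health: 100,           # the value found by the health search
        0x400200: decoy,       # static slot -> unrelated object
    }
    return mem, health

def resolve(mem, base, offsets):
    """Follow base -> [ptr + off] -> ... and return the final address."""
    addr = base
    for off in offsets:
        ptr = mem.get(addr)
        if ptr is None:
            return None        # chain is broken in this session
        addr = ptr + off
    return addr

def pointer_scan(mem, target, depth=5, max_off=1024, tail=()):
    """Walk backwards from target to static slots; returns {(base, offsets)}."""
    found = set()
    if depth == 0:
        return found
    for addr, val in mem.items():
        off = target - val
        if 0 <= off <= max_off:
            path = (off,) + tail
            if addr in STATIC:
                found.add((addr, path))
            else:
                found |= pointer_scan(mem, addr, depth - 1, max_off, path)
    return found

def rescan(paths, mem, new_target):
    """Keep only the paths that still reach the value after a restart."""
    return {(b, o) for b, o in paths if resolve(mem, b, o) == new_target}

def demo():
    mem1, health1 = build_run(0x20000000, decoy=0x20000830)
    mem2, health2 = build_run(0x35000000, decoy=0x35004000)
    first = pointer_scan(mem1, health1)
    return first, rescan(first, mem2, health2), mem2
```

Calling `demo()` returns two candidate paths from the first session and the single path that survives the rescan; the decoy path only matched by coincidence in the first session, which is why repeating the scan after a restart shrinks the list.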