About finding an address for a debugger


pikachu5501
18-04-2007, 20:43
Ok, I don't need step-by-step instructions, I just need a hint or a simple explanation. You are all so nice to answer so many questions already, so I don't want to abuse it either.

I use Cheat Engine to find the address to NOP and all, but sometimes I don't want to NOP but change the value instead. So I want to find out where I can find the value of the pointer every time.

That's how I did it. First I searched and found the value at 0A1823C1.

I found: sub ecx, [edx+35]
edx = 01A8238C

01A8238C + 35 = 0A1823C1

So I looked in the memory dump (at the address of the instruction) hoping to find something like 8C 23 A8 01 or C1 23 A8 01 somewhere, so I can retrieve it within my trainer and use it to change the value (like money or something else),

but there is only 2b 4a 34 (weird)...

How can I find the code segment that stores the address value? Pretty please with sugar and chocolate sprinkles on top..

Thanks in advance.
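As an added example that is not part of the thread, the following Python script shows why the dump search described in the post above comes up empty. The bytes `2B 4A 34` decode to `sub ecx, [edx+disp8]`: a register base plus a one-byte displacement, so the absolute address is never stored in the instruction itself. What a dump search can find is the little-endian encoding of the pointer value (`8C 23 A8 01`) wherever that value is stored as data. The dump contents and its base address are constructed for the example; the instruction decoder is a hypothetical helper that only handles the `sub r32, [base+disp]` shape seen here.

```python
import struct

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def le32(value):
    """Little-endian 4-byte encoding, e.g. 0x01A8238C -> 8C 23 A8 01 (what a dump search looks for)."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def find_pointer_refs(dump, dump_base, target):
    """Return every address inside `dump` (which starts at `dump_base`) that holds the 32-bit value `target`."""
    needle = le32(target)
    hits = []
    idx = dump.find(needle)
    while idx != -1:
        hits.append(dump_base + idx)
        idx = dump.find(needle, idx + 1)
    return hits


def decode_sub_r32_rm32(code):
    """Decode `2B /r` (sub r32, [base+disp]) with a register base and an 8- or 32-bit displacement.

    Returns (assembly_text, instruction_length) or None. SIB forms (rm == 4) and the
    mod=00 / mod=11 encodings are deliberately not handled; only the shape from the post is.
    """
    if len(code) < 2 or code[0] != 0x2B:
        return None
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod in (0, 3) or rm == 4:
        return None
    if mod == 1:                      # one signed displacement byte follows the ModRM byte
        if len(code) < 3:
            return None
        disp, length = struct.unpack_from("<b", code, 2)[0], 3
    else:                             # mod == 2: a four-byte signed displacement follows
        if len(code) < 6:
            return None
        disp, length = struct.unpack_from("<i", code, 2)[0], 6
    sign = "+" if disp >= 0 else "-"
    return f"sub {REGS32[reg]}, [{REGS32[rm]}{sign}{abs(disp):x}]", length


# Constructed sample dump (not real game memory): a data cell holding the pointer value
# quoted in the post, followed by the instruction bytes the poster saw.
DUMP_BASE = 0x00400000                      # assumed base address of the sample dump
POINTER_VALUE = 0x01A8238C                  # the edx value from the post
INSTRUCTION = bytes([0x2B, 0x4A, 0x34])     # the bytes found at the instruction
SAMPLE_DUMP = bytes(16) + le32(POINTER_VALUE) + bytes(12) + INSTRUCTION + bytes(5)


def demo():
    refs = find_pointer_refs(SAMPLE_DUMP, DUMP_BASE, POINTER_VALUE)
    decoded = decode_sub_r32_rm32(INSTRUCTION)
    # The pointer bytes live in the data cell, never inside the instruction itself.
    in_instruction = le32(POINTER_VALUE) in INSTRUCTION
    return refs, decoded, in_instruction


if __name__ == "__main__":
    refs, decoded, in_instruction = demo()
    print("pointer value stored at:", [hex(a) for a in refs])
    print("instruction decodes to:", decoded)
    print("address bytes inside the instruction?", in_instruction)
```

Running it reports the pointer value at 0x00400010 (the constructed data cell) and the instruction as `sub ecx, [edx+34]`, with no copy of the address inside the instruction bytes: the value the instruction reads through edx has to be traced back to wherever edx was loaded from.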

DABhand
19-04-2007, 05:40
You could use code injection.

Find a code cave, free space to have your own code; 10abf is always a good addy if you can't find one.

Then I would write this at the code cave:

mov ecx, xxxxxx (whatever value you want here, in hex)
jmp xxxxxxx (whatever addy you will jump from in the game)

And in the game code, where the sub is:

jump 10abf (and say yes to nop extra)

Any code apart from the sub opcode that is destroyed here will have to be replaced in your code cave. Jumps take 5 bytes, so bear that in mind.

pikachu5501
19-04-2007, 13:34
Thank you for your prompt reply :) . I will study this further. Now I know where to look.

TippeX
19-04-2007, 15:50
10abf is always a good addy if you can't find one.

Hope that's baseless; otherwise it's a heap area, and if the program hasn't initialised heaps then you're buggered....
Wonder why people don't use VirtualAllocEx and inject their code that way....

pikachu5501
19-04-2007, 16:18
Actually, I saw something like that about code injection in the CE tutorial, but now I know what it does, so I think I am ready to advance to that next level. :)

I found that learning to make trainers and all is as fun (and frustrating sometimes) as a game itself. :p

As usual, thanks for your priceless (in the good way!) advice :) . I hope I will be able to give back some time soon. ;)

DABhand
19-04-2007, 16:42
Hope that's baseless; otherwise it's a heap area, and if the program hasn't initialised heaps then you're buggered....
Wonder why people don't use VirtualAllocEx and inject their code that way....

It's a safe area; I've used it for many a trainer myself.

pikachu5501
14-05-2007, 22:11
I use 10abf myself now and it's always filled with 0; I wonder if it was something from an old legacy thing from another Windows version or something.

Synaesthesia
22-05-2007, 00:37
Usually, the first section of an .exe has tons of 00s at the end of it...

TippeX
22-05-2007, 04:26
That very much depends on the code size. The 00s come from file/section alignment; if the code is exactly the size of the alignment, you will find no zeroes.....
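The alignment arithmetic behind the two posts above, as an added Python example that is not from the thread: it parses constructed IMAGE_SECTION_HEADER entries (the documented 40-byte PE section header layout) and reports, per section, how many zero bytes exist on disk past the end of the code (SizeOfRawData is rounded up to FileAlignment), how much zero-filled tail the section has once mapped (VirtualSize rounded up to SectionAlignment), and how much of the section is uninitialised (VirtualSize larger than SizeOfRawData), which is the part the loader zero-fills but the program may write to once it runs. The section sizes, offsets and alignments are constructed; `.rdata` is sized to exactly one alignment unit to show the "no zeroes" case, and `CODE` mimics a section whose VirtualSize exceeds its raw size.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)   # 40

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def round_up(value, alignment):
    """Round `value` up to the next multiple of `alignment` (alignment must be > 0)."""
    return (value + alignment - 1) // alignment * alignment


def parse_section_headers(table, count):
    """Unpack `count` consecutive section headers from the raw section table bytes."""
    sections = []
    for i in range(count):
        f = struct.unpack_from(SECTION_HEADER_FMT, table, i * SECTION_HEADER_SIZE)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": f[1],
            "virtual_address": f[2],
            "raw_size": f[3],
            "raw_offset": f[4],
            "characteristics": f[9],
        })
    return sections


def section_slack(section, file_alignment, section_alignment):
    """Byte counts of the three kinds of 'empty' space a section can have."""
    vs, rs = section["virtual_size"], section["raw_size"]
    return {
        "file_padding": max(rs - vs, 0),                        # zeros on disk past the real content
        "memory_tail": round_up(vs, section_alignment) - vs,    # zero-filled tail of the mapped section
        "uninitialized": max(vs - rs, 0),                       # no file bytes; zeroed at load, may be written
        "raw_aligned": rs % file_alignment == 0,                # sanity check on SizeOfRawData
    }


def slack_report(table, count, file_alignment, section_alignment):
    return {s["name"]: section_slack(s, file_alignment, section_alignment)
            for s in parse_section_headers(table, count)}


def build_section_header(name, virtual_size, virtual_address, raw_size, raw_offset, characteristics):
    """Pack one header; relocation/line-number fields are zero, as in a normal image."""
    return struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), virtual_size, virtual_address,
                       raw_size, raw_offset, 0, 0, 0, 0, characteristics)


# Constructed sample: the alignments are typical defaults, the sections are made up.
FILE_ALIGNMENT = 0x200
SECTION_ALIGNMENT = 0x1000
CODE_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ

SAMPLE_TABLE = (
    # code of 0x1234 bytes: raw size rounds up to 0x1400, so 0x1CC zeros on disk
    build_section_header(b".text", 0x1234, 0x1000, round_up(0x1234, FILE_ALIGNMENT), 0x400, CODE_FLAGS)
    # content exactly one page: no padding anywhere (the "no zeroes" case)
    + build_section_header(b".rdata", 0x1000, 0x3000, 0x1000, 0x1800, IMAGE_SCN_MEM_READ)
    # VirtualSize larger than raw size: 0x400 bytes exist only in memory
    + build_section_header(b"CODE", 0x1800, 0x4000, 0x1400, 0x2800, CODE_FLAGS)
)


if __name__ == "__main__":
    for name, info in slack_report(SAMPLE_TABLE, 3, FILE_ALIGNMENT, SECTION_ALIGNMENT).items():
        print(f"{name:8} file_padding=0x{info['file_padding']:x} memory_tail=0x{info['memory_tail']:x} "
              f"uninitialized=0x{info['uninitialized']:x} raw_aligned={info['raw_aligned']}")
```

The three numbers explain the whole exchange: `.text` shows zeros both on disk and in memory because its content is not a multiple of either alignment, `.rdata` shows none, and `CODE` shows space that looks free in a static view but is part of the section's live working set once the image is mapped.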

Synaesthesia
22-05-2007, 10:42
Yeah, that's also true. I encountered that issue a lot in Delphi applications. Not to mention that if you open your app in Olly, you may see 00s at an address found at the end of the first section, but once you run the app, that memory gets written to :D and you're screwed. Gotta love Delphi...