How I used Cheat Engine to hack Metal Slug 3


The Metal Slug series is a fantastic game which I used to play when I was a child. I found that the Shotgun was so badass but also rare, and it has limited bullets (40), which couldn’t blast every enemy on my way.

Lately, I got a chance to play the game again, so I decided to use Cheat Engine to scan the memory and modify it so we can get the Shotgun and blast everything on my way.

Setting up Neogeo on your PC

If you already have Neogeo, you can skip this step.

You can download Neoragex from here and ROMs from here. All you need to do is put the Metal Slug file inside the ROMs folder, just like the picture below.

Cheat Engine fuzzing

Open Neogeo and start the game first, then start Cheat Engine and select the process to scan like this:

Select Neogeo in Process List

In the first mission, when you cut off the parachute and get your first H(eavy machine gun), pause the game by pressing the Tab button, then switch to Cheat Engine by pressing Alt + Tab and scan.

Get your first Heavy Machine Gun here

Because the game was written in the 1990s, when we didn’t have much memory, we cannot just scan using “200” as the value and expect it to return the correct memory address. Furthermore, the ammo could be represented using only 2 bytes, since it never exceeded 1000. Therefore, “Unknown initial value” should be appropriate in this scenario.

Use Unknown initial value as First Scan

Then click First Scan. The screen could still be blank, but don’t worry: there are just too many memory addresses found. Look at the left corner of Cheat Engine and we can see Found: millions.

First scan returns millions of values

Now we start decreasing the ammo to distinguish the ammo memory address from the others. Every time you press the shoot button, H should decrease by 4, but since we aren’t sure, and the stored value could decrease by some other amount (this will be obvious in the next section), just set the scan option to Decreased value.

Using the Decreased value option for the next scan

Now click Scan again; the result should return fewer memory addresses than the previous one. We keep repeating this process till we get just a few addresses left.

If you keep repeating the process above, it becomes obvious that the ammo is not the only value that decreases, so we add some jitter to the process by letting the character stand by and do nothing, then change the scan option to Unchanged value. Now only 2 are left.

Scan with some jitter to get the correct memory address

2 is enough for us now. Let’s select those 2 addresses and add them to the memory table so we can deal with them.

Select 2 memory addresses and put them in the table

Let’s freeze the first memory address by clicking the checkbox to see if it’s indeed the ammo memory address we are dealing with.

Freeze the memory address by clicking the checkbox

Now back to the game: if you shoot and the ammo doesn’t decrease, we got it right. If the ammo in the game decreases when we shoot, that one is not the ammo address; you should unfreeze it and try the other one.

voila, got infinite ammo

Fuzzing weapon type

OK, we are one step closer to the goal; let’s fuzz the weapons as well. First, unfreeze the ammo memory address and perform a new scan.

The weapon type is different from the ammo: we cannot just keep scanning using the Decreased value option, and we still don’t know what the initial value is. Hence, starting with Unknown initial value is the obvious choice in this case.

Now, shoot till the ammo of your H runs out, then switch to Cheat Engine, change the scan option to Changed value and click Scan.

Scan for weapon type

The number of addresses decreased by almost 90%, but that is still too many for us to deal with. Let’s add some jitter by scanning with Unchanged value and Changed value whenever you switch your weapon.

Only one address left

Keep repeating the process until only the address for your weapon is left. Let’s move it to the working memory table, get the next H and freeze the weapon memory to see if the weapon changes when the ammo runs out.
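The narrowing logic behind both the ammo scan and the weapon-type scan, replayed over constructed memory snapshots (an added example, not part of the original article and not Cheat Engine's code). The 64-byte layout, the offsets, the second ammo copy and the timer are assumptions made for the illustration; only the two weapon values come from the article.

```python
import struct

# Comparison filters named after the Cheat Engine scan options used above.
FILTERS = {
    "decreased": lambda old, new: new < old,
    "changed": lambda old, new: new != old,
    "unchanged": lambda old, new: new == old,
}

def values(mem, fmt):
    """Decode a snapshot into {offset: value} at aligned offsets."""
    return {i * struct.calcsize(fmt): v for i, (v,) in enumerate(struct.iter_unpack(fmt, mem))}

def scan(snapshots, fmt, first, steps):
    """'Unknown initial value' on snapshots[first], then apply (index, filter) steps."""
    cands = values(snapshots[first], fmt)
    for idx, mode in steps:
        now = values(snapshots[idx], fmt)
        cands = {o: now[o] for o, old in cands.items() if FILTERS[mode](old, now[o])}
    return cands

# Constructed memory image: the offsets, AMMO_COPY and TIMER are assumptions.
WEAPON, AMMO, AMMO_COPY, TIMER = 0x08, 0x10, 0x20, 0x30
HANDGUN, HEAVY_MG = 0xFF000000, 0xFF050000  # the two values reported in the article

def snapshot(weapon, ammo, timer):
    mem = bytearray(64)
    struct.pack_into("<I", mem, WEAPON, weapon)
    struct.pack_into("<H", mem, AMMO, ammo)
    struct.pack_into("<H", mem, AMMO_COPY, ammo)
    struct.pack_into("<H", mem, TIMER, timer)  # unrelated value, falls every snapshot
    return bytes(mem)

TIMELINE = [
    snapshot(HEAVY_MG, 200, 900),  # 0: picked up H
    snapshot(HEAVY_MG, 196, 880),  # 1: fired
    snapshot(HEAVY_MG, 192, 860),  # 2: fired
    snapshot(HEAVY_MG, 192, 840),  # 3: stood still
    snapshot(HANDGUN, 0, 820),     # 4: ammo ran out
    snapshot(HANDGUN, 0, 800),     # 5: stood still
    snapshot(HEAVY_MG, 200, 780),  # 6: picked up H again
    snapshot(HEAVY_MG, 196, 760),  # 7: fired
]

def find_ammo():    # 2-byte scan: Decreased, Decreased, then Unchanged while idle
    return scan(TIMELINE, "<H", 0, [(1, "decreased"), (2, "decreased"), (3, "unchanged")])

def find_weapon():  # 4-byte scan: alternate Changed / Unchanged around weapon switches
    return scan(TIMELINE, "<I", 3, [(4, "changed"), (5, "unchanged"), (6, "changed"), (7, "unchanged")])
```

The timer survives the Decreased scans and is only dropped by the idle Unchanged scan, and the two ammo copies survive the first Changed/Unchanged pair of the weapon scan until a shot is fired with the weapon held constant.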

Here’s the tricky part: we don’t know the values of the other gun types, but we can see how the value is represented in memory for the handgun and the H(eavy machine gun).

Handgun is 4278190080, which could be represented in hex as 0xFF000000

Heavy machine gun is 4278190080, which could be represented in hex as 0xFF050000

We can see the pattern here: the last 4 bits of the first byte change as we change our weapon, so let’s fuzz the value of those 4 bits as well. The weapon changes depending on the fuzzing value entered; I got the shotgun when I changed the value to 0xFF070000.

If we freeze the value for the weapon, we should get infinite ammo + shotgun.

Voila, infinite shotgun + ammo