Spelunky v1.1 Game Cheating Tutorial

For my first tutorial I wanted a game that allowed creation of multiple cheats, was freeware so everyone could download it, and was worth playing beyond the tutorial. I tested many games before I decided on Spelunky.

This game is a fun platform game that has a great replay value as each level seems to be created randomly. Things are always different, and even though I have beat the game several times I keep finding something new.

I saw several requests for cheats, help creating pointers, and such for this game as well and it seems there are not any trainers currently available. So after reading this tutorial you will be able to create your own.

I included lots of screenshots, and explained everything no matter how simple at least once, to help everyone follow along with this tutorial.

Spelunky Tutorial - Part 1 of 5
  1. Game Cheating Tutorial
  2. GTS Trainer Tutorial
  3. Cheat Engine Trainer Tutorial
  4. AutoIt Trainer Tutorial
  5. FreeBASIC Trainer Tutorial

Programs Needed
To do this tutorial you will need --

Getting Started
Start the game Spelunky and start the tutorial level by guiding the character into the cave, and press ESCape to pause the game. Then load Cheat Engine for 32-bit games (Cheat Engine.exe).


In CE (Cheat Engine) select the game process, Spelunky.exe, from the process list. This is done by clicking the computer icon with a magnifying glass. Scroll to the game process click it, and then click the open button.

We are ready to start scanning for cheats. Now set the Value Type to All (Byte to Double) unless you know what type the game uses. Typical games use 4 bytes, or Floats as the type; however, if you want to save time this game (Spelunky) uses the Double type.

The first cheat we'll make will be for health. So set the CE value to 4, and click First Scan.
Switch back to the game and un-pause it and get hit once (by the snake) to get 3 health (the hearts). Pause the game (ESC) and go back to CE. In the CE Value, change it 3 and click Next Scan.

Go back to the game and get hit once to get 2 health, pause, and switch to CE. Change the Value to 2 and click Next Scan.

The found addresses should be shrinking to a smaller number. Switch to the game and this time move around without getting hit or injured. Go back to CE and simply click Next Scan. This should leave you with two found addresses - if not go back to the game and move around some more and do a Next Scan in CE.

Add the two addresses to the Cheat List in CE. To do this you can double-click each address - or hold CTRL and click both addresses once, then click and hold the mouse button and drag to to the Cheat List and let go.

Now let's check which one is the address we need for the health cheat. The easiest way is to enter a new value for each address. Double-click the value in the cheat list, enter the new value, and click Ok. I used the values 5 and 7 to see which one makes the change.

Switch to the game once more and see what your health value now reads. Mine was 5 so the first address is the once we need, the second is trash and needs to be removed. Click the 2nd address once, and hit the DEL keyboard key, or right-click and select Delete this record - click Ok.

Some details to save some time..
  • If you want to NOP the code that changes the value you can't, as it updates nearly *everything* in the game. (You could by using code injection with Lua - that's another tutorial)
  • Yes, this game uses DMA (Direct Memory Access) - the cheat addresses are changed each time the game is loaded, and some codes change on each level.
  • A valid pointer can be found for the health code by using, Pointer scan for this address, and changing the settings. The typical pointer finding method, as mention in the CE help, will not work with Spelunky.

Double-click the Value for the remaining address in the Cheat List and enter the value 99. Lastly click the Active checkbox to freeze the health value.

This will let us continue making cheats without worrying about the player getting killed.






Pointer Scanning
As mentioned we need to find the pointer for this cheat as the game changes it each time the game is loaded. So right click the cheat address and select Pointer scan for this address.










A pointer scan window will open. From trial and error I found the correct pointer, and settings. If you use the default settings in CE for Spelunky it will never find the pointer. You will need to update the settings to match those of my image.

Change the Maximum offset value to 10048 and Max level to 10. Then click the Ok button to start the scan. When asked where to save the file simply select a name you will know what it is, I used spelunky-health.PTR, and click the button Save.


CE will start scanning, and will for eternity most times, so click Stop once you think you have enough results. I stop around 70 million Pointer paths found. On the message box that says, "Only the first 1000000 results.." just click Ok.

Now in the pointer scan window change the display from 4 bytes to Double, the is the combo box list on the top left. This is to show the value type that is used in Spelunky which is Double - also used as the type of pointer to add to the Cheat List.

In order to change those millions of results to something we can use there are a few methods. Continue scanning on another computer, close Spelunky and restart it, or restart your computer. These methods are to allow enough change of the game loaded in memory to help with the pointer scanning.

The easiest method is to simply restart Spelunky for now. So switch back to Spelunky and close/exit the Spelunky game. Leave CE alone, closing it will not help anything (just slow you down).

Start the Spelunky game, and go to the tutorial cave again. Pause the game and switch back to CE.

As the game was closed, you will need to load the Spelunky.exe process again. Click the computer icon with the magnifying glass in CE, select Spelunky, and click Open. On the message box that says, "Keep the current address list/code list?" - click Yes.

The old cheat address is invalid so un-click the Active box on it (Freeze). We now have to find the correct health code again. Start by clicking New Scan at the top of the main CE window.

We know the game uses the type Double so set the Value Type to Double. Enter the Value of your health, 4, and click First Scan. This is the same as before, get hit in the game, scan for the new health, move in the game without getting hit, click Next Scan, which should leave you with two addresses.

Add the addresses to your Cheat List, and change the values to 5 and 7. Check in the game what your health is, and delete the incorrect address (the 2nd address again for me).









Now you should have the new health cheat address. Double-click the new health address, and in the pop-up box copy the address. Click the Cancel button so the address is not changed, just copied.










Go to the CE Pointer Scan window. Click the menu item Pointer Scanner, and click Rescan memory - Removes pointers not pointing to the right address.








In the pop-up box type/paste the new health code address. Ensure it is the correct address, and click Ok. A save window will open type a filename, I used spelunky-health2.PTR, and click Save.

CE will scan for the new pointer address, and this may take awhile depending on your computer speed and the number of pointers left. Just sit and let it scan. Once it is done if you see the message, "Only the first 100..." simply click Ok.


Some tips on pointer scanning..
  • Often the top most pointers, especially the shortest, are valid pointers.
  • To test pointers simply double-click the pointer from the list in the Pointer window and it will be added to your Cheat List.
  • To scan pointers on another computer you will need the other computer to have the game installed, CE installed, and copy over the all the pointer scan files (often 5 GB in size or larger in scan files).
  • Easier method to test pointers is to add them to your Cheat List and save the Cheat Table. Load the Cheat Table on another computer in CE and test them. (CE and the game must be installed on the other computer as well)

If there are 0 pointers left there is a problem. The most likely cause it that you did a Pointer Rescan with a incorrectly typed address. Just Open the previous file spelunky-health.PTR and Rescan with the current health address.

Another common problem is CE did not run long enough when it was building the original pointer list. If this is the case, you will have to rebuild the pointer list. Click the current health address, right-click and select Pointer scan for this address. Use the same instructions as above.

If you did everything right, you will still have a large list of possible pointers. Keep repeating the steps of closing Spelunky, starting Spelunky, setting the CE process for the game, finding the new health address, then rescan the pointers with the current address. This will make the list the much shorter in time.

I however tried the tip mentioned above of adding the top most pointer addresses and found a valid pointer. I tested it on several other computers with my CE Cheat Table. You should have a pointer that starts with "Spelunky.exe"+0018F124 on your list - this is a valid pointer that I use.


Double-click the pointer from the Pointer window to add it to your Cheat List. Delete the other two addresses from your Cheat List leaving only the pointer. Double-click the Description to change it. I recommend you now close the Pointer window, as you are done with it, and save your Cheat Table.

Save your Cheat Table by clicking the Save button, the Save menu option, or pressing CTRL+S. Select a file name, I use the default Spelunky.CT so it loads when I am playing the game, and click Save.

More Cheats - Pointer Offsets
Finding other cheats for Spelunky is much easier and faster as you already have a pointer, which we can use for them too.

The next cheat is for how many ropes the character has. Switch to your game and look at how many you have, which is 2 if you just started the tutorial cave. So in CE start a New Scan, Value Type Double, and Value 2.

Go to the game, unpause it, and press the button C (it puts a rope in his hands and decreases the rope value). Pause the game and switch to CE. Do a Next Scan with a Value of 1.

Look at the found addresses and scroll to the bottom. There should be only one address with the value of 1, and it should match all but the last two characters of the health code. Add the address to your Cheat List.

We need to turn this address into a pointer so the rope cheat will work no matter when we play the game (as it uses DMA). We do this by using the health pointer we made earlier. Select the health cheat, right-click and select Copy. Right-click on a empty area in the Cheat List and click Paste. A new box will open with some options, leave them blank and click Paste. 

To make the pointer for the rope cheat you will have to do some simple Hex math, so open the Windows Calculator.

In the calculator click the View menu, and click Programmer. You need to click the word Hex in the middle on the far left - this puts the calculator in Hex mode.





With the calculator ready to use go back to CE and double-click the address of the pasted health code.

You will see a Change Address window. You need the top right offset input that should have the value 23B0 inside it, click there.

Switch to and drag the calculator off to the side for you can see the CE windows. Type the rope address into the calculator and click the subtract - (as the rope address is larger than the health address). Next type the health address and then click the equals = button.

You should have the answer of 50 (hex), this is the difference in the pointer offset. Write that number down as you will need it in a moment.

Clear the calculator value by pressing ESCape a few times. Enter the offset value that is in the input you clicked on in CE, which is 23B0. As the rope address is larger we add, (if it was smaller we would subtract) so press the add + key, and type the number we got before which is 50. Click the equals = button.

The answer should be 2400. This is the new Hex offset for the pointer, so enter this value into the pointer offset we clicked in CE, and click Ok.

The address should now point to the rope address. Double-click the description and enter a new one for the rope. Also delete the other rope address as we no longer need it.

Save your CE Cheat Table again, now with your two new cheats.

Third Cheat
The last cheat to make is for the bombs. This is done exactly the same as the rope cheat. Find the bomb address, and add it to your Cheat List. Then in the calculator take the bomb address and subtract it from the health address, and you should get 28 (hex).

Copy and Paste the health cheat pointer. Double-click the address and enter the top right offset into the calculator, which is 23B0 and add the previous value 28 then put the answer into the CE offset which is 23D8.

Then once again save your CE Cheat Table cheats.

The health cheat you now have works for damage from enemies and falling - it does not work if the player falls on spikes. Also if the player is touched by the Ghost the player will disappear but can still finish the level (use the whip to see where the player is) - once the level is beat everything is back to normal.

Other Cheats
If you want to make cheats for the shop items like the Spiked Boots, Climbing Gloves, etc. or the other items like Kapala, Udjat Eye, etc. these are easy to do. To make the cheat you have to find the store with the item, go to CE and do a New Scan for value 0. Pick-up the item from the store and do a Next Scan for 1.

If needed simply drop the item, do a Next Scan for 0, and pick it back up and do a Next Scan for 1. This can be done as many times as needed from the store without having to even buy it.

I will tell you the Jetpack Fuel and the High Falling causes no injury cheats use a different pointer than the others cheats mentioned/created already. Find the cheat and scan for the pointer yourself just like the health pointer. The new pointer can have the last offset changed to work with both codes.

Cheating the various weapons (items the game character holds) is different. Multiple things are changed - character sprite, weapon sprite drawn, etc. I haven't had much time to play with these cheats yet but seems easy enough to make, it will just take a few addresses to work properly.

Finished Cheats
For anyone stuck creating the Health, Rope, or Bomb codes here are the cheat pointers --
Bombs
"Spelunky.exe"+0018F124 Offset 4 Offset 23D8

Health
"Spelunky.exe"+0018F124 Offset 4 Offset 23B0

Rope
"Spelunky.exe"+0018F124 Offset 4 Offset 2400

I also have put the finished CE Cheat Table of the three Spelunky cheats on my site. Once my trainer is finished, I will put it on my blog as well, at the moment it has 21 cheats.

I have put the tutorials on my site on how to put these three cheats into a trainer, using different trainer creation programs such as Game Trainer Studio (GTS 2.00), Cheat Engine v6.1, and AutoIt. They are identical finished trainers, as much as possible, and show how to create the trainer in the program you are most interested in using.

View the Spelunky Tutorial section at the top of this page for the links to the trainer tutorials.

I will not be able to create a tutorial for Trainer Maker Kit (TMK), as it does not handle pointers and offsets. After much testing and searching online I found one article that hinted at pointers, but did not work whatsoever.

If anyone has gotten multi-level pointers with offsets to work with TMK let me know how you did, and I will make a tutorial for TMK as well.

0 comments:

Post a Comment