cheatengine-mcp-bridge

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Cheat Engine MCP Bridge

Skill by ara.so — MCP Skills collection.

Connect Claude, Cursor, Copilot and other AI agents directly to Cheat Engine via the Model Context Protocol. Automate reverse engineering, memory analysis, pointer scanning, and debugging using natural language queries instead of manual clicking through hex dumps.

由ara.so开发的Skill — MCP Skills合集。

通过模型上下文协议（Model Context Protocol）将Claude、Cursor、Copilot等AI Agent直接连接到Cheat Engine。无需手动浏览十六进制转储，只需通过自然语言查询即可实现逆向工程、内存分析、指针扫描与调试的自动化。

What This Does

功能介绍

The Cheat Engine MCP Bridge exposes ~180 Cheat Engine functions as MCP tools, allowing AI agents to:

Read/write memory (integers, floats, strings, pointers)
Follow pointer chains:
```
[[base+0x10]+0x20]+0x8
```
Scan for values and AOB (Array of Bytes) patterns
Disassemble and analyze functions
Set hardware breakpoints and debug invisibly with DBVM (Ring -1 hypervisor)
Identify C++ objects via RTTI
Auto-analyze memory structures
Generate update-resistant AOB signatures
Inject DLLs and execute shellcode

Architecture:

AI Agent (Claude/Cursor) 
  ↕ MCP Protocol (JSON-RPC over stdio)
Python MCP Server (mcp_cheatengine.py)
  ↕ Named Pipe (async)
Cheat Engine Lua Bridge (ce_mcp_bridge.lua)
  ↕ CE API
Target Process Memory

Cheat Engine MCP Bridge 将约180个Cheat Engine函数以MCP工具的形式暴露出来，允许AI Agent实现以下操作：

读取/写入内存（整数、浮点数、字符串、指针）
追踪指针链：
```
[[base+0x10]+0x20]+0x8
```
扫描数值与AOB（字节数组）模式
反汇编并分析函数
设置硬件断点，通过DBVM（Ring -1 虚拟机监控程序）实现隐形调试
通过RTTI识别C++对象
自动分析内存结构
生成可抵御版本更新的AOB签名
注入DLL并执行Shellcode

架构：

AI Agent (Claude/Cursor) 
  ↕ MCP Protocol (JSON-RPC over stdio)
Python MCP Server (mcp_cheatengine.py)
  ↕ Named Pipe (async)
Cheat Engine Lua Bridge (ce_mcp_bridge.lua)
  ↕ CE API
Target Process Memory

Installation

安装步骤

Prerequisites

前置要求

Windows only (uses Named Pipes via
```
pywin32
```
)
Cheat Engine 7.4+ installed
Python 3.10+

仅支持Windows系统（通过
```
pywin32
```
使用命名管道）
已安装Cheat Engine 7.4及以上版本
Python 3.10及以上版本

Python Dependencies

Python依赖安装

bash

cd MCP_Server
pip install -r requirements.txt

Or manually:

bash

pip install mcp pywin32

bash

cd MCP_Server
pip install -r requirements.txt

或手动安装：

bash

pip install mcp pywin32

Load Bridge in Cheat Engine

在Cheat Engine中加载桥接脚本

Enable DBVM (optional, for advanced debugging):
- Cheat Engine → Settings → Kernel → Enable DBVM
Critical: Disable Memory Query Routines (prevents BSODs):
- Settings → Extra → UNCHECK "Query memory region routines"

Load the Lua bridge:

Method A:

File

→

Execute Script

→ browse to

MCP_Server/ce_mcp_bridge.lua

→

Execute

Method B:
```
Table
```
→
```
Show Cheat Table Lua Script
```
→ paste:

lua

dofile([[C:\path\to\cheatengine-mcp-bridge\MCP_Server\ce_mcp_bridge.lua]])

Verify: Console shows

[MCP v12.0.0] MCP Server Listening on: CE_MCP_Bridge_v99

启用DBVM（可选，用于高级调试）：
- Cheat Engine → 设置 → 内核 → 启用DBVM
关键操作：禁用内存查询例程（防止蓝屏）：
- 设置 → 附加选项 → 取消勾选 "查询内存区域例程"
加载Lua桥接脚本：
- 方法A：
```
文件
```
  →
```
执行脚本
```
  → 浏览至
```
MCP_Server/ce_mcp_bridge.lua
```
  →
```
执行
```
- 方法B：
```
表格
```
  →
```
显示作弊表Lua脚本
```
  → 粘贴以下代码：

lua

dofile([[C:\path\to\cheatengine-mcp-bridge\MCP_Server\ce_mcp_bridge.lua]])

验证： 控制台显示

[MCP v12.0.0] MCP Server Listening on: CE_MCP_Bridge_v99

Configure MCP Client

配置MCP客户端

Add to your MCP configuration file:

Claude Desktop (

~/.config/claude/claude_desktop_config.json

json

{
  "mcpServers": {
    "cheatengine": {
      "command": "python",
      "args": ["C:/path/to/cheatengine-mcp-bridge/MCP_Server/mcp_cheatengine.py"]
    }
  }
}

Cursor (

.cursorrules

or workspace settings):

json

{
  "mcp": {
    "servers": {
      "cheatengine": {
        "command": "python",
        "args": ["C:/path/to/cheatengine-mcp-bridge/MCP_Server/mcp_cheatengine.py"]
      }
    }
  }
}

Codex (

~/.codex/config.toml

toml

[mcp_servers.cheatengine]
command = "python"
args = ['C:\path\to\cheatengine-mcp-bridge\MCP_Server\mcp_cheatengine.py']

Important: Use forward slashes or escaped backslashes in JSON. Use single quotes in TOML.

Restart your IDE to load the MCP server.

将以下配置添加到你的MCP配置文件中：

Claude Desktop（

~/.config/claude/claude_desktop_config.json

）：

json

{
  "mcpServers": {
    "cheatengine": {
      "command": "python",
      "args": ["C:/path/to/cheatengine-mcp-bridge/MCP_Server/mcp_cheatengine.py"]
    }
  }
}

Cursor（

.cursorrules

或工作区设置）：

json

{
  "mcp": {
    "servers": {
      "cheatengine": {
        "command": "python",
        "args": ["C:/path/to/cheatengine-mcp-bridge/MCP_Server/mcp_cheatengine.py"]
      }
    }
  }
}

Codex（

~/.codex/config.toml

）：

toml

[mcp_servers.cheatengine]
command = "python"
args = ['C:\path\to\cheatengine-mcp-bridge\MCP_Server\mcp_cheatengine.py']

注意： JSON配置中使用正斜杠或转义反斜杠，TOML配置中使用单引号。

重启IDE以加载MCP服务器。

Core MCP Tools

核心MCP工具

Process Management

进程管理

Attach to a process:

User: "Attach to notepad.exe"
Agent uses: open_process
Args: {"process_name": "notepad.exe"}

List running processes:

Tool: get_process_list
Returns: [{"pid": 1234, "name": "game.exe"}, ...]

Launch a new process:

Tool: create_process
Args: {"path": "C:\\Games\\game.exe"}

Get current process info:

Tool: get_process_info
Returns: {"pid": 5678, "name": "game.exe", "base_address": "0x400000"}

附加到进程：

用户："附加到notepad.exe"
Agent调用：open_process
参数：{"process_name": "notepad.exe"}

列出运行中的进程：

工具：get_process_list
返回：[{"pid": 1234, "name": "game.exe"}, ...]

启动新进程：

工具：create_process
参数：{"path": "C:\\Games\\game.exe"}

获取当前进程信息：

工具：get_process_info
返回：{"pid": 5678, "name": "game.exe", "base_address": "0x400000"}

Memory Reading

内存读取

Read integer (4 bytes):

Tool: read_integer
Args: {"address": "0x12345678"}
Returns: {"value": 15000}

Read float:

Tool: read_float
Args: {"address": "game.exe+0x1234", "is_double": false}
Returns: {"value": 100.5}

Read string:

Tool: read_string
Args: {"address": "0x400000", "length": 64}
Returns: {"value": "PlayerName"}

Read pointer chain:

Tool: read_pointer_chain
Args: {"base": "game.exe+0x1000", "offsets": [0x10, 0x20, 0x8]}
Returns: {"final_address": "0x789ABC", "value": 42}

Read bytes:

Tool: read_memory
Args: {"address": "0x400000", "size": 16}
Returns: {"hex": "4D5A90000300000004000000FFFF0000", "bytes": [77, 90, ...]}

读取整数（4字节）：

工具：read_integer
参数：{"address": "0x12345678"}
返回：{"value": 15000}

读取浮点数：

工具：read_float
参数：{"address": "game.exe+0x1234", "is_double": false}
返回：{"value": 100.5}

读取字符串：

工具：read_string
参数：{"address": "0x400000", "length": 64}
返回：{"value": "PlayerName"}

读取指针链：

工具：read_pointer_chain
参数：{"base": "game.exe+0x1000", "offsets": [0x10, 0x20, 0x8]}
返回：{"final_address": "0x789ABC", "value": 42}

读取字节：

工具：read_memory
参数：{"address": "0x400000", "size": 16}
返回：{"hex": "4D5A90000300000004000000FFFF0000", "bytes": [77, 90, ...]}

Memory Scanning

内存扫描

Scan for value:

Tool: scan_all
Args: {
  "value_type": "4byte",
  "scan_type": "exact",
  "value": "15000",
  "writable": true,
  "executable": false
}
Returns: {"count": 47, "addresses": ["0x123000", "0x456000", ...]}

Next scan (filter results):

Tool: next_scan
Args: {"value": "15100"}
Returns: {"count": 3, "addresses": ["0x123000", ...]}

AOB (Array of Bytes) scan:

Tool: aob_scan
Args: {
  "pattern": "48 8B 05 ?? ?? ?? ?? 48 85 C0",
  "writable": false,
  "executable": true
}
Returns: {"addresses": ["0x401000", "0x402500"]}

Pointer scan:

Tool: pointer_scan
Args: {
  "address": "0x789000",
  "max_level": 5,
  "max_offset": 4096
}
Returns: {"count": 12, "results": [{"base": "game.exe+0x1000", "offsets": [0x10, 0x8]}]}

扫描数值：

工具：scan_all
参数：{
  "value_type": "4byte",
  "scan_type": "exact",
  "value": "15000",
  "writable": true,
  "executable": false
}
返回：{"count": 47, "addresses": ["0x123000", "0x456000", ...]}

二次扫描（过滤结果）：

工具：next_scan
参数：{"value": "15100"}
返回：{"count": 3, "addresses": ["0x123000", ...]}

AOB（字节数组）扫描：

工具：aob_scan
参数：{
  "pattern": "48 8B 05 ?? ?? ?? ?? 48 85 C0",
  "writable": false,
  "executable": true
}
返回：{"addresses": ["0x401000", "0x402500"]}

指针扫描：

工具：pointer_scan
参数：{
  "address": "0x789000",
  "max_level": 5,
  "max_offset": 4096
}
返回：{"count": 12, "results": [{"base": "game.exe+0x1000", "offsets": [0x10, 0x8]}]}

Code Analysis

代码分析

Disassemble:

Tool: disassemble
Args: {"address": "0x401000", "count": 10}
Returns: {
  "instructions": [
    {"address": "0x401000", "bytes": "55", "disassembly": "push rbp"},
    {"address": "0x401001", "bytes": "4889E5", "disassembly": "mov rbp,rsp"}
  ]
}

Analyze function:

Tool: analyze_function
Args: {"address": "0x401000"}
Returns: {
  "prologue": "push rbp; mov rbp,rsp",
  "calls_count": 3,
  "references": ["0x402000", "0x403000"]
}

Get RTTI class name:

Tool: get_rtti_classname
Args: {"address": "0x500000"}
Returns: {"classname": "CPlayerInventory"}

Find references to address:

Tool: find_references
Args: {"address": "0x600000"}
Returns: {"count": 5, "references": ["0x401234", "0x402567"]}

反汇编：

工具：disassemble
参数：{"address": "0x401000", "count": 10}
返回：{
  "instructions": [
    {"address": "0x401000", "bytes": "55", "disassembly": "push rbp"},
    {"address": "0x401001", "bytes": "4889E5", "disassembly": "mov rbp,rsp"}
  ]
}

分析函数：

工具：analyze_function
参数：{"address": "0x401000"}
返回：{
  "prologue": "push rbp; mov rbp,rsp",
  "calls_count": 3,
  "references": ["0x402000", "0x403000"]
}

获取RTTI类名：

工具：get_rtti_classname
参数：{"address": "0x500000"}
返回：{"classname": "CPlayerInventory"}

查找地址引用：

工具：find_references
参数：{"address": "0x600000"}
返回：{"count": 5, "references": ["0x401234", "0x402567"]}

Structure Analysis

结构分析

Dissect structure:

Tool: dissect_structure
Args: {"address": "0x500000", "size": 256}
Returns: {
  "fields": [
    {"offset": "0x00", "type": "vtable", "value": "0x401000"},
    {"offset": "0x08", "type": "int32", "value": 15},
    {"offset": "0x10", "type": "pointer", "value": "0x600000"}
  ]
}

解析结构：

工具：dissect_structure
参数：{"address": "0x500000", "size": 256}
返回：{
  "fields": [
    {"offset": "0x00", "type": "vtable", "value": "0x401000"},
    {"offset": "0x08", "type": "int32", "value": 15},
    {"offset": "0x10", "type": "pointer", "value": "0x600000"}
  ]
}

Debugging

调试功能

Set breakpoint:

Tool: set_breakpoint
Args: {
  "address": "0x401000",
  "type": "hardware",
  "condition": "rax==5"
}

Set data breakpoint (watch memory writes):

Tool: set_data_breakpoint
Args: {"address": "0x789000", "size": 4, "type": "write"}

Start DBVM watch (invisible debugging):

Tool: start_dbvm_watch
Args: {"address": "0x401000"}

What writes to address:

Tool: what_writes
Args: {"address": "0x789000"}

What accesses address:

Tool: what_accesses
Args: {"address": "0x789000", "type": "read"}

设置断点：

工具：set_breakpoint
参数：{
  "address": "0x401000",
  "type": "hardware",
  "condition": "rax==5"
}

设置数据断点（监控内存写入）：

工具：set_data_breakpoint
参数：{"address": "0x789000", "size": 4, "type": "write"}

启动DBVM监控（隐形调试）：

工具：start_dbvm_watch
参数：{"address": "0x401000"}

查找写入指定地址的代码：

工具：what_writes
参数：{"address": "0x789000"}

查找访问指定地址的代码：

工具：what_accesses
参数：{"address": "0x789000", "type": "read"}

Memory Writing

内存写入

Write integer:

Tool: write_integer
Args: {"address": "0x123000", "value": 9999, "size": 4}

Write bytes:

Tool: write_memory
Args: {"address": "0x401000", "bytes": [0x90, 0x90, 0x90]}

Freeze value:

Tool: freeze_address
Args: {"address": "0x123000", "value": 1000, "description": "Player Health"}

写入整数：

工具：write_integer
参数：{"address": "0x123000", "value": 9999, "size": 4}

写入字节：

工具：write_memory
参数：{"address": "0x401000", "bytes": [0x90, 0x90, 0x90]}

冻结数值：

工具：freeze_address
参数：{"address": "0x123000", "value": 1000, "description": "Player Health"}

Code Injection

代码注入

Inject DLL:

Tool: inject_dll
Args: {"dll_path": "C:\\mods\\trainer.dll"}

Execute shellcode:

Tool: execute_code
Args: {
  "code": "mov rax, 1; ret",
  "address": "0x500000"
}

Auto-assembler:

Tool: auto_assemble
Args: {
  "script": "[ENABLE]\nalloc(hook,128)\nhook:\n  mov [health],#999\n  ret"
}

注入DLL：

工具：inject_dll
参数：{"dll_path": "C:\\mods\\trainer.dll"}

执行Shellcode：

工具：execute_code
参数：{
  "code": "mov rax, 1; ret",
  "address": "0x500000"
}

自动汇编：

工具：auto_assemble
参数：{
  "script": "[ENABLE]\nalloc(hook,128)\nhook:\n  mov [health],#999\n  ret"
}

Symbol Management

符号管理

Register symbol:

Tool: register_symbol
Args: {"name": "PlayerHealth", "address": "0x789000"}

Get symbol info:

Tool: get_symbol_info
Args: {"symbol": "PlayerHealth"}
Returns: {"address": "0x789000", "type": "int32"}

Enable Windows symbols (PDB):

Tool: enable_windows_symbols
Args: {"enable": true}

注册符号：

工具：register_symbol
参数：{"name": "PlayerHealth", "address": "0x789000"}

获取符号信息：

工具：get_symbol_info
参数：{"symbol": "PlayerHealth"}
返回：{"address": "0x789000", "type": "int32"}

启用Windows符号（PDB）：

工具：enable_windows_symbols
参数：{"enable": true}

Cheat Table Operations

作弊表操作

Load cheat table:

Tool: load_table
Args: {"path": "C:\\cheats\\game.CT"}

Save cheat table:

Tool: save_table
Args: {"path": "C:\\cheats\\backup.CT"}

Get address list:

Tool: get_address_list
Returns: [
  {"description": "Health", "address": "0x789000", "value": 100},
  {"description": "Gold", "address": "0x789100", "value": 5000}
]

加载作弊表：

工具：load_table
参数：{"path": "C:\\cheats\\game.CT"}

保存作弊表：

工具：save_table
参数：{"path": "C:\\cheats\\backup.CT"}

获取地址列表：

工具：get_address_list
返回：[
  {"description": "Health", "address": "0x789000", "value": 100},
  {"description": "Gold", "address": "0x789100", "value": 5000}
]

Common Workflows

常见工作流

Finding a Dynamic Value

查找动态数值

User: "Find my gold amount, it's currently 15000"

Agent workflow:
1. scan_all(value_type="4byte", value="15000")
   → Returns 47 addresses

User: "I bought something, gold is now 14750"

2. next_scan(value="14750")
   → Filters to 3 addresses

User: "What writes to the first one?"

3. set_data_breakpoint(address=results[0], type="write")
4. [User triggers gold change in game]
5. get_debug_info()
   → Returns instruction that modified gold

User: "Disassemble that function"

6. disassemble(address=breakpoint_address, count=50)
   → Shows full AddGold/SubtractGold logic

用户："找到我的金币数量，当前是15000"

Agent工作流：
1. scan_all(value_type="4byte", value="15000")
   → 返回47个地址

用户："我买了东西，现在金币是14750"

2. next_scan(value="14750")
   → 过滤到3个地址

用户："第一个地址是被什么代码写入的？"

3. set_data_breakpoint(address=results[0], type="write")
4. [用户在游戏中触发金币变化]
5. get_debug_info()
   → 返回修改金币的指令

用户："反汇编这个函数"

6. disassemble(address=breakpoint_address, count=50)
   → 显示完整的增减金币逻辑

Reverse Engineering a Pointer Chain

逆向工程指针链

User: "Find the player's coordinates"

Agent workflow:
1. scan_all(value_type="float", value="125.5")  # Current X position
2. next_scan(value="126.3")  # After moving
3. pointer_scan(address=result_address, max_level=5)
   → Finds: [[game.exe+0x1234]+0x18]+0x30

User: "Verify that pointer is stable"

4. read_pointer_chain(base="game.exe+0x1234", offsets=[0x18, 0x30])
5. register_symbol(name="PlayerX", address=final_address)

用户："找到玩家的坐标"

Agent工作流：
1. scan_all(value_type="float", value="125.5")  # 当前X坐标
2. next_scan(value="126.3")  # 移动后的值
3. pointer_scan(address=result_address, max_level=5)
   → 找到：[[game.exe+0x1234]+0x18]+0x30

用户："验证这个指针是否稳定"

4. read_pointer_chain(base="game.exe+0x1234", offsets=[0x18, 0x30])
5. register_symbol(name="PlayerX", address=final_address)

Creating an AOB Signature (Update-Proof)

创建可抵御版本更新的AOB签名

User: "I found the health function at 0x401000, make it update-resistant"

Agent workflow:
1. disassemble(address="0x401000", count=20)
2. analyze_function(address="0x401000")
3. Identify unique byte pattern with wildcards:
   "48 8B 05 ?? ?? ?? ?? 48 85 C0 74 ?? 8B 40 ??"
4. aob_scan(pattern=generated_pattern)
   → Verify only 1 result
5. Returns AOB for use in trainer scripts

用户："我在0x401000找到生命值函数，生成一个能抵御版本更新的签名"

Agent工作流：
1. disassemble(address="0x401000", count=20)
2. analyze_function(address="0x401000")
3. 识别带通配符的唯一字节模式：
   "48 8B 05 ?? ?? ?? ?? 48 85 C0 74 ?? 8B 40 ??"
4. aob_scan(pattern=generated_pattern)
   → 验证仅返回1个结果
5. 返回可用于修改器脚本的AOB签名

Understanding a C++ Object

分析C++对象

User: "What's at address 0x500000?"

Agent workflow:
1. get_rtti_classname(address="0x500000")
   → "CPlayerInventory"
2. dissect_structure(address="0x500000", size=256)
   → 0x00: vtable
   → 0x08: itemCount (int32) = 15
   → 0x10: itemArray (pointer) = 0x600000
3. read_pointer_chain(base="0x500000", offsets=[0x10])
4. dissect_structure(address="0x600000", size=64)
   → Array of CItem objects

用户："0x500000地址是什么内容？"

Agent工作流：
1. get_rtti_classname(address="0x500000")
   → "CPlayerInventory"
2. dissect_structure(address="0x500000", size=256)
   → 0x00: vtable
   → 0x08: itemCount (int32) = 15
   → 0x10: itemArray (pointer) = 0x600000
3. read_pointer_chain(base="0x500000", offsets=[0x10])
4. dissect_structure(address="0x600000", size=64)
   → CItem对象数组

Configuration

配置选项

Environment Variables

环境变量

Set before starting the MCP client:

bash

undefined

启动MCP客户端前设置：

bash

undefined

Timeout for MCP tool calls (default: 30 seconds)

MCP工具调用超时时间（默认：30秒）

set CE_MCP_TIMEOUT=60

Enable shell execution tools (DANGEROUS - arbitrary code execution)

启用Shell执行工具（危险 - 允许任意代码执行）

set CE_MCP_ALLOW_SHELL=1

undefined

set CE_MCP_ALLOW_SHELL=1

undefined

Lua Bridge Customization

Lua桥接脚本自定义

Edit

ce_mcp_bridge.lua

to customize:

lua

-- Change named pipe (if multiple instances needed)
local PIPE_NAME = "\\\\.\\pipe\\CE_MCP_Bridge_v99"

-- Adjust worker thread wait time
local WORKER_WAIT_MS = 10

-- Enable verbose logging
DEBUG_MODE = true

编辑

ce_mcp_bridge.lua

进行自定义：

lua

-- 修改命名管道（需要多实例时使用）
local PIPE_NAME = "\\\\.\\pipe\\CE_MCP_Bridge_v99"

-- 调整工作线程等待时间
local WORKER_WAIT_MS = 10

-- 启用详细日志
DEBUG_MODE = true

Troubleshooting

故障排查

"Too many local variables" error

"Too many local variables" 错误

Problem: Cheat Engine Lua compiler limit (200 locals per chunk).

Solution: Use

dofile()

to load from disk instead of pasting script into cheat table:

lua

dofile([[C:\path\to\ce_mcp_bridge.lua]])

问题： Cheat Engine Lua编译器限制（每个代码块最多200个局部变量）。

解决方案： 使用

dofile()

从磁盘加载脚本，而非粘贴到作弊表中：

lua

dofile([[C:\path\to\ce_mcp_bridge.lua]])

MCP client cannot connect

MCP客户端无法连接

Checklist:

Cheat Engine shows

MCP Server Listening on: CE_MCP_Bridge_v99

MCP client was restarted after adding server config
Python path in config is correct and uses forward slashes
```
pip install mcp pywin32
```
completed successfully

Test with

ping

tool - should return

{"success": true, "version": "12.0.0"}

检查清单：

Cheat Engine控制台显示

MCP Server Listening on: CE_MCP_Bridge_v99

添加服务器配置后已重启MCP客户端
配置中的Python路径正确且使用正斜杠
```
pip install mcp pywin32
```
安装成功

使用

ping

工具测试 - 应返回

{"success": true, "version": "12.0.0"}

BSOD (CLOCK_WATCHDOG_TIMEOUT)

蓝屏（CLOCK_WATCHDOG_TIMEOUT）

Problem: Conflict between DBVM and "Query memory region routines" when scanning protected memory.

Solution: MUST disable in Cheat Engine:

Settings → Extra → UNCHECK "Query memory region routines"

问题： 扫描受保护内存时，DBVM与"查询内存区域例程"冲突。

解决方案： 必须在Cheat Engine中禁用：

设置 → 附加选项 → 取消勾选 "查询内存区域例程"

Process attach fails

进程附加失败

Tool: get_process_list
→ Find exact process name

Tool: open_process
Args: {"process_name": "exact_name.exe"}  # Case-sensitive, include .exe

工具：get_process_list
→ 找到精确的进程名称

工具：open_process
参数：{"process_name": "exact_name.exe"}  # 区分大小写，需包含.exe

Pointer scan returns no results

指针扫描无结果

Increase scan parameters:

Tool: pointer_scan
Args: {
  "address": "0x789000",
  "max_level": 7,        # Increase depth
  "max_offset": 8192     # Increase offset range
}

增大扫描参数：

工具：pointer_scan
参数：{
  "address": "0x789000",
  "max_level": 7,        # 增加扫描深度
  "max_offset": 8192     # 增加偏移范围
}

AOB scan finds too many results

AOB扫描结果过多

Add context bytes:

undefined

添加上下文字节：

undefined

Too generic:

过于通用：

"89 45 ??"

More specific (add surrounding instructions):

更具体（添加周围指令）：

"48 8B 05 ?? ?? ?? ?? 48 85 C0 74 ?? 89 45 ?? C3"


**Limit search scope:**

Tool: aob_scan Args: { "pattern": "...", "writable": false, "executable": true, # Only search code sections "start_address": "game.exe", "end_address": "game.exe+0x500000" }

undefined

"48 8B 05 ?? ?? ?? ?? 48 85 C0 74 ?? 89 45 ?? C3"


**限制搜索范围：**

工具：aob_scan 参数：{ "pattern": "...", "writable": false, "executable": true, # 仅搜索代码段 "start_address": "game.exe", "end_address": "game.exe+0x500000" }

undefined

Testing

测试

Run the test suite to verify installation:

bash

cd MCP_Server
python test_mcp.py

Expected output:

✅ Memory Reading: 6/6 tests passed
✅ Process Info: 4/4 tests passed  
✅ Code Analysis: 8/8 tests passed
✅ Breakpoints: 4/4 tests passed
✅ DBVM Functions: 3/3 tests passed
✅ Utility Commands: 11/11 tests passed
────────────────────────────────────
Total: 36/37 PASSED (100% success)

运行测试套件验证安装：

bash

cd MCP_Server
python test_mcp.py

预期输出：

✅ Memory Reading: 6/6 tests passed
✅ Process Info: 4/4 tests passed  
✅ Code Analysis: 8/8 tests passed
✅ Breakpoints: 4/4 tests passed
✅ DBVM Functions: 3/3 tests passed
✅ Utility Commands: 11/11 tests passed
────────────────────────────────────
Total: 36/37 PASSED (100% success)

Example: Complete Trainer Creation

示例：完整修改器创建

User: "Create a health trainer for game.exe"

Agent executes:
1. open_process(process_name="game.exe")
2. scan_all(value_type="4byte", value="100")  # Current health
3. [User takes damage]
4. next_scan(value="85")
5. [Repeat until 1-3 addresses remain]
6. set_data_breakpoint(address=result[0], type="write")
7. [User takes damage again]
8. disassemble(address=breakpoint_hit, count=30)
9. Identify health variable and function
10. generate_api_hook_script(address=health_function)
11. auto_assemble(script=hook_script)
12. freeze_address(address=health_addr, value=999, description="Infinite Health")
13. save_table(path="C:\\trainers\\game_trainer.CT")

Result: Cheat table with working infinite health

用户："为game.exe创建一个生命值修改器"

Agent执行步骤：
1. open_process(process_name="game.exe")
2. scan_all(value_type="4byte", value="100")  # 当前生命值
3. [用户受到伤害]
4. next_scan(value="85")
5. [重复直到剩余1-3个地址]
6. set_data_breakpoint(address=result[0], type="write")
7. [用户再次受到伤害]
8. disassemble(address=breakpoint_hit, count=30)
9. 识别生命值变量与函数
10. generate_api_hook_script(address=health_function)
11. auto_assemble(script=hook_script)
12. freeze_address(address=health_addr, value=999, description="无限生命值")
13. save_table(path="C:\\trainers\\game_trainer.CT")

结果：生成带有可用无限生命值功能的作弊表

Key Documentation Files

核心文档文件

AI_Context/MCP_Bridge_Command_Reference.md - All 180+ MCP tools documented
AI_Context/CE_LUA_Documentation.md - Full Cheat Engine 7.6 Lua API reference
AI_Context/AI_Guide_MCP_Server_Implementation.md - Technical architecture details

AI_Context/MCP_Bridge_Command_Reference.md - 所有180+个MCP工具的文档
AI_Context/CE_LUA_Documentation.md - 完整的Cheat Engine 7.6 Lua API参考
AI_Context/AI_Guide_MCP_Server_Implementation.md - 技术架构细节

Best Practices

最佳实践

Always verify process attachment before memory operations
Use symbols instead of hardcoded addresses for maintainability
Test AOB signatures after game updates to ensure reliability
Prefer hardware breakpoints over software breakpoints (no code modification)
Use DBVM for anti-cheat evasion when targeting protected games
Save cheat tables frequently during development
Document pointer chains with register_symbol for reuse

内存操作前务必验证进程附加状态
使用符号而非硬编码地址以提升可维护性
游戏更新后测试AOB签名确保可靠性
优先使用硬件断点而非软件断点（无需修改代码）
针对受保护游戏时使用DBVM规避反作弊
开发过程中频繁保存作弊表
使用register_symbol记录指针链以便复用

Security Notes

安全注意事项

⚠️ This tool enables:

Reading/writing arbitrary process memory
Code injection and execution
DLL injection
System-level debugging (DBVM)

Use only for:

Educational purposes
Single-player games/mods
Security research
Authorized penetration testing

Do NOT use for:

Multiplayer cheating (violates TOS, illegal in some jurisdictions)
Malware development
Unauthorized access to protected software

⚠️ 本工具支持以下操作：

读取/写入任意进程内存
代码注入与执行
DLL注入
系统级调试（DBVM）

仅可用于：

教育目的
单机游戏/模组开发
安全研究
授权渗透测试

禁止用于：

多人游戏作弊（违反服务条款，部分地区属非法行为）
恶意软件开发
未经授权访问受保护软件