A small Cheat Engine helper for live RTTI-based class lookup.
It scans for MSVC RTTI class names, lets you pick a class from a searchable list, resolves the class’s RTTI / COL / vtable chain, and then looks for candidate instances and possible static refs.
The goal is simple: go from "I know the class name" to "give me useful addresses" with as little friction as possible.
After you attach CE and run the script, you can choose a narrow or broad RTTI discovery scope, pick a class from the searchable list, and inspect the quick results first. If you want broader coverage, you can then run the full scan.
In practice, the quick pass is meant to give you useful hits early:
- likely object addresses
- likely static/image refs
- fast starting points for ReClass or more manual CE work
- process-only or broader RTTI discovery
- searchable custom class picker
- keyboard-friendly navigation
- owner-module-aware RTTI resolution
- x64-aware TypeDescriptor / CompleteObjectLocator handling
- dedupe for RTTI info, vtables, candidate instances, and refs
- quick pass over relevant writable image sections
- optional full scan fallback for broader coverage
- best-effort cancellation for longer scan phases
- formatted address output with module + offset where available
- best-effort x86 support, with x64 as the main target
Attach Cheat Engine to the target, run the script, choose the RTTI discovery scope, and pick a class from the searchable list.
From there:
- check the quick results first
- inspect candidate instances in ReClass / CE
- use static refs as possible stable entry points
- optionally run the full scan if you want wider coverage
The script reports candidate instance addresses and candidate static/image refs.
That means:
- some hits will be exactly what you want
- some hits may be subobjects or intermediate pointers
- some classes, especially with multiple inheritance, can produce addresses that are valid but not the start of the full object
So it is best used as a practical reverse-lookup helper, not as a guarantee that every hit is a perfect object base.
- CE_RTTI_Reverse_Lookup.CT - ready-to-use Cheat Engine table
- RTTI_Reverse_Lookup.lua - standalone Lua source version
The Lua file is the easier source form to read and edit; the table contains the CE-ready embedded version.
This script mainly grows out of Dark Byte’s Cheat Engine RTTI/forum/GitHub issue code/snippets and the later discussion around it.
It also borrows ideas from other RTTI / vtable-oriented tools and writeups while adapting them into a CE Lua workflow.
In particular, ideas were adapted from:
This project is still its own CE-script workflow rather than a direct port.
- cheat-engine/cheat-engine#1159
- https://www.cheatengine.org/forum/viewtopic.php?t=613639
- GrandpaGameHacker/ClassDumper
- https://florian0.wordpress.com/2017/12/21/using-runtime-type-information-rtti-to-extract-class-names-and-hierarchy
- https://www.framedsc.com/GeneralGuides/using_rtti.htm
- https://badecho.com/index.php/2020/09/25/hacking-dark-souls-iii-part-1
- r3sus/CE_RTTI_Scanner
This script targets Microsoft-style C++ RTTI layouts (.?AV..., CompleteObjectLocator / TypeDescriptor-style layouts).
A few practical limits to keep in mind:
- x64 is the main target
- x86 is best-effort only
- raw RTTI class lists can contain engine, library, template, or compiler-generated noise
- full scans can still be slow on large processes
- this is an interactive CE helper, not a full replacement for a dedicated injected native RTTI/vtable dumper
