How To Stealth A Program From A Game Cheat Engine

Additions and changes: Added support for il2cpp (mono) Added support for.NET dll plugins Change register on breakpoint now also affects FP and XMM registers Added CEShare, a way to share your tab.

  • Sponsor
    • Choose a tag to compare
    • Choose a tag to compare

    cheat-engine released this Apr 22, 2020 · 324 commits to master since this release

    Additions and changes:

    • Added support for il2cpp (mono)
    • Added support for .NET dll plugins
    • Change register on breakpoint now also affects FP and XMM registers
    • Added CEShare, a way to share your tables with other people
    • Improved disassembling
    • copy bytes+addresses now only does bytes+addresses
    • call filter can now use the unwind data for functions to get a decent list of instructions
    • structure dissect shows the pointerpath at the bottom
    • Follow register while stepping (rightclick the register to show the option)
    • registersymbol and label now support multiple definitions in one line
    • improved the speed of the structure list when getting data from a pdb
    • hexview: doubleclicking a non-byte value now shows in the type you set
    • added sorting to the found code dialog
    • added filtering to the changed addresses window
    • the debugger settings won't lock from changing anymore, still needs you to reopen a process to have an affect
    • added always hide children groupoption
    • group headers can act as address now
    • AA command createthreadandwait now has a timeout parameter
    • Assembler scanning improvement
    • Added an AVX2 version of CE, which will speed up all those floating point operations CE does so much...
    • Improved structure lookup for PDB files
    • Symbolhandler can now have the following types in front of pointers : (BYTE), (WORD), (DWORD), (QWORD), (CHAR), (SHORT), (INT), (INT64) to typecast the pointer to a value of that type
    • Structure dissect can detect vc++ and object pascal classnames now
    • Dissect code now also detects references to strings
    • Sorting the addresslist now sorts faster and more properly with regards to groups (depends on the level your current selection is)
    • Rightclick the addresslist header to bring up a menu which allows you to disable sorting
    • Improved the processlist responsiveness
    • The chosen floating point rounding type is now saved in the registry
    • You can now use (addresslist description) as an address
    • Improved autocomplete

    Changes:

    • DBVM doesn't activate the TSC hook by default. You can still activate it by using dbvm_enableTSCHook()

    Fixes:

    • Fixed memoryleak when opening a file for hexediting again
    • Fixed utf8 display of the dissect windows window
    • Clear the taskbar progress when using a custom scan
    • Hexview: Fixed changing the address when pressing a non char key
    • Hexview: Fixed changing the address when doubleclicking and then canceling
    • alloc with a prefered base is now more aggressive in getting the range you want
    • fixed mono symbol lookup while dlls are still being loaded
    • fixed the structure compare not giving a proper errormessage
    • fixed improper error messages in structure dissect
    • fixed opening process in XP
    • fixed potential deadlock with the symbolhander
    • fixed issue with using the process var as symbol
    • fixed default form size for some windows when using high DPI
    • fixed DBVM on systems that have the default MTRR set as 6 (e.g Asus systems)
    • fixed DBVM find what accesses with large datasets
      Lua
      New functions:
      function onTableLoad(before)
      sendMessageTimeout
      createTimer(delay,function())
      createStructureFromName()
      createSynEdit()
      changes:
      fixed executeCodeLocalEx with certain parameter definitions
      fixed openFileAsProcess
      checkSynchronize has a timeout now
      OnGetDisplayValue now also works on AA records(<script>)
    Recreating Geri's tutorials and articles before his site got wiped out. Wealth of information in it!
    -----
    UPDATE, 21th May, 2012: Cheat Engine 6.2 is released and if you use it already, you are able to use the new Stealthedit 2. Scroll down to the bottom of the original article to see the section about Stealthedit 2.
    This tutorial will cover how to use stealthedit plugin for Cheat Engine in order to bypass memory checks without any extra hassle.
    You will need:
    Cheat Engine 6.1 or higher (Created by Dark Byte)
    Stealthedit plugin (discussed below)
    32-bit version of the tutorial of CE 6.1 (Part of CE 6.1 but included here for your convenience, in case you have another version)
    What is stealthedit plugin:
    This plugin was made to deal with memory integrity checks that you may find in single player games sometimes. If a game has such protection, it will scan the game codes in the memory and in case it will find some difference compared to the original codes, it will usually just crash the game. Such a memory check was described already in the Dealing with Xlive and similar protections article. These memory checks are sometimes added to keep out crackers (which has nothing to do with the current topic as cracks are obviously working differently from trainers) and in some rare cases, they are added as an anti-cheat protection (which is already our concern if we want to make god mode or other cheat, or a simple modification that makes the game more fun). Also note that we are talking about single player games so if you plan to use this in a multiplayer game, you will most likely utterly fail as those games are using hackshields of all kind, most of them detecting Cheat Engine to start with, so don't even bother asking me about multiplayer usage of this plugin, because this is not the point of this article.
    The stealthedit plugin is NOT created by me, I write the documentation and tutorial only.
    Now if you are a beginner and you want to skip technical gibberish that is useful though not very neccessary to use this plugin, just download stealthedit ( Download link for stealthedit plugin ) and jump to the How to install and enable the plugin part.
    How is it working:
    The idea behind the stealthedit plugin is that we do not modify the original code at all, instead we make a copy of that code and re-route the program to use the copy instead of the original code. Since the memory check is scanning the unmodified original code only, we can do whatever we want with our copy, including code injections, which is the main method of creating cheats.
    Technical stuff:
    It is working on both 32 and 64 bit systems and it requires Cheat Engine 6.1 or higher. Here are some notes from the creator of this plugin:
    stealthedit should work on 64-bit systems as well (as long as the target is 32-bit, I haven't implemented the local page method yet which is required due to RIP addressing).
    If you use Cheat Engine 6.1: There is a bug where the first plugin never gets enabled on restart. to get by that just add any other plugin as first plugin (like the c-example) and keep it disabled.
    Then add the stealthedit plugin
    Compatibility notes:
    XP SP1 and before:Probably won't work
    XP SP2 and Vista NO SP: Enable DEP for ALL programs
    XP SP3+ and Vista SP1+: Should just work
    This plugin is using the SetProcessDEPPolicy API to let windows pass the no execute exception down to the target process and raise an exception. When the exception is raised, CE will re-direct the program to use the copy instead of the original code, so we can run our little script that we inject into the copy without being detected by the memory integrity check.
    Download link for the stealthedit plugin
    How to install and enable the plugin:
    Just download the plugin, copy it in some folder wherever you want (I recommend to create a folder in CE folder) and choose the plugin in the CE settings.
    1. Open Cheat Engine.
    2. Click on Settings.
    3. Choose Plugins.
    4. Click on Add new.
    5. Select the downloaded DLL file (i386 for 32-bit, x86_64 for 64-bit).
    6. Enable the checkbox.
    7. Click on OK.
    IMPORTANT for CE 6.1 users.
    If you use Cheat Engine 6.1: There is a bug where the first plugin never gets enabled on restart. to get by that just add any other plugin as first plugin (like the c-example) and keep it disabled.
    This bug has been fixed in CE 6.2.
    Here is a video to help you installing the plugin (note that I had the C plugin added already, this is why I deleted it to show how to add it again from start).
    Now that we have added our plugin, some new (and awesome) options will appear in Cheat Engine. Open the disassembler view, right-click on a code and choose the 'Stealthedit this page' option. As you will see (also shown on the video), the original code that you have copied is marked with blue color, and the copy is marked with green color. In the address column, you will see the address of the original code and the address of the copy too, thus you can jump from one to another. Obviously, we want to use the copy instead of the original code so whatever changes you do with the code, do it on the green codes. Also note that the code before and after the green part will not be used, so it is useless to fiddle with it. If you want to change a code, use stealthedit on it and modify the green codes only.
    Additionally, the plugin will enable a new auto-assemble instruction that you can use in your scripts. The new instruction is
    stealthedit(name, address, size)
    You will have to give a name to the memory address that you copy, you have to specify the address that you want to copy and also type in how much memory do you want to copy. If let's say the code you want to modify is 6 bytes, put in 6 for size, or any small number that you like.
    NOTE: Stealthedit will copy at least the whole page, even if you give a smaller size.
    How To Stealth A Program From A Game Cheat EngineStealthedit instruction tutorial:
    In this final part, you will learn how to use the stealthedit instruction with a small unofficial Cheat Engine tutorial that I have created for you. If you didn't get the 32-bit version of the CE 6.1 tutorial yet, download it now ( 32-bit version of the tutorial of CE 6.1 ).
    Additionally, you will need a cheat table that I have created for testing, learning and practicing. You can download the cheat table from here:
    Stealthedit tutorial CT
    Do not peek into the scripts or you will ruin the challenge of completing the steps by yourself. You will see 5 scripts in the table:
    Lame memory protection
    Solve tutorial step 2
    Solve tutorial step 2 with stealthedit
    Solve tutorial step 3
    Solve tutorial step 3 with stealthedit
    Start the CE 6.1 tutorial and enable 'Solve tutorial step 2'. Proceed to the second step of the tutorial, click on the Hit me button and guess what, the Next button will be available. Same goes to step 3. This can be done easily, just check which code is writing to the address of health, and make a small script such as:
    [ENABLE]
    //code from here to '[DISABLE]' will be used to enable the cheat
    alloc(newmem,2048) //2kb should be enough
    label(returnhere)
    label(originalcode)
    label(exit)
    newmem: //this is allocated memory, you have read,write,execute access
    originalcode:
    sub [ebx+00000458],eax
    mov [ebx+00000458],(int)1000
    exit:
    jmp returnhere
    'Tutorial-i386.exe'+20F3E:
    jmp newmem
    nop
    returnhere:
    [DISABLE]
    //code from here till the end of the code will be used to disable the cheat
    dealloc(newmem)
    'Tutorial-i386.exe'+20F3E:
    sub [ebx+00000458],eax
    //Alt: db 29 83 58 04 00 00
    I hope this is clear, it should be at this point, the very basics of code injection. If it is not clear, you should learn the basics of code injection first. This is how you make an easy cheat when there is no memory check. Smooth like a dream.
    Restart the tutorial and enable the 'Lame memory protection' option. (Before you even think about looking at this protection, this is in no way similar to a real life memory protection, it is just imitating it and checking a few codes only and as stupid as lame as it is, it will do it's job for this practice.) Now that the protection is enabled, try to enable the script that you used before to solve the tutorial, 'Solve tutorial step 2'. If I have done it right, you should experience a small problem, namely that the tutorial has just closed. That's what happens if you try to change a protected code. If you want, you can also try to replace the original code with a NOP at address at 00420F3E or 004213F7, but the same thing will happen, the tutorial will be closed. My lame check will detect if you try to change any of these codes that are writing to the value, so code injection is a no go. Sure you could go and find another code, but in a real life memory check, all codes are scanned so there are no alternative codes that you could use.
    What we did so far is that we have enabled a memory check and experienced what would happen in a real life situation. Now we try out stealthedit. Restart the tutorial, enable the memory check and enable the 'Solve tutorial step 2 with stealthedit' option. It should work like a charm, no crash, but a working cheat, that's how we want it. Here is the script that you would see in that option:
    [ENABLE]
    //code from here to '[DISABLE]' will be used to enable the cheat
    stealthedit(stealth_tut2,00420F3E,6) //name is stealth_tut2, the address that we copy is 00420F3E and the code is 6 bytes long
    alloc(newmem,2048) //2kb should be enough
    label(returnhere)
    label(originalcode)
    label(exit)
    How to stealth a program from a game cheat engineerregistersymbol(staddress) //we register a symbol and label that can be used in the DISABLE section to disable the script
    label(staddress)
    newmem: //this is allocated memory, you have read,write,execute access
    originalcode:
    sub [ebx+00000458],eax
    mov [ebx+00000458],(int)1000
    exit:
    jmp returnhere
    stealth_tut2: //this is where we change our hook from the original code to the copy, stealth_tut2 = the address of the copy of 00420F3E

    How To Stealth A Program From A Game Cheat Engine 6.6


    staddress: //and we make sure that the address of the copy is stored on staddress too
    jmp newmem
    nop
    returnhere:
    [DISABLE]
    //code from here till the end of the code will be used to disable the cheat
    dealloc(newmem)
    staddress: //we restore the copy to it's original state to disable the cheat
    sub [ebx+00000458],eax
    //Alt: db 29 83 58 04 00 00
    Compare the 2 scripts for step 2 (DO NOT look into the script for step 3), standard and stealthedit, see the differencies and read the comments. Hopefully it will clear up how is this instruction used. Also note that the stealthedit instruction can be used only once on a memory region and because of this, you can enable this cheat only once. If you disable it after that, you have to restart the game to use the cheat again.
    Alternatively, you could just right-click on this code,
    00420F3E - 29 83 58040000 - sub [ebx+00000458],eax
    create a copy and replace the green code with a NOP. This would make sure that your health will not decrease but you are not catched by the memory check since the original code is unchanged.
    Here is a video to summarize this part:
    1. Solve tutorial step 2-3 without protection is working fine.
    2. Solve tutorial step 2-3 with protection is working crashing.
    3. Using NOP on the proteced code is causing a crash.
    4. Using Solve tutorial step 2-3 with stealthedit is working even when the protection is enabled.
    5. Using NOP on the green copy is working fine, using NOP on the blue original code is causing a crash (just as it should be).
    Exercise:
    Now that you have seen how to solve step 2, it is time to make your own script. To complete the exercise, you need to create a script with stealthedit to solve step 3 of the tutorial while the memory check is enabled.
    There is a restriction: Your code should change the health to 5000 when you press the Hit me button. The code that is writing to the health is 004213F7 - 29 B3 5C040000 - sub [ebx+0000045C],esi
    For the sake of this exercise, you are not allowed to use any other code to create your cheat and it should work exactly as I have described. You have to use stealthedit on this code. The solution is available in the CT, but if you want to learn how to do it yourself, do not peek into the script, do it completely by yourself.
    If your cheat is working even when the lame memory integrity check is enabled, you have successfully learned how to use stealthedit and you will be able to use it the same way on properly protected single player games, be it protected by Xlive or other memory check.
    This concluded the lame stealthedit tutorial.
    Stealthedit 2
    I have updated this article to add a new version of stealthedit that can be used with CE 6.2 and above. Stealthedit 2 has all the features of the previous version and scripting is working the same way, so the scripts that you have made for Stealthedit will work without any problem with Stealthedit 2 too.
    New feature of SE2:
    The new feature in Stealthedit 2 is 'Find integrity scan routine(s)'. As the name suggests, this version is not just able to avoid memory integrity checks, but it can also find them and display where they are. Pretty cool feature, especially for beginners, but even experts could find it interesting that SE2 is not using any debugger to find the checks, so it will not interfere with debugger protections.
    Let's check it out, first you need to download it so click on:
    Stealthedit 2 download link

    How To Stealth A Program From A Game Cheat Engine 6.4


    Enable it the same way as you do with the previous version. Notice that there was a bug in CE 6.1 with plugin selections, but this is fixed in CE 6.2 so skip this part:
    IMPORTANT for CE 6.1 users.
    If you use Cheat Engine 6.1: There is a bug where the first plugin never gets enabled on restart. to get by that just add any other plugin as first plugin (like the c-example) and keep it disabled.
    This bug has been fixed in CE 6.2.
    Now in CE 6.2, you should see a 'Plugins' option in the main menu. Click on it and choose 'Stealthedit settings'. You will see a new window where you can select 'Find integrity scan routine(s)'. Enable it and click on 'Apply settings'. Remember that when you start Cheat Engine, this option is turned off by default, but you will rarely have to use it, so it is good this way.
    You can test it on some game, but for my example, I will use the same tutorial and memory check that I have made for the Stealthedit tutorial. So start the Cheat Engine 6.1 tutorial and load the Stealthedit tutorial CT that you can find above. First, enable the 'Lame memory protection' option, then activate the 'Solve tutorial step 2 with stealthedit' option. In just a few milliseconds, Cheat Engine will show you a new window, called 'Integrity scan routines'. In the window, you will find an address, which is the address of the code that is checking the memory. Double-click on the address and the disassembler will jump to the code, which is in this case
    cmp [Tutorial-i386.exe+20F3C],832940FF
    Yes, this is my lame memory check so you are at the right address. A real memory check code would look differently of course, but the important thing is that this plugin can find the code for you. From this point, it is up to you to disable the memory check if you want to disable it at all, or just use the stealthedit plugin to make a script that will not be found by this check.
    Rewatch page after set time:
    This is a setting for the integrity scan finder. The default value for it is 100 ms but on my computer, setting it to 1 ms did not cause any problems. The lower the better. If CE is scanning the page more frequently, there is a higher chance that it will find the integrity check. Setting this value to as low as possible has a major impact on the time that you need to find that check. In some cases, I needed 5-10 minutes to find a check with 100 ms scanning time, but I have found it almost immediately with 1 ms scanning time. So if your computer can handle it, set it to as low as you can. Of course if the check itself is slow and it is rarely scanning the stealthedited memory region, it will still take some time to find it. Patience is a virtue.
    A few things to mention regarding this feature.
    1. Normal memory integrity checks are not so incredibly fast like my memory check. My check is fast because it is checking a few bytes only, but normal memory checks are scanning much larger areas. It can take minutes or in some cases even 10 or 20 minutes for a memory check to scan the area.
    2. This feature will find memory checks that are scanning the stealthedited area, not all memory checks in the game. If a memory integrity check is not scanning the stealthedited memory region, it will not be found.
    3. A side effect of this feature is that it will interfere with the disassembler. When you stealthedit a page, the disassembler will show only ?? or some random values in that area. Keep in mind that the memory region didn't change and if you turn off the option, the disassembler will work again and it will show the correct codes.
    4. As I said, this feature is not using the debugger so if the game is crashing as soon as you attach a debugger to it and you want to find a memory check, this is a good way to do it.

    How To Stealth A Program From A Game Cheat Engines

    Ok as usually, here is a video to show how it works. You can see how to turn on the feature, then I activate the memory check and as I said, it will not be found until a memory region is stealthedited. You can do this by using the stealthedit instruction in an AA script, or doing it manually in the disassembler window. It also shows that the disassembler will be messed up a bit, but as you turn off the feature, it will work normally again.
    Peace!

    How To Stealth A Program From A Game Cheat Engineer


    Geri