Cheat Engine:Internals

From Cheat Engine
Revision as of 14:51, 23 April 2022 by Chris314 (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Speedhack[edit]

CE has 2 different types of speedhack: the old one and the new one.

The old one is located in speedhack.pas of the cehook project (cehook.dll). When it gets activated, it uses a simple hook on those functions (just place with a hook and never even bother calling the original function). Then it injects and starts a very high priority thread in the open process (game) which will increase time counters for itself using timed sleeping. The speed the time increments with is determined by the speed variable.

When the open (target) process calls those functions, it just fetches the emulated timer functions and passes it to the caller.



The new one is a bit more complex, but less prone to bugs because of a too low sleeptime, or too high, and no thread that counts time for you.

The source for this is located in speedhack2.pas in the main program, and the separate speedhack project. The speedhack-i386.dll or speedhack-x86_64.dll gets injected into the target process and the dll itself has some exports, like speed, addresses of original functions, and an initialize speedhack routine.

Here the hooking and controlling takes place from CE's side and its auto assembler functions. What it does is it first uses the API hook template script on the to hook functions. This results in a script that can be used to hook the functions and fills in some predetermined addresses with the location to call if you want to call the original function (thats what the exports for the original functions are for).

After it's hooked, the export "speed" of the dll is modified to the wanted speed and CreateRemoteThread API is called with the address of the Initialize function to start the speedhack and set a base of reference (the current time).

When a timer function is called it will calculate the new time based on the initial time the speedhack got started, the current time, and the speed. So: returned_time = base_time + ((current_time - base_time) * speed) .

When the speed is modified, the basetime itself is modified as well to make sure the time doesn't go backwards.