Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25807 Location: The netherlands
Posted: Tue Aug 24, 2004 7:04 am
The hide option you've tried is a different one from the one I'm talking about (if you're still using the beta I gave you).
That old one did allow nProtect to open up CE and modify its code.
The new hide/protect (actually the 2nd hide/protect function) prevents CE from getting opened by any other process than itself (in a way that's a lot better than nProtect's own method).
Also, hypermode should be working in the beta of 4.4 you have (unless the method it uses to load the code into the game failed). The only difference you'd see is that it shows a new window with a random title. (In the final version it won't show it.)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
emperor Master Cheater
Reputation: 0
Joined: 16 May 2003 Posts: 470 Location: Germany
Posted: Tue Aug 24, 2004 7:08 am
Wow, hypermode really does seem to work, just not on nProtected games (with the newest 4.4 it gives "hypermode did not respond"; with the older one, using the admin/non-admin trick, I think it gives a "failed to initialize" error).
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25807 Location: The netherlands
Posted: Tue Aug 24, 2004 7:32 am
Yes, hypermode probably won't work with the admin/non-admin trick.
The hypermode option will only start to respond when there is a window in the game that is still handling messages. (It receives my initialization message and then executes the rest of the initialization inside itself.)
My guess is that if you're on another account, all windows become suspended in the other account until you return. (You could try switching to the other account WITHIN 5 SECONDS.)
emperor Master Cheater
Reputation: 0
Joined: 16 May 2003 Posts: 470 Location: Germany
Posted: Tue Aug 24, 2004 9:15 am
I am not switching accounts... it must be AAT's doing, but even if I unfreeze it within less than 5 secs (about 1 sec) it still won't work...
stomperz Expert Cheater
Reputation: 0
Joined: 18 Jul 2004 Posts: 193 Location: USA Chicago
Posted: Wed Aug 25, 2004 3:58 am
Dark Byte wrote:
> If you managed to place a ret there I doubt it's got to do with write protected memory.

Let me clarify my statement. I was able to find the "jmp, xxxx" in the API and simply put a "ret" in the (GAME, not the API) process at "xxxx" to prevent it from executing.
Or as Xeus stated:
> Using this info, coupled with any amount of programming skills that you may
> have, it'd be possible to construct a working GunBound bot by just jumping
> the hook in SendMessage().
Maybe not exactly what he meant, but I was thinking that by going to the offending process and placing a "ret" I could stop it from doing its evil deed.
> But to make memory writable you need to use the kernel mode read/write process memory. Then go to ((addressyouwanttochange/0x1000*4)+0xc0000000) and change the 2nd bit to a 1.
Tried the "((addressyouwanttochange/0x1000*4)+0xc0000000)" but not sure what you mean by "and change the 2nd bit to a 1."
8 bits to a byte, but I'm lost lol
Maybe a link to a newer CE. Deleted the other 4.4 you gave by mistake.
Maybe I need to reinstall. The 4.4 I have doesn't have the "Force to be writable" option.
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25807 Location: The netherlands
Posted: Wed Aug 25, 2004 4:09 am
You need to have the CE kernel mode read/write process memory enabled to see that option in 4.4 (right-click the region).
About the address you gave as an example:
77ED385F is probably the address you want to make writable,
so
(0x77ed385f/0x1000*4)+0xc0000000 = C01DFB4C (I take it you understand 0x means hexadecimal).
You need to add that address as a binary, and make sure you can edit the 2nd bit. (My favourite method would be giving it a length of 1 and setting start bit 1 instead of 0; if you do choose 0 then at least give it a length of 2.)
Then change the bit to 1 and the memory at 77ED385F will be writable.
You'll also need the kernel mode read/write process memory for this.
And it's best if you disable the option "Show and work with binaries as if they are decimals", else you'll see the decimal representation of the binary you've selected, which is not what you want in this case.
emperor Master Cheater
Reputation: 0
Joined: 16 May 2003 Posts: 470 Location: Germany
Posted: Wed Aug 25, 2004 9:20 am
Sorry to post here again, but Dark Byte, you left my comment uncommented. I don't want to hurry you or anything, just that I think you might not be aware of the fact that it does not work like you think it does. You said the game needs to be running within 5 secs after the order to CE to start hypermode.
Here is what I did:
Started the latest CE beta with "run as..." Administrator (entered password and confirmed).
Started AAT with "run as..." Administrator (entered password and confirmed).
Started Game, nProtect starts, checks for updates, starts game.
Now I press a key to get out of the game with AAT. After selecting the target game I click on Hyperscan or enable speedhack in order to use hyper mode. At the same time I click, I also press the button to get back in game; this happens in about 1 second. After a while I AAT out again to see the message that the hypermode did not respond. Therefore, if you think it works, it does not. Just to point that out... take your time, I don't want to hurry anything, I just wanted to tell you that it's not capable of it. If I understood anything wrong then I am truly sorry.
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25807 Location: The netherlands
Posted: Wed Aug 25, 2004 9:44 am
I know it doesn't work on your version of CE. That is because that version doesn't have the option to protect itself from modifications (and hypermode probably only works on programs from the same user).
nProtect also modifies the hooking APIs and SendMessage, so it'll fail.
Edit: But thanks anyhow for getting me to take a closer look at hypermode. It seems that SetWindowsHookEx is present in user32.dll, which wasn't in my UndoMemoryChange routine. (It only had kernel32 and ntdll.) Of course not really a big problem if you run Cheat Engine with protection BEFORE you run the game, but it would cause a problem if you ran it after the game started.
stomperz Expert Cheater
Reputation: 0
Joined: 18 Jul 2004 Posts: 193 Location: USA Chicago
Posted: Wed Aug 25, 2004 4:07 pm
Finally figured out the "((addressyouwanttochange/0x1000*4)+0xc0000000)".
You can only change individual APIs like you said.
> to get the page table entry of that page. Add that address as a 12 bit entry and set the 2nd bit counting from right to 1 and it'll be writable.
> (If it's a shared page, like a dll I recommend setting the 3rd bit from left to 1 instead (copy-on-write bit) else you'll globally change the memory instead of only in the process, but in some cases that might be useful.
Did you mean 3rd bit from right?
User level (U/S=1)
I have had the CE kernel mode read/write process memory enabled.
But no "Force to be writable" option.
Should I have put the CE 4.4 in a separate directory?
I put it all in the original dir, just overwrote any old files.
I deleted the CE 4.4 somehow.
Maybe you could please PM me with the d/l site again?
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25807 Location: The netherlands
Posted: Wed Aug 25, 2004 4:23 pm
No, 3rd bit from the left is correct (reserved for OS use according to the x86 specifications). That bit is used by Windows to determine if the memory is copy-on-write or not. It requires the write bit for that page to be set to read-only. (From what I understand, the memory manager gets a write-access violation for that page; it then checks the copy-on-write bit, and if it's present it won't raise an exception, but copies the memory to a free physical address, changes the page table entry to point there and sets the page to writable.)
And the 2nd bit from the right is the write-enabled bit.
Oh yes, one thing that might have caused confusion is that I didn't call it "force writable" in the memory regions window, but I called it "Set selected regions to be writable".
Another thing: if you deleted 4.4, how could you enable the kernel mode routines? Anyhow, as soon as I get time to compile and upload a beta I'll PM a link to you.
There are actually 3 other methods I know of that I can use to make memory writable:
1: disabling interrupts (instruction cli) and then writing to the memory (requires the memory to be present though)
2: disabling the write protection bit from control register 3 when going to write and putting it back after.
3: Changing the memory in physical memory.
Options 1 and 2 will not be available to you in the next CE version (unless you manage to rewrite the permission table for the process, allowing it to execute privileged instructions like cli, sti, in, out, mov cr3, ...).
Option 3 will be available because I've added an extra fake process to the process list called [Physical Memory], which replaces all normal read/write process instructions with instructions to read/write physical memory. (Don't know if anyone will ever use it, but it may come in handy one day.)
stomperz Expert Cheater
Reputation: 0
Joined: 18 Jul 2004 Posts: 193 Location: USA Chicago
Posted: Thu Aug 26, 2004 5:51 am
> Another thing, if you deleted 4.4, how could you enable the kernel mode routines? Anyhow, as soon as I get time to compile and upload a beta I'll PM a link to you.

I deleted the CE4.4.rar file by mistake. I didn't know when installing it if I should have put it in a separate dir or not.
I'm just thinking that I need to reinstall, just in case something is corrupted.
Do you have any links or material about "Page Table Entries" or "Memory Management" that are less technical than what I have found?
I am trying to understand some of the basics of this aspect of programming.
If you look at the links I've found, the charts seem to say that the first 12 bits are settings and the rest are for the physical address.
I've done a lot of searching.
Not really a lot out there in layman's terms.
http://vx.netlux.org/lib/vzo27.html
http://www.logix.cz/michal/doc/i386/chp06-04.htm
OHoooooo just had a revelation....
Maybe I have my bits and bytes mixed up.
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25807 Location: The netherlands
Posted: Thu Aug 26, 2004 8:55 am
If you take the address you get with that formula and add it as a 12-bit binary, it may look like this (this is actually for address 00400000 of CE):
000000100101
12 bits
ba9876543210
Some of the useful bits:
bit 0 = Present, meaning that it is in RAM memory
bit 1 = Allow Write
bit 5 = Accessed
bit 9 = Copy On Write. If enabled, set bit 1 to false. When you write to the memory, bit 1 is enabled automatically and won't screw up the system.
To make this page copy-on-write change it to:
001000100101
To make it just writable:
000000100111
But the link I PM'ed you should have a working function in the region list to make the memory writable, asking you if you want to use the copy-on-write bit or the read/write bit.
emperor Master Cheater
Reputation: 0
Joined: 16 May 2003 Posts: 470 Location: Germany
Posted: Thu Sep 02, 2004 11:37 am
oscardrew wrote:
> How many things did you put in your hosts file? For the MU one you need this
> 127.0.0.1 update.nprotect.net
> 127.0.0.1 61.78.35.19
> I *think* the second one is a failsafe. As in it updates from update.blsabla.net then checks the other one to make sure the files are updated. Also I believe you are supposed to have no GG files in the GG folder (the exe has the download routine).

I can now safely say there is no such thing as a failsafe server... I finally got this trick running on the game (with only 127.0.0.1 update.nprotect.net in my hosts file).
But btw... now that I got this old (probably Mu Online, considering the old logo) GameGuard running... what's the advantage? Just asking because I didn't find anything suddenly working after downgrading to that old GameGuard.
stomperz Expert Cheater
Reputation: 0
Joined: 18 Jul 2004 Posts: 193 Location: USA Chicago
Posted: Sat Sep 04, 2004 1:44 pm
emperor wrote:
> But btw... now that I got this old (probably Mu Online, considering the old logo) GameGuard running... what's the advantage? Just asking because I didn't find anything suddenly working after downgrading to that old GameGuard.

It's basically so you can run "Mupie"; early GG did not detect it.
I don't know if you need to do this with the new "Mupie".
http://www.mobiushack.tk/
There is a huge forum on MPC:
http://www.mpcforum.com/forumdisplay.php?f=109
stomperz Expert Cheater
Reputation: 0
Joined: 18 Jul 2004 Posts: 193 Location: USA Chicago
Posted: Sat Sep 04, 2004 9:29 pm
The "Create Code Cave" seems not to work.
I disabled the write protection but get an Access Violation.
I tried to allocate memory; it works, but the game crashed after a few minutes. I will try to hex the code directly.
That way maybe I can tell if it's bad coding.