Cheat Engine

xeratal · Posted: Fri Dec 23, 2011 11:40 pm Post subject: Modifying the results of an API

Hi,

I've been attempting to hack a game for a while now and I got quite far with regards to a kind of speedhack (modifying code in the game which is linked to the speed of attack).

The problem is that the game uses an internal (client-sided) checksum. I have experimented a lot on the code, and I have come to the conclusion that the checksum is based on the API timeGetTime.

I am unable to modify the timeGetTime function itself (located in the 73000000+ range memory of the code). I don't know if it's because of an internal check of the game or because external API's simply can't be modified (this is the first time I'm doing something like this and everything is completely experimentational).

But I know this is the answer I'm looking for because I traced the code there and I tried NOP-ing the "call timeGetTime" method and the checksum is bypassed (as in the checksum bytes are giving correct data) so I can speedhack properly. The problem is that after about 10 minutes, the checksum screws up (I used a packet editor to verify that the checksum bytes were giving invalid data) and the only way to attack properly was to restore the "call timeGetTime" code. So to speedhack for long periods of time, the game would require me to still call timeGetTime, but have the results of it modified.

I have been thinking about it for a while now, and I think there are 2 ways to best defeat the checksum (at my level of skill), since I don't know and will be unlikely to figure out why the checksum is screwing up after 10 minutes when the call timeGetTime is nop-ed.
===
--- (Just theoretical, I don't think I can do this)
===
1) I think I will be able to copy the entire timeGetTime code elsewhere on allocated memory and modify how it works from there; the only problem is that I am not that skilled at assembler yet to understand everything that's going on there.
===
--- (I think this is better, and it's actually really easy)
===
2) I can simply make a jmp to allocated code instead of calling timeGetTime. From the allocated memory, call timeGetTime then play with the results from there and then jmp back to the original code. The problem for me is that I do not know where or what the API returns (I know from windows website how the API works in C++ or something, but not in assembler...)
***
So if anyone knows what timeGetTime modifies (e.g. in the stack, in the registers...) and could explain to me how I could modify the results AFTER the call, that would be totally awesome.

P.S. I can't simply play directly with the results of timeGetTime... I've tested with other programs etc and the moment the function is modified in any way, the game closes; also, the game uses gameguard so that's a bad idea - I have other ways of bypassing my own code, but I wouldn't be confident about code from elsewhere

P.P.S. Merry Christmas! Cool

Kavvman · Posted: Sat Dec 24, 2011 12:02 pm Post subject:

Debug the API and see what it returns. Telling you what registers the function uses, the stack and everything if one were to emulate it, it would still be useless to you because your data is completely different than what someone will give you. The stack addresses would be different, the values would be different and loads of other stuff.

Why don't you simply modify the game code after the return from the CALL to time function ?. Thats the easiest way if you are able to change code wihtout being detected or crashed.

xeratal