Cheat Engine

[Destrod16]

Hello, this is my first post here on CE Forums, and I need some help with writing a C++ speedhack. Just to make it clear, I am not a noob wanting to get spoonfed, but C++ is not my best language. I have wrote many game hacks before altering memory but I have never made a speedhack, so I don't know how it works. I have looked at the original speedhack source for cheat engine, but it only told me to hook timeGetTime, GetTickCount and QueryPerformanceCounter. I tried to convert the delphi source into C++ but it just ended up crashing the program.

Could somebody please help me write a speedhack?

[Deltron Z]

Try debugging your game after setting your speed hack and find out why it crashes?

[Slugsnack]

wrote one in ASM, want it ?

[Dark Byte]

CE has 2 different types of speedhack.
The old one and the new one.

The old one is located in speedhack.pas of the cehook project (cehook.dll)
When it gets activated it uses a simple hook on those functions (just place with a hook and never even bother calling the original function)
It then starts a very high priority thread in the game which will increase time counters for itself using timed sleeping. The speed the time increments with is determined by the speed variable

When the game then calls those functions, it just fetches the emulated timer functions and passes it to the caller.

---

The new one is a bit more complex, but less prone to bugs because of a too low sleeptime, or too high, and no thread that counts time for you.

The source for this is located in speedhack2.pas in the main program, and the separate speedhack project
The speedhack.dll gets injected into the target process and the dll itself has some exports, like speed, addresses of original functions, and an initialize speedhack routine

Here the hooking and controlling takes place from CE's side and it's auto assembler functions.
What it does is it first uses the API hook template script on the to hook functions. This results in a script that can be used to hook the functions and fills in some predetermined addresses with the location to call if you want to call the original function (thats what the exports for the original functions are for)

After it's hooked the export "speed" of the dll is modified to the wanted speed and CreateRemoteThread is called with the address of the Initialize function to start start the speedhack and set a base of reference (the current time)

Then when a timer function is called it will calculate the new time based on the initial time the speedhack got started , the current time, and the speed. returned time = basetime+((currenttime-basetime)*speed)

When speed is modified the basetime itself is modified as well to make sure the time doesn't go backwards

---

I recommend trying the old method first though, it's not as effective as the speedhack in CE5.5, but at least you have something to work with.
Or you could probably do a full hook in your own code, and hardcode it. (the default of mov edi,edi/push ebp/mov ebp,esp won't work for gettickcount)

[Slugsnack]

this is my method of speed hack. let's say the game were to use poll gettickcount to do a certain event.

so it goes like this :

1 ) get an initial tick count

2 ) wait a while
3 ) get tick count
4 ) get difference between this tick count and initial
5 ) if difference > x then continue, else go to 2 )

so once my hook is installed it calls a trampolined gettickcount which returns a correct current tick count of the system. so let's say we want it to be 2x as fast. then that means every time the game checks the tick count we want it to have gone past twice as fast as it actually has

so what my hook does is that everytime the game calls the function my hook intercepts it, gets the real tick count and then the difference between MY initial tick count and this real one is the actual elapsed time. to make it seem to have gone past twice as fast i would bit shift to left once, add to my initial tick count and return that value

for slowing down it's much the same but you sleep by the difference then return the trampolined return ; )

also if you don't feel like hardcoding first 5 bytes that your hook replaces for gettickcount and also don't want to include some sort of disasembler library for determining where the next instruction boundary is, you could do an IAT hook assuming the game is not getting the function address dynamically via getprocaddress or similar. i have an example of that if you are interested ( also in asm )

[Destrod16]

Thanks guys for all the help, and sure I'd like to see an example. If that speedhack you were talking about bypasses GameGuard then I'd like to have it.

EDIT: I didn't really understand your fifth step. Mind giving an example? If you know C++ that would be preferred, otherwise you can use ASM.

[Slugsnack]

5th step is checking whether elapsed time is greater than a given value x

so the game would be polling gettickcount and checking return until the elapsed time was greater than a certain value. say.. 5000 or something. so to make it go twice as fast, when real elapsed time is at 2500 say, then you would return a time that made the computer think it's actually 5000 elapsed ticks

you'll understand better when i show you my source.. just wait about 10 hours and i'll be home

oh.. just read the source. i coded it like a year ago and i just realised what a horrible coder i was back then. it was originally for pinball btw :
http://pastebin.com/m573093ae

tell me if there is anything you don't understand there.. i could probably recode it and make it nice code actually. wonder if it's worth it..

btw if you were doing it properly you'd also hook queryperformancecounter

oh i didn't even know how to multithread properly back then.. cute

[Destrod16]

Lol I just don't get it... I'm sorry for being a bit of a noob when it comes to speedhacking, since it's something I've never even looked at before. Could you maybe look at this code and tell me why it won't work? I found it online then added some and I can't see what's wrong with it.

[Slugsnack]

that's because it's coded with MASM32 not NASM. also you'd need to assemble it as a DLL not a regular executable. anyway if i get the time over the next few days, i'll translate that into C for you. need to practice hooking in C anyway..

here's some pseudocode for a gettickcount hook though :

[Destrod16]

Thanks for trying to help, but there are multiple errors. Firstly, writehookfxn() is not identified, dword should be DWORD but that's an easy fix, currentRealTickCount should have an = sign and gettickcounttrampoline() is not identified.

I understand you don't usually write hooks in C/C++, so it's ok. I'm still sorry be being such a noob the area of speedhacking lol.

[Slugsnack]

OMG !!!!! i said pseudo code rofl

maybe you should learn how to write hooks yourself. i thought you were just having problems with what to put in your hook function but it looks like you don't have the basics down yet..

but yes, i did miss a = sign

[Destrod16]

I truly am sorry for being a noob lol, my main language is C# anyway. I only use C++ to write my hacks, which I have not been doing for a long time. And yes it is true, I have never even wrote any type of hook...

[Slugsnack]

so um.. do you know what a hook is and how to place one ? better to understand it than mindlessly copy and paste code

[Destrod16]

Yes I know what a hook is lol, I hate copy pasting, it makes me feel like such a noob. When I do, I carefully read through the code and try to understand what it does.

[Slugsnack]

so wait, do you still have a problem now that i told you how to do the speedhack ?