Cheat Engine The Official Site of Cheat Engine
ProjectEz Newbie cheater
Reputation: 0
Joined: 03 Dec 2011 Posts: 18 Location: Philippines
Posted: Sun May 18, 2014 11:29 am Post subject: (C# or C++) Please Help Making a debugger like ones in CE
Hello, OK, I'm here asking desperately, for I am now at a dead end. It's been 2 weeks and I haven't made any progress.
What I want to do is make a debugger (the one that's like in "Find out what writes to this address").
And I don't even have any lead on where to start and what to use. I've been talking with Google for days, but I can't seem to find it; maybe I found it but didn't know that it is what I am looking for...
Desperately, I will do it in either C# or C++.
Also, one more problem is to read/write memory in a hidden process.
I've tried SSDT hooking, but I think there is another way.
Please help me. This is my first time learning memory hacking, that's why I'm having a hard time, and I don't want my hard work to go to waste. Thank you very much, guys...
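The "Find out what writes to this address" feature the question asks about rests on the x86 hardware debug registers: the data address goes into one of DR0..DR3, DR7 arms that slot as a write (or read/write) watch of 1, 2, 4 or 8 bytes, the CPU raises a debug trap after any instruction that touches the address (delivered as EXCEPTION_SINGLE_STEP through the Windows debug API), and DR6 reports which slot fired. The C below is an added example written for this thread, not code from Cheat Engine: the encoding and decoding helpers are portable and run anywhere, the part that applies them to a thread through GetThreadContext/SetThreadContext is a sketch compiled only on Windows, and the watched address 0x401000 is a made-up value.

```c
/* Added example (not Cheat Engine code): x86 debug-register bookkeeping behind
 * a "what writes to this address" watchpoint. Portable helpers plus a
 * Windows-only sketch of applying them to a thread. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"), for slot i in 0..3:
 *   bit 2*i          Li   local enable for DRi (Gi, global enable, is bit 2*i+1)
 *   bits 16+4*i, +1  R/Wi 00 = execute, 01 = data write, 11 = data read/write
 *   bits 18+4*i, +1  LENi 00 = 1 byte, 01 = 2, 11 = 4, 10 = 8 (64-bit only)
 * DR6 bits 0..3 (B0..B3) report which slot raised the trap. */
enum hwbp_kind { HWBP_EXEC = 0, HWBP_WRITE = 1, HWBP_RW = 3 };

static int hwbp_len_bits(unsigned len) {
    switch (len) {
    case 1: return 0;
    case 2: return 1;
    case 4: return 3;
    case 8: return 2;
    default: return -1;
    }
}

/* Return the DR7 value that arms `slot` for `len` bytes at `addr`, starting
 * from the thread's current DR7 so the other slots are preserved. Returns 0 on
 * an invalid request (0 can never be an armed DR7 because Li is set). The
 * address must be aligned to the watch length: the CPU masks the low address
 * bits, so an unaligned watch would silently cover the wrong bytes. */
uint64_t hwbp_dr7(uint64_t dr7_in, unsigned slot, uint64_t addr,
                  unsigned len, enum hwbp_kind kind) {
    int lenbits = hwbp_len_bits(len);
    if (slot > 3 || lenbits < 0) return 0;
    if (kind == HWBP_EXEC) { if (len != 1) return 0; }   /* exec bp: LEN must be 00 */
    else if (addr & (len - 1)) return 0;
    uint64_t dr7 = dr7_in & ~(0xFULL << (16 + 4 * slot)); /* clear R/Wi and LENi */
    dr7 |= (uint64_t)kind << (16 + 4 * slot);
    dr7 |= (uint64_t)lenbits << (18 + 4 * slot);
    dr7 |= 1ULL << (2 * slot);                            /* Li */
    return dr7;
}

/* First slot that is neither locally nor globally enabled, or -1 when all four
 * are in use (the hardware limit of four such watches per thread). */
int hwbp_free_slot(uint64_t dr7) {
    for (int i = 0; i < 4; i++)
        if (!(dr7 & (3ULL << (2 * i)))) return i;
    return -1;
}

/* After the trap, DR6 says which slot fired; -1 means none of B0..B3 (for
 * example a plain single-step, bit BS). Data watches are traps, so the faulting
 * context's RIP/EIP points at the instruction *after* the one that wrote. */
int hwbp_which_fired(uint64_t dr6) {
    for (int i = 0; i < 4; i++)
        if (dr6 & (1ULL << i)) return i;
    return -1;
}

#ifdef _WIN32
#include <windows.h>
/* Arm a write watch on one thread of the debuggee (assumed to be attached with
 * DebugActiveProcess; repeat for every thread). Later EXCEPTION_SINGLE_STEP
 * events whose ctx.Dr6 has a B bit set are the "what writes" hits. */
bool hwbp_arm_write(HANDLE thread, unsigned slot, uintptr_t addr, unsigned len) {
    CONTEXT ctx;
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (!GetThreadContext(thread, &ctx)) return false;
    uint64_t dr7 = hwbp_dr7(ctx.Dr7, slot, addr, len, HWBP_WRITE);
    if (dr7 == 0) return false;
    switch (slot) {
    case 0: ctx.Dr0 = addr; break;
    case 1: ctx.Dr1 = addr; break;
    case 2: ctx.Dr2 = addr; break;
    default: ctx.Dr3 = addr; break;
    }
    ctx.Dr7 = (ULONG_PTR)dr7;
    return SetThreadContext(thread, &ctx) != 0;
}
#endif

int main(void) {
    /* Constructed address: a 4-byte write watch on 0x401000 in slot 0. */
    uint64_t dr7 = hwbp_dr7(0, 0, 0x401000, 4, HWBP_WRITE);
    printf("DR7 = 0x%llx, next free slot = %d\n",
           (unsigned long long)dr7, hwbp_free_slot(dr7));
    printf("unaligned watch accepted? %s\n",
           hwbp_dr7(0, 0, 0x401002, 4, HWBP_WRITE) ? "yes" : "no");
    printf("slot fired for DR6=0xffff0ff1: %d\n", hwbp_which_fired(0xffff0ff1ULL));
    return 0;
}
```

The same DR7 value works whether it is written with SetThreadContext from a user-mode debugger or by a driver, which is the split the thread goes on to discuss; only the delivery of the trap differs. Remember to clear the slot again (Li off, DR0..DR3 zeroed) when the watch is removed, otherwise the debuggee keeps trapping after you detach.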
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Sun May 18, 2014 2:06 pm Post subject:
Cheat Engine is open source. While it is written in Delphi, the underlying API that it relies on can be used in [nearly] any language.
https://code.google.com/p/cheat-engine/
_________________
- Retired.
ProjectEz Newbie cheater
Reputation: 0
Joined: 03 Dec 2011 Posts: 18 Location: Philippines
Posted: Tue May 20, 2014 10:33 am Post subject:
@atom0s
Just a last quick question, sir, to be sure whether what I am doing is wrong or right:
I can see Cheat Engine can still scan for addresses even when the process is hidden.
I saw the source code, and in DBKKernel I browsed through and saw ntddk.h, which is used to make kernel drivers.
Is that what Cheat Engine uses to continue scanning a hidden process (hidden by a rootkit)?
And to be clear, it uses kernel mode to read/write memory in a hidden process, right?
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25823 Location: The netherlands
Posted: Tue May 20, 2014 11:23 am Post subject:
Yes, kernel mode is used to access the process.
Also, to find the process you may have to register a process creation callback in kernel mode, or open every possible process ID till you find the one you are looking for.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.
ProjectEz Newbie cheater
Reputation: 0
Joined: 03 Dec 2011 Posts: 18 Location: Philippines
Posted: Tue May 20, 2014 11:37 am Post subject:
Wow, this is the first time Dark Byte has replied to my thread, such a privilege.
Anyway, talking about opening every possible process ID,
what can you say about this scenario:
I got the process name and the process ID before the rootkit attached to the process, but after the rootkit attached, the process is now hidden, also preventing me from accessing its process ID. In opening every possible ID, is there a chance that the hidden process will be on a different process ID?
And also, just to clear things up: if I create a process in kernel mode, for example a process named main.exe, then it hides, then if I create a process named main.exe, will it be the hidden main.exe?
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25823 Location: The netherlands
Posted: Tue May 20, 2014 12:46 pm Post subject:
I doubt the ID will be different. And besides, you wish to get an EPROCESS address, which is the actual process reference.
I recommend getting the process handle from the ID as soon as you can. (Again, a process creation callback in kernel mode would work great for that.)
Also, if you create a new process called main.exe it will get a new process ID.
Oh yes, what a LOT of protection systems fail to do is protect the process's weird PIDs,
e.g. if the PID is 1004, then you can also open it with 1005, 1006, and 1007.
And try getting a 64-bit Windows system. That makes things a bit easier, as they shouldn't be able to hide the process in kernel mode (they can still block opening it, but hiding it will be a bit more difficult).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.
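Dark Byte's two hints above, scanning the whole PID space and the "weird PID" trick, come down to one kernel detail: a Windows PID is an index into a handle table, so real PIDs are multiples of 4 and the lookup that turns a PID into an EPROCESS (PsLookupProcessByProcessId and the OpenProcess path behind it) ignores the two low bits, which is why 1005, 1006 and 1007 all resolve to the process with PID 1004. The C below is an added example for this thread, not Cheat Engine's or any protection system's code: it models that lookup in user mode over a constructed process table (the PIDs and image names are made up) so it runs anywhere, pits a hiding hook that compares the exact PID against one that compares canonical PIDs, and, under _WIN32 only, sketches the same scan over real OpenProcess calls. The kernel-mode process creation callback he mentions (PsSetCreateProcessNotifyRoutine) is the other route and needs a driver, so it is not shown.

```c
/* Added example (not CE or any anti-cheat code): why PID 1004 can be opened as
 * 1005..1007, and a brute-force scan that relies on it. The kernel lookup is
 * modelled with a constructed process table so the file runs anywhere. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PID_ALIAS_MASK 3u

/* Handle-table index view of a PID: the kernel clears the two low bits. */
uint32_t pid_canonical(uint32_t pid) { return pid & ~PID_ALIAS_MASK; }

typedef struct { uint32_t pid; const char *image; } proc_entry;

/* Constructed process table standing in for the kernel's PID table. */
static const proc_entry sim_table[] = {
    { 4, "System" }, { 1004, "main.exe" }, { 2040, "explorer.exe" },
};

static const proc_entry *kernel_lookup(uint32_t pid) {
    uint32_t c = pid_canonical(pid);
    for (size_t i = 0; i < sizeof sim_table / sizeof sim_table[0]; i++)
        if (sim_table[i].pid == c) return &sim_table[i];
    return NULL;
}

/* A hiding hook in front of the lookup (e.g. an OpenProcess or SSDT hook).
 * `compare_canonical` is the difference between the mistake Dark Byte
 * describes and the correct check. */
typedef struct { uint32_t hidden_pid; bool compare_canonical; } hide_hook;

const hide_hook naive_hide_main  = { 1004, false };  /* blocks only 1004 */
const hide_hook strict_hide_main = { 1004, true  };  /* blocks 1004..1007 */

/* Model of OpenProcess: image name on success, NULL on failure. */
const char *sim_open_process(const hide_hook *hook, uint32_t pid) {
    if (hook) {
        bool blocked = hook->compare_canonical
            ? pid_canonical(pid) == pid_canonical(hook->hidden_pid)
            : pid == hook->hidden_pid;
        if (blocked) return NULL;
    }
    const proc_entry *e = kernel_lookup(pid);
    return e ? e->image : NULL;
}

/* Brute force: try every PID up to max_pid together with its three aliases and
 * return the canonical PID of the first process whose image matches, or 0. */
uint32_t find_pid_by_scan(const hide_hook *hook, const char *image, uint32_t max_pid) {
    for (uint32_t pid = 4; pid <= max_pid; pid += 4)
        for (uint32_t alias = 0; alias <= PID_ALIAS_MASK; alias++) {
            const char *name = sim_open_process(hook, pid + alias);
            if (name && strcmp(name, image) == 0) return pid;
        }
    return 0;
}

#ifdef _WIN32
#define _WIN32_WINNT 0x0600
#include <windows.h>
/* The same scan against the real kernel. Returns the canonical PID or 0. */
uint32_t find_pid_by_scan_win(const char *image_suffix, uint32_t max_pid) {
    for (uint32_t pid = 4; pid <= max_pid; pid += 4)
        for (uint32_t alias = 0; alias <= PID_ALIAS_MASK; alias++) {
            HANDLE h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid + alias);
            if (!h) continue;
            char path[MAX_PATH]; DWORD n = MAX_PATH;
            bool hit = QueryFullProcessImageNameA(h, 0, path, &n) &&
                       n >= strlen(image_suffix) &&
                       _stricmp(path + n - strlen(image_suffix), image_suffix) == 0;
            CloseHandle(h);
            if (hit) return pid;
        }
    return 0;
}
#endif

int main(void) {
    printf("naive hook, open 1004: %s\n", sim_open_process(&naive_hide_main, 1004) ? "ok" : "denied");
    printf("naive hook, open 1005: %s\n", sim_open_process(&naive_hide_main, 1005) ? "ok" : "denied");
    printf("scan for main.exe past naive hook:  %u\n", find_pid_by_scan(&naive_hide_main, "main.exe", 4096));
    printf("scan for main.exe past strict hook: %u\n", find_pid_by_scan(&strict_hide_main, "main.exe", 4096));
    return 0;
}
```

The model also answers the earlier question in the thread: a PID does not change when a process is hidden, because it is the index of the process object in the kernel's table, so a scan keyed on image name lands on the same canonical PID as before. Whoever writes the protection should compare canonical PIDs (or, better, the EPROCESS itself), and whoever writes the scanner should hold on to the handle from the first successful open rather than repeating the scan.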
ProjectEz Newbie cheater
Reputation: 0
Joined: 03 Dec 2011 Posts: 18 Location: Philippines
Posted: Tue May 20, 2014 1:20 pm Post subject:
Oh! So that's where I will use the process handle. Thank you. I'm getting confused about what a handle, a thread ID and a process ID are for; I only know a process ID can be used in place of the process name.
And about the creation of a new process: if I get the handle from the ID, can I create a new process ID for the process? For example, if main.exe is hidden, I get its process ID, then its handle, then the rootkit hides it; after I create a new main.exe using the handle, what will happen to the hidden main.exe? Or will I be able to access the memory of the hidden main.exe from the created main.exe?
Also, running in kernel mode will require something like a driver (system module); I have read about it in SSDT hooking. Am I on the right track?
Speaking of 64-bit, I am actually programming in a 64-bit environment, and wow, thank you again; why didn't I test it on this system? I am actually coding for 32-bit systems, as most of the users of the trainer would be in a 32-bit environment. I still need to do kernel mode, and really, thank you, I didn't know the problem is already solved on 64-bit...
*Edit: on a different version of the game, a different anti-cheat is used; it hides the process, so it will be in kernel mode, right?
Now, what's left is me getting the offsets and pointers of the address, because it's not static; will this also be solved with kernel mode?
And also, just sharing: CE is detected by the game, and I can't find a way to bypass it (but other UCEs are not detected), so I can't use the kernel debug mode or the VEH debugger to get these...
So I think I would just make a debugger myself, since my trainer is not detected.