Cheat Engine

[Dark Byte]

You may know some games that use it (e.g mount and blade, ww2, and some other games)
In those games it's almost impossible to debug, because the IDT entries for int1 and int3 get overwritten.(even the kernel debugger of ce will often crash, or the game will crash)
But if you are DESPERATE and want to find out what code accesses or modifies a address then download this modified version of dbk32.dll

this will rewrite the interrupt descripter a lot faster than starforce does, but it will cause Cheat engine AND the game to start taking up 100% cpu, even on dual core cpu's. It'll even affect the mouse, it'll start skipping, BUT the code list will start to get filled with code (most of the time)

Here's how to use it:
first download this file and replace your old dbk32.dll with this one (I recommend backing up the old one as this is a really terrible to use on normal games)

enable the kerneldebugger in settings->extra
start the ce tutorial and go to step 2
find the address of health , rightclick the address and choose "find out what accesses this address" (keep in mind that for the kernel debugger you may not attach the normal debugger)

now close cheat engine and the tutorial.
(If you're wonderign why you did this: This way the driver gets the original int1 handler, and already makes a link it will use to overwrite the idt of int1 till the computer gets rebooted)

Start CE again
start the game
get INTO the game, start playing

make sure that in settings->extra the query memory regions and read/write memory options are enabled
open the process of the game (preferably using the processwatcher)
now scan the memory for the value you want to find the code for.
once you've found it, get a pen and paper to write on...
rightclick and choose "find out what accesses this address" or "find out what writes to this address"
now try to go into the game (see if you can get it into windowed mode, or on dual display before doign this, because tabbing back will be a hell)
change the address inside the game (e.g buy, sell, get hit, fire, jump, etc...)
and hope you dont crash at once.
now if the code list gets filled write down the addresses as fast as possible, and if you still have some time before your cpu has melted, doubleclick those entries to get the state of the registers and write them down as well.
Hopefully this'll give you enough information to get you further with hacking in the game.

[ungabunga]

I've tried this and it didn't work:( The game was The Suffering 2, i've found the adresses but when i did the "Find out what acceses " it didn't worked! Pls tell me what to do.
P.S.: i've folowed all the steps you've described here, on ce 5.11
Pls help, i really need help whit this game.

[Dark Byte]

well, for one this was used for ce 5.0

and this was only tested for the first starforce version (used in mount&blade) where starforce just overwrote the int1 handler to point to ffffffff, and this patch just made it so it pointed to ce's handler every time it could.

the game would become very unstable, and the chance of blue screens are very high.
BUT, every now and then it would give you 1 or 2 results before crashing the system.

no idea if it still works or not, it all depends on luck though. (also 5.0 has a horrible problem with the kernel debugger regardign threads, so no idea how usefull this thing is anymore)

[ungabunga]

Thanx DarkByte.
I was also astoinished by the fact my computer didn't crash, thougt i only have an xp2000+ with 256 megs of ram and an ati 9550 gu inf od. I made all the steps again and miracle! one adress apeared even if i didn't tabed back to the game to change some values.it was something like 00456f27 - b552. But i'm not sure if it is right... i've tried to search for the pointer but i think i am just dum... it didn;t work ... again.
So there still is hope

[SunBeam]

Tested, not working...I mean the .dll not working...

Here's what I did :

* uninstalled all my CEs
* deleted all CE related reg keys
* rebooted
* installed ce 5.0
* replaced the dbk32.dll
* now when i try enabling the kernel debugger, it says the driver isn't loaded or something like that; if i ignore that, it says 'failed to load the debugger'

Am I missing something ? Cause as I recall, in order to use the kernel debugger as you said, you need to pass the callretriever test, which in the case of replacing the dbk32.dll doesn't work...

I'll post some pics when I have time...Still @ university and @ iCafe...

So, till I test if this wether works with SF3 or not, I can't seem to make it work in the first place [like really make it work]...

Any tips ?...

[SunBeam]

Not wanted replies from Dark Byte :

- use the unloader - did, it's not loaded [the driver]
- edit registry - did, same thing

With the normal dbk32.dll all works fine, with this modified .dll doesn't work...

[Dark Byte]

sorry, my mistake, it's for 5.1

[SunBeam]

Umm kinda works for 5.1.1 [i dun have 5.1]. But :

- i dun get the command that accesses the address i debug on
- i get just a line like : 4257B7 - ff

That's all...Entered the game, alt-tabed and nada, just that...

Any ideas ?

[Dark Byte]

no, it all depends on luck, there is a 1% chance it finds something instead of 0.00001%
but try to investigate that instruction.
it starts with ff, but I think the disasembler doesn't know that instruction. Send those bytes (16 of them) to me and i'll see if I can disassembhle it, and fix it in ce.

[SunBeam]

Umm that ff comes from a call to a sound function [?] : SND_fvectorxxxxxx [I dun remember the name exactly]

I know that I'd get better chances if I ran in windowed mode, cause that way the game would be active...but can't make PoP2T run in windowed mode. Plus you have to run PrinceOfPersia.exe which will start POP3.exe. So what I need windowed is POP3.exe...and that seems to not work...

Back @ home next week. Catch you on MSN. I found some more bugs...bad news, eh ?......

[Human]

that dll doesnt work with ce5.2,db can you work more on starforce support, today everything that comes out is protected with that crap