Cheat Engine

booingthetroll

Hi, recently, a game I play started to detect runtime memory modifications, and it does a hash check when you first open it. For that reason, I'd like to know a few common memory edit detection functions(preferably Microsoft). Could you list a few, please?

Innovation · Posted: Thu Mar 21, 2013 7:58 pm Post subject:

The game might have an internal CRC (cyclic redundancy check) where it compares the code against what it should be.

SteveAndrew · Posted: Thu Mar 21, 2013 8:22 pm Post subject:

As Innovation pointed out, if it only does the check when it starts up then there's no problem you just modify the game while its running after it's already started up and done it's 'check'

However if it has a CRC check that runs constantly while the game is running, and you've found that an address you've attempted to modify crashes the game, instead of modifying it, add that address to your CT and do a 'find what accesses this address' and wait a little bit...

You should find the CRC check, if the game doesn't also have some anti-debugger tricks that is (try the veh debugger if the windows one crashes when doing this, if that one doesn't work either you'll first have to bypass the debugger to even get to the find the CRC check Wink

)

Once the CRC check is found though, it's relatively easy to bypass!

Cryoma · Posted: Thu Mar 21, 2013 8:48 pm Post subject:

What do you do with the CRC if/when you find it?
Asking out of general curiosity and for any stray googlers.

atom0s · Posted: Thu Mar 21, 2013 10:02 pm Post subject:

SteveAndrew · Posted: Fri Mar 22, 2013 12:28 am Post subject:

booingthetroll · Posted: Fri Mar 22, 2013 9:28 am Post subject:

:S
I don't think it could be a CRC, since... well... it's a huge program with very little lag and from what I can tell, everything except their .data section and runtime allocated memory is detected. My friend thinks it could be hashing the entire data section... would this be possible?

jucce · Posted: Wed Apr 03, 2013 9:39 pm Post subject:

TsTg · Posted: Thu Apr 04, 2013 8:36 am Post subject:

@SteveAndrews: yes Crysis 3 was possible to eliminate the check with hooking the main bypass routine, that gives the many of 'mini checks' thier correct hashes to check for, right ?, that happens because the main routine is the one controlling the whole thing.

Some other games(like Sleeping dogs, and the first 2 versions of Hitman absolution), uses a main routine too, but that routine doesn't give the hashes to the others like in crysis 3, here's a mini check sample i took(this one inclined with the game saving routine):

push ebp
mov ebp,esp
push FF
push HKShip.AK::MusicEngine::Init+1A6B7C
mov eax,fs:[00000000]
push eax
mov fs:[00000000],esp
sub esp,0C
push ebx
push esi
push edi

-This Part will calculate the memory area to be checked and it's size (it's here from 400000 to 405000), notice all those contants
mov eax,838D209A
mov edi,3BF86F57 : [DEDEDEDE]
mov [ebp-14],eax
mov [ebp-10],edi
mov esi,[ebp-14]
mov edi,[ebp-10]
mov edx,esi
shr edx,06
xor edx,esi
and edx,3F
mov eax,edx
shl eax,06
or eax,edx
xor eax,esi
xor eax,29D46CFB
mov ecx,edi
shr ecx,0A
xor ecx,edi
shr ecx,10
and ecx,0F
ror eax,0D
sub eax,530D2766 : [DEDEDEDE]
rol eax,1F
mov edx,eax
shr edx,09
xor edx,eax
shr edx,08
and edx,1F
mov esi,edx
shl esi,09
or esi,edx
shl esi,08
xor esi,eax
mov eax,ecx
shl eax,0A
or eax,ecx
shl eax,10
xor eax,edi
add eax,480DDC73 : [DEDEDEDE]
rol eax,0A
sub eax,3112CBB0 : [DEDEDEDE]
ror eax,16
mov ecx,eax
shr ecx,12
xor ecx,eax
and ecx,00003FFF
mov edx,ecx
shl edx,12
or edx,ecx
xor edx,eax
mov [ebp-14],esi
mov [ebp-10],edx
mov edi,[ebp-10]
add edi,[ebp-14]
mov [ebp-10],edi
mov eax,[ebp+10]
mov ecx,[ebp+08]
push eax
push ecx
push HKShip.AK::MusicEngine::Init+3C8094
xor esi,esi
call HKShip.AK::MemoryMgr::GetPoolName
mov edx,[ebp-10]
mov eax,[ebp-14]
mov ecx,[ebp-10]
sub edx,eax
mov eax,[ebp-10]
mov edi,[ebp-10]
add esp,0C
sub ecx,eax
mov [ebp-18],05D3E4E7 <----Correct CRC value
cmp ebx,ecx
mov eax,9307FA73
lea ebx,[esi+01]
cmp ecx,edx
je HKShip.AK::MemoryMgr::SetMonitoring+9D856

-The integrity calculation part
lea ecx,[ecx+00]
imul esi,esi,00000097
mov eax,edi
sub eax,ecx
movzx eax,byte ptr [eax-01]
add ecx,ebx
add esi,eax
cmp ecx,edx
jne HKShip.AK::MemoryMgr::SetMonitoring+9D840

cmp dword ptr [ebp+08],00
jne HKShip.AK::MemoryMgr::SetMonitoring+9D89B
test [HKShip.g_LEngineDefaultPoolId+82BAC],bl
jne HKShip.AK::MemoryMgr::SetMonitoring+9D88F
or [HKShip.g_LEngineDefaultPoolId+82BAC],ebx
mov [ebp-04],00000000
mov ecx,HKShip.g_LEngineDefaultPoolId+828EC
call HKShip.AK::MemoryMgr::GetPoolName+1EFF70
push HKShip.AK::MusicEngine::Init+2D6D40
call HKShip.AK::MusicEngine::Init+618C1
add esp,04
mov [ebp-04],FFFFFFFF
mov [HKShip.g_LEngineDefaultPoolId+828EC],00000002
jmp HKShip.AK::MemoryMgr::SetMonitoring+9D8D4
test [HKShip.g_LEngineDefaultPoolId+82BAC],bl
jne HKShip.AK::MemoryMgr::SetMonitoring+9D8CA
or [HKShip.g_LEngineDefaultPoolId+82BAC],ebx
mov [ebp-04],ebx
mov ecx,HKShip.g_LEngineDefaultPoolId+828EC
call HKShip.AK::MemoryMgr::GetPoolName+1EFF70
push HKShip.AK::MusicEngine::Init+2D6D40
call HKShip.AK::MusicEngine::Init+618C1
add esp,04
mov [ebp-04],FFFFFFFF
mov [HKShip.g_LEngineDefaultPoolId+828EC],00000003
lea ecx,[esi+esi*8]
mov eax,ecx
shr eax,0B
xor eax,ecx

mov ecx,[ebp-18] <-----at the begnning of the routine, [ebp-18] was given the value 05D3E4E7
imul eax,eax,00008001
sub eax,ecx <-----if the subtraction result is zero(meaning eax equals ecx, equals 05D3E4E7), then the jump is not taken to bad boy routine
jne HKShip.AK::MemoryMgr::SetMonitoring+9D9ED

-Normal game code here (good boy)
mov ecx,[ebp+10]
lea eax,[ecx-02]
cmp eax,03
ja HKShip.AK::MemoryMgr::SetMonitoring+9DA29
jmp dword ptr [eax*4+HKShip.AK::MemoryMgr::SetMonitoring+9DA3C]
mov edx,[ebp+08]
sub esp,0C
mov eax,esp
mov [eax],edx
mov edx,[ebp+0C]
mov [eax+04],edx
mov [eax+08],ecx
call HKShip.exe+151850
mov ecx,eax
call HKShip.exe+63E30
mov ecx,[ebp-0C]
mov fs:[00000000],ecx
pop edi
pop esi
pop ebx
mov esp,ebp
pop ebp
ret
call HKShip.exe+151850
sub esp,0C
cmp [eax+04],ebx
mov eax,esp
jne HKShip.AK::MemoryMgr::SetMonitoring+9D972
mov ecx,[ebp+08]
mov edx,[ebp+0C]
mov [eax],ecx
mov ecx,[ebp+10]
mov [eax+04],edx
mov [eax+08],ecx
call HKShip.exe+151850
mov ecx,eax
call HKShip.AK::MemoryMgr::GetPoolName+133A40
mov ecx,[ebp-0C]
mov fs:[00000000],ecx
pop edi
pop esi
pop ebx
mov esp,ebp
pop ebp
ret
mov edx,[ebp+08]
mov ecx,[ebp+0C]
mov [eax],edx
mov edx,[ebp+10]
mov [eax+04],ecx
mov [eax+08],edx
call HKShip.exe+151850
mov ecx,eax
call HKShip.AK::MemoryMgr::SetMonitoring+E0440
mov ecx,[ebp-0C]
mov fs:[00000000],ecx
pop edi
pop esi
pop ebx
mov esp,ebp
pop ebp
ret
call HKShip.exe+151850
mov ecx,eax
call HKShip.exe+2EE720
mov ecx,[ebp-0C]
mov fs:[00000000],ecx
pop edi
pop esi
pop ebx
mov esp,ebp
pop ebp
ret
mov edx,[ebp+08]
sub esp,0C
mov eax,esp
mov [eax],edx
mov edx,[ebp+0C]
mov [eax+04],edx
mov [eax+08],ecx
call HKShip.exe+151850
mov ecx,eax
call HKShip.AK::MemoryMgr::GetPoolName+184790
mov ecx,[ebp-0C]
mov fs:[00000000],ecx
pop edi
pop esi
pop ebx
mov esp,ebp
pop ebp
ret

-Error sub routine(bad boy)
mov ebp,esp
mov [ebp+04],HKShip.exe+21638
lea ebx,[ebx+05]
mov ebp,esp
add ebp,0C
mov [ebp+00],HKShip.exe+F8D8
lea ebp,[ebp+04]
dec ebx
jne HKShip.AK::MemoryMgr::SetMonitoring+9D9FE
mov eax,00000002
mov esi,FFB26D7F
mov eax,000FF440
call HKShip.AK::MemoryMgr::SetMonitoring+9DA1F
pop edx
xor esi,eax
sub edx,0E
add esi,edx
jmp esi <---ESI here jumps to the 'corrupt' message routine
mov ecx,[ebp-0C]
pop edi
pop esi
mov fs:[00000000],ecx
pop ebx
mov esp,ebp
pop ebp
ret

___________________________________________________
so what i'm saying here that some games has the checks already containing thier values (statically), at the same time, the routine above is checked by others within the same way with other values that are also static, and of course if you tried to change one, you will get caught with other routines, so either eliminate them all or do code\execution redirection, as this one has no way to patch integrity with just 2 bytes.