Cheat Engine

Irrialite · Newbie cheater Reputation: 1 Joined: 10 May 2009 Posts: 13

How would I go about making a custom scan for variables that are XORed by the address they're stored at. For example:

eax = value
ebx = address of value

xor eax,ebx
mov [ebx],eax

I'd like to make a custom scan for that but I haven't had any success yet.

Dark Byte · Posted: Sat Apr 13, 2013 12:19 pm Post subject:

Currently not possible as custom types do not use addresses

Irrialite · Newbie cheater Reputation: 1 Joined: 10 May 2009 Posts: 13

Would it be possible to include that functionality in a future update?

Dark Byte · Posted: Sat Apr 13, 2013 12:30 pm Post subject:

Depends, how often do you need this?
No other variabletype needs to know the address so right no nowhere in ce where a variable is shown is the address provided

Irrialite · Newbie cheater Reputation: 1 Joined: 10 May 2009 Posts: 13

In a certain game nearly all the variables are obfuscated like that along with some other encryptions. While it is possible to find them by using changed/unchanged it's very tiresome and converting between them is effort as well. It would be mainly just for games like that.

Dark Byte · Posted: Sat Apr 13, 2013 1:32 pm Post subject:

Hmm, I probably won't add this to the next version. Perhaps the version after if more people have faster systems or popular non-multiplayer games store data like this, but not right now.

First it would decrease the scanspeed of all other scans as well. (the checkroutine needs to add the address parameter and every call the address must be recalculated, for every single address it checks)
And a LOT of code needs to be changed throughout cheat engine (addresslist, foundlist, dissect data, autoguess type, structure dissect, ...)

Gniarf · Posted: Sat Apr 13, 2013 3:16 pm Post subject:

Hmm...I vaguely remember seeing something like that in one or Relic's games (Space marine or one of their dawn of war series - don't remember). They xored dwords with their addresses IIRC. So from an user's perspective I'd interested in this feature too.

Actually, taking other encryptions schemes into account (like when the key is randomized, but accessible through a known pointer), I'm starting to think it'd be nice to have somekind of "injected AA custom types", executed in the target's address space, with a pointer to data as input.

Dark Byte · Posted: Sat Apr 13, 2013 4:13 pm Post subject:

Custom type inside the target process is possible but will require a very fast cpu and special windows version where cpu slices are extremely small, else the speed will be that of a memoryscanner that scans 1 byte at a time with readprocessmemory

A custom type inside the target will work as follows:
Ce wants to read an address so sets up the data and sets an event. Then it waits
Some time later the windows scheduler will wake the thread that controls custom scans in the target process and the type will be used to fill in a memory block.
It then triggers an event that the data is ready and the thread goes to sleep waiting for the next data command
A while later ce gets awakened and reads out the result value

It will do this for every single address
And sure, i guess i could query multiple addresses, but still, the times that you actually need this is after you already figured how it is stored

Also,space marine xor'ed it, but i don't think it was the address

Gniarf · Posted: Sat Apr 13, 2013 5:17 pm Post subject: