Cheat Engine

[Attack]

Hi,

I was for a while interested in gamehacking and am now getting back into it. I've found a decent game to practise on, DuckTales Remastered, since values are easy to find and manipulate.
What I really wanted to achieve was a ghost or coin mode. The former being after a hit you flash and cannot be hit again, the latter being the mode you are in from collecting an invincible coin.
I have found a trainer that does the former (the latter only available at cheat happens). What I would like to do is see what the trainer is doing so that I can learn from it and then apply that knowledge to other games.

[Krampus]

[atom0s]

It depends on the trainer and how it is coded. In some cases it can be something very simple, others it can be something a bit more involved.

A. Simple Trainers

In the case that the trainer is very simple and has no protection, you can set a breakpoint on WriteProcessMemory and ReadProcessMemory while debugging the trainer. Enable the option you want to find the information for and your debugger should hit one of the breakpoints. Dump the arguments from the stack to find the data being written/read and the size of the data etc.

However, not all trainers make use of these API and can sometimes go lower-level and use the NT calls instead to bypass typical trainer spying applications and methods.


B. Harder Trainers

Harder trainers may resort to DLL injection or protecting their work thoroughly through packers / protectors, anti-debugging tricks, use of non-common API (NT calls etc.) and so on. If this is the case then you are going to have to do a bit more work to find the data you want.

First, you can try unpacking the trainer out of whatever protection is being used, if any. Then try the above method I explained. Next, if the trainer is using dll injection, you can dump the dll being injected and then disassemble and analyze it in a disassembler like IDA.

Another method you can resort to if you fail to find what you need is load the game and Cheat Engine. In Cheat Engine pause the process fully so that the game does not alter any memory. Make a dump of the full process memory using your favorite dumping tool etc. Then enable the trainer option you want. Make another full dump of the process memory and compare the two dumps together. This will show you what was altered then you can find what you want.


Overall you should try to avoid just looking at others trainers / work and look into tutorials that show how to find things like this. However, referencing others work sometimes is a way for some to learn and understand what is happening. But if you land up stealing the option from the trainer and releasing it yourself, people will tend to check on other trainers and see if their work is being used etc to find rippers.

[Geri]

Ghost mode is usually achieved by searching for an increasing or decreasing timer, that stores how much time do you have until your ghost mode expires. If you freeze the timer, your ghost mode will last forever.

Eg the value may be 0, then you take a hit, it will "jump" to 200 and count down until 0. Once you reach 0, ghost mode ends. You freeze the value to 200 and you are a ghost forever.

Sometimes you can find a flag value, where the value is usually 1 if you are a ghost, 0 if you are not a ghost, but it may work the opposite way too, etc.

[Attack]

Ok, so the best approach is to start from 0. I usually just learn faster by analyzing code.

As for stealing someone's work, I am only interested in making trainers for myself, for fun. No interest in competing with cheathappens and the like.


Thanks for the advice guys.

[Pingo]

I have this game on my pc. I've never scanned it for anything but I could start.
Want to to PM you things to try if I find anything? Or is this something you would rather do on your own. I don't mind either way.