City Car Driving crashing way too often when modifying code.
XaneXXXX
Posted: Mon Dec 14, 2015 5:28 pm    Post subject: City Car Driving crashing way too often when modifying code.

So, City Car Driving (32-bit game): when I try to change any opcode in any way, the game crashes. Some opcodes take longer than others to make the game crash (between 1 and 4 seconds).

I've tried using stealthedit, but the same problem occurs. And yes, the opcodes I was trying to modify only access the thing I want, so ONE address only.

I also tried using the Break and Trace function to find the root of (in this case) the game timer and change that instruction, but that didn't work either.

The only thing that works is if I use the injection copy/globalalloc function that I've seen in one of Rydian's tutorials. That works if I enable the script and then deactivate it really fast. It points to the right address and the game doesn't crash. If I leave it on for more than 3 seconds it eventually crashes.

So right now I'm thinking that the game might have some memory integrity check. It's pretty much a "shitty" game, so to speak. No big developers have made it; it is also 100% offline, so I really don't know why they would put in such a check, but still.

I've never dealt with memory checks before and I don't know where to start. Does anyone know any good tutorial that shows how I can look for it/change it? I understand that it is different in every game, but I just need someplace to start.

Any tips on what might cause this are appreciated.

Edit: "Change Register at this location" does work. But I can't put that in a script.

Thanks! :)
++METHOS
Posted: Mon Dec 14, 2015 11:52 pm

Not likely to be a memory check, in my opinion. I would let the debugger run to see if something else is actually being accessed when the game crashes. If letting the debugger run is not practical, then create a breakpoint inside a segment of code that only gets accessed if the address of the register is not the address for your timer.

To verify if the problem is being caused by a memory integrity check routine, you can simply write a script at that injection point that doesn't change anything, and leave it enabled for an extended period of time while having nothing else enabled and while making no other modifications to any values during that time.
XaneXXXX
Posted: Tue Dec 15, 2015 9:11 am

++METHOS wrote:
Not likely to be a memory check, in my opinion. I would let the debugger run to see if something else is actually being accessed when the game crashes. If letting the debugger run is not practical, then create a breakpoint inside a segment of code that only gets accessed if the address of the register is not the address for your timer.

To verify if the problem is being caused by a memory integrity check routine, you can simply write a script at that injection point that doesn't change anything, and leave it enabled for an extended period of time while having nothing else enabled and while making no other modifications to any values during that time.


Thanks for your answer. I just tried making a script without modifying the code at all; the game still crashes. It also crashes in the menu. I don't actually have to be in-game at all for the game to crash.

"I would let the debugger run to see if something else is actually being accessed when the game crashes. If letting the debugger run is not practical, then create a breakpoint inside a segment of code that only gets accessed if the address of the register is not the address for your timer."

Could you explain this in a little more detail? Cheers! :)
++METHOS
Posted: Tue Dec 15, 2015 9:52 am

If the game is still crashing, and you know, for certain, that nothing is being modified other than your harmless injection, then the part about creating a breakpoint 'trap' is not necessary. I only mentioned it because it's less intrusive during game-play and it can help when attaching the debugger for a particular instruction causes the target process to lag too much.

The process is simple. Just create your harmless script, and inside your script, compare the address of the register with your timer address and if it doesn't match, have the code jump to a copy of the original code (trap). Once you activate the script, follow the jump to your codecave and set a breakpoint inside the section of code that only executes when the address of the register is not the same as your timer address. Doing this will freeze the target if/when the breakpoint gets executed, allowing you to verify, with certainty, that another address is being accessed by that particular instruction. You can play the game without any interference from the debugger while you check to see if anything catches.
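What the "compare the address of the register with your timer address, and jump to a trap if it doesn't match" step looks like as a Cheat Engine auto-assembler script. This is an added example written for this thread, not a script from ++METHOS, XaneXXXX or the game: the injection point "pdd.dll"+XXXXXX, the register esi and the instruction mov [esi],eax are placeholders, and the real ones are whatever CE shows at the instruction that writes the timer. The compare uses 14C4F678 rather than 14C4F67C because, as the later posts in the thread show, the write is 8 bytes wide and starts 4 bytes below the address that was being watched, so 14C4F678 is the value the register actually holds when it touches the timer. The script changes nothing; it only gives you a place to put a breakpoint that fires when the instruction touches some other address.

```asm
// Diagnostic "trap" script (example, not from the original post).
// Nothing is modified: both branches execute the original instruction.
// Purpose: find out whether the hooked instruction ever runs with the
// register pointing somewhere other than the timer.

[ENABLE]
alloc(newmem,2048)
label(originalcode)
label(trap)
label(exit)
label(returnhere)

newmem:
  // Compare the register with the start of the 8-byte timer value.
  // 14C4F678 is the address seen in this thread; esi is a placeholder
  // for whichever register the real instruction uses.
  cmp esi,14C4F678
  jne trap

originalcode:
  // Placeholder for the game's real instruction (copy it from CE).
  mov [esi],eax
  jmp exit

trap:
  // Only reached when esi is NOT the timer. Put a breakpoint on the
  // instruction below (right-click it in the disassembler -> Toggle
  // breakpoint) and play; if it fires, the instruction is shared with
  // other addresses, so hooking it is not safe.
  mov [esi],eax
  jmp exit

exit:
  jmp returnhere

// Placeholder injection point: the instruction that writes the timer.
// jmp newmem is 5 bytes, so the overwritten instruction(s) must total
// at least 5 bytes; pad with nop and copy every overwritten
// instruction into originalcode/trap above.
"pdd.dll"+XXXXXX:
  jmp newmem
  nop
  nop
  nop
returnhere:

[DISABLE]
// Restore exactly the bytes that were overwritten at the injection point.
"pdd.dll"+XXXXXX:
  mov [esi],eax
dealloc(newmem)
```

To use it, enable the script, follow jmp newmem into the code cave with the CE disassembler, set the breakpoint on the copy of the instruction under trap, and leave the debugger attached while the game runs. Because the breakpoint sits on a path that never runs while the register holds the timer address, there is no lag during normal play, and the first hit tells you the instruction serves more than one address.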
XaneXXXX
Posted: Tue Dec 15, 2015 10:33 am

++METHOS wrote:
If the game is still crashing, and you know, for certain, that nothing is being modified other than your harmless injection, then the part about creating a breakpoint 'trap' is not necessary. I only mentioned it because it's less intrusive during game-play and it can help when attaching the debugger for a particular instruction causes the target process to lag too much.

The process is simple. Just create your harmless script, and inside your script, compare the address of the register with your timer address and if it doesn't match, have the code jump to a copy of the original code (trap). Once you activate the script, follow the jump to your codecave and set a breakpoint inside the section of code that only executes when the address of the register is not the same as your timer address. Doing this will freeze the target if/when the breakpoint gets executed, allowing you to verify, with certainty, that another address is being accessed by that particular instruction. You can play the game without any interference from the debugger while you check to see if anything catches.


Alright, I will try that :)

Btw, the opcode that writes to the timer is kind of weird. I've never seen an opcode/function like that. Original script:


"Compare the address of the register with your timer address" - could you give me a small example? Feeling kind of stupid today haha. Cheers :)
++METHOS
Posted: Tue Dec 15, 2015 10:56 am

Are you working within the main module? If not, try to see if anything is 'accessing' your timer address from within the main module before you proceed.
XaneXXXX
Posted: Tue Dec 15, 2015 11:06 am

++METHOS wrote:
Are you working within the main module? If not, try to see if anything is 'accessing' your timer address from within the main module before you proceed.


Yes I am; everything that accesses the address points to that ".dll" file.

Also, I just noticed that when I "check what this instruction accesses" (= debugging the opcode), the timer address doesn't pop up. Timer address =

14C4F67C

Address that pops up = 14C4F678.. :S And if I freeze that one the timer doesn't freeze.

When I debug the timer address:


Red = the actual timer.
Green = what's being debugged, and it's not the timer.. weird
++METHOS
Posted: Tue Dec 15, 2015 11:23 am

By main module, I mean game.exe.

If none exist, try finding a different timer value (if possible).

Before doing anything, make sure your timer address actually works. Before doing injection, you should always test. If manually freezing the timer address, without injection, works, then your next test would be to see if it causes the game to crash at a later time while it's frozen. If it does, then I would try to find a different address/value.

The other issues that you are experiencing are probably due to the fact that the value being manipulated is 8 bytes.
XaneXXXX
Posted: Tue Dec 15, 2015 11:33 am

++METHOS wrote:
By main module, I mean game.exe.

If none exist, try finding a different timer value (if possible).

Before doing anything, make sure your timer address actually works. Before doing injection, you should always test. If manually freezing the timer address, without injection, works, then your next test would be to see if it causes the game to crash at a later time while it's frozen. If it does, then I would try to find a different address/value.

The other issues that you are experiencing are probably due to the fact that the value being manipulated is 8 bytes.


Yes, when I freeze the address the timer stops, so I know that it is the right one. Thanks for the tip, it is true, that 8-byte thing hehe. Will keep looking then. I thought that I had experience in Cheat Engine and now I feel like a pure noob haha :)
++METHOS
Posted: Tue Dec 15, 2015 11:36 am

Regarding the timer address...don't be so sure. Oftentimes, there are multiple addresses for things. Some 'seem' to work, but there may be a better option. I would say, if freezing the timer does not cause the game to crash, and works as intended, then it's probably okay to proceed. It would be better to work within the main module, but as long as the external modules are game files, you should be fine for trainer purposes.
XaneXXXX
Posted: Tue Dec 15, 2015 11:43 am

++METHOS
Posted: Tue Dec 15, 2015 12:52 pm

Regarding the link, CE automatically calculates the module entry point. The OP in that thread either didn't know that, or, was wanting to know how to duplicate that function using C#.

It could be that the dll for this target is encrypted or has shifting code etc..

I grabbed the game, but I can't complete the stupid tutorial to do anything. :D Hopefully, I can try something soon. I will report back.
XaneXXXX
Posted: Tue Dec 15, 2015 12:55 pm

++METHOS wrote:
Regarding the link, CE automatically calculates the module entry point. The OP in that thread either didn't know that, or, was wanting to know how to duplicate that function using C#.

It could be that the dll for this target is encrypted or has shifting code etc..

I grabbed the game, but I can't complete the stupid tutorial to do anything. :D Hopefully, I can try something soon. I will report back.


Oh nice! Thank you. Torrented or bought? Since I use the bought version. Game version is 1.5 :)

If you got the original version, to make stuff easier:

Penalty base address: "pdd.dll"+56E214

So you don't have to look for it hehe :)
++METHOS
Posted: Tue Dec 15, 2015 1:09 pm

Something just came up with my work, so I will not be able to look at this until some other time. Although, if I cannot complete the tutorial, I may just give up. 8)
XaneXXXX
Posted: Tue Dec 15, 2015 2:27 pm

++METHOS wrote:
Something just came up with my work, so I will not be able to look at this until some other time. Although, if I cannot complete the tutorial, I may just give up. 8)


Aw, too bad. lol. I can just send you my save if you want haha