Cheat Engine

Nazgul · How do I cheat? Reputation: 0 Joined: 01 Jan 2016 Posts: 4

Hi,

Currently I am hooking some win api functions. Tho there are checks for this. They are not checking any bytes, but they check if the 'ret' addy is equal to theirs. Since using detours makes life much easier, I prefer using that instead of using assembly (annoying for 20 apis), so I have to bypass their checks. My guess would be in the end of my detours to have some assembly to fake the ret addy. Tho I do not know in what register it is, since when I place a bp on the return addy, I do not see the 'ret' addy in the stack

func()
{
// func
ret bytes // this address I would like to have
}

main()
{
call func
// bp poss
}

In what register should I change to have my detours wall working again. Or is there maybe an even better method. I do not know how they detect the 'ret' address.

Gr

Zanzer · Posted: Fri Jan 01, 2016 5:57 pm Post subject:

The address for the return is stored at the top of the stack ([esp]/[rsp]) when you execute the CALL instruction.
The value in it is the address of the next instruction after the call statement, normally EIP/RIP plus 5.

Nazgul · How do I cheat? Reputation: 0 Joined: 01 Jan 2016 Posts: 4

Zanzer · Posted: Fri Jan 01, 2016 6:31 pm Post subject:

So hack their check and make it always match.
Where is this check? Inside each function?

Nazgul · How do I cheat? Reputation: 0 Joined: 01 Jan 2016 Posts: 4

ulysse31 · Posted: Sat Jan 02, 2016 10:05 pm Post subject:

If you don't know the checks they are using how can you be sure they use checks at all ?
I find this odd for winapi's, usually the game's mem integrity checks stop at the game module boundaries, one of the reason for this being that API are not loaded at the same address (except user kernel and ntdl) every time.

So what makes you say they check the APIs ? I hope you do not base this affirmation solely on crashs.