Cheat Engine The Official Site of Cheat Engine
Leopounet How do I cheat?
Reputation: 0
Joined: 18 Feb 2023 Posts: 5
Posted: Sat Feb 18, 2023 10:39 pm Post subject: Cheat Engine, Patching/Modding and JIT
For context: I am trying to create a patch for Unrailed!. In this game, there is a currency and I found the instruction that modifies it. But I find the use of Cheat Tables not ideal (especially if I want to play with friends). So I want to create a patch, so that they can just apply it and then play the modded version.
Unfortunately, the instruction does not exist until it is needed, which from what I read online means that it is JIT compiled. Now, I don't know everything about JIT and I am eager to learn, but from what I understand, the code (not compiled) has to be somewhere, and if I modify it correctly, it will act as a patch (not saying that the modifications are easy to make). But I cannot find the pre-jitted code.
Right now I have found some X code stored on the heap that is modified (maybe the JIT step?), and pasted somewhere else, and the new code is modified again to generate the actual assembly code I found at first (the one I can modify via a cheat table/AOB injection). But this X code is already on the heap when I find it, so it is not what I am looking for.
I have read in other posts that maybe other software like Harmony could help me, but I am not sure if it would really help. Also, my approach is maybe bad and I am okay with any other method that could generate a patch. Anyway, any help/guidance is appreciated because I can't seem to go any further right now.
Also, I am quite a newbie when it comes to CE, but otherwise I am not a newbie in computer science, low-level stuff, etc. I can go into more depth if that helps too.
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4696
Posted: Sun Feb 19, 2023 1:00 am
TLDR: if you don't already know how to do it, it's probably not worth your time to learn, especially if simply sharing a cheat table works. Turn it into a trainer if you insist.
Generally speaking, source code (e.g. C#, Java, Flash ActionScript) gets compiled to bytecode (e.g. respectively: CIL, Java bytecode, Flash ABC) that gets distributed. When the user runs the program, the bytecode gets JIT-compiled to the machine code of the native computer and can then be run. This machine code is what CE reads and shows as assembly instructions.
It sounds like you want to find and modify the bytecode. This is generally easier with a decompiler (turns bytecode back into source code). e.g. for old Flash games, there are plenty of tutorials on this: look up JPEXS on youtube or something. Investigate how the game was created (language, engine, etc) and try to find a suitable decompiler.
If it's dotnet / mono / java, CE might help a little. There might be an additional menu that appears at the top of the main CE window after you attach to a process.
Permanently modifying bytecode might be easier said than done. There could be checksums or hashes that verify the integrity of the data that you'll have to figure out and update. If that's the case, find a decompiler that does it for you, or give up.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Leopounet How do I cheat?
Reputation: 0
Joined: 18 Feb 2023 Posts: 5
Posted: Sun Feb 19, 2023 2:43 pm
Quote: TLDR: if you don't already know how to do it, it's probably not worth your time to learn, especially if simply sharing a cheat table works. Turn it into a trainer if you insist.
To be fair, I want to learn how to do this in general, because I am curious. It is not so much about playing this modded game (although I would enjoy it too). But I didn't make that very clear, sorry.
Quote: Investigate how the game was created (language, engine, etc) and try to find a suitable decompiler.
As I feared, the code is obfuscated and nothing good came out of decompilers (I tried 'monodis' and 'DotSeek'). Maybe there is other software that could help with the obfuscation though? But that seems like a dead end.
Quote: If that's the case, find a decompiler that does it for you, or give up.
From what I understand, Harmony does that, and I guess it's not so much about making sure the new executable is valid (this seems not too difficult with some tools) but about finding the bytes I want to replace and how I want to replace them. Also, I guess since it is obfuscated, I won't get any useful information in the .Net tab in CE (but maybe I am using it wrong or missing something).
I thought that one thing that could help me would be to 'set breakpoints on memory regions'. I don't know if this is possible though. I have read somewhere else that it is possible, but even after enabling Page Exceptions I can't find any option to do that (and selecting a range of addresses does not work either). What am I doing wrong?
(I cannot post URLs yet unfortunately, but googling "Cheat Engine breakpoint memory regions" yields the link I am talking about.)
I am still open to ideas/suggestions, and if you think this is really absolutely impossible without dedicating my life to it, let me know.
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4696
Posted: Sun Feb 19, 2023 2:53 pm
Leopounet wrote: I thought that one thing that could help me would be to 'set breakpoints on memory regions'.
Why do you think that would help you? Once the bytecode gets JIT compiled, it's not like you can reverse time and find out where it came from.
It's definitely possible to do what you want, but it would take a ridiculous amount of effort compared to simply using a cheat table.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Leopounet How do I cheat?
Reputation: 0
Joined: 18 Feb 2023 Posts: 5
Posted: Sun Feb 19, 2023 3:12 pm
There is a .exe file (UnrailedGame.exe), in which I suppose the pre-jitted code is located (otherwise where could it be? Maybe I am wrong here). If I could detect which instructions access this memory region, I could maybe intercept the JIT process.
I would then have the pre-jitted code as the input and the 'post-JIT' code as the output. Not quite, because it is another intermediate representation from what I found; as I said, I feel like there is at least:
The pre-jitted code, [maybe something else, which would be indeed a road block for now], an intermediate code, and then the real assembly code added on the stack.
Since I know what opcode sequence I am looking for in the last two steps, if I can know when the original code is accessed (in UnrailedGame.exe supposedly), I can break when the opcodes of interest are written on the heap (or just before, by waiting for the preceding opcodes). And then, since I know which instruction reads the original code from the UnrailedGame.exe file, I can step until I reach it and see what opcodes are being read from the original file. Then it is just a matter of finding them in software that can generate patches.
I don't know if this is clear or even if that makes sense/would work, but that's how I was approaching this issue. And that's why detecting accesses to memory regions could help.
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4696
Posted: Sun Feb 19, 2023 4:32 pm
Leopounet wrote: otherwise where could it be? Maybe I am wrong here
A dll or some other resource file the game loads on startup. e.g. flash used swf files.
Leopounet wrote: If I could detect which instructions access this memory region, I could maybe intercept the JIT process.
...
..if I can know when the original code is accessed (in UnrailedGame.exe supposedly)...
Your first goal should be to find the memory region the bytecode is in. "Probably somewhere in the exe" isn't anywhere near specific enough- sorting through every memory access in the exe would be ridiculous. You'll have better luck finding the memory region by scanning for common sequences of bytecode.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Leopounet How do I cheat?
Reputation: 0
Joined: 18 Feb 2023 Posts: 5
Posted: Sun Feb 19, 2023 5:39 pm
Quote: A dll or some other resource file the game loads on startup. e.g. flash used swf files.
Yeah, could be, but I have looked at every DLL's name and they are unlikely to contain the instruction according to their names (it could be in something other than the .exe, I am just saying I am making a semi-educated guess on where it is most likely to be). On the other hand, I didn't think of .swf files or anything else other than .exe and .dll files (I am not really a Windows user, I am more familiar with Linux files and executables). But there aren't really many files except DLLs in the directory.
Quote: common sequences of bytecode.
I am unsure what you mean by "common sequences of bytecodes"; are you referring to something specific? I will admit I should get more familiar with .Net/mono. This is not the smartest move, but I am having fun, so whatever.
Anyway thanks for your help in general, maybe I'll come to the conclusion that it is indeed not worth doing at all as you said earlier, and not interesting. But for now I am trying, even if it may be dumb.
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4696
Posted: Sun Feb 19, 2023 7:32 pm
Files typically get opened, written into the process's memory somewhere (like any other dynamically-allocated memory), then closed. You generally won't see a sign that says "this memory is from the file C:\whatever\bytecode.bin" or something. There are other ways of working with files (e.g. memory mapped files).
"common sequences of bytecode"- "common" meaning "occurring frequently," and "sequences of bytecode" practically meaning "arrays of bytes."
If you look at machine code often enough, you'll notice patterns. Some bytes may appear more often than others, or maybe they appear in specific places. In 64-bit code, the byte "48" is a very common prefix byte. The bytes "55 48 89 E5" are often the start of some function.
These heuristics can help someone ascertain something that would otherwise be very tedious using a more "correct" way.
Whatever bytecode format is being used, I'm certain heuristics exist for that as well- certain sequences of bytes that are only common in that particular bytecode format.
It might be even easier than that. e.g. swf files have magic numbers (aka file signatures) at the beginning.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Leopounet How do I cheat?
Reputation: 0
Joined: 18 Feb 2023 Posts: 5
Posted: Mon Feb 20, 2023 11:20 am
Okay I see thank you.
Also, I was wondering, is it possible that the .exe file is basically divided into two parts:
1 - The code at the entry point that is readable/executable code out of the box;
2 - A 'compressed' .data/.text/... part that is expanded at runtime and contains the actual bytecode I am trying to find/modify (the bytecode that is then jitted, etc.)?
I am not saying this is the case here, but the structure of the .exe file reminds me of the structure I would find in ZIP/RAR/... files.
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4696
Posted: Mon Feb 20, 2023 3:37 pm
There are several parts to an exe file. Look up "portable executable format" for more information.
My point still stands: even if the bytecode is getting packed into the exe, there's going to be a lot of other stuff there that's completely unrelated to bytecode.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
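The two ideas ParkourPenguin describes above (ranking memory by byte-frequency patterns such as the 0x48 prefix and the 55 48 89 E5 prologue, and looking for the bytecode container's magic number) together with the pointer to the PE format in the last reply, turned into a small scanner. This is an added example, not code from the thread or from Cheat Engine. It assumes the target is a .NET/mono assembly (the OP mentions monodis), so the magic number it searches for is the ECMA-335 metadata root signature "BSJB", and it also walks the PE headers to check whether the image carries a CLR runtime header (data directory entry 14). The buffer it scans is constructed inline for the demo; on a real target the same functions take the raw file bytes or a region dumped from the process, since bytecode loaded from a file carries no label saying where it came from.

```python
"""Scanner for the heuristics discussed in the thread: find candidate bytecode
and native-code regions in a file or memory dump.  Added example; the PE and
CLI layouts follow the PE spec and ECMA-335 II.24.2.1, the sample input is
constructed below."""
from __future__ import annotations
import struct

REX_W = 0x48                                # very common prefix byte in x64 code
X64_PROLOGUE = bytes.fromhex("554889E5")    # push rbp; mov rbp, rsp
CLI_METADATA_MAGIC = b"BSJB"                # ECMA-335 metadata root signature
CLR_DIRECTORY_INDEX = 14                    # CLR runtime header slot in PE data directories


def find_all(buf: bytes, sig: bytes) -> list[int]:
    """Every offset at which `sig` occurs in `buf` (overlaps included)."""
    hits, pos = [], buf.find(sig)
    while pos != -1:
        hits.append(pos)
        pos = buf.find(sig, pos + 1)
    return hits


def x64_density(buf: bytes, window: int = 256) -> list[tuple[int, float]]:
    """Rank fixed-size windows by how much they look like x64 machine code:
    fraction of 0x48 bytes plus a bonus per function prologue.  High scores mark
    native (JIT or AOT) code; bytecode and metadata score low."""
    scores = []
    for start in range(0, len(buf), window):
        chunk = buf[start:start + window]
        score = chunk.count(REX_W) / len(chunk) + 0.05 * chunk.count(X64_PROLOGUE)
        scores.append((start, score))
    return sorted(scores, key=lambda s: s[1], reverse=True)


def parse_cli_metadata_root(buf: bytes, off: int) -> dict:
    """Parse the CLI metadata root at `off`: runtime version and stream table."""
    if buf[off:off + 4] != CLI_METADATA_MAGIC:
        raise ValueError("no BSJB signature at %#x" % off)
    major, minor, _reserved, vlen = struct.unpack_from("<HHII", buf, off + 4)
    version = buf[off + 16:off + 16 + vlen].split(b"\0", 1)[0].decode("ascii")
    p = off + 16 + vlen                     # vlen is already padded to a multiple of 4
    _flags, nstreams = struct.unpack_from("<HH", buf, p)
    p += 4
    streams = []
    for _ in range(nstreams):
        soff, ssize = struct.unpack_from("<II", buf, p)
        end = buf.index(b"\0", p + 8)
        streams.append((buf[p + 8:end].decode("ascii"), soff, ssize))
        p = off + ((end + 1 - off + 3) & ~3)  # NUL-terminated name, padded to 4 bytes
    return {"version": version, "runtime": (major, minor), "streams": streams}


def pe_has_clr_header(buf: bytes) -> bool:
    """True if `buf` is a PE image with a non-empty CLR runtime header entry,
    i.e. a .NET/mono assembly rather than a purely native executable."""
    if buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 24                     # optional header after 20-byte COFF header
    (magic,) = struct.unpack_from("<H", buf, opt)
    if magic == 0x20B:                      # PE32+
        ndirs_off, dirs = opt + 108, opt + 112
    elif magic == 0x10B:                    # PE32
        ndirs_off, dirs = opt + 92, opt + 96
    else:
        return False
    (ndirs,) = struct.unpack_from("<I", buf, ndirs_off)
    if ndirs <= CLR_DIRECTORY_INDEX:
        return False
    rva, size = struct.unpack_from("<II", buf, dirs + 8 * CLR_DIRECTORY_INDEX)
    return rva != 0 and size != 0


def build_sample() -> bytes:
    """Constructed demo input: a minimal PE32+ header flagged as a CLR image,
    400 bytes of x64-looking code, then a metadata root with two streams."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x8664, 0)           # Machine AMD64, 0 sections
    struct.pack_into("<H", img, 0x94, 0xF0)                 # SizeOfOptionalHeader
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112 + 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)
    code = (b"\x48\x83\xec\x28" + X64_PROLOGUE + b"\x48\x8b\x05\x00\x10\x00\x00"
            + b"\x48\x83\xc4\x28\xc3") * 20
    version = b"v4.0.30319\0\0"                             # 12 bytes: padded to 4
    root = (CLI_METADATA_MAGIC + struct.pack("<HHII", 1, 1, 0, len(version)) + version
            + struct.pack("<HH", 0, 2)
            + struct.pack("<II", 0x6C, 0x1000) + b"#~\0\0"
            + struct.pack("<II", 0x106C, 0x400) + b"#Strings\0\0\0\0")
    return bytes(img) + code + b"\0" * 64 + root + b"\0" * 64


if __name__ == "__main__":
    buf = build_sample()
    print("CLR image:", pe_has_clr_header(buf))
    for off in find_all(buf, CLI_METADATA_MAGIC):
        print("metadata root at %#x:" % off, parse_cli_metadata_root(buf, off))
    print("most code-like windows:", x64_density(buf)[:3])
```

The density score is deliberately crude: it is the "looks like x64" heuristic from the thread, meant to separate native code from everything else, not a disassembler. Once a BSJB hit is found, the stream table it returns gives the offsets of the #~ (tables) and #Strings heaps relative to the root, which is where a decompiler or a tool like monodis would start; checksums or hashes over that region, if the game has any, still need to be dealt with separately as noted above.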