Beginner's Guide to Reversing a Trainer With Cheat Engine

 
Cheat Engine Forum Index -> Cheat Engine Tutorials
random5566 (Advanced Cheater, joined 28 Feb 2008, 82 posts)
Posted: Fri Nov 07, 2008 3:36 am    Post subject: Beginner's Guide to Reversing a Trainer With Cheat Engine

Beginner's Guide to Reversing a Trainer With Cheat Engine (CE)
=========================================

For this tutorial to work, you must have a working trainer for a game and of course the game itself. You should also have Cheat Engine 5.4 installed. This tutorial was meant for WinXP users; I cannot verify its usefulness for Vista users.

Why bother reversing a trainer? Why not just use that trainer instead? There are two really good reasons I can think of. First, you may be someone who is interested in making trainers in general, and you have had problems with a game, and are clueless as to how that particular hack was made (example: the reveal map function in the C&C Kane's Wrath trainer). Second, you possess a trainer that is copyrighted, meaning you cannot legally distribute that trainer or share it with your pals at CEF. By reversing that trainer, making a note of all the addresses and offsets that it uses, and all the modified opcodes that trainer performs, you can actually make your own trainer (or cheat table) with identical features/options. This is 100% legit. You can now distribute this trainer freely. One brave step for you, one giant leap for cheaters worldwide. Just make sure you give proper credit to the author of the trainer you referenced.

The approach here is no different from using CE to hack a game. Instead of just using CE and the game you wish to hack, you are now going to use CE with a game and a trainer. Basically, start CE, start the game, start the trainer, then do a memory scan to find out what was modified. I'll be using an example game here:
Game: Wagons Ho
Game Version: 0.8.3
Trainer: outlaws.exe (trained by the OUTLAWS dox division).
Trainer options: infinite cash (when you spend money you gain it), unlimited weight (the wagon can never reach full), unlimited turns (gain a turn on every move instead of losing a turn), unlimited food (with every move you gain 5 food instead of losing it).

To make this tutorial short, I'll only rip one option, the first one: unlimited money.

Step 1:
Start CE, start the trainer, start the game.



Step 2:
In the game, start a 'New Game'.



Step 3:
Alt+Tab to CE, attach CE to the game 'WagonsHoPC.exe', and do a new scan for an unknown initial value.



You'll get a lot of results. This is to be expected; I got 89,444,352 results. Now we'll start to play the 'find the needle in the haystack' game, filtering the results to narrow them down, as best we can, to fewer than 10.

Step 4:
The trainer should be running in the background. Alt+Tab back to the game and enable the infinite money cheat (F1). Buy some food to see if the cheat works / has been enabled. Then Alt+Tab back to CE and do a next scan for a changed value.



Step 5:
Alt+Tab back to the game and buy some food; the cheat will still be enabled, so you will gain money instead. Do not disable the infinite money option here. Instead, Alt+Tab back to CE and scan for an unchanged value. This is called pruning / filtering your searches in order to eliminate the non-relevant addresses.



Step 6:
Alt+Tab back to the game, disable the infinite money option (F1), and buy some food to verify that the cheat has now been disabled. Then Alt+Tab back to CE and do a next scan for a changed value.



By now you should have fewer than 200 addresses found. Repeat this process, i.e., Step 4: enable the cheat and search for a changed value; Step 5: buy something but do not disable the cheat, then search for an unchanged value; Step 6: disable the cheat and search for a changed value; Step 7: buy something with the cheat still disabled and search for an unchanged value. Do steps 4 - 7 over and over until you get about 10 addresses, if you're lucky. I could narrow it down to no fewer than 46 addresses. Out of those 46 addresses found, 4 are green, meaning static addresses. It is more likely that the modified opcodes will be located at a static address (but this is just my opinion).

Step 7:
Make sure that the infinite money cheat is disabled. Right click each address and choose 'Disassemble this memory region'. The Memory Viewer will pop up (if it wasn't already open), showing you the opcodes at the address you right clicked on. Make a note of the opcodes while the infinite money cheat is disabled (write them down in Notepad or whatever text app you have).



Doing step 7 for all four of the green addresses shows that before the trainer's infinite money option was activated, their opcodes were:
When the cheat was disabled:
Address     Bytes                Opcode
004C17AD    02 8b c2 29 81 f4    add cl,[ebx-0b7ed63e]
004C17AE    8b c2                mov eax,edx
004C17AF    c2 29 81             ret 8129
004C17B0    29 81 f4 91 00 00    sub [ecx+000091f4],eax

Step 8:
Now enable the infinite money cheat and repeat step 7. This time we will look again at those 4 green addresses to see if their opcodes were modified.
When the cheat was enabled:
Address     Bytes                Opcode
004C17AD    02 8b c2 01 81 f4    add cl,[ebx-0b7efe3e]
004C17AE    8b c2                mov eax,edx
004C17AF    c2 01 81             ret 8101
004C17B0    01 81 f4 91 00 00    add [ecx+000091f4],eax

It seems three of those four green addresses have been modified when the cheat was enabled. They are 004C17AD, 004C17AF, and 004C17B0.

Step 9:
Make an AA script that specifies the opcodes for those three addresses when enabled, together with the opcodes for those three addresses when disabled. In the Memory Viewer window, select the 'Tools' menu and choose 'Auto Assemble'.



Step 10:
In the Auto Assemble window, choose the 'Template' menu and select 'Cheat Table framework code'.



There are two ways you can script the infinite money cheat. One way would be to define the bytes themselves instead of specifying the opcodes. The resultant script should look like this:

Code:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
//bytes noted in Step 8 (cheat enabled); db writes raw bytes at the address
004C17AD:
db 02 8b c2 01 81 f4

004C17AF:
db c2 01 81

004C17B0:
db 01 81 f4 91 00 00

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
//original bytes noted in Step 7 (cheat disabled); 29 restores the sub
004C17AD:
db 02 8b c2 29 81 f4

004C17AF:
db c2 29 81

004C17B0:
db 29 81 f4 91 00 00


Or, to make it more readable, you could write the script specifying the opcodes instead. The resultant script should look like this:

Code:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
004C17AD:
add cl,[ebx-0b7efe3e]

004C17AF:
ret 8101

004C17B0:
add [ecx+000091f4],eax

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
004C17AD:
add cl, [ebx-0b7ed63e]

004C17AF:
ret 8129

004C17B0:
sub [ecx+000091f4],eax


Note: if you decide to define the bytes manually instead of writing the opcodes, you may get an error message stating that 'This instruction can't be compiled'. This happened during the writing of this tutorial; it seems 'ret 8101' produces no errors, but specifying it using 'db c2 01 81' produces this error message. In any case, if it doesn't work, try writing the script specifying the opcodes instead.

Step 11:
After writing the script, we need to test if it really worked. But first, while you're still in the Auto Assemble window, choose the menu option 'File' and select 'Assign to current cheat table'. This will automatically save your script in the address table (where you freeze values). You can rename the script to something more appropriate like 'Infinite money hack'...etc.



Step 12:
Close the trainer (not CE, I'm referring to the outlaws.exe trainer). Enable the 'Auto assemble cheat'. Alt+Tab back into the game and buy something. Your money should now increase instead of decrease. Disable the 'Auto assemble cheat', then go back into the game and buy something to verify that the disable codes work. Congratulations, you have just ripped an option from another trainer and perhaps in the process gained some insight into how the pros do it. Full credits go to OUTLAWS and The Three Amigos for releasing/distributing this trainer, and of course to Dark Byte for making Cheat Engine.

I've included the cheat table and the trainer made by OUTLAWS in the slim chance that you have the game Wagons Ho 0.83 and would like to go through this tutorial by the read-and-do method.



Attachments: WagonsHoPC.CT (the cheat table, 431 bytes, downloaded 2256 times). The .rar attachment containing the trainer is not displayed because the 'rar' extension was deactivated by a board admin.
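The two things the tutorial does by hand, replayed in Python as an added example (this is not code from the original post, nor from Cheat Engine). The first half models Steps 3 to 7: an initial unknown-value scan over constructed memory snapshots, then the changed / unchanged / changed / unchanged chain; every address and value in those snapshots is made up for the example except the dword at 004C17B0, which holds the listed code bytes. It shows why the patched code dword survives the pattern while a money counter that moves on every purchase, a frame counter and a constant are all pruned. The second half merges the four overlapping disassembly rows from Steps 7 and 8 into one byte map and diffs them, which reduces the three "modified addresses" to the single byte that actually differs (29, sub, versus 01, add at 004C17B0). The same diff against a known-good copy of the code section is the check a code-integrity monitor runs to detect a patched instruction.

```python
# Added example, written for this thread; not code from the original post or
# from Cheat Engine. Part 1 replays the Step 3 to 7 scan chain over constructed
# snapshots; part 2 diffs the Step 7 / Step 8 listings byte by byte.
# All snapshot addresses and values except the 004C17B0 code bytes are made up.
from typing import Dict, List, Tuple

Snapshot = Dict[int, int]   # address -> 32-bit value seen by that scan


def filter_candidates(snapshots: List[Snapshot], steps: List[str]) -> List[int]:
    """Replay a chain of CE-style 'next scan' filters.

    snapshots[0] is the initial unknown-value scan, so every address in it
    starts as a candidate. steps[i] is 'changed' or 'unchanged' and compares
    snapshots[i + 1] against snapshots[i]; addresses that fail are dropped.
    """
    if len(steps) != len(snapshots) - 1:
        raise ValueError("need exactly one filter step per pair of snapshots")
    candidates = set(snapshots[0])
    for before, after, step in zip(snapshots, snapshots[1:], steps):
        if step == "changed":
            candidates = {a for a in candidates if after[a] != before[a]}
        elif step == "unchanged":
            candidates = {a for a in candidates if after[a] == before[a]}
        else:
            raise ValueError(f"unknown scan step {step!r}")
    return sorted(candidates)


# Constructed snapshots at the points the tutorial describes: s0 new game,
# s1 cheat on and food bought, s2 bought again with cheat on, s3 cheat off and
# food bought, s4 bought again with cheat off. CODE_DWORD is the dword at
# 004C17B0 whose first byte the trainer patches (29 81 f4 91 disabled,
# 01 81 f4 91 enabled, read little-endian). MONEY moves on every purchase,
# FRAMES always changes, CONSTANT never does, ONE_SHOT changes once only.
CODE_DWORD, MONEY, FRAMES, CONSTANT, ONE_SHOT = (
    0x004C17B0, 0x00A10000, 0x00B00000, 0x00C00000, 0x00D00000)
SNAPSHOTS: List[Snapshot] = [
    {CODE_DWORD: 0x91F48129, MONEY: 1000, FRAMES: 1, CONSTANT: 42, ONE_SHOT: 0},
    {CODE_DWORD: 0x91F48101, MONEY: 1010, FRAMES: 2, CONSTANT: 42, ONE_SHOT: 5},
    {CODE_DWORD: 0x91F48101, MONEY: 1020, FRAMES: 3, CONSTANT: 42, ONE_SHOT: 5},
    {CODE_DWORD: 0x91F48129, MONEY: 1010, FRAMES: 4, CONSTANT: 42, ONE_SHOT: 5},
    {CODE_DWORD: 0x91F48129, MONEY: 1000, FRAMES: 5, CONSTANT: 42, ONE_SHOT: 5},
]
STEPS = ["changed", "unchanged", "changed", "unchanged"]   # Steps 4, 5, 6, 7


def bytes_at(rows: List[Tuple[int, str]]) -> Dict[int, int]:
    """Merge (address, hex bytes) listing rows into one address -> byte map.
    The rows overlap (CE disassembled from start addresses one byte apart),
    so any byte covered twice must agree or the listing is inconsistent."""
    out: Dict[int, int] = {}
    for base, hexstr in rows:
        for offset, b in enumerate(bytes.fromhex(hexstr)):
            addr = base + offset
            if addr in out and out[addr] != b:
                raise ValueError(f"listing disagrees with itself at {addr:08X}")
            out[addr] = b
    return out


def diff_code(reference: Dict[int, int], current: Dict[int, int]) -> List[Tuple[int, int, int]]:
    """Return (address, reference_byte, current_byte) for every byte that
    differs. An integrity check is this same diff run against a known-good
    copy of the code section."""
    return [(a, reference[a], current[a])
            for a in sorted(reference) if a in current and reference[a] != current[a]]


# Bytes exactly as listed in the post (Steps 7 and 8).
DISABLED_ROWS = [(0x004C17AD, "02 8b c2 29 81 f4"), (0x004C17AE, "8b c2"),
                 (0x004C17AF, "c2 29 81"), (0x004C17B0, "29 81 f4 91 00 00")]
ENABLED_ROWS = [(0x004C17AD, "02 8b c2 01 81 f4"), (0x004C17AE, "8b c2"),
                (0x004C17AF, "c2 01 81"), (0x004C17B0, "01 81 f4 91 00 00")]


def patch_sections(changes: List[Tuple[int, int, int]]) -> str:
    """Render the differing bytes as the db lines of an [ENABLE]/[DISABLE]
    script: one entry per changed byte rather than per overlapping row."""
    enable = "\n".join(f"{a:08X}:\ndb {new:02x}" for a, _old, new in changes)
    disable = "\n".join(f"{a:08X}:\ndb {old:02x}" for a, old, _new in changes)
    return f"[ENABLE]\n{enable}\n\n[DISABLE]\n{disable}\n"


def main() -> None:
    hits = filter_candidates(SNAPSHOTS, STEPS)
    print("candidates left after Steps 4-7:", [f"{a:08X}" for a in hits])
    changes = diff_code(bytes_at(DISABLED_ROWS), bytes_at(ENABLED_ROWS))
    for addr, old, new in changes:
        print(f"{addr:08X}: {old:02x} -> {new:02x}")   # only 004C17B0: 29 -> 01
    print(patch_sections(changes))


if __name__ == "__main__":
    main()
```

Run it as a script to see the surviving candidate (004C17B0 alone) and the one-byte diff. Because the scan chain keys on the cheat being toggled rather than on the money value, the address that survives is the patched instruction, not the money counter; that is the reason the tutorial's green (static) hits are code addresses.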
Labyrnth (Moderator, joined 28 Nov 2006, 6285 posts)
Posted: Fri Nov 07, 2008 6:45 pm    Post subject: Re: Beginner's Guide to Reversing a Trainer With Cheat Engin

random5566 wrote:
Why bother reversing a trainer? Why not just use that trainer instead? There are two really good reasons I can think of. First, you may be someone who is interested in making trainers in general, and you have had problems with a game, and are clueless as to how that particular hack was made (example : reveal map function in the C&C Kane's Wrath trainer). Second, you possess a trainer that is copyrighted, meaning you cannot legally distribute that trainer or share it with the your pals at CEF. By reversing that trainer, making a note of all the addresses and offsets that it uses, and all the modified opcodes that trainer performs, you can actually make your own trainer (or cheat table) with identical features/options. This is 100% legit. You can now distribute this trainer freely. One brave step for you, one giant leap for cheaters worldwide. Just make sure you give proper credit to the author of said trainer you referenced from.


Although this is a good tutorial and you did explain it very well, it is not something game hackers of the scene will stoop to.
It however is not 100% legit.
1. This is considered ripping options, and is lame.
2. There is an easier & quicker way to get the options of a trainer using ollydbg and breaking on WriteProcessMemory.
3. If you have no clue how an option was done for a game.
You need to keep working at it and figure it out instead of stealing it from someone else who worked to get it.
You're not helping yourself by doing that, because you do not learn the method used to find it.
4. You will be nothing more than a rip artist. And the scene teams frown on this.


Sorry to rain on your post mate, you are knowledgeable from your work I have seen. So don't get a bad rep doing this sort of thing. It allows lamers to steal options from others' trainers. No matter if they completely write a trainer from scratch, the options were not found by them nor was the code being written done by them. It was done by the original game hacker.

kdog2fast (Expert Cheater, joined 01 Jan 2008, 142 posts)
Posted: Sat Nov 08, 2008 5:13 pm

This does work for the most part; I tried this method once with three of my personal trainers. One failed, but I think it is because it wasn't a CE trainer. I find this might work better on CE trainers than VB trainers or AEM trainers.

Can this method also pick up auto assembler scripts? If you mentioned it, I must have glanced over it or missed it. My trainers were simple (none had Auto Assembler scripts in them, and I'm too busy this week to find out myself).

Good tut btw.

Labyrnth (Moderator, joined 28 Nov 2006, 6285 posts)
Posted: Sat Nov 08, 2008 7:59 pm

It will work on others too, it just depends on how the trainer was written.
Large AA scripts possibly won't find all of the code, and if good-size code injections are done you won't find all of it.

As I said in my post, it is not a good idea to go around doing this. This is a lazy way of getting an option YOU are too lazy to work at finding.

random5566 (Advanced Cheater, joined 28 Feb 2008, 82 posts)
Posted: Sun Nov 09, 2008 12:08 am

Labyrnth:
I agree with you. This tutorial is lame. Ripping options is lame. I know you and Wiccan or [Psych] probably won't stoop to this. It's plagiarism and the only person you're cheating is yourself; if you truly want to learn how to hack games, I guess you have to do it the right way. But how is it not 100% legit?? Also, I only made this tut to counter the increasing trend of people seeking to sell their trainers instead of making them free. All I'm saying is that if you do have a trainer which you can't share with people for copyright reasons, at least you can try this method to make a trainer that is freely available. The bad side to this, as you've said, is that a lot of people might start ripping other people's hard work.

kdog2fast:
The trainer made by OUTLAWS used in this tutorial wasn't created by CE. The proof is in the size, only 17.73 kb. CE trainers are usually 200 kb in size or more. Just thought you should know.

Sorry I didn't reply sooner guys, just got a game 'Space Rangers 2: Rise of the Dominators', been trying to train it ever since....really hard game to train, not even CheatHappens made a trainer for this game.
Labyrnth (Moderator, joined 28 Nov 2006, 6285 posts)
Posted: Sun Nov 09, 2008 11:49 am

I meant it is not legit to rip options; it is a legit method for the tutorial.
But that is the reason this is bad.
People will rip others' work, yup.

Even if the only trainer is one you have to pay for, the fact is the options are getting ripped to make a free release that could be made without stealing options.
Unless of course you just want to make it a free trainer out of spite.
I know what you mean about that.

The post I made is basically to let anyone know, if you do this you will not get respect from the scene peers. Possibly not get into any groups you would like to join. Unless of course you want to join [ScorpionS].
They rip everyone's stuff. But worse, they resource-hack and reverse the original trainers to look like they made them.
Psy (Grandmaster Cheater Supreme, joined 27 Mar 2008, 1366 posts)
Posted: Sun Nov 09, 2008 1:39 pm

Ok, let me provide some insight into this.

Although the methodology and the tut itself is sound, the actual ripping is as fucking lame as you can possibly get. You have the knowledge, so why even advertise this working? As well as paving the road for new rippers, it's also putting yourself in a questionable position. Whatever... I already gave you my 2 cents the other day, and you met with a completely unacceptable response, which just shows what sort of person you have to be to do this.

Let me tell you how I have learnt things over the years. Not by ripping and copying, but by making friends. You'd be surprised at how much more you will learn by simply asking for the help (and I don't mean full-blown spoonfeeding, because that too is lame). I work hard at it. If I can't do something I don't decide to fire up olly or ce and find what has changed on a keypress and then copy all the bytes I can find. Granted, there are those situations where this is warranted. There might be that one option that you have partly done but want to find that extra detail that you have missed. So you start a little debugging, maybe monitor the WPM calls and figure out what is done... then re-code it yourself to do the job.

This on-going 'mission' you seem to have... I don't know where it's coming from and I don't know what is fueling you. It's heading in the wrong direction, that's for sure. For a temporary appreciation of this work by a handful of kids around this forum... but then ultimately disputes with those in the scene and others who work hard on their own hacks... not to mention the eventual feeling of not having achieved anything while doing it. Cheathappens have been doing what they are doing now for years. Get over it! I don't support the idea of having to pay for hacks, but ripping their options isn't doing shit to them, trust me.

What one or two people say on a forum is probably not going to change your mind, but I just hope for your own sake that you take a step back and look at the bigger picture.

~Psy
Dragao da Elite (How do I cheat?, joined 13 Oct 2007, 5 posts)
Posted: Sun Nov 09, 2008 2:53 pm

LoL
This is amazing man !! Rep +

Thank you very much
Psy (Grandmaster Cheater Supreme, joined 27 Mar 2008, 1366 posts)
Posted: Mon Nov 10, 2008 3:25 am

No pithy remark? Surprising.
kdog2fast (Expert Cheater, joined 01 Jan 2008, 142 posts)
Posted: Mon Nov 10, 2008 6:41 pm    Post subject: indeed

Ah, I get what you mean Psych, but still, this is a useful tutorial nonetheless, right? I mean you may be too lazy to find the addresses, but in the end, if you try and fail, this could be a method for those who give up too easily or for those who seek to learn.

I'm not saying I support it, but who knows, one day I might stoop down to doing this (I only tried this on my trainers and I doubt I would do it to someone else's, but who knows). It may be viewed as an "immoral" method by most advanced/elite hackers, but I still like the tutorial as it did work.

On a positive note, as I was writing that, I thought of a good way to use this. When I usually make trainers, sometimes I delete the tables (I know...god knows something is wrong with me), so if I ever want the table back I can use this method to get my addresses.

random5566 (Advanced Cheater, joined 28 Feb 2008, 82 posts)
Posted: Mon Nov 10, 2008 11:04 pm

[Psych] wrote:
Although the methodology and the tut itself is sound, the actual ripping is as fucking lame as you can possibly get. You have the knowledge, so why even advertise this working? As well as paving the road for new rippers, it's also putting yourself in a questionable position. Whatever... I already gave you my 2 cents the other day, and you met with a completely unacceptable response, which just shows what sort of person you have to be to do this.


Does freedom of expression mean anything to you? I hate censorship of any kind; if I want to make a tutorial on some aspect involving CE that's my business, and who are you to deny me this basic right? The only 2 cents you exchanged with me were antagonistic and inflammatory. For the peeps at CEF who are curious, these are just some of [Psych]'s replies (I'm only making these private statements public since you're mentioning them):

"Quit talking about this shit..." (referring to Kelsat's trainers or trainers posted that weren't made by the OP even if credit was given)
"why do you call yourself random? Is it because you like to wind people up...bla bla bla...insults...bla bla...more insults"
"you try this again and I'll recommend you for a perm ban." (referring to flaming pm's after being baited into a flame war started by him)
"LOL you're just a kid." (That's it, in one pm that was the whole message)

Just a small sample of the kind of harassment I have to endure from this so-called mod. In his own words, "shows what sort of person you have to be to do this."

Even after sending a pm to him to call it a truce, that this wasn't personal, and that he should cool off and stop targeting me for whatever reasons he has concocted in his head, he starts off by first assassinating my character, telling people I'm of some lowly sort, as evidenced by his replies here, and he has yet to quit this childish game, putting out yet another flame-bait: "No pithy remark? Surprising." Obviously a lame attempt at provoking a temperamental reply from me so that he can act on his wanton impulses to perm ban me.

I didn't deserve a banning; I've done nothing wrong and followed forum rules to the letter. Yet that was what he did, a few days ago. All for posting a trainer in the trainers section which he wasn't even moderating. I gave full credits to the author but apparently this was still in violation of some imaginary rules in Psych's head. It started with a warning for that post, then a second warning (just because he felt like it), then BAM!!! I was banned just like that.

I request that this thread be locked, since it was the intent of the OP (myself) to shed light on some of the uses of CE (whether they are frowned on by the scene or not) and it has done its job. No replies or discussions are needed. The post is now turning into some flame-war / grudge-match, a desire of some rabid individual.