Cheat Engine

Felheart · Newbie cheater Reputation: 0 Joined: 22 Jun 2009 Posts: 14

Hi there,
is there a "read only mode" for ce?
I remember that MHS had a checkbox named "open in restricted mode".
It prevents the user to make ANY write operations to the target process.

Is there something similar in CE ? Is it possible to do this with a script or something?

Dark Byte · Posted: Thu Nov 24, 2011 5:34 pm Post subject:

No, but you can do it with a plugin
The write api ce uses for everything is provided as a pointer. You can change that pointer to a function of your own that either calls the original function, or discard the write operation (read only)

But what reason do you have for this ?

Felheart · Newbie cheater Reputation: 0 Joined: 22 Jun 2009 Posts: 14

Thanks for the info!
So you mean "WriteProcessMemory" inside the "ExportedFunctions" struct, yes?

Another question: does cheatengine 6.1 still inject any dlls?
I only know of the speedhack dll, but I won't use the speedhack anyway.
When does ce inject any dlls and is there a way to prevent this?
Does the debugger/disassembler/"find what.. this address" use dlls or do these functions write to the target process?

Dark Byte · Posted: Thu Nov 24, 2011 9:43 pm Post subject:

Yes, the writeprocessmemory variable is a pointer to the pointer to the function. So if you change that to your function you can hook it

and ce doesn't inject any dll's when attaching it. Only some stuff like heaptrack and speedhack inject dll's but those are not enabled by default

the debugger only injects a dll if you make use of the VEH debugger interface

There's not much of a speed difference between 32 and 64-bit, but if you do pointerscans 64-bit is recommended

Felheart · Newbie cheater Reputation: 0 Joined: 22 Jun 2009 Posts: 14

I definitely want to use the kernelmode debugger.
Do I have to install DBVM or something?
In the about box it says: "your system supports dbvm".
Do I just have to start with unsigned drivers allowed and thats it?

For my own program (not a really a game):
What possibilies do I have in my own programs to detect the presence of the kernelmode debugger of ce? (what functions / techniques)
I dont want to modify ce's driver (to include a global mutex or something), so is there another way to detect if I'm beeing debugged by ce's kernel debugger?

oh and 64-bit ce is just faster because it can address more memory? (so no diskswaps) or is there more to it?

Thanks for all info. you are a great help Very Happy

Dark Byte · Posted: Fri Nov 25, 2011 7:39 am Post subject:

in 64-bit you need dbvm. In 6.1 do the following: Reboot with unsigned driver support. Then go to the about screen and click on the "Your system supports dbvm"

Then close and reopen ce
(or write the .img to a 3.5" disk or bootable usb drive and boot of that)

There is a way to detect the debugger if global debug is turned off by checking if debug registers are being changed, but if global debug is on there is no way to detect it.

Note: global debug may not work well in 64-bit windows (not much tested)

And 64-bit isn't really faster, it's just that the pointerscan has the tendency to allocate more than 2GB of ram for the pointer database (some extremely object oriented games) causing the 32-bit version to just fail

Also 64-bit lets you debug 64-bit apps

Felheart · Newbie cheater Reputation: 0 Joined: 22 Jun 2009 Posts: 14

Thanks again Dark Byte.
I'm using ce quite often and over time it has become an invaluable part in my toolkit. Thanks for your support Smile