Cheat Engine The Official Site of Cheat Engine
an00b Newbie cheater
Reputation: 0
Joined: 08 Jun 2007 Posts: 11
|
Posted: Sat Feb 16, 2008 3:35 pm Post subject: [question]how does the speedhack for CE work? |
|
|
I made my speedhack in C by hooking QueryPerformanceCounter. It was made for Counter-Strike at first, but now I want it to work for everything, like CE's. How would I make my speedhack work for every game? I could post my speedhack if someone wants me to.
|
|
 |
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25788 Location: The netherlands
|
Posted: Sun Feb 17, 2008 1:29 am Post subject: |
|
|
CE also hooks timeGetTime and GetTickCount
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping |
|
 |
an00b Newbie cheater
Reputation: 0
Joined: 08 Jun 2007 Posts: 11
|
Posted: Mon Feb 25, 2008 7:17 pm Post subject: |
|
|
Thanks, helped a lot
|
|
 |
Chaosis13 Master Cheater
Reputation: 0
Joined: 14 Aug 2007 Posts: 372
|
Posted: Thu Mar 27, 2008 5:43 pm Post subject: |
|
|
I don't know, but I think it's a shell command with a timer. If you know any Visual Basic, it shouldn't be hard to find the shell command on a site. I have used it in a program of mine before.
|
|
 |
blackmorpheus Expert Cheater
Reputation: 0
Joined: 05 Apr 2008 Posts: 159
|
Posted: Sat Oct 25, 2008 9:06 am Post subject: |
|
|
Could you post your speedhack? It's C++?
|
|
 |
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25788 Location: The netherlands
|
|
 |
why06 How do I cheat?
Reputation: 0
Joined: 13 Jul 2009 Posts: 1
|
Posted: Tue Aug 25, 2009 6:30 am Post subject: |
|
|
I know this is an old post. And BTW thanks so much for all the help you give.
Do you know if this code for the original Speed hack can compile in Delphi 2009? Because I tried to do it, but it's not working. It may be that I'm not compiling it the right way, but the only tutorials I can find for learning Delphi are on about(dot)com and those are outdated. Unless I get a book. :L
|
|
 |
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25788 Location: The netherlands
|
Posted: Tue Aug 25, 2009 11:00 am Post subject: |
|
|
No idea, I only use Delphi 7.
Try looking at the errors and try to fix them.
Also, don't look for tutorials, look for data and information.
|
 |
cereal1 Cheater
Reputation: 0
Joined: 29 May 2007 Posts: 27
|
Posted: Sat Oct 03, 2009 8:03 pm Post subject: |
|
|
Sorry if I'm repeating a question that is already asked, but how does hooking both...
QueryPerformanceCounter
&
QueryPerformanceFrequency
...allow you to control the speed of a certain process like you do with Cheat Engine? Isn't "Query" more like asking for information?
I opened up speedhacktest.dpr and all it does is show the Counter and Frequency.
|
|
 |
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25788 Location: The netherlands
|
Posted: Sun Oct 04, 2009 4:32 am Post subject: |
|
|
I only hook QueryPerformanceCounter, not frequency.
QueryPerformanceCounter returns the time the system has been running.
QueryPerformanceFrequency returns how much that counter normally goes up each second.
So, the speedhack changes the output of QueryPerformanceCounter by adding or removing a calculated amount and then returning that.
speedhacktest is just a test to see if the speedhack actually works (if you use the speedhack on it you can see the timers speeding up or slowing down).
|
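An added example (not from the thread and not Cheat Engine's code) of the timing arithmetic described above and of how a trusted party can notice it: `scaled_read` models a counter whose elapsed time is multiplied by a speed factor and truncated, and `drift_check` compares the client's elapsed time with a clock outside the process. All names, the 5% tolerance, the three-strike rule and the heartbeat data are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Model of a rescaled counter as described in the thread: the time elapsed
   since a base reading is multiplied by `speed`, truncated to an integer and
   added to the fake base. All names here are hypothetical. */
typedef struct { uint64_t real_base, fake_base; double speed; } scaled_clock;

uint64_t scaled_read(const scaled_clock *c, uint64_t real_now) {
    double scaled = (double)(real_now - c->real_base) * c->speed;
    return c->fake_base + (uint64_t)scaled;   /* truncation, not rounding */
}

/* Trusted-side monitor: compares elapsed time claimed by the client with
   elapsed time on a clock the client cannot touch (e.g. the server's). */
typedef struct { uint64_t client_prev, trusted_prev; int strikes; } drift_monitor;

/* Returns true once `max_strikes` consecutive intervals deviate by more than
   `tolerance` (a fraction, e.g. 0.05) or the client clock runs backwards. */
bool drift_check(drift_monitor *m, uint64_t client_ms, uint64_t trusted_ms,
                 double tolerance, int max_strikes) {
    uint64_t dt = trusted_ms - m->trusted_prev;
    bool bad = client_ms < m->client_prev;
    if (!bad && dt > 0) {
        double ratio = (double)(client_ms - m->client_prev) / (double)dt;
        bad = ratio > 1.0 + tolerance || ratio < 1.0 - tolerance;
    }
    m->strikes = bad ? m->strikes + 1 : 0;
    m->client_prev = client_ms;
    m->trusted_prev = trusted_ms;
    return m->strikes >= max_strikes;
}

/* Constructed session: one heartbeat per second of trusted time, with a few
   milliseconds of network/scheduling jitter on the client's reading. */
bool session_flagged(double speed) {
    static const int jitter[5] = {0, 12, -8, 5, -15};
    scaled_clock clk = {100000, 100000, speed};
    drift_monitor mon = {100000, 100000, 0};
    bool flagged = false;
    for (int i = 1; i <= 10 && !flagged; i++) {
        uint64_t trusted = 100000 + (uint64_t)i * 1000;
        uint64_t client = scaled_read(&clk, (uint64_t)((int64_t)trusted + jitter[i % 5]));
        flagged = drift_check(&mon, client, trusted, 0.05, 3);
    }
    return flagged;
}
```

Requiring several consecutive bad intervals keeps ordinary jitter from tripping the check, while a sustained speed factor such as 0.75 or 2.0 is flagged within a few heartbeats.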
 |
cereal1 Cheater
Reputation: 0
Joined: 29 May 2007 Posts: 27
|
Posted: Wed Oct 07, 2009 7:25 pm Post subject: |
|
|
Thanks.
|
|
 |
theonetrueace Newbie cheater
Reputation: 0
Joined: 05 Feb 2008 Posts: 14
|
Posted: Sun Oct 18, 2009 10:59 pm Post subject: |
|
|
DarkByte, can you please explain why you ran the trunc function on the return value before passing it back to the app?
|
|
 |
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25788 Location: The netherlands
|
Posted: Mon Oct 19, 2009 4:54 am Post subject: |
|
|
GetTickCount and QueryPerformanceCounter have a return type DWORD.
speedmultiplier is a floating point value that can be anything, like 0.75.
So it needs to be converted to an integer type before returning.
|
 |
theonetrueace Newbie cheater
Reputation: 0
Joined: 05 Feb 2008 Posts: 14
|
Posted: Tue Oct 20, 2009 11:53 pm Post subject: |
|
|
Another question: when injecting the DLL into the process, can you think of a reason I would be getting an error on VirtualAllocEx? Here's what I'm trying to use...
Code: | hProcess:=NewKernelHandler.OpenProcess(PROCESS_ALL_ACCESS,false,ProcessID);
injectedlocation:=VirtualAllocEx(hProcess,nil,4096,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
|
and this is the error...
Code: | Attempted to write or read protected memory. This is often an indication that other memory is corrupt.
|
If you can't think of any reason this would happen under normal circumstances, how would you think I could go about tracking down this issue? The problem seems to be inside the call to VirtualAllocEx. I found this out by breaking out of the code before and after this call. Another thing I should say: I am creating a Delphi DLL which I am calling from VB.NET in order to inject the hook DLL. I'm going to eventually be partially recoding the hook DLL to make it do what I want, but I'm stuck at the injection for now.
OK, to recap: I'm obtaining the process ID through my own call in VB.NET, which seems to be working...
Code: | GetWindowThreadProcessId(hWindow, lpdwProcessId) |
Then I'm sending that ID straight into my edited InjectDLL procedure, and then inside the InjectDLL procedure the code at the top of this post is being run, amongst the other code within that procedure. Here's the whole procedure...
Code: |
function InjectDLL(dllname: string; functiontocall: string; processID: tHandle):integer;
var
  LoadLibraryPtr: pointer;
  GetProcAddressPtr: Pointer;
  injectedlocation: pointer;
  h: Thandle;
  inject: array [0..4095] of byte;
  x:dword;
  outp:TAssemblerBytes;
  position,position2: dword;
  dllLocation: string;
  startaddresS: dword;
  functionloc: dword;
  returnINT: integer;
  hProcess: tHandle;
begin
  returnint:=1;
  h:=LoadLibrary('Kernel32.dll');
  returnint:=returnint+1;
  if h=0 then raise exception.Create('No kernel32.dll loaded');
  returnint:=returnint+1;
  try
    returnint:=returnint+1;
    GetProcAddressPtr:=GetProcAddress(h,'GetProcAddress');
    returnint:=returnint+1;
    if getprocaddressptr=nil then raise exception.Create('GetProcAddress not found');
    returnint:=returnint+1;
    LoadLibraryPtr:=GetProcAddress(h,'LoadLibraryA');
    returnint:=returnint+1;
    if LoadLibraryptr=nil then raise exception.Create('LoadLibraryA not found');
    returnint:=returnint+1;
    hProcess:=NewKernelHandler.OpenProcess(PROCESS_ALL_ACCESS,false,ProcessID);
    injectedlocation:=VirtualAllocEx(hProcess,nil,4096,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
    returnint:=returnint+1;
    if injectedlocation=nil then raise exception.Create('Failed to allocate memory');
    returnint:=returnint+1;
    {result:=returnINT ;
    exit;}
    dlllocation:=dllname;
    position:=dword(injectedlocation);
    position2:=0;
    copymemory(@inject[0],pchar(dllLocation+#0),length(dllLocation)+1);
    inc(position,length(dllLocation)+1);
    inc(position2,length(dllLocation)+1);
    functionloc:=position;
    copymemory(@inject[position2],pchar(functiontocall+#0),length(functiontocall)+1);
    inc(position,length(functiontocall)+1);
    inc(position2,length(functiontocall)+1);
    startaddress:=position;
    { assemble('mov ['+inttohex(injectedlocation+4096-4,8)+'],esp');
    copymemory(@inject[position2],outp,length(outp));
    inc(position,length(outp));
    inc(position2,length(outp));}
    assemble('PUSHFD',position,outp);
    copymemory(@inject[position2],outp,length(outp));
    inc(position,length(outp));
    inc(position2,length(outp));
    assemble('PUSHAD',position,outp);
    copymemory(@inject[position2],outp,length(outp));
    inc(position,length(outp));
    inc(position2,length(outp));
    //loadlibrary(cehook);
    assemble('PUSH '+IntToHex(dword(injectedlocation),8),position,outp);
    copymemory(@inject[position2],outp,length(outp));
    inc(position,length(outp));
    inc(position2,length(outp));
    assemble('CALL '+IntToHex(dword(LoadLibraryPtr),8),position,outp);
    copymemory(@inject[position2],outp,length(outp));
    inc(position,length(outp));
    inc(position2,length(outp));
    if functiontocall<>'' then
    begin
      //getprocaddress
      assemble('PUSH '+IntToHex(functionloc,8),position,outp);
      copymemory(@inject[position2],outp,length(outp));
      inc(position,length(outp));
      inc(position2,length(outp));
      assemble('PUSH EAX',position,outp);
      copymemory(@inject[position2],outp,length(outp));
      inc(position,length(outp));
      inc(position2,length(outp));
      assemble('CALL '+IntToHex(dword(GetProcAddressPtr),8),position,outp);
      copymemory(@inject[position2],outp,length(outp));
      inc(position,length(outp));
      inc(position2,length(outp));
      //call function
      assemble('CALL EAX',position,outp);
      copymemory(@inject[position2],outp,length(outp));
      inc(position,length(outp));
      inc(position2,length(outp));
    end;
    assemble('POPAD',position,outp);
    copymemory(@inject[position2],outp,length(outp));
    inc(position,length(outp));
    inc(position2,length(outp));
    assemble('POPFD',position,outp);
    copymemory(@inject[position2],outp,length(outp));
    inc(position,length(outp));
    inc(position2,length(outp));
    assemble('RET',position,outp);
    copymemory(@inject[position2],outp,length(outp));
    inc(position,length(outp));
    inc(position2,length(outp));
    returnint:=returnint+1;
    //call the routine
    if not writeprocessmemory(processhandle,injectedlocation,@inject[0],position2,x) then raise exception.Create('Failed to inject the dll loader');
    returnint:=returnint+1;
    if createremotethread(processhandle,nil,0,pointeR(startaddress),nil,0,x)=0 then raise exception.Create('Failed to execute the dll loader');
    returnint:=returnint+100;
  finally
    FreeLibrary(h);
    result:=returnint+1;
  end;
end; |
I should also state, the DLL is compiling just fine and I have included some of the required units that allowed this all to work.
|
|
 |
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25788 Location: The netherlands
|
Posted: Wed Oct 21, 2009 2:46 am Post subject: |
|
|
What address was being read?
Anyhow, break on the instruction, press Ctrl+Alt+C and then trace through the assembler code with F7.
Also, have you messed up newkernelhandler.pas's initialization?
|