Cheat Engine

zm0d · Posted: Mon Aug 24, 2015 2:03 am Post subject: Value syncing problem

Hi buddys,

currently trying to enable a feature for an online game, you can use offline but online it's disabled. So I figured out the address of the value and also got a valid static pointer. No problem so far. If the value is 0 the feature is disabled and if the value is 1 the feature is enabled. So far, so good... Creating offline game, change the value to 1 in CE and voilà, it works like a charm. My feature got enabled with not using the internal game menu.
Now, when starting an online game and changing value to 1 in CE, the game disconnects after a few seconds with a syncing problem. I thought that something like this will happen, so going to attach debugger with "Find out what accesses this address" and starting offline game... a dozen opcodes appeard... nothing special so far.. now letting debugger attached and checking wat access this address in online mode. Right when the online game starts, 5-6 opcodes add to the list. Those are more interesting, cause there are some checks if my address-of-interest is 0... If it's not 0, it get's set to 0 and later on, if it's still not 0, then I get unsynced and the game disconnects... Was to simple... changing the value later in the online game, after lets say 1 minute of playing, where all checks were done.

Now... I still get unsynced, even when I change the value after the checks are done. I tried this a couple of times and the "Find out what accesses this address" doesn't show me any further calls or new opcodes to my interesting address, when the game is running. How can this be? How can they access their value, without letting the debugger recognize it? Do they probably do some server-sided checks? If so, how can they send my local value repeatedly without letting the debugger know that it gets accessed?

Edit:
Right when reading my text again, I came to the idea, that they probably create a copy of my interesting value and use this one to check if all is synced?! Rolling Eyes

Greetz,
zm0d

Gniarf · Posted: Mon Aug 24, 2015 10:15 am Post subject:

It could be that one of the functions that read your flag in offline mode is shared, and also used in online mode.

Or your feature itself could check if the game is in online mode and self-kick if used online.

Lastly I don't think a debugger would notice if a program used ReadProcessMemory on itself. I'm not very competent in that area but there are probably other kernel functions that an userland/ring3 debugger wouldn't catch, same thing with (protection) drivers reading a process' memory.DBVM which is a ring0 debugger should spot all those though.

zm0d · Posted: Tue Aug 25, 2015 2:35 am Post subject:

Okay, thanks for your reply.

I spend a few more hours yesterday on determining what's going on there. They create a copy of my interesting value and this copy gets checked on different location if its value is 0. On events (keypress) and different, time-scheduled checks... I was able to bypass all those checks, but my interesting value seemed to be wrong in online mode.
When I was able to change the value to 1 in online match, it didn't enable my feature like it does in offline match. I guess I bypassed a check wrong, with writing a hardcoded 0 in a register... They might use this register somewhere for my feature... Need to dig deeper in it... Nasty issue, but that's what makes it somehow interesting.

Edit:
Funny sidenote - I realized that, when I got unsynced and I'm host, I win the match and my opponent loses... The other way around, when my opponent is host, the game just disconnect and no one wins/loses, but only if you're not losing the game. Poorly coded imo.