Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


general question on cheat engine detection

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Discussions
View previous topic :: View next topic  
Author Message
catfood
Cheater
Reputation: 0

Joined: 22 Jun 2015
Posts: 34

PostPosted: Sun Sep 05, 2021 8:33 am    Post subject: general question on cheat engine detection Reply with quote

Hey all, im playing a casual game, but they added some cheat engine detection, and I'm just really curious how they know. I don't actually care about beating their security, as I do have someone's modded CE version that works. I don't care about being able to cheat in the game, I'm just so curious HOW they're detecting.

I changed:
*the file name
*the process name
*the icon
*the file hash
*every instance inside cheat engine that says "cheat engine", "cheatengine"
*the .dll name (I also stripped CE down to the exe and 1 single dll)
*the publisher info and version
*the file size

yet even clicking this heavily modded CE (not even attaching), the game instantly gives a popup saying it detected CE.

I'm so so curious how. at this point I don't even care about cheating, I'm just dumbfounded how they could know. i figure compiling myself would get around their security, but my goal isn't to cheat, it's just to understand HOW theyre still able to know after I've changed all those things.

it still knows the second I click my super modded cheatengine program... how?

I'm just curious for learning's sake HOW they're detecting that CE is running.
the second I click CE it
Back to top
View user's profile Send private message
LeFiXER
Grandmaster Cheater Supreme
Reputation: 20

Joined: 02 Sep 2011
Posts: 1053
Location: 0x90

PostPosted: Sun Sep 05, 2021 10:06 am    Post subject: Reply with quote

Yeah, anti-debugger measures. I know it doesn't really give any insight as to how but they are detecting when CE attaches.
Back to top
View user's profile Send private message
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

PostPosted: Sun Sep 05, 2021 4:31 pm    Post subject: Reply with quote

Older AC's (and other userlevel ones) used methods of detection through window enumeration and looking at child objects on a window, such as controls/layout of said windows. They could be looking for things such as:

- The name / class of known controls of the CE parent window.
- The positions of the controls of the CE parent window.
- The known icons/hashes of data within CEs parent window.

Cheat Engine has a lot of custom controls that it has named, which those names remain in the process when its compiled due to how Delphi/Pascal works. So they could be detecting things such as 'TfrmAssemblyScan', 'TfrmMemoryViewEx', etc.

You would basically need to rename everything inside of CE to avoid actual detection of strings, or heavily modify the exe so that none of the strings are seen at runtime. (You'd still need to also fake/hide the class object names when they are queried with system API too.)

There are still a ton of other means of detection too all depending on what kind of AC they decided to develop.

_________________
- Retired.
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Discussions All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites