Cheat Engine The Official Site of Cheat Engine
catfood Cheater Reputation: 0
Joined: 22 Jun 2015 Posts: 34
Posted: Sun Sep 05, 2021 8:33 am Post subject: general question on cheat engine detection
Hey all, I'm playing a casual game, but they added some cheat engine detection, and I'm just really curious how they know. I don't actually care about beating their security, as I do have someone's modded CE version that works. I don't care about being able to cheat in the game, I'm just so curious HOW they're detecting.
I changed:
*the file name
*the process name
*the icon
*the file hash
*every instance inside cheat engine that says "cheat engine", "cheatengine"
*the .dll name (I also stripped CE down to the exe and 1 single dll)
*the publisher info and version
*the file size
Yet even clicking this heavily modded CE (not even attaching), the game instantly gives a popup saying it detected CE.
I'm so so curious how. At this point I don't even care about cheating, I'm just dumbfounded how they could know. I figure compiling myself would get around their security, but my goal isn't to cheat, it's just to understand HOW they're still able to know after I've changed all those things.
It still knows the second I click my super modded cheatengine program... how?
I'm just curious for learning's sake HOW they're detecting that CE is running.
the second I click CE it
LeFiXER Grandmaster Cheater Supreme Reputation: 20
Joined: 02 Sep 2011 Posts: 1053 Location: 0x90
Posted: Sun Sep 05, 2021 10:06 am Post subject:
Yeah, anti-debugger measures. I know it doesn't really give any insight as to how but they are detecting when CE attaches.
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8516 Location: 127.0.0.1
Posted: Sun Sep 05, 2021 4:31 pm Post subject:
Older ACs (and other user-level ones) used methods of detection through window enumeration and looking at child objects on a window, such as controls/layout of said windows. They could be looking for things such as:
- The name / class of known controls of the CE parent window.
- The positions of the controls of the CE parent window.
- The known icons/hashes of data within CE's parent window.
Cheat Engine has a lot of custom controls that it has named, and those names remain in the process when it's compiled due to how Delphi/Pascal works. So they could be detecting things such as 'TfrmAssemblyScan', 'TfrmMemoryViewEx', etc.
You would basically need to rename everything inside of CE to avoid actual detection of strings, or heavily modify the exe so that none of the strings are seen at runtime. (You'd still need to also fake/hide the class object names when they are queried with system API too.)
There are still a ton of other means of detection too, all depending on what kind of AC they decided to develop.
_________________
- Retired. |
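The window-enumeration check described in the post above, sketched as an added example; it is not part of the original thread and not any anti-cheat's actual code. It assumes, as the post describes, that the quoted names are what a class-name query returns for those windows; `flag_windows`, `enumerate_windows`, `KNOWN_CLASSES` and the `SAMPLE` snapshot are hypothetical names and constructed data.

```python
import ctypes

# Names quoted in the post above; assumed to be what a class-name query returns.
KNOWN_CLASSES = {"TfrmAssemblyScan", "TfrmMemoryViewEx"}

# Constructed snapshot of (pid, window class, title); pid 7788 has renamed titles.
SAMPLE = [
    (4120, "Notepad", "Untitled - Notepad"),
    (4120, "Edit", ""),
    (7788, "TfrmMemoryViewEx", "Harmless Tool"),
    (7788, "TfrmAssemblyScan", "Harmless Tool - scan"),
    (7788, "TButton", "OK"),
]

def flag_windows(snapshot, known=KNOWN_CLASSES):
    """Return {pid: sorted matched class names}; titles are deliberately ignored."""
    hits = {}
    for pid, cls, _title in snapshot:
        if cls in known:
            hits.setdefault(pid, set()).add(cls)
    return {pid: sorted(names) for pid, names in hits.items()}

def enumerate_windows():
    """Windows only: snapshot every top-level window and its child controls."""
    from ctypes import wintypes
    user32 = ctypes.windll.user32
    enum_proc = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    user32.GetClassNameW.argtypes = [wintypes.HWND, wintypes.LPWSTR, ctypes.c_int]
    user32.GetWindowTextW.argtypes = [wintypes.HWND, wintypes.LPWSTR, ctypes.c_int]
    user32.GetWindowThreadProcessId.argtypes = [wintypes.HWND, wintypes.LPDWORD]
    user32.EnumChildWindows.argtypes = [wintypes.HWND, enum_proc, wintypes.LPARAM]
    user32.EnumWindows.argtypes = [enum_proc, wintypes.LPARAM]
    rows = []
    def record(hwnd, recurse):
        cls, title = ctypes.create_unicode_buffer(256), ctypes.create_unicode_buffer(256)
        pid = wintypes.DWORD()
        user32.GetClassNameW(hwnd, cls, 256)
        user32.GetWindowTextW(hwnd, title, 256)
        user32.GetWindowThreadProcessId(hwnd, ctypes.byref(pid))
        rows.append((pid.value, cls.value, title.value))
        if recurse:  # EnumChildWindows already walks all descendants
            user32.EnumChildWindows(hwnd, on_child, 0)
        return True
    on_child = enum_proc(lambda hwnd, _: record(hwnd, False))
    on_top = enum_proc(lambda hwnd, _: record(hwnd, True))
    user32.EnumWindows(on_top, 0)
    return rows
```

On Windows, `flag_windows(enumerate_windows())` runs the same match against live windows. The title column is never consulted, so the check keys only on class names that stay in the compiled program.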