Stealthedit plugin for dealing with memory checks (Last update: 21th May, 2012)

Section's for general approaches on hacking various options in games. No online-related discussions/posts OR warez!
Post Reply
STN
Founder
Founder
Posts: 2846
Joined: Thu Mar 02, 2017 7:48 pm
Reputation: 255

Stealthedit plugin for dealing with memory checks (Last update: 21th May, 2012)

Post by STN » Tue Apr 18, 2017 12:56 am

Recreating Geri's tutorials and articles before his site got wiped out. Wealth of information in it!
-----
UPDATE, 21th May, 2012: Cheat Engine 6.2 is released and if you use it already, you are able to use the new Stealthedit 2. Scroll down to the bottom of the original article to see the section about Stealthedit 2.

This tutorial will cover how to use stealthedit plugin for Cheat Engine in order to bypass memory checks without any extra hassle.

You will need:
Cheat Engine 6.1 or higher (Created by Dark Byte)
Stealthedit plugin (discussed below)
32-bit version of the tutorial of CE 6.1 (Part of CE 6.1 but included here for your convenience, in case you have another version)

What is stealthedit plugin:
This plugin was made to deal with memory integrity checks that you may find in single player games sometimes. If a game has such protection, it will scan the game codes in the memory and in case it will find some difference compared to the original codes, it will usually just crash the game. Such a memory check was described already in the Dealing with Xlive and similar protections article. These memory checks are sometimes added to keep out crackers (which has nothing to do with the current topic as cracks are obviously working differently from trainers) and in some rare cases, they are added as an anti-cheat protection (which is already our concern if we want to make god mode or other cheat, or a simple modification that makes the game more fun). Also note that we are talking about single player games so if you plan to use this in a multiplayer game, you will most likely utterly fail as those games are using hackshields of all kind, most of them detecting Cheat Engine to start with, so don't even bother asking me about multiplayer usage of this plugin, because this is not the point of this article.

The stealthedit plugin is NOT created by me, I write the documentation and tutorial only.

Now if you are a beginner and you want to skip technical gibberish that is useful though not very neccessary to use this plugin, just download stealthedit ( Download link for stealthedit plugin ) and jump to the How to install and enable the plugin part.

How is it working:

The idea behind the stealthedit plugin is that we do not modify the original code at all, instead we make a copy of that code and re-route the program to use the copy instead of the original code. Since the memory check is scanning the unmodified original code only, we can do whatever we want with our copy, including code injections, which is the main method of creating cheats.

Technical stuff:

It is working on both 32 and 64 bit systems and it requires Cheat Engine 6.1 or higher. Here are some notes from the creator of this plugin:

stealthedit should work on 64-bit systems as well (as long as the target is 32-bit, I haven't implemented the local page method yet which is required due to RIP addressing).

If you use Cheat Engine 6.1: There is a bug where the first plugin never gets enabled on restart. to get by that just add any other plugin as first plugin (like the c-example) and keep it disabled.

Then add the stealthedit plugin

Compatibility notes:
XP SP1 and before:Probably won't work
XP SP2 and Vista NO SP: Enable DEP for ALL programs
XP SP3+ and Vista SP1+: Should just work

This plugin is using the SetProcessDEPPolicy API to let windows pass the no execute exception down to the target process and raise an exception. When the exception is raised, CE will re-direct the program to use the copy instead of the original code, so we can run our little script that we inject into the copy without being detected by the memory integrity check.

Download link for the stealthedit plugin



How to install and enable the plugin:
Just download the plugin, copy it in some folder wherever you want (I recommend to create a folder in CE folder) and choose the plugin in the CE settings.

1. Open Cheat Engine.
2. Click on Settings.
3. Choose Plugins.
4. Click on Add new.
5. Select the downloaded DLL file (i386 for 32-bit, x86_64 for 64-bit).
6. Enable the checkbox.
7. Click on OK.

IMPORTANT for CE 6.1 users.
If you use Cheat Engine 6.1: There is a bug where the first plugin never gets enabled on restart. to get by that just add any other plugin as first plugin (like the c-example) and keep it disabled.
This bug has been fixed in CE 6.2.

Here is a video to help you installing the plugin (note that I had the C plugin added already, this is why I deleted it to show how to add it again from start).





Now that we have added our plugin, some new (and awesome) options will appear in Cheat Engine. Open the disassembler view, right-click on a code and choose the "Stealthedit this page" option. As you will see (also shown on the video), the original code that you have copied is marked with blue color, and the copy is marked with green color. In the address column, you will see the address of the original code and the address of the copy too, thus you can jump from one to another. Obviously, we want to use the copy instead of the original code so whatever changes you do with the code, do it on the green codes. Also note that the code before and after the green part will not be used, so it is useless to fiddle with it. If you want to change a code, use stealthedit on it and modify the green codes only.

Additionally, the plugin will enable a new auto-assemble instruction that you can use in your scripts. The new instruction is

stealthedit(name, address, size)

You will have to give a name to the memory address that you copy, you have to specify the address that you want to copy and also type in how much memory do you want to copy. If let's say the code you want to modify is 6 bytes, put in 6 for size, or any small number that you like.
NOTE: Stealthedit will copy at least the whole page, even if you give a smaller size.



Stealthedit instruction tutorial:

In this final part, you will learn how to use the stealthedit instruction with a small unofficial Cheat Engine tutorial that I have created for you. If you didn't get the 32-bit version of the CE 6.1 tutorial yet, download it now ( 32-bit version of the tutorial of CE 6.1 ).
Additionally, you will need a cheat table that I have created for testing, learning and practicing. You can download the cheat table from here:
Stealthedit tutorial CT


Do not peek into the scripts or you will ruin the challenge of completing the steps by yourself. You will see 5 scripts in the table:
Lame memory protection
Solve tutorial step 2
Solve tutorial step 2 with stealthedit
Solve tutorial step 3
Solve tutorial step 3 with stealthedit

Start the CE 6.1 tutorial and enable "Solve tutorial step 2". Proceed to the second step of the tutorial, click on the Hit me button and guess what, the Next button will be available. Same goes to step 3. This can be done easily, just check which code is writing to the address of health, and make a small script such as:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access

originalcode:
sub [ebx+00000458],eax
mov [ebx+00000458],(int)1000

exit:
jmp returnhere

"Tutorial-i386.exe"+20F3E:
jmp newmem
nop
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"Tutorial-i386.exe"+20F3E:
sub [ebx+00000458],eax
//Alt: db 29 83 58 04 00 00

I hope this is clear, it should be at this point, the very basics of code injection. If it is not clear, you should learn the basics of code injection first. This is how you make an easy cheat when there is no memory check. Smooth like a dream.
Restart the tutorial and enable the "Lame memory protection" option. (Before you even think about looking at this protection, this is in no way similar to a real life memory protection, it is just imitating it and checking a few codes only and as stupid as lame as it is, it will do it's job for this practice.) Now that the protection is enabled, try to enable the script that you used before to solve the tutorial, "Solve tutorial step 2". If I have done it right, you should experience a small problem, namely that the tutorial has just closed. That's what happens if you try to change a protected code. If you want, you can also try to replace the original code with a NOP at address at 00420F3E or 004213F7, but the same thing will happen, the tutorial will be closed. My lame check will detect if you try to change any of these codes that are writing to the value, so code injection is a no go. Sure you could go and find another code, but in a real life memory check, all codes are scanned so there are no alternative codes that you could use.

What we did so far is that we have enabled a memory check and experienced what would happen in a real life situation. Now we try out stealthedit. Restart the tutorial, enable the memory check and enable the "Solve tutorial step 2 with stealthedit" option. It should work like a charm, no crash, but a working cheat, that's how we want it. Here is the script that you would see in that option:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
stealthedit(stealth_tut2,00420F3E,6) //name is stealth_tut2, the address that we copy is 00420F3E and the code is 6 bytes long
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
registersymbol(staddress) //we register a symbol and label that can be used in the DISABLE section to disable the script
label(staddress)

newmem: //this is allocated memory, you have read,write,execute access


originalcode:
sub [ebx+00000458],eax
mov [ebx+00000458],(int)1000

exit:
jmp returnhere

stealth_tut2: //this is where we change our hook from the original code to the copy, stealth_tut2 = the address of the copy of 00420F3E
staddress: //and we make sure that the address of the copy is stored on staddress too
jmp newmem
nop
returnhere:




[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
staddress: //we restore the copy to it's original state to disable the cheat
sub [ebx+00000458],eax
//Alt: db 29 83 58 04 00 00

Compare the 2 scripts for step 2 (DO NOT look into the script for step 3), standard and stealthedit, see the differencies and read the comments. Hopefully it will clear up how is this instruction used. Also note that the stealthedit instruction can be used only once on a memory region and because of this, you can enable this cheat only once. If you disable it after that, you have to restart the game to use the cheat again.

Alternatively, you could just right-click on this code,
00420F3E - 29 83 58040000 - sub [ebx+00000458],eax
create a copy and replace the green code with a NOP. This would make sure that your health will not decrease but you are not catched by the memory check since the original code is unchanged.

Here is a video to summarize this part:
1. Solve tutorial step 2-3 without protection is working fine.
2. Solve tutorial step 2-3 with protection is working crashing.
3. Using NOP on the proteced code is causing a crash.
4. Using Solve tutorial step 2-3 with stealthedit is working even when the protection is enabled.
5. Using NOP on the green copy is working fine, using NOP on the blue original code is causing a crash (just as it should be).



Exercise:
Now that you have seen how to solve step 2, it is time to make your own script. To complete the exercise, you need to create a script with stealthedit to solve step 3 of the tutorial while the memory check is enabled.

There is a restriction: Your code should change the health to 5000 when you press the Hit me button. The code that is writing to the health is 004213F7 - 29 B3 5C040000 - sub [ebx+0000045C],esi
For the sake of this exercise, you are not allowed to use any other code to create your cheat and it should work exactly as I have described. You have to use stealthedit on this code. The solution is available in the CT, but if you want to learn how to do it yourself, do not peek into the script, do it completely by yourself.

If your cheat is working even when the lame memory integrity check is enabled, you have successfully learned how to use stealthedit and you will be able to use it the same way on properly protected single player games, be it protected by Xlive or other memory check.

This concluded the lame stealthedit tutorial.



Stealthedit 2

I have updated this article to add a new version of stealthedit that can be used with CE 6.2 and above. Stealthedit 2 has all the features of the previous version and scripting is working the same way, so the scripts that you have made for Stealthedit will work without any problem with Stealthedit 2 too.

New feature of SE2:
The new feature in Stealthedit 2 is "Find integrity scan routine(s)". As the name suggests, this version is not just able to avoid memory integrity checks, but it can also find them and display where they are. Pretty cool feature, especially for beginners, but even experts could find it interesting that SE2 is not using any debugger to find the checks, so it will not interfere with debugger protections.

Let's check it out, first you need to download it so click on:
Stealthedit 2 download link


Enable it the same way as you do with the previous version. Notice that there was a bug in CE 6.1 with plugin selections, but this is fixed in CE 6.2 so skip this part:

IMPORTANT for CE 6.1 users.
If you use Cheat Engine 6.1: There is a bug where the first plugin never gets enabled on restart. to get by that just add any other plugin as first plugin (like the c-example) and keep it disabled.
This bug has been fixed in CE 6.2.

Now in CE 6.2, you should see a "Plugins" option in the main menu. Click on it and choose "Stealthedit settings". You will see a new window where you can select "Find integrity scan routine(s)". Enable it and click on "Apply settings". Remember that when you start Cheat Engine, this option is turned off by default, but you will rarely have to use it, so it is good this way.

You can test it on some game, but for my example, I will use the same tutorial and memory check that I have made for the Stealthedit tutorial. So start the Cheat Engine 6.1 tutorial and load the Stealthedit tutorial CT that you can find above. First, enable the "Lame memory protection" option, then activate the "Solve tutorial step 2 with stealthedit" option. In just a few milliseconds, Cheat Engine will show you a new window, called "Integrity scan routines". In the window, you will find an address, which is the address of the code that is checking the memory. Double-click on the address and the disassembler will jump to the code, which is in this case

cmp [Tutorial-i386.exe+20F3C],832940FF

Yes, this is my lame memory check so you are at the right address. A real memory check code would look differently of course, but the important thing is that this plugin can find the code for you. From this point, it is up to you to disable the memory check if you want to disable it at all, or just use the stealthedit plugin to make a script that will not be found by this check.

Rewatch page after set time:
This is a setting for the integrity scan finder. The default value for it is 100 ms but on my computer, setting it to 1 ms did not cause any problems. The lower the better. If CE is scanning the page more frequently, there is a higher chance that it will find the integrity check. Setting this value to as low as possible has a major impact on the time that you need to find that check. In some cases, I needed 5-10 minutes to find a check with 100 ms scanning time, but I have found it almost immediately with 1 ms scanning time. So if your computer can handle it, set it to as low as you can. Of course if the check itself is slow and it is rarely scanning the stealthedited memory region, it will still take some time to find it. Patience is a virtue.

A few things to mention regarding this feature.

1. Normal memory integrity checks are not so incredibly fast like my memory check. My check is fast because it is checking a few bytes only, but normal memory checks are scanning much larger areas. It can take minutes or in some cases even 10 or 20 minutes for a memory check to scan the area.

2. This feature will find memory checks that are scanning the stealthedited area, not all memory checks in the game. If a memory integrity check is not scanning the stealthedited memory region, it will not be found.

3. A side effect of this feature is that it will interfere with the disassembler. When you stealthedit a page, the disassembler will show only ?? or some random values in that area. Keep in mind that the memory region didn't change and if you turn off the option, the disassembler will work again and it will show the correct codes.

4. As I said, this feature is not using the debugger so if the game is crashing as soon as you attach a debugger to it and you want to find a memory check, this is a good way to do it.

Ok as usually, here is a video to show how it works. You can see how to turn on the feature, then I activate the memory check and as I said, it will not be found until a memory region is stealthedited. You can do this by using the stealthedit instruction in an AA script, or doing it manually in the disassembler window. It also shows that the disassembler will be messed up a bit, but as you turn off the feature, it will work normally again.

Peace!
Geri

User avatar
++METHOS
Administration
Administration
Posts: 203
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 27

Re: Stealthedit plugin for dealing with memory checks (Last update: 21th May, 2012)

Post by ++METHOS » Tue Apr 18, 2017 2:36 am

Good work, backing these up.

User avatar
Vee_
Expert Cheater
Expert Cheater
Posts: 77
Joined: Tue Mar 14, 2017 10:18 am
Reputation: 10

Re: Stealthedit plugin for dealing with memory checks (Last update: 21th May, 2012)

Post by Vee_ » Tue Apr 18, 2017 6:20 am

Thanks for securing this one ++METHOS and Rest In Peace Geri

lifesucks420
Noobzor
Noobzor
Posts: 11
Joined: Mon Apr 17, 2017 4:28 pm
Reputation: 0

Re: Stealthedit plugin for dealing with memory checks (Last update: 21th May, 2012)

Post by lifesucks420 » Tue Apr 18, 2017 7:54 am

not compatible with CE 6.6

User avatar
++METHOS
Administration
Administration
Posts: 203
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 27

Re: Stealthedit plugin for dealing with memory checks (Last update: 21th May, 2012)

Post by ++METHOS » Tue Apr 18, 2017 7:10 pm

Vee_ wrote:
Tue Apr 18, 2017 6:20 am
Thanks for securing this one ++METHOS
-This was STN. :D
lifesucks420 wrote:
Tue Apr 18, 2017 7:54 am
not compatible with CE 6.6
-Are you running the latest version of SE plugin?

lifesucks420
Noobzor
Noobzor
Posts: 11
Joined: Mon Apr 17, 2017 4:28 pm
Reputation: 0

Re: Stealthedit plugin for dealing with memory checks (Last update: 21th May, 2012)

Post by lifesucks420 » Tue Apr 18, 2017 7:59 pm

I've tested it on the 2nd version in this thread, I guess it's outdated but haven't found anything more up to date, if it works for you, what version do you use?

lifesucks420
Noobzor
Noobzor
Posts: 11
Joined: Mon Apr 17, 2017 4:28 pm
Reputation: 0

Re: Stealthedit plugin for dealing with memory checks (Last update: 21th May, 2012)

Post by lifesucks420 » Wed Apr 19, 2017 4:18 am

oh okay, my bad, that one works well

User avatar
Vee_
Expert Cheater
Expert Cheater
Posts: 77
Joined: Tue Mar 14, 2017 10:18 am
Reputation: 10

Re: Stealthedit plugin for dealing with memory checks (Last update: 21th May, 2012)

Post by Vee_ » Thu Apr 20, 2017 5:35 am

++METHOS wrote:
Tue Apr 18, 2017 7:10 pm
Vee_ wrote:
Tue Apr 18, 2017 6:20 am
Thanks for securing this one ++METHOS
-This was STN. :D
Ah my bad, haha :D
Thanks STN, for securing this one :lol:

3xd_tango
Noobzor
Noobzor
Posts: 10
Joined: Mon Jul 03, 2017 7:20 pm
Reputation: 0

Re: Stealthedit plugin for dealing with memory checks (Last update: 21th May, 2012)

Post by 3xd_tango » Wed Jul 05, 2017 8:31 am

Any update for 6.7 please

User avatar
++METHOS
Administration
Administration
Posts: 203
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 27

Re: Stealthedit plugin for dealing with memory checks (Last update: 21th May, 2012)

Post by ++METHOS » Wed Jul 05, 2017 6:15 pm

Can you elaborate? Are you saying that SE is not working with 6.7? If so, then we will need to have this addressed. I've not had time to look at 6.7 yet.

3xd_tango
Noobzor
Noobzor
Posts: 10
Joined: Mon Jul 03, 2017 7:20 pm
Reputation: 0

Re: Stealthedit plugin for dealing with memory checks (Last update: 21th May, 2012)

Post by 3xd_tango » Thu Jul 06, 2017 3:29 pm

++METHOS wrote:
Wed Jul 05, 2017 6:15 pm
Can you elaborate? Are you saying that SE is not working with 6.7? If so, then we will need to have this addressed. I've not had time to look at 6.7 yet.
the above main topic has 2 .rar and not working but your 2.4 is working thanks and sorry

User avatar
++METHOS
Administration
Administration
Posts: 203
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 27

Re: Stealthedit plugin for dealing with memory checks (Last update: 21th May, 2012)

Post by ++METHOS » Thu Jul 06, 2017 7:05 pm

Thank you for the clarification.

User avatar
Blayde
Expert Cheater
Expert Cheater
Posts: 81
Joined: Fri Aug 25, 2017 2:37 pm
Reputation: 17

Re: Stealthedit plugin for dealing with memory checks (Last update: 21th May, 2012)

Post by Blayde » Fri Sep 22, 2017 4:32 am

STN wrote:
Tue Apr 18, 2017 12:56 am
Rewatch page after set time:
This is a setting for the integrity scan finder. The default value for it is 100 ms but on my computer, setting it to 1 ms did not cause any problems. The lower the better.............................
Hi,
Quick question.I have i7 6700k proc (overclocked to 4.8GHz). What is the min. value for this one :?:

Post Reply

Who is online

Users browsing this forum: No registered users