Stealthedit plugin for dealing with memory checks (Last update: 21th May, 2012)

STN

Founder
Administrator
Joined
Mar 2, 2017
Messages
3,758
Reaction score
45
Recreating Geri's tutorials and articles before his site got wiped out. Wealth of information in it!
-----
UPDATE, 21th May, 2012: Cheat Engine 6.2 is released and if you use it already, you are able to use the new Stealthedit 2. Scroll down to the bottom of the original article to see the section about Stealthedit 2.

This tutorial will cover how to use stealthedit plugin for Cheat Engine in order to bypass memory checks without any extra hassle.

You will need:
Cheat Engine 6.1 or higher (Created by Dark Byte)
Stealthedit plugin (discussed below)
32-bit version of the tutorial of CE 6.1 (Part of CE 6.1 but included here for your convenience, in case you have another version)

What is stealthedit plugin:
This plugin was made to deal with memory integrity checks that you may find in single player games sometimes. If a game has such protection, it will scan the game codes in the memory and in case it will find some difference compared to the original codes, it will usually just crash the game. Such a memory check was described already in the



Now that we have added our plugin, some new (and awesome) options will appear in Cheat Engine. Open the disassembler view, right-click on a code and choose the "Stealthedit this page" option. As you will see (also shown on the video), the original code that you have copied is marked with blue color, and the copy is marked with green color. In the address column, you will see the address of the original code and the address of the copy too, thus you can jump from one to another. Obviously, we want to use the copy instead of the original code so whatever changes you do with the code, do it on the green codes. Also note that the code before and after the green part will not be used, so it is useless to fiddle with it. If you want to change a code, use stealthedit on it and modify the green codes only.

Additionally, the plugin will enable a new auto-assemble instruction that you can use in your scripts. The new instruction is

stealthedit(name, address, size)

You will have to give a name to the memory address that you copy, you have to specify the address that you want to copy and also type in how much memory do you want to copy. If let's say the code you want to modify is 6 bytes, put in 6 for size, or any small number that you like.
NOTE: Stealthedit will copy at least the whole page, even if you give a smaller size.



Stealthedit instruction tutorial:

In this final part, you will learn how to use the stealthedit instruction with a small unofficial Cheat Engine tutorial that I have created for you. If you didn't get the 32-bit version of the CE 6.1 tutorial yet, download it now ( 32-bit version of the tutorial of CE 6.1 ).
Additionally, you will need a cheat table that I have created for testing, learning and practicing. You can download the cheat table from here:
Stealthedit tutorial CT


Do not peek into the scripts or you will ruin the challenge of completing the steps by yourself. You will see 5 scripts in the table:
Lame memory protection
Solve tutorial step 2
Solve tutorial step 2 with stealthedit
Solve tutorial step 3
Solve tutorial step 3 with stealthedit

Start the CE 6.1 tutorial and enable "Solve tutorial step 2". Proceed to the second step of the tutorial, click on the Hit me button and guess what, the Next button will be available. Same goes to step 3. This can be done easily, just check which code is writing to the address of health, and make a small script such as:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access

originalcode:
sub [ebx+00000458],eax
mov [ebx+00000458],(int)1000

exit:
jmp returnhere

"Tutorial-i386.exe"+20F3E:
jmp newmem
nop
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"Tutorial-i386.exe"+20F3E:
sub [ebx+00000458],eax
//Alt: db 29 83 58 04 00 00

I hope this is clear, it should be at this point, the very basics of code injection. If it is not clear, you should learn the basics of code injection first. This is how you make an easy cheat when there is no memory check. Smooth like a dream.
Restart the tutorial and enable the "Lame memory protection" option. (Before you even think about looking at this protection, this is in no way similar to a real life memory protection, it is just imitating it and checking a few codes only and as stupid as lame as it is, it will do it's job for this practice.) Now that the protection is enabled, try to enable the script that you used before to solve the tutorial, "Solve tutorial step 2". If I have done it right, you should experience a small problem, namely that the tutorial has just closed. That's what happens if you try to change a protected code. If you want, you can also try to replace the original code with a NOP at address at 00420F3E or 004213F7, but the same thing will happen, the tutorial will be closed. My lame check will detect if you try to change any of these codes that are writing to the value, so code injection is a no go. Sure you could go and find another code, but in a real life memory check, all codes are scanned so there are no alternative codes that you could use.

What we did so far is that we have enabled a memory check and experienced what would happen in a real life situation. Now we try out stealthedit. Restart the tutorial, enable the memory check and enable the "Solve tutorial step 2 with stealthedit" option. It should work like a charm, no crash, but a working cheat, that's how we want it. Here is the script that you would see in that option:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
stealthedit(stealth_tut2,00420F3E,6) //name is stealth_tut2, the address that we copy is 00420F3E and the code is 6 bytes long
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
registersymbol(staddress) //we register a symbol and label that can be used in the DISABLE section to disable the script
label(staddress)

newmem: //this is allocated memory, you have read,write,execute access


originalcode:
sub [ebx+00000458],eax
mov [ebx+00000458],(int)1000

exit:
jmp returnhere

stealth_tut2: //this is where we change our hook from the original code to the copy, stealth_tut2 = the address of the copy of 00420F3E
staddress: //and we make sure that the address of the copy is stored on staddress too
jmp newmem
nop
returnhere:




[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
staddress: //we restore the copy to it's original state to disable the cheat
sub [ebx+00000458],eax
//Alt: db 29 83 58 04 00 00

Compare the 2 scripts for step 2 (DO NOT look into the script for step 3), standard and stealthedit, see the differencies and read the comments. Hopefully it will clear up how is this instruction used. Also note that the stealthedit instruction can be used only once on a memory region and because of this, you can enable this cheat only once. If you disable it after that, you have to restart the game to use the cheat again.

Alternatively, you could just right-click on this code,
00420F3E - 29 83 58040000 - sub [ebx+00000458],eax
create a copy and replace the green code with a NOP. This would make sure that your health will not decrease but you are not catched by the memory check since the original code is unchanged.

Here is a video to summarize this part:
1. Solve tutorial step 2-3 without protection is working fine.
2. Solve tutorial step 2-3 with protection is working crashing.
3. Using NOP on the proteced code is causing a crash.
4. Using Solve tutorial step 2-3 with stealthedit is working even when the protection is enabled.
5. Using NOP on the green copy is working fine, using NOP on the blue original code is causing a crash (just as it should be).


Exercise:
Now that you have seen how to solve step 2, it is time to make your own script. To complete the exercise, you need to create a script with stealthedit to solve step 3 of the tutorial while the memory check is enabled.

There is a restriction: Your code should change the health to 5000 when you press the Hit me button. The code that is writing to the health is 004213F7 - 29 B3 5C040000 - sub [ebx+0000045C],esi
For the sake of this exercise, you are not allowed to use any other code to create your cheat and it should work exactly as I have described. You have to use stealthedit on this code. The solution is available in the CT, but if you want to learn how to do it yourself, do not peek into the script, do it completely by yourself.

If your cheat is working even when the lame memory integrity check is enabled, you have successfully learned how to use stealthedit and you will be able to use it the same way on properly protected single player games, be it protected by Xlive or other memory check.

This concluded the lame stealthedit tutorial.



Stealthedit 2

I have updated this article to add a new version of stealthedit that can be used with CE 6.2 and above. Stealthedit 2 has all the features of the previous version and scripting is working the same way, so the scripts that you have made for Stealthedit will work without any problem with Stealthedit 2 too.

New feature of SE2:
The new feature in Stealthedit 2 is "Find integrity scan routine(s)". As the name suggests, this version is not just able to avoid memory integrity checks, but it can also find them and display where they are. Pretty cool feature, especially for beginners, but even experts could find it interesting that SE2 is not using any debugger to find the checks, so it will not interfere with debugger protections.

Let's check it out, first you need to download it so click on:
Stealthedit 2 download link


Enable it the same way as you do with the previous version. Notice that there was a bug in CE 6.1 with plugin selections, but this is fixed in CE 6.2 so skip this part:

IMPORTANT for CE 6.1 users.
If you use Cheat Engine 6.1: There is a bug where the first plugin never gets enabled on restart. to get by that just add any other plugin as first plugin (like the c-example) and keep it disabled.
This bug has been fixed in CE 6.2.

Now in CE 6.2, you should see a "Plugins" option in the main menu. Click on it and choose "Stealthedit settings". You will see a new window where you can select "Find integrity scan routine(s)". Enable it and click on "Apply settings". Remember that when you start Cheat Engine, this option is turned off by default, but you will rarely have to use it, so it is good this way.

You can test it on some game, but for my example, I will use the same tutorial and memory check that I have made for the Stealthedit tutorial. So start the Cheat Engine 6.1 tutorial and load the Stealthedit tutorial CT that you can find above. First, enable the "Lame memory protection" option, then activate the "Solve tutorial step 2 with stealthedit" option. In just a few milliseconds, Cheat Engine will show you a new window, called "Integrity scan routines". In the window, you will find an address, which is the address of the code that is checking the memory. Double-click on the address and the disassembler will jump to the code, which is in this case

cmp [Tutorial-i386.exe+20F3C],832940FF

Yes, this is my lame memory check so you are at the right address. A real memory check code would look differently of course, but the important thing is that this plugin can find the code for you. From this point, it is up to you to disable the memory check if you want to disable it at all, or just use the stealthedit plugin to make a script that will not be found by this check.

Rewatch page after set time:
This is a setting for the integrity scan finder. The default value for it is 100 ms but on my computer, setting it to 1 ms did not cause any problems. The lower the better. If CE is scanning the page more frequently, there is a higher chance that it will find the integrity check. Setting this value to as low as possible has a major impact on the time that you need to find that check. In some cases, I needed 5-10 minutes to find a check with 100 ms scanning time, but I have found it almost immediately with 1 ms scanning time. So if your computer can handle it, set it to as low as you can. Of course if the check itself is slow and it is rarely scanning the stealthedited memory region, it will still take some time to find it. Patience is a virtue.

A few things to mention regarding this feature.

1. Normal memory integrity checks are not so incredibly fast like my memory check. My check is fast because it is checking a few bytes only, but normal memory checks are scanning much larger areas. It can take minutes or in some cases even 10 or 20 minutes for a memory check to scan the area.

2. This feature will find memory checks that are scanning the stealthedited area, not all memory checks in the game. If a memory integrity check is not scanning the stealthedited memory region, it will not be found.

3. A side effect of this feature is that it will interfere with the disassembler. When you stealthedit a page, the disassembler will show only ?? or some random values in that area. Keep in mind that the memory region didn't change and if you turn off the option, the disassembler will work again and it will show the correct codes.

4. As I said, this feature is not using the debugger so if the game is crashing as soon as you attach a debugger to it and you want to find a memory check, this is a good way to do it.

Ok as usually, here is a video to show how it works. You can see how to turn on the feature, then I activate the memory check and as I said, it will not be found until a memory region is stealthedited. You can do this by using the stealthedit instruction in an AA script, or doing it manually in the disassembler window. It also shows that the disassembler will be messed up a bit, but as you turn off the feature, it will work normally again.
Peace!
Geri
 

++METHOS

Administrator
Administrator
Joined
Mar 2, 2017
Messages
205
Reaction score
34
Good work, backing these up.
 

Vee_

Cat-alyzer
Fearless Donors
Joined
Mar 14, 2017
Messages
384
Reaction score
40
Thanks for securing this one ++METHOS and Rest In Peace Geri
 

lifesucks420

Noobzor
Joined
Apr 17, 2017
Messages
11
Reaction score
1
I've tested it on the 2nd version in this thread, I guess it's outdated but haven't found anything more up to date, if it works for you, what version do you use?
 

++METHOS

Administrator
Administrator
Joined
Mar 2, 2017
Messages
205
Reaction score
34
Not sure about CE 6.6, but the latest build includes support for x64:

2.4

The last time I used it may have been for CE 6.5, but you can test it. I would recommend using stealtheditex for 64-bit targets.
 

++METHOS

Administrator
Administrator
Joined
Mar 2, 2017
Messages
205
Reaction score
34
Can you elaborate? Are you saying that SE is not working with 6.7? If so, then we will need to have this addressed. I've not had time to look at 6.7 yet.
 

3xd_tango

Noobzor
Joined
Jul 3, 2017
Messages
11
Reaction score
0
++METHOS said:
Can you elaborate? Are you saying that SE is not working with 6.7? If so, then we will need to have this addressed. I've not had time to look at 6.7 yet.
the above main topic has 2 .rar and not working but your 2.4 is working thanks and sorry
 

++METHOS

Administrator
Administrator
Joined
Mar 2, 2017
Messages
205
Reaction score
34
Thank you for the clarification.
 

Blayde

Expert Cheater
Joined
Aug 25, 2017
Messages
230
Reaction score
43
STN said:
Rewatch page after set time:
This is a setting for the integrity scan finder. The default value for it is 100 ms but on my computer, setting it to 1 ms did not cause any problems. The lower the better.............................
Hi,
Quick question.I have i7 6700k proc (overclocked to 4.8GHz). What is the min. value for this one :?:
 

STN

Founder
Administrator
Joined
Mar 2, 2017
Messages
3,758
Reaction score
45
minegotitsnotch said:
is it me or is the download like dead?
I removed it cause http://fearlessrevolution.com/viewtopic.php?f=8&t=5298
 

virusposter

What is cheating?
Joined
Jan 10, 2018
Messages
2
Reaction score
2
Here's the most recent version (still old, but works with 6.7)

password: somes3ecretp8s0wd
 

Attachments

jaksropo

What is cheating?
Joined
Mar 27, 2019
Messages
2
Reaction score
0
Hello, dude. can you share the source code of stealth edit?
 

StakFallT

What is cheating?
Joined
Dec 8, 2019
Messages
1
Reaction score
0
This plugin was made to deal with memory integrity checks that you may find in single player games sometimes. If a game has such protection, it will scan the game codes in the memory and in case it will find some difference compared to the original codes, it will usually just crash the game.
-- STN

Not sure if it's been mentioned here or not, but Wizardry 8 is a BIG culprit of this crap. It's weird because I don't recall seeing it mentioned anywhere (not just here, but anywhere really), but everytime I've used cheat engine on it and make a change to a value, the game automatically goes to a Falcon Northwest ad that when you click to get past, the game then auto-closes. I'm guessing it's a game-exit ad that occurs every time you exit the game (I can't recall, been a long while since I played the game), and I remember there were only trainers for like version 1.00 (or something like that) and version 1.01 is the version on my disc (and Steam I think as well since I bought the collection there also). And it's not just once every now and then like the game just got confused and "inflated its airbags", no; it was consistent. everytime.

Sorry to add to an aging post (especially as my 1st post :/), but I kinda wanted to document that game as falling into the case of some sort of memory integrity check in case someone else is doing internet searches trying to find info on the very thing I was dealing with (i.e. you're not alone, it's not you :)) I could have created a new topic, but it seems like it would be an "empty" post to create a new topic just for that, especially when I personally feel like it fits better here since this plugin deals with the very thing I'm documenting :)

Come to think of it, if the point of the memory integrity check is to prevent crackers, I wonder if a cracked copy wouldn't have that issue... It's not like I don't own (at this point) two copies of it.

Disclaimer: It MAY have changed since then (i.e. there may be trainers out there for the 1.01? version), I don't know. As I mentioned, it's been a long while since I played the game, but last I played it, it was that way and it sucked because I was on a store-bought copy of the game (pressed-disc) and didn't have access to an earlier version short of maybe downloading an older executable off the net somewhere.
 
Top