FearLess Cheat Engine

IFireflyl wrote: ↑

Wed Dec 08, 2021 10:12 pm

This game requires some effort as it is (apparently) detecting that Cheat Engine is running and then force closing the game. I had to look up how to create an undetected cheat engine which worked for searching for values, but for some reason I don't have the ability to use the debuggers with that (which is pretty necessary for people making cheat tables). I think that means we'll only be able to get trainers for this, and not an actual cheat table. I could definitely be wrong on that, but I don't know how else a table creator will be able to get around the game detecting that Cheat Engine itself is running.

stlmikey wrote: ↑

Wed Dec 08, 2021 10:21 pm

I was able to use C***** to find health but that's about it. Comes with about 60 results and only 1 seem to be correct but it seems to change after load. I tried to find ammo but results that I came up with it would not hold the value..

IFireflyl wrote: ↑

Wed Dec 08, 2021 10:27 pm

stlmikey wrote: ↑

Wed Dec 08, 2021 10:21 pm

I was able to use C***** to find health but that's about it. Comes with about 60 results and only 1 seem to be correct but it seems to change after load. I tried to find ammo but results that I came up with it would not hold the value..

I don't use that as it isn't open source and they're kind of dodgy. But using the modified CE I was able to find ammo in 2-byte values. The problem is that the addresses jump with checkpoints. That's where I think the debugger would come in handy. We'll have to wait for one of the greats to figure this out. I'm too noob for this unfortunately.

Game detects some things just on launch, like Process Hacker
Renamed Cheatengine 7.1 seems to be able to be running
Game detects VEH breakpoints eventually
Game detects changes to game code.

Game code is mirrored in non .text area

example..

AOB search: 49 8D 4E 10 48 03 C8

041188F9 - 49 8D 4E 10 - lea rcx,[r14+10]
041188FD - 48 03 C8 - add rcx,rax
04118900 - E8 3B6F1500 - call 0426F840
04118905 - 44 0FBF E0 - movsx r12d,ax
04118909 - 33 C0 - xor eax,eax
0411890B - 66 39 03 - cmp [rbx],ax
0411890E - 76 07 - jna 04118917
04118910 - 0FB7 43 02 - movzx eax,word ptr [rbx+02]

matches:

HaloInfinite.exe+5F88F9 - 49 8D 4E 10 - lea rcx,[r14+10]
HaloInfinite.exe+5F88FD - 48 03 C8 - add rcx,rax
HaloInfinite.exe+5F8900 - E8 3B6F1500 - call HaloInfinite.exe+74F840
HaloInfinite.exe+5F8905 - 44 0FBF E0 - movsx r12d,ax
HaloInfinite.exe+5F8909 - 33 C0 - xor eax,eax
HaloInfinite.exe+5F890B - 66 39 03 - cmp [rbx],ax
HaloInfinite.exe+5F890E - 76 07 - jna HaloInfinite.exe+5F8917
HaloInfinite.exe+5F8910 - 0FB7 43 02 - movzx eax,word ptr [rbx+02]

FURTHER! Any change to one of the above code, the other will mirror it, BUT will also trigger game lockup.

Game SCANS the .text in non .text and non module code, likely manual mapped. Here is code that scans game .exe..

02DA81B0 - 48 8B C1 - mov rax,rcx
02DA81B3 - 4D 85 C0 - test r8,r8
02DA81B6 - 74 1F - je 02DA81D7
02DA81B8 - 0FB6 0A - movzx ecx,byte ptr [rdx]
02DA81BB - 48 33 C8 - xor rcx,rax
02DA81BE - 48 B8 B301000000010000 - mov rax,00000100000001B3 { 435 }
02DA81C8 - 48 0FAF C8 - imul rcx,rax
02DA81CC - 49 FF C8 - dec r8
02DA81CF - 48 FF C2 - inc rdx
02DA81D2 - E9 D9FFFFFF - jmp 02DA81B0
02DA81D7 - C3 - ret

Further the manually mapped code is called by multiple places, which take the result of this and check it vs. a value.

FURTHER! the manually mapped code is also scanned for integrity by Arbiter.dll, here, and maybe elsewhere:

Arbiter.dll+3000 - 48 8B C1 - mov rax,rcx
Arbiter.dll+3003 - 4D 85 C0 - test r8,r8
Arbiter.dll+3006 - 74 1F - je Arbiter.dll+3027
Arbiter.dll+3008 - 0FB6 0A - movzx ecx,byte ptr [rdx]
Arbiter.dll+300B - 48 33 C8 - xor rcx,rax
Arbiter.dll+300E - 48 B8 B301000000010000 - mov rax,00000100000001B3 { 435 }
Arbiter.dll+3018 - 48 0FAF C8 - imul rcx,rax
Arbiter.dll+301C - 49 FF C8 - dec r8
Arbiter.dll+301F - 48 FF C2 - inc rdx
Arbiter.dll+3022 - E9 D9FFFFFF - jmp Arbiter.dll+3000
Arbiter.dll+3027 - C3 - ret


Example call:

Arbiter.dll+25EC96 - 41 0FB6 0F - movzx ecx,byte ptr [r15]
Arbiter.dll+25EC9A - 48 B8 25232284E49CF2CB - mov rax,CBF29CE484222325 { -2078137563 }
Arbiter.dll+25ECA4 - 48 33 C8 - xor rcx,rax
Arbiter.dll+25ECA7 - 48 B8 B301000000010000 - mov rax,00000100000001B3 { 435 }
Arbiter.dll+25ECB1 - 48 0FAF C8 - imul rcx,rax
Arbiter.dll+25ECB5 - 4D 8D 46 FF - lea r8,[r14-01]
Arbiter.dll+25ECB9 - 49 8D 57 01 - lea rdx,[r15+01]
-----> Arbiter.dll+25ECBD - E8 3E43DAFF - call Arbiter.dll+3000 <----------
Arbiter.dll+25ECC2 - 48 8B D8 - mov rbx,rax
Arbiter.dll+25ECC5 - EB 0A - jmp Arbiter.dll+25ECD1
Arbiter.dll+25ECC7 - 48 BB 25232284E49CF2CB - mov rbx,CBF29CE484222325 { -2078137563 }
Arbiter.dll+25ECD1 - F3 0F10 0D 976A0600 - movss xmm1,[Arbiter.dll+2C5770] { (Nan) }


I've been unable to beat this, as mainly using PAGE EXCEPTIONS allowed me to breakpoint in places that were hard to get breakpoint without instant lockup.

I have no idea how the game is writing or matching the two areas (mapped and .text)

Writing over the game code causes eventual lockup due to integrity check by the manually mapped code.

It also appears that Arbiter.dll, and possibly the manually mapped loop are separate threads from the main game thread, Although making HARD JMP in the manually mapped code causes game to pause/lock.

For instance:

02DA81B0 - 48 8B C1 - mov rax,rcx
to:
02DA81B0 - EB FE - jmp 02DA81B0
02DA81B2 - 90 - nop

Game instantly locks, so that code must be called regularly or part of the main game loop?

acecel wrote: ↑

Thu Dec 09, 2021 5:26 am

Why would they use such a complex anti-cheat system on the singleplayer part of the game ?
On the multi i understand completely but on the other end it's kinda overkill for singleplayer i feel