How to Crack and Patch Applications with Cheat Engine

February 1, 2017

You may or may not have heard of Cheat Engine (CE henceforth), a tool developed primarily for hacking video games. Its workflow is built around the kind of dynamic analysis that game hacking calls for (find a value in memory, find the code that touches it, change that code while the process runs), but as it turns out, that makes it a wonderful tool for reversing non-game applications too.

It can be a bit of a bear initially if you're used to tools like IDA Pro or OllyDbg, and the lack of a straightforward "patch these bytes" feature (it can be done, but in a roundabout way) can be off-putting. CE does, however, have its own unique feature set that allows for some extremely fun and interesting analysis techniques. Here are a few:

- Temporary patching: CE stores hacks in XML-formatted "cheat tables" (.CT extension) that users can create, save and share. The entries and scripts in a table modify the target's instructions and/or data in memory while it is running; the executable on disk is never touched. In the context of non-game applications, this means you can script whatever change you want, test it immediately, and hand the .CT to whomever you are working with, all without distributing a modified binary. The flip side is that the patch has to be re-applied every time the target is launched, and if you eventually want a permanent patch you still have to carry the same byte changes over to the file yourself.

- Mono Dissector: Save for obfuscated .NET assemblies, CE has a built-in .NET dissector that lets you quickly browse classes, methods and fields. You can also force methods to be JIT-compiled so that their native code shows up in the disassembler, where you can modify the assembly instructions like any other. The Mono Dissector isn't pretty, but functionally, it gets the job done.

- Ultimap: This feature narrows down the functions you care about by recording which ones are called and letting you filter the list, for example keeping only the functions that ran while you performed an action and discarding those that ran while you didn't. It depends on CPU support: the original Ultimap needs a capable Intel CPU plus CE's DBVM hypervisor. If you happen to have a recent-gen Intel CPU with Processor Trace, you can use Ultimap 2 instead, which has less overhead and eliminates the need for DBVM.

- Conditional break and trace: I love the way CE implements break and trace. If you have, say, a pesky shared instruction with tons of data flowing through it, you can tell CE to break only when a condition holds. The condition is a Lua expression over the register names, so "only if RBX contains the base address of the structure I'm interested in" is a one-liner, and that structure can then be inspected offset by offset with the structure dissector covered in the next point.

- Dissect data/structures: In games, it's common for multiple related values to be stored at [baseAddress+offset]. Think ammo at [baseAddress+04], max ammo at [baseAddress+08], health at [baseAddress+0C], max health at [baseAddress+10], etc. This tool lets you visualize a structure and instantly identify data that you might not have spotted otherwise. It's also great for comparing two instances of the same structure used for different purposes, such as player and enemy health written by one shared instruction to different addresses: lay the two structures side by side, find an offset whose value differs (some kind of "is the player" flag or owner pointer), and then write a script that checks that offset and targets just the player or just the enemy, instead of modifying the shared instruction, which would affect both or all.

- Assembly or Lua: CE gives you powerful scripting options via its inbuilt Auto Assembler and an extensive set of Lua functions, each allowing you to craft reusable scripts to aid in general reversing. You can even mix 'n match the two throughout a single script ({$lua} and {$asm} blocks switch between them).

- Debugger options aplenty: The built-in VEH debugger does not attach through the Windows debug API, so the usual IsDebuggerPresent-style checks don't see it and it hides from most user-mode anti-debugging. You can also opt for the regular Windows debugger or a kernel-mode debugger via DBVM. Should those prove ineffective, CE supports plugins, so put those custom DLLs of yours to good use!

- Open source: That's right, CE is open source! One of the primary benefits is that it allows you to compile what the community colloquially refers to as UCE (Undetectable Cheat Engine) builds: you strip the binaries of any and all references to CE (window titles, driver and process names, strings) that anti-cheat or anti-debugging checks might flag.

- Etc.: I could go on and on and on about CE's features, but hopefully the aforementioned has at least piqued your interest a little bit.
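To make the "temporary patching" and "Assembly or Lua" points concrete, here is an added example of what an in-memory crack looks like when scripted; it is not code from this post or its videos, and it runs inside CE's own Lua engine (the Lua Engine window or a table's Lua script), not as a stand-alone program. The process name target.exe, the byte pattern, and the assumption that the pattern marks a "cmp dword ptr [rbx+0C],0 / je" registration check are hypothetical placeholders standing in for whatever your own analysis turned up:

```lua
-- Added example (not from the original post or its videos): a Cheat Engine
-- Lua script that applies a reversible in-memory patch the way a cheat table
-- entry's [ENABLE]/[DISABLE] pair does. The on-disk binary is never written.
-- Everything about the target is a hypothetical placeholder: the process
-- "target.exe" and a "cmp dword ptr [rbx+0C],00 / je short" check of the kind
-- a crackme uses for its registration test.
local PROCESS   = "target.exe"
local PATTERN   = "83 7B 0C 00 74 ??"   -- '??' is AOBScan's wildcard byte
local JE_OFFSET = 4                     -- the 'je rel8' (74 xx) starts 4 bytes in

local saved = {}                        -- original bytes, so the patch can be undone

-- Locate the branch. AOBScan returns a StringList of hex addresses, or nil.
-- A patch based on a non-unique pattern is a patch to the wrong place, so
-- insist on exactly one hit.
local function findBranch()
  local hits = AOBScan(PATTERN)
  if hits == nil then return nil, "pattern not found" end
  local count, first = hits.Count, hits[0]
  hits.destroy()
  if count ~= 1 then
    return nil, ("pattern is not unique (%d hits)"):format(count)
  end
  return getAddress(first) + JE_OFFSET
end

-- mode "never":  the conditional jump is never taken (replaced by nops).
-- mode "always": it becomes an unconditional jmp to the same destination.
local function enablePatch(mode)
  if saved.addr then return true end    -- already enabled
  local addr, err = findBranch()
  if not addr then print(err) return false end

  local size  = getInstructionSize(addr)      -- 2 for a short je
  local bytes = readBytes(addr, size, true)   -- true: return a (1-indexed) table
  if bytes[1] ~= 0x74 then                    -- sanity check before touching anything
    print(("unexpected opcode %02X at %X, not patching"):format(bytes[1], addr))
    return false
  end

  local script
  if mode == "never" then
    script = ("%X:\n  nop\n  nop\n"):format(addr)
  else
    local rel8 = bytes[2]
    if rel8 > 127 then rel8 = rel8 - 256 end  -- rel8 is a signed displacement
    local dest = addr + size + rel8
    script = ("%X:\n  jmp %X\n"):format(addr, dest)
  end

  -- autoAssemble() assembles the script and writes it into the target process.
  if not autoAssemble(script) then
    print("auto assembler failed:\n" .. script)
    return false
  end
  saved.addr, saved.bytes = addr, bytes
  print(("patched  %X: %s"):format(addr, disassemble(addr)))
  return true
end

-- Restore the original bytes; the process is back to how it was loaded.
local function disablePatch()
  if not saved.addr then return true end
  writeBytes(saved.addr, saved.bytes)
  print(("restored %X: %s"):format(saved.addr, disassemble(saved.addr)))
  saved = {}
  return true
end

if not openProcess(PROCESS) then
  error("could not open " .. PROCESS .. "; is it running?")
end
enablePatch("never")   -- apply, exercise the application, then revert with:
-- disablePatch()
```

The uniqueness check and the opcode check are the parts worth keeping: a table script that blindly writes to the first AOB hit works on one build of the target and silently corrupts the next. Because nothing is written to the file, restarting the target undoes the patch; making it permanent means writing the same bytes at the corresponding file offset, which is a separate step from anything shown here.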

Bearing those points in mind, I've recorded a two-part video series showing you how to crack and patch applications with Cheat Engine. (Yes, my alias on YouTube is "Sn34kyMofo" for reasons I think are obvious, lol.)

I cover much more ground than just replicating solutions you've seen elsewhere for the crackmes I use, so unless you're a seasoned reverser/hacker, you stand to pick up some different, creative approaches to reversing applications.

How to Crack and Patch Applications with CE (Part 1)

How to Crack and Patch Applications with CE (Part 2)

In closing, I really hope I’ve inspired you to consider CE outside of the confines of its primary purpose as a game-hacking tool. The CE community is extremely knowledgeable and helpful (provided you’ve put in at least a small bit of effort to search for answers to your questions), so go poke around there sometime.

Feel free to let me know your thoughts in the comments below, and please share this with anyone whom you think would find it useful. Thanks for reading and I’ll see you in the next article!