Registration Code (Part 1): w%kQ6
Registration Code (Part 2): b<#$1[*(cw~
In order to register on this forum, you must use the codes above. Combine them into one code (copy paste).

Dumping Cheat Engine Trainers

Personal posts regarding my releases and research on various topics.
User avatar
atom0s
Site Admin
Posts: 403
Joined: Sun Jan 04, 2015 11:23 pm
Location: 127.0.0.1
Contact:

Dumping Cheat Engine Trainers

Post by atom0s » Sun Aug 09, 2015 3:23 am

Given that I am a moderator on Cheat Engine's forums, one of my duties is to keep the forums clean of various things. One of which is harmful files / trainers that could contain things that are harmful to the users that download and run them. When Cheat Engine 6.0 beta was first started and posted in the beta only section of the forum, I immediately updated my old trainer dumper tool from Cheat Engine 5.6 to work with the newest version of Cheat Engine.

This was a major overhaul to the popular tool with an entire rewrite of how the trainer files are handled from their original format. That said, I decided to just rewrite my tool specifically for Cheat Engine 6 and use a separate one for older files.

As of today, Cheat Engine is now at version 6.4 and through the 4 major revisions the sub-set of changes have altered the trainer files and their method of being saved numerous times. In total there are two major ways the files are saved based on the version of Cheat Engine being used to create them. There is also two ways a trainer can be saved and protected:
- As a stand-alone .exe file.
- As a compiled/protected .CETRAINER file that Cheat Engine understands how to read.

Each of these methods have their own ups and downs. Keep in mind though, Cheat Engine is open source so these protections are mainly just to deter newbies from editing credits and claiming they wrote something they didn't. So this post should not be seen as anything major or hard-core in terms of creating a dumping tool as the source is freely available.

Stand-Alone Executable File (.exe)
  • Using this approach, trainer makers can create a stand-alone solution within Cheat Engine that actually does a few things pretty interesting for the user and makes their trainer able to make use of Cheat Engine fully. When Cheat Engine generates a stand-alone executable it does the following steps:
    1. The users cheat table is compressed with zlib.
    2. The users cheat table is then xor encrypted multiple times.
    3. Cheat Engine creates a new SFX file for the trainer using a base exectuable.
    4. Cheat Engine builds an archive file that contains the various files that this trainer will need to run.
    5. Cheat Engine injects this new archive into the SFX file's resources and names it 'ARCHIVE'.
    6. Cheat Engine injects another resource named 'DECOMPRESSOR' into the files resources which is used to extract the 'ARCHIVE' resource.
    7. Cheat Engine finalizes the image and renames it to the trainer creators desired name.
    When this file is executed, it will startup and look for the 'DECOMPRESSOR' and 'ARCHIVE' resources and extract them. The decompressor will then run and extract the contents of archive. This archive contains a number of files based on what the trainer requires to run. By default this will at least include:
    • cheatengine-i386.exe / cheatengine-x86_64.exe
    • lua.dll
    • dbghelp.dll
    Outside of that it can also include various files based on the trainers needs such as the dbk32/64.sys driver, speedhack.dll etc.

    Once the files are extracted, if a .CETRAINER file is found in the archive, the decompressor will launch the Cheat Engine executable with the trainer file as the 2nd argument. Then the following information for loading a .CETRAINER file comes into play.
.CETRAINER File (.CETRAINER)
  • CETRAINER files can come in two manners, protected and unprotected. These files are simple .xml files that hold the Cheat Table information. If protected, the files are compressed and encrypted via a simple xor encryption.

    The flow of how these files are loaded follows:
    • Cheat Engine loads the file.
    • Checks if the file is already xml by seeing if '<?xml' exists as the first 5 characters.
    • If '<?xml' exists, just load the table as normal.
    • If not, then the file is considered protected and must be decoded.
    • The first layer of protection is a 3-way xor encryption.
      1. The first wave is a before-key relationship where the the first byte (x) starts at 2 and the first xor key starts at x-2.
      2. The second wave is an after-key relationship where the first byte (x) starts at length-2 and the first xor key starts at x+1.
      3. The last wave is a static-incrementing key relationship where the key starts at 0xCE and increments each xor.
    • Next the newly xor'd data is then decompressed using zlib.
    • Old Decompress Method
      • Using older trainer files have no special compression or buffer, the entire buffer is assumed to be compressed and can be processed.
    • New Decompress Method
      • Using newer trainer files will show a 5 byte header saying 'CHEAT'. This should be skipped before attempting to decompress the buffer.
      • Next the newer files also have the compressed data size after the 'CHEAT' header which should be read and used to know how much data to read and inflate from the compressed data stream.
    • At this point the .CETRAINER file should be clean .xml text and can be reused/edited/etc. again.
Summing It Up
  • Is this a secure method of protection? No not at all, but it is not meant to be. It is, again, meant to deter the newbies from stealing work of others. Overall this is more of a compression method to help reduce the size of the compiled trainer. Granted, due to the fact that .exe trainer files include Cheat Engine's core files to work, the file size of trainers are fairly large with little to no cheats added. A base trainer could be around 3-5MB which is a bit excessive but due to how it works, is very nice for the user given they have full access to CE then.

    For those looking to really protect their trainer / work and do not want it to be seen by others so easily, I do not recommend making your trainers in Cheat Engine, and if you do, you should use an additional packer/protector on top of what Cheat Engine does. Another thing you can do is download Cheat Engines source code and modify the code to implement other methods of protection on top of whats already there. It can help in the long run to protect things.

    Keep in mind though, if your trainer does anything with WriteProcessMemory / ReadProcessMemory it can be easily 'spied' on and stolen still!
CeDumper - Drop-and-dump Solution

Because of needing to check files often like I mentioned above, I wrote a tool to dump the trainer files easily.
A simple drag-and-drop interface can be used to dump any trainer file made with Cheat Engine that is not modded from the original protection setup.
Image Image Image

I will probably release this tool in the near future since others may find it useful to keep themselves protected against malicious trainer files from Cheat Engine.
Derp~
Need a great web host? Check out: AnHonestHost.com


Donations can be made via Paypal:
https://www.paypal.me/atom0s
mariopo3
Posts: 4
Joined: Fri May 06, 2016 7:54 am

Re: Dumping Cheat Engine Trainers

Post by mariopo3 » Fri May 06, 2016 7:58 am

share plz
User avatar
atom0s
Site Admin
Posts: 403
Joined: Sun Jan 04, 2015 11:23 pm
Location: 127.0.0.1
Contact:

Re: Dumping Cheat Engine Trainers

Post by atom0s » Fri May 06, 2016 8:04 am

The tool is not publicly released. If you have a personal trainer of your own that you need decompiled, I can assist you though.
Derp~
Need a great web host? Check out: AnHonestHost.com


Donations can be made via Paypal:
https://www.paypal.me/atom0s
mariopo3
Posts: 4
Joined: Fri May 06, 2016 7:54 am

Re: Dumping Cheat Engine Trainers

Post by mariopo3 » Fri May 06, 2016 9:19 am

yes, this trainer plz
Attachments
Pc_A8Tby_km_v2.4.3.rar
(187.79 KiB) Downloaded 309 times
User avatar
atom0s
Site Admin
Posts: 403
Joined: Sun Jan 04, 2015 11:23 pm
Location: 127.0.0.1
Contact:

Re: Dumping Cheat Engine Trainers

Post by atom0s » Fri May 06, 2016 10:04 am

That trainer is a .NET file packed with dotNetReactor.
Derp~
Need a great web host? Check out: AnHonestHost.com


Donations can be made via Paypal:
https://www.paypal.me/atom0s
mariopo3
Posts: 4
Joined: Fri May 06, 2016 7:54 am

Re: Dumping Cheat Engine Trainers

Post by mariopo3 » Fri May 06, 2016 1:20 pm

you cant decompile the file?
User avatar
atom0s
Site Admin
Posts: 403
Joined: Sun Jan 04, 2015 11:23 pm
Location: 127.0.0.1
Contact:

Re: Dumping Cheat Engine Trainers

Post by atom0s » Fri May 06, 2016 1:23 pm

mariopo3 wrote:you cant decompile the file?
The file is not a CE trainer.
Derp~
Need a great web host? Check out: AnHonestHost.com


Donations can be made via Paypal:
https://www.paypal.me/atom0s
mariopo3
Posts: 4
Joined: Fri May 06, 2016 7:54 am

Re: Dumping Cheat Engine Trainers

Post by mariopo3 » Fri May 06, 2016 1:26 pm

thanks, i am trying but i dont got all the codes
User avatar
atom0s
Site Admin
Posts: 403
Joined: Sun Jan 04, 2015 11:23 pm
Location: 127.0.0.1
Contact:

Re: Dumping Cheat Engine Trainers

Post by atom0s » Fri May 06, 2016 1:50 pm

mariopo3 wrote:thanks, i am trying but i dont got all the codes
The trainer is a .NET trainer (Vb.NET) packed with .NET Reactor.
I'm going to assume it's not yours either so I won't assist you in pirated someone else's work.

The unpacked trainer is also not a CE trainer, it is just a Vb.NET program so this has nothing to do with this topic.
Derp~
Need a great web host? Check out: AnHonestHost.com


Donations can be made via Paypal:
https://www.paypal.me/atom0s
DilanW
Posts: 1
Joined: Sun Jun 12, 2016 1:39 am

Re: Dumping Cheat Engine Trainers

Post by DilanW » Sun Jun 12, 2016 1:54 am

Is CeDumper available to download ?
Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest