Dumping Cheat Engine Trainers
Given that I am a moderator on Cheat Engine’s forums, one of my duties is to keep the forums clean of various things. One of which is harmful files / trainers that could contain things that are harmful to the users that download and run them. When Cheat Engine 6.0 beta was first started and posted in the beta only section of the forum, I immediately updated my old trainer dumper tool from Cheat Engine 5.6 to work with the newest version of Cheat Engine.
This was a major overhaul to the popular tool with an entire rewrite of how the trainer files are handled from their original format. That said, I decided to just rewrite my tool specifically for Cheat Engine 6 and use a separate one for older files.
As of today, Cheat Engine is now at version 6.4 and through the 4 major revisions the sub-set of changes have altered the trainer files and their method of being saved numerous times. In total there are two major ways the files are saved based on the version of Cheat Engine being used to create them. There is also two ways a trainer can be saved and protected:
- As a stand-alone .exe file.
- As a compiled/protected .CETRAINER file that Cheat Engine understands how to read.
Each of these methods have their own ups and downs. Keep in mind though, Cheat Engine is open source so these protections are mainly just to deter newbies from editing credits and claiming they wrote something they didn’t. So this post should not be seen as anything major or hard-core in terms of creating a dumping tool as the source is freely available.
Stand-Alone Executable File (.exe)
Using this approach, trainer makers can create a stand-alone solution within Cheat Engine that actually does a few things pretty interesting for the user and makes their trainer able to make use of Cheat Engine fully. When Cheat Engine generates a stand-alone executable it does the following steps:
- The users cheat table is compressed with zlib.
- The users cheat table is then xor encrypted multiple times.
- Cheat Engine creates a new SFX file for the trainer using a base exectuable.
- Cheat Engine builds an archive file that contains the various files that this trainer will need to run.
- Cheat Engine injects this new archive into the SFX file’s resources and names it ‘ARCHIVE’.
- Cheat Engine injects another resource named ‘DECOMPRESSOR’ into the files resources which is used to extract the ‘ARCHIVE’ resource.
- Cheat Engine finalizes the image and renames it to the trainer creators desired name.
When this file is executed, it will startup and look for the ‘DECOMPRESSOR’ and ‘ARCHIVE’ resources and extract them. The decompressor will then run and extract the contents of archive. This archive contains a number of files based on what the trainer requires to run. By default this will at least include:
- cheatengine-i386.exe / cheatengine-x86_64.exe
- lua.dll
- dbghelp.dll
Outside of that it can also include various files based on the trainers needs such as the dbk32/64.sys driver, speedhack.dll etc.
Once the files are extracted, if a .CETRAINER file is found in the archive, the decompressor will launch the Cheat Engine executable with the trainer file as the 2nd argument. Then the following information for loading a .CETRAINER file comes into play.
.CETRAINER File (.CETRAINER)
CETRAINER files can come in two manners, protected and unprotected. These files are simple .xml files that hold the Cheat Table information. If protected, the files are compressed and encrypted via a simple xor encryption.
The flow of how these files are loaded follows:
- Cheat Engine loads the file.
- Checks if the file is already xml by seeing if
'<?xml'
exists as the first 5 characters. - If
'<?xml'
exists, just load the table as normal. - If not, then the file is considered protected and must be decoded.
- The first layer of protection is a 3-way xor encryption.
- The first wave is a before-key relationship where the the first byte (x) starts at 2 and the first xor key starts at x-2.
- The second wave is an after-key relationship where the first byte (x) starts at length-2 and the first xor key starts at x+1.
- The last wave is a static-incrementing key relationship where the key starts at 0xCE and increments each xor.
- Next the newly xor’d data is then decompressed using zlib.
- Old Decompress Method
- Using older trainer files have no special compression or buffer, the entire buffer is assumed to be compressed and can be processed.
- New Decompress Method
- Using newer trainer files will show a 5 byte header saying ‘CHEAT’. This should be skipped before attempting to decompress the buffer.
- Next the newer files also have the compressed data size after the ‘CHEAT’ header which should be read and used to know how much data to read and inflate from the compressed data stream.
- At this point the .CETRAINER file should be clean .xml text and can be reused/edited/etc. again.
Summing It Up
Is this a secure method of protection? No not at all, but it is not meant to be. It is, again, meant to deter the newbies from stealing work of others. Overall this is more of a compression method to help reduce the size of the compiled trainer. Granted, due to the fact that .exe trainer files include Cheat Engine’s core files to work, the file size of trainers are fairly large with little to no cheats added. A base trainer could be around 3-5MB which is a bit excessive but due to how it works, is very nice for the user given they have full access to CE then.
For those looking to really protect their trainer / work and do not want it to be seen by others so easily, I do not recommend making your trainers in Cheat Engine, and if you do, you should use an additional packer/protector on top of what Cheat Engine does. Another thing you can do is download Cheat Engines source code and modify the code to implement other methods of protection on top of whats already there. It can help in the long run to protect things.
Keep in mind though, if your trainer does anything with WriteProcessMemory / ReadProcessMemory it can be easily ‘spied’ on and stolen still!
CeDumper - Drop-and-dump Solution
Because of needing to check files often like I mentioned above, I wrote a tool to dump the trainer files easily.
A simple drag-and-drop interface can be used to dump any trainer file made with Cheat Engine that is not modded from the original protection setup.
Comments