Revision as of 03:42, 7 August 2018 by GreenC bot (Rescued 1 archive link; remove 1 link. Wayback Medic 2.1) | Latest revision as of 14:56, 29 April 2023 by Rkieferbaum (→top: error 64 in CWP + clean up; Tag: AWB)
Program that modifies computer game memory to allow cheating
Game trainers are programs made to modify the memory of a computer game, thereby changing its behavior through known addresses and values, in order to allow cheating. A trainer can "freeze" a memory address, preventing the game from lowering or otherwise changing the value stored there (e.g. a health meter or an ammo counter), or it can manipulate the data at specified addresses to suit the needs of the person cheating at the game.
History
In the 1980s and 1990s, trainers were generally integrated straight into the actual game by cracking groups. When the game was started, the trainer loaded first, asking the player whether they wished to cheat and which cheats they would like enabled; the code then proceeded to the actual game. These embedded trainers came with intros about the groups releasing the game, and the trainer was often used to showcase the cracking group's demo coding skills. Some of these groups focus entirely on the demoscene today. In cracker group release lists and intros, trained games were marked with one or more plus signs after the title, one for each option or cheat in the trainer, for example: "the Mega Krew presents: Ms. Astro Chicken++". Modern trainers instead append a single "+" or the word "plus" followed by a number, as many have several functions; the number represents how many modifications the trainer offers, e.g. 'infinite health' or 'one hit kills'. Another difference is the inclusion of the game version or the digital download source of the game, for example: "Hitman: Absolution Steam +11 Trainer", "F.E.A.R 3 v 1.3 PLUS 9 Trainer", etc.
Modern trainers also come as separately downloaded programs. Instead of modifying the game's code directly, they modify values stored in memory. In fact, this has become so common that trainers today, by definition, only modify memory; modifying the game's executable is frowned upon, and such programs are not considered true trainers but patches.
With object-oriented programming, memory objects are often allocated dynamically on the heap, and modern operating systems use address space layout randomization (ASLR). Therefore, the only way to modify such memory in a reproducible manner is to obtain information from inside the game process. This requires reverse engineering methods such as API hooking of malloc() and free(), code injection, or searching for static access pointers. The trainer becomes active once the object has been allocated and deactivates itself again when the object is freed.
Modern operating systems also use position-independent executables (PIE) for security. Together with ASLR, this means the binaries are loaded at a different virtual memory address on each execution, which makes the reliable modification of static memory values more complex. The load address has to be determined and subtracted from a found memory address to obtain a static memory offset; this offset is often exactly the address of the static variable within the PIE binary. For example, the Linux tool scanmem supports PIE this way. For a configured memory offset, the game trainer likewise determines the load address at run time and adds it back. The same method can be used for dynamic libraries.
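The load-address arithmetic described above, as an added worked example (this is not code from scanmem or from the article): it parses a constructed /proc/PID/maps listing, derives the load base of the binary from its offset-0 mapping, converts a found address into a load-independent offset, and rebases that offset under a different load address. The paths, addresses and inode numbers in the sample are made up; only addresses inside the binary's own mappings get an offset, since a heap address rebased this way would be meaningless.

```python
import re

# Constructed sample of /proc/<pid>/maps output for a PIE game binary.
# All addresses, paths and inode numbers are made up for this example.
SAMPLE_MAPS = """\
5631a4e00000-5631a4e05000 r--p 00000000 08:01 1234   /opt/game/game
5631a4e05000-5631a4e40000 r-xp 00005000 08:01 1234   /opt/game/game
5631a4e40000-5631a4e52000 r--p 00040000 08:01 1234   /opt/game/game
5631a4e53000-5631a4e56000 rw-p 00052000 08:01 1234   /opt/game/game
5631a6b00000-5631a6b21000 rw-p 00000000 00:00 0      [heap]
7f3c2e200000-7f3c2e222000 r--p 00000000 08:01 5678   /usr/lib/libc.so.6
"""

# start-end perms file_offset dev inode path
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ([0-9a-f]+) \S+ \d+\s*(.*)$")


def parse_maps(maps_text):
    """Yield (start, end, perms, file_offset, path) tuples from a maps listing."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            start, end, perms, offset, path = m.groups()
            yield int(start, 16), int(end, 16), perms, int(offset, 16), path


def load_address(maps_text, path):
    """Load base of `path`: the lowest mapping of that file whose file offset is 0."""
    bases = [start for start, _end, _perms, offset, name in parse_maps(maps_text)
             if name == path and offset == 0]
    if not bases:
        raise LookupError(f"{path} is not mapped")
    return min(bases)


def mapped_by(maps_text, path, addr):
    """True if `addr` lies inside one of the mappings belonging to `path`."""
    return any(start <= addr < end and name == path
               for start, end, _perms, _offset, name in parse_maps(maps_text))


def static_offset(maps_text, path, found_addr):
    """Turn an address found by a memory scan into a load-independent offset.

    Only addresses inside the binary's own mappings have a stable offset, so a
    heap or library address is rejected instead of producing a bogus value.
    """
    if not mapped_by(maps_text, path, found_addr):
        raise ValueError(f"{found_addr:#x} is not inside {path}")
    return found_addr - load_address(maps_text, path)


def rebase(static_off, new_load_addr):
    """Recover the run-time address of a static offset under a new load address."""
    return new_load_addr + static_off
```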
Static access pointers vs. API hooking
Searching for access pointers and following them back to pointers in static memory can be cumbersome. It does not provide the size of the object, and if there are multiple objects of the same class, these often cannot be handled correctly, as there can be e.g. vectors or lists in between on the heap. The advantage is that, when it works, this method can be used to attach to an already running process. The DMA (Dynamic Memory Allocation) support in Cheat Engine is an example of this.
API hooking works completely differently: a preloader loads a library into the game process while starting it. The library spies on dynamic memory allocations, and discovery starts with recording them all. With a static memory search running in parallel, it is possible to match the found value address to a unique memory allocation. The idea is to close the game process directly after the value is found, while the object still exists; the last matching memory allocation is then the correct one, so matching in reverse is the method of choice. The object size as well as the value's offset inside it are discovered, and the jump-back code address in the game binary can be determined by backtracing. Often a constructor is found, and with that it is possible to keep track of all memory objects it allocates. The library in the game process and the game trainer need to communicate with each other through inter-process communication (IPC).

The disadvantage is that this can be detected as malware. On the other hand, it is possible to find more values within objects by dumping and comparing them, and adaptation to other game and compiler versions becomes simple, as all it takes is to look for a library function call with a known parameter (the object size) in the disassembly. For example, the free and open-source (FOSS) universal game trainer "ugtrain" demonstrates this method in a completely legal way, using FOSS games as examples.
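The allocation bookkeeping the section describes, as an added example (not ugtrain's code): a class replays a constructed malloc()/free() trace, matches a found value address to the most recent live allocation containing it, and reports the object size and the value's offset within the object. The trace deliberately reuses a freed address so the "last matching allocation" rule is exercised; addresses and sizes are made up.

```python
from dataclasses import dataclass


@dataclass
class Allocation:
    seq: int        # position in the recorded malloc() sequence
    addr: int       # address returned by malloc()
    size: int       # requested size
    freed: bool = False


class AllocationLog:
    """Replays a malloc()/free() trace the way a hook library would record it."""

    def __init__(self):
        self.records = []
        self.live = {}  # addr -> Allocation currently live at that address

    def on_malloc(self, addr, size):
        rec = Allocation(len(self.records), addr, size)
        self.records.append(rec)
        self.live[addr] = rec

    def on_free(self, addr):
        rec = self.live.pop(addr, None)
        if rec is not None:
            rec.freed = True

    def match(self, value_addr):
        """Object containing a value found by memory search: (object size, offset in object).

        Freed allocations are skipped because their memory gets reused; of the live
        candidates the most recent one is the object that exists at discovery time.
        """
        candidates = [r for r in self.records
                      if not r.freed and r.addr <= value_addr < r.addr + r.size]
        if not candidates:
            return None
        rec = max(candidates, key=lambda r: r.seq)
        return rec.size, value_addr - rec.addr

    def live_objects_of_size(self, size):
        """All live objects of one class, identified by their allocation size."""
        return sorted(r.addr for r in self.live.values() if r.size == size)


def replay_constructed_trace():
    """Constructed trace (made-up addresses): a 0x40-byte object is freed and its
    address reused by a 0x58-byte object, then a second 0x58-byte object appears."""
    log = AllocationLog()
    log.on_malloc(0x1000, 0x40)   # early object of some other class
    log.on_free(0x1000)           # freed: the address will be reused
    log.on_malloc(0x1000, 0x58)   # first object of the class of interest
    log.on_malloc(0x2000, 0x58)   # second object of the same class
    log.on_malloc(0x3000, 0x20)   # unrelated allocation
    return log
```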
Automated tools used in trainer making
In the past, trainers were often coded in assembly language or in one of the high-level languages available at the time. Today, trainers can also be made with automated trainer-making tools that only require basic information about the cheats, such as addresses and injection code; the program then compiles the trainer using predefined values and settings, requiring no programming skill from the end user. The most popular trainer-making tool used today is Cheat Engine, which supports a wide variety of injection types and pointers; other tools that were used in the past but are no longer as applicable are Trainer Maker Kit, Game Trainer Studio and Trainer Creation Kit. Some of the advanced techniques that Cheat Engine trainers support include code injection, code shifting, and the flexibility and versatility provided by its Lua scripting, which has phased out other trainer-making tools that lacked support for some of these features.
References
- "Defacto2 Group Information Page for Fairlight". Contains information about their old demos and releases and stats. http://www.defacto2.net/organisation/fairlight. Archived from the original on 6 October 2011 (https://web.archive.org/web/20111006085741/http://www.defacto2.net/organisation/fairlight). Retrieved 14 February 2014.
- "Razor1911 group demos". Razor1911 demoscene division which coded impressive demos back in the early days of embedded trainers. http://www.pouet.net/prod.php?which=55991. Retrieved 14 February 2014.
- "Hitman Trainer". Naming of trainers by modern trainer groups. http://deviatedhacking.com/index.php/topic/1737-hitman-absolution-steam-11-trainer/. 21 November 2012. Retrieved 14 February 2014.
- "GCW list of trainers". http://m0004.gamecopyworld.com/games/pc_grand_theft_auto_4.shtml. Retrieved 14 February 2014.
- "Listing by the famous scene trainer making group DVT". http://deviatedhacking.com/forum/5-game-trainers/. Retrieved 5 June 2015.
- "Scanmem: introduce region type and load address support". GitHub. https://github.com/coolwanglu/scanmem_/pull/25. Retrieved 5 June 2015.
- "universal game trainer "ugtrain"". GitHub. https://github.com/ugtrain/ugtrain. Retrieved 25 December 2015.
- "Trainer Making Tools". http://m0004.gamecopyworld.com/games/gcw_game_tools.shtml#Trainer_Tools. Retrieved 14 February 2014.
- "FearlessRevolution". Community dedicated to Cheat Engine trainers and tables. https://fearlessrevolution.com. 25 March 2020. Retrieved 25 March 2020.
- "Lua". Cheat Engine Lua Wiki explaining some of the scripting functions available in CE. http://wiki.cheatengine.org/index.php?title=Lua&oldid=1670. 11 June 2013. Retrieved 14 February 2014.
- "OPTrainers". https://optrainers.com/. Retrieved 23 June 2021.