low-levelanti-cheat

How does CheatEngine's speed hack work?


Cheat Engine comes with a feature called speed hack which basically can slow down or increase speed of the game. Actually, not only games, if there is a software with clock ticking it can speed-en up that too. How does that work? I might imagine there is some internal clock on which these things run but not sure how these things happen on low level.

While this feature has worked on most of the games I tried, it has also failed on many, for eg, NFS Most wanted. Why? Is there any different mechanism on which these games run or it is just some anti-cheat?


Solution

  • Three years later, I think I know enough to answer my own question. :)

    A computer program usually communicates with the kernel using predefined functions called system calls. Each OS has a different set of calls but often they do similar things like — allocating memory, reading and writing files, or handling processes. According to this page, there are around 480+ system calls in Windows NT kernel.

    For any purpose that deals with the hardware, programs usually resort to system calls because that's what OS does best and one of these things happen to be knowing time. Computer games often need to render 60 frames / second and to make this happen they need to call the rendering function every 16.6ms. On Windows, "GetTickCount()" is usually used for this which returns number of milliseconds passed since the Windows has been up ("If no of milliseconds passed since the last tick count is more than 16ms, render a new frame else continue.").

    SpeedHacking, in general, works by injecting code into the running process and hacking the timing functions to return sped-up / slowed-down "ticks" to modify the program's running speed.

    Although, I can't be sure how exactly CE achieved this (the source code is pretty hard to understand) but another programmer pulled off a similar thing (video) on Linux. In the source code, you can see how the author modified a similar system call for Linux ("gettimeofday()") for this.

    go gettimeofday_orig;
    
    int val;
    gettimeofday_orig=(go)dlsym(RTLD_NEXT,"gettimeofday");
    
    if (!timezero)
    {
        timezero = new timeval;
        val = gettimeofday_orig(timezero,tz);
        (*tv) = (*timezero);
        return val;
    }
    

    I am not sure how it's detected but I would be going with @Harold's idea that the game probably spots the DLL getting injected.