Lost and reveived:
A cheat which will either be part of a multicheat/mod-app or an external program intended for speeding up Windows programs. This type of cheat will allow the offending player to move quicker than he should be allowed.
This is the truth- but not the whole truth. Not only can we move quickly- we can shoot faster; cast spells quicker, steal flags (sometimes even spawn quicker/instantly!) etc. The whole game engine is running on ecstasy- as if you fed it right into your CPU! This leaves us with endless possibilities when it comes to cheating in games.
How is it done?
All games rely on keeping track of time/time intervals by calling into some OS provided function(s). For a complete list of Windows timing functions- visit the MSDN developer section here.
The most popular of the above list, by far- is QueryPerformanceCounter()- due to it's rather impressive accuracy. GetTickCount() is frequently used in older games- or in games where the accuracy of time is not an important factor.
How can you tell which method the game is using to keep track of time?
I've found, the only way to be 100% sure you've got the right one, is by trial and error. Odds are either GetTickCount() or QueryPerformanceCounter().
If the game uses GetTickCount()
Because GetTickCount() does not call any other lower level functions in Windows- we can hook it using a technique know as 'detour patching'. Here we first locate the defintion of function in memory- save the first few bytes and then overwrite them with an unconditional x86 jump (JMP) to our code. Our code then executes these overwriten instructions- may pass control to the original- and finally modify it's outputted values etc. For more information, and an easy to use API for hooking functions this way- download MS Detours here. (The 'sleep' sample is an excellent and simple example- that shows you everything you need to know to get started).
Here is an example of my hooked speed function:
Code:
DWORD NewGetTickCount()
{
DWORD retVal;
retVal = pOrigGetTickCount();
return (retVal * speedMultiple);
}
If the game uses QueryPerformanceCounter()
[or is a stubs into a kernel mode function]
In a nutshell, the job of most kernel32.dll functions are to prepare any required parameters for the NTDLL.dll related function- and then to call it. This wrapper type function in NTDLL.dll does hardly anything too- it loads eax with the callnumber of the low-level system service defined in ntoskrnl.exe (varies with each service pack), has the edx register point to the first argument of this function, and then executes the x86 instruction syscall- which switches the current thread to privilaged kernel mode (ring 0)- where the real function is executed in the windows kernel.
So, here is an example of the steps taken by the Windows OS when the game engine calls QueryPerformanceCounter() ->
call QueryPerformanceCounter() (in game engine) -> kernel32.dll!QueryPerformanceCounter() -> ntdll.dll!Nt/ZwQueryPerformanceCounter() -> ntoskrnl.exe!ZwQueryPerformanceCounter().
And when processing completes- control is passed backwards up through all the functions again ->
ntoskrnl.exe!ZwQueryPerformanceCounter() returns val to -> ntdll.dll!Nt/ZwQueryPerformanceCounter() returns val to -> kernel32.dll!QueryPerformanceCounter() returns val to -> call to QueryPerformanceCounter() (in game engine).
What we really need to do- is hook this function at the lowest possible level in user-mode (namely NtQueryPerformanceCounter() in ntdll.dll); call the original- and then multiply it's output value by some (speed) number, before we return it to the game.
Typically- your hooked function should look something like...
Code:
NTSTATUS NewNtQueryPerformanceCounter(
PLARGE_INTEGER PerformanceCounter,
PLARGE_INTEGER PerformanceFrequency)
{
PerformanceCounter->QuadPart = ((PerformanceCounter->QuadPart) * SpeedMultiple);
return retVal;
}
Where SpeedMultiple is obviously- the multiple of speed you define the program/game to run at.
You can also hook Nt/ZwQueryPerformanceCounter() using detours- it is much easier- but this method of interception may be detected.
Source: Subsky, former topic on TKC forum