The CE source code can be downloaded from the official site:
http://www.cheatengine.org/
Compiling CE requires the WINDDK and Delphi.
taken from zander's tut:
1. Making the DBK32.sys.
Open Driver.dat in the Main Source Folder 'CCheatEngineDelphi\' (If it asks you what to open it with, select notepad.)
You will see this, change it to ANY WORD YOU WANT, BUT DO NOT use WHATEVER : (THIS GOES FOR EVERY STRING, DO NOT USE WHATEVER)
CEDRIVER53 ----> Whatever1
DBKPROCLIST53----> Whatever2
DBKTHREADLIST53 ---> Whatever3
dbk32.sys ---> whatever32.sys
2a. Go into the DBKKernel folder and Open DBKDrvr.c.
(Skip 2a If you are using the latest source)
Find (CTRL+F) hideme
(NOTE: It should be the second hideme you find)
You will see something like //hideme(DriverObject); //ok, for those that see this....................
Remove the //(This is called uncommenting strings) so it becomes hideme(DriverObject); //ok, for those that see this....................
(For some this may cause a BSOD(Blue Screen of Death), but it has not happened to me before. If it causes a BSOD,
Try making a CE without hideme. There is a topic about it in the Cheat Engine Forums.)
2c. Open up Sources and Sources.ce in the DBKKernel folder. (Select notepad when it asks you what to open it with)
You will replace:
"TARGETNAME=DBK32" with "TARGETNAME=Whatever32" in both of the files.
2d. Replacing the KeStackAttachProcess and IOCTL (This has to be done if you want to use pointers and memory view)
(Note: For the KeStackAttachProcess, if you are using the latest source, change it only for DBKDrvr.c because memscan.c is already changed)
Use Actual Search and Replace, Path (Main Source Folder) with the mask (memscan.c; DBKDrvr.c), search and replace the following. (Include Subfolders)(TICK WHOLE WORDS)
KeStackAttachProcess((PKPROCESS)selectedprocess,&apc_state); ----> KeAttachProcess((PEPROCESS)selectedprocess);
KeUnstackDetachProcess(&apc_state); ----> KeDetachProcess();
Then the IOCTL
Using Actual Search and Replace, Path (Main Source Folder) with the mask (DBKDrvr.c; dbk32functions.pas), search and replace the following. (Include Subfolders) (For this ONLY, untick the "Whole Word" function)
0x080 ---> 0x08A
0x081 ---> 0x08B
0x082 ---> 0x08C
(So if your A is 7, then your B MUST BE 8 (it cannot be 9, numbers go as 1,2,3 and not 1,3,4), C will be 9)(Use 7, 8 and 9 because some say the earlier numbers are detected)
(DO NOT USE LETTERS, ONLY NUMBERS)
$080 ---> $08A
$081 ---> $08B
$082 ---> $08C
(So if your A is 7, then your B will be 8 and C will be 9)(Use 7, 8 and 9 because some say the earlier numbers are detected)
BONUS STEP, Fixing your pointers and enabling you to use memory view.
Memory view and Pointer fix:
1. Download the jumper files from here
http://cheatengine.4dwebhosting.com/jumper.rar and put them into your DBKKernel folder.
*if u dun trust teh file, read 1x.
Next you add this line: #include "jumper.h" to the end of the other #include of DBKdrvr.c and memscan.c so DBKdrvr.c will look like
#include "DBKFunc.h"
#include "rootkit.h"
#include "processlist.h"
#include "memscan.h"
#include "threads.h"
#include "jumper.h"
And memscan.c will look like
#include "ntifs.h"
#include <windef.h>
#ifdef CETC
#include "tdiwrapper.h"
#include "kfiles.h"
#endif
#include "memscan.h"
#include "DBKFunc.h"
#include "jumper.h"
After that, add jumper.c to sources.ce so it looks like
SOURCES=DBKDrvr.c DBKFunc.c rootkit.c processlist.c memscan.c threads.c jumper.c
note: if u guyz dun trust me and scream for a scan... well dun bother...
2x) Optional : Creation of jumper.c and jumper.h
1.open notepad *note wordpad not ms office word just good old notepad*
2.paste the following:
PVOID AddressOfKeAttachProcess;
void KeAttachProcess2(PEPROCESS p);
#define KeAttachProcess(i) KeAttachProcess2(i)
3.Save as jumper.h in ur dbkkernel folder and close
4.Open notepad again
5.paste the following:
#include "ntifs.h"
#include <windef.h>
#include "jumper.h"
_declspec( naked ) void KeAttachProcess3(PEPROCESS p)
{
    __asm
    {
        jmp [AddressOfKeAttachProcess]
    }
}
void KeAttachProcess2(PEPROCESS p)
{
    KeAttachProcess3(p);
}
6. Save as jumper.c in dbkkernel folder too
7. go back up and continue the steps
Credit goes to zander and db not me...
dun think this is the most updated 1 but it's better than nothing.
hopefully some 1 have a more updated way of doing this....