In the 1980s and 1990s, trainers were generally integrated straight into the actual game by cracking groups. When the game was first started, the trainer loaded first, asking the player if they wished to cheat and which cheats they would like enabled. Then the code would proceed to the actual game. These embedded trainers came with intros about the groups releasing the game, and the trainer was often used to showcase the cracking group's demo coding skills. Some of these groups focus entirely on their Demoscene today. In the cracker group release lists and intros, trained games were marked with one or more plus signs after them, one for each option or cheat in the trainer, for example: "the Mega Krew presents: Ms. Modern trainers append their titles with a single + or the word "plus" and a number, as many have several functions. The number represents the number of modifications the trainer has available, e.g. Another difference is the inclusion of the game version or the digital download source of the game. For example: "Hitman: Absolution Steam +11 Trainer", "F.E.A.R 3 v 1.3 PLUS 9 Trainer" etc.

Modern trainers also come as separately downloaded programs. Instead of modifying the game's programming directly, they modify values stored in memory. In fact, this has become so common that trainers today, by definition, only modify memory; modifying the game's executable is frowned upon, and such programs are not considered true trainers but patches instead. With object-oriented programming the memory objects are often stored dynamically on the heap, but modern operating systems use address space layout randomization (ASLR). Therefore, the only way to modify such memory in a reproducible manner is to get information from inside the game process. This requires reverse engineering methods like API hooking of malloc() and free(), code injection or searching for static access pointers. The trainer becomes active when the object has been allocated and deactivates itself again when the object is freed.

Modern operating systems also come with position-independent executables (PIE) for security. Together with ASLR, the binaries are loaded to a different virtual memory address on each execution. This makes the reliable modification of static memory values more complex. The load address has to be determined and subtracted from a found memory address to obtain a static memory offset. This offset is often exactly the address of the static variable within the PIE binary. The Linux tool scanmem, for example, supports PIE this way. For the configured memory offset the game trainer determines the load address as well and adds it back at run-time. The same method can be used for dynamic libraries as well.

Searching and following access pointers in reverse to pointers in static memory can be cumbersome. It doesn't provide the size of the object, and if there are multiple objects of the same class, these often can't be handled correctly as there can be e.g. But the advantage is that this method, if it works, can be used to attach to an already running process. The DMA (Dynamic Memory Allocation) support in Cheat Engine is an example of that.

API hooking works completely differently: a preloader loads a library into the game process while starting it. The library spies on dynamic memory allocations, and discovery starts with recording them all. With a static memory search in parallel it is possible to match the found value address to a unique memory allocation. The idea is to close the game process directly after the value is found, while the object still exists. Then the last matching memory allocation is the correct one, so matching in reverse is the method of choice. The object size as well as the value offset inside it are discovered, and the jump-back code address in the game binary can be determined by backtracing. Often a constructor is found, and with that it is possible to keep track of all memory objects it allocates. The library in the game process and the game trainer need to communicate with each other through inter-process communication (IPC). The disadvantage is that this can be detected as malware. But it is possible to find more values within objects by dumping and comparing them.
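The PIE and ASLR arithmetic described above (subtract the load address to get a static offset, add the current load address back on the next run) is small enough to show end to end. The following is an added example written for this article; it is not the code of scanmem, Cheat Engine or any trainer. It parses the `/proc/<pid>/maps` text format that Linux exposes for a process, takes the load address of a module to be the start of its mapping at file offset 0, and treats addresses inside anonymous regions such as `[heap]` as having no stable offset, which is exactly the case the article says needs the pointer-following or allocation-hooking methods instead. The two maps excerpts, every address, inode and path in them, and the "found" value address are constructed sample data for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data: two runs of the same PIE binary under ASLR, in
# /proc/<pid>/maps format. The executable is loaded at a different base in
# each run; the shared library and the heap move as well.
MAPS_RUN1 = """\
5589a3c00000-5589a3c01000 r--p 00000000 08:01 1234   /opt/game/game
5589a3c01000-5589a3c05000 r-xp 00001000 08:01 1234   /opt/game/game
5589a3c05000-5589a3c06000 r--p 00005000 08:01 1234   /opt/game/game
5589a3c06000-5589a3c07000 rw-p 00006000 08:01 1234   /opt/game/game
5589a5100000-5589a5121000 rw-p 00000000 00:00 0      [heap]
7f10d2a00000-7f10d2a22000 r--p 00000000 08:01 5678   /usr/lib/libc.so.6
"""

MAPS_RUN2 = """\
55d0f1e00000-55d0f1e01000 r--p 00000000 08:01 1234   /opt/game/game
55d0f1e01000-55d0f1e05000 r-xp 00001000 08:01 1234   /opt/game/game
55d0f1e05000-55d0f1e06000 r--p 00005000 08:01 1234   /opt/game/game
55d0f1e06000-55d0f1e07000 rw-p 00006000 08:01 1234   /opt/game/game
55d0f3400000-55d0f3421000 rw-p 00000000 00:00 0      [heap]
7f4b19000000-7f4b19022000 r--p 00000000 08:01 5678   /usr/lib/libc.so.6
"""

# start-end perms file_offset dev inode [path]
_MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$"
)


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    file_offset: int
    path: str  # empty string for anonymous mappings without a name


def parse_maps(text: str) -> List[Mapping]:
    """Parse the lines of a /proc/<pid>/maps file into Mapping records."""
    mappings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised maps line: {line!r}")
        start, end, perms, file_offset, path = m.groups()
        mappings.append(
            Mapping(int(start, 16), int(end, 16), perms, int(file_offset, 16), path.strip())
        )
    return mappings


def load_address(mappings: List[Mapping], path: str) -> int:
    """Load address of a PIE executable or shared object: the lowest start of
    a mapping of that file at file offset 0 (where the ELF header lives)."""
    bases = [m.start for m in mappings if m.path == path and m.file_offset == 0]
    if not bases:
        raise LookupError(f"{path} is not mapped")
    return min(bases)


def static_offset(mappings: List[Mapping], address: int) -> Optional[Tuple[str, int]]:
    """Turn an address found by memory search into (module path, static offset).

    Returns None when the address lies in an anonymous region such as [heap]
    or [stack]: those addresses have no load-address-relative offset that
    survives a restart, so a different discovery method is needed for them.
    """
    for m in mappings:
        if m.start <= address < m.end and m.path and not m.path.startswith("["):
            return m.path, address - load_address(mappings, m.path)
    return None


def runtime_address(mappings: List[Mapping], path: str, offset: int) -> int:
    """Re-add the current run's load address to a stored static offset."""
    return load_address(mappings, path) + offset


if __name__ == "__main__":
    run1 = parse_maps(MAPS_RUN1)
    found = 0x5589A3C06048  # constructed: a value found in the rw data segment
    path, offset = static_offset(run1, found)
    print(f"run 1: {found:#x} -> {path}+{offset:#x}")
    run2 = parse_maps(MAPS_RUN2)
    print(f"run 2: {path}+{offset:#x} -> {runtime_address(run2, path, offset):#x}")
    print("heap address has no static offset:", static_offset(run1, 0x5589A5100010))
```

The same two functions cover shared libraries, as the article notes, because a mapped `.so` also has its own offset-0 mapping to anchor on. Offsets found this way are only reproducible for the exact same binary build; a different build of the executable changes the layout and the stored offset is stale.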