
Stealthedit plugin for dealing with memory checks

This tutorial covers how to use the stealthedit plugin for Cheat Engine to bypass memory checks without any extra hassle.

You will need:
Cheat Engine 6.1 or higher (Created by Dark Byte)
Stealthedit plugin (discussed below)
32-bit version of the tutorial of CE 6.1 (Part of CE 6.1 but included here for your convenience, in case you have another version)

What is stealthedit plugin:
This plugin was made to deal with memory integrity checks that you may sometimes find in single player games. If a game has such protection, it scans the game's code in memory and, if it finds any difference compared to the original code, it usually just crashes the game. Such a memory check was already described in the Dealing with Xlive and similar protections article. These memory checks are sometimes added to keep out crackers (which has nothing to do with the current topic, as cracks obviously work differently from trainers) and in some rare cases they are added as an anti-cheat protection (which does concern us if we want to make a god mode or another cheat, or a simple modification that makes the game more fun). Also note that we are talking about single player games, so if you plan to use this in a multiplayer game you will most likely fail utterly, as those games use anti-cheat shields of all kinds, most of which detect Cheat Engine to start with, so don't even bother asking me about multiplayer usage of this plugin, because that is not the point of this article.

The stealthedit plugin was NOT created by me; I only wrote the documentation and this tutorial.

Now, if you are a beginner and want to skip the technical gibberish (useful, though not really necessary to use this plugin), just download stealthedit ( Download link for stealthedit plugin ) and jump to the "How to install and enable the plugin" part.

How does it work:

The idea behind the stealthedit plugin is that we do not modify the original code at all; instead we make a copy of that code and re-route the program to use the copy instead of the original. Since the memory check only scans the unmodified original code, we can do whatever we want with our copy, including code injection, which is the main method of creating cheats.

Technical stuff:

It works on both 32-bit and 64-bit systems and requires Cheat Engine 6.1 or higher. Here are some notes from the creator of this plugin:

stealthedit should work on 64-bit systems as well (as long as the target is 32-bit, I haven't implemented the local page method yet which is required due to RIP addressing).

If you use Cheat Engine 6.1: There is a bug where the first plugin never gets enabled on restart. To get by that, just add any other plugin as the first plugin (like the c-example) and keep it disabled.

Then add the stealthedit plugin

Compatibility notes:
XP SP1 and before: Probably won't work
XP SP2 and Vista NO SP: Enable DEP for ALL programs
XP SP3+ and Vista SP1+: Should just work

This plugin uses the SetProcessDEPPolicy API so that Windows passes the no-execute (DEP) exception down to the target process and raises an exception there. When the exception is raised, CE redirects the program to use the copy instead of the original code, so the little script we inject into the copy runs without being detected by the memory integrity check.
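To make the blind spot concrete, here is an added example in C (mine, not part of this article or of the stealthedit plugin) that models the kind of check described above: it takes a baseline hash of a code region and re-scans it, the way the lame memory protection later in this article does. The code region is a constructed byte buffer seeded with the instruction bytes quoted later in the article (29 83 58 04 00 00), not live process memory, and the FNV-1a hash, the pc_in_region helper and the scenario functions are all my own names. The first scenario patches the region in place (the usual jmp-to-newmem hook) and is caught; the second leaves the original untouched and modifies a copy, which a check that only reads the original region cannot see. That is exactly why a defender who relies on hashing alone should also ask where execution is actually coming from, which the last check models with a simple address-range test.

```c
/* Added example (not from the article or the stealthedit plugin): a model of
 * a memory integrity check and of why a modified copy is invisible to it.
 * The "code region" is a constructed byte buffer; a real check would read
 * the live .text section of the process instead. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* The original instruction bytes quoted in the article, padded with a few
 * constructed filler bytes so the region is larger than one instruction. */
static const uint8_t ORIGINAL_CODE[] = {
    0x29, 0x83, 0x58, 0x04, 0x00, 0x00,   /* sub [ebx+00000458],eax */
    0x8B, 0x45, 0x08,                     /* constructed filler: mov eax,[ebp+08] */
    0xC3                                  /* constructed filler: ret */
};

/* FNV-1a 64-bit: cheap and dependency-free, good enough for a tamper check.
 * It is not a MAC, so an attacker who can also patch the expected value
 * defeats it; that is a separate problem from the one modelled here. */
uint64_t fnv1a64(const uint8_t *data, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Baseline taken once at startup over the protected region. */
typedef struct {
    const uint8_t *region;
    size_t len;
    uint64_t expected;
} integrity_check_t;

integrity_check_t integrity_init(const uint8_t *region, size_t len) {
    integrity_check_t c = { region, len, fnv1a64(region, len) };
    return c;
}

/* 1 if the region still matches the baseline, 0 if it was patched. This is
 * what the article's lame memory protection does on every scan. */
int integrity_verify(const integrity_check_t *c) {
    return fnv1a64(c->region, c->len) == c->expected;
}

/* Complementary check: is the given instruction pointer inside the scanned
 * region at all? Compared through uintptr_t so that pointers into different
 * objects can be compared without undefined behaviour. */
int pc_in_region(const integrity_check_t *c, const uint8_t *pc) {
    uintptr_t p = (uintptr_t)pc, lo = (uintptr_t)c->region;
    return p >= lo && p < lo + c->len;
}

/* Scenario 1: in-place patch. The 6-byte sub is overwritten with a 5-byte
 * jmp plus a nop, as the article's first script does (displacement is a
 * placeholder). The hash changes, so the scan catches it. */
int scenario_inplace_patch(void) {
    uint8_t region[sizeof ORIGINAL_CODE];
    memcpy(region, ORIGINAL_CODE, sizeof region);
    integrity_check_t chk = integrity_init(region, sizeof region);

    const uint8_t hook[] = { 0xE9, 0x00, 0x00, 0x00, 0x00, 0x90 };
    memcpy(region, hook, sizeof hook);
    return integrity_verify(&chk);   /* 0: tampering detected */
}

/* Scenario 2: the original is untouched; a copy is NOP-ed out instead.
 * A hash over the original region alone still matches. */
int scenario_copy_patched(void) {
    uint8_t region[sizeof ORIGINAL_CODE], copy[sizeof ORIGINAL_CODE];
    memcpy(region, ORIGINAL_CODE, sizeof region);
    integrity_check_t chk = integrity_init(region, sizeof region);

    memcpy(copy, region, sizeof copy);
    memset(copy, 0x90, 6);           /* NOP out the sub in the copy only */
    return integrity_verify(&chk);   /* 1: nothing detected */
}

/* Scenario 3: same copy, but the check also asks where execution is coming
 * from. The "current pc" is constructed here as a pointer into the copy. */
int scenario_copy_exec_check(void) {
    uint8_t region[sizeof ORIGINAL_CODE], copy[sizeof ORIGINAL_CODE];
    memcpy(region, ORIGINAL_CODE, sizeof region);
    integrity_check_t chk = integrity_init(region, sizeof region);

    memcpy(copy, region, sizeof copy);
    memset(copy, 0x90, 6);
    const uint8_t *pc = copy;        /* constructed: execution is in the copy */
    return pc_in_region(&chk, pc);   /* 0: execution left the scanned region */
}

int main(void) {
    printf("in-place patch passes hash check: %d\n", scenario_inplace_patch());
    printf("patched copy passes hash check:   %d\n", scenario_copy_patched());
    printf("patched copy passes range check:  %d\n", scenario_copy_exec_check());
    return 0;
}
```

Build it with any C99 compiler (for example gcc -std=c99) and run it: the hash check reports 0 for the in-place patch and 1 for the patched copy, and only the range check reports 0 for the copy. In a real process the instruction pointer would come from a return address or an exception record, and a check that wants to notice redirected execution would also enumerate the process's executable mappings rather than trust one region it hashed at startup.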

Download link for the stealthedit plugin


How to install and enable the plugin:
Just download the plugin, copy it to any folder you like (I recommend creating a folder inside the CE folder) and select the plugin in the CE settings.

1. Open Cheat Engine.
2. Click on Settings.
3. Choose Plugins.
4. Click on Add new.
5. Select the downloaded DLL file (i386 for 32-bit, x86_64 for 64-bit).
6. Enable the checkbox.
7. Click on OK.

IMPORTANT for CE 6.1 users.
If you use Cheat Engine 6.1: There is a bug where the first plugin never gets enabled on restart. To get by that, just add any other plugin as the first plugin (like the c-example) and keep it disabled.

Here is a video to help you install the plugin (note that I already had the C plugin added, which is why I deleted it, to show how to add it again from the start).


Now that we have added our plugin, some new (and awesome) options will appear in Cheat Engine. Open the disassembler view, right-click on an instruction and choose the "Stealthedit this page" option. As you will see (also shown in the video), the original code that you have copied is marked in blue and the copy is marked in green. In the address column you will see both the address of the original code and the address of the copy, so you can jump from one to the other. Obviously we want to use the copy instead of the original code, so whatever changes you make, make them on the green code. Also note that the code before and after the green part will not be used, so it is useless to fiddle with it. If you want to change an instruction, use stealthedit on it and modify the green code only.

Additionally, the plugin enables a new auto-assembler instruction that you can use in your scripts. The new instruction is

stealthedit(name, address, size)

You have to give a name to the copied memory, specify the address that you want to copy, and state how many bytes you want to copy. If, say, the instruction you want to modify is 6 bytes long, enter 6 for the size, or any other small number that you like.
NOTE: Stealthedit always copies at least the whole page, even if you give a smaller size.


Stealthedit instruction tutorial:

In this final part you will learn how to use the stealthedit instruction with a small unofficial Cheat Engine tutorial that I have created for you. If you haven't got the 32-bit version of the CE 6.1 tutorial yet, download it now ( 32-bit version of the tutorial of CE 6.1 ).
Additionally, you will need a cheat table that I have created for testing, learning and practising. You can download the cheat table from here:
Stealthedit tutorial CT

Do not peek into the scripts or you will ruin the challenge of completing the steps by yourself. You will see 5 scripts in the table:
Lame memory protection
Solve tutorial step 2
Solve tutorial step 2 with stealthedit
Solve tutorial step 3
Solve tutorial step 3 with stealthedit

Start the CE 6.1 tutorial and enable "Solve tutorial step 2". Proceed to the second step of the tutorial, click on the Hit me button and, guess what, the Next button becomes available. The same goes for step 3. This is easy to do: just check which instruction writes to the health address and make a small script such as:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access

originalcode:
sub [ebx+00000458],eax
mov [ebx+00000458],(int)1000

exit:
jmp returnhere

"Tutorial-i386.exe"+20F3E:
jmp newmem
nop
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"Tutorial-i386.exe"+20F3E:
sub [ebx+00000458],eax
//Alt: db 29 83 58 04 00 00

I hope this is clear; at this point it should be, as this is the very basics of code injection. If it is not clear, you should learn the basics of code injection first. This is how you make an easy cheat when there is no memory check. Smooth like a dream.
Restart the tutorial and enable the "Lame memory protection" option. (Before you even think about looking at this protection: it is in no way similar to a real-life memory protection, it just imitates one and checks a few instructions only, and as stupid and lame as it is, it will do its job for this practice.) Now that the protection is enabled, try to enable the script that you used before to solve the tutorial, "Solve tutorial step 2". If I have done it right, you should experience a small problem, namely that the tutorial has just closed. That's what happens if you try to change a protected instruction. If you want, you can also try to replace the original code with a NOP at address 00420F3E or 004213F7, but the same thing will happen: the tutorial will be closed. My lame check detects if you try to change any of these instructions that write to the value, so code injection is a no-go. Sure, you could go and find another instruction, but with a real-life memory check all code is scanned, so there are no alternative instructions that you could use.

What we did so far is enable a memory check and experience what would happen in a real-life situation. Now we try out stealthedit. Restart the tutorial, enable the memory check and enable the "Solve tutorial step 2 with stealthedit" option. It should work like a charm: no crash, but a working cheat, which is how we want it. Here is the script that you would see in that option:

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
stealthedit(stealth_tut2,00420F3E,6)   //name is stealth_tut2, the address that we copy is 00420F3E and the code is 6 bytes long
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
registersymbol(staddress)     //we register a symbol and label that can be used in the DISABLE section to disable the script
label(staddress)

newmem: //this is allocated memory, you have read,write,execute access


originalcode:
sub [ebx+00000458],eax
mov [ebx+00000458],(int)1000

exit:
jmp returnhere

stealth_tut2:              //this is where we change our hook from the original code to the copy, stealth_tut2 = the address of the copy of 00420F3E
staddress:                //and we make sure that the address of the copy is stored on staddress too
jmp newmem
nop
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
staddress:            //we restore the copy to its original state to disable the cheat
sub [ebx+00000458],eax
//Alt: db 29 83 58 04 00 00

Compare the two scripts for step 2 (DO NOT look into the script for step 3), standard and stealthedit, see the differences and read the comments. Hopefully this clears up how the instruction is used. Also note that the stealthedit instruction can be used only once on a memory region, and because of this you can enable this cheat only once. If you disable it after that, you have to restart the game to use the cheat again.

Alternatively, you could just right-click on this instruction,
00420F3E - 29 83 58040000             - sub [ebx+00000458],eax
create a copy and replace the green code with a NOP. This makes sure that your health will not decrease, but you are not caught by the memory check, since the original code is unchanged.

Here is a video to summarize this part:
1. Solve tutorial step 2-3 without protection works fine.
2. Solve tutorial step 2-3 with protection crashes.
3. Using NOP on the protected code causes a crash.
4. Using Solve tutorial step 2-3 with stealthedit works even when the protection is enabled.
5. Using NOP on the green copy works fine; using NOP on the blue original code causes a crash (just as it should).

Exercise:
Now that you have seen how to solve step 2, it is time to make your own script. To complete the exercise, you need to create a script with stealthedit to solve step 3 of the tutorial while the memory check is enabled.

There is a restriction: your code should change the health to 5000 when you press the Hit me button. The instruction that writes to the health is 004213F7 - 29 B3 5C040000             - sub [ebx+0000045C],esi
For the sake of this exercise, you are not allowed to use any other instruction to create your cheat, and it should work exactly as I have described. You have to use stealthedit on this instruction. The solution is available in the CT, but if you want to learn how to do it yourself, do not peek into the script; do it completely by yourself.

If your cheat is working even when the lame memory integrity check is enabled, you have successfully learned how to use stealthedit and you will be able to use it the same way on properly protected single player games, be it protected by Xlive or other memory check.

This concludes the lame stealthedit tutorial.

Peace!
Geri


Comments

#1 hello 2011-12-25 16:47
I can't use it in Windows 7
#2 Geri 2011-12-26 03:51
Did you try it on 64-bit or 32-bit? And what was the exact problem?
#3 hello 2011-12-26 08:12
It's OK now. It's Windows 7's DEP problem
#4 Delta10FY 2011-12-27 16:35
Very good tool, this will help very much.
And thank you Geri.
greetings
#5 Geri 2011-12-27 22:59
Yes, this is a very useful plugin indeed. I have tried it on several games already and it makes things much easier.
#6 Gwinx 2012-03-23 02:29
Just wondering, would this work on massive multiplayer online game?
#7 Geri 2012-03-23 08:54
No idea. There are many different games. If you want, try it, just be prepared to be banned from the game as many of them will probably detect you somehow.
#8 JFX 2012-05-09 11:39
Hi - I am running the 64-bit version... And when I tried following the tut on putting the first plugin as "C Example".. It seems that it is not included in the download file? No need for a first dummy plugin anymore?
#9 Geri 2012-05-09 18:05
You don't need it if you use CE 6.2 (beta).
If you are using 6.1, I guess it should be there. Look in the CE folder.
#10 jános 2012-05-20 12:42
Hi, what I'd like to know is whether this can be embedded in the generated trainers too?