Cheat Engine comes with a feature called speed hack, which can basically slow down or increase the speed of the game. Actually, not only games: if there is software with a ticking clock, it can speed that up too. How does that work? I might imagine there is some internal clock on which these things run, but I'm not sure how these things happen at a low level.

While this feature has worked on most of the games I tried, it has also failed on many, e.g., NFS Most Wanted. Why? Is there any different mechanism on which these games run, or is it just some anti-cheat?

Solution

Three years later, I think I know enough to answer my own question. :)

A computer program usually communicates with the kernel using predefined functions called system calls. Each OS has a different set of calls, but often they do similar things like allocating memory, reading and writing files, or handling processes. According to this page, there are around 480+ system calls in the Windows NT kernel.

For any purpose that deals with the hardware, programs usually resort to system calls because that's what the OS does best, and one of these things happens to be knowing the time. Computer games often need to render 60 frames / second, and to make this happen they need to call the rendering function every 16.6ms. On Windows, "GetTickCount()" is usually used for this, which returns the number of milliseconds that have passed since Windows has been up ("If the number of milliseconds passed since the last tick count is more than 16ms, render a new frame, else continue.").

SpeedHacking, in general, works by injecting code into the running process and hacking the timing functions to return sped-up / slowed-down "ticks" to modify the program's running speed.

Although I can't be sure exactly how CE achieved this (the source code is pretty hard to understand), another programmer pulled off a similar thing (video) on Linux. In the source code, you can see how the author modified a similar system call for Linux ("gettimeofday()") for this.

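// Excerpt from the body of the replacement gettimeofday(tv, tz).
go gettimeofday_orig;

int val;
// Look up the next definition of gettimeofday in the library search order,
// i.e. the real one that this wrapper shadows.
gettimeofday_orig=(go)dlsym(RTLD_NEXT,"gettimeofday");

// First call: store the real time as the reference point (timezero)
// and hand it back to the caller unmodified.
if (!timezero)
{
    timezero = new timeval;
    val = gettimeofday_orig(timezero,tz);
    (*tv) = (*timezero);
    return val;
}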

I am not sure how it's detected but I would be going with @Harold's idea that the game probably spots the DLL getting injected.

Other tips

Cheat Engine's Old Speedhack:

  • Runs the application in a very high priority thread
  • Uses timed sleeping to speed up the game
  • When a function is called, it will be given an emulated timer which is sped up

Cheat Engine's New Speedhack:

  • When the Cheat Engine speed dll is injected into the program, it is modified to the speed you selected in the Cheat Engine panel
  • Sets a base reference of the current time
  • returned time = basetime + ((currenttime - basetime) * speed)

Detection:

  • Both methods are easy to detect by sending a packet with the time every couple of seconds to be validated by a server
  • The game may be able to detect the dll being injected

Source: http://wiki.cheatengine.org/index.php?title=Cheat_Engine:Internals#Speedhack

I think the reason why it does not work in some applications (mostly games) is that some games link the in-game clock to the frames per second. Therefore your game will slow down or crash if you try to speedhack it.

Source: http://hackerbot.net/tutorials/353-speed-up-hack-slow-down-cheat

Personally, I have only encountered very few games that wouldn't react to the speedhack. Even if they are tied to the FPS, you can still speedhack it to some degree.
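The server-side time validation mentioned under "Detection" above, sketched as an added example (not code from either answer or from Cheat Engine). It compares how fast the client's reported clock advances against the server's own clock; the function names, the 2-second heartbeat, the 5% tolerance and the sample data are all assumptions constructed for illustration.

```python
from statistics import median

def scaled_clock(basetime, currenttime, speed):
    """Formula quoted above: basetime + (currenttime - basetime) * speed."""
    return basetime + (currenttime - basetime) * speed

def estimate_rate(samples):
    """samples: list of (server_ms, client_ms) heartbeat pairs.
    Returns the median ratio of client-elapsed to server-elapsed time
    between consecutive heartbeats; close to 1.0 for an honest clock."""
    ratios = []
    for (s0, c0), (s1, c1) in zip(samples, samples[1:]):
        ds = s1 - s0
        if ds <= 0:  # duplicate or reordered packet: no usable interval
            continue
        ratios.append((c1 - c0) / ds)
    return median(ratios) if ratios else None

def is_suspicious(samples, tolerance=0.05, min_intervals=5):
    """Flag only when enough intervals exist and the median rate is off
    by more than `tolerance` (assumed threshold, tune per deployment)."""
    usable = sum(1 for (s0, _), (s1, _) in zip(samples, samples[1:]) if s1 > s0)
    if usable < min_intervals:
        return False
    return abs(estimate_rate(samples) - 1.0) > tolerance

def simulate(speed, jitter_ms, n=10, interval_ms=2000, base=1_000_000):
    """Constructed heartbeats: the client reports its (possibly scaled) clock,
    and the server receive time carries alternating network jitter."""
    out = []
    for i in range(n):
        true_now = base + i * interval_ms
        client = scaled_clock(base, true_now, speed)
        server = true_now + (jitter_ms if i % 2 else 0)
        out.append((server, client))
    return out

if __name__ == "__main__":
    for speed in (1.0, 1.5, 0.5):
        s = simulate(speed, jitter_ms=40)
        print(speed, round(estimate_rate(s), 3), is_suspicious(s))
```

Using the median over several intervals keeps ordinary network jitter from triggering a flag, while a consistently scaled clock shifts every interval and is caught.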

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow