Consider this situation: A certain game exists, and people have made some cheats using Cheat Engine for the game. Those cheats, let's assume, take the form of forcing certain memory locations in the game's address space to take certain values. (For example, an infinite lives cheat might simply force the player's number of lives to always be 3, for example.) Of course, Cheat Engine can also be used to read those values as well.

The question is, how would you write another program that:
1. Pretends to be the game in question.
2. The cheats that have been made for the game work on the program that you wrote.

(For example, maybe your program has lives, and the infinite lives cheat for the game should also work for your program.)

The motivation for this involves a very strange piece of malware that encrypts your files and demands that you play Touhou 12 on Lunatic difficulty and score at least 200 million points in order to decrypt your files; the question is how to write a program that pretends to be Touhou 12 with the player playing on Lunatic difficulty having earned over 200 million points.
Post edited April 09, 2017 by dtgreene
1) Depends how the program is being detected. For this one, you'd just need an executable with the right file name.
2) In your program, allocate one or more chunks of memory at the right addresses, optionally setting any extra data. Windows has a low-level VirtualAlloc function to do that.

Low-level languages like C, with minimal runtime overhead, are preferable in order to make sure the needed memory address won't be allocated for something else.

And of course, since you'd have to write a program *anyway*, there's no reason to bother with Cheat Engine - just have your program set the data directly and then wait for some input before terminating (so you know it gets picked up). Then you won't have to worry about the cheating tool being detected either... you only need to check what address the tool would modify.
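A minimal version of the fixed-address allocation Pidgeot describes, as an added example rather than any poster's code: the address 0x10000000, the struct layout and the field values are assumptions, and the point is that the OS is only asked for the address, so the result has to be checked before anything is written there.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

struct game_state {        /* hypothetical layout, not the real game's */
    uint32_t lives;
    uint32_t difficulty;   /* 3 = "Lunatic" in this made-up encoding */
    uint64_t score;
};

#define STATE_ADDR ((uintptr_t)0x10000000u)   /* assumed to be unused */
#define PAGE_SZ 4096

/* Map one page at exactly `want` and fill in a constructed state.
 * Returns NULL if the OS could not honour that address (already mapped,
 * ASLR conflict, ...), so the caller never writes to the wrong place. */
struct game_state *place_game_state(uintptr_t want)
{
    void *p;
#ifdef _WIN32
    p = VirtualAlloc((LPVOID)want, PAGE_SZ, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (p == NULL) return NULL;
#else
    /* Without MAP_FIXED the kernel treats `want` only as a hint and may
     * silently hand back some other address, hence the comparison. */
    p = mmap((void *)want, PAGE_SZ, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    if ((uintptr_t)p != want) { munmap(p, PAGE_SZ); return NULL; }
#endif
    struct game_state *s = (struct game_state *)p;
    s->lives = 3; s->difficulty = 3; s->score = 200000000ULL;  /* constructed */
    return s;
}

void release_game_state(struct game_state *s)
{
#ifdef _WIN32
    VirtualFree(s, 0, MEM_RELEASE);
#else
    munmap(s, PAGE_SZ);
#endif
}
```

A stand-alone build would call `place_game_state(STATE_ADDR)` from `main`, print the address it got, and block on `getchar()` so an external reader has time to look at the page before `release_game_state` runs.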
You have to write a program which runs as admin, then scans the Touhou 12 game's memory. Hence, the need for admin. The program should wait until the Touhou process is loaded, then attach. Alternatively, you could try debugging the assembler that it executes. Play Touhou, and only change a little bit, then diff memory snapshots to see if you can determine where things are going into memory. It's definitely not an easy task.

Then if you think you can solve where difficulty and points are placed, then you need to inject those values into the game at the proper location. But you can't be sure if that's all that the ransomware is checking for. Might be easier to find an existing cheat engine to beat the game on the indicated difficulty.
Pidgeot: 1) Depends how the program is being detected. For this one, you'd just need an executable with the right file name.
2) In your program, allocate one or more chunks of memory at the right addresses, optionally setting any extra data. Windows has a low-level VirtualAlloc function to do that.

Low-level languages like C, with minimal runtime overhead, are preferable in order to make sure the needed memory address won't be allocated for something else.
or you could declare the needed variable in your program, then advise your linker to put the variable in a separate section and map that section at the correct memory address to match the layout from the program you want to imitate.

edit:
you probably also need to take care that the linker doesn't produce a relocatable executable, because then windows' address space randomization might kick in and put your data somewhere else.
Post edited April 09, 2017 by immi101
immi101: you probably also need to take care that the linker doesn't produce a relocatable executable, because then windows' address space randomization might kick in and put your data somewhere else.
Fix for W7
After creating that ransomware, Tvple Eraser could probably get a top job at Apple!
As you know, that is not a "real" malware, and source code is available. See how it fingerprints the Touhou process, and then...

If Touhou was just an example, and you actually want a generic solution, that doesn't exist. Time to fire up IDA Pro and do some reversing on the malware executable.
Post edited April 10, 2017 by onarliog