Three years later, I think I know enough to answer my own question. 🙂
A computer program usually communicates with the kernel using predefined functions called system calls. Each OS has a different set of calls but often they do similar things like — allocating memory, reading and writing files, or handling processes. According to this page, there are around 480+ system calls in Windows NT kernel.
For any purpose that deals with the hardware, programs usually resort to system calls because that’s what OS does best and one of these things happen to be knowing time. Computer games often need to render 60 frames / second and to make this happen they need to call the rendering function every 16.6ms. On Windows, “GetTickCount()” is usually used for this which returns number of milliseconds passed since the Windows has been up (“If no of milliseconds passed since the last tick count is more than 16ms, render a new frame else continue.”).
SpeedHacking, in general, works by injecting code into the running process and hacking the timing functions to return sped-up / slowed-down “ticks” to modify the program’s running speed.
Although, I can’t be sure how exactly CE achieved this (the source code is pretty hard to understand) but another programmer pulled off a similar thing (video) on Linux. In the source code, you can see how the author modified a similar system call for Linux (“gettimeofday()“) for this.
go gettimeofday_orig;
int val;
gettimeofday_orig=(go)dlsym(RTLD_NEXT,"gettimeofday");
if (!timezero)
{
timezero = new timeval;
val = gettimeofday_orig(timezero,tz);
(*tv) = (*timezero);
return val;
}
I am not sure how it’s detected but I would be going with @Harold’s idea that the game probably spots the DLL getting injected.