Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


OMG VIRUS!!!
Megamandos
How do I cheat?
Reputation: 0

Joined: 04 Aug 2009
Posts: 1

Posted: Tue Aug 11, 2009 7:33 pm

ROFLMAO... you used CE on WoW!

It's online, EVERYTHING is serverside you tard.

There are no real "hacks" for WoW, the YouTube videos are just showing the "display values" on the client (locally). So when you see those videos for people hitting for like 1 million, that's because they are just hacking their client so it says shit like that. When in actuality they are hitting for like 5, cause they are noobs. And when people sell "1337 w0w h4x" for like $29.99, it's a scam using a trainer that took some douche like 2 minutes to make.

If you want WoW to be easier (which in itself is difficult to fathom) then get some addons. If you are trying to make a BOT, then you are in the wrong place and you need to pick up a book on C++/VB.NET/C#/etc. and TCP, and go download Ethereal and start reverse engineering or send mouse-clicks to the client (which I have seen, but it's very unreliable.)
ghostnghost
How do I cheat?
Reputation: 0

Joined: 11 Aug 2009
Posts: 2

Posted: Thu Aug 13, 2009 10:54 am

Does there exist a version without virus warnings?
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

Posted: Thu Aug 13, 2009 11:24 am

yes, but it only works on computers without crappy av software
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
ghostnghost
How do I cheat?
Reputation: 0

Joined: 11 Aug 2009
Posts: 2

Posted: Fri Aug 14, 2009 8:15 am

ESET nod32 3.0 isn't crappy >.> but when will a version without virus alarms come? I can't disable it because I have other viruses that come at every moment.
Haswell
Grandmaster Cheater
Reputation: 10

Joined: 24 Nov 2007
Posts: 703

Posted: Fri Aug 14, 2009 8:36 am

You're not getting DB's meaning.

If you're so paranoid, don't use CE at all. Otherwise, go read some tutorials on "how to add CE into your AV's exception list". In case you're too dumb to use the search function, I'll tell you here:
1. After downloading CE, disconnect from the internet.
2. Disable your AV
3. Install CE
4. Add CE to your AV's exception list (don't ask how, go search)

CE contains no virus. End of discussion.
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

Posted: Fri Aug 14, 2009 5:22 pm

Quote:
I can't disable it because I have other viruses that come at every moment.

Then get a firewall.

Really, if you GET viruses just like that it's already way too late for any anti virus, because that means they are already executing. Perhaps they've already gained kernel access and disabled your AV...

EG
How do I cheat?
Reputation: 0

Joined: 17 Aug 2009
Posts: 2

Posted: Mon Aug 17, 2009 7:01 pm    Post subject: lol

Quote:
This program is freeware, you can copy it as much as you like.

If this program accidentaly screws up and destroys data on your PC, electrocutes you,makes your monitor explode in your face, set's your house on fire, kills you, changes all the text you say in online games to oink, causes everyone on the planet(and beyond) to try to kill you, hacks into a nearby nuclear misile and targets your house, changes your bank balance to $0, gets you banned from online games, adds your name to a hitman's list, sucks you into the computer and plays pong with you(with you as ball), causes secret agencies to come after you, makes you believe you got maggots crawling under your skin, turns your room into a gate to hell, becomes sentient and starts killing everyone on this planet, gets you sent to jail with a guy named big bubba or does anything else you don't want it to do, don't blame the author of this program!!

Do you agree to this?


Now that you ask that I'm pretty sure no one can sue you lol


Cool
lolskillz
How do I cheat?
Reputation: 0

Joined: 18 Aug 2009
Posts: 4

Posted: Tue Aug 18, 2009 2:01 pm    Post subject: Re: OMG VIRUS!!!

Dark Byte wrote:
And if you're wondering why the driver is detected that is because it uses some of the Zwxxxx functions exported by windows meant to be used by drivers. And it also uses the exported variable KeServiceDescriptorTable. (Also provided by windows to be used by drivers)
Now since anti virus programmers have no idea how to detect a rootkit, they just look at suspicious behaviour. And any driver that uses those functions that are exported by windows is classified as a trojan rootkit.
That's kinda like saying that everyone carrying a gun is a psychopathic murderer. (while only 85% of them actually is)


Well it is retarded to call through the KeServiceDescriptorTable so I don't blame them. What's even more retarded is to write a driver to scan userland memory, when there is no reason whatsoever to do so.
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

Posted: Tue Aug 18, 2009 3:36 pm

KeServiceDescriptorTable is only used when the user picks the stealth routines, no functions are called through it from the driver

As for accessing userland memory from a driver, it has its uses when ReadVirtualMemory is hooked kernelside

Anyhow, none of these things are used by default. Only when the user explicitly wants to use them

HonestGamer
Cheater
Reputation: 1

Joined: 13 Aug 2009
Posts: 27
Location: India

Posted: Wed Aug 19, 2009 12:57 am

Dark Byte wrote:
shaon120 wrote:
I have Norton antivirus and it's updated frequently. I even saw on Google that it has a trojan horse

Then download


Cheat Engine and Retarded? One thing I just cannot understand..LOL Laughing
lolskillz
How do I cheat?
Reputation: 0

Joined: 18 Aug 2009
Posts: 4

Posted: Wed Aug 19, 2009 4:28 am

Dark Byte wrote:
KeServiceDescriptorTable is only used when the user picks the stealth routines, no functions are called through it from the driver

As for accessing userland memory from a driver, it has its uses when ReadVirtualMemory is hooked kernelside

Anyhow, none of these things are used by default. Only when the user explicitly wants to use them


Ah, yea. I guess if you were to tamper with some lame game protection, like gameguard, it would be cool to at least have the option.

If the driver is used, do you read the pde from cr3 and manually walk the paging system to scan (with pae/x64?)? or do you restore the hooks from ZwReadVirtualMemory? or simply KeStackAttachProcess?

I doubt any decent vendors would detect you for calling ZwReadMem/StackAttach. And reading Cr3 shouldn't be detected either.
KeServiceDescriptorTable I guess could be detected by a few (both importing it and resolving it dynamically).

You don't clear the WP flag from cr0 do you? That would probably cause a few detections if you do.
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

Posted: Wed Aug 19, 2009 5:03 am

For memory access there are 2 options.
The default is using KeStackAttachProcess, or when the user uses the pagedir plugin it uses CR3
Downside of using raw memory access like this is paged out memory, but it's still useful enough as the code and data that is of interest is usually accessed a lot

as for restoring the hooks, that is implemented but not called in the released version of ce. It doesn't so much restore the hooks as it makes a copy of the kernel (or at least the whole path KeAttachProcess takes) and adjusts the relocation addresses related to code but leaves data addresses intact
( as restoring it in the original will be detected by those anti-cheats and then they put it back or simply reboot, and no real way to make sure another thread on another cpu is currently checking if it's changed or not)
This method is used in a couple of UCE's (undetected ce's)

As for clearing the WP flag on CR0, I have to admit, I do. (when the user enables stealth) But only in such a way that it shouldn't cause problems. (disable interrupts, clear WP, quick edit on memory I know is paged in, restore WP bit, restore interrupts)
I could probably try making the memory writable instead

lolskillz
How do I cheat?
Reputation: 0

Joined: 18 Aug 2009
Posts: 4

Posted: Wed Aug 19, 2009 5:45 am

Dark Byte wrote:
For memory access there are 2 options.
The default is using KeStackAttachProcess, or when the user uses the pagedir plugin it uses CR3 and physical memory (in this plugin the physical memory is accessed directly without api calls)
Downside of CR3 memory is paged out memory, but it's still useful enough as the code and data that is of interest is usually accessed a lot

as for restoring the hooks, that is implemented but not called in the released version of ce. It doesn't so much restore the hooks as it makes a copy of the kernel (or at least the whole path KeAttachProcess takes) and adjusts the relocation addresses related to code but leaves data addresses intact
( as restoring it in the original will be detected by those anti-cheats and then they put it back or simply reboot, and no real way to make sure another thread on another cpu is currently checking if it's changed or not)
This method is used in a couple of UCE's (undetected ce's)

As for clearing the WP flag on CR0, I have to admit, I do. (when the user enables stealth) But only in such a way that it shouldn't cause problems. (disable interrupts, clear WP, quick edit on memory I know is paged in, restore WP bit, restore interrupts)
I could probably try making the memory writable instead


Regardless of how you clear WP from CR0, it will most likely cause issues with vendors that emulate the suspicious files.

"...a copy of the kernel (or at least the whole path KeAttachProcess takes) and adjusts the relocation addresses related to code but leaves data addresses intact"

Ah yea, that is probably preferable, I can imagine lots of anti-hack drivers would have a busy-thread checking for changes to the in-memory instance of the kernel. I don't understand the relocation part tho.

I would relocate everything in my copied instance according to the relocation directory (against the true ntoskrnl image base, not against the copied instance). If you don't relocate data access, it would crash badly when accessing static data since ntoskrnl always is relocated when loaded. Relocating code so that all calls call into the actual instance would most unlikely ever cause an issue since inline hooks would only be found in the top level of the function (unless some properly stupid person wrote the code Wink). Also all data will be properly initialized.

Feels like this sub-thread is getting somewhat unrelated to the topic now tho Smile
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

Posted: Wed Aug 19, 2009 6:04 am

Gameguard hooks KeAttachProcess (and even the unexported KiAttachProcess), and KeAttachProcess is called by ZwReadVirtualMemory
And you got to love their method of rebooting the system using the keyboard port when they detect a hack in kernel

anyhow, with not relocating the data pointers I mean leave them to what they currently are as in the loaded kernel (so the copied kernel makes use of the same already initialized data structures, mutexes, events, memory allocation arrays, etc... as the original kernel, but makes sure it doesn't jump back to the original kernelcode, of course, since most are relative jumps, there's not much to change at this point)

Quote:

Feels like this sub-thread is getting somewhat unrelated to the topic now tho

Mwah, a few topics with useful content in a thread mostly filled with emotion and fear based posts is a nice change

lolskillz
How do I cheat?
Reputation: 0

Joined: 18 Aug 2009
Posts: 4

Posted: Wed Aug 19, 2009 9:29 am

Dark Byte wrote:
Gameguard hooks KeAttachProcess (and even the unexported KiAttachProcess), and KeAttachProcess is called by ZwReadVirtualMemory
And you got to love their method of rebooting the system using the keyboard port when they detect a hack in kernel

anyhow, with not relocating the data pointers I mean leave them to what they currently are as in the loaded kernel (so the copied kernel makes use of the same already initialized data structures, mutexes, events, memory allocation arrays, etc... as the original kernel, but makes sure it doesn't jump back to the original kernelcode, of course, since most are relative jumps, there's not much to change at this point)

Quote:

Feels like this sub-thread is getting somewhat unrelated to the topic now tho

Mwah, a few topics with useful content in a thread mostly filled with emotion and fear based posts is a nice change


Ah, now I see what you mean. I figured you read the kernel from disk, expanded it and relocated. If you copy the existing one and restore it, everything should work "out of the box". As you said, all branches would be relative (apart from IAT). So just make sure it is intact according to on-disk image.

And yes, GG is stunningly retarded. Got to love how it doesn't uninstall the driver even when you uninstall the games Wink truly brilliant concept.

Remember last time I fucked around with. Got so seriously fed up with their broken driver that I ended up disabling the statically linked loader portion of GG in the game (Top of the function that starts the GameGuard.xxx updater: mov eax, 0x755; retn 0x10 if I'm not mistaken, 5 sec fix Wink), then re-implemented the client<->server protocol and encryption in a proxy.

Lemme know if you need some development help on this project, sounds like a kinda fun sparetime project.
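The integrity check the last posts refer to (comparing a loaded image against its on-disk copy once base relocations are accounted for), as an added example that is not from the thread or from Cheat Engine. The sample bytes, base addresses and function names are constructed, and the image is assumed to be already laid out by RVA.

```python
import struct

HIGHLOW, DIR64 = 3, 10  # IMAGE_REL_BASED_* types that carry a fixup

def apply_relocs(image: bytes, reloc: bytes, delta: int) -> bytes:
    """Rebase an image (already laid out by RVA) using its .reloc blocks."""
    out, pos = bytearray(image), 0
    while pos + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, pos)
        if size < 8 or size % 2 or pos + size > len(reloc):
            break  # terminator or malformed block
        for (entry,) in struct.iter_unpack("<H", reloc[pos + 8:pos + size]):
            kind, rva = entry >> 12, page_rva + (entry & 0xFFF)
            fmt = {HIGHLOW: "<I", DIR64: "<Q"}.get(kind)
            if fmt is None or rva + struct.calcsize(fmt) > len(out):
                continue  # padding (type 0), unsupported type, or out of range
            (value,) = struct.unpack_from(fmt, out, rva)
            mask = (1 << 8 * struct.calcsize(fmt)) - 1
            struct.pack_into(fmt, out, rva, (value + delta) & mask)
        pos += size
    return bytes(out)

def modified_ranges(expected: bytes, actual: bytes):
    """Return (offset, length) runs where the two buffers differ."""
    runs, start = [], None
    for i, (a, b) in enumerate(zip(expected, actual)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, min(len(expected), len(actual)) - start))
    return runs

# Constructed sample: 32-byte "module", preferred base 0x400000, loaded at 0xA50000.
DELTA = 0xA50000 - 0x400000
DISK = bytes.fromhex("8bff558bec909090" "a110004000c39090") + bytes(16)
RELOC = struct.pack("<IIHH", 0, 12, (HIGHLOW << 12) | 0x009, 0)  # one fixup + padding
# Memory copy: pointer at offset 9 rebased by the loader, first 5 bytes replaced by a jmp.
MEMORY = bytes.fromhex("e911223344909090" "a11000a500c39090") + bytes(16)

if __name__ == "__main__":
    print("naive compare:   ", modified_ranges(DISK, MEMORY))
    print("relocation-aware:", modified_ranges(apply_relocs(DISK, RELOC, DELTA), MEMORY))
```

The naive comparison also reports the rebased pointer as a change, while the relocation-aware one reports only the overwritten function start. A real check would restrict the comparison to read-only code sections, since the IAT and writable data legitimately differ from the file.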
All times are GMT - 6 Hours
Page 15 of 35