Cheat Engine

Thy Gamer · Posted: Tue Oct 18, 2005 2:06 pm Post subject: NProtect?

CAn any one tell me what it does and mor einfo on it. One of my favorite games is getting it but I don't know what it does at all, and if I know I could unpack it and hack it but I'm not really waste my time if someone else all ready knows. Smile

Dark Byte · Posted: Tue Oct 18, 2005 2:27 pm Post subject:

it detects tools like cheat engine unless you edit it so they don't detect it anymore.
and it usually prevents debugging.

Thy Gamer · Posted: Tue Oct 18, 2005 3:17 pm Post subject:

AwAiS · Posted: Tue Oct 18, 2005 8:01 pm Post subject:

if it prevents debugging, then the purpose of even trying to get far with it has lost much value...

do you know of any way to make the current CE work alongside it without major modifications?

ducspam · Posted: Tue Oct 18, 2005 10:41 pm Post subject:

I spend a week trying to code that debugger and now the game got NProtected. lol that sucks so bad.

I tested:
1) First thing was that it shut down the game process when it detect CE running. So I decided to use the code I wrote to see if it detect that.

2) It didn't detect my code, but my code require the game process; which NProtect did a good job hiding it.

3) I check my code and all I need was the game process id, searched on the net and found "KProcCheck" which find the hidden processes and also give you the id, so I ran the game, ran "KProcCheck" and grab the game process id and feed it into the code, and it didn't debug crap. Debug event code was 0, no exception, no thread created, no nothing.

4) So I thought NProtect probably did a "patch" trick to some dll that's probably why debug didn't work(similar to what you taught me about IsDebuggerPresent, Dark Byte), so I tried CreateProcess API to lauch the game with the DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS as flags and what do you know, game doesn't start. If I ran it with a normal flag, the game starts up.

I did a search and found some people saying hex editing the stealth.dll in CE and got it to work. But I have no clue, and also, I got some unprotect.dll file that suppose to bypass this NProtect schema, but I have no clue how to use it.

Enlighten us if you know more or a work around about this. Interested as it is, very tiring as to coming up with a design to counter attack. Hopefully the next version of CE will have this anti-nprotect. Wink

BTW: Dark Byte, I forgot to thank you you for your help with the debugger. It was a learning experience. Thank you very much.

Dark Byte · Posted: Wed Oct 19, 2005 4:23 am Post subject:

To get cheat engine to work (when you have a undetected version):
First close the game (reboot is prefered)
go to settings->extra and enable undo memory modifications and force memory to be writable.
answer yes and click ok.

Now restart cheat engine and from then on you can just start the nprotect game and cheat engine and you'll be able to open the game using the processlist (long) method, using the processwatcher or using the window list (when the memory has been fixed it can see the the window in the list again)

Diquil · Posted: Wed Oct 19, 2005 6:41 am Post subject: Making trainers

Can CE also make trainers for Nprotected games? I tried making one selecting the progress that runs before Nprotect fully executes but it didn't work. Offcourse I can do it manually every time, but hey, if you do something, do it good. =)

Situation: I can target the game process (Maplestory.exe) in the process list before Nprotect is fully loaded, but afterwards it's only in the "Process List (long)". Since the trainer maker doesn't seem to support this list (?) my trainer doesn't work.

I also tried in different trainer makers, but in none of them I can seem to target the process anymore once Nprotect is loaded.

Thanks, and sorry if missed something really obvious Rolling Eyes

Dark Byte · Posted: Wed Oct 19, 2005 6:56 am Post subject:

No, the trainers of ce don't use any kernel mode routines and also don't fix their memory that nprotect alters.

So, even if they aren't detected they won't work because they can't target the process or write to it

(Je zult je eigen trainer moeten schrijven)

ducspam · Posted: Wed Oct 19, 2005 7:09 am Post subject:

Your methods does not seem to work.

1) Game still shut down after the detection of CE starting up.
2) If CE is already up, then running the game, after attaching CE to the game, NProtect will error out causing the game to shutdown.

I don't know, that's what happen in my case (with a reboot too). But I was able to see the game process in Process Watcher and the "long" listed version. GameMon.des was also there.

Question:
Is there a way to load all (all needed) API from kernel32, user32 dlls into a program before hand? This way the program can access clean, unmodified version, API and debug from there?

Dark Byte · Posted: Wed Oct 19, 2005 8:04 am Post subject:

you forgot the most important part:

ducspam · Posted: Wed Oct 19, 2005 6:02 pm Post subject:

AwAiS · Posted: Wed Oct 19, 2005 7:42 pm Post subject:

how functionable will an undetected, if possible, version be?.. you say nProtect disallows debug events..

Dark Byte · Posted: Wed Oct 19, 2005 9:59 pm Post subject:

sharr · Posted: Thu Oct 20, 2005 12:11 pm Post subject: hum...

well do you mean we gotta get a dll injector and inject a dll like unprotect.dll? or this was an old way to do it?

I already did it but I do something wrong or it's old and I didn t realized Wink

Thy Gamer · Posted: Thu Oct 20, 2005 1:46 pm Post subject:

We got alot of MapleStory people here don't we. Smile

If any of you are GB cheaters, Have you tried the NOPs way? That should do the trick, then go into Hacker's View(The program) and change it(hex it) and it should work. I do this later on but if you want it bad, there is some starting info.