Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
AikonCWD's challenge #1: Test your skill here!
ulysse31 (Master Cheater, Paris), posted Thu Nov 26, 2015 8:04 am:

Hey,

I've been using this program, which is a pretty good training ground for newbies like me. I am trying to attach a debugger not by using already built tools such as Olly plugins etc., but by hooking the functions myself.

And it turns out that, among other things, I am having problems attaching VEH. GetModuleHandle looks for this DLL, but by doing so shouldn't it compare it to "veh.186...", which should be a string located in the program's memory? I assume I'd need to find the string and hex edit it so that the compare doesn't find a match, but this doesn't work out. Can anyone explain to me why?
atom0s (Moderator), posted Thu Nov 26, 2015 1:08 pm:

There is a check for the VEH debugger by looking for the following two modules:
- vehdebug-i386.dll
- vehdebug-x86_64.dll

It uses GetModuleHandle to try and detect both of them. There are other methods of detection for other things that could also be triggering the problem if you have defeated that part of the anti-cheat though.

If you want a hint, there is a timer running constantly that does all the various debugger checks, which you can find at address 0x004BB571.

An easy way to kill the protection is by making this timer not work or just instantly return.

ulysse31 (Master Cheater, Paris), posted Thu Nov 26, 2015 3:03 pm:

Hey atom0s, thanks.
I had the naive idea that because the DLL name is an argument to the GetModuleHandleA function, it should be somewhere in the memory space.

I cracked the GetModuleHandle check okay, but I'm wondering how you've been able to tell which APIs this program uses to detect cheats?
Especially the ZwQueryInformationProcess one: did you use a tool that'd report use of anti-debug APIs? Did you go through the potential APIs that you knew it could be using?
AikonCWD (Grandmaster Cheater, Spain (Barcelona)), posted Thu Nov 26, 2015 3:47 pm:

ulysse31 wrote:
Hey,

I've been using this program, which is a pretty good training ground for newbies like me. I am trying to attach a debugger not by using already built tools such as Olly plugins etc., but by hooking the functions myself.

And it turns out that, among other things, I am having problems attaching VEH. GetModuleHandle looks for this DLL, but by doing so shouldn't it compare it to "veh.186...", which should be a string located in the program's memory? I assume I'd need to find the string and hex edit it so that the compare doesn't find a match, but this doesn't work out. Can anyone explain to me why?


There are multiple ways to defeat those checks. Remember that VB6 uses Unicode strings, so you will find each character of the string separated by 0x00.

Here is where the string is stored (remember, always in Unicode):


ulysse31 (Master Cheater, Paris), posted Thu Nov 26, 2015 7:51 pm:

Ah yes, thank you. I actually thought I had tried with 00 bytes between the hex values, but if I did, I failed to do it properly, because it does work now that I look for the string.

I've managed to attach WinDbg too, but I am having trouble finding the timer function myself. Any hint on how to achieve that? It appears that either the time value is encrypted in memory, or it's not in memory, or it's using a new variable address every time the time value changes.
atom0s (Moderator), posted Fri Nov 27, 2015 2:18 am:

ulysse31 wrote:
Hey atom0s, thanks.
I had the naive idea that because the DLL name is an argument to the GetModuleHandleA function, it should be somewhere in the memory space.

I cracked the GetModuleHandle check okay, but I'm wondering how you've been able to tell which APIs this program uses to detect cheats?
Especially the ZwQueryInformationProcess one: did you use a tool that'd report use of anti-debug APIs? Did you go through the potential APIs that you knew it could be using?


I did a static analysis of the file first, meaning that without loading it into memory (running it), I did some basic overviews.

I loaded it up in CFF / PEiD / DiE to determine the file's type, protection/obfuscation (if any) and other useful information such as whether it's 32-bit/64-bit, what imports it has, whether it connects to the internet at first glance, and so on.

From there I can gather a lot of information.

- I can tell the file is a VB5.0/6.0 file.
- I can tell the file is 32bit.
- I can assume the file is not packed or protected.

At that point I load it up in IDA for further static analysis. With IDA, I can find string references to help determine what various API calls are being made that are imported. Given that it is a VB5/6 app, I know that all imports are handled through LoadLibrary/GetModuleAddress/GetProcAddress calls or are handled via the DllFunctionCall API. In IDA's string window you can find the imports like this:


Following the reference you can find the function call that is referenced to that API:


Next, you can switch IDA to search for Unicode strings and find more information, since VB5/6 used Unicode as the default string type. You'll find a few more, but not that many, as IDA's string function is not that great with anything other than C-style strings.

So instead, load up the app in OllyDbg and use the UltraString Reference plugin. With that we can see even more of the strings / imports:


With more looking, you can find even more useful data:


And lastly, since this is a VB5/6 application you can use a decompiler tool such as VB Decompiler Pro to get the best output of information for applications like this.

A lot of information can be determined without ever loading the file. You just need to collect some useful data beforehand to know which tools will help with the target.

The overall tools I used were:
- CFF Explorer (pe file explorer)
- PEiD and DiE (protection scanners)
- IDA (disassembler)
- VB Decompiler Pro (decompiler)
- OllyDbg (debugger)
- Cheat Engine

Everything about the anti-cheat can be found at that point without ever running the file.

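The two points above, that a VB6 binary's strings (module names, API names resolved through DllFunctionCall) are stored as UTF-16LE with a 0x00 after each character, so an ASCII-only string search misses them, as an added triage example that is not from the thread: a Python scanner that looks for a list of anti-debug indicator strings in both ASCII and UTF-16LE and reports offset and encoding. The indicator list is the module and API names named in the thread; the sample buffer is constructed, not taken from the crackme.

```python
import re
from typing import List, Tuple

# Indicator strings named in the thread: the VEH debugger modules the crackme
# looks up with GetModuleHandle and the anti-debug APIs it resolves by name.
INDICATORS = [
    "vehdebug-i386.dll",
    "vehdebug-x86_64.dll",
    "ZwQueryInformationProcess",
    "GetModuleHandleA",
]


def encodings_for(s: str) -> List[Tuple[str, bytes]]:
    """Return (label, needle) pairs: plain ASCII and UTF-16LE (VB6's native form)."""
    return [("ascii", s.encode("ascii")), ("utf-16le", s.encode("utf-16-le"))]


def scan_indicators(data: bytes, indicators=INDICATORS) -> List[Tuple[int, str, str]]:
    """Find every indicator in data, case-insensitively, in both encodings.
    Returns (offset, encoding, indicator) tuples sorted by offset. IGNORECASE on a
    bytes pattern folds ASCII letters only, which is exactly what the interleaved
    0x00 bytes of a UTF-16LE string need."""
    hits = []
    for ind in indicators:
        for label, needle in encodings_for(ind):
            pattern = re.compile(re.escape(needle), re.IGNORECASE)
            for m in pattern.finditer(data):
                hits.append((m.start(), label, ind))
    return sorted(hits)


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Scan a whole file on disk (no execution needed, matching the static approach above)."""
    with open(path, "rb") as f:
        return scan_indicators(f.read())


# Constructed sample: a fake image region holding one ASCII copy of an API name
# and one UTF-16LE copy of a module name, surrounded by filler bytes.
SAMPLE = (
    b"\x00" * 16
    + b"ZwQueryInformationProcess\x00"
    + b"\x90" * 8
    + "vehdebug-i386.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\xcc" * 8
)

if __name__ == "__main__":
    for off, enc, ind in scan_indicators(SAMPLE):
        print(f"0x{off:08x}  {enc:8}  {ind}")
```

An ASCII-only pass over SAMPLE reports just the API name; the UTF-16LE pass is what surfaces the module name, which is the gap the thread describes with IDA's default string search.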
ulysse31 (Master Cheater, Paris), posted Fri Nov 27, 2015 6:06 am:

Thanks a lot for taking the time to make this tutorial, it'll help a great deal.
AikonCWD (Grandmaster Cheater, Spain (Barcelona)), posted Fri Nov 27, 2015 7:40 am:

Since this crackme/challenge is defeated, I can try to make a challenge #2, adding more complicated routines, some string obfuscation, etc.

Anyone interested in that project?

ulysse31 (Master Cheater, Paris), posted Fri Nov 27, 2015 12:33 pm:

Sure, I'm sure those who had fun with the first project will have fun with the 2nd one. Once I'm done toying with the first one, I'll definitely try the 2nd one if you make it.
atom0s (Moderator), posted Fri Nov 27, 2015 2:51 pm:

AikonCWD wrote:
Since this crackme/challenge is defeated, I can try to make a challenge #2, adding more complicated routines, some string obfuscation, etc.

Anyone interested in that project?


Sure, it will be something fun to do in my spare time.

h3x1c (Master Cheater), posted Fri Dec 04, 2015 11:38 pm:

atom0s wrote:
A lot of information can be determined without ever loading the file. You just need to collect some useful data before hand to know which tools will help with the target.

The overall tools I used were:
- CFF Explorer (pe file explorer)
- PEiD and DiE (protection scanners)
- IDA (disassembler)
- VB Decompiler Pro (decompiler)
- OllyDbg (debugger)
- Cheat Engine


Thank you so much for that detailed rundown, atom0s. I'm quite proficient with Assembly and all the standard CE usage at this point in my journey, so I'm looking to take things to the next level and this helps tremendously.

Do you have any other posts you can think of immediately where you've explained your solutions/processes in depth? Also, are there any other particularly noteworthy tools you tend to use that you didn't list here?

Thanks!

atom0s (Moderator), posted Fri Dec 04, 2015 11:50 pm:

I haven't really posted much in terms of tutorials anymore, due to some personal reasons against sharing things.

As for tools, it depends on the situation. I have hundreds of different apps I use for various purposes when doing reversing, unpacking, cracking, etc. Just depends on what is needed based on the target at hand.

Some things I use very often though would be:
- dnSpy / ILSpy / Reflector (.NET decompilers.)
- ImpREC (Import reconstruction tool for unpacked files.)
- PEiD / ProtectionID / DiE (Protection scanners.)
- de4dot (.NET Deobfuscator)
- John The Ripper (Password bruteforcer.)

Aside from that, I have tons of sub-tools for various obfuscators/protectors that come in handy, as well as the various plugins for all the programs mentioned.

My tools also consist of things like:
- procmon (Process Monitor)
- procexp (Process Explorer)
- PuTTY / NuTTY (SSH clients.)
- Wireshark
- Tcpview
- SmartSniff
- Various .NET related tools.

And so on. Just depends on what I'm doing.

Jerduh74 (Advanced Cheater, Phoenix, AZ), posted Fri Jan 08, 2016 11:19 pm, subject: AikonCWD:

No thanks though. I'm not that computer geek professor to do some hacks and such. -_-
sasatefa2009 (Cheater), posted Tue Jan 12, 2016 12:19 pm:

I've bypassed the detection and here is how:

Load the game into OllyDbg.

Go to all of these addresses using Ctrl+G and change every jump instruction to "jmp":

004B81A4
004B8612
004B8663
004B8697
004B86CB
004BA18E
004BA1FE
004BA26E
004BA2DE
004BAAF3
004BAB74
004BABED
004BAC66
004BB5D9
004BB660
004BB6D9
004BB752

Now let's bypass the process detection for Cheat Engine and the kernel-mode debugger.

Go to these addresses and "nop" them:

004BC238
004BBDB3
004BBD2A


For VEH debugger detection:

1- VEH for x64

004BBFA3 :- change the jump to make it jump to the next "jmp" instruction, which on my PC is 004BBFCB.

2- VEH for x32

004BBF6A :- follow it in the dump and change it to whatever you want, and don't forget to check "keep size".

** extra bypass (no time over) **

004B97FD: change it to "jmp".

You can save what you did to an exe file with "copy to executable -> all modifications",
then right click in the new window and "save file".

Don't expect me to talk about the "what to do" with Cheat Engine.

That was a quick tutorial for bypassing the detection.

I'll be waiting for the next challenge, Aikon.

LunarTemplar (Newbie cheater), posted Fri Apr 08, 2016 7:38 pm:

o.0 I've apparently been called out ... back in November