darpangs Newbie cheater
Reputation: 0
Joined: 12 Jun 2008 Posts: 14 Location: busan korea
Posted: Thu Aug 13, 2009 11:34 pm Post subject: How to modify AllocationProtect in my process's memory?
Hi guys.
I'm in some trouble now.
I used to make some cheat programs against GG,
but GG has detected my program every time.
I used to update my program so that it was not detected anymore by GG,
but a few days later, GG detected my program again.
I guess that GG scans some portion of my program's memory which has
'Execute+Write Copy' protection and 'Image' type.
So I want to cover such memory regions of my program as 'Read+Write' protection and 'Private' type.
I'm considering hooking kernel32!NtQueryVirtualMemory or modifying some values in the PTE and PDE, but I'm not sure yet.
I need to dig into this.
Anyway, how can I modify the AllocationProtect of a memory region?
If I use VirtualProtect, I can modify only the 'Protect' property in MEMORY_BASIC_INFORMATION.
Maybe GG checks the default memory property (AllocationProtect) and 'Type' in MEMORY_BASIC_INFORMATION.
And one more thing.
I want to know a memory region's type in kernel mode.
In user mode, I can check that type (Mapped, Private, Image) using the VirtualQuery API,
but I cannot find such an API in the DDK documents.
Thank you in advance.
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Fri Aug 14, 2009 1:35 am Post subject:
Why not just hook VirtualQuery, so that when it tries to find what protection a region has, you can return what you like?
darpangs Newbie cheater
Reputation: 0
Joined: 12 Jun 2008 Posts: 14 Location: busan korea
Posted: Fri Aug 14, 2009 2:55 am Post subject: maybe GG will detect it.
I know (but I'm not 100% sure) that GG detects things like hooks, such as an SSDT hook.
One day, I hooked the interrupt service routine for the debug interrupt.
Then GG rebooted my system immediately.
So I guess hooking is a difficult way.
Have you ever hooked any kernel stuff before while GG was running?
Dark Byte Site Admin
Reputation: 474
Joined: 09 May 2003 Posts: 25953 Location: The netherlands
Posted: Fri Aug 14, 2009 5:33 am Post subject:
GG uses a low-level module list (starts at fs:xxxxxxxx) to find the base addresses of loaded modules, including the file paths to those loaded modules.
I bet they'll even read the physical file if it's loaded.
darpangs Newbie cheater
Reputation: 0
Joined: 12 Jun 2008 Posts: 14 Location: busan korea
Posted: Sun Aug 16, 2009 5:54 pm Post subject: oh... really?
Thanks, Dark Byte.
Then I have to think of another way...
Thank you for your reply before I start digging.
Anyway, Dark Byte replied to me! Wow!