iPromise Grandmaster Cheater
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
|
Posted: Sat May 29, 2010 10:58 am Post subject: GameGuard + my memory scanner |
|
|
I figured out why my memory scanner was being detected:
Quote: |
user32.dll
GetWindowThreadProcessId
PostMessageA
PostMessageW
SendInput
SendMessageA
SendMessageW
SetCursorPos
SetWindowsHookExA
SetWindowsHookExW
keybd_event
mouse_event
|
I used hooked functions (Ring3).
But if I hookhop SendMessage this api is also detected:
Quote: |
kernel32.dll
CreateProcessInternalW
DebugActiveProcess
DeviceIoControl
GetProcAddress
LoadLibraryExW
MapViewOfFile
MapViewOfFileEx
MoveFileW
OpenProcess
ReadProcessMemory
VirtualProtect
VirtualProtectEx
WriteProcessMemory
|
And hookhops need GetProcAddress, so what should I do?
|
|
tombana Master Cheater
Reputation: 2
Joined: 14 Jun 2007 Posts: 456 Location: The Netherlands
|
Posted: Sat May 29, 2010 12:30 pm Post subject: |
|
|
Write your own GetProcAddress? Read the exports from the PE header of the wanted module. You can probably find examples of that on the net.
|
|
iPromise Grandmaster Cheater
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
|
Posted: Sat May 29, 2010 2:26 pm Post subject: |
|
|
Maybe we can do this? :
Quote: |
DWORD Ptr = SendMessage + 5;
|
I heard that you can do this in VC++ compiler, just double checking if I should do it that way.
|
|
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
|
Posted: Sat May 29, 2010 3:29 pm Post subject: |
|
|
calling a hooked api doesn't make it detected you know. also @ your previous post, go test it and see if it works
|
|
iPromise Grandmaster Cheater
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
|
Posted: Sat May 29, 2010 7:47 pm Post subject: |
|
|
Got it
Code: |
// SendMessage
DWORD JumpPtr = (DWORD) SendMessage + 5;
LRESULT WINAPI SendMessageX(__in HWND hWnd, __in UINT Msg, __in WPARAM wParam, __in LPARAM lParam)
{
__asm {
MOV EDI, EDI
PUSH EBP
MOV ESP, EBP
JMP [JumpPtr]
}
}
|
|
|
Noz3001 I'm a spammer
Reputation: 26
Joined: 29 May 2006 Posts: 6220 Location: /dev/null
|
Posted: Sat May 29, 2010 9:33 pm Post subject: |
|
|
iPromise wrote: | Got it
Code: |
// SendMessage
DWORD JumpPtr = (DWORD) SendMessage + 5;
LRESULT WINAPI SendMessageX(__in HWND hWnd, __in UINT Msg, __in WPARAM wParam, __in LPARAM lParam)
{
__asm {
MOV EDI, EDI
PUSH EBP
MOV ESP, EBP
JMP [JumpPtr]
}
}
|
|
Doesn't it end up in a r0 hook
|
|
iPromise Grandmaster Cheater
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
|
Posted: Sat May 29, 2010 10:04 pm Post subject: |
|
|
I don't think so, I never got a gameguard hack detection since.
|
|
zile Advanced Cheater
Reputation: 0
Joined: 11 Jul 2009 Posts: 75
|
Posted: Sat May 29, 2010 10:23 pm Post subject: |
|
|
ur dll doesn't work with wolfteam's gg
once i inject to the second wolfteam.bin, gg sends an error about initialize failed
|
|
iPromise Grandmaster Cheater
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
|
Posted: Sat May 29, 2010 10:49 pm Post subject: |
|
|
My dll? My memory engine or did you test my hookhop for sendmessage?
Either way inject it before GG loads I suppose.
|
|
zile Advanced Cheater
Reputation: 0
Joined: 11 Jul 2009 Posts: 75
|
Posted: Sat May 29, 2010 11:05 pm Post subject: |
|
|
ur mem engine
gg makes 2 of the game processes, and im supposed to inject to the 2nd one right? the second one only appears after gg loading is complete
once i inject it, gg's error pops out, i dunno might be different from gunbound
|
|
iPromise Grandmaster Cheater
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
|
Posted: Sun May 30, 2010 2:33 pm Post subject: |
|
|
The method originally for GunBound or any other game is to inject it to the correct process, try injecting it to notepad and see how it goes, if everything works fine try to inject it to the right process of your game, not the one packed with armadillo.
|
|
blitz02 Cheater
Reputation: 0
Joined: 28 Feb 2007 Posts: 44
|
Posted: Sun May 30, 2010 6:54 pm Post subject: Re: GameGuard + my memory scanner |
|
|
Can you tell me how to view these things?
I wanna check something.
Quote: |
user32.dll
GetWindowThreadProcessId
PostMessageA
PostMessageW
SendInput
SendMessageA
SendMessageW
SetCursorPos
SetWindowsHookExA
SetWindowsHookExW
keybd_event
mouse_event
|
Quote: |
kernel32.dll
CreateProcessInternalW
DebugActiveProcess
DeviceIoControl
GetProcAddress
LoadLibraryExW
MapViewOfFile
MapViewOfFileEx
MoveFileW
OpenProcess
ReadProcessMemory
VirtualProtect
VirtualProtectEx
WriteProcessMemory
|
|
|
zile Advanced Cheater
Reputation: 0
Joined: 11 Jul 2009 Posts: 75
|
Posted: Tue Jun 01, 2010 1:43 am Post subject: |
|
|
try rootkit unhooker , worked last time (not unhook) , not sure about now
|
|
WaffleMaster Grandmaster Cheater Supreme
Reputation: 0
Joined: 19 Oct 2006 Posts: 1237
|
Posted: Wed Jun 02, 2010 3:48 pm Post subject: |
|
|
iPromise wrote: | Got it
Code: |
// SendMessage
DWORD JumpPtr = (DWORD) SendMessage + 5;
LRESULT WINAPI SendMessageX(__in HWND hWnd, __in UINT Msg, __in WPARAM wParam, __in LPARAM lParam)
{
__asm {
MOV EDI, EDI
PUSH EBP
MOV ESP, EBP
JMP [JumpPtr]
}
}
|
|
"mov edi,edi" is not needed, and "mov esp,ebp" is just wrong; you'll screw up the stack.
Also, since it's a WINAPI, won't "push ebp" and "mov ebp,esp" be present at the function's entry point anyway? Borland C++ does that by default, but it's a weird IDE, so I don't know about the rest.
|
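Added example, not part of any post in this thread: a defender-side integrity check for the five-byte function prologue the posts above discuss. It classifies a 32-bit x86 function's first bytes from a captured memory buffer, resolves a `jmp rel32` at the entry point, and measures how far the in-memory copy differs from the on-disk reference. The addresses, module bounds and sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum { P_HOTPATCH, P_FRAME, P_JMP_REL32, P_OTHER } prologue_kind;

typedef struct {
    prologue_kind kind;
    uint32_t target;     /* absolute jump target, P_JMP_REL32 only */
    int leaves_module;   /* 1 if target is outside [base, base + size) */
} prologue_report;

/* mov edi,edi / push ebp / mov ebp,esp  and  push ebp / mov ebp,esp */
static const uint8_t HOTPATCH[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
static const uint8_t FRAME[3]    = { 0x55, 0x8B, 0xEC };
/* Constructed sample: jmp from VA 0x77D01000 to 0x10002000 */
static const uint8_t SAMPLE_HOOKED[5] = { 0xE9, 0xFB, 0x0F, 0x30, 0x98 };

/* Classify the bytes found at virtual address `va` inside a module. */
prologue_report classify_prologue(const uint8_t *code, size_t len, uint32_t va,
                                  uint32_t mod_base, uint32_t mod_size)
{
    prologue_report r = { P_OTHER, 0, 0 };
    if (len >= 5 && memcmp(code, HOTPATCH, 5) == 0) {
        r.kind = P_HOTPATCH;
    } else if (len >= 3 && memcmp(code, FRAME, 3) == 0) {
        r.kind = P_FRAME;
    } else if (len >= 5 && code[0] == 0xE9) {
        uint32_t rel = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                       (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
        r.kind = P_JMP_REL32;
        r.target = va + 5u + rel;  /* wraps mod 2^32, as the CPU does */
        r.leaves_module = (uint32_t)(r.target - mod_base) >= mod_size;
    }
    return r;
}

/* Length of the region, measured from the entry point, that no longer
   matches the on-disk reference bytes (0 means untouched). */
size_t patched_span(const uint8_t *mem, const uint8_t *disk, size_t len)
{
    size_t end = 0;
    for (size_t i = 0; i < len; i++)
        if (mem[i] != disk[i]) end = i + 1;
    return end;
}
```

A span of exactly five bytes ending in a jump that leaves the module is the signature of an inline hook on a hot-patchable function; a check that only looks at those five bytes says nothing about callers that enter the function past them.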