Poll: Is this a good idea?
It's a stupid idea; Cheat Engine cannot be beaten by another poor copy... 60% [ 3 ]
Yes, this is a nice idea, and I maybe want to participate in it! 40% [ 2 ]
Total Votes : 5
Krähne Expert Cheater Reputation: 0
Joined: 06 Jun 2010 Posts: 108 Location: Inside of my Kernel
Posted: Sat Apr 02, 2011 10:09 am
Wiccaan wrote:
    Most anti-cheats can block injection or will straight up ban you for it. A good number of UCEs are still undetected due to making use of the driver, since most of the time the majority of checks and such in anti-cheats are usermode checks.
Yeah, but... what if the launcher (the injector of the .dll engine) uses a driver to unhook all the APIs that it will need? I mean... WPM, RPM, VAE, CRT, etc...
_________________
Excuse me if you don't understand what I just said, but "English" isn't my native language.
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The netherlands
Posted: Sat Apr 02, 2011 10:22 am
If you're going to use a driver like that, then why even bother with a usermode DLL?
A driver is present in every process's task space, which means that you just have to make sure the context your thread is executed in belongs to the target process and do all the edits in there (an example of this is the CETC project, which is a kernelmode memory scanner with a network interface for control).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Krähne Expert Cheater Reputation: 0
Joined: 06 Jun 2010 Posts: 108 Location: Inside of my Kernel
Posted: Sat Apr 02, 2011 11:14 am
Dark Byte wrote:
    If you're going to use a driver like that, then why even bother with a usermode DLL?
    A driver is present in every process's task space, which means that you just have to make sure the context your thread is executed in belongs to the target process and do all the edits in there (an example of this is the CETC project, which is a kernelmode memory scanner with a network interface for control).
Well... because I was thinking that if I didn't use the Win32 API when scanning, reading and modifying memory, given that I had injected into the process, then it would be difficult to detect me.
I do not know if it's a stupid idea, maybe yes, but who knows, right?...
Another thing: when creating a driver, isn't it necessary to use the usermode APIs? I mean... is it the driver that modifies the memory and not the GUI?
For example: I would not use OpenProcess at user level, but... ZwOpenProcess at kernel level? Is the driver doing the job of OpenProcess?
I was thinking that the only function of the driver was to unhook the Windows API, and that I would be able to use it from usermode without problems... haha, epic noob.
_________________
Excuse me if you don't understand what I just said, but "English" isn't my native language.
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The netherlands
Posted: Sat Apr 02, 2011 12:16 pm
You just use the kernelmode KeAttachProcess, or just change the CR3 register to the value of the target process (or even just map the physical memory of the target process to a local virtual address).
From there you can read and edit all the memory without anything blocking you, or even being able to block you (the Virtualpagedir plugin in the plugin section, for example, makes use of mapping the physical memory of the target process based on the physical address stored in CR3 of the target).
But yeah, if you don't know the difference between CR3 and CR0, then usermode is the easiest option for now.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Krähne Expert Cheater Reputation: 0
Joined: 06 Jun 2010 Posts: 108 Location: Inside of my Kernel
Posted: Sat Apr 02, 2011 10:20 pm
Dark Byte wrote:
    You just use the kernelmode KeAttachProcess, or just change the CR3 register to the value of the target process (or even just map the physical memory of the target process to a local virtual address).
    From there you can read and edit all the memory without anything blocking you, or even being able to block you (the Virtualpagedir plugin in the plugin section, for example, makes use of mapping the physical memory of the target process based on the physical address stored in CR3 of the target).
    But yeah, if you don't know the difference between CR3 and CR0, then usermode is the easiest option for now.
I really do not know the difference between CR3 and CR0. Is there a manual that explains it? Something for beginners... I'd appreciate it.
Anyway, what do you mean by usermode?
Thanks for the answer.
_________________
Excuse me if you don't understand what I just said, but "English" isn't my native language.
Innovation Grandmaster Cheater Reputation: 12
Joined: 14 Aug 2008 Posts: 617
Posted: Sun Apr 03, 2011 12:48 am
DaasCook wrote:
    I really do not know the difference between CR3 and CR0. Is there a manual that explains it? Something for beginners... I'd appreciate it.
CR0 and CR3 are both control registers. CR0 is typically used to hold many important values, such as whether protected mode is enabled or not. CR3 is used for virtual-to-physical memory translations.
Take a look at Intel's Developer Manuals.
Last edited by Innovation on Thu Apr 19, 2012 5:17 pm; edited 1 time in total
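To make Innovation's description of CR3 concrete, here is an added example in C (not from the thread, and not Cheat Engine code): it decodes the CR0 flags named above and walks a constructed 32-bit non-PAE page table starting from the page-directory base in CR3, which is the lookup the CPU performs for every virtual address. The physical-memory buffer, the table addresses and the frame numbers are assumptions made up for the demo; bit positions follow the Intel SDM.

```c
/* Added example (not from the thread): decodes CR0 flag bits and the
 * page-directory base held in CR3, then walks a constructed 32-bit
 * (non-PAE) page table the way the CPU does, showing how CR3 anchors
 * virtual-to-physical translation. Bit positions follow the Intel SDM. */
#include <stdint.h>
#include <string.h>

#define CR0_PE (1u << 0)   /* protected mode enable */
#define CR0_WP (1u << 16)  /* supervisor write-protect */
#define CR0_PG (1u << 31)  /* paging enable */
#define PTE_P  (1u << 0)   /* present bit, same position in PDE and PTE */
#define PDE_PS (1u << 7)   /* PDE maps a 4 MiB page directly */

/* Constructed "physical memory": 64 KiB holding a page directory at
 * 0x1000 and one page table at 0x2000 (addresses are demo assumptions). */
static uint8_t phys[64 * 1024];

static uint32_t rd32(uint32_t pa) {
    uint32_t v; if (pa + 4 > sizeof phys) return 0; memcpy(&v, &phys[pa], 4); return v;
}
static void wr32(uint32_t pa, uint32_t v) { memcpy(&phys[pa], &v, 4); }

/* CR0 check: the PG bit only has meaning with protected mode (PE) on. */
int paging_enabled(uint32_t cr0) { return (cr0 & CR0_PE) && (cr0 & CR0_PG); }

/* Translate vaddr via the page directory whose base is CR3 bits 31:12.
 * Returns 0 and stores the physical address, or -1 if a level is absent. */
int translate(uint32_t cr3, uint32_t vaddr, uint32_t *paddr) {
    uint32_t pd_base = cr3 & 0xFFFFF000u;
    uint32_t pde = rd32(pd_base + (vaddr >> 22) * 4);       /* top 10 bits */
    if (!(pde & PTE_P)) return -1;
    if (pde & PDE_PS) {              /* 4 MiB page: low 22 bits are offset */
        *paddr = (pde & 0xFFC00000u) | (vaddr & 0x003FFFFFu);
        return 0;
    }
    uint32_t pt_base = pde & 0xFFFFF000u;
    uint32_t pte = rd32(pt_base + ((vaddr >> 12) & 0x3FFu) * 4); /* mid 10 */
    if (!(pte & PTE_P)) return -1;
    *paddr = (pte & 0xFFFFF000u) | (vaddr & 0xFFFu);         /* 4 KiB frame */
    return 0;
}

/* Build the demo tables and return the value that would be loaded into CR3:
 * PDE[0] -> page table at 0x2000, PTE[5] -> frame 0x9000, PDE[1] -> 4 MiB page. */
uint32_t setup_demo(void) {
    memset(phys, 0, sizeof phys);
    wr32(0x1000 + 0 * 4, 0x2000u | PTE_P);
    wr32(0x2000 + 5 * 4, 0x9000u | PTE_P);
    wr32(0x1000 + 1 * 4, 0x00400000u | PDE_PS | PTE_P);
    return 0x1000u;
}
```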
Jorg hi I post too much Reputation: 7
Joined: 24 Dec 2007 Posts: 2276 Location: Minnesota
Posted: Sun Apr 03, 2011 4:49 pm
...What if someone creates a way to automatically change everything inside the program to allow it to be undetected?
_________________
CEF will always stay alive.
Krähne Expert Cheater Reputation: 0
Joined: 06 Jun 2010 Posts: 108 Location: Inside of my Kernel
Posted: Sun Apr 03, 2011 7:50 pm
Jorg hi wrote:
    ...What if someone creates a way to automatically change everything inside the program to allow it to be undetected?
I, Robot wrote:
    (...) *That*, Detective, is the right question. Program terminated. (...)
Innovation wrote:
    DaasCook wrote:
        I really do not know the difference between CR3 and CR0. Is there a manual that explains it? Something for beginners... I'd appreciate it.
    Take a look at Intel's Developer Manuals. CR0 and CR3 are both control registers. CR0 is typically used to hold many important values, such as whether protected mode is enabled or not. CR3 is used for virtual-to-physical memory translations.
Lol... Do you have something similar in Spanish? I guess not, but I'm going to try to understand it in English anyway :/...
_________________
Excuse me if you don't understand what I just said, but "English" isn't my native language.
Slugsnack Grandmaster Cheater Supreme Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Mon Apr 04, 2011 12:50 am
Jorg hi wrote:
    ...What if someone creates a way to automatically change everything inside the program to allow it to be undetected?
Cue: Polymorphic code
Freiza Grandmaster Cheater Reputation: 22
Joined: 28 Jun 2010 Posts: 662
Posted: Mon May 28, 2012 9:50 am
If I create the GUI in C#/WPF and implement the core functionality in C++, is that a good idea, or can it still be easily detected?
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The netherlands
Posted: Mon May 28, 2012 10:24 am
The anti-cheats will just look for your GUI.
They search for a window with specific object classes and names, or even just the relative positions of the objects to each other (e.g. CE's GUI has 2 buttons next to each other and an image in the top-right with a flat button right under it. Quite specific, and it can be scanned for).
Really, getting access to the process's memory is easy; it's just that hiding your GUI is a little more troublesome, as you need to manually adjust that every time it's detected (and just randomizing the positions and widths of all objects would make a really bad interface for the user).
Anyhow, look up the CETC project; it's a GUI-less memory scanner. The only visible thing is the network interface that is used to communicate with it from another system.
Of course, if you never give out your undetected program, you should be fine.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
iPromise Grandmaster Cheater Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Fri Jun 22, 2012 12:36 am
I'm actually almost done with my own "Cheat Engine" in C++. I'm adding the disassembler now, and then it will be complete.
@Wiccaan You can quickly inject your DLL before the anti-cheat initializes.
Slugsnack Grandmaster Cheater Supreme Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Fri Jun 22, 2012 1:45 am
Yes, you can inject before the anti-cheat initialises, but some of them will check for the presence of unknown DLLs at runtime.
iPromise Grandmaster Cheater Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Fri Jun 22, 2012 2:32 am
You're right, and I took my gamble on it, but what about the friendly DLLs of some external hardware (keyboards, mice) and programs that need to inject their DLLs globally into every process?
I think the anti-cheat engines haven't checked for the presence of unknown DLLs because it could lead to an unstable computer/game for the user.
And a question: can't you just add your code to a DLL from the game's directory to bypass the anti-cheat engine's check for any corrupt DLLs? It's what we used to do for Gunbound: we replaced Buddy2.dll; the friend chatting didn't work, but your code was injected, and in this case, loaded.
Slugsnack Grandmaster Cheater Supreme Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Fri Jun 22, 2012 2:47 am
Depends how far the protection goes. Some of them do integrity checks such as CRC32 on the DLLs. In regards to globally injected DLLs, some protections freak out, but often they have a whitelist for these. If your DLL injects (with that method), you got lucky because their checks are not as extensive.
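As an added example (not the thread's code, nor any real anti-cheat's), here is the CRC32 integrity check Slugsnack mentions written from the defender's side in C: a baseline manifest of known-good module checksums is compared with the module images actually loaded, flagging a replaced Buddy2.dll or a DLL the manifest never listed. The module names and image bytes are constructed for the demo.

```c
/* Added example (not from the thread): the module integrity check
 * Slugsnack describes, seen from the anti-cheat's side. Each loaded module
 * image is CRC32'd and compared with a baseline manifest, so a module whose
 * bytes were replaced, or one the manifest never listed, is reported. */
#include <stdint.h>
#include <string.h>

/* Standard CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320). */
uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

struct module   { const char *name; const uint8_t *image; size_t len; };
struct baseline { const char *name; uint32_t crc; };
#define IMG_LEN(a) (sizeof(a) - 1)   /* drop the string terminator */

/* Constructed stand-ins for DLL image bytes (assumption for the demo). */
static const uint8_t buddy_ok[]  = "MZ...Buddy2 original image";
static const uint8_t buddy_bad[] = "MZ...Buddy2 patched  image";
static const uint8_t gfx_ok[]    = "MZ...gfx original image";

/* Returns how many modules fail: CRC mismatch, or absent from the baseline. */
int verify_modules(const struct module *mods, size_t nm,
                   const struct baseline *base, size_t nb) {
    int failures = 0;
    for (size_t i = 0; i < nm; i++) {
        uint32_t have = crc32_buf(mods[i].image, mods[i].len);
        int found = 0;
        for (size_t j = 0; j < nb && !found; j++)
            if (strcmp(mods[i].name, base[j].name) == 0) {
                found = 1;
                if (base[j].crc != have) failures++;
            }
        if (!found) failures++;
    }
    return failures;
}

/* Baseline from the known-good images; 'tampered' swaps in the patched Buddy2.dll. */
int demo_check(int tampered) {
    struct baseline base[2] = { { "Buddy2.dll", crc32_buf(buddy_ok, IMG_LEN(buddy_ok)) },
                                { "gfx.dll",    crc32_buf(gfx_ok,   IMG_LEN(gfx_ok)) } };
    struct module mods[2] = { { "Buddy2.dll", tampered ? buddy_bad : buddy_ok,
                                tampered ? IMG_LEN(buddy_bad) : IMG_LEN(buddy_ok) },
                              { "gfx.dll", gfx_ok, IMG_LEN(gfx_ok) } };
    return verify_modules(mods, 2, base, 2);
}
```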