| View previous topic :: View next topic |
| Author |
Message |
brunojex
How do I cheat?
![]() Reputation: 0
Joined: 30 Jan 2013
Posts: 5
|
 Posted: Sun May 26, 2013 8:36 am Post subject: CE getting terminated by game client |
 |
|
Not sure if this is right section but here goes.
I've been trying to figure out how an online game client with some random protection is managing to terminate CE after detecting it.
At first i thought it could be runing some kernel code to get it done but
i dont see any driver getting load when game starts, and i dont see any suspicious device handles either.( I hooked Terminateprocess routine but
it doesnt seem to be the one doing it).
So my questions are:
Is it possible to detect and shutdown ce withought resorting to kernel mode code?
How much can be acomplished by runing user code only? Can you get more than just the pid related information, or do you actually need to go down to the kernel and retrieve a handle to do so?
Sorry if questions look kinda vague or noobish, but just trying to get an idea of the possibilities so i can narrow down what to try next.
|
|
| Back to top |
|
 |
Dark Byte
Site Admin
 Reputation: 470
Joined: 09 May 2003
Posts: 25788
Location: The netherlands
|
| Posted: Sun May 26, 2013 8:47 am Post subject: |
|
|
Did you hook TerminateProcess in the target process or in CE ?
Anyhow, you can also inject a dll into cheat engine that calls ExitProcess
or send WM_Destroy to ce's window
or overwrite ce's memory with random garbage
Have you tried running the game while on a limited user account ? (So not admin) and then launch cheat engine as admin
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
brunojex
How do I cheat?
![]() Reputation: 0
Joined: 30 Jan 2013
Posts: 5
|
| Posted: Sun May 26, 2013 9:47 am Post subject: |
|
|
I meant i hooked the gameclient's Terminateprocess.
Didnt remember that it could be shutting down CE from inside CE itself.
But just runned some tests and terminate process isnt called from CE neither is ExitProcess (just hooked and tested).
Aint familiarised with window notifications so not sure how to test WM_Destroy message may have to dig up on this a bit. (do i just hook SendMessage?)
Any crucial ntoskrnl routine in case its doing this on kernel or its ZwTerminate process the most likely way?
(just tried putting a breakpoint on windbg, and got no hits for Zwterminateprocess).
I havent tested kernel hooks yet because im not sure if a driver is being used (hooked createservice and startservice and got no hits) so i may just end up finding some kernel routine doing it and still not be sure if its called via windows apis or not.
(Just tried runing CE normaly and the game client as a non admin user and CE still getting terminated)
UPDATE:
Tried running wpe pro with the gameclient on.
It also gets detected obviosly, yet the client doesnt shut it down.
Now i wonder if it doesnt shut it down because it doesnt wish to or if it doesnt because it cant do it.
Is it possible that it particulary wants to shutdown CE, or theres actually
something in CE it is exploiting ( since CE is open source)
|
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
