Cheat Engine

[qoazi]

After a multitude of hours trying to code an internal C++ memory scanner i was able to piece together one that was successful, It works quickly enough for my own tastes and doesn't cause thousands of access violations like many of the previous ones i tried making did.

But i do have one problem, This memory scanner works on most games, But not the one game i wrote it for, This game does have protection and causes a shutdown if i try scanning it, I've managed to Isolate the cause to a VirtualProtect call.
after some googling i found out about Hook hopping functions, and did so on the virtual protect call, This didn't cause any difference and when looking at the function i noticed that the program doesn't have it's own hook there.

This leads me to Think that the VirtualProtect triggers a memorycheck i know this program has, And causes it to shut itself down (Practically freeze)

If i change certain values in the game with CE the memcheck detects that too, and attaching a debugger causes a shutdown all the same (But this i can get around, Debugging with CE is a possiblity if something i'd like to avoid)

I've been rambling for a while now, Anyway the Point, question, I'd like to as is; Is there a way to find and disable this memcheck function? I've tried seeing what accesses the values that would shutdown if changed, But that caused a shutdown ;-;

[atom0s]

Without knowing the game / protection name its hard to say but it looks like you avoided saying it on purpose due to the forum rules which is fine.

If it is an online game that uses something like GameGuard, nProtect, HackShield, XTrap, etc. for protection you are going to have a lot more work ahead of you given that they all use a driver for their protection.

If it is not those and something more basic, then you have other options.

For one, you need to get debugging working. Try Cheat Engines other options for debugging such as the VEH debugging or kernel mode debugging. If those don't work, try using OllyDbg instead. There are tons of plugins for it that help with bypassing anti-debugging techniques that can assist in getting debugging working.

Once you can get debugging working, the next step is to attempt to locate the protection(s). Take one of the addresses you are sure have protection on them and set a breakpoint on access. You are going to want to log what accesses the address while nothing is happening in game.

For example, take your health address and set a breakpoint. Ensure you are near nothing where your health will change so that you are just standing still and nothing is going on.

If the protection is constantly monitoring the address you may get a hit on the breakpoint right away from the protection.

In other cases, you may need to have something happen to the value for the protection to show up as well.

It is pretty much trial and error from there to find what you need.

[qoazi]

Ah, Alright, that's Close to what i was planning to do, But i didn't consider using a breakpoint, That's a good idea!

I've tried using olly, But at first OllyDbg pausing all the threads caused the shutdown to occur, After getting around that OllyDbg creating a mass of new threads cause the shutdown to occur (Both these occur on attaching, and cannot start the program itself Using OllyDbg)

I've tried all the Debuggers, Even Kernel mode is detected altough through some trial and erros (And tons of bluescreens) i can get it working for a limited time atleast (now i just need to remember how)

I'll try finding it if i get it working, Thanks!

PS: I'm not sure what name this protection has, If any. I've pretty much only Heard rumors about it as i had most of my exploits handling unprotected areas only, But it's Always refered to as "memcheck" and apparently compares a Hash of the code to make sure no Changes occur without permission

[ulysse31]

Go there so you can make sure what you are dealing with is a memory integrity check :
http://forum.cheatengine.org/viewtopic.php?t=545388&sid=547c8b38d77cae64cc12ac928f0ea814
If you bypass it with stealth edit then yes it is.

Then go there for the tutorials, those are from Geri, these are as good tutorials as you can get on the internet concerning the bypass of memory checks :
http://www.szemelyesintegracio.hu/cheats/41-game-hacking-articles

Even if the protections he bypasses are easier than what's used nowadays in most of games, this will give you the good way to start which is pretty much what atomos said, although now you got the video.

[qoazi]

[ulysse31]