Cheat Engine The Official Site of Cheat Engine
Author: rtch71an0 (rank: How do I cheat?) | Reputation: 0 | Joined: 23 Apr 2020 | Posts: 2
Posted: Thu Apr 23, 2020 1:30 am
Post subject: Cheat Engine Detection Dilemma
I've been writing my own scripts and botting on a certain game's private server for over 2 years now totally under the radar up until a few weeks ago. The server has recently undergone a sudden increase in population and as such the game moderators must have been looking for anomalies of resource usage and noticed something was up.
The last two times I've attached CE to the process I've received an initial warning and been told not to have CE open while playing the game as it was 'consuming an unnatural amount of resources'; and a second warning after a subsequent failed attempt at cloaking the process via a Sandboxie instance.
I'm not sure if this is the right place to be asking this, but I'm out of my depth and haven't been able to find anything near as definitive an answer to my specific challenges.
1. They (potentially) discovered me via a resource usage anomaly. (My script incorporates constant readPointer() calls for a number of addresses, enough that the CE UI freezes while the script is active.) But, also possibly via a manual string search for things like CE.
Q1. Aside from reducing the impact of the script itself, is it possible to erase the performance footprint of CE?
2. Which leads into the next question. Obviously, I would like to try a variety of solutions in the way of making CE undetected and changing the windows name, VEH, UDCE, etc. But, before that I hope to gain a more total insight into potential mechanics at play here.
Q2. So, is there any consensus notion of whether, firstly, you can completely conceal the attached process from view of the (as of yet unknown in nature) game moderators tools. Secondly, whether that would also erase detection of the performance impact of the process in question.
Any other insights into this would be greatly appreciated. Let it also be noted that readPointer() is the extent of my script's interaction with the game memory.
Thanks for your time. I hope this comes across as somewhat engaging.
Author: Dark Byte (Site Admin) | Reputation: 470 | Joined: 09 May 2003 | Posts: 25794 | Location: The Netherlands
Posted: Thu Apr 23, 2020 3:26 am
A1: Figure out how it detects the "unnatural resource usage" and hook the APIs used to detect that.
Could be it's looking at the current working set, but since you said you're only using readPointer and no memscan I doubt it's that.
A2: Yes, it is possible. You can either hook the target process and the APIs it uses to detect CE (and do that before it detects CE) OR use DBVM and do a system-wide kernel-mode API hook to hide CE using cloaked memory editing. (Only works for Intel CPUs though.)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Author: rtch71an0 (rank: How do I cheat?) | Reputation: 0 | Joined: 23 Apr 2020 | Posts: 2
Posted: Fri Apr 24, 2020 8:08 am
It sounds like using DBVM and something like TitanHide is the closest shot. I'm pretty far out of my depth as it stands, but I'll be banging my head against the keyboard in that general direction now.
Though, I might just have to cut my losses as the game doesn't actually have any automatic consequence (autoban, or self-exit) as a result of attaching a debugger. So I won't be able to safely validate whether I've succeeded in cloaking unless I'm receiving a manual ban. The only way I know it's discoverable is because my account is probably being scrutinized by the game moderators :')
Assuming I do make any meaningful progress though, I'd just like to solicit a risk assessment for following through on this. Were you suggesting that hiding CE in ring 0 is something that would confidently obfuscate both the process and its performance signature from anti-debug detection measures? (NB: I have an intuition that this server is unlikely to implement kernel-level anti-debug.)
I think I've ascertained that the game is using nProtect GameGuard and, according to preliminary research, "OpenProcess and ToolHelp32Snapshot" are the two things monitored/blocked.
Given that information, is DBVM and something like TitanHide really the best shot at overcoming this particular challenge?
Shot In The Dark Dumb Question for an Alternative Solution #1: As I only need to read from the game, is it a possibility to read from the game via DBVM's access to [Physical Memory]? o-o (I noticed DB made that suggestion on another post a while back but didn't fully grasp it.)
SITDDQFAAS #2: Would it be fruitful to look into creating my own kernel-mode driver to read the game memory to circumvent probable system handle scanning (can you read memory without using Win API methods, for example)?
I know I'm a little bit all over the place, but I hope maybe this discourse could be useful to those in the future looking for a novel method of simply reading game memory undetected.
If only Cheat Engine could accomplish that without attaching to the game process.
If anyone has any other novel solutions or directions to point towards in regards to this, I'd be grateful and follow through on exploring them.
Thank you.
Author: atom0s (Moderator) | Reputation: 205 | Joined: 25 Jan 2006 | Posts: 8587 | Location: 127.0.0.1
Posted: Fri Apr 24, 2020 2:59 pm
If the game is using nProtect GameGuard, there are a lot of things that can be done to detect client-sided things. GameGuard includes a lot of features, and it depends on which version they are using, and what options they decide to enable. You won't avoid detection with simple memory edits or alterations either. If it's even just a basic version of GG, you will need to hook NT-level functions to bypass detections, which are going to include:
- Hiding your modules/injected DLLs.
- Hiding your personal processes.
- Hiding any memory edits as GG does memory validation.
- Hiding any additional handles, resources, threads, etc. you create.
And so on. Bypassing GG isn't that hard compared to other anti-cheats but it is a bit of work either way to fully bypass and be able to use Cheat Engine as-is without any edits to it.
_________________
- Retired.