emperor (Master Cheater, Reputation: 0)
Joined: 16 May 2003, Posts: 470, Location: Germany
Posted: Mon Jun 28, 2004 11:25 am, Post subject: nProtect Game guard
Okay, the topic name is a bit stupid; I couldn't think of a better one, as this post is about Game Guard... with Cheat Engine.
When Game Guard is running, you just can't cheat the game. Well... what I mean is I tried selecting the game process using the network version of CE and... fruitless. It's impossible to scan, as it gives an error when selecting the process. So... does anybody know what to do in order to cheat those games with Cheat Engine?
Dark Byte (Site Admin, Reputation: 458)
Joined: 09 May 2003, Posts: 25287, Location: The Netherlands
Posted: Mon Jun 28, 2004 12:10 pm
The next version of CE will work on nProtect, even over the network.
The only problem is that the method I'm using (kernel mode programming) will absolutely not work on 9x, because I'm too lazy to port it there.
It's already working nicely in the beta.
Dark Byte (Site Admin, Reputation: 458)
Joined: 09 May 2003, Posts: 25287, Location: The Netherlands
Posted: Mon Jun 28, 2004 12:20 pm
Oh yes, one method you can use right now is to save the memory regions of ntdll.dll and kernel32.dll in CE before the game has started. (Best reboot first so they are clean.)
Then after starting the game, load those memory regions back in CE, which will undo the changes nProtect did to Cheat Engine, thus removing the hook on OpenProcess and other APIs and allowing you to scan the memory.
ßié (Newbie cheater, Reputation: 0)
Joined: 15 May 2004, Posts: 18
Posted: Tue Jun 29, 2004 7:16 am
Dark Byte wrote:
> Oh yes, one method you can use right now is to save the memory regions of ntdll.dll and kernel32.dll in CE before the game has started. (Best reboot first so they are clean.)
> Then after starting the game, load those memory regions back in CE, which will undo the changes nProtect did to Cheat Engine, thus removing the hook on OpenProcess and other APIs and allowing you to scan the memory.
How do you do that, step by step?
emperor (Master Cheater, Reputation: 0)
Joined: 16 May 2003, Posts: 470, Location: Germany
Posted: Tue Jun 29, 2004 11:06 am
ßié wrote:
> Dark Byte wrote:
> > Oh yes, one method you can use right now is to save the memory regions of ntdll.dll and kernel32.dll in CE before the game has started. (Best reboot first so they are clean.)
> > Then after starting the game, load those memory regions back in CE, which will undo the changes nProtect did to Cheat Engine, thus removing the hook on OpenProcess and other APIs and allowing you to scan the memory.
> How do you do that, step by step?
Yep, I am wondering that too.... I cannot find ntdll.dll and kernel32.dll in my process list. Well, at least for me you needn't bother explaining, as I'm fine with waiting.
Dunno if ßié is fine with waiting though...
Dark Byte (Site Admin, Reputation: 458)
Joined: 09 May 2003, Posts: 25287, Location: The Netherlands
Posted: Tue Jun 29, 2004 11:47 am
One-time initialization (best do this after a reboot, when your system is clean from anti-cheats or other API hooks of viruses etc...):
Select the Cheat Engine process.
Go to the memory view window.
Click View->Enumerate DLL's and functions. (Version 4.3, but only needed in the preparing phase, so you can still use it with older versions like 4.2.)
Find the spot of kernel32.dll and ntdll.dll (in my case they are always at 77e60000 and 77f50000, XP SP1).
Click View->Memory regions and find the address of kernel32 and ntdll.
The line after it will have a protect type called "Execute+Read" (on my system 77e61000).
Right-click it and select "Save selected memory regions". Type in kernel32 and hit save.
Repeat the above for ntdll (so on my system I save 77f51000).
Removing nProtect from CE:
Now, when the game with nProtect has started, it will have messed with your kernel32 and ntdll modules. (You'll notice it by looking at the memory at the location of OpenProcess in the kernel module; it'll have a jump to a completely different address, and in Enumerate DLL's you'll notice a new module called npggnt, or something.)
Select the Cheat Engine process if it wasn't already opened.
Go to the memory view window.
Click File->Load memory regions and select "All files (*.*)".
Load the kernel.m000x and ntdll.m000x files.
It is extremely unlikely those addresses will have changed, so just click OK when it asks for the address to place it at.
If all went OK you can now select the process you want to cheat on and scan its memory.
(If I were nProtect I would prevent any process I have hooked into from changing the memory at kernel32 and ntdll, but last time I tried it didn't do that. Still, don't be surprised if this method is patched some day.)
Edit: In case you are wondering, yes, this method should also work to unprotect other memory scanners.
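The procedure above saves a clean dump of a module's code region and later compares it, by eye in the memory view, with what the anti-cheat left behind ("a jump to a completely different address" at OpenProcess). The following is an added example, not code from this thread or from Cheat Engine, of the comparison step done programmatically, the way an integrity checker (anti-cheat or EDR) would do it: diff the clean dump against the live bytes, attribute each changed range to the export it starts at, and decode a leading `E9` as a jmp rel32 so the report says where control is being diverted. The region base, export table, byte strings and hook target are all constructed for the demo (the base mirrors the 77e61000 figure quoted in the post).

```python
"""
Inline-hook check: compare a clean dump of a module's code region with the
bytes currently mapped there and report what changed.  Added example, not
code from the thread or from Cheat Engine; the region base, export table and
byte strings are constructed for the demo.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

JMP_REL32 = 0xE9  # x86 opcode: jmp rel32 (5 bytes), the classic inline-hook stub


@dataclass
class Change:
    offset: int      # offset into the region where the bytes start to differ
    length: int
    clean: bytes
    current: bytes


def diff_regions(clean: bytes, current: bytes) -> list[Change]:
    """Return the contiguous byte ranges that differ between two equal-sized dumps."""
    if len(clean) != len(current):
        raise ValueError("region sizes differ; compare dumps of the same range")
    changes: list[Change] = []
    i, n = 0, len(clean)
    while i < n:
        if clean[i] == current[i]:
            i += 1
            continue
        start = i
        while i < n and clean[i] != current[i]:
            i += 1
        changes.append(Change(start, i - start, clean[start:i], current[start:i]))
    return changes


def detect_inline_hooks(region_base: int, clean: bytes, current: bytes,
                        exports: dict[str, int]) -> list[dict]:
    """
    Classify each changed range.  A range that starts with E9 is decoded as a
    jmp rel32 so the report shows where control is diverted to; a changed
    range that begins exactly at an export's first byte is attributed to it.
    """
    name_at = {va: name for name, va in exports.items()}
    findings = []
    for ch in diff_regions(clean, current):
        va = region_base + ch.offset
        finding = {"va": va, "length": ch.length, "export": name_at.get(va),
                   "kind": "patched-bytes", "target": None}
        if ch.current[0] == JMP_REL32 and ch.offset + 5 <= len(current):
            rel = struct.unpack_from("<i", current, ch.offset + 1)[0]
            finding["kind"] = "jmp-rel32"
            finding["target"] = (va + 5 + rel) & 0xFFFFFFFF  # rel32 is relative to the next instruction
        findings.append(finding)
    return findings


def demo() -> list[dict]:
    """Constructed scenario: one export redirected by a jmp, one stray byte patch."""
    base = 0x77E61000                       # "Execute+Read" region start quoted in the post
    prologue = bytes.fromhex("8bff558bec")  # mov edi,edi / push ebp / mov ebp,esp
    exports = {"FuncA": base + 0x00, "OpenProcess": base + 0x10, "FuncC": base + 0x20}

    clean = bytearray(b"\xcc" * 0x40)        # int3 padding between three tiny functions
    for va in exports.values():
        off = va - base
        clean[off:off + 5] = prologue

    hook_target = 0x10000000                 # constructed address of a hook's trampoline
    current = bytearray(clean)
    src = exports["OpenProcess"]
    current[0x10:0x15] = bytes([JMP_REL32]) + struct.pack("<i", hook_target - (src + 5))
    current[0x22] = 0x90                     # an unrelated one-byte patch inside FuncC

    return detect_inline_hooks(base, bytes(clean), bytes(current), exports)


if __name__ == "__main__":
    for f in demo():
        tgt = "-" if f["target"] is None else f"{f['target']:08x}"
        print(f"{f['va']:08x} {f['kind']:14} len={f['length']} export={f['export']} target={tgt}")
```

Run stand-alone, the demo reports the 5-byte `jmp-rel32` at OpenProcess landing at 10000000 and a 1-byte `patched-bytes` change inside FuncC. Two caveats for real use: a dump taken after another hooking product (or the OS's own patching) is already on the system is not "clean", which is why the post insists on a reboot first, and a hook can also be a push/ret or a changed import pointer rather than an `E9`, so an unclassified change still deserves a look.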
ßié (Newbie cheater, Reputation: 0)
Joined: 15 May 2004, Posts: 18
Posted: Sat Jul 03, 2004 9:17 am
It won't work on a game with nProtect rev 68, so there's no other method to get around this, right?
Dark Byte (Site Admin, Reputation: 458)
Joined: 09 May 2003, Posts: 25287, Location: The Netherlands
Posted: Sat Jul 03, 2004 10:23 am
Try this beta:
http://www.syndiv.com/ce/beta/ce44k.rar
It doesn't contain any code yet to hide Cheat Engine or the driver. (Will be added.)
Also, this is an early beta and has the ability to completely take down your system if you don't use it safely. (E.g.: you can access kernel memory 80000000 and above, but access non-allocated memory in that region and you'll crash.)
Another thing: while I'm releasing this beta I've been experimenting with some methods to speed up scanning by only scanning memory that has been accessed by the program, meaning that a scan for something that doesn't change will not work, because there's a chance it'll never get accessed. (But that also means the game doesn't use that memory anyhow, so why scan it?)
I haven't put in code yet to change the protection of a memory page in case the kernel version of OpenProcess fails. (If it fails CE uses a secondary method to gain access to the memory, but regular API calls that haven't been wrapped by my DBK32.dll will then fail.)
But, if you REALLY need to change some memory from read-only to writable, use the following formula: 0xc0000000+((Address / 0x1000) *4)
to get the page table entry of that page.
Add that address as a 12-bit entry and set the 2nd bit counting from the right to 1 and it'll be writable. (If it's a shared page, like a DLL, I recommend setting the 3rd bit from the left to 1 instead (the copy-on-write bit), else you'll globally change the memory instead of only in the process, but in some cases that might be useful....)
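The formula in the post is the x86 page-table self-map: on 32-bit Windows without PAE the page directory entry at index 0x300 points back at the directory itself, so every page table becomes visible at 0xC0000000 + (directory index) * 0x1000 and the entry for a given address sits 4 bytes per page after that. The following is an added example, not code from this thread or from Cheat Engine, that derives the one-liner from the two-level walk and decodes the bits the post refers to: bit 1 (the "2nd bit from the right") is the hardware R/W flag, and bit 9 (the "3rd bit from the left" of the low 12 bits) is the OS-reserved bit Windows uses as its copy-on-write marker, which is what makes a write private to one process instead of changing the shared DLL page for everyone. The functions only compute and decode; the sample entries are constructed.

```python
"""
Where 0xC0000000 + (Address / 0x1000) * 4 comes from, and how to read the
bits of the entry it points at.  Added example, not code from the thread or
from Cheat Engine.  Assumes classic 32-bit x86 Windows without PAE (the
XP SP1 setup the post describes): 4 KB pages, a 1024-entry page directory,
32-bit entries, self-map at 0xC0000000.  Nothing here touches real page tables.
"""
PTE_BASE = 0xC0000000   # virtual address at which the self-map exposes all page tables
PAGE_SHIFT = 12
PTE_SIZE = 4            # non-PAE entries are 32 bits

# Hardware-defined bits of a 32-bit x86 PTE
PTE_PRESENT = 1 << 0
PTE_WRITE = 1 << 1      # the "2nd bit from the right" in the post
PTE_USER = 1 << 2
# Bits 9-11 are left to the OS; Windows uses bit 9 as its copy-on-write flag
# (the "3rd bit from the left" of the low 12 bits in the post).
PTE_COPY_ON_WRITE = 1 << 9


def pte_va_from_formula(addr: int) -> int:
    """The post's one-liner."""
    return PTE_BASE + (addr >> PAGE_SHIFT) * PTE_SIZE


def pte_va_from_selfmap(addr: int) -> int:
    """Same value, derived from the two-level walk the self-map short-circuits."""
    pde_index = addr >> 22                        # top 10 bits pick the page directory entry
    pte_index = (addr >> PAGE_SHIFT) & 0x3FF      # next 10 bits pick the entry in that table
    table_va = PTE_BASE + pde_index * 0x1000      # where the self-map exposes that page table
    return table_va + pte_index * PTE_SIZE


def decode_pte(pte: int) -> dict:
    """Split a raw 32-bit entry into the fields a reader cares about."""
    return {
        "pfn": pte >> PAGE_SHIFT,                 # physical page number
        "present": bool(pte & PTE_PRESENT),
        "writable": bool(pte & PTE_WRITE),
        "user": bool(pte & PTE_USER),
        "copy_on_write": bool(pte & PTE_COPY_ON_WRITE),
    }


def describe(pte: int) -> str:
    """Human-readable summary, e.g. for a memory-view tooltip."""
    f = decode_pte(pte)
    if not f["present"]:
        return "not present"
    access = "read/write" if f["writable"] else "read-only"
    scope = "copy-on-write (private to this process)" if f["copy_on_write"] else "shared mapping"
    mode = "user" if f["user"] else "kernel"
    return f"pfn 0x{f['pfn']:05x}, {access}, {scope}, {mode}"


if __name__ == "__main__":
    addr = 0x77E61010   # inside the kernel32 code region quoted in the post
    print(f"PTE for {addr:08x}: {pte_va_from_formula(addr):08x} "
          f"(self-map walk: {pte_va_from_selfmap(addr):08x})")
    # Constructed entries: a shared read-only DLL page, then the same page marked CoW
    for raw in (0x01234025, 0x01234225):
        print(f"{raw:08x}: {describe(raw)}")
```

For the address 77E61010 both functions give C01DF984, which is the check that the shortcut and the full walk agree. The decoded output for the two constructed entries shows the distinction the post is making: the same physical page, read-only in both, but only the second is flagged copy-on-write, so a later write to it would be given a private copy rather than landing in the mapping every process shares.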
ßié (Newbie cheater, Reputation: 0)
Joined: 15 May 2004, Posts: 18
Posted: Sat Jul 03, 2004 10:42 am
Thanks, I'll try it.
Edit:
Yep, it worked. At first I thought it wouldn't work, because it said it cannot write all the memory; after that I tried to open the process, and yep... it worked.
ßié (Newbie cheater, Reputation: 0)
Joined: 15 May 2004, Posts: 18
Posted: Sat Jul 03, 2004 8:33 pm
It worked at first, hehehe... made unlimited items and sold them... got lots of money.
Then a strange thing happened: it worked the 2nd time too, but not fully functional... it can search, it can find the value and address....
but a few seconds after that, the value turns to "??". Do the same search and it can be found, but the same happens... a few seconds later the value again turns to "??".
http://www.ryl.com.my
Dark Byte (Site Admin, Reputation: 458)
Joined: 09 May 2003, Posts: 25287, Location: The Netherlands
Posted: Sun Jul 04, 2004 3:50 am
If you didn't close the CE beta the normal way (e.g. rebooted or closed it with Task Manager, or had a spontaneous reboot/blue screen) you've screwed up the driver that it loads.
The best method to check is to open any process with CE and add address c0000000; if that address results in ?? you're going to do some special handling.
In a command prompt type (doesn't matter where):
net stop MSJDRVR
net start MSJDRVR
(And in case you're wondering why I call it MSJDRVR, that's because it's the basic example where I ripped out all the original code and added mine; I haven't come to renaming it yet.)
If all went right you should then be able to use CE again and add address c0000000, and it should show 0 instead of ??.
Edit: Download the updated dbk32.dll at http://syndiv.com/ce/beta/ce44k2.rar and overwrite the original with it. It can handle crashes better. Open and close Cheat Engine one time and wait a minute. Then open CE and the kernel module should be working again.
But that doesn't really explain why it finds some addresses first and after scanning it results in ??. This sounds as if you were using the hyperscan where it didn't filter itself, or you somehow scanned the Cheat Engine process instead of the game. (Could be a bug where it gives process handle -1 to scan, which equals the current process, or the routine to change the current process context in kernel failed, but then the whole function should have failed.)
ßié (Newbie cheater, Reputation: 0)
Joined: 15 May 2004, Posts: 18
Posted: Sun Jul 04, 2004 7:39 am
If I do this:
net stop MSJDRVR
net start MSJDRVR
??
If I do this:
net stop MSJDRVR
0
Dark Byte (Site Admin, Reputation: 458)
Joined: 09 May 2003, Posts: 25287, Location: The Netherlands
Posted: Sun Jul 04, 2004 8:28 am
You used that updated DLL? If you close CE then it'll remove the driver from the service list, so that it can be added next time you start CE again.
If you then have closed CE, the net start/stop MSJDRVR should fail because it doesn't exist. (If it doesn't fail after closing CE I recommend a reboot.)
ßié (Newbie cheater, Reputation: 0)
Joined: 15 May 2004, Posts: 18
Posted: Sun Jul 04, 2004 8:37 am
Yes, I use the updated DLL. Thanks Dark Byte.
If I do this:
net stop MSJDRVR
net start MSJDRVR
??
Cannot hack the game.
If I do this:
net stop MSJDRVR
0
I can hack those games.
:)
emperor (Master Cheater, Reputation: 0)
Joined: 16 May 2003, Posts: 470, Location: Germany
Posted: Tue Jul 06, 2004 7:23 am
ßié wrote:
> It worked at first, hehehe... made unlimited items and sold them... got lots of money.
> Then a strange thing happened: it worked the 2nd time too, but not fully functional... it can search, it can find the value and address....
> but a few seconds after that, the value turns to "??". Do the same search and it can be found, but the same happens... a few seconds later the value again turns to "??".
> http://www.ryl.com.my
Btw, care to share that cheat? The way of finding the correct address for it, I mean. I can understand if you don't want to; just in case you really don't mind.