Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


nProtect Game guard
emperor
Master Cheater
Reputation: 0

Joined: 16 May 2003
Posts: 470
Location: Germany

Posted: Mon Jun 28, 2004 11:25 am    Post subject: nProtect Game guard

Okay, the topic name is a bit stupid; I couldn't think of a better one, as this post is about Game Guard... with Cheat Engine.
When Game Guard is running, you just can't cheat the game. Well... what I mean is I tried selecting the game process using the network version of CE and... fruitless. It's impossible to scan, as it gives an error when selecting the process. So... does anybody know what to do in order to cheat those games with Cheat Engine?

Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25287
Location: The Netherlands

Posted: Mon Jun 28, 2004 12:10 pm

Next version of CE will work on nProtect. Even over the network.

Only problem is that this method I'm using (kernel mode programming) will absolutely not work on 9x, because I'm too lazy to port it there.

It's already working nicely in the beta.

Dark Byte
Posted: Mon Jun 28, 2004 12:20 pm

Oh yes, one method you can use right now is to save the memory regions of ntdll.dll and kernel32.dll in CE before the game has started. (Best reboot first so they are clean.)

Then, after starting the game, load those memory regions back in CE, which will undo the changes nProtect did to Cheat Engine, thus removing the hook on OpenProcess and other APIs and allowing you to scan the memory.

ßié
Newbie cheater
Reputation: 0

Joined: 15 May 2004
Posts: 18

Posted: Tue Jun 29, 2004 7:16 am

Dark Byte wrote:
Oh yes, one method you can use right now is to save the memory regions of ntdll.dll and kernel32.dll in CE before the game has started. (Best reboot first so they are clean.)

Then, after starting the game, load those memory regions back in CE, which will undo the changes nProtect did to Cheat Engine, thus removing the hook on OpenProcess and other APIs and allowing you to scan the memory.


How do I do that, step by step?

emperor
Posted: Tue Jun 29, 2004 11:06 am

ßié wrote:
Dark Byte wrote:
Oh yes, one method you can use right now is to save the memory regions of ntdll.dll and kernel32.dll in CE before the game has started. (Best reboot first so they are clean.)

Then, after starting the game, load those memory regions back in CE, which will undo the changes nProtect did to Cheat Engine, thus removing the hook on OpenProcess and other APIs and allowing you to scan the memory.


How do I do that, step by step?

Yep, I am wondering that too... I cannot find ntdll.dll and kernel32.dll in my process list. Well, at least for me you needn't bother explaining, as I'm fine with waiting.
Dunno if ßié is fine with waiting though...

Dark Byte
Posted: Tue Jun 29, 2004 11:47 am

One-time initialization: (best do this after a reboot, when your system is clean of anti-cheats or other API hooks of viruses etc...)
Select the Cheat Engine process.
Go to the memory view window.
Click view->enumerate dll's and functions. (Version 4.3, but only needed in the preparing phase, so you can still use it with older versions like 4.2.)
Find the spot of kernel32.dll and ntdll.dll (in my case they are always at 77e60000 and 77f50000, XP SP1).
Click view->memoryregions and find the address of kernel32 and ntdll.
The line after it will have a protect type called "Execute+Read" (on my system 77e61000).
Right-click it and select save selected memory regions. Type in kernel32 and hit save.
Repeat the above for ntdll (so on my system I save 77f51000).


Removing nProtect from CE:
Now, when the game with nProtect has started, it will have messed with your kernel32 and ntdll modules. (You'll notice it by looking at the memory at the location of OpenProcess in the kernel module: it'll have a jump to a completely different address, and in enumerate dll's you'll notice a new module called npggnt, or something.)
Select the Cheat Engine process if it wasn't already opened.
Go to the memory view window.
Click file->load memoryregions and select "all files (*.*)",
and load the kernel.m000x and ntdll.m000x files.
It is extremely unlikely those addresses will have changed, so just click ok when it asks for the address to place it.
If all went ok, you can now select the process you want to cheat on and scan its memory.

(If I were nProtect I would prevent any process I have hooked into from changing the memory at kernel32 and ntdll, but last time I tried it didn't do that. Don't be surprised if this method is patched some day.)

Edit: In case you are wondering, yes, this method should also work to unprotect other memory scanners.
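The sign Dark Byte describes in the post above (a jump at the start of OpenProcess to a completely different address) is also how inline API hooks from malware are spotted in general. The following is an added example, not part of the original post or of Cheat Engine's code: it compares a saved clean prologue with the live bytes and reports where a `jmp rel32` detour lands. The function address, module size and byte values are constructed; only the module base 77e60000 comes from the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { PROLOGUE_CLEAN, PROLOGUE_PATCHED, PROLOGUE_DETOURED } hook_state;

typedef struct {
    hook_state state;
    uint32_t   target;     /* detour destination, valid when DETOURED */
    int        in_module;  /* 1 if the destination stays inside the module */
} hook_report;

/* Compare a saved clean prologue with the live bytes (32-bit x86).
   `E9 rel32` is a near jump to func_va + 5 + rel32. */
hook_report check_prologue(const uint8_t *clean, const uint8_t *live, size_t len,
                           uint32_t func_va, uint32_t mod_base, uint32_t mod_size)
{
    hook_report r = { PROLOGUE_CLEAN, 0, 0 };
    if (memcmp(clean, live, len) == 0)
        return r;
    r.state = PROLOGUE_PATCHED;            /* bytes differ; default if no jmp rel32 */
    if (len >= 5 && live[0] == 0xE9) {
        uint32_t rel = (uint32_t)live[1] | (uint32_t)live[2] << 8 |
                       (uint32_t)live[3] << 16 | (uint32_t)live[4] << 24;
        r.state = PROLOGUE_DETOURED;
        r.target = func_va + 5u + rel;     /* wraps mod 2^32, so negative rel works */
        r.in_module = (r.target - mod_base) < mod_size;
    }
    return r;
}

/* Constructed sample bytes, not captured from a real system. */
static const uint8_t CLEAN[5]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
static const uint8_t HOOKED[5] = { 0xE9, 0xFB, 0xFF, 0x19, 0x98 };

/* Hypothetical function at 0x77e61000 in a module mapped at 0x77e60000
   (the kernel32 base quoted in the post); the module size is assumed. */
hook_report demo(const uint8_t *live)
{
    return check_prologue(CLEAN, live, 5, 0x77E61000u, 0x77E60000u, 0x000F0000u);
}

int main(void)
{
    hook_report r = demo(HOOKED);
    printf("state=%d target=0x%08X in_module=%d\n",
           r.state, (unsigned)r.target, r.in_module);
    return 0;
}
```

A detour whose target falls outside the module that owns the function is the case worth investigating; the owner of the target address can then be looked up in the loaded-module list.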

ßié
Posted: Sat Jul 03, 2004 9:17 am

It won't work on a game with nProtect rev 68, so there's no other method to get around this, right?

Dark Byte
Posted: Sat Jul 03, 2004 10:23 am

try this beta:
http://www.syndiv.com/ce/beta/ce44k.rar

It doesn't contain any code yet to hide Cheat Engine, or the driver. (Will be added.)

Also, this is an early beta and has the ability to completely take down your system if you don't use it safely. (E.g.: you can access kernel memory 80000000 and above, but access non-allocated memory in that region and you'll crash.)

Another thing: while I'm releasing this beta I've been experimenting with some methods to speed up scanning by only scanning memory that has been accessed by the program, meaning that a scan for something that doesn't change will not work, because there's a chance it'll never get accessed. (But that also means the game doesn't use that memory anyhow, so why scan it?)

I haven't put in code yet to change the protection of a memory page in case the kernel version of OpenProcess fails. (If it fails, CE uses a secondary method to gain access to the memory, but regular API calls that haven't been wrapped by my DBK32.dll will then fail.)
But, if you REALLY need to change some memory from read only to writable, use the following formula: 0xc0000000+((Address / 0x1000) *4)
to get the page table entry of that page.
Add that address as a 12 bit entry and set the 2nd bit counting from right to 1 and it'll be writable. (If it's a shared page, like a dll, I recommend setting the 3rd bit from left to 1 instead (copy-on-write bit), else you'll globally change the memory instead of only in the process, but in some cases that might be useful....)

ßié
Posted: Sat Jul 03, 2004 10:42 am

Thanks :), I'll try it.

Edit:

Yep, it worked. At first I thought it wouldn't work, because it said it cannot write all the memory; after that I tried to open the process, yep... worked.

ßié
Posted: Sat Jul 03, 2004 8:33 pm

It worked at first, hehehe... made unlimited items and sold them... got lots of money.

Then a strange thing happened: it also worked the 2nd time, but not fully functional... it can search, it can find the value and address....

But a few seconds after that, the value turns to "??". Do the same search, it can be found, but the same happens... after a few seconds the value again turns to "??"

http://www.ryl.com.my

Dark Byte
Posted: Sun Jul 04, 2004 3:50 am

If you didn't close the CE beta the normal way (e.g. rebooted or closed it with task manager, or had a spontaneous reboot/blue screen) you've screwed up the driver that it loads.

Best method to check is to open any process with CE and add address c0000000; if that address results in ?? you'll need to do some special handling.

In a command prompt type: (doesn't matter where)
net stop MSJDRVR
net start MSJDRVR

(And in case you're wondering why I call it MSJDRVR, that's because it's the basic example where I ripped out all the original code and added mine; I haven't come to renaming it yet.)

If all went right you should then be able to use CE again and add address c0000000 and it should show 0 instead of ??

Edit: download the updated dbk32.dll at http://syndiv.com/ce/beta/ce44k2.rar and overwrite the original with this. It can handle crashes better. Open and close Cheat Engine one time and wait a minute. Then open CE and the kernel module should be working again.


But that doesn't really explain why it finds some addresses first and after scanning it results in ??. This sounds as if you were using the hyperscan where it didn't filter itself, or you somehow scanned the Cheat Engine process instead of the game. (Could be a bug where it gives process handle -1 to scan, which equals the current process, or the routine to change the current process context in kernel failed, but then the whole function should have failed.)

ßié
Posted: Sun Jul 04, 2004 7:39 am

If I do this
net stop MSJDRVR
net start MSJDRVR

??

If I do this
net stop MSJDRVR

0

Dark Byte
Posted: Sun Jul 04, 2004 8:28 am

You used that updated dll? If you close CE then it'll remove the driver from the service list, so that it can be added the next time you start CE again.

If you then have closed CE, the net start/stop MSJDRVR should then fail because it doesn't exist. (If it doesn't fail after closing CE I recommend a reboot.)

ßié
Posted: Sun Jul 04, 2004 8:37 am

Yes, I use the updated dll. Thanks Dark Byte

If I do this
net stop MSJDRVR
net start MSJDRVR

??

cannot hack game

If I do this
net stop MSJDRVR

0

I can hack that game

:)

emperor
Posted: Tue Jul 06, 2004 7:23 am

ßié wrote:
It worked at first, hehehe... made unlimited items and sold them... got lots of money.

Then a strange thing happened: it also worked the 2nd time, but not fully functional... it can search, it can find the value and address....

But a few seconds after that, the value turns to "??". Do the same search, it can be found, but the same happens... after a few seconds the value again turns to "??"

http://www.ryl.com.my

Btw, care to share that cheat, the way of finding the correct address for it I mean? I can understand if you don't want to, just in case you really don't mind.

All times are GMT - 6 Hours
Page 1 of 9