Cheat Engine Forum (The Official Site of Cheat Engine)
GameGuard Hack Detected

Cheat Engine Forum Index -> General programming

iPromise
Posted: Sat Apr 10, 2010 9:44 pm    Post subject: GameGuard Hack Detected

I tried everything, renaming strings, changing names, hookhops, and I still get the same results.

m.cpp

Code:

#include <windows.h>
#include <sstream>
#include <iostream>
#include <fstream>

using namespace std;

#include "a.h"   // supplies the offsets ofm1, ofm2, ofrm1, ofmp1 (not posted)
#include "f.h"

// Thread entry point. The signature has to match LPTHREAD_START_ROUTINE
// (DWORD WINAPI fn(LPVOID)) instead of being cast from a void function.
DWORD WINAPI di(LPVOID)
{
   DWORD bptr = gcba();
   if (!bptr)
      return 1;                       // module not found: nothing to read

   DWORD mbptr1 = bptr + ofm1;
   DWORD mbptr2 = bptr + ofm2;
   DWORD rmptr1 = bptr + ofrm1;
   DWORD mpptr1 = bptr + ofmp1;

   // One screen DC for the life of the thread. The original created a new DC
   // on every 5 ms iteration and never deleted it, leaking a GDI handle each time.
   HDC d = cdcx("DISPLAY", NULL, NULL, NULL);
   if (!d)
      return 1;
   sbkm(d, TRANSPARENT);              // TRANSPARENT == 1, the value used originally
   stc(d, RGB(255, 0, 0));

   while (1)
   {
      stringstream ss1, ss2, ss3, ss4;
      string msfdwt, rmfdwt, mpfdwt;

      DWORD mbvfr1, mbvfr2, rnvfr1, mvfr1;

      mbvfr1 = *(DWORD*) mbptr1;
      mbvfr2 = *(DWORD*) mbptr2;      // read but never displayed in the original
      rnvfr1 = *(DWORD*) rmptr1 + 1;
      mvfr1 = *(DWORD*) mpptr1;

      ss1 << mbvfr1;
      ss2 << mbvfr2;
      ss3 << rnvfr1;
      ss4 << mvfr1;

      msfdwt = "Mobile.V: ";
      msfdwt += ss1.str();

      rmfdwt = "Room.V: ";
      rmfdwt += ss3.str();

      mpfdwt = "Map.V: ";
      mpfdwt += ss4.str();

      tox(d, 10, 10, msfdwt.c_str(), (int) msfdwt.length());
      tox(d, 10, 30, rmfdwt.c_str(), (int) rmfdwt.length());
      tox(d, 10, 50, mpfdwt.c_str(), (int) mpfdwt.length());

      s(5);
   }
}

BOOL WINAPI DllMain(HINSTANCE hinstDll, DWORD fdwReason, LPVOID lpReserved)
{
   switch (fdwReason)
   {
   case DLL_PROCESS_ATTACH:
      {
         // dwStackSize and dwCreationFlags are DWORDs: pass 0, not NULL.
         HANDLE h = CreateThread(NULL, 0, di, NULL, 0, NULL);
         if (h)
            CloseHandle(h);         // the thread keeps running; only our handle is released
      }
      break;
   }

   return TRUE;
}


f.h

Code:

#pragma once
#include <windows.h>

// "Hookhop" stubs. Each one re-executes the 5-byte hotpatch prologue of the
// real API (MOV EDI,EDI / PUSH EBP / MOV EBP,ESP) and then jumps to
// function+5, so an inline hook written over those first 5 bytes is skipped.
// For this to work at all:
//  - the stub must be __declspec(naked); otherwise the compiler emits its own
//    PUSH EBP / MOV EBP,ESP in front of the inline asm and the callee sees a
//    shifted stack frame (arguments at the wrong [EBP+n]);
//  - the prologue copy must be MOV EBP,ESP, not MOV ESP,EBP (the latter
//    overwrites the stack pointer with the frame pointer);
//  - the target must really begin with that prologue (the Win32 exports used
//    here do; check in a disassembler before adding others);
//  - 32-bit stdcall only: the real function's RET n cleans the arguments.

DWORD gmhaptr = (DWORD) GetModuleHandleA + 5;

__declspec(naked) HMODULE WINAPI gmha(LPCSTR lmn)
{
   __asm {
      MOV EDI,EDI
      PUSH EBP
      MOV EBP,ESP
      JMP [gmhaptr]   ; was JMP [gmha]: that reads the stub's own code bytes as the address
   }
}

DWORD llptr = (DWORD) LoadLibraryA + 5;

__declspec(naked) HMODULE WINAPI ll(LPCSTR lfn)
{
   __asm {
      MOV EDI,EDI
      PUSH EBP
      MOV EBP,ESP
      JMP [llptr]
   }
}

DWORD stcptr = (DWORD) SetTextColor + 5;

__declspec(naked) COLORREF WINAPI stc(HDC hd, COLORREF c)
{
   __asm {
      MOV EDI,EDI
      PUSH EBP
      MOV EBP,ESP
      JMP [stcptr]
   }
}

DWORD sbkmptr = (DWORD) SetBkMode + 5;

__declspec(naked) int WINAPI sbkm(HDC hd, int bm)
{
   __asm {
      MOV EDI,EDI
      PUSH EBP
      MOV EBP,ESP
      JMP [sbkmptr]
   }
}

DWORD toptr = (DWORD) TextOutA + 5;

__declspec(naked) BOOL WINAPI tox(HDC hd, int sta, int sto, LPCSTR str, int strlen)
{
   __asm {
      MOV EDI,EDI
      PUSH EBP
      MOV EBP,ESP
      JMP [toptr]
   }
}

DWORD cdcptr = (DWORD) CreateDCA + 5;

__declspec(naked) HDC WINAPI cdcx(LPCSTR d, LPCSTR de, LPCSTR out, CONST DEVMODE* lid)
{
   __asm {
      MOV EDI,EDI
      PUSH EBP
      MOV EBP,ESP
      JMP [cdcptr]
   }
}

DWORD sptr = (DWORD) Sleep + 5;

__declspec(naked) VOID WINAPI s(DWORD f)
{
   __asm {
      MOV EDI,EDI
      PUSH EBP
      MOV EBP,ESP
      JMP [sptr]
   }
}

// Base address of the game module, loading it if it is not already mapped.
DWORD gcba()
{
   DWORD ba;

   ba = (DWORD) gmha("GunBound.gme");

   if (!ba)
   {
      ba = (DWORD) ll("GunBound.gme");
   }

   return ba;
}


I'm not going to share a.h because it's filled with offsets and addresses, and I don't want some noob who is browsing the internet to steal the offsets that I found with my hard work; hope you guys understand.
Bswap
Posted: Sat Apr 10, 2010 11:44 pm

Quote:
case DLL_PROCESS_ATTACH:
{
CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE) di, NULL, NULL, NULL);
}


If I were developing GG, I would hook CreateThread().

They probably check the value of ESP (the return EIP following the CALL), and if that address is beyond the range of the game's code section, the function was called from an external source.
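A worked version of the check Bswap describes, as an added example (mine, not code from the thread and not GameGuard's): a CreateThread hook takes the return address the CALL pushed and asks whether it lies inside the main module's executable section. The section range is read from the module's own PE headers. So that it runs stand-alone without windows.h, the image is a constructed headers-only PE32 (assumed base 0x00400000, .text at RVA 0x1000, size 0x1000); the function names, the fake image and the probe addresses are all assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_SCN_MEM_EXECUTE 0x20000000u

/* Byte offsets from the PE format; only the fields this walk needs. */
#define DOS_E_MAGIC   0x00   /* "MZ" */
#define DOS_E_LFANEW  0x3C   /* file offset of the NT headers */
#define NT_SIG_SIZE   4      /* "PE\0\0" */
#define FH_NSECTIONS  2      /* FileHeader.NumberOfSections */
#define FH_OPTSIZE    16     /* FileHeader.SizeOfOptionalHeader */
#define FH_SIZE       20
#define SH_SIZE       40     /* one IMAGE_SECTION_HEADER */
#define SH_VSIZE      8      /* Misc.VirtualSize */
#define SH_VADDR      12     /* VirtualAddress (RVA) */
#define SH_CHARS      36     /* Characteristics */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* DOS header -> NT headers -> section table; returns the RVA and size of the
 * first executable section. 1 on success, 0 if the headers are truncated or
 * malformed or no executable section exists. Every read is bounds-checked. */
int find_code_section(const uint8_t *img, size_t len, uint32_t *rva, uint32_t *size)
{
    if (len < 0x40 || rd16(img + DOS_E_MAGIC) != 0x5A4D) return 0;
    uint32_t nt = rd32(img + DOS_E_LFANEW);
    if (nt > len - (NT_SIG_SIZE + FH_SIZE)) return 0;        /* NT headers must fit */
    if (rd32(img + nt) != 0x00004550) return 0;
    const uint8_t *fh = img + nt + NT_SIG_SIZE;
    uint16_t nsect = rd16(fh + FH_NSECTIONS);
    uint16_t optsz = rd16(fh + FH_OPTSIZE);
    size_t sh = (size_t)nt + NT_SIG_SIZE + FH_SIZE + optsz;
    for (uint16_t i = 0; i < nsect; i++, sh += SH_SIZE) {
        if (sh + SH_SIZE > len) return 0;
        if (rd32(img + sh + SH_CHARS) & IMAGE_SCN_MEM_EXECUTE) {
            *rva  = rd32(img + sh + SH_VADDR);
            *size = rd32(img + sh + SH_VSIZE);
            return 1;
        }
    }
    return 0;
}

/* The decision a CreateThread hook would make on the pushed return address:
 *  1  caller lies inside the main module's code section
 *  0  caller is elsewhere (an injected DLL, shellcode, a data section)
 * -1  image headers could not be parsed */
int caller_is_game_code(const uint8_t *img, size_t len, uint32_t base, uint32_t ret_addr)
{
    uint32_t rva, size;
    if (!find_code_section(img, len, &rva, &size)) return -1;
    uint32_t lo = base + rva, hi = lo + size;
    return (ret_addr >= lo && ret_addr < hi) ? 1 : 0;
}

/* Constructed headers-only PE32 image (an assumption, not a real game binary):
 * .text at RVA 0x1000, size 0x1000, executable; .data at RVA 0x2000, not. */
size_t build_fake_image(uint8_t *buf, size_t cap)
{
    const uint32_t nt = 0x80, optsz = 224;           /* 224 = PE32 optional header */
    size_t sh = nt + NT_SIG_SIZE + FH_SIZE + optsz;   /* 0x178 */
    size_t total = sh + 2 * SH_SIZE;
    if (cap < total) return 0;
    memset(buf, 0, total);
    wr16(buf + DOS_E_MAGIC, 0x5A4D);
    wr32(buf + DOS_E_LFANEW, nt);
    wr32(buf + nt, 0x00004550);
    wr16(buf + nt + NT_SIG_SIZE, 0x014C);                 /* Machine = i386 */
    wr16(buf + nt + NT_SIG_SIZE + FH_NSECTIONS, 2);
    wr16(buf + nt + NT_SIG_SIZE + FH_OPTSIZE, (uint16_t)optsz);
    wr16(buf + nt + NT_SIG_SIZE + FH_SIZE, 0x010B);       /* OptionalHeader.Magic = PE32 */
    memcpy(buf + sh, ".text", 5);
    wr32(buf + sh + SH_VSIZE, 0x1000);
    wr32(buf + sh + SH_VADDR, 0x1000);
    wr32(buf + sh + SH_CHARS, 0x60000020);                /* CODE | EXECUTE | READ */
    memcpy(buf + sh + SH_SIZE, ".data", 5);
    wr32(buf + sh + SH_SIZE + SH_VSIZE, 0x1000);
    wr32(buf + sh + SH_SIZE + SH_VADDR, 0x2000);
    wr32(buf + sh + SH_SIZE + SH_CHARS, 0xC0000040);      /* INITIALIZED_DATA | READ | WRITE */
    return total;
}

/* Classify one return address against the constructed image at base 0x00400000. */
int classify_fake(uint32_t ret_addr)
{
    uint8_t img[0x200];
    size_t n = build_fake_image(img, sizeof img);
    return caller_is_game_code(img, n, 0x00400000u, ret_addr);
}

int main(void)
{
    /* Constructed probes: game .text, an injected DLL at the 0x10000000 default base, game .data. */
    const uint32_t probes[] = { 0x00401234u, 0x10001234u, 0x00402010u };
    for (size_t i = 0; i < 3; i++)
        printf("caller 0x%08x -> %d\n", (unsigned)probes[i], classify_fake(probes[i]));
    return 0;
}
```

Two caveats a practitioner would add. The same walk gives a protector the range of any module, so a hook can just as easily flag a return address that falls in no legitimately loaded image at all, and the start address passed to CreateThread (here `di`, inside the injected DLL) can be tested the same way. And a return-address check is defeated by calling the API through a `ret` gadget that lives in the game's own code section, which is why it is usually only one of several checks.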
sponge
Posted: Sun Apr 11, 2010 3:53 am

GameGuard could be traversing the PEB in search of injected modules.
Dark Byte (Site Admin)
Posted: Sun Apr 11, 2010 4:31 am

Or GG is looking through the game's memory for known DLL injections and hooks.

e.g., doing a scan for:
Code:

MOV EDI,EDI
PUSH EBP
MOV EBP,ESP
JMP [xxxxxxxx]

will detect most of the injected DLLs.
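The scan Dark Byte describes, as an added example (mine, not code from the thread and not GameGuard's): a masked byte-pattern search for the hop stub as MSVC assembles it, `8B FF 55 8B EC` (the hotpatch prologue copy) followed by `FF 25 xx xx xx xx` (`JMP DWORD PTR [imm32]`), run over a constructed buffer that stands in for a region of the game's memory. The buffer contents, the pointer-slot addresses (0x10005000 and so on) and the function names are assumptions for the example; on a live process the same `find_hop_stubs` would be run over every readable, executable page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Signature of one f.h stub once assembled (32-bit, MSVC inline asm):
 *   8B FF               mov edi,edi
 *   55                  push ebp
 *   8B EC               mov ebp,esp
 *   FF 25 ?? ?? ?? ??   jmp dword ptr [imm32]  (address of the pointer slot varies)
 * Mask: 'x' = byte must match, '?' = wildcard. */
static const uint8_t HOP_SIG[]  = { 0x8B,0xFF, 0x55, 0x8B,0xEC, 0xFF,0x25, 0,0,0,0 };
static const char    HOP_MASK[] = "xxxxxxx????";

/* Offset of the first match at or after `start`, or -1 if there is none. */
long find_sig(const uint8_t *mem, size_t len, const uint8_t *sig, const char *mask, size_t start)
{
    size_t n = strlen(mask);
    for (size_t i = start; i + n <= len; i++) {
        size_t j = 0;
        while (j < n && (mask[j] == '?' || mem[i + j] == sig[j])) j++;
        if (j == n) return (long)i;
    }
    return -1;
}

/* Find every hop stub in a region and record the imm32 each one jumps through
 * (the address of the DWORD that holds api+5). Returns the number of stubs. */
size_t find_hop_stubs(const uint8_t *mem, size_t len, uint32_t *slots, size_t max_slots)
{
    size_t found = 0;
    for (long off = find_sig(mem, len, HOP_SIG, HOP_MASK, 0); off >= 0;
         off = find_sig(mem, len, HOP_SIG, HOP_MASK, (size_t)off + 1)) {
        const uint8_t *p = mem + off + 7;          /* the four wildcard bytes */
        if (found < max_slots)
            slots[found] = (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        found++;
    }
    return found;
}

/* Constructed region (an assumption, not a dump of any real process), in order:
 *  - filler
 *  - a genuine hotpatchable function entry followed by sub esp,10h  (no hit:
 *    the prologue bytes alone are everywhere, the signature keys on FF 25 after them)
 *  - two hop stubs of the f.h kind, pointer slots 0x10005000 and 0x10005004
 *  - the same trampoline rewritten as push ebp / mov ebp,esp / mov eax,[0x10005008] /
 *    jmp eax: same effect, different bytes, no hit */
static const uint8_t REGION[] = {
    0x90, 0x90, 0xCC,
    0x8B,0xFF, 0x55, 0x8B,0xEC, 0x83,0xEC,0x10, 0xC3,
    0x8B,0xFF, 0x55, 0x8B,0xEC, 0xFF,0x25, 0x00,0x50,0x00,0x10,
    0xCC, 0xCC,
    0x8B,0xFF, 0x55, 0x8B,0xEC, 0xFF,0x25, 0x04,0x50,0x00,0x10,
    0x55, 0x8B,0xEC, 0xA1, 0x08,0x50,0x00,0x10, 0xFF,0xE0,
    0x90,
};

/* Number of hop stubs in REGION. */
size_t scan_region(void)
{
    uint32_t s[8];
    return find_hop_stubs(REGION, sizeof REGION, s, 8);
}

/* Pointer slot of the i-th stub found in REGION, 0 if there is no such stub. */
uint32_t region_slot(size_t i)
{
    uint32_t s[8] = {0};
    size_t n = find_hop_stubs(REGION, sizeof REGION, s, 8);
    return (i < n && i < 8) ? s[i] : 0;
}

int main(void)
{
    uint32_t slots[8];
    size_t n = find_hop_stubs(REGION, sizeof REGION, slots, 8);
    printf("%u hop stub(s)\n", (unsigned)n);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("  stub %u jumps through [0x%08x]\n", (unsigned)i, (unsigned)slots[i]);
    return 0;
}
```

The last entry in the constructed region is the point of Slugsnack's later advice: a stub that does the same job with different instructions (or the same instructions in a different order) slips past a byte signature, and the only way to find out which bytes are being matched is to cut code out until the detection stops firing.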
iPromise
Posted: Sun Apr 11, 2010 9:28 am

@Dark Byte, so then what can I do?

If GG does check ESP and checks whether there is any address beyond the game's region, what can I do to bypass that? I never knew GG was this hard to bypass.
HomerSexual
Posted: Sun Apr 11, 2010 9:33 am

iPromise wrote:
@Dark Byte, so then what can I do?

If GG does check ESP and checks whether there is any address beyond the game's region, what can I do to bypass that? I never knew GG was this hard to bypass.


Come up with conventional methods of hacking.
Slugsnack
Posted: Sun Apr 11, 2010 2:23 pm

Oh, just BTW: changing function names does not actually help you at all, since none of your functions are being exported. Changing function names also does nothing unless you are not removing debug information from your compiled executable. Comment out/in code until you find the bit that is detected. Most likely it's detecting a code signature. Changing names is good only if it's a string. When you find the detected code, try to switch around statements, or use some other method that attains the same result.

Good luck, GG king!!
All times are GMT - 6 Hours