blitz02 (Cheater)
Reputation: 0
Joined: 28 Feb 2007, Posts: 44
Posted: Sun Apr 25, 2010 7:19 pm
Post subject: Since I can't PM Slugsnack... Please help me, anyone.

Slugsnack said that once a DLL is injected, it will be granted access to the memory even if the game has GameGuard.
My concern was that I injected my code and nothing happens.
So I did an investigation: I attached CE to the game.
GG doesn't detect CE for some seconds.
I opened up the memory regions and found all the memory; after a split second it became "?? ?? ??", like all the memory was gone. Then after a while I got detected. Do you have any idea about this? =3 Could you please give me a head start or a clue so I can start researching?

Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71
Joined: 24 Jan 2007, Posts: 1857
Posted: Mon Apr 26, 2010 2:09 am

what game are you trying this on? make sure your dll has actually been successfully injected and that injection was not blocked. you can do this by having it launch a window on initialization (spawn a thread out of DllMain). also, what language are you using? posting your code would be helpful too. ?? ?? ?? usually means either the process has closed or CE can not read it because the memory was deallocated or some other reason.

blitz02 (Cheater)
Reputation: 0
Joined: 28 Feb 2007, Posts: 44
Posted: Tue Apr 27, 2010 6:20 am

Audition Philippines.
I used C++.
When I inject the DLL, the menu shows up in the game, so that means it is loaded, right? But GameGuard reallocates everything. I use CE to check it and nothing shows up, just a bunch of "??".
Can you introduce me to those drivers and kernels?
Give me some head start if possible, thank you >.<

Dark Byte (Site Admin)
Reputation: 474
Joined: 09 May 2003, Posts: 25954, Location: The Netherlands
Posted: Tue Apr 27, 2010 6:22 am

you could also try the virtualpagedir plugin for CE, since reading is also blocked in kernel mode with GG
_________________
Tools give you results. Knowledge gives you control.
Like my help? Join me on Patreon so I can keep helping

blitz02 (Cheater)
Reputation: 0
Joined: 28 Feb 2007, Posts: 44
Posted: Tue Apr 27, 2010 8:07 am

Dark Byte wrote:
> you could also try the virtualpagedir plugin for ce since reading is also blocked in kernelmode with GG

As of now, I am done trying the plugin, DB.
First I signed dbk64.sys, then ran CE.
I got 'CRC=3' when I attach any process in CE,
then I get consecutive popup errors on clicking Memory View.
Tried it on XP and on Vista 64.
If the kernel is detected by GG too, what bypass is applicable to GG now? =3

Dark Byte (Site Admin)
Reputation: 474
Joined: 09 May 2003, Posts: 25954, Location: The Netherlands
Posted: Tue Apr 27, 2010 8:24 am

For 64-bit: yes, the virtualpagedir plugin won't work there.
The kernelmode hook shouldn't be a problem then, so you can just use kernelmode read/write processmemory, but as you said, GG will detect it.
For 32-bit: the message "This process CR3=" is normal and expected; what error popups did you get?
As for a bypass for the detection: either disable GG or edit the code till it's undetected.

blitz02 (Cheater)
Reputation: 0
Joined: 28 Feb 2007, Posts: 44
Posted: Tue Apr 27, 2010 8:48 am

The DLL is undetected; I can play for a long time with the DLL on, but it doesn't do anything. I can only see a menu in my game.
The problem is, I can't check whether I successfully edited an address, or whether GG stopped my DLL from editing.
Now I'm thinking some of the code is wrong here; please check this one.
C/P'ed from my other thread.
Code:
    #include <windows.h>

    // Scans searchsize bytes starting at memdump for the byte pattern AOB
    // (aobsize bytes long) and returns the address of the first match, or
    // NULL if there is none. A '?' byte (0x3F) in AOB is a wildcard that
    // matches any byte, so a literal 0x3F cannot be searched for with this
    // scheme; a separate mask array would avoid that clash.
    BYTE* ScanAOB(BYTE* AOB, BYTE* memdump, int searchsize, int aobsize)
    {
        int a = 0, i;   // a = index into AOB, i = index into memdump
        for (i = 0; i < searchsize; i++)
        {
            if (AOB[a] == '?' || memdump[i] == AOB[a])
            {
                a++;
                if (a == aobsize)                // every pattern byte matched
                    return &memdump[i - aobsize + 1];
            }
            else
            {
                // Mismatch after a partial match: restart the scan one byte
                // after the previous candidate start. Resetting only a while
                // keeping i (as the original did) skips overlapping candidates.
                i -= a;
                a = 0;
            }
        }
        return NULL;
    }
I call it with this:
Code:
    // BYTE is the Windows type; lowercase 'byte' is not defined by <windows.h>.
    BYTE SendAob[9] = {0x37, 0x34, 0x32, 0x31, 0x34, 0x31, 0x31, 0x38, 0x39};
    // Scans 0x600000 bytes from the image base. Every page in that range
    // must be readable, or the scan faults on the first unmapped page.
    DWORD SendAddy = (DWORD)ScanAOB(SendAob, (BYTE*)0x00400000, 0x600000, 9);
Then I combined it with WriteProcessMemory:
Code:
    BYTE Lvl91[9] = {0x31, 0x31, 0x32, 0x31, 0x31, 0x31, 0x31, 0x38, 0x39};
    // auHandler is the process handle opened elsewhere in the DLL.
    WriteProcessMemory(auHandler, (void*)SendAddy, Lvl91, 9, NULL);
[EDIT]
Okay! I did some investigation again.
I recoded the program to edit all the addresses to NOP,
waited for GG to hide the memory and pressed the crash key,
and it crashes. So my conclusion is that GameGuard just hides it; my DLL is still hooked into the game. Thanks for all the help here. I learned many things on this site.

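The scanner posted above is the same byte-pattern search a defender runs over a memory dump when checking for a known signature, so its two edge cases are worth seeing in isolation. The following is an added example, not code from this thread or from Cheat Engine: it uses a separate mask string instead of the '?' byte (so a literal 0x3F can still be matched), restarts one byte after the previous candidate on every mismatch, and reproduces the reset-without-rewind logic from the post to show the match that logic misses. The buffer and patterns are constructed sample data.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample "memory" (not from the thread). */
static const unsigned char sample[] = {
    0xAA, 0xAA, 0xAA, 0xBB,          /* overlapping candidates for AA AA BB */
    0x37, 0x34, 0x3F, 0x31,          /* contains 0x3F, the value of '?' */
    0xCC
};

/* Pattern scan with an explicit mask: mask[k] == 'x' means buf must equal
 * pattern[k] at that position, mask[k] == '?' means any byte matches.
 * Returns the offset of the first match, or -1 if there is none. Each
 * candidate start is compared independently, so a mismatch never skips
 * the overlapping candidate that begins one byte later. */
long scan_pattern(const unsigned char *buf, size_t buflen,
                  const unsigned char *pattern, const char *mask)
{
    size_t plen = strlen(mask);
    if (plen == 0 || buflen < plen)
        return -1;
    for (size_t start = 0; start + plen <= buflen; start++) {
        size_t k = 0;
        while (k < plen && (mask[k] == '?' || buf[start + k] == pattern[k]))
            k++;
        if (k == plen)
            return (long)start;
    }
    return -1;
}

/* The post's matching logic without wildcards: on a mismatch it resets the
 * pattern index but keeps advancing through the buffer. */
long scan_no_rewind(const unsigned char *buf, size_t buflen,
                    const unsigned char *pattern, size_t plen)
{
    size_t a = 0;
    for (size_t i = 0; i < buflen; i++) {
        if (buf[i] == pattern[a]) {
            if (a == plen - 1)
                return (long)(i - a);
            a++;
        } else {
            a = 0;          /* no rewind of i: the candidate at i-a+1 is lost */
        }
    }
    return -1;
}

/* AA AA BB occurs at offset 1; only the candidate-by-candidate scan finds it. */
long demo_overlap_correct(void)
{
    static const unsigned char pat[] = { 0xAA, 0xAA, 0xBB };
    return scan_pattern(sample, sizeof sample, pat, "xxx");
}

long demo_overlap_naive(void)
{
    static const unsigned char pat[] = { 0xAA, 0xAA, 0xBB };
    return scan_no_rewind(sample, sizeof sample, pat, sizeof pat);
}

/* 37 34 ?? 31 with the third byte wildcarded through the mask. */
long demo_wildcard(void)
{
    static const unsigned char pat[] = { 0x37, 0x34, 0x00, 0x31 };
    return scan_pattern(sample, sizeof sample, pat, "xx?x");
}

/* A literal 0x3F ('?') is searchable because the mask, not the byte value,
 * decides what is a wildcard. */
long demo_literal_3f(void)
{
    static const unsigned char pat[] = { 0x3F, 0x31 };
    return scan_pattern(sample, sizeof sample, pat, "xx");
}

int main(void)
{
    printf("overlap (candidate scan): %ld, overlap (no rewind): %ld\n",
           demo_overlap_correct(), demo_overlap_naive());
    printf("wildcard: %ld, literal 3F: %ld\n", demo_wildcard(), demo_literal_3f());
    return 0;
}
```

The no-rewind variant returns -1 for the first pattern even though it is present at offset 1, which is exactly the kind of silent miss that makes a scan look like "nothing happened".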
Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71
Joined: 24 Jan 2007, Posts: 1857
Posted: Tue Apr 27, 2010 10:25 am

don't use WriteProcessMemory. if you're using a dll you have direct access, which means you can do things like:
Code:
    *( BYTE * )SendAddy = 0x90;

blitz02 (Cheater)
Reputation: 0
Joined: 28 Feb 2007, Posts: 44
Posted: Tue Apr 27, 2010 11:36 am

Slugsnack wrote:
> don't use writeprocessmemory. if you're using a dll you have direct access which means you can do things like :
> Code: *( BYTE * )SendAddy = 0x90;

Really? Thanks for the info! Just tested and it works, cool, thanks!