Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
How to bypass crc32 checks?

 
Cheat Engine Forum Index -> General programming
Viloresi
Expert Cheater
Reputation: 0

Joined: 02 Feb 2017
Posts: 144

Posted: Tue Aug 06, 2019 6:32 am    Post subject: How to bypass crc32 checks?

Hello, I'm trying to bypass some crc32 checks in a game (I know these kinds of protections are widely used anyway) because the game checks if the memory has been modified using these...
I've seen some people already using a widely used method that consists of copying the memory page the crc32 function is checking somewhere else and redirecting the crc32 function to that newly created memory page...
This method is kinda big and I don't understand why it works, and also why couldn't people just try to nop some instructions in these crc32 functions or disable them somehow without this need of re-allocating a new memory page and redirecting the crc to it?

P.s:
I mean, to sum up, isn't there a simpler method to bypass a crc32 check instead of creating a new page, copying memory to it, and redirecting crc32 to that new page?
Dark Byte
Site Admin
Reputation: 368

Joined: 09 May 2003
Posts: 21780
Location: The netherlands

Posted: Tue Aug 06, 2019 1:03 pm

you need to find all the routines that read the memory (more than one) and then change the functions to return the same value as if it was unchanged.

you can find the final function result and return that, or you can make a copy of the game memory and adjust the read pointer to the copy


finding those functions can be done by finding what accesses code addresses

and sometimes these checks are so simple that a simple infinite loop is enough

------
or you can use dbvm memory cloak on the regions you wish to edit. CE's autoassembler will know what to do in such a region (assuming you specified the virtual address)

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
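An added illustration of what the two posts above are talking about, written for this thread and not taken from Cheat Engine or from any game's code: a CRC-32 self-check over a region of bytes, the in-place modification it detects, and why a check that is handed a pointer to an untouched copy reports "intact". The names `crc32_of`, `region_intact` and `scenario` and the region contents are constructed for the example; the polynomial is the common reflected CRC-32 (zlib/PNG variant), which is an assumption, since a given routine may use another polynomial or seed. The design lesson, from the side of whoever writes such a check: a routine running inside the address space it is checking can only vouch for the bytes its own pointer reads, and it has no independent knowledge that those bytes are the live code. That is why a single check is a deterrent rather than a guarantee, and why Dark Byte says there is usually more than one routine to find.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Table-driven reflected CRC-32 (polynomial 0xEDB88320, the zlib/PNG variant).
 * Assumption: the routine being discussed is this common variant; another
 * polynomial or seed changes the value but not the argument below. */
static uint32_t crc_table[256];
static bool crc_table_ready = false;

static void crc32_build_table(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        crc_table[i] = c;
    }
    crc_table_ready = true;
}

uint32_t crc32_of(const uint8_t *data, size_t len)
{
    if (!crc_table_ready)
        crc32_build_table();
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++)
        c = crc_table[(c ^ data[i]) & 0xFFu] ^ (c >> 8);
    return c ^ 0xFFFFFFFFu;
}

/* The integrity check itself: hash whatever `base` points at and compare with
 * the value recorded while the region was known-good. Note what it does NOT
 * do: it has no independent way to know that `base` is the live code. */
bool region_intact(const uint8_t *base, size_t len, uint32_t expected)
{
    return crc32_of(base, len) == expected;
}

enum { REGION_LEN = 64 };

/* Constructed stand-in for a protected code region, run through the scenario
 * from the thread. With redirect_to_copy == false the check reads the live
 * region; with true it reads a pristine copy taken before the edit.
 * Returns what the check concludes. */
bool scenario(bool redirect_to_copy)
{
    uint8_t live[REGION_LEN];
    for (size_t i = 0; i < REGION_LEN; i++)
        live[i] = (uint8_t)(i * 7 + 3);             /* constructed "code" bytes */

    uint32_t expected = crc32_of(live, REGION_LEN); /* baseline at "load time" */

    uint8_t pristine[REGION_LEN];
    memcpy(pristine, live, REGION_LEN);             /* copy taken before any change */

    live[10] ^= 0x90;                               /* one byte changed in place */

    const uint8_t *what_the_check_reads = redirect_to_copy ? pristine : live;
    return region_intact(what_the_check_reads, REGION_LEN, expected);
}

int main(void)
{
    printf("CRC-32(\"123456789\") = 0x%08X (standard check value 0xCBF43926)\n",
           crc32_of((const uint8_t *)"123456789", 9));
    printf("check over live, patched region: %s\n",
           scenario(false) ? "intact (missed)" : "modified (detected)");
    printf("check over pristine copy       : %s\n",
           scenario(true) ? "intact (edit never seen)" : "modified");
    return 0;
}
```

The first printf is the standard CRC-32 check value for the ASCII string "123456789", which is how you confirm a CRC implementation (or identify which variant a routine uses) before trusting what it reports. The two `scenario` calls are the whole of the OP's question in miniature: the check does detect the in-place edit, and it passes on the copy only because the copy really is unchanged.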
Viloresi
Expert Cheater
Reputation: 0

Joined: 02 Feb 2017
Posts: 144

Posted: Tue Aug 06, 2019 1:20 pm

Dark Byte wrote:
you need to find all the routines that read the memory (more than one) and then change the functions to return the same value as if it was unchanged.

you can find the final function result and return that, or you can make a copy of the game memory and adjust the read pointer to the copy


finding those functions can be done by finding what accesses code addresses

and sometimes these checks are so simple that a simple infinite loop is enough

------
or you can use dbvm memory cloak on the regions you wish to edit. CE's autoassembler will know what to do in such a region (assuming you specified the virtual address)

First of all, thank you, always helpful!
If I put an infinite loop the game gets stuck because these are in the main thread of it. I don't think I can use dbvm memory cloak because these checks are in a region protected with SEC_NO_CHANGE ...
I've tried to look for the final result, but the function is huge and it seems all obfuscated; still, this might be the only valid one of your suggestions (I guess).
Well, thank you; if you have other tips or anything to say it's well accepted, or if anybody else has too!
atom0s
Moderator
Reputation: 148

Joined: 25 Jan 2006
Posts: 7684
Location: 127.0.0.1

Posted: Wed Aug 07, 2019 1:05 am

Some common ways to deal with this:

1. Patch the CRC function to compare against the same data rather than the modified memory area.
2. Patch the CRC function to just not fail.
3. Patch the CRC function to skip the entire check and always return the correct value.

These methods really depend on how the check function is written. That will determine which method you can actually use, if one of those patches is viable at all.

Other methods would include:

1. Copy the original memory into a new block and redirect the scan to that. (As you mentioned in your post.)
2. Patch the code to read from the original file on disk if it is comparing the raw data.
3. Block access to the memory region, assuming the CRC function will not error if it does not have permission/access.

In some cases, you may need to go to a lower level of alterations; with some anti-cheats you will be forced to hook Nt functions and alter how they return data. You can bypass some hash checks like this easily by altering memory page statuses, blocking access, faking return values when reading from the target memory areas, and so on.

For example, bypassing something like GameGuard's CRC checks can be done very easily doing 2 NT function hooks and faking the returns.

_________________
- Retired.
Viloresi
Expert Cheater
Reputation: 0

Joined: 02 Feb 2017
Posts: 144

Posted: Wed Aug 07, 2019 2:11 am

atom0s wrote:
Some common ways to deal with this:

1. Patch the CRC function to compare against the same data rather than the modified memory area.
2. Patch the CRC function to just not fail.
3. Patch the CRC function to skip the entire check and always return the correct value.

These methods really depend on how the check function is written. That will determine which method you can actually use, if one of those patches is viable at all.

Other methods would include:

1. Copy the original memory into a new block and redirect the scan to that. (As you mentioned in your post.)
2. Patch the code to read from the original file on disk if it is comparing the raw data.
3. Block access to the memory region, assuming the CRC function will not error if it does not have permission/access.

In some cases, you may need to go to a lower level of alterations; with some anti-cheats you will be forced to hook Nt functions and alter how they return data. You can bypass some hash checks like this easily by altering memory page statuses, blocking access, faking return values when reading from the target memory areas, and so on.

For example, bypassing something like GameGuard's CRC checks can be done very easily doing 2 NT function hooks and faking the returns.

ok, thank you a lot for the reply. btw, I'm looking for a way that should be less detectable, like the VEH hooking I'm trying (in another thread; hopefully you can reply there, it would be awesome, ty)
Dark Byte
Site Admin
Reputation: 368

Joined: 09 May 2003
Posts: 21780
Location: The netherlands

Posted: Wed Aug 07, 2019 7:10 am

dbvm memory cloak doesn't touch page protection
atom0s
Moderator
Reputation: 148

Joined: 25 Jan 2006
Posts: 7684
Location: 127.0.0.1

Posted: Wed Aug 07, 2019 12:56 pm

Viloresi wrote:

ok, thank you a lot for the reply. btw, I'm looking for a way that should be less detectable, like the VEH hooking I'm trying (in another thread; hopefully you can reply there, it would be awesome, ty)


Detection all depends on the target. Methods that work for 1 app/anti-cheat may not work for another due to different levels of detections and blocks. Stuff that works for GameGuard doesn't work for Xigncode for example.

Preventing detection comes down to the target and what your intentions are. In some cases, you don't need to do anything special because of what the goal is as not every part of an anti-cheat requires special stuff to get around detections of what is being done. Xigncode has a few 'flaws' with this kind of stuff for example, where you can edit memory under certain conditions and not trigger any of their detections.

CRC check bypasses are pretty much guaranteed to involve editing something to some degree, since you either need to fake the data or alter the function in some manner. Remaining undetected will be based on which approach you take and what level of anti-cheat you are dealing with. User-mode anti-cheats are easily bypassed, whereas lower-level ones that use a driver will require more work in some cases.

It's hard to discuss this kind of topic here since we don't allow in depth discussions if you mention the target. If you can give more info on what the target is doing to detect you without mentioning what the target is, then we can still discuss this further.

Viloresi
Expert Cheater
Reputation: 0

Joined: 02 Feb 2017
Posts: 144

Posted: Wed Aug 07, 2019 5:13 pm

Thank you both for the replies. I've resolved my issue: there were hooks all around and not a crc check as I thought. If you check my other thread about VEH, that was the key to victory! I'm gonna celebrate now