Cheat Engine The Official Site of Cheat Engine
aikoncwd Grandmaster Cheater Reputation: 23
Joined: 21 Dec 2012 Posts: 591 Location: Spain (Barcelona)
Posted: Fri Nov 28, 2014 8:13 pm Post subject: AikonCWD's challenge #1: Test your skill here!
Here is my #1 challenge for you, Hitler!
I coded something like a "game" so you can try and test whether your skill is enough to hack this challenge. The game is coded under an Anticheat Engine called GameShield (don't google it, this engine is homemade by me). For all of us it's easy to hack games with CheatEngine, but it can be a pain when we get stuck against anticheat modules or memory protections.
Well, so this is why I'm here. With this game you will fight versus a REAL anticheat engine; hope you get the same fun as I got coding this:
The game is a roguelike with: timers, health/mana/stamina bars, item counters, etc... The character is controlled using that awesome D-pad at the corner. Are you ready to test your skill?
Defeat all protections, antidebuggers and anticheats:
- Run cheatengine without getting detected
- Debug this game using default windbg
- Debug this game using VEH debug without getting detected
- Optional debug this game using DBVM kernel debugger without getting detected
Find valid pointers for all addresses [HP, MP, SP, Time, Keys, Beholders, Coord X, Coord Y]
One address is protected with anticheat. Find the address and try to edit the value without getting detected
Code some auto-assemble (or LUA) scripts:
- Teleport Hack
- Move without losing stamina
- Every picked key is worth 10
- Every defeated beholder is worth 5
- Beholders don't decrease your HP
- Beholders don't decrease your keys
- Picking keys doesn't decrease MP
- Every Red potion restores all your health bar
- Every Blue potion restores all your mana bar
- Every Green potion restores all your stamina bar
- Script to freeze time (or to increase time)
- If your health bar is empty, you never die
- If your mana bar is empty, you never die
- If your stamina bar is empty, you can still move
- If time reaches 0, you never die
- Bonus: Make a lua script to move the character using your mouse
DOWNLOAD: https://www.mediafire.com/?s2fa5gfs7kqnrlr
The game is coded in VB6; some antivirus software warns about a false positive. It's clean, but if you feel paranoid, use a Virtual Machine to run it.
============================
Feel free to use this thread to talk about the challenge, ask for help or tips if you get stuck, but don't spoil the solution for the other users.
PM me if you want to post a solution, table or trainer.
_________________
Hey Hitler
Test here your skill with CheatEngine, I coded a challenge for you. Try to beat it!
HERE
atom0s Moderator Reputation: 200
Joined: 25 Jan 2006 Posts: 8546 Location: 127.0.0.1
Posted: Sat Nov 29, 2014 1:51 am
Don't have time to mess with this fully right now, but here's a quick start for anyone else interested.
Make Cheat Engine Work
The anti-cheat is constantly looking for processes with the name 'cheatengine' in it. It does this by using the 'winmgmts' object from Visual Basic. It is querying the running processes and checking if any of their names contain 'cheatengine' in them.
To make Cheat Engine work, simply rename the Cheat Engine executable.
Make Cheat Engine Work (Debugging)
I am not sure this detection works. I can debug the application fine with Cheat Engine after making Cheat Engine work just by renaming it, so I am unsure whether this is broken or not. However, this detection is done by using 'ZwQueryInformationProcess'. There are three calls to this API, doing:
- 1. Checking the debug port.
- 2. Checking the debug flags.
- 3. Checking the debug object handle.
Bypassing this is fairly simple. You can use OllyDbg to do this with any plugin that can protect the debug flags such as:
- OllyAdvanced
- StrongOD
- ScyllaHide
- TitanHide
You could do this manually as well by hooking the ZwQueryInformationProcess API and faking the results.
Making VEH Debugging Work
The anti-cheat is constantly looking for a loaded module named 'vehdebug-i386.dll' via GetModuleHandle.
To bypass this, you can do one of two things:
- 1. Hex edit the game to change the name 'vehdebug-i386.dll' to something else.
- 2. Alter Cheat Engine to load a different DLL for the VEH debugger via altering the source and recompiling it, or hex edit it as well.
Making DBVM Debugging Work
The anti-cheat is also constantly looking for the DBVM driver being loaded on the system via the 'winmgmts' stuff. This time it is checking the running services and comparing their information to 'CEDRIVER'. This info includes:
- Caption
- Description
- DisplayName
- Name
- PathName (Looks for 'cheat' in the path.)
- PathName (Looks for 'dbk32.sys' in the path.)
- PathName (Looks for 'dbk64.sys' in the path.)
To bypass this, you will need to do a few things:
- Alter the name of the driver.
- Alter the path the driver loads from. (Move CE to a new folder.)
- Alter the various information about the driver listed above.
The Game Shield Timer Loop
If you still want to defeat the anti-cheat in a different manner, you can kill the timer that is running to monitor for the above things. You can find the timer function at:
Address: 4BB571
Detection Check Addresses
Here are the addresses for all the anti-cheat checks:
- Debugger Check: 4BC3CA
- DBVM Check: 4BB8D2
- Process Name Check: 4BC069
- VEH Debugger Check: 4BBF12
There are also a few other functions that make use of the above checkers:
- 4B85BD - Triggers the YouDied display based on a detected cheat.
- 4B807C - Compares memory.
- 4BA996 - Another timer scanning for the above cheats.
It also seems like any action may cause a detection check too.
(Not 100% sure on this; didn't get to look too deep into it.)
But that should cover the anti-cheat and get others started.
_________________
- Retired.
aikoncwd Grandmaster Cheater Reputation: 23
Joined: 21 Dec 2012 Posts: 591 Location: Spain (Barcelona)
Posted: Sat Nov 29, 2014 5:56 am
@atom0s: Excellent analysis, man. Now you can continue hacking the "game", finding pointers and creating the AA scripts.
@JJHACKER: Well, the objective of this is not only to patch the home-made functions. You need to use CheatEngine and try to "hack" the game as I described. If you want a hard challenge I can protect this with VMProtect or Themida, but this is too boring and complicated for regular users.
Let me know if you are interested and I can compile and pack this "game" with VMProtect so you can test your cracking skills too.
btw, good job!
atom0s Moderator Reputation: 200
Joined: 25 Jan 2006 Posts: 8546 Location: 127.0.0.1
Posted: Sat Nov 29, 2014 8:41 pm
Alright, today I have some free time to play around with this.
So here is what I have found so far. Not done yet just posting some progress.
Before you read, just know I did use OllyDbg as the debugging method of choice. I can use Cheat Engine's debugger fine with the info I posted above; I just do not really like using CE for debugging as it has various issues and bugs.
But the objective of making CE work and usable for debugging is already accomplished, so that part of this challenge is done.
1. Locating The Player Information
The first step was to locate the player information and see how the data was handled. In this application's case, simply searching for the data is not an option as the data is "encoded" in a manner to prevent cheating from happening easily. (More info on this below.) So I took to debugging to attempt to locate some usable information.
The first thing I came across was the string: "FFFFFFFFFFFFFC22"
Immediately this stood out to me as a double value in string/hex form. So converting this back to an actual value gives us: -990.00
Afterward, I debugged the parts of the code that made use of this string, which we see here:
Code:
004B7E4B . 8B4E 7C MOV ECX,DWORD PTR DS:[ESI+7C]
004B7E4E . 66:8941 04 MOV WORD PTR DS:[ECX+4],AX
004B7E52 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
004B7E55 . E8 4A99F4FF CALL <JMP.&MSVBVM60.__vbaFreeVar>
004B7E5A . BA E46A4100 MOV EDX,challeng.00416AE4 ; UNICODE "FFFFFFFFFFFFFC22"
004B7E5F . 8D8E 88000000 LEA ECX,DWORD PTR DS:[ESI+88]
004B7E65 . E8 2299F4FF CALL <JMP.&MSVBVM60.__vbaStrCopy>
004B7E6A . BA 0C6B4100 MOV EDX,challeng.00416B0C
004B7E6F . 8D8E 8C000000 LEA ECX,DWORD PTR DS:[ESI+8C]
004B7E75 . E8 1299F4FF CALL <JMP.&MSVBVM60.__vbaStrCopy>
From this if we monitor the data, we see that the string is truncated and copied to [ESI+88]. Next, we let the game run and we will see that the value that was stored in ESI+88 is changing as the game plays. Freezing this value freezes the time.
Bingo, we have the time location.
2. Locating A Pointer
I am not going to go into much detail here since it's not needed as using the pointer scanner of CE is pretty straight forward. But to give a little info, I scanned for the address of ESI+88 at that point, and came up with a large number of results. Restarting the game and rescanning the results with the new location of ESI+88 yielded me a small and specific pointer of:
"challenge #1.exe"+000BD010
I loaded up my VM for Windows XP, altered Cheat Engine to run on there too and tested the pointer; it works. So I concluded this is a usable base pointer to work with.
3. Finding Other Information
Now that we know that inside this initialization function, where we found the timer info, ESI is used as a base pointer to the timer data, we can assume that it holds other data in this area too.
Towards the top of the function the first use of ESI we will see is:
Code:
004B7D60 . 8B46 44 MOV EAX,DWORD PTR DS:[ESI+44]
004B7D63 . 66:C740 02 0E0>MOV WORD PTR DS:[EAX+2],0E
004B7D69 . 8B46 44 MOV EAX,DWORD PTR DS:[ESI+44]
004B7D6C . 66:C740 04 0E0>MOV WORD PTR DS:[EAX+4],0E
This is actually the player model X and Y axis coords.
So we now know where these values are within this structure.
Following below these instructions we will also see the locations for the key and the eye. (position +60 and +7C respectively for their pointers.)
Next is the timer block information, which I explained above.
Next is some unknown block of data being initialized by a logical AND against 0 in the block. This happens at the pointer located at ESI+A0. I have not researched into what this block is for yet.
Next is the player mana and health:
Code:
004B7F2D . D905 78114000 FLD DWORD PTR DS:[401178]
004B7F33 . 8B86 CC000000 MOV EAX,DWORD PTR DS:[ESI+CC]
004B7F39 . 66:83A6 D80000>AND WORD PTR DS:[ESI+D8],0
004B7F41 . D99E B0000000 FSTP DWORD PTR DS:[ESI+B0] <-- Store the initial player health
004B7F47 . DD05 70114000 FLD QWORD PTR DS:[401170]
004B7F4D . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
004B7F50 . DD9E B4000000 FSTP QWORD PTR DS:[ESI+B4] <-- Store the initial player mana
From this, we can see that on initialization the values look like this:
- Player Health
--> Initial value: -100 (float)
- Player Mana
--> Initial value: 500 (double)
Debugging more will result in us finding the other data values as well.
4. Key Count and Eye Count Values
The last part of the data to find is the key and eye counts. These are a bit trickier. The key count is actually the last part of the timer information above at offset ESI+8C. However, this value is a string. The length of the string is the count of the keys.
So to read this we would use:
[[ESI+8C] - 4] = key length
The game appends a character (so far just seems to be A) to the length each time a key is touched. The -4 offset points to the actual length which is what matters, the string does not.
And last, the eye count. This one's a bit more confusing. It is a single value by itself. This one can be found by doing a normal scan; however, the pointer we use to get to it consists of two parts.
The first part is the table the data is located in. This is found at:
[ESI+A0] = pointer to info table
The next part is the index in the table to locate the value at:
[ESI+AC] = index in the pointer table.
I am not sure if there is a suitable way to add this to a cheat table; I have not kept up with Cheat Engine's newest features and such. So a double-read usage thing is not something I am familiar with CE being able to do.
However this would look like this:
eax = [ESI+A0]
ecx = [ESI+AC]
value = (eax + ecx * 4)
Attached is a basic cheat table accessing these values described above.
Cheat table contains access to the following addresses:
- Health
- Mana
- Time
- Player X / Y
- Key X / Y
- Eye X / Y
- Key Count
And a small patch to never run out of time.
atom0s Moderator Reputation: 200
Joined: 25 Jan 2006 Posts: 8546 Location: 127.0.0.1
Posted: Sat Nov 29, 2014 9:27 pm
Missed the stamina somehow, so here is that information.
To start, the stamina is located at:
[ESI+CC]+8 = player stamina
However this is the address that is protected by the anti-cheat. There is a comparison to check if the value is what it should be each iteration here:
Code:
004B9CEB . 8985 04FEFFFF MOV DWORD PTR SS:[EBP-1FC],EAX
004B9CF1 > 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
004B9CF4 . 8B80 CC000000 MOV EAX,DWORD PTR DS:[EAX+CC]
004B9CFA . 8B8D 44FFFFFF MOV ECX,DWORD PTR SS:[EBP-BC]
004B9D00 . 0FBF0448 MOVSX EAX,WORD PTR DS:[EAX+ECX*2]
004B9D04 . 8985 00FEFFFF MOV DWORD PTR SS:[EBP-200],EAX
004B9D0A . DB85 00FEFFFF FILD DWORD PTR SS:[EBP-200]
004B9D10 . D99D FCFDFFFF FSTP DWORD PTR SS:[EBP-204]
004B9D16 . D985 50FFFFFF FLD DWORD PTR SS:[EBP-B0]
004B9D1C . D89D FCFDFFFF FCOMP DWORD PTR SS:[EBP-204]
004B9D22 . DFE0 FSTSW AX
004B9D24 . 9E SAHF
004B9D25 . 74 0C JE SHORT challeng.004B9D33
004B9D27 . C785 F8FDFFFF >MOV DWORD PTR SS:[EBP-208],1
If they do not match, EBP-208 is set as a flag that we are cheating. (There are other checks too but this is the one I found while testing.)
Either way, the stamina is checked and then we are passed to a function to check if we are cheating:
Code:
004B8195 . 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
004B8198 . 66:397D 0C CMP WORD PTR SS:[EBP+C],DI
004B819C . 897D DC MOV DWORD PTR SS:[EBP-24],EDI
004B819F . 897D CC MOV DWORD PTR SS:[EBP-34],EDI
004B81A2 . 8938 MOV DWORD PTR DS:[EAX],EDI
004B81A4 . 74 2F JE SHORT challeng.004B81D5
004B81A6 . 8B06 MOV EAX,DWORD PTR DS:[ESI]
004B81A8 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
004B81AB . 51 PUSH ECX
004B81AC . 68 146B4100 PUSH challeng.00416B14 ; UNICODE "FUCK YOU CHEATER!"
004B81B1 . 56 PUSH ESI
004B81B2 . FF90 08070000 CALL DWORD PTR DS:[EAX+708]
004B81B8 . 3BC7 CMP EAX,EDI
004B81BA . 7D 11 JGE SHORT challeng.004B81CD
To bypass the anti-cheat here, we just patch the JE line to Jump.
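As an added worked example (not code from the thread, the challenge or Cheat Engine), the data layout atom0s reverse engineered in the two posts above, expressed as a small Python model: a constructed 32-bit memory image is laid out with the ESI offsets from the posts (+44 player X/Y, +88 time, +8C key BSTR, +A0/+AC eye table and index, +B0 health, +B4 mana, +CC -> stamina at +8), a reader walks the pointer chains, and the stamina comparison from the 004B9D00 listing is modelled as the tamper check it is. Assumptions: the addresses in the image are made up, the time field is stored as a 32-bit integer, the eye-count formula is read as a dereference of table + index*4, and the BSTR length prefix is a byte count, as it is for VB6 strings.

```python
import struct

def decode_hex_int64(hex_str):
    """Decode "FFFFFFFFFFFFFC22" as a signed 64-bit two's-complement integer: -990."""
    return struct.unpack(">q", bytes.fromhex(hex_str))[0]

class Mem:
    """Flat little-endian 32-bit address space standing in for the process."""
    def __init__(self, size):
        self.buf = bytearray(size)
    def w(self, addr, fmt, *vals):
        struct.pack_into("<" + fmt, self.buf, addr, *vals)
    def r(self, addr, fmt):
        return struct.unpack_from("<" + fmt, self.buf, addr)[0]

# Constructed addresses for this image only; the game's real ones differ.
ESI, POS, KEYS, TABLE, STAM = 0x1000, 0x2000, 0x3000, 0x4000, 0x5000

def build_image(keys_picked=3, eye_index=2, eyes=7, stamina=55):
    """Lay out the player object the way the thread describes it."""
    m = Mem(0x6000)
    m.w(ESI + 0x44, "I", POS)              # [ESI+44] -> player model block
    m.w(POS + 0x02, "h", 0x0E)             # X, cf. MOV WORD PTR [EAX+2],0E
    m.w(POS + 0x04, "h", 0x0E)             # Y, cf. MOV WORD PTR [EAX+4],0E
    m.w(ESI + 0x88, "i", decode_hex_int64("FFFFFFFFFFFFFC22"))  # time; int32 assumed
    # Key string is a BSTR: byte length 4 bytes before the UTF-16 data,
    # one "A" appended per key picked.
    text = ("A" * keys_picked).encode("utf-16-le")
    m.w(KEYS, "I", len(text))
    m.buf[KEYS + 4:KEYS + 4 + len(text)] = text
    m.w(ESI + 0x8C, "I", KEYS + 4)         # [ESI+8C] -> string characters
    m.w(ESI + 0xA0, "I", TABLE)            # [ESI+A0] -> info table
    m.w(ESI + 0xAC, "I", eye_index)        # [ESI+AC] = index into it
    m.w(TABLE + eye_index * 4, "i", eyes)  # eye count at table + index*4 (assumed deref)
    m.w(ESI + 0xB0, "f", -100.0)           # health, stored on a -100..0 scale
    m.w(ESI + 0xB4, "d", 500.0)            # mana, a double
    m.w(ESI + 0xCC, "I", STAM)             # [ESI+CC] -> block holding stamina
    m.w(STAM + 8, "h", stamina)            # [[ESI+CC]+8] = stamina word
    return m

def read_player(m):
    """Resolve every pointer chain from the thread and return the live values."""
    pos = m.r(ESI + 0x44, "I")
    keys_ptr = m.r(ESI + 0x8C, "I")
    table, idx = m.r(ESI + 0xA0, "I"), m.r(ESI + 0xAC, "I")
    return {
        "x": m.r(pos + 2, "h"), "y": m.r(pos + 4, "h"),
        "time": m.r(ESI + 0x88, "i"),
        "keys": m.r(keys_ptr - 4, "I") // 2,  # [[ESI+8C]-4] is a byte length
        "eyes": m.r(table + idx * 4, "i"),
        "health": m.r(ESI + 0xB0, "f"),
        "mana": m.r(ESI + 0xB4, "d"),
        "stamina": m.r(m.r(ESI + 0xCC, "I") + 8, "h"),
    }

def stamina_tampered(m, shadow):
    """Model of the check at 004B9D00..004B9D25: the live stamina word is widened
    (MOVSX/FILD) and compared with a float shadow copy; a mismatch is what sets
    the cheating flag at [EBP-208]."""
    live = float(m.r(m.r(ESI + 0xCC, "I") + 8, "h"))
    return live != shadow
```

Writing a new stamina word into the image without updating the shadow is exactly the situation the game's check catches, which is why the thread treats that address as the protected one.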
atom0s Moderator Reputation: 200
Joined: 25 Jan 2006 Posts: 8546 Location: 127.0.0.1
Posted: Sun Nov 30, 2014 12:10 am
Here is an updated table with various scripts and such added.
At this time I ran out of time between playing with this and work, so I won't have time to finish the rest of the options.
If you want to teleport the player around via the mouse, here is a C# source I did for that:
Code:
// The snippet relies on the usual user32 declarations in the containing class:
//   [StructLayout(LayoutKind.Sequential)] struct RECT { public int Left, Top, Right, Bottom; }
//   [DllImport("user32.dll", CharSet = CharSet.Unicode)] static extern IntPtr FindWindow(IntPtr lpClassName, string lpWindowName);
//   [DllImport("user32.dll")] static extern bool GetWindowRect(IntPtr hWnd, ref RECT lpRect);
// Memory.Read/Memory.Write, this.Process and basePointer are the poster's own helpers.
var cursorX = Cursor.Position.X;
var cursorY = Cursor.Position.Y;
// Obtain the target window handle..
var hWnd = FindWindow(IntPtr.Zero, "AikonCWD's challenge #1");
// Obtain the target window rect..
var rect = new RECT();
GetWindowRect(hWnd, ref rect);
var r = new Rectangle(rect.Left, rect.Top, rect.Right - rect.Left, rect.Bottom - rect.Top);
if (r.Contains(cursorX, cursorY))
{
    // Translate screen coordinates into window-relative coordinates..
    var windowX = (cursorX - rect.Left) - 32;
    var windowY = (cursorY - rect.Top) - 32;
    // Write player position values ([base+44] -> model block, X at +2, Y at +4)..
    var playerPointer = Memory.Read<int>(this.Process, new IntPtr(basePointer + 0x44));
    Memory.Write(this.Process, new IntPtr(playerPointer + 0x02), (short)windowX);
    Memory.Write(this.Process, new IntPtr(playerPointer + 0x04), (short)windowY);
}
aikoncwd Grandmaster Cheater Reputation: 23
Joined: 21 Dec 2012 Posts: 591 Location: Spain (Barcelona)
Posted: Sun Nov 30, 2014 7:39 am
Wow atom0s, you really did a great job here, awesome! May I ask some questions?
Can you rank this challenge (0 to 10), point of view -> fun?
Can you rank this challenge (0 to 10), point of view -> hard?
Which address was the hardest/most fun to work with? Eyes? Stamina?
Also, can you give me some tips to make a better (and harder) challenge next time?
atom0s Moderator Reputation: 200
Joined: 25 Jan 2006 Posts: 8546 Location: 127.0.0.1
Posted: Sun Nov 30, 2014 3:22 pm
Given that it's coded in Visual Basic 5/6, it was a little annoying for some values, since VB handles things through its own runtime rather than just using raw asm that optimizes the code down to better/faster code. So working with string-based stuff is probably the most annoying. But using a more detailed debugger like OllyDbg can make things a lot easier.
Fun point of view: 8/10
Hard point of view: 3-4/10 (For newbies it will probably be like a 7-8.)
The hardest address to work with was probably the eye count, given that it was broken into two parts, being an array and an index. But once it is figured out, it's easy to do.
Your anti-cheat was pretty basic, bypassing it was fairly simple once the details of it were figured out. It's pretty much impossible to make an anti-cheat from user-mode that is going to be any bit efficient since hooks and patches can bypass everything you do easily. But it should deter some of the newbie cheaters that are not used to anti-cheats.
The usage of your data was good, making things not use the default assumed values of like 0 to 100 for health, but instead using -100 to 0 etc. Little encoding/masking tricks like that help protect data some, again from the newbies.
Stuff like this is great to help newbies get into game hacking and understanding different ways data can be handled and such. So it is a great challenge for those looking to learn the basics, as well as those looking to understand how some basic anti-cheat methods work. It should help them analyze a file more closely and think about how to bypass things more thoroughly.
Some tips for any future challenges:
- I wouldn't recommend using VB5/6 for things, the runtime calls make it very easy to follow the code flow.
- Strengthen the anti-cheat by encoding your strings so they are not visible. (Such as xor encoding them or using non-ascii characters to represent actual words.)
- Look into using raw ASM to walk the process information for debugging info instead of using API to help prevent direct API hooks.
- Add more features for determining if the process is being debugged. Such as detecting the process was paused based on time information.
- Scan for other known tools that cheaters use.
- Protect your memory areas with Crc32 checks or similar.
And so on. But like I said, since it's all done in user mode, it will be easy to bypass all of it. It's more of a question for yourself: are you interested in seeing people bypass your anti-cheating methods, or hack the application itself more? And if you are interested in them working with the anti-cheat, what's your target group of people to mess with it? Such as newbies, advanced users, or experts, etc.
In your next challenge if you do decide to make another one, try coding it in a different language and see if that sparks some new ideas.
smashninja How do I cheat? Reputation: 0
Joined: 28 Nov 2014 Posts: 3
Posted: Sat Jan 03, 2015 1:54 pm Post subject: Cool
This is pretty cool. This can definitely help me improve my skills.
Cryptokun Newbie cheater Reputation: 0
Joined: 01 Jan 2015 Posts: 23
Posted: Sun Jan 04, 2015 1:57 pm
Was much more fun than what I was expecting. IDA makes life a lot easier though, haha.
Have anything else up your sleeve?
aikoncwd Grandmaster Cheater Reputation: 23
Joined: 21 Dec 2012 Posts: 591 Location: Spain (Barcelona)
Posted: Sun Jan 04, 2015 3:38 pm
Cryptokun wrote: Have anything else up your sleeve?
What?
Cryptokun Newbie cheater Reputation: 0
Joined: 01 Jan 2015 Posts: 23
Posted: Sun Jan 04, 2015 5:31 pm
AikonCWD wrote:
    Cryptokun wrote: Have anything else up your sleeve?
    What?
Another hack me haha