Cheat Engine

[atom0s]

There is a check for the VEH debugger by looking for the following two modules:
- vehdebug-i386.dll
- vehdebug-x86_64.dll

It uses GetModuleHandle to try and detect both of them. There are other methods of detection for other things that could also be triggering the problem if you have defeated that part of the anti-cheat though.

If you want a hint there is a timer running constantly that does all the various debugger checks which you can find at address: 0x004BB571

An easy way to kill the protection is by making this timer not work or just instantly return.

[ulysse31]

Hey atom0s, thanks.
I had the naive idea that because the dll name is an argument to the getmodulehandleA function, it should be somewhere in the memory space.

I cracked the Getmodulehandle okay, but I'm wondering how you've been able to tell which APIs this program used to detect cheats ?
Especially the zwQueryInformationProcess, did you use a tool that'd report use of antidebug API? did you go through the potential APIs that you knew it could be using ?

[aikoncwd]

[ulysse31]

Ah yes, thank you I actually thought I made a try with 00 sets of bytes between the hexas but if I did I failed to make it properly because it does work now that I look for the string.

I've managed to attach windbg too but I am having trouble finding the timer function myself, any hint on how to achieve that ? appears that either the time value is encrypted in the memory, either it's not in the memory, either it's using a new variable address every time the time value changes

[atom0s]

[ulysse31]

thanks a lot for taking the time to make this tutorial, it'll help a great deal

[aikoncwd]

Since this crackme/challenge is defeat. I can try to make a challenge #2 adding more complicated routines, some obfuscation strings, etc...

Any interested on that project?

[ulysse31]

Sure, I'm sure those who had fun with the first project will have fun with the 2nd one. Once I'll be done toying with the first one I'll definitely try the 2nd one if you make it

[atom0s]

[h3x1c]

[atom0s]

Haven't really posted much in terms of tutorials anymore due to some personal reasons against sharing things anymore.

As for tools, it depends on the situation. I have hundreds of different apps I use for various purposes when doing reversing, unpacking, cracking, etc. Just depends on what is needed based on the target at hand.

Some things I use very often though would be:
- dnSpy / ILSpy / Reflector (.NET decompilers.)
- ImpREC (Import reconstruction tool for unpacked files.)
- PEiD / ProtectionID / DiE (Protection scanners.)
- de4dot (.NET Deobfuscator)
- John The Ripper (Password bruteforcer.)

Aside from that I have tons of sub-tools for various different obfuscators/protectors that come in handy. As well as the various plugins for all the programs mentioned.

My tools also consist of things like:
- procmon (Process Monitor)
- procexp (Process Explorer)
- PuTTY / NuTTY (SSH clients.)
- Wireshark
- Tcpview
- SmartSniff
- Various .NET related tools.

And so on. Just depends on what I'm doing.

[Jerduh74]

No thanks though. I'm not that computer geek professor to do some hacks and such. -_-

[sasatefa2009]

i've bypassed the detection and here is how

Load the game into Ollydbg

Go to all of these addresses using " ctrl+g " and change every jump instruction to " jmp "

004B81A4
004B8612
004B8663
004B8697
004B86CB
004BA18E
004BA1FE
004BA26E
004BA2DE
004BAAF3
004BAB74
004BABED
004BAC66
004BB5D9
004BB660
004BB6D9
004BB752

Now lets bypass the process detection for cheat engine and Kernel Mode Debugger

go to these addresses and " nop " them

004BC238
004BBDB3
004BBD2A


for VEH debugger detection
1- veh for x64

004BBFA3 :- change the jump to make it jump to the next " jmp " instruction which in my pc is 004BBFCB

2- veh for x32

004BBF6A :- follow it in dump and change it to what ever you want and don't forget to check the " keep size "


** extra bypass ( no time over ) **

004B97FD change it to " jmp "

you can save what you did in an exe file with " copy to executable -> all modifications "
then right click in the new window and " save file "

don't expect to talk about the 'what to do' with cheat engine

that was a quick tutorial for bypassing the detection

i'll be waiting for the next challenge Aikon

[LunarTemplar]

o.0 I've apparently been called out ... back in November

[arstgarcia]

I've read the whole thread, my respect, and salute to those who accepting the challenge and sharing experiences here. My lvl is way too low to accept this LOL

Thank you for sharing great tips!