emperor Master Cheater
Reputation: 0
Joined: 16 May 2003 Posts: 470 Location: Germany
Posted: Sat Aug 21, 2004 9:38 am Post subject:
I don't know anything about "host file entries"... and deleting GG?
The only thing I could associate with it, considering you said you deleted GG, is... the thing of changing where GG update connects to in order to make it use useless game guard files? But... this doesn't quite sound like it.
With AAT I have no problems with alt+tabbing out when AAT runs as admin and the game as a normal user... but considering you said you deleted GG, it leads me to the assumption that you actually stopped GG, which would also be helpful for me as I cannot get any speedhack to work, even if it has admin privileges. Care to elaborate or give a good keyword for a Google search so I can look it up myself? (If that method you are talking about is for MU only, then never mind.)
 |
oscardrew Newbie cheater
Reputation: 0
Joined: 10 Aug 2004 Posts: 20
Posted: Sat Aug 21, 2004 9:52 pm Post subject:
I think what he means is to change the host file so that it updates from your comp instead of the internet (you run a server off your comp). This has been done on MU Online.
 |
emperor Master Cheater
Reputation: 0
Joined: 16 May 2003 Posts: 470 Location: Germany
Posted: Sun Aug 22, 2004 5:33 am Post subject:
This is what I also suspected and wrote... but if that is the case it makes me wonder: you need some fake nprotect files after all. Does anybody have an idea where to get them?
The rest would be pretty much obvious: add an entry for guard.nprotect.net to the host file to relink to your own computer and run an Apache server. But it would actually need some files that it could "update" from so that useless files are installed.
 |
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25807 Location: The netherlands
Posted: Sun Aug 22, 2004 12:35 pm Post subject:
My guess is that they got hold of an old version of nprotect/GG that doesn't modify other running programs and doesn't detect other hacks (and perhaps also doesn't close on task switching).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
 |
stomperz Expert Cheater
Reputation: 0
Joined: 18 Jul 2004 Posts: 193 Location: USA Chicago
 |
emperor Master Cheater
Reputation: 0
Joined: 16 May 2003 Posts: 470 Location: Germany
Posted: Sun Aug 22, 2004 4:50 pm Post subject:
Well, after so much trying all I know is... it updates from the fake server correctly, gets the files, but when it's starting the game it will only flash up... then it's gone. I can only assume... that this game has some kind of extra protection. But thanks, it's still awesome.
 |
stomperz Expert Cheater
Reputation: 0
Joined: 18 Jul 2004 Posts: 193 Location: USA Chicago
Posted: Sun Aug 22, 2004 6:20 pm Post subject:
emperor
What game did you try it on?
 |
emperor Master Cheater
Reputation: 0
Joined: 16 May 2003 Posts: 470 Location: Germany
Posted: Sun Aug 22, 2004 7:14 pm Post subject:
Phantasy Star Online Blue Burst (http://psobb.jp)
Well, I adjusted it all accordingly: I set up my Apache accordingly (GameGuard/SEGA/PSO/RealServer) and edited the hosts file to use 127.0.0.1 for update.nprotect.net. Then I put those files in the directory, ran game guard, it "updated" from that folder of my Apache server, and then I had that other (older?) game guard installed.
(When I started the game, game guard completed its check and then, when the game should start, it only flashes up and disappears, which is actually the same reaction as would happen when the update is canceled.)
And btw those ppl are paranoid, even when only clicking on staffrole, which only shows the credits, nprotect is launched... they are funny
 |
oscardrew Newbie cheater
Reputation: 0
Joined: 10 Aug 2004 Posts: 20
Posted: Mon Aug 23, 2004 1:39 am Post subject:
How many things did u put in your host file? For the MU one you need this:
127.0.0.1 update.nprotect.net
127.0.0.1 61.78.35.19
I *think* the second one is a failsafe. As in, it updates from update.blsabla.net then checks the other one to make sure the files are updated. Also I believe you are supposed to have no GG files in the GG folder (the exe has the download routine).
 |
emperor Master Cheater
Reputation: 0
Joined: 16 May 2003 Posts: 470 Location: Germany
Posted: Mon Aug 23, 2004 5:18 am Post subject:
| oscardrew wrote: | How many things did u put in your host file? For the MU one you need this:
127.0.0.1 update.nprotect.net
127.0.0.1 61.78.35.19
I *think* the second one is a failsafe. As in, it updates from update.blsabla.net then checks the other one to make sure the files are updated. Also I believe you are supposed to have no GG files in the GG folder (the exe has the download routine). |
I already tried deleting all files in the GG, it went all the same then...
As for the failsafe check, I doubt it. I used a program that captures all outgoing packets on a network card and the only connections that were established during its update were to update.nprotect.com... so I doubt that it connected somewhere else. (I do not believe it's nasty enough to hide those connections.)
 |
stomperz Expert Cheater
Reputation: 0
Joined: 18 Jul 2004 Posts: 193 Location: USA Chicago
Posted: Mon Aug 23, 2004 5:38 am Post subject:
My host file is
127.0.0.1 localhost
127.0.0.1 gg.muchina.com
127.0.0.1 ogg.muchina.com
127.0.0.1 update.nprotect.net
127.0.0.1 GameGuard.des
I added 127.0.0.1 61.78.35.19
Just in case.
8)
By the way, if I don't write-protect the HOST file, after running MU the HOST file changes to
127.0.0.1 localhost
127.0.0.1 gg.muchina.com
127.0.0.1 ogg.muchina.com
#27.0.0.1 update.nprotect.net
127.0.0.1 GameGuard.des
Gameguard at work???????
Still unable to overwrite the kernel32 and ntdll with the saved files after starting the game.
I was able to find the "jmp, xxxx" in the api and simply put a "ret" in the process "xxxx" to prevent it from executing.
Dark Byte mentioned changing 1 byte to make it writeable again. I'll have to search for it.
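A defensive check for the kind of hosts-file changes shown in the post above, as an added example that is not part of the original thread: it flags names redirected to loopback, IP literals in the name column, and entries disabled in place. The sample input is constructed from the entries quoted in the thread; `audit_hosts`, `LOCAL_NAMES` and the finding labels are assumptions of this example.

```python
import ipaddress

# Constructed sample, modelled on the hosts entries quoted in the thread.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 gg.muchina.com
127.0.0.1 update.nprotect.net
127.0.0.1 61.78.35.19
#27.0.0.1 update.nprotect.net
# ordinary comment
"""

# Assumption: names that are expected to resolve to loopback on a clean system.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def audit_hosts(text):
    """Return (line_no, kind, detail) findings for suspicious hosts entries."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # A comment shaped like "<digits.and.dots> <dotted.name>" looks like an
            # entry that was disabled in place (the "#27.0.0.1 ..." line above).
            parts = line[1:].split()
            if len(parts) >= 2 and parts[0].replace(".", "").isdigit() and "." in parts[1]:
                findings.append((no, "disabled-entry", parts[1]))
            continue
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or not is_ip(fields[0]):
            findings.append((no, "malformed", line))
            continue
        addr = ipaddress.ip_address(fields[0])
        for name in fields[1:]:
            if is_ip(name):  # the name column holds an IP literal, not a hostname
                findings.append((no, "ip-in-name-column", name))
            elif addr.is_loopback and name.lower() not in LOCAL_NAMES:
                findings.append((no, "loopback-redirect", name))
    return findings
```

Running the audit on a schedule and diffing the findings against a known-good baseline also surfaces the silent rewrite of the file that the post describes.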
 |
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25807 Location: The netherlands
Posted: Mon Aug 23, 2004 8:44 am Post subject:
If you managed to place a ret there I doubt it's got to do with write-protected memory.
Perhaps the restore routine isn't working right, although it does try to make it writable before writing to there (or you selected a wrong memory region, e.g. data instead of executable).
But to make memory writable you need to use the kernel mode read/write process memory. Then go to ((addressyouwanttochange/0x1000*4)+0xc0000000) and change the 2nd bit to a 1.
Or if you've got a recent version of the beta you can right-click the region in the memory region window and choose "Force to be writable"; it'll then try to change all the pages in that memory to writable.
 |
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25807 Location: The netherlands
Posted: Mon Aug 23, 2004 11:26 pm Post subject:
Yes, I just downloaded gunbound and looked at the memory.
It does hook VirtualProtectEx, which removes the possibility to make the memory of the kernel and ntdll writable from usermode.
I've tested my own method to make it writable and I could change the memory at those locations again.
Oh yes, the next version of CE will have an option that, when enabled, checks the used DLLs for modifications and, if it finds them, restores them with what they should be.
 |
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25807 Location: The netherlands
Posted: Mon Aug 23, 2004 11:55 pm Post subject:
I just tested out my kernel side "hide and protect CE from being opened by other processes" feature on gunbound and came to the following conclusion:
1: If you start Cheat Engine while nprotect is running, it will still manage to inject the DLL into Cheat Engine.
2: If you start Cheat Engine before running nprotect, Cheat Engine will stay unaffected and all the features including attach to process keep working!!!!!
3: :twisted:
And we've got stomperz to thank for that feature, for asking "By using ring 0 privilege can't you block GG from setting hooks in the dll's?"
Of course, attaching the debugger to the process can still cause trouble if there is debugger detection.
 |
emperor Master Cheater
Reputation: 0
Joined: 16 May 2003 Posts: 470 Location: Germany
Posted: Tue Aug 24, 2004 6:37 am Post subject:
| Dark Byte wrote: | 2: If you start Cheat Engine before running nprotect, Cheat Engine will stay unaffected and all the features including attach to process keep working!!!!! |
I also noticed that, without having noticed that cheating would be, like, impossible. I'm not quite sure why (I assume it's due to the fact that there is no hyper mode maybe?) but when CE is attached to the process scanning takes 5 secs, if it is not attached it takes over 5 mins. And of course, it's useful for "find what writes to address" (because all other normal memory cheats are only temporary on today's games).
The only thing that CE still lacks is hyper mode... although I did what I could (using admin/no admin to use 4.3), always everything works but no hyper mode, this is evil. (And hypermode in 4.4 is not finished yet, if I remember that right.)