Cheat Engine: The Official Site of Cheat Engine
Diaxis (How do I cheat?)
Reputation: 0
Joined: 11 Nov 2006, Posts: 3
Posted: Sat Nov 11, 2006 3:06 am, Post subject: DLL Injection and HackShield

I was reading somewhere here that one way to skirt HackShield is to hook CreateProcess and perform your DLL injection there. Is there anyone here that has actually done that? I'm working on Rappelz at the moment and it looks like OpenProcess is failing. I'm pretty good at tearing down unprotected games, injecting DLLs and manually writing code detours, but I'm not too experienced yet with these protected games. Any suggestions on where I might begin? Thx!
linden (Master Cheater)
Reputation: 0
Joined: 10 Mar 2006, Posts: 319
Posted: Sat Nov 11, 2006 8:34 am

OpenProcess is hooked by HackShield from the kernel side. You have to bypass that before you can do anything...

ZwOpenProcess
ZwReadVirtualMemory
ZwWriteVirtualMemory

These functions are hooked from the kernel side in most protected games.
Diaxis (How do I cheat?)
Reputation: 0
Joined: 11 Nov 2006, Posts: 3
Posted: Mon Nov 13, 2006 3:07 am

You know, I've often wondered if it would be possible to duplicate DLL functionality under Windows, so that HackShield does whatever it wants successfully to the original DLLs, but when it came time for me to OpenProcess or write to memory, a backup DLL would be called instead. I would think OpenProcess, as a piece of code, would work properly if it were instanced elsewhere, no? The functions could probably be renamed to keep calls distinct.

Do you think it's technically possible to duplicate the OpenProcess code, make a new routine called OpenProcezz or whatever, and then somehow coerce the OS to use it when called?
linden (Master Cheater)
Reputation: 0
Joined: 10 Mar 2006, Posts: 319
Posted: Mon Nov 13, 2006 4:41 am

Diaxis wrote: "Do you think it's technically possible to duplicate the OpenProcess code, make a new routine called OpenProcezz or whatever, and then somehow coerce the OS to use it when called?"

I haven't tried it yet, but I think duplicating a Windows API function is theoretically possible. You can, for example, manually load kernel32.dll to some other address by yourself and then fix up the relocs so that all its global variables point to the original kernel32.dll which was loaded by Windows. And when you must call those hooked functions, you call the one from your manually loaded DLL. That should escape any usermode-only hooks. (Well, manually loading the whole thing is overkill though... you can simply hop over the first few bytes of the function entry to bypass inline patching.)

BUT, the problem is that for most protected games, functions such as OpenProcess, ReadProcessMemory, WriteProcessMemory are HOOKED FROM THE KERNEL SIDE, so simply manually loading kernel32.dll won't work. You absolutely need to write some kind of driver (ring 0 module) to bypass them.

Hooking CreateProcess for DLL injection probably would work, since most protections are not yet running during process creation. But some protections do integrity checking on modules like kernel32.dll, user32.dll, gdi32.dll, etc. during their initialization phase to detect any patches made to functions inside these modules. (Don't know about HackShield, but GameGuard does that.) So, injecting/hooking too early might also lead to detection...
Diaxis (How do I cheat?)
Reputation: 0
Joined: 11 Nov 2006, Posts: 3
Posted: Mon Nov 13, 2006 8:18 am, Post subject: ...

I don't know how familiar you are with VMware, but I've been able to get some of these games to run (in some fashion) on a "virtual machine". VMware basically lets you create a computer that runs in a window, and you can install the OS of your choice on this virtual computer. When I launch games like ROSE Online, the GameGuard stuff works fine, but it only locks down the guest OS. I am able to read and write memory just fine on the parent OS, and can actually inject my DLLs into and modify the VMware process without any trouble.

The problem I run into, of course, is that the emulated OS is very slow, and the game doesn't always run properly, if at all. The second problem I have is that I'm actually emulating Windows virtual memory management, so even if I am able to inject a DLL into the VMware process, I cannot write a JMP that redirects execution into my injected DLL, because the addressing is incompatible (the DLL uses the addressing of the host OS, the game uses the addressing of the guest OS). It's only useful in that I can maybe dump the unencrypted game program to disk and load that file into my disassembler.

So anyway, I was thinking it might be a worthwhile project to create a tool that basically allows HackShield and GameGuard to do whatever they want, while maintaining the API functionality elsewhere. But that would require some heavy-duty knowledge of the OS and affected APIs. I don't know how to write a driver or a ring 0 module, but I'd like to learn.

I write bots and trainers as a kind of hobby. I can't post URLs yet (doh), so you'll have to piece it together:
www DOT playerbionics DOT com/uorobot.jpg
That is one I did for UO a while back. Right now I'm working on DDO, Rappelz, and some other games that are in beta. If anyone wants to collaborate on figuring out some packet forging, please give me a shout (jblackwell88 at yahoo dot com).
ppxdf (Newbie cheater)
Reputation: 0
Joined: 05 Apr 2006, Posts: 18
Posted: Wed Nov 29, 2006 8:29 am, Post subject: rappelz bypassed

Could you pay some rupees (money from Rappelz) for my UCE bypass?
Email me and tell me how many rupees you can pay for it.
SunBeam (I post too much)
Reputation: 65
Joined: 25 Feb 2005, Posts: 4023, Location: Romania
Posted: Wed Nov 29, 2006 1:10 pm

Umm, I think you can. Remember, HackShield, like most anti-cheat apps, relies on ntdll.dll. I've seen this app which bypassed SafeDisc protections by actually moving ntdll.dll from system32, making a backup, and replacing it with a modded one. Bet you can do the same: replace it, make HS load it, and hack away...
jonni67 (I post too much)
Reputation: 0
Joined: 29 Jul 2006, Posts: 2058, Location: Mississauga
Posted: Fri Dec 01, 2006 9:39 pm

BTW, what games are you trying to packet? 'Cause some are totally internet-based memory that's not editable, like RS...