Cheat Engine

Hatschi

Hi,

I get 'error while opening this process' all the time while trying to open the process in CE. The game is called 'Space Rangers HD'. This never happened before and all entires of the search function belongs to browsers only.

Any idea how to get CE working?

Dark Byte · Posted: Mon Oct 21, 2013 3:55 am Post subject:

Try enabling kernelmode OpenProcess in settings->extra (and perhaps also query memory and query access regions, but only if needed)

what kind of game is this? Multiplayer ?

If it's not multiplayer, then wait for/get the cracked/warez version instead. they usually don't have crap like that

Tip: If it opens with kernelmode access, then if you wish to use the pointerscan, you must set it to not care that the pointer must be a static (or manually adjust cheat engine in the sourcecode to set a specific range as static, assuming the game doesn't load the main module dynamically)

Hatschi · Posted: Mon Oct 21, 2013 4:22 am Post subject:

It's the RELOADED version and nope, it's a single player game.
Enabling the openprocess did the trick, but as soon as I've attach the debugger of CE, the game closes and CE tells me: "VEH Debug error - Unknown error during injection".

Dark Byte · Posted: Mon Oct 21, 2013 4:33 am Post subject:

dll injection probably fails because the symbol lookup is failing (symbol lookup doesn't make use of the kernelmode openprocess)

If you can, try kernelmode debug (dbvm or 32-bit os)

Dark Byte · Posted: Mon Oct 21, 2013 4:41 am Post subject:

Execute this lua script before opening the target process and you should be able to do symbol lookups and dll injection.

Hatschi · Posted: Mon Oct 21, 2013 4:54 am Post subject:

I can open the process with your LUA script but yes, the VEH debugger doesn't work.

DVBM works great, no issues at all, sadly I have to use it on my notebook as DVBM crashes on my desktop computer, never been able to get it running there although CE says that DVBM is supported.

Thanks for your help

user601 · Moderator Reputation: 0 Joined: 07 Oct 2004 Posts: 65

I just bought this game just to check out the protection, and VEH debug does work.

(perhaps it helps if you have memory view->debug events open and attach the veh debug before actually starting a new game)

Anyhow, money was found(4 byte unencrypted) and the code that writes to it during resource trade is rangers.exe+300b16: mov [edx+000000E8],eax

I probably won't touch this game any further though, but hope it helps

Caliber · Posted: Mon Oct 21, 2013 11:45 am Post subject:

Firstly, this seems incredibly overkill for a developer to do especially when it appears the game has 20+ cheatcodes available? I guess they did this to try and kill piracy more than stop cheaters?

at any rate, I haven't messed with this quite yet, but is there any way you can tell us exactly what the game is doing (or the PE structure has been modified) to itself to cause it to not be able to be opened and etc by normal means?

For instance, when I run the game, apparently the game is 32 bit, but if you use task manager it appears as though it is 64 bit (the *32 is missing), and etc.

having to resort to NTOpenProcess and relying on a kernel mode driver for a budget game seems crazy...

any input is appreciated.

best,
Cal

Dark Byte · Posted: Mon Oct 21, 2013 1:06 pm Post subject:

I haven't really checked it, but the behaviour resembles the effect of ObRegisterCallbacks where it denies usermode from obtaining a handle to the process, including simple internal and query accesses.

It's probably some kind of DRM. This same developer made use of Starforce in the past(kernelmode drm system)

But it could also just be a simple rights management thing in windows (e.g: advapi and remove all access to it )