sullx Cheater Reputation: 0
Joined: 03 Jan 2013 Posts: 37
Posted: Sat Aug 23, 2014 6:37 pm Post subject: CE footprint from open process and/or readmem?
Something interesting I am running into. I am hacking a game protected by an anticheat (HS). I have abandoned doing anything in kernel mode (no dbvm or dbk64) because of some complications (see my other thread: http://forum.cheatengine.org/viewtopic.php?t=575636).
If I attach CE to the game after HS has booted up, when I try to scan memory I receive an error indicating that there is no memory to scan. This is because HS is hiding the process and probably hooking openprocess, or readprocmem or another relevant Windows function.
I have figured out a way to attach Cheat Engine to the game process before HS boots up, which prevents the memory from becoming "unreadable", and I can continue to scan after the game has started. I attach CE in the normal way, but interestingly, after a while in game HS closes the client. So then I close CE and then reboot the game. A few minutes later the game closes again without CE even open.
Any ideas on this?
Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The netherlands
Posted: Sat Aug 23, 2014 8:09 pm
Try opening the process with kernelmode openprocess (they are not related to dbvm at all) and see if it still does that.
And try having Cheat Engine just open once and not targeting anything. Perhaps it's just a normal Cheat Engine detection. (E.g. a physical memory scan for part of CE)
sullx Cheater Reputation: 0
Joined: 03 Jan 2013 Posts: 37
Posted: Sat Aug 23, 2014 10:27 pm
The anticheat does not detect Cheat Engine (6.4) if it is open but not attached, or attached to something else in standard user mode. However, dbk64.sys is detected, so anytime I try to use kernel mode--even without attaching--the anticheat closes the game. If I use the kernelmodeunloader executable to remove the driver, then the game can be played fine without being closed, but if the driver is still loaded then the game will be closed by HS.
This is why I am choosing to work in user mode and not kernel mode. It's surprising to me, though, that if I simply attach with cheat engine and do a scan then close (all in user mode), that the anticheat can pick up on that.
What kind of "footprint" could this be?
sullx Cheater Reputation: 0
Joined: 03 Jan 2013 Posts: 37
Posted: Sun Aug 24, 2014 12:12 pm
So I have tried using openprocess in my own app, and had the same results. So I guess it's not a CE issue. Still just having a hard time understanding how the anticheat can detect that openprocess has been called on the machine, even before the anticheat was launched.
I boot the machine, open a test_application to attach to, then I open my hack_application which openproc's the test_application. Then I close both completely, and then I boot the game. 15 minutes later HS closes the game. Nothing about that makes sense to me. As a last resort I am going to attempt a new install of Windows 7 (this time x32) and see if a fresh machine has the same results, to rule out any cross talk that could be happening between background apps and HS.