Cheat Engine The Official Site of Cheat Engine
karaulov, Advanced Cheater, Reputation: 0
Joined: 12 Aug 2013 Posts: 65 Location: Belarus
Posted: Sat May 28, 2016 1:10 pm Post subject: Bypass anticheat with CE VEH Debugger?
Script detected by anticheat:
Code:
  RequiredCEVersion=6.51
  waitforenable = 5
  initializedscript = false
  t = nil
  oldvalue1 = nil
  oldvalue2 = nil
  oldvalue3 = nil
  oldvalue4 = nil

  function DisableMaphack( )
    print("MH disabled.")
    writeBytes(getAddress("Game.dll") + 0x3A159B,oldvalue1)
    writeBytes(getAddress("Game.dll") + 0x2851B0,oldvalue2)
    writeBytes(getAddress("Game.dll") + 0x3999F9,oldvalue3)
    writeBytes(getAddress("Game.dll") + 0x3A14BC,oldvalue4)
  end

  function EnableMaphack( )
    print("MH enabled.")
    writeBytes(getAddress("Game.dll") + 0x3A159B,0x09,0xD1)
    writeBytes(getAddress("Game.dll") + 0x2851B0,0xEB,0x2B)
    writeBytes(getAddress("Game.dll") + 0x3999F9,0x09,0xC3)
    writeBytes(getAddress("Game.dll") + 0x3A14BC,0xEB,0x34)
  end

  function EnableMaphackTimer( )
    if (waitforenable > 0) then
      waitforenable = waitforenable - 1
    elseif (waitforenable == 0) then
      waitforenable = waitforenable - 1
      EnableMaphack()
    end
  end

  function debugger_onBreakpoint()
    print("Antihack scan memory. Now need disable MH .")
    waitforenable = 3
    DisableMaphack( )
    debug_continueFromBreakpoint(co_run)
  end

  function addDestroyTimersButton()
    local btn=getMainForm().frmAutoInject.Button1
    local newButton = createButton(getMainForm().frmAutoInject.Panel1)
    newButton.Height = 31
    newButton.Width = 129
    newButton.Caption = "Disable script"
    newButton.AnchorSideTop.Control = btn
    newButton.AnchorSideLeft.Control = btn
    newButton.AnchorSideLeft.Side = asrBottom
    newButton.BorderSpacing.Left = 5
    newButton.OnClick = function ()
      if (initializedscript == true) then
        DisableMaphack( )
      end
      detachIfPossible( )
      closeCE()
    end
  end

  if (getCEVersion() < RequiredCEVersion) then
    print("Bad cheatengine version. Update to 6.5.1+ ")
  else
    if (initializedscript == false ) then
      initializedscript = true
      if (t == nil) then
        t = createTimer(nil)
      end
      timer_onTimer(t, EnableMaphackTimer)
      timer_setInterval(t,1000)
      timer_setEnabled(t, true)
      addDestroyTimersButton()
      waitforenable = 3
      -- detachIfPossible( )
      debugProcess(2)
      oldvalue1 = readBytes(getAddress("Game.dll") + 0x3A159B,2,true)
      oldvalue2 = readBytes(getAddress("Game.dll") + 0x2851B0,2,true)
      oldvalue3 = readBytes(getAddress("Game.dll") + 0x3999F9,2,true)
      oldvalue4 = readBytes(getAddress("Game.dll") + 0x3A14BC,2,true)
      -- debug_removeBreakpoint(getAddress("Game.dll") + 0x3A159B)
      -- debug_removeBreakpoint(getAddress("Game.dll") + 0x2851B0)
      -- debug_removeBreakpoint(getAddress("Game.dll") + 0x3999F9)
      -- debug_removeBreakpoint(getAddress("Game.dll") + 0x3A14BC)
      debug_setBreakpoint(getAddress("Game.dll") + 0x3A159B,2,1 )
      debug_setBreakpoint(getAddress("Game.dll") + 0x2851B0,2,1 )
      debug_setBreakpoint(getAddress("Game.dll") + 0x3999F9,2,1 )
      debug_setBreakpoint(getAddress("Game.dll") + 0x3A14BC,2,1 )
    end
  end
Why? The breakpoints work: the cheat is disabled before the scanner runs and enabled again after the scan.
Maybe CE changes the memory protection and does not restore it back? Or does the debugger break after the read (not before the read)??
One of the anticheats uses RtlMoveMemory for cheat detection.
Dark Byte, Site Admin, Reputation: 458
Joined: 09 May 2003 Posts: 25287 Location: The Netherlands
Posted: Sat May 28, 2016 3:12 pm
Perhaps it detects the breakpoints.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
mgr.inz.Player, I post too much, Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: In the country on the Vistula. UTC+01:00
Posted: Sat May 28, 2016 3:18 pm
Try only this line (launch game, launch CE, open process, execute this line):
Does it detect the attached debugger?
Then try this script (launch game, launch CE, open process, execute this script):
Code:
  function debugger_onBreakpoint()
    debug_continueFromBreakpoint(co_run)
    return 1
  end
  debugProcess(2)
  debug_setBreakpoint("Game.dll+3A159B",2,bptAccess,bpmDebugRegister)
Does it detect breakpoints?
You can also try bpmException.
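Dark Byte's reply suggests the anticheat may be noticing the breakpoints themselves, and mgr.inz.Player's test script plants a 2-byte access breakpoint through the debug registers (bpmDebugRegister). The C program below is an added example, not code from the thread or from Cheat Engine, and shows the detection side of that: how a thread's DR0-DR3/DR7 state decodes into hardware breakpoints, whether one of them overlaps a watched address, and how a saved copy of a function's first bytes reveals an in-place patch such as the 0xCC byte written in a later post. The debug_regs_t struct, the address 0x401000, the DR7 value and the byte sequences are all constructed for the example; on Windows the register values would come from GetThreadContext with CONTEXT_DEBUG_REGISTERS, which is not called here so the example runs anywhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for the example: the debug-register subset of a thread
 * context, as Dr0..Dr3 and Dr7 appear in the x86 CONTEXT structure. */
typedef struct {
    uint32_t dr[4];   /* linear addresses of slots 0..3 */
    uint32_t dr7;     /* enable bits, RW and LEN fields */
} debug_regs_t;

typedef struct {
    int slot;          /* 0..3 */
    uint32_t address;
    int len;           /* 1, 2, 4 or 8 bytes */
    const char *kind;  /* "execute", "write", "io" or "readwrite" */
} hw_breakpoint_t;

/* Decode DR7 (Intel SDM layout): L/G enable bits 0..7, RWn at bits 16+4n,
 * LENn at bits 18+4n. Fills out[] (room for 4) and returns the count. */
int decode_hw_breakpoints(const debug_regs_t *r, hw_breakpoint_t *out)
{
    static const char *kinds[4] = { "execute", "write", "io", "readwrite" };
    static const int lens[4] = { 1, 2, 8, 4 };  /* LEN encoding 00,01,10,11 */
    int n = 0;
    for (int i = 0; i < 4; i++) {
        uint32_t local  = (r->dr7 >> (2 * i)) & 1u;      /* L0..L3 */
        uint32_t global = (r->dr7 >> (2 * i + 1)) & 1u;  /* G0..G3 */
        if (!local && !global)
            continue;
        uint32_t rw  = (r->dr7 >> (16 + 4 * i)) & 3u;
        uint32_t len = (r->dr7 >> (18 + 4 * i)) & 3u;
        out[n].slot = i;
        out[n].address = r->dr[i];
        out[n].len = lens[len];
        out[n].kind = kinds[rw];
        n++;
    }
    return n;
}

/* Nonzero if any enabled hardware breakpoint overlaps [start, start+size).
 * This is the check a scanner would run on its own watched addresses. */
int hw_breakpoint_covers(const debug_regs_t *r, uint32_t start, uint32_t size)
{
    hw_breakpoint_t bps[4];
    int n = decode_hw_breakpoints(r, bps);
    for (int i = 0; i < n; i++) {
        uint32_t bstart = bps[i].address;
        uint32_t bend = bstart + (uint32_t)bps[i].len;
        if (bstart < start + size && start < bend)
            return 1;
    }
    return 0;
}

/* Prologue integrity: compare the first n bytes of a function against the
 * copy saved when the check was installed. Returns the index of the first
 * differing byte, or -1 if the region is intact. */
int first_patched_byte(const uint8_t *current, const uint8_t *expected, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (current[i] != expected[i])
            return (int)i;
    return -1;
}

/* DR7 a debugger would program for a 2-byte read/write breakpoint in slot 0:
 * L0 set, RW0 = 11 (read/write), LEN0 = 01 (2 bytes). Constructed value. */
uint32_t dr7_for_rw2_slot0(void)
{
    return 1u | (3u << 16) | (1u << 18);
}

int main(void)
{
    /* Constructed register state: one access breakpoint on 0x401000. */
    debug_regs_t regs = { { 0x401000u, 0, 0, 0 }, dr7_for_rw2_slot0() };
    hw_breakpoint_t bps[4];
    int n = decode_hw_breakpoints(&regs, bps);
    printf("%d hardware breakpoint(s)\n", n);
    for (int i = 0; i < n; i++)
        printf("  slot %d at 0x%08x len %d %s\n",
               bps[i].slot, bps[i].address, bps[i].len, bps[i].kind);
    printf("0x401001 watched: %d\n", hw_breakpoint_covers(&regs, 0x401001u, 1));

    /* Constructed sample: a hot-patchable prologue whose first byte became int3. */
    const uint8_t saved[]   = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
    const uint8_t current[] = { 0xCC, 0xFF, 0x55, 0x8B, 0xEC };
    printf("first patched byte: %d\n", first_patched_byte(current, saved, sizeof saved));
    return 0;
}
```

A debugger that sets breakpoints this way leaves the slot visible to anything that reads the thread context, which is why bpmException (an exception-based breakpoint that does not touch DR0-DR7) is worth trying as a comparison in the test above; the prologue comparison is the counterpart for byte patches, and both checks are only as good as the moment they run.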
karaulov, Advanced Cheater, Reputation: 0
Joined: 12 Aug 2013 Posts: 65 Location: Belarus
Posted: Sat May 28, 2016 10:22 pm
The anticheat detects only the default debugger, by hooks.
Screenshot URL: i.imgur.com/M5eQDBe.png
But I can disable the hooks:
Code:
  writeBytes(getAddress("DbgUiRemoteBreakin"),0x6A,0x08,0x68,0xE8,0x07,0x5A,0x77)
  writeBytes(getAddress("DbgBreakPoint"),0xCC)
But the default debugger is still detected after that. (Possibly by Themida.)
VEH and kernel debuggers are not detected by the anticheat. But only the VEH (debugProcess(2)) debugger works; the kernel one just doesn't work.
I chose debugger type 2 (debugProcess(2) - VEH); it is undetected and works, but are the offsets possibly read before the break??
I don't know how the debugger works.
Is it possible to restore the old memory before the read?
pachela, How do I cheat?, Reputation: 0
Joined: 22 Mar 2016 Posts: 4
Posted: Mon Jul 04, 2016 12:49 pm
karaulov wrote:
  The anticheat detects only the default debugger, by hooks.
  Screenshot URL: i.imgur.com/M5eQDBe.png
  But I can disable the hooks:
  Code:
    writeBytes(getAddress("DbgUiRemoteBreakin"),0x6A,0x08,0x68,0xE8,0x07,0x5A,0x77)
    writeBytes(getAddress("DbgBreakPoint"),0xCC)
  But the default debugger is still detected after that. (Possibly by Themida.)
  VEH and kernel debuggers are not detected by the anticheat. But only the VEH (debugProcess(2)) debugger works; the kernel one just doesn't work.
  I chose debugger type 2 (debugProcess(2) - VEH); it is undetected and works, but are the offsets possibly read before the break??
  I don't know how the debugger works.
  Is it possible to restore the old memory before the read?
First in Russian, then I will translate, since my English is terrible, and I can see from your nickname that you are from the CIS.
The point is that when you try to put the original value onto the "DbgUiRemoteBreakin" hook, whether through scripts or by plain manual editing, it does not change from the patched version to the original. Open the required address in the assembler window and look: the code only executes on the part responsible for the "DbgBreakPoint" hook. With PC Hunter I removed these hooks manually and the value changed to the original, but the kernel-mode debugger does not set breakpoints, and the VEH or standard Windows debugger do not read memory at all; the Themida protection does not allow it. What is needed here is to stop the game from loading these 2 hooks. How to do that, I don't know.
Now in English:
When you try, with a script or manually, to put the original value on the "DbgUiRemoteBreakin" hook, the value is not changed. Open the desired address in the assembler window and see that the code is executed only on the part responsible for the "DbgBreakPoint" hook. With the program PC Hunter I manually removed the hooks and the value changed to the original, but the kernel-mode debugger does not set the breakpoint, and the VEH or standard Windows debugger does not read the memory; the Themida protection does not allow it. Here it is necessary not to let the game load those 2 hooks. How to do it, I do not know.