Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


Regarding newer games and anti-cheat protections built-in

 
Caliber
Expert Cheater
Reputation: 2

Joined: 20 Aug 2007
Posts: 102

Posted: Tue Dec 11, 2007 11:57 am    Post subject: Regarding newer games and anti-cheat protections built-in

the following games:

Halo2
Gears of War
Kane & Lynch
Universe at War

among others are a growing list of games that utilize the Games For Windows LIVE within their code which basically does the following:

It uses a LOADER program to run the actual game. The game won't run without the LOADER and the LOADER is necessary to run the game.


The LOADER also SCANS the memory of the game in real time for any changes to a single code. I can replace an INT3 in the game's code (the main .exe) with a NOP and it will detect it (usually within a minute).

I need help in finding a way to defeat the scans. I really don't want to remove the copy protection and CD checks, just simply the scanning.

Couple things, the LOADER usually has anti-debug built into it as well, where it detects Ollydbg attached to it.

This is becoming a problem for me since most newer games that we create trainers for are beginning to use this new process.

Any help would be appreciated or if you know someone looking for a challenge that I could work with or contact at least it would help-

Thanks,
Caliber
Labyrnth
Moderator
Reputation: 10

Joined: 28 Nov 2006
Posts: 6301

Posted: Tue Dec 11, 2007 12:16 pm

What happens if you pause the process of the loader?
Then try and cheat the game?
Caliber
Expert Cheater
Reputation: 2

Joined: 20 Aug 2007
Posts: 102

Posted: Tue Dec 11, 2007 1:30 pm

Labyrnth wrote:
> What happens if you pause the process of the loader?
> Then try and cheat the game?


when you run the launcher, it sets itself as being debugged (similar to the .exe's of the battlefield 2 and battlefield 2142 series)

there is no way to 'pause' the launcher, so i reset the debug port and then attached a debugger to it, which effectively 'paused' it.

the game.exe closes to desktop immediately.

the game.exe must actively check for the launcher, or is tied to it directly in some way.

further investigation also revealed that:

when using CE to detect breakpoints, i set a breakpoint on an area of code location 004CC5B5 to see if the game.exe itself might be doing the scan and lo and behold the xlive.dll actually seems to be reading the memory of the game.exe.

any more discussion or help or tips would be helpful.

i am trying all of this on Universe at War Retail, BTW.

here's what we know so far:

1) game uses launcher: LaunchUAW.exe
2) launcher runs game.
3) game (UAWEA.exe) will not run by itself and requires launcher
4) game exits if launcher is shut down using task manager
5) game exits if launcher is paused by using debugger
6) xlive.dll which is a .dll run by the UAWEA.exe game appears to scan the code of the UAWEA.exe:

two lines of code do the reading:

100b4a2 mov ecx,[edx+08]
100b4ac mov ecx,[edx+04]

7) attaching a debugger to the game crashes it instantly when you resume the game using F9 with olly
8) attaching a debugger and then resetting the debug port lets you run the game several seconds and then it crashes again.
9) when game crashes and loader is running, it reports Game Closed Abnormally in a little window.

thanks for any help on this-


best,
Cal
Labyrnth
Moderator
Reputation: 10

Joined: 28 Nov 2006
Posts: 6301

Posted: Tue Dec 11, 2007 1:37 pm

Attach ce to the loader after the game is up and running,
Pause the process of the loader and see what happens.

Now if the game does not crash, open a new instance of ce and try to hack the game. If the game still crashes when trying to cheat, your loader is not the problem.

Also, look for hidden files in the install, such as dat files. You could rename it to exe and the game may run.
I can't really give you exact ways, I don't have the game but I'm giving ways I know that have worked on other games.
Caliber
Expert Cheater
Reputation: 2

Joined: 20 Aug 2007
Posts: 102

Posted: Tue Dec 11, 2007 1:43 pm

Labyrnth wrote:
> Attach ce to the loader after the game is up and running,
> Pause the process of the loader and see what happens.
>
> Now if the game does not crash, open a new instance of ce and try to hack the game. If the game still crashes when trying to cheat, your loader is not the problem.
>
> Also, look for hidden files in the install, such as dat files. You could rename it to exe and the game may run.
> I can't really give you exact ways, I don't have the game but I'm giving ways I know that have worked on other games.


how do you pause using CE, other than doing a scan and Pause while scanning?

maybe a hidden command or button somewhere? sorry to be a pain. thanks for the quick replies btw-

also, how many posts until you can PM people here?

best,
Cal
me
Grandmaster Cheater
Reputation: 2

Joined: 24 Jun 2004
Posts: 733
Location: location location

Posted: Tue Dec 11, 2007 1:57 pm

Caliber wrote:
> Labyrnth wrote:
> > Attach ce to the loader after the game is up and running,
> > Pause the process of the loader and see what happens.
> >
> > Now if the game does not crash, open a new instance of ce and try to hack the game. If the game still crashes when trying to cheat, your loader is not the problem.
> >
> > Also, look for hidden files in the install, such as dat files. You could rename it to exe and the game may run.
> > I can't really give you exact ways, I don't have the game but I'm giving ways I know that have worked on other games.
>
> how do you pause using CE, other than doing a scan and Pause while scanning?
>
> maybe a hidden command or button somewhere? sorry to be a pain. thanks for the quick replies btw-
>
> also, how many posts until you can PM people here?
>
> best,
> Cal


set a hotkey for pause in the cheat engine settings
the settings button is under the cheat engine logo on the top right hand side

Caliber
Expert Cheater
Reputation: 2

Joined: 20 Aug 2007
Posts: 102

Posted: Tue Dec 11, 2007 2:23 pm

Labyrnth wrote:
> Attach ce to the loader after the game is up and running,
> Pause the process of the loader and see what happens.
>
> Now if the game does not crash, open a new instance of ce and try to hack the game. If the game still crashes when trying to cheat, your loader is not the problem.
>
> Also, look for hidden files in the install, such as dat files. You could rename it to exe and the game may run.
> I can't really give you exact ways, I don't have the game but I'm giving ways I know that have worked on other games.


OK, couple more things.

when you run the Launcher, it seems to not only launch the UAWEA.exe but also another file, ~e5.0001, which is also similar to the bf2142 and bf2 days where that ~e5.0001 file is basically acting like a debugger to prevent you from attaching another debugger to the file.

at any rate, i paused LaunchUAW.exe using the hotkey and it pauses the launcher and then 10-20 seconds later the game closes and displays a small window that states:

Abnormal game exit detected.

whether or not the Launcher does the scanning, it cannot be paused or shut down without crashing the game.

any other ideas ?

the game uses the Windows - LIVE platform within it and also there is an xlive.dll that is within the process space of the UAWEA.exe when running.

This could be a great learning process for myself and anyone else who participates and follows this thread. Kane and Lynch is another game that uses nearly this exact same method. I wish some of you who were interested would obtain this game (i bought it) or obtain the K & L game and work with me on this to try and figure out what is going on and defeat this scanning. this seems to be more and more common with these newer games that are using the LIVE platform-

best,
Cal

Labyrnth
Moderator
Reputation: 10

Joined: 28 Nov 2006
Posts: 6301

Posted: Tue Dec 11, 2007 3:23 pm

How about that other file you talked about, freeze it as well.
Just another thing to try i guess.
me
Grandmaster Cheater
Reputation: 2

Joined: 24 Jun 2004
Posts: 733
Location: location location

Posted: Wed Dec 12, 2007 7:51 am

oh look who's given a tip on getting past halo 2's anti debug tricks,,,, Dark Byte himself no less

http://forum.cheatengine.org/viewtopic.php?p=1727736#1727736

Labyrnth
Moderator
Reputation: 10

Joined: 28 Nov 2006
Posts: 6301

Posted: Wed Dec 12, 2007 3:25 pm

Heh, nice find me.

I knew someone had some ideas.
Caliber
Expert Cheater
Reputation: 2

Joined: 20 Aug 2007
Posts: 102

Posted: Wed Dec 12, 2007 10:12 pm

i did some tracing and testing and figured out what's going on and solved my problem.

just letting everyone know that apparently the games using windows LIVE loads xlive.dll and also uses the .cat file (security catalog files) and possibly the thumbprints within it to compare hash or whatever when scanning the .exe to determine if there are any changes to the game code. if you rename the .cat file then in some cases (like UAW for instance) the game won't use the scanner and your trainer will work without crashing the game. the xlive.dll has the scanner built into it to scan the game .exe. i don't know exactly how it works at this point, but it's not important since i can stop the scanning process by renaming the .cat file.

however, the problem still remains of breakpointing the game code or attaching a debugger like ollydbg without crashing the game.

by the way, i have known for some time about using the kernel debugger in CE since darkbyte told me about it many months ago. this feature has turned out to be an outstanding and powerful tool and i thank him again for his program. however, if there was some way to use kernel breakpointing so we could stop program execution with all the register, stack, etc. info at our fingertips without crashing these games with the built-in debug protections would be awesome. also since games are eventually heading to vista, then a port of this fine program to the kernel of vista would be most helpful. i don't envy the work involved to do that by darkbyte!

any help or links or referrals to sites or individuals that can help with getting around the protections in these games and allowing breakpointing of games that crash when breakpointed would be very helpful and appreciated.

best,
Cal
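
The behaviour reported in the post above (the scan stops once its catalog file is absent) is a fail-open integrity check. The following added example, which is not part of the original thread and does not reproduce xlive.dll's actual logic, models a hash-based code scan in fail-open and fail-closed form; the JSON catalog format, the pinned digest and all names and bytes are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample "code section" holding one INT3 (0xCC) byte.
CODE = bytes.fromhex("5589e5cc8b450831c05dc3")
PATCHED = CODE.replace(b"\xcc", b"\x90")  # INT3 -> NOP, the edit from the first post

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_catalog(code: bytes) -> bytes:
    """Hypothetical catalog format: JSON holding the expected code hash."""
    return json.dumps({"sha256": sha256_hex(code)}).encode()

CATALOG = make_catalog(CODE)
# Digest of the catalog, fixed inside the checker at build time (assumption:
# stands in for verifying a signature over the catalog).
PINNED_CATALOG_SHA256 = sha256_hex(CATALOG)

def scan_fail_open(code: bytes, catalog: Optional[bytes]) -> str:
    """Weak form: with no catalog there is no reference, so the scan is skipped."""
    if catalog is None:
        return "skipped"
    expected = json.loads(catalog)["sha256"]
    return "ok" if hmac.compare_digest(sha256_hex(code), expected) else "tampered"

def scan_fail_closed(code: bytes, catalog: Optional[bytes]) -> str:
    """Hardened form: a missing or altered catalog is itself a failure."""
    if catalog is None:
        return "tampered: catalog missing"
    if not hmac.compare_digest(sha256_hex(catalog), PINNED_CATALOG_SHA256):
        return "tampered: catalog altered"
    expected = json.loads(catalog)["sha256"]
    if not hmac.compare_digest(sha256_hex(code), expected):
        return "tampered: code modified"
    return "ok"

if __name__ == "__main__":
    cases = [("clean", CODE, CATALOG),
             ("patched", PATCHED, CATALOG),
             ("patched, catalog absent", PATCHED, None)]
    for name, code, cat in cases:
        print(f"{name:25} open={scan_fail_open(code, cat):9} closed={scan_fail_closed(code, cat)}")
```

The design point for a defender is that the reference data must be a required, authenticated input: its absence has to produce the same outcome as a hash mismatch.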
me
Grandmaster Cheater
Reputation: 2

Joined: 24 Jun 2004
Posts: 733
Location: location location

Posted: Thu Dec 13, 2007 6:33 am

nice work

as for vista doesn't the DBVM work for vista already,
not used it cos I got an amd chip, if you got intel it might help,

as for vista,
well it's got 8% of the market share after what!! nearly 2 years

that 8% is mostly made up of people buying new machines that have vista pre-installed so they got no choice,
a high percentage of those seem to be either trying to dual boot with xp or in some more extreme cases just installing xp over it,

the games will rely on directX 10 and later rather than vista itself I would think, that's why bill gates tried to make it vista compatible only but it's already been patched to xp

Dark Byte
Site Admin
Reputation: 471

Joined: 09 May 2003
Posts: 25839
Location: The netherlands

Posted: Thu Dec 13, 2007 6:42 am

Caliber wrote:
> by the way, i have known for some time about using the kernel debugger in CE since darkbyte told me about it many months ago. this feature has turned out to be an outstanding and powerful tool and i thank him again for his program. however, if there was some way to use kernel breakpointing so we could stop program execution with all the register, stack, etc. info at our fingertips without crashing these games with the built-in debug protections would be awesome. also since games are eventually heading to vista, then a port of this fine program to the kernel of vista would be most helpful. i don't envy the work involved to do that by darkbyte!
>
> any help or links or referrals to sites or individuals that can help with getting around the protections in these games and allowing breakpointing of games that crash when breakpointed would be very helpful and appreciated.
>
> best,
> Cal

it's planned for ce 5.5 or 6.0
basically just let the game go into a wait state after saving the registers to a specific spot and wait for an event: e.g. CE_DEBUG_CONTINUE event.
Of course, i'm quite busy, and since 5.4 is to be released soon didn't have time to design/implement it fully

Quote:
> as for vista doesn't the DBVM work for vista already,

dbvm works on vista yes, even vista64
But for now there's no 'official' 64-bit usermode version of CE for vista 64 yet. (only a few tests on lazarus that have been quite promising, including allowing to load drivers in vista 64)
Vista 32 should be no problem, tested and works fine

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Caliber
Expert Cheater
Reputation: 2

Joined: 20 Aug 2007
Posts: 102

Posted: Thu Dec 13, 2007 9:13 am

Dark Byte wrote:
> Caliber wrote:
> > by the way, i have known for some time about using the kernel debugger in CE since darkbyte told me about it many months ago. this feature has turned out to be an outstanding and powerful tool and i thank him again for his program. however, if there was some way to use kernel breakpointing so we could stop program execution with all the register, stack, etc. info at our fingertips without crashing these games with the built-in debug protections would be awesome. also since games are eventually heading to vista, then a port of this fine program to the kernel of vista would be most helpful. i don't envy the work involved to do that by darkbyte!
> >
> > any help or links or referrals to sites or individuals that can help with getting around the protections in these games and allowing breakpointing of games that crash when breakpointed would be very helpful and appreciated.
> >
> > best,
> > Cal
>
> it's planned for ce 5.5 or 6.0
> basically just let the game go into a wait state after saving the registers to a specific spot and wait for an event: e.g. CE_DEBUG_CONTINUE event.
> Of course, i'm quite busy, and since 5.4 is to be released soon didn't have time to design/implement it fully
>
> Quote:
> > as for vista doesn't the DBVM work for vista already,
>
> dbvm works on vista yes, even vista64
> But for now there's no 'official' 64-bit usermode version of CE for vista 64 yet. (only a few tests on lazarus that have been quite promising, including allowing to load drivers in vista 64)
> Vista 32 should be no problem, tested and works fine


thanks for the update on the progress of your updates to CE DarkByte. this has truly been a very useful tool for me. any help that you need don't hesitate to contact me and i'll do what i can.

best,
Cal