Cheat Engine

[pkedpker]

I've read probably most of the tutorials on making a UCE.. most of them say the same thing.

I've already completely renamed dbk32.dll to my own name as well as changed all the exports & functions to my own names and linked them to NewKernelHandler. I kept the typecasts the old names

compiled it.

I've compiled the driver as well not much changing here? I did the configuration file change TARGETNAME= to my name.. but isn't that the same as changing filenames? honestly I don't know..

I also removed all strings related to Cheat Engine in main project. Before this I was using a public UCE which worked for a while.. now it's detected so I'm giving it a shot to make my own private UCE.

I changed the CEDRIVER55, DBKPROCLIST55, DBKTHREADLIST55 strings

I open my cheatengine executable in hex editor cannot find any 'cheat engine' related string.. seems perfect..

I found one string in dbk32.dll relating to DBK32functions which I thought hackshield would add that string to detection list.. so I renamed that as well..

Now I cannot find anything else to rename..

Other then the GUI.. which I haven't edited at all.. because the UCE i was using used the same GUI as cheat engine without any problems.. yes i know it's detected now.. but I don't really think it could be the GUI..


Anyways I am just asking if anyone knows what strings Hackshield detects. anyone know?

Sorry if this is in wrong section couldn't find a better section.

Also I'd like to say if anyone can tell me why I get this blue screen of death error.

IRQL_NOT_LESS_OR_EQUAL

with the UCE I made I haven't did any heavy editing just replaces and a few pchar(a+b's)'s to join the common API names.

[Dark Byte]

It can also be code, e.g the nmemoryscan routine could be detected, or the result a window returns could be detected.

also, the position of the buttons could be detected

as for IRQL_NOT_LESS_OR_EQUAL, check the driver. Best way is load memory.dmp into windbg and if your searchpath is set properly so it can find the .gdb of the driver, then you might see the exact line that caused the crash

[Anden100]

Its quite a lot easier and simpler to just code a "Hackshield killer", by simply hooking all of the api's used by HackShield

[cziter15]

You don't need to hook. Just simply patch the code that is for memory scan and nano scan object. Just google for it

[pkedpker]

I dont understand you cziter..

btw thanks Dark Byte

thing is no memory.dmp is yet generated I haven't attached to any process I did test it.. it attaches and works like normal Cheat Engine.

But this UCE.. when I start it up.. then run the game which loads the HackShield instantly a blue screen. With same error everytime.

Wrote it down this time.

IRQL_NOT_LESS_OR_EQUAL
Stop: 0x0000000A ( 0x00000004, 0x0000001C, 0x00000001, 0x804EDAD7 )



I'm guessing it's registery related or maybe because I haven't ran the SystemcallRetriver

when I compiled the SystemcallRetriver and put it in folder with UCE run it it just blasts with this message.

Systemcaller couldn't be executed.

Stuck in 1/4 Phase while processbar still going.. then goes to Phase 2/4 with another same messagebox about couldn't be executed.. yah..

Initializing data structures
Opening the windows kernel
Get Processlist
Reading the PEProcess structures
Finding the offset for the name
name of the process was found at offset 174
Confirming the offset
The offset is correct(1)
The offset is correct(2)

Finding out the activeprocess offset
The activeprocess linked list is propably at 088
According to process2 the previous peprocess in the list is 8AA7D490
PEProcess of process1 is at 8AA7D490
This seems to be alright

Going to figure out the debugport
Failed to spawn the idle process
Going to retrieve some callnumbers used inside windows.
This will take a while and you may see the progressbar at the bottom go completly full 4 times
Phase 1/4 (please wait....)
Phase 2/4 (please wait....)
Phase 3/4 (please wait....)
Phase 4/4 (please wait....)
Followed by a inputbox with a 0 in it as default


Something about that 8AA7D490 seems familiar to blue screen number.. just a bit less