| View previous topic :: View next topic |
| Author |
Message |
soggytoast111
Cheater
![]() Reputation: 0
Joined: 25 Sep 2020
Posts: 26
|
 Posted: Wed Sep 30, 2020 8:16 am Post subject: Anti Cheat detecting dbk64.sys driver |
 |
|
Hi, I'd like to use kernel mode features on a game that I'm trying to hack, unfortunately the anticheat is giving me some trouble.
I can get cheat engine to run using the usual stealth methods (hex edit to change all references of "cheat engine" to something else). But when I try to activate DBVM the game immediately crashes. Even if I close cheat engine, the game won't boot until I actually unload the dbk64 driver.
I've been reading up on a lot of ways to bypass anticheat, but nothing so far seems to mention detecting the kernel mode driver. Any ideas on how I could possibly get around this?
|
|
| Back to top |
|
 |
Dark Byte
Site Admin
 Reputation: 470
Joined: 09 May 2003
Posts: 25806
Location: The netherlands
|
| Posted: Wed Sep 30, 2020 8:20 am Post subject: |
|
|
the easiest method to hide ce's driver is to go to PsLoadedModules, go to the last entry of the list, and then adjust the size of CE's driver to very small . The most common tools that scan ce's driver will then fail
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
soggytoast111
Cheater
![]() Reputation: 0
Joined: 25 Sep 2020
Posts: 26
|
| Posted: Wed Sep 30, 2020 1:12 pm Post subject: |
|
|
Just tried that now. Nope, doesn't work.
I also set the size to very large and changed the name - game still won't start.
Is it possible to actually change the filename?
Edit: Scratch that - changed the path in PsLoadedModuleList too but it still won't load. Grr.
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 470
Joined: 09 May 2003
Posts: 25806
Location: The netherlands
|
| Posted: Wed Sep 30, 2020 1:21 pm Post subject: |
|
|
yes, if you provide a driver64.dat file in the ce folder you can rename it
| Code: |
servicename
processeventname
threadeventname
sysfile
vmx_p1_txt
vmx_p2_txt
ultimapservicename
ultimapsysfile
|
the default when the file is not present:
| Code: |
CEDRIVER60
DBKProcList60
DBKThreadList60
dbk64.sys
76543210
fedcba98
ULTIMAP2
ultimap2-64.sys
|
So if you just rename dbk64.sys to bla.sys you have to change the name in the driver64.dat file then as well
(you may want to change the cedriver60 part as well)
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
soggytoast111
Cheater
![]() Reputation: 0
Joined: 25 Sep 2020
Posts: 26
|
| Posted: Wed Sep 30, 2020 7:47 pm Post subject: |
|
|
Nope, unfortunately it didn't work 
Do you think I've set it up properly?
ibb(dot)co/LJ0w4Gs
Just to confirm, after doing this I ran Kernelunloader.exe and the game booted up fine. It's definitely detecting the driver somehow.
Any other suggestions? Thanks for the help in any case.
Edit - updated screenshot for better quality.
Last edited by soggytoast111 on Thu Oct 01, 2020 5:50 am; edited 1 time in total |
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 470
Joined: 09 May 2003
Posts: 25806
Location: The netherlands
|
| Posted: Wed Sep 30, 2020 11:21 pm Post subject: |
|
|
Try changing the path to the sys file to an unrelated driver file
Also,i'm currently on my phone and the imgur picture quality is so bad i can't see the offset used for SizeOfImage (edit: seems to be correct)
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping
Last edited by Dark Byte on Thu Oct 01, 2020 4:59 am; edited 1 time in total |
|
| Back to top |
|
|
blankTM
Cheater
![]() Reputation: 1
Joined: 03 May 2020
Posts: 49
|
| Posted: Thu Oct 01, 2020 1:27 am Post subject: Re: Anti Cheat detecting dbk64.sys driver |
|
|
If you are win10 2004, you can try
| Code: |
EXE='csrss.exe'
TOKEN = 0x4B8
PROTECTION = 0x87A
CheatEngineProcessID=getCheatEngineProcessID()
dbk_initialize()
dbk_useKernelmodeOpenProcess()
dbk_useKernelmodeProcessMemoryAccess()
PEProcess=dbk_getPEProcess(getProcessIDFromProcessName(EXE))
CEPEProcess=dbk_getPEProcess(CheatEngineProcessID)
System=dbk_getPEProcess(0x4)
openProcess(CheatEngineProcessID)
writePointer(CEPEProcess+TOKEN,readPointer(System+TOKEN))
writePointer(CEPEProcess+PROTECTION,readPointer(PEProcess+PROTECTION))
|
|
|
| Back to top |
|
|
soggytoast111
Cheater
![]() Reputation: 0
Joined: 25 Sep 2020
Posts: 26
|
| Posted: Thu Oct 01, 2020 8:19 am Post subject: Re: Anti Cheat detecting dbk64.sys driver |
|
|
| blankTM wrote: | If you are win10 2004, you can try
| Code: |
EXE='csrss.exe'
TOKEN = 0x4B8
PROTECTION = 0x87A
CheatEngineProcessID=getCheatEngineProcessID()
dbk_initialize()
dbk_useKernelmodeOpenProcess()
dbk_useKernelmodeProcessMemoryAccess()
PEProcess=dbk_getPEProcess(getProcessIDFromProcessName(EXE))
CEPEProcess=dbk_getPEProcess(CheatEngineProcessID)
System=dbk_getPEProcess(0x4)
openProcess(CheatEngineProcessID)
writePointer(CEPEProcess+TOKEN,readPointer(System+TOKEN))
writePointer(CEPEProcess+PROTECTION,readPointer(PEProcess+PROTECTION))
|
|
Just paste this into LUA Engine? I tried that but I'm not sure if it did anything and it didn't fix the problem unfortunately .
By the way, doing more research I think the anti-cheat system is called "CrackProof" - anyone else ever heard of this or have any known workarounds?
|
|
| Back to top |
|
|
blankTM
Cheater
![]() Reputation: 1
Joined: 03 May 2020
Posts: 49
|
| Posted: Thu Oct 01, 2020 3:03 pm Post subject: Re: Anti Cheat detecting dbk64.sys driver |
|
|
| Please tell me what game this is, it may be anti-debugging
|
|
| Back to top |
|
|
soggytoast111
Cheater
![]() Reputation: 0
Joined: 25 Sep 2020
Posts: 26
|
| Posted: Thu Oct 01, 2020 3:40 pm Post subject: Re: Anti Cheat detecting dbk64.sys driver |
|
|
| blankTM wrote: | | Please tell me what game this is, it may be anti-debugging |
Please PM me, I'd rather not talk about this in public.
|
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
