
Thread: [tut] Damned ring0!

  1. #1
    Noob
    Reputation
    4

    Joined
    Sep 2009
    Posts
    45

    Default [tut] Damned ring0!

    How many times have we come across games written in such a way as to make memory scanning impossible, because of a double process?

    There are in fact programmers who, to put it simply, create a second process that continuously debugs the game's real thread, generating exceptions blah blah blah, thus making it impossible to attach a ring0 memory scanner.

    To put it in commercial terms, it is a mechanism very similar to the one used by Armadillo, which some of you will know precisely because it was adopted by Metin in this period, then replaced by the cheaper Asprotect, the big brother of aspack.

    Well, the tutorial below explains exactly how to "get around" this protection, making it possible to attach the memory scanner, in this case Cheat Engine 5.0. The tutorial is in English but very easy to understand.



    Tools needed:
    - Cheatengine 5.0 (found in the tools thread)

    The following method will be divided in 2 parts, since the method is different depending on what CPU you have. One part is used for AMD Athlon family (XP, 64bit...), the other is for the rest (all Intel, AMD Sempron etc...)
    Also, this method has only been tested on Windows XP Service Pack 2. So I can't guarantee it will work on any other system.


    Method:
    1. Run Cheatengine and open the "Settings" window. Go to "extra" and check "Read/Write process memory". Click "Ok"

    Note: Ignore the message saying "...some functions may not completely work" since you don't really need those functions for this anyway.

    2. Open the processlist (top right of the main CE window). Open the game process from the list by double-clicking it. Do not attach it.

    3. In the main CE window, double-click the text in the middle top where it gives you the PID and process name (IE: 00001214-BF2.EXE) and write down the PEProcess address.

    4. Open the "Memory view" window. In the lower part of the window (Hex View) right click anywhere and select "Goto address". Enter the address you wrote down and add the hex number BC ie: 85528BC0+BC.

    NOTE: The offset "BC" may be different on other versions of Windows or SP1.

    Until this step everything is the same for Athlon as well as other CPU users.
    If you have an Athlon CPU, follow the following steps; if you have some other CPU, go to step 5b.

    5a. IE: If the address you wrote down was 85528BC0 you should have the address 85528C7C (85528BC0+BC) at the top left of the Hex View window.
    To the right of this address, all you see as hex code is a bunch of "??". That's perfectly normal, don't worry. Above the addresses in the Hex View window you'll also see something called "Physical address", write down that address (ie: 551977C)

    6a. Exit the Memory Viewer and open the process list again. Double-click the "[Physical Memory]" process.

    7a. Open the Memory Viewer and this time enter the physical address in the "goto address" field.

    8a. You'll now see the physical address as the first line in your hex view. After that address you'll see 4 sets of hex numbers (ie: 68 72 75 85). The list of numbers goes on, but you need to change those 8 numbers to 0s (ie: 00 00 00 00).

    You'll now be able to attach Olly, or any other debugger as well for that matter.


    5b. IE: If the address you wrote down was 85528BC0 you should have the address 85528C7C (85528BC0+BC) at the top left of the Hex View window.
    To the right of this address, you'll see 4 sets of hex numbers (ie: 68 72 75 85). The list of numbers goes on, but you need to change those 8 numbers to 0s (ie: 00 00 00 00).

    You'll now be able to attach Olly, or any other debugger as well for that matter.

    Troubleshooter:
    CheatEngine is not the most stable program ever, so it tends to show a warning box saying "Access violation at address..." sometimes. To solve this, enter the settings window and just click "OK".

    Outro:
    This method can also be used to attach multiple debuggers to the same process, like T-Search Autohack and Ollydbg at the same time!

  3. #2
    GabriPr0's avatar Coder
    Reputation
    35

    Joined
    Apr 2009
    Location
    Livorno
    Posts
    710

    Default

    Good guide.. but the best thing would be to unpack the file!
    Looking for the collection of all my guides or the latest hack I posted?
    Visit gabripr0.altervista.org



  4. #3
    Noob
    Reputation
    4

    Joined
    Sep 2009
    Posts
    45

    Default

    Well yes, but sometimes for hit-and-runs xD
