Problems searching, works in other memory editors.


Postby Fusion » Mon Jan 21, 2008 11:27 am

Greetings.

The new version of MHS looks great. Unfortunately, I seem to be having some problems with it. I'm playing a game that uses GameGuard (1100+ rev, I can't recall). Anyway, MHS isn't detected, and can attach and search for values. But it doesn't seem to be finding changing values properly!

Simple example, HP. I can search for it and find it. When it changes, I do a sub-search for the new value. And I get no results. At first I thought this must be something to do with the high GameGuard revision. But I tried emulating it to a previous version where I'm 100% certain it works with other memory editors (specifically, Cheat Engine). And yet, MHS can't do it, for some reason.

Perhaps I'm just doing something wrong? I'm only trying to find a changing value. In Cheat Engine I'd do a two-byte search for my HP, let it change, and re-search. And it'd find it. In this, I'm doing an unsigned short search, let it change, and re-search - and I get nothing.

Any suggestions? Thank you.

Edit: It just seems, I dunno, wrong. I'm uncertain, but by turning on 'anything readable' search, it seems to help, and I can narrow down the search. But locking/changing the value does nothing.
Fusion
Posts: 42
Joined: Mon Oct 08, 2007 8:48 am
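The first-scan / sub-search workflow described in the post above, run over two constructed memory snapshots (an added example, not code from MHS or Cheat Engine; the snapshots, offsets and values are made up for illustration):

```python
import struct

# Constructed snapshots standing in for two reads of the same region of a
# process's address space (not real game data). The "HP" lives at the odd
# offset 7; a decoy at offset 2 and a constant at offset 12 match the first
# search but not the second, which is what the sub-search is meant to exploit.
def make_snapshot(hp: int, decoy: int) -> bytes:
    buf = bytearray(24)
    struct.pack_into("<H", buf, 2, decoy)   # decoy: same as HP only at first
    struct.pack_into("<H", buf, 7, hp)      # the real, unaligned HP value
    struct.pack_into("<H", buf, 12, 350)    # unrelated constant that never changes
    return bytes(buf)

SNAPSHOT_1 = make_snapshot(hp=350, decoy=350)  # first search: HP is 350
SNAPSHOT_2 = make_snapshot(hp=287, decoy=350)  # HP dropped to 287, rest unchanged

def first_scan(mem: bytes, value: int) -> set[int]:
    """Every byte offset where a little-endian unsigned short equals value.
    Every offset is tried, not only even ones: nothing guarantees the target
    is 2-byte aligned, and an aligned-only scan would miss offset 7 here."""
    pat = struct.pack("<H", value)
    return {i for i in range(len(mem) - 1) if mem[i:i + 2] == pat}

def sub_search(mem: bytes, candidates: set[int], value: int) -> set[int]:
    """Narrow the candidate set to offsets that now hold the new value."""
    pat = struct.pack("<H", value)
    return {i for i in candidates if mem[i:i + 2] == pat}

def changed_only(old: bytes, new: bytes, candidates: set[int]) -> set[int]:
    """Narrowing when the exact new value is unknown: keep offsets whose
    two bytes differ between the snapshots (the 'changed value' filter)."""
    return {i for i in candidates if old[i:i + 2] != new[i:i + 2]}

if __name__ == "__main__":
    c1 = first_scan(SNAPSHOT_1, 350)            # {2, 7, 12}: three candidates
    c2 = sub_search(SNAPSHOT_2, c1, 287)        # {7}: only the real HP survives
    print(sorted(c1), sorted(c2), sorted(changed_only(SNAPSHOT_1, SNAPSHOT_2, c1)))
```

If the sub-search returns an empty set even though the value visibly changed, the reads are not coming from the process you think you opened, which is the direction the replies below take.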

Postby L. Spiro » Mon Jan 21, 2008 11:49 am

Be sure you have opened the correct process.
nProtect Game Guard makes fake copies of the target process and wants you to open them (which is why it leaves one in the main list).
You have to select from All, and NOT the one in the main list.

Furthermore, use Anything Readable and ensure you are using the kernel-mode functions for reading/writing RAM.


L. Spiro
L. Spiro
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby Fusion » Mon Jan 21, 2008 11:52 am

L. Spiro wrote: Be sure you have opened the correct process.
nProtect Game Guard makes fake copies of the target process and wants you to open them (which is why it leaves one in the main list).
You have to select from All, and NOT the one in the main list.

Furthermore, use Anything Readable and ensure you are using the kernel-mode functions for reading/writing RAM.


L. Spiro


Thank you for your swift response! I am indeed using the kernel-mode functions, and 'anything readable'. I'm also selecting from the 'all' list - in fact, I don't see the process in the main list at all.

I can find addresses with 'anything readable', but I can't modify or lock them.

Postby L. Spiro » Mon Jan 21, 2008 12:14 pm

Probably a virtual address protection. I plan to add a “force write operations to succeed” feature but after this.
It is a risky feature and I have to be sure the current risky features are already working.


From the sounds of things they are. Although some features are not working 100% on protected processes, at least no one is getting a blue screen, so I will soon continue with the development of the anti-anti-cheat.

This release really wasn’t meant to be 100% done. Just done enough for most cases.


L. Spiro

Postby Fusion » Mon Jan 21, 2008 12:15 pm

Ah... I thought you said you'd personally tested it on the latest GameGuard revision?

Postby L. Spiro » Mon Jan 21, 2008 12:29 pm

I have.
But I only downloaded the game to test it with MHS. I do not know how to play it and do not have any values to find.

I test for ability to open and ability to find.
I can modify what I find but it does nothing in the game, so I assume I found a wrong address and leave it be.

When I change the values I find, it works as far as actually changing the RAM, but the game shows no change. There could be any number of reasons for this, and may take a lot of my time to study, so for now I leave it be.

To research this I need to put my project on my work computer and I have not had time to do it (as I have been extra busy just making the features for this version).
If someone knows more about how nProtect Game Guard works then he or she may feel urged to post it.

Anyway, there are more things I can still add, but as I said I wanted to be sure the current things are already working.
This is a very serious issue—this release does some very serious work in the kernel and if anything over the 12,000 lines of code used to do it goes wrong…


L. Spiro

Postby Fusion » Mon Jan 21, 2008 12:43 pm

Ah. That's disappointing, I thought this release was finally able to get past GameGuard. Any estimate as to when you'll be able to fix this issue?

Postby L. Spiro » Mon Jan 21, 2008 1:51 pm

Next release or two.

If my plans for the next few features do not fix this problem I will study it on my work computer.


Anyway, inability to write to the target is probably a good thing.
It is not going to bypass CRCs, and modifying the game RAM could probably trigger some anti-cheat detection.


L. Spiro


[EDIT]
I just looked into it on my lunch break.
I see what it is doing and am surprised it took them so long to do this.
I almost had the bypass for this in this release but decided to hold off until they actually did this.
I may make a patch for it tonight; this is a simple thing to bypass and I should have taken the 10 extra minutes to put it into this release.
[/EDIT]

Postby Fusion » Mon Jan 21, 2008 1:59 pm

L. Spiro wrote: [EDIT]
I just looked into it on my lunch break.
I see what it is doing and am surprised it took them so long to do this.
I almost had the bypass for this in this release but decided to hold off until they actually did this.
I may make a patch for it tonight; this is a simple thing to bypass and I should have taken the 10 extra minutes to put it into this release.
[/EDIT]

I'd really appreciate it, if you could!

Postby L. Spiro » Mon Jan 21, 2008 7:18 pm

Great news!

My little patch needs a small extra feature to be complete, so it won’t be ready for another 15 hours since I am going home now and will not be able to test anything I make until I get back to work.


What I have now works 50%, but unfortunately that causes it to blue screen at the other end of the 50%.


The addition will also enhance the rest of the anti-anti-cheats.


L. Spiro

Postby L. Spiro » Tue Jan 22, 2008 9:08 pm

I have made ground but not enough.

Judging from the things I saw, are you sure other memory searchers are working?
They inline-hook both KeAttachProcess and KeStackAttachProcess, to a few levels of recursion. And they detect if you remove the hooks or do other basic things that other software would be doing.

The bypass for their new system is only possible for a few very advanced programs (IDA, Cheat Engine, and MHS), and MHS is the only one that actually employs it.

All custom versions of ReadProcessMemory have to go through one of these functions, and PsLookupProcessByProcessId (used to look up processes by their ID, returns a PEPROCESS) also uses KeStackAttachProcess (there is no hook on PsLookupProcessByProcessId because they rely on the fact that it calls KeStackAttachProcess).

NtOpenProcess calls PsLookupProcessByProcessId which calls KeStackAttachProcess, which is multi-layer hooked with remove protection.

The point, in short, is that the only way to get around all of this involves a very advanced mechanism (since MHS has and uses this very advanced mechanism I will not be explaining what it is) which is not actually used in either of the other two programs capable of implementing it.


The good news is that MHS 4.0.0.13 was specifically designed for getting around these kinds of hooks, as I have been waiting for them to implement these for a long time and have always been amazed they never did.

However these hooks are not really easy to find with the tools available and I will have to make an addition to MHS to help me study what other things they have done. MHS is currently equipped to handle any bypass system they care to implement, but I need better tools for research to know what I need to be bypassing.

But back to the good news. Once I do bypass these things:
#1: MHS will be the only software that bypasses them, as far as I can see, though I guess it could be done some other way specific to nProtect Game Guard. But I only deal with general solutions.
#2: The methods MHS employs to bypass are resolute. There is no counter for what MHS does, meaning it won’t be some temporary bypass that will get patched out in a month. The bypass is designed for the future and works with scripts as well to ensure an evolving paradigm, and the research tools I am about to implement will also work closely with scripts so that others may get involved with researching anti-cheat protections.


*NOTE*
The words in this post were carefully chosen for those of you working at nProtect who I am already aware are visiting this site. Hi.
L. Spiro

Postby Fusion » Wed Jan 23, 2008 12:26 am

So still no update? Any time estimate, then? :<

L. Spiro wrote: Judging from the things I saw, are you sure other memory searchers are working?

Well, I tested changing memory with the latest GameGuard revision and with an emulated 905. Neither worked with MHS, and I'm certain Cheat Engine works on 905. The latest revision could have stopped it, but 905 worked in any case, where MHS doesn't. For me, anyway.

Edit: Saw this post in another thread.
L. Spiro wrote: You will probably have to wait a few days or a week for me to add the correct bypasses to MHS.

Ah, I see. Well, I would greatly appreciate it if you could add it as soon as possible. Though I guess it can't be rushed.

Postby L. Spiro » Wed Jan 23, 2008 10:00 am

The latest is 1136, and I am 99% positive no other memory searcher will work with it; I tested Cheat Engine 5.4 myself and am positive none of the Undetected Cheat Engines will work any better since I know what nProtect Game Guard hooked.

You can’t emulate older versions for long either.


But I only need a little time to add the researching tools and then to continue from there into the bypass.


L. Spiro

Postby Fusion » Wed Jan 23, 2008 10:02 am

The game I am playing has version 1144. But yes, okay. Thanks.

Postby L. Spiro » Wed Jan 23, 2008 10:23 am

I thought it updated itself automatically each time you start it.
Mine just uses 1136, but good enough.


L. Spiro