Decided to make a uce and make a log for it so you guys may learn the method I use. (it's slow, takes a lot of time and patience, but eventually works)
I start out with a half uce. (this is starting from an old Cheat Engine version, even before the 5.3 release, I had to add loadbinary to it separately)
note:
When I add a unit I remove uses from the list that haven't officially been added yet to prevent them from being compiled. That means I then have to comment out the procedures that use stuff of those units that aren't included anymore.
note2: Please understand that I don't type flawlessly so don't just copy/paste names and hope they work. You need an IQ of above 30 to be able to figure out what the real name should be.
day 1:
removed all files from the dpr except main and commented out all code and slightly resized the main window. (using (* *) to comment)
Cheat Engine undetected
adding some files back
MainUnit, ProcessWindowUnit, formsettingsunit, UndoChanges, HotkeyHandler, MainUnit2, NewKernelHandler, AddAddress,
CEFuncProc (commented out basically all code, and for each function only uncomment the needed functions),
SyncObjs2,
Debugger,
symbolhandler,
disassembler,
frmautoinjectunit ,
autoassembler
hypermode
Assemblerunit
AdvancedOptionsUnit
CommentsUnit
frmProcessWatcherUnit
debugger2
Filehandler
added aboutunit.pas. CAUSED DETECTION
commented out all code in aboutunit.pas, UNDETECTED.
Meaning, detection is inside the code
put the code back, except link to forum and link to paypal donation
uncommented paypal (most important piece of code there is) UNDETECTED, meaning that the link to the forum is detected.
Note, link to the mainsite was already commented, likely to be detected as well.
added units:
plugin
pluginexport
memorybrowser HACK ATTEMPT DETECTED
commented ALL code: hack detected. means GUI or unitname stuff
renaming unitname to mbu
noticed foundcode is used, removed it: DETECTED
removed mbu.pas from project: UNDETECTED
added mbu.pas back, and wiped the uses list DETECTED
changed object name from TMemoryBrowser to TMB, caption to Mem View
UNDETECTED
Caption or objectname is detected
Resetting objectname to TMemoryBrowser (hoping this isn't detected, else I'll have to do some replacing)
DETECTED (crap) Time to use ASR to replace it. (or manually if needed)
Renaming to MB to test it's not a fluke: UNDETECTED
Time to re-add some code
(for people using replace tools, first replace all MemoryBrowserFormUnit to mbu and then replace all MemoryBrowser to mb)
uncommented Pastefromclipboard1Click and stringtobytes (CEFuncProc)
adding units:
valuechange (DETECTED)
changing name of ValueChangeForm to VCF
HACK DETECTED, changing name back for now and comment code
commenting out all code DETECTED
also changing name DETECTED
changed caption of window to "homo" DETECTED
changed vartype to "VRTP" DETECTED
resized window DETECTED
changed combobox item values from:
1 Byte
2 Bytes
4 Bytes
8 Bytes
Float
Double
Text
Array of Bytes
to:
one
two
three
four
five
six
seven
eight
DETECTED
changed valuetext to vinput DETECTED
commented out the private and public parts of the class DETECTED
changed cbUnicode to cbu DETECTED
rename valuechange.* to vsu.* DETECTED
remove vsu.pas... UNDETECTED
adding reinit.pas UNDETECTED
adding typepopup DETECTED (perhaps detected because of form count?)
created a new form (empty) UNDETECTED
gave it the properties + components of VSU DETECTED
renamed button1 and button2 to bx and by DETECTED
setting bordericons to default DETECTED
setting borderstyle to default : bsSizeable DETECTED
changing valuetext to vltext (seems I only changed the caption) DETECTED
resizing and moving every object UNDETECTED WTF?
removed temp form, re-added vsu.pas, changed width of buttons DETECTED
changed position of buttons to the extremes DETECTED
changed WIDTHS of objects UNDETECTED
only changed the width of the combobox with items UNDETECTED
width=120=UNDETECTED
width=121=DETECTED (LOL, that's a manually set value, so for people reading this, try to set all sizes divisible by 2 (or better divisible by 8, that's delphi's default anyhow), so just juggling the width will fix it)
restored valuechange to original except width=120 DETECTED
commenting code DETECTED
changing vartype to vrt UNDETECTED (good old vartype detection I see)
commented code (but properties and function names intact) DETECTED
changed the caption UNDETECTED
Day 2:
added unit:
addressparser
APIhooktemplatesettingsfrm
changeoffsetunit
changetimers
ConfigUnrandomizerFrm
dissectcodethread
dissectcodeunit uncommenting getexecutablememoryregionsfromregion
driverlist
ExtraTrainerComponents
findwindowunit
firstscanhandler
formAddressChangeUnit
formAddToCodeList
formChangedAddresses
FormDebugStringsUnit
formDifferentBitSizeUnit
formFoundcodeListExtraUnit
formHotkeyunit
formMemoryModifier
DETECTED (ok, this isn't an important one, but just for fun trying to make it undetected)
changed caption to TM : DETECTED
changed objectname from frmMemoryModifier to MM DETECTED
changed Generate Trainer to GenTrain : DETECTED
changed "List of items in the trainer" to "doh" :DETECTED
changed widths of all objects to divisible by 5: DETECTED
ren "formMemoryModifier.*" mmu.* :DETECTED
change caption of ALL objects except memo with text cheatengine.org :DETECTED
also change memo: UNDETECTED (I'm a retard sometimes)
restored formMemoryModifier and only change memo
added units:
formMemoryTrainerAddEntry
MemoryTrainerDesignUnit
memoryregionsunit
formMemoryTrainerUnit
formPatcher*
formPointerOrPointeeUnit
formProcessInfo
formScanningUnit
foundcodeunit
frmBreakpointlistunit
frmBreakThreadUnit
injectedpointerscanunit
SaveFirstScan
uncommented some code in mainunit (Hotkey2)
added hotkeys.pas uncommented ConvertKeyComboToString DETECTED
comment out ConvertKeyComboToString DETECTED
removed hotkeys.pas to make sure it is detected UNDETECTED
commented code :detected
changed odd widths of some objects to normal widths: UNDETECTED
uncomment ConvertKeyComboToString (and the code in hotkeys.pas that uses it)
uncomment TMainForm.hotkey (+MainForm.enable/disablecheat)
uncomment TMainForm.freedebugger and TMainForm.CheckIfSaved
added PasteTableentryFRM
uncomment TMainform.Paste1Click + TMainform.paste
uncomment TMainform.Copy1Click + copySelectedRecords
uncomment freezethem + setbit
uncomment reinterpretaddresses
added InjectedpointerscanornotFRM
uncomment Findoutwhataccessesthisaddress1Click+SetReadWriteBreakpoint
uncomment Browsethismemoryregion1Click,ValueClick+changevalue
uncomment SortByTypeButtonClick+SortByValueButtonClick+Sc4nvalueoldKeyPress+checkpaste
uncomment Calculatenewvaluepart21Click :DETECTED (what a surprise, same as always)
pinpointed the detected code to the code in "if err>0 then" behind the val call
changed =-1 to not xxx>=0 UNDETECTED
of course, since it's not a very important piece of code you could just comment it out as well
uncomment code of V4rTypeChange+VarToBytes + ByteStringTo*
uncommented some more mainunit code and undetected
added pointerscannerfrm
uncommented newscan + uncomment GetMemoryRangesAndScanValue2+GetMemoryRanges2+closefiles
uncommented NextScanButtonClick
uncommented TypeClick+Deletethisrecord1Click+SortByFrozenButtonClick+SortByDescriptionButtonClick+SortByDescriptionButtonClick+deletegroups
uncommented ScanTypeChange+ScanTypeChange
uncommented DosClick +windowsclick+SpeedButton2Click
(note that 80000000 was already edited)
uncommented SpeedButton3Click+Selectallitems1Click+Freezealladdresses2Click
included opensave
uncomment actOpenExecute
uncomment actSaveExecute, hmm remember, this STARTED out as a uce, a clean Cheat Engine might get detected here
add units:
frmhotkeyconfigunit
frmExcludeHideUnit
ModuleSafetyUnit
uncommented TformSettings.Button1Click
uncommented all formsettings code
uncommented all mainunit2 code
uncommented all undochanges code
uncommenting code of newkernelhandler undetected... again, remember I started out as an old uce, usually this is detected (especially the order the functions are loaded)
test inbetween: enable kernelmode read/write processmemory
DETECTED
turn off option in settings and restart uce
UNDETECTED
this indicates that the DLL is detected
uncommented all code of addaddress
added addressparser
added frmstacktraceunit
added frmThreadlistunit
added frmCreatedProcessListUnit
uncommented all code in debug
added APIhooktemplatesettingsfrm
uncommenting all code of frmautoinject+AddAutoAssembleScript
added frmDissectwindowUnit, frmCapturedTimersUnit and frmDirectXUnit
added frmFindCodeInFileUnit and standaloneunit
uncommenting all advancedoptions code
uncommenting all frmProcessWatcherUnit code
uncommenting all debug2 code
uncommenting frmModifyRegistersUnit code
uncommented getathreadid
uncommented pluginexports
uncommented plugin
uncommented formscanning+FillListIfPossible
uncommented loadptr and loadv6 (opensave.pas)
uncommented findwindow
uncommented valuechange code
for those wondering how I find my commented code back, I do a file search for "(*" since it's used nowhere else in the code
added unit frmEnumerateDLLsUnit
frmFindstaticsUnit
savedisassemblyfrm
frmSaveMemoryRegionUnit
frmLoadMemoryunit
-
frmFillMemoryUnit
frmCodecaveScannerUnit
symbolconfigunit
Structuresfrm
-
frmDisassemblyscanunit,driverlist and ServiceDescriptorTables
uncommented create and show in memorybrowser
uncommented ALL code in memorybrowser, still undetected.
UCE GUI IS UNDETECTED and fully operational
Next step, making the dll undetected:
day3:
making the dll undetected (dbk32 folder)
first off, rename dbk32* to wii128* (and make the same adjustment in Cheat Engine's newkernelhandler.pas)
change that also in the dpr of the dll and unitname of wii128functions.pas
in gui enable settings->extra->read/write processmemory
Driver doesn't have to be present, this will just load the dll
DETECTED
removing all exports UNDETECTED
uncommenting exports
VQE,OP,OT,NOP,RPM,WPM and VAE
UNDETECTED
uncommenting exports
CreateRemoteAPC
ReadPhysicalMemory
WritePhysicalMemory
GetPhysicalAddress
GetPEProcess
GetPEThread
DETECTED
comment back
uncomment
CreateRemoteAPC
ReadPhysicalMemory
WritePhysicalMemory
UNDETECTED
uncomment
GetPhysicalAddress
GetPEProcess
GetPEThread
DETECTED
recomment
uncomment GetPhysicalAddress
uncomment GetPEProcess DETECTED
commenting code of peprocess DETECTED
renaming function from GetPEProcess to GPEP (and adjust it in newkernelhandler.pas)
UNDETECTED
uncommenting code of GPEP UNDETECTED (obviously)
uncomment GetPEThread
uncomment
ProtectMe
UnprotectMe
IsValidHandle
uncomment
GetCR4
GetCR3
SetCR3
uncommented all other functions
UNDETECTED
one extra thing, changed the iocontrol input sizes a little bit. e.g. readprocessmemory can do with a much smaller input, and writeprocessmemory can do with a much smaller output (as an extra precaution, since I heard combinations of parameters were blocked)
GUI and DLL are undetected now
----------------------------------
making the driver undetected:
edit sources.ce and only leave dbkdrvr.c
comment out MSJDispatchIoctl completely
comment out MSJUnloadDriver completely (till //unhook, so unload still works)
comment out createremoteapc
comment out AddressOfInterrupt1Handler=interrupt1; (because I need to add that source file)
and comment out the code for "//determine if PAE is used"
comment out AddSystemServices
still DETECTED, so keep on commenting out code
commented hideme routine (shouldn't matter since it's not used so not compiled)
commented out some more (especially dbgprints) and moved the folder from dbkdrvr to nvid888 and now UNDETECTED (not sure it's the folder, just doing this to be sure...)
time to re-add the code and see what's detected
uncomment setting of AddressOfKeAttachProcess in driverentry
uncomment case IOCTL_CE_OPENPROCESS:
uncomment case IOCTL_CE_OPENTHREAD:
uncomment IOCTL_CE_GETPEPROCESS:, IOCTL_CE_READPHYSICALMEMORY, IOCTL_CE_WRITEPHYSICALMEMORY
uncomment IOCTL_CE_GETPHYSICALADDRESS
uncomment IOCTL_CE_DONTPROTECTME,IOCTL_CE_SETSDTADDRESS, IOCTL_CE_GETSDTADDRESS, IOCTL_CE_GETCR3, IOCTL_CE_SETCR3
uncomment IOCTL_CE_GETSDT, IOCTL_CE_ISUSINGALTERNATEMETHOD
uncomment IOCTL_CE_GETPROCADDRESS, IOCTL_CE_ALLOCATEMEM_NONPAGED
added dbkfunc.c to the sources
uncomment IOCTL_CE_GETCR4
uncomment IOCTL_CE_GETIDT, IOCTL_CE_HOOKINTS
uncomment IOCTL_CE_USEALTERNATEMETHOD, IOCTL_CE_STOPDEBUGGING, IOCTL_CE_STOP_DEBUGPROCESS_CHANGEREG
uncomment IOCTL_CE_RETRIEVEDEBUGDATA, IOCTL_CE_DEBUGPROCESS, IOCTL_CE_DEBUGPROCESS_CHANGEREG
added processlist.c and rootkit.c to the sources file
commented out GetThreadData
uncomment IOCTL_CE_STARTPROCESSWATCH, IOCTL_CE_GETPROCESSEVENTS, IOCTL_CE_GETTHREADEVENTS
uncomment IOCTL_CE_CREATEAPC
added memscan.c to sources.ce
comment out WriteProcessMemory,GetMemoryRegionData, ReadProcessMemory and any other function not compilable due to keattachprocess2 (fixed by adding jumper.c)
added threads.c and jumper.c to sources.ce
all source files are back. Now uncomment commented out code till detected
uncomment IOCTL_CE_READMEMORY and IOCTL_CE_WRITEMEMORY
uncomment IOCTL_CE_MAKEWRITABLE, IOCTL_CE_QUERY_VIRTUAL_MEMORY
uncomment IOCTL_CE_GETPETHREAD,IOCTL_CE_PROTECTME
uncomment IOCTL_CE_SUSPENDTHREAD, IOCTL_CE_RESUMETHREAD, IOCTL_CE_SUSPENDPROCESS, IOCTL_CE_RESUMEPROCESS, IOCTL_CE_ALLOCATEMEM,
uncommented getshadowtable of the initializer ioctl
completely uncomment MSJUnloadDriver, unhook and AddSystemServices (exception of the dbgprint lines)
DETECTED
commented back addsystemservices and unhook DETECTED
comment back MSJUnloadDriver DETECTED
commented back getshadowtable UNDETECTED (isaddresssafe is called in there)
again completely uncomment MSJUnloadDriver, unhook and AddSystemServices (exception of the dbgprint lines) UNDETECTED
commented out isaddressafe
uncommented the getshadowtable code UNDETECTED
uncomment isaddresssafe from start till "UINT_PTR PTE,PDE;" UNDETECTED
uncommenting isaddresssafe completely
adding to dbkfunc.h "UINT_PTR pagedirstart;"
in driver entry add the code :
pagedirstart = 0xc0000000;
__asm { nop };
if (pagedirstart != 0xc0000000)
return FALSE; //zomfg, stack is messed
(that stupid if just to make sure it's not optimized to a static var)
replace 0xc0000000 with pagedirstart in IsAddressSafe
UNDETECTED
uncomment writeprocessmemory
uncomment ReadProcessMemory
uncomment GetMemoryRegionData
uncomment mykapc+ code to detect PAE
DRIVER UNDETECTED
getting annoying crashes with the process list
copying recent source processlist.c/.h over current ones, and no crashes.
I won't bother with debug fixes, I made a separate tool for that, which will be implemented in the full Cheat Engine version when done, not worth it in this example uce I quickly made