[TUTORIAL]HOW TO MAKE UCE [undetectable cheats]

Old   #1
 
elite*gold: 0
Join Date: Nov 2011
Posts: 576
Received Thanks: 64
[TUTORIAL]HOW TO MAKE UCE [undetectable cheats]

Mental's Tutorial On How To Make A UCE

1. Let's learn about what UCE actually is!
UNDETECTED CHEAT ENGINE
It's the same version, the same thing as the original Cheat Engine, only that we
will change the detected strings and files with undetected ones. This may
be confusing for now, but you will understand in the following process.

2. Strings
STRING LINES OF UCE AND CE
Strings are lines, words that are found in Cheat Engine's source code.
These words make CE a UCE, that is, if you change them properly. PB
is set to detect these words, and by changing them to different ones
that aren't in their logs we make our CE a UCE. These words, once compiled,
make DLL library files and EXE application files that we can then run and
use for hacking and so on.

3. Preparation
3a. Knowledge and Skillz
- Bit Understanding
- Don't Touch What You Don't Know What Works
- Don't Be a Noob
- Run Some Music While You Are Working
- Take All Your Little Brothers and Sisters away
- You Need Peace, Concentration, Strong Will
- Decide What Will Be the name of your UCE

3b. Tools Of Need
- Windows DDK -- > Download Here
- Delphi 7 -- > Download Here
- Actual Search And Replace -- > Download Here
- Cheat Engine 5.2 Source Code -- > Download Here
- A picture for a background, custom icon, and idea of about box.
- Paint or Photoshop for better graphics rofl

Preparing your workspace!
Install DDK, Delphi 7 and Actual Search And Replace.
Go to your main hard disk (C:, H:, whatever) and extract the
Cheat Engine source code there.

Getting Started :


You Can Skip This Part If you are Making it For PB and go down to PART-2

1. UCE Tutorial [DEBUGGER FIXES]
Ok, the first debugger fix is given to us by DarkByte, and is for GameGuard Revision 822/826. We will not be doing the interrupt fix right now, because it is included in 833 fix.

Download and extract to your DBKKernel folder:

Open memscan.c and add #include "jumper.h" to the list of #includes,
Open DBKDRVR.c and add #include "jumper.h" to the list of #includes.

Keep DBKDRVR open, because we now have to fix memaccess.

Search the word "driverentry" in dbkdrvr.c; now replace "driverentry" in the search box with "return ntstatus;". Press find until you come to the 3rd one and add this code before it.

{
UNICODE_STRING y;
RtlInitUnicodeString(&y, L"KeAttachProcess");
AddressOfKeAttachProcess=MmGetSystemRoutineAddress (&y);
}


So it looks like

ExFreePool(BufDriverString);
ExFreePool(BufProcessEventString);
ExFreePool(BufThreadEventString);


ZwClose(reg);
{
UNICODE_STRING y;
RtlInitUnicodeString(&y, L"KeAttachProcess");
AddressOfKeAttachProcess=MmGetSystemRoutineAddress (&y);
}

return ntStatus;



NEXT SEARCH
For this line UINT_PTR *processid
and add this code :

Code:
if (*processid==0xdeadbeef)
{
    *(PULONG)Irp->AssociatedIrp.SystemBuffer=(ULONG)&AddressOfKeAttachProcess;
    ntStatus=STATUS_SUCCESS;
    break;
}

So it looks like:

{
    UINT_PTR *processid;
    PEPROCESS selectedprocess;

    processid=Irp->AssociatedIrp.SystemBuffer;

    if (*processid==0xdeadbeef)
    {
        *(PULONG)Irp->AssociatedIrp.SystemBuffer=(ULONG)&AddressOfKeAttachProcess;
        ntStatus=STATUS_SUCCESS;
        break;
    }

    if (PsLookupProcessByProcessId((PVOID)(*processid),&selectedprocess)==STATUS_SUCCESS)
        *(PULONG)Irp->AssociatedIrp.SystemBuffer=(ULONG)selectedprocess;
    else
        *(PULONG)Irp->AssociatedIrp.SystemBuffer=0;

    ObDereferenceObject(selectedprocess);
    ntStatus= STATUS_SUCCESS;
    break;
}

Open Source.ce and add jumper.c to the list.

After this is done, open Mainunit.pas in your main CE folder...Add the word "disassembler" to the list of uses.

Now search for the line procedure TMainform.FormCreate(Sender: TObject);

Before it add this whole thing :

Code:
procedure fixmemaccess;
var KeAttachProcessAddress,x: dword;
    s: string;
    sl: tstringlist;

    KiAttachProcessAddress: dword;
    a,b: boolean;
    i: integer;
    DriversKeAttachProcessAddressAddress: dword;
    oldprocesshandle: dword;
begin
  oldprocesshandle:=processhandle;
  try
  loaddbk32;
  UseDBKReadWriteMemory;
  //query is needed too to scan, but thats up to the user

  processhandle:=newkernelhandler.OpenProcess(PROCESS_ALL_ACCESS,false,GetCurrentProcessID);

  //I don't even have to adjust the jxx instructions since all of them point to when it fails, so thats ok
  KeAttachProcessAddress:=dword(GetKProcAddress('KeAttachProcess'));
  KiAttachProcessAddress:=0;

  sl:=tstringlist.Create;
  x:=KeAttachProcessAddress;

  a:=symhandler.showmodules;
  b:=symhandler.showsymbols;

  symhandler.showmodules:=false;
  symhandler.showsymbols:=false;


  sl.Add('Kalloc(mymem,4096)');
  sl.add('Kalloc(mymem2,4096)');
  sl.add('');
  sl.add('mymem2:');

  sl.add('');
  sl.add('mymem:');

  s:='';
  while (x<KeAttachProcessAddress+$200) and (s<>'ret 0004') do
  begin
    s:=disassemble(x);
    s:=copy(s,pos('-',s)+2,length(s));
    s:=copy(s,pos('-',s)+2,length(s));

    if pos('call 8',s)>0 then
    begin
      KiAttachProcessAddress:=strtoint('$'+copy(s,pos(' ',s)+1,length(s)));
      s:='call mymem2';
    end;

    sl.Add(s);
  end;

  //now generate the jumper for KiAttachProcess
  if KiAttachProcessAddress=0 then raise exception.Create('No KiAttachProcess call found');
  x:=KiAttachProcessAddress;
  i:=4;

  while (x<KiAttachProcessAddress+5) do
  begin
    s:=disassemble(x);
    s:=copy(s,pos('-',s)+2,length(s));
    s:=copy(s,pos('-',s)+2,length(s));
   
    sl.Insert(i,s);
    inc(i);
  end;
  sl.Insert(i,'jmp '+inttohex(x,8));

  DriversKeAttachProcessAddressAddress:=getpeprocess($deadbeef);
  if DriversKeAttachProcessAddressAddress=0 then raise exception.Create('OMG YOU LOSER!');

  sl.Add('');
  sl.Add(inttohex(DriversKeAttachProcessAddressAddress,8)+':');
  sl.add('dd mymem');

  symhandler.showmodules:=a;
  symhandler.showsymbols:=b;

  if not autoassemble(sl,false) then raise exception.create('Auto assembler error.');

  finally
    processhandle:=oldprocesshandle;
  end;
end;
For 5.2 users....add the line "fixmemaccess;" right before the line "hotkeypressed:=-1;" which is right after "procedure TMainForm.FormCreate(Sender: TObject);"

For 5.3 users....add the line "fixmemaccess" right after the line "pluginhandler:=TPluginhandler.create;"

Now download fixmemfiles.rar and extract all to the Main CE source folder...Replace all.


That is all for the Register Fixes...

FOR UNDETECTING IN REV 878:

Code that is detected for rev 833 in mainunit.pas:

if err>0 then
begin
if res=-1 then
begin

end;

ok:=res=mryes;

if (res=mryes) or (res=mrno) then
res:=-1; //reset
end
else
ok:=true;


end else ok:=true;

(it may be a bit different in CE 5.2)

Add more variables and junk code. My code that is undetected is this(5.2): (this color means i added or changed it)

if err>IQ then
begin
if res=X then
begin
res:=messagedlg('The record with description '''+memrec[i].Description+''' has as interpretable address '''+memrec[i].interpretableaddress+'''. The recalculation will change it to '+symhandler.getNameFromAddress(memrec[i].Address+calculate,true,true)+'. Do you want to edit it to the new address?',mtconfirmation,[mbyes,mbno,mbNoToAll,mbYesToAll,mbCancel],0);
if res=mrcancel then exit;
end;

ok:=res=mryes;

if (res=mryes) or (res=mrno) then
res:=X; //reset
end
else
ok:=true;

and under variables i put:

var newaddress:dword;
calculate: Integer;
i,j,err: Integer;
selectedi: Integer;
X: Integer;
IQ: Integer;

firstispointer,dontdopointers: boolean;
re: string;
ok: boolean;

res: integer;

After the first begin:

begin
res:=-1;
X:=-1;
X:=X;
IQ:=0;
IQ:=IQ;

//first find out how many where selected.(from here on i didnt touch)
i:=0;
selectedi:=0;
while (i<numberofrecords) and (selectedi<2) do
begin

(you can do the same thing for 5.3, just edit the IQ and X part...)

REV 878 FIX:

The code that is detected in disassembler.pas:

function disassemble(var offset: dword; var description: string): string; overload;
var memory: TMemory;
actualread: dword;
startoffset: dword;
tempresult: string;
tempst: string;
wordptr: ^word;
dwordptr: ^dword;
dwordptr2: ^dword;
singleptr: ^single;
doubleptr: ^double;
extenedptr: ^extended;
int64ptr: ^int64;
i,j: integer;

prefix: TPrefix;
prefix2: TPrefix;
isprefix: boolean;

last: dword;
foundit: boolean;
begin
result:=inttohex(offset, 8 ) + ' - ';

Change it to this:

function disassemble(var offset: dword; var description: string): string; overload;
var memory: TMemory;
actualread: dword;
startoffset: dword;
tempresult: string;
tempst: string;
wordptr: ^word;
dwordptr: ^dword;
dwordptr2: ^dword;
singleptr: ^single;
doubleptr: ^double;
extenedptr: ^extended;
int64ptr: ^int64;
i,j: integer;

prefix: TPrefix;
prefix2: TPrefix;
isprefix: boolean;

last: dword;
foundit: boolean;

//just added this few lines to increment the bytes
A:string;
B:string;
C:string;
D:string;
E:string;
F:string;
G:string;
H:string;
K:string;
L:string;
M:string;
//just added this few lines to increment the bytes
begin

//just added this few lines to increment the bytes
A:='a';
B:='b';
C:='c';
D:='d';
E:='e';
F:='f';
G:='g';
H:='h';
K:='k';
L:='l';
M:='m';
//just added this few lines to increment the bytes

result:=inttohex(offset, 8 ) + ' - ';

(thanks to sphere90 for this disassembler fix)

Part 2

MAKING YOUR CE UNDETECTABLE

1A)Find and open Driver.dat in the main source of your CE with notepad and replace the following strings...
CEDRIVER53 ----> Whatever1 (Strings may be different for 5.2 Source, but you get the concept)
DBKProcList53 ----> Whatever2
DBKThreadList53 ----> Whatever3
dbk32.sys ----> Whatever.sys

1B)Find and open DBKDrvr.c in your DBKKernel folder and search for "hideme" (the second one down)



You will see "//hideme(DriverObject)" Remove the // from hideme (aka uncomment)

This MAY cause the Blue Screen Of Death (BSOD)...If it does, there is a fix where you don't have to uncomment hideme, but that is private.

1C)Find and open Sources and sources.ce in the DBKKernel Folder with notepad and replace the following:
"TARGETNAME=DBK32" to "TARGETNAME=Whatever" ("whatever" being a random string, but try to be consistent)

1D) Using ASR, Path (Main Source Folder) with the mask (memscan.c; DBKDrvr.c),
(Include Subfolders)
search and replace the following:

KeStackAttachProcess((PKPROCESS)selectedprocess,&apc_state); ----> KeAttachProcess((PEPROCESS)selectedprocess);

KeUnstackDetachProcess(&apc_state); ----> KeDetachProcess();

1E)Fixing ioctl:

Using ASR, Path (Main Source Folder) with the mask (DBKDrvr.c; dbk32functions.pas),
search and replace the following:
(Include Subfolders)(untick the "Whole Word" function for this fix only!)

0x080 ----> 0x087 (you can replace the 7,8,9 with whatever number you want, but 789 works the best)
0x081 ----> 0x088
0x082 ----> 0x089

$080 ----> $087
$081 ----> $088
$082 ----> $089

If you already did the debug fixes, you can proceed to this step...

2) First, copy your dbkkernel path and place your main CE folder in the C:\ Drive, with the name "CE".

Then go to START --> All Programs --> Development kits --> WinDDK --> Build Environments --> Windows XP --> Windows XP Free Build Environment
If you use Windows 2000 or another OS choose the appropriate one...

Next, type in cd "space" then right click and press paste...

If you did this right, C:\WinDDK\numbers, will change to C:\ce\dbkkernel

Next, type "ce" and you will start compiling whatever.sys


3a ) Open "dbk32.dpr" in the dbk32 Directory with Delphi. Then we open the "Project Manager" under "VIEW" and expand "dbk32.dll" and double click on "DBK32functions" to open it.
Replace the following in DBK32functions.
CEDRIVER53 >>> Whatever1 (for 5.2 source search CEDRIVER51 instead of CEDRIVER53)
DBKProcList53 >>> Whatever2
DBKThreadList53 >>> Whatever3
Now save all and close all.
Next, using ASR, Path (Main Source Folder) with the mask (*.*), search and replace the following. (Include Subfolders)
dbk32.sys >>> Whatever.sys
dbk32.dll >>> Whatever.dll


Now we will replace all those mentioned strings to something else using ASR, Path (Main Source Folder) with the mask (dbk32.dpr; dbk32functions.pas) (Include Subfolders).
VQE ---> Whatever4
OP ---> Whatever5
OT ---> Whatever6
NOP ---> Whatever7
RPM ---> Whatever8
WPM ---> Whatever9
VAE ---> Whatever10

For a full lists of strings download this: strings.rar

Once you have gone through the entire list of strings, change the mask to (newkernelhandler.pas). Instead of changing the strings normally like this:

VQE ---> Whatever4
OP ---> Whatever5
OT ---> Whatever6
NOP ---> Whatever7
RPM ---> Whatever8
WPM ---> Whatever9
VAE ---> Whatever10

Change the strings like this:

'VQE' ---> 'Whatever4'
'OP' ---> 'Whatever5'
'OT' ---> 'Whatever6'
'NOP' ---> 'Whatever7'
'RPM' ---> 'Whatever8'
'WPM' ---> 'Whatever9'
'VAE' ---> 'Whatever10'

Note that the quotes are VERY IMPORTANT, as with the mask as newkernelhandler.pas, and you are not using the quotes, you are going to get undeclared functions in the other files, giving a big hassle to change them all. It will still be undetected doing it using this method, so no need to worry whether or not it will be detected. If you are too lazy, you might get unpalatable results with the undetecting of the UCE. Ok, that is all I have to say. (i was too lazy to explain it...thanks to flawedmatrix)

3b)Save the DBK32functions.pas and DBK32.dpr in new names.

With DBK32functions.pas and DBK32.dpr opened in Delphi. Go "FILE> Save As".
(These are only my changes, you can change to other names)

DBK32.dpr >>> Whatever.dpr (according to my change list "Whatever.dll")(Save in dbk32 folder)
You will see that the "library DBK32;" has been changed to "library Whatever;"

DBK32functions.pas >>> Whateverfunctions.pas (Save in dbk32 folder)

After this you will see that Whatever.dpr's "uses" and Project Manager, DBK32functions.pas will be changed to whateverfunctions.pas.

Now save all and close all.

Now open Whatever.dpr in Delphi, you compile Whatever.dll. Go "Project> compile whatever" or Ctrl+F9.

It's OK to get "Hint" or "Warning", but if you get "Error" go recheck your steps again, because you have made a mistake or forgot to change something somewhere.

If you do not get any Errors, your Whatever.dll will be at the main CE Source Directory.

3c) Next using ASR, Path (Main Source Folder) with the mask (*.*), search and replace "myhook". (Include Subfolders)

Rename the myhook in CEHook.dpr and hypermode.pas only to Whatever54.

Now open up CEHook.dpr in CEHook Directory with Delphi
(Note:For Borland users, you need to delete/comment out "system;" under "USES")

Then Compile CEHooK.dpr.

3d ) Next open up stealth.dpr in the stealth Directory with delphi and just compile it. Nothing to change.

3e) Now open up cheatengine.dpr in the main directory with Delphi.
(Note: Make sure the cheatengine.dpr you opened is from the main directory and not DEU, NLD or RUS directory!)

Go to the Project Manager and look for newkernelhandler.pas and

CeFuncProc.pas and open both up.
And save them as:

newkernelhandler.pas >>> Whateverhandler.pas

CeFuncProc.pas >>> Whatever55.pas

Save all and close all.
Next using ASR, Path (Main Source Folder) with the mask (*.*)(Do not include subfolders) and search for newkernelhandler and CeFuncProc, then change them to
newkernelhandler >>> Whateverhandler (EXCEPT for Newkernelhandler.pas)
CeFuncProc >>> Whatever55 (EXCEPT for CeFuncProc.pas)

3f )Next the value strings(hex)
* 00400000
* 7fffffff
* 80000000

Using ASR, Path (Main Source Folder) with the mask (*.*)(Include subfolders)

Search and replace the 3 values with the new value you calculated. (Note: ONLY change the values, leave the "$" alone)

Note: You must change it to a different value!

Eg:+2 from the value (Do not subtract, you may get some errors)

Use your windows calculator, select "View> Scientific>", select "HEX"

Enter the values. Then select "Dec". Then you + "any value".

Then you change it back to "Hex" and use this value for these changes.

So for Example using +2, you will get:

* 00400000 ---> 00400002
* 7fffffff ---> 80000001
* 80000000 ---> 80000002

3g) Now using ASR, Path (Main Source Folder) with the mask (*.*)(Do not include subfolders), search and replace the following.

nextscanbutton >>> Whatever56
scanvalue >>> Whatever57
scanvalue2 >>> Whatever58
ScanType >>> Whatever59
VarType >>> Whatever60
newscan >>> Whatever61
ScanText >>> Whatever62
syndiv.com/ce >>> Google.com(Anything (like your UCE homepage if its public) )
CheatEngine >>> WhateverEngine (EXCEPT for cheatengine.bpg)
cheat engine >>> Whatever Engine

Next open up MainUnit.pas with Delphi and locate the following:

if messagedlg('Do you want to try out the tutorial?',mtconfirmation,[mbyes,mbno],0)=mryes then
shellexecute(0,'open','Tutorial.exe','','',sw_show );

Replace the "Tutorial" with "Project1" like this:

if messagedlg('Do you want to try out the tutorial?',mtconfirmation,[mbyes,mbno],0)=mryes then
shellexecute(0,'open','Project1.exe','','',sw_show );

Now save and close it

Now open up OpenSave.pas with Delphi and locate the following:

7 "Tutorial.exe":Application processname
Replace "Tutorial" with "Project1" like so:

7 "Project1.exe":Application processname (This is not detected, but change it so it will open up Project1 when prompted)

Then in openSave.pas with Delphi and locate the following: (this is only for CE 5.3)

if x<>'WhateverEngine' then
raise exception.Create('This is not a valid Whatever Engine table');
Now comment it out like so:

//if x<>'WhateverEngine' then
//raise exception.Create('This is not a valid Whatever Engine table');

Doing this will allow you to open other Cheat Tables(.CT), which are not saved by your engine.

Now save and close it .





Optional
For Version Options, go to the project manager and right-click whateverengine.exe, then click Options...Go to Version Info... for customizable features. Untick "include version info in project" if you do not want it.


Optional
As for the Settings and About section, in the Project Manager open up "formsettingsunit" and "aboutunit".

Click on the sections you want to change and change the captions only.
(Give some credit to Dark Byte for his Source code)

3i) Changing project group and cheatengine.exe into Whateverengine. (Note: Make a copy of your edited source before you proceed)

- Changing project group name.

Open cheatengine.bpg from the main directory, then "save as" Whateverengine.bpg in the main directory. Close and open whateverengine.bpg to test it.

- Changing the cheatengine.exe name.

Open Whateverengine.bpg from the main directory and in the project manager, "Right click" on cheatengine.exe and select "View Source".



Then you save Cheatengine.dpr as Whateverengine.dpr in the main ce source folder.

Now repeat this for the following:
Cheatengine.DEU (Save as Whateverengine.dpr and save it in the DEU Folder)
Cheatengine.NLD (Save as Whateverengine.dpr and save it in the NLD Folder)
Cheatengine.RUS (Save as Whateverengine.dpr and save it in the RUS Folder)

3j)Compiling "whateverengine.exe" (cheatengine.exe).

First, download trainerwithassembler.zip

Now open up whateverengine.dpr in the main CE source folder with delphi and
You go "Project> compile whateverengine" or Ctrl+F9.

4. Finishing
4a) Compile all of these using Delphi:

- Pscan.dll (Pscan.dpr in injectedpointerscan folder)

- emptydll.dll (emptydll.dpr in SystemcallRetriever folder)

- emptyprocess.exe (emptyprocess.dpr in SystemcallRetriever folder)

- systemcallsignal.exe (systemcallsignal.dpr in SystemcallRetriever folder)

- Systemcallretriever.exe(change anything if needed) (Systemcallretriever.dpr in SystemcallRetriever folder)

- Kernelmoduleunloader.exe (Kernelmoduleunloader.dpr in "dbk32\Kernelmodule unloader" folder)

- Project1.exe (Project1.dpr in Tutorial folder)

4b)copy all of these files to a folder

WhateverEngine.exe (Cheatengine.exe)
Whatever.sys (dbk32.sys)
Whatever.dll (dbk32.dll)
driver.dat
Cehook.dll
stealth.dll ( Rolling Dice suggests you that you don't need to use Stealth.dll - it may cause lagging ) ( it's your opinion to put it in or not )
PScan.dll
emptydll.dll
emptyprocess.exe
systemcallsignal.exe
Systemcallretriever.exe
Kernelmoduleunloader.exe
Project1.exe
(Missing files will cause errors when you execute.)

Best Luck At Hacking


VIDEO TUTORIAL OF ALL THIS IS COMING IN 2 WEEKS BY ME


3N1P // 3 NICK 1 PERSON

MENTAL81 // DISFUSION // KRISTI81


credits to mental



Naniooooo is offline  
Thanks
6 Users
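
Added example, not part of the original post: a defender-side sketch of why the renaming in Part 2 only defeats name-based signatures, while artifacts of the post's own driver patch survive it. The sample byte blobs are constructed, and the choice of invariant features (the wide `KeAttachProcess` literal and the `0xdeadbeef` compare) is an assumption for illustration, not a description of any anti-cheat product.

```python
import re

# Names the post says to rename in Driver.dat and the sources (taken from the post).
RENAMEABLE_NAMES = ["CEDRIVER53", "DBKProcList53", "DBKThreadList53", "dbk32.sys"]

# Features left behind by the post's driver patch no matter what gets renamed:
#  - the wide-string literal given to RtlInitUnicodeString, which has to equal
#    the kernel export name for MmGetSystemRoutineAddress to resolve it
#  - the 32-bit magic value the IOCTL handler compares against, little-endian
WIDE_KEATTACH = "KeAttachProcess".encode("utf-16-le")
MAGIC_LE = (0xDEADBEEF).to_bytes(4, "little")
INVARIANTS = {"wide:KeAttachProcess": WIDE_KEATTACH, "imm32:0xdeadbeef": MAGIC_LE}


def printable_strings(blob, min_len=4):
    """Return ASCII and UTF-16LE printable runs, like the `strings` utility."""
    ascii_pat = rb"[\x20-\x7e]{%d,}" % min_len
    wide_pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [m.group().decode("ascii") for m in re.finditer(ascii_pat, blob)]
    found += [m.group().decode("utf-16-le") for m in re.finditer(wide_pat, blob)]
    return found


def name_hits(blob):
    """Name-based signature: which of the well-known names appear as strings."""
    strings = [s.lower() for s in printable_strings(blob)]
    return [n for n in RENAMEABLE_NAMES if any(n.lower() in s for s in strings)]


def invariant_hits(blob):
    """Byte-level features that do not depend on any renameable identifier."""
    return [label for label, needle in INVARIANTS.items() if needle in blob]


def classify(blob):
    """Flag on invariants only when all of them co-occur, to limit false positives."""
    return {
        "name_signature": bool(name_hits(blob)),
        "invariant": len(invariant_hits(blob)) == len(INVARIANTS),
    }


def make_sample(*parts):
    """Build a constructed blob: parts separated by non-printable filler bytes."""
    return b"\xcc" * 8 + b"\xcc\xcc".join(parts) + b"\xcc" * 8


# Constructed samples (not real driver images).
CMP_MAGIC = b"\x81\x38" + MAGIC_LE          # encodes: cmp dword ptr [eax], 0DEADBEEFh
WIDE_LITERAL = WIDE_KEATTACH + b"\x00\x00"  # NUL-terminated wide string

ORIGINAL_BUILD = make_sample(
    b"CEDRIVER53\x00", b"DBKProcList53\x00", b"DBKThreadList53\x00",
    b"dbk32.sys\x00", WIDE_LITERAL, CMP_MAGIC,
)
RENAMED_BUILD = make_sample(
    b"Whatever1\x00", b"Whatever2\x00", b"Whatever3\x00",
    b"Whatever.sys\x00", WIDE_LITERAL, CMP_MAGIC,
)
# An unrelated driver that happens to contain the common 0xdeadbeef fill value.
UNRELATED_DRIVER = make_sample(
    b"\\Device\\SampleDrv\x00",
    "IoCreateDevice".encode("utf-16-le") + b"\x00\x00",
    MAGIC_LE,
)

if __name__ == "__main__":
    for label, blob in [("original", ORIGINAL_BUILD),
                        ("renamed", RENAMED_BUILD),
                        ("unrelated", UNRELATED_DRIVER)]:
        print(label, classify(blob), name_hits(blob), invariant_hits(blob))
```

The renamed sample passes the name check but still matches both invariants; the unrelated sample carries only the magic value and is not flagged.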
Old   #2
 
elite*gold: 0
Join Date: Jan 2012
Posts: 2,230
Received Thanks: 923
Yet another copy paste tutorial made by someone else. I assume you haven't tested it?


guesswho-.- is offline  
Old   #3
 
elite*gold: 0
Join Date: Nov 2011
Posts: 576
Received Thanks: 64
I SAID CREDITS GO TO BLABLA BLA BLALBLA !!!!!!!!!!!!!!!!!!!

and do you remember when you guys always said me leech
doesn't work
*****
etc

i released something and i figure it now and it make ce undetectable
so have a nice day lolz
Naniooooo is offline  
Old   #4
 
elite*gold: 0
Join Date: Dec 2009
Posts: 531
Received Thanks: 71
Quote:
Originally Posted by Naniooooo View Post
I SAID CREDITS GO TO BLABLA BLA BLALBLA !!!!!!!!!!!!!!!!!!!

and do you remember when you guys always said me leech
doesn't work
*****
etc

i released something and i figure it now and it make ce undetectable
so have a nice day lolz

Hmm, perhaps you should get the download links for it?
It's hard to try this out without any links.


poweritup is offline  
Old   #5
 
elite*gold: 0
Join Date: Sep 2007
Posts: 309
Received Thanks: 124
Quote:
Originally Posted by Naniooooo View Post
I SAID CREDITS GO TO BLABLA BLA BLALBLA !!!!!!!!!!!!!!!!!!!

and do you remember when you guys always said me leech
doesn't work
*****
etc

i released something and i figure it now and it make ce undetectable
so have a nice day lolz
Proof or it doesn't work. Video, pic, something.
SkyDrag0n is offline  
Old   #6
 
elite*gold: 0
Join Date: Dec 2009
Posts: 531
Received Thanks: 71
Quote:
Originally Posted by Naniooooo View Post
Mental's Tutorial On How To Make A UCE

1. Lets learn about what actually is UCE !
UNDETECTED CHEAT ENGINE
Its the same version same thing as the Original Cheat Engine only that we
will change the detected strings and files whit undetected ones . This may
be confusing for know but you will understand in the following process .

2. Strings
STRING LINES OF UCE AND CE
Strings are lines , words that are found in Cheat Engines source code
these words make CE a UCE that is if you change them properly . PB
is set to detect these words and by changing them to different ones
that aren't in their logs we make our ce a uce . These words once compiled
make DLL library files and EXE application files that we can run then and
use for hacking and so on .

3. Preparation
3a. Knowledge and Skillz
- Bit Understanding
- Don't Touch What You Don't Know What Works
- Don't Be a Noob
- Run Some Music While You Are Working
- Take All Your Litle Brothers and Sisters away
- You Need Peace , Concentration , Strong Will
- Decide What Will Be the name of you UCE

3b. Tools Of Need
- Windows DDK -- > Download Here
- Delphi 7 -- > Download Here
- Actual Search And Replace -- > Download Here
- Cheat Engine 5.2 Source Code -- > Download Here
- A picture for a background , costume icon , and idea of about box .
- Paint or Photoshop for better graphics rofl

Preparing your workspace !
Install DDK and Delphi 7 and Actuall Search And Replace
Go to you main harddisk C/ H/ whatever and make extract there
Cheat Engine source Code .

Getting Started :


You Can Skip This Part If you are Making it For PB and go down to PART-2

1. UCE Tutorial [DEBUGGER FIXES]
Ok, the first debugger fix is given to us by DarkByte, and is for GameGuard Revision 822/826. We will not be doing the interrupt fix right now, because it is included in 833 fix.

Download and extract to your DBKKernel folder:

Open memscan.c and add #include "jumper.h" to the list of #includes,
Open DBKDRVR.c and add #include "jumper.h" to the list of #includes.

Keep DBKDRVR open, because we now have to fix memaccess.

Search the word "driverentry" in dbkdrvr.c; now replace "driverentry" in the search box with "return ntstatus;" Press find until you come to the 3rd one and add this code before it .

{
UNICODE_STRING y;
RtlInitUnicodeString(&y, L"KeAttachProcess");
AddressOfKeAttachProcess=MmGetSystemRoutineAddress (&y);
}


So it looks like

ExFreePool(BufDriverString);
ExFreePool(BufProcessEventString);
ExFreePool(BufThreadEventString);


ZwClose(reg);
{
UNICODE_STRING y;
RtlInitUnicodeString(&y, L"KeAttachProcess");
AddressOfKeAttachProcess=MmGetSystemRoutineAddress (&y);
}

return ntStatus;



NEXT SEARCH
For this line UINT_PTR *processid
and add this code :

Code:
if (*processid==0xdeadbeef) 

{                
*(PULONG)Irp->AssociatedIrp.SystemBuffer=(ULONG)&AddressOfKeAttachProcess; 

   ntStatus=STATUS_SUCCESS; 

   break; 
}

[B]So it looks like :[/B]

{ 

UINT_PTR *processid; 

PEPROCESS selectedprocess; 

processid=Irp->AssociatedIrp.SystemBuffer;

 

if (*processid==0xdeadbeef)

{                    

   *(PULONG)Irp->AssociatedIrp.SystemBuffer=(ULONG)&AddressOfKeAttachProcess;

   ntStatus=STATUS_SUCCESS;

   break;

}

if 

 (PsLookupProcessByProcessId((PVOID)(*processid),&selectedprocess)==STATUS_SUCCESS)

 *(PULONG)Irp->AssociatedIrp.SystemBuffer=(ULONG)selectedprocess; 

 else 

 *(PULONG)Irp->AssociatedIrp.SystemBuffer=0;

 
ObDereferenceObject(selectedprocess);  

ntStatus= STATUS_SUCCESS;

break; 
}
Open Source.ce and add jumper.c to the list.

After this is done, open Mainunit.pas in your main CE folder...Add the word "disassembler" to the list of uses.

Now search for the line procedure TMainform.FormCreate(Sender: TObject);

Before it add this whole thing :

Code:
procedure fixmemaccess;
var KeAttachProcessAddress,x: dword;
    s: string;
    sl: tstringlist;

    KiAttachProcessAddress: dword;
    a,b: boolean;
    i: integer;
    DriversKeAttachProcessAddressAddress: dword;
    oldprocesshandle: dword;
begin
  oldprocesshandle:=processhandle;
  try
  loaddbk32;
  UseDBKReadWriteMemory;
  //query is needed too to scan, but thats up to the user

  processhandle:=newkernelhandler.OpenProcess(PROCESS_ALL_ACCESS,false,GetCurrentProcessID);

  //I don't even have to adjust the jxx instructions since all of them point to when it fails, so thats ok
  KeAttachProcessAddress:=dword(GetKProcAddress('KeAttachProcess'));
  KiAttachProcessAddress:=0;

  sl:=tstringlist.Create;
  x:=KeAttachProcessAddress;

  a:=symhandler.showmodules;
  b:=symhandler.showsymbols;

  symhandler.showmodules:=false;
  symhandler.showsymbols:=false;


  sl.Add('Kalloc(mymem,4096)');
  sl.add('Kalloc(mymem2,4096)');
  sl.add('');
  sl.add('mymem2:');

  sl.add('');
  sl.add('mymem:');

  s:='';
  while (x<KeAttachProcessAddress+$200) and (s<>'ret 0004') do
  begin
    s:=disassemble(x);
    s:=copy(s,pos('-',s)+2,length(s));
    s:=copy(s,pos('-',s)+2,length(s));

    if pos('call 8',s)>0 then
    begin
      KiAttachProcessAddress:=strtoint('$'+copy(s,pos(' ',s)+1,length(s)));
      s:='call mymem2';
    end;

    sl.Add(s);
  end;

  //now generate the jumper for KiAttachProcess
  if KiAttachProcessAddress=0 then raise exception.Create('No KiAttachProcess call found');
  x:=KiAttachProcessAddress;
  i:=4;

  while (x<KiAttachProcessAddress+5) do
  begin
    s:=disassemble(x);
    s:=copy(s,pos('-',s)+2,length(s));
    s:=copy(s,pos('-',s)+2,length(s));
   
    sl.Insert(i,s);
    inc(i);
  end;
  sl.Insert(i,'jmp '+inttohex(x,8));

  DriversKeAttachProcessAddressAddress:=getpeprocess($deadbeef);
  if DriversKeAttachProcessAddressAddress=0 then raise exception.Create('OMG YOU LOSER!');

  sl.Add('');
  sl.Add(inttohex(DriversKeAttachProcessAddressAddress,8)+':');
  sl.add('dd mymem');

  symhandler.showmodules:=a;
  symhandler.showsymbols:=b;

  if not autoassemble(sl,false) then raise exception.create('Auto assembler error.');

  finally
    processhandle:=oldprocesshandle;
  end;
end;
For 5.2 users....add the line "fixmemaccess;" right before the line "hotkeypressed:=-1;" which is right after "procedure TMainForm.FormCreate(Sender: TObject);"

For 5.3 users....add the line "fixmemaccess" right after the line "pluginhandler:=TPluginhandler.create;"

Now download fixmemfiles.rar and extract all to the Main CE source folder...Replace all.


That is all for the Register Fixes...

FOR UNDETECTING IN REV 878:

Code that is detected for rev 833 in mainunit.pas:

if err>0 then
begin
if res=-1 then
begin

end;

ok:=res=mryes;

if (res=mryes) or (res=mrno) then
res:=-1; //reset
end
else
ok:=true;


end else ok:=true;

(it may be a bit different in CE 5.2)

Add more variables and junk code. My code that is undetected is this(5.2): (this color means i added or changed it)

if err>IQ then
begin
if res=X then
begin
res:=messagedlg('The record with description '''+memrec[i].Description+''' has as interpretable address '''+memrec[i].interpretableaddress+'''. The recalculation will change it to '+symhandler.getNameFromAddress(memrec[i].Address+calculate,true,true)+'. Do you want to edit it to the new address?',mtconfirmation,[mbyes,mbno,mbNoToAll,mbYesToAll,mbCancel],0);
if res=mrcancel then exit;
end;

ok:=res=mryes;

if (res=mryes) or (res=mrno) then
res:=X; //reset
end
else
ok:=true;

and under variables i put:

var newaddress:dword;
calculate: Integer;
i,j,err: Integer;
selectedi: Integer;
X: Integer;
IQ: Integer;

firstispointer,dontdopointers: boolean;
re: string;
ok: boolean;

res: integer;

After the first begin:

begin
res:=-1;
X:=-1;
X:=X;
IQ:=0;
IQ:=IQ;

//first find out how many where selected.(from here on i didnt touch)
i:=0;
selectedi:=0;
while (i<numberofrecords) and (selectedi<2) do
begin

(u can do the same thing for 5.3, just edit the IQ and X part...)

REV 878 FIX:

The code that is detected in disassembler.pas:

function disassemble(var offset: dword; var description: string): string; overload;
var memory: TMemory;
actualread: dword;
startoffset: dword;
tempresult: string;
tempst: string;
wordptr: ^word;
dwordptr: ^dword;
dwordptr2: ^dword;
singleptr: ^single;
doubleptr: ^double;
extenedptr: ^extended;
int64ptr: ^int64;
i,j: integer;

prefix: TPrefix;
prefix2: TPrefix;
isprefix: boolean;

last: dword;
foundit: boolean;
begin
result:=inttohex(offset, 8 ) + ' - ';

Change it to this:

function disassemble(var offset: dword; var description: string): string; overload;
var memory: TMemory;
actualread: dword;
startoffset: dword;
tempresult: string;
tempst: string;
wordptr: ^word;
dwordptr: ^dword;
dwordptr2: ^dword;
singleptr: ^single;
doubleptr: ^double;
extenedptr: ^extended;
int64ptr: ^int64;
i,j: integer;

prefix: TPrefix;
prefix2: TPrefix;
isprefix: boolean;

last: dword;
foundit: boolean;

//just added this few lines to increment the bytes
A:string;
B:string;
C:string;
D:string;
E:string;
F:string;
G:string;
H:string;
K:string;
L:string;
M:string;
//just added this few lines to increment the bytes
begin

//just added this few lines to increment the bytes
A:='a';
B:='b';
C:='c';
D:='d';
E:='e';
F:='f';
G:='g';
H:='h';
K:='k';
L:='l';
M:='m';
//just added this few lines to increment the bytes

result:=inttohex(offset, 8 ) + ' - ';

(thanks to sphere90 for this dissassembler fix)

Part 2

MAKING YOUR CE UNDETECTABLE

1A)Find and open Driver.dat in the main source of your CE with notepad and replace the following strings...
CEDRIVER53 ----> Whatever1 (Strings may be different for 5.2 Source, but you get the concept)
DBKProcList53 ----> Whatever2
DBKThreadList53 ----> Whatever3
dbk32.sys ----> Whatever.sys

1B)Find and open DBKDrvr.c in your DBKKernel folder and search for "hideme" (the second one down)



You will see "//hideme(DriverObject)" Remove the // from hideme (aka uncomment)

This MAY cause the Blue Screen Of Death (BSOD)... If it does, there is a fix where you don't have to uncomment hideme, but that is private.

1C)Find and open Sources and sources.ce in the DBKKernel Folder with notepad and replace the following:
"TARGETNAME=DBK32" to "TARGETNAME=Whatever" ("whatever" being a random string, but try to be consistent)

1D)

Using ASR, Path (Main Source Folder) with the mask (memscan.c; DBKDrvr.c),
(Include Subfolders)
search and replace the following:



KeStackAttachProcess((PKPROCESS)selectedprocess,&apc_state); ----> KeAttachProcess((PEPROCESS)selectedprocess);

KeUnstackDetachProcess(&apc_state); ----> KeDetachProcess();

1E)Fixing ioctl:

Using ASR, Path (Main Source Folder) with the mask (DBKDrvr.c; dbk32functions.pas),
search and replace the following:
(Include Subfolders)(untick the "Whole Word" function for this fix only!)

0x080 ----> 0x087 (you can replace the 7,8,9 with whatever number you want, but 789 works the best)
0x081 ----> 0x088
0x082 ----> 0x089

$080 ----> $087
$081 ----> $088
$082 ----> $089

If you already did the debug fixes, you can proceed to this step...

2) First, copy your dbkkernel path and place your main CE folder in the C:\ Drive, with the name "CE".

Then go to START --> All Programs --> Development kits --> WinDDK --> Build Environments --> Windows XP --> Windows XP Free Build Environment
If you use Windows 2000 or another OS choose the appropriate one...

Next, type in cd "space" then right click and press paste...

If you did this right, C:\WinDDK\numbers, will change to C:\ce\dbkkernel

Next, type "ce" and you will start compiling whatever.sys


3a ) Open "dbk32.dpr" in the dbk32 Directory with Delphi. Then we open the "Project Manager" under "VIEW" and expand "dbk32.dll" and double click on "DBK32functions" to open it.
Replace the following in DBK32functions.
CEDRIVER53 >>> Whatever1 (for 5.2 source search CEDRIVER51 instead of CEDRIVER53)
DBKProcList53 >>> Whatever2
DBKThreadList53 >>> Whatever3
Now save all and close all.
Next using ASR, Path (Main Source Folder) with the mask (*.*), search and replace the followings. (Include Subfolders)
dbk32.sys >>> Whatever.sys
dbk32.dll >>> Whatever.dll


Now we will replace all those mentioned strings to something else using ASR, Path (Main Source Folder) with the mask (dbk32.dpr; dbk32functions.pas) (Include Subfolders).
VQE ---> Whatever4
OP ---> Whatever5
OT ---> Whatever6
NOP ---> Whatever7
RPM ---> Whatever8
WPM ---> Whatever9
VAE ---> Whatever10

For a full lists of strings download this: strings.rar

Once you have gone through the entire list of strings, change the mask to (newkernelhandler.pas). Instead of changing the strings normally like this:

VQE ---> Whatever4
OP ---> Whatever5
OT ---> Whatever6
NOP ---> Whatever7
RPM ---> Whatever8
WPM ---> Whatever9
VAE ---> Whatever10

Change the strings like this:

'VQE' ---> 'Whatever4'
'OP' ---> 'Whatever5'
'OT' ---> 'Whatever6'
'NOP' ---> 'Whatever7'
'RPM' ---> 'Whatever8'
'WPM' ---> 'Whatever9'
'VAE' ---> 'Whatever10'

Note that the quotes are VERY IMPORTANT, as with the mask as newkernelhandler.pas, and you are not using the quotes, you are going to get undeclared functions in the other files, giving a big hassle to change them all. It will still be undetected doing it using this method, so no need to worry whether or not it will be detected. If you are too lazy, you might get unpalatable results with the undetecting of the UCE. Ok, that is all I have to say. (i was too lazy to explain it...thanks to flawedmatrix)

3b)Save the DBK32functions.pas and DBK32.dpr in new names.

With DBK32functions.pas and DBK32.dpr opened in Delphi. Go "FILE> Save As".
(These are only my changes, you can change to other names)

DBK32.dpr >>> Whatever.dpr (according to my change list "Whatever.dll")(Save in dbk32 folder)
You will see that the "library DBK32;" has been changed to "library Whatever;"

DBK32functions.pas >>> Whateverfunctions.pas (Save in dbk32 folder)

After this you will see that Whatever.dpr's "uses" and Project Manager, DBK32functions.pas will be changed to whateverfunctions.pas.

Now save all and close all.

Now open Whatever.dpr in Delphi, you compile Whatever.dll. Go "Project> compile whatever" or Ctrl+F9.

It's OK to get a "Hint" or "Warning", but if you get an "Error", go recheck your steps, because you have made a mistake or forgot to change something somewhere.

If you do not get any Errors, your Whatever.dll will be at the main CE Source Directory.

3c) Next using ASR, Path (Main Source Folder) with the mask (*.*), search and replace "myhook". (Include Subfolders)

Rename the myhook in CEHook.dpr and hypermode.pas only to Whatever54.

Now open up CEHook.dpr in CEHook Directory with Delphi
(Note:For Borland users, you need to delete/comment out "system;" under "USES")

Then Compile CEHooK.dpr.

3d ) Next open up stealth.dpr in the stealth Directory with delphi and just compile it. Nothing to change.

3e) Now open up cheatengine.dpr in the main directory with Delphi.
(Note: Make sure the cheatengine.dpr you opened is from the main directory and not DEU, NLD or RUS directory!)

Go to the Project Manager, look for newkernelhandler.pas and CeFuncProc.pas, and open both up.
And save them as:

newkernelhandler.pas >>> Whateverhandler.pas

CeFuncProc.pas >>> Whatever55.pas

Save all and close all.
Next using ASR, Path (Main Source Folder) with the mask (*.*)(Do not include subfolders) and search for newkernelhandler and CeFuncProc, then change them to
newkernelhandler >>> Whateverhandler (EXCEPT for Newkernelhandler.pas)
CeFuncProc >>> Whatever55 (EXCEPT for CeFuncProc.pas)

3f )Next the value strings(hex)
* 00400000
* 7fffffff
* 80000000

Using ASR, Path (Main Source Folder) with the mask (*.*)(Include subfolders)

Search and replace the 3 values with the new value you calculated. (Note: ONLY change the values, leave the "$" alone)

Note: You must change it to a different value!

Eg:+2 from the value (Do not subtract, you may get some errors)

Use your windows calculator, select "View> Scientific>", select "HEX"

Enter the values. Then select "Dec". Then you + "any value".

Then you change it back to "Hex" and use this value for these changes.

So for Example using +2, you will get:

* 00400000 ---> 00400002
* 7fffffff ---> 80000001
* 80000000 ---> 80000002

3g) Now using ASR, Path (Main Source Folder) with the mask (*.*)(Do not include subfolders), Search and replace the followings.

nextscanbutton >>> Whatever56
scanvalue >>> Whatever57
scanvalue2 >>> Whatever58
ScanType >>> Whatever59
VarType >>> Whatever60
newscan >>> Whatever61
ScanText >>> Whatever62
syndiv.com/ce >>> Google.com(Anything (like your UCE homepage if its public) )
CheatEngine >>> WhateverEngine (EXCEPT for cheatengine.bpg)
cheat engine >>> Whatever Engine

Next open up MainUnit.pas with Delphi and locate the following:

if messagedlg('Do you want to try out the tutorial?',mtconfirmation,[mbyes,mbno],0)=mryes then
shellexecute(0,'open','Tutorial.exe','','',sw_show );

Replace the "Tutorial" with "Project1" like this:

if messagedlg('Do you want to try out the tutorial?',mtconfirmation,[mbyes,mbno],0)=mryes then
shellexecute(0,'open','Project1.exe','','',sw_show );

Now save and close it

Now open up OpenSave.pas with Delphi and locate the following:

7 "Tutorial.exe":Application processname
Replace "Tutorial" with "Project1" like so:

7 "Project1.exe":Application processname (This is not detected, but change it so it will open up Project1 when prompted)

Then, in OpenSave.pas with Delphi, locate the following: (this is only for CE 5.3)

if x<>'WhateverEngine' then
raise exception.Create('This is not a valid Whatever Engine table');
Now comment it out like so:

//if x<>'WhateverEngine' then
//raise exception.Create('This is not a valid Whatever Engine table');

Doing this will allow you to open other Cheat Tables(.CT), which are not saved by your engine.

Now save and close it .





Optional
For Version Options, go to the Project Manager and right-click whateverengine.exe, then click Options... Go to Version Info... for customizable features. Untick "include version info in project" if you do not want it.


Optional
As for the Settings and About section, in the Project Manager open up "formsettingsunit" and "aboutunit".

Click on the sections you want to change and change the captions only.
(Give some credit to Dark Byte for his Source code)
3i ) Changing project group and cheatengine.exe into Whateverengine. (Note: Make a copy of your edited source before you proceed)

- Changing project group name.

Open cheatengine.bpg from the main directory, then "save as" Whateverengine.bpg in the main directory. Close and open whateverengine.bpg to test it.

- Changing the cheatengine.exe name.

Open Whateverengine.bpg from the main directory and in the project manager, "Right click" on cheatengine.exe and select "View Source".



Then you save Cheatengine.dpr as Whateverengine.dpr in the main ce source folder.

Now repeat this for the followings:
Cheatengine.DEU (Save as Whateverengine.dpr and save it in the DEU Folder)
Cheatengine.NLD (Save as Whateverengine.dpr and save it in the NLD Folder)
Cheatengine.RUS (Save as Whateverengine.dpr and save it in the RUS Folder)

3j)Compiling "whateverengine.exe" (cheatengine.exe).

First, download trainerwithassembler.zip

Now open up whateverengine.dpr in the main CE source folder with delphi and
You go "Project> compile whateverengine" or Ctrl+F9.

4. Finishing
4a) Compile all of these using Delphi:

- Pscan.dll (Pscan.dpr in injectedpointerscan folder)

- emptydll.dll (emptydll.dpr in SystemcallRetriever folder)

- emptyprocess.exe (emptyprocess.dpr in SystemcallRetriever folder)

- systemcallsignal.exe (systemcallsignal.dpr in SystemcallRetriever folder)

- Systemcallretriever.exe(change anything if needed) (Systemcallretriever.dpr in SystemcallRetriever folder)

- Kernelmoduleunloader.exe (Kernelmoduleunloader.dpr in "dbk32\Kernelmodule unloader" folder)

- Project1.exe (Project1.dpr in Tutorial folder)

4b)copy all of these files to a folder

WhateverEngine.exe (Cheatengine.exe)
Whatever.sys (dbk32.sys)
Whatever.dll (dbk32.dll)
driver.dat
Cehook.dll
stealth.dll ( Rolling Dice suggests you that you don't need to use Stealth.dll - it may cause lagging ) ( it's your opinion to put it in or not )
PScan.dll
emptydll.dll
emptyprocess.exe
systemcallsignal.exe
Systemcallretriever.exe
Kernelmoduleunloader.exe
Project1.exe
(Missing files will cause errors when you execute.)

Best Luck At Hacking


VIDEO TUTORIAL OF ALL THIS IS COMING IN 2 WEEKS BY ME


3N1P // 3 NICK 1 PERSON

MENTAL81 // DISFUSION // KRISTI81


credits to mental
Ohh, I remember that I tried this once. Doesn't work on Global DK or Core games.
poweritup is offline  
Old   #7
 
elite*gold: 0
Join Date: Nov 2011
Posts: 576
Received Thanks: 64
try to disable the accessibility to the cheat engine folder from other programs, that will work
I found a program like that, but something is wrong with it
Naniooooo is offline  
Old   #8

 
elite*gold: 0
Join Date: Jul 2011
Posts: 994
Received Thanks: 472
Btw, UCE is called UCE because it means "Undetected Cheat Engine", not "Undetectable Cheats"

**** my posts are amazingly helpful these days
Brutalon is offline  
Thanks
2 Users
Old   #9
 
elite*gold: 0
Join Date: Jan 2012
Posts: 2,230
Received Thanks: 923
Quote:
Originally Posted by poweritup View Post
Ohh, I remember that I tried this once. Doesn't work on Global DK or Core games.
did you really have to quote his whole ****** post?
guesswho-.- is offline  
Thanks
3 Users
Old   #10
 
elite*gold: 0
Join Date: Dec 2009
Posts: 531
Received Thanks: 71
Quote:
Originally Posted by guesswho-.- View Post
did you really have to quote his whole ****** post?
Yes I do.
poweritup is offline  
Thanks
1 User
Old   #11
 
elite*gold: 0
Join Date: Sep 2007
Posts: 309
Received Thanks: 124
Quote:
Originally Posted by SkyDrag0n View Post
Proof or it doesn't work. Video, pic, something.
Still waiting.
SkyDrag0n is offline  
Thanks
1 User
Old   #12

 
elite*gold: 0
Join Date: Jul 2011
Posts: 994
Received Thanks: 472
Why do the topics in DK always make me smile?
Brutalon is offline  
Thanks
1 User
Old   #13
 
elite*gold: 0
Join Date: Nov 2011
Posts: 576
Received Thanks: 64
because you are non stop on drugs ?
Naniooooo is offline  
Thanks
1 User
Old   #14

 
elite*gold: 0
Join Date: Jul 2011
Posts: 994
Received Thanks: 472
Quote:
Originally Posted by Naniooooo View Post
because you are non stop on drugs ?
probably true
Brutalon is offline  
Old   #15
 
elite*gold: 0
Join Date: Jul 2008
Posts: 5
Received Thanks: 0
links are down... can someone upload them again?


rocawork is offline  