[Windows 7 x64] Gameguard Bypass for CE

[netHoxInc]

Another option would be a selfmade driver. Even tho GG is ring3, we dont rly need to go ring0 ro achieve that, it just makes it being an easy solution without much reversing of GG.

[cookie69]

Quote:

Originally Posted by I Feelz I

the kernel driver is only for w7 x64. u can try it with titanhide but i didnt give support for it.

There is even a better and powerful free tool called Windows Kernel Driver and it works with 32/64 versions from windows Xp to win10:

But even after I hided CE, it still get's detected by gg so maybe you need to understand how CE gets detected (maybe a noob window search, a registry search...)

By the way, WKE is detected by antivir but it is false positive as it is using a fake sign certificate which gets detected by most antivir.

[TheAllfather]

In the past this was the only method that has worked for me and im scared to install a windows 7 version on top of my windows 10. I feel like this is going to break my computer lolz

I have tried editing cheat engine window title, button, process name and rename some buttons to something else but it still got detected.

[Hömer]

Quote:

Originally Posted by TheAllfather

In the past this was the only method that has worked for me and im scared to install a windows 7 version on top of my windows 10. I feel like this is going to break my computer lolz

I have tried editing cheat engine window title, button, process name and rename some buttons to something else but it still got detected.

Just use a Virutal Machine. This is easy to install and to configure.
If you have Windows 10 Pro - Use Hyper-V.

[I Feelz I]

Quote:

Originally Posted by cookie69

There is even a better and powerful free tool called Windows Kernel Driver and it works with 32/64 versions from windows Xp to win10:

But even after I hided CE, it still get's detected by gg so maybe you need to understand how CE gets detected (maybe a noob window search, a registry search...)

By the way, WKE is detected by antivir but it is false positive as it is using a fake sign certificate which gets detected by most antivir.

did u disable the patchguard from w10 before?

[Gyakusatsu-]

everything's fine.
1. PatchGuard disabled (even windows10 (also 17134+))
2. Hidecon -ph /* (PID) CheatEngine (v7.3) */
3. Starting play2bit-deFlyff in Virtualbox without Sound actived ( Warning MSG before GG can start, for (me) more time analysing PID+Attach Neuz.exe )
4. Detecting.

Same Method on patched x64 Windows-10 (also 17134+with UPGDSED)
4. Detected.

Next try: TitanHide (Both x64 Windows-7001 and Windows-10)
1. Until step warning ''no Sound'' so, I have enough time to explore the PID of Neuz and Attach with CE / x64dbg

2. Hiding after Attach via GUI
( 2.5 hiding PID with Hidecon )
3. Detected.

i think there is a system of instant closing after Attach with Debugger
maybe i am using wrong version of CE / 64dbg?
maybe i should attach GameMon.des to hide?

Also i would talk about the code of changing the interface of CE..just as repack.
Here's the code:

 Spoiler

function renameComponents(c)
local i
if c.Component then
for i=0,c.ComponentCount-1 do
renameComponents(c.Component[i])
end
end

if c.Caption then
c.Caption='Yakuzana'
end
end


for i=0,getFormCount()-1 do
local form = getForm(i)
for j=0,form.ControlCount-1 do
renameComponents(form)
end

form.Caption='Mafia'
end

registerFormAddNotification(function(f)
f.registerCreateCallback(function(frm)
renameComponents(f)
end)
end)

[rftech23]

Quote:

Originally Posted by cookie69

If you do it perfectly, you must be able to bypass the gg with CE and you can even modify Game memory (I did a mistake when I said that you can't modify the memory..)
I personally had to re-patch the kernel to be able to use CE again but it is working and it is undetected with Windows 7 x64 bits

Hello, nice work here!

So, I was trying to bypass the hackshield on a certain Flyff pserver via reverse engineering its MiniA.exe via x32dbg software. The results got me stuck so below are the steps i did including the results of each.

1st. I did the sunkist method so i can launch the MiniA.exe via shortcut so it looks like i launch it on launcher.

2nd. I attached the MiniA.exe to x32dbg app to reverse the address where 'EHSvc.dll' is located. Did changes i have found on the internet. (changing the memory address of 'EHSvc.dll' to 2 bytes (00 00))

3rd. So, after the modifications, i have patched the MiniA.exe to the game folder but with different name so the original MiniA.exe would be backed up.

4th. Changed the names on the game folder so I would run the MiniA.exe(patched) via MiniA.exe - shortcut.

5th(result1). Right after launching the MiniA.exe - shortcut even in administrator, the process exits immediately. So, attached MiniA.exe(patched) again on debbuger to modify the kernel32.ExitProcess. Locates its address and assembled it to 'ret' so it wont exit.

6th(result2). After doing the first workaround and patched it, i ended up with an .exe that could not be read by the game so i guess that was not the right move, i even did the same modification on kernel32.TerminateProcess but ended up with the same result.

Now i am kinda stuck with this and been searching for workarounds tho. Any clarifications on my steps that made me wrong is highly appreciated!

Thanks guys