[juan81]

i play some online game and use kerneldetective to change program with disasmbler.. it's still detect >,< when i change it will detect..
Where can i learn more about hook kernel mode in delphi..

sorry for my silly question >,<

[EP_X0FF]

Hello,

what kind of program it's detect? What have you change?

Regards.

[juan81]

Thx for replay..
i play cabal online in my country..
i change for example.. like perfect combo...

Code: Select all

0053E873  |. |8B8E 14490000 MOV ECX,[DWORD DS:ESI+4914]
0053E879  |. |DFE0          FSTSW AX
0053E87B  |. |F6C4 01       TEST AH,01
0053E87E  |. |75 1B         JNE SHORT 0053E89B
0053E880  |. |D896 38490000 FCOM [DWORD DS:ESI+4938]
0053E886  |. |DFE0          FSTSW AX
0053E888  |. |F6C4 41       TEST AH,41
0053E88B  |. |7A 0E         JPE SHORT 0053E89B
0053E88D  |. |DDD8          FSTP ST
0053E88F  |. |C686 10490000 MOV [BYTE DS:ESI+4910],3
0053E896  |. |E9 97000000   JMP 0053E932
0053E89B  |> |D896 2C490000 FCOM [DWORD DS:ESI+492C]
0053E8A1  |. |DFE0          FSTSW AX
0053E8A3  |. |F6C4 01       TEST AH,01
0053E8A6  |. |75 0D         JNE SHORT 0053E8B5
0053E8A8  |. |D896 30490000 FCOM [DWORD DS:ESI+4930] <---- i change to JMP 0053E88D
0053E8AE  |. |DFE0          FSTSW AX
0053E8B0  |. |F6C4 05       TEST AH,05
0053E8B3  |. |7B 1A         JPO SHORT 0053E8CF <-- i change to JMP 0053E88D

i change at kerneldetectiv disasmbler because only that program is not detect from nprotect gameguard...
after i change that code.. nprotect close.. and 5 minutes after that... that game is close too..

i have tried in rev 1467 and 1493 and my os is win 7 32bit and working..
after gameguard patch 1504 is detected...

i tried to inject dll to change that code for that game.. it's sucess after i change one address from that game..

how can i learn more about kernel programming to make program like KernelDetective. by GamingMasteR at this forum and at4re forum

[EP_X0FF]

I know GameGuard behavior. It hooks a lot of kernel (SSDT, some anti-attach techniques based on Ke functions hooks) and performs various code self-integrity checks, including monitoring of NtDeviceIoControlFile input/output buffers. If anything suspicious detected it is simple exits. Will see what GamingMasteR can suggest here.

[GamingMasteR]

Hi,

As EP_X0FF said, it's related to code self-integrity checks only .
You have to seek deeper to know the code check procedures .
Or you can use different way of patching (HWBP for example ;) )

[juan81]

hi,
it's very difficult to unpack gamemon.des (thimida and winlicence) and debug it.. and seek deeper check proc and crc32 checking..
HWPB patching, give me where i have to learn it..?
Like easyhook and bypass patchguard?

[GamingMasteR]

Use hardware breakpoints :
- Use debug registers to set hwbp on the address you want to hook .
- Hook debug ISR (int1) .
- When breakpoint happens change what you want in the thread context (eip for example) .

Not sure if new GG will detect hwbp also but you may give it a try .

[EP_X0FF]

In addition, this maybe helpful: http://www.codeproject.com/KB/system/so ... oking.aspx :)

[GamingMasteR]

Does anyone know a small game with GG protection ? I've really poor connection :cry:

[EP_X0FF]

I've investigated Lineage2+GameGuard few years ago with modem (3 Kb/s) connection :) Unfortunately everything I have with GG is gone.