Cheat Engine Undetected
Posting this here with the permission from Send/haxor24. Tired of kids selling this all over the internet for $100. I am not gonna tell you how to use it.
Update: This was made for beta. The commercial release is now here and it has additional anti-debug. This quick fix no longer works but you can still use this undetected Cheat Engine for hacking other games. Read thread for details.

Wondering where all the hacks are for Call of Duty WWII? I haven't made any cheats, but if you play around with Call of Duty WW2 you will notice that opening Cheat Engine will cause WWII to crash because they use some detection based on file paths and window names. If you change these things in Cheat Engine you can make it undetected for this game and then you can use Cheat Engine like you normally would.

So I'm attaching an undetected Cheat Engine to this post so you can download it.

How to use:
- Extract the .exe to your Cheat Engine folder.
- Rename the Cheat Engine folder to anything you want except 'Cheat Engine'.
- Run the new .exe

I did notice some TLS callback stuff so I don't think you can start the game from a debugger. When you set a breakpoint with the normal Windows debugger it crashes the game, when you use VEH debugger I get this: Doesn't matter what kind of breakpoint you use (Hardware, Int3, Page Execution) they all cause the game to crash. But you can search, scan and write to memory using Cheat Engine no.

But what about DBVM and Dark Byte's kernel driver dbk64.sys so we can attach the debugger? Well, the security certificate signed dbk64.sys from the official Cheat Engine installation only talks to CheatEngine.exe that are signed by Dark Byte himself.

So since we modified the CheatEngine.exe we must compile it ourselves! Don't worry, I already did it for you, I'm attaching a dbk64.sys that I compiled myself and it is unsigned. Now you must 'Disable Driver Signing' in your operating system to allow us to run it. To do this on Windows 10, hold shift and restart. Now go to Startup Settings and restart. It will give you options, #7 is 'Disable Driver Signing Enforcement'; you have to do this every time unless you patch your system to do this every time.

On Windows 7 just reboot and hit F8 to get safe mode settings and you will see the same options. Now set DBVM in the debugger options of Cheat Engine, go to Help-About, enable DBVM and you can set breakpoints and hack this game to shit.

Hey, I'm working at the moment on finding out how the anti-debug of CoD WW2 works. But I'm pretty much stuck. The game closes after some time when I attach any of my debuggers or use wpm.

Things I know at the moment: These functions get overwritten to disable the possibility of attaching using a debugger, all using jmps to ExitProcess: CopyFileExW, DbgBreakPoint, DbgUserBreakPoint, DbgUiConnectToDbg, DbgUiContinue, DbgUiConvertStateChangeStructure, DbgUiDebugActiveProcess, DbgUiGetThreadDebugObject, DbgUiIssueRemoteBreakin, DbgUiRemoteBreakin, DbgUiSetThreadDebugObject, DbgUiStopDebugging, DbgUiWaitStateChange, DbgPrintReturnControlC, DbgPrompt.

Patching all of those makes it possible to attach a debugger.
If I use x64dbg, most of the time it doesn't realize the process ends or has ended, which I think is pretty strange. Also I'm not sure if it is random when the process ends or not.

I would love to know if somebody has any idea how to approach this problem. Not being able to use a debugger makes it pretty hard to guess what is actually going on.

Hey, thanks for your answer. I'm doing that already and that is the problem. After removing all of those it goes this way:
- I attach a dbg.
- Game crashes/ends (after some time; most of the time I have enough time to get into a local game and jump around for a minute or two).
- Debugger just sits there.

Here is my sloppy source in cs

The code seems to work fine. At that point I'm relatively sure that the game checks those functions if they are still patched and closes the game if not. I also read somewhere about a THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag which hides threads from the debugger. It would make sense to me if those threads would be the root of the problem because setting breakpoints seems to be inconsistent.
The only issue with that is that starting the game with a debugger attached creates mem access errors. I think you also mentioned that in your CoD WW2 DBVM video if I remember correctly.

Edit: Can you check something if it shows up like that for you too? When using x64dbg and ScyllaHide and you suspend the process before the hooks are written: set an access breakpoint on CopyFileExW. It should trigger after some time and give as source around here: 's2mp64ship.exe'+1E8C3. If it does please let me know. Also this seems to patch the functions: 's2mp64ship.exe'+1E6ABC.

Just in case anyone finds this thread. Trying to do the same I did: multiple problems arise.
- Detection of your tools. If you use tools which are pretty much known, like IDA, WinDbg, Cheat Engine, x64dbg, the process scans for those and closes in response if those are running.
- Detection of local memory patches. If you patch out the anti-debug measure like I did, the process will behave the same and close after x minutes/seconds.
- Usage of dynamic jmps. You will probably see pretty fast that if the program doesn't expect to get back to its original address it will simply clear the stack and jmp to i.e. TerminateProcess. This makes debugging pretty time consuming. So looking at the stack won't help you much here.

I'm giving up at this point because it is too time consuming. In case you just want to wpm/rpm you can just write your own application to scan the process because those are not getting detected in general.
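The check the posts above describe, a process verifying whether the entry bytes of a set of functions have been overwritten with jumps, comes down to comparing each prologue with known-good bytes and decoding any redirect found. This is an added example, not code from the thread or from the game: the addresses, byte strings and the EXIT_PROCESS value are constructed, and the three x86-64 jump encodings it recognises are an assumption about how such a patch is written.

```python
import struct

def decode_redirect(addr, code):
    """Return the jump target if the bytes at `addr` start with a redirect, else None."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        (rel,) = struct.unpack_from("<i", code, 1)
        return (addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF
    if len(code) >= 14 and code[:6] == b"\xFF\x25\x00\x00\x00\x00":
        return struct.unpack_from("<Q", code, 6)[0]              # jmp [rip+0]; dq target
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return struct.unpack_from("<Q", code, 2)[0]              # mov rax, imm64; jmp rax
    return None

def audit(baseline, live):
    """Compare live prologues with known-good bytes.

    baseline: {name: bytes}             expected first bytes (e.g. read from the file on disk)
    live:     {name: (address, bytes)}  bytes currently mapped in the process
    Returns {name: (status, target)}; status is 'clean', 'redirected' or 'modified'.
    """
    report = {}
    for name, good in baseline.items():
        addr, cur = live[name]
        if cur[:len(good)] == good:
            report[name] = ("clean", None)
            continue
        target = decode_redirect(addr, cur)
        report[name] = ("redirected", target) if target is not None else ("modified", None)
    return report

# Constructed sample data: every address and byte string below is made up.
EXIT_PROCESS = 0x7FFA10001000
BASELINE = {
    "DbgBreakPoint": bytes.fromhex("cc c3"),
    "DbgUiRemoteBreakin": bytes.fromhex("48 83 ec 28 65 48 8b 04"),
    "DbgUiConnectToDbg": bytes.fromhex("48 83 ec 38 33 c0 65 48"),
}
LIVE = {
    "DbgBreakPoint": (0x7FFA20000000, bytes.fromhex("cc c3")),
    "DbgUiRemoteBreakin": (0x7FFA20000100,
                           b"\x48\xB8" + struct.pack("<Q", EXIT_PROCESS) + b"\xFF\xE0"),
    "DbgUiConnectToDbg": (0x7FFA20000200, bytes.fromhex("90 90 90 90 33 c0 65 48")),
}

if __name__ == "__main__":
    for name, (status, target) in audit(BASELINE, LIVE).items():
        print(f"{name:22} {status:10} {'' if target is None else hex(target)}")
```

A prologue that differs from the baseline without decoding as a jump is reported as 'modified' rather than ignored, since a byte patch such as a NOP run is still a change to the code.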
Undetectable Cheat Engine (UCE) step by step tutorial

Note: Words in light blue should be paid attention to. They are side notes and important tips. KEEP THEM IN MIND!!

Keep a piece of paper and pen, or a Word document, handy. Write down EVERY change in string because this will be VERY useful later on.

Creating DBK32.sys

2A. Changing the basics and manipulating //hideme

Find driver.dat in your main CE source and open it in Notepad. Change the following:

Note: Throughout my tut, I used the string 'c4n0n' in my screenshots. This word has been detected so please don't use it. Be creative and think of any word you want. Note that my example below, 'string', has also been detected so don't use that either. This is where the piece of paper plays its first role. Write these changes down!!

- CEDRIVER53 -> string1
- DBKProclist53 -> string2
- DBKThreadList53 -> string3
- dbk32.sys -> string.sys

Now we will compile String.sys (DBK32.sys).
Go to your DBKKernel directory and copy the address. After that, open up Windows XP Free Build. I use this simply because I use Windows XP. A lot of people like to use Windows 2000 Free Build. It's your choice which one you want to use. For noobs, if you can't find it go to: Start > All Programs > Development Kits > Windows DDK > Build Environment > Windows XP > Windows XP Free Build Environment

When it is open, type 'cd' (no quotes), then press the space bar, then right click and paste the path to your DBKKernel folder as seen in screenshot 1. You should get something like the 2nd screenshot. After that press Enter. If your DDK is not on the same drive as your Cheat Engine folder, then type in the drive your CE folder is on. (If you don't know what I'm talking about, or both of them are on the same hard drive, then just ignore what I said about typing in the drive.) Now type in 'ce' as in screenshot 3 and then press Enter.

Hopefully you will get something like the last screenshot. If all is good and well, it should say '7 files compiled. 1 Executable built.' String.sys, or whatever you named it, will be in your main CE directory.

Replacing Detected Strings

Note: The following is one of the most tedious steps. Don't rush through it or you'll screw up.
Locate and open 'dbk32.dpr' in your dbk32 folder with Delphi 7 (screenshot 1 below). Go to View > Project Manager and expand 'dbk32.dll'. Double click on 'DBK32functions' to open it (screenshot 2 below). Replace the following in DBK32functions. Perhaps use the find method to make things easier?

- CEDRIVER52 -> String1 (this is the same thing as CEDRIVER53)
- DBKProcList51 -> String2 (this is the same thing as DBKProcList53)
- DBKThreadList51 -> String3 (this is the same thing as DBKThreadList53)

Done? OK, save all and close all.

Open up Actual Search and Replace. Go to 'File Settings Editor', go through your folders and find your delphi32.exe. It will most likely be under 'C:\Program Files\Borland\Delphi7\Bin\delphi32.exe'. Press OK. Under the options tab, check the box that says 'include subfolders'. Keep in mind where this box is because it will be used later in this tut.

Under 'Masks' enter: newkernelhandler.pas; DBK32functions.pas; DBK32.dpr

Under 'Path' put in your main Cheat Engine directory. Last but not least, tick the box under Mask that says 'whole words'. In my replace field, I used the word 'c4n0n'. Instead of c4n0n, fill it in with whatever word you want. Whenever you press modify, you are modifying a file, NOT a line.
Note: REMEMBER!! THERE IS AN UNDO BUTTON IN CASE YOU MESS UP!! (It's the curved arrow on the right side.)

If you got no errors, then string.dll will be in your main CE folder.

Making CEHook

Use Actual Search and Replace again. Search for myhook (include subfolders). Rename myhook in the files CEHook.dpr and hypermode.pas ONLY.

- myhook -> string54

Now open CEHook.dpr with Delphi. This file is in the CEHook folder. We will need to comment out 'system;' under 'uses'. In order to comment it out, add ' // ' before 'system'. After commenting it out.

Creating Stealth

Open up stealth.dpr within your Stealth directory and compile it. There's nothing to change.
Renaming NewKernelHandler and CeFuncProc

Open up cheatengine.dpr from your main CE folder. Go to Project Manager and open up NewKernelHandler.pas and CeFuncProc.pas. Again 'File > Save As'. Save into main CE folder.

- NewKernelHandler.pas -> StringHandler.pas (replace?
- CeFuncProc.pas -> String55.pas

Save and close. Use search and replace and search for NewKernelHandler and CeFuncProc (do not include subfolders). Mask is '.'

- NewKernelHandler -> Stringhandler (change in all files EXCEPT for Newkernelhandler.pas)
- CeFuncProc -> String55

3F. Changing value strings (hex values)

The values we will be changing here are 00400000, 7FFFFFFF, 80000000. We are changing them into different values, NOT into letters/names. We will be using the basic Windows calculator. Go to Start > Run and type in 'calc' OR you can just go to your calculator under Accessories. Either way, just open up calculator. Once it opens press View > Scientific, then Hex. Enter one of the above values. Then click Dec and add a number (ex. Do not use the minus sign.) Then change back to Hex and you will get your new value! Use Search and Replace and replace the values. (Include subfolders) Mask is. Below I +5 to my values. You can add any number you want. You don't have to use 5.

- 00400000 -> 00400005
- 7FFFFFFF -> 80000004
- 80000000 -> 80000005

3G. Changing words within the CheatEngine GUI

Now search again (do not include subfolders) and change:

- Nextscanbutton -> String56
- Scanvalue -> String57
- Scanvalue2 -> String58
- ScanType -> String59
- VarType -> String60
- Newscan -> String61
- ScanText -> String62
- Syndic.com/ce -> myspace.com (you can change it to any website =D)

3H. Now use search again (do not include subfolders). Your mask will be .pas; change the following:

- CheatEngine -> StringEngine
- Cheat engine -> String Engine

3I. Configuring the Cheat Engine GUI

Open cheatengine.bpg from main CE directory.
Using Project Manager, open MainUnit, which is under Cheatengine.exe. Double clicking on it will make the Cheat Engine GUI pop up. In the GUI, look for the words 'scan type' and 'value type' faded in grey. Click on the drop-down box next to scan type. Here we are just checking if you changed your strings correctly. After clicking the drop-down box, look to the left of the screen under Object Treeview and Object Inspector. Hopefully under Object Treeview, String59 is highlighted. Now look at Object Inspector and scroll down until you see 'name'. Hopefully right next to it, there is a box that says String59 also. If you did this step correctly, repeat it with value type.

Finally, click on the labels 'ProtectMe2' and 'crash me' which are next to the red pointer on the GUI. Click on them and look inside Object Inspector. Go to 'caption' and delete the words there. So basically, ProtectMe2 and Crash Me are still there BUT we can't see them!!

Here are some optional things that you can do in order to personalize your UCE = wooh!! They are the words in pink. If you do not want to personalize your UCE then skip down to the next step.

Changing Version Info. Select Cheatengine.exe in Project Manager and 'right click > Options'. Click the 'Version Info' tab. If you do not want anything at the bottom to show, untick the box that says 'include version.' Other than that, you can also edit the words at the bottom like Company Name and File Description.

Changing Application Name, Help File and Icon. Click the tab 'Application' and from there, stuff is pretty self explanatory.

Changing Settings and About section. In Project Manager, open up the files 'formsettingsunit' and 'aboutunit'. Click on the things that you want to edit and change the captions in Object Inspector. (Give credz to Dark Byte for making this source.)

Compiling cheatengine.exe

View Project Manager and click on the drop-down menu. Make sure Cheatengine.exe is selected and NOT cheatengine.DEU / NLD / RUS. Minimize Delphi real quick, and with Windows Explorer, go to your main CE folder. Right click in any empty space and select New > Text Document. Rename the file as 'trainerwithassembler.exe'. Done. Now go back to Delphi and compile.

Here is the other long step (but on the brighter side, YOU ARE VERY CLOSE TO FINISHING!!).
After you attempt to compile, you WILL get errors. The first will be:

Error autoassembler.pas (531): Undeclared identifier: 'KernelAlloc'

Hopefully you wrote down your changes on a piece of paper like I had asked. Look back at that paper and change KernelAlloc to whatever you changed it to. In this tut, I changed KernelAlloc to String50. Compile again. You will get another error. Fix it and compile again. Keep doing this until you no longer have any errors.
This is a long step, BUT it is a key step!!

Finishing Touches

4A. Compiling Needed Files for UCE

Open Delphi. With Delphi, open systemcallsignal.dpr in the SystemcallRetriever folder. Compile. Open Systemcallretriever.dpr in the SystemcallRetriever folder (you will get some errors so change them). Kernelmoduleunloader.dpr in dbk32kernelmodule unloader folder

4B. Other Stuff

Note: First off, make a copy of your edited source before you proceed in case you mess up. Now open cheatengine.bpg from the main directory, then 'save as' stringengine.bpg in the main directory. Reopen cheatengine.bpg from the main directory, 'right click' on cheatengine.exe and select 'view source'. Save cheatengine.dpr as stringengine.dpr, then compile it and you will get StringEngine.exe!!

Hopefully you have all these files now. Make a new folder and toss them all in.

- stringengine.exe
- driver.dat
- string.sys
- string.dll
- stealth.dll
- cehook.dll
- systemcallsignal.exe
- systemcallretriever.exe
- kernelmoduleunloader.exe

Now you just have to test it.

Testing Your UCE

5. Open your CE.
Change the settings according to these pictures provided by LilHustla of gameguardattackers. I was too lazy to take my own screenshots, and these settings worked for me. So give thanks to him!

Compiled sys, renamed strings to gm3x1, gm3x2 etc. Replaced, compiled everything, no errors (except the ones shown in the tutorial), step by step, backups for every step. Well, with the configuration above, I opened it to attach on AIKABR and it restarted my PC. I'm sure that I've made everything perfect, I've made the CE in 2,5 hours, after 5 testing attempts, CE is perfect, tested in other games with cheat tabs, but on Aika it has been detected.

I suggest Aika players don't try this tutorial. If someone made it undetectable by xtrap of AIKABR, tell me how, because following every word of this tutorial xtrap detected.