GameGuard ByPass

Ask questions about cheating in any games you would like. Does not need to pertain to MicroMacro.
elapidd82
Posts: 6
Joined: Tue Jan 26, 2010 10:10 am

GameGuard ByPass

#1 Post by elapidd82 » Tue Jan 26, 2010 10:25 am

I decided to take a stab at writing a generic GameGuard ByPass, but I haven't done this before, so I would like your input on this topic, if possible on a general direction.

So I guess I would need to:
  1. Start out by disassembling [game].exe
  2. Find the reference to the GameGuard launch point
  3. Most people just say NOP it, but why don't we do a JMP to a code cave?
  4. Figure out how the echo system works so that we don't get disconnected after N minutes
  5. Recompile the [game].exe
As for step 4, how do we figure out what is being sent to the GameGuard server to create the echo?

I am a complete newbie when it comes to this, but if someone could point me in the right direction, I can figure this out :)

Thanks for reading and your potential help in this silly project of mine.

Administrator
Site Admin
Posts: 5306
Joined: Sat Jan 05, 2008 4:21 pm

Re: GameGuard ByPass

#2 Post by Administrator » Tue Jan 26, 2010 5:08 pm

There are hundreds of IDs to work with in these messages, and they will change quite often. I've heard of people doing it before with some success (until they hit a message ID they haven't coded yet), but it is short-lived, as all this work will be scrapped when the next version of GameGuard is released.

You could, though, hook into the Winsock functions used to send/receive data by the game (yes, this can still be done with GameGuard loaded if you know what you're doing -- but it may be more work than it's worth). There is also software, such as Wireshark, that may allow you to grab this information. Alternatively, I think there might also be plugins for virtual machines that should be very reliable (no way for GameGuard to know this is happening and stop it from within the VM).

The Game Deception Forums are also a good place to gather more information on GameGuard.

elapidd82
Posts: 6
Joined: Tue Jan 26, 2010 10:10 am

Re: GameGuard ByPass

#3 Post by elapidd82 » Wed Jan 27, 2010 10:25 am

Thank you for your response :)
I have seen other versions of GameGuard ByPass (specifically per game); how could they bypass GameGuard when it does a server check periodically?

Administrator
Site Admin
Posts: 5306
Joined: Sat Jan 05, 2008 4:21 pm

Re: GameGuard ByPass

#4 Post by Administrator » Wed Jan 27, 2010 4:26 pm

Most of the time, it does not do any server-sided checks.

elapidd82
Posts: 6
Joined: Tue Jan 26, 2010 10:10 am

Re: GameGuard ByPass

#5 Post by elapidd82 » Wed Jan 27, 2010 10:58 pm

Thank you :) I faced another challenge here ... ASProtect. Admin, do you have any recommendation for me? I tried the lazy way out (ASPR stripper) and that got a virus & rebooted my VM .. not cool...
How I admire those who can make a ByPass so easily...

Oh, and I am targeting Karos Online!!!

elapidd82
Posts: 6
Joined: Tue Jan 26, 2010 10:10 am

Re: GameGuard ByPass

#6 Post by elapidd82 » Fri Jan 29, 2010 8:09 am

Just want to share some thoughts on my research so far. Apparently hacking GameGuard directly is really hard, because it requires you to unpack the game itself, which is protected by different programs such as ASProtect...
There are instructions to unpack the executable by looking for the stolen bytes, typing in the missing pieces, and using LordPE & ImportREC to recompile the executable.
Then use OllyDbg to find the entry point to GameGuard and eventually disable it.

There are other suggestions, such as a kernel-mode driver, DLL injection or ring0...

My question is still to figure out how GameGuard works, so that I can find alternative ways of avoiding their hooks.

Administrator
Site Admin
Posts: 5306
Joined: Sat Jan 05, 2008 4:21 pm

Re: GameGuard ByPass

#7 Post by Administrator » Fri Jan 29, 2010 10:01 am

You don't avoid the hooks. If you do, GameGuard will notice the hooks are missing and cause the game to close. Unless you catch when it's going to check the hooks, then rewrite them, and remove them again once it's finished. That's a lot more work than it's worth, though. The "best" solution would be a kernel-mode driver. Good luck with that, though.

3cmSailorfuku
Posts: 354
Joined: Mon Jan 21, 2008 6:25 pm

Re: GameGuard ByPass

#8 Post by 3cmSailorfuku » Sat Jan 30, 2010 3:04 pm

elapidd82 wrote: My question is still to figure out how GameGuard works, so that I can find alternative ways of avoiding their hooks.
It depends on the build of GameGuard. Depending on how much companies are willing to spend, GameGuard will give them different builds of it that might "protect" better or worse. I believe in the cheapest build GameGuard isn't incorporated into the game and won't detect changes in the memory or loaded modules.

Anyway, GameGuard (and, like it, most of these "anti-cheats") has rootkit-like behavior: it hooks Windows API functions into its own kernel driver and either completely blocks them or lets them pass through, depending on the occasion (you can use Cheat Engine or the like to find out which functions are hooked by which driver). Like the admin explained, you have a lot of ways to tackle this, but given that you want to make a generic bypasser, you ultimately have to make a kernel driver yourself and reconstruct the WinAPI functions that your bot should use. A better solution would be to abuse the GameGuard trampoline, but like he said, this is quite a long, long, long task to accomplish and will only work for the current game.

Wikipedia does a better job at explaining it than me though: http://en.wikipedia.org/wiki/NProtect_GameGuard

And to express it in a few words: GameGuard, as opposed to VAC or PunkBuster, intends to take away users' rights over their software and isn't really made to be user-friendly at all.

elapidd82
Posts: 6
Joined: Tue Jan 26, 2010 10:10 am

Re: GameGuard ByPass

#9 Post by elapidd82 » Sat Jan 30, 2010 4:09 pm

Thank you Admin and 3cmSailorfuku. Let me take a step back and ask you this question then.
Instead of taking such an ambitious step, what if I only target a low-end GG license, which, as 3cmSailorfuku said, "doesn't detect changes in memory or loaded modules"? Which way do you think would work:
1. detour
2. check to see if the code of WinAPI functions such as PostMessage has been changed; if it has, I can try to revert the code back:

#include <windows.h>

// Address of PostMessageA just past its 5-byte hot-patch prologue
// (mov edi,edi / push ebp / mov ebp,esp), so that any JMP written over the
// function entry is skipped. Assumes 32-bit x86 and that the prologue
// after the first 5 bytes is intact.
DWORD DLLFunc = (DWORD)GetProcAddress(LoadLibraryW(L"User32.dll"), "PostMessageA") + 5;

// Replacement entry: re-executes the original prologue bytes, then jumps
// into the real function past its (possibly patched) first 5 bytes.
__declspec(naked) BOOL WINAPI PM(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
{
    __asm
    {
        mov edi, edi
        push ebp
        mov ebp, esp
        jmp dword ptr ds:[DLLFunc]
    }
}

3cmSailorfuku
Posts: 354
Joined: Mon Jan 21, 2008 6:25 pm

Re: GameGuard ByPass

#10 Post by 3cmSailorfuku » Sat Jan 30, 2010 7:54 pm

elapidd82 wrote: Thank you Admin and 3cmSailorfuku. Let me take a step back and ask you this question then.
Instead of taking such an ambitious step, what if I only target a low-end GG license, which, as 3cmSailorfuku said, "doesn't detect changes in memory or loaded modules"? Which way do you think would work:
1. detour
2. check to see if the code of WinAPI functions such as PostMessage has been changed; if it has, I can try to revert the code back:

#include <windows.h>

// Address of PostMessageA just past its 5-byte hot-patch prologue
// (mov edi,edi / push ebp / mov ebp,esp), so that any JMP written over the
// function entry is skipped. Assumes 32-bit x86 and that the prologue
// after the first 5 bytes is intact.
DWORD DLLFunc = (DWORD)GetProcAddress(LoadLibraryW(L"User32.dll"), "PostMessageA") + 5;

// Replacement entry: re-executes the original prologue bytes, then jumps
// into the real function past its (possibly patched) first 5 bytes.
__declspec(naked) BOOL WINAPI PM(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
{
    __asm
    {
        mov edi, edi
        push ebp
        mov ebp, esp
        jmp dword ptr ds:[DLLFunc]
    }
}
You are taking it too far already; what you are attempting won't be a generic bypass, it has to be adjusted to each release, sub-version and game executable you want to have GameGuard bypassed on (where you will get stuck with ASProtect, as in your example). The admin explained already that it is a very complicated and tiring task.

If it's a budget-level license, you could just load your DLL as a library into the game; this worked many times in the past already and still does.
And I believe a VTable hook won't ever be detected by GameGuard unless the file gets reported.

In your case you can't simply deny or revert the "code changes" GameGuard does; it will most likely quit the game. It worked in the past though; you could reserve various functions without GG going all bitchy on you. Anyway, you have to use GameGuard's trampoline function and detour your function into it, making GameGuard believe everything still works according to plan heahhehhae.

But yeah, there are hundreds of ways, maybe you can figure yourself something out but this is as far as my knowledge goes.
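
The mechanism the last few replies argue about (the Administrator's Winsock send/receive hook in #2, the "rewrite the hooks, then remove them again" in #7, the "check whether PostMessage's code has been changed and revert it" step in #9, and the "detour your function into the trampoline" in #10) all rest on the same three byte-level operations on a 32-bit x86 hot-patchable export: classify the first bytes of the function, build a trampoline from the five stolen prologue bytes, and write or remove a 5-byte JMP at the entry. The following is an added example and not code from the thread or from any GameGuard or bot project: it models those operations on a constructed byte image so it compiles and runs on any platform without touching a real process. The virtual addresses (0x7E418000 for the pretend PostMessageA, 0x10001000 for the hook, 0x00401000 for the trampoline) are made up, the bytes after the prologue are filler, and only the 5-byte hot-patch prologue is handled; a function with a different prologue needs a length disassembler, which is out of scope here.

```c
/* Added example (not from the thread): byte-level model of an x86-32 inline
 * hook on a hot-patchable Win32 export such as PostMessageA, plus the check
 * and the trampoline the thread discusses. It works on constructed byte
 * buffers and made-up addresses, so it runs anywhere without a real process. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HOTPATCH_LEN 5   /* mov edi,edi ; push ebp ; mov ebp,esp  = 8B FF 55 8B EC */
static const uint8_t HOTPATCH_PROLOGUE[HOTPATCH_LEN] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};

/* Made-up virtual addresses for the demo (assumptions, not real layouts). */
#define FUNC_VA  0x7E418000u   /* pretend PostMessageA */
#define HOOK_VA  0x10001000u   /* our replacement function */
#define TRAMP_VA 0x00401000u   /* trampoline buffer */

enum hook_kind { HOOK_NONE, HOOK_JMP_REL32, HOOK_PUSH_RET, HOOK_UNKNOWN };

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Encode "jmp rel32" at buffer position `at`, which lives at VA `at_va`. */
static void write_jmp_rel32(uint8_t *at, uint32_t at_va, uint32_t target_va)
{
    uint32_t rel = target_va - (at_va + 5);     /* displacement from the next instruction */
    at[0] = 0xE9;
    at[1] = (uint8_t)rel;         at[2] = (uint8_t)(rel >> 8);
    at[3] = (uint8_t)(rel >> 16); at[4] = (uint8_t)(rel >> 24);
}

/* The "has the code been changed?" check: classify the first bytes of an export
 * (at least 6 readable bytes). If a hook is found and target_va is non-NULL,
 * it receives the address control is transferred to. */
static enum hook_kind detect_inline_hook(const uint8_t *code, uint32_t code_va, uint32_t *target_va)
{
    uint32_t t = 0;
    enum hook_kind k = HOOK_UNKNOWN;
    if (memcmp(code, HOTPATCH_PROLOGUE, HOTPATCH_LEN) == 0) {
        k = HOOK_NONE;
    } else if (code[0] == 0xE9) {                     /* jmp rel32 */
        t = code_va + 5 + read_le32(code + 1);
        k = HOOK_JMP_REL32;
    } else if (code[0] == 0x68 && code[5] == 0xC3) {  /* push imm32 ; ret */
        t = read_le32(code + 1);
        k = HOOK_PUSH_RET;
    }
    if (target_va) *target_va = t;
    return k;
}

/* Convenience: where does a hooked entry jump to (0 if not hooked / unknown)? */
static uint32_t hook_target(const uint8_t *code, uint32_t code_va)
{
    uint32_t t;
    detect_inline_hook(code, code_va, &t);
    return t;
}

/* Trampoline = the 5 stolen prologue bytes + jmp back to original+5. Valid only
 * because the hot-patch prologue is exactly 5 position-independent bytes; any
 * other prologue needs a length disassembler (not modelled here).
 * Returns bytes written (10), or 0 if the entry is not a clean hot-patch prologue. */
static size_t build_trampoline(const uint8_t *entry, uint32_t entry_va, uint8_t *tramp, uint32_t tramp_va)
{
    if (memcmp(entry, HOTPATCH_PROLOGUE, HOTPATCH_LEN) != 0)
        return 0;
    memcpy(tramp, entry, HOTPATCH_LEN);
    write_jmp_rel32(tramp + HOTPATCH_LEN, tramp_va + HOTPATCH_LEN, entry_va + HOTPATCH_LEN);
    return HOTPATCH_LEN + 5;
}

/* Detour: build the trampoline first, then overwrite the entry with a jmp to the hook. */
static size_t install_hook(uint8_t *entry, uint32_t entry_va, uint32_t hook_va, uint8_t *tramp, uint32_t tramp_va)
{
    size_t n = build_trampoline(entry, entry_va, tramp, tramp_va);
    if (n == 0) return 0;
    write_jmp_rel32(entry, entry_va, hook_va);
    return n;
}

/* "Revert the code back": copy the stolen bytes from the trampoline over the jmp. */
static void remove_hook(uint8_t *entry, const uint8_t *tramp)
{
    memcpy(entry, tramp, HOTPATCH_LEN);
}

/* Constructed entries (prologue + filler; not real PostMessageA bytes). */
static const uint8_t CLEAN_ENTRY[8]   = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};
static const uint8_t PUSHRET_ENTRY[6] = {0x68, 0x00, 0x10, 0x00, 0x10, 0xC3}; /* push 0x10001000 ; ret */

/* Full cycle on a constructed image; returns how many stages behaved as expected (5 = all). */
static int hook_roundtrip_stages(void)
{
    uint8_t func[16] = {0x8B,0xFF,0x55,0x8B,0xEC, 0x83,0xEC,0x10, 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90};
    uint8_t tramp[16] = {0};
    int ok = 0;
    ok += detect_inline_hook(func, FUNC_VA, NULL) == HOOK_NONE;
    ok += install_hook(func, FUNC_VA, HOOK_VA, tramp, TRAMP_VA) == 10;
    ok += detect_inline_hook(func, FUNC_VA, NULL) == HOOK_JMP_REL32 && hook_target(func, FUNC_VA) == HOOK_VA;
    /* trampoline: the original prologue, then a jmp that lands at FUNC_VA+5 */
    ok += memcmp(tramp, HOTPATCH_PROLOGUE, HOTPATCH_LEN) == 0 && tramp[5] == 0xE9
          && TRAMP_VA + 10 + read_le32(tramp + 6) == FUNC_VA + 5;
    remove_hook(func, tramp);
    ok += detect_inline_hook(func, FUNC_VA, NULL) == HOOK_NONE;
    return ok;
}

int main(void)
{
    printf("round trip: %d/5 stages ok\n", hook_roundtrip_stages());
    printf("push/ret hook -> 0x%08X\n", hook_target(PUSHRET_ENTRY, FUNC_VA));
    return 0;
}
```

In a real process the write into the entry would go through VirtualProtect (or WriteProcessMemory from outside) and the trampoline would have to sit in executable memory; the byte work is the same. The detection routine is what a tool that lists hooked functions does at the byte level: compare the entry against the expected prologue and decode where the jump lands, which is what tells you whether a hook belongs to you, to GameGuard, or to nobody.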

elapidd82
Posts: 6
Joined: Tue Jan 26, 2010 10:10 am

Re: GameGuard ByPass

#11 Post by elapidd82 » Sat Jan 30, 2010 8:23 pm

Thank you again 3cmSailorfuku.
