Stupid Question regarding Gunz Hacks

lvlyone · 10-28-2009, 12:58 PM

Smart guys,

I would like to know how GameGuard Pattern Detect/Block works.

Suppose that we have Soure Codes of DLL and injector which was already blocked by GameGuard.

If I change a lot of variable and function names, then that might bypass GameGuard Pattern Detect/Block?
If not, how can we bypass that? Should we add and delete more function calls?

Please give me your generosity to explain anything. Thanks a lot.

Brandon-Bmx · 10-28-2009, 01:00 PM

Quote:

Originally Posted by lvlyone

Smart guys,

I would like to know how GameGuard Pattern Detect/Block works.

Suppose that we have Soure Codes of DLL and injector which was already blocked by GameGuard.

If I change a lot of variable and function names, then that might bypass GameGuard Pattern Detect/Block?
If not, how can we bypass that? Should we add and delete more function calls?

Please give me your generosity to explain anything. Thanks a lot.

I just renamed stuff to bypass GG's detection.
But there are other methods I suppose, renaming them is probably the easiest way.

hitachihex · 10-28-2009, 01:10 PM

Detection is done via signature automatically gathered\or manually gathered, such as certain blocks of native assembly that would prove to be unique to the hack in question.

Thus, depending on the project's size (the hack) leaving the creator with the job of finding out what parts of code he needs to revamp\change.

Most of the time, a simple change in addition\subtraction does the trick, granted you turn off code optimization, to prevent it from taking the shortest way around.

ex 1:

Code:

int a  = 5;

ex 2:

Code:

int a = 0;
for(a = 0; a < 6; a++);

Tedious? Yes. But assembly output, without compiler optimizations would not be the same.

ex1:

Code:

mov [reg], 5;

ex2:

Code:

mov [reg], 0
__step:
cmp [reg], 5
je __finish;
inc [reg]
jmp __step;
__finish:

Aesmade · 10-28-2009, 01:11 PM

Changing variable and function names would change absolutely nothing in the compiled DLL. So no, that wouldn't work. I've injected DLLs that exit as soon as they're loaded and GG still detected them after a while, so I'm thinking it might detect the DLL module itself. Perhaps a different injection method would work. **** me, I dunno.
Edit ~ Just saw hitachi's post. Could my empty DLL get detected cause of the code visual studio generates? I thought of making a DLL in assembly and injecting that, so it doesn't have any extra crap, but I couldn't be arsed.

lvlyone · 10-28-2009, 04:10 PM

What if Most of source codes were ASMs?

Then we don't have any options to bypass that signature detection?

:)

Thanks.

Stupid Question regarding Gunz Hacks

Gunz Hacks/Bots Discussion