2 gunz.exe.....

[pootytang9]

i found something interesting about gunz latly.i found out that wile gunz is running its has 2 gunz.exe.

see i was useing moonlight engine and niticed that during process, watch while gunz was fully loaded there is 2 gunz.exe.

turns out that the first one that shows up is sort of a fake. whenever u tryed scanning memory, or useind memory viewer, no memory would show up it was sort of like a blank.

but when i attached to the other gunz.exe it had memory and was scannable.

[x1nixmzeng]

Read up on GameGuard, and how it attempts to 'hide' Gunz from programs like CE, or even Task Manager.

Quote:

Injects driver which terminates all process watchers - sends fake process id's to programs which bypass this and messes with your task manager though physical memory. In a nutshell - takes complete control of your system to protect certain processes. Also loads a bunch or temporary files under their own extension (just renamed DLLs and EXE files)

So one process will be the real Gunz.exe, and the one you can't scan may be the fake one (or the other way round because of GG..)

Quote is my understanding of [Only registered and activated users can see links. ]

[pootytang9]

well gamegaurd complety failed at its attempt in hiding gunz from ce, yet other programs with bad magde procces watchers basicly got owned.

so im wondering u a very good programmer rite?

cant u use ce"s source code, available at its site to biuld an injector that has that kind of process watch.???

im not a programmer, so i cant do it, and im not sure the limit of ur skill,so just wondering if u can do it, or if its even possible

[medigra]

what if you told a program to look for it by terms of its memory usage? or something like that... maybe the gg doesn't destroy the strange threads but tricks them to look for a fake gunz.exe

[x1nixmzeng]

If you want to test GameGuard's ability to control your computer, open up command prompt, a bat file with the line 'pause' and your Task Manager.

@pootytang9: You can inject things into Gunz and get the handle of the process (used for API stuff), but GameGuard destroys suspicous threads like this, so you can't get very far.

GG doesn't completely fail: attemping to load the entire list of processes when Gunz has started with CE will crash Gunz entirely. I've got to look into Moonlight.

[pootytang9]

@medigre i understand wat u mean, basicly thats how proces watch works for ce. see its shows proccess as the run, and a number next to them indicating how much its working. see when u open process watch in start of gunz, ull see gunz launcher.exe(2) i beliave, then u press start game, and its goes away, and gunz.exe(2) and of course then gamegaurd des, then once u get to server screen gamegaurd mon shows up des goes away. once u pass charecter select and in lobby, gunz.exe(2) turns into gunz.exe(7), and a totally new gunz.exe(2) shows up. basicly the fake gunz was active based on the 2 once that game done loading no need for fake gunz.exe anymore and its oes to 7 and the new gunz.exe that runs the game shows up. so h process watch is used in terms of memroy usage already.

@x1nixmzeng i under stand well that u can inject into gunz still, its just that gg detects the process,rite, well im not sure if ur aware of this but all uce's contain a little extra in it that allows u to hide a process, to the point that the uce aswell cant detect the process.

but u didnt answewr my quistion.

wat i was asking if u can make an injector that has the same process watch as ce useing ce's source code. so u can find origanl gunz.exe. and useing moonlght to hide the process. iv tryed like 20 injectors and none can detect gunz.exe(2) real one. since they all have type procces name and itll autoattach to procces, and in this case now its garbage. they all attach to the first one.which is fake.

[x1nixmzeng]

I apologise. I will try to answer to the best of my knowledge.

Gunz.exe is called from GunzLauncher. Gunz then launches GameGuard, which then makes all the changes (creates fake processes, hides real Gunz.exe). By having the injector open before Gunz is started, it will get the handle of Gunz process before GameGuard is loaded, so it will be the right one.

An injector then uses this handle to inject.. ect ect. So it isn't the problem of finding the real Gunz.exe, it's a case of attaching a process without GameGuard detecting it, so it has to run inconspiciously before GameGuard starts.

Getting the whole list of processes would be helpful though. I'd like how to test how Gunz would function when GameGuard has been terminated.

Thinking again (and I've left my reaoning above) - maybe the first instance of Gunz is fake.. this is interesting. I would like to see which gunz process is real, and which isn't. I'm expecting the second instance to be created by GG, and the first one to be 'real'. I'm off to download Moonlight.

[pootytang9]

thank u now we getting somewhere.

see ur reason makes total sense,i understand wat u mean about the first process, should be the origanl,but also keep in mind this ijji has access to gamerzplanet forums, and no every stepp we take, and of course how the injectors work 0.o

and heres my theory which contridicts ur reasoning,srry not trying to seem like i no everything.

so here this is wat i do,which led me to my theory.

first off i open injector and moonlight, i hide injectors process,load dll and do the guz.exe thing for injector.

then i start up launcher, i leave moonlight open but im not useing it for anything other then hide process.(if u want just to check wat i mean leave process watcher open as everythin is happening)

i start gunz, and heres the interesting part, injector succsfuly injects dll to gunz.exe, and gamegaurd is clueless.

theni w8 till gunz loads,and enter lobby. and of course activate dll,but w8 when i activated dll nothing happens, but i mean seriosly nothing as if dll was nvr there. then i check process watch and geuss wat i see. 2 gunz.exe 0.o and so attach to first,and gues wat theres no memory in the first one,a fake?
then attach to secound one,wtf theres memory in this one.

so thers my reasoning.

also since u getting moonlgiht heres the link to the most recent moonlght 1129.1,+ bypass for 1133, and some codes i found on gunz yet to lazy to do anything about it.
[Only registered and activated users can see links. ]

and heres a link to my youtube page which contains all u need to no for setting up moonliht and how to use.
[Only registered and activated users can see links. ]
reccomend u watch ,mle settings, mle, and step 1

to use bypass just open the file,if it ask to open with use moolight engien.
u should see moonligh open up with 1 addres then attach moonlight to itself.(moonlight.exe on procces list not process watch)the value of addres should turn into Dark Byte, change that into Star Tear (exactly as written dont change anything,) p.s i do use the bypass

[x1nixmzeng]

Firstly - what are you injecting into Gunz? If you're trying Dark or something similar, the addresses have changed (you probally know this) and it's bound not to work.

Assuming processes are listed in order of creation time, the first one should hold all the memory allocated for the files it's loaded. So what's interesting is how you say it's the fake version.

Thanks for the links.

[pootytang9]

(dark destrutction)yes i understand wat u mean that the dll might end up useless,yet the activation of the dll is not related to gunz. so even if addres change the activaton shouldnt be affected,also when dll activated all comands should be able to be enabled becuase the addres may have changed yet the dll will still edit the addres it was ment to change,and in most cases result in a crash, but like i said i got nothing.im doing this to do s test and see if its possible to inject,rite now the goal is to succsfuly inject a dll, later i could find address and someone will make that into dll.

ok lets assume that the proces r listed in order of creation rite.

ok with this assumption itll change the way a percive this extra exe but here:

ok if the process are listed in order of creation then i can say( correct me if this is not any way in hell possible) this see the first gunz process will act as a loader, all this process does is loads gun up and compiles the info into a game quickly, so that process can be consirded a "fake" becuase it was given the name of the origanl game process and yet has no memory, and this little exrtra was added just as a simple counter measure o stop the injection of dlls since the injector will attach to a uselss process called gunz.exe.

once all game info has been loaded, like charecter,,server and other things that run game, and ur in lobby the seound process gunz.exe will show up and this is the game. while the other process of gunz is not terminated it just becomes in-active and uselss since its 2 reason for existing are over, which is starting up loading the game,and distracting the injectors.

this new theory explains y the first gunz.exe is a "fake" instead of holding the memory it transfer memory into a game. so if u inject dll into the first procces ur not injecting into the game just into something that transfer. like saying ur injecting the dll into the gunz launcher and expecting to have hacked gunz.

so u see "fake"gunz.exe is just acts as middle man for loading gunz,liiike gunz launcher, and thats y also the secound "real" gunz.exe shows up once u pass the charecter select screen since all game info has been finally transfered.

hope this helps u with how i think.

and ur welcome with links hope they help

srry for my extra long and boring post next time ill make them more fun to look at