Bypassing Anti-cheat systems

So I want to look into building a custom, extremely simplified version of Cheat Engine that may hopefully be able to bypass some anti-cheat systems by using limited access rights to only scan for memory and not edit it.

At first I thought that, although it's still fairly complex getting everything nice and smooth, the general process should be quite simple, right? Scan for memory and compare it against a scan parameter, then store all valid results, so just like CE you can iterate down to the variable's location.

Now here's a few things I didn't think about...
Firstly, CE is capable of finding an address, then using a debugger to find where an address is accessed (the debugger alone will probably foil the anti-anti-cheat plan, but still...) and looking at the registers to find out whether the current address is directly pointed to, or if it's calculated with an offset and a pointer. I currently have no idea how I'd find out if a variable is directly pointed to unless I found a piece of memory with that address's location, and that could just be a chance value that has nothing to do with this bit of memory.

Secondly, CE is capable of identifying static addresses, another crucial part which I currently have no idea how to go about doing.

While I am going to continue trying to find these out myself I was hoping that someone may have some greater knowledge to share straight off?
There is one thing that I could attempt in order to find out how this is achieved since CE source code is given out freely, however there's so much I don't have a clue where to start, and I've also not done anything with Lua or Pascal so I'd have to learn those first. And then of course with viewing the src there's countless libraries that I will be unaware of that I may be simply wasting time searching through thinking it's part of what I require to be proven otherwise.

Also if there's any other obvious holes that you know of that I've missed, let me at least know of those too please, even if you can't help in solving them.

Thanks for any help/advice

EDIT: I should mention that by bypassing anti-cheat, I know that I won't be able to edit the memory locations once I've found them, and the point is I don't want to. I want to make an app for my Logitech G13 that can take application variables and display them on the LCD, and I'm only really interested in variables that are shown to you in games anyway... I'm not planning on actually trying to find a way around anti-cheat for cheating in online games.
(and the particular game I'll be testing this on if I get it working will be Smite, maybe I'll try some other anti-cheats too)
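The scan-then-narrow loop described in the post, as an added example that is not from the thread or from Cheat Engine: it runs over a constructed byte buffer standing in for a process snapshot, so the Windows read calls are assumed to have already filled the buffer.

```c
/* Added example (not from the thread): the scan / next-scan narrowing that a
 * Cheat Engine style scanner performs, run over a constructed in-memory
 * "snapshot" instead of a live process so it compiles and runs anywhere. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_HITS 64
/* Candidate set: snapshot offsets that may hold the watched variable. */
typedef struct { size_t off[MAX_HITS]; size_t n; } hits_t;

/* First scan: every 4-byte aligned cell equal to `value` becomes a candidate. */
void scan_initial(const uint8_t *snap, size_t len, int32_t value, hits_t *h) {
    h->n = 0;
    for (size_t off = 0; off + sizeof value <= len && h->n < MAX_HITS; off += 4) {
        int32_t cell;
        memcpy(&cell, snap + off, sizeof cell);   /* memcpy: no unaligned deref */
        if (cell == value) h->off[h->n++] = off;
    }
}

/* Next scan: after the variable changed in the game, keep only candidates that
 * now hold the new value. Repeating this narrows thousands of hits to one. */
void scan_next(const uint8_t *snap, size_t len, int32_t value, hits_t *h) {
    size_t kept = 0;
    for (size_t i = 0; i < h->n; i++) {
        int32_t cell;
        if (h->off[i] + sizeof cell > len) continue;
        memcpy(&cell, snap + h->off[i], sizeof cell);
        if (cell == value) h->off[kept++] = h->off[i];
    }
    h->n = kept;
}

/* Demo on a constructed 64-byte snapshot: three cells hold 100, but only the
 * "health" cell at offset 24 follows the value when it drops to 85. */
size_t demo_narrow(void) {
    uint8_t snap[64] = {0};
    int32_t v = 100;
    hits_t h;
    memcpy(snap + 8, &v, 4);
    memcpy(snap + 24, &v, 4);
    memcpy(snap + 40, &v, 4);
    scan_initial(snap, sizeof snap, 100, &h);   /* 3 candidates: 8, 24, 40 */
    v = 85;
    memcpy(snap + 24, &v, 4);                   /* the player took damage */
    scan_next(snap, sizeof snap, 85, &h);       /* 1 candidate left */
    return h.n == 1 ? h.off[0] : (size_t)-1;    /* 24 */
}
```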
SatsumaBenji wrote:
I currently have no idea how I'd find out if a variable is directly pointed to unless I found a piece of memory with that address's location, and that could just be a chance value that has nothing to do with this bit of memory.

Try doing what Valgrind does; create a wrapper for malloc/free and force the process to load your wrapper. Then maintain your own list of allocated memory.
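Chrisname's suggestion worked through as an added example (not the thread's own code): with the allocations a malloc/free wrapper recorded plus the module ranges, a scanned cell counts as a pointer only if its value lands in a recorded region, and a cell inside a module image is the static address the original post asks about. All regions, cell addresses and values are constructed.

```c
/* Added example (not from the thread): checking pointer candidates against a
 * list of known allocations (what a malloc/free wrapper would record) and
 * telling static cells (inside a module image) from heap cells. Every address
 * and range below is constructed, not taken from any real process. */
#include <stddef.h>
#include <stdint.h>
typedef struct { uintptr_t base; size_t size; } region_t;
typedef struct { uintptr_t addr; uintptr_t value; } cell_t;   /* one scanned cell */
typedef struct { uintptr_t cell; size_t offset; int is_static; } ptr_hit_t;

/* Constructed: one module image and two heap blocks the wrapper recorded. */
static const region_t modules[] = { { 0x00400000u, 0x00100000u } };
static const region_t heap[]    = { { 0x01A00000u, 0x1000u }, { 0x01B20000u, 0x200u } };
#define NMOD  (sizeof modules / sizeof *modules)
#define NHEAP (sizeof heap / sizeof *heap)
static int in_region(const region_t *r, size_t n, uintptr_t a) {
    for (size_t i = 0; i < n; i++)
        if (a >= r[i].base && a < r[i].base + r[i].size) return 1;
    return 0;
}
/* Static address: a fixed offset from a module base, so it survives restarts. */
int is_static_address(uintptr_t cell) { return in_region(modules, NMOD, cell); }

/* One-level pointer scan: keep cells whose value lies in known allocated memory
 * and reaches `target` within max_off. A value that merely resembles an address
 * but points into no recorded allocation is the "chance value" case: rejected. */
size_t pointer_scan(const cell_t *cells, size_t n, uintptr_t target, size_t max_off,
                    ptr_hit_t *out, size_t cap) {
    size_t k = 0;
    for (size_t i = 0; i < n && k < cap; i++) {
        uintptr_t v = cells[i].value;
        if (!in_region(heap, NHEAP, v) && !in_region(modules, NMOD, v)) continue;
        if (target < v || target - v > max_off) continue;
        out[k].cell = cells[i].addr;
        out[k].offset = (size_t)(target - v);
        out[k].is_static = is_static_address(cells[i].addr);
        k++;
    }
    return k;
}

/* Demo snapshot: "health" sits at 0x01A00030 inside the first heap block. */
size_t demo_pointer_scan(ptr_hit_t *hits, size_t cap) {
    static const cell_t cells[] = {
        { 0x00412340u, 0x01A00000u },  /* module cell -> block start: static, +0x30 */
        { 0x01B20010u, 0x01A00020u },  /* heap cell -> block, +0x10: moves each run */
        { 0x00412348u, 0x01A01234u },  /* address-like, but in no known allocation */
        { 0x00412350u, 0x00000064u },  /* plain integer 100, not a pointer at all */
    };
    return pointer_scan(cells, 4, 0x01A00030u, 0x100, hits, cap);
}
```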
I spent quite some time working on this: here's a small head start. Half the fun was figuring it out!

#include <windows.h>
#include <stdint.h>

/* Read one byte at `loc` in process `pid`. Returns the byte (0..255) or -1 on
   failure; a plain char return could not distinguish failure from a 0 byte. */
int getbytefromprocess(DWORD pid, uint64_t loc) {
  HANDLE pHandle;
  SIZE_T totalRead = 0;   /* ReadProcessMemory wants a SIZE_T*, not a DWORD* */
  unsigned char buf;

  /* PROCESS_VM_READ | PROCESS_QUERY_INFORMATION is enough for reading only. */
  pHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
  if (pHandle == NULL) {
    return -1;
  }

  if (!ReadProcessMemory(pHandle, (LPCVOID)(uintptr_t)loc, &buf, 1, &totalRead)
      || totalRead != 1) {
    CloseHandle(pHandle);
    return -1;
  }

  CloseHandle(pHandle);
  return buf;
}


Good luck friend.
@ultifinitus, that's the easy part XD
I've already used the Windows API for reading process memory before, and I'm hoping that by changing PROCESS_ALL_ACCESS into read only then I might get let in... perhaps I should test that alone before working hard on something else... however I am still interested in how CE can do what it does even if I can't make it work for my custom app.

@Chrisname, that's actually quite a cool idea, I can see some more problems with that but perhaps more easily solved than scanning for the differences. However I have also read up on anti-cheat mechanisms and one of the key ones is stopping DLL injection, so getting the process to load this wouldn't be easily possible.

I have actually thought about simply asking HiRez for permission to actually work on their game and to give them my source and app in return... however I can't imagine they'd be so up for it... still worth a try I suppose (they've responded to my emails within about a week when I've reported bugs)
SatsumaBenji wrote:
I've already used the Windows API for reading process memory before, and I'm hoping that by changing PROCESS_ALL_ACCESS into read only then I might get let in...


If you want to do more than reading memory on the target process then give this a shot:

#include <windows.h>

/* Enables SeDebugPrivilege in the current process's token. The account must
   already hold the privilege (e.g. an elevated administrator); returns TRUE on success. */
BOOL EnableDebugPrivilege(void)
{
    HANDLE CurrentProc = OpenProcess(PROCESS_ALL_ACCESS, TRUE, GetCurrentProcessId());
    HANDLE CurrentToken = NULL;
    LUID PrivValue;
    TOKEN_PRIVILEGES tPriv[1];
    BOOL ok = FALSE;
    if (CurrentProc == NULL)
        return FALSE;

    if (OpenProcessToken(CurrentProc, TOKEN_ADJUST_PRIVILEGES, &CurrentToken) &&
        LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &PrivValue)) {
        tPriv[0].PrivilegeCount = 1;
        tPriv[0].Privileges[0].Luid = PrivValue;
        tPriv[0].Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        /* AdjustTokenPrivileges returns TRUE even when the privilege is not held;
           GetLastError() then reports ERROR_NOT_ALL_ASSIGNED. */
        ok = AdjustTokenPrivileges(CurrentToken, FALSE, tPriv, 0, NULL, NULL) &&
             GetLastError() != ERROR_NOT_ALL_ASSIGNED;
    }

    if (CurrentToken) CloseHandle(CurrentToken);
    CloseHandle(CurrentProc);
    return ok;
}



Do you think it would be possible to perform static disassembly on the game, find where the anti-cheat lies (hopefully a DLL) and simply replace that with a custom one that says everything is fine?

Although I've looked at reverse engineering software I've not learned how to actually do so yet.