[Sort-Of-Release] Gameguard NProtect Bypass

Helpful script writing tricks and HowTo's
tommmmmm
Posts: 1
Joined: 13 Nov 2015, 13:22

[Sort-Of-Release] Gameguard NProtect Bypass

13 Nov 2015, 13:48

After countless threads most notably http://autohotkey.com/board/topic/785-a ... utohotkey/

and some serious posts by serious people, most notably this one by Autohotkey moderator Gamergirl:
There are any number of people even here on these boards that could do a task like that. The big question is why bother? Spend 200+ hours reverse engineering an anti-hack to see what it's doing then anot\her 40-80+ hours coding and testing a wrapper around it only to have it update itself after a week or so and anti-rootkit your anti-rootkit and then you start all over again. For a single game that is essentially a freebie? The reason people write anti-hacks like GameGuard is to make sure the game stays balanced and that gold farmers don't auto-bot the game to the point where the drive off their core set of gamers. Sure some stuff like AutoHotkey gets caught in the net but there are a LOT of people who want to be able to farm gold while they go off and have a life outside the game while still having their characters run around and soak up loot and mats. And then there are the asian gold farmers who run bots in shifts 24/7 (where and when they can get away with it). Not only that but when the devs update their anti-hack and your anti-anti-hack breaks who you gonna yell at to get it fixed? Does that individual want to spend the next 5 years maintaining code that makes them essentially no money at all for a massive investment in time, effort, and the potential cost of tools like post-mortem debuggers, OS system API sniffers, High level coding language like C++ and some low level Assembler stuff to hack into the PC BIOS routines?. No, I'll wager whoever has the skill to do that would rather get paid a pretty decent salary working for an engineering firm coding the anti-hacks in the first place. I know I would. I did. And made a good living at it too but that was in another life. And the company bought all my tools. Personally I think you'd be wasting your time trying to find someone good enough to do the work but do it essentially free of charge. If you're interested in commercial automation tools that can do a bit of what you're looking for there are commercial ventures that may be able to help.Be aware there are a lot of wormy hacks out there that will be more than willing to put some malware on your machine if you get sloppy. That's another big gotcha you might want to take into consideration if you go for the "I need a freebie" kind of thing.

You might want to read this LINK to get some idea of what you may need to do for a game Like Ragnarok. Or check out this LINK and this LINK for some other ideas about automating MMO stuff. There are reliable and honest programmers out there but you have to search to find them.
And the fact that most known sources of information are 5-8 years old anyone who tries to make a bypass will not even know the scale of a challange.

Well folks I've done it. It took me 100 hours, true. And I had good programming background in java and a tiny little miniscule bit of ASM.

I can't tell you exactly the steps how to, because the people from Gameguard are watching and as Gamergirl stated I don't want my 100 hours to go to waste, but I will give you a general idea.

First things first, there are 2 ways to make it working:
1. Fight Gameguard, decrypt it, unhook ring 3 and ring 0 functions, change the way it searches memory (and no, you can't just nop the CreateProcessA in olly)
2. Slip unnoticed

After 40 hours of way 1 I gave up.

So, slipping unnoticed for me means using follwing tools and techniques:
1. Process Hacker. The youtube video is patched, BUT the tool isn't completly useless
2. Themida. Yes. You heard it good. All the compiled AHK files (and unpacked afterwards - google it) can be obfuscated with some old cracked Themida version still available out there
3. Using Direct I/O library. Preferably one that gives NO results when googled "name_of_library gameguard" I found at least 6 or 7 open libraries
4. For god's sake at least change the names of output dlls when you compile said above

For step 3 there are gotcha's that will make you go crazy:
a) You have to enable ps/2 keyboard - simple regedit fix
b) You have to enable ps/2 mouse - super hard. You must force windows to install mouse you don't have using port you don't have. That's the hardest thing in windows itself that I pulled off.
c) You must enable windows to use UNSIGNED drivers. Also, suprisingly hard.
c) read this https://courses.engr.illinois.edu/ece39 ... H20-2.html at least 10 times. And test test test test. Best hint ever: wait for the control bit
d) Read this http://wiki.osdev.org/Mouse_Input#PS2_M ... mpliant.29 at least 10 times. And test test test. Best hint ever: for double clicks UNPLUG your usb mouse.

And then you will make it.

----
ps: playing with VMware and Sanboxie leads to nowhere. Both are crazy patched.
User avatar
WAZAAAAA
Posts: 73
Joined: 13 Jan 2015, 19:48

Re: [Sort-Of-Release] Gameguard NProtect Bypass

03 Apr 2016, 03:17

tommmmmm wrote:ps: playing with VMware and Sanboxie leads to nowhere. Both are crazy patched.
Not really. I've had a certain degree of success using 2 different virtualizer programs.

It appears that GameGuard injects itself into every running process with the purpose of limiting them.
But I've made a macro work correctly on a GameGuard protected game with literally 2 clicks: Right Click > Run in COMODO Sandbox. Sandboxed processes through COMODO's free antivirus seem to be immune to npggNT64.des injections... and the hotkey Send functions still work.
This is not the first time that COMODO helps me bypass an anticheat protection. No, this is not an advertisement and I don't work for COMODO haha.

I understand that "just get COMODO" is not exactly the best suggestion, so I searched for a more "portable" alternative. Evalaze (software similar to VMWare ThinApp just for reference) kinda worked for me: the virtualized AutoHotkey compiled script would work for the first seconds, and then it would crash, but that's probably my fault since I'm not really familiar with such programs. Enigma Protector(s) didn't work for me so don't bother.

More information about my successful tests. Was tested on:
3/APRIL/2016
nProtect GameMon Rev 2390
Elsword (Italian version)
worked only on Windowed and not Full Screen
YOU'RE NOT ALEXANDER

Return to “Tutorials”

Who is online

Users browsing this forum: No registered users and 10 guests