guide on making cheat engine undetected

(for rev 641, first edition)

by chen john l.
john0312@gmail.com
 content

part i: introduction
- chapter 1: how nprotect works
- chapter 2: how cheat engine works

part ii: practical

- chapter 3: things you need
- chapter 4: the traditional way
- chapter 5: the modern way – easy way
- chapter 6: compiling & debugging

part iii: appendix

- appendix a: detected strings for ui
– appendix b: ms-dos guide
–
part i: introduction
imagine that you are fighting a war, but you do not know what your army is planning or
what they have already done. so, do you think you can win the war. the answer a definite
no. same with bypassing nprotect, cheat engine and nprotect is fighting against each other,
so to learn how to bypass it, we'll have to learn how nprotect works and cheat engine wor
ks.

chapter 1: how nprotect works

what nprotect do are:
1.
hijack kernel function: for hacking application (eg cheat engine) to modify a game, it'll ha
ve to call some system function (eg openprocess()) to modify the game. so what nprotect do
is it hijacks the system functions. here is a monologue if you don't understand: nprote
ct: let me hijack the system first....
kernel32.dll: arghh...... (terminated)
nprotect: put a fake one there....
fake kernel32.dll: kernel32.dll at your service!
cheatengine: hello kernel32.dll, may i call openprocess(..)....
fake kernel32.dll: my foot, get lost!

2.
scan for suspicious program: thanks to dark byte, that he wrote a kernel that bypass the hi
jackation. again, the inca (nprotect company) got angry, and they decided to do revenge. so
what they did is search through the memory and if they found an array of bytes that is uniq
uely cheat engine, they'll make your computer reboot. so that is why we got to change detec
ted strings.

3.
 misc: since nprotect have already done so many evil things, it does not hurt to do more. as t
here are too many, i won't elaborate too much on this. a few examples are: hiding maplestor
y.exe, change setting of processguard for us, disabling compatibility mode for use.....etc
i think after reading this chapter, you already have some knowledge on how nprot
ect works.

chapter 2: how cheat engine works

visualization is a very good method to learn:
although visualization is good, but i will still do some explanation here. cheateng
ine.exe is mainly user interface, that means that it does not do much modification
to the target, its job is mainly to communicate with you and dbk32.dll, although it
still do some modification like use kernel32.dll to do modification if dbk32.* die
d. dbk32.dll help dbk32.sys to communicate with cheatengine.exe. dbk32.sys doe
s most modification and debugging.

part ii: practical

i can feel that you are getting excited, finally some practical... ok, let's get started.
chapter 3: things you need
there are three things that you need:

name description
delphi (version 7 or above, as you know, this software is not free, you got to buy it, or pirate it( at
borland developer studio your own risk, i am not responsible :p). but heres a link ;) -
also can) http://www.megaupload.com/?d=hk31x8l5 and for the serial and auth.
key go here http://www.mscracks.com
ddk (bundled in kdmf) go to m$ (microsoft) and download kdmf, it's bundled in there.( it will
give you instructions on how to install kdmf)
note: you will need a blank cd and some sort of burning software
cheat engine source there is two ways to download it, either download the rar version,
which might be outdated, or download from cvs. i strongly recommend
you to download it from cvs, the reason being there is a lot of bug fix in
the newer version in cvs. eg. the cvs version support multi-breakpoint
without the patch.

some ask me how to get cheat engine source from cvs, so i'll elaborate a bit:
1. go to http://www.wincvs.org/download.html and download wincvs ( binar
y installer )
2. install it
 3. open command prompt
4. change to the directory you want the ce
5. type “cvs -d :pserver:cvsanon@heijnen1.demon.nl:/cecvs login“ and
press enter. note: password is “cvsanon”
6. type 'cvs -d :pserver:cvsanon@heijnen1.demon.nl:/cecvs checkout "cheat
engine delphi” ', press enter and wait for it to finish.
7. done

chapter 4: the traditional way

this chapter is basically just telling you how it's done if you do not have the detec
ted strings & code.
1. comment out every thing.
2. compile and check if detect. should not be detected.
3. uncomment some things.
4. compile and check if detected. if detected somethings in the things that yo
u just uncommented contain detected string/code. if not detected, go to ste
p 3. if everything is uncommented you are done.

chapter 5: the modern way – easy way

this chapter is what you all are waiting for – a tutorial. so let's wait no more and g
ets started. i would divide the whole modification process into three parts: ( in rec
ommended modification sequence. )
1. kernel driver handler:
luckily dark byte wrote a tutorial on this: (so i can save my time. :p)
get the windows ddk and delphi for the device driver part
(.sys). you need to edit dbkkernel\dbkdrvr.c and change ce
driver52 , dbkthreadlist51 and dbkproclist51 to something
else and edit dbk32 in sources to something else so it creat
es a differently names .sys file

for the dll part edit dbk32\dbk32functions.pas and rename

the texts cedriver52 , dbkthreadlist51 and dbkproclist51 to
the same you named them in the driver and edit dbk32.sys
to the new name of the .sys. and rename the .dll to someth
ing else.dll

then for cheat engine, edit newkernalhandler.pas and rena

me the string dbk32.dll to the renamed.dll, then compile t
 he driver using the win2k free build environment and then
run ce.bat and the dll and cheat engine itself using delphi

2. dbk32.dll export names:

this is more troublesome. not only does it takes time (around an
hour), there are also no tutorial on it. as you know, function names are removed
when then program is being compiled. but this is not true for dll, functions that ar
e "exported" in a dll will have its name in the exported functions section in the dll.

the nprotect detects the export function names in dbk32.dll, so we got to change i
t. but when ce load the dbk32.dll, it call the functions inside it by its function nam
e. so, there are three files to change:
1. dbk32/dbk32.dpr
2. dbk32/dbk32functions.pas
3. newkernelhandler.pas
the functions you have to change are the lines that starts with "export" in dbk32.d
pr. the modification to the three files must be consistent, that means if you change
op to oooopppp in dbk32.dpr, all op in dbk32functions.pas and newkernelhandler.
pas must be changed to nothing but oooopppp. this is because dbk32.dpr defines
what functions to export, dbk32functions.pas contains the implementation of the
functions and its definition that this function exist, newkernelhandler.pas find out
the address of the function in dll by its name.

3. misc
these are some string that nprotect detects in ce user interface. refer to appendix f
or a list of detected strings for user interface. all you have to do is use find in file
function to look for them in the source code and change them. but please take not
e that for this part, do not change any function name or variable names, change o
nly those in quotes.

chapter 6: compiling & debugging

to compile the whole thing, follow the steps:
1. open ddk 2000 free build env
2. change to your source directory
3. type “compile” and press <enter>

to find out which part is detected, follow the steps:

1. run your ce, close it. run maplestory.exe. if reboot, dbk32.sys (dbkkernel/)
is detected.
2. remove dbk32.sys and dbk32.dll. run ce, run maplestory, if reboot, user in
terface is detected.
3. what else can be detected? obviously it's the dbk32.dll
part iii: appendix

appendix a: detected strings for ui

syndiv.com
peprocess
00400000
7fffffff
os prompt
80000000
current
newscan
new scan
vartype
scantype
nextscanbutton

appendix b: ms-dos guide

as ms-dos is very oftenly used, it's recommended you learn it. here is a simple gui
de.

command/syntax description example

cd <directory> change directory (does not chang cd c:\windows
e drive)
<drive name> change drive e:
del <file name> delete a file, can use wildchar del *.exe
rename <from, in absolute pat rename a file. rename c:\windows\system32\ex
h> <to, relative path> plorer.exe whatever.exe
@echo off start of a bat file, for .bat file onl @echo off.
y.