#1 (permalink)
Member | Join Date: May 2007 | Posts: 20
How does GameGuard work

1. Process flow

This is what GameGuard does first (process monitor log; the times are AM):

Seq            Time      Type     Parent ID            Process ID  EPROCESS    Process Name
00000011-15    10:10:03  Create   0xA78                0x848       0x82E45DA0  Loader.exe
00000016-20    10:10:04  Create   0x848 (Loader.exe)   0x6B8       0x83FC4DA0  game.exe
00000021-25    10:10:04  Destroy  0xA78                0x848       0x82E45DA0  Loader.exe
00000034-38    10:10:05  Create   0x6B8 (game.exe)     0x1C4       0x819BBB28  GameGuard.des
00000039-43    10:10:08  Create   0x6B8 (game.exe)     0x4A4       0x829D0DA0  GameMon.des
00000044-48    10:10:16  Destroy  0x6B8 (game.exe)     0x1C4       0x819BBB28  GameGuard.des
00000292-96    10:11:02  Destroy  0x848                0x6B8       0x83FC4DA0  game.exe
00000297-301   10:11:09  Destroy  0x6B8 (game.exe)     0x4A4       0x829D0DA0  GameMon.des

Notes on each event, in order:
- Loader.exe created: usually GameGuard is loaded before the game.
- game.exe created: Loader is running game.exe.
- Loader.exe destroyed: after game.exe is run, Loader is destroyed.
- GameGuard.des created: I think GameGuard.des is resetting something. It is run by game.exe.
- GameMon.des created: GameMon.des is some kind of observer process. When this thing loads into memory, they start SDT Restore.
- GameGuard.des destroyed: after GameMon.des is run, GameGuard.des is destroyed.
- game.exe destroyed: the game is destroyed first, at the user's request.
- GameMon.des destroyed: they do injection and they load npggNT.des, and that uses the device. They unload that and destroy GameMon.des.

2. Hook Chain

GameGuard is trying to hook.

2.1 User Level

GameGuard is trying to inject into all processes, and npggNT.des helps them.

+ [0x7C930000] ntdll.dll
  - NtLoadDriver             -> 0x458AA5D0 (npggNT.des)
  - NtOpenProcess            -> 0x458AA720 (npggNT.des)
  - NtProtectVirtualMemory   -> 0x458AA020 (npggNT.des)
  - NtQuerySystemInformatio  -> 0x458AD6A0 (npggNT.des)
  - NtReadVirtualMemory      -> 0x458AA270 (npggNT.des)
  - NtSuspendProcess         -> 0x458AB9D0 (npggNT.des)
  - NtSuspendThread          -> 0x458AB5A0 (npggNT.des)
  - NtTerminateProcess       -> 0x458AB860 (npggNT.des)
  - NtTerminateThread        -> 0x458AB6F0 (npggNT.des)
  - NtWriteVirtualMemory     -> 0x458AA430 (npggNT.des)
  - RtlGetNativeSystemInfor  -> 0x458AD6A0 (npggNT.des)
  - ZwLoadDriver             -> 0x458AA5D0 (npggNT.des)
  - ZwOpenProcess            -> 0x458AA720 (npggNT.des)
  - ZwProtectVirtualMemory   -> 0x458AA020 (npggNT.des)
  - ZwQuerySystemInformatio  -> 0x458AD6A0 (npggNT.des)
  - ZwReadVirtualMemory      -> 0x458AA270 (npggNT.des)
  - ZwSuspendProcess         -> 0x458AB9D0 (npggNT.des)
  - ZwSuspendThread          -> 0x458AB5A0 (npggNT.des)
  - ZwTerminateProcess       -> 0x458AB860 (npggNT.des)
  - ZwTerminateThread        -> 0x458AB6F0 (npggNT.des)
  - ZwWriteVirtualMemory     -> 0x458AA430 (npggNT.des)
+ [0x7C800000] kernel32.dll
  - CreateProcessInternalW   -> 0x458A70E0 (npggNT.des)
  - DebugActiveProcess       -> 0x458AAB80 (npggNT.des)
  - DeviceIoControl          -> 0x458AACA0 (npggNT.des)
  - GetProcAddress           -> 0x458ABB10 (npggNT.des)
  - LoadLibraryExW           -> 0x458AAFA0 (npggNT.des)
  - MapViewOfFile            -> 0x458AD0B0 (npggNT.des)
  - MapViewOfFileEx          -> 0x458AD310 (npggNT.des)
  - MoveFileW                -> 0x458ABC50 (npggNT.des)
  - OpenProcess              -> 0x458AA970 (npggNT.des)
  - ReadProcessMemory        -> 0x458A8F80 (npggNT.des)
  - VirtualProtect           -> 0x458A96D0 (npggNT.des)
  - VirtualProtectEx         -> 0x458A9DB0 (npggNT.des)
  - WriteProcessMemory       -> 0x458A9240 (npggNT.des)
+ [0x77F50000] ADVAPI32.dll
  - CreateProcessWithLogonW  -> 0x458AB4D0 (npggNT.des)
+ [0x77E20000] GDI32.dll
  - GetPixel                 -> 0x458ABE40 (npggNT.des)
+ [0x77CF0000] USER32.dll
  - GetWindowThreadProcessI  -> 0x458AC080 (npggNT.des)
  - PostMessageA             -> 0x458A7FE0 (npggNT.des)
  - PostMessageW             -> 0x458A8350 (npggNT.des)
  - SendInput                -> 0x458A7410 (npggNT.des)
  - SendMessageA             -> 0x458A87F0 (npggNT.des)
  - SendMessageW             -> 0x458A8A10 (npggNT.des)
  - SetCursorPos             -> 0x458A8A40 (npggNT.des)
  - SetWindowsHookExA        -> 0x458A8BA0 (npggNT.des)
  - SetWindowsHookExW        -> 0x458A8DF0 (npggNT.des)
  - keybd_event              -> 0x458A78B0 (npggNT.des)
  - mouse_event              -> 0x458A7D70 (npggNT.des)
+ [0x762B0000] WINSTA.dll
  - WinStationTerminateProc  -> 0x458AD570 (npggNT.des)

* Usually they detect macros and hacks with these.

2.2 Kernel Level

GameGuard uses this sys file, "dump_wmimmc.sys". They are trying to do SSDT hooking.

service number : 31
  + related nt function list : NtConnectPort, ZwConnectPort
  - hook type : entry hooking
  - redirected address : 0x848B2560
  * hook module information : not found; maybe it is in the nonpaged pool area.
service number : 122
  + related nt function list : NtOpenProcess, ZwOpenProcess
  - hook type : entry hooking
  - redirected address : 0xF7A6C682
  * hook module information : not found; maybe it is in the nonpaged pool area.
service number : 128
service number : 137
  + related nt function list : NtProtectVirtualMemory, ZwProtectVirtualMemory
  - hook type : entry hooking
  - redirected address : 0xF7A6C7FA
  * hook module information : not found; maybe it is in the nonpaged pool area.
service number : 186
  + related nt function list : NtReadVirtualMemory, ZwReadVirtualMemory
  - hook type : entry hooking
  - redirected address : 0xF7A6C702
  * hook module information : not found; maybe it is in the nonpaged pool area.
service number : 277
  + related nt function list : NtWriteVirtualMemory, ZwWriteVirtualMemory
  - hook type : entry hooking
  - redirected address : 0xF7A6C77E
  * hook module information : not found; maybe it is in the nonpaged pool area.
service number : 502
  + related function list : SendInput
  - hook type : entry hooking
  - redirected address : 0xF7A6C962
  * hook module information : not found; maybe it is in the nonpaged pool area.

module name : ntoskrnl.exe
  - base address : 0x804D9000
  - entry point address : 0x806AE2BE
  - module full path : \WINDOWS\system32\ntoskrnl.exe
  + hooked function list
    + KeAttachProcess
      - hook type : opcode patching
      - redirected address : 0xF79A513E
      - hook module information : not found.
    + KeStackAttachProcess
      - hook type : opcode patching
      - redirected address : 0xF79A5038
      - hook module information : not found.

* This looks like a hook installed to fundamentally block address-space switches into the protected process.

3. Miscellaneous

GameMon.des creates these files in C:\MyDocuments\Local Settings\Temp:
np5A.tmp, np5B.tmp, np5C.tmp, np5D.tmp, np5E.tmp, np5F.tmp, np60.tmp, np61.tmp
They are all different files, and they are in PE format.
ggscan.des: this file is only loaded by GameMon.des.

Omg, that was hard. Uhh, I can't speak English that well, so sorry for that. That's all I can explain to you.
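The hook reports above all rest on one check: read the first bytes of a function (or an SSDT slot), see whether control is redirected, and ask which loaded module owns the redirect target; "hook module information: not found" is what you get when no module range contains it. The following C program is an added example written for this thread, not code from the post, from GameGuard or from the scanner whose output is quoted. It encodes the x86 `JMP rel32` stub a user-mode hooker plants, decodes it (and the `PUSH/RET` and `JMP [mem]` variants) back to the target, and runs the same owner lookup over a constructed SSDT slice. The ntdll.dll and ntoskrnl.exe bases and the redirect addresses are the ones in the post; the module sizes, the npggNT.des base, the NtLoadDriver VA and the SSDT contents are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Module list as a scanner would collect it. Bases for ntdll.dll and
 * ntoskrnl.exe are the ones in the post; every size, and the npggNT.des
 * base, is an assumption made for this demo. */
typedef struct { const char *name; uint32_t base; uint32_t size; int kernel; } module_t;

static const module_t g_mods[] = {
    { "ntdll.dll",    0x7C930000u, 0x000B0000u, 0 },
    { "npggNT.des",   0x458A0000u, 0x00010000u, 0 },
    { "ntoskrnl.exe", 0x804D9000u, 0x001F0000u, 1 },
};
#define NMODS (sizeof g_mods / sizeof g_mods[0])

/* Which module owns addr, or NULL: the post's "hook module information: not found". */
const module_t *owner_of(uint32_t addr)
{
    for (size_t i = 0; i < NMODS; i++)
        if (addr >= g_mods[i].base && addr - g_mods[i].base < g_mods[i].size)
            return &g_mods[i];
    return NULL;
}

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode the 32-bit x86 stubs an entry hook plants over a function's first
 * bytes. fn_addr is the function's VA, bytes its first len bytes as read from
 * the target process. Returns the redirect target, 0 for an untouched prologue. */
uint32_t entry_hook_target(uint32_t fn_addr, const uint8_t *bytes, size_t len)
{
    if (len >= 5 && bytes[0] == 0xE9)                      /* JMP rel32 */
        return fn_addr + 5 + rd32le(bytes + 1);            /* wraps mod 2^32 by design */
    if (len >= 6 && bytes[0] == 0x68 && bytes[5] == 0xC3)  /* PUSH imm32; RET */
        return rd32le(bytes + 1);
    if (len >= 6 && bytes[0] == 0xFF && bytes[1] == 0x25)  /* JMP DWORD PTR [imm32] */
        return rd32le(bytes + 2);                          /* reports the pointer slot */
    return 0;
}

/* Encode the JMP rel32 a user-mode hooker writes over fn_addr. */
void write_jmp_stub(uint32_t fn_addr, uint32_t target, uint8_t out[5])
{
    uint32_t rel = target - (fn_addr + 5);                 /* unsigned wraparound is defined */
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* SSDT check: every handler must lie inside a module flagged as kernel.
 * Returns how many do not; their service numbers go to out (up to cap). */
size_t scan_ssdt(const uint32_t *table, size_t n, size_t *out, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        const module_t *m = owner_of(table[i]);
        if (m && m->kernel) continue;
        if (found < cap) out[found] = i;
        found++;
    }
    return found;
}

/* Demo 1: hook NtLoadDriver (VA assumed, inside the post's ntdll range) to the
 * post's npggNT.des target, then recover that target from the stub bytes. */
uint32_t demo_user_hook(void)
{
    uint8_t stub[5];
    write_jmp_stub(0x7C93D5A0u, 0x458AA5D0u, stub);
    return entry_hook_target(0x7C93D5A0u, stub, sizeof stub);
}

/* Demo 2: a constructed three-entry SSDT slice: one handler inside ntoskrnl
 * and the post's redirected addresses for services 122 and 31. */
size_t demo_ssdt(size_t *out, size_t cap)
{
    const uint32_t ssdt[] = { 0x805A1234u, 0xF7A6C682u, 0x848B2560u };
    return scan_ssdt(ssdt, 3, out, cap);
}

int main(void)
{
    static const uint8_t clean[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC }; /* mov edi,edi; push ebp; mov ebp,esp */
    uint32_t t = demo_user_hook();
    const module_t *m = owner_of(t);
    printf("NtLoadDriver -> 0x%08X (%s)\n", t, m ? m->name : "not found");
    printf("clean prologue -> 0x%08X\n", entry_hook_target(0x7C93D5A0u, clean, sizeof clean));
    size_t bad[8];
    size_t n = demo_ssdt(bad, 8);
    for (size_t i = 0; i < n; i++)
        printf("SSDT entry %zu suspicious\n", bad[i]);
    return 0;
}
```

The owner lookup is what separates a benign redirect (a function that legitimately jumps into another known DLL) from the "not found" case in the post: a target that no module in the list covers is either a manually mapped image or, in the kernel case, code living in pool memory, which is exactly what the quoted scanner guesses.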
#7 (permalink)
Great member

*In a non-judgmental and completely regular tone of voice, and not meaning anything to you or anyone else on this topic* It's probably for people who aren't 100% leechers and want to know how GameGuard works, in an effort to maybe develop a bypass or to understand how hacking actually works. Just a thought.
__________________
If I've helped you, please rep me. Don't just download/follow my guides and then never return; rep is for a purpose, and that is to thank someone for something they have done that benefited the best forum of all time... NT
#8 (permalink)
I'm Waiting For Nothing

I know this kid in real life. Usually people have to know something general about hacking to post something useful, but I gave this kid all of his hacks and he knows absolutely nothing about hacking. I know he leeched this from somewhere, but I don't know for what reason.
#9 (permalink)
(>^.^)> ^(^.^)^ <(^.^<)

Quote: