harakirinox

Introduction: The problem

To develop your cheats you probably use some tools and software to reverse engineer the game your are hacking by digging in its memory.
It's so convenient to be able to see with your own eyes the values in memory while the game is running so you can locate and use your location and other player's coordinates to make your ESP, right?
Whether you use ReClass, Cry Search, Cheat Engine, or any other tool, this help us quite a lot for the development phase of our cheats.
One problem though: Most reverse engineering programs that allow you to conveniently explore memory generally need a handle to the process they want to examine, which mean that they will fail on anti-cheat protected games.

I thought that I could develop my own little tools to reverse games myself from scratch, but that would require a lot of time and energy (and it would be sort of reinventing the wheel, since these tools are already made, and by more experienced people).
Some of these programs are open source, so I thought that I could modify them to include my bypass in them... but understanding and modifying another person's big software is both challenging and daunting.
Actually I think that most of the time it is harder to understand other people's code than simply writing code myself.

Does that means that I am condemned to learn how to reverse an entire game in assembly and reverse everything in IDA, without even taking a glance on that precious memory? She is so talkative and revealing, that would be too bad.

Fortunately, there is a solution.

The principle.
Suspend the game process, kill the anti cheat processes/services, then attach your tools

It is possible to suspend a process.
This means that all instructions will be suspended and the process will just freeze in the state it is at that moment, and so will be its memory.
You can do this with the well known Process Hacker, but you can also do this without any external tool, by using the Resource Monitor that comes with Windows (you can execute "resmon" or just hit the Start button and search "Resource Monitor").
In Process Hacker, just right click your game's process and click "Suspend" as shown in the following image:



If you do it with the Resource Monitor, same thing, on the main window right click the process of your game and click Suspend process as shown in the following image:



Once the process is suspended, you can safely kill the Anti Cheat process, stop its service or anything else required to turn it off.
Then, now that the anti-cheat is gone, you can attach your tools to your game and explore its (frozen) memory.

The main downside of this method is that you have only access to a snapshot of the memory, at the moment you froze the process, but you can simply take several snapshots to check the differences.

Demonstration
Accessing DayZ SA network manager (up to date, online)

DayZ hackers are lucky, we have lots of information available thank to the numerous years of research and experiments, and in addition to that we have the offline editor, that basically allow us to start the game without its anti cheat and simulate the game locally.
Extremely convenient to locate your coordinates, find items, etc...
One problem though, all the network functions are disabled, the base pointer to the network manager is even null, impossible to reverse this with the offline editor (and also, the game behaves differently on many other things).
So, let's access the memory while playing live.

Start the game normally, and join a server to load interesting things in memory.
If you feel like it, you can try to attach your tool (e.g. ReClass) to the game to make sure that the anti cheat just won't let you.
Start Process Hacker or Resource Monitor, right click DayZ.exe, suspend the process.
Now start the task manager, go to the details tab, kill DayZ_BE.exe, go to the service tab, stop the service BEService. Bye bye BattlEye.
Now, try again to attach your tool to the game and enjoy your access to the memory.
You can now dereference the network manager and follow the chain of pointers to access the scoreboard and see other players in memory with all their properties.

Credit: @iB07.
This technique has been given to me by @iB07 who savagely raped killed me on public DayZ server with his awesome cheat before we started talking.
Do not hesitate to +rep him for this incredibly useful trick!

Have a good one, and enjoy hacking

__________________

Dark1027

To suspend/kill the anticheat processes or threads should be general knowledge but thanks nonetheless. Will add this to the wiki

__________________

harakirinox

I agree, it should be.
However, I did not read about it before hearing it from iB07 and after discussing with other people from the forum I noticed that I wasn't an isolated case and that many do not know it.
That's why I decided to write this little guide.
And yes, this definitely belongs in the wiki!

__________________

Nov

__________________

Dark1027

Okay i created a wiki page: https://www.unknowncheats.me/wiki/At...rotected_games
You might want to take a look at it. I also added the procedure to suspend anticheat threads

__________________

father00

can i use it to stop faceit anti cheat client and inject my dll into csgo?

Souper

A topic I was searching for. Thanks friend

__________________

yamaha

I am struggling with the anti debug system of codww2, if i try launching CE it crashes the game. This method probably wont work for anti debug system right ?

Souper

To my understanding you need your own UCE for this game. Meaning your own exe, sigs etc. I believe the DBVM(?) mode worked during the beta but I doubt it would work any more.

__________________

yamaha

Ye that worked in the beta, changing CE sigs and use DBVM mode etc. However there are additional anti debug measurements that make my game crash while running CE.

Souper

Yeah I figured. There might be some information out there but I haven't seen much in terms of cheats about the new cod. And I certainly don't know enough about it to help you. Sorry, friend.

__________________