EMO Style ForumPro - Welcome
[TUTS] Making UCE

Posted by Hello EMO on Sat Jan 15, 2011 3:09 am

1. To make a UCE, you have to DOWNLOAD these.
- Delphi 7 Enterprise
(After you finish downloading both open D7E.part1.rar and extract. NOTE:Part1 and Part2 must be in the same folder)
- Actual Search and Replace: (Actual Search & Replace - File Find/Replace Utility, Tool for Text Files)
NOTE: I do not have a crack for it, so I suggest finishing this Tutorial in 30 days.

Using Actual Search and Replace (I put this in because many of you like to use ASR)

Under "File" select "Settings > Editor", browse and select "C:\Program Files\Borland\Delphi7\Bin\delphi32.exe" (This must be done or it WON'T read .dpr and .pas files.)

Then under the "OPTIONS" Tab, "tick/untick" "include Subfolders".

Then Under "MASKS" you enter for example:

"bla.pas; cat.pas; dog.dpr" (';' separates them) (Masks mean if you put *.dpr it will search all .dpr files, or if you put *.* it will search every single file.)

For everything that uses ASR tick whole words unless I say otherwise.

2. Ok, now for the practical part: making the DBK32.sys.

Open Driver.dat in the Main Source Folder 'C:\CheatEngineDelphi' (If it asks you what to open it with, select notepad.)

You will see this, change it to ANY WORD YOU WANT, BUT DO NOT use WHATEVER : (THIS GOES FOR EVERY STRING, DO NOT USE WHATEVER)

CEDRIVER53 ---> Whatever1
DBKPROCLIST53 ---> Whatever2
DBKTHREADLIST53 ---> Whatever3
dbk32.sys ---> whatever32.sys

2a. Go into the DBKKernel folder and Open DBKDrvr.c.

(Skip 2a If you are using the latest source)
Find (CTRL+F) hideme
(NOTE: It should be the second hideme you find)

You will see something like //hideme(DriverObject); //ok, for those that see this....................

Remove the //(This is called uncommenting strings) so it becomes
hideme(DriverObject); //ok, for those that see this....................
(For some this may cause a BSOD (Blue Screen of Death), but it has not happened to me before. If it causes a BSOD, try making a CE without hideme. There is a topic about it in the Cheat Engine Forums.)

2c. Open up Sources and Sources.ce in the DBKKernel folder. (Select notepad when it asks you what to open it with)

You will replace:
"TARGETNAME=DBK32" to "TARGETNAME=Whatever32" in both of the folders.

2d. Replacing the KeStackAttachProcess and IOCTL (This has to be done if you want to use pointers and memory view)
(Note: For the KeStackAttachProcess, if you are using the latest source, change it only for DBKDrvr.c because memscan.c is already changed)

Use Actual Search and Replace, Path (Main Source Folder) with the mask (memscan.c; DBKDrvr.c), search and replace the following. (Include Subfolders) (TICK WHOLE WORDS)

KeStackAttachProcess((PKPROCESS)selectedprocess,&apc_state); ---> KeAttachProcess((PEPROCESS)selectedprocess);
KeUnstackDetachProcess(&apc_state); ---> KeDetachProcess();

Then the IOCTL

Using Actual Search and Replace, Path (Main Source Folder) with the mask (DBKDrvr.c; dbk32functions.pas), search and replace the following. (Include Subfolders) (For this ONLY, untick the "Whole Word" function)

0x080 ---> 0x08A
0x081 ---> 0x08B
0x082 ---> 0x08C
(So if your A is 7, then your B MUST BE 8 (it cannot be 9; numbers go as 1,2,3 and not 1,3,4) and C will be 9) (Use 7, 8 and 9 because some say the earlier numbers are detected)
(DO NOT USE LETTERS, ONLY NUMBERS)
$080 ---> $08A
$081 ---> $08B
$082 ---> $08C
(So if your A is 7, then your B will be 8 and C will be 9) (Use 7, 8 and 9 because some say the earlier numbers are detected)

BONUS STEP, Fixing your pointers and enabling you to use memory view.


Memory view and Pointer fix:
1. Download the jumper files from here http://cheatengine.4dwebhosting.com/jumper.rar and put them into your DBKKernel folder.
Next you add this line: #include "jumper.h" to the end of the other #includes of DBKdrvr.c and memscan.c so DBKdrvr.c will look like

#include "DBKFunc.h"
#include "rootkit.h"
#include "processlist.h"
#include "memscan.h"
#include "threads.h"
#include "jumper.h"

And memscan.c will look like

#include "ntifs.h"
#include
#ifdef CETC
#include "tdiwrapper.h"
#include "kfiles.h"
#endif
#include "memscan.h"
#include "DBKFunc.h"
#include "jumper.h"


After that, add jumper.c to sources.ce so it looks like

SOURCES=DBKDrvr.c DBKFunc.c rootkit.c processlist.c memscan.c threads.c jumper.c



Hook NTGetContextThread(to enable usage of GodMode, and all other debugger hacks.)

2e. DDK is needed for this part. Compiling your whatever32.sys.

Go into your DBKKernel folder and copy the address bar. Example: C:\CheatEngineDelphi\DBKKernel

Open up Win2k or WinXP Free Build Environment (It should be in Start > Programs > Development Kits > Windows DDK 3790.1830 > Build Environments)

Type in 'cd C:\CheatEngineDelphi\DBKKernel' (without the quotes) (or whatever your main source folder is)

MAKE SURE no antivirus programs are ON (I'm serious)

Then type in 'ce' without the quotes and press enter.
Some code should come out and at the end should be something like

9 files compiled
1 executable build
.\objfre_wxp_x86\i386\google32.sys
1 file(s) copied.

If it has any errors I recommend putting your source folder in C:\ Example: C:\CheatEngineDelphi\DBKKernel (Because having spaces in your file name like C:\Documents and settings\ will create errors)
(DO NOT PUT IT ON YOUR DESKTOP)


Once you are done, your whatever32.sys should be in your main source folder.

3. Now we open dbk32.dpr in the dbk32 Directory with Delphi.

Then we open the "Project Manager" under "VIEW" and expand (click on the + sign) "dbk32.dll" and double click on "DBK32functions" to open it.

Replace the following in DBK32functions. (Replace in delphi = CTRL+R) (Remember to tick entire scope)
CEDRIVER52 ---> Whatever1 (This is the original CEDRIVER53)
DBKProcList51 ---> Whatever2 (This is the original DBKProcList53)
DBKThreadList51 ---> Whatever3 (This is the original DBKThreadList53)

Now save all and close all.

Next using Actual Search and Replace, Path (Main Source Folder) with the mask (*.*) (* is Shift+8), search and replace the following. (Include Subfolders)
dbk32.sys ---> Whatever32.sys
dbk32.dll ---> Whatever32.dll

3. Renaming strings.

3a. Now for the long part. Open dbk32.dpr in the dbk32 Directory with Delphi.

Then we open "DBK32functions" from the project manager.

After that, click "OPEN" under "FILE" and open newkernelhandler.pas in the main source folder.

Now there should be 3 files opened in delphi : dbk32.dpr, DBK32functions.pas and newkernelhandler.pas

Go to dbk32.dpr, see all those exports? You have to rename them all in dbk32.dpr, DBK32Functions.pas and newkernelhandler.pas.
(IMPORTANT: Just now at the beginning you renamed CEDRIVER53 ---> Whatever1. Now I want you to use a different string rather than the one you used just now. For example, you changed CEDRIVER53 into Apple1. Now do not change VQE into Apple1, use a different name, like Orange1.) (Whatever can be substituted for another word)

So,

VQE ---> Whatever1
OP ---> Whatever2
OT ---> Whatever3
NOP ---> Whatever4
RPM ---> Whatever5
WPM ---> Whatever6
VAE ---> Whatever7
And more till you reach Whatever52. WAIT, don't start yet.
This is the way I rename them.
First highlight VQE, press CTRL+C then type orange1. Now you've copied the word VQE and renamed it into orange1. Then, go into DBK32Functions.pas and press CTRL+R, paste (CTRL+V) VQE into the first box then type Orange1 into the second box. Tick prompt on replace, then click replace all. Usually you can just replace all without looking in DBK32Functions.pas, but maybe you might accidentally replace NOT when you are replacing OT, so it's safer to look through it one by one. After that, click on newkernelhandler and CTRL+R again, this time just copy VQE into the first box, as the second box will already have orange1 in it.
IMPORTANT: Only replace the ones in quotes in newkernelhandler.pas. Example: 'VQE'. Do not replace the VQEs that are not in quotes. Continue till the end. DO NOT CLOSE DBK32functions.pas and DBK32.dpr yet, but save and close newkernelhandler.pas.

Bonus Step: Pchar all the windowskernelstrings in NewKernelHandler. (Just in case or if you still get detected)

Example:
var
  A : string;
  B : string;

procedure DontUseDBKQueryMemoryRegion;
begin
  A := 'VirtualQu';
  B := 'eryEx';
  VirtualQueryEx := GetProcAddress(WindowsKernel, pchar(A + B));
  usedbkquery := false;
  if usephysical then DbkPhysicalMemory;
  if usefileasmemory then dbkfileasmemory;
end;

Pchar all these strings:

WriteProcessMemory =
OpenProcess =
readprocessmemory =
VirtualQueryEx =
SuspendThread =
DebugActiveProcess =
NtOpenProcess =
SetWindowsHookEx =
VirtualAllocEx =
VirtualAlloc =
SetWindowsHookExA =
ResumeThread =
VirtualProtectEx =
VirtualProtect =
CreateRemoteThread =
WaitForDebugEvent =
ContinueDebugEvent =
OpenThread =
GetThreadContext =
SetThreadContext =
NtOpenThread =
Test Application =
MS-DOS Prompt =
Ordinal =
Cardinal =
NtDLL.dll =
Courier =
Courier New =

3b. Save the DBK32functions.pas and DBK32.dpr in new names.

With DBK32functions.pas and DBK32.dpr opened in Delphi, go "FILE > Save As".

(These are only my changes, you can change to other names)

DBK32.dpr ---> Whatever32.dpr (Save in dbk32 folder) This whatever32 is what you renamed dbk32.dll with earlier. For Example,

dbk32.dll ---> Apple32.dll, so I'll change DBK32.dpr into Apple32.dpr

You will see that the "library DBK32;" has been changed to "library Whatever32;"

DBK32functions.pas ---> Whatever32functions.pas (Save in dbk32 folder)
After this you will see that in Whatever32.dpr's "uses" and in the Project Manager, DBK32functions.pas will be changed to whatever32functions.pas.
Open up project manager, you will see dbk32.dll become whatever32.dll
Now save all and close all.
Just in case you don't want to make mistakes, go into the dbk32 folder and delete dbk32.dpr and dbk32functions.pas

Ok, once the editing is done, let's move on.

Now open Whatever32.dpr in Delphi and compile Whatever32.dll.
Go "Project> compile whatever" or Ctrl+F9.

It's ok to get "Hint" or "Warning", but if you get "Error" go recheck your steps again, because you have made a mistake or forgot to change something somewhere.

If you do not get any Errors, your Whatever32.dll will be at the main CE Source Directory.

3c. Find and replace myhook with Actual Search and Replace. (Tick Subfolders)

Rename the myhook in CEHook.dpr and hypermode.pas only to Whatever53. Continuing from the exports that finish at Whatever52

Now open up CEHook.dpr in CEHook Directory with Delphi
(For some of you, you might have to delete 'system' in uses first.)

Then compile CEHook.dpr.

3d. Next, open up stealth.dpr in the stealth Directory with delphi and compile it. Don't change anything.

3e. Ok, open up cheatengine.dpr in the main source folder with Delphi. Go to the Project Manager and look for newkernelhandler.pas and CeFuncProc.pas and open both up.

Then, save them as:
newkernelhandler.pas ---> Whateverhandler.pas
CeFuncProc.pas ---> Whatever54.pas
Just in case, delete the old newkernelhandler and CeFuncProc.

3f. Replacing the strings
Ok, these come first because they are numbers and are easy to mess up.

00400000
7fffffff
80000000

Using Actual Search and Replace, Path (Main Source Folder) with the mask
(*.*)(Include subfolders)(MAKE SURE WHOLE WORDS IS TICKED)


Use your Windows calculator (Start > Programs > Accessories > Calculator). Select "View > Scientific", then select "HEX".

Enter the values. Then select "Dec". Then you add any value. Then you change it back to "Hex" and use this value for these changes.

Example, I select Hex, enter 00400000. After selecting Dec it becomes 4194304. 4194304+2 = 4194306
4194306 changed back to Hex = 400002


Search and replace the 3 values with the new value you calculated.

Note: You must change it to a different value!

Eg:+2 from the value (Do not use -, as some may get errors)

3g. Now using Actual Search and Replace, Path (Main Source Folder) with the mask (*.*) (Do not include subfolders) (Tick Whole Words)

nextscanbutton ---> Whatever55
scanvalue ---> Whatever56 (Make sure you do not change scanvalue2 by mistake.)
scanvalue2 ---> Whatever57
ScanType ---> Whatever58
VarType ---> Whatever59
newscan ---> Whatever60
ScanText ---> Whatever61
syndiv.com/ce ---> Maplesea.com (any website)
CheatEngine ---> WhateverEngine (Do not change it for cheatengine.bpg, or you will not be able to open cheatengine.bpg later.)
cheat engine ---> Whatever Engine

Taken from detected strings.

If you want to release your UCE with the tutorial or if you want it for yourself, do this part.

3h. Open up MainUnit.pas in the Main Source Folder with Delphi and find the following:

if messagedlg('Do you want to try out the tutorial?',mtconfirmation,[mbyes,mbno],0)=mryes then
shellexecute(0,'open','Tutorial.exe','','',sw_show);

Replace the "Tutorial" with "Project1" so it becomes:

if messagedlg('Do you want to try out the tutorial?',mtconfirmation,[mbyes,mbno],0)=mryes then
shellexecute(0,'open','Project1.exe','','',sw_show);

(DO NOT change anything else here)

Now save and close it.

Now open up OpenSave.pas in the main source folder with Delphi and find the following:

7 "Tutorial.exe":Application processname

Replace "Tutorial" with "Project1" so it becomes:

7 "Project1.exe":Application processname

Then find the following:
(When Finding Replace WhateverEngine with what you have replaced CheatEngine with just now or you won't be able to find this)

if x<>'WhateverEngine' then
raise exception.Create('This is not a valid Whatever Engine table');

Now comment it out:

//if x<>'WhateverEngine' then
//raise exception.Create('This is not a valid Whatever Engine table');

Doing this will enable your UCE to open other Cheat Table(s) (.CT), which are posted on the internet, and there will be no ('This is not a valid Whatever Engine Table') error.

Save and close it.

3i. Now for checking part. Open up cheatengine.dpr in the main source folder.

You should be able to see the GUI (Graphical User Interface), nothing to change here. Now in the object treeview expand panel5.

You should be able to see that the strings you've changed just now have become whatever55 and so on.

Now see the protectme2 and crash me and so on..

Delete it by clicking on it then deleting the caption in the Object Inspector. DO NOT delete the whole thing by clicking on it then pressing del.

Just delete the caption.

Now for the settings and about section for your UCE, open up formsettingsunit and aboutunit inside the project manager.

If you want to change anything, click on it then change the caption.

3j. Changing project group and cheatengine.exe into Whateverengine. *Credits to rolling dice*

(Note: Make a copy of your edited source before you proceed)

- Changing project group name.

Open cheatengine.bpg from the main directory, then "save as"
Whateverengine.bpg in the main directory. Close and open
whateverengine.bpg to test it.

- Changing the cheatengine.exe name.

Open Whateverengine.bpg from the main directory and in the project manager, right-click on cheatengine.exe and select "View Source" like so.

Then you save Cheatengine.dpr as Whateverengine.dpr in the main ce source folder.

Now repeat this for the following:
Cheatengine.DEU (Save as Whateverengine.dpr and save it in the DEU Folder)
Cheatengine.NLD (Save as Whateverengine.dpr and save it in the NLD Folder)
Cheatengine.RUS (Save as Whateverengine.dpr and save it in the RUS Folder)

*Credits to rolling dice*

4. Compiling your cheatengine.

4a. Open up your whateverengine.dpr in your main source folder and press CTRL+F9.

OOPS, I forgot... go into your main source folder and double click > New > Text Document, then rename it to trainerwithassembler.exe

Now compile it, there shouldn't be any errors.

If there are errors like undeclared identifier, that means you didn't completely change a detected string.

For example, we changed VQE to whatever1 in dbk32.dpr and dbk32functions.pas, but if you forgot to change it in newkernelhandler.pas this error will come out.

If there are still errors, keep changing it till it compiles successfully.

Ok, now there are a few more projects to compile before testing your new UCE. (Don't worry, it's just compiling, no changing strings or anything else.) After compiling each project, copy the .dll or .exe file into a new folder.

- emptydll.dll (emptydll.dpr in SystemcallRetriever folder)

- emptyprocess.exe (emptyprocess.dpr in SystemcallRetriever folder)

- Kernelmoduleunloader.exe
(Kernelmoduleunloader.dpr in kernelmoduleunloader folder in dbk32 folder)

- Pscan.dll (Pscan.dpr in injectedpointerscan folder)

- Project1.exe (Project1.dpr in Tutorial folder)

- systemcallsignal.exe (systemcallsignal.dpr in SystemcallRetriever folder)

- Systemcallretriever.exe (change anything if needed) (IMPORTANT: Open up systemcallretriever.dpr and look in uses... see newkernelhandler? Change it to whateverhandler and you're good to go.) (Systemcallretriever.dpr in SystemcallRetriever folder)

Ok, now your new folder has all these files, time to test your UCE.

In the codefinder tab in your UCE's settings, tick "try to prevent detection of the debugger".

In the assembler tab tick the same thing

And in the Extra tab tick everything except stealth mode.

You might notice there's a blank space in the middle in Extra. It's supposed to be like that, I think DB took out the 2 functions.

Ok, now follow these steps to test your UCE. *credits to John*

1. Run your CE, close it. Run maplestory.exe. If reboot, dbk32.sys (DBKKernel/) is detected.

2. Remove dbk32.sys and dbk32.dll. Run CE, run maplestory, if reboot, user interface is detected.

3. What else can be detected? Obviously it's the dbk32.dll.

*credits to John*

FAQ

1. I can't understand this Tutorial. HELP! or Help! I am Stuck! or any of those stupid questions.

Answer: What don't you understand, state it clearly or you won't be the only one who doesn't understand something.

2. Do you have a UCE?

Answer: Yes, and everything works except debug registers because I just can't get how to hook. I've managed to compile the hook but it only works for 5 secs then MS closes. If there is anyone that likes this tutorial and has a working hook.c, kindly share it with me. Thanks in advance.

3. How often are you going to update this tutorial?

Answer: I'm not sure yet but maybe every 2 or 3 weeks.

Ok, I've done my best and I'm tired. When more questions come in I'll add them into the FAQ.

If there is any part in this tutorial that is wrong, correct it and I will put it in when I update this tutorial.

If you want to put this tutorial anywhere, just give credits to me

