
Today we are going to look at another way to bypass integrity checks. Thanks to Dark Byte, we will make a duplicate of the game and point the checks to it.
Do not forget to dealloc all addresses; I forgot to show that in the video.
Cheat The Game on Facebook: https://www.facebook.com/groups/CheatTheGame
CTG Discord Channel: https://discordapp.com/invite/ndn4pqs
Become a Cheat The Game Partner at Patreon: https://www.patreon.com/cheatthegame
Donation Paypal: https://paypal.me/CheatTheGame
===================================================
====Template to Make Duplicate of Game====
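// Template: snapshot the main module into a private buffer and publish the
// three values the hooks need (module start, module end, copy base).
// Paste this under [ENABLE]; the dealloc/unregistersymbol part goes under [DISABLE].
//
// MODULE_SIZE must equal the size of your main module: alloc() and readmem()
// both use it, while addressOfModuleEnd is derived from getModuleSize(process),
// so a mismatch makes the range check in the hooks point past the copy.
// readmem() copies the module as it is at enable time, so enable this before
// any other script that patches bytes if the copy is meant to be pristine.
define(MODULE_SIZE,$40A000) //change bytes to size of your process
alloc(copyOfModule,MODULE_SIZE)
alloc(addressOfModuleStart,8)
alloc(addressOfModuleEnd,8)
alloc(addressOfCopy,8)
registersymbol(copyOfModule)

copyOfModule:
readmem($process,MODULE_SIZE)          // byte-for-byte copy of the module

addressOfModuleStart:
dq $process                            // first byte of the module
addressOfModuleEnd:
dq $process+getModuleSize(process)     // one past the last byte (exclusive)
addressOfCopy:
dq $copyOfModule                       // base of the snapshot

[DISABLE]
// Release the snapshot and the three pointer cells allocated above.
dealloc(copyOfModule addressOfModuleStart addressOfModuleEnd addressOfCopy )
unregistersymbol(copyOfModule)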
================================================
===Full Script From Video=========================
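[ENABLE]
// Snapshot the main module and publish the range/copy pointers used by the hooks.
// MODULE_SIZE is the size of the main module; alloc() and readmem() share it,
// and addressOfModuleEnd comes from getModuleSize(process), so the two must agree.
// readmem() runs at enable time: the copy reflects the module as it is right now.
define(MODULE_SIZE,$40A000)
alloc(copyOfModule,MODULE_SIZE)
alloc(addressOfModuleStart,8)
alloc(addressOfModuleEnd,8)
alloc(addressOfCopy,8)
registersymbol(copyOfModule)

copyOfModule:
readmem($process,MODULE_SIZE)          // byte-for-byte copy of the module

addressOfModuleStart:
dq $process                            // first byte of the module
addressOfModuleEnd:
dq $process+getModuleSize(process)     // one past the last byte (exclusive)
addressOfCopy:
dq $copyOfModule                       // base of the snapshot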
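alloc(newmem6,2048,"gtutorial-x86_64.exe"+38E8F)
label(returnhere6)
label(originalcode6)
label(exit6)

newmem6:
// Hook on the word read at +38E8F (movzx ecx,word ptr [r9+rcx*2]).
// If the read address falls inside [addressOfModuleStart, addressOfModuleEnd)
// the word is served from the snapshot at the same offset; otherwise the
// original read runs unchanged.
// movzx does not touch flags but cmp does, so flags are saved and restored
// around the range check to keep the caller's state intact.
pushfq
push rax
lea rax,[r9+rcx*2]                     // rax = address the original read targets
cmp rax,[addressOfModuleStart]
jb originalcode6                       // below the module: leave it alone
cmp rax,[addressOfModuleEnd]
jae originalcode6                      // end is exclusive (start+size)
sub rax,[addressOfModuleStart]         // rax = offset within the module
add rax,[addressOfCopy]                // rax = same offset within the copy
movzx ecx,word ptr [rax]
jmp exit6

originalcode6:
movzx ecx,word ptr [r9+rcx*2]

exit6:
pop rax
popfq
jmp returnhere6

"gtutorial-x86_64.exe"+38E8F:
jmp newmem6                            // 5-byte jmp replaces the 5-byte movzx
returnhere6: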
///////////////////////////////////////////////////////////
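alloc(newmem2,2048,"gtutorial-x86_64.exe"+38E4F)
label(returnhere2)
label(originalcode2)
label(exit2)

newmem2:
// Hook on the word read at +38E4F (movzx ecx,word ptr [r9+rcx*2]).
// Reads inside [addressOfModuleStart, addressOfModuleEnd) are redirected to
// the snapshot at the same offset; everything else runs the original read.
// Flags are preserved because cmp clobbers them and movzx does not.
pushfq
push rax
lea rax,[r9+rcx*2]                     // rax = address the original read targets
cmp rax,[addressOfModuleStart]
jb originalcode2                       // below the module: leave it alone
cmp rax,[addressOfModuleEnd]
jae originalcode2                      // end is exclusive (start+size)
sub rax,[addressOfModuleStart]         // rax = offset within the module
add rax,[addressOfCopy]                // rax = same offset within the copy
movzx ecx,word ptr [rax]
jmp exit2

originalcode2:
movzx ecx,word ptr [r9+rcx*2]

exit2:
pop rax
popfq
jmp returnhere2

"gtutorial-x86_64.exe"+38E4F:
jmp newmem2                            // 5-byte jmp replaces the 5-byte movzx
returnhere2: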
//////////////////////////////////////////////////////////
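alloc(newmem,2048,"gtutorial-x86_64.exe"+38DFF)
label(returnhere)
label(originalcode)
label(exit)

newmem:
// Hook on the word read at +38DFF (movzx ecx,word ptr [r9+rcx*2]).
// Reads inside [addressOfModuleStart, addressOfModuleEnd) are redirected to
// the snapshot at the same offset; everything else runs the original read.
// Flags are preserved because cmp clobbers them and movzx does not.
pushfq
push rax
lea rax,[r9+rcx*2]                     // rax = address the original read targets
cmp rax,[addressOfModuleStart]
jb originalcode                        // below the module: leave it alone
cmp rax,[addressOfModuleEnd]
jae originalcode                       // end is exclusive (start+size)
sub rax,[addressOfModuleStart]         // rax = offset within the module
add rax,[addressOfCopy]                // rax = same offset within the copy
movzx ecx,word ptr [rax]
jmp exit

originalcode:
movzx ecx,word ptr [r9+rcx*2]

exit:
pop rax
popfq
jmp returnhere

"gtutorial-x86_64.exe"+38DFF:
jmp newmem                             // 5-byte jmp replaces the 5-byte movzx
returnhere: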
[DISABLE]
// Put the original 5-byte movzx back at each hook site and free its trampoline.
// The //Alt: lines are the same instruction as raw bytes, usable if the
// assembler form is not accepted.
dealloc(newmem6)
"gtutorial-x86_64.exe"+38E8F:
movzx ecx,word ptr [r9+rcx*2]
//Alt: db 41 0F B7 0C 49
dealloc(newmem2)
"gtutorial-x86_64.exe"+38E4F:
movzx ecx,word ptr [r9+rcx*2]
//Alt: db 41 0F B7 0C 49
dealloc(newmem)
"gtutorial-x86_64.exe"+38DFF:
movzx ecx,word ptr [r9+rcx*2]
//Alt: db 41 0F B7 0C 49
// Release the module snapshot and the three pointer cells, then drop the
// symbol exported under [ENABLE].
dealloc(copyOfModule addressOfModuleStart addressOfModuleEnd addressOfCopy )
unregistersymbol(copyOfModule)