NProtect GameGuard: Difference between revisions

Article snapshot taken from Wikipedia with creative commons attribution-sharealike license.
Revision as of 01:31, 30 November 2006 by ラコリニヒニラミ (5 edits), edit summary: Bypassing GameGuard
Revision as of 02:58, 30 November 2006 by NeoChaosX (Extended confirmed users, 16,250 edits), edit summary: rv spam
Line 21: Line 21:


== Bypassing GameGuard == == Bypassing GameGuard ==
While it is not impossible, the many techniques used by GameGuard make this a very involved process that requires a fair amount of ] skill and optional ] knowledge. The changing nature of GameGuard makes it nearly impossible to make a public bypass or program for a GameGuard protected game. When a public bypass is created, GameGuard merely patches the hole it exploits. Often after a hack program is released to the public, GameGuard adds it to it's blacklist after a few days. Programs able to bypass GameGuard are Game Resistance 2.8 (GR), GameGuard Killer (GGK), Undetected Cheat Engine (UCE), and more. www.mpcforum.com MPCForums] While it is not impossible, the many techniques used by GameGuard make this a very involved process that requires a fair amount of ] skill and optional ] knowledge. The changing nature of GameGuard makes it nearly impossible to make a public bypass or program for a GameGuard protected game. When a public bypass is created, GameGuard merely patches the hole it exploits. Often after a hack program is released to the public, GameGuard adds it to it's blacklist after a few days.


== Criticisms == == Criticisms ==
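Review bot: the paragraph kept under "Bypassing GameGuard" still reads "adds it to it's blacklist" on both sides of the diff; the possessive "its" is meant and could be fixed in the same edit. The retained claims that GameGuard patches each public bypass and blacklists released programs "after a few days" carry no citation in either revision, so they should be sourced or tagged as needing one.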

Revision as of 02:58, 30 November 2006

GameGuard is a rootkit developed by nProtect. It is bundled with many multiplayer online games specifically to reduce or eliminate cheating. It hides the game application process, monitors the entire memory range, terminates applications defined by the game vendor and nProtect to be cheats, blocks certain calls to DirectX functions and Windows APIs, and auto-updates itself to change as new threats surface.

Stealth and Anti-Cheat Methods

Anti-Debugging

GameGuard modules and game executables are protected from debugging, reportedly using polymorphism to make reverse-engineering GameGuard and the game even more difficult. GameGuard is packed with a modified version of UPX.

Process cloaking

GameGuard cloaks GameMon.des and the game process by Direct Kernel Object Manipulation (DKOM) in order to fend off the average cheater.
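How a cross-view check exposes this kind of cloaking, as an added example that is not part of the original article or of GameGuard. It assumes the cloak is the classic DKOM unlink from the kernel's active-process list (the article does not say which object is modified), and its record layout, tag, PIDs and process table are constructed stand-ins, not real kernel structures.

```python
import struct

# Constructed record layout and sample data (not real kernel structures):
# 4-byte tag, pid, forward link, backward link, 16-byte image name.
REC = struct.Struct("<4sIII16s")
TAG = b"PRC0"  # constructed marker standing in for an allocation tag

def build_image(procs):
    """Lay records out in a flat buffer, linked as a circular list."""
    buf = bytearray(REC.size * len(procs))
    for i, (pid, name) in enumerate(procs):
        nxt = (i + 1) % len(procs) * REC.size
        prv = (i - 1) % len(procs) * REC.size
        REC.pack_into(buf, i * REC.size, TAG, pid, nxt, prv, name.encode())
    return buf

def unlink(buf, off):
    """Model the cloak: neighbours skip the record, which stays in memory."""
    _, _, nxt, prv, _ = REC.unpack_from(buf, off)
    struct.pack_into("<I", buf, prv + 8, nxt)   # previous.forward = next
    struct.pack_into("<I", buf, nxt + 12, prv)  # next.backward = previous

def walk_list(buf, head=0):
    """View 1: follow forward links, as list-based enumeration does."""
    found, seen = {}, set()
    off = head
    while off not in seen and off + REC.size <= len(buf):
        seen.add(off)
        _, pid, off, _, name = REC.unpack_from(buf, off)
        found[pid] = name.rstrip(b"\0").decode()
    return found

def scan_tags(buf):
    """View 2: sweep the whole buffer for the tag, ignoring the links."""
    found, off = {}, buf.find(TAG)
    while off != -1 and off + REC.size <= len(buf):
        _, pid, _, _, name = REC.unpack_from(buf, off)
        found[pid] = name.rstrip(b"\0").decode()
        off = buf.find(TAG, off + 1)
    return found

def hidden_processes(buf):
    """Records present in memory but missing from the linked list."""
    listed = walk_list(buf)
    return {p: n for p, n in scan_tags(buf).items() if p not in listed}

def demo():
    image = build_image([(4, "System"), (1504, "GameMon.des"), (1620, "game.exe")])
    before = hidden_processes(image)
    unlink(image, REC.size)  # cloak the second record
    return before, hidden_processes(image)
```

The unlinked record is still found by the sweep because only the list pointers changed; memory-forensics tools rely on the same disagreement between views to flag hidden processes.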

Hooking

Userland

GameGuard hooks many functions in the Windows userland, including ReadProcessMemory, WriteProcessMemory, OpenProcess, and SendKeys. These functions are hooked because bots and hacks commonly use them to read or modify the game, or to send input to and from the game. GameGuard hooks these functions by injecting the file npggNT.des on Windows NT and npgg9x.des on Windows 9x.

Kernel

GameGuard hooks NtDeviceIoControlFile, NtOpenProcess, NtProtectVirtualMemory, NtReadVirtualMemory, NtWriteVirtualMemory, and by extension the Zw<*> stubs of these functions.

Detection

Memory Detection

One method of detection is to periodically scan the computer's RAM (without using ReadProcessMemory) for certain strings of bytes that are known to be in blacklisted programs. This is a real problem for public programs, and is not easy to defend against.

Detected Programs

When a "malicious" program is detected, GameGuard will usually reboot the user's computer. If there is an unspecified modification to GameGuard or its modules, it will close the game with an error. Rebooting the computer is a very aggressive method, and can cause corruption, errors, or system instability.

Bypassing GameGuard

While it is not impossible, the many techniques used by GameGuard make this a very involved process that requires a fair amount of reverse-engineering skill and optional rootkit knowledge. The changing nature of GameGuard makes it nearly impossible to make a public bypass or program for a GameGuard-protected game. When a public bypass is created, GameGuard merely patches the hole it exploits. Often after a hack program is released to the public, GameGuard adds it to its blacklist after a few days.

Criticisms

GameGuard, though noble in its essential goals, resorts to very sketchy means to accomplish them. It stoops down to the level of a trojan and rootkit, and does many invasive things such as injecting DLLs into every running process, communicating semi-personal information to nProtect, cloaking its process, and reading and writing memory.
