Thread: Gameguard Issues im having

So I finally found a game protected by gameguard whose executable is not packed and my goal is only to prevent the game from initializing gameguard (I am not going to disclose the name of the game in case their devs find this and decide to update its protection).
I searched for referenced text strings and found a couple with gameguard errors for message boxes inside and thats how I located exactly which function initializes it. Now I will show you where gameguard initializes and explain what my problem is.

Code:

004539F2  |. 6A 00          PUSH 0                                        /lParam 
004539F4  |. 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]                  |
004539F7  |. 51             PUSH ECX                                      |hInst
004539F8  |. 6A 00          PUSH 0                                        |hMenu 
004539FA  |. 6A 00          PUSH 0                                        |hParent 
004539FC  |. 8B55 E8        MOV EDX,DWORD PTR SS:[EBP-18]                 |
004539FF  |. 0355 F4        ADD EDX,DWORD PTR SS:[EBP-C]                  |
00453A02  |. 52             PUSH EDX                                      |Height
00453A03  |. 8B45 EC        MOV EAX,DWORD PTR SS:[EBP-14]                 |
00453A06  |. 0345 F8        ADD EAX,DWORD PTR SS:[EBP-8]                  |
00453A09  |. 50             PUSH EAX                                      |Width 
00453A0A  |. 6A 00          PUSH 0                                        |Y 
00453A0C     68 00000080    PUSH 80000000                                 |X
00453A11  |. 8B4D F0        MOV ECX,DWORD PTR SS:[EBP-10]                 |
00453A14  |. 51             PUSH ECX                                      |Style
00453A15  |. 68 603C9C00    PUSH GAMEClie.009C3C60                        |WindowName 
00453A1A  |. 68 F83B9C00    PUSH GAMEClie.009C3BF8                        |Class
00453A1F  |. 6A 00          PUSH 0                                        |ExtStyle 
00453A21  |. FF15 587C8B00  CALL DWORD PTR DS:[<&USER32.CreateWindowExA>] \CreateWindowExA
00453A27  |. 3BF4           CMP ESI,ESP
00453A29  |. E8 020D3A00    CALL GAMEClie.007F4730
00453A2E  |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX
00453A31  |. 8B55 FC        MOV EDX,DWORD PTR SS:[EBP-4]
00453A34  |. 8915 F43B9C00  MOV DWORD PTR DS:[9C3BF4],EDX
00453A3A  |. 837D FC 00     CMP DWORD PTR SS:[EBP-4],0
00453A3E  |. 75 04          JNZ SHORT GAMEClie.00453A44
00453A40  |. 33C0           XOR EAX,EAX
00453A42  |. EB 7D          JMP SHORT GAMEClie.00453AC1
00453A44  |> A1 F43B9C00    MOV EAX,DWORD PTR DS:[9C3BF4]
00453A49     50             PUSH EAX                                     
00453A4A     B9 280C9F00    MOV ECX,GAMEClie.009F0C28                         
00453A4F     E8 DC8E2A00    CALL GAMEClie.006FC930   <---------GG Initializer          
00453A54  |. 85C0           TEST EAX,EAX
00453A56  |. 75 04          JNZ SHORT GAMEClie.00453A5C

After NOPing the GG intializing call I had to modify 2 JNZs which check if GG is on and thats it. I hit the run button for the last time and I heard the intro sound of the game playing normally while the game and olly were running without problems, except for one... the window of the game never showed up... I am sure that CreateWindowExA call above the GG initializer is the game's window because I checked the width and height that was passed to the call and they match the size of the game's window ran without olly.
So this is where I am at, GG is stopped from initializing and the game runs just that the window is not visible. Any ideas ?

---------- Post added at 06:42 AM ---------- Previous post was at 05:54 AM ----------

I think I figured out why the window doesn't show, the first JNZ I was talking about is the one 2 lines under the GG Initializer function and this is what the area after the one I posted looks like.

Code:

00453A58  |. 33C0           XOR EAX,EAX
00453A5A  |. EB 65          JMP SHORT GAMEClie.00453AC1
00453A5C  |> 8BF4           MOV ESI,ESP
00453A5E  |. 68 10254500    PUSH GAMEClie.00452510                                       ; /pTopLevelFilter 
00453A63  |. FF15 AC748B00  CALL DWORD PTR DS:[<&KERNEL32.SetUnhandledExceptionFilter>]  ; \SetUnhandledExceptionFilter
00453A69  |. 3BF4           CMP ESI,ESP
00453A6B  |. E8 C00C3A00    CALL GAMEClie.007F4730
00453A70  |. 8BF4           MOV ESI,ESP
00453A72  |. 8B4D 0C        MOV ECX,DWORD PTR SS:[EBP+C]
00453A75  |. 51             PUSH ECX                                                     ; /ShowState
00453A76  |. 8B55 FC        MOV EDX,DWORD PTR SS:[EBP-4]                                 ; |
00453A79  |. 52             PUSH EDX                                                     ; |hWnd
00453A7A  |. FF15 547C8B00  CALL DWORD PTR DS:[<&USER32.ShowWindow>]                     ; \ShowWindow
00453A80  |. 3BF4           CMP ESI,ESP
00453A82  |. E8 A90C3A00    CALL GAMEClie.007F4730
00453A87  |. 8BF4           MOV ESI,ESP
00453A89  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
00453A8C  |. 50             PUSH EAX                                                     ; /hWnd
00453A8D  |. FF15 507C8B00  CALL DWORD PTR DS:[<&USER32.UpdateWindow>]                   ; \UpdateWindow
00453A93  |. 3BF4           CMP ESI,ESP
00453A95  |. E8 960C3A00    CALL GAMEClie.007F4730
00453A9A  |. 8BF4           MOV ESI,ESP
00453A9C  |. 6A 01          PUSH 1                                                       ; /Show = TRUE
00453A9E  |. FF15 4C7C8B00  CALL DWORD PTR DS:[<&USER32.ShowCursor>]                     ; \ShowCursor
00453AA4  |. 3BF4           CMP ESI,ESP
00453AA6  |. E8 850C3A00    CALL GAMEClie.007F4730
00453AAB  |. 8BF4           MOV ESI,ESP
00453AAD  |. 6A 00          PUSH 0
00453AAF  |. FF15 487D8B00  CALL DWORD PTR DS:[<&ole32.CoInitialize>]                    ;  ole32.CoInitialize
00453AB5  |. 3BF4           CMP ESI,ESP

I kept modifying that JNZ in order to skip this block because I remember it used to crash the game so I never looked at it again and I always missed the ShowWindow call
I think that has to be why the window never showed, I will work on it and let you know how it goes.

---------- Post added at 06:56 AM ---------- Previous post was at 06:42 AM ----------

It seems I didn't have to modify the second JNZ either, NOPing the GG Initializer is all thats needed and the game runs just fine without GameGuard. I haven't registered an account yet in order to play but according to what I've read there is some sort of server which sends some values to the game which are sent to GameGuard decrypted then re-encrypted , sent back to the game and then back to the server in order to stay connected.
But im good for now anyway, I will try to write this "emulator" later on when I get better at reversing in general.

Lmao, i must admit for finding everything out on yourself you did do a great job!

I think you are a real bot writter in progres..

Thumbs up man!
If you need help, ill be here ^^,

I think the reason explosioninthe did this is cause he wants to grow in the GG bypass scene..

So that he will understand the way GG works..
Just using a EMU or CE from someone wont help you understand what you just did..

Atleast thats what i think he was doing:$
hehe

Originally Posted by pkedpker

you can bypass that without even writing emulator, or keeping it from loading just use cheat engine

Cheat Engine 6 is detectable (at least by the GG build Alliance of Valiant Arms is using), its just GG shuts the game down not when it detects it but later on in order to fool people. If you read a GG analysis thread Dwar has opened you'll see this mechanism is presented as a feature by nProtect.
If you want to see it for yourself attach CE 6 to the game do a search and wait for 10 minutes , GG will eventually crash the game and notify that it's found a tool.

Originally Posted by makradesh

So that he will understand the way GG works..
Just using a EMU or CE from someone wont help you understand what you just did..
hehe

Couldn't have said it better myself, I usually get obsessed with how stuff works which is why I hate it when I read tutorials that look like "do this then that and then that" without explaining why all this is done. If I don't understand every bit of how something works and why I am doing something I get really uncomfortable with myself

Now on to my GG adventure, while I was in a bus with a headache reaching my hometown I thought there should be a more efficient way to find out how games communicate with GG. I then remembered a tutorial I read where WPE Pro was used to sniff packets sent from an mmorpg to its server. Apart from that I registered an account for the game and logged in, I reached the character creation screen and after a minute I was disconnected from the server which means that earlier than that (the problem is I don't know how earlier that was) the server sent those encrypted values to the game so GG could work on them and send them back.
If I could use that disconnected from server message in order to figure out which packets sent to my client were those 4 values intended for GG I should be able to trace that data and find how the game attemts to send it to it.

Hehe, finnally i am liking this forum!!
After my complain pm that i send to Dwar, this really cheers me up!!

I really hope i can help both of you, i dont care how far you are with c++..
If your having a hard time ill help you out !!

And like i said: the best way to learn is to do it yourself.

Dont forget to perform back ups, If u screw things up.. You always got a back up