Solved Unhooking a hooked function (function was hooked by nProtect GameGuard)

kk0kk

Game Name: Flyff
Anticheat: nProtect GameGuard
How long you been coding/hacking?: Coding: 3 years, hacking: some months
Coding Language: C/C++

I try to send input to a Flyff window with the SendInput function of the Windows API. The problem is that GG gets into every running process and hooks this function.
What I did was monitor the first 5 bytes at the SendInput address (basically just printing them in a console app). So now when I start the game/GG the bytes change (GG hooks the function).


Now I try to unhook the function (writing the original bytes back). I tried two approaches:

1)
C++:
byte* addr = (byte*)SendInput;
DWORD op;
VirtualProtect(SendInput, 5, PAGE_EXECUTE_READWRITE, &op);
addr[0] = 0xe9;
addr[1] = 0x25;
addr[2] = 0x40;
addr[3] = 0x3c;
addr[4] = 0x89;
VirtualProtect(SendInput, 5, op, &op);
2)
C++:
DWORD op;
VirtualProtect(SendInput, 5, PAGE_EXECUTE_READWRITE, &op);
if (WriteProcessMemory(GetCurrentProcess(), GetProcAddress(GetModuleHandle(L"user32"), "SendInput"), "\xe9\x25\x40\x3c\x89", 5, NULL) == NULL) {
    printf("WriteProcessMemory failed: %d", GetLastError());
}
VirtualProtect(SendInput, 5, op, &op);
The problem of the first approach: After I wrote back the bytes successfully, my application terminates. I guess GG kills the process. (Edit: Wrong! Check my own reply.)
The problem of the second approach: Suddenly after GG startup I can't use the function WriteProcessMemory on my own process. Last error code is 5 (Access denied).

Btw: VirtualProtect and WriteProcessMemory are not hooked by GG.


So what else can I try?

I have some ideas:
1) When I want to use the SendInput function I somehow load the user32.dll manually, call the function and unload it immediately. Or clone/rename user32.dll so GG can't find SendInput.
2) Writing a kernel driver to hide my application completely from GG so that it can't inject a DLL and hook SendInput (I think GG is just operating in usermode).
 

XdarionX

> 2) Writing a kernel driver to hide my application completely from GG that it can't inject a dll and hook SendInput (I think GG is just operating in usermode).

idk GameGuard, but if it is a usermode anticheat then there is no single reason for going to kernel.

> 1) When I want to use the SendInput function I somehow load the user32.dll manually, call the function and unload it immediately. Or clone/rename user32.dll so GG can't find SendInput.

It's a good idea, but if GG is hooking SendInput only at the function start then it's simpler to call the gateway directly. I mean VirtualAlloc some memory, write the original 5 bytes there and then put jmp SendInput+5.
To call the original SendInput just call the allocated memory. Disasm of the jump is:
E9 ?? ?? ?? ?? - jmp reladdr
where reladdr is the relative address, computed as: reladdr = WhereToJump - CurrentAddressFromWhereYaWantToJump - 0x5
C++:
//alloc mem (one page; VirtualAlloc returns LPVOID, so cast it)
PBYTE gateway = (PBYTE)VirtualAlloc(nullptr, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

//write original bytes
gateway[0] = 0xe9; //are you sure this is correct? because e9 is jmp, looks like this is the hook and not original code, anyway this won't work since reladdr for this opcode is broken now
gateway[1] = 0x25;
gateway[2] = 0x40;
gateway[3] = 0x3c;
gateway[4] = 0x89;

//write jump
gateway[5] = 0xE9;

//write rel addr: WhereToJump (SendInput+5) - address of the jmp (&gateway[5]) - 5
PBYTE target = (PBYTE)GetProcAddress(GetModuleHandle(L"user32"), "SendInput") + 5;
*(DWORD*)(&gateway[6]) = (DWORD)(target - &gateway[10]);

//call SendInput without executing hook at its start
typedef UINT (__stdcall *fnSendInput)(UINT, LPINPUT, int);
fnSendInput gSendInput = (fnSendInput)gateway;
gSendInput(cInputs, pInputs, cbSize);
 

kk0kk

First of all, my first approach under 1) failed, because VirtualProtect stops working if GG is running. It shows the same error message as WriteProcessMemory (Access denied). Then when I try to write to an address that is not writable, an unhandled exception is thrown and my program crashes. Always remember to check return values of Windows API functions!

Thanks to XdarionX's reply, I managed to unhook functions without overriding existing memory and solved this problem.

In addition I unhooked the wrong function. SendInput is actually just calling NtUserSendInput, which is also hooked by GG. So I applied the gateway method for unhooking NtUserSendInput and it worked as expected. In the end I unhooked PostMessageW to send input even if the destination window is minimized or in background.


Here are the important code sections:

C++:
typedef BOOL(__stdcall* PostMessageWT)(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam);
PostMessageWT PostMessageW_Gateway = NULL;


void* createFunctionGateway(void* function, byte* bytes, int numBytes) {
    byte* gateway = (byte*)VirtualAlloc(NULL, numBytes + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (gateway == NULL) return NULL;
   
    for (int i = 0; i < numBytes; i++) {
        gateway[i] = bytes[i];
    }
    gateway[numBytes] = 0xe9;
    *(unsigned int*)&gateway[numBytes + 1] = ((byte*)(function) + numBytes) - &gateway[numBytes + 5];   // write jump offset
    return gateway;
}


void in_some_function() {
    byte bytes[] = { 0x8b, 0xff, 0x55, 0x8b, 0xec };   // original bytes of PostMessageW
    PostMessageW_Gateway = (PostMessageWT)createFunctionGateway(PostMessageW, bytes, 5);
}
 
  • Like
Reactions: XdarionX and Rake
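
An added example (not code from any poster in this thread) showing the detection side of what the posts describe: it decodes an `E9 rel32` jump with the formula quoted in the reply, flags a function prologue whose jump leaves its own module, and scans a private executable region for a jump that re-enters an API a few bytes past its start. The addresses, module range and gateway buffer are constructed; only the five hook bytes and the PostMessageW prologue come from the posts.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode "E9 rel32" found at 32-bit address src: target = src + 5 + rel32. */
int decode_jmp_rel32(const uint8_t *code, uint32_t src, uint32_t *target) {
    if (code[0] != 0xE9) return 0;
    uint32_t rel = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                   (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
    *target = src + 5u + rel;            /* wraps modulo 2^32 like the CPU */
    return 1;
}

/* 1 if the function starts with a jump leaving [mod_base, mod_base + mod_size). */
int prologue_is_hooked(const uint8_t *code, uint32_t fn_addr,
                       uint32_t mod_base, uint32_t mod_size) {
    uint32_t t;
    if (!decode_jmp_rel32(code, fn_addr, &t)) return 0;
    return (uint32_t)(t - mod_base) >= mod_size;
}

/* Heuristic scan of a private executable region (buf, mapped at region_addr) for a
   jump landing 1..15 bytes into api_addr, the shape of a gateway. Offset or -1. */
long find_gateway_jump(const uint8_t *buf, size_t len,
                       uint32_t region_addr, uint32_t api_addr) {
    for (size_t i = 0; i + 5 <= len; i++) {
        uint32_t t;
        if (decode_jmp_rel32(buf + i, region_addr + (uint32_t)i, &t) &&
            (uint32_t)(t - api_addr - 1u) < 15u)
            return (long)i;
    }
    return -1;
}

/* Constructed sample data: addresses and module range are made up. */
#define MOD_BASE 0x77D00000u
#define MOD_SIZE 0x00090000u
#define API_ADDR 0x77D11000u
#define REGION   0x00350000u
const uint8_t hooked[5] = {0xE9, 0x25, 0x40, 0x3C, 0x89};   /* bytes seen in the first post */
const uint8_t clean[5]  = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};   /* mov edi,edi; push ebp; mov ebp,esp */
const uint8_t gateway[10] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0xE9, 0xFB, 0x0F, 0x9C, 0x77};

int main(void) {
    printf("hooked=%d clean=%d gateway_jmp_at=%ld\n",
           prologue_is_hooked(hooked, API_ADDR, MOD_BASE, MOD_SIZE),
           prologue_is_hooked(clean, API_ADDR, MOD_BASE, MOD_SIZE),
           find_gateway_jump(gateway, sizeof gateway, REGION, API_ADDR));
    return 0;
}
```

The scan matches on the raw `E9` byte, so a hit is a lead to disassemble and confirm, not proof on its own.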