UCE Making Tutorial
- Delphi 7 Enterprise Link: Delphi Part1
Delphi Part2
(After you finish downloading both, open D7E.part1.rar and extract. NOTE: Part1 and Part2 must be in the same folder.)
Password for Delphi 7: http://forum.x-torrez.com
- DDK:
- Actual Search and Replace: (For replacing strings easily)
NOTE: I do not have a crack for it, so I suggest finishing this Tutorial in 30 days. :D
- Cheat Engine Source: http://forum.cheatengine.org/viewtopic.php?t=15948 (I get mine from here)
Using Actual Search and Replace (I put this in because many of you like to use ASR)
Under "File" select "Settings > Editor", browse and select "C:\Program Files\Borland\Delphi7\Bin\delphi32.exe". (This must be done or it WON'T read .dpr and .pas files.)
Then under the "OPTIONS" tab, tick/untick "Include Subfolders".
Then under "MASKS" you enter, for example:
"bla.pas; cat.pas; dog.dpr" (';' separates them). (Masks: if you put *.dpr it will search all .dpr files; if you put *.* it will search every single file.)
For everything that uses ASR tick whole words unless I say otherwise.
2. Ok, now for the practical part :D. Making the DBK32.sys.
Open Driver.dat in the Main Source Folder 'C:\CheatEngineDelphi\' (If it asks you what to open it with, select notepad.)
You will see the following. Change each one to ANY WORD YOU WANT, but DO NOT literally use "Whatever". (THIS GOES FOR EVERY STRING IN THIS TUTORIAL, DO NOT USE WHATEVER.)
CEDRIVER53 ---> Whatever1
DBKPROCLIST53 ---> Whatever2
DBKTHREADLIST53 ---> Whatever3
dbk32.sys ---> whatever32.sys
2a. Go into the DBKKernel folder and Open DBKDrvr.c.
(Skip 2a If you are using the latest source)
Find (CTRL+F) hideme
(NOTE: It should be the second hideme you find)
You will see something like: //hideme(DriverObject); //ok, for those that see this....................
Remove the leading // (this is called uncommenting) so it becomes: hideme(DriverObject); //ok, for those that see this....................
(For some this may cause a BSOD (Blue Screen of Death), but it has not happened to me before. If it causes a BSOD, try making a CE without hideme. There is a topic about it in the Cheat Engine Forums.)
2c. Open up Sources and Sources.ce in the DBKKernel folder. (Select notepad when it asks you what to open it with.)
You will replace "TARGETNAME=DBK32" with "TARGETNAME=Whatever32" in both files.
2d. Replacing the KeStackAttachProcess and IOCTL (This has to be done if you want to use pointers and memory view)
(Note: For the KeStackAttachProcess, if you are using the latest source, change it only in DBKDrvr.c because memscan.c is already changed)
Use Actual Search and Replace, Path (Main Source Folder) with the mask (memscan.c; DBKDrvr.c), and search and replace the following. (Include Subfolders) (TICK WHOLE WORDS)
KeStackAttachProcess((PKPROCESS)selectedprocess,&apc_state); ---> KeAttachProcess((PEPROCESS)selectedprocess);
KeUnstackDetachProcess(&apc_state); ---> KeDetachProcess();
Then the IOCTL
Using Actual Search and Replace, Path (Main Source Folder) with the mask (DBKDrvr.c; dbk32functions.pas), search and replace the following. (Include Subfolders)
(For this ONLY, untick the "Whole Word" option)
0x080 ---> 0x08A
0x081 ---> 0x08B
0x082 ---> 0x08C
(So if your A is 7, then your B MUST BE 8 and your C will be 9. B cannot be 9: the numbers go 1, 2, 3 and not 1, 3, 4.) (Use 7, 8 and 9 because some say the earlier numbers are detected.)
(DO NOT USE LETTERS FOR A, B AND C, ONLY NUMBERS)
$080 ---> $08A
$081 ---> $08B
$082 ---> $08C
(So if your A is 7, then your B will be 8 and C will be 9.) (Use 7, 8 and 9 because some say the earlier numbers are detected.)
BONUS STEP: Fixing your pointers and enabling you to use memory view.
Memory view and Pointer fix:
1. Download the jumper files from here http://cheatengine.4dwebhosting.com/jumper.rar and put them into your DBKKernel folder. Next, add the line #include "jumper.h" after the other #includes of DBKdrvr.c and memscan.c, so DBKdrvr.c will look like:
#include "DBKFunc.h"
#include "rootkit.h"
#include "processlist.h"
#include "memscan.h"
#include "threads.h"
#include "jumper.h"
And memscan.c will look like:
#include "ntifs.h"
#include <windef.h>
#ifdef CETC
#include "tdiwrapper.h"
#include "kfiles.h"
#endif
#include "memscan.h"
#include "DBKFunc.h"
#include "jumper.h"
After that, add jumper.c to sources.ce so it looks like:
SOURCES=DBKDrvr.c DBKFunc.c rootkit.c processlist.c memscan.c threads.c jumper.c
Hook NTGetContextThread (to enable usage of GodMode and all other debugger hacks):
http://forum.cheatengine.org/viewtopic.php?t=18062
2e. DDK is needed for this part. Compiling your whatever32.sys.
Go into your DBKKernel folder and copy the address bar. Example: C:\CheatEngineDelphi\DBKKernel
Open up the Win2k or WinXP Free Build Environment (it should be in Start > Programs > Development Kits > Windows DDK 3790.1830 > Build Environments).
Type in 'cd C:\CheatEngineDelphi\DBKKernel' (without the quotes) (or whatever your main source folder is).
MAKE SURE no antivirus programs are ON (I'm serious)
Then type in 'ce' without the quotes and press enter.
Some build output should come out, and at the end should be something like:
9 files compiled
1 executable build
.\objfre_wxp_x86\i386\google32.sys
1 file(s) copied.
If it has any errors I recommend putting your source folder in C:\. Example: C:\CheatEngineDelphi\DBKKernel (because having spaces in your path, like C:\Documents and Settings\, will create errors).
(DO NOT PUT IT ON YOUR DESKTOP)
Once you are done, your whatever32.sys should be in your main source folder.
3. Now we open dbk32.dpr in the dbk32 directory with Delphi.
Then we open the "Project Manager" under "VIEW", expand (click on the + sign) "dbk32.dll" and double click on "DBK32functions" to open it.
Replace the following in DBK32functions. (Replace in Delphi = CTRL+R) (Remember to tick entire scope.)
CEDRIVER52 ---> Whatever1 (This is the original CEDRIVER53)
DBKProcList51 ---> Whatever2 (This is the original DBKProcList53)
DBKThreadList51 ---> Whatever3 (This is the original DBKThreadList53)
Now save all and close all.
Next, using Actual Search and Replace, Path (Main Source Folder) with the mask (*.*) (* is shift+8), search and replace the following. (Include Subfolders)
dbk32.sys ---> Whatever32.sys
dbk32.dll ---> Whatever32.dll
3. Renaming strings.
3a. Now for the long part. Open dbk32.dpr in the dbk32 directory with Delphi.
Then we open "DBK32functions" from the project manager.
After that, click "OPEN" under "FILE" and open newkernelhandler.pas in the main source folder.
Now there should be 3 files opened in Delphi: dbk32.dpr, DBK32functions.pas and newkernelhandler.pas
Go to dbk32.dpr, see all those exports? You have to rename them all in dbk32.dpr, DBK32Functions.pas and newkernelhandler.pas
(IMPORTANT: Just now at the beginning you renamed CEDRIVER53 ---> Whatever1. Now I want you to use a different string rather than the one you used just now. For example, you changed CEDRIVER53 into Apple1. Now do not change VQE into Apple1; use a different name, like Orange1 (or any other word).)
So,
VQE ---> Whatever1
OP ---> Whatever2
OT ---> Whatever3
NOP ---> Whatever4
RPM ---> Whatever5
WPM ---> Whatever6
VAE ---> Whatever7
And more till you reach Whatever52. WAIT, don't start yet.
This is the way I rename them.
First highlight VQE, press CTRL+C then type Orange1. Now you've copied the word VQE and renamed it into Orange1.
Then, go into DBK32Functions.pas and press CTRL+R, paste (CTRL+V) VQE into the first box then type Orange1 into the second box.
Tick prompt on replace, then click replace all. Usually you can just replace all without looking in DBK32Functions.pas, but you might accidentally replace NOT when you are replacing OT, so it's safer to look through it one by one.
After that, click on newkernelhandler and CTRL+R again; this time just copy VQE into the first box, as the second box will already have Orange1 in it.
IMPORTANT: Only replace the ones in quotes in newkernelhandler.pas. Example: 'VQE'. Do not replace the VQEs that are not in quotes.
Continue till the end. DO NOT CLOSE DBK32functions.pas and DBK32.dpr yet, but save and close newkernelhandler.pas
Bonus Step: Pchar all the windowskernelstrings in NewKernelHandler. (Just in case, or if you still get detected.)
Example:
var
  A : string;
  B : string;

procedure DontUseDBKQueryMemoryRegion;
begin
  A := 'VirtualQu';
  B := 'eryEx';
  VirtualQueryEx := GetProcAddress(WindowsKernel, pchar(A+B));
  usedbkquery := false;
  if usephysical then DbkPhysicalMemory;
  if usefileasmemory then dbkfileasmemory;
end;
Pchar all these strings:
WriteProcessMemory =
OpenProcess =
readprocessmemory =
VirtualQueryEx =
SuspendThread =
DebugActiveProcess =
NtOpenProcess =
SetWindowsHookEx =
VirtualAllocEx =
VirtualAlloc =
SetWindowsHookExA =
ResumeThread =
VirtualProtectEx =
VirtualProtect =
CreateRemoteThread =
WaitForDebugEvent =
ContinueDebugEvent =
OpenThread =
GetThreadContext =
SetThreadContext =
NtOpenThread =
Test Application =
MS-DOS Prompt =
Ordinal =
Cardinal =
NtDLL.dll =
Courier =
Courier New =
3b. Save DBK32functions.pas and DBK32.dpr under new names.
With DBK32functions.pas and DBK32.dpr opened in Delphi, go "FILE > Save As".
(These are only my changes, you can change to other names)
DBK32.dpr ---> Whatever32.dpr (Save in dbk32 folder) This Whatever32 is what you renamed dbk32.dll to earlier. For example, dbk32.dll ---> Apple32.dll, so I'll change DBK32.dpr into Apple32.dpr.
You will see that "library DBK32;" has been changed to "library Whatever32;"
DBK32functions.pas ---> Whatever32functions.pas (Save in dbk32 folder)
After this you will see that in Whatever32.dpr's "uses" and in the Project Manager, DBK32functions.pas has been changed to whatever32functions.pas.
Open up the project manager, you will see dbk32.dll has become whatever32.dll
Now save all and close all.
Just in case you don't want to make mistakes, go into the dbk32 folder and delete dbk32.dpr and dbk32functions.pas
Ok, once the editing is done, let's move on.
Now open Whatever32.dpr in Delphi and compile Whatever32.dll.
Go "Project > Compile whatever" or Ctrl+F9.
It's ok to get "Hint" or "Warning", but if you get "Error" go recheck your steps again, because you have made a mistake or forgot to change something somewhere.
If you do not get any Errors, your Whatever32.dll will be in the main CE Source Directory.
3c. Find and replace myhook with Actual Search and Replace. (Tick Subfolders)
Rename the myhook in CEHook.dpr and hypermode.pas only to Whatever53, continuing from the exports that finished at Whatever52.
Now open up CEHook.dpr in the CEHook directory with Delphi.
(For some of you, you might have to delete 'system' in uses first.)
Then compile CEHook.dpr.
3d. Next, open up stealth.dpr in the stealth directory with Delphi and compile it. Don't change anything.
3e. Ok, open up cheatengine.dpr in the main source folder with Delphi.
Go to the Project Manager, look for newkernelhandler.pas and CeFuncProc.pas and open both up.
Then, save them as:
newkernelhandler.pas ---> Whateverhandler.pas
CeFuncProc.pas ---> Whatever54.pas
Just in case, delete the old newkernelhandler and CeFuncProc.
3f. Replacing the strings
Ok, these come first because they are numbers and are easy to mess up.
00400000
7fffffff
80000000
Using Actual Search and Replace, Path (Main Source Folder) with the mask (*.*) (Include subfolders) (MAKE SURE WHOLE WORDS IS TICKED)
Use your Windows calculator (Start > Programs > Accessories > Calculator). Select "View > Scientific", select "Hex", enter the value, then select "Dec". Then add any value. Then change it back to "Hex" and use this value for the replacement.
Example: I select Hex, enter 00400000. After selecting Dec it becomes 4194304.
4194304 + 2 = 4194306
4194306 changed back to Hex = 400002
Search and replace the 3 values with the new values you calculated.
Note: You must change it to a different value! E.g. +2 from the value. (Do not use -, as some may get errors.)
3g. Now using Actual Search and Replace, Path (Main Source Folder) with the mask (*.*) (Do not include subfolders) (Tick Whole Words):
nextscanbutton ---> Whatever55
scanvalue ---> Whatever56 (Make sure you do not change scanvalue2 by mistake.)
scanvalue2 ---> Whatever57
ScanType ---> Whatever58
VarType ---> Whatever59
newscan ---> Whatever60
ScanText ---> Whatever61
syndiv.com/ce ---> Maplesea.com (any website)
CheatEngine ---> WhateverEngine (Do not change it in cheatengine.bpg, or you will not be able to open cheatengine.bpg later.)
cheat engine ---> Whatever Engine
These are taken from detected strings.
If you want to release your UCE with the tutorial or if you want it for yourself, do this part.
3h. Open up MainUnit.pas in the Main Source Folder with Delphi and find the following:
if messagedlg('Do you want to try out the tutorial?',mtconfirmation,[mbyes,mbno],0)=mryes then
  shellexecute(0,'open','Tutorial.exe','','',sw_show);
Replace the "Tutorial" with "Project1" so it becomes:
if messagedlg('Do you want to try out the tutorial?',mtconfirmation,[mbyes,mbno],0)=mryes then
  shellexecute(0,'open','Project1.exe','','',sw_show);
(DO NOT change anything else here)
Now save and close it.
Now open up OpenSave.pas in the main source folder with Delphi and find the following:
7 "Tutorial.exe":Application processname
Replace "Tutorial" with "Project1" so it becomes:
7 "Project1.exe":Application processname
Then find the following:
(When finding, replace WhateverEngine with what you replaced CheatEngine with just now, or you won't be able to find this)
if x<>'WhateverEngine' then
raise exception.Create('This is not a valid Whatever Engine table');
Now comment it out:
//if x<>'WhateverEngine' then
//raise exception.Create('This is not a valid Whatever Engine table');
Doing this will enable your UCE to open other Cheat Tables (.CT) posted on the internet, and there will be no "This is not a valid Whatever Engine Table" error.
Save and close it.
3i. Now for the checking part. Open up cheatengine.dpr in the main source folder.
You should be able to see the GUI (Graphical User Interface); nothing to change here. Now in the object treeview expand panel5.
You should be able to see that the strings you've changed just now have become whatever55 and so on.
Now see the protectme2 and crash me and so on..
Delete them by clicking on each one and deleting the caption in the Object Inspector.
DO NOT delete the whole thing by clicking on it then pressing Del. Just delete the caption.
Now for the settings and about section of your UCE, open up formsettingsunit and aboutunit inside the project manager.
If you want to change anything, click on it then change the caption.
3j. Changing project group and cheatengine.exe into Whateverengine. *Credits to rolling dice*
(Note: Make a copy of your edited source before you proceed)
- Changing project group name.
Open cheatengine.bpg from the main directory, then "save as" Whateverengine.bpg in the main directory. Close and open whateverengine.bpg to test it.
- Changing the cheatengine.exe name.
Open Whateverengine.bpg from the main directory and in the project manager, right click on cheatengine.exe and select "View Source".
Then save Cheatengine.dpr as Whateverengine.dpr in the main CE source folder.
Now repeat this for the following:
Cheatengine.DEU (Save as Whateverengine.dpr and save it in the DEU Folder)
Cheatengine.NLD (Save as Whateverengine.dpr and save it in the NLD Folder)
Cheatengine.RUS (Save as Whateverengine.dpr and save it in the RUS Folder)
*Credits to rolling dice*
4. Compiling your cheatengine.
4a. Open up your whateverengine.dpr in your main source folder and press CTRL+F9.
OOPS, I forgot... go into your main source folder and create a new text document (double click > New > Text Document), then rename it to trainerwithassembler.exe.
Now compile it; there shouldn't be any errors. If there are errors like "undeclared identifier", that means you didn't completely change a detected string.
For example, we changed VQE to whatever1 in dbk32.dpr and dbk32functions.pas, but if you forgot to change it in newkernelhandler.pas this error will come out.
If there are still errors, keep changing it till it compiles successfully.
Ok, now there are a few more projects to compile before testing your new UCE. (Don't worry, it's just compiling, no changing strings or anything else.) After compiling each project, copy the .dll or .exe file into a new folder.
- emptydll.dll (emptydll.dpr in SystemcallRetriever folder)
- emptyprocess.exe (emptyprocess.dpr in SystemcallRetriever folder)
- Kernelmoduleunloader.exe (Kernelmoduleunloader.dpr in kernelmoduleunloader folder in dbk32 folder)
- Pscan.dll (Pscan.dpr in injectedpointerscan folder)
- Project1.exe (Project1.dpr in Tutorial folder)
- systemcallsignal.exe (systemcallsignal.dpr in SystemcallRetriever folder)
- Systemcallretriever.exe (change anything if needed) (Systemcallretriever.dpr in SystemcallRetriever folder) (IMPORTANT: Open up systemcallretriever.dpr and look in uses... see newkernelhandler? Change it to whateverhandler and you're good to go. :D)
Ok, now your new folder has all these files; time to test your UCE.
In the codefinder tab in your UCE's settings, tick "try to prevent detection of the debugger".
In the assembler tab tick the same thing.
And in the Extra tab tick everything except stealth mode.
You might notice there's a blank space in the middle in Extra. It's supposed to be like that; I think DB took out the 2 functions.
Ok, now follow these steps to test your UCE. *credits to John*
1. Run your CE, close it. Run maplestory.exe. If it reboots, dbk32.sys (DBKKernel/) is detected.
2. Remove dbk32.sys and dbk32.dll. Run CE, run maplestory; if it reboots, the user interface is detected.
3. What else can be detected? Obviously it's the dbk32.dll.