The professional version of the software (available later) and costs $479 USD (a one-time payment for lifetime updates). This thread is the primary support for the software.

Every order of the software is subject to manual approval/processing. The approval process may take anywhere from 12 hours up to 3 weeks when using PayPal. Read this post for more information: https://overlayhack.com/hex-deref-support/984

Official site: https://hexderef.com/
Current version: v1.09
May 15th, 2022

Payment methods: PayPal (business users only with a legitimate company). Cryptocurrency (Bitcoin or ETH) is the only payment method for individual customers.

As of 06/2022 the software has been developed for (5) years, usually on a daily basis. There is no trial version of the software. Use the free version of the software to find out if the software meets your requirements.

MEMORY SCANNING OPTIONS: https://overlayhack.com/hex-deref-support/985

HOW TO / TERMINOLOGY: https://overlayhack.com/hex-deref-support/983

If your task is to test or "bypass" kernel level anti-cheats. That can be easily done with the software as shown in https://hexderef.com/how-to-make-cheat-engine-undetectable

Changelog: https://hexderef.com/#changelog

Q: How the professional version differs from the free version?

1) No thread limitation in multi-threaded disassembler (use as many threads as your CPU support)
2) Commercial use of the software is allowed
3) An unsigned version of the kernel driver is included which enables arbitrary kernel memory to be read and written through the driver. This functionality enables an unattainable level of analysis and disclosure of information from the kernel and loaded modules memory

For example:

In terms of AV, advanced malware or kernel level anti-cheat evasion and testing, every publicly released software or kernel driver may be eventually detected, blacklisted, deemed as an unwanted software and so forth. The result could be a loss of business profit for no real reason.

Therefore the kernel features of the software cannot be provided for free. The PRO version of the software has a different control flow obfuscation and the DKOM functionality in the kernel driver is provided as a solution for your researching task.

The HEX DEREF software does not do anything without the user consent.

Please watch the introduction video of the kernel features at the official site: https://hexderef.com/ and try out the free version before you purchase because all payments are final and non refundable.

The following Windows 10 64-bit (Home or Pro) versions are supported in the kernel driver

Windows 10 21H1 Build: 19043
Windows 10 21H2 Build: 19044
Windows 10 22H2 Build: 19045

Any other windows version is subject to a custom software work.


Able to read and write (RW) protected user mode process arbitrary memory
Arbitrary kernel memory read or write (RW) without the need to enable kernel debugging
Handle elevation DKOM that bypasses EAC/Battleye
Process hiding functionality

A customized version of the kernel driver costs $499 - $4,999 USD depending on your needs.

You can verify your windows version by typing "winver" in the search.

You can sign the driver with your OV or EV code signing certificate. The more expensive EV code signing certificate (works with secure boot on Windows 11) is purchasable for corporate users as it requires a verified company.

Leave a comment with your contact details in the thread (every comment is subject to manual approval) if you want to pay in cryptocurrency (Bitcoins or ETH)

If you host a quality forum or security research related blog and write related articles. It may be possible to get the PRO version for advertising the software in your articles.

Title: HEX DEREF v1.07
01/31/2022 12:41 - 866 days 8 hours 49 minutes
Implemented a page table walk which is pretty much effectively able to find every allocated user or kernel memory page in a matter of few seconds.

That feature enables dumping strings from the kernel memory (e.g from kernel driver). Try out the free version Tools->Dump strings feature.
Title: HEX DEREF v1.08
04/01/2022 23:36 - 805 days 22 hours 54 minutes
Main view:

- Fixed logic issue with automatic process attach
- Fixed unhandled exceptions with protected processes where an anti-cheat stripped handle access
- Added an option in settings to refresh the process list automatically

"C" kernel driver:

Added process handle elevation feature. You can attach your favorite tool to any protected user mode process with PROCESS_ALL_ACCESS (0x1FFFFF) handle.

Memory viewer:

- Minor UI optimizations (a slightly less lag when drawing user process memory)
- By default show the values as unsigned
- When you modify a value in memory, the value entered can also be a hexadecimal number
- Fixed various unhandled exceptions with protected processes
Title: How to / Terminology in the software
04/01/2022 23:39 - 805 days 22 hours 50 minutes
Kernel mode (KM)
Kernel driver interface (KDI)

How to use the handle elevation DKOM feature with a game that's protected by a kernel level anti-cheat?

1) Enter the process names in the fields. If you want to elevate a handle for Cheat Engine (CE). Enter "cheatengine-x86_64-SSE4-AVX2.exe" in the "Elevate handle from process" field. Then you enter the executable name of the game in the field below.


2) KDI->Load
3) KDI->Hide driver
3) Start a game that's protected by a kernel level anti-cheat
4) Right-click to elevate the handle or use the KDI->Elevate the handle

The handle will be elevated with all possible access rights for a process object (PROCESS_ALL_ACCESS 0x1FFFFF).

Once you've elevated the handle. Do the following:

KDI->Unhide driver

How to hide the process?

1) KDI->Load the driver
2) Left-click on the process you want to hide. The selected process is highlighted
3) Right-click to hide the process

Every time when you reboot your computer or VM. Before you can browse the kernel memory. You need to enable KM in the settings and load the driver.
Title: PayPal payments are no longer accepted
05/04/2022 19:02 - 773 days 3 hours 27 minutes
As of 12/2023 PayPal payments are no longer accepted. No matter whether the customer is an individual or a business user. The only acceptable payment method is Bitcoin (BTC) or ETH. I use blockchain.com. Software work is paid in advance. If this is not according to your requirements. Please move on to another site. Thank you.

For all custom software work, you must confirm the agreement with your email before you send any payment. If you have a business, our contract confirmation email must originate from "payments@yourbusiness.com". Free email providers are only accepted for individual users.
Title: Kernel physical memory scanner
05/17/2022 20:20 - 760 days 2 hours 10 minutes
The professional version of the software includes physical memory scanner.

Memory scanning is in user mode by default. The process you opened from the process list by left-clicking on the process name. When you scan your PC or laptop physical memory through the kernel driver, there is no need to open a handle to any process.

The options for kernel driver must be initialized and the driver loaded using the KDI before you can scan kernel memory.

KERNEL_MEMORY: The memory allocated by the kernel and the loaded kernel modules is scanned.
KERNEL_MODULES: The kernel and drivers data and discardable sections are checked.
USER_MEMORY: The memory allocated by all user mode processes is checked. Scanning also includes all protected processes.

The above three together are the same as a computer's physical memory. The more narrowed the scan is, the better results you will get and needless to even mention, you get the results you was after faster as well.
Title: How to use the kernel driver interface (KDI)?
05/24/2022 16:00 - 753 days 6 hours 30 minutes
Each time you restart your computer or virtual machine (VM).

1) KDI->Initialize
2) KDI->Load the driver

Before you can unload the driver, you have to stop it's system thread.

KDI->Stop thread
KDI->Unload driver

Title: You have plans to sell HEX DEREF and from a business perspective, what can your tool offer that free tools can't?
10/18/2022 21:39 - 606 days 0 hours 50 minutes
If we compare vs Cheat Engine 7.4. Kernel memory scanner is more mature. It just works exactly as you expect it to work without any hassle.
CE does not convert physical addresses to virtual addressess. You will have to use WinDbg which will require you to enable kernel debugging as well. This is usually a no go with kernel level anti cheats. This is not a personal attack towards CE's author but the memory viewer in HEX DEREF is literally decades ahead.

Usually two options is better than just one. CE is the only tool I know what with I can even compare physical memory scan results. Kernel physical memory scanner in HEX DEREF is also notably faster.

Every publicly released software or kernel driver may be eventually detected, blacklisted, deemed as an unwanted software and so forth:


>> What's the difference vs the competition?

As far I tested the most of the competitive software. The memory viewer is the most advanced ever released up to the current date. You can switch on the fly between user and kernel mode in the same instance. The kernel driver in the paid version enables kernel memory scans and may other DKOM functionality.

Post a comment

Registered users do not have to enter captcha. A line in the code tag is currently limited to maxium of 160 characters.
Posting guidelines: You may not post any personal information. When you report an issue: Always mention which version and operating system and briefly describe the issue. Any support request post that does not include this information will be removed as spam without a reply.
Tags You may use the following tags: [QUOTE] [/QUOTE] [B] [/B] [URL] [/URL] [CODE] [/CODE]
Captcha Please enter the text you see (case insensitive). The listed characters must be entered clockwise starting from twelve o'clock.
Comments are moderated Y