Interesting Internal Cheat Detection menu

These ads disappear when you log in.

Results 1 to 5 of 5
  1. #1
    Jadd's Avatar 🐸 CoreCoins User
    Reputation
    1391
    Join Date
    May 2008
    Posts
    2,336
    Thanks G/R
    76/240
    Trade Feedback
    0 (0%)

    Interesting Internal Cheat Detection

    I dunno how well old this information is, since I'm new to albion, but here's some "detection" methods I found. There are two which I have found and are both obscured using reflection methods. It creates a list of hashed assemblies that are loaded in the game, which is included each time a SelectCharacter and/or ChangeCluster packet is sent. Be careful when running public cheats! Most likely the server maintains a blacklist of hashes of publicly available assemblies.

    Below you can find the detection methods and their reversed counterparts respectively.

    are constructor

    Code:
    public are()
    {
        object obj = Type.GetType(ara.g[9]).GetMethod(ara.g[10]).Invoke(null, null);
        object obj2 = obj.GetType().GetType().GetMethod(ara.g[18], new Type[]
        {
            typeof(string)
        }).Invoke(obj.GetType(), new string[]
        {
            ara.g[11]
        });
        Type type = (Type)obj2.GetType().GetProperty(ara.g[16]).GetGetMethod().Invoke(obj2, null);
        IEnumerable<ParameterInfo> parameters = type.GetMethod(ara.g[12]).GetParameters();
        if (are.b == null)
        {
            are.b = new Func<ParameterInfo, int, ParameterExpression>(are.a);
        }
        ParameterExpression[] parameters2 = parameters.Select(are.b).ToArray<ParameterExpression>();
        MethodCallExpression body = Expression.Call(Expression.Constant(aq9.aj()), aq9.aj().GetType().GetMethod(ara.g[13], new Type[]
        {
            typeof(string)
        }), new Expression[]
        {
            Expression.Constant(string.Empty, typeof(string))
        });
        Delegate @delegate = Expression.Lambda(type, body, parameters2).Compile();
        MethodInfo method = obj2.GetType().GetMethod(ara.g[17]);
        method.Invoke(obj2, new object[]
        {
            obj,
            @delegate
        });
    }
    Code:
    public are() {
        AppDomain.CurrentDomain.AssemblyLoad += (sender, args) => aq9.au(string.Empty);
    }
    aq9.au
    Code:
    public void au(string A_0)
    {
        EventData a_ = ara.a(new adr
        {
            a5k = aq9.z,
            a5l = "Horst" + (long.MaxValue - aq9.z),
            a5m = 0,
            a5n = 0,
            a5s = Guid.Empty.ToByteArray(),
            a5r = "",
            a5w = new float[2],
            a5x = GameTimeStamp.Zero,
            a5y = 180f,
            a50 = 0L,
            a5z = 0f,
            a51 = 1000f,
            a52 = 1000f,
            a53 = 0f,
            a54 = GameTimeStamp.Zero,
            a55 = 100f,
            a56 = 100f,
            a57 = 0f,
            a58 = GameTimeStamp.Zero,
            a6g = null,
            a6h = null
        });
        this.az(a_);
    }
    aq9.az
    Code:
    public void az(EventData A_0)
    {
        try
        {
            object obj = Type.GetType(ara.g[9]).GetMethod(ara.g[10]).Invoke(null, null);
            object[] array = (object[])obj.GetType().GetMethod(ara.g[14]).Invoke(obj, null);
            int i = 0;
            while (i < array.Length)
            {
                object obj2 = array[i];
                string text = (string)obj2.GetType().GetProperty(ara.g[15]).GetGetMethod().Invoke(obj2, null);
                ConstructorInfo constructor = ajy.a(ara.g[8]).GetConstructor(new Type[]
                {
                    typeof(string),
                    ajy.a(ara.g[7]),
                    ajy.a(ara.g[6]),
                    ajy.a(ara.g[5])
                });
                object obj3 = Enum.ToObject(ajy.a(ara.g[7]), 3);
                object obj4 = Enum.ToObject(ajy.a(ara.g[6]), 1);
                object obj5 = Enum.ToObject(ajy.a(ara.g[5]), 3);
                object obj6 = null;
                try
                {
                    obj6 = constructor.Invoke(new object[]
                    {
                        text,
                        obj3,
                        obj4,
                        obj5
                    });
                }
                catch (Exception)
                {
                    aop.a.Add(-1);
                    goto IL_2AD;
                }
                goto IL_178;
                IL_2AD:
                i++;
                continue;
                IL_178:
                ConstructorInfo constructor2 = ajy.a(ara.g[4]).GetConstructor(new Type[]
                {
                    ajy.a(ara.g[8])
                });
                object obj7 = constructor2.Invoke(new object[]
                {
                    obj6
                });
                PropertyInfo property = ajy.a(ara.g[4]).GetProperty(ara.g[3]);
                object value = property.GetValue(obj7, null);
                Type type = value.GetType();
                PropertyInfo property2 = type.GetProperty(ara.g[2]);
                long num = (long)property2.GetValue(value, null);
                int num2 = (int)num;
                MethodInfo method = ajy.a(ara.g[4]).GetMethod(ara.g[1]);
                byte[] a_ = (byte[])method.Invoke(obj7, new object[]
                {
                    num2
                });
                MethodInfo method2 = ajy.a(ara.g[4]).GetMethod(ara.g[0]);
                method2.Invoke(obj7, null);
                aop.a.Add(ara.a(a_));
                goto IL_2AD;
            }
        }
        catch (Exception)
        {
        }
    }
    Code:
    // aop.a
    public static HashSet<int> _assemblyHashes = new HashSet<int>();
    
    // aq9.az
    public void StoreLoadedAssemblies(EventData eventData) {
        foreach (var assembly in AppDomain.CurrentDomain.GetAssemblies()) {
            try {
                var fileStream = new FileStream(assembly.Location, FileMode.Open, FileAccess.ReadWrite, FileShare.Read);
                var binaryReader = new BinaryReader(fileStream);
                
                var assemblyLength = binaryReader.BaseStream.Length;
                var assemblyBytes = binaryReader.ReadBytes(assemblyLength);
                var assemblyHash = Hash(assemblyBytes);
                
                binaryReader.Close();
                
                _assemblyHashes.Add(assemblyHash);
            }
            catch (Exception) {
                _assemblyHashes.Add(-1);
            }
        }
    }
    
    // ara.a
    public static int Hash(byte[] bytes) {
        var hash = -0x7EE3623B;
    
        foreach (var @byte in bytes) {
            hash ^= @byte;
            hash *= 0x01000193;
        }
    
        hash += hash << 13;
        hash ^= hash >> 07;
        hash += hash << 03;
        hash ^= hash >> 17;
        hash += hash << 05;
    
        return hash;
    }
    *Update* 13 November 2017 (patch 1.0.340.102503:
    are -> as9
    aq9.au -> as4.au
    aq9.az -> as4.a2
    Last edited by Jadd; 11-13-2017 at 07:43 AM.

  2. Thanks Willy, bingotheclowno, Inject, V-X (4 members gave Thanks to Jadd for this useful post)
  3. #2
    bingotheclowno's Avatar Member
    Reputation
    2
    Join Date
    Jan 2009
    Posts
    7
    Thanks G/R
    1/0
    Trade Feedback
    0 (0%)
    Thanks.
    Out of curiosity, how did you come across it? I'm guessing not by manually looking at everything in the PhotonClient assembly

  4. #3
    superseani's Avatar Member
    Reputation
    1
    Join Date
    Apr 2016
    Posts
    12
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Any way of Disabling this security?
    do you think there is any security Looking forward to see if that security is safely enabled or not. ?
    I couldnt understand a byte of logic in that code but.. . ow well better be prepared, as i seen about i dont know maybe 25-50% of the players Gathering WAAAAAAAAAYAYYY too fast around -_-... ANd bots... and So much.

  5. #4
    lassdas's Avatar Member
    Reputation
    2
    Join Date
    Aug 2014
    Posts
    7
    Thanks G/R
    0/1
    Trade Feedback
    1 (100%)
    The detection is not perfect.

    <Deleted>
    Last edited by lassdas; 08-24-2017 at 07:11 AM.

  6. #5
    Jadd's Avatar 🐸 CoreCoins User
    Reputation
    1391
    Join Date
    May 2008
    Posts
    2,336
    Thanks G/R
    76/240
    Trade Feedback
    0 (0%)
    Originally Posted by superseani View Post
    Any way of Disabling this security?
    Since we are running internally (this detection only regards internal assemblies) it is quite easy. Just remove any assemblies you're running from the HashSet.
    Code:
    // Just an example - this only removes the executing assembly, not including any additional dependencies.
    var assemblyHashes = (HashSet<int>) typeof(aop).GetField("a").GetValue(null);
    var assemblyBytes = File.ReadAllBytes(Assembly.GetExecutingAssembly().Location);
    var assemblyHash = ara.a(assemblyBytes);
    assemblyHashes.Remove(assemblyHash);
    Something else you may want to consider: if you have modified Assembly-CSharp or any other assembly for whatever reason, you should remove those hashes too and replace them with hashes of the unmodified files.

  7. Thanks ChrisIsMe (1 members gave Thanks to Jadd for this useful post)

Similar Threads

  1. [Buying] Have a memory cheat? Detected or Not? Want to play with it making money?
    By kitpandy in forum Overwatch Buy Sell Trade
    Replies: 0
    Last Post: 03-16-2017, 04:57 PM
  2. [Guide] To overwatch cheats detection (and the ignorance of creators)
    By VapeNation in forum Overwatch Chat
    Replies: 22
    Last Post: 02-12-2017, 02:49 PM
  3. [Selling] [RedEyeCheats] CSGO Internal Cheat [Paid and Free Versions]
    By SmurfingAround in forum Counter Strike: Global Offensive Buy Sell Trade
    Replies: 27
    Last Post: 05-26-2016, 11:10 AM
  4. Need to turn off cheat detection
    By kaitsusora in forum World of Warcraft Emulator Servers
    Replies: 0
    Last Post: 09-14-2007, 04:09 PM
All times are GMT -5. The time now is 07:05 PM. Powered by vBulletin® Version 4.2.3
Copyright © 2019 vBulletin Solutions, Inc. All rights reserved. Digital Point modules: Sphinx-based search