Using CE (or favourite debugger) without getting banned? menu

User Tag List

Results 1 to 9 of 9
  1. #1
    xhulic's Avatar Member
    Reputation
    2
    Join Date
    Oct 2020
    Posts
    11
    Thanks G/R
    3/1
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Using CE (or favourite debugger) without getting banned?

    Hi there,

    I'm new to reversing and POE, however not new to r/w memory. I have written several cheats/overlays/bots in the past but I have always just stolen the offsets from some public source/forum. So now I want to learn to get the offsets for myself. It doesn't seem to complicated, and I will be cheating and using the patterns for GameState etc as a starting point

    I have seen on reddit and the official POE forums that people have been banned for having Cheat Engine open on their computer. So my question is how do you debug the game and find offsets without getting banned?

    Is it as simple as using this technique and restricted access by user? (Run PoE as a limited user) Or do I need to modify + compile cheat engine myself to change the sig? Or just change the window title?

    Any info would be appreciated thanks!

    Using CE (or favourite debugger) without getting banned?
  2. #2
    pushedx's Avatar Contributor
    Reputation
    257
    Join Date
    Nov 2009
    Posts
    137
    Thanks G/R
    8/135
    Trade Feedback
    0 (0%)
    Mentioned
    12 Post(s)
    Tagged
    0 Thread(s)
    You won't get banned for simply having a debugger running on your PC while PoE is open or actively debugging PoE.

    I've yet to see a single person who has gotten banned from this specifically since 2012, and I myself have actively used PoE in a debugger since 2012 on a daily basis and have never run into any issues. You do want to spoof IsDebuggerPresent though, but that is to avoid exception issues where the debugger catches something the client does and crashes the client because you pass the exception to the client where it's not actually handled.

    The people who've gotten banned from using CheatEngine were most likely using a public table that did a client modification that was then easily detected. Maphacks, Fullbright, Zoomhacks, etc... when done via client patches are trivial for GGG to detect, and they've had a long history for warning and banning people for doing it. If you use client modifications that are publicly known, you run a high risk of getting banned. If you do private client modifications, those are still technically detectable, but unless it's related to a public cheat, you're still very unlikely to get banned unless something changes in the future and they actively start scanning the client for modifications.

    I've not seen any such behavior recently myself, but that doesn't mean it isn't possible. The client is massive in size now, so it's pretty much impossible anymore to know all of what goes on in there. They could easily sneak in stuff between patches and there's no real sane way to catch it. There's a lot of things they "could" do, but they just don't have a record of doing them. For example, client sided file modifications would be easy for them to detect, but I've never seen them actually ban for that. I kind of expected them to possibly start that after the filesystem changes in 3.11.2, but so far I've not seen anyone who is doing it on these forums report bans for it.

    It's always a good idea to be cautious though, so take whatever steps you feel most comfortable with. Limited user is perceived as being safe, as it worked around an older detection method, but I'm very confident they could still detect tools using that, but I never finished a prototype to verify that or not. In either case, just don't use public tools as-is is a better rule of thumb in the cheating world. However, it's impossible to be 100% safe, other than by not doing anything in the first place. If you're doing private development though, you shouldn't really run into any issues with any type of client sided detection. In other games, this is certainly not the case, but PoE has never been that intrusive when it comes to that stuff, because it was designed as a game-as-a-service.

    If you make a private bot or assist tool that performs client actions though, it's possible you can run into issues with potential server sided detections (but you shouldn't during the dev phases of things). I've heard GGG has been going ham on wiping out a lot of botters/rmt'ers as of the recently, so keep that in mind. If you're just doing a private hud that makes no client modifications and you're not going to inject anything into the client and doesn't trigger actions in the client, I feel you have a 99.9% chance of not running into any issues, as that's been my own experience over the years.

    My "dev rules" so to speak are basically:
    - No sending packets
    - Don't call client functions (this is not 100% possible for everything, so at least don't call client functions that generate actions or can cause side effects)
    - Emulate input/hook APIs
    - Modify memory, not physical files
    - High level code should be external, low level power lifting shellcode can be internal. Don't inject/map an entire DLL into the process.

    This way, I only really have to worry about server sided behavior detection more than anything else. If you mess with packets and/or client functions, you have a lot of server sided technical detection issues to worry about.

  3. Thanks xhulic, Sychotix, Aimladen (3 members gave Thanks to pushedx for this useful post)
  4. #3
    xhulic's Avatar Member
    Reputation
    2
    Join Date
    Oct 2020
    Posts
    11
    Thanks G/R
    3/1
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    @pushedx Wow. Thanks for the detailed reply.

    ... The people who've gotten banned from using CheatEngine were most likely using a public table that did a client modification that was then easily detected. ...
    Okay fair enough, that makes sense. This is an example of a post of I was talking about (which obvs had me worried): Don'''t make the same mistake as me - having cheat engine up for other offline games WILL get you banned : pathofexile

    don't use public tools
    Yep. It helps I write all my cheat related side project code in python (interacting with winapi via ctypes), so I'm not using the same pasted c/c++/c# code as most people

    Limited user is perceived as being safe, as it worked around an older detection method ...
    I found it interesting that it would stop anything. They are obviously not hooking ReadProcessMemory so I assume the detection vectors are just process names, sig scanning and the like

    I don't really plan to be writing anything to memory, as I don't really see a use case yet besides automation. However if I was going to automate I would use keyboard/mouse events. My personal input lib uses hardware emulation (via serial to 32u4 board as HID) to bypass input related AC, however that seems overkill with POE?


    So it sounds like getting flagged server side (assuming based on player behaviour) is my biggest issue. Which definitely shouldn't be a problem as most of the things I plan to write are visual in nature

    Thanks again for your help, I've seen you post gold on other threads as well, so super appreciate it.
    Last edited by xhulic; 10-05-2020 at 01:50 AM.

  5. #4
    pushedx's Avatar Contributor
    Reputation
    257
    Join Date
    Nov 2009
    Posts
    137
    Thanks G/R
    8/135
    Trade Feedback
    0 (0%)
    Mentioned
    12 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by xhulic View Post
    Okay fair enough, that makes sense. This is an example of a post of I was talking about (which obvs had me worried): Don'''t make the same mistake as me - having cheat engine up for other offline games WILL get you banned : pathofexile
    Yea, that's a BS post, pay it no attention.

    If you see threads like these start filling up with posts about people getting banned, then you can start to worry about a banwave that's going on:
    mmo...hack-more.html
    mmo...e-3-12-ct.html
    https://www.ownedcore.com/forums/mmo...-ce-table.html

    I don't really plan to be writing anything to memory, as I don't really see a use case yet besides automation. However if I was going to automate I would use keyboard/mouse events. My personal input lib uses hardware emulation (via serial to 32u4 board as HID) to bypass input related AC, however that seems overkill with POE?
    Input has always been tricky in PoE.

    You either have to allow your program to take control over the system so you have 0 hooks in the client to work around window foreground/activation checks, or you have to hook api functions to allow your program to interact with the client when it's in the background. I don't think that is overkill, but I don't think it'll really avoid any of the issues you can run into in this game.

    For example, the client has always been poorly coded. You used to be able to get kicked from the server for performing too many actions at a time using a skill like Cyclone and getting stuck on terrain, and that's playing legit with no tools whatsoever. Things are better now, but the client's input design is terrible. It doesn't correctly rate limit actions, so if your input logic is wrong, you'll be sending an "inhuman" amount of actions per second that either will get you kicked or potentially flagged if you're above a certain threshold.

    That's why people using macro tools can get banned. They can track and monitor actions being performed too fast and while a lot of people get away with it, there's certainly been times where blatantly obvious behaviors have been banned if they affect the game servers. There might be some client sided stuff going on, but hard to say for sure as I've not gotten back to the point of setting up tools to track that down, but if you check the current ban reports: Help and Information - Forum - Path of Exile you'll see most people admitting to using some sort of 3rd party trade related macro program.

    While it's always possible some innocents get banned due to flaws in the system, I'd say 99% of the people posting were breaking the rules in some way, and got caught. That's the thing about cheaters who plead their ban cases online. You just can't trust what any of them say. To get an idea of what really is going on, it's best to just search for ban related posts that have GGG comments in them, such as this one: https://www.reddit.com/r/pathofexile...ed_for_use_of/

    Edit: I asked one of our team members about this and the account locks related to the Overlay recently have been due to it "hammering the ever-living shit out of our website".
    It's an older post now, but it's no coincidence that people using trade related tools/bots are getting banned. Besides the fact trade is important to GGG and they're anti-RMT/tradebot, some of these tools are actually causing them operational issues, which is a big no-no. By that extension of logic, it's possible people getting caught using various private tools could also indirectly be affecting the servers.

    That's not to say they flat out ban for everything, as a lot of people can attest to never having issues using various programs, so it's not a black and white issue as much as just how people are using the tools, and if the tools themselves have issues. In either case, unless you do something really wrong or are botting at a time where they are actively trying to detect that, you really shouldn't run into ban issue during development.

  6. #5
    NoobToken's Avatar Member CoreCoins Purchaser
    Reputation
    8
    Join Date
    Nov 2010
    Posts
    52
    Thanks G/R
    11/9
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by xhulic View Post
    @pushedx Wow. Thanks for the detailed reply.

    They are obviously not hooking ReadProcessMemory
    "Global hook on ReadProcessMemory/CreateRemoteThread/VirtualAlloc/etc to monitor the calls"

    https://www.ownedcore.com/forums/mmo...of-inside.html

  7. #6
    xhulic's Avatar Member
    Reputation
    2
    Join Date
    Oct 2020
    Posts
    11
    Thanks G/R
    3/1
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by NoobToken View Post
    "Global hook on ReadProcessMemory/CreateRemoteThread/VirtualAlloc/etc to monitor the calls"

    https://www.ownedcore.com/forums/mmo...of-inside.html ([Warning] Anti-cheat implemented, stop using any hack/bot (Proof inside))
    Oh interesting. I said obviously because I'm not banned. I'm straight up reading memory with no bypass. Can anyone explain if they have anti-cheat in place why I'm not banned?

  8. #7
    Sychotix's Avatar Moderator Authenticator enabled
    Reputation
    1415
    Join Date
    Apr 2006
    Posts
    3,942
    Thanks G/R
    285/571
    Trade Feedback
    1 (100%)
    Mentioned
    7 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by xhulic View Post
    Oh interesting. I said obviously because I'm not banned. I'm straight up reading memory with no bypass. Can anyone explain if they have anti-cheat in place why I'm not banned?
    Their anti-cheat is enabled whenever they want it to be, and I would assume they could target an individual depending on suspicious activity. Multiple people have attempted to dump the anti-cheat payload, but it just never got delivered to them. Whether it was turned off at the time or they just didn't meet the conditions needed to trigger it we'll never know.

    Also, forcing the game to run as a limited user should pretty much prevent them from detecting external cheats. I'm sure it isn't 100% safe... but windows does a pretty good job of ensuring PoE is locked down on it's own. One of the suspected reasons for PoEHUD's detection in the past is that they detected a suspicious program (open handles to the window), ran some windows API calls to find the path of the suspicious binary, opened it up and did some signature scanning.

    Windows blocks it at each step. At least to my knowledge, they can't check for programs with hooks open to yours. While I think they can SEE the process in a process list... they can't get it's path. Even if they could get the path, the user should (in theory) be denied access to the binary assuming a correct setup.

    That said, as pushedx mentioned... none of that matters for server sided/heuristic detection.
    Last edited by Sychotix; 10-09-2020 at 04:50 PM.

  9. #8
    XianPoE's Avatar Active Member
    Reputation
    27
    Join Date
    Apr 2019
    Posts
    38
    Thanks G/R
    0/23
    Trade Feedback
    0 (0%)
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    As of recent heist there is literally no client checking anymore. Modify away to your heart's content. I've done thorough network scans to see if they are even checking a modified game client... and nope!
    selling private PoE programs
    thank you mister president

  10. #9
    Sychotix's Avatar Moderator Authenticator enabled
    Reputation
    1415
    Join Date
    Apr 2006
    Posts
    3,942
    Thanks G/R
    285/571
    Trade Feedback
    1 (100%)
    Mentioned
    7 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by XianPoE View Post
    As of recent heist there is literally no client checking anymore. Modify away to your heart's content. I've done thorough network scans to see if they are even checking a modified game client... and nope!
    Their anti-cheat can be enabled/disabled at will. They may have not considered you to be suspicious... or it is temporarily disabled.

Similar Threads

  1. Replies: 25
    Last Post: 08-23-2009, 03:45 PM
  2. how to farm BG marks and honor while sleep, work or school without getting banned!
    By Dybberg in forum World of Warcraft Bots and Programs
    Replies: 7
    Last Post: 05-14-2009, 05:44 PM
  3. Replies: 3
    Last Post: 03-24-2007, 05:04 AM
  4. Do Not Use Hacks Right Now You Will Get Banned/suspended
    By Tayo in forum World of Warcraft Bots and Programs
    Replies: 20
    Last Post: 09-21-2006, 10:11 PM
All times are GMT -5. The time now is 09:35 AM. Powered by vBulletin® Version 4.2.3
Copyright © 2024 vBulletin Solutions, Inc. All rights reserved. User Alert System provided by Advanced User Tagging (Pro) - vBulletin Mods & Addons Copyright © 2024 DragonByte Technologies Ltd.
Digital Point modules: Sphinx-based search