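Debugger detection on two types of ExceptionCode:
/*
 * Debug-event filter that records debugger activity in a lazily allocated
 * 4-byte flag block (the global flagStruct).
 *
 * lpDebugEvent points at a DEBUG_EVENT; the 32-bit exception code is read at
 * offset 12 (u.Exception.ExceptionRecord.ExceptionCode on 32-bit Windows).
 * Two codes are recorded:
 *   0x80000003 (EXCEPTION_BREAKPOINT)  -> byte 0 of the block is set to 1
 *   0x80000004 (EXCEPTION_SINGLE_STEP) -> byte 3 of the block is set to 1
 * Every event, recorded or not, returns 65538 (0x10002, DBG_CONTINUE).
 *
 * Fixes over the original listing: malloc() was not checked, so a failed
 * allocation dereferenced NULL, and the lazy initialisation was duplicated
 * in both branches; it now lives in one helper.
 */
static void *ensureDebugFlagBlock(void)
{
    if ( !flagStruct )
    {
        void *block = malloc(4u);
        if ( !block )
            return 0;               /* caller skips the write; flagStruct stays unset */
        *(_DWORD *)block = 0;       /* clear all four flag bytes */
        flagStruct = block;
    }
    return flagStruct;
}

signed int __usercall checkExceptionDebugEvent<eax>(int lpDebugEvent<eax>)
{
    int ExceptionCode = *(_DWORD *)(lpDebugEvent + 12);     /* DEBUG_EVENT, 32-bit layout */
    void *flags;

    if ( ExceptionCode == -2147483645 )         /* 0x80000003 EXCEPTION_BREAKPOINT */
    {
        flags = ensureDebugFlagBlock();
        if ( flags )
            *(_BYTE *)flags = 1;
    }
    else if ( ExceptionCode == -2147483644 )    /* 0x80000004 EXCEPTION_SINGLE_STEP */
    {
        flags = ensureDebugFlagBlock();
        if ( flags )
            *((_BYTE *)flags + 3) = 1;
    }
    return 65538;                               /* 0x10002 DBG_CONTINUE */
}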
The signature scanner:
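/*
 * Cross-process signature scan (the routine reached from the case-76 handler
 * discussed further down this thread).
 *
 * eax0 is the djb2 hash of a process executable name; sub_9C68C0() resolves it
 * to a PID. That process is opened with access 1040 (0x410 =
 * PROCESS_QUERY_INFORMATION | PROCESS_VM_READ) and its address space is walked
 * with lVirtualQueryEx() in 28-byte MEMORY_BASIC_INFORMATION steps. A region is
 * copied into the local process and handed to sigscanner() only when State has
 * MEM_COMMIT (0x1000) and AllocationProtect has an execute bit
 * (0xD0 = PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY).
 *
 * Returns the BaseAddress of the first region where sigscanner() reports a hit,
 * or 0 when no process matches or no region matches.
 *
 * Fixes over the original listing: the process handle was never closed and the
 * copy buffer was not released on a hit; both are now released on every path,
 * and a failed lVirtualAlloc() skips the region instead of reading into NULL.
 */
int __userpurge sub_9C70B0<eax>(int eax0<eax>, int a1)
{
    struct {                        /* 32-bit MEMORY_BASIC_INFORMATION (28 bytes) */
        unsigned int BaseAddress;
        unsigned int AllocationBase;
        unsigned int AllocationProtect;
        unsigned int RegionSize;
        unsigned int State;
        unsigned int Protect;
        unsigned int Type;
    } mbi = {0};
    unsigned int found = 0;
    int pid = sub_9C68C0(eax0);
    int process;

    if ( !pid )
        return 0;
    process = lOpenProcess(1040, 0, pid);   /* 0x410 = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ */
    if ( !process )
        return 0;

    if ( lVirtualQueryEx(process, 0, &mbi, 28) )
    {
        for ( ;; )
        {
            unsigned int base = mbi.BaseAddress;
            unsigned int size = mbi.RegionSize;

            /* only committed regions whose allocation carries an execute bit */
            if ( (mbi.State & 0x1000) && (mbi.AllocationProtect & 0xD0) )
            {
                unsigned int buf = lVirtualAlloc(0, size, 4096, 4);   /* MEM_COMMIT, PAGE_READWRITE */
                if ( buf )
                {
                    /* the first sigscanner() argument mirrors the original, which
                       passed lReadProcessMemory()'s return value through eax */
                    int rc = lReadProcessMemory(process, base, buf, size, 0);
                    int hit = sigscanner(rc, buf, size, a1);
                    lVirtualFree(buf, 0, 32768);                      /* MEM_RELEASE */
                    if ( hit )
                    {
                        found = base;
                        break;
                    }
                }
            }
            /* base + size is unsigned; if it wraps at the top of the address
               space the query is expected to fail and end the walk */
            if ( !lVirtualQueryEx(process, base + size, &mbi, 28) )
                break;
        }
    }
    lCloseHandle(process);
    return (int)found;
}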
You guys/girls are awesome. I'm not into any coding, but when I read the stuff you post and try to understand what's going on, it's more exciting than a book.
Compares a checksum of opened process names/window names and flags you if there's a match (90% sure). If this is true, even using poehud with ReadProcessMemory will get you flagged.
Detects if the process is being debugged and flags you — 100% confirmed
Detects dll injection and flags you 100% confirmed
Detects thread creation and flags you 100% confirmed
Detects memory change and flags you 100% confirmed
Has a sigscanner to detect known hack pattern and flags you 100% confirmed
The flagging is complex as in they can see exactly what you were flagged for and use their judgment on whether to ban you or not.
If you're flagged for creating a dll process inside their game but no other flag were detected, chance are you won't be banned and they'll think it's just some addon software injecting itself. Done debugging for now if someone has more code to share/info to share go ahead.
module flagger
/*
 * Walks the module list of the current process and returns
 * sub_9C66E0(name_length, name) for the first module whose name hashes to a1
 * (djb2: h = 5381, then h = 33*h + c for every byte). Returns 0 when no module
 * matches or the snapshot cannot be walked. The snapshot handle is closed on
 * every path.
 *
 * The local mirrors the 548-byte MODULEENTRY32 the original built on the
 * stack (dwSize at +0, szModule at +32).
 */
int __stdcall sub_9C6E00(int a1)
{
    struct {
        int dwSize;
        int th32ModuleID;
        int th32ProcessID;
        int GlblcntUsage;
        int ProccntUsage;
        int modBaseAddr;
        int modBaseSize;
        int hModule;
        char szModule[256];
        char szExePath[260];
    } entry;
    int snapshot = lCreateToolhelp32Snapshot(8, lGetCurrentProcessId());   /* 8 = TH32CS_SNAPMODULE */
    int result = 0;

    entry.dwSize = 548;
    if ( lModule32First(snapshot, &entry) )
    {
        for ( ;; )
        {
            int len = 0;
            unsigned int hash = 5381;

            /* same wrapping 32-bit djb2 the original computed after a strlen pass */
            while ( entry.szModule[len] )
            {
                hash = 33 * hash + entry.szModule[len];
                ++len;
            }
            if ( (int)hash == a1 )
            {
                result = sub_9C66E0(len, entry.szModule);
                break;
            }
            if ( !lModule32Next(snapshot, &entry) )
                break;
        }
    }
    lCloseHandle(snapshot);
    return result;
}
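Process flagger
/*
 * Walks a process snapshot and returns the PID of the first process whose
 * executable name hashes to a1 (djb2: h = 5381, then h = 33*h + c for every
 * byte), or 0 when none matches or the snapshot cannot be enumerated.
 *
 * The local mirrors the 296-byte PROCESSENTRY32 the original built on the
 * stack (dwSize at +0, th32ProcessID at +8, szExeFile at +36).
 *
 * Fix over the original listing: on a match the function returned without
 * lCloseHandle(), leaking one snapshot handle per hit; the handle is now
 * closed on every path, as the module flagger already does.
 */
int __usercall sub_9C68C0<eax>(int a1<edi>)
{
    struct {
        int dwSize;
        int cntUsage;
        int th32ProcessID;
        int th32DefaultHeapID;
        int th32ModuleID;
        int cntThreads;
        int th32ParentProcessID;
        int pcPriClassBase;
        int dwFlags;
        char szExeFile[260];
    } entry;
    int snapshot = lCreateToolhelp32Snapshot(2, 0);   /* 2 = TH32CS_SNAPPROCESS */
    int result = 0;

    entry.dwSize = 296;
    if ( !lProcess32First(snapshot, &entry) )
    {
        lCloseHandle(snapshot);
        return 0;
    }
    do
    {
        /* wrapping 32-bit djb2 over the NUL-terminated executable name */
        unsigned int hash = 5381;
        for ( const char *p = entry.szExeFile; *p; ++p )
            hash = 33 * hash + *p;
        if ( (int)hash == a1 )
        {
            result = entry.th32ProcessID;
            break;
        }
    } while ( lProcess32Next(snapshot, &entry) );

    lCloseHandle(snapshot);
    return result;
}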
I'm not gonna make any patcher because I'm not 100% sure all my info is enough to circumvent it, but I hope all of this is helpful for someone making a bypass.
What if we restrict the client's permissions before using hacks with some tool? Linked in the reddit thread:
Awesome work on the reversing of this, guys. Personally, I use poehud and since finding out about these new functions I plan to carry on using it. If I get banned then I'll just stop playing the game because quite honestly, most of PoEhud should already be part of the game itself. I also wouldn't be able to carry on playing a game which ignores the rubber banding and shitty boss fights in favour of banning people for trying to make the horrible standard hud better. I just can't play this game at default zoom as it's far too close to my character, and I also don't want to play a game which is SUPER dark most of the time and doesn't even have a gamma correction option in game.
Quite honestly, I didn't make a new account to store anything on, because I just don't care that much if I get banned. I won't go back to it if I get the ban and I'm completely prepared to get one if it happens.
I don't use PoEhud to cheat, I use it to make my game look nicer and fix some things that I just don't like (e.g are you really going to make someone be so zoomed in and not let them know that an elemental/physical reflect is near? It's not like you're able to easily mouse over 1 mob in about 50 to check in the middle of combat. That alert is something that SHOULD be there by default, otherwise the player has no way of knowing until it's usually too late. And there's NO WAY I'm having item alerts disabled, I simply don't want to sit and look through the thousands of pieces of loot that drop to identify 1 thing I might want. The screen loot is already a complete cluster**** and there's still no display toggle button for loot, only a momentary one.
I guess at the end of the day, I just hope GGG have some sense and look at this rationally. People WANT most of these things in game, I certainly don't want to use third party stuff to play the game but I use PoEhud, stash sorter and the autopot program for various reasons, none of which are to cheat, just make the experience of the game better (in fact, imho how it should be). However, if I get a ban from it then it'll prove to me that GGG have no intention of making the game nicer to play and want to keep archaic and lame mechanics like manual sorting of backpacks, or not give the player enough info to be able to make decisions on how to handle an encounter (and just ending up getting them killed through no fault of their own).
I think what irks me most though, is the fact that the rubber banding in this game is so horribly bad, and while I don't suffer the constant and random disconnects, I know many people who do and GGG just refuse to address it. To hear that I might receive a ban soon because of this new detection and knowing that they're maybe doing this OVER fixing the dc's and rubber banding is a little annoying. I don't know.... I hope that GGG are going to be sensible about this, I played in really early beta and got bored of the constant character wipes and only recently came back, I'd like to keep playing but I just have a feeling I wont be real soon.
Are they actually doing anything other than pattern matching using the maphack pattern right now? Been logging the scans for a few hours now (code based on sub_9C6210) but the only thing I've seen is case 59 in the switch statement with the same pattern (the one for maphack) every time. The code for enumerating processes/windows/modules does not seem to run at all.
Been doing mostly the same, I've had it enumerate processes several times but I can't for the life of me figure out why.
Do we know what it does with rpm ?
The case 76 does this if I'm not mistaken:
1. Enumerate processes to find a process with matching hash
2. OpenProcess with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
3. Call VirtualQueryEx on the opened process
4. Allocate RegionSize (from VirtualQueryEx result) using VirtualAlloc inside the poe process
5. Read RegionSize bytes from the opened process using RPM into the allocated memory region inside the poe process
6. Do a pattern scan on these read bytes
Haven't had it happen on my end yet so no clue what hashes they are looking for and what pattern they are trying to find
I think it's looking for bots; it happened to me when I did a lot of zone switching. I think they are either looking for exilebot or exilebuddy, since those two have consistent checksums (whereas it's fairly easy to change up poehud's). (Haven't used either, but it seems to me that that's what it would scan for.)
Case 76 is in my opinion looking for bots, I'm not talking about the whole anticheat just the one part that enumerates processes, See Evozer's post.