where is banwave?
Case 0x4C (76) is the only one called for now no matter what you do; the server decides when each function is called. Basically, if the system thinks you're botting, it'll call the other checks. That's why none of us caught them while debugging: they're active, it's just that we aren't suspected because we're just idling in town trying to catch the event.
0x4C has two pattern checks for now:
21 D9 21 00 21 8B 21 0C 21 24 21 D9 21 19 21 8B 21 0C 21 24 21 03 21 CA 21 89 21 0C 21 24 21 D9 21
And the one evozer posted earlier. For the AC to not flag you, this one has to return the address of the map lookup when your maphack is off, and the other one should always return null even if maphack is on. Basically what this does is randomly decide "is maphack off?" -> you answer with the original map lookup ptr; if it asks "is maphack on?" you return null. You can't just nop the functions; they're required for the game to not flag you.
Best way to implement this in a patcher is to hook that function, blacklist a few patterns to always return null, then the others are passed to the original function.
They might do this for other checks as well, so you need a blacklist/whitelist of hashes to block and not to block.
What does this mean? It means the hashes/signatures your client checks are decided by the server and are server-sided. Which means they don't need to update the client to update their "hack tool" database.
tl;dr: maphack is checked for everyone, other checks are only called if you do suspicious activities.
Last edited by Ouariasse; 01-16-2015 at 06:35 AM.
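The server-driven probe described above, modelled as an added example (this is not code from the thread or from the game's anti-cheat): the server holds a list of patterns with an expectation attached to each, the client scans its own memory and answers with an address or null, and the server judges the answer. The pattern bytes, the image base, the probe list and the two memory images are constructed stand-ins, not real signatures. It also shows why "you can't just nop the functions": a responder that returns null for everything fails the probe a clean client is expected to match.

```python
"""Simulation of a server-issued memory probe (constructed data throughout)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed byte strings standing in for (a) a code sequence every clean
# client contains and (b) a signature a cheat would add. Neither is a real
# game or tool signature.
LEGIT_CODE = bytes.fromhex("8b4d0c8b5508e8a0b4fcff")   # "map lookup"-style canary
FOREIGN_SIG = bytes.fromhex("deadbeefcafebabe")        # stand-in cheat signature

IMAGE_BASE = 0x400000   # assumed load address for the simulated image


@dataclass(frozen=True)
class Probe:
    """One server-issued pattern request and what a clean client must answer."""
    pattern: bytes
    expect_match: bool   # True: clean client must report an address; False: must report null


# The rule set lives on the server side (constructed here), so it can change
# without shipping a new client: this is the "server-sided" point of the thread.
PROBES: List[Probe] = [
    Probe(LEGIT_CODE, expect_match=True),
    Probe(FOREIGN_SIG, expect_match=False),
]

Responder = Callable[[bytes, bytes], Optional[int]]


def honest_scan(memory: bytes, pattern: bytes) -> Optional[int]:
    """Client handler for the probe: address of the first occurrence, or None."""
    off = memory.find(pattern)
    return None if off < 0 else IMAGE_BASE + off


def null_everything(memory: bytes, pattern: bytes) -> Optional[int]:
    """The naive 'return null for every check' responder the thread warns against."""
    return None


def verdict(probe: Probe, answer: Optional[int]) -> str:
    """Server-side evaluation of one answer against the probe's expectation."""
    found = answer is not None
    return "ok" if found == probe.expect_match else "suspicious"


def run_session(memory: bytes, responder: Responder,
                probes: List[Probe] = PROBES) -> Dict[str, int]:
    """Issue every probe to the responder and tally the server's verdicts."""
    counts = {"ok": 0, "suspicious": 0}
    for probe in probes:
        counts[verdict(probe, responder(memory, probe.pattern))] += 1
    return counts


# Constructed images: a clean one, and one with the foreign signature appended.
CLEAN_IMAGE = b"\x55\x8b\xec" + LEGIT_CODE + b"\x90" * 8
TAMPERED_IMAGE = CLEAN_IMAGE + FOREIGN_SIG

if __name__ == "__main__":
    for label, mem, resp in [
        ("clean image, honest client", CLEAN_IMAGE, honest_scan),
        ("tampered image, honest client", TAMPERED_IMAGE, honest_scan),
        ("clean image, null-everything client", CLEAN_IMAGE, null_everything),
    ]:
        print(f"{label}: {run_session(mem, resp)}")
```

The positive probe (a pattern the clean client must contain) is what makes a blanket "return null" answer detectable server-side; the negative probe is the actual signature check. Only the server knows which is which, which is why the thread's hook has to distinguish the two rather than suppress both.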
Code:
int __fastcall GetFlags(int a1, int a2)
{
  int result; // eax@1
  int v3; // esi@2
  int v4; // eax@3
  int v5; // ecx@3
  result = 0;
  if ( a1 )
  {
    v3 = a1;
    do
    {
      v4 = *a2 + 16 * result;
      v5 = v4 & 0xF0000000;
      if ( v4 & 0xF0000000 )
        v4 ^= v5 >> 24;
      result = ~v5 & v4;
      ++a2;
      --v3;
    }
    while ( v3 );
  }
  return result;
}
it's crc32 of titleName
PHP Code:
int __fastcall sub_9C66E0(int titleLength, char* titleName)
{
  int result; // eax@1
  int v3; // esi@2
  int v4; // eax@3
  int v5; // ecx@3
  result = 0;
  if ( titleLength )
  {
    v3 = titleLength;
    do
    {
      v4 = *titleName + 16 * result;
      v5 = v4 & 0xF0000000;
      if ( v4 & 0xF0000000 )
        v4 ^= v5 >> 24;
      result = ~v5 & v4;
      ++titleName;
      --v3;
    }
    while ( v3 );
  }
  return result;
}
---
lSomeFunc1 is a pointer to
PHP Code:
signed __int32 __cdecl sub_8722A0(void *a1, int a2)
{
  signed __int32 result; // eax@1
  dword_C8EDF8 = a1;
  dword_C8EDF4 = a2;
  result = _InterlockedExchange(&a1, a1);
  dword_C905E4 = 1;
  return result;
}
Last edited by doragon; 01-16-2015 at 11:07 AM.
I don't understand what any of this means. Is it likely that there will eventually be a public HUD that has similar risks as the one we were using a month ago (e.g. bypasses to these measures)?
ty doragon, the code makes even more sense now.
Anyway, to make a patcher for the memory scanner, it might be a bit tricky implementing the blacklist, because then they might scan for the patcher itself, and since the patcher doesn't know it's a hack pattern it'll return 1 and you'll get flagged for using an AC deactivator.
Best way is to make a dynamic malicious-pattern whitelist, AKA check if the pattern is present in the original exe; if yes return the address, if not return 0 because it's a cheat that added that in.
I won't make a patcher because tbh I don't use any of these hacks and I can't maintain a public tool. I just reverse engineered it for fun and wanted to share findings; if someone makes an AC bypass/patcher though I'll be happy to look at it and tell you if it's safe to use or not.
I like this idea. It would probably solve the signature scanning, but what if they fired one of the other detection methods instead? I imagine we would have to try to write something which would parse each type of request and send a legitimate response (based on the rules in the AC code).
I'm only talking about the 0x4C case; the other bypasses are easy to implement, as they're not game-memory based at all. It's explicitly looking for foreign data.
And maybe they'll check if you nopped their check by asking the AC to check for a PathOfExile.exe hash; if you return null it's suspicious: how can you not have that exe running when you're running the game? Oh, probably forced the check method to return 0. Which is why a whitelist to force 0 works on the other checks; the memory scanner one is the one where you need the trick I mentioned.
Couldn't we just monitor a clean PoE to get the clean returns and use that? Although I suppose they could have set it up so they want specific clean responses depending on a variety of factors, like a different signature per zone + time or any other number of normally occurring events in game. Well, good luck to those of you that want to attack the AC directly; I'd rather operate under the radar for as long as possible.
100% safe mechanism to bypass self scan memory
if (pattern is a hack pattern) {
    return no match
} else if (pattern is unknown) {
    match1 = scan(exe());
    if (match1)
        return match1
    return scan(currentmemory());
}
The first case is for when it's a known hack pattern we want to bypass: we return not found.
If they want to check whether it can find original PoE memory, it'll return match1 from a clean exe, and the last case is for when it's checking for something that is not in the .exe at runtime but comes later; we just proceed as it normally would.
Fast question: is it safe to debug the game process right now, or have they made some kind of debug detection that flags your account? A passive anticheat is the worst thing that can happen, because you can never be sure whether you were detected or not.