[Warning] Anti-cheat implemented, stop using any hack/bot (Proof inside)

[pootisbb]

Let's be real though, if the mule account only transacts with the main account, or has a steady stream of loot coming from the main account with little going back to the main account, it's still really easy to connect them.

You're absolutely correct, especially if you goldfarm. What I suggested will save him from a chainban if he doesn't interact with his main and just wants to try out hacks for racing/a new league, though.

[lolp1]

And if they just run the request over and over again? The game would be unplayable.

You could get a legitimate result and then pass that result back.

[pootisbb]

You could get a legitimate result and then pass that result back.

Yes, but in the original post he was responding to I stated that I did not want to modify the function, as there could be a hidden check that a less experienced programmer like me could miss. The safest thing to do in my case upon activation of the anticheat would be to simply terminate PoE upon the function being called and wait until GGG has deactivated the anticheat (or simply play without hacks for the time being).

[elyas10]

7-11-2015

Decrypted strings from 2.0.0c
0xa26c18 => ntdll.dll
0xa26c24 => kernel32.dll
0xa26c34 => user32.dll
0xa26c44 => advapi32.dll
0xa26c54 => LdrGetDllHandle
0xa26c68 => LdrGetProcedureAddress
0xa26c84 => LdrQueryProcessModuleInformation
0xa26ca8 => NtAllocateVirtualMemory
0xa26cc4 => NtCreateFile
0xa26cd4 => NtDuplicateObject
0xa26ce8 => NtFreeVirtualMemory
0xa26d00 => NtGetTickCount
0xa26d14 => NtQueryInformationFile
0xa26d30 => NtQueryInformationProcess
0xa26d4c => NtQueryObject
0xa26d5c => NtQueryPerformanceCounter
0xa26d78 => NtQuerySystemInformation
0xa26d94 => NtQueryVirtualMemory
0xa26dac => NtReadFile
0xa26dbc => NtSetInformationThread
0xa26dd8 => AdjustTokenPrivileges
0xa26df0 => CloseHandle
0xa26e00 => ContinueDebugEvent
0xa26e18 => CreateThread
0xa26e28 => CreateToolhelp32Snapshot
0xa26e44 => DebugActiveProcess
0xa26e5c => GetCurrentProcess
0xa26e70 => GetCurrentProcessId
0xa26e88 => GetCurrentThread
0xa26e9c => GetProcessId
0xa26eac => GetNativeSystemInfo
0xa26ec4 => LookupPrivilegeValueA
0xa26edc => Module32First
0xa26eec => Module32Next
0xa26efc => OpenProcessToken
0xa26f10 => WaitForDebugEvent
(rebased at 0xC0000)

This is outdated, half of these functions are no longer used. Either that or I can't find them but I did extensive research.

I decrypted the new strings and reversed the entire anti cheat, module32first, module32next, and NtQueryInformationProcess are still among the encrypted strings and those are big red flags for detecting injected dlls.

IsDebuggerPresent doesn't have a GetProcAddress with an encrypted string but also is a problem.

Someone made a suggestion about closing PoE if the anticheat got run, I think that is a great approach, but the game could close over and over if the anti cheat gets run often.

I checked whether the very suspicious functions ever get run and I found that they don't at the moment. However there is a wrapper function that CAN call the anticheat, but doesn't, the wrapper function gets called right before you see the main menu and might be run at another time but who knows. So far I hooked the wrapper function and injected a dll AFTER the main menu, I will see when the wrapper function gets called and go from there.

Code:

Detecting AntiCheat:
	- the decryption function is the same as the encryption function and vice versa
		- involution

	(Assuming base is 0x0)
	Fishy GetProcAddress:
		25DE8F
			NtGetTickCount

		25E7E3
			NtQueryInformationProcess
		25E874
			NtCreateFile
		25E8FB
			CloseHandle
		25E95F
			NtQueryInformationFile
		25E9CE
			CloseHandle
		25EA4E
			NtReadFile

		25ED8C
			Module32Next
		25F097
			NtQueryVirtualMemory
		25F25C
			CloseHandle

		25F3E2
			NtQuerySystemInformation
		25F4DA
			GetCurrentProcess
		25F538
			NtDuplicateObject
		25F7DE - GetProcAddressWrapper
			-Wrapper for GetProcAddress
			-Encrypts or decrypts it seems

		74C99F
			- Hard to decrypt
			- Seems to be twitch_sdk / openal related
			 v12 = (char *)&word_2 +
			 		*(_DWORD *)&v7[(Arguments -
			 		(_DWORD)v6) & 0xFFFFFFFC];

Now there is also a wrapper for GetProcAddress, I had to check every single call made to it and here are the results:

Code:

-25F7DE is the wrapper for getprocaddress, here are interesting addresses that call on it:
	258D91
		-CreateThread
	25DFE9
		-GetCurrentProcess
	25DFFE
		-NtAllocateVirtualMemory
	25E2D0
		-GetCurrentProcess
	25E2E5
		-NtAllocateVirtualMemory
	25E30B
		-GetCurrentProcess
	25E320
		-NtAllocateVirtualMemory
	25E334
		-NtGetTickCount
	25E410
		-NtFreeVirtualMemory
	25E425
		-NtAllocateVirtualMemory
	25E445
		-NtFreeVirtualMemory
	25E45A
		-NtAllocateVirtualMemory
	25E4B7
		-GetCurrentProcess
	25E4CC
		-NtAllocateVirtualMemory
	25E566
		-GetCurrentProcess
	25E57B
		-NtAllocateVirtualMemory
	25E655
		-GetCurrentProcess
	25E57B
		-NtAllocateVirtualMemory
	25E6F5
		-GetCurrentProcess
	25E70A
		-NtAllocateVirtualMemory

	25EAB9
		-CloseHandle
	25EACF
		-CloseHandle
	25EB89
		-CloseHandle
	25EB9B
		-CloseHandle
	25EBFD
		-CloseHandle
	25EC19
		-CloseHandle

	25EC76
		-CreateToolhelp32Snapshot
	25ECC7
		-Module32First
	25EDEC
		-CloseHandle

	25F023
		-GetCurrentProcess
	25F03A
		-GetCurrentProcessId

	-Used for authentication
	25F2F5
		-GetCurrentProcess
	25F30A
		-OpenProcessToken
	25F32A
		-LookupPrivilegeValueA
	25F37B
		-AdjustTokenPrivileges

	-For playing media?
	25F5A9
		-CloseHandle
	25F5E6
		-NtQueryObject
	25F60D
		-CloseHandle
	25F662
		-GetCurrentProcessId
	25F67D
		-GetProcessId
	25F68F
		-GetProcessId
	25F6D9
		-CloseHandle
	25F6E9
		-CloseHandle
	25F72A
		-CloseHandle
	25F745
		-CloseHandle
	25F768
		-CloseHandle

	-To generate random numbers?
	25F82C
		-NtGetTickCount

Wrapper function for the anticheat is:
25DE30

and isDebuggerPresent:
74D909

NOTE: I haven't reversed the parameters for GetProcAddress at 74C99F yet so who knows what that is! It could be numerous other red flag functions based on the parameters it gets, I also have to look into this. So far all I see before the call to the function that calls on this address is twitchsdk and openal related, but it is never too safe to assume this.

Also these should be ALL the fishy anti cheat that path of exile has, if this can be exploited with a bypass we should be good.

[enaf3n]

Code:

	-To generate random numbers?
	25F82C
		-NtGetTickCount

The primary purpose for NtGetTickCount is to monitor the anti-cheat's execution time, presumably for detours or breakpoints, in what's called a "timing attack."

[datz]

ahhhhhhhhhhhhhhhhh

[elyas10]

There was an update, and I checked the anticheat, it got changed!

Here is the decrypted strings:

Code:

ntdll.dll
kernel32.dll
user32.dll
advapi32.dll
LdrGetDllHandle
LdrGetProcedureAddress
LdrQueryProcessModuleInformation
NtAllocateVirtualMemory
NtCreateFile
NtDuplicateObject
NtFreeVirtualMemory
NtGetTickCount
NtQueryInformationFile
NtQueryInformationProcess
NtQueryObject
NtQueryPerformanceCounter
NtQuerySystemInformation
NtQueryVirtualMemory
NtReadFile
NtSetInformationThread
AdjustTokenPrivileges
CloseHandle
ContinueDebugEvent
CreateThread
CreateToolhelp32Snapshot
DebugActiveProcess
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetProcessId
GetNativeSystemInfo
LookupPrivilegeValueA
Module32First
Module32Next
OpenProcessToken
WaitForDebugEvent
wine_get_version

wine_get_version is most notably added (not anti cheat related? linux support? GGG wants to know how many players use wine? what does this mean?)

also the addresses where these get called changed as well but I am too lazy to update the addresses since for the most part everything seems the same

The entry function of the anti cheat can be found by searching this array of bytes:

Code:

FF D7 8A 55 00 8D 75 01 BF 0F 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F B6 45 09 83 C0 EF 83 F8 33

The question marks mean those bytes can be anything (apply a mask)

[alexandrubenza]

There was an update, and I checked the anticheat, it got changed!

The question marks mean those bytes can be anything (apply a mask)

lazy google search and it seems like wine is windows emulator? perhaps trying to detect multibot VM farming?

also, do these changes mean the HUD's not safe?

[elyas10]

lazy google search and it seems like wine is windows emulator? perhaps trying to detect multibot VM farming?

also, do these changes mean the HUD's not safe?

I honestly don't know 100%.

My opinion/speculation is that they didn't really change anything from last patch in terms of detection

edit:

ok ok I also noticed

LdrGetDllHandle
LdrGetProcedureAddress

but when I decrypted last time this didn't come up,
what I figure is that these strings never actually get used by PoE but it is there in the binary which the program I wrote caught onto.

another edit:

also I hooked the function that decrypts the strings and the only strings decrypted after the game runs for about a few minutes is:
(hooked at PathOfExile.exe + 25EB83 which is the end of the decrypt function, offset valid as of 1.21.16)

Code:

ntdll.dll
wine_get_version
kernel32.dll
GetCurrentProcess
advapi32.dll
OpenProcessToken
advapi32.dll
LookupPrivilegeValueA
advapi32.dll
AdjustTokenPrivileges
kernel32.dll
CreateThread

so I don't think the anti cheat is even running in this patch/time

[jps42]

wine_get_version is most notably added (not anti cheat related? linux support? GGG wants to know how many players use wine? what does this mean?)

There is a wine wrapper to play POE on Mac. It's been around for a long time. Probably GGG wants to get an idea of how many ppl using it.
https://www.pathofexile.com/forum/view-thread/48708

[elyas10]

I spent yesterday looking into the wine_get_version, here is what it does:

Path of exile uses

Code:

GetProcAddress(encrypted_wine_get_version_string)

and if the computer running path of exile has an emulated ntdll, it WILL find the function pointer to wine_get_version and GetProcAddress returns a non-zero value (pointer to the function). If the computer is on windows it WON'T find the address and GetProcAddress returns 0!

There are two places in the code where the client uses

Code:

GetProcAddress(encrypted_wine_get_version_string)

(where it checks if you are on a non-windows machine):
1. Right before it starts the anti-cheat thread (PathOfExile.exe + 25E993)
2. Right before it gets the packet to arm the anti-cheat (PathOfExile.exe + 25EA00 <-- check inside the function call there for the GetProcAddress)

I had help from another member in the forums, and the way the anti-cheat thread works is as follows:
(very rough sudo code)

Code:

void StartAntiCheatThread()
{
	// shouldKillAntiCheat = 0
	while (!shouldKillAntiCheat)
	{
		if (antiCheatIsArmed)
		{
			RunAntiCheat1234();
		}
	}
}

so the anticheat doesn't run unless antiCheatIsArmed is non-zero, which is when the server sends a packet to the client to set antiCheatIsArmed = 1

But the underline problem here is that the anti cheat will fail to get accurate data on what processes your system is running if you are on Mac/Linux, because some Windows calls will fail / don't give relevant data if you are on a non-windows machine.

In this recent patch they added a check to see if your running wine, if you are, it doesn't even bother running the anti-cheat!
This means if the server sends you a packet to arm the anti cheat and you DON'T send anything back, they assume you are running on a non-windows machine and won't flag you. Otherwise every Mac/Linux user would be banned by GGG.

There are 1000 ways to bypass the anti-cheat (patching other areas of the anti cheat), I wrote a two patches (at the two locations mentioned earlier) that assumes you are running wine, if you patch it before the game reaches the main menu, the game won't even run the anti-cheat thread.

[NDKilla]

I've noticed several posts on the banning of linked accounts, all the way back from page 2 to this page.

I actually emailed GGG, and unless you are intentionally sharing between a hack account and the public (which can ruin the economy), they usually don't ban accounts that aren't used at the time of hacking.

Partial copy/paste of my email to support@ggg

I switched to PoEHUD after receiving the warning, not really caring if I got banned or not.
Honestly, hacks aside, PoEHUD has some other features that are really nice.
It was kind of a give and take.
I usually ran PoEHUD with maphack disabled, but I also disabled particles and enabled full bright. I found this really awesome, because I don't know why, BUT RAIN MAKES ME LAG.
Rain is BS on my computer apparently. I desync sometimes but never get frame drops except when it's raining.
Sadly disabling particles also, yknow, disabled other particles like devourer attacks.
Anyways. I'd love to see an option to disable rain in all zones, and some other advanced graphics options!
Anyways, back to the hacking.
Sorry about that, but I'm honestly really glad you guys are trying to crack down on it. I feel a little bad hacking actually. I'm not upset you guys banned that account and I'm actually happy you did.
I was trying not to **** up your guys economys on a great game. When I did roll zones (I did roll the library a few times for arcanist boxes, but only got 2. I'll be honest c:) I didn't sell or give away anything that I got. All the shit that I got is now locked away in my banned account, I didn't wanna screw you guys up.
Anyways, assuming my new accounts don't get banned for old crimes, I'm planning on playing the game, with no hacks, on another account.
I'm not upset I was banned. It actually really shows how dedicated you all are and I'll be glad to play in a hack-free Path of Exile.

GGG's only response on the matter:

Hi Justin,

Thanks for your feedback regarding this, and your honesty with what has occurred previously. There are some Quality of life changes that will be implemented in the future, but we can't confirm which ones until they have been officially announced and incorporated into the game. With regards to action being taken against your new account, so long as you stick to the terms of service, we will not take action against the account.

If you have any further queries, please don't hesitate to contact us.

Kind regards,
Gary

I've had 3-4 PoE accounts and 2 of them were hacked. I used hacks with both of those accounts. The other accounts ran on the exact same computer where the hacks were and never got banned or even warned for hacking.

This is cool :p On Heroes & Generals I had 3 accounts permanently banned b/c of a HWID ban when I never even hacked it -.-