[Warning] Anti-cheat implemented, stop using any hack/bot (Proof inside)

  1. #346 pootisbb
    Originally Posted by Maper:
    Let's be real though, if the mule account only transacts with the main account, or has a steady stream of loot coming from the main account with little going back to the main account, it's still really easy to connect them.
    You're absolutely correct, especially if you goldfarm. What I suggested will save him from a chainban if he doesn't interact with his main and just wants to try out hacks for racing/a new league, though.

  2. #347 lolp1
    Originally Posted by Maper:
    And if they just run the request over and over again? The game would be unplayable.
    You could get a legitimate result and then pass that result back.

  3. #348 pootisbb
    Originally Posted by lolp1:
    You could get a legitimate result and then pass that result back.
    Yes, but in the original post he was responding to I stated that I did not want to modify the function, as there could be a hidden check that a less experienced programmer like me could miss. The safest thing to do in my case upon activation of the anticheat would be to simply terminate PoE upon the function being called and wait until GGG has deactivated the anticheat (or simply play without hacks for the time being).

  4. #349 elyas10
    Originally Posted by SeUbZer0:
    7-11-2015

    Decrypted strings from 2.0.0c
    0xa26c18 => ntdll.dll
    0xa26c24 => kernel32.dll
    0xa26c34 => user32.dll
    0xa26c44 => advapi32.dll
    0xa26c54 => LdrGetDllHandle
    0xa26c68 => LdrGetProcedureAddress
    0xa26c84 => LdrQueryProcessModuleInformation
    0xa26ca8 => NtAllocateVirtualMemory
    0xa26cc4 => NtCreateFile
    0xa26cd4 => NtDuplicateObject
    0xa26ce8 => NtFreeVirtualMemory
    0xa26d00 => NtGetTickCount
    0xa26d14 => NtQueryInformationFile
    0xa26d30 => NtQueryInformationProcess
    0xa26d4c => NtQueryObject
    0xa26d5c => NtQueryPerformanceCounter
    0xa26d78 => NtQuerySystemInformation
    0xa26d94 => NtQueryVirtualMemory
    0xa26dac => NtReadFile
    0xa26dbc => NtSetInformationThread
    0xa26dd8 => AdjustTokenPrivileges
    0xa26df0 => CloseHandle
    0xa26e00 => ContinueDebugEvent
    0xa26e18 => CreateThread
    0xa26e28 => CreateToolhelp32Snapshot
    0xa26e44 => DebugActiveProcess
    0xa26e5c => GetCurrentProcess
    0xa26e70 => GetCurrentProcessId
    0xa26e88 => GetCurrentThread
    0xa26e9c => GetProcessId
    0xa26eac => GetNativeSystemInfo
    0xa26ec4 => LookupPrivilegeValueA
    0xa26edc => Module32First
    0xa26eec => Module32Next
    0xa26efc => OpenProcessToken
    0xa26f10 => WaitForDebugEvent
    (rebased at 0xC0000)
    This is outdated; half of these functions are no longer used. Either that, or I can't find them, but I did extensive research.

    I decrypted the new strings and reversed the entire anti-cheat. Module32First, Module32Next, and NtQueryInformationProcess are still among the encrypted strings, and those are big red flags for detecting injected DLLs.

    IsDebuggerPresent doesn't have a GetProcAddress with an encrypted string but also is a problem.

    Someone made a suggestion about closing PoE if the anticheat got run. I think that is a great approach, but the game could close over and over if the anti-cheat gets run often.

    I checked whether the very suspicious functions ever get run and I found that they don't at the moment. However, there is a wrapper function that CAN call the anticheat but doesn't; the wrapper function gets called right before you see the main menu and might be run at another time, but who knows. So far I hooked the wrapper function and injected a DLL AFTER the main menu. I will see when the wrapper function gets called and go from there.

    Code:
    Detecting AntiCheat:
    	- the decryption function is the same as the encryption function and vice versa
    		- involution
    
    	(Assuming base is 0x0)
    	Fishy GetProcAddress:
    		25DE8F
    			NtGetTickCount
    
    		25E7E3
    			NtQueryInformationProcess
    		25E874
    			NtCreateFile
    		25E8FB
    			CloseHandle
    		25E95F
    			NtQueryInformationFile
    		25E9CE
    			CloseHandle
    		25EA4E
    			NtReadFile
    
    		25ED8C
    			Module32Next
    		25F097
    			NtQueryVirtualMemory
    		25F25C
    			CloseHandle
    
    		25F3E2
    			NtQuerySystemInformation
    		25F4DA
    			GetCurrentProcess
    		25F538
    			NtDuplicateObject
    		25F7DE - GetProcAddressWrapper
    			-Wrapper for GetProcAddress
    			-Encrypts or decrypts it seems
    
    		74C99F
    			- Hard to decrypt
    			- Seems to be twitch_sdk / openal related
    			 v12 = (char *)&word_2 +
    			 		*(_DWORD *)&v7[(Arguments -
    			 		(_DWORD)v6) & 0xFFFFFFFC];
    Now there is also a wrapper for GetProcAddress; I had to check every single call made to it, and here are the results:

    Code:
    -25F7DE is the wrapper for getprocaddress, here are interesting addresses that call on it:
    	258D91
    		-CreateThread
    	25DFE9
    		-GetCurrentProcess
    	25DFFE
    		-NtAllocateVirtualMemory
    	25E2D0
    		-GetCurrentProcess
    	25E2E5
    		-NtAllocateVirtualMemory
    	25E30B
    		-GetCurrentProcess
    	25E320
    		-NtAllocateVirtualMemory
    	25E334
    		-NtGetTickCount
    	25E410
    		-NtFreeVirtualMemory
    	25E425
    		-NtAllocateVirtualMemory
    	25E445
    		-NtFreeVirtualMemory
    	25E45A
    		-NtAllocateVirtualMemory
    	25E4B7
    		-GetCurrentProcess
    	25E4CC
    		-NtAllocateVirtualMemory
    	25E566
    		-GetCurrentProcess
    	25E57B
    		-NtAllocateVirtualMemory
    	25E655
    		-GetCurrentProcess
    	25E57B
    		-NtAllocateVirtualMemory
    	25E6F5
    		-GetCurrentProcess
    	25E70A
    		-NtAllocateVirtualMemory
    
    	25EAB9
    		-CloseHandle
    	25EACF
    		-CloseHandle
    	25EB89
    		-CloseHandle
    	25EB9B
    		-CloseHandle
    	25EBFD
    		-CloseHandle
    	25EC19
    		-CloseHandle
    
    	25EC76
    		-CreateToolhelp32Snapshot
    	25ECC7
    		-Module32First
    	25EDEC
    		-CloseHandle
    
    	25F023
    		-GetCurrentProcess
    	25F03A
    		-GetCurrentProcessId
    
    	-Used for authentication
    	25F2F5
    		-GetCurrentProcess
    	25F30A
    		-OpenProcessToken
    	25F32A
    		-LookupPrivilegeValueA
    	25F37B
    		-AdjustTokenPrivileges
    
    	-For playing media?
    	25F5A9
    		-CloseHandle
    	25F5E6
    		-NtQueryObject
    	25F60D
    		-CloseHandle
    	25F662
    		-GetCurrentProcessId
    	25F67D
    		-GetProcessId
    	25F68F
    		-GetProcessId
    	25F6D9
    		-CloseHandle
    	25F6E9
    		-CloseHandle
    	25F72A
    		-CloseHandle
    	25F745
    		-CloseHandle
    	25F768
    		-CloseHandle
    
    	-To generate random numbers?
    	25F82C
    		-NtGetTickCount
    Wrapper function for the anticheat is:
    25DE30

    and isDebuggerPresent:
    74D909

    NOTE: I haven't reversed the parameters for GetProcAddress at 74C99F yet, so who knows what that is! It could be numerous other red-flag functions based on the parameters it gets; I also have to look into this. So far all I see before the call to the function that calls on this address is twitchsdk- and openal-related, but it is never too safe to assume this.

    Also, these should be ALL the fishy anti-cheat that Path of Exile has; if this can be exploited with a bypass we should be good.
    Last edited by elyas10; 01-10-2016 at 08:50 PM.

  6. #350 enaf3n
    Originally Posted by elyas10:
    Code:
    	-To generate random numbers?
    	25F82C
    		-NtGetTickCount
    The primary purpose for NtGetTickCount is to monitor the anti-cheat's execution time, presumably for detours or breakpoints, in what's called a "timing attack."
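An added example of the timing check enaf3n describes (not the game's or any poster's code): a routine's run time is measured between two reads of a monotonic tick source, and a detour or breakpoint in front of it shows up as a large jump over the calibrated baseline. `integrity_routine`, `hooked_routine` and the 5 ms floor are constructed for the demo; `perf_counter_ns` stands in for NtGetTickCount.

```python
import statistics
import time
from typing import Callable

def integrity_routine() -> int:
    """Constructed stand-in for the code whose run time is being watched."""
    acc = 0
    for i in range(2000):
        acc = (acc * 31 + i) & 0xFFFFFFFF
    return acc

def hooked_routine() -> int:
    """Models a detour or breakpoint handler inserted in front of the
    routine: the extra 20 ms is orders of magnitude above normal jitter."""
    time.sleep(0.02)
    return integrity_routine()

def calibrate_ns(routine: Callable[[], int], runs: int = 15) -> int:
    """Median run time of `routine` using a monotonic tick source
    (perf_counter_ns here plays the role of NtGetTickCount)."""
    samples = []
    for _ in range(runs):
        t0 = time.perf_counter_ns()
        routine()
        samples.append(time.perf_counter_ns() - t0)
    return int(statistics.median(samples))

def timing_check(routine: Callable[[], int], baseline_ns: int,
                 factor: int = 5, floor_ns: int = 5_000_000) -> bool:
    """True if one run of `routine` takes suspiciously long.

    The limit is `factor` times the calibrated baseline, with an absolute
    floor so scheduler jitter on a very fast routine does not trip it.
    """
    t0 = time.perf_counter_ns()
    routine()
    elapsed_ns = time.perf_counter_ns() - t0
    return elapsed_ns > max(factor * baseline_ns, floor_ns)

if __name__ == "__main__":
    base = calibrate_ns(integrity_routine)
    print("clean  :", timing_check(integrity_routine, base))  # False
    print("hooked :", timing_check(hooked_routine, base))     # True
```

The floor matters in practice: an absolute threshold alone is machine-dependent, and a purely relative one flags ordinary jitter on a sub-millisecond routine.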

  7. #351 datz
    ahhhhhhhhhhhhhhhhh

  8. #352 elyas10
    There was an update, and I checked the anticheat, it got changed!

    Here are the decrypted strings:

    Code:
    ntdll.dll
    kernel32.dll
    user32.dll
    advapi32.dll
    LdrGetDllHandle
    LdrGetProcedureAddress
    LdrQueryProcessModuleInformation
    NtAllocateVirtualMemory
    NtCreateFile
    NtDuplicateObject
    NtFreeVirtualMemory
    NtGetTickCount
    NtQueryInformationFile
    NtQueryInformationProcess
    NtQueryObject
    NtQueryPerformanceCounter
    NtQuerySystemInformation
    NtQueryVirtualMemory
    NtReadFile
    NtSetInformationThread
    AdjustTokenPrivileges
    CloseHandle
    ContinueDebugEvent
    CreateThread
    CreateToolhelp32Snapshot
    DebugActiveProcess
    GetCurrentProcess
    GetCurrentProcessId
    GetCurrentThread
    GetProcessId
    GetNativeSystemInfo
    LookupPrivilegeValueA
    Module32First
    Module32Next
    OpenProcessToken
    WaitForDebugEvent
    wine_get_version
    wine_get_version is most notably added (not anti-cheat related? Linux support? GGG wants to know how many players use Wine? What does this mean?)

    Also, the addresses where these get called changed as well, but I am too lazy to update the addresses since for the most part everything seems the same.

    The entry function of the anti cheat can be found by searching this array of bytes:

    Code:
    FF D7 8A 55 00 8D 75 01 BF 0F 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F B6 45 09 83 C0 EF 83 F8 33
    The question marks mean those bytes can be anything (apply a mask)
    Last edited by elyas10; 01-21-2016 at 03:10 AM.
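The masked byte-pattern search the post refers to ("the question marks mean those bytes can be anything"), as an added example that is not elyas10's code or the game's: it parses the `FF D7 ?? 8D` notation into a literal needle plus a mask, then scans a buffer both with a plain masked compare and with an equivalent bytes regex. This is the same mechanism detection engines use for masked signatures. The pattern and buffer below are constructed for the demo, not the signature from the post.

```python
import re
from typing import List, Tuple

def parse_pattern(pattern: str) -> Tuple[bytes, bytes]:
    """Turn "FF D7 ?? 8D" into (needle, mask).

    needle holds the literal value at each position (0 under a wildcard);
    mask holds 0xFF where the byte must match and 0x00 for "??" tokens.
    "Apply a mask" means wildcard positions are masked out of the compare.
    """
    needle, mask = bytearray(), bytearray()
    for tok in pattern.split():
        if tok in ("??", "?"):
            needle.append(0x00)
            mask.append(0x00)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            needle.append(int(tok, 16))
            mask.append(0xFF)
        else:
            raise ValueError(f"bad pattern token {tok!r}")
    if not needle:
        raise ValueError("empty pattern")
    return bytes(needle), bytes(mask)

def find_pattern(buf: bytes, pattern: str) -> List[int]:
    """Every offset where buf matches the masked pattern (plain scan)."""
    needle, mask = parse_pattern(pattern)
    n = len(needle)
    return [
        off for off in range(len(buf) - n + 1)
        if all((b & m) == (v & m)
               for b, v, m in zip(buf[off:off + n], needle, mask))
    ]

def find_pattern_regex(buf: bytes, pattern: str) -> List[int]:
    """Same search compiled to a bytes regex; wildcards become '.'.

    The lookahead keeps overlapping hits so results equal find_pattern.
    """
    needle, mask = parse_pattern(pattern)
    body = b"".join(re.escape(bytes([v])) if m else b"."
                    for v, m in zip(needle, mask))
    rx = re.compile(b"(?=" + body + b")", re.DOTALL)
    return [m.start() for m in rx.finditer(buf)]

# Constructed demo data: made up for this example, not the post's signature.
DEMO_PATTERN = "FF D7 8A 55 ?? ?? 8D 75 01"
DEMO_BUFFER = bytes.fromhex(
    "90 90 FF D7 8A 55 00 01 8D 75 01"   # match at offset 2 (wildcards 00 01)
    "C3 FF D7 8A 55 AA BB 8D 75 02"      # near miss: trailing 02, not 01
    "FF D7 8A 55 FE FF 8D 75 01 CC"      # match at offset 21 (wildcards FE FF)
)

if __name__ == "__main__":
    print(find_pattern(DEMO_BUFFER, DEMO_PATTERN))        # [2, 21]
    print(find_pattern_regex(DEMO_BUFFER, DEMO_PATTERN))  # [2, 21]
```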

  9. #353 alexandrubenza
    Originally Posted by elyas10:
    There was an update, and I checked the anticheat, it got changed!

    The question marks mean those bytes can be anything (apply a mask)
    Lazy Google search, and it seems like Wine is a Windows emulator? Perhaps trying to detect multibot VM farming?

    Also, do these changes mean the HUD's not safe?

  10. #354 elyas10
    Originally Posted by alexandrubenza:
    Lazy Google search, and it seems like Wine is a Windows emulator? Perhaps trying to detect multibot VM farming?

    Also, do these changes mean the HUD's not safe?
    I honestly don't know 100%.

    My opinion/speculation is that they didn't really change anything from last patch in terms of detection.

    edit:

    ok ok I also noticed

    LdrGetDllHandle
    LdrGetProcedureAddress

    but when I decrypted last time these didn't come up.
    What I figure is that these strings never actually get used by PoE, but they are there in the binary, which the program I wrote caught onto.

    another edit:

    Also, I hooked the function that decrypts the strings, and the only strings decrypted after the game runs for a few minutes are:
    (hooked at PathOfExile.exe + 25EB83, which is the end of the decrypt function; offset valid as of 1.21.16)
    Code:
    ntdll.dll
    wine_get_version
    kernel32.dll
    GetCurrentProcess
    advapi32.dll
    OpenProcessToken
    advapi32.dll
    LookupPrivilegeValueA
    advapi32.dll
    AdjustTokenPrivileges
    kernel32.dll
    CreateThread
    So I don't think the anti-cheat is even running in this patch/time.
    Last edited by elyas10; 01-21-2016 at 03:34 AM.

  11. #355 jps42
    Originally Posted by elyas10:

    wine_get_version is most notably added (not anti cheat related? linux support? GGG wants to know how many players use wine? what does this mean?)
    There is a Wine wrapper to play PoE on Mac. It's been around for a long time. Probably GGG wants to get an idea of how many people are using it.
    https://www.pathofexile.com/forum/view-thread/48708

  12. #356 elyas10
    I spent yesterday looking into the wine_get_version, here is what it does:

    Path of Exile uses
    Code:
    GetProcAddress(encrypted_wine_get_version_string)
    and if the computer running Path of Exile has an emulated ntdll, it WILL find the function pointer to wine_get_version and GetProcAddress returns a non-zero value (pointer to the function). If the computer is on Windows it WON'T find the address and GetProcAddress returns 0!

    There are two places in the code where the client uses
    Code:
    GetProcAddress(encrypted_wine_get_version_string)
    (where it checks if you are on a non-windows machine):
    1. Right before it starts the anti-cheat thread (PathOfExile.exe + 25E993)
    2. Right before it gets the packet to arm the anti-cheat (PathOfExile.exe + 25EA00 <-- check inside the function call there for the GetProcAddress)

    I had help from another member in the forums, and the way the anti-cheat thread works is as follows:
    (very rough pseudocode)
    Code:
    void StartAntiCheatThread()
    {
    	// shouldKillAntiCheat = 0
    	while (!shouldKillAntiCheat)
    	{
    		// antiCheatIsArmed becomes non-zero when the server's arming packet arrives
    		if (antiCheatIsArmed)
    		{
    			RunAntiCheat1234();
    		}
    	}
    }
    So the anticheat doesn't run unless antiCheatIsArmed is non-zero, which is when the server sends a packet to the client to set antiCheatIsArmed = 1.

    But the underlying problem here is that the anti-cheat will fail to get accurate data on what processes your system is running if you are on Mac/Linux, because some Windows calls will fail / don't give relevant data if you are on a non-Windows machine.

    In this recent patch they added a check to see if you're running Wine; if you are, it doesn't even bother running the anti-cheat!
    This means if the server sends you a packet to arm the anti-cheat and you DON'T send anything back, they assume you are running on a non-Windows machine and won't flag you. Otherwise every Mac/Linux user would be banned by GGG.

    There are 1000 ways to bypass the anti-cheat (patching other areas of the anti-cheat). I wrote two patches (at the two locations mentioned earlier) that assume you are running Wine; if you patch it before the game reaches the main menu, the game won't even run the anti-cheat thread.

  14. #357 NDKilla
    I've noticed several posts on the banning of linked accounts, all the way back from page 2 to this page.

    I actually emailed GGG, and unless you are intentionally sharing between a hack account and the public (which can ruin the economy), they usually don't ban accounts that aren't used at the time of hacking.

    Partial copy/paste of my email to support@ggg
    I switched to PoEHUD after receiving the warning, not really caring if I got banned or not.
    Honestly, hacks aside, PoEHUD has some other features that are really nice.
    It was kind of a give and take.
    I usually ran PoEHUD with maphack disabled, but I also disabled particles and enabled full bright. I found this really awesome, because I don't know why, BUT RAIN MAKES ME LAG.
    Rain is BS on my computer apparently. I desync sometimes but never get frame drops except when it's raining.
    Sadly disabling particles also, yknow, disabled other particles like devourer attacks.
    Anyways. I'd love to see an option to disable rain in all zones, and some other advanced graphics options!
    Anyways, back to the hacking.
    Sorry about that, but I'm honestly really glad you guys are trying to crack down on it. I feel a little bad hacking actually. I'm not upset you guys banned that account and I'm actually happy you did.
    I was trying not to **** up your guys' economy on a great game. When I did roll zones (I did roll the library a few times for arcanist boxes, but only got 2. I'll be honest c:) I didn't sell or give away anything that I got. All the shit that I got is now locked away in my banned account, I didn't wanna screw you guys up.
    Anyways, assuming my new accounts don't get banned for old crimes, I'm planning on playing the game, with no hacks, on another account.
    I'm not upset I was banned. It actually really shows how dedicated you all are and I'll be glad to play in a hack-free Path of Exile.
    GGG's only response on the matter:
    Hi Justin,

    Thanks for your feedback regarding this, and your honesty with what has occurred previously. There are some Quality of life changes that will be implemented in the future, but we can't confirm which ones until they have been officially announced and incorporated into the game. With regards to action being taken against your new account, so long as you stick to the terms of service, we will not take action against the account.

    If you have any further queries, please don't hesitate to contact us.

    Kind regards,
    Gary
    I've had 3-4 PoE accounts and 2 of them were hacked. I used hacks with both of those accounts. The other accounts ran on the exact same computer where the hacks were and never got banned or even warned for hacking.

    This is cool :p On Heroes & Generals I had 3 accounts permanently banned b/c of a HWID ban when I never even hacked it -.-
