Yes, but in the original post he was responding to I stated that I did not want to modify the function, as there could be a hidden check that a less experienced programmer like me could miss. The safest thing to do in my case upon activation of the anticheat would be to simply terminate PoE upon the function being called and wait until GGG has deactivated the anticheat (or simply play without hacks for the time being).
This is outdated, half of these functions are no longer used. Either that or I can't find them but I did extensive research.
I decrypted the new strings and reversed the entire anti cheat, module32first, module32next, and NtQueryInformationProcess are still among the encrypted strings and those are big red flags for detecting injected dlls.
IsDebuggerPresent doesn't have a GetProcAddress with an encrypted string but also is a problem.
Someone made a suggestion about closing PoE if the anticheat got run, I think that is a great approach, but the game could close over and over if the anti cheat gets run often.
I checked whether the very suspicious functions ever get run and I found that they don't at the moment. However there is a wrapper function that CAN call the anticheat, but doesn't, the wrapper function gets called right before you see the main menu and might be run at another time but who knows. So far I hooked the wrapper function and injected a dll AFTER the main menu, I will see when the wrapper function gets called and go from there.
Code:
Detecting AntiCheat:
- the decryption function is the same as the encryption function and vice versa - involution (Assuming base is 0x0)
Fishy GetProcAddress:
25DE8F NtGetTickCount
25E7E3 NtQueryInformationProcess
25E874 NtCreateFile
25E8FB CloseHandle
25E95F NtQueryInformationFile
25E9CE CloseHandle
25EA4E NtReadFile
25ED8C Module32Next
25F097 NtQueryVirtualMemory
25F25C CloseHandle
25F3E2 NtQuerySystemInformation
25F4DA GetCurrentProcess
25F538 NtDuplicateObject
25F7DE - GetProcAddressWrapper -Wrapper for GetProcAddress -Encrypts or decrypts it seems
74C99F - Hard to decrypt - Seems to be twitch_sdk / openal related
v12 = (char *)&word_2 + *(_DWORD *)&v7[(Arguments - (_DWORD)v6) & 0xFFFFFFFC];
Now there is also a wrapper for GetProcAddress, I had to check every single call made to it and here are the results:
Code:
-25F7DE is the wrapper for getprocaddress, here are interesting addresses that call on it:
258D91 -CreateThread
25DFE9 -GetCurrentProcess
25DFFE -NtAllocateVirtualMemory
25E2D0 -GetCurrentProcess
25E2E5 -NtAllocateVirtualMemory
25E30B -GetCurrentProcess
25E320 -NtAllocateVirtualMemory
25E334 -NtGetTickCount
25E410 -NtFreeVirtualMemory
25E425 -NtAllocateVirtualMemory
25E445 -NtFreeVirtualMemory
25E45A -NtAllocateVirtualMemory
25E4B7 -GetCurrentProcess
25E4CC -NtAllocateVirtualMemory
25E566 -GetCurrentProcess
25E57B -NtAllocateVirtualMemory
25E655 -GetCurrentProcess
25E57B -NtAllocateVirtualMemory
25E6F5 -GetCurrentProcess
25E70A -NtAllocateVirtualMemory
25EAB9 -CloseHandle
25EACF -CloseHandle
25EB89 -CloseHandle
25EB9B -CloseHandle
25EBFD -CloseHandle
25EC19 -CloseHandle
25EC76 -CreateToolhelp32Snapshot
25ECC7 -Module32First
25EDEC -CloseHandle
25F023 -GetCurrentProcess
25F03A -GetCurrentProcessId
-Used for authentication
25F2F5 -GetCurrentProcess
25F30A -OpenProcessToken
25F32A -LookupPrivilegeValueA
25F37B -AdjustTokenPrivileges
-For playing media?
25F5A9 -CloseHandle
25F5E6 -NtQueryObject
25F60D -CloseHandle
25F662 -GetCurrentProcessId
25F67D -GetProcessId
25F68F -GetProcessId
25F6D9 -CloseHandle
25F6E9 -CloseHandle
25F72A -CloseHandle
25F745 -CloseHandle
25F768 -CloseHandle
-To generate random numbers?
25F82C -NtGetTickCount
Wrapper function for the anticheat is:
25DE30
and isDebuggerPresent:
74D909
NOTE: I haven't reversed the parameters for GetProcAddress at 74C99F yet so who knows what that is! It could be numerous other red flag functions based on the parameters it gets, I also have to look into this. So far all I see before the call to the function that calls on this address is twitchsdk and openal related, but it is never too safe to assume this.
Also these should be ALL the fishy anti cheat that path of exile has, if this can be exploited with a bypass we should be good.
Last edited by elyas10; 01-10-2016 at 08:50 PM.
ahhhhhhhhhhhhhhhhh
There was an update, and I checked the anticheat, it got changed!
Here are the decrypted strings:
Code:
ntdll.dll
kernel32.dll
user32.dll
advapi32.dll
LdrGetDllHandle
LdrGetProcedureAddress
LdrQueryProcessModuleInformation
NtAllocateVirtualMemory
NtCreateFile
NtDuplicateObject
NtFreeVirtualMemory
NtGetTickCount
NtQueryInformationFile
NtQueryInformationProcess
NtQueryObject
NtQueryPerformanceCounter
NtQuerySystemInformation
NtQueryVirtualMemory
NtReadFile
NtSetInformationThread
AdjustTokenPrivileges
CloseHandle
ContinueDebugEvent
CreateThread
CreateToolhelp32Snapshot
DebugActiveProcess
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetProcessId
GetNativeSystemInfo
LookupPrivilegeValueA
Module32First
Module32Next
OpenProcessToken
WaitForDebugEvent
wine_get_version
wine_get_version is most notably added (not anti cheat related? linux support? GGG wants to know how many players use wine? what does this mean?)
also the addresses where these get called changed as well but I am too lazy to update the addresses since for the most part everything seems the same
The entry function of the anti cheat can be found by searching this array of bytes:
Code:
FF D7 8A 55 00 8D 75 01 BF 0F 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F B6 45 09 83 C0 EF 83 F8 33
The question marks mean those bytes can be anything (apply a mask).
Last edited by elyas10; 01-21-2016 at 03:10 AM.
I honestly don't know 100%.
My opinion/speculation is that they didn't really change anything from last patch in terms of detection
edit:
ok ok I also noticed
LdrGetDllHandle
LdrGetProcedureAddress
but when I decrypted last time this didn't come up,
what I figure is that these strings never actually get used by PoE but it is there in the binary which the program I wrote caught onto.
another edit:
also I hooked the function that decrypts the strings and the only strings decrypted after the game runs for a few minutes are:
(hooked at PathOfExile.exe + 25EB83 which is the end of the decrypt function, offset valid as of 1.21.16)
Code:
ntdll.dll wine_get_version
kernel32.dll GetCurrentProcess
advapi32.dll OpenProcessToken
advapi32.dll LookupPrivilegeValueA
advapi32.dll AdjustTokenPrivileges
kernel32.dll CreateThread
so I don't think the anti cheat is even running in this patch/time
Last edited by elyas10; 01-21-2016 at 03:34 AM.
There is a wine wrapper to play POE on Mac. It's been around for a long time. Probably GGG wants to get an idea of how many ppl using it.
https://www.pathofexile.com/forum/view-thread/48708
I spent yesterday looking into the wine_get_version, here is what it does:
Path of exile uses
Code:
GetProcAddress(encrypted_wine_get_version_string)
and if the computer running path of exile has an emulated ntdll, it WILL find the function pointer to wine_get_version and GetProcAddress returns a non-zero value (pointer to the function). If the computer is on windows it WON'T find the address and GetProcAddress returns 0!
There are two places in the code where the client uses
Code:
GetProcAddress(encrypted_wine_get_version_string)
(where it checks if you are on a non-windows machine):
1. Right before it starts the anti-cheat thread (PathOfExile.exe + 25E993)
2. Right before it gets the packet to arm the anti-cheat (PathOfExile.exe + 25EA00 <-- check inside the function call there for the GetProcAddress)
I had help from another member in the forums, and the way the anti-cheat thread works is as follows:
(very rough pseudo code)
Code:
void StartAntiCheatThread()
{
    // shouldKillAntiCheat = 0
    while (!shouldKillAntiCheat)
    {
        if (antiCheatIsArmed)
        {
            RunAntiCheat1234();
        }
    }
}
so the anticheat doesn't run unless antiCheatIsArmed is non-zero, which is when the server sends a packet to the client to set antiCheatIsArmed = 1
But the underlying problem here is that the anti cheat will fail to get accurate data on what processes your system is running if you are on Mac/Linux, because some Windows calls will fail / don't give relevant data if you are on a non-windows machine.
In this recent patch they added a check to see if you're running wine, if you are, it doesn't even bother running the anti-cheat!
This means if the server sends you a packet to arm the anti cheat and you DON'T send anything back, they assume you are running on a non-windows machine and won't flag you. Otherwise every Mac/Linux user would be banned by GGG.
There are 1000 ways to bypass the anti-cheat (patching other areas of the anti cheat), I wrote two patches (at the two locations mentioned earlier) that assume you are running wine, if you patch it before the game reaches the main menu, the game won't even run the anti-cheat thread.
I've noticed several posts on the banning of linked accounts, all the way back from page 2 to this page.
I actually emailed GGG, and unless you are intentionally sharing between a hack account and the public (which can ruin the economy), they usually don't ban accounts that aren't used at the time of hacking.
Partial copy/paste of my email to support@ggg:
I switched to PoEHUD after receiving the warning, not really caring if I got banned or not.
Honestly, hacks aside, PoEHUD has some other features that are really nice.
It was kind of a give and take.
I usually ran PoEHUD with maphack disabled, but I also disabled particles and enabled full bright. I found this really awesome, because I don't know why, BUT RAIN MAKES ME LAG.
Rain is BS on my computer apparently. I desync sometimes but never get frame drops except when it's raining.
Sadly disabling particles also, yknow, disabled other particles like devourer attacks.
Anyways. I'd love to see an option to disable rain in all zones, and some other advanced graphics options!
Anyways, back to the hacking.
Sorry about that, but I'm honestly really glad you guys are trying to crack down on it. I feel a little bad hacking actually. I'm not upset you guys banned that account and I'm actually happy you did.
I was trying not to **** up your guys economies on a great game. When I did roll zones (I did roll the library a few times for arcanist boxes, but only got 2. I'll be honest c:) I didn't sell or give away anything that I got. All the shit that I got is now locked away in my banned account, I didn't wanna screw you guys up.
Anyways, assuming my new accounts don't get banned for old crimes, I'm planning on playing the game, with no hacks, on another account.
I'm not upset I was banned. It actually really shows how dedicated you all are and I'll be glad to play in a hack-free Path of Exile.
I've had 3-4 PoE accounts and 2 of them were hacked. I used hacks with both of those accounts. The other accounts ran on the exact same computer where the hacks were and never got banned or even warned for hacking.
GGG's only response on the matter:
Hi Justin,
Thanks for your feedback regarding this, and your honesty with what has occurred previously. There are some Quality of life changes that will be implemented in the future, but we can't confirm which ones until they have been officially announced and incorporated into the game. With regards to action being taken against your new account, so long as you stick to the terms of service, we will not take action against the account.
If you have any further queries, please don't hesitate to contact us.
Kind regards,
Gary
This is cool :p On Heroes & Generals I had 3 accounts permanently banned b/c of a HWID ban when I never even hacked it -.-