[Warning] Anti-cheat implemented, stop using any hack/bot (Proof inside)

  1. #1
    Ouariasse (Active Member)

    Offsets for patch 1.3.0j:
    Code:
    check7                           .text 009C60B0 0000003D R . . . . T .
    LaunchAndCommunicateWithACThread .text 009C60F0 00000084 R . . . . T .
    CheckForDebuggerThread           .text 009C6180 0000009D R . . . . . .
    CheckForCheatThread              .text 009C6250 000000DD R . . . . T .
    LoadAC                           .text 009C63C0 00000052 R . . . . . .
    LoadCryptedModulename            .text 009C6420 00000078 R . . . . . .
    loadModules                      .text 009C64A0 00000263 R . . . . . .
    SomeHashFunction                 .text 009C6710 00000022 R . . . . T .
    GetFlags                         .text 009C6740 00000034 R . . . . . .
    CheckThreadEvent                 .text 009C6780 00000079 R . . . . . .
    CheckExceptionEvent              .text 009C6800 00000061 R . . . . . .
    getDecryptedModuleName           .text 009C6870 0000004D R . . . . T .
    GetPoeHandle                     .text 009C68C0 0000005E R . . . . . .
    GetSuspiciousProcessHandle       .text 009C6920 00000093 R . . . . . .
    randomBetween1And15              .text 009C69C0 0000004A R . . . . . .
    decrypt                          .text 009C6A10 00000061 R . . . . . .
    GetFlagForAction                 .text 009C6A80 000001A1 R . . . . T .
    check1                           .text 009C6C30 00000082 R . . . . T .
    check2                           .text 009C6CC0 0000004D R . . . . . .
    check3                           .text 009C6D10 0000004D R . . . . . .
    check4                           .text 009C6D60 00000052 R . . . . . .
    check5                           .text 009C6DC0 0000004C R . . . . . .
    check6                           .text 009C6E10 00000050 R . . . . . .
    CheckModule                      .text 009C6E60 000000CD R . . . . . .
    CheckForExeFileName              .text 009C6F30 000000B3 R . . . . . .
    PatternScanner                   .text 009C6FF0 000000A9 R . . . B . .
    CheckForModifiedMemory           .text 009C70A0 00000065 R . . . . . .
    CheckExternalApplicationMemory   .text 009C7110 000000DD R . . . . . .
    CheckForWindowText               .text 009C71F0 000000C3 R . . . . . .
    CheckForForeignArea              .text 009C72C0 000000AB R . . . . . .
    Reversed source of the anticheat:

    http://www.privatepaste.com/aeb4877e02 +
    Code:
    signed __int32 __cdecl SomeFunc1(void *a1, int a2)
    {
      signed __int32 result; // eax@1

      dword_C8EE08 = a1;
      dword_C8EE04 = a2;
      result = _InterlockedExchange(&a1, a1);
      dword_C905F4 = 1;
      return result;
    }
    The anticheat is real.
    Last edited by Ouariasse; 01-16-2015 at 02:01 AM.

  2. #2
    maper (Elite User)
    Interesting find so far.

  3. #3
    Sklug (★ Elder ★)
    Interesting. This is a maybe... will need to be confirmed. Good idea to halt until confirmed though

  4. #4
    Ouariasse (Active Member)
    Update: It's getting a list of active processes, window names, and whether there is an attached debugger as well. Those libs are loaded dynamically.
    Everything is detected. ExileBuddy (albeit the process won't ever be on if poe is off so props to the dev for preventing its users being flagged), Exiled Bot, AHK stuff, everything.

  5. #5
    FrankTheCrazy (Member)
    So you are saying I should rename Notepad.exe to be ExileBuddy.exe and see if I get banned? deal

    EDIT: for those wondering what those functions do:
    http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx
    http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx

    EDIT 2: Process enumeration would be quicker, right? Why use the above API commands instead?

    lasteditiswear: revision i has 751 imports and 54010 functions, an older version that I had sitting around has 749 imports with 53942 functions. GetModuleHandle is in both. GetMappedFileName is NOT in the older one but IS in the newer one. I am too lazy to hunt down what the other new imported function is or even what the 70 new functions are.
    Last edited by FrankTheCrazy; 01-13-2015 at 12:56 AM. Reason: added

  6. #6
    Valderic (Member)
    Long time lurker, first time poster.

    GetMappedFileName(), while clearly referenced in the executable, does not appear to be called at this time. They are definitely reading memory in the game, but it's unclear what some of the other code is for or if it is even used. Perhaps this is only the first round in a series of updates?

  7. #7
    Ouariasse (Active Member)
    Originally Posted by Valderic
    Long time lurker, first time poster.

    GetMappedFileName(), while clearly referenced in the executable, does not appear to be called at this time. They are definitely reading memory in the game, but it's unclear what some of the other code is for or if it is even used. Perhaps this is only the first round in a series of updates?
    dword_C8FF38(0, 0, sub_9C6140, 0, 0, 0) is a CreateRemoteThread on sub_9C6140, which is an AttachDebugProcess + WaitForDebugEvent loop with a few switch cases; if you debug the application you will never be able to see what it really does.

  8. #8
    Valderic (Member)
    Originally Posted by Ouariasse
    dword_C8FF38(0, 0, sub_9C6140, 0, 0, 0) is a CreateRemoteThread on sub_9C6140, which is an AttachDebugProcess + WaitForDebugEvent loop with a few switch cases; if you debug the application you will never be able to see what it really does.
    You can start the executable through the debugger, thereby preventing the anti-cheat from registering itself as the debugger and allowing you to inspect things and set breakpoints. Of course, this can easily be detected by virtue of the fact that the anti-cheat will no longer be able to receive debug events or register itself, so the account will likely be flagged.

  10. #9
    @Home (Private)
    Hold the thread, patch the function itself, always pass the flag.
    Doesn't look difficult to bypass.

  11. #10
    Ouariasse (Active Member)
    Originally Posted by @Home
    Hold the thread, patch the function itself, always pass the flag.
    Doesn't look difficult to bypass.
    It makes some sort of checksum of your memory and sends it to GGG. If you don't send it you get flagged.

  13. #11
    Ouariasse (Active Member)
    http://puu.sh/eseu5/0c51666a9c.png Every new function this patch, I believe. The two imports are
    http://puu.sh/erMcZ/3fda1ca448.png
    It's the ANSI version, not the unicode one.
    I can post all those functions in a .c file if you guys are interested in fiddling.

    I believe I found some new packets/structs as well that are related to the flagging:
    http://puu.sh/eseRp/7e7b5f5b79.png
    http://puu.sh/eseX3/a4f106e42c.png
    http://puu.sh/eseZx/c636b1a943.png
    http://puu.sh/esf2P/c5a2ffdd57.png
    http://puu.sh/esf6P/9606dd622f.png
    http://puu.sh/esf93/73b65c641c.png
    http://puu.sh/esff5/853e087db9.png // this one kills the connection, it's new
    and probably more, but I can't really go through them atm.
    Last edited by Ouariasse; 01-13-2015 at 03:50 AM.

  14. #12
    FrankTheCrazy (Member)
    Originally Posted by Ouariasse
    I can post all those functions in a .c file if you guys are interested in fiddling.
    Please do. I'll take a look tomorrow if I have more time.

  15. #13
    Valderic (Member)
    Originally Posted by Ouariasse
    http://puu.sh/eseu5/0c51666a9c.png Every new function this patch, I believe. The two imports are
    http://puu.sh/erMcZ/3fda1ca448.png
    It's the ANSI version, not the unicode one.
    I can post all those functions in a .c file if you guys are interested in fiddling.
    Wouldn't mind seeing what you've found. Maybe I can help make sense of it.

  16. #14
    @Home (Private)
    Originally Posted by Ouariasse
    It makes some sort of checksum of your memory and sends it to GGG. If you don't send it you get flagged.
    If it's a static scan it's pretty pointless.

    You said the scan is once per second, it's not like you receive an encrypted packet which tells you what part of the memory you have to scan, creating numerous checksums and your IDA snippets don't look like it either.

    They most likely have a whitelist and if your checksum is not on the whitelist you are flagged.

    Not responding might as well be a false positive due to packet loss. I highly doubt they will ban you for not responding. They will use "Suspicious activities" if they ban you and you can get yourself unbanned quite fast.
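
The design point raised in this post, as an added example that is not part of the original thread and is not the game's code: a fixed whole-image checksum compared against a whitelist produces a value that never changes, whereas a server-chosen nonce and window bind each response to one request. The image bytes, function names and challenge layout are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for a client's code section; not real game memory.
CLEAN_IMAGE = bytes(range(256)) * 16  # 4096 bytes
TAMPERED_IMAGE = CLEAN_IMAGE[:100] + b"\x90\x90" + CLEAN_IMAGE[102:]


def static_checksum(image: bytes) -> str:
    """Fixed-scan design: one digest of the whole image, identical every time."""
    return hashlib.sha256(image).hexdigest()


def make_challenge(image_len: int, span: int = 512) -> dict:
    """Server side: fresh nonce plus a randomly placed window to hash."""
    start = secrets.randbelow(image_len - span + 1)
    return {"nonce": os.urandom(16), "start": start, "length": span}


def answer_challenge(image: bytes, ch: dict) -> bytes:
    """Client side: keyed digest over only the window the server asked for."""
    window = image[ch["start"]:ch["start"] + ch["length"]]
    return hmac.new(ch["nonce"], window, hashlib.sha256).digest()


def server_verify(reference: bytes, ch: dict, response: bytes) -> bool:
    """Server recomputes from its own reference copy, constant-time compare."""
    return hmac.compare_digest(answer_challenge(reference, ch), response)


def stale_static_value_accepted() -> bool:
    """A digest recorded from a clean run still matches the whitelist later."""
    recorded = static_checksum(CLEAN_IMAGE)
    whitelist = {static_checksum(CLEAN_IMAGE)}
    return recorded in whitelist  # nothing binds the value to this request


def stale_challenge_answer_accepted() -> bool:
    """An answer recorded for an old challenge is checked against a new one."""
    old = make_challenge(len(CLEAN_IMAGE))
    recorded = answer_challenge(CLEAN_IMAGE, old)
    fresh = make_challenge(len(CLEAN_IMAGE))
    return server_verify(CLEAN_IMAGE, fresh, recorded)
```

The nonce addresses only the reuse of a recorded response; the window covers only the bytes the server happened to select for that request.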

  17. #15
    Ouariasse (Active Member)
    Well, that's great, I found their packet builder code while checking for this; if you patch it at packet level you're fine.
