-
Active Member
[Warning] Anti-cheat implemented, stop using any hack/bot (Proof inside)
Offsets for patch 1.3.0j:
Code:
check7 .text 009C60B0 0000003D R . . . . T .
LaunchAndCommunicateWithACThread .text 009C60F0 00000084 R . . . . T .
CheckForDebuggerThread .text 009C6180 0000009D R . . . . . .
CheckForCheatThread .text 009C6250 000000DD R . . . . T .
LoadAC .text 009C63C0 00000052 R . . . . . .
LoadCryptedModulename .text 009C6420 00000078 R . . . . . .
loadModules .text 009C64A0 00000263 R . . . . . .
SomeHashFunction .text 009C6710 00000022 R . . . . T .
GetFlags .text 009C6740 00000034 R . . . . . .
CheckThreadEvent .text 009C6780 00000079 R . . . . . .
CheckExceptionEvent .text 009C6800 00000061 R . . . . . .
getDecryptedModuleName .text 009C6870 0000004D R . . . . T .
GetPoeHandle .text 009C68C0 0000005E R . . . . . .
GetSuspiciousProcessHandle .text 009C6920 00000093 R . . . . . .
randomBetween1And15 .text 009C69C0 0000004A R . . . . . .
decrypt .text 009C6A10 00000061 R . . . . . .
GetFlagForAction .text 009C6A80 000001A1 R . . . . T .
check1 .text 009C6C30 00000082 R . . . . T .
check2 .text 009C6CC0 0000004D R . . . . . .
check3 .text 009C6D10 0000004D R . . . . . .
check4 .text 009C6D60 00000052 R . . . . . .
check5 .text 009C6DC0 0000004C R . . . . . .
check6 .text 009C6E10 00000050 R . . . . . .
CheckModule .text 009C6E60 000000CD R . . . . . .
CheckForExeFileName .text 009C6F30 000000B3 R . . . . . .
PatternScanner .text 009C6FF0 000000A9 R . . . B . .
CheckForModifiedMemory .text 009C70A0 00000065 R . . . . . .
CheckExternalApplicationMemory .text 009C7110 000000DD R . . . . . .
CheckForWindowText .text 009C71F0 000000C3 R . . . . . .
CheckForForeignArea .text 009C72C0 000000AB R . . . . . .
Reversed source of the anticheat:
http://www.privatepaste.com/aeb4877e02
Code:
signed __int32 __cdecl SomeFunc1(void *a1, int a2)
{
signed __int32 result; // eax@1
dword_C8EE08 = a1;
dword_C8EE04 = a2;
result = _InterlockedExchange(&a1, a1);
dword_C905F4 = 1;
return result;
}
The anticheat is real.
Last edited by Ouariasse; 01-16-2015 at 02:01 AM.
-
-
★ Elder ★
Interesting. This is a maybe... it will need to be confirmed. Good idea to halt until confirmed, though.
-
Active Member
Update: It's getting a list of active processes, window names, and whether there is an attached debugger as well. Those libs are loaded dynamically.
Everything is detected. ExileBuddy (albeit the process won't ever be on if PoE is off, so props to the dev for preventing its users from being flagged), Exiled Bot, AHK stuff, everything.
-
Member
So you are saying I should rename Notepad.exe to be ExileBuddy.exe and see if I get banned? Deal.
EDIT: for those wondering what those functions do:
http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx
http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx
EDIT 2: Process enumeration would be quicker, right? Why use the above API calls instead?
Last edit, I swear: revision i has 751 imports and 54010 functions; an older version that I had sitting around has 749 imports with 53942 functions. GetModuleHandle is in both. GetMappedFileName is NOT in the older one but IS in the newer one. I am too lazy to hunt down what the other new imported function is or even what the 70 new functions are.
Last edited by FrankTheCrazy; 01-13-2015 at 12:56 AM.
Reason: added
-
Member
Long time lurker, first time poster.
GetMappedFileName(), while clearly referenced in the executable, does not appear to be called at this time. They are definitely reading memory in the game, but it's unclear what some of the other code is for or if it is even used. Perhaps this is only the first round in a series of updates?
-
Active Member
Originally Posted by
Valderic
Long time lurker, first time poster.
GetMappedFileName(), while clearly referenced in the executable, does not appear to be called at this time. They are definitely reading memory in the game, but it's unclear what some of the other code is for or if it is even used. Perhaps this is only the first round in a series of updates?
dword_C8FF38(0, 0, sub_9C6140, 0, 0, 0) is a CreateRemoteThread on sub_9C6140, which is an AttachDebugProcess + WaitForDebugEvent loop with a few switch cases; if you debug the application you will never be able to see what it really does.
-
Member
Originally Posted by
Ouariasse
dword_C8FF38(0, 0, sub_9C6140, 0, 0, 0) is a CreateRemoteThread on sub_9C6140, which is an AttachDebugProcess + WaitForDebugEvent loop with a few switch cases; if you debug the application you will never be able to see what it really does.
You can start the executable through the debugger, thereby preventing the anti-cheat from registering itself as the debugger and allowing you to inspect things and set breakpoints. Of course, this can easily be detected by virtue of the fact that the anti-cheat will no longer be able to receive debug events or register itself, so the account will likely be flagged.
-
-
Private
Hold the thread, patch the function itself to always pass the flag.
Doesn't look difficult to bypass.
-
Active Member
Originally Posted by
@Home
Hold the thread, patch the function itself to always pass the flag.
Doesn't look difficult to bypass.
It makes some sort of checksum of your memory and sends it to GGG. If you don't send it you get flagged.
-
-
Active Member
http://puu.sh/eseu5/0c51666a9c.png Every new function this patch, I believe. The two imports are
http://puu.sh/erMcZ/3fda1ca448.png
It's the ANSI version, not the unicode one.
I can post all those functions in a .c file if you guys are interested in fiddling.
I believe I found some new packets/structs as well that are related to the flagging:
http://puu.sh/eseRp/7e7b5f5b79.png
http://puu.sh/eseX3/a4f106e42c.png
http://puu.sh/eseZx/c636b1a943.png
http://puu.sh/esf2P/c5a2ffdd57.png
http://puu.sh/esf6P/9606dd622f.png
http://puu.sh/esf93/73b65c641c.png
http://puu.sh/esff5/853e087db9.png // this one kills the connection, it's new
and probably more, but I can't really go through them atm.
Last edited by Ouariasse; 01-13-2015 at 03:50 AM.
-
Member
Originally Posted by
Ouariasse
I can post all those functions in a .c file if you guys are interested in fiddling.
Please do. I'll take a look tomorrow if I have more time.
-
Member
Originally Posted by
Ouariasse
Wouldn't mind seeing what you've found. Maybe I can help make sense of it.
-
Private
Originally Posted by
Ouariasse
It makes some sort of checksum of your memory and sends it to GGG. If you don't send it you get flagged.
If it's a static scan, it's pretty pointless.
You said the scan is once per second; it's not like you receive an encrypted packet which tells you what part of the memory you have to scan, creating numerous checksums, and your IDA snippets don't look like it either.
They most likely have a whitelist, and if your checksum is not on the whitelist you are flagged.
Not responding might as well be a false positive due to packet loss. I highly doubt they will ban you for not responding. They will use "Suspicious activities" if they ban you, and you can get yourself unbanned quite fast.
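The distinction drawn above between a static memory checksum checked against a whitelist and a server-directed scan, as an added example (this is not code from the thread, from the game or from its anti-cheat; the "code region" is a constructed byte string, and both schemes are modelled in Python rather than reversed from anything):

```python
import hashlib
import hmac
import random

# Constructed stand-in for a process's code region; not real game memory.
CODE = bytes(range(256)) * 16

# Static scheme: the client hashes the same region the same way every round,
# and the server checks the result against a whitelist of known-good hashes.
# Nothing ties the reported value to the memory that is actually present.
WHITELIST = {hashlib.sha256(CODE).hexdigest()}


def static_checksum(memory: bytes) -> str:
    return hashlib.sha256(memory).hexdigest()


def static_verify(reported: str) -> bool:
    return reported in WHITELIST


# Challenge-response scheme: the server picks a fresh nonce and a random window
# each round, and the client must return an HMAC over exactly that window.
# A value recorded in one round is useless for the next.
def issue_challenge(region_len: int, rng: random.Random = random.SystemRandom()):
    nonce = rng.randbytes(16)
    length = rng.randrange(64, region_len // 2)
    offset = rng.randrange(0, region_len - length + 1)
    return nonce, offset, length


def respond(memory: bytes, nonce: bytes, offset: int, length: int) -> str:
    return hmac.new(nonce, memory[offset:offset + length], "sha256").hexdigest()


def server_verify(reference: bytes, nonce: bytes, offset: int, length: int,
                  reported: str) -> bool:
    # The server recomputes the answer from its own copy of the known-good build.
    expected = respond(reference, nonce, offset, length)
    return hmac.compare_digest(expected, reported)


def patch(memory: bytes, at: int, value: int) -> bytes:
    # Simulate a one-byte code modification at offset `at`.
    return memory[:at] + bytes([value]) + memory[at + 1:]
```

With the static scheme a modified client passes simply by reporting the pristine build's hash; with the challenge scheme a single window may miss the patch, so coverage comes from varying the window across rounds.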
-
Active Member
Well, that's great: I found their packet builder code while checking for this; if you patch it at packet level you're fine.
-