-
Active Member
Discovering the anti-cheat method of detection is key.
If no path exists to discover the anti-cheat methods.
Then updating POE-HUD to support anti-cheat methods (current/future) can't happen.
If all is true POE-HUD will probably die.
-
Member
The Autoflasker saved my life one time or another; removing freezes and bleeds lets me play completely one-handed. Well, I could play without it, but THEY have to insert mobs on minimap dots and perma lifebars. I want to clear efficiently in this grinding simulator 3000. Never used a bot, but if they don't change this shit where mobs only show HP when you actually hit them + the forced dark shit with the DX11 client (where you barely see darker monsters), then I will stop playing completely if the HuD can't get fixed.
I want to thank TehCheat and the other contributors who fixed and cared about this HuD, for the 2 years I have used it, I also donated 2 times, but without it PoE is dead for me...
-
Elite User
Caught in the act:

After 1hr 20 mins of running around on a new char with PoEHUD on, jumping in and out of the coast/lioneye's watch and closely watching what the game was doing, it suddenly queried the POEHuD process and immediately attempted to open a handle to the file to read it.
It was denied access because I have the game running under a limited account. I relogged and no warning but that doesn't mean much...
I can try to repeat this again allowing the game access to the folder and see what it does when it makes a successful read on the file. Based on this it looks like my original assumption of it just signature scanning at least for memory reading programs is correct, but seeing what it does when it gets access to the hud .exe will tell more.
Interestingly enough when I first started the game up before I ran the hud it tried to query the shadowplay process, then 59 mins 49s later it noticed the hud, so potentially it could be doing a scan every hour.
Last edited by Cush; 07-16-2018 at 01:56 PM.
-
Originally Posted by
Cush
I can try to repeat this again allowing the game access to the folder and see what it does when it makes a successful read on the file. Based on this it looks like my original assumption of it just signature scanning at least for memory reading programs is correct, but seeing what it does when it gets access to the hud .exe will tell more.
Each PoeHUD.exe should have a different signature thanks to this code: PoEHUD/Scrambler.fs at 7f7ddf0cc47362572c341f44830d83a4add38b7a · TehCheat/PoEHUD · GitHub
It only randomizes 4 bytes though, so it wouldn't help much for pattern scanning.
-
Member
Originally Posted by
Sychotix
Wouldn't it have already bypassed this though if it's finding the HUD and trying to grab info about it. Looks like self compiling and changing the HUD would get around signature checks or adding more robust variations to signature changes.
-
Elite User
Originally Posted by
Sychotix
Originally Posted by
xCROv
Wouldn't it have already bypassed this though if it's finding the HUD and trying to grab info about it. Looks like self compiling and changing the HUD would get around signature checks or adding more robust variations to signature changes.
It's likely that it has found the HUD because the HUD has an open handle reading its memory as well as possibly not being a 'trusted' program and it's trying to probe it to find out more. I say this because some anticheats do stuff like just combing through every process running scanning for known cheat signatures.
Signature scanning usually involves scanning for a premade pattern which is unlikely to change, rather than looking at the uniqueness of the file otherwise the above method would stop it.
It's difficult without knowing exactly what it's looking for, but like I said it has been denied access outright because of the user permissions. EAC or BattlEye wouldn't have this issue because they have drivers running at a lower level but VAC for example would probably kick you from the server if it was denied access in this way and didn't like it.
The question is how POE handles this, because by rights they shouldn't ban or flag people simply because their AC can't access a file to check for cheats, but at the same time they don't automatically kick. It's also relevant what they do with the information they are able to glean from the queries they can do and whether or not they try to use that to determine if the application is a cheat (filename, size etc.).
Last edited by Cush; 07-16-2018 at 02:47 PM.
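The distinction drawn in the two posts above (a 4-byte randomization changes a file's hash, but a byte-pattern signature still matches), shown from the detection side as an added example that is not part of the original thread or of any project discussed in it. The sample bytes, the pattern and all function names are constructed for illustration.

```python
import hashlib

# Constructed stand-in for a binary: header, a 4-byte per-build tag,
# padding, then a code sequence that is the same in every build.
STABLE_CODE = (bytes.fromhex("558bec83ec10a1") + b"\x00\x10\x40\x00"
               + bytes.fromhex("8945fc33c0"))
SAMPLE_A = (b"MZ" + b"\x00" * 30 + b"\x11\x22\x33\x44"
            + b"\x90" * 16 + STABLE_CODE + b"\xcc" * 8)

def with_tag(blob, tag, offset=32):
    """Copy of blob with the 4-byte tag at `offset` replaced."""
    return blob[:offset] + tag + blob[offset + 4:]

def parse_pattern(text):
    """'55 8B ?? A1' -> list of ints, with None for wildcard bytes."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def find_pattern(blob, pattern):
    """First offset where the pattern matches, or -1 if it never does."""
    n = len(pattern)
    for i in range(len(blob) - n + 1):
        if all(p is None or blob[i + j] == p for j, p in enumerate(pattern)):
            return i
    return -1

def hash_matches(blob, known_hashes):
    """Whole-file identity check: any single changed byte defeats it."""
    return hashlib.sha256(blob).hexdigest() in known_hashes

# The signature wildcards the 4-byte address operand, which can differ
# between builds, and pins the surrounding opcodes, which do not.
PATTERN = parse_pattern("55 8B EC 83 EC 10 A1 ?? ?? ?? ?? 89 45 FC 33 C0")
KNOWN_HASHES = {hashlib.sha256(SAMPLE_A).hexdigest()}
SAMPLE_B = with_tag(SAMPLE_A, b"\xde\xad\xbe\xef")  # only the tag differs

def compare():
    """(hash hit, pattern offset) for the original and the re-tagged copy."""
    return {
        name: (hash_matches(blob, KNOWN_HASHES), find_pattern(blob, PATTERN))
        for name, blob in (("A", SAMPLE_A), ("B", SAMPLE_B))
    }

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The re-tagged copy no longer matches the known hash, yet the pattern is found at the same offset in both, which is why a scanner built on code patterns is unaffected by a per-build tag.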
-
★ Elder ★
Originally Posted by
xCROv
Wouldn't it have already bypassed this though if it's finding the HUD and trying to grab info about it. Looks like self compiling and changing the HUD would get around signature checks or adding more robust variations to signature changes.
I'm honestly not convinced their signature scanning is what is getting people flagged at this point (though I thought it was at first). Maybe they're working around our really crappy hash changing, but I think it's far more likely people are leaving "poehud" in their path, or modifying memory/ggpk files, or something along those lines. The reasoning for this is because far more people should have been flagged if it was simply a signature getting matched. Unless I grossly underestimate how many users would take extra precautions to prevent hud from getting scanned.
I'd love to know if someone has gotten flagged while running hud without a path that contains "poehud" and without anything that would modify memory (map hacks, hooks of any kind, etc.) and without any modifications to the ggpk file. It's just hard to track things down when people are doing more than just running hud. And we don't have the luxury of being told "yeah, that program that was accessing poe matched a signature".
If it's just signatures, then running poe as a lower level user and hud as another user should prevent signature detection (the turbohud method). But if you do that and have poehud in the path, you might still get detected.
There are also some other things that would make detection very simple (perhaps not with the turbohud method) that would be low hanging fruit for the next batch of anti-cheat tactics.
Last edited by TehCheat; 07-16-2018 at 02:48 PM.
-
Elite User
Originally Posted by
TehCheat
I'm honestly not convinced their signature scanning is what is getting people flagged at this point (though I thought it was at first). Maybe they're working around our really crappy hash changing, but I think it's far more likely people are leaving "poehud" in their path, or modifying memory/ggpk files, or something along those lines. The reasoning for this is because far more people should have been flagged if it was simply a signature getting matched. Unless I grossly underestimate how many users would take extra precautions to prevent hud from getting scanned.
I'd love to know if someone has gotten flagged while running hud without a path that contains "poehud" and without anything that would modify memory (map hacks, hooks of any kind, etc.) and without any modifications to the ggpk file. It's just hard to track things down when people are doing more than just running hud. And we don't have the luxury of being told "yeah, that program that was accessing poe matched a signature".
If it's just signatures, then running poe as a lower level user and hud as another user should prevent signature detection (the turbohud method). But if you do that and have poehud in the path, you might still get detected.
There are also some other things that would make detection very simple (perhaps not with the turbohud method) that would be low hanging fruit for the next batch of anti-cheat tactics.
I got the warning and have never had POEhud in the path - I used a .exe compiled myself and always kept it in an inconspicuous place.
I also have never used any other third party POE programs nor modified the content file because I always considered those far more risky than a hud, and coming from previously using TurboHud I was just happy with the functionality/QOL poehud gave me.
-
Active Member
Originally Posted by
TehCheat
If it's just signatures, then running poe as a lower level user and hud as another user should prevent signature detection (the turbohud method). But if you do that and have poehud in the path, you might still get detected.
Hi, in my personal experience, in the last few months I have used PoEHud, modified ggpk and my own ahk flask macro.
I haven't received any warning.
As I wrote in another post, I always used the Thud method where, in addition to starting the game with a limited user, he advises to deny the permissions of the "HUD" folder to this user.
-
Member
I never had "poehud" in any directory name leading to poehud exe
* I used autoflask and ninjapricer, along with some stuff included in poehud (health bars, preload warnings, etc)
* I did NOT use maphack or anything like that
* I did NOT make PoE run as another account and restrict access to poehud folder (which was named something else of c)
-
Member
@Cush & @TehCheat
I was not here for the previous bans that have happened so I don't know what changed up to that point. Do you think this is another round of banning where it will be forgotten about for a while after everything calms down, or with the new changes with GGG that this will be a more permanent stance? I haven't seen any posts yet for bans from PoEHud but it was only announced several days ago with the vague "in a few days" time frame.
-
★ Elder ★
Originally Posted by
Cush
I got the warning and have never had POEhud in the path - I used a .exe compiled myself and always kept it in an inconspicuous place.
I also have never used any other third party POE programs nor modified the content file because I always considered those far more risky than a hud, and coming from previously using TurboHud I was just happy with the functionality/QOL poehud gave me.
Did you make any changes to the code, or did you just compile it as is? Any plugins?
From what you're saying, they're almost certainly doing a signature scan. And the turbohud method will hide/protect from that. I imagine with a few other safeguards (don't be dumb with the pathing, don't modify memory/ggpk/etc.) we could use hud/other cheats fairly safely. At least for now.
-
Elite User
Originally Posted by
xCROv
@Cush & @TehCheat
I was not here for the previous bans that have happened so I don't know what changed up to that point. Do you think this is another round of banning where it will be forgotten about for a while after everything calms down, or with the new changes with GGG that this will be a more permanent stance? I haven't seen any posts yet for bans from PoEHud but it was only announced several days ago with the vague "in a few days" time frame.
Anyone's guess.
There's a lot of speculation that they are looking at bringing competitive races back which is why they are making this move as hacks are OP in these and there are rewards at stake.
It takes time and effort to keep making sure your anticheat works though so it depends how committed they are to this. It could be that they are just trying to put the scare on to slow the rate of cheating and make people think twice and won't update again in a while, it could be that they are only going to update semi regularly or it could be that they are on a full on offensive against cheats.
Originally Posted by
TehCheat
Did you make any changes to the code, or did you just compile it as is? Any plugins?
From what you're saying, they're almost certainly doing a signature scan. And the turbohud method will hide/protect from that. I imagine with a few other safeguards (don't be dumb with the pathing, don't modify memory/ggpk/etc.) we could use hud/other cheats fairly safely. At least for now.
Compiled as is, with a few plugins running.
The account I did the test on above where the client was denied access to the folder I might leave as a control and see if it gets warned or banned eventually as it was obviously picked up. I can make a new poe account and run it as full admin and see if I can get any more info about what poe is doing when it accesses the process.
As I originally said I really don't think their anticheat as far as detecting huds, maphacks etc is going to be anything special or sophisticated without external processes or drivers and controls in place to stop people interfering with them detecting cheats. Doing it from the client itself is very limiting to them and they are probably just using a basic combination of sig scanning and things like you said (Checking known file metadata that they can get ahold of etc) but really it just depends how much effort they put into this as they probably had to cover quite a few hacks.
-
Active Member
Originally Posted by
noneyatemp
Discovering the anti-cheat method of detection is key.
If no path exists to discover the anti-cheat methods.
Then updating POE-HUD to support anti-cheat methods (current/future) can't happen.
If all is true POE-HUD will probably die.
Dude, nothing is impossible in this world, and in the cheating world - and especially talking about GGG (they were never so dedicated to building anti-cheats) - bypassing this anticheat must be easy peasy for anyone that understands it.
All games on this planet have anti-cheat, still, all games have plenty of tons of dozens of cheats available. Have you seen VAC? Almighty Valve anti-cheat? pfff amateur hackers bypass it all the time.
Let's hope poehud developers can learn about anticheat stuff and fix it. They probably never touched on anticheats cause poe never had one, but well, it must not be so hard to learn. I hope so.
Last edited by MACROS4LIFE; 07-16-2018 at 08:36 PM.
GH it's like cocaine, once you used, you can't forget.
-
Member
Officially banned.
Using POEhud only.
Thanks for everything.