-
Private
To overwatch cheats detection (and the ignorance of creators)
Ive seen far too much misinformation about how cheats are detected and how to make them undetected again
BLIZZARD DOES NOT USE INTRUSIVE SCANNING METHODS
I feel like i need to say this after all the "ima sue blizzard" bs
Ive made cheats for games with VAC and let me explain how VAC works (very similar to BAC)
VAC scans the memory of your computer and looks for programs SIGNATURES
The signature is basicly the complied form of code and if VAC finds a signature that it deems as malicious
It will trigger a ban
Sorta like this
[ ] = byte of data [D] = detected byte of data
What VAC sees
[ ][ ][ ][ ][ ][ ][ ][ ][ ][ ][ ][ ][ ][ ][ ][ ]
[D][D][D][D][ ][ ][ ][ ][ ][ ][ ][ ][ ][ ]
[D][D][D][D][D][D][D][D][ ][ ][ ][ ]
This is a small example but it shows what VAC does
Now with blizzard they seem to also have a internal code checker for internal/memory cheats
But ill focus on external ones for now
Blizzard anti cheat will scan the signatures and ban detected ones
Now for creators out there that add a few things and change the process name and think that will make it undetected well i hope you have another $40
A thread on MPGH explains everything you need to do to change your programs signature
Link:[Info] Signatures - What Are They and How Can They Be Changed - MPGH - MultiPlayer Game Hacking & Cheats
I hope i was a help and i hope i cleared up everything in terms of Blizzard anti cheat :P
-
Post Thanks / Like - 1 Thanks
EvidenceAA (1 members gave Thanks to VapeNation for this useful post)
-
This is common information. The cheat developers currently have the problem in which all of them getting banned within a day after changing things up.
Soldier82 and Highnoon both said they changed things up and then upon release got banned. Either
A) Blizzard is watching them like a hawk
B) They are using different ways to catch cheaters.
As we all know: Not everyone gets caught which means there's much much more to it compared to a normal VAC ban that will catch everyone running on the same signature.
-
Post Thanks / Like - 1 Thanks
VapeNation (1 members gave Thanks to DvASystems for this useful post)
-
Banned
Well they are detecting external hacks so of course they have intrusive methods. How else can you detect something that doesnt interact directly with the game at all. Everything you explained is cool and dandy but it only applies to injected hacks. Those signatures are in the memory of the game when the scan is being made, ahk scripts are completely external. Apples to oranges my friend.
And last but not least this is your first post, nice try Blizzard employee kappa.
Originally Posted by
DvASystems
This is common information. The cheat developers currently have the problem in which all of them getting banned within a day after changing things up.
Soldier82 and Highnoon both said they changed things up and then upon release got banned. Either
A) Blizzard is watching them like a hawk
B) They are using different ways to catch cheaters.
Its actually pretty easy to guess: the blizzard employees are subscribed to those cheats, they get the updates as soon as they are released thats how new versions get detected asap. At least thats what I would do.
As we all know: Not everyone gets caught which means there's much much more to it compared to a normal VAC ban that will catch everyone running on the same signature
I agree at some point but I think theres a huge difference between "Hey what are you injecting into the memory of my game" (VAC and memory hacks in general) and "Hey what programs are you running in your computer while you play our game?". Thats kinda crossing the line and no, Im not saying this because I got banned (in fact ai never got banned because common sense) and am salty, but it doesnt sound like something legal at all.
Last edited by ownedscrub3; 12-07-2016 at 05:41 PM.
-
Post Thanks / Like - 1 Thanks
DvASystems (1 members gave Thanks to ownedscrub3 for this useful post)
-
You have a good point, they clearly could just be subscribed but banning something instantly means you'd have to sub to 20 different cheats and constantly monitor them every 24 hours then release a banwave each time. And this is pretty much a "wall" operated and maintained by humans, which seems very inefficient even though it catches cheaters however:
1) Less people will end up getting banned as you can just skip a few days and wait until it's over.
2) Weekly/Monthly Banwaves work for a good reason, they catch as much people as possible, compared to a few banned users every 24 hours that will then warn others.
3) It takes much more time and money to maintain an anti-cheat group to act as a 24/7 protective"wall" against cheats when subversive methods are gradually cheaper, more effective and requires much much less work which is kinda why Valve only has a few VAC employees.
4) Whilst they are stuffing their resources actively banning all cheats, private cheats instead thrive as they wont get banned as the anti-cheat team is unable to focus on them.
5) Sooner or less, due to their excellent work they will have less work to do and be labeled as overfunded and get replaced or relocated to some other project which requires more help.
The only winning move is not to play in this scenario.
-
Post Thanks / Like - 1 Thanks
EvidenceAA (1 members gave Thanks to DvASystems for this useful post)
-
Private
just wanting to post this as i continue to see stuff like "just change the process name" in replys
-
Post Thanks / Like - 2 Thanks
-
Originally Posted by
VapeNation
just wanting to post this as i continue to see stuff like "just change the process name" in replys
It's a very informative thread, it's good that you partake in this community and educate people.
-
Banned
@DvASystems You are missing the most important thing here: they just need to know the name of the current build so they can add it to their blacklist and ban em automatically. They dont need to reverse engineer anything, is way simpler than that. In fact you know what should we do? (I say "we" because I dont have a spare account right now so I expect someone else to do it for the science):
We should just create an empty ahk script and name the process "StinkyJoint v9". Thats it. If the account gets banned, Blizzard is indeed checking our proccesses list and the media would go crazy just like they did with the Capcom rootkit this year (google it). And then they will probably say "we only scan for these particular names of known ahk hacks". And then the question would be: How do we know?
If you are reading this and want to become famous, do this experiment and post the results on reddit. Thank me later.
EDIT: Just to be 100% sure. Every single cheater that got banned was running a .exe version of an ahk script right? Not just a .ahk script. Is this correct?
EDIT2:
Originally Posted by
VapeNation
just wanting to post this as i continue to see stuff like "just change the process name" in replys
Thats because there are a lot of ignorant people here who think that changing the name of the proccess is changing the name of the file so they post "Hey guys I changed the name of the process and still got banned" no you didnt you just changed the name of the .exe.
Last edited by ownedscrub3; 12-07-2016 at 06:20 PM.
-
Originally Posted by
ownedscrub3
EDIT: Just to be 100% sure. Every single cheater that got banned was running a .exe version of an ahk script right? Not just a .ahk script. Is this correct?
No. "Overjoint V9".exe was the only AHK to get detected, V7 version is said to be undetected or rather have no bans since no one barely uses it anymore. All other cheats that got detected are non-ahk.
-
Originally Posted by
DvASystems
No. "Overjoint V9".exe was the only AHK to get detected, V7 version is said to be undetected or rather have no bans since no one barely uses it anymore. All other cheats that got detected are non-ahk.
he means if v9 was run as a AHK rather then in exe format
-
Active Member
Originally Posted by
ownedscrub3
@DvASystems You are missing the most important thing here: they just need to know the name of the current build so they can add it to their blacklist and ban em automatically. They dont need to reverse engineer anything, is way simpler than that. In fact you know what should we do? (I say "we" because I dont have a spare account right now so I expect someone else to do it for the science):
We should just create an empty ahk script and name the process "StinkyJoint v9". Thats it. If the account gets banned, Blizzard is indeed checking our proccesses list and the media would go crazy just like they did with the Capcom rootkit this year (google it). And then they will probably say "we only scan for these particular names of known ahk hacks". And then the question would be: How do we know?
If you are reading this and want to become famous, do this experiment and post the results on reddit. Thank me later.
EDIT: Just to be 100% sure. Every single cheater that got banned was running a .exe version of an ahk script right? Not just a .ahk script. Is this correct?
EDIT2:
Thats because there are a lot of ignorant people here who think that changing the name of the proccess is changing the name of the file so they post "Hey guys I changed the name of the process and still got banned" no you didnt you just changed the name of the .exe.
Changing exe's name it indeed changes the process name. Always, since Windows Nt.
Last edited by DvASystems; 12-07-2016 at 11:09 PM.
Reason: Keep cool attitude
-
Banned
Originally Posted by
R4zyel
Changing exe's name it indeed changes the process name. Always, since Windows Nt.
No, you gotta edit the script,
Last edited by DvASystems; 12-07-2016 at 11:09 PM.
-
Originally Posted by
Stinkyjoint
he means if v9 was run as a AHK rather then in exe format
Isn't overjoint v9 in exe form instaban now? Can't someone just run the source with some modified strings?
-
Member
I modified the v9 source a little bit, changed the process name etc and I haven't been banned yet. (Since around the 2nd/3rd December)
-
Member
could just running v9 in ahk version be enough? how much of source has to be changed for it to register as different signature?
-
Banned
Originally Posted by
blr69
could just running v9 in ahk version be enough? how much of source has to be changed for it to register as different signature?
This is what I asked above and what I really care about since I never run .exes on my PC.
Running just the .ahk version shouldnt get you banned but unfortunately the .ahk version/source code of Stinkyjoint v9 has to be decompiled and no one posted it here (or at least I didnt see it) so it might be harder to get this comparison done.
Last edited by ownedscrub3; 12-08-2016 at 08:56 AM.