To overwatch cheats detection (and the ignorance of creators)

[VapeNation]

Ive seen far too much misinformation about how cheats are detected and how to make them undetected again
BLIZZARD DOES NOT USE INTRUSIVE SCANNING METHODS
I feel like i need to say this after all the "ima sue blizzard" bs

Ive made cheats for games with VAC and let me explain how VAC works (very similar to BAC)
VAC scans the memory of your computer and looks for programs SIGNATURES
The signature is basicly the complied form of code and if VAC finds a signature that it deems as malicious
It will trigger a ban
Sorta like this

[ ] = byte of data [D] = detected byte of data

What VAC sees
[ ][ ][ ][ ][ ][ ][ ][ ][ ][ ][ ][ ][ ][ ][ ][ ]
[D][D][D][D][ ][ ][ ][ ][ ][ ][ ][ ][ ][ ]
[D][D][D][D][D][D][D][D][ ][ ][ ][ ]

This is a small example but it shows what VAC does

Now with blizzard they seem to also have a internal code checker for internal/memory cheats
But ill focus on external ones for now
Blizzard anti cheat will scan the signatures and ban detected ones

Now for creators out there that add a few things and change the process name and think that will make it undetected well i hope you have another $40

A thread on MPGH explains everything you need to do to change your programs signature
Link:[Info] Signatures - What Are They and How Can They Be Changed - MPGH - MultiPlayer Game Hacking & Cheats

I hope i was a help and i hope i cleared up everything in terms of Blizzard anti cheat :P

[DvASystems]

This is common information. The cheat developers currently have the problem in which all of them getting banned within a day after changing things up.
Soldier82 and Highnoon both said they changed things up and then upon release got banned. Either
A) Blizzard is watching them like a hawk
B) They are using different ways to catch cheaters.

As we all know: Not everyone gets caught which means there's much much more to it compared to a normal VAC ban that will catch everyone running on the same signature.

[ownedscrub3]

Well they are detecting external hacks so of course they have intrusive methods. How else can you detect something that doesnt interact directly with the game at all. Everything you explained is cool and dandy but it only applies to injected hacks. Those signatures are in the memory of the game when the scan is being made, ahk scripts are completely external. Apples to oranges my friend.

And last but not least this is your first post, nice try Blizzard employee kappa.

This is common information. The cheat developers currently have the problem in which all of them getting banned within a day after changing things up.
Soldier82 and Highnoon both said they changed things up and then upon release got banned. Either
A) Blizzard is watching them like a hawk
B) They are using different ways to catch cheaters.

Its actually pretty easy to guess: the blizzard employees are subscribed to those cheats, they get the updates as soon as they are released thats how new versions get detected asap. At least thats what I would do.

As we all know: Not everyone gets caught which means there's much much more to it compared to a normal VAC ban that will catch everyone running on the same signature

I agree at some point but I think theres a huge difference between "Hey what are you injecting into the memory of my game" (VAC and memory hacks in general) and "Hey what programs are you running in your computer while you play our game?". Thats kinda crossing the line and no, Im not saying this because I got banned (in fact ai never got banned because common sense) and am salty, but it doesnt sound like something legal at all.

[DvASystems]

You have a good point, they clearly could just be subscribed but banning something instantly means you'd have to sub to 20 different cheats and constantly monitor them every 24 hours then release a banwave each time. And this is pretty much a "wall" operated and maintained by humans, which seems very inefficient even though it catches cheaters however:
1) Less people will end up getting banned as you can just skip a few days and wait until it's over.
2) Weekly/Monthly Banwaves work for a good reason, they catch as much people as possible, compared to a few banned users every 24 hours that will then warn others.
3) It takes much more time and money to maintain an anti-cheat group to act as a 24/7 protective"wall" against cheats when subversive methods are gradually cheaper, more effective and requires much much less work which is kinda why Valve only has a few VAC employees.
4) Whilst they are stuffing their resources actively banning all cheats, private cheats instead thrive as they wont get banned as the anti-cheat team is unable to focus on them.
5) Sooner or less, due to their excellent work they will have less work to do and be labeled as overfunded and get replaced or relocated to some other project which requires more help.

The only winning move is not to play in this scenario.

[VapeNation]

just wanting to post this as i continue to see stuff like "just change the process name" in replys

[DvASystems]

just wanting to post this as i continue to see stuff like "just change the process name" in replys

It's a very informative thread, it's good that you partake in this community and educate people.

[ownedscrub3]

@DvASystems You are missing the most important thing here: they just need to know the name of the current build so they can add it to their blacklist and ban em automatically. They dont need to reverse engineer anything, is way simpler than that. In fact you know what should we do? (I say "we" because I dont have a spare account right now so I expect someone else to do it for the science):
We should just create an empty ahk script and name the process "StinkyJoint v9". Thats it. If the account gets banned, Blizzard is indeed checking our proccesses list and the media would go crazy just like they did with the Capcom rootkit this year (google it). And then they will probably say "we only scan for these particular names of known ahk hacks". And then the question would be: How do we know?
If you are reading this and want to become famous, do this experiment and post the results on reddit. Thank me later.

EDIT: Just to be 100% sure. Every single cheater that got banned was running a .exe version of an ahk script right? Not just a .ahk script. Is this correct?

EDIT2:

just wanting to post this as i continue to see stuff like "just change the process name" in replys

Thats because there are a lot of ignorant people here who think that changing the name of the proccess is changing the name of the file so they post "Hey guys I changed the name of the process and still got banned" no you didnt you just changed the name of the .exe.

[DvASystems]

EDIT: Just to be 100% sure. Every single cheater that got banned was running a .exe version of an ahk script right? Not just a .ahk script. Is this correct?

No. "Overjoint V9".exe was the only AHK to get detected, V7 version is said to be undetected or rather have no bans since no one barely uses it anymore. All other cheats that got detected are non-ahk.

[TheLordJesusHimself]

No. "Overjoint V9".exe was the only AHK to get detected, V7 version is said to be undetected or rather have no bans since no one barely uses it anymore. All other cheats that got detected are non-ahk.

he means if v9 was run as a AHK rather then in exe format

[R4zyel]

@DvASystems You are missing the most important thing here: they just need to know the name of the current build so they can add it to their blacklist and ban em automatically. They dont need to reverse engineer anything, is way simpler than that. In fact you know what should we do? (I say "we" because I dont have a spare account right now so I expect someone else to do it for the science):
We should just create an empty ahk script and name the process "StinkyJoint v9". Thats it. If the account gets banned, Blizzard is indeed checking our proccesses list and the media would go crazy just like they did with the Capcom rootkit this year (google it). And then they will probably say "we only scan for these particular names of known ahk hacks". And then the question would be: How do we know?
If you are reading this and want to become famous, do this experiment and post the results on reddit. Thank me later.

EDIT: Just to be 100% sure. Every single cheater that got banned was running a .exe version of an ahk script right? Not just a .ahk script. Is this correct?

EDIT2:

Thats because there are a lot of ignorant people here who think that changing the name of the proccess is changing the name of the file so they post "Hey guys I changed the name of the process and still got banned" no you didnt you just changed the name of the .exe.

Changing exe's name it indeed changes the process name. Always, since Windows Nt.

[ownedscrub3]

Changing exe's name it indeed changes the process name. Always, since Windows Nt.

No, you gotta edit the script,

[DvASystems]

he means if v9 was run as a AHK rather then in exe format

Isn't overjoint v9 in exe form instaban now? Can't someone just run the source with some modified strings?

[Perplexity]

I modified the v9 source a little bit, changed the process name etc and I haven't been banned yet. (Since around the 2nd/3rd December)

[blr69]

could just running v9 in ahk version be enough? how much of source has to be changed for it to register as different signature?

[ownedscrub3]

could just running v9 in ahk version be enough? how much of source has to be changed for it to register as different signature?

This is what I asked above and what I really care about since I never run .exes on my PC.
Running just the .ahk version shouldnt get you banned but unfortunately the .ahk version/source code of Stinkyjoint v9 has to be decompiled and no one posted it here (or at least I didnt see it) so it might be harder to get this comparison done.