
Thread: New Anticheat Idea + Source of "Anti-Thirdperson"

  1. #21


    To bypass the anti-cheat I would just modify the code that points to cg_3rd_person to point to another variable, or even bypass the checks; this way I lure the anti-cheat by telling it "Oh, cg_3rd_person is still 0, I'm safe!".
    For a programmer it will be hard to establish an algorithm that avoids false information like this.

    P.S.: An anti-cheat won't even be able to check for ReadProcessMemory/WriteProcessMemory; I'm not even sure if an anti-cheat like that exists on the internet. It would probably check if any of the running programs on the client computer have a handle to the game process, but that can turn into a false positive, plus the handle can be closed as soon as possible. And if you call NtSuspendProcess on the game that contains the anti-cheat code, then do your hacky code, then call NtResumeProcess, then the anti-cheat won't even be able to see anything for sure.

    Everything is bypassable once you know how to send legit information.

  2. #22
    Developer RyBack


    Shut up, you're ruining my soon™ to be released AC
    Last edited by RyBack; October 23rd, 2017 at 07:22 AM.

  3. #23
    Administrator James


    Ley0k is on the ball though. That's how I remember a lot of stuff being bypassed, exactly that way. You make the AC think it's clean by sending false negatives (in this case negative = you're clean). I'm just excited to see people digging in and trying this stuff. This is exactly how I learned and I highly encourage this because it's a great way to understand "conceptually" how "stuff" works. That's what makes a great programmer: someone that is fascinated and curious to go into unknown territory and experiment with different things. Also I know I've said this before, but the best way to "fix" an issue is understanding how it works. I think this is why Reborn was such a success. We knew the "internals" of how cheats work and we were able to prevent them. This is also why Ley0k is such a great asset to the team and community, because he understands it as well. Anyway, keep it up man!

    btw, when I was initially looking at the code you posted I had never seen a function like VAMemory before, so it piqued my interest. I was curious how it differs from RPM & WPM. From what I read it might be faster since RPM & WPM need VirtualProtectEx twice; but also in terms of memory access I guess it's better to just write your own custom function that basically does exactly the same thing.

  4. #24


    I think that VAMemory is just a helper class that ends up internally calling ReadProcessMemory/WriteProcessMemory. These functions are obviously slower than using a DLL injection, but they are by far the most undetectable way to hack the game.
    Another way would be to inject the DLL and detour the Windows APIs that enumerate the list of threads (Thread32First/Thread32Next and NtQuerySystemInformation if I'm not wrong), and return all threads except the injected one, then detour the Windows API that enumerates the list of modules for the current process and return all modules except the injected DLL.

    An AC mostly relies on analyzing threads/modules and then comparing module signatures against a database of banned signatures. I think that's what Steam VAC does, I'm not sure; this is why experienced cheaters buy private cheats instead of using public ones.

  5. #25
    Über Prodigy & Developer Razo[R]apiD


    To catch changes like that, an AC could take an MD5 of the code section to detect any alterations like detours, code patches, etc. It could also compare the on-disk image with the in-memory image to find injected modules, without needing to enumerate threads or anything like that.

    Stopping and restarting the game thread can be detected with time signatures. You could hook time functions, but I can use the RDTSC assembler instruction to get cycles from the processor. In the end you would need to hack into my AC to fool it, etc.

    You can also protect the game from WriteMemoryAddress if you go to ring0 and take away access privileges to the process. Then you need to write your own driver to hack into the game. The problem starts in ring0, because once we are all there, the hacker will always win.
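The two checks in the post above (hashing the code section and spotting a suspended thread through timing gaps), as an added example that is not code from this thread or from anyone's AC. The "code section" is a constructed byte string, the detour is simulated by overwriting five bytes with an E9 rel32 JMP, SHA-256 stands in for the MD5 the post mentions, and the heartbeat timestamps are constructed numbers rather than real RDTSC readings; all of that is an assumption for the sake of a runnable demo.

```python
import hashlib

# Constructed stand-in for a game's .text section (not real game code).
ORIGINAL_TEXT = bytes(range(0x40, 0x80))


def section_hash(section: bytes) -> str:
    """Digest of the code section; the post suggests MD5, SHA-256 is used here (assumption)."""
    return hashlib.sha256(section).hexdigest()


def diff_ranges(baseline: bytes, current: bytes):
    """Return [(offset, length)] for every run of bytes that differs from the baseline."""
    if len(baseline) != len(current):
        raise ValueError("section size changed")
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(baseline, current)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, len(baseline) - start))
    return ranges


def check_integrity(baseline: bytes, baseline_hash: str, current: bytes):
    """Cheap hash compare first; only on a mismatch do the byte-level diff to locate the patch."""
    if section_hash(current) == baseline_hash:
        return {"clean": True, "patched": []}
    return {"clean": False, "patched": diff_ranges(baseline, current)}


def simulate_detour(section: bytes, offset: int) -> bytes:
    """Constructed tampering: write an E9 rel32 JMP (5 bytes), the classic detour shape."""
    patched = bytearray(section)
    patched[offset:offset + 5] = b"\xE9" + (0x1234).to_bytes(4, "little", signed=True)
    return bytes(patched)


def suspended_intervals(heartbeats, expected_interval, tolerance):
    """Given heartbeat timestamps (RDTSC cycles or a monotonic clock), report gaps
    larger than expected_interval + tolerance; a suspend/resume of the game thread
    leaves exactly such a gap behind."""
    return [(prev, cur) for prev, cur in zip(heartbeats, heartbeats[1:])
            if cur - prev > expected_interval + tolerance]


if __name__ == "__main__":
    baseline_hash = section_hash(ORIGINAL_TEXT)
    print(check_integrity(ORIGINAL_TEXT, baseline_hash, ORIGINAL_TEXT))
    print(check_integrity(ORIGINAL_TEXT, baseline_hash, simulate_detour(ORIGINAL_TEXT, 16)))
    # Constructed heartbeats: one interval of 700 ticks where 100 was expected.
    print(suspended_intervals([0, 100, 200, 900, 1000], 100, 10))
```

The hash is the cheap periodic check; the byte diff only runs when it fails, which is what an AC would want so the hot path stays small. In a real build the baseline would come from the on-disk image the post mentions, and the heartbeat source would be RDTSC or a monotonic clock rather than a list literal.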

  6. #26
    Über Prodigy & Developer Razo[R]apiD


    Also, if you release a new game and there isn't an unprotected version of it, you can release it with your custom VM, which is basically a virtual processor with its own instruction set that runs parts of the code inside the game.
    What is more, the instruction set can be mutated each time with your CD key, so every copy of the game has a unique/random set of instructions in that VM, and you have to reverse engineer the VM itself and decode parts of the code first before you can even understand the internals of the game and begin to write hacks. And you have to do this for every copy of the game, unless you figure out the mutating algorithm that helps you automate the process.
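The per-copy instruction set described above, as an added toy example that is not code from this thread or from any real protector. It assumes a tiny five-instruction stack machine; the CD key is hashed into a permutation of opcode bytes, so the same source program assembles to different bytecode on each copy and only decodes correctly under the key it was built for.

```python
import hashlib

# Canonical mnemonics of the toy VM (assumption: a minimal stack machine).
MNEMONICS = ["PUSH", "ADD", "MUL", "SUB", "HALT"]

# Constructed sample program: (3 + 4) * 5 = 35. PUSH takes a one-byte operand.
PROGRAM = [("PUSH", 3), ("PUSH", 4), ("ADD",), ("PUSH", 5), ("MUL",), ("HALT",)]


def opcode_table(cd_key: str):
    """Derive a per-copy bijection mnemonic <-> opcode byte from the CD key.
    The key's SHA-256 digest ranks the mnemonics; that ranking is the permutation."""
    digest = hashlib.sha256(cd_key.encode()).digest()
    order = sorted(range(len(MNEMONICS)), key=lambda i: (digest[i], i))
    encode = {MNEMONICS[i]: op for op, i in enumerate(order)}
    decode = {op: MNEMONICS[i] for op, i in enumerate(order)}
    return encode, decode


def assemble(program, cd_key: str) -> bytes:
    """Encode the program with the opcode numbering that belongs to this copy."""
    encode, _ = opcode_table(cd_key)
    out = bytearray()
    for name, *operands in program:
        out.append(encode[name])
        out.extend(operands)
    return bytes(out)


def run(bytecode: bytes, cd_key: str):
    """Interpret bytecode using the decode table for cd_key; returns top of stack."""
    _, decode = opcode_table(cd_key)
    stack, pc = [], 0
    while pc < len(bytecode):
        op = decode[bytecode[pc]]
        pc += 1
        if op == "PUSH":
            stack.append(bytecode[pc])
            pc += 1
        elif op == "HALT":
            break
        else:
            b, a = stack.pop(), stack.pop()
            stack.append({"ADD": a + b, "SUB": a - b, "MUL": a * b}[op])
    return stack[-1] if stack else None


def try_run(bytecode: bytes, cd_key: str):
    """Run under a key and return None instead of raising when the bytecode does not
    decode (unknown opcode, stack underflow, operand read past the end)."""
    try:
        return run(bytecode, cd_key)
    except (KeyError, IndexError):
        return None


if __name__ == "__main__":
    for key in ("COPY-0001", "COPY-0002"):
        bc = assemble(PROGRAM, key)
        print(key, bc.hex(), "->", run(bc, key))
    # Same bytecode, wrong key: usually garbage or a decode failure.
    print("cross-key:", try_run(assemble(PROGRAM, "COPY-0001"), "COPY-0002"))
```

Real protectors mutate far more than opcode numbering (operand encodings, handler bodies, junk instructions), but the principle is the one in the post: a reverser who recovers one copy's VM has not recovered the next one's unless they find the mutation algorithm itself.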

  7. #27
    Developer RyBack


    Guys, this amount of cheat detection mechanisms is what I did in the AC.
    This could compromise my yet-to-be-released AC.

  8. #28
    Client Beta Testers Appelpitje


    Then it's not an AC.. lol

  9. #29


    Yes, there's too much information in here telling a hacker how to hack an anti-cheat....
    This information needs to be private.
    Last edited by DoubleKill; October 24th, 2017 at 06:35 AM.

  10. #30
    Client Beta Testers Appelpitje


    I don't know, since the internet contains so much information these days, you just have to find it...
