The Cow Anti Cheat

[theunknownguy]

fenix you know if theres a way to track packets without anti virus detect it as a virus?
though maybe instead of adding all those cheats will be much better to allow packets to send only from main.exe
still not the best protection but with few more addons to server side+main.exe it might be enoght

1.- Why should an anti virus detect hooking methods has virus?, even microsoft on some patchs uses hook on APIs.
2.- Yes you can add an special ID on every packet that represents that is being sended by main. Problem is that you can fake every method and still be sending with a bot
3.- No, its not the best protection or near to be a good one

Ill add the protections that i want to add, remember this is not something official and i can drop it everyday, its just an hobby.

PS: Today i dont work on this, probably tomorrow.

Thanks.

 

[slipkorn13]

Exelente trabajo compadre
Como siempre, trayendo grandes proyecto de forma gratuita y open source para esta comunidad que dia a dia esta mas por el suelo.
Un gran saludo desde Chile

 

[goldenfox]

Ill add the protections that i want to add, remember this is not something official and i can drop it everyday, its just an hobby.

PS: Today i dont work on this, probably tomorrow.

Thanks.

Thanks for releasing something worth learning man. Thought I can ask to add additional settings like anti-suspend process.

Thanks.

 

[theunknownguy]

Thanks for releasing something worth learning man. Thought I can ask to add additional settings like anti-suspend process.

Thanks.

Yes thats a nice suggestions ill add it

 

[buffon]

im noob in asm, so what i must to do for adding new cheat in base and make dll?

 

[theunknownguy]

im noob in asm, so what i must to do for adding new cheat in base and make dll?

Learn ASM... But dont worry i will released a compiled version and in time more i will released as a library for C++ coders.

For now on just look at it and do nothing lol... Wait till compiled.

PS: Right now i am testing compiled version.

 

[theunknownguy]

Updated:

     - Source all bug fixed + compiled DLL
     - Database added with a signature example

You must be registered to see links

Left alot of things

 

[theunknownguy]

Some times for check at what speed the anti cheat runs:

ScanSystem: 10 signatures - all process in 0 - 15 milliseconds
FullAntiCheat: All protections + ScanSystem in 0-18 milliseconds

 

[HeLMaX]

Thank you sir.

 

[theunknownguy]

Adding:

    - Option to scan full memory
    - * Probably a new method for scan

---------- Post added 19-11-10 at 01:07 AM ---------- Previous post was 18-11-10 at 11:43 PM ----------

Updated !

 - Improved system for scan (Full memory in base of RVA)
 - Compiled DLL (not ready for use yet, just testing mode)

Download:

You must be registered to see links

Time testing:

New scan (full memory + RVA) = 516 ms to 1.451 ms
Full anti cheat (Everything executed = 532 ms to 1.489 ms

Let me explain how this method work:

First you pick the offset of the signature you want to detect, to that offset you need to sub the image base (can view it with any PE editor). Example:

 004013ED (Offset for my signature)
 00400000 (Image Base)
 13ED     (RVA)

Now what happen if for example a cheat load a DLL that have the main core signature you want to detect? Well Image base will be loaded on other place making the offset useless... Thats why i pick an RVA and calculate the position in memory.

Now whats the new system?. Well the scanner take all memory from a process and detect all modules in a PE header format, in base of that module take the image base and add it to the RVA for detect signature. (If you dont understand a poop read below)

So you can add multiples signatures for multiples modules on a single process to detect !.

This is an example:

"TestExe.exe" 57C685F8CFFFFF00B9FF03000033C08DBDF9CFFFFFF3AB66ABAAC685F8DFFFFF 136D

"TestExe.exe" 57C685F8CFFFFF00B9FF03000033C08DBDF9CFFFFFF3AB66ABAAC685F8DFFFFF 12120

The first signature references to RVA 136D (from main module)
But the second signature its refered to RVA 12120 (loaded DLL)

So scanner will detect both signature or will detect one in case cheat maker find out your first signature. tt1:

PS: Ill do a detailed guide once its finished. -.-

 

[Mulegend]

Fenix, maybe u must make a tool to generate encripted DB (Server side)

 

[theunknownguy]

Fenix, maybe u must make a tool to generate encripted DB (Server side)

Meaby i dont care... no mean to offence, i will do whatever i like :laugh:

 

[|ARIES|]

Work whit a simple hook? or have process? thanks for your work

 

[theunknownguy]

Work whit a simple hook? or have process? thanks for your work

Hook with LoadLibrary nothing more. And its a test version DB not encrypted.

 

[Mulegend]

Meaby i dont care... no mean to offence, i will do whatever i like :laugh:

JAJAJ wn.. not for me, but if u make decrypted DB i can edit and remove cheats xD

 

[Bason4ik]

full agree with MuLegend make his ideas ^_^

 

[theunknownguy]

JAJAJ wn.. not for me, but if u make decrypted DB i can edit and remove cheats xD

Lol if you could read better, like i say the last step is to encrypt DB.

What kind of the part "TESTING" you guys dont figure out :laugh::laugh:

TESTING = Not ready for use = T.E.S.T.I.N.G (gosh)

 

[theunknownguy]

Updated !

Downloads:

You must be registered to see links

Whats New:

     - Tool for Encryption/Decryption Database (RC4 algo)
     - Decryption added on COW anti cheat
     - Minor fixups
     - Everything inside Data folder of Tool will be encrypted

Can i start using it?! = NO ! (still things to be done)

FAQ about encryption tool:

- Can i encrpt more files?
  R: Yes ofcourse put all the files you want to encrypt on Data folder

- How can i change RC4 password?
  R: Enter here https://www.grc.com/passwords.htm and take a new generated password of random alphanumeric, set on source code and compile again (on COW anti cheat as on tool)

- Why RC4?
  R: Caused thats what i wanted...

- Why key cant be long?
  R: It can be as long as you want, just dont forget to edit source code constants before doing it so.

- Why isnt with interface?
  R: Caused i dont give a f*ck.

Enjoy.

 

[bet0x]

Good Job Felipe

 

[theunknownguy]

Official icon of the anti cheat.

You must be registered to see links