This is the way GG and all other anticheats detect CE / UCE
Here is some snipets from my old Anticheat called INDIGO (after feniks talksh!ts about label INDIGO) i renamed it to ORION.. whatever here is part of source
Source:
@DecryptStr its simply decrypt an encrypted string in memory
TerminateProcess not good option, so we uses a games API`s
Simply and best way how detect speedhack
@IsHooked_asm func cant share, but left this here as tip
Good luck with it, coded it more then one r two year/s ago i tt1:
Added:
Here is simple way how to block WPEPro and other crap like it
Its simply check Send and Receive func on WSock xD and restore original opcodes (unhook if hooked)
Ps. u can also write down bytes so can learn what kind a hooks used ( maybe hooks by AV and Firewall )
@DecryptStr is simply function ( i store all strings encrypted and decrypt only when need)
sample:
@this part, i never used memdumb scan or caption search, but coded it.. xD
so i share it to so some AH developer can use it
and yes, u can detect somesh!t by its threadID
For this creits goes not only to me, but also to my rolle model Paulo94
Here are some snippets from my old anticheat called INDIGO (after feniks talked sh!t about the label INDIGO I renamed it to ORION).. whatever, here is part of the source
Source:
Code:
unit uCE;
{
push Cheat_En_005fba58 ; ASCII "CE_ENTRY"
call RegisterClipboardFormatA ;<= Jump/Call Address Not Resolved
mov dword ptr ds:[ebx+06e8h],eax
push Cheat_En_005fba64 ; ASCII "CEHYPERSCANSETTINGS"
push 0450h
push 0
push 4
push 0
push -1
call CreateFileMappingA ;<= Jump/Call Address Not Resolved
push Sora_Eng_0057dca8 ; ASCII "CE_ENTRY"
call RegisterClipboardFormatA ;<= Jump/Call Address Not Resolved
mov dword ptr ds:[ebx+0640h],eax
push Sora_Eng_0057dcb4 ; ASCII "lengendx90"
push 0450h
push 0
push 4
push 0
push -1
call CreateFileMappingA ;<= Jump/Call Address Not Resolved
}
interface
uses
Windows, SysUtils;
// Scanner routine exported by this unit; the implementation below loops without an exit.
// NOTE(review): the stdcall (P: Pointer): Cardinal shape matches a Win32 thread routine,
// so it is presumably started as a thread - confirm at the call site.
function CheckFor_CE(P: Pointer): Cardinal; stdcall;
var
// Presumably the handle and ID of the thread that runs CheckFor_CE; nothing in this
// unit assigns them, so confirm against the code that starts the thread.
CheckForCE_Handle : Integer = 0;
CheckForCE_ID : Cardinal = 0;
implementation
uses
uLoger, uLogStr, Hook;
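{ Polls for named file mappings and, when one can be opened, logs the matching
  label and ends the process.

  The four names are stored encrypted and decrypted on each pass; the disassembly
  quoted in the unit header shows where two of them come from.

  P is not used. The loop has no exit, so the function never returns a value.

  A fixed object name is a weak signal on its own: it only matches builds that
  keep that name, so a miss here says nothing about whether a tool is running.

  NOTE(review): CriticalSection is declared outside this listing - confirm what
  else takes it. It is now held per pass; entering it once before an endless
  loop meant it was never released. }
function CheckFor_CE(P: Pointer): Cardinal; stdcall;

  // True when a file mapping with this name can be opened by the current process.
  function MappingExists(Name: PChar): Boolean;
  var
    Map: THandle;
  begin
    // Read access is enough to learn that the object exists; FILE_MAP_ALL_ACCESS
    // asks for more rights than needed and can fail where a read-only open works.
    Map := OpenFileMapping(FILE_MAP_READ, False, Name);
    Result := Map <> 0;
    if Result then
      CloseHandle(Map); // the handle was never closed before
  end;

  // Ends the game after a detection.
  procedure ExitGame;
  begin
    try
      TerminateProcess(GetCurrentProcess, DWORD(-1))
    finally
      // Fallback kept from the original: calls a routine at a hard-coded address
      // inside the game image (the post calls it a game API).
      // NOTE(review): $006E21F0 is only valid for the client build it was taken
      // from - re-check it on every client update.
      asm
        mov eax, $006E21F0
        call eax
      end;
    end;
  end;

begin
  Result := 0;
  while True do
  begin
    Sleep(1024);
    EnterCriticalSection(CriticalSection);
    try
      // One else-if chain: a single hit is logged once, under its own label.
      if MappingExists(PChar(DecryptStr(@Str_CEHYPERSCANSETTINGS, SizeOf(Str_CEHYPERSCANSETTINGS)))) then
      begin
        gLog.Log(DecryptStr(@Str_CHEATENGINE, SizeOf(Str_CHEATENGINE)), lgHack);
        ExitGame;
      end
      else if MappingExists(PChar(DecryptStr(@Str_lengendx90, SizeOf(Str_lengendx90)))) then
      begin
        gLog.Log(DecryptStr(@Str_sora, SizeOf(Str_sora)), lgHack);
        ExitGame;
      end
      else if MappingExists(PChar(DecryptStr(@Str_CE_HYPER_SCAN_SETTING, SizeOf(Str_CE_HYPER_SCAN_SETTING)))) then
      begin
        gLog.Log(DecryptStr(@Str_MoonLight, SizeOf(Str_MoonLight)), lgHack);
        ExitGame;
      end
      else if MappingExists(PChar(DecryptStr(@Str_KUHYPERSETTING, SizeOf(Str_KUHYPERSETTING)))) then
      begin
        gLog.Log(DecryptStr(@Str_kiki, SizeOf(Str_kiki)), lgHack);
        ExitGame;
      end;
    finally
      LeaveCriticalSection(CriticalSection);
    end;
    Sleep(512);
  end;
end;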
// Unit start-up: set up the critical section that CheckFor_CE enters.
// NOTE(review): CriticalSection is not declared in this listing; presumably it
// comes from one of the used units - confirm that no other unit initializes it too.
initialization
InitializeCriticalSection(CriticalSection);
// Unit shutdown: free the critical section again.
finalization
DeleteCriticalSection(CriticalSection);
end.
@DecryptStr simply decrypts an encrypted string in memory
Code:
try
TerminateProcess(GetCurrentProcess, DWORD(-1))
finally
asm
mov eax, $006E21F0
call eax
end;
TerminateProcess is not a good option, so we use the game's APIs
The simplest and best way to detect a speedhack
Code:
unit uSpeedHack;
interface
uses
Windows;
// Timing-API hook check exported by this unit; the implementation below loops without an exit.
procedure SpeedHack; stdcall;
var
// Presumably the handle and ID of the thread that runs SpeedHack; nothing in this
// unit assigns them, so confirm against the code that starts the thread.
SpeedHackHandle : Integer = 0;
SpeedHackID : Cardinal = 0;
implementation
uses
Hook_Ids_asm_Sht, uLoger, uLogStr;
{ Repeatedly asks IsHooked_asm about three timing functions and writes a log
  entry whenever any of them is reported as hooked. Per the comments on the
  encrypted string table in the post, the names decrypt to winmm.dll/timeGetTime,
  kernel32.dll/QueryPerformanceCounter and kernel32.dll/GetTickCount.

  Only logs; it takes no other action and never returns.

  NOTE(review): IsHooked_asm is not part of this listing, so what counts as
  "hooked" (and whether legitimate overlays or AV hooks trip it) has to be
  confirmed against that routine. }
procedure SpeedHack; stdcall;

  // True when IsHooked_asm flags at least one of the three timing functions.
  function TimerApiHooked: Boolean;
  begin
    Result := IsHooked_asm(PChar(DecryptStr(@Str_winmm, SizeOf(Str_winmm))),
                           PChar(DecryptStr(@Str_TimeGetTime, SizeOf(Str_TimeGetTime))))
           or IsHooked_asm(PChar(DecryptStr(@Str_kernel32, SizeOf(Str_kernel32))),
                           PChar(DecryptStr(@Str_Query, SizeOf(Str_Query))))
           or IsHooked_asm(PChar(DecryptStr(@Str_kernel32, SizeOf(Str_kernel32))),
                           PChar(DecryptStr(@Str_GetTickCount, SizeOf(Str_GetTickCount))));
  end;

begin
  repeat
    Sleep(1024);
    if TimerApiHooked then
      gLog.Log(DecryptStr(@Str_SpeedHack,SizeOf(Str_SpeedHack)),lgHack);
    Sleep(128);
  until False;
end;
end.
Good luck with it, I coded it more than one or two years ago
Added:
Here is a simple way to block WPEPro and other crap like it
Code:
unit uWsock;
interface
uses
Windows, SysUtils;
// send/recv entry-point check exported by this unit; the implementation below loops without an exit.
procedure AntiHook(P: Pointer); stdcall;
var
// Presumably the handle and ID of the thread that runs AntiHook; nothing in this
// unit assigns them, so confirm against the code that starts the thread.
AntiHookHandle : Integer = 0;
AntiHookThreadID : Cardinal = 0;
implementation
uses
uVar, uLoger, uLogStr;
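{ Formats Len bytes starting at Buffer as upper-case hexadecimal, two digits per
  byte and no separators.

  Returns an empty string when Buffer is nil or Len is not positive, instead of
  reading through a nil pointer. }
function ToHex(Buffer:PByteArray; Len: Integer):String;
const
  // Declared as Char so no implicit AnsiChar-to-string conversion (and no
  // warning suppression) is needed.
  HexCode: array [$0 .. $F] of Char = '0123456789ABCDEF';
var
  i: Integer;
begin
  Result := '';
  if (Buffer = nil) or (Len <= 0) then
    Exit;
  // Size the result once rather than growing it by two characters per byte.
  SetLength(Result, Len * 2);
  for i := 0 to Len - 1 do
  begin
    Result[2 * i + 1] := HexCode[Buffer^[i] shr 4];
    Result[2 * i + 2] := HexCode[Buffer^[i] and $0F];
  end;
end;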
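{ Every 100 ms compares the first 8 bytes of send and recv in ws2_32.dll with
  WOffset. On a mismatch it logs the bytes found, writes WOffset back over the
  entry point and calls the game routine at $006E21F0.

  P is not used; the loop never exits.

  Changes against the original listing:
  - the bytes are read without changing page protection; the page is made
    writable only for the moment a restore is performed;
  - protection is put back exactly once. Restoring twice through the same
    variable flipped the page back to PAGE_EXECUTE_READWRITE after a detection;
  - the instruction cache is flushed after code bytes are rewritten.

  NOTE(review): WOffset is one pattern used for both functions. If the installed
  ws2_32 build starts either function differently, or a security product has
  hooked it, this logs a detection and overwrites valid code - confirm the
  baseline for each supported OS build.
  NOTE(review): other threads may be executing send/recv while the bytes are
  rewritten; nothing here guards against that. }
procedure AntiHook(P: Pointer); stdcall;
var
  PSend, PRecv : Pointer;
  Buffer       : array [0 .. 7] of Byte;

  // Copies the first 8 bytes at Target into Buffer and reports whether they
  // differ from WOffset. An unresolved export (nil) is treated as "nothing to check".
  function EntryModified(Target: Pointer): Boolean;
  begin
    Result := False;
    if Target = nil then
      Exit;
    CopyMemory(@Buffer, Target, SizeOf(Buffer));
    Result := not CompareMem(@Buffer, @WOffset, SizeOf(Buffer));
  end;

  // Writes WOffset back over Target, then calls the game routine.
  procedure RestoreEntry(Target: Pointer);
  var
    Saved, Ignored: DWORD;
  begin
    if VirtualProtect(Target, 8, PAGE_EXECUTE_READWRITE, Saved) then
    begin
      CopyMemory(Target, @WOffset, 8);
      FlushInstructionCache(GetCurrentProcess, Target, 8);
      // Ignored receives the previous protection so that Saved keeps the
      // original value and is not overwritten with PAGE_EXECUTE_READWRITE.
      VirtualProtect(Target, 8, Saved, Ignored);
    end;
    // Hard-coded address inside the game image (the post calls it a game API).
    // NOTE(review): only valid for the client build it was taken from.
    asm
      mov eax, $006E21F0
      call eax
    end;
  end;

begin
  while True do
  begin
    // Resolved on every pass; GetModuleHandle only finds an already loaded module.
    PSend := GetProcAddress(GetModuleHandle(PChar(DecryptStr(@Str_ws2_32, SizeOf(Str_ws2_32)))),PAnsiChar(AnsiString(DecryptStr(@Str_Send, SizeOf(Str_Send)))));
    PRecv := GetProcAddress(GetModuleHandle(PChar(DecryptStr(@Str_ws2_32, SizeOf(Str_ws2_32)))),PAnsiChar(AnsiString(DecryptStr(@Str_Recv, SizeOf(Str_Recv)))));

    if EntryModified(PSend) then
    begin
      // Log the bytes that were found before they are replaced.
      gLog.Log(Format(DecryptStr(@Str_Client_S, SizeOf(Str_Client_S)),[ToHex(@Buffer[0],8)]),lgHack);
      RestoreEntry(PSend);
    end;

    if EntryModified(PRecv) then
    begin
      gLog.Log(Format(DecryptStr(@Str_Client_R, SizeOf(Str_Client_R)),[ToHex(@Buffer[0],8)]),lgHack);
      RestoreEntry(PRecv);
    end;

    Sleep(100);
  end;
end;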
end.
It simply checks the Send and Receive funcs in WSock xD and restores the original opcodes (unhooks them if hooked)
Ps. u can also write down the bytes so you can learn what kind of hooks are used ( maybe hooks by AV and Firewall )
@DecryptStr is simply a function ( i store all strings encrypted and decrypt them only when needed)
sample:
Code:
const
Str_MuIcon : array [0 .. 5] of Byte = ($5E, $3F, $63, $16, $6E, $2B); // MuIcon
Str_GraveYard : array [0 .. 14] of Byte = ($54, $32, $46, $26, $54, $26, $68, $2B, $4E, $6C, $2C, $49, $2C, $46, $3B); // GraveYard Cabal
Str_MUTEX : array [0 .. 22] of Byte = ($50, $25, $52, $25, $5E, $2A, $44, $1B, $6E, $5, $59, $19, $71, $F, $7C, $23, $7E, $1D, $73, $7, $6F, $18, $66); // Cabal_Anti_Double_Start
Str_TMainFrm : array [0 .. 7] of Byte = ($47, $1E, $6A, $15, $6C, $1, $5C, $0); // TMainFrm
Str_Start : array [0 .. 4] of Byte = ($40, $20, $54, $30, $53); // Start
Str_open : array [0 .. 3] of Byte = ($7C, $18, $68, $10); // open
Str_user32 : array [0 .. 9] of Byte = ($66, $1, $71, $15, $31, $28, $29, $7C, $11, $7F); // user32.dll
Str_ws2_32 : array [0 .. 9] of Byte = ($64, $3, $24, $6D, $49, $50, $51, $4, $69, $7); // ws2_32.dll
Str_connect : array [0 .. 6] of Byte = ($70, $B, $70, $8, $7A, $32, $69); // connect
Str_GetFocus : array [0 .. 7] of Byte = ($54, $25, $44, $14, $6C, $24, $7E, $3C); // GetFocus
Str_CreateWindowExA : array [0 .. 14] of Byte = ($50, $36, $46, $31, $52, $1C, $64, $3C, $53, $35, $59, $2A, $68, $1B, $4B); // CreateWindowExA
Str_Err_Txt : array [0 .. 19] of Byte = ($4F, $14, $73, $C, $74, $31, $42, $36, $65, $35, $79, $2F, $74, $3A, $59, $18, $E, $46, $3, $77); // \Orion\ERROR\Err.txt
Str_GNetworks_ini : array [0 .. 13] of Byte = ($4F, $1C, $47, $34, $57, $B, $4B, $8, $62, $13, $3E, $53, $3A, $58); // \GNetworks.ini
Str_AH_3_Failed : array [0 .. 13] of Byte = ($48, $7F, $59, $6F, $39, $5A, $28, $39, $7E, $1D, $77, $1F, $7D, $12); // [#3 AH] Failed
Str_AH_3_Success : array [0 .. 14] of Byte = ($48, $7F, $59, $6F, $39, $5A, $28, $39, $6B, $1C, $7C, $1B, $79, $1, $63); // [#3 AH] Success
Str_AH_2_Failed : array [0 .. 13] of Byte = ($48, $7F, $58, $6E, $38, $5B, $29, $38, $7F, $1C, $76, $1E, $7C, $13); // [#2 AH] Failed
Str_AH_2_Success : array [0 .. 14] of Byte = ($48, $7F, $58, $6E, $38, $5B, $29, $38, $6A, $1D, $7D, $1A, $78, $0, $62); // [#2 AH] Success
Str_AH_1_Failed : array [0 .. 13] of Byte = ($48, $7F, $5B, $6D, $3B, $58, $2A, $3B, $7C, $1F, $75, $1D, $7F, $10); // [#1 AH] Failed
Str_AH_1_Success : array [0 .. 14] of Byte = ($48, $7F, $5B, $6D, $3B, $58, $2A, $3B, $69, $1E, $7E, $19, $7B, $3, $61); // [#1 AH] Success
Str_WINDOWS_Failed : array [0 .. 15] of Byte = ($48, $B, $57, $F, $5C, $38, $40, $22, $7E, $5C, $19, $7C, $12, $75, $1, $56); // [WINDOWS] Failed
Str_WINDOWS_Success : array [0 .. 16] of Byte = ($48, $B, $57, $F, $5C, $38, $40, $22, $7E, $5C, $C, $7D, $19, $71, $5, $45, $E); // [WINDOWS] Success
Str_FOCUSS_Failed : array [0 .. 14] of Byte = ($48, $1A, $40, $15, $57, $2F, $53, $3F, $1E, $5A, $38, $55, $3E, $50, $25); // [FOCUSS] Failed
Str_FOCUSS_Success : array [0 .. 15] of Byte = ($48, $1A, $40, $15, $57, $2F, $53, $3F, $1E, $4F, $39, $5E, $3A, $54, $36, $76); // [FOCUSS] Success
Str_initialization_begins : array [0 .. 46] of Byte = ($48, $13, $74, $B, $73, $36, $39, $20, $57, $30, $41, $36, $58, $3C, $43, $50, $59, $4B, $46, $68, $51, $7A, $43, $72, $B9, $C3, $B9, $C5, $A7, $D9, $93, $D0, $88, $F3, $90, $E7, $8A, $E2, $87, $B6, $E7, $BA, $E1, $B5, $DB, $A1, $F9); // [Orion (version 1.0.0.3) initialization begins]
Str_OnLoadSettings : array [0 .. 36] of Byte = ($34, $7B, $2D, $69, $37, $48, $2E, $5C, $1C, $52, $71, $30, $65, $3C, $62, $3, $66, $7A, $8, $66, $23, $49, $22, $5E, $E6, $90, $F0, $91, $EE, $97, $DB, $87, $96, $CC, $EB, $9B, $C2); // '[CRITICAL ERROR] OnLoadSettings [%s]
Str_OnDecompress : array [0 .. 33] of Byte = ($48, $1F, $58, $7, $44, $26, $4A, $3A, $77, $55, $13, $45, $10, $54, $17, $79, $61, $12, $41, $5, $69, $F, $6A, $1F, $84, $E5, $94, $F2, $97, $A0, $D0, $DA, $98, $C4); // [CRITICAL ERROR] OnDecompress [%s]
{uLoger.pas}
Str_Session_started : array [0 .. 24] of Byte = ($30, $4, $42, $31, $55, $D, $4B, $15, $7A, $58, $28, $58, $3E, $47, $22, $74, $28, $34, $68, $1C, $2F, $A, $25, $4E, $9E); // # Session started at: %s;
Str_HACKING_SOFTWARE_DETECTED : array [0 .. 32] of Byte = ($48, $7, $49, $4, $5B, $31, $5D, $27, $6F, $23, $67, $43, $17, $53, $4, $63, $C, $71, $1E, $5B, $72, $33, $7C, $30, $9E, $CE, $8E, $DE, $8C, $C6, $B0, $C2, $AE); // [[[[HACKING SOFTWARE DETECTED]]]]
Str_cheats1 : array [0 .. 49] of Byte = ($50, $2B, $50, $32, $4C, $9, $53, $7, $26, $51, $21, $4C, $25, $49, $78, $28, $78, $21, $7D, $9, $73, $56, $31, $48, $DA, $E9, $8F, $FF, $9A, $F8, $BF, $E4, $F5, $9D, $F1, $D2, $A6, $C4, $BD, $C1, $93, $C6, $9F, $CC, $B8, $91, $F6, $9D, $EB, $21); // Continue using cheats may result in permament ban!
Str_cheats2 : array [0 .. 56] of Byte = ($52, $28, $52, $30, $4F, $1, $5C, $4D, $38, $52, $38, $4E, $2D, $6, $67, $35, $7F, $37, $73, $53, $A, $7D, $18, $67, $FE, $8C, $F5, $8D, $BB, $DB, $98, $D2, $91, $F5, $D7, $B5, $D2, $B6, $D8, $BA, $FA, $AB, $F9, $A3, $83, $FE, $94, $BE, $D2, $51, $27, $13, $61, $16, $6C, $22, $23); // Another third party Programm where accessing to the game.
Str_cheats3 : array [0 .. 86] of Byte = ($5A, $28, $1D, $7E, $49, $A, $44, $3, $67, $45, $27, $4D, $33, $18, $6D, $31, $7C, $22, $6B, $18, $3D, $18, $62, $16, $98, $EA, $8D, $FD, $CB, $BF, $FB, $BA, $FF, $9F, $FE, $89, $AD, $D9, $A7, $C6, $85, $D2, $9C, $D5, $F5, $BC, $FE, $95, $FF, $62, $14, $59, $2D, $49, $3A, $31, $70, $24, $51, $24, $48, $3E, $52, $79, $E, $52, $18, $4, $5F, $2A, $57, $27, $5F, $22, $E9, $93, $E9, $9A, $E3, $86, $C0, $8E, $CB, $A3, $CE, $A3, $86); // If u have any doubts, please contact support @GarveYard network for future information!
Str_ORION : array [0 .. 4] of Byte = ($5C, $1A, $46, $1F, $46); // ORION
{uGRestore}
Str_CRACKING_ATEMP : array [0 .. 31] of Byte = ($48, $7, $49, $4, $52, $37, $4C, $34, $76, $3C, $7A, $3F, $6C, $47, $15, $74, $D, $72, $4, $4D, $A, $48, $62, $3B, $84, $D2, $8B, $CE, $85, $CF, $B9, $CB); // [[[[ANTICHEAT CRACKING ATEMP]]]]
{uWsock}
Str_Client_S : array [0 .. 93] of Byte = ($50, $28, $54, $27, $5E, $1, $6, $64, $4C, $6E, $A, $6F, $5, $6B, $5A, $1, $56, $5, $53, $73, $57, $72, $C, $66, $E2, $9B, $EE, $95, $AF, $98, $C5, $83, $C0, $B4, $C5, $E6, $8D, $F8, $D3, $AD, $EA, $BA, $E3, $AC, $8C, $B6, $C1, $AF, $97, $C, $7E, $18, $79, $16, $21, $7A, $27, $79, $1F, $6F, $D, $64, $E, $25, $40, $1, $40, $5C, $0, $63, $9, $69, $10, $7B, $B0, $D7, $AC, $99, $EE, $D9, $95, $DB, $87, $E3, $DA, $F9, $B9, $DF, $A0, $D0, $B8, $A5, $EA, $8A); // Client(S) game hook - trojan, virus or other 3rd party programm try access to a game; Data[%s]
Str_Client_R : array [0 .. 93] of Byte = ($50, $28, $54, $27, $5E, $1, $6, $65, $4D, $6F, $B, $6E, $4, $6A, $5B, $0, $57, $4, $52, $72, $56, $73, $D, $67, $E3, $9A, $EF, $94, $AE, $99, $C4, $82, $C1, $B5, $C4, $E7, $8C, $F9, $D2, $AC, $EB, $BB, $E2, $AD, $8D, $B7, $C0, $AE, $96, $D, $7F, $19, $78, $17, $20, $7B, $26, $78, $1E, $6E, $C, $65, $F, $24, $41, $0, $41, $5D, $1, $62, $8, $68, $11, $7A, $B1, $D6, $AD, $98, $EF, $D8, $94, $DA, $86, $E2, $DB, $F8, $B8, $DE, $A1, $D1, $B9, $A4, $EB, $8B); // Client(R) game hook - trojan, virus or other 3rd party programm try access to a game; Data[%s]
Str_Send : array [0 .. 3] of Byte = ($60, $11, $6A, $18); // send
Str_Recv : array [0 .. 3] of Byte = ($61, $10, $66, $6); // recv
{uSpeedHack}
Str_TimeGetTime : array [0 .. 10] of Byte = ($67, $1A, $62, $11, $41, $F, $54, $31, $59, $36, $50); // timeGetTime
Str_GetTickCount : array [0 .. 11] of Byte = ($54, $25, $44, $6, $78, $30, $74, $6, $68, $1F, $72, $2); // GetTickCount
Str_Query : array [0 .. 22] of Byte = ($42, $23, $53, $37, $59, $22, $68, $2B, $4C, $21, $50, $39, $5F, $3A, $48, $1E, $65, $36, $7E, $10, $6D, $D, $75); // QueryPerformanceCounter
Str_winmm : array [0 .. 8] of Byte = ($64, $19, $62, $19, $63, $66, $2D, $70, $1D); // winmm.dll
Str_kernel32 : array [0 .. 11] of Byte = ($78, $9, $6E, $16, $64, $23, $3F, $3C, $13, $75, $1A, $72); // kernel32.dll
Str_SpeedHack : array [0 .. 22] of Byte = ($54, $21, $59, $2A, $1D, $7E, $1E, $60, $2A, $8, $26, $2, $56, $D, $59, $2F, $53, $4F, $3A, $7B, $31, $7F, $54); // Game HOOK - SPEED HACK!
{uCE}
Str_MoonLight : array [0 .. 28] of Byte = ($50, $C, $5C, $B, $48, $26, $47, $31, $79, $35, $73, $57, $7D, $56, $12, $62, $1F, $3, $13, $33, $77, $1D, $78, $E, $A9, $D3, $A0, $DD, $BF); // CHEATENGINE - UCE - MoonLight
Str_CE_HYPER_SCAN_SETTING : array [0 .. 21] of Byte = ($50, $1, $4B, $15, $5B, $20, $4A, $29, $77, $26, $66, $23, $6A, $3E, $7C, $A, $66, $E, $7A, $34, $7A, $2C); // CE_HYPER_SCAN_SETTINGS
Str_Sora : array [0 .. 23] of Byte = ($50, $C, $5C, $B, $48, $26, $47, $31, $79, $35, $73, $57, $7D, $56, $12, $62, $1F, $3, $13, $33, $69, $3, $7B, $2); // CHEATENGINE - UCE - Sora
Str_lengendx90 : array [0 .. 9] of Byte = ($7F, $E, $75, $4, $76, $33, $78, $31, $9, $3B); // lengendx90
Str_CHEATENGINE : array [0 .. 18] of Byte = ($50, $C, $5C, $B, $48, $26, $47, $31, $79, $35, $73, $57, $14, $7A, $D, $5F, $12, $42, $B); // CHEATENGINE Default
Str_CEHYPERSCANSETTINGS : array [0 .. 18] of Byte = ($50, $1, $5C, $13, $54, $3A, $47, $25, $67, $24, $69, $3E, $7C, $23, $66, $1C, $6A, $11, $7F); // CEHYPERSCANSETTINGS
Str_KUHYPERSETTING : array [0 .. 13] of Byte = ($58, $19, $44, $B, $4C, $22, $5F, $3D, $79, $2F, $78, $35, $7C, $30); // KUHYPERSETTING
Str_kiki : array [0 .. 23] of Byte = ($50, $C, $5C, $B, $48, $26, $47, $31, $79, $35, $73, $57, $7D, $56, $12, $62, $1F, $3, $13, $33, $71, $1D, $7C, $D); // CHEATENGINE - UCE - Kiki
{uWindows}
Str_GraveYard_CABAL_ONLINE : array [0 .. 23] of Byte = ($54, $32, $46, $26, $54, $26, $68, $2B, $4E, $6C, $42, $66, $22, $68, $3B, $49, $3D, $21, $53, $1D, $58, $14, $50, $D); // GraveYard - CABAL ONLINE
Str_D3D_Window : array [0 .. 9] of Byte = ($57, $70, $21, $17, $57, $15, $54, $1, $6F, $1A); // D3D Window
Str_CABAL : array [0 .. 4] of Byte = ($50, $5, $52, $5, $5E); // CABAL
@this part, i never used the memdump scan or caption search, but coded it.. xD
so i share it too, so some AH developer can use it
Code:
unit uVar;
interface
uses
Windows;
type
// 32-byte signature buffer shared by the cheat and module tables below.
TMemDump = array[0..31] of Byte;
// One entry of the Dumbs table: a numeric offset, 32 signature bytes and an ID.
// Presumably Offset is the address at which MemDump is expected in a scanned
// process; the scanning code is not part of this listing.
TCheatList = packed record
Offset : Cardinal;
MemDump : TMemDump;
CheatID : Word;
end;
// Two name pointers and an ID. Presumably C_Name / W_Name are a window class
// name and a window caption; no table of this type is declared in this unit.
TCaptionList = packed record
C_Name : PAnsiChar;
W_Name : PAnsiChar;
CheatID: Word;
end;
// One entry of the ModuleDumbs table: a file name, an MD5 string, a 16-bit RVA
// and 32 signature bytes.
TModuleList = packed record
Name : string;
MD5: string;
RVA: Word;
Dump: TMemDump;
end;
// One entry of the CheatThreads table: a single 32-bit value.
TThreadList = packed record
TID: Cardinal;
end;
// Unit-level state shared with the other anticheat units.
var
// HackDetected : Boolean = False;
// SpeedHack : Boolean = False;
IP,IP2 : AnsiString; {Server IP}
ServerPort : Word; {Server Port}
LogID : Word; {Cheat FingerPrint}
OffsetSerial : Cardinal = $00000000;
PlayerMD5 : AnsiString; {Player.bmd}
LauncherMD5 : AnsiString; {Check Launcher from DLL?}
Serial : array [0..15] of byte = ($00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);
// 8-byte pattern that uWsock.AntiHook compares against, and writes over, the
// start of both send and recv. The bytes are the x86 sequence
// mov edi,edi / push ebp / mov ebp,esp / sub esp,10h.
// NOTE(review): one pattern for two functions and every ws2_32 build - confirm it
// against each supported OS version, since a mismatch is logged as a hook and overwritten.
WOffset : array [0..7] of byte = ($8B,$FF,$55,$8B,$EC,$83,$EC,$10);
const
// Seven fixed 32-bit values labelled with tool names and versions.
// NOTE(review): Windows assigns thread IDs when a thread is created, so a fixed
// value would not normally identify a program across runs. These may instead be
// thread start addresses - confirm against the code that consumes the table
// (not part of this listing).
CheatThreads: packed array[0 .. 6] of TThreadList =
(
(TID : $05fe864), //Cheat Engine 5.5
(TID : $051cf40c), //Cheat Engine 5.4
(TID : $044e90), //Cheat Engine 5.6.1
(TID : $062105d4), //Cheat Engine 5.6.1
(TID : $064fe0), //Cheat Engine 5.6.1
(TID : $0611a98), //Sora Engine 2.3
(TID : $4e80) //Sora Engine 2.3
);
// Two module signatures: file name, MD5 string, a 16-bit RVA and 32 bytes.
// Presumably Dump holds the bytes expected at RVA inside the named module; the
// code that consumes this table is not part of this listing.
// NOTE(review): an MD5 or byte signature matches one exact build only, so any
// rebuilt or repacked copy will not match - treat a miss as inconclusive.
ModuleDumbs: packed array[0 .. 1] of TModuleList =
(
(Name : 'File_CEHook.dll';
MD5 : '106df2d64aeb5588cd1a2608ae81097b';
RVA : $BB67;
Dump : ($33, $C0, $5A, $59, $59, $64, $89, $10, $68, $84, $BB, $16, $00, $8D, $45, $FC, $E8, $2C, $8B, $FF, $FF, $C3, $E9, $1E, $84, $FF, $FF, $EB, $F0, $8B, $C6, $5E)),
(Name : 'File_speedhack.dll';
MD5 : '287ababfc0a90c1b02d666c2224409c4';
RVA : $3932;
Dump : ($74, $0A, $85, $C0, $74, $06, $50, $E8, $72, $D8, $FF, $FF, $E8, $5D, $FC, $FF, $FF, $80, $7B, $28, $01, $75, $03, $FF, $53, $24, $80, $7B, $28, $00, $74, $05))
);
Dumbs: packed array[0..42] of TCheatList =
((Offset : $4C8259; //Catastrophe
MemDump :($A1, $38, $BD, $4C, $00, $8B, $00, $8B, $4D, $FC, $BA, $C0, $82, $4C, $00, $E8, $1F, $F1, $FF, $FF, $33, $DB, $E8, $F8, $BE, $F3, $FF, $33, $C0, $5A, $59, $59);
CheatID : 0),
(Offset : $4C8259; //Catastrophe
MemDump :($7C, $23, $8B, $45, $FC, $80, $38, $C1, $75, $1B, $8B, $45, $FC, $80, $78, $02, $F3, $75, $12, $8B, $45, $FC, $80, $78, $03, $00, $75, $09, $8B, $45, $FC, $80);
CheatID : 1),
(Offset : $4CCB71; //Catastrophe
MemDump :($A1, $40, $FD, $4C, $00, $8B, $00, $8B, $4D, $FC, $BA, $D8, $CB, $4C, $00, $E8, $AB, $F2, $FF, $FF, $33, $DB, $E8, $E0, $75, $F3, $FF, $33, $C0, $5A, $59, $59);
CheatID : 3),
(Offset : $44E08C; //WPePro
MemDump :($64, $89, $25, $00, $00, $00, $00, $83, $EC, $58, $53, $56, $57, $89, $65, $E8, $FF, $15, $04, $F4, $48, $00, $33, $D2, $8A, $D4, $89, $15, $D8, $0A, $4D, $00);
CheatID : 4),
(Offset : $4851C2; //WPePro
MemDump :($75, $1C, $53, $8B, $CE, $FF, $75, $E4, $FF, $75, $E0, $57, $E8, $90, $01, $FE, $FF, $EB, $0B, $53, $57, $FF, $76, $1C, $FF, $15, $9C, $F5, $48, $00, $8B, $86);
CheatID : 5),
(Offset : $4307BE; //WPePro
MemDump :($75, $0A, $6A, $1C, $E8, $49, $01, $00, $00, $83, $C4, $04, $E8, $B1, $30, $00, $00, $85, $C0, $75, $0A, $6A, $10, $E8, $36, $01, $00, $00, $83, $C4, $04, $C7);
CheatID : 6),
(Offset : $44397B; //WPePro
MemDump :($75, $07, $8B, $CF, $E8, $F8, $F2, $FF, $FF, $5F, $5E, $C2, $08, $00, $53, $56, $8B, $74, $24, $0C, $57, $FF, $76, $04, $FF, $15, $C4, $9B, $49, $00, $8B, $D8);
CheatID : 7),
(Offset : $402190; //WPePro
MemDump :($55, $8B, $EC, $53, $56, $57, $BB, $00, $60, $40, $00, $66, $2E, $F7, $05, $1E, $28, $40, $00, $04, $00, $0F, $85, $DB, $00, $00, $00, $6A, $00, $FF, $15, $18);
CheatID : 8),
(Offset : $48F5AE; //T Search
MemDump :($55, $8B, $EC, $6A, $FF, $68, $90, $8A, $4E, $00, $68, $8C, $44, $49, $00, $64, $A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $58);
CheatID : 9),
(Offset : $48F619; //T Search
MemDump :($E8, $CE, $2D, $00, $00, $85, $C0, $75, $08, $6A, $10, $E8, $B2, $00, $00, $00, $59, $33, $F6, $89, $75, $FC, $E8, $63, $7A, $00, $00, $FF, $15, $68, $44, $4D);
CheatID : 10),
(Offset : $40970E; //Speed Gear 5
MemDump :($68, $B4, $98, $40, $00, $64, $A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68, $53, $56, $57, $89, $65, $E8, $33, $DB, $89, $5D);
CheatID : 11),
(Offset : $568E9A; //Speed Gear 6
MemDump :($68, $B8, $F9, $85, $13, $E8, $9D, $53, $01, $00, $B6, $94, $70, $4B, $E8, $87, $E5, $43, $E4, $43, $21, $7B, $18, $B7, $BB, $79, $6D, $3E, $F9, $1E, $5C, $7F);
CheatID : 12),
(Offset : $512134; //WildProxy v1.0 Public
MemDump :($75, $05, $8A, $16, $46, $12, $D2, $73, $EA, $02, $D2, $75, $05, $8A, $16, $46, $12, $D2, $73, $4F, $33, $C0, $02, $D2, $75, $05, $8A, $16, $46, $12, $D2, $0F);
CheatID : 13),
(Offset : $512014; //WildProxy v1.0 Public
MemDump :($B8, $00, $00, $00, $00, $60, $0B, $C0, $74, $68, $E8, $00, $00, $00, $00, $58, $05, $53, $00, $00, $00, $80, $38, $E9, $75, $13, $61, $EB, $45, $DB, $2D, $37);
CheatID : 14),
(Offset : $401320; //WildProxy v1.0 Public
MemDump :($EB, $10, $66, $62, $3A, $43, $2B, $2B, $48, $4F, $4F, $4B, $90, $E9, $98, $90, $46, $00, $A1, $8B, $90, $46, $00, $C1, $E0, $02, $A3, $8F, $90, $46, $00, $52);
CheatID : 15),
(Offset : $4013F9; //WildProxy v1.0 Public
MemDump :($E8, $1A, $21, $06, $00, $A3, $8B, $90, $46, $00, $83, $F8, $00, $73, $91, $B8, $FC, $00, $00, $00, $E8, $7A, $FF, $FF, $FF, $C3, $83, $3D, $8B, $90, $46, $00);
CheatID : 16),
(Offset : $401320; //WildProxy v1.2 Public
MemDump :($EB, $10, $66, $62, $3A, $43, $2B, $2B, $48, $4F, $4F, $4B, $90, $E9, $98, $20, $47, $00, $A1, $8B, $20, $47, $00, $C1, $E0, $02, $A3, $8F, $20, $47, $00, $52);
CheatID : 17),
(Offset : $4013B0; //WildProxy v1.2 Public
MemDump :($E8, $D7, $FF, $FF, $FF, $B9, $B4, $00, $00, $00, $51, $6A, $08, $E8, $F4, $00, $07, $00, $50, $E8, $60, $01, $07, $00, $0B, $C0, $75, $0A, $B8, $FD, $00, $00);
CheatID : 18),
(Offset : $401350; //WildProxy v0.3 Public
MemDump :($EB, $10, $66, $62, $3A, $43, $2B, $2B, $48, $4F, $4F, $4B, $90, $E9, $98, $C0, $47, $00, $A1, $8B, $C0, $47, $00, $C1, $E0, $02, $A3, $8F, $C0, $47, $00, $52);
CheatID : 19),
(Offset : $40C0B0; //Speed Hack Simplifier 1.0
MemDump :($70, $6C, $69, $63, $61, $74, $69, $6F, $6E, $31, $5C, $6F, $62, $6A, $5C, $52, $65, $6C, $65, $61, $73, $65, $5C, $53, $70, $65, $65, $64, $20, $48, $61, $63);
CheatID : 20),
(Offset : $4320F0; //CE
MemDump :($53, $00, $5F, $00, $56, $00, $45, $00, $52, $00, $53, $00, $49, $00, $4F, $00, $4E, $00, $5F, $00, $49, $00, $4E, $00, $46, $00, $4F, $00, $00, $00, $00, $00);
CheatID : 21),
(Offset : $440020; //Cheat Happens v3.96b2
MemDump :($5F, $E4, $AD, $60, $36, $56, $43, $4D, $92, $BD, $C8, $6F, $F8, $DE, $E1, $BD, $01, $00, $00, $00, $46, $3A, $5C, $44, $6F, $63, $75, $6D, $65, $6E, $74, $73);
CheatID : 22),
(Offset : $41F001; //!xSpeed.net 2
MemDump :($60, $E8, $03, $00, $00, $00, $E9, $EB, $04, $5D, $45, $55, $C3, $E8, $01, $00, $00, $00, $EB, $5D, $BB, $ED, $FF, $FF, $FF, $03, $DD, $81, $EB, $00, $F0, $01);
CheatID : 23),
(Offset : $4217E0; //!xSpeed.net 3
MemDump :($60, $BE, $00, $D0, $41, $00, $8D, $BE, $00, $40, $FE, $FF, $57, $EB, $0B, $90, $8A, $06, $46, $88, $07, $47, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11);
CheatID : 24),
(Offset : $420630; //!xSpeed.net 6
MemDump :($60, $BE, $00, $C0, $41, $00, $8D, $BE, $00, $50, $FE, $FF, $57, $EB, $0B, $90, $8A, $06, $46, $88, $07, $47, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11);
CheatID : 25),
(Offset : $5674D4; //Cheat Engine 5.0
MemDump :($55, $8B, $EC, $83, $C4, $EC, $53, $33, $C0, $89, $45, $EC, $B8, $2C, $70, $56, $00, $E8, $C6, $FA, $E9, $FF, $8B, $1D, $98, $D8, $56, $00, $33, $C0, $55, $68);
CheatID : 26),
(Offset : $574EC0; //Cheat Engine 5.1.1
MemDump :($55, $8B, $EC, $83, $C4, $EC, $53, $33, $C0, $89, $45, $EC, $B8, $E0, $49, $57, $00, $E8, $CE, $20, $E9, $FF, $8B, $1D, $F8, $B8, $57, $00, $33, $C0, $55, $68);
CheatID : 27),
(Offset : $574EEC; //Cheat Engine 5.1.1
MemDump :($E8, $8B, $EA, $F1, $FF, $8D, $45, $EC, $E8, $33, $56, $FF, $FF, $E8, $5A, $1F, $FD, $FF, $8B, $03, $BA, $68, $50, $57, $00, $E8, $6A, $E6, $F1, $FF, $8B, $03);
CheatID : 28),
(Offset : $4CBD70; //Cheat Engine 5.1.1
MemDump :($8D, $85, $7C, $FE, $FF, $FF, $BA, $03, $00, $00, $00, $E8, $B0, $8F, $F3, $FF, $8D, $85, $88, $FE, $FF, $FF, $BA, $04, $00, $00, $00, $E8, $A0, $8F, $F3, $FF);
CheatID : 29),
(Offset : $591F94; //Cheat Engine 5.2
MemDump :($55, $8B, $EC, $83, $C4, $EC, $53, $33, $C0, $89, $45, $EC, $B8, $5C, $1A, $59, $00, $E8, $26, $50, $E7, $FF, $8B, $1D, $20, $89, $59, $00, $33, $C0, $55, $68);
CheatID : 30),
(Offset : $5839E7; //Cheat Engine 5.2
MemDump :( $8D, $45, $B0, $50, $6A, $08, $8D, $85, $78, $FF, $FF, $FF, $50, $A1, $B0, $A1, $59, $00, $8B, $55, $A4, $8B, $04, $90, $50, $A1, $28, $A1, $59, $00, $50, $A1);
CheatID : 31),
(Offset : $4CBE2B; //Cheat Engine 5.3
MemDump :($8D, $55, $F0, $B9, $04, $00, $00, $00, $8B, $C7, $E8, $02, $15, $F5, $FF, $8B, $55, $F0, $8B, $C3, $E8, $8C, $F7, $FD, $FF, $8D, $55, $F0, $B9, $04, $00, $00);
CheatID : 32),
(Offset : $5FECF4; //Cheat Engine 5.5
MemDump :($55, $8B, $EC, $83, $C4, $EC, $53, $33, $C0, $89, $45, $EC, $B8, $E4, $E4, $5F, $00, $E8, $9E, $89, $E0, $FF, $8B, $1D, $EC, $62, $60, $00, $33, $C0, $55, $68);
CheatID : 33),
(Offset : $12C5B8; //UoPilot
MemDump :($75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $72, $ED, $B8, $01, $00, $00, $00, $01, $DB, $75, $07, $8B, $1E, $83, $EE, $FC, $11, $DB, $11, $C0, $01, $DB, $73);
CheatID : 34),
(Offset : $401414; //Speed Hack 99.62t
MemDump :($68, $A4, $22, $40, $00, $E8, $EE, $FF, $FF, $FF, $00, $00, $00, $00, $00, $00, $30, $00, $00, $00, $40, $00, $00, $00, $00, $00, $00, $00, $18, $8E, $F7, $08);
CheatID : 35),
(Offset : $401E04; //SpotHack 1.1 <-- MiraseQ LOL!
MemDump :($68, $28, $20, $41, $00, $E8, $EE, $FF, $FF, $FF, $00, $00, $00, $00, $00, $00, $30, $00, $00, $00, $40, $00, $00, $00, $00, $00, $00, $00, $E3, $90, $67, $9A);
CheatID : 36),
(Offset : $454181; //MJB Perfect DL Bot
MemDump :($BE, $00, $90, $43, $00, $8D, $BE, $00, $80, $FC, $FF, $57, $83, $CD, $FF, $EB, $10, $90, $90, $90, $90, $90, $90, $8A, $06, $46, $88, $07, $47, $01, $DB, $75);
CheatID : 37),
(Offset : $59F001; //HahaMu 1.16
MemDump :($E8, $00, $00, $00, $00, $5D, $50, $51, $EB, $0F, $B9, $EB, $0F, $B8, $EB, $07, $B9, $EB, $0F, $90, $EB, $08, $FD, $EB, $0B, $F2, $EB, $F5, $EB, $F6, $F2, $EB);
CheatID : 38),
(Offset : $40FBB6; //Game Speed Changer
MemDump :($55, $8B, $EC, $6A, $FF, $68, $48, $3D, $41, $00, $68, $3C, $FD, $40, $00, $64, $A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68);
CheatID : 39),
(Offset : $438510; //eXpLoRer
MemDump :($60, $BE, $00, $20, $42, $00, $8D, $BE, $00, $F0, $FD, $FF, $57, $83, $CD, $FF, $EB, $10, $90, $90, $90, $90, $90, $90, $8A, $06, $46, $88, $07, $47, $01, $DB);
CheatID : 40),
(Offset : $4BCFA4; //Xelerator 1.4
MemDump :($55, $8B, $EC, $83, $C4, $F0, $53, $56, $57, $B8, $C4, $CC, $4B, $00, $E8, $B1, $9B, $F4, $FF, $8B, $3D, $B0, $03, $4C, $00, $68, $DC, $D0, $4B, $00, $6A, $04);
CheatID : 41),
(Offset : $473BBC; //Capotecheat(deltacholl)
MemDump :($55, $8B, $EC, $83, $C4, $F4, $B8, $04, $3A, $47, $00, $E8, $E0, $26, $F9, $FF, $A1, $1C, $5C, $47, $00, $8B, $00, $E8, $04, $BE, $FC, $FF, $8B, $0D, $E4, $5C);
CheatID : 42),
(Offset : $55DE8C; //Cheat4Fun v0.9 Beta
MemDump :($87, $DE, $F7, $FA, $9F, $CA, $05, $5D, $83, $67, $02, $86, $59, $BF, $F1, $B6, $5B, $1F, $04, $6E, $79, $00, $18, $57, $8A, $D0, $A6, $FA, $8E, $5A, $E0, $D8);
CheatID : 42)); {here i got bored.. damn}
implementation
end.
and yes, u can detect somesh!t by its threadID
Code:
const
// Seven fixed 32-bit values labelled with tool names and versions.
// NOTE(review): Windows assigns thread IDs when a thread is created, so a fixed
// value would not normally identify a program across runs. These may instead be
// thread start addresses - confirm against the code that consumes the table
// (not shown in the post).
CheatThreads: packed array[0 .. 6] of TThreadList =
(
(TID : $05fe864), //Cheat Engine 5.5
(TID : $051cf40c), //Cheat Engine 5.4
(TID : $044e90), //Cheat Engine 5.6.1
(TID : $062105d4), //Cheat Engine 5.6.1
(TID : $064fe0), //Cheat Engine 5.6.1
(TID : $0611a98), //Sora Engine 2.3
(TID : $4e80) //Sora Engine 2.3
);
For this, credit goes not only to me, but also to my role model Paulo94