pszenica (wheat) AntiCheat

Page 1 of 4 1234 LastLast
Results 1 to 15 of 60
  1. #1
    Enthusiast mirraseq is offline
    Rank: Member
    Join Date: Nov 2008
    Location: Poland
    Posts: 35

    pszenica (wheat) AntiCheat

    Hi, I want to share the sh!t anticheat I wrote. It may be useless, but I just want to release or share something :D

    Read !README! before asking for something ;)

    Advantages:
    • simple creator, you won't miss any step
    • AntiCheat in main, not DLL
    • unlimited cheat dumps and captions to add
    • checking for player.bmd file


    Disadvantages:
    • AntiCheat is not scanning hidden processes
    • AntiCheat is not preventing checksum bypass (2 min and bypassed)
    • AntiCheat is not checking code/function hooks and DLL injections


    AntiCheat tested on:
    • main CHS 0.97d
    • main ENG 1.02c
    • main CHS 1.02k
    • main JPN 1.03k (season 4)
    • main JPN 1.03.25 (season 5)
    • main JPN 1.03l


    Changelog:
    • v. 1.0.0.8: added main.exe kill code after cheat detection (3 seconds)
    • v. 1.0.0.8: translated cheat database editbox captions
    • increased dump database (copied from someone here, 400+ cheat dumps; I don't remember his nickname, sry)
    • v. 1.0.0.9: fixed IAT reading (by OriginalFirstThunk and ThunkValue)


    I'll continue this project when I get more time. If you don't like it, I don't care. It's training for me :P
    Attached Files
    Last edited by mirraseq; 22-05-14 at 11:23 AM.


  2. #2
    RZ's most loyal knight Dios is offline
    Rank: Moderator
    Join Date: Apr 2005
    Location: Argentina
    Posts: 5,238

    Re: pszenica (wheat) AntiCheat

    Approved.

  3. #3
    NN - Nord & Noob mauka is online now
    Rank: Member
    Join Date: Jul 2004
    Posts: 1,729

    Re: pszenica (wheat) AntiCheat

    gratz MirraseQ, why the new name of AH?

    Edited: ok, I noted that it's not the same AH :]]
    Last edited by mauka; 19-12-10 at 01:04 AM.

  4. #4
    Account Upgraded | Title Enabled! palco is offline
    Rank: Member
    Join Date: Jun 2006
    Posts: 240

    Re: pszenica (wheat) AntiCheat

    Thanks, mirraseq, for your free release!

    Check why, after detecting a cheat, main.exe continues to work and is not closed or killed.

  5. #5
    Member LoveMU is offline
    Rank: Member
    Join Date: Dec 2010
    Posts: 53

    Re: pszenica (wheat) AntiCheat

    Does this release include a speed hack?

  6. #6
    Mulegend Server Mulegend is offline
    Rank: Member
    Join Date: May 2006
    Location: Montevideo - Uruguay
    Posts: 461

    Re: pszenica (wheat) AntiCheat

    WOW, so nice :)

  7. #7
    Apprentice anniston is offline
    Rank: Member
    Join Date: Apr 2009
    Posts: 9

    Re: pszenica (wheat) AntiCheat

    Quote Originally Posted by palco:
    Thanks, mirraseq, for your free release!

    Check why, after detecting a cheat, main.exe continues to work and is not closed or killed.
    +1
    After detecting a cheat, main is not closed.

  8. #8
    gooby pls Phant0m is offline
    Rank: Member
    Join Date: Mar 2008
    Location: Argentina
    Posts: 1,498

    Re: pszenica (wheat) AntiCheat

    This is a very interesting piece of work.
    Would you mind posting the code? I'd like to see how it works, and maybe if you make it open source more features can be added. :)

  9. #9
    Mulegend Server Mulegend is offline
    Rank: Member
    Join Date: May 2006
    Location: Montevideo - Uruguay
    Posts: 461

    Re: pszenica (wheat) AntiCheat

    Yep, but I think he doesn't share the src code.

  10. #10
    Enthusiast mirraseq is offline
    Rank: Member
    Join Date: Nov 2008
    Location: Poland
    Posts: 35

    Re: pszenica (wheat) AntiCheat

    Updated today, it's now closing main.exe :P (3 seconds after detecting).

    @Mulegend: I cannot answer your PM (need 15 posts), so I'll answer here. Thank you for offering me help, but I'll try to do the hidden process scan by myself ;)

    @LoveMu, only if you add a speedhack dump or caption.

    @darckalan, it's too big a code mess to be released ^_^ The anticheat code creation is not attractive (stupid method).

    So how does it work? I hardcoded the functions as binary (x86). Then I just recalculate the calls outside the current function. It also allocates all constants and variables in the same section. Because some functions are lacking in main's IAT, I created an additional table for the anticheat imports, and it's filled at the beginning (you can see a lot of calls to LoadLibrary and GetProcAddress at the beginning). I know it's also stupid and the better way is using the game IAT and then restoring it, but I'm still learning :P I'm gonna make a 2nd version with this feature too ;)

    The following asm pseudo-code is used:
    Code:
    ;it's pseudo-code
    
    ;void KillMainThread
    KillMainThread:
    	PUSH 0BB8h ;3000 dec
    	CALL DWORD PTR DS:[Sleep] ;Sleep is pointer to Kernel32.Sleep
    	PUSH 1
    	CALL DWORD PTR DS:[ExitProcess] ;same as Sleep
    	MOV EAX, DWORD PTR DS:[RandomValue] ;EAX = random value, generated while creating code
    	CALL EAX ;crash thread
    	RETN
    	
    ;void CheatDetected
    CheatDetected:
    	PUSH ESP ;lpThreadId (unused stack slot)
    	PUSH 0   ;dwCreationFlags
    	PUSH 0   ;lpParameter
    	PUSH KillMainThread ;lpStartAddress
    	PUSH 0   ;dwStackSize
    	PUSH 0   ;lpThreadAttributes
    	CALL DWORD PTR DS:[CreateThread]
    	PUSH 10h ;MB_ICONERROR
    	PUSH msgTitle
    	PUSH msgText
    	PUSH strMU
    	PUSH 0
    	CALL DWORD PTR DS:[FindWindowA] ;FindWindowA(NULL, strMU) = game window
    	PUSH EAX
    	CALL DWORD PTR DS:[MessageBoxA]
    	MOV EAX, DWORD PTR DS:[RandomValue] ;same as KillMainThread
    	CALL EAX ;and also crash
    	RETN
    	
    ;void ScanWindowThread
    ScanWindowThread:
    	PUSH EBX
    	PUSH ESI
    ThreadLoop:
    	MOV ESI, NumberOfAllCaptions
    	MOV EBX, FirstCaption ;beginning of caption table
    @Loop:
    	MOV EAX, DWORD PTR DS:[EBX]
    	PUSH EAX
    	PUSH 0
    	CALL DWORD PTR DS:[FindWindowA] ;FindWindowA(NULL, caption)
    	TEST EAX, EAX
    	JE SHORT Continue
    	CALL CheatDetected
    Continue:
    	ADD EBX, 4
    	DEC ESI
    	JNZ SHORT @Loop
    	PUSH ScanWindowThreadDelay
    	CALL DWORD PTR DS:[Sleep]
    	JMP SHORT ThreadLoop ;endless loop, the code below is never reached
    	POP ESI
    	POP EBX
    	RETN
    	
    ;bool ScanProcessMemory(DWORD hHandle)
    ;Dump in table: 4 bytes for address, 32 bytes for dump data = 36 bytes total
    ScanProcessMemory:
    	PUSH EBP
    	MOV EBP, ESP
    	ADD ESP, -8 ;2 dwords on stack to use: [EBP-4] = i, [EBP-8] = dwRead
    	PUSH EBX
    	PUSH ESI
    	PUSH EDI
    	XOR EBX, EBX ;result = false
    	MOV DWORD PTR SS:[EBP-4], NumberOfDumps
    	MOV ESI, FirstDump ;table beginning
    DumpCheck:
    	LEA EAX, DWORD PTR SS:[EBP-8]
    	PUSH EAX ;dwRead
    	PUSH 20h ;32 dec = buf size
    	PUSH WorkBuf ;allocated 32 bytes
    	MOV EAX, DWORD PTR DS:[ESI]
    	PUSH EAX ;current dump address
    	MOV EAX, DWORD PTR SS:[EBP+8]
    	PUSH EAX ;hHandle
    	CALL DWORD PTR DS:[ReadProcessMemory]
    	TEST EAX, EAX ;if the read failed, WorkBuf holds stale data: skip this dump
    	JE SHORT CheckNext
    	MOV DWORD PTR SS:[EBP-8], 20h ;dwRead = 32, it's decreased for every byte that is equal
    	MOV EDI, 20h ;loop- for (i = 32;...)
    	LEA EAX, DWORD PTR DS:[ESI+4] ;current dump bytes
    	MOV EDX, WorkBuf ;beginning of buf (WorkBuf[j], EDX = j)
    Compare:
    	MOV CL, BYTE PTR DS:[EAX] ;CL = Dump[i]->DumpBytes[j]
    	CMP CL, BYTE PTR DS:[EDX] ;if (Dump[i]->DumpBytes[j] == WorkBuf[j])
    	JNZ SHORT NotEqual
    	DEC DWORD PTR SS:[EBP-8] ;--dwRead
    NotEqual:
    	INC EDX
    	INC EAX
    	DEC EDI
    	JNZ SHORT Compare
    	CMP DWORD PTR SS:[EBP-8], 0 ;if (dwRead == 0) { return true }
    	JNZ SHORT CheckNext
    	MOV BL, 1 ;result = true
    	JMP SHORT ScanProcessMemoryEnd
    CheckNext:
    	ADD ESI, 24h ;advance ESI by 36 bytes to the next dump
    	DEC DWORD PTR SS:[EBP-4] ;--i
    	JNZ SHORT DumpCheck
    ScanProcessMemoryEnd:
    	MOV EAX, EBX ;return result
    	POP EDI
    	POP ESI
    	POP EBX
    	POP ECX ;free the 2 local dwords
    	POP ECX
    	POP EBP
    	RETN 4 ;one dword as argument on stack
    	
    
    ;void ScanProcessThread
    ScanProcessThread:
    	PUSH EBX
    	PUSH ESI
    	PUSH EDI
    	ADD ESP, -128h ;PROCESSENTRY32 pe (sizeof = 128h = 296 dec)
    	MOV EDI, ESP
    SPThreadLoop:
    	PUSH 0 ;th32ProcessID
    	PUSH 2 ;TH32CS_SNAPPROCESS
    	CALL DWORD PTR DS:[CreateToolhelp32Snapshot]
    	MOV EBX, EAX ;hSnapshot = CreateToolhelp32Snapshot
    	CMP EAX, -1
    	JE SHORT InvalidSnapshot ;if (hSnapshot == INVALID_HANDLE_VALUE) goto InvalidSnapshot
    	MOV DWORD PTR DS:[EDI], 128h ;pe->dwSize = sizeof(PROCESSENTRY32)
    	PUSH EDI ;pe
    	PUSH EBX ;hSnapshot
    	CALL DWORD PTR DS:[Process32First]
    	TEST AL, AL
    	JE NoMoreProcesses
    SnapLoop:
    	MOV EAX, DWORD PTR DS:[EDI+8] ;EAX = pe->th32ProcessID
    	PUSH EAX     ;pe->th32ProcessID
    	PUSH 0       ;bInheritHandle = false
    	PUSH 1F0FFFh ;PROCESS_ALL_ACCESS
    	CALL DWORD PTR DS:[OpenProcess]
    	MOV ESI, EAX ;hProcess = OpenProcess
    	TEST ESI, ESI
    	JE SHORT OpenProcessFail
    	PUSH ESI
    	CALL ScanProcessMemory
    	TEST AL, AL
    	JE SHORT ProcessClear
    	CALL CheatDetected
    ProcessClear:
    	PUSH ESI ;hProcess
    	CALL DWORD PTR DS:[CloseHandle] ;don't leak one handle per scanned process
    OpenProcessFail:
    	PUSH EDI ;pe
    	PUSH EBX ;hSnapshot
    	CALL DWORD PTR DS:[Process32Next]
    	TEST AL, AL
    	JNZ SHORT SnapLoop
    NoMoreProcesses:
    	PUSH EBX ;hSnapshot
    	CALL DWORD PTR DS:[CloseHandle]
    InvalidSnapshot:
    	PUSH ScanProcessThreadDelay
    	CALL DWORD PTR DS:[Sleep]
    	JMP SHORT SPThreadLoop ;endless loop, the code below is never reached
    	ADD ESP, 128h
    	POP EDI
    	POP ESI
    	POP EBX
    	RETN
    	
    
    ;void PlayerBMDCheck
    PlayerBMDCheck:
    	PUSH EBX       ;save EBX, used as hHandle
    	PUSH ESI       ;save ESI, used as fSize
    	PUSH 0         ;hTemplateFile
    	PUSH 80h       ;FILE_ATTRIBUTE_NORMAL
    	PUSH 3         ;OPEN_EXISTING
    	PUSH 0         ;lpSecurityAttributes
    	PUSH 1         ;FILE_SHARE_READ
    	PUSH 80000000h ;GENERIC_READ
    	PUSH PlayerBMDPath ;Data\Player\player.bmd
    	CALL DWORD PTR DS:[CreateFileA]
    	MOV EBX, EAX ;hHandle = CreateFileA
    	PUSH 0   ;lpFileSizeHigh
    	PUSH EBX ;hHandle
    	CALL DWORD PTR DS:[GetFileSize]
    	MOV ESI, EAX ;fSize = GetFileSize
    	PUSH EBX ;hHandle
    	CALL DWORD PTR DS:[CloseHandle]
    	CMP ESI, DWORD PTR DS:[PlayerBMDSize] ;PlayerBMDSize const
    	JE PlayerCheckSuccess
    	PUSH 10h ;MB_ICONERROR
    	PUSH playermsgTitle
    	PUSH playermsgText
    	PUSH strMU
    	PUSH 0
    	CALL DWORD PTR DS:[FindWindowA]
    	PUSH EAX
    	CALL DWORD PTR DS:[MessageBoxA]
    	PUSH 1
    	CALL DWORD PTR DS:[ExitProcess]
    PlayerCheckSuccess:
    	POP ESI
    	POP EBX
    	RETN
    	
    
    ;void AntiCheatStartup
    AntiCheatStartup:
    	PUSH ECX ;reserve one dword on stack for hModule
    	PUSH strKernel32
    	CALL DWORD PTR DS:[LoadLibraryA] ;LoadLibraryA address is taken from the IAT during analysis in the creator
    	MOV DWORD PTR SS:[ESP], EAX      ;hModule = LoadLibrary
    	PUSH strExitProcess
    	MOV EAX, DWORD PTR SS:[ESP+4]
    	PUSH EAX ;hModule
    	CALL DWORD PTR DS:[GetProcAddress]
    	MOV DWORD PTR DS:[IAT[0]], EAX ;IAT[0] = ExitProcess
    	
    	PUSH strSleep
    	MOV EAX, DWORD PTR SS:[ESP+4]
    	PUSH EAX ;hModule
    	CALL DWORD PTR DS:[GetProcAddress]
    	MOV DWORD PTR DS:[IAT[1]], EAX ;IAT[1] = Sleep
    	
    	... ;it's repeated for every import, I won't write all of this :P
    	    ;loaded modules: 2- kernel32.dll and user32.dll, I know I should use a loop :P
    	
    	PUSH ESP
    	PUSH 0
    	PUSH 0
    	PUSH ScanWindowThread
    	PUSH 0
    	PUSH 0
    	CALL DWORD PTR DS:[CreateThread]
    	PUSH ESP
    	PUSH 0
    	PUSH 0
    	PUSH ScanProcessThread
    	PUSH 0
    	PUSH 0
    	CALL DWORD PTR DS:[CreateThread]
    	CALL PlayerBMDCheck
    	PUSH OEP ;Original Entry Point
    	RETN     ;JMP OEP by PUSH+RET method
    	POP EDX
    	RETN
    Last edited by mirraseq; 22-12-10 at 11:32 AM.
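    The ScanProcessMemory routine above is the core of the detector: a table of 36-byte entries (4-byte address + 32 signature bytes), each read from the target with ReadProcessMemory and compared byte for byte. The same logic in portable C, as an added example that is not mirraseq's code and not part of the release: it keeps the posted table layout, replaces ReadProcessMemory with a bounds-checked read over a constructed in-memory image so it runs offline, and treats a failed or short read as "no match" instead of comparing whatever the work buffer held from the previous entry. All names (`scan_dump_table`, `fake_proc`, `demo_scan`) and the sample bytes are my own.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define DUMP_BYTES 32
#define DUMP_ENTRY (4 + DUMP_BYTES)   /* 36-byte entries, as in the posted table */

/* Stand-in for ReadProcessMemory: copies up to len bytes at addr into buf and
 * returns how many bytes were copied (0 on failure). */
typedef size_t (*read_fn)(void *ctx, uint32_t addr, uint8_t *buf, size_t len);

/* Fake target process so the example runs offline (constructed data). */
typedef struct {
    uint32_t base;
    const uint8_t *mem;
    size_t size;
} fake_proc;

static size_t fake_read(void *ctx, uint32_t addr, uint8_t *buf, size_t len)
{
    const fake_proc *p = ctx;
    if (addr < p->base || addr - p->base >= p->size) return 0;   /* unmapped */
    size_t off = addr - p->base, avail = p->size - off;
    size_t n = len < avail ? len : avail;                         /* short read at the end */
    memcpy(buf, p->mem + off, n);
    return n;
}

/* Little-endian address field at the start of each dump entry. */
static uint32_t entry_addr(const uint8_t *e)
{
    return (uint32_t)e[0] | (uint32_t)e[1] << 8 | (uint32_t)e[2] << 16 | (uint32_t)e[3] << 24;
}

/* Walk the table; return the index of the first entry whose 32 signature bytes
 * equal the target's memory at the entry's address, or -1 if none matches.
 * A failed or short read counts as "no match": the posted asm ignores the
 * ReadProcessMemory result and would compare stale WorkBuf contents. */
int scan_dump_table(const uint8_t *table, size_t n_entries, read_fn rd, void *ctx)
{
    uint8_t work[DUMP_BYTES];
    for (size_t i = 0; i < n_entries; i++) {
        const uint8_t *e = table + i * DUMP_ENTRY;
        size_t got = rd(ctx, entry_addr(e), work, DUMP_BYTES);
        if (got != DUMP_BYTES) continue;
        if (memcmp(work, e + 4, DUMP_BYTES) == 0) return (int)i;
    }
    return -1;
}

/* Append one entry (address + 32 signature bytes) to a table buffer. */
static void put_entry(uint8_t *table, size_t idx, uint32_t addr, const uint8_t *sig)
{
    uint8_t *e = table + idx * DUMP_ENTRY;
    e[0] = addr & 0xff; e[1] = (addr >> 8) & 0xff;
    e[2] = (addr >> 16) & 0xff; e[3] = (addr >> 24) & 0xff;
    memcpy(e + 4, sig, DUMP_BYTES);
}

/* Builds a 64-byte constructed image at 0x00401000 and a 3-entry table:
 * entry 0 points at an unmapped address (read fails), entry 1 at the last
 * 16 bytes of the image (short read), entry 2 matches bytes 16..47.
 * Returns 2. */
int demo_scan(void)
{
    uint8_t image[64];
    for (int i = 0; i < 64; i++) image[i] = (uint8_t)(0xA0 + i);
    fake_proc proc = { 0x00401000u, image, sizeof image };

    uint8_t table[3 * DUMP_ENTRY];
    put_entry(table, 0, 0x00500000u, image);             /* unmapped address */
    put_entry(table, 1, 0x00401000u + 48, image + 16);   /* only 16 bytes readable */
    put_entry(table, 2, 0x00401000u + 16, image + 16);   /* real match */
    return scan_dump_table(table, 3, fake_read, &proc);
}

/* Same scan against an image whose bytes differ from the signature: returns -1. */
int demo_no_match(void)
{
    uint8_t image[64];
    memset(image, 0x90, sizeof image);
    fake_proc proc = { 0x00401000u, image, sizeof image };
    uint8_t sig[DUMP_BYTES];
    memset(sig, 0xCC, sizeof sig);
    uint8_t table[DUMP_ENTRY];
    put_entry(table, 0, 0x00401000u, sig);
    return scan_dump_table(table, 1, fake_read, &proc);
}

int main(void)
{
    printf("demo_scan -> %d (expected 2)\n", demo_scan());
    printf("demo_no_match -> %d (expected -1)\n", demo_no_match());
    return 0;
}
```

    On Windows the `read_fn` slot would be a thin wrapper around ReadProcessMemory that returns the bytes-read count and 0 on FALSE; the table parsing and comparison stay identical. Checking that count is what keeps a process that cannot be read (access denied, unmapped page) from being compared against the previous entry's data.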

  11. #11
    Valued Member dante147 is offline
    Rank: Member
    Join Date: Aug 2007
    Location: Germany 1933
    Posts: 108

    Re: pszenica (wheat) AntiCheat

    The anticheat looks very good, it only needs more addons and it will be excellent, but I have a question: does anyone know how to get the dump of a process? Some guide?

  12. #12
    Apprentice anniston is offline
    Rank: Member
    Join Date: Apr 2009
    Posts: 9

    Re: pszenica (wheat) AntiCheat

    Good work!
    Working excellently!

    But if you add anti hidden processes, it will be a bomb! )))

  13. #13
    Apprentice UnitedOne is offline
    Rank: Member
    Join Date: Jul 2010
    Location: Philippines
    Posts: 12

    Re: pszenica (wheat) AntiCheat

    yeah, agreed, I will try this one...

  14. #14
    Enthusiast mirraseq is offline
    Rank: Member
    Join Date: Nov 2008
    Location: Poland
    Posts: 35

    Re: pszenica (wheat) AntiCheat

    dante147, catch the video tut (by my cheat mastah - Gunz aka mauka aka LierningDelphi aka Ronaldo)
    YouTube - Process dumb - memory signature

  15. #15
    Valued Member dante147 is offline
    Rank: Member
    Join Date: Aug 2007
    Location: Germany 1933
    Posts: 108

    Re: pszenica (wheat) AntiCheat

    Quote Originally Posted by mirraseq:
    dante147, catch the video tut (by my cheat mastah - Gunz aka mauka aka LierningDelphi aka Ronaldo)
    YouTube - Process dumb - memory signature
    OMG IT IS VERY EASY AND VERY USEFUL! THANKS!!


