Methods of anticheat

  1. #1 IDEEKAY (Valued Member, joined May 2008, 137 posts)

    Methods of anticheat

    1. As you know most injectors are coded to the fact that the dll would be loaded w/ LdrLoadDll(); or LoadLibrary(); in your own memory space. Easy solution, hook LdrLoadDll in r0 and use PsGetCurrentProcess(); and check if it's from your process or hook LdrLoadDll(); & LoadLibrary(); in r3;

    2. You can't get a window process handle without using OpenProcess(), correct? Hook ZwOpenProcess in r0 & filter it with PsGetCurrentProcess();

    3. Even if they bypass that, thank god they'll use KeStackAttachProcess. This could be used to prevent memory editing software like ArtMoney, Cheat Engine... etc.

    4. Memory validations, well if you hate memory editors and somehow they bypassed all of the above you could do a simple MD5 or SHA-1 or SHA-2 of the memory, but don't check it in via client-side code, which can just be a simple ZF away from being bypassed. What you could do is create a packet w/ the hash + timestamps for a more secure packet. Packet encryption is optional, but recommended.

    5. Never, never, never, never use FindWindows(); or traverse the module or process list. It is one of the stupidest methods to detect a cheat.

    6. Once a function is called the data would be in the stack until popped out or the process ends. Simple... Set up your prologue
    [code]
    mov edi, edi      ; 2-byte hot-patch padding (not needed, see below)
    push ebp          ; save the caller's frame pointer
    mov ebp, esp      ; make ebp point at the new frame
    [/code]

    mov edi, edi isn't needed.

    To read the stack's data just extract the data from ebp and increment by 0x4 bytes for every parameter.

    :)


  2. #2 frenchfatcat (Account Upgraded | Title Enabled!, joined Dec 2008, 229 posts)

    Re: Methods of anticheat

    thanks for this, it is very interesting, however! i believe most people that WOULD use this already know this, but again, thanks for this:-)

  3. #3 robertinh07 (Valued Member, joined Dec 2008, 106 posts)

    Re: Methods of anticheat

    thanks guy =D

  4. #4 cerealnp (Account Upgraded | Title Enabled!, joined Apr 2006, Brazil, 441 posts)

    Re: Methods of anticheat

    Thanks, didn't know about the KeStackAttachProcess thing =D

  5. #5 alfredao (Account Upgraded | Title Enabled!, joined Jan 2008, Coronel Fabrici, 705 posts)

    Re: Methods of anticheat

    Very NicE!

  6. #6 ThievingSix (Reverse Engineer, joined Mar 2007, California, 901 posts)

    Re: Methods of anticheat

    Wait Wait Wait! Aren't you that retarded guy that posted the iProtect with the photoshop'd screenshot? Is this the stuff you failed to do?

  7. #7 XZeenon (WowIwasSuperCringeB4, joined Jun 2008, Canada, 1,405 posts)

    Re: Methods of anticheat

    Quote Originally Posted by ThievingSix:
        Wait Wait Wait! Aren't you that retarded guy that posted the iProtect with the photoshop'd screenshot? Is this the stuff you failed to do?
    LOOOOOL heh T6 has a point

  8. #8 cerealnp (Account Upgraded | Title Enabled!, joined Apr 2006, Brazil, 441 posts)

    Re: Methods of anticheat

    Quote Originally Posted by ThievingSix:
        Wait Wait Wait! Aren't you that retarded guy that posted the iProtect with the photoshop'd screenshot? Is this the stuff you failed to do?
    Lol'd about that.

  9. #9 alfredao (Account Upgraded | Title Enabled!, joined Jan 2008, Coronel Fabrici, 705 posts)

    Re: Methods of anticheat

    Quote Originally Posted by ThievingSix:
        wait wait wait! Aren't you that retarded guy that posted the iprotect with the photoshop'd screenshot? Is this the stuff you failed to do?
    rofl!! :d

  10. #10 ThePhailure772 (Mako is insane., joined Sep 2007, 1,115 posts)

    Re: Methods of anticheat

    Quote Originally Posted by ThievingSix:
        Wait Wait Wait! Aren't you that retarded guy that posted the iProtect with the photoshop'd screenshot? Is this the stuff you failed to do?
    I lol'd, but he failed to realize something. Hook a module and make it call LoadLibraryA() :P

  11. #11 Team Dragon (Infraction Banned, joined May 2009, 96 posts)

    Re: Methods of anticheat

    that's it? ROFL? good luck with +post

  12. #12 ThePhailure772 (Mako is insane., joined Sep 2007, 1,115 posts)

    Re: Methods of anticheat

    Quote Originally Posted by Team Dragon:
        that's it? ROFL? good luck with +post
    Grow up you fucking idiot. Your spam is quite annoying.

  13. #13 Guy (Account Upgraded | Title Enabled!, joined Apr 2009, 919 posts)

    Re: Methods of anticheat

    Quote Originally Posted by IDEEKAY:
        1. As you know most injectors are coded to the fact that the dll would be loaded w/ LdrLoadDll(); or LoadLibrary(); in your own memory space. Easy solution, hook LdrLoadDll in r0 and use PsGetCurrentProcess(); and check if it's from your process or hook LdrLoadDll(); & LoadLibrary(); in r3;

        2. You can't get a window process handle without using OpenProcess(), correct? Hook ZwOpenProcess in r0 & filter it with PsGetCurrentProcess();

        3. Even if they bypass that, thank god they'll use KeStackAttachProcess. This could be used to prevent memory editing software like ArtMoney, Cheat Engine... etc.

        4. Memory validations, well if you hate memory editors and somehow they bypassed all of the above you could do a simple MD5 or SHA-1 or SHA-2 of the memory, but don't check it in via client-side code, which can just be a simple ZF away from being bypassed. What you could do is create a packet w/ the hash + timestamps for a more secure packet. Packet encryption is optional, but recommended.

        5. Never, never, never, never use FindWindows(); or traverse the module or process list. It is one of the stupidest methods to detect a cheat.

        6. Once a function is called the data would be in the stack until popped out or the process ends. Simple... Set up your prologue
        [code]
        mov edi, edi      ; 2-byte hot-patch padding (not needed, see below)
        push ebp          ; save the caller's frame pointer
        mov ebp, esp      ; make ebp point at the new frame
        [/code]

        mov edi, edi isn't needed.

        To read the stack's data just extract the data from ebp and increment by 0x4 bytes for every parameter.

        :)
    1) Remove the hook, or replace the overwritten bytes via assembly, jumping over the hook.
    2) Use the same method in number one.
    3) Number one, again.
    4) The check is still client-sided, whether or not it's sent to the server to validate. Create a table of valid hashes and set the checksum function to return each hash, depending on which segment is requested.
    5) Signature scanning tactics in general will always fail.
    6) Pointless tip.

    Aren't you the same guy who posted a photoshopped image of his "anti-cheat"?
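
An added example, not code from this thread and not from IDEEKAY's own protector, of the hash-plus-timestamp packet described in point 4 of the first post, with the weakness raised in point 4 of the rebuttal above taken into account: the server chooses which region is hashed and supplies a single-use nonce, the client hashes that region and MACs the report together with a timestamp, and the server checks the MAC, the freshness window and the digest against a known-good copy of the image. Written in Python so it runs anywhere; GOOD_IMAGE, SESSION_KEY and MAX_SKEW_MS are constructed values, and a real client would hash the mapped .text pages of the game module and derive the key at login.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed stand-in for the client's code section (4 KiB of deterministic bytes).
GOOD_IMAGE = bytes((i * 37 + 11) & 0xFF for i in range(4096))
SESSION_KEY = b"constructed-per-session-key"   # assumption: shared secret derived at login
MAX_SKEW_MS = 5_000                             # assumption: accepted clock skew / transit time


def make_challenge(image_size, rng=os.urandom):
    """Server side: pick a random region of the image and a single-use nonce."""
    length = 256 + int.from_bytes(rng(2), "little") % 768        # 256..1023 bytes
    offset = int.from_bytes(rng(4), "little") % (image_size - length)
    return offset, length, rng(16)


def build_report(image, key, challenge, now_ms):
    """Client side: hash the requested region and bind it to nonce, time and region."""
    offset, length, nonce = challenge
    digest = hashlib.sha256(image[offset:offset + length]).digest()
    header = struct.pack("<QII", now_ms, offset, length)          # 16 bytes
    tag = hmac.new(key, nonce + header + digest, hashlib.sha256).digest()
    return header + digest + tag                                   # 16 + 32 + 32 = 80 bytes


def verify_report(report, good_image, key, challenge, now_ms):
    """Server side: authenticate first, then freshness, then compare with the known-good image.

    Returns a short verdict string so callers can log or act on the exact failure.
    """
    if len(report) != 80:
        return "malformed"
    header, digest, tag = report[:16], report[16:48], report[48:]
    offset, length, nonce = challenge
    expected_tag = hmac.new(key, nonce + header + digest, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return "bad_mac"            # wrong key, or report edited in transit
    ts, r_off, r_len = struct.unpack("<QII", header)
    if (r_off, r_len) != (offset, length):
        return "wrong_region"       # answered a different challenge
    if abs(now_ms - ts) > MAX_SKEW_MS:
        return "stale"              # old report replayed, or clock far off
    expected = hashlib.sha256(good_image[offset:offset + length]).digest()
    if not hmac.compare_digest(digest, expected):
        return "tampered"           # region differs from the known-good image
    return "ok"


def demo():
    """Run one clean check, one against a patched image, and one replayed report."""
    chal = make_challenge(len(GOOD_IMAGE))
    now = int(time.time() * 1000)
    clean = verify_report(build_report(GOOD_IMAGE, SESSION_KEY, chal, now),
                          GOOD_IMAGE, SESSION_KEY, chal, now)
    patched = bytearray(GOOD_IMAGE)
    patched[chal[0]] ^= 0xFF        # one byte inside the challenged region changed
    edited = verify_report(build_report(bytes(patched), SESSION_KEY, chal, now),
                           GOOD_IMAGE, SESSION_KEY, chal, now)
    replay = verify_report(build_report(GOOD_IMAGE, SESSION_KEY, chal, now - 60_000),
                           GOOD_IMAGE, SESSION_KEY, chal, now)
    return clean, edited, replay


if __name__ == "__main__":
    print(demo())
```

Because the server chooses the region and the nonce per check, a fixed table of precomputed hashes is not enough to answer on its own; a client that keeps an untouched copy of the image can still answer correctly, so this is a detection for ordinary memory editors rather than proof of an unmodified process. The key must be per session and the transport encrypted, as the post recommends, otherwise a captured report can be resent inside the skew window.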

  14. #14 00niels00 (Account Upgraded | Title Enabled!, joined Sep 2008, The Netherlands, 1,041 posts)

    Re: Methods of anticheat

    I don't know what to think about this. But can you give a sample of hiding the process or something?

  15. #15 IDEEKAY (Valued Member, joined May 2008, 137 posts)

    Re: Methods of anticheat

    Rofl @ post. It wasn't failed, it did what it was meant to do, prevent dll injection. What else would you want it to do? Not my fault if you idiots didn't know how to edit the GunZ client for it to work.
