[Guide] How to detect Memory hack

[vinleprince]

Today i will share how to detect memory hack. (not pro code but its work. i still newbie in C++)

there is three part.
- how to cheat with memory editor (for test where we need to protect it)
- detect it from server (send value to server then check it)
- detect it from client (clone variable in omi the encypt and compare and calculate ShuttleChild)

----------------------------------
1. how to cheat with memory editor

you can check it out in video. this is some way to cheat with CE.






in the frist video he cheat it with change some ShuttleChild variable. too easy just find some float value and change it. this way they can instant change value.

in the second video he browse the memory to edit some client memory (from omi.tex loaded) with item name and change data like a reatk missile shot. this way they need to reload data with change character. (not instant)
so now we need to take care that point.

for who don't know that ShuttleChild do. i give some guide


(in the source side)

(in the cheater side) * 9B 43 is 310 (in float)

ShuttleChild will load data from memory (from omi.tex) then calculate data (equip item) for that character
ex. load engine booster speed + enchant item bonus + buff bonus = shuttle value



for who don't know that omi.tex loaded i will call CItemInfo

(in the source side) Range is Booster for Engine Item


(in the cheater side) * 36 01 is 310 (in hex)

2. detect memory hack from server (sync data between client)

from ep 4.3 release have some detect function but i tested it not 100% work to detect who is player or cheater. maybe they not release that part i think. so i continue the job from that function.


file list address for newbie


ProjectAtum Side :
go to AtumApplication.cpp looking CAtumApplication::FrameMove() function. this part will loop every half second
declare: every 30 second SendHackTime_EngineInfo will sync data to server

Code:

int nCheckTime = 1000 * 30; // 30 second to sync
     m_dwHackCheckTime += m_fElapsedTime*1000; //count the time in second
if(m_pTutorial->IsTutorialMode() == FALSE && m_dwHackCheckTime > nCheckTime)
{    
    SendHackTime_EngineInfo();     
    m_dwHackCheckTime=0;
}

then in the same file edit this function for send what variable to server

Code:

void CAtumApplication::SendHackTime_EngineInfo() 
{    
    MSG_FC_CHARACTER_GET_REAL_ENGINE_INFO_OK msg_Engine;
    // struct in AtumProtocal.h what variable you need to send go to declare it on there    
    
    CItemInfo* pItemEngine = g_pStoreData->FindItemInInventoryByWindowPos(POS_REAR);
    //get Engine Data From Item if you Equip

    if(pItemEngine)       {        
          msg_Engine.ItemUID0            = pItemEngine->UniqueNumber;      
          msg_Engine.RangeH0            = pItemEngine->GetItemInfo()->Range;
        m_pFieldWinSocket->SendMsg( T_FC_CHARACTER_GET_REAL_ENGINE_INFO_OK, (char*)&msg_Engine, sizeof(msg_Engine));     
    }
}

in the AtumProtocol.h edit variable you need to send (edit both of them client and server atumprotocal.h)

Code:

struct MSG_FC_CHARACTER_GET_REAL_ENGINE_INFO_OK
{
    UID64_t        ItemUID0;
    float        RangeH0;
};

ProjectServer Side:
go to FieldIOCPSocket2.cpp the put this function for compare float variable

Code:

bool cmpf(float A, float B, float epsilon = 0.005f)
{
    return (fabs(A - B) < epsilon);
}

then go to CFieldIOCPSocket::CheckMemoryHackEngine edit what you need to check

Code:

void CFieldIOCPSocket::CheckMemoryHackEngine(ITEM_GENERAL *i_pItemGen, MSG_FC_CHARACTER_GET_REAL_ENGINE_INFO_OK *i_pRealInfo)
{
     if(NULL == i_pItemGen || ITEMKIND_SUPPORT != i_pItemGen->Kind)
        return;

    int getHackCount =0;
     // Omi Check
     if(cmpf(i_pItemGen->ItemInfo->Range , i_pRealInfo->RangeH0) == FALSE) 
             getHackCount++;
    if(getHackCount > 0) 
    {
         CFieldIOCPSocket *pTargetFISoc = ms_pFieldIOCP->GetFieldIOCPSocketByCharacterUniqueNumber(i_pItemGen->Possess);

         if(NULL == pTargetFISoc || FALSE == pTargetFISoc->IsValidCharacter(FALSE))
        {
                //kick failed
        }

                              g_pFieldGlobal->WriteSystemLogEX(TRUE, "[WLOG] kicked %s (%d) \r\n", GetCharacterString(pTargetFISoc->GetCharacter(), string())  ,i_pItemGen->Possess );
      pTargetFISoc->Close(0x14070);

}

3. detect memory hack from client (self check duplicate value with encypt)
later i write again. this time is too many fail with preview



this is sample video what it should look like be

for citeminfo (client check every 1 second and sync every 30 sec)

for shuttle (client check every 1 second and sync every 30 sec)

i hope this will help you guys.

[MentaL]

[Aesir]

Whatever you did here was already made by masang anyway.
This check maybe would block some noob CE kid who tries to edit random values, but once you jump your function (or even worse, your countdown value gets edited) then the whole thing fucks up.

(Oh, and, the 95% of the people who will read this post aren't even able to understand what an header is used for, i'd stop dealing making such advanced tuts.)

[vinleprince]

3. self check
go to AtumApplication.cpp lookingCAtumApplication::FrameMove() function

Code:

int nCheckTimeSelf = 1000 * 1;
m_dwHackCheckTimeSelf +=  m_fElapsedTime*1000;


if(m_pTutorial->IsTutorialMode() == FALSE && m_dwHackCheckTimeSelf > nCheckTimeSelf) {     SendHackTime_Self();       m_dwHackCheckTimeSelf=0;}

go to AtumApplication.h for declare function

Code:

void    SendHackTime_Self();

then back to AtumApplication.cpp put this function some where

Code:

void CAtumApplication::SendHackTime_Self(){
CItemInfo* pItemEngine = g_pStoreData->FindItemInInventoryByWindowPos(POS_REAR);
if(pItemEngine) {

if(pItemEngine->GetItemInfo()->Range != pItemEngine->GetItemInfo()->RangeE
 || pItemEngine->GetItemInfo()->RangeE != pItemEngine->GetItemInfo()->RangeE2 - 6
 || (pItemEngine->GetItemInfo()->RangeE2 - 6 ) != 
(g_pShuttleChild->m_fShuttleSpeedBoosterOn - g_pShuttleChild->GetEnchantDesParam(pItemEngine, DES_ENGINE_BOOSTER_SPEED_UP)) ) 
{
     char tmpRange[200];
     sprintf(tmpRange, "Range Engine : [%d] [%d] [%d] [%d]", pItemEngine->GetItemInfo()->Range, pItemEngine->GetItemInfo()->RangeE, (pItemEngine->GetItemInfo()->RangeE2 - 6), g_pShuttleChild->m_fShuttleSpeedBoosterOn - g_pShuttleChild->GetEnchantDesParam(pItemEngine, DES_ENGINE_BOOSTER_SPEED_UP));
     g_pD3dApp->m_pChat->CreateChatChild(tmpRange, COLOR_SYSTEM); 
}


if (cmpf(g_pShuttleChild->m_fRealShuttleSpeedBoosterOn , (g_pShuttleChild->m_fShuttleSpeedBoosterOn + (0.0f + GetParamFactor_DesParam( g_pShuttleChild->m_paramFactor, DES_ENGINE_BOOSTER_SPEED_UP) ) )  *
(1.0f + GetParamFactor_DesParam( g_pShuttleChild->m_paramFactor, DES_SPEED) ) ) == FALSE && pItemArmor ) 
{

MessageBox(NULL, "Error #000016 Engine Booster Speed Hack", "Error", MB_OK);                       

}

}

declare this part: you need to edit export omi.tex function. go to AtumDBHelper.cpp in commonserver

Code:

void CAtumDBHelper::BindColITEM(SQLHSTMT &hstmt, ITEM &item, SQLINTEGER *cb)

make duplicate fields name with encypt formula for self check data

if data one hacked you can compare it with data two. in this guide i make it for three.

ex. If(DATA1 != DATA2 || DATA2 != (DATA3 - X ) || ETC for combo check with shuttle)

anyway this code in part two it already did by masang but they didn't check about shuttle that why it not work.

[decarvk]

I think Aesir wish to say if the cheater edit the call to your function (certainly an assembly jmp) and set a "nop" your check will never happened and the player will be able to cheat.

[Davidc96]

I think Aesir wish to say if the cheater edit the call to your function (certainly an assembly jmp) and set a "nop" your check will never happened and the player will be able to cheat.

Maybe one solution to this problem and the countdown value edition is make the server do the sync request, not the client, just like this:

Server ticks 30 s
Server sends to the client a sync request message
Client response with the info
Server do the stuff it does with the info

To avoid the bypass function another solution would be if the Server doesn't receive the client response, close the connection or something like that.
This is one of many possible fixes to solve it, probably the worst, but is one solution anyway xd

[St34lth4ng3l]

Well, you could replace every call with nop, so it doesn't matter how you do it, because as long as it's done in a seperate method you could simply replace it, as long as you bypass the checksum check and thats not very difficult to do.