Methods of anticheat

Status
Not open for further replies.
Newbie Spellweaver (joined May 24, 2008; 85 messages; 5 reaction score)
1. As you know most injectors are coded to the fact that the dll would be loaded w/ LdrLoadDll(); or LoadLibrary(); in your own memory space. Easy solution, hook LdrLoadDll in r0 and use PsGetCurrentProcess(); and check if it's from your process or hook LdrLoadDll(); & LoadLibrary(); in r3;

2. You can't get a window process handle without using OpenProcess(), correct? Hook ZwOpenProcess in r0 & filter it with PsGetCurrentProcess();

3. Even if they bypass that, thank god they'll use . This could be used to prevent memory editing software like ArtMoney, Cheat Engine... etc.

4. Memory validations: well, if you hate memory editors and somehow they bypassed all of the above, you could do a simple MD5 or SHA-1 or SHA-2 of the memory, but don't check it client-side, which can be a simple ZF away from being bypassed. What you could do is create a packet w/ the hash + timestamps for a more secure packet. Packet encryption is optional, but recommended.

5. Never, never, never, never use FindWindows(); or traverse the module or process list. It is one of the stupidest methods to detect a cheat.

6. Once a function is called the data would be in the stack until popped out or the process ends. Simple... Set up your prologue
Code:
mov edi, edi    ; hot-patch no-op, see below
push ebp        ; save the caller's frame pointer
mov ebp, esp    ; ebp now points at the new frame

mov edi, edi isn't needed.

To read the stack's data, just extract the data from ebp and increment by 0x4 bytes for every parameter.

:)
 
Thanks for this, it is very interesting; however, I believe most people that WOULD use this already know this, but again, thanks for this :-)
 

1) Remove the hook, or replace the overwritten bytes via assembly, jumping over the hook.
2) Use the same method in number one.
3) Number one, again.
4) The check is still client-sided, whether or not it's sent to the server to validate.  Create a table of valid hashes and set the checksum function to return each hash, depending on which segment is requested.
5) Signature scanning tactics in general will always fail.
6) Pointless tip.

Aren't you the same guy who posted a photoshopped image of his "anti-cheat"?
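As an added illustration of item 4 and of the reply's point that the check stays client-sided, here is a constructed client/server exchange in C. It is not code from anyone in this thread. The client only measures a region and sends hash + timestamp; the server holds the golden hashes and makes the decision, and it rejects reports outside a freshness window. FNV-1a is used as a stand-in for the MD5/SHA digest the post suggests, the code region bytes are constructed (they encode the prologue from item 6), and the packet is sent in the clear even though the post recommends encryption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a code region of the client: the encoding of
   mov edi,edi / push ebp / mov ebp,esp / sub esp,10h / xor eax,eax /
   mov esp,ebp / pop ebp / ret. A real client would hash its mapped .text. */
static const uint8_t k_code_region[] = {
    0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10,
    0x33, 0xC0, 0x8B, 0xE5, 0x5D, 0xC3
};

/* FNV-1a stands in for the MD5/SHA digest from the post; the transport
   design is the same whichever digest is used. */
static uint32_t fnv1a32(const uint8_t *p, size_t n) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Wire format of the integrity report: hash + timestamp, as in item 4. */
typedef struct {
    uint16_t segment_id;   /* which region was hashed */
    uint32_t timestamp;    /* client clock, seconds */
    uint32_t hash;
} integrity_packet;

/* Client side only measures and reports. It holds no expected value and
   makes no decision, so there is no single branch in it to flip. */
static integrity_packet client_build_packet(uint16_t segment_id, const uint8_t *region,
                                            size_t n, uint32_t now) {
    integrity_packet pk;
    pk.segment_id = segment_id;
    pk.timestamp  = now;
    pk.hash       = fnv1a32(region, n);
    return pk;
}

/* Server side: golden hashes computed offline from the shipped build and
   never sent to the client. */
typedef struct { uint16_t segment_id; uint32_t expected; } golden_hash;

enum verdict { VERDICT_OK, VERDICT_STALE, VERDICT_UNKNOWN_SEGMENT, VERDICT_MISMATCH };

#define FRESHNESS_WINDOW_SECS 30u

static enum verdict server_verify(const integrity_packet *pk, const golden_hash *table,
                                  size_t n, uint32_t server_now) {
    /* Reports outside the window are dropped: a replayed old "good" report
       and a badly skewed client clock both land here. */
    uint32_t age = server_now >= pk->timestamp ? server_now - pk->timestamp
                                               : pk->timestamp - server_now;
    if (age > FRESHNESS_WINDOW_SECS) return VERDICT_STALE;
    for (size_t i = 0; i < n; i++)
        if (table[i].segment_id == pk->segment_id)
            return table[i].expected == pk->hash ? VERDICT_OK : VERDICT_MISMATCH;
    return VERDICT_UNKNOWN_SEGMENT;
}

/* Three constructed scenarios: 0 = untouched client, 1 = one byte of the
   region changed in memory, 2 = an hour-old report presented again. */
static enum verdict demo_verify(int scenario) {
    golden_hash table[1];
    uint8_t client_copy[sizeof k_code_region];
    uint32_t client_now = 1000000u, server_now = 1000005u;   /* 5 s of skew */
    table[0].segment_id = 1;
    table[0].expected   = fnv1a32(k_code_region, sizeof k_code_region);
    memcpy(client_copy, k_code_region, sizeof client_copy);
    if (scenario == 1) client_copy[5] ^= 0xFF;   /* region no longer matches the build */
    if (scenario == 2) client_now -= 3600u;      /* timestamp far outside the window */
    integrity_packet pk = client_build_packet(1, client_copy, sizeof client_copy, client_now);
    return server_verify(&pk, table, 1, server_now);
}

int main(void) {
    static const char *names[] = { "ok", "stale", "unknown segment", "mismatch" };
    for (int sc = 0; sc < 3; sc++)
        printf("scenario %d: %s\n", sc, names[demo_verify(sc)]);
    return 0;
}
```

Moving the comparison to the server removes the client-side branch the post warns about and lets the server discard stale reports, but the digest itself is still produced by the client, which is the reply's objection: a report of this kind is one signal to correlate with others, not proof of an unmodified process.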
 
Rofl @ post. It wasn't failed, it did what it was meant to do, prevent dll injection. What else would you want it to do? Not my fault if you idiots didn't know how to edit the GunZ client for it to work.
 
T6 doesn't know how to edit? Seriously kid, learn your place. You know nothing, or how to do anything.
 
Can't understand 2 and 3, but for 6... where are the arguments of the functions? On EBP or ESP?
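As an added illustration of the frame layout behind item 6 and the question above (not code from anyone in this thread), here is a constructed software model of a 32-bit cdecl call in C: the caller pushes the arguments and the return address, the callee runs push ebp / mov ebp, esp, and the parameters are then read at fixed offsets from ebp. The stack array, register values, argument values and return address 0x401000 are all constructed; the offsets are the ones real x86-32 code uses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a 32-bit x86 stack: 4-byte slots, grows downward.
   Addresses are byte offsets into mem[], standing in for virtual addresses. */
#define STACK_BYTES 256u

typedef struct {
    uint8_t  mem[STACK_BYTES];
    uint32_t esp;   /* stack pointer */
    uint32_t ebp;   /* frame pointer */
} x86_stack;

static void stack_init(x86_stack *s) {
    memset(s->mem, 0, sizeof s->mem);
    s->esp = STACK_BYTES;      /* empty stack: esp sits one past the highest slot */
    s->ebp = 0xAAAAAAAAu;      /* caller's frame pointer, arbitrary constructed value */
}

static void push32(x86_stack *s, uint32_t v) {
    s->esp -= 4;
    memcpy(&s->mem[s->esp], &v, 4);
}

static uint32_t load32(const x86_stack *s, uint32_t addr) {
    uint32_t v;
    memcpy(&v, &s->mem[addr], 4);
    return v;
}

/* Caller side under cdecl: arguments pushed right to left, then CALL pushes
   the return address. */
static void simulate_call(x86_stack *s, const uint32_t *args, int nargs, uint32_t ret_addr) {
    for (int i = nargs - 1; i >= 0; i--)
        push32(s, args[i]);
    push32(s, ret_addr);
}

/* The callee prologue from item 6: push ebp / mov ebp, esp.
   (mov edi, edi is a hot-patch no-op and changes nothing on the stack.) */
static void prologue(x86_stack *s) {
    push32(s, s->ebp);
    s->ebp = s->esp;
}

/* After the prologue: [ebp] = saved ebp, [ebp+4] = return address,
   [ebp+8+4*i] = parameter i. "From ebp, 4 bytes per parameter" therefore
   starts at ebp+8, not at ebp itself. esp keeps moving as the function pushes
   locals, which is why ebp is the stable base for reading arguments. */
static uint32_t read_arg(const x86_stack *s, int i) {
    return load32(s, s->ebp + 8u + 4u * (uint32_t)i);
}

static uint32_t read_return_address(const x86_stack *s) {
    return load32(s, s->ebp + 4u);
}

/* Worked run: f(0x11, 0x22, 0x33) called from constructed return address 0x401000.
   Returns parameter i, or the return address for i < 0. */
static uint32_t demo_frame(int i) {
    x86_stack s;
    uint32_t args[3] = { 0x11u, 0x22u, 0x33u };
    stack_init(&s);
    simulate_call(&s, args, 3, 0x401000u);
    prologue(&s);
    return i < 0 ? read_return_address(&s) : read_arg(&s, i);
}

int main(void) {
    for (int i = 0; i < 3; i++)
        printf("[ebp+%d] = 0x%x\n", 8 + 4 * i, (unsigned)demo_frame(i));
    printf("[ebp+4] = 0x%x (return address)\n", (unsigned)demo_frame(-1));
    return 0;
}
```

The model only reproduces the bookkeeping, not real machine state; on a real 32-bit build with frame pointers enabled the same [ebp+8], [ebp+12], [ebp+16] offsets hold the first three arguments, while builds that omit the frame pointer address them from esp instead.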
 