Download GamersClub Anti-Cheat Information (Driver + user mode module)


iPower

Game Name: CS:GO
Anticheat: GamersClub Anti-Cheat
How long you been coding/hacking?: 1 year
Coding Language: None
Since I haven't posted anything here for a long time, I decided to post my dump + idb for GCSecure.sys, which is the kernel mode driver for GamersClub (CS:GO). Hope someone finds this useful.

Just some quick notes:

-It only registers a notify routine for CreateProcess using PsSetCreateProcessNotifyRoutine that will "wait" for csgo.exe
-Uses ObRegisterCallbacks
-Checks if Disk.sys IoControl Dispatch is hooked, which can be used for hdd serial spoofing. Screenshot
-You can send an IOCTL (Code: 0x2016E040) to the driver to get your process whitelisted. Check the idb for more information about the structures used.


GCSecure.sys virus scan: Antivirus scan for afb12c195b9e343efc51f007379880edffe16ca84f11665493f8a91cf013017e at 2018-10-20 00:59:32 UTC - VirusTotal

GCSECURE_DUMP.sys virus scan: Antivirus scan for 5f67f4a18367a4aba468cc565cae9978491946e6afb5d136f4fa8079d07ea0e9 at 2018-10-20 01:01:35 UTC - VirusTotal
 


iPower

Dumped their user mode module yesterday. Still reversing it but found some interesting things:

-They hook LdrLoadDll to block module loading (could be done from their driver tho. Guess they are just dumb)

(They call GetProcAddress for LdrInitializeThunk but don't do any shit)
Screenshot_1.png


Whitelisted modules:
C++:
int Trust_Dlls()
{
  PUNICODE_STRING v0; // ecx
  PUNICODE_STRING v1; // ecx
  PUNICODE_STRING v2; // ecx
  PUNICODE_STRING v3; // ecx
  PUNICODE_STRING v4; // ecx
  PUNICODE_STRING v5; // ecx
  PUNICODE_STRING v6; // ecx
  PUNICODE_STRING v7; // ecx
  PUNICODE_STRING v8; // ecx
  PUNICODE_STRING v9; // ecx
  PUNICODE_STRING v10; // ecx
  PUNICODE_STRING v11; // ecx
  PUNICODE_STRING v12; // ecx
  PUNICODE_STRING v13; // ecx
  PUNICODE_STRING v14; // ecx
  PUNICODE_STRING v15; // ecx
  PUNICODE_STRING v16; // ecx
  PUNICODE_STRING v17; // ecx
  PUNICODE_STRING v18; // ecx
  PUNICODE_STRING v19; // ecx
  PUNICODE_STRING v20; // ecx
  PUNICODE_STRING v21; // ecx
  PUNICODE_STRING v22; // ecx
  PUNICODE_STRING v23; // ecx
  PUNICODE_STRING v24; // ecx
  PUNICODE_STRING v25; // ecx
  PUNICODE_STRING v26; // ecx
  int v27; // ecx
  int v29; // [esp+4h] [ebp-29Ch]
  __int16 v30; // [esp+8h] [ebp-298h]
  int v31; // [esp+18h] [ebp-288h]
  int v32; // [esp+1Ch] [ebp-284h]
  __int16 v33; // [esp+20h] [ebp-280h]
  int v34; // [esp+30h] [ebp-270h]
  int v35; // [esp+34h] [ebp-26Ch]
  __int16 v36; // [esp+38h] [ebp-268h]
  int v37; // [esp+48h] [ebp-258h]
  int v38; // [esp+4Ch] [ebp-254h]
  __int16 v39; // [esp+50h] [ebp-250h]
  int v40; // [esp+60h] [ebp-240h]
  int v41; // [esp+64h] [ebp-23Ch]
  __int16 v42; // [esp+68h] [ebp-238h]
  int v43; // [esp+78h] [ebp-228h]
  int v44; // [esp+7Ch] [ebp-224h]
  __int16 v45; // [esp+80h] [ebp-220h]
  int v46; // [esp+90h] [ebp-210h]
  int v47; // [esp+94h] [ebp-20Ch]
  __int16 v48; // [esp+98h] [ebp-208h]
  int v49; // [esp+A8h] [ebp-1F8h]
  int v50; // [esp+ACh] [ebp-1F4h]
  __int16 v51; // [esp+B0h] [ebp-1F0h]
  int v52; // [esp+C0h] [ebp-1E0h]
  int v53; // [esp+C4h] [ebp-1DCh]
  __int16 v54; // [esp+C8h] [ebp-1D8h]
  int v55; // [esp+D8h] [ebp-1C8h]
  int v56; // [esp+DCh] [ebp-1C4h]
  __int16 v57; // [esp+E0h] [ebp-1C0h]
  int v58; // [esp+F0h] [ebp-1B0h]
  int v59; // [esp+F4h] [ebp-1ACh]
  __int16 v60; // [esp+F8h] [ebp-1A8h]
  int v61; // [esp+108h] [ebp-198h]
  int v62; // [esp+10Ch] [ebp-194h]
  __int16 v63; // [esp+110h] [ebp-190h]
  int v64; // [esp+120h] [ebp-180h]
  int v65; // [esp+124h] [ebp-17Ch]
  __int16 v66; // [esp+128h] [ebp-178h]
  int v67; // [esp+138h] [ebp-168h]
  int v68; // [esp+13Ch] [ebp-164h]
  __int16 v69; // [esp+140h] [ebp-160h]
  int v70; // [esp+150h] [ebp-150h]
  int v71; // [esp+154h] [ebp-14Ch]
  __int16 v72; // [esp+158h] [ebp-148h]
  int v73; // [esp+168h] [ebp-138h]
  int v74; // [esp+16Ch] [ebp-134h]
  __int16 v75; // [esp+170h] [ebp-130h]
  int v76; // [esp+180h] [ebp-120h]
  int v77; // [esp+184h] [ebp-11Ch]
  __int16 v78; // [esp+188h] [ebp-118h]
  int v79; // [esp+198h] [ebp-108h]
  int v80; // [esp+19Ch] [ebp-104h]
  __int16 v81; // [esp+1A0h] [ebp-100h]
  int v82; // [esp+1B0h] [ebp-F0h]
  int v83; // [esp+1B4h] [ebp-ECh]
  __int16 v84; // [esp+1B8h] [ebp-E8h]
  int v85; // [esp+1C8h] [ebp-D8h]
  int v86; // [esp+1CCh] [ebp-D4h]
  __int16 v87; // [esp+1D0h] [ebp-D0h]
  int v88; // [esp+1E0h] [ebp-C0h]
  int v89; // [esp+1E4h] [ebp-BCh]
  __int16 v90; // [esp+1E8h] [ebp-B8h]
  int v91; // [esp+1F8h] [ebp-A8h]
  int v92; // [esp+1FCh] [ebp-A4h]
  __int16 v93; // [esp+200h] [ebp-A0h]
  int v94; // [esp+210h] [ebp-90h]
  int v95; // [esp+214h] [ebp-8Ch]
  __int16 v96; // [esp+218h] [ebp-88h]
  int v97; // [esp+228h] [ebp-78h]
  int v98; // [esp+22Ch] [ebp-74h]
  __int16 v99; // [esp+230h] [ebp-70h]
  int v100; // [esp+240h] [ebp-60h]
  int v101; // [esp+244h] [ebp-5Ch]
  __int16 v102; // [esp+248h] [ebp-58h]
  int v103; // [esp+258h] [ebp-48h]
  int v104; // [esp+25Ch] [ebp-44h]
  __int16 v105; // [esp+260h] [ebp-40h]
  int v106; // [esp+270h] [ebp-30h]
  int v107; // [esp+274h] [ebp-2Ch]
  __int16 v108; // [esp+278h] [ebp-28h]
  int v109; // [esp+288h] [ebp-18h]
  int v110; // [esp+28Ch] [ebp-14h]
  int v111; // [esp+290h] [ebp-10h]
  int v112; // [esp+29Ch] [ebp-4h]

  sub_100161E0();
  v32 = 7;
  v31 = 0;
  v30 = 0;
  sub_10017650(v0, L"\\system32\\uxtheme.dll", 21);
  sub_100161E0();
  v35 = 7;
  v34 = 0;
  v33 = 0;
  sub_10017650(v1, L"\\system32\\user32.dll", 20);
  sub_100161E0();
  v38 = 7;
  v37 = 0;
  v36 = 0;
  sub_10017650(v2, L"\\system32\\winrnr.dll", 20);
  sub_100161E0();
  v41 = 7;
  v40 = 0;
  v39 = 0;
  sub_10017650(v3, L"\\system32\\fwpucInt.dll", 22);
  sub_100161E0();
  v44 = 7;
  v43 = 0;
  v42 = 0;
  sub_10017650(v4, L"\\system32\\rasadhlp.dll", 22);
  sub_100161E0();
  v47 = 7;
  v46 = 0;
  v45 = 0;
  sub_10017650(v5, L"\\system32\\windows.ui.dll", 24);
  sub_100161E0();
  v50 = 7;
  v49 = 0;
  v48 = 0;
  sub_10017650(v6, L"\\system32\\dsound.dll", 20);
  sub_100161E0();
  v53 = 7;
  v52 = 0;
  v51 = 0;
  sub_10017650(v7, L"\\system32\\rsaenh.dll", 20);
  sub_100161E0();
  v56 = 7;
  v55 = 0;
  v54 = 0;
  sub_10017650(v8, L"\\system32\\crypt32.dll", 21);
  sub_100161E0();
  v59 = 7;
  v58 = 0;
  v57 = 0;
  sub_10017650(v9, L"\\system32\\wintrust.dll", 22);
  sub_100161E0();
  v62 = 7;
  v61 = 0;
  v60 = 0;
  sub_10017650(v10, L"\\system32\\mswsock.dll", 21);
  sub_100161E0();
  v65 = 7;
  v64 = 0;
  v63 = 0;
  sub_10017650(v11, L"\\system32\\ole32.dll", 19);
  sub_100161E0();
  v68 = 7;
  v67 = 0;
  v66 = 0;
  sub_10017650(v12, L"\\system32\\gdi32.dll", 19);
  sub_100161E0();
  v71 = 7;
  v70 = 0;
  v69 = 0;
  sub_10017650(v13, L"\\system32\\wshtcpip.dll", 22);
  sub_100161E0();
  v74 = 7;
  v73 = 0;
  v72 = 0;
  sub_10017650(v14, L"\\system32\\shell32.dll", 21);
  sub_100161E0();
  v77 = 7;
  v76 = 0;
  v75 = 0;
  sub_10017650(v15, L"\\system32\\advapi32.dll", 22);
  sub_100161E0();
  v80 = 7;
  v79 = 0;
  v78 = 0;
  sub_10017650(v16, L"\\system32\\kernel32.dll", 22);
  sub_100161E0();
  v83 = 7;
  v82 = 0;
  v81 = 0;
  sub_10017650(v17, L"\\system32\\msctf.dll", 19);
  sub_100161E0();
  v86 = 7;
  v85 = 0;
  v84 = 0;
  sub_10017650(v18, L"\\system32\\bcryptprimitives.dll", 30);
  sub_100161E0();
  v89 = 7;
  v88 = 0;
  v87 = 0;
  sub_10017650(v19, L"\\system32\\advapi32.dll", 22);
  sub_100161E0();
  v92 = 7;
  v91 = 0;
  v90 = 0;
  sub_10017650(v20, L"\\system32\\gpapi.dll", 19);
  sub_100161E0();
  v95 = 7;
  v94 = 0;
  v93 = 0;
  sub_10017650(v21, L"\\system32\\cryptsp.dll", 21);
  sub_100161E0();
  v98 = 7;
  v97 = 0;
  v96 = 0;
  sub_10017650(v22, L"\\system32\\hssrv.dll", 19);
  sub_100161E0();
  v101 = 7;
  v100 = 0;
  v99 = 0;
  sub_10017650(v23, L"\\system32\\igc32.dll", 19);
  sub_100161E0();
  v104 = 7;
  v103 = 0;
  v102 = 0;
  sub_10017650(v24, L"\\syswow64\\wintrust.dll", 22);
  sub_100161E0();
  v107 = 7;
  v106 = 0;
  v105 = 0;
  sub_10017650(v25, L"\\syswow64\\crypt32.dll", 21);
  sub_100161E0();
  v110 = 7;
  v109 = 0;
  v108 = 0;
  sub_10017650(v26, L"\\syswow64\\bcryptprimitives.dll", 30);
  v112 = 26;
  sub_100185F0(v27);
  LOBYTE(v29) = 0;
  dword_100B5000 = 0;
  dword_100B5004 = 0;
  dword_100B5008 = 0;
  Alloc_Vector((int)&v30, (int)&v111, v29);
  v112 = -1;
  `eh vector destructor iterator'(&v30, 0x18u, 0x1Bu, sub_10017340);
  return atexit((void (__cdecl *)())sub_10098B20);
}
Just manual map your shit and you're good

-They use D3DXSaveSurfaceToFileInMemory to take screenshots (they analyze the screenshots to see if someone is cheating).

I'm attaching the dll to this post if someone wants to reverse it
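
The allowlist in the post above is applied from an LdrLoadDll hook, so it can only judge modules that pass through the loader, which is the gap the "manual map" remark points at. As an added example (not code from the post or from GamersClub), the snippet below runs the complementary defender-side check over a constructed VirtualQueryEx-style snapshot and flags executable memory that is not image-backed. The `Region` record, the sample addresses and paths, and the case-insensitive suffix match are assumptions.

```python
from dataclasses import dataclass

# Windows constants from winnt.h
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_READWRITE, PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x04, 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXEC_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ |
             PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

# Three of the suffixes listed in Trust_Dlls() in the post above.
TRUSTED_SUFFIXES = (
    "\\system32\\user32.dll",
    "\\system32\\kernel32.dll",
    "\\syswow64\\wintrust.dll",
)


@dataclass
class Region:          # one record per allocation (simplified, hypothetical)
    base: int
    protect: int       # PAGE_* flags
    type: int          # MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE
    path: str          # backing file for MEM_IMAGE regions, else ""
    head: bytes        # first bytes of the region


def is_trusted(path):
    # Assumption: case-insensitive suffix match; the post does not show
    # how the module actually compares paths.
    return path.lower().endswith(TRUSTED_SUFFIXES)


def untrusted_images(regions):
    """Loader-visible modules outside the allowlist (what a load hook sees)."""
    return [r.base for r in regions
            if r.type == MEM_IMAGE and not is_trusted(r.path)]


def unbacked_executable(regions):
    """Executable memory with no image backing: never seen by a load hook."""
    hits = []
    for r in regions:
        if r.type == MEM_IMAGE or not (r.protect & EXEC_MASK):
            continue
        # A missing MZ header does not clear the region, it only changes the
        # label: headers are not needed once code is mapped.
        reason = "pe-header" if r.head[:2] == b"MZ" else "exec-no-header"
        hits.append((r.base, reason))
    return hits


# Constructed snapshot, shaped like VirtualQueryEx output for one process.
SNAPSHOT = [
    Region(0x75A00000, PAGE_EXECUTE_READ, MEM_IMAGE,
           "C:\\Windows\\System32\\user32.dll", b"MZ\x90\x00"),
    Region(0x6F000000, PAGE_EXECUTE_READ, MEM_IMAGE,
           "C:\\Users\\demo\\overlay.dll", b"MZ\x90\x00"),
    Region(0x02A10000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, "", b"MZ\x90\x00"),
    Region(0x02B40000, PAGE_EXECUTE_READ, MEM_PRIVATE, "", b"\x00\x00\x00\x00"),
    Region(0x00900000, PAGE_READWRITE, MEM_PRIVATE, "", b"\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    print(untrusted_images(SNAPSHOT), unbacked_executable(SNAPSHOT))
```

JIT compilers and some graphics drivers also allocate private executable memory, so hits from the second check need triage before they are treated as findings.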
 


Rake

Just manual map your shit and you're good
For real?

so someone could make a screenshot cleaner by manual mapping, hooking D3DXSaveSurfaceToFileInMemory, disabling the hack visual, then re-enable it after the screenshot is taken?
 

timb3r

For real?

so someone could make a screenshot cleaner by manual mapping, hooking D3DXSaveSurfaceToFileInMemory, disabling the hack visual, then re-enable it after the screenshot is taken?
That would be pretty simple to do. In fact you could easily modify that proxy DLL I wrote to do this. You could even have a bunch of static shots that you periodically feed it. In fact you could probably troll them by overlaying shock pics xD
 

iPower

That would be pretty simple to do. In fact you could easily modify that proxy DLL I wrote to do this. You could even have a bunch of static shots that you periodically feed it. In fact you could probably troll them by overlaying shock pics xD
Yup. I was also thinking about hooking ID3DXBuffer::GetBufferPointer and GetBufferSize and change the return values, so it would point to a dummy screenshot that I mapped to memory. Gonna be trying some other stuff and see what happens
 

Rake

Yeah I remember back in the day people were sending porn pics to PunkBuster via this lmao!
 

wolf22j

Yeah I remember back in the day people were sending porn pics to PunkBuster via this lmao!
I used to send random Minecraft pics to punkbuster, never got banned lmao. And I'm pretty sure one of those days a server admin was checking screenshots and found mine, they made a forum post about it on their clan website out of confusion but I don't think they ever banned me for it ironically.
 
Dec 19, 2018
1
2
0
"-Checks if Disk.sys IoControl Dispatch is hooked, which can be used for hdd serial spoofing "
Meaning, if I spoofed my HD they will know and ban me again? Cause my brother caused my HD ban, and I want to play on their servers, but even changing MAC, HD Serial Number, BIOS Serial and IP Address, I have no success
 

Thiago

"-Checks if Disk.sys IoControl Dispatch is hooked, which can be used for hdd serial spoofing "
Meaning, if I spoofed my HD they will know and ban me again? Cause my brother caused my HD ban, and I want to play on their servers, but even changing MAC, HD Serial Number, BIOS Serial and IP Address, I have no success
They will detect the hook and prevent you from joining the game.
 

g3m3c

Dumped their user mode module yesterday. Still reversing it but found some interesting things:

Hello, thanks for the dump. Could you tell me how you dumped the module that they inject in CS:GO with manualmap, or could you post a more recent dump?
 

iPower

Hello, thanks for the dump. Could you tell me how you dumped the module that they inject in CS:GO with manualmap, or could you post a more recent dump?
Attach a debugger to the launcher and set a breakpoint on WriteProcessMemory
 