Guide How to Bypass FairFight Anticheat


Kleon742

Game Name: N/A
Anticheat: FairFight
How long you been coding/hacking?: N/A
Coding Language: N/A
FairFight is a server-sided anticheat developed by GameBlocks.
The AC does not reside on the player's computer and does not examine the players' devices or look for the latest hacks.
This makes it really easy to "bypass" since it has no impact on the client's side. This is a great start to hack games with anticheat.
You have a lot more freedom, and EVERYTHING that you see here will be useful in your future projects.
Players' actions are recorded and tested against multiple statistical markers.

So FairFight will track things such as:
Player's Position, Kill/Death Ratio, Points, Kills, Accuracy, Aim Angles, Reaction time, etc.

FairFight also has the option to take screenshots.
Source Code - Screenshot Cleaner - Bypass Fairfight & Punkbuster - BitBlt Hook


[Fairfight user clients]:
Dice, EA, Ubisoft, gamersfirst, hoplon, crytek, popcap

[Protected Games]:
-APB Reloaded
-Battlefield 1
-Battlefield 4
-Battlefield 5
-Battlefield Hardline
-H1Z1
-The Division 1
-Titanfall
-Titanfall 2

[HOW TO "BYPASS"]:
Most important: You have to bypass the screenshot first. Just hook the screenshot function. This should be relatively easy.
After this, you shouldn't worry too much. The client side is ours.
You can NOT use:
-speed hack
-teleport hack
-spinbot
-high fov Aimbot
-RPM(RoundsPerMinute) hack
This is pretty clear. Just do NOT be blatant.

But you CAN use:
-Wallhack, ESP, any other visuals (do not track anyone through walls, FairFight checks that too)
-low fov aimbot

[GENERAL TIPS & TRICKS for AIMBOTS]:
We have to fight against statistics so...
Randomize focused-bones: Tracking a player's head 100% of the time is too obvious.
Create bone sub-points: It's impossible to hit one's belly button 90x in a row. Create offsets like "lungs", "belly", "chest", etc.
Add random position offsets: Try to hit the hitbox at random positions. Don't aim for the center position all the time.
Use Low Fov: Use it as aim correction, it's too obvious to snap on the enemy's head with a 180.
Don't snap: Using linear snapping can be obvious, especially if it's monitored by a computer that uses statistics. Use curves, and randomize traveling time.
Randomize time: Randomize the triggerbot, and use it with a bit more human-like reaction times.
 
Last edited by a moderator:
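
The server-side view of the "statistical markers" described in the post above, as an added example that is not part of the original thread and not FairFight's or GameBlocks' code: per-player markers are compared against the whole population with a median/MAD score, so an extreme player cannot hide by shifting the average. The marker names, threshold and telemetry are assumptions and constructed sample data.

```python
import statistics as st

# Constructed telemetry (not real game data): player -> one (reaction_ms, hit_zone) per kill.
SAMPLE = {
    "p1": [(240, "chest"), (310, "head"), (280, "legs"), (350, "chest"), (260, "arm"), (300, "chest")],
    "p2": [(290, "head"), (330, "chest"), (270, "chest"), (400, "legs"), (310, "head"), (250, "arm")],
    "p3": [(260, "chest"), (300, "arm"), (340, "head"), (280, "chest"), (320, "legs"), (380, "chest")],
    "p4": [(310, "chest"), (270, "legs"), (360, "chest"), (290, "arm"), (330, "chest"), (420, "legs")],
    "p5": [(250, "head"), (340, "chest"), (300, "chest"), (270, "head"), (390, "arm"), (310, "legs")],
    "p6": [(150, "head"), (152, "head"), (149, "head"), (151, "head"), (150, "head"), (148, "head")],
}

# Hypothetical markers and the suspicious direction: +1 = unusually high, -1 = unusually low.
MARKERS = {"headshot_ratio": +1, "median_rt_ms": -1, "rt_spread_ms": -1}

def features(kills):
    """Reduce one player's kill records to the per-player markers."""
    rts = [rt for rt, _ in kills]
    return {
        "headshot_ratio": sum(zone == "head" for _, zone in kills) / len(kills),
        "median_rt_ms": st.median(rts),
        "rt_spread_ms": st.pstdev(rts),
    }

def robust_z(value, population):
    """Modified z-score (median/MAD); robust to the outliers it is looking for."""
    med = st.median(population)
    mad = st.median([abs(x - med) for x in population])
    if mad == 0:
        return 0.0  # no spread in the population: nothing to compare against
    return 0.6745 * (value - med) / mad

def flag_outliers(telemetry, threshold=3.5, min_kills=5):
    """Return {player: [markers tripped]} for players far from the population."""
    feats = {p: features(k) for p, k in telemetry.items() if len(k) >= min_kills}
    flagged = {}
    for marker, direction in MARKERS.items():
        population = [f[marker] for f in feats.values()]
        for player, f in feats.items():
            if direction * robust_z(f[marker], population) > threshold:
                flagged.setdefault(player, []).append(marker)
    return flagged

if __name__ == "__main__":
    for player, markers in flag_outliers(SAMPLE).items():
        print(player, "-> review:", ", ".join(markers))
```

A flag here is a reason to queue the account for review, not a verdict; several independent markers tripping together is the stronger signal.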

IndieAlex

Sorry, I totally overlooked it. Do you have resources, examples or just POC to bypass screenshot in FF?
 

HereToHack

> Sorry, I totally overlooked it. Do you have resources, examples or just POC to bypass screenshot in FF?

they use bitblt i'm pretty sure and you can probably use a public source for any fairfight game with a screenshot bypass to see how they bypassed the screenshot function. Will probably need to update some things yourself though
 

IndieAlex

> they use bitblt i'm pretty sure and you can probably use a public source for any fairfight game with a screenshot bypass to see how they bypassed the screenshot function. Will probably need to update some things yourself though

Yep. IIRC it does work in windowed mode for external but it returns black in fullscreen and that's a flag. Anyway, I'm gonna search for POC about safe ss clean. Thank you.
 

Rake

basic idea: hook the function, disable drawing your hack, let the screenshot get taken, re-enable drawing. obviously it's more complicated than that, but that's the basic idea
 

IndieAlex

> basic idea: hook the function, disable drawing your hack, let the screenshot get taken, re-enable drawing. obviously it's more complicated than that, but that's the basic idea

Yep, in many cases that's enough. Unfortunately in some cases it is much more complicated than that. You have to hook bitblt in the game process but if you are external you have to implement some internal code. Moreover, it can get even more complicated if the game has an integrity check.
 

HereToHack

> Yep, in many cases that's enough. Unfortunately in some cases it is much more complicated than that. You have to hook bitblt in the game process but if you are external you have to implement some internal code. Moreover, it can get even more complicated if the game has an integrity check.

with fairfight you wouldn't have to worry about much really, you can also send them a clean screenshot, which is what speedi13 does on all his fairfight cheats. here's old code from 2015 on a forum showing how to clean the screenshots, but the offsets need to be updated for each game, so you'll need to reverse a bit


C++:
namespace fairfight
{
    typedef BOOL(__stdcall* tBitBlt)(HDC hdcDest, int nXDest, int nYDest, int nWidth, int nHeight, HDC hdcSrc, int nXSrc, int nYSrc, DWORD dwRop);
    tBitBlt oBitBlt = nullptr;

    DWORD dwCleanFrameInterval = 0, dwCleanFramesPassed = 0, dwOldCleanFrame = 0;
    bool m_RenderPossible, m_CleanerActive = true;
    HDC hCleanScreenshot = nullptr;

    BOOL WINAPI hkBitBlt(HDC hdcDest, int nXDest, int nYDest, int nWidth, int nHeight, HDC hdcSrc, int nXSrc, int nYSrc, DWORD dwRop)
    {
        void *RetAddress = _ReturnAddress();
//They seem to have two screenshot functions so both calls to BitBlt in the game should account for it
//These return addresses are old and are for the patch before 12/1/15, haven't had time to work on the game and update
        if (reinterpret_cast<DWORD_PTR>(RetAddress) == 0x144497AF2 || reinterpret_cast<DWORD_PTR>(RetAddress) == 0x1445396AC && m_CleanerActive)
        {
            tools::WriteToConsole("Fairfight attempted to take a screenshot: 0x%p\n", RetAddress);
            return oBitBlt(hdcDest, nXDest, nYDest, nWidth, nHeight, hCleanScreenshot, nXSrc, nYSrc, dwRop);
        }
        return oBitBlt(hdcDest, nXDest, nYDest, nWidth, nHeight, hdcSrc, nXSrc, nYSrc, dwRop);
    }

    void PassCleanScreenshot()
    {
        DWORD dwTickCount = GetTickCount();

        if (dwTickCount > dwOldCleanFrame && m_CleanerActive)
        {
            m_RenderPossible = false;

            if (dwCleanFramesPassed > 4)
            {
                dwCleanFramesPassed = 0;

                HWND hWnd = (HWND)fb::DxRenderer::Instance()->m_pScreen->m_WindowHandle;
                HDC hCaptureDC; // rdi@1
                HBITMAP hCaptureBitmap; // rbp@1

                hCleanScreenshot = GetDC(hWnd);
                hCaptureDC = CreateCompatibleDC(hCleanScreenshot);
                hCaptureBitmap = CreateCompatibleBitmap(hCleanScreenshot, fb::DxRenderer::Instance()->m_pScreen->m_ScreenInfo.m_Width, fb::DxRenderer::Instance()->m_pScreen->m_ScreenInfo.m_Height);
                SelectObject(hCaptureDC, hCaptureBitmap);
                BitBlt(hCaptureDC, 0, 0, fb::DxRenderer::Instance()->m_pScreen->m_ScreenInfo.m_Width, fb::DxRenderer::Instance()->m_pScreen->m_ScreenInfo.m_Height, hCleanScreenshot, 0, 0, SRCCOPY);

                saveBitMap(hCaptureBitmap, hCleanScreenshot); //Save screenshot to file

                DeleteDC(hCaptureDC);
                DeleteObject(hCaptureBitmap);

                dwOldCleanFrame = dwTickCount + dwCleanFrameInterval;
            }
            else
            {
                ++dwCleanFramesPassed;
            }
        }
        else
        {
            m_RenderPossible = true;
        }
    }

    void Initialize()
    {
        oBitBlt = reinterpret_cast<tBitBlt>(tools::DetourFunction(reinterpret_cast<PBYTE>(GetProcAddress(GetModuleHandleA("Gdi32.dll"), "BitBlt")), reinterpret_cast<PBYTE>(hkBitBlt), 16)); //I am sure you have your own detour or can find one around the forums
        tools::WriteToConsole("BitBlt Hooked!...\n");
        m_RenderPossible = true;
        dwCleanFrameInterval = 30000;//Take a clean screenshot and store in buffer every 30 seconds
    }
}

credits to USSR for this code
 
Reactions: Rake and IndieAlex
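
How the detour in the code above looks to the "integrity check" mentioned earlier in the thread, as an added example that is not part of the original posts: the first bytes of an export in memory are compared with the on-disk copy, and a recognised jump stub is resolved to see which module, if any, owns the target. The prologue bytes, addresses and module ranges are constructed, not real gdi32.dll values.

```python
import struct

# Constructed 16-byte x64 prologue standing in for the on-disk bytes of the export
# (not the real gdi32!BitBlt bytes), and constructed load addresses.
DISK = bytes.fromhex("48895C2408" "48896C2410" "4889742418" "57")
EXPORT_ADDR = 0x7FFB10002000
MODULES = {"gdi32.dll": (0x7FFB10000000, 0x7FFB10030000),
           "game.exe": (0x140000000, 0x148000000)}
# In-memory copy after a 14-byte absolute-jump detour into memory no module owns.
HOOKED = b"\xFF\x25\x00\x00\x00\x00" + struct.pack("<Q", 0x1F4A2B30000) + DISK[14:]

def decode_redirect(code, addr):
    """Jump target if code (mapped at addr) starts with a common detour stub, else None."""
    if len(code) >= 5 and code[0] == 0xE9:                            # jmp rel32
        return (addr + 5 + struct.unpack_from("<i", code, 1)[0]) % 2**64
    if len(code) >= 14 and code[:6] == b"\xFF\x25\x00\x00\x00\x00":   # jmp [rip+0]; dq target
        return struct.unpack_from("<Q", code, 6)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return struct.unpack_from("<Q", code, 2)[0]                   # mov rax, imm64; jmp rax
    return None

def check_export(name, disk, mem, addr, modules):
    """Compare an export's prologue on disk and in memory and describe any patch."""
    if mem == disk:
        return {"export": name, "status": "clean"}
    target = decode_redirect(mem, addr)
    owner = None
    if target is not None:
        owner = next((m for m, (lo, hi) in modules.items() if lo <= target < hi), None)
    return {
        "export": name,
        "status": "patched",
        "patched_bytes": sum(a != b for a, b in zip(disk, mem)),
        "target": target,
        # None with a decoded target: the jump lands outside every loaded module.
        "target_module": owner,
    }

if __name__ == "__main__":
    print(check_export("BitBlt", DISK, DISK, EXPORT_ADDR, MODULES))
    print(check_export("BitBlt", DISK, HOOKED, EXPORT_ADDR, MODULES))
```

A patched prologue is a signal to investigate rather than proof of cheating, since other software in the process can hook APIs as well; a target outside every loaded module deserves the closest look.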

jo2305

How would this work for external? I can't hook a function externally but I can RPM and make an esp overlay. Can FF see my overlay, and if so, how would I go about hiding it? Is there a variable in memory somewhere that changes right before FF takes a screenshot, so I can disable the overlay immediately before the screenshot is taken?

Thanks for the help.
 

mambda

> How would this work for external? I can't hook a function externally but I can RPM and make an esp overlay. Can FF see my overlay, and if so, how would I go about hiding it? Is there a variable in memory somewhere that changes right before FF takes a screenshot, so I can disable the overlay immediately before the screenshot is taken?
>
> Thanks for the help.

can't see it if your esp is an overlay unless they bitblt your overlay for some reason (it's unlikely they would, but i've never worked on it)
 

jo2305

> can't see it if your esp is an overlay unless they bitblt your overlay for some reason (it's unlikely they would, but i've never worked on it)

I tested out your theory yesterday and had an account FairFight banned while using my esp overlay on Battlefield V. It's possible that someone reported me but I was playing pretty normally (was 16-8 in the game that I got banned from). It's not a big deal though because accounts are like $5. So let's just assume for the sake of discussion that FF can see everything on my screen - is there a way to detect the screenshot externally? Like right before it happens, perhaps? Or can I hook bitblt in the kernel or something? I think some antivirus does this as an anti-identity theft measure.

Thanks.
 

mambda

> I tested out your theory yesterday and had an account FairFight banned while using my esp overlay on Battlefield V. It's possible that someone reported me but I was playing pretty normally (was 16-8 in the game that I got banned from). It's not a big deal though because accounts are like $5. So let's just assume for the sake of discussion that FF can see everything on my screen - is there a way to detect the screenshot externally? Like right before it happens, perhaps? Or can I hook bitblt in the kernel or something? I think some antivirus does this as an anti-identity theft measure.
>
> Thanks.

just inject shellcode and hook bitblt to it and return a black image
 

Kix

> just inject shellcode and hook bitblt to it and return a black image

Or I saw people turning off their esp for a few frames when they detect fairfight is going to take a picture
 

Kleon742

> Or I saw people turning off their esp for a few frames when they detect fairfight is going to take a picture

The good old epilepsy causing hax.
 

mambda

> Or I saw people turning off their esp for a few frames when they detect fairfight is going to take a picture

that approach is much more involved externally, because you'd need to have shellcode that hooks bitblt (or the function that will eventually call it), then alert your external program via IPC (Packets, sections, events, whatever), then wait until your program disables the ESP and alerts the shellcode, then the shellcode would have to resume the bitblt and then alert the external program again

it's much easier to just black out the screen (though idk what fairfight would do in that case these days, is that considered malicious?)
 

jo2305

> that approach is much more involved externally, because you'd need to have shellcode that hooks bitblt (or the function that will eventually call it), then alert your external program via IPC (Packets, sections, events, whatever), then wait until your program disables the ESP and alerts the shellcode, then the shellcode would have to resume the bitblt and then alert the external program again
>
> it's much easier to just black out the screen (though idk what fairfight would do in that case these days, is that considered malicious?)

I looked around UC and it seems like sending a black screen would cause a ban, although I'm willing to test it. I found this C# BitBlt Hooker lib but it seems outdated as injecting the hook dll crashes my game (and of course the library is not open source) so I guess I'll have to make something from scratch. Why do you recommend injecting shellcode instead of a DLL?
 

mambda

> I looked around UC and it seems like sending a black screen would cause a ban, although I'm willing to test it. I found this C# BitBlt Hooker lib but it seems outdated as injecting the hook dll crashes my game (and of course the library is not open source) so I guess I'll have to make something from scratch. Why do you recommend injecting shellcode instead of a DLL?

if you want to write a dll sure go for it and inject it
shellcode's just smaller and you're already external anyways, shellcode is just the gray space between the two
 