Guide How To Bypass VAC Valve Anti Cheat Info


Rake

Cesspool Admin
Administrator
Jan 21, 2014
11,539
78,998
2,312
Game Name
Source Engine games
Anticheat
Valve Anticheat duh
How long you been coding/hacking?
4 Years
Coding Language
N/A
CSGO is now blocking DLLs from being injected using LoadLibrary: Discuss - New CS:GO anti-cheat measures To Block DLLs
Just Manual Map and you bypass it


We answer the same 3 questions about VAC every week, just read this and stop asking:

Write all your code from scratch, don't share it with people and you're 98% safe from VAC. To get 99% safe you need to be really smart and reverse the anticheat yourself. You can never be 100% safe so don't even worry about it. Just write your code from scratch and don't share it and you'll be fine.

VAC is a joke, if you're just learning how to hack don't worry about VAC. Just learn how to hack and write cheats for CSGO, if you get banned just create a new account. Stop asking "how to bypass VAC" it's the dumbest fucking question. All you have to do is not paste.

Apparently VAC detects VMT hooking now, just use a regular detour/trampoline hook. Or one step better, hook mid function so you're not easily detected by checking the first byte of the function.

Is WriteProcessMemory detected? YES, EVERYTHING IS DETECTABLE. Will you get banned for using it? No, so just use it and stop asking.




Insecure Mode

The first thing you must do when creating hacks is to set the game in insecure mode. This is done by adding the "-insecure" command line option to your desktop shortcut. Once this is done you can develop your hack or use Cheat Engine on the game without worrying about being banned. In insecure mode you cannot join secure servers.


What is VAC a VAC Bypass?
Valve AntiCheat aka VAC is made by Valve and has been around since the early days of Counter Strike. It is used mostly in Source Engine games, but any games published to Steam can have it implemented. Its primary detection mechanism is signature scanning. VAC is a usermode anticheat, it does not have a kernel mode driver.

Here you will find a compiled list of information from the forum, most of which came from mambda; his original post is below this one.

How to bypass VAC?

There is no magic trick or download we can give you to instantly bypass anticheat. If you have been game hacking for LESS THAN 6 MONTHS, you have no business asking about anticheat. You cannot even understand because you do not have the required knowledge to do so. Learn to hack using our tutorials for a few months before even thinking about bypassing anticheat.

Here's a great quote from c5 regarding VAC
The issue with incapacitating VAC are its heuristics and diversity of checks. It does a lot of cross checking, relies on different techniques on achieving the same task, etc. Besides, some things are only triggered when a specific flag is raised, so even if you might think you have bypassed or caught some of its methods in action, another path can be taken and your efforts countered.

At the end of the day though, you can lie to/emulate/disable anything that's running on your PC. People have emulated anticheats before, disabled them, altered scan results, hidden cheats from them, etc. It can simply get very tedious and not worth the time at all, especially if all you want to actually do is simply bunnyhop around the map.

Simple first steps for VAC Bypass
For the average person, you won't be detected unless you use public source code or distribute your hack. This has been confirmed 1000x. The moment you distribute it, that changes.

  • Write your hack from scratch, do not use any public source code
  • Do not distribute your hack or if you must only share it with a few people, like less than 10
  • Internal hacks: use Manual Mapping - GH Injector does Manual Mapping
  • Manual mapping will hide your module from VAC because it bypasses LoadLibrary() detection, module enumeration & PE header detection.

If external, avoid using WriteProcessMemory
You can make bunny hop, aimbot and triggerbot all using SendInput and an external overlay ESP with GDI, OpenGL or Direct3D
These only require opening a handle to the process and ReadProcessMemory() which will be the least suspicious but it is still 100% detectable

Advanced VAC Bypassing Steps:
  • If you're distributing your hack you will want to have a thorough understanding of VAC, meaning you will need to reverse engineer it or read up on reports people have made from when they reversed VAC.
  • Manual Mapping
  • Encrypt all strings
  • Randomize module and process names
  • Change file hash before touching the game, use polymorphism

VAC Detection Mechanisms

Signature Detection

Using various heuristics VAC can find suspicious code injected into and upload the modules or code to their server for manual or automatic analysis. VAC doesn't have time to analyze every single cheat, they prioritize cheats that are used by many clients, the less people using it the less likely they will build signatures for it. They build signatures for the code, just like we do when pattern scanning or AOB scanning in Cheat Engine. VAC can use any part of your hack to build unique signatures including file hash, strings, PE header, PEB location & window titles.

They scan the game's process for these signatures, if the signature is found they know you're cheating and can ban you in the next ban wave.

VAC uses VirtualQuery to find executable memory and scan the game process for memory pages that are executable, if these pages were not allocated by the game process it's obvious this is injected code and maybe a cheat. That's the first step to VAC sig scanning, it's gotta find the executable memory first because code makes the best unique signatures.

File Integrity Checks
All hacks must be done at runtime, important files are checked for integrity. Patching the files on disk is a no no.

VAC Enumerates all running Processes
VAC uses EnumProcesses to find all processes and does further scanning of these processes. This is the beginning of its external hack process detection.
Hiding your external hacks and injectors from EnumProcesses is the first step. They can't build sigs for something they can't see right? Anyone know how to do this in usermode?

EnumWindows & EnumChildWindows & GetWindowText
If you have a suspicious external process they will find the windows associated with them and get the window title. They make a hash of your window names and compare against known cheat window names. They also grab the window style, size & location which makes for easy external overlay detection.
Maybe make your overlay larger than the game window, that'll confuse 'em lol

File Hashing
VAC creates files hashes for all running files or files recently touched by the OS and compares it against known cheat file hashes.
You can easily change file hash by simply adding bytes at the end of the file with any hex editor, of course you can automate that.

VAC calls NtQueryInformationProcess()
Using ProcessBasicInformation it gets the address of the PEB. Using the PEB is the lowest usermode way of querying a process, by doing this it bypasses any patching/hiding you've done to other higher level documented APIs.

NtFsControlFile() & USN Change Journals
VAC scans the disk for every file that has recently been touched by the operating system, including deleting, renaming, creation & overwriting. Good luck hiding from that :p
To bypass this mambda suggests hooking NtFsControlFile()

Manual Mapping
Manual Mapping defeats many module detection methods that VAC and other anticheat have such as:
  1. LoadLibrary hooks
  2. Toolhelp32Snapshots
  3. EnumProcessModules to find loaded modules
  4. Walking the PEB loaded modules list
  5. GetMappedFileName() on memory addresses to find DLL's on disk

Misc things Valve Anti Cheat does
  • Easily detects debuggers
  • ntdll.dll is scanned, patching functions in here will lead to detection
  • VAC uses EnumDeviceInterfaces() to find all drivers in device manager
  • Reads the Event Log for recent events such as driver loading
  • Reads the registry
New Machine Learning in VAC

How VAC Bans Work

Valve AntiCheat bans in waves usually, you could be banned hours, days weeks or months after using a detected cheat. If it's a public cheat, you can guarantee you will get VAC banned if you use it after they build signatures for it which only takes maybe a week or 2 in most cases. If you haven't been banned within 2-4 weeks you're probably undetected.

VAC doesn't do IP or HWID bans. Every time someone gets banned, they buy a new account, making Valve tons of money so they will never do this. If you get banned, make a new steam account and buy the game again.

Junk Code / Polymorphic Code
Adding junk code to your hack will change the file hash, and avoid detection based on file hash. You can also simply do this by adding bytes to the end of the file. But VAC also hashes the code sections, so junk at the end of the file won't work, but adding junk code will actually solve this problem. Junk code is just code that does nothing in your hack, you can put any shit code you want in there as long as it doesn't modify the functionality of the hack logic.

BUT adding a few pieces of junk code will not bypass signature detection, only hashing

You need to use polymorphism for this. Polymorphism will change the assembly at every byte, ruining every possible signature.

In your Injector and your DLL. So you actually need 3 files.
Polymorpher
Injector
Hack DLL

The Polymorpher takes the injector and Hack DLL as inputs and polymorphs them, then writes them to disk. Then you inject your Hack DLL with your injector, neither will be detected based on code signature detection. Go one step further, embed injector and hack .dll encrypted inside your polymorpher. But from the above USN Journal bullshit, VAC will scan all 3 of the original files so you got some work to bypass that as well.

Read our guide on polymorphic code here

GH VAC Resources:
mambda's original post
c5's VAC Reverse Engineering IDA Scripts

Offsite VAC Resources:
VAC Source Code
Developments | Cra0kalo's Development Adventures
The Raptor Factor | C++, windows internals, games, malware, reverse engineering, and everything in-between.
Valve Anti-Cheat - unkn0wncheats Game Hacking Wiki

Please contribute to this guide by providing corrections & additions, hitting the "Like" button or donating!
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
2,275
37,938
268
Disclaimer : Information i'm spewing is from reversal that happened quite some time ago ( 6+ months i believe ), more indepth information can be found at: RaptorFactor.com for example, however it seems he no longer wants to update that for the time being.

For the real reason everyone came here: How does VAC detect things?

Well, there are a few methods that it uses in order to flag things, but the main method of detection when it comes to VAC is signature based detection (henceforth known as SBD.).

It's quite simple, you compile something and the resulting binary is a series of bytes, say your ultra leet cheat has the bytes 37 13 37 13 37 13 37 13 all in order, and its only used in one specific place all the time, and that place has the bytes, say, 0x6A <offset to the 37 13 shit above> .

That's something that could potentially be used as a signature. In essence, a signature is simply a pattern that can be found in a binary, preferably something that will be exclusive to that binary, this can be anything from a specific byte sequence in instructions, a specific string, pdb data, etc.

So valve basically hashes various portions of a binary that it deems suspicious, and checks the resulting hash with a few other hashes it has stored to decide whether or not something is a known cheating software, in which case, you get flagged and will get the hammer later.

Of course, it's not the only thing that valve does, they also, for example, enumerate all top level windows and hash things such as the window name, some attributes ( i.e. transparent iirc. ), position and size ( basically checking for overlays on top of the game ).

It's also got some more cool shenanigans, you can read more about some of its external related things here : https://www.unkn0wncheats.me/forum/...197-vac-external-tool-detection-and-more.html


It is to be noted that valve does much more than *just* look at simple bytes in your program, and just because you have a driver doesn't mean you're 100% vac safe. get the binaries and reverse them and everythings clear and all that shit.

Someone buy me a pizza

Wew resurgence of "wat vac do" so here is some stuff i dont care about anymore ( 2015 writeup )

DISCLAIMER: OLD AS FUCK but still good info

VAC
====
Loads many modules during games.

When something attempts to debug ( or open a handle ? ) to steamservice.exe it is immediately checked out.

It doesn't seem to care about anything on community servers, but definitely cares on casual & competitive
In some module it gets the main drive ("C") and recursively queries directories that arent Program Files (? maybe ? ) cheat folder enumeration

On startup SteamService.exe checks SteamService.dll for file integrity, aka no patching on disk.

Clear Information/FilterManager in Event Logs?
OpenEventLog("System")
ClearEventLog(givenHandle);

So how do we package this bad boy?
Have the cheat start before csgo.exe starts.
The cheat first injects the dll, then protects itself and demotes steamservice.exe ( maybe demote and protect first to gain privileges )
Then you run csgo.

Successfully Reversed
=-=-=-=-=-=-=-=-=-=-=-

=========
7C34.tmp
=========
GetNativeSystemInfo() - returns a pretty useless struct for me to care about.
NtQuerySystemInformation [ TimeOfDay, CodeIntegrity, DeviceInformation, KernelDebugger, BootEnvironment, RangeStart ]
Reads some important parts of NtDll.
Does various checks

SteamService.exe
=============
On game launch ( and on steamservice.exe startup ), SteamService.exe calls EnumProcesses with a size of 4096 ( aka 4096 / 4 is the count of processes ) to get all running processes.
Creates a file mapping on startup. format: "Steam_{E9FD3C51-9B58-4DA0-962C-734882B19273}_Pid:%000008X", steamServicePID
Some event triggers telling csgo vac system is being blocked: i know this can happen due to USN being cleared, but could our VQEx hook also do it?
Investigating..

VAC communicates with Pipes. cool stuff, need to research those more.

63CE.tmp - Internal(?) Module
======
Also reads to csgo memory, at some point it calls virtualalloc on its own process with size 18016d , MEM_COMMIT, PAGE_READWRITE
Scratch that, lots of virtualalloc

Basically this guy opens specified PID does some virtualqueryex, i believe this checks for whether there is executable code in the csgo.exe module.
Checks queried memory for protect flag and Allocationprotection 0xF0 ( PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY )
if neither of these are found, v10 = 1

Could this read be doing sig scanning being that it reads information? I wonder if any of these open the file mapping..
v10 is placed in a2 + 60 , so definitely return value.

A2 Struct
=====
a2 + 56 = LastError()
a2 + 60 = returnValue
=====

Later on it queries the process with NtQueryInformationProcess for basicinformation, if this fails to get a buffer of size 24 it returns with 60;
If successful, continues on with ImageFileName,
reads lots of predetermined memory regions. Virtual allocs it to its own memory possibly for further inspection by host process.

441F.tmp - Device Module
=======
Enumerates hardware devices. with Setup Api.dll
EnumDeviceInterfaces to be exact. literally ALL OF THEM FROM DEVICE MANAGER AND PROBABLY BEYOND LOL.
Thats basically it. Underwhelming tbh.

FAF2.tmp - Volume Module
=======
Begins to search all volumes with FindFirstVolumeW, FindNextVolumeW and closes handles with FindVolumeClose
Gets volume serial with GetVolumeInformationW and checks if it matches a predetermined serial
I assume this is the volume serial hash.

Gets a specific process' name and reads its memory ( i presume this is csgo ).
Also does this with another process where a handle is given. instead of a pid.
Another section where they GetMappedFileName

Aha! EnumProcesses!
Opens a process to every handle running with query_information and vm_read , tries to get their name and do some more things that i can't see yet.

Course of action here for my external : Strip handles of those values ^ , i don't really care about anything else. They can't get my name if they dont have the privileges to. Also they couldn't find it on file if they tried.

F335.tmp - Window Module
======
EnumWindows ,finds ALL top level windows ( overlays too) , also does EnumChildWindows.
Reversal:
They enumerate your windows and if your process id == something that they have stored then they will GetWindowInfo your
They will keep your style ( and exStyle ), WindowStatus, WindowBorders ( x and y )
It then calls GetWindowTextA and a secondary function
for most externals exStyle = WS_EX_TOPMOST | WS_EX_TRANSPARENT | WS_EX_LAYERED
Then i got lazy because there was a huge function up next, probably hashing.
Basically, if your PID is something that it's looking for (specified by parameters), then it will try to enumerate your window and log all those things ^ and probably send them back.

In the end they make a hash of your window name ( from GetWindowTextW )
They compare these with various hashes ( 13 to be exact )

7B0B.tmp - File Mapping Module
=======
FileMapping module, for now it seems to be majorly worthless, but there are some indirect function calls that i cant seem to pin down to figure out what its doing to the file mapping.
However it only gets opened with read permissions so i doubt its anything major.

BAC1.tmp - USN Module
================================
GetVolumeInformation
This is later used with NtFsControlFile with FSCTL_QUERY_USN_JOURNAL
You get UsnJournalData via DeviceIoControl ( they use the higher up NtFsControlFile ) , it returns a USN_JOURNAL_DATA struct .
So you set whatever you want (i.e. READ_USN_JOURNAL_DATA struct ) 's id to whatever the journal id is
Alright, after some painstaking hours i managed to reproduce their usn querying.
Thankfully cool UC post to this module : http://www.unkn0wncheats.me/forum/843565-post3.html
if USN Region matches these flags: USN_REASON_CLOSE | USN_REASON_STREAM_CHANGE | USN_REASON_REPARSE_POINT_CHANGE | USN_REASON_RENAME_NEW_NAME | USN_REASON_RENAME_OLD_NAME | USN_REASON_FILE_DELETE | USN_REASON_FILE_CREATE | USN_REASON_NAMED_DATA_TRUNCATION | USN_REASON_NAMED_DATA_EXTEND | USN_REASON_NAMED_DATA_OVERWRITE
In laymans terms this means : If the file has recently been closed, created, deleted, renamed , or overwritten/written to, we want to check that out.
Then we hash the partial file name and reason flag and compare them to some hashes
This happens with various other parts of the usn struct

They do a crapton. The best thing to do is hook NtFsControlFile after it returns from KM and then clean any references to my stuff.

Here's what i can think of for this:
IAT Hook NtFsControlFile and redirect it to my own function with the original address stored.
Call the original function.
parse the allocated memory for any data regarding my own stuff, if found, purge it.
return.

Kay. So you cant IAT hook something you have to GPA, past me. fucking idiot
So we hooked GPA via IAT ( so no modified bytes here )
from that, we check for when GPA is called for NtFsControlFile and we instead return the address of our own function while saving the actual location.
In our function we ( setup stack BITCH ) call the original, then check if the control code was FSCTL_READ_USN_JOURNAL.
if it was, we check out the USN_RECORD and check if the filename contains 'SPQR' , if it does, then we purge it and continue as normal.
================================

69D7.tmp - Event Log Module
=======
Pretty funky encryption here.
Goes through the event log with OpenEventLog, ReadEventLogA, EvtQuery, EvtCreateRenderContext ( for system and user information )
Enumerating newest things first
So i think i want to load my driver then clear the event log.

C022.tmp - Registry Module
=======
Didnt look too far into this one, seems to enumerate registry keys ( possibly to detect drivers or certain p2cs ? )

BBC7.tmp - Majorly worthless, File mapping stuff.
=======
{%02xDEDF05-86E9-%02x17-9E36-1D94%02x334D-FA3%2xA0441} is used as format for opening a file mapping.

991E.tmp - SysEnter module
===============
Manually calls sysenter with the ordinal passed into it by SteamService.exe/dll , funky stuff.
Calls EnumProcessModules
Gets module base name and information

CEA4.tmp - VirtualQuerier Module
=====================
Calls VirtualQueryEx on specified regions.
If the type is MEM_FREE it breaks and basically exits.
on MEM_RESERVE it increments region size, possibly to try again and also sets a variable to true
MEM_COMMIT it does checks to see whether the page is executable ( 0xF0 ) and if so it logs that and increments some values

More interestingly, this module gets file names using GetMappedFileName and it opens the file with read access.
It reads the file in its entirety and updates an MD5 hash with the bytes.
Dat public cheat detection tho.
Manual mapping itself fixes this because they won't know the file name to read it on disk.
=====================

steamclient.dll
=======
there is something in here that logs where every injected file is in memory and writes it to a section

{%02x3F1461-5E%02x-4E99-A5AE-CEFDB55A%02x2D-3DED%02x3C}
format = pid >> 8, pid >> 24, (pid >> 16) & 0xFF, (unsigned __int8)pid
We open this with READ_WRITE permissions, we check for our string, if we find it, we zap away the entirety of it from the section
section struct size seems to be 0x4F ( 79 dec )

Theres also another global handle that logs open handles

Okay so: On DLL_THREAD_ATTACH vac queries the memory and does a few scans, checks for some flags that are retarded: http://www.unkn0wncheats.me/forum/anti-cheat-bypass/100197-vac-external-tool-detection-and-more.html
Gets the moduleFileName
"If something suspicious is found, VAC uses the first module to analyze it. I didn't look into the first module, but it extracts the image sections does tons of hashes, maybe something more."

To circumvent this you need to manual map.

E2D5 - Sig Scanner
==================
Calls VQueryEx, RPM, like all vac modules. ( RPM that is, not vqx )
If the return value is not >= 0x1C then it skips all the funky stuff that could be sig scans.

Allocates memory after initialization, 0x10000 bytes MEM_COMMIT | MEM_RESERVE , PAGE_READWRITE
this memory is where the final RPM is placed which they then attempt to hash and compare
==================

Yeah im done with this now.
Get Fukt valve.

Fun Facts:
Seems every module has the ability to get your volume serial, gotta be sure amirite vac? haha.

Plan of action:
Externals : Hook K32Enumprocesses, hide my pid.
Internals : Hook VirtualQueryEx , when they query my memory tell them its non-executable so they bugger off, maybe even hook K32EnumProcessModules if they call it on csgo.exe...
MANUAL MAP BOYS.
 

Attachments
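The executable-page check that Rake's guide and mambda's 63CE.tmp / CEA4.tmp notes describe (VirtualQueryEx, then a 0xF0 test on Protect and AllocationProtect), written from the scanning side as an added example; it is not code from the thread or from VAC. The Region records are constructed stand-ins for MEMORY_BASIC_INFORMATION results, and skipping MEM_IMAGE regions is an assumption of this sketch (image-backed code would be checked against the file on disk instead).

```python
from dataclasses import dataclass

# Constants from winnt.h
MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_READONLY, PAGE_READWRITE = 0x02, 0x04
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
PAGE_GUARD = 0x100

# The 0xF0 mask from the post: any of the four executable protections.
EXEC_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ |
             PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
TYPE_NAMES = {MEM_PRIVATE: "private", MEM_MAPPED: "mapped", MEM_IMAGE: "image"}


@dataclass(frozen=True)
class Region:
    """Fields mirror MEMORY_BASIC_INFORMATION as filled in by VirtualQueryEx."""
    base: int
    allocation_base: int
    allocation_protect: int
    size: int
    state: int
    protect: int
    type: int


def triage(regions):
    """Return committed, executable, non-image memory grouped by allocation.

    A region counts as executable if it is executable now (Protect) or was
    allocated executable and later re-protected (AllocationProtect).
    """
    found = {}
    for r in sorted(regions, key=lambda r: r.base):
        if r.state != MEM_COMMIT:          # reserved/free pages hold no code
            continue
        reasons = set()
        if r.protect & EXEC_MASK:          # modifier bits such as PAGE_GUARD are ignored
            reasons.add("exec-now")
        if r.allocation_protect & EXEC_MASK:
            reasons.add("exec-at-alloc")
        if not reasons or r.type == MEM_IMAGE:
            continue
        f = found.setdefault(r.allocation_base, {
            "allocation_base": r.allocation_base,
            "type": TYPE_NAMES.get(r.type, hex(r.type)),
            "bytes": 0,
            "reasons": set(),
        })
        f["bytes"] += r.size
        f["reasons"] |= reasons
    return [dict(f, reasons=sorted(f["reasons"])) for _, f in sorted(found.items())]


# Constructed address-space sample (not taken from a real process).
SAMPLE = [
    # image-backed .text of the main module: executable but expected
    Region(0x00400000, 0x00400000, PAGE_EXECUTE_WRITECOPY, 0x5000,
           MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE),
    # ordinary heap
    Region(0x01000000, 0x01000000, PAGE_READWRITE, 0x10000,
           MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),
    # private allocation made RWX, first page later flipped to RW
    Region(0x02000000, 0x02000000, PAGE_EXECUTE_READWRITE, 0x1000,
           MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),
    Region(0x02001000, 0x02000000, PAGE_EXECUTE_READWRITE, 0x3000,
           MEM_COMMIT, PAGE_EXECUTE_READ, MEM_PRIVATE),
    # reserved only: skipped
    Region(0x03000000, 0x03000000, PAGE_EXECUTE_READWRITE, 0x8000,
           MEM_RESERVE, 0, MEM_PRIVATE),
    # mapped section made executable after mapping, with a guard bit set
    Region(0x04000000, 0x04000000, PAGE_READONLY, 0x2000,
           MEM_COMMIT, PAGE_EXECUTE_READ | PAGE_GUARD, MEM_MAPPED),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(hex(f["allocation_base"]), f["type"], hex(f["bytes"]), f["reasons"])
```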
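A parser for the change-journal data the BAC1.tmp notes refer to, also an added example and not code from the thread: it walks USN_RECORD_V2 entries in an FSCTL_READ_USN_JOURNAL output buffer and keeps those whose Reason matches the flag list quoted in the post. The sample buffer, file names and the build_record helper are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* values from winioctl.h, limited to the flags quoted in the post.
REASONS = {
    "NAMED_DATA_OVERWRITE": 0x00000010,
    "NAMED_DATA_EXTEND": 0x00000020,
    "NAMED_DATA_TRUNCATION": 0x00000040,
    "FILE_CREATE": 0x00000100,
    "FILE_DELETE": 0x00000200,
    "RENAME_OLD_NAME": 0x00001000,
    "RENAME_NEW_NAME": 0x00002000,
    "REPARSE_POINT_CHANGE": 0x00100000,
    "STREAM_CHANGE": 0x00200000,
    "CLOSE": 0x80000000,
}
WATCH_MASK = 0
for value in REASONS.values():
    WATCH_MASK |= value
USN_REASON_DATA_EXTEND = 0x00000002   # not in the quoted list

# Fixed part of USN_RECORD_V2 (60 bytes); the UTF-16 file name follows it.
HEADER = struct.Struct("<IHHQQqqIIIIHH")


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_usn_buffer(buf):
    """Parse FSCTL_READ_USN_JOURNAL output: an 8-byte next USN, then records."""
    if len(buf) < 8:
        raise ValueError("buffer too short for the leading USN")
    next_usn = struct.unpack_from("<q", buf, 0)[0]
    records, off = [], 8
    while off + 4 <= len(buf):
        rec_len = struct.unpack_from("<I", buf, off)[0]
        if rec_len == 0:                       # zero fill: no more records
            break
        if rec_len < HEADER.size or rec_len % 8 or off + rec_len > len(buf):
            raise ValueError("bad RecordLength %d at offset %d" % (rec_len, off))
        (_, major, _minor, frn, parent, usn, stamp, reason,
         _src, _sec, _attrs, name_len, name_off) = HEADER.unpack_from(buf, off)
        if major == 2:                         # other versions are skipped by length
            if name_off < HEADER.size or name_off + name_len > rec_len:
                raise ValueError("file name outside record at offset %d" % off)
            raw = buf[off + name_off: off + name_off + name_len]
            records.append({
                "usn": usn, "frn": frn, "parent": parent, "reason": reason,
                "time": filetime_to_datetime(stamp),
                "name": raw.decode("utf-16-le", errors="replace"),
            })
        off += rec_len
    return next_usn, records


def reason_names(reason):
    return [name for name, bit in REASONS.items() if reason & bit]


def watched(records):
    """Records whose Reason has any bit of the quoted flag list set."""
    return [r for r in records if r["reason"] & WATCH_MASK]


def build_record(usn, reason, name, filetime):
    """Test helper: build one 8-byte-aligned USN_RECORD_V2 (constructed data)."""
    raw = name.encode("utf-16-le")
    length = (HEADER.size + len(raw) + 7) & ~7
    head = HEADER.pack(length, 2, 0, 0x1000 + usn, 5, usn, filetime,
                       reason, 0, 0, 0x20, len(raw), HEADER.size)
    return (head + raw).ljust(length, b"\0")


T0 = 131907744000000000   # 2019-01-01 00:00:00 UTC as FILETIME
SAMPLE = struct.pack("<q", 0x3000) + b"".join([
    build_record(0x2000, USN_REASON_DATA_EXTEND, "report.docx", T0),
    build_record(0x2058, REASONS["FILE_CREATE"], "tool.exe", T0 + 10_000_000),
    build_record(0x20A8, REASONS["FILE_DELETE"] | REASONS["CLOSE"], "tool.exe",
                 T0 + 50_000_000),
])

if __name__ == "__main__":
    _, recs = parse_usn_buffer(SAMPLE)
    for r in watched(recs):
        print(r["time"].isoformat(), r["name"], reason_names(r["reason"]))
```

A plain write to a file's default stream (DATA_EXTEND without CLOSE) does not match the quoted list, which is why the first sample record is not reported.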

Oneshot

Meme Tier VIP
Apr 4, 2015
233
190
13
i feel that this is too good info to give out so remove it and lets sell it before the scrubs get it :scared:
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
2,275
37,938
268
man i wrote this 2 years ago and i havent even touched a vac protected game since
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
11,539
78,998
2,312
Some good VAC reversing info here as well http://dev.cra0kalo.com/

Anyone remember that video from that european convention with I think the h1z1 anticheat dev? He was explaining how the anticheat works and how they developed it and the challenges they faced. It might not have been h1z1 but it's from a few years ago. It wasn't on youtube, it was on some site for the con
 

tvojama

uz42&4fd
Meme Tier VIP
Dank Tier Donator
Apr 1, 2015
379
2,498
9
Rake;54547 said:
Some good VAC reversing info here as well http://dev.cra0kalo.com/

Anyone remember that video from that european convention with I think the h1z1 anticheat dev? He was explaining how the anticheat works and how they developed it and the challenges they faced. It might not have been h1z1 but it's from a few years ago. It wasn't on youtube, it was on some site for the con
It's not what you're looking for but is a good read lol
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
11,539
78,998
2,312
holy fuck that was painful, VAC guide updated thank you mambda for being a boss

Hopefully no more "how to bypass vac" shit posts
 

Schnee

Newbie
Dec 18, 2017
4
288
0
Rake;54547 said:
Some good VAC reversing info here as well http://dev.cra0kalo.com/

Anyone remember that video from that european convention with I think the h1z1 anticheat dev? He was explaining how the anticheat works and how they developed it and the challenges they faced. It might not have been h1z1 but it's from a few years ago. It wasn't on youtube, it was on some site for the con
Not sure if you mean the video with Eugen Harton, it's linked on the BattlEye homepage as well for companies to get an insight on what they are doing.

https://www.youtube.com/watch?v=0M0xBMEuWdU
 

g3m3c

Newbie
Aug 19, 2017
21
94
0
@mambda What kind of way do you recommend to hook in VirtualQuery? Valve does scans by what modification in readables sections, HWBP is detected, VEH Hooking is detected, IAT/EAT is detected
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
2,275
37,938
268
highly doubt they are but idk i dont even work on vac protected games anymore
 

XdarionX

Dying Light Hacker
Dank Tier VIP
Dank Tier Donator
Mar 30, 2018
813
21,408
111
Rake said:
NtFsControlFile() & USN Change Journals
VAC scans the disk for every file that has recently been touched by the operating system, including deleting, renaming, creation & overwriting. Good luck hiding from that :p
To bypass this mambda suggests hooking NtFsControlFile()
I was using windows xp service pack 2 so my external hack was exploit switched to ring0 and then set some magic bytes to its disk file and protected mode descriptors so it was 'unreachable' like C:/kernel.sys and my process could not be even opened by OpenProcess or debugged by ANY debugger. Accessing game RAM was as simple as in internal cheat. In shortcut: hack was a part of kernel. And I am not still banned. One disadvantage is that steam will stop supporting this awesome OS. This simple trick bypassed all valve work on their Valve Abortive Co**** :)
 

XdarionX

Dying Light Hacker
Dank Tier VIP
Dank Tier Donator
Mar 30, 2018
813
21,408
111
Since csgo is for free I was experimenting on some accounts with VAC and I want to share some knowledge:
  • VMT hooking is 100% detected (there were some discussions about it and yes it is) btw many skeet users got vacban lmao
  • RDI is probably detected (I am not sure), idk how but be careful with it (stephenfewer/ReflectiveDLLInjection) I guess VAC has some hash for its shellcode or AoB ?
  • Silentaim and Aimbot got better server-sided detection based on delta of view angles (pitch+yaw) but still it affects only rage cheaters, legit like one degree FOV is still safe (to VAC, not OW)
  • Reinforced D3D function hooking detection, avoid using public headers/SDKs for menu, hook em between their prologue and epilogue:
asm:
mov edi,edi
push ebp
mov ebp,esp
//hook comes here
leave
ret
Hope it helps
 

0xDEC0DE

dead
Dank Tier VIP
Fleep Tier Donator
Dank Tier Donator
Oct 28, 2018
449
18,798
92
XdarionX said:
Since csgo is for free I was experimenting on some accounts with VAC and I want to share some knowledge:
  • VMT hooking is 100% detected (there were some discussions about it and yes it is) btw many skeet users got vacban lmao
  • RDI is probably detected (I am not sure), idk how but be careful with it (stephenfewer/ReflectiveDLLInjection) I guess VAC has some hash for its shellcode or AoB ?
  • Silentaim and Aimbot got better server-sided detection based on delta of view angles (pitch+yaw) but still it affects only rage cheaters, legit like one degree FOV is still safe (to VAC, not OW)
  • Reinforced D3D function hooking detection, avoid using public headers/SDKs for menu, hook em between their prologue and epilogue:
asm:
mov edi,edi
push ebp
mov ebp,esp
//hook comes here
leave
ret
Hope it helps
Can you tell if imgui is detected ?

I haven't tried it yet, its the only public source i use, everything else is custom build by me.
 

XdarionX

Dying Light Hacker
Dank Tier VIP
Dank Tier Donator
Mar 30, 2018
813
21,408
111
0xDEC0DE said:
Can you tell if imgui is detected ?

I haven't tried it yet, its the only public source i use, everything else is custom build by me.
If you mean this ocornut/imgui then idk - I see it first time, I am not making public cheats with menus (my private one commonly has static config loaded from some file on the disk). In that post I meant public well-known menu headers that can be downloaded from public cheating forums like uc and mpqh. Imgui looks like normal open source library that is commonly used for programmers, not hackers so I dont see any reason why should VAC scan for it.
 

0xDEC0DE

dead
Dank Tier VIP
Fleep Tier Donator
Dank Tier Donator
Oct 28, 2018
449
18,798
92
XdarionX said:
If you mean this ocornut/imgui then idk - I see it first time, I am not making public cheats with menus (my private one commonly has static config loaded from some file on the disk). In that post I meant public well-known menu headers that can be downloaded from public cheating forums like uc and mpqh. Imgui looks like normal open source library that is commonly used for programmers, not hackers so I dont see any reason why should VAC scan for it.
Yeah its not meant for game hacks and ocornut the founder is strongly against it but its used by many many users on uc.

I think i will remove it for now.
 