Guide How To Bypass VAC Valve Anti Cheat Info

[Rake]

Game Name

Source Engine games

Anticheat

Valve Anticheat duh

How long you been coding/hacking?

4 Years

Coding Language

N/A

VAC or Valve AntiCheat is software running on the client and server that attempts to detect cheaters. It is made by Valve and has been around since the early days of Counter Strike, most known for it's usage in CSGO but, is also used in other Source Engine games. VAC is a usermode anticheat, it does not have a kernel mode driver, It's primary detection mechanism is signature scanning for known cheats. Here you will find a list of compiled information from the forum about how Valve Anticheat works and how you can bypass VAC.

This anticheat guide features:

• An explanation of the new VAC updates from 2020
• The 5 simple steps you need to take to bypass VAC
• A brief overview of VAC's modules
• A more in depth look at VAC's capabilities
• A collection of VAC related resources

Before you read this VAC Guide, you may want to read our general overview of how anticheat works -> General Anticheat Guide

We answer the same 3 questions about VAC at least once per week, please just read this information instead of annoying us.

Important VAC Update July 2020
Valve has been actively updating VAC in CSGO this month. Over the years new competitive shooters like Apex, Overwatch & others have been released with either strong anticheat or kernel anticheat and these games have fewer cheaters than CSGO due to VAC being worthless. Now Valorant which is very similar to CSGO has been released with a very good kernel anticheat. 30% of CSGO players are cheating, and now that alternatives are available people are leaving CSGO. This has forced Valve to improve VAC, this month some of the largest changes that have ever happened to VAC are being rolled out and I assume more will come soon.

CSGO is now starting in Trusted Mode by default
Use the -insecure launch argument to practice and develop your hack in a local bot match. After being sure you are able to bypass VAC, launch with Trusted Mode later.

CSGO is now blocking DLLs from being injected using LoadLibrary - DLLs that interact with CSGO must now be digitally signed
To bypass this all you need to do is use Manual Mapping - try the GH Injector's special features.

How to bypass VAC
It's really easy. You do not need to ask us how to bypass it. Just read these few paragraphs and you'll be bypassing VAC in 5 minutes.

• Manually Map your DLL
• Do not use public downloads and source codes
• Write everything yourself, do not share your hack
• Do not use VMT Hooking, use a regular detour / trampoline hook
• Don't rage

If you do these things, the chance that you will get VAC banned is less than 1%. By doing these things you have bypassed 99% of VAC. You can never be 100% safe so don't even worry about it.

VAC is honestly a joke, if you're just learning how to hack don't worry about VAC. Just learn how to hack and write cheats for CSGO, if you get banned just create a new account, the game is free. Stop asking "how to bypass VAC" it's the dumbest question. All you have to do is follow the steps written above.

If you enjoy the content you find here on GH, please considering donating.

VAC Detects VMT Hooking
There is a good amount of evidence that VAC detects VMT hooking, to bypass this just use a regular detour/trampoline hook. Or if you want to be extra safe, do a mid function hook (regular detour, not located at the first byte of the function) so you're not easily detected by checking the first byte of the function.

Is WriteProcessMemory detected?
Everything is detectable, the real question is: will you get banned for using it? No you won't, so just use it and stop asking.

Is _________________ detected by VAC?
VAC is actively scanning all your running processes, files, registry keys & more. If they want to know everything that's happening in usermode, they have no problem doing it. Everything in usermode can be detected by VAC. It doesn't matter if VAC is capable of detecting something. The only thing that matters is: are they banning people for it.

Do I need to use kernel mode to bypass VAC?
NO! VAC is a usermode anticheat. There is no reason to go into kernel unless you want to. It's complete overkill.

Insecure Mode
The first thing you must do when creating hacks is to set the game in insecure mode. This is done by adding the "-insecure" command line option to your desktop shortcut. Once this is done you can develop your hack or use Cheat Engine on the game without worrying about being banned. In insecure mode you cannot join secure servers.

or

How to bypass VAC?
There is no magic trick or download we can give you to instantly bypass anticheat. If you have been game hacking for less than 6 months, you have no business asking about anticheat. You cannot even understand because you do not have the required knowledge to do so. Learn how to hack first for a few months before even thinking about bypassing anticheat, you can learn everything from The Game Hacking Bible.

Here's a great quote from c5 regarding VAC:
The issue with incapacitating VAC are its heuristics and diversity of checks. It does a lot of cross checking, lies on different techniques on achieving the same task, etc. Besides, some things are only triggered when a specific flag is raised, so even if you might think you have bypassed or caught some of its methods in action, another path can be taken and your efforts countered.

At the end of the day though, you can lie to, emulate or disable anything that's running on your PC. People have emulated anticheats before, disabled them, altered scan results, hidden cheats from them, etc. It can simply get very tedious and not worth the time at all, especially if all you want to actually do is simply bunnyhop around the map.

c5 is 100% right. If you're just making cheats for yourself like the other 100,000 that are doing so, there is nothing to worry about, VAC is a joke. But it does have the capability to do much more than they use it for.

VAC's Capabilities
While VAC is loaded it has the capability of and has been seen:

• Scanning all your files
• Scanning all running processes
• Scanning your registry
• Enumerating all open handles
• Scanning for hooks
• Signature scanning for known cheats

With these capabilities it can find and detect cheats very easily.

Valve Anticheat does it basic run of the mill scanning on every client. But, if it finds something that looks sketchy like a hook, it will do a more thorough analysis and it will upload what it finds to the Valve servers. This information can have an affect on your Trusted rank or result in a ban in the future.

VAC Modules

VAC's modules are streamed to the client from the server, they don't exist on disk on your computer at any time but you can dump them if you know how. You can look at VAC as a series of module or as lists of features organized by purpose. The best resources for understanding VAC in depth are:

• Daniel Krupinski's Reversed VAC Source Code
• mamba's writeup of VAC from a few years ago
• Tutorial - RaptorFactor Archive - VAC Modules
• ioncodes/vacation3-emu

Vac's Modules according to Daniel Krupinski

• Module 1: Collect System Information & Configuration
• Module 2: Enumerate running processes and handles
• Module 3: VAC's Process Monitor Implementation

If you're reversing VAC yourself, make sure to look at steamclient.dll, SteamService.exe & steamservice.dll as well. VAC scans all 3 of those as well, so hooking those can be detected.

Advanced VAC Bypassing
If you're distributing a pay cheat you will want to reverse VAC yourself and periodically dump the modules and compare. If VAC updates, you need to know what they changed.

If you're distributing a pay cheat, in addition to our list above, you should:

• Encrypt all strings
• Randomize module, process, window & window class names
• Use polymorphic code to evade signature detection
• Stay off the disk as much as possible, stream everything into memory
• Clean all your tracks, avoid registry keys etc...
• Consider hooking and de-clawing VAC itself

It really depends, if you have 30 users you don't need to go too crazy. But if you have hundreds or thousands you need to be 100% sure you have bypassed VAC.

How does VAC protect itself?
VAC modules are streamed from the server, it does not hit disk. IAT is encrypted, strings are encrypted

VAC Detection Mechanisms

Signature Detection
Using various heuristics VAC can find suspicious code and upload the modules to their server for manual or automatic analysis. VAC doesn't have time to analyze every single cheat, they prioritize cheats that are used by many clients, the less people using it the less likely they will build signatures for it. They build signatures for the code, just like we do when pattern scanning or AOB scanning in Cheat Engine. VAC can use any part of your hack to build unique signatures including file hash, strings, PE header, window titles, PDB path's etc...

They scan the game's process as well as any other running process for these signatures, if the signature is found they know you're cheating and can ban you in the next ban wave.

VAC uses VirtualQuery() to find executable memory and scan the game process for memory pages that are executable, if these pages were not allocated by the game process it's obvious this is injected code and maybe a cheat. That's the first step to VAC sig scanning, it's gotta find the executable memory first because code makes the best unique signatures.

Hook Detection
VAC can detect all hooks, but we know they are very ban happy when it comes to VMT & IAT hooks.
They specifically scan for hooks in these Windows API functions:

• GetMAppedFileNameA
• NtQueryVirtualMemory
• GetModuleHandleA
• GetModuleFileNameA
• OpenProcess
• ReadProcessMemory
• VirtualQuery
• VirtualQueryEx
• CreateToolHelp32Snapshot
• Module32First
• Module32Next
• Process32First
• Process32Next
• EnumnProcessModules
• GetModuleBaseNameA
• GetModuleFileNameExA
• EnumProcesses
• GetModuleHandleExA
• GetMappedFileNameA
• NtReadVirtualMemory
• NtQueryVirtualMemory
• NtMapViewOfSection
• NtOpenProcess
• NtQuerySystemInformation

If a hook is detected, it will find the module where the jmp redirects too and send that data to the server for analysis or ban.

File Integrity Checks
All hacks must be done at runtime, important files are checked for integrity. Patching the files on disk is a no no.

VAC Enumerates all running Processes
VAC uses EnumProcesses to find all processes and does further scanning of these processes. This is the beginning of it's external hack process detection. Hiding your external hacks and injectors from EnumProcesses is the first step. They can't build sigs for something they can't see right?

EnumWindows & EnumChildWindows & GetWindowText
If you have a suspicious external process they will find the windows associated with them and get the window title. They make a hash of your window names and compare against known cheat window names. They also grab the window style, size & location which makes for easy external overlay detection. Maybe make your overlay larger than the game window and then offset all your drawing to the right position. Making your overlay the exact size of the game window is a dead giveaway it's an overlay cheat.

File Hashing
VAC creates files hashes for all running files or files recently touched by the OS and compares it against known cheat file hashes.
You can easily change file hash by simply adding bytes at the end of the file with any hex editor, of course you can automate that. This only prevents file hash signature detection.

VAC calls NtQueryInformationProcess()
Using ProcessBasicInformation it gets the address of the PEB. Using the PEB is the lowest usermode way of querying a process, by doing this it bypasses any patching/hiding you've done to other higher level documented APIs.

NtFsControlFile() & USN Change Journals
VAC scans the disk for every file that has recently been touched by the operating system, including deleting, renaming, creation & overwriting. Good luck hiding from that
To bypass this mambda suggests hooking NtFsControlFile()

Manual Mapping
Manual Mapping defeats many module detection methods that VAC and other anticheat have such as:

1. LoadLibrary hooks
2. Toolhelp32Snapshot
3. EnumprocessModules to find loaded modules
4. Walking the PEB loaded modules list
5. GetMappedFileName() on memory addresses to find DLL's on disk

Misc things Valve Anti Cheat does

• Easily detects debuggers but doesn't prevent them
• ntdll.dll is scanned, patching functions in here will lead to detection
• VAC uses EnumDeviceInterfaces() to find all drivers in device manager
• Reads the Event Log for recent events such as driver loading
• Reads the registry

New Machine Learning in VAC
VacNet: Server Side Machine Learning to find cheaters based on statistics.

How VAC Bans Work
Valve AntiCheat bans in waves usually, you could be banned hours, days weeks or months after using a detected cheat. If it's a public cheat, you can guarantee you will get VAC banned if you use it after they build signatures for it which only takes maybe a week or 2 in most cases. If you haven't been banned within 4 weeks you're probably okay.

VAC doesn't do IP or HWID bans. Every time someone gets banned, they buy a new account, making Valve tons of money so they will never do this. If you get banned, make a new steam account. But HWID and IP are used for Trust Factor, if they detect a new account from a computer with multiple bans, your trust factor will be penalized.

Junk Code / Polymorphic Code
Adding junk code to your hack will change the file hash, and avoid detection based on file hash. You can also simply do this by adding bytes to the end of the file. But VAC also hashes the code sections, so junk at the end of the file won't work, but adding junk code will actually solve this problem. Junk code is just code that does nothing in your hack, you can put any code you want in there as long as it doesn't modify the functionality of the hack logic.

BUT adding a few pieces of junk code will not bypass signature detection, only hashing.

You need to use polymorphism to bypass signature detection. Polymorphism will change the assembly at almost every byte, ruining all possible signatures. Read our guide on polymorphic code here
Or just completely bypass VAC so it can't even sig scan you.

CSGO Overwatch
Overwatch is a crowd sourced moderation system, if you get too many reports, demos of your gameplay will be reviewed by other players. If the majority of other players file their Overwatch reports with the opinion that you are violating the rules, your overwatch reputation will decrease and it will eventually result in a ban.

CSGO Match Making & Trust Factor
Griefers and cheaters will have a lower trust factor, this is based on many things including Overwatch reports. Match Making matches people with high trust factor with other similar players. Conversely it puts cheaters and other people with low trust factor in the same matches.

Trust Factor is tied to HWID/IP, if you get banned and make a new account, some of your old Trust Factor will make it to your new account.

Learn more about Overwatch, Match Making & Trust Factor: #1, #2 & #3

Additional GH VAC Resources:
mambda's Original VAC Writeup
c5's VAC Reverse Engineering IDA Scripts

Offsite VAC Resources:
VAC Source Code
Developments | Cra0kalo's Development Adventures
Valve Anti-Cheat - unkn0wncheats Game Hacking Wiki
zyhp/vac3_inhibitor
danielkrupinski/VAC-Bypass

Continue reading the rest of the thread for more info...

Please contribute to this guide by providing corrections & additions, hitting the "Like" button or donating

Thank you to the contributors to this guide:
@mambda @XdarionX @KF1337 @ZleMyzteX

 

[mambda]

Disclaimer: Information I'm spewing is from reversal that happened in 2015, more in depth information can be found at: RaptorFactor.com for example, however it seems he no longer wants to update that for the time being.

How does VAC detect things?
Well, there are a few methods that it uses in order to flag things, but the main method of detection when it comes to VAC is signature based detection (henceforth known as SBD.).

It's quite simple, you compile something and the resulting binary is a series of bytes, say your ultra leet cheat has the bytes 37 13 37 13 37 13 37 13 all in order, and its only used in one specific place all the time, and that place has the bytes, say, 0x6A <offset to the 37 13 shit above> .

That's something that could potentially be used as a signature. In essence, a signature is simply a pattern that can be found in a binary, preferably something that will be exclusive to that binary, this can be anything from a specific byte sequence in instructions, a specific string, pdb data, etc.

So valve basically hashes various portions of a binary that it deems suspicious, and checks the resulting hash with a few other hashes it has stored to decide whether or not something is a known cheating software, in which case, you get flagged and will get the hammer later.

Of course, it's not the only thing that valve does, they also, for example, enumerate all top level windows and hash things such as the window name, some attributes ( i.e. transparent iirc. ), position and size ( basically checking for overlays on top of the game ).

It's also got some more cool shenanigans, you can read more about some of its external related things here : VAC external

It is to be noted that valve does much more than *just* look at simple bytes in your program, and just because you have a driver doesn't mean you're 100% vac safe. get the binaries and reverse them and everything is clear and all that shit.

VAC

• Loads many modules during games.
• When something attempts to debug ( or open a handle ? ) to steamservice.exe it is immediately checked out
• It doesn't seem to care about anything on community servers, but definitely cares on casual & competitive
• In some module it gets the main drive ("C") and recursively queries directories that aren't Program Files (? maybe ? ) cheat folder enumeration
• On startup SteamService.exe checks SteamService.dll for file integrity, aka no patching on disk.
• Look like searches for Clear Information/FilterManager in Event Logs?
• OpenEventLog("System")
• ClearEventLog(givenHandle);

So how do we make our cheat bypass VAC?

• Have the cheat start before csgo.exe starts
• The cheat first injects the dll, then protects itself and demotes the privelages of steamservice.exe
• Then you run csgo.

Successful Reversed Modules

7C34.tmp

• GetNativeSystemInfo() - returns a pretty useless struct for me to care about.
• NtQuerySystemInformation [ TimeOfDay, CodeIntegrity, DeviceInformation, KernelDebugger, BootEnvironment, RangeStart ]
• Reads some important parts of NtDll.
• Does various checks

SteamService.exe

• On game launch and steamservice.exe startup, SteamService.exe calls EnumProcesses with a size of 4096 ( aka 4096 / 4 is the count of processes ) to get all running processes.
• Creates a file mapping on startup. format: "Steam_{E9FD3C51-9B58-4DA0-962C-734882B19273}_Pid:%000008X", steamServicePID
• Some event triggers telling csgo vac system is being blocked: i know this can happen due to USN being cleared, but could our VQEx hook also do it?
• VAC communicates with Pipes. cool stuff, need to research those more.

63CE.tmp - Internal(?) Module

• at some point it calls VirtualAlloc() on its own process with size 18016d , MEM_COMMIT, PAGE_READWRITE
• Later on it queries the process with NtQueryInformationProcess for ProcessBasicInformation , if this fails to get a buffer of size 24 it returns with 60;
• If successful, continues on with ImageFIlename
• It reads lots of predetermined memory regions. It uses VirtualAlloc on its own memory possibly for further inspection by host process.
• Also reads to csgo memory
• Lots of calls to VirtualAlloc()

Basically this guy opens specified process ID & does some VirtualQueryEx, I believe this checks for whether there is executable code in the csgo.exe module.
Checks queried memory for protect flag and Allocation Protection 0xF0
0xF0 = ( PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY )

If neither of these are found, v10 = 1

Could this read be doing sig scanning being that it reads information? I wonder if any of these open the file mapping.
v10 is placed in a2 + 60 , so definitely return value.

A2 Struct
=====
a2 + 56 = LastError()
a2 + 60 = returnValue
=====

441F.tmp - Device Module
Enumerates hardware devices with Setup Api.dll
EnumDeviceInterfaces to be exact. literally ALL OF THEM FROM DEVICE MANAGER AND PROBABLY BEYOND LOL.
Thats basically it. Underwhelming tbh.

FAF2.tmp - Volume Module

• Begins to search all volumes with FindFirstVolumeW, FindNextVolumeW and closes handles with FindVolumeClose
• Gets volume serial with GetVolumeInformationW and checks if it matches a predetermined serial
• I assume this is the volume serial hash.
• Gets a specific process' name and reads its memory ( i presume this is csgo ).
• Also does this with another process where a handle is given. instead of a pid.
• Another seciton where they GetMappedFileName

Aha! EnumProcesses!
Opens a process to every handle running with query_information and vm_read , tries to get their name and do some more things that i can't see yet.

Course of action here for my external : Strip handles of those values ^ , i don't really care about anything else. They can't get my name if they dont have the privileges to. Also they couldn't find it on file if they tried.

F335.tmp - Window Module

• EnumWindows finds ALL top level windows ( overlays too) , also does EnumChildWindows.
• They enumerate your windows and if your process id == something that they have stored then they will GetWindowInfo your
• They will keep your style ( and exStyle ), WindowStatus, WindowBorders ( x and y )
• It then calls GetWindowTextA and a secondary function
• for most externals exStyle = WS_EX_TOPMOST | WS_EX_TRANSPARENT | WS_EX_LAYERED
• Then i got lazy because there was a huge function up next, probably hashing.
• Basically, if your PID is something that it's looking for (specified by parameters), it will try to enumerate your window and log all those things ^ & probably send them back
• In the end they make a hash of your window name ( from GetWindowTextW )
• They compare these with various hashes ( 13 to be exact )

7B0B.tmp - File Mapping Module
FileMapping module, for now it seems to be majorly worthless, but there are some indirect function calls that i cant seem to pin down to figure out what its doing to the file mapping.
However it only gets opened with read permissions so i doubt its anything major.

BAC1.tmp - USN Module - Update Sequence Number Journal
GetVolumeInformation
This is later used with NtFsControlFile with FSCTL_QUERY_USN_JOURNAL
You get UsnJournalData via DeviceIoControl ( they use the higher up NtFsControlFile ) , it returns a USN_JOURNAL_DATA struct .
So you set whatever you want (i.e. READ_USN_JOURNAL_DATA struct ) 's id to whatever the journal id is
Alright, after some painstaking hours i managed to reproduce their usn querying.
Thankfully cool UC post to this module : unkn0wncheats.me -&nbspThis website is for sale! -&nbspunkn0wncheats Resources and Information.
if USN Region matches these flags: USN_REASON_CLOSE | USN_REASON_STREAM_CHANGE | USN_REASON_REPARSE_POINT_CHANGE | USN_REASON_RENAME_NEW_NAME | USN_REASON_RENAME_OLD_NAME | USN_REASON_FILE_DELETE | USN_REASON_FILE_CREATE | USN_REASON_NAMED_DATA_TRUNCATION | USN_REASON_NAMED_DATA_EXTEND | USN_REASON_NAMED_DATA_OVERWRITE
In laymans terms this means : If the file has recently been closed, created, deleted, renamed , or overwritten/written to, we want to check that out.
Then we hash the partial file name and reaon flag and compare them to some hashes
This happens with various other parts of the usn struct

NtFsControlFile
They do a crapton. The best thing to do is hook NtFsControlFile after it returns from KM and then clean any references to my stuff.

Here's what I can think of for this:

• IAT Hook NtFsControlFile and redirect it to my own function with the original address stored.
• Call the original function.
• parse the allocated memory for any data regarding my own stuff, if found, purge it.
• return.

So you can't IAT hook something you have to GPA, past me
So we hooked GPA via IAT ( so no modified bytes here )
from that, we check for when GPA is called for NtFsControlFile and we instead return the address of our own function while saving the actual location.
In our function we ( setup stack BITCH ) call the original, then check if the control code was FSCTL_READ_USN_JOURNAL.
if it was, we check out the USN_RECORD and check if the filename contains 'SPQR' , if it does, then we purge it and continue as normal.

69D7.tmp - Event Log Module
=======

• Pretty funky encryption here
• Goes through the event log with OpenEventLog, ReadEventLogA, EvtQuery, EvtCreateRenderContext ( for system and user information )
• Enumerating newest things first
• So I think I want to load my driver then clear the event log

C022.tmp - Registry Module
=======
Didn't look too far into this one, seems to enumerate registry keys ( possibly to detect drivers or certain p2cs ? )

BBC7.tmp - Majorly worthless, File mapping stuff.
=======
{%02xDEDF05-86E9-%02x17-9E36-1D94%02x334D-FA3%2xA0441} is used as format for opening a file mapping.

991E.tmp - SysEnter module

• Manually calls sysenter with the ordinal passed into it by SteamSerive.exe/dll , funky stuff.
• Calls EnumprocessModules
• Gets module base name and information

CEA4.tmp - VirtualQuery Module

• Calls VirtualQueryEx on specified regions.
• If the type is MEM_FREE it breaks and basically exits.
• on MEM_RESERVE it increments region size, possibly to try again and also sets a variable to true
• MEM_COMMIT it does checks to see whether the page is executable ( 0xF0 ) and if so it logs that and increments some values
• More interestingly, this module gets file names using GetMappedFileName and it opens the file with read access.
• It reads the file in its entirety and updates an MD5 hash with the bytes.
• Dat public cheat detection tho.
• Manual mapping itself fixes this because they won't know the file name to read it on disk.

steamclient.dll
There is something in here that logs where every injected file is in memory and writes it to a section

{%02x3F1461-5E%02x-4E99-A5AE-CEFDB55A%02x2D-3DED%02x3C}
format = pid >> 8, pid >> 24, (pid >> 16) & 0xFF, (unsigned __int8)pid
We open this with READ_WRITE permissions, we check for our string, if we find it, we zap away the entirety of it from the section
section struct size seems to be 0x4F ( 79 dec )

There's also another global handle that logs open handles

Okay so: On DLL_THREAD_ATTACH vac queries the memory and does a few scans, checks for some flags that are retarded: http://www.unkn0wncheats.me/forum/anti-cheat-bypass/100197-vac-external-tool-detection-and-more.html
Gets the moduleFileName
"If something suspicious is found, VAC uses the first module to analyze it. I didn't look into the first module, but it extracts the image sections does tons of hashes, maybe something more."

To circumvent this you need to manual map.

E2D5 - Sig Scanner

• Calls VQueryEx, RPM, like all vac modules. ( RPM that is, not vqx )
• If the return value is not >= 0x1C then it skips all the funky stuff that could be sig scans.
• Allocates memory after initialization, 0x10000 bytes MEM_COMMIT | MEM_RESERVE , PAGE_READWRITE
• this memory is where the final RPM is placed which they then attempt to hash and compare

Yeah im done with this now. Get Fukt valve.

Fun Facts:
Seems every module has the ability to get your volume serial, gotta be sure amirite vac? haha

Plan of action:
Externals : Hook K32Enumprocesses, hide my pid.
Internals : Hook VirtualQueryEx , when they query my memory tell them its non-executable so they bugger off, maybe even hook K32EnumProcessModules if they call it on csgo.exe...
MANUAL MAP BOYS.

 

[XdarionX]

CSGO Overwatch

Since these features are going on valves servers no one actually knows what exactly is happening. But basically Overwatch occurs when you have at least 150 wins on account. Then you may view other players recorded demos that are assembled from packets sent to server and whole match is reconstructed (scenes are cut around how you kill people so one overwatch takes around 10min, not full match length) they choose who will be reviewed based on how players in game report you, if you watched it till end you will choose from:

If you are not sure than its better to choose insufficient evidence, if you postpone then you can't review any new demo until you submit verdict from that one you have watched (you can watch it more times and also you can manipulate the speed). If you submit verdict then on their servers they will multiply it with your "overwatch trust factor" - it is acquired by submitting accurate verdicts and lowered if you make a mistake and it is independent from your regular trust factor (that's why is insufficient evidence better if you are indecisive)

Than if the "EBRD count" is higher some hard coded constant they will auto-ban you as "overwatch ban" (griefing is punished by tempban for few months, any other is permanent - that means bunnyhop=full hvh aimbot+aa=insta perm ban and no exceptions).

Example: if you rage hack it will take maybe 5 or 8 different people to review you and if all of them submit EBRD you will get banned - same as only 3 people with high "overwatch trust factor" would submit EBRD (there are youtubers and streamers doing this for whole days).

Now maybe you asks what if you hack one game and other play legit? There will only be half EBRD and half insufficient - they wont ban you (ofc) but constantly lower your trust factor as your "average report ratio" is pretty high (if you hack only 1 out of 3 games it will lower your trust factor slower based on ow - it may take weeks or even months until you will only play with cheaters and griefers even when you started with "legit hacks")

CSGO Matchmaking & Trust Factor
If you ever tried queue in CSGO you may have seen something strange: there are thousands people searching but it takes whole minutes to find a game

You can make jokes of valves "arduino servers" but the fact is they are sorting players based on: map they choose to play, their ping to prevent lag, their skill group and their trust factor (too many params to effeciently find your opponents/teamates). If you have low trustfactor you will only play with people who have low trust factor too (= griefers and cheaters) and it is pretty easy to wreck your trustfactor (much easier than level it up

If you have it even lower you will eventually get banned. Then what? Make a new account! CSGO is free! But now your brand new account will have lower trust factor than other "new accounts" because it was created and played on computer that already has one/two/more banned accounts (they do take your disk serial / make hwid) even if you don't cheat on your "main" account but you have alt (they are lying as they say your accounts are "not connected" to each other), since you play on the same PC you will ruin the trustfactor on main too.

That's it, valve works like that and it wasn't easy to find it out (it cost me my main prime acc). If you have any other question you may ask below (I'm not sure if i explained everything).

 

[KF1337]

Matchmaking
Valve's / CSGO's own System to match people against each other. Usually, this refers to the classic Competitive 5v5 mode of the game.
This might also include Wingman mode, which is a time-shortened 2v2 mode.
Both these game modes involve ranks, starting from Silver 1 to Global Elite (18 ranks in total).
As @XdarionX mentioned, you get into a queue, where you will be matched against players with a similar rank/ping/trust factor.

Trusted
The new mode that is aimed at preventing interaction from third-party dlls (First iteration of trusted mode: Counter-Strike: Global Offensive)

Trust Factor
- official blogpost: Counter-Strike: Global Offensive
A system that is aimed to improve the matchmaking experience, separating "good" players from "bad" ones.
Good and bad are not referring to their actual skill, but to their behavior, like killing teammates, getting in-game reports etcetc.
There has never been any disclosure by Valve what exactly influences this trust factor.
People claiming that they know how this system works are either lying or waaay to overconfident about their assumptions.
There are simply assumptions, which might be right. Some of these are actually very likely to be true based of Valves own statements, but nothing has ever been confirmed.

 

[ZleMyzteX]

I wanna contribute something and since I was cheating in CSGO for some years and never really got caught I wanted to share some things about it.

Overwatch
@XdarionX already said some things about it, but in the end it's just other (experienced) players watching your past games - if you behave like a legit, you won't get into any trouble whatsoever.
So, if you check every corner even though you are wallhacking and die every now and then, you are pretty safe - just don't use too high FOV aimbots and too low delays on triggerbots and you should be fine. Basically everything that doesn't look legit should be avoided.

There are some things that are guaranteed to put you into an overwatch queue, for example antiaim (rage kind of antiaim) or just raging and getting abnormal high amounts of kills. Griefing also throws you into the overwatch pool if you get enough reports.

The "rule" is, that after more then 5 reports you are basically thrown into the overwatch queue and are probably getting banned, if you raged. There's a lot of things nobody really knows about overwatch and VACNET since it's a machine learning thing they got going on there - nobody really knows what it's up to.

A lot of people (me included) think that VACNET is just used to put people into overwatch if it detects some anomalies, like inhuman mouse movements and stuff like that. The easiest way to get a ban is to use a bunnyhop hack - I can guarantee you, that you won't be playing more then 2 or 3 games with bunnyhop hacks, they seem to be pretty easily detected by VACNET. (your mileage may vary tho, nobody knows exactly whats going on there.)

Trusted
just like @KF1337 said, it's

The new mode that is aimed at preventing interaction from third-party dlls

On the forum there's already a tutorial how to bypass it, just use manual mapping. It didn't do much, it basically did more to legits than to hackers - things like obs and stuff didn't (or still don't work, idk) because of trusted mode. Using trusted supposedly also makes your trust factor better, so it's good to use it and just bypass it.


Trust Factor
So, trust factor is still a mysterious thing - there's no real guide or tutorial to make the trust factor go up or down - Valve is probably also using machine learning for that, so nobody really knows whats going on with that.
The higher the trust factor, the better the quality of enemies you are probably going to encounter (enemies are more likely to be legit with a high trust factor)
Low trust factor is like hell - new profiles only, and 99% are either closet cheating or just raging.
How to get a better trust factor you might ask yourself?
well, easiest way is to avoid reports, play "legit", invest some money into skins and stuff and just alltogether be a "legit" player. There's no real way to boosting that up, you can only get it down real quick if you rage and collect reports.

 

[Rake]

I have found on github one cool guy who is reversing vac and than gathered data is rewriting to c language. Looks really interesting, you have to see it:
danielkrupinski/VAC

I'm gonna paste some of his information here in case it gets deleted:

# VAC
This repository contains parts of source code of Valve Anti-Cheat for Windows systems recreated from machine code.

# Introduction
Valve Anti-Cheat (VAC) is user-mode noninvasive anti-cheat system developed by Valve. It is delivered in form of modules (dlls) streamed from the remote server. steamservice.dll loaded into SteamService.exe (or Steam.exe if run as admin) prepares and runs anti-cheat modules. Client VAC infrastructure is built using C++ (indicated by many thiscall convention functions present in disassembly) but this repo contains C code for simplicity. Anti-cheat binaries are currently 32-bit.

# Modules
| ID | Purpose | .text section raw size | Source folder |
| --- | --- | --- | --- |
| 1 | Collect information about system configuration.<br>This module is loaded first and sometimes even before any VAC-secured game is launched. | 0x5C00 | Modules/SystemInfo
| 2 | Enumerate running processes and handles.<br>This module is loaded shortly after game is launched but also repeatedly later. | 0x4A00 | Modules/ProcessHandleList
| 3 | Collect VacProcessMonitor data from filemapping created by steamservice.dll. It's the first module observed to use virtual methods (polymorphism). | 0x6600 | Modules/ProcessMonitor

# Encryption / Hashing
VAC uses several encryption / hashing methods:

• MD5 - hashing data read from process memory
• ICE - decryption of imported functions names and encryption of scan results
• CRC32 - hashing table of WinAPI functions addresses
• Xor - encryption of function names on stack, e.g NtQuerySystemInformation. Strings are xor-ed with ^ or > or & char.

# Module Description

## #1 - SystemInfo
This module is loaded first and sometimes even before any VAC-secured game is launched.

At first module invokes GetVersion function to retrieve major and build system version e.g 0x47BB0A00 - which means:

• 0x47BB - build version (decimal 18363‬)
• 0x0A00 - major version (decimal 10)

The module calls GetNativeSystemInfo function and reads fields from resultant SYSTEM_INFO struct:

• wProcessorArchitecture
• dwProcessorType

Then it calls NtQuerySystemInformation API function with following SystemInformationClass values (in order they appear in code):
- SystemTimeOfDayInformation - returns undocumented SYSTEM_TIMEOFDAY_INFORMATION struct, VAC uses two fields:
- LARGE_INTEGER CurrentTime
- LARGE_INTEGER BootTime

• SystemCodeIntegrityInformation - returns SYSTEM_CODEINTEGRITY_INFORMATION, module saves CodeIntegrityOptions field
• SystemDeviceInformation - returns SYSTEM_DEVICE_INFORMATION, module saves NumberOfDisks field
• SystemKernelDebuggerInformation - returns SYSTEM_KERNEL_DEBUGGER_INFORMATION, VAC uses whole struct
• SystemBootEnvironmentInformation - returns SYSTEM_BOOT_ENVIRONMENT_INFORMATION, VAC copies BootIdentifier GUID
• SystemRangeStartInformation - returns SYSTEM_RANGE_START_INFORMATION which is just void*. Anti-cheat saves returned kernel space start address and sign bit of that address (to check if executable inside which VAC is running is linked with LARGEADDRESSAWARE option)

For more information about SYSTEM_INFORMATION_CLASS enum see Geoff Chappell's page.

Next, anti-cheat calls GetProcessImageFileNameA function to retrieve path of current executable and reads last 36 characters (e.g. \Program Files (x86)\Steam\Steam.exe).

Later VAC retrieves system directory path (e.g C:\WINDOWS\system32) using GetSystemDirectoryW, converts it from wide-char to multibyte string, and stores it (max length of multibyte string - 200).
Anti-cheat queries folder FileID (using GetFileInformationByHandleEx) and volume serial number (GetVolumeInformationByHandleW). Further it does the same with windows directory got from GetWindowsDirectoryW API.

Module reads NtDll.dll file from system directory and does some processing on it (not reversed yet).

VAC saves handles (base addresses) of imported system dlls (max 16, this VAC module loads 12 dlls) and pointers to WINAPI functions (max 160, module uses 172 functions‬). This is done to detect import address table hooking on anti-cheat module, if function address is lower than corresponding module base, function has been hooked.

Anti-cheat gets self module base by performing bitwise and on return address (_ReturnAddress() & 0xFFFF0000). Then it collects:

• module base address
• first four bytes at module base address (from DOS header)
• DWORD at module base + 0x114
• DWORD at module base + 0x400 (start of .text section)

Next it enumerates volumes using FindFirstVolumeW / FindNextVolumeW API. VAC queries volume information by calling GetVolumeInformationW, GetDriveTypeW and GetVolumePathNamesForVolumeNameW functions and fills following struct with collected data:

struct VolumeData {
    UINT volumeGuidHash;
    DWORD getVolumeInformationError;
    DWORD fileSystemFlags;
    DWORD volumeSerialNumber;
    UINT volumeNameHash;
    UINT fileSystemNameHash;
    WORD driveType;
    WORD volumePathNameLength;
    DWORD volumePathNameHash;
}; // sizeof(VolumeData) == 32

VAC gathers data of max. 10 volumes.

If this module was streamed after VAC-secured game had started, it attemps to get handle to the game process (using OpenProcess API).

Eventually, module encrypts data (2048 bytes), DWORD by DWORD XORing with key received from server (e.g 0x1D4855D3)

## #2 - ProcessHandleList

To be disclosed...

## #3 - ProcessMonitor

This module seems to be relatively new or was disabled for a long time. First time I saw this module in January 2020. It has an ability to perform many different types of scans (currently 3). Further scans depends on the results of previous ones.

Each scan type implements four methods of a base class.

Initially VAC server instructs client to perform scan #1.

### Scan #1 - VacProcessMonitor filemapping

First scan function attemps to open Steam_{E9FD3C51-9B58-4DA0-962C-734882B19273}_Pid:%000008X filemapping. The mapping has following layout:

struct VacProcessMonitorMapping {
    DWORD magic; // when initialized - 0x30004
    PVOID vacProcessMonitor;
}; // sizeof(VacProcessMonitorMapping) == 8

VacProcessMonitorMapping::vacProcessMonitor is a pointer to the VacProcessMonitor object (size of which is 292 bytes).

VAC then reads the whole VacProcessMonitor object (292 bytes) and its VMT (Virtual Method Table) containing pointers to 6 methods (24 bytes).
The base address of steamservice.dll is also gathered.

These data are probably used on VAC servers to detect hooking VacProcessMonitor. The procedure may be following:

if (method_ptr & 0xFFFF0000 != steamservice_base)
    hook_detected();

 

[mambda]

man i wrote this 2 years ago and i havent even touched a vac protected game since

 

[Rake]

Some good VAC reversing info here as well Developments | Cra0kalo's Development Adventures

Simple first steps for VAC Bypass
For the average person, you won't be detected unless you use public source code or distribute your hack. This has been confirmed 1000x. The moment you distribute it, that changes.

• Write your hack from scratch, do not use any public source code
• Do not distribute your hack or if you must only share it with a few people, like less than 10
• Internal hacks: use Manual Mapping - GH Injector does Manual Mapping
• Manual mapping will hide your module from VAC because it bypasses LoadLibrary() detection, module enumeration & PE header detection.

If external, avoid using WriteProcessMemory
You can make bunny hop, aimbot and triggerbot all using SendInput and an external overlay ESP with GDI, OpenGL or Direct3D
These only require opening a handle to the process and ReadProcessMemory() which will be the least suspicious but it is still 100% detectable

 

[Schnee]

Some good VAC reversing info here as well http://dev.cra0kalo.com/

Anyone remember that video from that european convention with I think the h1z1 anticheat dev? He was explaining how the anticheat works and how they developed it and the challenges they faced. It might not have been h1z1 but it's from a few years ago. It wasn't on youtube, it was on some site for the con

Not sure if you mean the video with Eugen Harton, it´s linked on the BattleEye homepage as well for companies to get an insight on what they are doing.

https://www.youtube.com/watch?v=0M0xBMEuWdU

 

[mambda]

highly doubt they are but idk i dont even work on vac protected games anymore

 

[XdarionX]

NtFsControlFile() & USN Change Journals
VAC scans the disk for every file that has recently been touched by the operating system, including deleting, renaming, creation & overwriting. Good luck hiding from that
To bypass this mambda suggests hooking NtFsControlFile()

I was using windows xp service pack 2 so my external hack was exploit switched to ring0 and then set some magic bytes to its disk file and protected mode descriptors so it was 'unreachable' like C:/kernel.sys and my process could not be even opened by OpenProcess or debugged by ANY debugger. Accessing game RAM was as simple as in internal cheat. In shortcut: hack was a part of kernel. And I am not still banned. One disadvantage is that steam will stop supporting this awesome OS. This simple trick bypassed all valve work on their Valve Abortive Co****

 

[XdarionX]

Since csgo is for free I was experimenting on some accounts with VAC and I want to share some knowledge:

• VMT hooking is 100% detected (there were some discussions about it and yes it is) btw many skeet users got vacban lmao
• RDI is probably detected (I am not sure), idk how but be careful with it (stephenfewer/ReflectiveDLLInjection) I guess VAC has some hash for its shellcode or AoB ?
• Silentaim and Aimbot got better server-sided detection based on delta of view angles (pitch+yaw) but still it affects only rage cheaters, legit like one degree FOV is still safe (to VAC, not OW)
• Reinforced D3D function hooking detection, avoid using public headers/SDKs for menu, hook em between their prologue and epilogue:

mov edi,edi
push ebp
mov ebp,esp
//hook comes here
leave
ret

Hope it helps

 

[0xDEC0DE]

Since csgo is for free I was experimenting on some accounts with VAC and I want to share some knowledge:

• VMT hooking is 100% detected (there were some discussions about it and yes it is) btw many skeet users got vacban lmao
• RDI is probably detected (I am not sure), idk how but be careful with it (stephenfewer/ReflectiveDLLInjection) I guess VAC has some hash for its shellcode or AoB ?
• Silentaim and Aimbot got better server-sided detection based on delta of view angles (pitch+yaw) but still it affects only rage cheaters, legit like one degree FOV is still safe (to VAC, not OW)
• Reinforced D3D function hooking detection, avoid using public headers/SDKs for menu, hook em between their prologue and epilogue:

mov edi,edi
push ebp
mov ebp,esp
//hook comes here
leave
ret

Hope it helps

Can you tell if imgui is detected ?

I haven't tried it yet, its the only public source i use, everything else is custom build by me.

 

[XdarionX]

Can you tell if imgui is detected ?

I haven't tried it yet, its the only public source i use, everything else is custom build by me.

If you mean this ocornut/imgui then idk - I see it first time, I am not making public cheats with menus (my private one commonly has static config loaded from some file on the disk). In that post I meant public well-known menu headers that can be downloaded from public cheating forums like uc and mpqh. Imgui looks like normal open source library that is commonly used for programmers, not hackers so I dont see any reason why should VAC scan for it.

 

[0xDEC0DE]

If you mean this ocornut/imgui then idk - I see it first time, I am not making public cheats with menus (my private one commonly has static config loaded from some file on the disk). In that post I meant public well-known menu headers that can be downloaded from public cheating forums like uc and mpqh. Imgui looks like normal open source library that is commonly used for programmers, not hackers so I dont see any reason why should VAC scan for it.

Yeah its not meant for game hacks and ocornut the founder is strongly against it but its used by many many users on uc.

I think i will remove it for now.

 

[XdarionX]

i have found on github one cool guy who is reversing vac and than gathered data is rewriting to c language. Looks really interesting, you have to see it:
https://github.com/danielkrupinski/VAC

 

[Rake]

vac LUL

 

[eth0]

I am sorry for bumping this thread, but i do have a question regarding "Insecure Mode" . "Friend" of mine used to code an external cheat on C#, he had his platform running for about year and half, during that period he had not a single vac detection (his player base was around 60 active members), but as we all know VAC is kind of a meme. Anyhow, what he told me was that when you put -insecure, your account's trust factor is getting worse. And since I am no longer talking with him, I can't be sure whether that argument is true, because i blindly used to believe all he said back then.

 

[mambda]

I am sorry for bumping this thread, but i do have a question regarding "Insecure Mode" . "Friend" of mine used to code an external cheat on C#, he had his platform running for about year and half, during that period he had not a single vac detection (his player base was around 60 active members), but as we all know VAC is kind of a meme. Anyhow, what he told me was that when you put -insecure, your account's trust factor is getting worse. And since I am no longer talking with him, I can't be sure whether that argument is true, because i blindly used to believe all he said back then.

certainly possible if they send that information over.

Pretty much all VALVe games are free (the only ones that actually allow -insecure, dont think its built into source engine) so just spin up a cheat dev account

 

[eth0]

certainly possible if they send that information over.

Pretty much all VALVe games are free (the only ones that actually allow -insecure, dont think its built into source engine) so just spin up a cheat dev account

Thank you so much for clarifying it for me brotha