[Info] Avoiding Hack Detection

Hexui Undetected CSGO Cheats PUBG Accounts
c5

c5

Kim Kong Trasher
Dank Tier VIP
Dank Tier Donator
Jul 19, 2012
1,187
19,938
76
Nice job, very well put together. Good overview for everyone new in bypassing anticheat area
 
S

saebur

Jr.Coder
Full Member
Nobleman
Aug 14, 2012
64
688
0
c5 said:
Nice job, very well put together. Good overview for everyone new in bypassing anticheat area
Click to expand...
Thanks for your feedback! I'm a sucker for well-put together, well-formatted and quality posts/threads/shares. But do you think it' readable or should i make the images bigger?
And it's definitely a good overview and shows what people need to consider and do :)
 
AlphaAnonymous

AlphaAnonymous

*Creating A Perfect World
Dank Tier Donator
Nobleman
Aug 9, 2012
153
1,188
1
saebur said:
Thanks for your feedback! I'm a sucker for well-put together, well-formatted and quality posts/threads/shares. But do you think it' readable or should i make the images bigger?
And it's definitely a good overview and shows what people need to consider and do :)
Click to expand...
I would recommend making the picture bigger, even me myself is having a hard time reading it.
 
S

saebur

Jr.Coder
Full Member
Nobleman
Aug 14, 2012
64
688
0
AustinRush said:
I would recommend making the picture bigger, even me myself is having a hard time reading it.
Click to expand...
I updated the attachments for a bigger size. The forum automatically formats the image to be smaller so you might wanna look at the attachment instead!
 
velreine

velreine

Newbie
Full Member
Aug 27, 2012
36
504
0
This thread contains ALOT of usefull information, the only problem i can see is that you need to have quite some prior knowledge to reverse engineering to understand this as a whole. I think it would be alot more awesome if you would break it down into sections and try to explain it with images aswell, and maybe create a little bit of a tutorial and show code examples from say how you injected module without using LoadLibrary.


Thanks in advance... Velreine
 
A

AlexSleyore

Coder
Full Member
Nobleman
Oct 29, 2012
100
613
1
HTML: 
[table="width: 618"]
[tr]
	[td][IMG]https://i45.tinypic.com/10eiwbn.jpg[/IMG][/td]
[/tr]
[/table]
Use that, it will display it more correctly. also very nicely done... I do which to go through and point some things out...

For your module finding of backlisted of Dll names, I would assume more companies would have a blacklist of the Dlls MD5 or such data, not a list of blacklisted Dll Names. cause then you could just name your dll SomethingLegit.Dll -.-

Also.. for your useless NOP ideas here are some of the commands

C++: 
90 - NOP

86 - Mov X,X
C0   EAX
C9   ECX
D2   EDX
DB   EBX
E4   ESP
ED   EBP
F6   ESI
FF   EDI

PUSH-POP
5058 EAX
5159 ECX
525A EDX
535B EBX
545C ESP
555D EBP
565E ESI
575F EDI
 
E

ELExTrO

Newbie
Full Member
Dec 4, 2012
26
444
0


this is just excelent thats why many people are getting detections no one couldnt say it better, ways to get rid is CreateRemoteThread, CodeCave injection and the ring0 Api´s

finally that cloak dll and manual mapping method sounds to me like that old coder ummm dwarak, darawk or w/e the name was the cloakdll module he posted a long time ago used to work properly now it isnt hiding properly you can use this "updated" version for your cheats

C++: 
void CTools::HideDLL(HINSTANCE hModule)
{
	DWORD dwPEB_LDR_DATA = 0;
	_asm
	{
		pushad;
		pushfd;
		mov eax, fs:[30h]             
		mov eax, [eax+0Ch]               
		mov dwPEB_LDR_DATA, eax	

		InLoadOrderModuleList:
			mov esi, [eax+0Ch]	     
			mov edx, [eax+10h]	     

		LoopInLoadOrderModuleList: 
		    lodsd		         
			mov esi, eax	
			mov ecx, [eax+18h]  
			cmp ecx, hModule	
			jne SkipA		 
		    mov ebx, [eax]	  
		    mov ecx, [eax+4]  
		    mov [ecx], ebx    
		    mov [ebx+4], ecx	  
			jmp InMemoryOrderModuleList 

		SkipA:
			cmp edx, esi     
			jne LoopInLoadOrderModuleList

		InMemoryOrderModuleList:
			mov eax, dwPEB_LDR_DATA
			mov esi, [eax+14h]
			mov edx, [eax+18h]

		LoopInMemoryOrderModuleList: 
			lodsd
			mov esi, eax
			mov ecx, [eax+10h]
			cmp ecx, hModule
			jne SkipB
			mov ebx, [eax] 
			mov ecx, [eax+4]
			mov [ecx], ebx
			mov [ebx+4], ecx
			jmp InInitializationOrderModuleList

		SkipB:
			cmp edx, esi
			jne LoopInMemoryOrderModuleList

		InInitializationOrderModuleList:
			mov eax, dwPEB_LDR_DATA
			mov esi, [eax+1Ch]	  
			mov edx, [eax+20h]	  

		LoopInInitializationOrderModuleList: 
			lodsd
			mov esi, eax		
			mov ecx, [eax+08h]
			cmp ecx, hModule		
			jne SkipC
			mov ebx, [eax] 
			mov ecx, [eax+4]
			mov [ecx], ebx
			mov [ebx+4], ecx
			jmp Finished

		SkipC:
			cmp edx, esi
			jne LoopInInitializationOrderModuleList

		Finished:
			popfd;
			popad;
	}
}
talking about manual mapping sounds really kewl and it still works against some anticheats, for example manually mapping your dll works on hackshield protected games when your source became detected by strings, in gameguard protected games when your page is over 0x1000 bytes :p and in xtrap get you undtected at least for one use since its a polymorphic anticheat

you can also delete the PE header to remain undetected for more time


C++: 
void CTools::EraseHeader(HINSTANCE hModule)
{
	/* 
	* func to erase headers, by Croner.
	* keep in mind you wont be able to load 
	* any resources after you erase headers.
	*/

	PIMAGE_DOS_HEADER pDoH; 
	PIMAGE_NT_HEADERS pNtH;
	DWORD i, ersize, protect;

	if (!hModule) return;
	
	// well just to make clear what we doing
	pDoH = (PIMAGE_DOS_HEADER)(hModule);

	pNtH = (PIMAGE_NT_HEADERS)((LONG)hModule + ((PIMAGE_DOS_HEADER)hModule)->e_lfanew);

	ersize = sizeof(IMAGE_DOS_HEADER);
	if ( VirtualProtect(pDoH, ersize, PAGE_READWRITE, &protect) )
	{
		for ( i=0; i < ersize; i++ )
				*(BYTE*)((BYTE*)pDoH + i) = 0;
	}

	ersize = sizeof(IMAGE_NT_HEADERS);
	if ( pNtH && VirtualProtect(pNtH, ersize, PAGE_READWRITE, &protect) )
	{
		for ( i=0; i < ersize; i++ )
				*(BYTE*)((BYTE*)pNtH + i) = 0;
	}
	return;
}

and finally use ntdll.dll for you hacking purposes

C++: 
MemoryManage::MemoryManage(void)
{
	hKlDll = NULL;
	hNtDll = NULL;
}

void MemoryManage::InitNtKExt(void)
{
	while(!hNtDll)
	{
		hNtDll = GetModuleHandle("ntdll.dll");
		Sleep(50);
	}
	while(!hKlDll)
	{
		hKlDll = GetModuleHandle("kernel32.dll");
		Sleep(50);
	}
	_GetProcAddress        = reinterpret_cast<GPA>      (  GetProcAddress(hKlDll, "GetProcAddress"));
	if(!_GetProcAddress)
	{

		Sleep(500);
		TerminateProcess(GetCurrentProcess(), 0);
	}
    NtProtectVirtualMemory = reinterpret_cast<NTPVM>    (__GetProcAddress(hNtDll, "NtProtectVirtualMemory"));
    RtlNtStatusToDosError  = reinterpret_cast<RTLNTSTDE>(__GetProcAddress(hNtDll, "RtlNtStatusToDosError"));
	RtlCreateUserThread    = reinterpret_cast<RTLCUT>   (__GetProcAddress(hNtDll, "RtlCreateUserThread"));
	NtResumeThread         = reinterpret_cast<NTRT>     (__GetProcAddress(hNtDll, "NtResumeThread"));
	NtClose                = reinterpret_cast<NTC>      (__GetProcAddress(hNtDll, "NtClose"));
	if(!NtProtectVirtualMemory ||
		!RtlNtStatusToDosError ||
		!RtlCreateUserThread ||
		!NtResumeThread ||
		!NtClose)
	{

		Sleep(500);
		TerminateProcess(GetCurrentProcess(), 0);
	}
	Sleep(500);
}
Credits:
HideDLL made by Th4n4t0s aka Surpintine from the old warhax site (its dead now)
Erase PEHeader by Croner (same site)
InitNtKExt by ELExTrO :p
 
Last edited:
Log in to post or download attachments
Similar threads
Thread starter Title Forum Replies Date
K Solved How to modify server info on mmo game Questions & Answers - Hacking Help 5
R Intro Hey! Thanks for all the info Member Introductions 4
timb3r Guide idTech Engine Hacking & Reversing Info GamePhreakers - Game Modding Tutorials 1
J Intro Awesome source of info Member Introductions 2

Similar threads

Community Mods
Top Bottom