[Info] Avoiding Hack Detection


c5

Kim Kong Trasher
Dank Tier VIP
Dank Tier Donator
Jul 19, 2012
1,187
12,638
76
Nice job, very well put together. Good overview for everyone new to the anti-cheat bypassing area.
 

saebur

Jr.Coder
Full Member
Nobleman
Aug 14, 2012
64
688
0
Nice job, very well put together. Good overview for everyone new to the anti-cheat bypassing area.
Thanks for your feedback! I'm a sucker for well-put-together, well-formatted and quality posts/threads/shares. But do you think it's readable or should I make the images bigger?
And it's definitely a good overview and shows what people need to consider and do :)
 

AlphaAnonymous

*Creating A Perfect World
Dank Tier Donator
Nobleman
Aug 9, 2012
153
1,188
1
Thanks for your feedback! I'm a sucker for well-put-together, well-formatted and quality posts/threads/shares. But do you think it's readable or should I make the images bigger?
And it's definitely a good overview and shows what people need to consider and do :)
I would recommend making the picture bigger; even I myself am having a hard time reading it.
 

saebur

Jr.Coder
Full Member
Nobleman
Aug 14, 2012
64
688
0
I would recommend making the picture bigger; even I myself am having a hard time reading it.
I updated the attachments for a bigger size. The forum automatically formats the image to be smaller, so you might wanna look at the attachment instead!
 

velreine

Newbie
Full Member
Aug 27, 2012
36
504
0
This thread contains a lot of useful information; the only problem I can see is that you need to have quite some prior knowledge of reverse engineering to understand this as a whole. I think it would be a lot more awesome if you would break it down into sections and try to explain it with images as well, and maybe create a little bit of a tutorial and show code examples of, say, how you injected a module without using LoadLibrary.


Thanks in advance... Velreine
 

AlexSleyore

Coder
Full Member
Nobleman
Oct 29, 2012
100
613
1
HTML:
[table="width: 618"]
[tr]
	[td][IMG]https://i45.tinypic.com/10eiwbn.jpg[/IMG][/td]
[/tr]
[/table]
Use that, it will display it more correctly. Also very nicely done... I do wish to go through and point some things out...

For your module-finding list of blacklisted DLL names, I would assume more companies would have a blacklist of the DLLs' MD5 or such data, not a list of blacklisted DLL names, because then you could just name your DLL SomethingLegit.dll -.-

Also, for your useless-NOP ideas, here are some of the commands:

C++:
90 - NOP

86 - Mov X,X
C0   EAX
C9   ECX
D2   EDX
DB   EBX
E4   ESP
ED   EBP
F6   ESI
FF   EDI

PUSH-POP
5058 EAX
5159 ECX
525A EDX
535B EBX
545C ESP
555D EBP
565E ESI
575F EDI
 

ELExTrO

Newbie
Full Member
Dec 4, 2012
26
444
0


This is just excellent, that's why many people are getting detections; no one could say it better. Ways to get rid of that are CreateRemoteThread, code cave injection and the ring0 APIs.

Finally, that cloak DLL and manual mapping method sounds to me like that old coder, ummm, dwarak, darawk or w/e the name was; the cloakdll module he posted a long time ago used to work properly, now it isn't hiding properly. You can use this "updated" version for your cheats:

C++:
void CTools::HideDLL(HINSTANCE hModule)
{
	DWORD dwPEB_LDR_DATA = 0;
	_asm
	{
		pushad;
		pushfd;
		mov eax, fs:[30h]              // TEB -> PEB
		mov eax, [eax+0Ch]             // PEB -> Ldr (PEB_LDR_DATA)
		mov dwPEB_LDR_DATA, eax

	InLoadOrderModuleList:
		mov esi, [eax+0Ch]             // InLoadOrderModuleList.Flink (first entry)
		mov edx, [eax+10h]             // InLoadOrderModuleList.Blink (last entry)

	LoopInLoadOrderModuleList:
		lodsd                          // eax = current->Flink, i.e. the next entry
		mov esi, eax
		mov ecx, [eax+18h]             // LDR_DATA_TABLE_ENTRY.DllBase
		cmp ecx, hModule
		jne SkipA
		mov ebx, [eax]                 // entry->Flink
		mov ecx, [eax+4]               // entry->Blink
		mov [ecx], ebx                 // Blink->Flink = Flink
		mov [ebx+4], ecx               // Flink->Blink = Blink
		jmp InMemoryOrderModuleList

	SkipA:
		cmp edx, esi                   // stop once the last entry has been checked
		jne LoopInLoadOrderModuleList

	InMemoryOrderModuleList:
		mov eax, dwPEB_LDR_DATA
		mov esi, [eax+14h]             // InMemoryOrderModuleList.Flink
		mov edx, [eax+18h]             // InMemoryOrderModuleList.Blink

	LoopInMemoryOrderModuleList:
		lodsd
		mov esi, eax
		mov ecx, [eax+10h]             // DllBase, relative to InMemoryOrderLinks
		cmp ecx, hModule
		jne SkipB
		mov ebx, [eax]
		mov ecx, [eax+4]
		mov [ecx], ebx
		mov [ebx+4], ecx
		jmp InInitializationOrderModuleList

	SkipB:
		cmp edx, esi
		jne LoopInMemoryOrderModuleList

	InInitializationOrderModuleList:
		mov eax, dwPEB_LDR_DATA
		mov esi, [eax+1Ch]             // InInitializationOrderModuleList.Flink
		mov edx, [eax+20h]             // InInitializationOrderModuleList.Blink

	LoopInInitializationOrderModuleList:
		lodsd
		mov esi, eax
		mov ecx, [eax+08h]             // DllBase, relative to InInitializationOrderLinks
		cmp ecx, hModule
		jne SkipC
		mov ebx, [eax]
		mov ecx, [eax+4]
		mov [ecx], ebx
		mov [ebx+4], ecx
		jmp Finished

	SkipC:
		cmp edx, esi
		jne LoopInInitializationOrderModuleList

	Finished:
		popfd;
		popad;
	}
}
Talking about manual mapping, it sounds really kewl and it still works against some anti-cheats. For example, manually mapping your DLL works on HackShield-protected games when your source became detected by strings, in GameGuard-protected games when your page is over 0x1000 bytes :p, and in XTrap it gets you undetected at least for one use since it's a polymorphic anti-cheat.

You can also delete the PE header to remain undetected for a longer time.


C++:
void CTools::EraseHeader(HINSTANCE hModule)
{
	/*
	* func to erase headers, by Croner.
	* keep in mind you won't be able to load
	* any resources after you erase headers.
	*/

	PIMAGE_DOS_HEADER pDoH;
	PIMAGE_NT_HEADERS pNtH;
	DWORD i, ersize, protect;

	if (!hModule) return;

	// well just to make clear what we doing
	pDoH = (PIMAGE_DOS_HEADER)(hModule);

	// e_lfanew is the offset of the NT headers from the image base; a byte
	// pointer (instead of the original LONG cast) keeps this correct on 64-bit
	pNtH = (PIMAGE_NT_HEADERS)((BYTE*)hModule + pDoH->e_lfanew);

	ersize = sizeof(IMAGE_DOS_HEADER);
	if ( VirtualProtect(pDoH, ersize, PAGE_READWRITE, &protect) )
	{
		for ( i=0; i < ersize; i++ )
			*((BYTE*)pDoH + i) = 0;
	}

	ersize = sizeof(IMAGE_NT_HEADERS);
	if ( pNtH && VirtualProtect(pNtH, ersize, PAGE_READWRITE, &protect) )
	{
		for ( i=0; i < ersize; i++ )
			*((BYTE*)pNtH + i) = 0;
	}
	return;
}

And finally, use ntdll.dll for your hacking purposes:

C++:
MemoryManage::MemoryManage(void)
{
	hKlDll = NULL;
	hNtDll = NULL;
}

void MemoryManage::InitNtKExt(void)
{
	// wait until both modules are present in the process
	while(!hNtDll)
	{
		hNtDll = GetModuleHandle("ntdll.dll");
		Sleep(50);
	}
	while(!hKlDll)
	{
		hKlDll = GetModuleHandle("kernel32.dll");
		Sleep(50);
	}
	_GetProcAddress = reinterpret_cast<GPA>(GetProcAddress(hKlDll, "GetProcAddress"));
	if(!_GetProcAddress)
	{
		Sleep(500);
		TerminateProcess(GetCurrentProcess(), 0);
	}
	// resolve the Nt*/Rtl* exports straight from ntdll.dll
	NtProtectVirtualMemory = reinterpret_cast<NTPVM>    (__GetProcAddress(hNtDll, "NtProtectVirtualMemory"));
	RtlNtStatusToDosError  = reinterpret_cast<RTLNTSTDE>(__GetProcAddress(hNtDll, "RtlNtStatusToDosError"));
	RtlCreateUserThread    = reinterpret_cast<RTLCUT>   (__GetProcAddress(hNtDll, "RtlCreateUserThread"));
	NtResumeThread         = reinterpret_cast<NTRT>     (__GetProcAddress(hNtDll, "NtResumeThread"));
	NtClose                = reinterpret_cast<NTC>      (__GetProcAddress(hNtDll, "NtClose"));
	if(!NtProtectVirtualMemory ||
		!RtlNtStatusToDosError ||
		!RtlCreateUserThread ||
		!NtResumeThread ||
		!NtClose)
	{
		Sleep(500);
		TerminateProcess(GetCurrentProcess(), 0);
	}
	Sleep(500);
}
Credits:
HideDLL made by Th4n4t0s aka Surpintine from the old warhax site (it's dead now)
Erase PEHeader by Croner (same site)
InitNtKExt by ELExTrO :p
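A defender-side cross-check for the two tricks in this post (unlinking from the PEB loader lists and erasing the PE header), added here as an example that is not from the thread or its credited authors: it compares the PEB-derived module list a process reports with the MEM_IMAGE regions actually mapped in it, and reads the first bytes of each image to see whether the DOS header is still present. It assumes a Windows PowerShell host of the same bitness as the inspected process and read access to it; `$Target` is a constructed placeholder process name.

```powershell
# Added example (not from the thread): PEB module list vs. mapped image regions.
$Target = 'notepad'   # constructed placeholder; any process of the same bitness

Add-Type -Namespace Scan -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct MEMORY_BASIC_INFORMATION {
    public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
    public IntPtr RegionSize; public uint State; public uint Protect; public uint Type;
}
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
    out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
    byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesRead);
'@

$proc = Get-Process -Name $Target | Select-Object -First 1
# Process.Modules is built from the PEB loader lists, so an unlinked entry is simply absent here.
$pebModules = @{}
foreach ($m in $proc.Modules) { $pebModules[[int64]$m.BaseAddress] = $m.ModuleName }

$h    = $proc.Handle
$mbi  = New-Object Scan.Native+MEMORY_BASIC_INFORMATION
$size = [IntPtr][System.Runtime.InteropServices.Marshal]::SizeOf($mbi)
$addr = [IntPtr]::Zero
$findings = @()
while ([Scan.Native]::VirtualQueryEx($h, $addr, [ref]$mbi, $size) -ne [IntPtr]::Zero) {
    # MEM_IMAGE (0x1000000) = section-backed executable image; the first region of each
    # allocation is the one that should begin with the DOS header ("MZ").
    if ($mbi.Type -eq 0x1000000 -and $mbi.State -eq 0x1000 -and
        $mbi.BaseAddress -eq $mbi.AllocationBase) {
        $base = [int64]$mbi.AllocationBase
        $buf  = New-Object byte[] 2
        $read = [IntPtr]::Zero
        [void][Scan.Native]::ReadProcessMemory($h, $mbi.AllocationBase, $buf, 2, [ref]$read)
        $hasMz = ($buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
        if (-not $pebModules.ContainsKey($base)) {
            $findings += ('0x{0:X}: image mapped but missing from PEB module lists' -f $base)
        } elseif (-not $hasMz) {
            $findings += ('0x{0:X} {1}: DOS header erased' -f $base, $pebModules[$base])
        }
    }
    $addr = [IntPtr]([int64]$mbi.BaseAddress + [int64]$mbi.RegionSize)
}
# A manually mapped DLL lives in MEM_PRIVATE memory and is not caught by the Type check above.
if ($findings) { $findings } else { "no inconsistencies in $($proc.ProcessName) ($($proc.Id))" }
```

The MEM_IMAGE check only covers modules the loader mapped as sections; executable MEM_PRIVATE regions, which is where manual mapping ends up, need a separate heuristic.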
 