[Info] Avoiding Hack Detection

[saebur]

 

[c5]

Nice job, very well put together. Good overview for everyone new in bypassing anticheat area

 

[saebur]

Nice job, very well put together. Good overview for everyone new in bypassing anticheat area

Thanks for your feedback! I'm a sucker for well-put together, well-formatted and quality posts/threads/shares. But do you think it' readable or should i make the images bigger?
And it's definitely a good overview and shows what people need to consider and do

 

[AlphaAnonymous]

Thanks for your feedback! I'm a sucker for well-put together, well-formatted and quality posts/threads/shares. But do you think it' readable or should i make the images bigger?
And it's definitely a good overview and shows what people need to consider and do

I would recommend making the picture bigger, even me myself is having a hard time reading it.

 

[saebur]

I would recommend making the picture bigger, even me myself is having a hard time reading it.

I updated the attachments for a bigger size. The forum automatically formats the image to be smaller so you might wanna look at the attachment instead!

 

[ThatHackerGotSwag]

Nice Job

 

[saebur]

Nice Job

No problem

 

[velreine]

This thread contains ALOT of usefull information, the only problem i can see is that you need to have quite some prior knowledge to reverse engineering to understand this as a whole. I think it would be alot more awesome if you would break it down into sections and try to explain it with images aswell, and maybe create a little bit of a tutorial and show code examples from say how you injected module without using LoadLibrary.


Thanks in advance... Velreine

 

[inZertion]

Thank you, really appreciated this!

 

[AlexSleyore]

[table="width: 618"]
[tr]
	[td][IMG]https://i45.tinypic.com/10eiwbn.jpg[/IMG][/td]
[/tr]
[/table]

Use that, it will display it more correctly. also very nicely done... I do which to go through and point some things out...

For your module finding of backlisted of Dll names, I would assume more companies would have a blacklist of the Dlls MD5 or such data, not a list of blacklisted Dll Names. cause then you could just name your dll SomethingLegit.Dll -.-

Also.. for your useless NOP ideas here are some of the commands

90 - NOP

86 - Mov X,X
C0   EAX
C9   ECX
D2   EDX
DB   EBX
E4   ESP
ED   EBP
F6   ESI
FF   EDI

PUSH-POP
5058 EAX
5159 ECX
525A EDX
535B EBX
545C ESP
555D EBP
565E ESI
575F EDI

 

[ELExTrO]

this is just excelent thats why many people are getting detections no one couldnt say it better, ways to get rid is CreateRemoteThread, CodeCave injection and the ring0 Api´s

finally that cloak dll and manual mapping method sounds to me like that old coder ummm dwarak, darawk or w/e the name was the cloakdll module he posted a long time ago used to work properly now it isnt hiding properly you can use this "updated" version for your cheats

void CTools::HideDLL(HINSTANCE hModule)
{
	DWORD dwPEB_LDR_DATA = 0;
	_asm
	{
		pushad;
		pushfd;
		mov eax, fs:[30h]             
		mov eax, [eax+0Ch]               
		mov dwPEB_LDR_DATA, eax	

		InLoadOrderModuleList:
			mov esi, [eax+0Ch]	     
			mov edx, [eax+10h]	     

		LoopInLoadOrderModuleList: 
		    lodsd		         
			mov esi, eax	
			mov ecx, [eax+18h]  
			cmp ecx, hModule	
			jne SkipA		 
		    mov ebx, [eax]	  
		    mov ecx, [eax+4]  
		    mov [ecx], ebx    
		    mov [ebx+4], ecx	  
			jmp InMemoryOrderModuleList 

		SkipA:
			cmp edx, esi     
			jne LoopInLoadOrderModuleList

		InMemoryOrderModuleList:
			mov eax, dwPEB_LDR_DATA
			mov esi, [eax+14h]
			mov edx, [eax+18h]

		LoopInMemoryOrderModuleList: 
			lodsd
			mov esi, eax
			mov ecx, [eax+10h]
			cmp ecx, hModule
			jne SkipB
			mov ebx, [eax] 
			mov ecx, [eax+4]
			mov [ecx], ebx
			mov [ebx+4], ecx
			jmp InInitializationOrderModuleList

		SkipB:
			cmp edx, esi
			jne LoopInMemoryOrderModuleList

		InInitializationOrderModuleList:
			mov eax, dwPEB_LDR_DATA
			mov esi, [eax+1Ch]	  
			mov edx, [eax+20h]	  

		LoopInInitializationOrderModuleList: 
			lodsd
			mov esi, eax		
			mov ecx, [eax+08h]
			cmp ecx, hModule		
			jne SkipC
			mov ebx, [eax] 
			mov ecx, [eax+4]
			mov [ecx], ebx
			mov [ebx+4], ecx
			jmp Finished

		SkipC:
			cmp edx, esi
			jne LoopInInitializationOrderModuleList

		Finished:
			popfd;
			popad;
	}
}

talking about manual mapping sounds really kewl and it still works against some anticheats, for example manually mapping your dll works on hackshield protected games when your source became detected by strings, in gameguard protected games when your page is over 0x1000 bytes and in xtrap get you undtected at least for one use since its a polymorphic anticheat

you can also delete the PE header to remain undetected for more time

void CTools::EraseHeader(HINSTANCE hModule)
{
	/* 
	* func to erase headers, by Croner.
	* keep in mind you wont be able to load 
	* any resources after you erase headers.
	*/

	PIMAGE_DOS_HEADER pDoH; 
	PIMAGE_NT_HEADERS pNtH;
	DWORD i, ersize, protect;

	if (!hModule) return;
	
	// well just to make clear what we doing
	pDoH = (PIMAGE_DOS_HEADER)(hModule);

	pNtH = (PIMAGE_NT_HEADERS)((LONG)hModule + ((PIMAGE_DOS_HEADER)hModule)->e_lfanew);

	ersize = sizeof(IMAGE_DOS_HEADER);
	if ( VirtualProtect(pDoH, ersize, PAGE_READWRITE, &protect) )
	{
		for ( i=0; i < ersize; i++ )
				*(BYTE*)((BYTE*)pDoH + i) = 0;
	}

	ersize = sizeof(IMAGE_NT_HEADERS);
	if ( pNtH && VirtualProtect(pNtH, ersize, PAGE_READWRITE, &protect) )
	{
		for ( i=0; i < ersize; i++ )
				*(BYTE*)((BYTE*)pNtH + i) = 0;
	}
	return;
}

and finally use ntdll.dll for you hacking purposes

MemoryManage::MemoryManage(void)
{
	hKlDll = NULL;
	hNtDll = NULL;
}

void MemoryManage::InitNtKExt(void)
{
	while(!hNtDll)
	{
		hNtDll = GetModuleHandle("ntdll.dll");
		Sleep(50);
	}
	while(!hKlDll)
	{
		hKlDll = GetModuleHandle("kernel32.dll");
		Sleep(50);
	}
	_GetProcAddress        = reinterpret_cast<GPA>      (  GetProcAddress(hKlDll, "GetProcAddress"));
	if(!_GetProcAddress)
	{

		Sleep(500);
		TerminateProcess(GetCurrentProcess(), 0);
	}
    NtProtectVirtualMemory = reinterpret_cast<NTPVM>    (__GetProcAddress(hNtDll, "NtProtectVirtualMemory"));
    RtlNtStatusToDosError  = reinterpret_cast<RTLNTSTDE>(__GetProcAddress(hNtDll, "RtlNtStatusToDosError"));
	RtlCreateUserThread    = reinterpret_cast<RTLCUT>   (__GetProcAddress(hNtDll, "RtlCreateUserThread"));
	NtResumeThread         = reinterpret_cast<NTRT>     (__GetProcAddress(hNtDll, "NtResumeThread"));
	NtClose                = reinterpret_cast<NTC>      (__GetProcAddress(hNtDll, "NtClose"));
	if(!NtProtectVirtualMemory ||
		!RtlNtStatusToDosError ||
		!RtlCreateUserThread ||
		!NtResumeThread ||
		!NtClose)
	{

		Sleep(500);
		TerminateProcess(GetCurrentProcess(), 0);
	}
	Sleep(500);
}

Credits:
HideDLL made by Th4n4t0s aka Surpintine from the old warhax site (its dead now)
Erase PEHeader by Croner (same site)
InitNtKExt by ELExTrO

 

[Srch_ndstry]

Hmmm...confusing...