[Client-Side Anticheat - OPTIONAL ] Reading Memory Address -
DeitY - 20.06.2018
So...
I've been using client-side anticheat for detecting cheats, folder detection and process scanning..
However, in the time being people finally figured out how to bypass anticheat, and i wouldn't even bother to fix it, but yeah, its me and i like everything to be near-perfect on my server... So they bypassed in 2 ways:
Implementing cheats via gamemodding, importing cheat in .img, which i think i can fix with checking hashes?
The thing which is harder to fix is lets say sandbox, because sandbox somehow blocks specific processes? Also they can spoof processes, for example if i download aimbot.exe, i can rename it to to chrome.exe and you simply can't figure out if its cheat or a real program, i've setup logs for all players who are FORCED to use anticheat ( it .logs and i can simply check for suspicious cheats)
------------------------------------------------------------------- [17.06.2018. 19:35:40] Process List - Player: <Name> -------------------------------------------------------------------
[ ] taskhost.exe -> C:\Windows\system32\taskhost.exe
[ ] dwm.exe -> C:\Windows\system32\Dwm.exe
[ ] explorer.exe -> C:\Windows\Explorer.EXE
[ ] taskeng.exe -> C:\Windows\system32\taskeng.exe
[ ] avgnt.exe -> C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
[ ] teamviewer.exe -> C:\Program Files\TeamViewer\TeamViewer.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] launcher.exe -> D:\GTA - San Andreas\Launcher.exe
[ ] gta_sa.exe -> D:\GTA - San Andreas\gta_sa.exe
[ ] observer.exe -> D:\GTA - San Andreas\Observer.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
The weird thing is that for example i'm using legit windows licensed and it scans ALL my processes, while some windows 7/8 cracked trash is for some reason not detecting cheats even tho i've setup to check process names and kill if it contains forbidden words.
Now, i've read about some memory addresses, how you can intercept some packets and with RAKNET, and i would realy like some help with it.
I'll even quote some post from (SAMPCAC) anticheat reading memory, which is really complicated for me and i have no idea what it is saying
Quote:
I haven't spent much time REing this anticheat but here is what I know.
SAMPCAC has their own server plugin, and a client .asi.
The client uses RakClient's interface to communicate with the server.
Specifically, SAMPCAC is using RakClientInterface::RPC to send data.
As of SAMPCAC v0.9.0, these are the RPC ids I've found associated with telling the server you're cheating.
Code:
181
183
184
155
You can of course block these from being sent, but the problem with this is that after a while, you'll get kicked. The kick has no message, you are just simply kicked. I haven't looked into it much, but here is what is happening. They place several JMP hooks on areas they need information from, such as when the game stores the camera address (used for aimbot). I ASSUME that inside these hooks, they compare the registers to their own stored value, when its not equal, they send an RPC to the server that you're cheating. For the record, I've tried placing hooks before theirs, overwriting it, noping it. This works for some things, but I had trouble making it work for aimbot (mostly because they placed 13+ hooks just to prevent aimbot). You can get around the aimbot (in a nooby way) though. For ESP, just draw your own.
SAMPCAC is using VMProtect 3, and I haven't bothered trying to unpack it. It makes reversing it that much more of a PITA. It is honestly a unstable POS anticheat, and if you are extremely devoted, you can just spoof the anticheat's existence by replicating their RPC calls. You just need to reverse their server plugin and see what it expects. (Their first RPC sends '0xCAC' lol)
|
Now, i would really like some explanation for this and i'm paying very nice money for some awesome solution.
To be honest, i don't know why i'm even trying to perfect a game this old, but i own a large server and people expect from me the best i guess, but i'm out of solutions definitely..
PS: If you are wondering why i'm not using sampcac, flagged as viruses, trojan, etc.. can't bother to explain players why i'm forcing banned morons to use virus.
Sorry for spelling mistakes.
Anyway, big thanks to jlalt and bigeti, for awesome support they have been giving me all these time.
Re: [Client-Side Anticheat - OPTIONAL ] Reading Memory Address -
wallee - 20.06.2018
Quote:
Originally Posted by DeitY
The thing which is harder to fix is lets say sandbox, because sandbox somehow blocks specific processes? Also they can spoof processes, for example if i download aimbot.exe, i can rename it to to chrome.exe and you simply can't figure out if its cheat or a real program, i've setup logs for all players who are FORCED to use anticheat ( it .logs and i can simply check for suspicious cheats)
|
why don't you treat using sandboxie same as having a cheat?
and for aimbox.exe -> chrome.exe
https://stackoverflow.com/questions/...hash-of-a-file
so you could detect it that way?
Quote:
Originally Posted by DeitY
PS: If you are wondering why i'm not using sampcac, flagged as viruses, trojan, etc.. can't bother to explain players why i'm forcing banned morons to use virus.
|
it would be easier for you and for the entire sa-mp community if that ac becomes a standard ... then it will become trustworthy and seriously why would you bother with banned morons?
they should be thankful for you even letting them play after they got banned
Re: [Client-Side Anticheat - OPTIONAL ] Reading Memory Address -
DeitY - 20.06.2018
Quote:
Originally Posted by wallee
why don't you treat using sandboxie same as having a cheat?
and for aimbox.exe -> chrome.exe
https://stackoverflow.com/questions/...hash-of-a-file
so you could detect it that way?
it would be easier for you and for the entire sa-mp community if that ac becomes a standard ... then it will become trustworthy and seriously why would you bother with banned morons?
they should be thankful for you even letting them play after they got banned
|
how can you detect a hash of process? I'm not sure that's possible. Could you give me an example?
Your answer is wrong, according to reply
Quote:
No, the hash is of the file contents only. You can see this in the source for md5sum and its MD5 implementation. You can also test this if you have access to md5sum:
$ echo "some arbitrary content" > file1
$ cp file1 file2
$ md5sum file1
f0007cbddd79de02179de7de12bec4e6 file1
$ md5sum file2
f0007cbddd79de02179de7de12bec4e6 file2
$
|
@because, sometimes human eye can't separate skilled players from cheaters, and then there are dramas, multiple spams, accusing us of banning people "donators" etc... and that's where software comes in handy.
Re: [Client-Side Anticheat - OPTIONAL ] Reading Memory Address -
IdonTmiss - 21.06.2018
gl finding a solution ( a little bump )
Re: [Client-Side Anticheat - OPTIONAL ] Reading Memory Address -
DeitY - 12.07.2018
I've given up. Thanks everyone for trying to help, simply isn't worth pursuing anymore.