Page 1 of 2
Results 1 to 15 of 17
  1. #1
    Kenshin13's Avatar
    Join Date
    May 2011
    Gender
    male
    Location
    Cloud 9
    Posts
    3,473
    Reputation
    564
    Thanks
    5,881
    My Mood
    Psychedelic

    (For Coders Only) IW5MP aCI Bypass

    Infinite +rep to CodMaster. He happened to make a working script that bypasses aCI on IW5M.
    To quote him (and his entire thread):
    I begin with a first discovery. I was testing my name faker feature on 4D1 servers and I found out that if I activate my notification strings (which use DrawEngineText), then aCI banned me, every time.

    So at first I thought they checked something related to rendering stuff, but no. Looking through the assembly of the exe, I found out that when you enter a server, aCI modifies some functions commonly used in cheats to notify aCI that they were called and, in addition, from where.

    So I think they check if these functions are called from somewhere other than the game exe module. If this occurs, it's obvious that there's an unwanted module loaded into the game, and consequently they flag you as a cheater.

    I've also seen something related to EnumWindows (I think it's an external hack check) but I don't know exactly what it does.

    Well, now, the cool stuff. Here is the asm explanation of all that was said above:

    I'm using 1.4.382.

    As we all know, the address for DrawEngineText in this version is 0042C970. This is the asm before joining any game. As you can see it is the same as always. But hey, let's see what happens after joining a game.
    Code:
    0042C970  /$ 8B4424 04      MOV EAX,DWORD PTR SS:[ESP+4]
    0042C974  |. 8038 00        CMP BYTE PTR DS:[EAX],0
    0042C977  |. 0F84 32010000  JE iw5mp.0042CAAF
    0042C97D  |. 8D50 01        LEA EDX,DWORD PTR DS:[EAX+1]
    0042C980  |> 8A08           /MOV CL,BYTE PTR DS:[EAX]
    0042C982  |. 40             |INC EAX
    0042C983  |. 84C9           |TEST CL,CL
    0042C985  |.^75 F9          \JNZ SHORT iw5mp.0042C980
    0042C987  |. 8B0D 3076FA05  MOV ECX,DWORD PTR DS:[5FA7630]
    0042C98D  |. 55             PUSH EBP
    0042C98E  |. 8B2D 2476FA05  MOV EBP,DWORD PTR DS:[5FA7624]
    0042C994  |. 56             PUSH ESI
    0042C995  |. 8B71 08        MOV ESI,DWORD PTR DS:[ECX+8]
    0042C998  |. 2BC2           SUB EAX,EDX
    0042C99A  |. 8B51 04        MOV EDX,DWORD PTR DS:[ECX+4]
    0042C99D  |. 57             PUSH EDI
    0042C99E  |. 8BF8           MOV EDI,EAX
    0042C9A0  |. 2BF2           SUB ESI,EDX
    0042C9A2  |. 8D47 54        LEA EAX,DWORD PTR DS:[EDI+54]
    0042C9A5  |. 83E0 FC        AND EAX,FFFFFFFC
    0042C9A8  |. 8DB42E 00E0FFF>LEA ESI,DWORD PTR DS:[ESI+EBP-2000]
    0042C9AF  |. 3BC6           CMP EAX,ESI
    0042C9B1  |. 7E 0B          JLE SHORT iw5mp.0042C9BE
    0042C9B3  |. 5F             POP EDI
    0042C9B4  |. 5E             POP ESI
    0042C9B5  |. C741 0C 000000>MOV DWORD PTR DS:[ECX+C],0
    0042C9BC  |. 5D             POP EBP
    0042C9BD  |. C3             RETN
    0042C9BE  |> 8B31           MOV ESI,DWORD PTR DS:[ECX]
    0042C9C0  |. D94424 1C      FLD DWORD PTR SS:[ESP+1C]
    0042C9C4  |. 03F2           ADD ESI,EDX
    0042C9C6  |. 8971 0C        MOV DWORD PTR DS:[ECX+C],ESI
    0042C9C9  |. 03D0           ADD EDX,EAX
    0042C9CB  |. 8951 04        MOV DWORD PTR DS:[ECX+4],EDX
    0042C9CE  |. 8B5424 18      MOV EDX,DWORD PTR SS:[ESP+18]
    0042C9D2  |. 66:8946 02     MOV WORD PTR DS:[ESI+2],AX
    0042C9D6  |. B9 11000000    MOV ECX,11
    0042C9DB  |. 66:890E        MOV WORD PTR DS:[ESI],CX
    0042C9DE  |. D95E 04        FSTP DWORD PTR DS:[ESI+4]
    0042C9E1  |. D94424 20      FLD DWORD PTR SS:[ESP+20]
    0042C9E5  |. 8B4C24 30      MOV ECX,DWORD PTR SS:[ESP+30]
    0042C9E9  |. D95E 08        FSTP DWORD PTR DS:[ESI+8]
    0042C9EC  |. 8D46 1C        LEA EAX,DWORD PTR DS:[ESI+1C]
    0042C9EF  |. D94424 2C      FLD DWORD PTR SS:[ESP+2C]
    0042C9F3  |. 50             PUSH EAX
    0042C9F4  |. D95E 0C        FSTP DWORD PTR DS:[ESI+C]
    0042C9F7  |. 51             PUSH ECX
    0042C9F8  |. D94424 2C      FLD DWORD PTR SS:[ESP+2C]
    0042C9FC  |. 8956 10        MOV DWORD PTR DS:[ESI+10],EDX
    0042C9FF  |. D95E 14        FSTP DWORD PTR DS:[ESI+14]
    0042CA02  |. D94424 30      FLD DWORD PTR SS:[ESP+30]
    0042CA06  |. D95E 18        FSTP DWORD PTR DS:[ESI+18]
    0042CA09  |. E8 A20AFEFF    CALL iw5mp.0040D4B0
    0042CA0E  |. 8B4424 3C      MOV EAX,DWORD PTR SS:[ESP+3C]
    0042CA12  |. 8B5424 1C      MOV EDX,DWORD PTR SS:[ESP+1C]
    0042CA16  |. 83C4 08        ADD ESP,8
    0042CA19  |. 8956 20        MOV DWORD PTR DS:[ESI+20],EDX
    0042CA1C  |. C746 24 000000>MOV DWORD PTR DS:[ESI+24],0
    0042CA23  |. 83F8 03        CMP EAX,3
    0042CA26  |. 75 09          JNZ SHORT iw5mp.0042CA31
    0042CA28  |. C746 24 040000>MOV DWORD PTR DS:[ESI+24],4
    0042CA2F  |. EB 64          JMP SHORT iw5mp.0042CA95
    0042CA31  |> 83F8 06        CMP EAX,6
    0042CA34  |. 75 09          JNZ SHORT iw5mp.0042CA3F
    0042CA36  |. C746 24 0C0000>MOV DWORD PTR DS:[ESI+24],0C
    0042CA3D  |. EB 56          JMP SHORT iw5mp.0042CA95
    0042CA3F  |> 3D 80000000    CMP EAX,80
    0042CA44  |. 75 09          JNZ SHORT iw5mp.0042CA4F
    0042CA46  |. C746 24 010000>MOV DWORD PTR DS:[ESI+24],1
    0042CA4D  |. EB 46          JMP SHORT iw5mp.0042CA95
    0042CA4F  |> 3D 84000000    CMP EAX,84
    0042CA54  |. 75 09          JNZ SHORT iw5mp.0042CA5F
    0042CA56  |. C746 24 050000>MOV DWORD PTR DS:[ESI+24],5
    0042CA5D  |. EB 36          JMP SHORT iw5mp.0042CA95
    0042CA5F  |> 83F8 07        CMP EAX,7
    0042CA62  |. 75 09          JNZ SHORT iw5mp.0042CA6D
    0042CA64  |. C746 24 000400>MOV DWORD PTR DS:[ESI+24],400
    0042CA6B  |. EB 28          JMP SHORT iw5mp.0042CA95
    0042CA6D  |> 83F8 08        CMP EAX,8
    0042CA70  |. 75 09          JNZ SHORT iw5mp.0042CA7B
    0042CA72  |. C746 24 000C00>MOV DWORD PTR DS:[ESI+24],0C00
    0042CA79  |. EB 1A          JMP SHORT iw5mp.0042CA95
    0042CA7B  |> 83F8 09        CMP EAX,9
    0042CA7E  |. 75 09          JNZ SHORT iw5mp.0042CA89
    0042CA80  |. C746 24 001000>MOV DWORD PTR DS:[ESI+24],1000
    0042CA87  |. EB 0C          JMP SHORT iw5mp.0042CA95
    0042CA89  |> 83F8 0A        CMP EAX,0A
    0042CA8C  |. 75 07          JNZ SHORT iw5mp.0042CA95
    0042CA8E  |. C746 24 002000>MOV DWORD PTR DS:[ESI+24],2000
    0042CA95  |> 8B4424 10      MOV EAX,DWORD PTR SS:[ESP+10]
    0042CA99  |. 57             PUSH EDI
    0042CA9A  |. 50             PUSH EAX
    0042CA9B  |. 8D4E 50        LEA ECX,DWORD PTR DS:[ESI+50]
    0042CA9E  |. 51             PUSH ECX
    0042CA9F  |. E8 7C353000    CALL iw5mp.00730020
    0042CAA4  |. 83C4 0C        ADD ESP,0C
    0042CAA7  |. C6443E 50 00   MOV BYTE PTR DS:[ESI+EDI+50],0
    0042CAAC  |. 5F             POP EDI
    0042CAAD  |. 5E             POP ESI
    0042CAAE  |. 5D             POP EBP
    0042CAAF  \> C3             RETN
    Asm after joining a game:
    Code:
    0042C970   $-E9 8E551216    JMP 16551F03
    0042C975     38             DB 38                                   ;  CHAR '8'
    0042C976     00             DB 00
    0042C977   . 0F84 32010000  JE iw5m.0042CAAF
    0042C97D   . 8D50 01        LEA EDX,DWORD PTR DS:[EAX+1]
    0042C980   > 8A08           MOV CL,BYTE PTR DS:[EAX]
    0042C982   . 40             INC EAX
    0042C983   . 84C9           TEST CL,CL
    0042C985   .^75 F9          JNZ SHORT iw5m.0042C980
    0042C987   . 8B0D 3076FA05  MOV ECX,DWORD PTR DS:[5FA7630]          ;  iw5m.05FA7614
    0042C98D   . 55             PUSH EBP
    0042C98E   . 8B2D 2476FA05  MOV EBP,DWORD PTR DS:[5FA7624]
    0042C994   . 56             PUSH ESI
    0042C995   . 8B71 08        MOV ESI,DWORD PTR DS:[ECX+8]
    0042C998   . 2BC2           SUB EAX,EDX
    0042C99A   . 8B51 04        MOV EDX,DWORD PTR DS:[ECX+4]
    0042C99D   . 57             PUSH EDI
    0042C99E   . 8BF8           MOV EDI,EAX
    0042C9A0   . 2BF2           SUB ESI,EDX
    0042C9A2   . 8D47 54        LEA EAX,DWORD PTR DS:[EDI+54]
    0042C9A5   . 83E0 FC        AND EAX,FFFFFFFC
    0042C9A8   . 8DB42E 00E0FFF>LEA ESI,DWORD PTR DS:[ESI+EBP-2000]
    0042C9AF   . 3BC6           CMP EAX,ESI
    0042C9B1   . 7E 0B          JLE SHORT iw5m.0042C9BE
    0042C9B3   . 5F             POP EDI
    0042C9B4   . 5E             POP ESI
    0042C9B5   . C741 0C 000000>MOV DWORD PTR DS:[ECX+C],0
    0042C9BC   . 5D             POP EBP
    0042C9BD   . C3             RETN
    0042C9BE   > 8B31           MOV ESI,DWORD PTR DS:[ECX]
    0042C9C0   . D94424 1C      FLD DWORD PTR SS:[ESP+1C]
    0042C9C4   . 03F2           ADD ESI,EDX
    0042C9C6   . 8971 0C        MOV DWORD PTR DS:[ECX+C],ESI
    0042C9C9   . 03D0           ADD EDX,EAX
    0042C9CB   . 8951 04        MOV DWORD PTR DS:[ECX+4],EDX
    0042C9CE   . 8B5424 18      MOV EDX,DWORD PTR SS:[ESP+18]
    0042C9D2   . 66:8946 02     MOV WORD PTR DS:[ESI+2],AX
    0042C9D6   . B9 11000000    MOV ECX,11
    0042C9DB   . 66:890E        MOV WORD PTR DS:[ESI],CX
    0042C9DE   . D95E 04        FSTP DWORD PTR DS:[ESI+4]
    0042C9E1   . D94424 20      FLD DWORD PTR SS:[ESP+20]
    0042C9E5   . 8B4C24 30      MOV ECX,DWORD PTR SS:[ESP+30]
    0042C9E9   . D95E 08        FSTP DWORD PTR DS:[ESI+8]
    0042C9EC   . 8D46 1C        LEA EAX,DWORD PTR DS:[ESI+1C]
    0042C9EF   . D94424 2C      FLD DWORD PTR SS:[ESP+2C]
    0042C9F3   . 50             PUSH EAX
    0042C9F4   . D95E 0C        FSTP DWORD PTR DS:[ESI+C]
    0042C9F7   . 51             PUSH ECX
    0042C9F8   . D94424 2C      FLD DWORD PTR SS:[ESP+2C]
    0042C9FC   . 8956 10        MOV DWORD PTR DS:[ESI+10],EDX
    0042C9FF   . D95E 14        FSTP DWORD PTR DS:[ESI+14]
    0042CA02   . D94424 30      FLD DWORD PTR SS:[ESP+30]
    0042CA06   . D95E 18        FSTP DWORD PTR DS:[ESI+18]
    0042CA09   . E8 A20AFEFF    CALL iw5m.0040D4B0
    0042CA0E   . 8B4424 3C      MOV EAX,DWORD PTR SS:[ESP+3C]
    0042CA12   . 8B5424 1C      MOV EDX,DWORD PTR SS:[ESP+1C]
    0042CA16   . 83C4 08        ADD ESP,8
    0042CA19   . 8956 20        MOV DWORD PTR DS:[ESI+20],EDX
    0042CA1C   . C746 24 000000>MOV DWORD PTR DS:[ESI+24],0
    0042CA23   . 83F8 03        CMP EAX,3
    0042CA26   . 75 09          JNZ SHORT iw5m.0042CA31
    0042CA28   . C746 24 040000>MOV DWORD PTR DS:[ESI+24],4
    0042CA2F   . EB 64          JMP SHORT iw5m.0042CA95
    0042CA31   > 83F8 06        CMP EAX,6
    0042CA34   . 75 09          JNZ SHORT iw5m.0042CA3F
    0042CA36   . C746 24 0C0000>MOV DWORD PTR DS:[ESI+24],0C
    0042CA3D   . EB 56          JMP SHORT iw5m.0042CA95
    0042CA3F   > 3D 80000000    CMP EAX,80
    0042CA44   . 75 09          JNZ SHORT iw5m.0042CA4F
    0042CA46   . C746 24 010000>MOV DWORD PTR DS:[ESI+24],1
    0042CA4D   . EB 46          JMP SHORT iw5m.0042CA95
    0042CA4F   > 3D 84000000    CMP EAX,84
    0042CA54   . 75 09          JNZ SHORT iw5m.0042CA5F
    0042CA56   . C746 24 050000>MOV DWORD PTR DS:[ESI+24],5
    0042CA5D   . EB 36          JMP SHORT iw5m.0042CA95
    0042CA5F   > 83F8 07        CMP EAX,7
    0042CA62   . 75 09          JNZ SHORT iw5m.0042CA6D
    0042CA64   . C746 24 000400>MOV DWORD PTR DS:[ESI+24],400
    0042CA6B   . EB 28          JMP SHORT iw5m.0042CA95
    0042CA6D   > 83F8 08        CMP EAX,8
    0042CA70   . 75 09          JNZ SHORT iw5m.0042CA7B
    0042CA72   . C746 24 000C00>MOV DWORD PTR DS:[ESI+24],0C00
    0042CA79   . EB 1A          JMP SHORT iw5m.0042CA95
    0042CA7B   > 83F8 09        CMP EAX,9
    0042CA7E   . 75 09          JNZ SHORT iw5m.0042CA89
    0042CA80   . C746 24 001000>MOV DWORD PTR DS:[ESI+24],1000
    0042CA87   . EB 0C          JMP SHORT iw5m.0042CA95
    0042CA89   > 83F8 0A        CMP EAX,0A
    0042CA8C   . 75 07          JNZ SHORT iw5m.0042CA95
    0042CA8E   . C746 24 002000>MOV DWORD PTR DS:[ESI+24],2000
    0042CA95   > 8B4424 10      MOV EAX,DWORD PTR SS:[ESP+10]
    0042CA99   . 57             PUSH EDI
    0042CA9A   . 50             PUSH EAX
    0042CA9B   . 8D4E 50        LEA ECX,DWORD PTR DS:[ESI+50]
    0042CA9E   . 51             PUSH ECX
    0042CA9F   . E8 7C353000    CALL iw5m.00730020
    0042CAA4   . 83C4 0C        ADD ESP,0C
    0042CAA7   . C6443E 50 00   MOV BYTE PTR DS:[ESI+EDI+50],0
    0042CAAC   . 5F             POP EDI
    0042CAAD   . 5E             POP ESI
    0042CAAE   . 5D             POP EBP
    0042CAAF   > C3             RETN
    Hmm, a trampoline hook at first. It JMPs to ? (some memory block generated by aCI), but the interesting thing here is the asm. Look:
    Code:
    165531F0   A1 00405516      MOV EAX,DWORD PTR DS:[16554000]
    165531F5   3B05 04405516    CMP EAX,DWORD PTR DS:[16554004]          ; <&ADVAPI32.CryptAcquireContextA>
    165531FB   7F 08            JG SHORT 16553205
    165531FD   8B0424           MOV EAX,DWORD PTR SS:[ESP]
    16553200   A3 00405516      MOV DWORD PTR DS:[16554000],EAX
    16553205   8B4424 04        MOV EAX,DWORD PTR SS:[ESP+4]
    16553209   8038 00          CMP BYTE PTR DS:[EAX],0
    1655320C   68 77C94200      PUSH 42C977
    16553211   C3               RETN
    So they record where the function was called from and then come back to the real execution.

    That happens too with RegisterFont, GetBonePos and CG_Trace.

    Well, while I was writing this post I discovered something more interesting than that. I'll only say "troll trolled" xD

    What I've discovered is where they perform the cheat check.
    Looking at one of the constants in the aCI block, I found a curious function, which is the following:
    Code:
    16553220   55               PUSH EBP
    16553221   8BEC             MOV EBP,ESP
    16553223   83EC 44          SUB ESP,44
    16553226   53               PUSH EBX
    16553227   56               PUSH ESI
    16553228   57               PUSH EDI
    16553229   FF15 54515516    CALL DWORD PTR DS:[16555154]             ; kernel32.GetTickCount
    1655322F   8945 FC          MOV DWORD PTR SS:[EBP-4],EAX
    16553232   8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
    16553235   2B05 A43A5516    SUB EAX,DWORD PTR DS:[16553AA4]
    1655323B   3D 10270000      CMP EAX,2710
    16553240   73 05            JNB SHORT 16553247
    16553242   E9 D5000000      JMP 1655331C
    16553247   8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
    1655324A   A3 A43A5516      MOV DWORD PTR DS:[16553AA4],EAX
    1655324F   833D A83A5516 00 CMP DWORD PTR DS:[16553AA8],0
    16553256   75 08            JNZ SHORT 16553260
    16553258   8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
    1655325B   A3 A83A5516      MOV DWORD PTR DS:[16553AA8],EAX
    16553260   8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
    16553263   2B05 A83A5516    SUB EAX,DWORD PTR DS:[16553AA8]
    16553269   3D C0D40100      CMP EAX,1D4C0
    1655326E   76 1E            JBE SHORT 1655328E
    16553270   8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
    16553273   A3 A83A5516      MOV DWORD PTR DS:[16553AA8],EAX
    16553278   E8 8BECFFFF      CALL 16551F08
    1655327D   85C0             TEST EAX,EAX
    1655327F   74 0D            JE SHORT 1655328E
    16553281   68 439C0000      PUSH 9C43
    16553286   E8 6EECFFFF      CALL 16551EF9
    1655328B   83C4 04          ADD ESP,4
    1655328E   C705 04405516 00>MOV DWORD PTR DS:[16554004],<&ADVAPI32.C>
    16553298   A1 F43F5516      MOV EAX,DWORD PTR DS:[16553FF4]
    1655329D   3B05 04405516    CMP EAX,DWORD PTR DS:[16554004]          ; <&ADVAPI32.CryptAcquireContextA>
    165532A3   76 0D            JBE SHORT 165532B2
    165532A5   68 214E0000      PUSH 4E21
    165532AA   E8 4AECFFFF      CALL 16551EF9
    165532AF   83C4 04          ADD ESP,4
    165532B2   A1 F83F5516      MOV EAX,DWORD PTR DS:[16553FF8]
    165532B7   3B05 04405516    CMP EAX,DWORD PTR DS:[16554004]          ; <&ADVAPI32.CryptAcquireContextA>
    165532BD   76 0D            JBE SHORT 165532CC
    165532BF   68 234E0000      PUSH 4E23
    165532C4   E8 30ECFFFF      CALL 16551EF9
    165532C9   83C4 04          ADD ESP,4
    165532CC   A1 FC3F5516      MOV EAX,DWORD PTR DS:[16553FFC]
    165532D1   3B05 04405516    CMP EAX,DWORD PTR DS:[16554004]          ; <&ADVAPI32.CryptAcquireContextA>
    165532D7   76 0D            JBE SHORT 165532E6
    165532D9   68 244E0000      PUSH 4E24
    165532DE   E8 16ECFFFF      CALL 16551EF9
    165532E3   83C4 04          ADD ESP,4
    165532E6   A1 00405516      MOV EAX,DWORD PTR DS:[16554000]
    165532EB   3B05 04405516    CMP EAX,DWORD PTR DS:[16554004]          ; <&ADVAPI32.CryptAcquireContextA>
    165532F1   76 0D            JBE SHORT 16553300
    165532F3   68 254E0000      PUSH 4E25
    165532F8   E8 FCEBFFFF      CALL 16551EF9
    165532FD   83C4 04          ADD ESP,4
    16553300   E8 F9EBFFFF      CALL 16551EFE
    16553305   6A 00            PUSH 0
    16553307   E8 EDEBFFFF      CALL 16551EF9
    1655330C   83C4 04          ADD ESP,4
    1655330F   B8 90205400      MOV EAX,542090                           ; Entry address
    16553314   FFD0             CALL EAX
    16553316   EB 04            JMP SHORT 1655331C
    16553318   CC               INT3
    16553319   CC               INT3
    1655331A   CC               INT3
    1655331B   CC               INT3
    1655331C   5F               POP EDI
    1655331D   5E               POP ESI
    1655331E   5B               POP EBX
    1655331F   8BE5             MOV ESP,EBP
    16553321   5D               POP EBP
    16553322   C3               RETN
    As you can see there's a pattern, hmm, but let's look at the first part of the function first.

    Hmm, (GetTickCount()-lastCheckTick) >= 10000:

    So they perform a check every 10 seconds. Another way to bypass (maybe the time perception is pretty different between many functions).

    Before that they set lastCheckTick = GetTickCount() (obvious).

    This is the "troll trolled":
    CALL 16551F08

    This function performs all the checks for external hacks, as these other pieces of code do:
    Code:
    16553298   A1 F43F5516      MOV EAX,DWORD PTR DS:[16553FF4]
    1655329D   3B05 04405516    CMP EAX,DWORD PTR DS:[16554004]          ; <&ADVAPI32.CryptAcquireContextA>
    Code:
    165532B2   A1 F83F5516      MOV EAX,DWORD PTR DS:[16553FF8]
    165532B7   3B05 04405516    CMP EAX,DWORD PTR DS:[16554004]          ; <&ADVAPI32.CryptAcquireContextA>
    Code:
    165532CC   A1 FC3F5516      MOV EAX,DWORD PTR DS:[16553FFC]
    165532D1   3B05 04405516    CMP EAX,DWORD PTR DS:[16554004]          ; <&ADVAPI32.CryptAcquireContextA>
    Code:
    165532E6   A1 00405516      MOV EAX,DWORD PTR DS:[16554000]
    165532EB   3B05 04405516    CMP EAX,DWORD PTR DS:[16554004]          ; <&ADVAPI32.CryptAcquireContextA>
    If one of these checks fails they call this function:
    CALL 16551EF9 //1 Argument

    Which basically calls NP_SendRandomString. The string sent has this format: "troll %d", where %d is the parameter of the function.

    The first case is 40003 (I've never seen it, but I think it's "external cheat detected"), and the other cases are 20001, which is "cheat detected".

    And most important (xD): Why "troll trolled"?

    Simply because, using another way to bypass, I've hooked NP_SendRandomString and instead of sending troll 20001 or troll 40003 I send troll trolled.

    If there's anything left related to aCI, it'd be amazing if you shared it with us.

    Note: the checks are performed where the game is supposed to call SteamAPI_RunCallbacks() (which is called inside the aCI function after the check is performed).

    Working coded bypass:

    This is the working bypass that I'm using. You should do the same with GetBonePos and CG_Trace:
    Code:
        uint8 fnOffset = 0x08;
        LPBYTE fnMcCode = NULL;
        const static uint8 ENGINEBYPASS_LEN = 0x21;
        LPBYTE EngineACI_Bypass = LPBYTE(MALLOC(ENGINEBYPASS_LEN));

        LPDWORD pJmpAddresses = LPDWORD(EngineACI_Bypass);
        pJmpAddresses[0] = OFFSET_DRAW_ENGTEXT + 7;
        pJmpAddresses[1] = OFFSET_GETFONT_BYNAME + 6;

        fnMcCode = &EngineACI_Bypass[fnOffset];
        DrawEngineText = DrawEngineTextType(fnMcCode);
        memcpy(fnMcCode, "\x8B\x44\x24\x04\x80\x38\x00\xFF\x25", 0x09);
        fnMcCode+=0x09; *LPDWORD(fnMcCode) = DWORD(&pJmpAddresses[0]); fnMcCode+=0x04;

        GetFontByName = GetFontByNameType(fnMcCode);
        memcpy(fnMcCode, "\x8B\x44\x24\x04\x6A\x01\xFF\x25", 0x08);
        fnMcCode+=0x08; *LPDWORD(fnMcCode) = DWORD(&pJmpAddresses[1]); fnMcCode+=0x04;

        DWORD dwProtection = PAGE_EXECUTE_READWRITE;
        VirtualProtect(EngineACI_Bypass, ENGINEBYPASS_LEN, dwProtection, &dwProtection);
    Basically what it does is create another function emulating the instructions overwritten by aCI, and then jump to the real function after the aCI hook.
    Extra code posted by BaberZz (+rep)

    Didn't notice they started hooking engine functions lol; like the old aCI.
    But yeh, I hook NP_SendRandomString to bypass aCI as well, that's all you need to do
    for now really, those engine funcs can be called as normal, no need to worry about the hooks. (Until aCI updates)
    If you don't let NP_SendRandomString send anything, you will get kicked after a little time.
    Time to change to another way to bypass as this is now public.
    Code:
    CDetour NP_SendRandomStringHook;
    void NP_SendRandomString( char* text )
    {
        NP_SendRandomStringHook.OriginalFunc( "troll 0" );
    }

    void Hook_Anticheat()
    {
        DWORD dwAddress = (DWORD)GetProcAddress( GetModuleHandle( "libnp.dll" ), "NP_SendRandomString" );
        if( !dwAddress )
        {
            Print( "WARNING: Unable to locate NP_SendRandomString" );
        }
        else
        {
            NP_SendRandomStringHook.Initiliaze( dwAddress, NP_SendRandomString, DETOUR_TYPE_JMP, 6 );
            NP_SendRandomStringHook.ApplyDetour();
        }
    }
    I believe I must give props to the APM Clan as well as they made him publish it.

    Anyways coders, LET THE HACKING BEGIN!!!
    Last edited by Kenshin13; 09-22-2012 at 10:48 PM.

  2. The Following User Says Thank You to Kenshin13 For This Useful Post:

    mwxplayer (10-27-2012)
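Added example (it is not CodMaster's, BaberZz's, aCI's or the game's code): the checks the analysis above describes, written from the anti-tamper side in portable C so it builds anywhere. The 13 prologue bytes are copied from the two DrawEngineText listings in the post (clean 8B 44 24 04 ... versus hooked E9 8E 55 12 16 ...); the code decides whether a function's live prologue still matches a known-good copy, decodes an E9 rel32 detour target the way the CPU does, tests a recorded return address against a module range, and applies the 10-second GetTickCount gate seen at 16553232 with wrap-safe unsigned arithmetic. The module base and size and the tick values are constructed for the demonstration; nothing here reads a live process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sample bytes copied from the post's OllyDbg listings: the first 13 bytes of
 * DrawEngineText (0042C970) before and after joining a game. */
static const uint32_t DRAW_ENGINE_TEXT_VA = 0x0042C970u;
static const uint8_t PROLOGUE_CLEAN[13] = {
    0x8B, 0x44, 0x24, 0x04,             /* MOV EAX,DWORD PTR SS:[ESP+4] */
    0x80, 0x38, 0x00,                   /* CMP BYTE PTR DS:[EAX],0      */
    0x0F, 0x84, 0x32, 0x01, 0x00, 0x00  /* JE 0042CAAF                  */
};
static const uint8_t PROLOGUE_HOOKED[13] = {
    0xE9, 0x8E, 0x55, 0x12, 0x16,       /* JMP 16551F03 (E9 rel32)      */
    0x38, 0x00,                         /* tail of the overwritten CMP  */
    0x0F, 0x84, 0x32, 0x01, 0x00, 0x00
};

typedef struct {
    int      tampered;      /* 1 if live bytes differ from the known-good copy */
    int      is_jmp_rel32;  /* 1 if the first byte is the E9 JMP opcode        */
    uint32_t target;        /* decoded detour target when is_jmp_rel32 is set  */
} prologue_check_t;

/* Compare a function's live prologue with a known-good copy and, if it now
 * starts with an E9 JMP, decode the destination.  rel32 is little-endian
 * and relative to the address of the next instruction (func_va + 5). */
prologue_check_t check_prologue(uint32_t func_va, const uint8_t *live,
                                const uint8_t *known_good, size_t n)
{
    prologue_check_t r = {0, 0, 0};
    r.tampered = memcmp(live, known_good, n) != 0;
    if (n >= 5 && live[0] == 0xE9) {
        uint32_t rel = (uint32_t)live[1]
                     | (uint32_t)live[2] << 8
                     | (uint32_t)live[3] << 16
                     | (uint32_t)live[4] << 24;
        r.is_jmp_rel32 = 1;
        r.target = func_va + 5u + rel;   /* wraps mod 2^32 exactly like the CPU */
    }
    return r;
}

/* Did a call into an engine function originate inside the game module?  The
 * trampoline in the post records [ESP] (the return address); a monitor then
 * only has to test that value against the module's [base, base+size) range. */
int caller_in_module(uint32_t ret_addr, uint32_t mod_base, uint32_t mod_size)
{
    return ret_addr >= mod_base && ret_addr - mod_base < mod_size;
}

/* The 10 s gate at 16553232..16553240: run the check only once GetTickCount()
 * has advanced by >= interval_ms (0x2710) since the last run.  Unsigned
 * subtraction keeps this correct across the 32-bit tick wrap every ~49.7 days. */
int check_is_due(uint32_t now_ms, uint32_t *last_check_ms, uint32_t interval_ms)
{
    if (now_ms - *last_check_ms < interval_ms)
        return 0;
    *last_check_ms = now_ms;
    return 1;
}

int main(void)
{
    prologue_check_t c = check_prologue(DRAW_ENGINE_TEXT_VA, PROLOGUE_HOOKED,
                                        PROLOGUE_CLEAN, sizeof PROLOGUE_CLEAN);
    printf("tampered=%d jmp_rel32=%d target=%08X\n",
           c.tampered, c.is_jmp_rel32, (unsigned)c.target);
    return 0;
}
```

Run as-is it reports tampered=1 jmp_rel32=1 target=16551F03, i.e. the monitor sees the detour from the second listing and knows where control is being diverted; comparing that target against the process's loaded-module list is what turns "bytes changed" into "foreign code present". The unsigned subtraction in check_is_due is the detail that is easy to get wrong: a signed comparison would stop firing (or fire continuously) once the tick counter wraps.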

  3. #2
          ( ° ͜ʖ͡°)╭∩╮
    Former Staff
    MarkHC's Avatar
    Join Date
    Nov 2011
    Gender
    male
    Location
    127.0.0.1
    Posts
    2,751
    Reputation
    66
    Thanks
    14,310
    My Mood
    Angelic
    Damn.. Hope the 4D1 guys don't check mpgh.. otherwise my esp will get detected now (((

    btw, it'd be way better if you just quoted BaberzZ's aCI bypass (found on the same thread where you found the stuff you posted)


    CoD Minion from 09/19/2012 to 01/10/2013

  4. #3
    Kenshin13's Avatar
    Join Date
    May 2011
    Gender
    male
    Location
    Cloud 9
    Posts
    3,473
    Reputation
    564
    Thanks
    5,881
    My Mood
    Psychedelic
    @-InSaNe- Still, even if they do, the amount of time it would take to create a whole new patch for their entire aCI system would be too much trouble.. they might not bother with it. (Depends on how much of a social life they've got xD)

    And as you suggested: @BaberZz

    Didn't notice they started hooking engine functions lol; like the old aCI.
    But yeh, I hook NP_SendRandomString to bypass aCI as well, that's all you need to do
    for now really, those engine funcs can be called as normal, no need to worry about the hooks. (Until aCI updates)
    If you don't let NP_SendRandomString send anything, you will get kicked after a little time.
    Time to change to another way to bypass as this is now public.
    Code:
    CDetour NP_SendRandomStringHook;
    void NP_SendRandomString( char* text )
    {
          NP_SendRandomStringHook.OriginalFunc( "troll 0" );
    }
    
    void Hook_Anticheat()
    {
          DWORD dwAddress = (DWORD)GetProcAddress( GetModuleHandle( "libnp.dll" ), "NP_SendRandomString" );
          if( !dwAddress )
          {
                Print( "WARNING: Unable to locate NP_SendRandomString" );
          }
          else
          {
                NP_SendRandomStringHook.Initiliaze( dwAddress, NP_SendRandomString, DETOUR_TYPE_JMP, 6 );
                NP_SendRandomStringHook.ApplyDetour();
          }
    }
    Last edited by MarkHC; 09-22-2012 at 10:51 PM. Reason: Removed the ** thing

  5. #4
    Jorndel's Avatar
    Join Date
    Jul 2010
    Gender
    male
    Location
    Norway
    Posts
    8,674
    Reputation
    905
    Thanks
    18,540
    My Mood
    Angelic
    Quote Originally Posted by -InSaNe-:
    Damn.. Hope the 4D1 guys don't check mpgh.. otherwise my esp will get detected now (((

    btw, it'd be way better if you just quoted BaberzZ's aCI bypass (found on the same thread where you found the stuff you posted)
    You mean this one: http://www.mpgh.net/forum/594-call-d...imple-esp.html
    ?

    If so, why can't I see any credit :S

     
    Contributor 01.27.2012 - N/A
    Donator 07-17-2012 - Current
    Editor/Manager 12-16-12 - N/A
    Minion 01-10-2013 - 07.17.13
    Former Staff 09-20-2012 - 01-10-2013 / 07-17-2013 - Current
    Cocksucker 20-04-2013 - N/A

  6. #5
          ( ° ͜ʖ͡°)╭∩╮
    Former Staff
    MarkHC's Avatar
    Join Date
    Nov 2011
    Gender
    male
    Location
    127.0.0.1
    Posts
    2,751
    Reputation
    66
    Thanks
    14,310
    My Mood
    Angelic
    Quote Originally Posted by Jorndel:
    You mean this one: http://www.mpgh.net/forum/594-call-d...imple-esp.html
    ?

    If so, why can't I see any credit :S
    I always forget to add the credits and after 24 hrs I couldn't edit the post anymore.. >.< it's not on purpose tho..


    CoD Minion from 09/19/2012 to 01/10/2013

  7. #6
    mike3x3's Avatar
    Join Date
    Feb 2011
    Gender
    male
    Posts
    2
    Reputation
    10
    Thanks
    0
    Guys, I have to thank you all!

    Boy, NTA is mad
    Last edited by mike3x3; 09-23-2012 at 02:05 PM.

  8. #7
    Instrumental's Avatar
    Join Date
    Jul 2012
    Gender
    male
    Location
    Global
    Posts
    1,220
    Reputation
    59
    Thanks
    704
    My Mood
    Cheerful
    Quote Originally Posted by -InSaNe-:
    Damn.. Hope the 4D1 guys don't check mpgh.. otherwise my esp will get detected now (((
    Lol don't worry mate, it was published before your hack, so if no one got banned then no one will

  9. #8
          ( ° ͜ʖ͡°)╭∩╮
    Former Staff
    MarkHC's Avatar
    Join Date
    Nov 2011
    Gender
    male
    Location
    127.0.0.1
    Posts
    2,751
    Reputation
    66
    Thanks
    14,310
    My Mood
    Angelic
    Quote Originally Posted by max620:
    Lol don't worry mate, it was published before your hack, so if no one got banned then no one will
    I know.. but mpgh has more views than the other site =P But you're right. But don't think this won't get patched.. it might take some time, but it will be. The 4D1 guys aren't as lazy as VAC


    CoD Minion from 09/19/2012 to 01/10/2013

  10. #9
    chainzx5555's Avatar
    Join Date
    Sep 2012
    Gender
    male
    Posts
    2
    Reputation
    10
    Thanks
    0
    I don't know how to do this?

  11. #10
    Kenshin13's Avatar
    Join Date
    May 2011
    Gender
    male
    Location
    Cloud 9
    Posts
    3,473
    Reputation
    564
    Thanks
    5,881
    My Mood
    Psychedelic
    Quote Originally Posted by chainzx5555:
    I don't know how to do this?
    It's simple: Don't.

  12. #11
    chainzx5555's Avatar
    Join Date
    Sep 2012
    Gender
    male
    Posts
    2
    Reputation
    10
    Thanks
    0
    How can I bypass it? I don't know how to do it.

  13. #12
    Kenshin13's Avatar
    Join Date
    May 2011
    Gender
    male
    Location
    Cloud 9
    Posts
    3,473
    Reputation
    564
    Thanks
    5,881
    My Mood
    Psychedelic

  14. #13
    GabbeN's Avatar
    Join Date
    Oct 2012
    Gender
    male
    Location
    Alunda, Sweden
    Posts
    2
    Reputation
    10
    Thanks
    0
    My Mood
    Bashful
    What should you do with that? Take the DLLs into an injector, or maybe just put them in a folder?
    peace - Gabriel

  15. #14
    Kenshin13's Avatar
    Join Date
    May 2011
    Gender
    male
    Location
    Cloud 9
    Posts
    3,473
    Reputation
    564
    Thanks
    5,881
    My Mood
    Psychedelic
    Quote Originally Posted by GabbeN:
    What should you do with that? Take the DLLs into an injector, or maybe just put them in a folder?
    peace - Gabriel
    This..... is not for you.... And it doesn't even work anymore.

  16. #15
    miloool123's Avatar
    Join Date
    Oct 2012
    Gender
    male
    Posts
    10
    Reputation
    10
    Thanks
    0
    Kenshin, please stop posting hack source code for 4D1 D:
    some guys like [mwxplayer] will use this to make hacks for 4D1 D:
