After looking into TAC, i found the following results:
1. The game makes screenshots of your screen (this includes any windows that could be on top Black Ops 2). They also include information like if you are in combat training, private or public match, etc. (0x75CA30)
2. The game hides some of its imports by searching the function to import using a hash combined with a Teb->Peb->Ldr search. (0x5F51F0)
3. The game hooks kernel32.BaseThreadInitThunk. (0x6B7AC0)
When a thread is created, the game knows about it. It checks the thread's start address (LoadLibraryA, LoadLibraryW, VirtualQuery, SetUnhandledExceptionFilter or DbgUiRemoteBreakin).
- If it's LoadLibraryA or LoadLibraryW, it sends the full dll path to their servers.
- If it's VirtualQuery or SetUnhandledExceptionFilter, they do some memmoves around, probably to copy the data queried or your exception handler filter function code.
- If it's DbgUiRemoteBreakin, they just send the detection code to their servers, most likely banning you instantly.
4. The game downloads code (asm) when you connect to their servers, which is then loaded into a game asset called "mp/store_header.img". This file is packed with zlib. (0x504050)
They call EnumWindows inside the code, and then check some stuff for each window. All the checks are done ONLY if the window is WS_EX_TOPMOST and is visible (WS_VISIBLE).
They probably check the process associated with the window.
So this is a list of things that you must do to make sure your cheat is safe:
1. Bypass their screenshot function! (setting 0x3A248F4 to 1 will bypass it)
2. Don't create topmost windows!
3. Don't use LoadLibraryA/LoadLibraryW + CreateRemoteThread/CreateThread injection method!
4. Don't create threads at VirtualQuery or SetUnhandledExceptionFilter!
5. Don't attach any debuggers!
I do have to say that I like TAC, it does a lot of subtle things that are not immediately obvious. For example, there's two functions checking for topmost windows. One simply sends a zlib compressed string containing info about your game (version, gamesettings, fullscreen etc) when an overlay is detected while the screenshot from the other function is sent as a string to the error-event handler. The filenames and the task names are also very misleading :3
Also, screenshots are only taken when you're in a game with multiple clients, so you can't test in custom games. But there's so much more. There's 3 CRC32 functions that scan everything from addresses to whole modules. Dvar uploading and eval() functions. It's worth having a look at even if you're not into cheating.
Going to have it enabled on Redacted in the next version, just as an extra layer. So feel free to poke at it during runtime without risking a VAC ban. Just remember to test in offline mode, else the client can get a little upset =P
Last edited by aIW|Convery; 01-15-2015 at 03:19 AM.