  1. #1
    Merccy2

    The Truth About VAC Detection

    The truth about how VAC detects hacks

    Making a public hack undetected using one of these methods does not always work but it does make it a bit safer to use public hacks.

    Contents:

    1. What makes a hack VAC detected
    2. How can I counter this
    3. Internal vs External
    4. Common programs
      • Hashchanger
      • Enigma
      • VMProtect
      • Other programs


    1. What makes a hack VAC detected
    The first thing you need to know if you want to make or keep a hack undetected is how VAC detects hacks.
    This information has been found by other people by reverse engineering VAC.

    Currently VAC only uses signature scanning and not heuristics scanning.

    Heuristics scanning (which VAC does not have) works by analyzing the behavior of programs. External hacks use a call to a Windows function called WriteProcessMemory; with heuristics scanning VAC could see if a program wants to write to csgo and what they are writing and ban them if it is something illegal.

    Signature scanning works by scanning the RAM (all the running processes) and checking if a known signature is present in this data.

    The combination of all these blocks is the program in memory and each block is a smaller block/part of memory inside the application.
    A signature could be generated of all those blocks together (the whole application) or they could be generated of a smaller sequence of (memory) blocks.
    VAC uses the latter so the red sequences of blocks illustrate a detected signature.

    There is one more thing that VAC does which only applies to internal hacks.
    They can detect certain hooks.
    You might ask what a hook is. I will try to explain it really simply because the answer is quite technical (programmers pls don't flame me).
    How internal hacks work is by redirecting a certain part of code in CSGO to their hack code.
    This can only be done at certain parts and not all those parts qualify for everything.
    Redirecting a part to your hack code is called a hook and if many people use that hook then they may update VAC to check if that part is redirected (which makes it detected).

    2. How can I counter this
    Countering this as a programmer is not that hard, you have to change the signature of your program.
    If you are an end user (someone who just downloads hacks) this is harder to do because you cannot change the code of the program (which translates to how the program is represented in memory), however you can use a few programs (see 4.).

    3. Internal vs External
    Some people have discussions about what is detected faster, internal vs external.
    Some of those use the argument there are more external hacks than internal hacks so obviously internal hacks are easier to detect.
    This is wrong!
    Internal is detected just as easily as external hacks but many people do not release their internal hack to the public because VAC might detect the hooks used and this will make all the cheats that use that hook detected.
    It is a lot easier to make an external cheat undetected (well making one is easier as well :P) than making an internal cheat undetected but that does not mean that internal hacks are detected faster.

    4. Common programs
    As I have mentioned in 2. you as an end user can use some programs to change the signature of a public hack but still keep it functioning.

    Hashchanger
    I will start with hashchanger because it does NOT work.
    I explained how signature detection works.

    Hashchanger only adds a block of memory (actually a few bytes) to the end of the program and as you can see the red sequences of detected blocks still stay the same.
    You would have to add blocks between the red blocks to make them undetected which you cannot easily do and which hash changer does not do!

    Enigma
    Website

    What does Enigma Protector do?

    A range of features and technologies to help protect the executable file from hacking, analysis, modification and disassembly. A Virtual Machine technology enables part of the application and protection code to be executed in its own virtual CPU, which makes the code practically impossible to analyze.


    tldr; they modify the program to something only the Enigma software understands.
    How does this make it undetected? All the memory blocks in the original exe get modified making all the signatures for the original exe useless.

    VMProtect
    Website

    What does VMProtect do?

    VMProtect Virtualizes Code

    Code virtualization is the next step in software protection. Most protection systems encrypt the code and then decrypt it at the application’s startup. VMProtect doesn’t decrypt the code at all! Instead, the encrypted code runs on a virtual CPU that is markedly different from generic x86 and x64 CPUs as the command set is different for each protected file.


    Essentially it does the same as Enigma Protector but the exact implementation differs.
    tldr; they modify the program to something only the VMProtect software understands.
    How does this make it undetected? All the memory blocks in the original exe get modified making all the signatures for the original exe useless.

    Other programs
    Themida - Website - Works like Enigma/VMProtect

    ---

    Disclaimer: some things have been simplified heavily but the essence of the message is the same.

    Please link this to anyone asking for information about this topic.

    Hopefully you guys think this is useful,

    Merccy
    Last edited by Hunter; 02-02-2016 at 03:49 AM.
    If you have any questions regarding my hacks, add me on Discord: Merccy#8314
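
The difference the post describes between a whole-file hash and a signature over a short run of bytes, seen from the scanner's side. This is an added example, not part of the original post and not VAC's code; the sample buffer, the signature name and the pattern are constructed for illustration.

```python
import hashlib

# Constructed sample data: filler bytes around an 8-byte marker. Not real program bytes.
SAMPLE_IMAGE = bytes(range(64)) + bytes.fromhex("deadbeef10203040") + bytes(64)

# Whole-file blocklist: one SHA-256 per known sample.
HASH_BLOCKLIST = {hashlib.sha256(SAMPLE_IMAGE).hexdigest()}

# Byte-pattern signatures over a short run of bytes; None matches any byte.
# The name and the pattern are hypothetical.
PATTERN_SIGNATURES = {
    "sample-sig-1": [0xDE, 0xAD, None, 0xEF, 0x10, 0x20],
}


def hash_match(image: bytes) -> bool:
    """True if the SHA-256 of the whole buffer is on the blocklist."""
    return hashlib.sha256(image).hexdigest() in HASH_BLOCKLIST


def find_pattern(image: bytes, pattern: list) -> int:
    """Return the offset of the first match of pattern in image, or -1."""
    width = len(pattern)
    for offset in range(len(image) - width + 1):
        window = image[offset:offset + width]
        if all(p is None or b == p for b, p in zip(window, pattern)):
            return offset
    return -1


def scan(image: bytes) -> dict:
    """Map each matching signature name to the offset where it was found."""
    hits = {}
    for name, pattern in PATTERN_SIGNATURES.items():
        offset = find_pattern(image, pattern)
        if offset >= 0:
            hits[name] = offset
    return hits


if __name__ == "__main__":
    padded = SAMPLE_IMAGE + b"\x00" * 16  # same content with bytes appended at the end
    print("hash  original:", hash_match(SAMPLE_IMAGE), "padded:", hash_match(padded))
    print("bytes original:", scan(SAMPLE_IMAGE), "padded:", scan(padded))
```

Appending bytes changes the SHA-256, so the hash blocklist misses the padded copy, while the byte-pattern signature still matches at the same offset.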


  3. #2
    HippoHash
    Thanks for the info Merccy2!

    This is why I love MPGH


  5. #3
    Yemiez
    Nice Post


  7. #4
    xbobex1999
    A tutorial for inject wall in enigma?

  8. #5
    mmaaxx129
    Very nice merccy. Well explained.
    Never stop enjoying life, it's a gift.




  10. #6
    LordKevo
    Finally, Great job man.

    end users read 4.

  11. #7
    blackrazor
    Worth a thank you mate.
    Proud to be a member since 2007!
    Watch my CS:GO stream www.twitch.tv/raven_NL
    My stream is always hack free and there has never been and never will be hacked on this account


  12. #8
    kakalos1
    So if I use VMProtect. hack will undetected forever? -_-

  13. #9
    Merccy2
    Quote, originally posted by kakalos1:
    So if I use VMProtect. hack will undetected forever? -_-
    Nope, because a significant amount of people use VMProtect with public hacks they will also generate signatures for a VMProtected hack.

  14. #10
    81x08
    How can you check if the updated game? Where can I see? To be aware of.

    ps. Thank you for the topic, Merccy

  15. #11
    Merccy2
    Quote, originally posted by 81x08:
    How can you check if the updated game? Where can I see? To be aware of.

    ps. Thank you for the topic, Merccy
    They don't have to update the game to add signatures. They can add the signatures on their server. (I do not have proof of this claim but it would be strange if the signatures were client sided)

  16. #12
    81x08
    Quote, originally posted by Merccy2:
    They don't have to update the game to add signatures. They can add the signatures on their server. (I do not have proof of this claim but it would be strange if the signatures were client sided)
    Just wondering how people know that the game has been updated. I do not think that they spend their accounts at banks to check.

  17. #13
    YouMaadb
    Thanks for this post!

  18. #14
    Spycho57
    Can we do anything for a hack to keeping undetected forever? I didnt understand this.

  19. #15
    LordKevo
    Quote, originally posted by Spycho57:
    Can we do anything for a hack to keeping undetected forever? I didnt understand this.
    sure, just go to disney.com order cs;go package.
    for real.

    or create your own hack, and keep it to your self.
    Last edited by LordKevo; 02-10-2015 at 08:34 AM.

