How does hack detection work?

[khaozizleet]

How does "hack detection" work? I see public hacks getting "patched" left and right, what exactly is getting patched..?

Yes I know how to C++ program, I do not (obviously) know how to create hacks yet, and just starting right now, and at the point in creating hack DLLs.

[User1]

You should research more into game hacking. Addies change with every release or patch. So each time they patch, people have to find new addresses. The old address would do nothing to affect game play. Nexon also does a string detection, they just search for suspicious strings within itself like "hack" or some popular hacking websites...

They check their own vtable to ensure that it has not be tampered with, and they include A LOT more protection... I don't know that much but thats basically some stuff HSheild and Nexon do.

[khaozizleet]

You should research more into game hacking. Addies change with every release or patch. So each time they patch, people have to find new addresses. The old address would do nothing to affect game play. Nexon also does a string detection, they just search for suspicious strings within itself like "hack" or some popular hacking websites...

They check their own vtable to ensure that it has not be tampered with, and they include A LOT more protection... I don't know that much but thats basically some stuff HSheild and Nexon do.

Thanks...That's all I needed. I didn't want to be missing something I'm supposed to be doing in the dll.

[Stevenom]

You should research more into game hacking. Addies change with every release or patch. So each time they patch, people have to find new addresses. The old address would do nothing to affect game play. Nexon also does a string detection, they just search for suspicious strings within itself like "hack" or some popular hacking websites...

They check their own vtable to ensure that it has not be tampered with, and they include A LOT more protection... I don't know that much but thats basically some stuff HSheild and Nexon do.

There's also a thing called "Signature scan" to find the updated addresses.

[Mouzie]

How does it detect?
It does this by scanning the memory contents of the local machine. A computer identified as using cheats may be banned from connecting to protected servers or in Combat Arms cases, removed the players and force crashes the game or banning the account.

Why is it so slow?
Simply, the antihack is a bot, unless the security company place the a dresses into the server files, the hack can't be 'detected' unless the bot changes the address/source coding.

* Real-time scanning of memory, a feature also prominent in many spyware programs, by placing a Hackshield Client on players' computers searching for known hacks/cheats using a built-in database.
* Throttled two-tiered background auto-update system using multiple Internet Master Servers to provide end-user security ensuring that no false or corrupted updates can be installed on players' computers.
* Frequent status reports (encrypted) are sent to the Hackshield Server by all players. When necessary, the server raises a violation which (depending upon settings) will cause the offending player to be removed from the game.
* Admins (GM) can also manually remove players from the game for a specified number of minutes or permanently ban if desired.
* Servers can optionally be configured to randomly check player settings looking for known exploits of the game engine.
*Servers can be configured to instruct clients to calculate partial MD5 hashes of files inside the game installation directory. The results are compared against a set configuration and differences logged, and optionally, the client removed from the server.
Admins can request actual screenshot samples from specific players and/or can configure the server to randomly grab screenshot samples from players during gameplay. However, it is possible for a game hack to block screenshots (producing a black screenshot) or remove all visual features of a hack (cleaning the screenshot) to remain undetected, leaving the effectiveness of this feature diminished.
An optional "bad name" facility is provided so that Admins can prevent players from using offensive player names containing unwanted profanity or racial slurs.
* Search functions are provided for Admins who wish to search player's keybindings and scripts for anything that may be known to exploit the game.
*Player Power facility (Elites) can be configured to allow players to self-administer game servers when the Server Administrator is not present entirely without the need for passwords, in which the players can call votes to have a player removed from the server for a certain amount of time.
*Servers have an optional built-in mini HTTP web server interface that allows the game server to be remotely administered via a web browser from anywhere over the Internet.
Admins can stream their server logs in real time to another location. Non-profit organizations like Anti-Cheat Inc, Community Ban List.

[User1]

There's also a thing called "Signature scan" to find the updated addresses.

Yes, those scan the memory for the function "signatures", once found it'll use that address.

How does it detect?
It does this by scanning the memory contents of the local machine. A computer identified as using cheats may be banned from connecting to protected servers or in Combat Arms cases, removed the players and force crashes the game or banning the account.

...

*Servers have an optional built-in mini HTTP web server interface that allows the game server to be remotely administered via a web browser from anywhere over the Internet.
Admins can stream their server logs in real time to another location. Non-profit organizations like Anti-Cheat Inc, Community Ban List.

After reading it twice... most of those things are kinda a no-shit fact...

[freedompeace]

There are so many ways I'd never be able to explain them all.

Some methods include
- blacklist signature scanning
- blacklist string detection
- hooking and detecting other hooks on critical functions
- detecting detours of internal functions
- detecting memory modifications and abnormal values
- checking originating caller addresses

[NoZoJiHyo]

this question scares me AHAHHA