tepee07 (09-10-2012)
The info on this thread is for Arma2 OA 1.62 and possibly future versions.
Credit goes to Darky.HAX; I did not make this, all credit goes to him.
- Arma2 OA / BattleEye Script Detection -
How script detection works:
Script detection works by Arma2 calling a BattlEye callback function to notify it that a script was executed; BattlEye then sends the script to the server, where some analysis is done against a blacklist to determine whether the script is legit or not.
Here's how it works under-the-hood:
1.60 Version: When a player presses OK/Continue in the lobby, Arma2 Loads BEClient.dll
1. When a player joins a server Arma2 Loads BEClient.dll
2. When the load is done, Arma2 calls the Init function exported by BattlEye:
Here's the Init function decompiled:Code:.text:004BAF08 push offset ProcName ; "Init" .text:004BAF0D push dword ptr [ebx] ; hModule .text:004BAF0F call ds:GetProcAddress .text:004BAF15 mov [ebp+var_4], eax .text:004BAF18 mov eax, [ebp+arg_0] .text:004BAF1B mov ecx, [eax+194h] .text:004BAF21 mov eax, [ecx] .text:004BAF23 lea edx, [ebp+var_18] .text:004BAF26 push edx .text:004BAF27 call dword ptr [eax+28h] .text:004BAF2A mov ecx, [ebp+var_14] .text:004BAF2D lea eax, [ebx+50h] .text:004BAF30 mov [eax], ecx .text:004BAF32 mov cx, [ebp+var_16] .text:004BAF36 mov esi, 0A4h .text:004BAF3B mov [ebx+54h], cx .text:004BAF3F mov dword ptr [ebx+58h], offset sub_4B6DEE .text:004BAF46 cmp [ebp+var_8], esi .text:004BAF49 jl short loc_4BAF68 .text:004BAF4B cmp [ebp+var_4], edi .text:004BAF4E jz short loc_4BAF68 .text:004BAF50 lea ecx, [ebx+5Ch] .text:004BAF53 push ecx .text:004BAF54 push eax .text:004BAF55 push edi .text:004BAF56 call [ebp+var_4] // Call Init Function
BEClient.dll (1.168) - Init Partial decompiled
BEClient.dll (1.168) - Init Fully decompiledCode:/* Hex-Rays output of the Init export of BEClient.dll 1.168, the function the game resolves with GetProcAddress("Init") in the caller disassembly above. What the listing shows: a1 is never read; a2 is read at +0 (4 bytes), +4 (2 bytes) and +8 (4 bytes) into the global sockaddr `to` and dword_10017BF8; a3 gets four function addresses written at +0, +4, +8, +12. Returns 1 with the hooks installed, 0 after running sub_10003BE0 (the routine the annotated listing below calls BE_Unload). The sub_* names are IDA placeholders, not symbols. */char __cdecl Init(int a1, int a2, int a3) { char result; // al@2 int v4; // eax@3 void *v5; // esi@3 HMODULE v6; // eax@8 unsigned int v7; // eax@10 /* a spin count with the high bit set is the documented request to preallocate the critical section's event; this is the only failure that returns before the section is entered */if ( !InitializeCriticalSectionAndSpinCount(&CriticalSection, 0x80000000u) ) return 0; EnterCriticalSection(&CriticalSection); /* 0x20-byte buffer given to sub_10004930 and freed if that call fails; the goto into the body of the next if is a decompiler artifact -- both paths end with v5 = 0 */v4 = operator new(0x20u); v5 = (void *)v4; if ( !v4 ) goto LABEL_6; if ( !sub_10004930(v4) ) { j__free(v5); LABEL_6: v5 = 0; } /* global copy; 0 means the first hook failed */dword_1001A644 = v5; /* success needs the buffer above AND either wsock32!recvfrom being unresolvable (GetProcAddress == 0 short-circuits the ||, so that case still counts as success) or sub_10004C90 succeeding */if ( v5 && ((v6 = GetModuleHandleA("wsock32.dll"), (dword_1001A558 = (int)GetProcAddress(v6, "recvfrom")) == 0) || (dword_1001A63C = (void *)sub_10004C90(sub_100039D0)) != 0) ) { /* CRT PRNG seeded from the tick count -- a predictable seed; what rand() is used for is not shown here */v7 = GetTickCount(); srand(v7); /* game detection by top-level window class: 1 = ArmA 2 OA, 2 = Ironfront, 0 = neither */if ( FindWindowA("ArmA 2 OA", 0) ) dword_100184A4 = 1; else dword_100184A4 = FindWindowA("Ironfront", 0) != 0 ? 2 : 0; /* a2+0 -> address bytes, a2+4 -> port bytes of the global sockaddr, a2+8 -> a function pointer (see BE_GameData below) */*(_DWORD *)&to.sa_data[2] = *(_DWORD *)a2; *(_WORD *)&to.sa_data[0] = *(_WORD *)(a2 + 4); dword_10017BF8 = *(_DWORD *)(a2 + 8); /* callback table returned to the game: unload, update, display-info, script callback (see BE_Callback below) */*(_DWORD *)a3 = sub_10003BE0; *(_DWORD *)(a3 + 4) = sub_10003D90; *(_DWORD *)(a3 + 8) = sub_100040B0; *(_DWORD *)(a3 + 12) = sub_10004150; /* the format wants two values but only one argument is shown here; the annotated listing passes (1, 168) */sub_10001000("Initialized (v%u.%03u)", 1); LeaveCriticalSection(&CriticalSection); result = 1; } /* failure: drop the lock, then run the unload routine so nothing stays hooked */else { LeaveCriticalSection(&CriticalSection); sub_10003BE0(); result = 0; } return result; }
Init Structures:Code:/* The same Init with the author's names applied (recvfrom_hook, JMP_Hook, BE_Unload, BE_Update, ...). Differences against the raw listing above: the wsock32 hook is shown taking the resolved address and the hook function (JMP_HookEx(proc_recvfrom2, wsock32_recvfrom_hook)), GameType replaces dword_100184A4, and BE_ChatPrintf gets both values its format string expects. Unknown (a1) is still never read. */char __cdecl Init(int Unknown, BE_GameData *GameData, BE_Callback *pCallback) { char result; // al@2 const void *pTrampoline_recvfrom; // eax@3 void *p2Trampoline_recvfrom; // esi@3 HMODULE hMod; // eax@8 FARPROC proc_recvfrom2; // eax@8 unsigned int seed; // eax@10 if ( !InitializeCriticalSectionAndSpinCount(&CriticalSection, 0x80000000u) ) return 0; EnterCriticalSection(&CriticalSection); /* 0x20 bytes for the trampoline back to the original recvfrom; freed again if the detour cannot be placed */pTrampoline_recvfrom = (const void *)operator new(0x20u); p2Trampoline_recvfrom = (void *)pTrampoline_recvfrom; if ( !pTrampoline_recvfrom ) goto HookFail; if ( !JMP_Hook((int)recvfrom_hook, recvfrom, pTrampoline_recvfrom) ) { j__free(p2Trampoline_recvfrom); HookFail: p2Trampoline_recvfrom = 0; } g_Trampoline_recvfrom = p2Trampoline_recvfrom;// Global var to recvfrom trampoline /* NOTE(review): a failed GetProcAddress for wsock32!recvfrom short-circuits the || and still counts as success (dword_1001A558 stays 0); only a failed JMP_HookEx aborts */if ( p2Trampoline_recvfrom && ((hMod = GetModuleHandleA("wsock32.dll"), proc_recvfrom2 = GetProcAddress(hMod, "recvfrom"), (dword_1001A558 = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD))proc_recvfrom2) == 0) || (g_Trampoline_wsock32_recvfrom = JMP_HookEx(proc_recvfrom2, (int)wsock32_recvfrom_hook)) != 0) ) { /* CRT PRNG seeded from the tick count */seed = GetTickCount(); srand(seed); /* which game is running, decided from the top-level window class */if ( FindWindowA("ArmA 2 OA", 0) ) GameType = 1; else GameType = FindWindowA("Ironfront", 0) != 0 ? 
2 : 0; /* copies the game's local address and port into the global sockaddr `to`, and keeps the chat-print function pointer */*(_DWORD *)&to.sa_data[2] = GameData->locIP;// local ip *(_WORD *)&to.sa_data[0] = GameData->locPort;// port ChatPrint = (int (__cdecl *)(_DWORD))GameData->pChatPrint; /* export table handed back to the game; each entry is a raw 32-bit address */pCallback->pBE_Unload = (DWORD)BE_Unload; // unload function - called to free battleye resources pCallback->pBE_Update = (DWORD)BE_Update; // be update callback pCallback->pBE_DisplayInfo = (DWORD)BE_DisplayInfo;// called when you type #beclient guid, to display your guid or #beclient players pCallback->pBE_BE_ScriptCallBack = (DWORD)BE_ScriptCallBack;// BE_ScriptCallBack Function /* prints "Initialized (v1.168)" in-game */BE_ChatPrintf("Initialized (v%u.%03u)", 1, 168); LeaveCriticalSection(&CriticalSection); result = 1; } else { LeaveCriticalSection(&CriticalSection); BE_Unload(); result = 0; } return result; }
/* 4. When it's all done and script's are executed an Arma2 Function calls the BattlEye Callback Function with the script code */

/*
 * Table of BEClient entry points that Init fills in through its third
 * argument (a3+0, +4, +8, +12 in the raw listing above). Each slot is a
 * raw 32-bit address (DWORD), so this layout matches a 32-bit build only.
 */
#pragma pack(push, 4)
struct BE_Callback {
    DWORD pBE_Unload;             /* a3+0:  called to free BattlEye resources */
    DWORD pBE_Update;             /* a3+4:  BE update callback */
    DWORD pBE_DisplayInfo;        /* a3+8:  output for #beclient guid / #beclient players */
    DWORD pBE_BE_ScriptCallBack;  /* a3+12: receives the text of each executed script */
};
#pragma pack(pop)

/*
 * Data the game hands to Init through its second argument. With pack(4)
 * the function pointer sits at offset 8, matching the a2+8 read in the
 * raw listing (locIP at a2+0, locPort at a2+4).
 */
#pragma pack(push, 4)
struct BE_GameData {
    DWORD locIP;                            /* local IP, copied into the global sockaddr */
    WORD  locPort;                          /* local port */
    int (__cdecl *pChatPrint)(char *Text);  /* in-game chat print; Init keeps it as ChatPrint */
};
#pragma pack(pop)
Here's the Function decompiled:
6. You press abort disconnect and BattlEye is unloaded and so the process repeats.Code:/* Game-side bridge from script execution to BattlEye (Arma2 OA 1.62, 0xAB09C9). From the listing: this+104 holds the script callback that Init stored as pBE_BE_ScriptCallBack; a2 looks like a refcounted string object -- the text starts at a2 + 2 (8 bytes in, a2 being a 4-byte-element pointer), the count at a2+0 is bumped with _InterlockedExchangeAdd and released through sub_44FD00, and stru_E0CF88 stands in for a null a2. The callback is only reached when the text is non-empty and sub_AB04EA(text, &v15) returns 0, presumably a local pre-check -- TODO confirm. Return value: 1 after handling a non-empty script; otherwise (callback == 0), i.e. 1 when no callback is installed and 0 for an empty script with one installed. The this+72 > 200 branch (sub_57C82D, sub_AB0567 on *this+68) is not explained anywhere on this page. */// Function Addr (1.62): // 00AB09C9 55 PUSH EBP // // RVA: 0x6b09c9 <- 1.62 // // Sig: \x55\x8B\xEC\x51\x51\x53\x56\x57\x8B\xF9\x8B\x57\x68 // Mask: xxxxxxxxxxxxx char __thiscall sub_AB09C9(int this, signed __int32 *a2) { int v2; // edi@1 int v3; // edx@1 bool v4; // zf@1 struct _RTL_CRITICAL_SECTION *v5; // ebx@2 signed __int32 *v6; // eax@2 signed __int32 *v7; // eax@5 signed __int32 *v8; // eax@8 int v10; // ebx@17 void (__cdecl *BattleEye_ScriptCallBack)(_DWORD); // edi@20 signed __int32 *scriptcode; // eax@22 bool v13; // bl@26 signed __int32 *v14; // [sp+Ch] [bp-8h]@10 int v15; // [sp+10h] [bp-4h]@8 /* v3: the installed callback, v4: "no callback" flag used as the fallback return */v2 = this; v3 = *(_DWORD *)(this + 104); v4 = v3 == 0; if ( v3 ) { v5 = &stru_E0CF88; v6 = a2 + 2; if ( !a2 ) v6 = (signed __int32 *)&stru_E0CF88; if ( v6 ) { v7 = a2 + 2; if ( !a2 ) v7 = (signed __int32 *)&stru_E0CF88; /* empty text skips the whole callback path and returns 0 below */if ( *(_BYTE *)v7 ) { v15 = 0; v8 = a2 + 2; if ( !a2 ) v8 = (signed __int32 *)&stru_E0CF88; v14 = v8; /* callback path only when sub_AB04EA returns 0 */if ( !(unsigned __int8)sub_AB04EA(v8, &v15) ) { sub_4AE9BD(&v14); if ( *(_DWORD *)(v2 + 72) > 200 ) { v10 = **(_DWORD **)(v2 + 68); sub_57C82D(0, 1); sub_AB0567(v10, 0); v5 = &stru_E0CF88; } /* presumably a refcount bump before sub_AB0834 takes a2; balanced by sub_44FD00 below */if ( a2 ) _InterlockedExchangeAdd(a2, 1u); sub_AB0834(a2, 0); BattleEye_ScriptCallBack = *(void (__cdecl **)(_DWORD))(v2 + 104);// make a prototype if ( BattleEye_ScriptCallBack ) { if ( a2 ) scriptcode = a2 + 2; else scriptcode = (signed __int32 *)v5; BattleEye_ScriptCallBack(scriptcode);// call the be callback function with the script code } } if ( v15 ) sub_44FD00(v15); if ( a2 ) sub_44FD00(a2); return 1; } } v4 = v3 == 0; } v13 = v4; if ( a2 ) sub_44FD00(a2); return v13; }
- Player ID -
NOTE to all: Player ID is not the GUID, GUID is 32 in length.Code:/* Player ID string builder (Arma2 OA 1.62, 0xA52508). From the listing: (1) SHA-1 (CryptCreateHash with algid 0x8004 = CALG_SHA1; HP_HASHVAL = 2) over the 4 bytes at dword_E0ABB7, after which the first hash byte is compared with byte_E0ABBB, the byte right after those 4, and a mismatch sets byte_E08C8B = 1 -- presumably a tamper flag, nothing here reads it; (2) a CRC-8 with reflected polynomial 0x8C (the Dallas/1-Wire bitwise form) over 14 bytes from dword_E0ABB7 into v4, which is never read afterwards in this listing; (3) the ID itself is the low 28 bits of dword_E0ABB7 (& 0xFFFFFFF), written in decimal by _i64toa into the 256-byte stack buffer Out_PlayerID (bp-11Ch..bp-1Ch); (4) the string returned by sub_B75AE1() is appended with an inlined strlen + memcpy, bounded only by that buffer, and the result goes to sub_44F610. a1 is returned unchanged. Everything derives from the global dword_E0ABB7 and the check only covers its own stored byte -- compare NOTE 3 below. */// Function Addr (1.62): // 00A52508 55 PUSH EBP // // RVA: 0x652508 <- 1.62 // // Sig: \x55\x8B\xEC\x81\xEC\x00\x00\x00\x00\x53\x56\x57\x8B\x3D\x00\x00\x00\x00\x33\xDB\x8D\x45\xF4\x53\x50 // Mask: xxxxx????xxxxx????xxxxxxx int __cdecl sub_A52508(int a1) { int v1; // edi@1 DWORD v2; // ebx@1 DWORD v3; // ebx@5 unsigned __int8 v4; // dl@14 int Int_PlayerID; // eax@14 signed int v6; // esi@14 unsigned __int8 v7; // cl@15 signed int v8; // edi@15 char v9; // bl@16 int v10; // eax@20 const void *v11; // edx@20 char v12; // cl@21 unsigned int v13; // eax@22 void *v14; // edi@22 char v15; // cl@23 char v17; // [sp+Bh] [bp-11Dh]@22 char Out_PlayerID; // [sp+Ch] [bp-11Ch]@20 BYTE *v19; // [sp+10Ch] [bp-1Ch]@5 DWORD v20; // [sp+110h] [bp-18h]@5 BYTE pbData[4]; // [sp+114h] [bp-14h]@1 DWORD pdwDataLen; // [sp+118h] [bp-10h]@4 HCRYPTPROV phProv; // [sp+11Ch] [bp-Ch]@1 HCRYPTHASH hHash; // [sp+120h] [bp-8h]@2 BYTE v25; // [sp+127h] [bp-1h]@1 v1 = dword_E0ABB7; v2 = 0; *(_DWORD *)pbData = dword_E0ABB7; v25 = 0; phProv = 0; /* sub_B75A8C presumably wraps CryptAcquireContext -- TODO confirm */if ( (unsigned __int8)sub_B75A8C(&phProv, 0) ) { hHash = 0; if ( CryptCreateHash(phProv, 0x8004u, 0, 0, &hHash) ) { if ( CryptHashData(hHash, pbData, 4u, 0) ) { pdwDataLen = 0; /* first call sizes the digest, second fetches it into a buffer from the allocator at off_DBD264 */if ( CryptGetHashParam(hHash, 2u, 0, &pdwDataLen, 0) ) { v3 = pdwDataLen; v19 = (BYTE *)(*((int (__stdcall **)(_DWORD))*off_DBD264[0] + 1))(pdwDataLen); v20 = v3; if ( CryptGetHashParam(hHash, 2u, v19, &pdwDataLen, 0) ) v25 = *v19; sub_524DC0(&v19); v2 = 0; } } } if ( hHash != v2 ) CryptDestroyHash(hHash); } if ( phProv != v2 ) CryptReleaseContext(phProv, v2); /* first SHA-1 byte vs the byte stored after the ID; mismatch only raises a flag */if ( v25 != byte_E0ABBB ) byte_E08C8B = 1; /* CRC-8 (reflected poly 0x8C) over 14 bytes; v4 is dead after the loop */v4 = 0; /* the numeric ID is the low 28 bits */Int_PlayerID = v1 & 0xFFFFFFF; v6 = 0; do { v7 = *((_BYTE *)&dword_E0ABB7 + v6); v8 = 8; do { v9 = v4 ^ v7; v4 >>= 1; if ( v9 & 1 ) v4 ^= 0x8Cu; v7 >>= 1; --v8; } while ( v8 ); ++v6; } while ( v6 < 14 ); /* decimal text into the 256-byte stack buffer; a 32-bit int is passed where the 64-bit argument goes -- the high half is not visible in this listing */_i64toa(Int_PlayerID, &Out_PlayerID, 10); // Converts an integer (Player ID) to a string v10 = sub_B75AE1(); v11 
= (const void *)v10; /* inlined strlen+1 of the suffix string from sub_B75AE1() */do v12 = *(_BYTE *)v10++; while ( v12 ); v13 = v10 - (_DWORD)v11; /* walk from the byte before Out_PlayerID to its terminator (inlined strcat) */v14 = &v17; do { v15 = *((_BYTE *)v14 + 1); v14 = (char *)v14 + 1; } while ( v15 ); /* appends the suffix incl. its NUL; bounded only by the 256-byte buffer, nothing checks it here */memcpy(v14, v11, v13); /* hands the finished string on; a1 passes through untouched */sub_44F610(&Out_PlayerID); return a1; }
NOTE 3: Player ID can be spoofed and is sometimes random.
NOTE 4: DayZ DataBase bans are based on Player ID (https://community.bistudio.com/wiki/getPlayerUID)
NOTE 5: Server bans can be both Player ID and BattleEye GUID.
- Arma2 Packets -
NOTE: In Arma2 OA 1.61/1.62 these packets are encrypted/compressed.
Arma2 Packet Header:
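/* Arma2 Connect Packet: */
#include <stdint.h>

/*
 * Common header at the start of every Arma2 packet: length, type, subtype
 * and a CRC-32 over the whole packet. Fixed-width types and byte packing
 * make it 8 bytes on every target; with plain `long` and no pack pragma
 * the original was 8 bytes only on a 32-bit MSVC build (on LP64 the
 * checksum moved to offset 8 and the struct grew to 16 bytes).
 */
#pragma pack(push, 1)
typedef struct {
    int16_t FullLen;   /* total packet length in bytes, header included */
    char    Type;
    char    subType;
    int32_t Checksum;  /* <- CRC32 of the whole packet data */
} Arma2CorePkt, *pArma2CorePkt; /* 8 bytes */
#pragma pack(pop)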
Packet Header Credits: alugi (old struct Arma II), me (updated+extra reversing)Code:#pragma pack(push,1) typedef struct { short FullLen; char Type; // 1 char subType; // 8 long Checksum; // <- CRC32 of the whole packet data long unknown1; long unknown2; long unknown3; long unknown4; long unknown5; // this is 0xCCCA1E12 long ver; char nickname[40]; char password[40]; char datafile[80]; long GameID; // 0xA0 - Arma2 OA 1.60 long GameVers; // 0xA0 - Arma2 OA 1.60 short unknown8; // 0 long unknown9; // 1 long unknown10; // time(0) }Arma2ConnectPkt, *pArma2ConnectPkt; // 210 bytes #pragma pack(pop)
Here's an example how to create a connect packet:
crc32.c
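/* Table-driven CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320). */

/* Reflected form of the CRC-32 polynomial; crc32gentab() rebuilds crc_tab from it. */
#define CRC32_POLY 0xEDB88320u

static uint32_t crc_tab[256] = { /* CRC polynomial 0xedb88320 */
    0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, 0xe963a535, 0x9e6495a3,
    0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91,
    0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7,
    0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, 0xfa0f3d63, 0x8d080df5,
    0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b,
    0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59,
    0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599, 0xb8bda50f,
    0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d,
    0x76dc4190, 0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433,
    0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01,
    0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457,
    0x65b0d9c6, 0x12b7e950, 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65,
    0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb,
    0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9,
    0x5005713c, 0x270241aa, 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,
    0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad,
    0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683,
    0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1,
    0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb, 0x196c3671, 0x6e6b06e7,
    0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5,
    0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b,
    0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef, 0x4669be79,
    0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f,
    0xc5ba3bbe, 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d,
    0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713,
    0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21,
    0x86d3d2d4, 0xf1d4e242, 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777,
    0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45,
    0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db,
    0xaed16a4a, 0xd9d65adc, 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,
    0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, 0x54de5729, 0x23d967bf,
    0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d
};

/*
 * crc32buf() -- CRC-32 of `length` bytes starting at `block`.
 *
 * Standard reflected CRC-32: start at 0xFFFFFFFF, index the table with the
 * low byte, finish with an XOR of 0xFFFFFFFF. crc32buf("123456789", 9) is
 * 0xCBF43926; a length of 0 yields 0. `block` is only read. All arithmetic
 * is done in uint32_t, so the result no longer depends on sizeof(long)
 * (the original kept the running value in an unsigned long and masked
 * after every shift).
 */
uint32_t crc32buf(const unsigned char *block, size_t length)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < length; i++) {
        crc = (crc >> 8) ^ crc_tab[(crc ^ block[i]) & 0xFFu];
    }
    return crc ^ 0xFFFFFFFFu;
}

/*
 * crc32gentab() -- rebuilds crc_tab[] from CRC32_POLY.
 *
 * Not needed before calling crc32buf(): the initialiser above is the
 * precomputed result and this routine reproduces it bit for bit. Kept so
 * the table can be verified, or dropped from the binary and built at
 * start-up instead.
 */
void crc32gentab(void)
{
    for (unsigned i = 0; i < 256; i++) {
        uint32_t crc = i;
        for (int j = 0; j < 8; j++) {
            crc = (crc & 1u) ? (crc >> 1) ^ CRC32_POLY : crc >> 1;
        }
        crc_tab[i] = crc;
    }
}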
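/* - Arma2 OA PBO Packet - */
#include <stdint.h>
#include <string.h>
#include <time.h>

/*
 * Connect request (Type 1 / subType 8). Fixed-width types keep the
 * byte-packed layout at 210 bytes regardless of sizeof(long); the original
 * `long` fields only gave that size on a 32-bit MSVC build.
 */
#pragma pack(push,1)
typedef struct {
    int16_t FullLen;
    char    Type;          // 1
    char    subType;       // 8
    int32_t Checksum;      // <- CRC32 of the whole packet data
    int32_t unknown1;
    int32_t unknown2;
    int32_t unknown3;
    int32_t unknown4;
    int32_t unknown5;      // this is 0xCCCA1E12
    int32_t ver;
    char    nickname[40];
    char    password[40];
    char    datafile[80];
    int32_t GameID;        // 0xA0 - Arma2 OA 1.60
    int32_t GameVers;      // 0xA0 - Arma2 OA 1.60
    int16_t unknown8;      // 0 per the struct comment; Create_ConnectPacket writes 0x7410 -- which 1.62 expects is not settled on this page
    int32_t unknown9;      // 1
    int32_t unknown10;     // time(0)
} Arma2ConnectPkt, *pArma2ConnectPkt; // 210 bytes
#pragma pack(pop)

#define Arma2OA_CO_dat "CC15E928BA1CA9CA2CC5658BE67FE4AA642AE47F"

/*
 * copy_field() -- copy the NUL-terminated `src` into a fixed-width wire
 * field of `dst_size` bytes. Returns 1 on success, 0 when the string plus
 * its terminator does not fit (the field is left as it was). Replaces
 * strcpy_s, which on an oversize input does not report an error but hands
 * control to the CRT's invalid-parameter handler.
 */
static int copy_field(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size) {
        return 0;
    }
    memcpy(dst, src, len + 1);
    return 1;
}

/*
 * Create_ConnectPacket() -- fill *Out_ConnectPkt with an Arma2 OA 1.62
 * connect request and compute its checksum.
 *
 * NickName / Password / DataFile are NUL-terminated strings copied into
 * the 40 / 40 / 80-byte fields; a NULL argument leaves that field zeroed.
 * Returns 1 on success, 0 when Out_ConnectPkt is NULL or a string does
 * not fit its field. The CRC-32 (crc32buf from crc32.c above) is taken
 * over all FullLen bytes with the Checksum field itself zeroed.
 */
int Create_ConnectPacket(pArma2ConnectPkt Out_ConnectPkt, char* NickName, char* Password="", char* DataFile=Arma2OA_CO_dat)
{
    if (Out_ConnectPkt == NULL) {
        return 0;
    }
    /* The string fields are sent in full, so clear the struct first --
     * otherwise whatever sat in the caller's buffer after each terminator
     * would go out on the wire along with the packet. */
    memset(Out_ConnectPkt, 0, sizeof *Out_ConnectPkt);

    Out_ConnectPkt->FullLen  = (int16_t)sizeof(Arma2ConnectPkt);
    Out_ConnectPkt->Type     = 1;
    Out_ConnectPkt->subType  = 8;
    Out_ConnectPkt->unknown1 = 1;
    Out_ConnectPkt->unknown2 = 1;
    Out_ConnectPkt->unknown3 = 0;
    Out_ConnectPkt->unknown4 = 0;
    Out_ConnectPkt->unknown5 = (int32_t)0xCCCA1E12u;
    Out_ConnectPkt->ver      = 0x25252525;

    if (NickName != NULL && !copy_field(Out_ConnectPkt->nickname, sizeof Out_ConnectPkt->nickname, NickName)) {
        return 0;
    }
    if (Password != NULL && !copy_field(Out_ConnectPkt->password, sizeof Out_ConnectPkt->password, Password)) {
        return 0;
    }
    if (DataFile != NULL && !copy_field(Out_ConnectPkt->datafile, sizeof Out_ConnectPkt->datafile, DataFile)) {
        return 0;
    }

    Out_ConnectPkt->GameID    = 0xA2; // 1.62
    Out_ConnectPkt->GameVers  = 0xA2; // 1.62
    Out_ConnectPkt->unknown8  = 0x7410;
    Out_ConnectPkt->unknown9  = 1;
    Out_ConnectPkt->unknown10 = (int32_t)time(NULL); // 32 bits on the wire, so this wraps in 2038

    /* Checksum covers the whole packet with this field zeroed. */
    Out_ConnectPkt->Checksum = 0;
    uint32_t tempCRC = crc32buf((unsigned char *)Out_ConnectPkt, Out_ConnectPkt->FullLen);
    Out_ConnectPkt->Checksum = (int32_t)tempCRC;
    return 1;
}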
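/* The pbo packet is dynamic: */
#include <stdint.h>

/*
 * Fixed 32-byte prefix of the PBO packet, byte-packed with fixed-width
 * types (the original `long` fields gave this layout only on a 32-bit
 * build). pboName is the first byte of a variable-length name that
 * continues past the struct (the snippets below read it via
 * &myPBO->pboName and locate the trailing signature from FullLen), so the
 * real packet length is FullLen, never sizeof(Arma2PBOPacket).
 */
#pragma pack(push,1)
typedef struct {
    int16_t FullLen;
    char    Type;
    char    subType;
    int32_t Checksum;   // <- CRC32 of the whole packet data
    int32_t unknown1;
    int32_t unknown2;
    int32_t unknown3;
    int32_t unknown4;
    char    unknown5;
    char    unknown6;
    char    unknown7;
    char    unknown8;
    char    unknown9;
    char    unknown10;
    char    unknown11;
    char    pboName;    // first byte of the variable-length name
} Arma2PBOPacket, *pArma2PBOPacket;
#pragma pack(pop)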
Reading the pbo name:
Reading the SigVersion:Code:&myPBO->pboName
Result means:Code:(&myPBO+myPBO->FullLen)-1
0 = Bisign v1
2 = Bisign v2
Reading the PBO Sig:
Result is a 32 length Sig.Code:(&myPBO+myPBO->FullLen)-1-32
NOTE: Don't forget to fix the Packet Checksum (CRC32) or BattleEye will slap you...
- Bypassing BattleEye RPM Pattern Scans -
Status: Unknown
BattlEye does pattern scans on all running processes, looking for Cheat Engine, WPE or other hack tools.
To bypass it you just need to hook OpenProcess (OpenProcess function) , then SetLastError(5) and return 0.
Do_ExternalScans Function:
Code:// RVA: BEClient.dll + 0x1840 signed __int16 __cdecl Do_ExternalScans()
This may be out of date, but the same rule still applies. I thought this would stop all of the threads asking "How do I make a bypass", since it puts into perspective how much work/skill goes into making one.
tepee07 (09-10-2012)
In before all the noobs start posting on how to make a bypasser with this, I will answer it. You need to be able to code, or understand how to use it.
No, Thats fine. If the noobs dont catch that they will see your post.
Nice copy-and-pasting skills; it will help some people out a lot.
We have a winner! yes i did copy and paste/edit it some but i just did this to stop the "OMG TEAHC ME HOWSZ TO MAEK A BYPAZZ"