Infinite +rep to CodMaster. He happened to make a working script that bypasses aCI on IW5M.
To quote him (and his entire thread):
I begin with a first discovery. I was testing my name faker feature on 4D1 servers and I found out that if I activate my notification strings (which use DrawEngineText), then aCI banned me, every time.
So at first I thought they checked something related to rendering stuff, but no. Looking through the assembly of the exe, I found out that when you enter a server aCI modifies some functions commonly used by cheats, so that they notify aCI that they were called and, in addition, from where.
So I think they check if these functions are called from somewhere other than the game exe module. If this occurs, it's obvious that there's a non-pleasing module loaded into the game, and consequently they notify you as a cheater.
I've also seen something related to EnumWindows (I think it's an external hack check) but I don't know exactly what it does.
Well, now, the cool stuff. Here is the asm explanation of all said above:
I'm using 1.4.382.
As we all know, the address for DrawEngineText in this version is 0042C970. This is the asm before joining any game. As you can see, it is the same as always. But hey, let's see what happens after joining a game.
Code:
0042C970 */$ 8B4424 04 * * *MOV EAX,DWORD PTR SS:[ESP+4]
0042C974 *|. 8038 00 * * * *CMP BYTE PTR DS:[EAX],0
0042C977 *|. 0F84 32010000 *JE iw5mp.0042CAAF
0042C97D *|. 8D50 01 * * * *LEA EDX,DWORD PTR DS:[EAX+1]
0042C980 *|> 8A08 * * * * * /MOV CL,BYTE PTR DS:[EAX]
0042C982 *|. 40 * * * * * * |INC EAX
0042C983 *|. 84C9 * * * * * |TEST CL,CL
0042C985 *|.^75 F9 * * * * *\JNZ SHORT iw5mp.0042C980
0042C987 *|. 8B0D 3076FA05 *MOV ECX,DWORD PTR DS:[5FA7630]
0042C98D *|. 55 * * * * * * PUSH EBP
0042C98E *|. 8B2D 2476FA05 *MOV EBP,DWORD PTR DS:[5FA7624]
0042C994 *|. 56 * * * * * * PUSH ESI
0042C995 *|. 8B71 08 * * * *MOV ESI,DWORD PTR DS:[ECX+8]
0042C998 *|. 2BC2 * * * * * SUB EAX,EDX
0042C99A *|. 8B51 04 * * * *MOV EDX,DWORD PTR DS:[ECX+4]
0042C99D *|. 57 * * * * * * PUSH EDI
0042C99E *|. 8BF8 * * * * * MOV EDI,EAX
0042C9A0 *|. 2BF2 * * * * * SUB ESI,EDX
0042C9A2 *|. 8D47 54 * * * *LEA EAX,DWORD PTR DS:[EDI+54]
0042C9A5 *|. 83E0 FC * * * *AND EAX,FFFFFFFC
0042C9A8 *|. 8DB42E 00E0FFF>LEA ESI,DWORD PTR DS:[ESI+EBP-2000]
0042C9AF *|. 3BC6 * * * * * CMP EAX,ESI
0042C9B1 *|. 7E 0B * * * * *JLE SHORT iw5mp.0042C9BE
0042C9B3 *|. 5F * * * * * * POP EDI
0042C9B4 *|. 5E * * * * * * POP ESI
0042C9B5 *|. C741 0C 000000>MOV DWORD PTR DS:[ECX+C],0
0042C9BC *|. 5D * * * * * * POP EBP
0042C9BD *|. C3 * * * * * * RETN
0042C9BE *|> 8B31 * * * * * MOV ESI,DWORD PTR DS:[ECX]
0042C9C0 *|. D94424 1C * * *FLD DWORD PTR SS:[ESP+1C]
0042C9C4 *|. 03F2 * * * * * ADD ESI,EDX
0042C9C6 *|. 8971 0C * * * *MOV DWORD PTR DS:[ECX+C],ESI
0042C9C9 *|. 03D0 * * * * * ADD EDX,EAX
0042C9CB *|. 8951 04 * * * *MOV DWORD PTR DS:[ECX+4],EDX
0042C9CE *|. 8B5424 18 * * *MOV EDX,DWORD PTR SS:[ESP+18]
0042C9D2 *|. 66:8946 02 * * MOV WORD PTR DS:[ESI+2],AX
0042C9D6 *|. B9 11000000 * *MOV ECX,11
0042C9DB *|. 66:890E * * * *MOV WORD PTR DS:[ESI],CX
0042C9DE *|. D95E 04 * * * *FSTP DWORD PTR DS:[ESI+4]
0042C9E1 *|. D94424 20 * * *FLD DWORD PTR SS:[ESP+20]
0042C9E5 *|. 8B4C24 30 * * *MOV ECX,DWORD PTR SS:[ESP+30]
0042C9E9 *|. D95E 08 * * * *FSTP DWORD PTR DS:[ESI+8]
0042C9EC *|. 8D46 1C * * * *LEA EAX,DWORD PTR DS:[ESI+1C]
0042C9EF *|. D94424 2C * * *FLD DWORD PTR SS:[ESP+2C]
0042C9F3 *|. 50 * * * * * * PUSH EAX
0042C9F4 *|. D95E 0C * * * *FSTP DWORD PTR DS:[ESI+C]
0042C9F7 *|. 51 * * * * * * PUSH ECX
0042C9F8 *|. D94424 2C * * *FLD DWORD PTR SS:[ESP+2C]
0042C9FC *|. 8956 10 * * * *MOV DWORD PTR DS:[ESI+10],EDX
0042C9FF *|. D95E 14 * * * *FSTP DWORD PTR DS:[ESI+14]
0042CA02 *|. D94424 30 * * *FLD DWORD PTR SS:[ESP+30]
0042CA06 *|. D95E 18 * * * *FSTP DWORD PTR DS:[ESI+18]
0042CA09 *|. E8 A20AFEFF * *CALL iw5mp.0040D4B0
0042CA0E *|. 8B4424 3C * * *MOV EAX,DWORD PTR SS:[ESP+3C]
0042CA12 *|. 8B5424 1C * * *MOV EDX,DWORD PTR SS:[ESP+1C]
0042CA16 *|. 83C4 08 * * * *ADD ESP,8
0042CA19 *|. 8956 20 * * * *MOV DWORD PTR DS:[ESI+20],EDX
0042CA1C *|. C746 24 000000>MOV DWORD PTR DS:[ESI+24],0
0042CA23 *|. 83F8 03 * * * *CMP EAX,3
0042CA26 *|. 75 09 * * * * *JNZ SHORT iw5mp.0042CA31
0042CA28 *|. C746 24 040000>MOV DWORD PTR DS:[ESI+24],4
0042CA2F *|. EB 64 * * * * *JMP SHORT iw5mp.0042CA95
0042CA31 *|> 83F8 06 * * * *CMP EAX,6
0042CA34 *|. 75 09 * * * * *JNZ SHORT iw5mp.0042CA3F
0042CA36 *|. C746 24 0C0000>MOV DWORD PTR DS:[ESI+24],0C
0042CA3D *|. EB 56 * * * * *JMP SHORT iw5mp.0042CA95
0042CA3F *|> 3D 80000000 * *CMP EAX,80
0042CA44 *|. 75 09 * * * * *JNZ SHORT iw5mp.0042CA4F
0042CA46 *|. C746 24 010000>MOV DWORD PTR DS:[ESI+24],1
0042CA4D *|. EB 46 * * * * *JMP SHORT iw5mp.0042CA95
0042CA4F *|> 3D 84000000 * *CMP EAX,84
0042CA54 *|. 75 09 * * * * *JNZ SHORT iw5mp.0042CA5F
0042CA56 *|. C746 24 050000>MOV DWORD PTR DS:[ESI+24],5
0042CA5D *|. EB 36 * * * * *JMP SHORT iw5mp.0042CA95
0042CA5F *|> 83F8 07 * * * *CMP EAX,7
0042CA62 *|. 75 09 * * * * *JNZ SHORT iw5mp.0042CA6D
0042CA64 *|. C746 24 000400>MOV DWORD PTR DS:[ESI+24],400
0042CA6B *|. EB 28 * * * * *JMP SHORT iw5mp.0042CA95
0042CA6D *|> 83F8 08 * * * *CMP EAX,8
0042CA70 *|. 75 09 * * * * *JNZ SHORT iw5mp.0042CA7B
0042CA72 *|. C746 24 000C00>MOV DWORD PTR DS:[ESI+24],0C00
0042CA79 *|. EB 1A * * * * *JMP SHORT iw5mp.0042CA95
0042CA7B *|> 83F8 09 * * * *CMP EAX,9
0042CA7E *|. 75 09 * * * * *JNZ SHORT iw5mp.0042CA89
0042CA80 *|. C746 24 001000>MOV DWORD PTR DS:[ESI+24],1000
0042CA87 *|. EB 0C * * * * *JMP SHORT iw5mp.0042CA95
0042CA89 *|> 83F8 0A * * * *CMP EAX,0A
0042CA8C *|. 75 07 * * * * *JNZ SHORT iw5mp.0042CA95
0042CA8E *|. C746 24 002000>MOV DWORD PTR DS:[ESI+24],2000
0042CA95 *|> 8B4424 10 * * *MOV EAX,DWORD PTR SS:[ESP+10]
0042CA99 *|. 57 * * * * * * PUSH EDI
0042CA9A *|. 50 * * * * * * PUSH EAX
0042CA9B *|. 8D4E 50 * * * *LEA ECX,DWORD PTR DS:[ESI+50]
0042CA9E *|. 51 * * * * * * PUSH ECX
0042CA9F *|. E8 7C353000 * *CALL iw5mp.00730020
0042CAA4 *|. 83C4 0C * * * *ADD ESP,0C
0042CAA7 *|. C6443E 50 00 * MOV BYTE PTR DS:[ESI+EDI+50],0
0042CAAC *|. 5F * * * * * * POP EDI
0042CAAD *|. 5E * * * * * * POP ESI
0042CAAE *|. 5D * * * * * * POP EBP
0042CAAF *\> C3 * * * * * * RETN
Asm after joining a game:
Code:
0042C970 * $-E9 8E551216 * *JMP 16551F03
0042C975 * * 38 * * * * * * DB 38 * * * * * * * * * * * * * * * * * *; *CHAR '8'
0042C976 * * 00 * * * * * * DB 00
0042C977 * . 0F84 32010000 *JE iw5m.0042CAAF
0042C97D * . 8D50 01 * * * *LEA EDX,DWORD PTR DS:[EAX+1]
0042C980 * > 8A08 * * * * * MOV CL,BYTE PTR DS:[EAX]
0042C982 * . 40 * * * * * * INC EAX
0042C983 * . 84C9 * * * * * TEST CL,CL
0042C985 * .^75 F9 * * * * *JNZ SHORT iw5m.0042C980
0042C987 * . 8B0D 3076FA05 *MOV ECX,DWORD PTR DS:[5FA7630] * * * * * ; *iw5m.05FA7614
0042C98D * . 55 * * * * * * PUSH EBP
0042C98E * . 8B2D 2476FA05 *MOV EBP,DWORD PTR DS:[5FA7624]
0042C994 * . 56 * * * * * * PUSH ESI
0042C995 * . 8B71 08 * * * *MOV ESI,DWORD PTR DS:[ECX+8]
0042C998 * . 2BC2 * * * * * SUB EAX,EDX
0042C99A * . 8B51 04 * * * *MOV EDX,DWORD PTR DS:[ECX+4]
0042C99D * . 57 * * * * * * PUSH EDI
0042C99E * . 8BF8 * * * * * MOV EDI,EAX
0042C9A0 * . 2BF2 * * * * * SUB ESI,EDX
0042C9A2 * . 8D47 54 * * * *LEA EAX,DWORD PTR DS:[EDI+54]
0042C9A5 * . 83E0 FC * * * *AND EAX,FFFFFFFC
0042C9A8 * . 8DB42E 00E0FFF>LEA ESI,DWORD PTR DS:[ESI+EBP-2000]
0042C9AF * . 3BC6 * * * * * CMP EAX,ESI
0042C9B1 * . 7E 0B * * * * *JLE SHORT iw5m.0042C9BE
0042C9B3 * . 5F * * * * * * POP EDI
0042C9B4 * . 5E * * * * * * POP ESI
0042C9B5 * . C741 0C 000000>MOV DWORD PTR DS:[ECX+C],0
0042C9BC * . 5D * * * * * * POP EBP
0042C9BD * . C3 * * * * * * RETN
0042C9BE * > 8B31 * * * * * MOV ESI,DWORD PTR DS:[ECX]
0042C9C0 * . D94424 1C * * *FLD DWORD PTR SS:[ESP+1C]
0042C9C4 * . 03F2 * * * * * ADD ESI,EDX
0042C9C6 * . 8971 0C * * * *MOV DWORD PTR DS:[ECX+C],ESI
0042C9C9 * . 03D0 * * * * * ADD EDX,EAX
0042C9CB * . 8951 04 * * * *MOV DWORD PTR DS:[ECX+4],EDX
0042C9CE * . 8B5424 18 * * *MOV EDX,DWORD PTR SS:[ESP+18]
0042C9D2 * . 66:8946 02 * * MOV WORD PTR DS:[ESI+2],AX
0042C9D6 * . B9 11000000 * *MOV ECX,11
0042C9DB * . 66:890E * * * *MOV WORD PTR DS:[ESI],CX
0042C9DE * . D95E 04 * * * *FSTP DWORD PTR DS:[ESI+4]
0042C9E1 * . D94424 20 * * *FLD DWORD PTR SS:[ESP+20]
0042C9E5 * . 8B4C24 30 * * *MOV ECX,DWORD PTR SS:[ESP+30]
0042C9E9 * . D95E 08 * * * *FSTP DWORD PTR DS:[ESI+8]
0042C9EC * . 8D46 1C * * * *LEA EAX,DWORD PTR DS:[ESI+1C]
0042C9EF * . D94424 2C * * *FLD DWORD PTR SS:[ESP+2C]
0042C9F3 * . 50 * * * * * * PUSH EAX
0042C9F4 * . D95E 0C * * * *FSTP DWORD PTR DS:[ESI+C]
0042C9F7 * . 51 * * * * * * PUSH ECX
0042C9F8 * . D94424 2C * * *FLD DWORD PTR SS:[ESP+2C]
0042C9FC * . 8956 10 * * * *MOV DWORD PTR DS:[ESI+10],EDX
0042C9FF * . D95E 14 * * * *FSTP DWORD PTR DS:[ESI+14]
0042CA02 * . D94424 30 * * *FLD DWORD PTR SS:[ESP+30]
0042CA06 * . D95E 18 * * * *FSTP DWORD PTR DS:[ESI+18]
0042CA09 * . E8 A20AFEFF * *CALL iw5m.0040D4B0
0042CA0E * . 8B4424 3C * * *MOV EAX,DWORD PTR SS:[ESP+3C]
0042CA12 * . 8B5424 1C * * *MOV EDX,DWORD PTR SS:[ESP+1C]
0042CA16 * . 83C4 08 * * * *ADD ESP,8
0042CA19 * . 8956 20 * * * *MOV DWORD PTR DS:[ESI+20],EDX
0042CA1C * . C746 24 000000>MOV DWORD PTR DS:[ESI+24],0
0042CA23 * . 83F8 03 * * * *CMP EAX,3
0042CA26 * . 75 09 * * * * *JNZ SHORT iw5m.0042CA31
0042CA28 * . C746 24 040000>MOV DWORD PTR DS:[ESI+24],4
0042CA2F * . EB 64 * * * * *JMP SHORT iw5m.0042CA95
0042CA31 * > 83F8 06 * * * *CMP EAX,6
0042CA34 * . 75 09 * * * * *JNZ SHORT iw5m.0042CA3F
0042CA36 * . C746 24 0C0000>MOV DWORD PTR DS:[ESI+24],0C
0042CA3D * . EB 56 * * * * *JMP SHORT iw5m.0042CA95
0042CA3F * > 3D 80000000 * *CMP EAX,80
0042CA44 * . 75 09 * * * * *JNZ SHORT iw5m.0042CA4F
0042CA46 * . C746 24 010000>MOV DWORD PTR DS:[ESI+24],1
0042CA4D * . EB 46 * * * * *JMP SHORT iw5m.0042CA95
0042CA4F * > 3D 84000000 * *CMP EAX,84
0042CA54 * . 75 09 * * * * *JNZ SHORT iw5m.0042CA5F
0042CA56 * . C746 24 050000>MOV DWORD PTR DS:[ESI+24],5
0042CA5D * . EB 36 * * * * *JMP SHORT iw5m.0042CA95
0042CA5F * > 83F8 07 * * * *CMP EAX,7
0042CA62 * . 75 09 * * * * *JNZ SHORT iw5m.0042CA6D
0042CA64 * . C746 24 000400>MOV DWORD PTR DS:[ESI+24],400
0042CA6B * . EB 28 * * * * *JMP SHORT iw5m.0042CA95
0042CA6D * > 83F8 08 * * * *CMP EAX,8
0042CA70 * . 75 09 * * * * *JNZ SHORT iw5m.0042CA7B
0042CA72 * . C746 24 000C00>MOV DWORD PTR DS:[ESI+24],0C00
0042CA79 * . EB 1A * * * * *JMP SHORT iw5m.0042CA95
0042CA7B * > 83F8 09 * * * *CMP EAX,9
0042CA7E * . 75 09 * * * * *JNZ SHORT iw5m.0042CA89
0042CA80 * . C746 24 001000>MOV DWORD PTR DS:[ESI+24],1000
0042CA87 * . EB 0C * * * * *JMP SHORT iw5m.0042CA95
0042CA89 * > 83F8 0A * * * *CMP EAX,0A
0042CA8C * . 75 07 * * * * *JNZ SHORT iw5m.0042CA95
0042CA8E * . C746 24 002000>MOV DWORD PTR DS:[ESI+24],2000
0042CA95 * > 8B4424 10 * * *MOV EAX,DWORD PTR SS:[ESP+10]
0042CA99 * . 57 * * * * * * PUSH EDI
0042CA9A * . 50 * * * * * * PUSH EAX
0042CA9B * . 8D4E 50 * * * *LEA ECX,DWORD PTR DS:[ESI+50]
0042CA9E * . 51 * * * * * * PUSH ECX
0042CA9F * . E8 7C353000 * *CALL iw5m.00730020
0042CAA4 * . 83C4 0C * * * *ADD ESP,0C
0042CAA7 * . C6443E 50 00 * MOV BYTE PTR DS:[ESI+EDI+50],0
0042CAAC * . 5F * * * * * * POP EDI
0042CAAD * . 5E * * * * * * POP ESI
0042CAAE * . 5D * * * * * * POP EBP
0042CAAF * > C3 * * * * * * RETN
Hmm, a trampoline hook at first. It JMPs to ? (some memory block generated by aCI), but the interesting one here is the asm. Look:
Code:
165531F0 * A1 00405516 * * *MOV EAX,DWORD PTR DS:[16554000]
165531F5 * 3B05 04405516 * *CMP EAX,DWORD PTR DS:[16554004] * * * * *; <&ADVAPI32.CryptAcquireContextA>
165531FB * 7F 08 * * * * * *JG SHORT 16553205
165531FD * 8B0424 * * * * * MOV EAX,DWORD PTR SS:[ESP]
16553200 * A3 00405516 * * *MOV DWORD PTR DS:[16554000],EAX
16553205 * 8B4424 04 * * * *MOV EAX,DWORD PTR SS:[ESP+4]
16553209 * 8038 00 * * * * *CMP BYTE PTR DS:[EAX],0
1655320C * 68 77C94200 * * *PUSH 42C977
16553211 * C3 * * * * * * * RETN
So they record where the function was called from and then return to the real execution.
The same happens with RegisterFont, GetBonePos and CG_Trace.
Well, while I was writing this post I discovered something more interesting than that. I'll only say "troll trolled" xD
What I've discovered is where they perform the cheat check.
Looking at one of the constants in the aCI block, I found a curious function, which is the following:
Code:
16553220 * 55 * * * * * * * PUSH EBP
16553221 * 8BEC * * * * * * MOV EBP,ESP
16553223 * 83EC 44 * * * * *SUB ESP,44
16553226 * 53 * * * * * * * PUSH EBX
16553227 * 56 * * * * * * * PUSH ESI
16553228 * 57 * * * * * * * PUSH EDI
16553229 * FF15 54515516 * *CALL DWORD PTR DS:[16555154] * * * * * * ; kernel32.GetTickCount
1655322F * 8945 FC * * * * *MOV DWORD PTR SS:[EBP-4],EAX
16553232 * 8B45 FC * * * * *MOV EAX,DWORD PTR SS:[EBP-4]
16553235 * 2B05 A43A5516 * *SUB EAX,DWORD PTR DS:[16553AA4]
1655323B * 3D 10270000 * * *CMP EAX,2710
16553240 * 73 05 * * * * * *JNB SHORT 16553247
16553242 * E9 D5000000 * * *JMP 1655331C
16553247 * 8B45 FC * * * * *MOV EAX,DWORD PTR SS:[EBP-4]
1655324A * A3 A43A5516 * * *MOV DWORD PTR DS:[16553AA4],EAX
1655324F * 833D A83A5516 00 CMP DWORD PTR DS:[16553AA8],0
16553256 * 75 08 * * * * * *JNZ SHORT 16553260
16553258 * 8B45 FC * * * * *MOV EAX,DWORD PTR SS:[EBP-4]
1655325B * A3 A83A5516 * * *MOV DWORD PTR DS:[16553AA8],EAX
16553260 * 8B45 FC * * * * *MOV EAX,DWORD PTR SS:[EBP-4]
16553263 * 2B05 A83A5516 * *SUB EAX,DWORD PTR DS:[16553AA8]
16553269 * 3D C0D40100 * * *CMP EAX,1D4C0
1655326E * 76 1E * * * * * *JBE SHORT 1655328E
16553270 * 8B45 FC * * * * *MOV EAX,DWORD PTR SS:[EBP-4]
16553273 * A3 A83A5516 * * *MOV DWORD PTR DS:[16553AA8],EAX
16553278 * E8 8BECFFFF * * *CALL 16551F08
1655327D * 85C0 * * * * * * TEST EAX,EAX
1655327F * 74 0D * * * * * *JE SHORT 1655328E
16553281 * 68 439C0000 * * *PUSH 9C43
16553286 * E8 6EECFFFF * * *CALL 16551EF9
1655328B * 83C4 04 * * * * *ADD ESP,4
1655328E * C705 *04405516 00>MOV DWORD PTR DS:[16554004],<&ADVAPI32.C>
16553298 * A1 F43F5516 * * *MOV EAX,DWORD PTR DS:[16553FF4]
1655329D * 3B05 04405516 * *CMP EAX,DWORD PTR DS:[16554004] * * * * *; <&ADVAPI32.CryptAcquireContextA>
165532A3 * 76 0D * * * * * *JBE SHORT 165532B2
165532A5 * 68 214E0000 * * *PUSH 4E21
165532AA * E8 4AECFFFF * * *CALL 16551EF9
165532AF * 83C4 04 * * * * *ADD ESP,4
165532B2 * A1 F83F5516 * * *MOV EAX,DWORD PTR DS:[16553FF8]
165532B7 * 3B05 04405516 * *CMP EAX,DWORD PTR DS:[16554004] * * * * *; <&ADVAPI32.CryptAcquireContextA>
165532BD * 76 0D * * * * * *JBE SHORT 165532CC
165532BF * 68 234E0000 * * *PUSH 4E23
165532C4 * E8 30ECFFFF * * *CALL 16551EF9
165532C9 * 83C4 04 * * * * *ADD ESP,4
165532CC * A1 FC3F5516 * * *MOV EAX,DWORD PTR DS:[16553FFC]
165532D1 * 3B05 04405516 * *CMP EAX,DWORD PTR DS:[16554004] * * * * *; <&ADVAPI32.CryptAcquireContextA>
165532D7 * 76 0D * * * * * *JBE SHORT 165532E6
165532D9 * 68 244E0000 * * *PUSH 4E24
165532DE * E8 16ECFFFF * * *CALL 16551EF9
165532E3 * 83C4 04 * * * * *ADD ESP,4
165532E6 * A1 00405516 * * *MOV EAX,DWORD PTR DS:[16554000]
165532EB * 3B05 04405516 * *CMP EAX,DWORD PTR DS:[16554004] * * * * *; <&ADVAPI32.CryptAcquireContextA>
165532F1 * 76 0D * * * * * *JBE SHORT 16553300
165532F3 * 68 254E0000 * * *PUSH 4E25
165532F8 * E8 FCEBFFFF * * *CALL 16551EF9
165532FD * 83C4 04 * * * * *ADD ESP,4
16553300 * E8 F9EBFFFF * * *CALL 16551EFE
16553305 * 6A 00 * * * * * *PUSH 0
16553307 * E8 EDEBFFFF * * *CALL 16551EF9
1655330C * 83C4 04 * * * * *ADD ESP,4
1655330F * B8 90205400 * * *MOV EAX,542090 * * * * * * * * * * * * * ; Entry address
16553314 * FFD0 * * * * * * CALL EAX
16553316 * EB 04 * * * * * *JMP SHORT 1655331C
16553318 * CC * * * * * * * INT3
16553319 * CC * * * * * * * INT3
1655331A * CC * * * * * * * INT3
1655331B * CC * * * * * * * INT3
1655331C * 5F * * * * * * * POP EDI
1655331D * 5E * * * * * * * POP ESI
1655331E * 5B * * * * * * * POP EBX
1655331F * 8BE5 * * * * * * MOV ESP,EBP
16553321 * 5D * * * * * * * POP EBP
16553322 * C3 * * * * * * * RETN
If you look, you can see there's a pattern, hmm, but let's look at the first part of the function first.
Hmm (GetTickCount()-lastCheckTick) >= 10000:
So they perform a check every 10 seconds. Another way to bypass (maybe the time perception is pretty different between many functions)
Before that set lastCheckTick = GetTickCount() (obvious)
This is the "troll trolled":
CALL 16551F08*
This function performs all the checks for external hacks, as these other pieces of code do:
Code:
16553298 * A1 F43F5516 * * *MOV EAX,DWORD PTR DS:[16553FF4]
1655329D * 3B05 04405516 * *CMP EAX,DWORD PTR DS:[16554004] * * * * *; <&ADVAPI32.CryptAcquireContextA>
Code:
165532B2 * A1 F83F5516 * * *MOV EAX,DWORD PTR DS:[16553FF8]
165532B7 * 3B05 04405516 * *CMP EAX,DWORD PTR DS:[16554004] * * * * *; <&ADVAPI32.CryptAcquireContextA>
Code:
165532CC * A1 FC3F5516 * * *MOV EAX,DWORD PTR DS:[16553FFC]
165532D1 * 3B05 04405516 * *CMP EAX,DWORD PTR DS:[16554004] * * * * *; <&ADVAPI32.CryptAcquireContextA>
Code:
165532E6 * A1 00405516 * * *MOV EAX,DWORD PTR DS:[16554000]
165532EB * 3B05 04405516 * *CMP EAX,DWORD PTR DS:[16554004] * * * * *; <&ADVAPI32.CryptAcquireContextA>
If one of these checks fails, they call this function:
CALL 16551EF9 //1 Argument
Which basically calls NP_SendRandomString. The string sent has the format "troll %d", where %d is the parameter of the function.
The first case is 40003 (I've never seen it, but I think it's External cheat detected), and the other cases are 20001, which is cheat detected.
And most important (xD): Why "troll trolled"?
Simply, because using another way to bypass, I've hooked NP_SendRandomString and instead of sending troll 20001 or troll 40003 I send troll trolled.
If there's something left related to aCI, it'd be amazing if you shared it with us.
Note: the checks are performed where the game is supposed to call SteamAPI_RunCallbacks() (which is called inside the aCI function after the check is performed)
Working coded bypass:
This is the working bypass that i'm using. You should do the same with GetBonePos and CG_Trace:
Code:
// Stub construction as posted: a heap buffer holds two DWORD jump targets
// followed by two tiny code fragments that replay the prologue bytes aCI's
// 5-byte JMP overwrote (compare the pre-join listing at 0042C970 with the
// post-join one) and then JMP indirectly back into the game past the hook.
// Defender's note: this is the classic code-cave / trampoline pattern --
// executable code in a private heap page (MALLOC + VirtualProtect
// PAGE_EXECUTE_READWRITE) that branches into the game module at a
// non-entry address.  Scanning for private executable pages and checking
// that hooked prologues are only reached through their real entry point
// are the conventional mitigations.
* *uint8 fnOffset = 0x08;   // code begins right after the two DWORD jump targets
* * LPBYTE fnMcCode = NULL;  // write cursor into the stub buffer
* * const static uint8 ENGINEBYPASS_LEN = 0x21;  // 8 (targets) + 13 + 12 bytes of code = 0x21
* * LPBYTE EngineACI_Bypass = LPBYTE(MALLOC(ENGINEBYPASS_LEN));  // MALLOC is a project macro
* * LPDWORD pJmpAddresses = LPDWORD(EngineACI_Bypass);
* * pJmpAddresses[0] = OFFSET_DRAW_ENGTEXT + 7;   // resume at the first instruction not replayed below (7 bytes)
* * pJmpAddresses[1] = OFFSET_GETFONT_BYNAME + 6;  // same for GetFontByName (6 bytes replayed)
* * fnMcCode = &EngineACI_Bypass[fnOffset];
* * DrawEngineText = DrawEngineTextType(fnMcCode);  // callers now enter the stub instead of the hooked entry
* * memcpy(fnMcCode, "\x8B\x44\x24\x04\x80\x38\x00\xFF\x25", 0x09);  // MOV EAX,[ESP+4]; CMP BYTE PTR [EAX],0; JMP DWORD PTR [...]
* * fnMcCode+=0x09; *LPDWORD(fnMcCode) = DWORD(&pJmpAddresses[0]); fnMcCode+=0x04;  // memory operand of the indirect JMP
* * GetFontByName = GetFontByNameType(fnMcCode);
* * memcpy(fnMcCode, "\x8B\x44\x24\x04\x6A\x01\xFF\x25", 0x08);  // MOV EAX,[ESP+4]; PUSH 1; JMP DWORD PTR [...]
* * fnMcCode+=0x08; *LPDWORD(fnMcCode) = DWORD(&pJmpAddresses[1]); fnMcCode+=0x04;
* * DWORD dwProtection = PAGE_EXECUTE_READWRITE;
* * VirtualProtect(EngineACI_Bypass, ENGINEBYPASS_LEN, dwProtection, &dwProtection);  // make the heap buffer executable; dwProtection receives the old protection
Basically what it does is create another function emulating the instructions overwritten by aCI, and then jump to the real function after the aCI hook.
Extra code posted by BaberZz (+rep)
Didn't notice they started hooking engine functions lol; like the old aCI.
But yeah, I hook NP_SendRandomString to bypass aCI as well, that's all you need to do
for now really; those engine funcs can be called as normal, no need to worry about the hooks (until aCI updates).
If you don't let NP_SendRandomString send anything, you will get kicked after a little time.
Time to change to another way to bypass as this is now public.
Code:
// Detour object for libnp.dll's exported NP_SendRandomString (CDetour is a project type).
CDetour NP_SendRandomStringHook;
// Replacement for NP_SendRandomString: ignores `text` and forwards the fixed
// string "troll 0" to the original, so whatever report aCI built is replaced.
// Defender's note: this works because the reporting channel is a plainly
// exported client-side function whose payload the server accepts as-is.  A
// client-computed verdict is not evidence; integrity checks on the export and
// server-side corroboration are what a mitigation has to provide.
void NP_SendRandomString( char* text )
{
* * NP_SendRandomStringHook.OriginalFunc( "troll 0" );  // presumably the detour's saved trampoline to the real function
}
// Installs the detour: resolves the export from the already-loaded libnp.dll
// at runtime and patches a JMP detour over it (DETOUR_TYPE_JMP and the
// length 6 are arguments to the project's CDetour::Initiliaze).  If the
// export cannot be resolved, only a warning is printed and nothing is patched.
void Hook_Anticheat()
{
* * DWORD dwAddress = (DWORD)GetProcAddress( GetModuleHandle( "libnp.dll" ), "NP_SendRandomString" );
* * if( !dwAddress )
* * {
* * * * Print( "WARNING: Unable to locate NP_SendRandomString" );
* * }
* * else
* * {
* * * * NP_SendRandomStringHook.Initiliaze( dwAddress, NP_SendRandomString, DETOUR_TYPE_JMP, 6 );  // dwAddress: target; NP_SendRandomString: replacement above
* * * * NP_SendRandomStringHook.ApplyDetour();  // writes the patch over the export's prologue
* * }
}
I believe I must give props to the APM Clan as well as they made him publish it.
Anyways coders, LET THE HACKING BEGIN!!!