Desc:
This tool blocks screenshots taken by MOSS (used in ESL).
Setup:
It contains 2 files: the main tool and a helper executable. Since the main tool's process will appear in the log, you should replace any system-file or non-suspicious program with it. Both files have to be in the same folder.
E.g.
C:\Users\*\AppData\Roaming\Spotify\Spotify.exe
Make sure to get a unique SHA-256 by changing "replace_me" at the very end of the file to something random (with notepad).
Usage:
Open before starting MOSS capture and hit start.
CTRL + Shift + F8 to toggle the deadlock; a small red message at the top left indicates it.
About:
Since hooking BitBlt can be suspicious, I suspend the associated thread instead. Beware that pausing it for too long may be noticeable. You can hide your cheat, toggle capture and press PrtScrn (print key) every once in a while to make up for this.
Other useful information:
- As you can tell by the cookies in the Filestack.jpg attachment, MOSS is sending requests to cluster014.ovh.net for timestamps and pings; you may want to block this and change your system time if you wish to fake a match
- MOSS logs the process list only once; you can make any change to your system during capture block
- If you don't want to hide the tool as a system process, I suggest you search this forum for hiding processes
- Screen captures are temporarily stored under
C:\Users\*\AppData\Local\MOS_randomnumber.tmp
- The log is temporarily stored under
right before being zipped, if you wish to do any modification to the log, after it has been created, this is the right place to hook in
virustotal.com/file/c7a2be516b339970efdf5f1e82e80c4b584173a7e075f580438a51e916b27551
virustotal.com/file/05b8df2106b32e3cbe44d26c2a27fa32078f99ca10d8d8adcf82b216ba60fbbd
virusscan.jotti.org/filescanjob/ides3090lx
virusscan.jotti.org/filescanjob/0j9m3qzllc
The main executable is an unprotected .NET app; look into the code if you have doubts about it.