yesterday I noticed that AC(Smilegate anti–cheat) for CFBR updated and had an increase in manual syscall calls and HWID banning(something that didn't exist in this version)...
these are some syscalls I noticed, there may be more
Code:
//OFFSETS are the syscall index
4C 8B D1 B8 55 0 0 0 F 5 C3 //NtCreateFile
4C 8B D1 B8 6 0 0 0 F 5 C3 //NtReadFile
4C 8B D1 B8 F 0 0 0 F 5 C3 //NtClose
4C 8B D1 B8 50 0 0 0 F 5 C3 //NtProtectVirtualMemory
4C 8B D1 B8 23 0 0 0 F 5 C3 //NtQueryVirtualMemory
DWORD OFFSETS[] = {0x55, 0x6, 0xf ,0x50, 0x53};
Code:
4C 8B D1 - mov r10,rcx
B8 55000000 - mov eax,OFFSETS
0F05 - syscall
C3 - ret
//function to try to obfuscate the manual syscall call
Code:
51 - push rcx
52 - push rdx
41 50 - push r8
41 51 - push r9
48 83 EC 20 - sub rsp,20
B9 06000100 - mov ecx,0xOffsetParam
E8 5CB2FDFF - call GetOffset()
48 83 C4 20 - add rsp,20
41 59 - pop r9
41 58 - pop r8
5A - pop rdx
59 - pop rcx
4C 8B D1 - mov r10,rcx
0F05 - syscall
C3 - ret
for the HWID ban, they only look at SMART_RCV_DRIVE_DATA
Are you still dealing with this anti-cheat in user mode for internal cheating, or have you already appealed to the kernel? I'm particularly going into the kernel to protect my internal cheat
