Making a public hack undetected using one of these methods does not always work, but it does make it a bit safer to use public hacks.
Contents:
1. What makes a hack VAC detected
2. How can I counter this
3. Internal vs External
4. Common programs
Hashchanger
Enigma
VMProtect
Other programs
1. What makes a hack VAC detected
The first thing you need to know if you want to make or keep a hack undetected is how VAC detects hacks. This information has been found by other people by reverse engineering VAC.
Currently VAC only uses signature scanning and not heuristics scanning.
Heuristics scanning (which VAC does not have) works by analyzing the behavior of programs. External hacks use a call to a Windows function called WriteProcessMemory; with heuristics scanning VAC could see if a program wants to write to csgo and what it is writing, and ban it if it is something illegal.
Signature scanning works by scanning the RAM (all the running processes) and checking if a known signature is present in this data. The combination of all these blocks is the program in memory and each block is a smaller block/part of memory inside the application. A signature could be generated from all those blocks together (the whole application) or from a smaller sequence of (memory) blocks. VAC uses the latter, so the red sequences of blocks illustrate a detected signature.
There is one more thing that VAC does which only applies to internal hacks. They can detect certain hooks. You might ask what a hook is; I will try to explain it really simply because the answer is quite technical (programmers pls don't flame me). Internal hacks work by redirecting a certain part of code in CSGO to their hack code. This can only be done at certain parts and not all those parts qualify for everything. Redirecting a part to your hack code is called a hook, and if many people use that hook then they may update VAC to check if that part is redirected (which makes it detected).
2. How can I counter this
Countering this as a programmer is not that hard: you have to change the signature of your program. If you are an end user (someone who just downloads hacks) this is harder to do because you cannot change the code of the program (which translates to how the program is represented in memory); however, you can use a few programs (see 4.).
3. Internal vs External
Some people have discussions about what is detected faster, internal vs external. Some of those use the argument that there are more external hacks than internal hacks, so obviously internal hacks are easier to detect. This is wrong!
Internal hacks are detected just as easily as external hacks, but many people do not release their internal hack to the public because VAC might detect the hooks used and this will make all the cheats that use that hook detected.
It is a lot easier to make an external cheat undetected (well, making one is easier as well :P) than making an internal cheat undetected, but that does not mean that internal hacks are detected faster.
4. Common programs
As I have mentioned in 2., you as an end user can use some programs to change the signature of a public hack but still keep it functioning.
Hashchanger
I will start with hashchanger because it does NOT work.
I explained how signature detection works.
Hashchanger only adds a block of memory (actually a few bytes) to the end of the program and, as you can see, the red sequences of detected blocks still stay the same.
You would have to add blocks between the red blocks to make them undetected, which you cannot easily do and which
Enigma
What does Enigma Protector do?
A range of features and technologies to help protect the executable file from hacking, analysis, modification and disassembly. A Virtual Machine technology enables part of the application and protection code to be executed in its own virtual CPU, which makes the code practically impossible to analyze.
tldr; they modify the program to something only the Enigma software understands.
How does this make it undetected? All the memory blocks in the original exe get modified, making all the signatures for the original exe useless.
VMProtect
What does VMProtect do?
VMProtect Virtualizes Code
Code virtualization is the next step in software protection. Most protection systems encrypt the code and then decrypt it at the application's startup. VMProtect doesn't decrypt the code at all! Instead, the encrypted code runs on a virtual CPU that is markedly different from generic x86 and x64 CPUs as the command set is different for each protected file.
Essentially it does the same as Enigma Protector but the exact implementation differs.
tldr; they modify the program to something only the VMProtect software understands.
How does this make it undetected? All the memory blocks in the original exe get modified, making all the signatures for the original exe useless.
Other programs
Themida - Works like Enigma/VMProtect
---
Disclaimer: some things have been simplified heavily but the essence of the message is the same.
Please link this to anyone asking for information about this topic.
Hopefully you guys think this is useful,
Merccy
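As an added illustration of the signature-scanning model the post describes (this is not code from the post or from VAC; the image bytes and the signature are constructed for the example), a minimal scanner showing why appending bytes to the end of a program, as the post says hashchanger does, changes the file hash but leaves the matched block sequence exactly where it was:

```python
import hashlib

# A signature is a short byte sequence, with None as a wildcard byte, that is
# matched anywhere inside the scanned image rather than against the whole image.
# This models the "smaller sequence of blocks" approach described in the post.

def scan(image: bytes, sig: list) -> list:
    """Return every offset at which `sig` matches inside `image`."""
    hits = []
    n = len(sig)
    for off in range(len(image) - n + 1):
        if all(b is None or image[off + i] == b for i, b in enumerate(sig)):
            hits.append(off)
    return hits

def whole_image_hash(image: bytes) -> str:
    """Hash of the entire image: what a 'hashchanger' actually changes."""
    return hashlib.sha256(image).hexdigest()

# Constructed sample image (16 bytes of x86-looking code); not a real binary.
IMAGE = bytes.fromhex("558bec83ec10" "8b4508" "e8" "44332211" "c9c3")

# Constructed signature: 'mov eax,[ebp+8]' followed by a call whose
# 4-byte target is wildcarded, so relocation does not break the match.
SIG = [0x8B, 0x45, 0x08, 0xE8, None, None, None, None]

def append_tail(image: bytes, tail: bytes = b"\x00" * 16) -> bytes:
    """Model of a hashchanger: only bytes at the end of the image are added."""
    return image + tail

def hash_changed_but_still_detected(image: bytes, sig: list) -> tuple:
    """(hash differs, signature offsets unchanged) after appending a tail."""
    modified = append_tail(image)
    return (whole_image_hash(image) != whole_image_hash(modified),
            scan(image, sig) == scan(modified, sig))

if __name__ == "__main__":
    print("signature hits in original:", scan(IMAGE, SIG))
    print("hash changed, still detected:", hash_changed_but_still_detected(IMAGE, SIG))
```

The same scan over the modified image returns the identical offset list, which is the point the post makes: the detected sequence has to change, not the bytes after it.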
Thanks for the info Merccy2!
Nice Post
A tutorial for injecting a wall in Enigma?
Very nice merccy. Well explained.
Finally, Great job man.
end users read 4.
Worth a thank you mate.
So if I use VMProtect, the hack will be undetected forever? -_-
Originally Posted by kakalos1
So if I use VMProtect, the hack will be undetected forever? -_-
Nope, because a significant amount of people use VMProtect with public hacks they will also generate signatures for a VMProtected hack.
How can you check if the game has been updated? Where can I see it? To be aware of it.
ps. Thank you for the topic, Merccy
Originally Posted by 81x08
How can you check if the game has been updated? Where can I see it? To be aware of it.
ps. Thank you for the topic, Merccy
They don't have to update the game to add signatures. They can add the signatures on their server. (I do not have proof of this claim but it would be strange if the signatures were client sided)
Originally Posted by Merccy2
They don't have to update the game to add signatures. They can add the signatures on their server. (I do not have proof of this claim but it would be strange if the signatures were client sided)
Just wondering how people know that the game has been updated. I do not think that they spend their accounts at banks to check.
Thanks for this post!
Can we do anything for a hack to keep it undetected forever? I didn't understand this.
Originally Posted by Spycho57
Can we do anything for a hack to keep it undetected forever? I didn't understand this.
sure, just go to disney.com and order the CS:GO package.
for real.
or create your own hack, and keep it to yourself.