SA-MP Forums

20/06/2018, 01:53 PM   #1
DeitY
Huge Clucker
 
Join Date: Aug 2012
Location: Serbia
Posts: 320
Reputation: 16
[Client-Side Anticheat - OPTIONAL ] Reading Memory Address

So...

I've been using a client-side anticheat for detecting cheats, folder detection and process scanning.

However, in the meantime people finally figured out how to bypass the anticheat, and I wouldn't even bother to fix it, but yeah, it's me and I like everything to be near-perfect on my server... So they bypassed it in 2 ways:

Implementing cheats via gamemodding, importing the cheat in .img, which I think I can fix with checking hashes?

The thing which is harder to fix is, let's say, sandbox, because sandbox somehow blocks specific processes? Also they can spoof processes, for example if I download aimbot.exe, I can rename it to chrome.exe and you simply can't figure out if it's a cheat or a real program. I've set up logs for all players who are FORCED to use the anticheat (it logs and I can simply check for suspicious cheats)

-------------------------------------------------------------------
[17.06.2018. 19:35:40] Process List - Player: <Name>
-------------------------------------------------------------------
[ ] taskhost.exe -> C:\Windows\system32\taskhost.exe
[ ] dwm.exe -> C:\Windows\system32\Dwm.exe
[ ] explorer.exe -> C:\Windows\Explorer.EXE
[ ] taskeng.exe -> C:\Windows\system32\taskeng.exe
[ ] avgnt.exe -> C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
[ ] teamviewer.exe -> C:\Program Files\TeamViewer\TeamViewer.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] launcher.exe -> D:\GTA - San Andreas\Launcher.exe
[ ] gta_sa.exe -> D:\GTA - San Andreas\gta_sa.exe
[ ] observer.exe -> D:\GTA - San Andreas\Observer.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe
[ ] chrome.exe -> C:\Program Files\******\Chrome\Application\chrome.exe

The weird thing is that, for example, I'm using legit licensed Windows and it scans ALL my processes, while some cracked Windows 7/8 trash is for some reason not detecting cheats even though I've set it up to check process names and kill if it contains forbidden words.

Now, I've read about some memory addresses, how you can intercept some packets with RakNet, and I would really like some help with it.

I'll even quote a post about the (SAMPCAC) anticheat reading memory, which is really complicated for me and I have no idea what it is saying
Quote:
I haven't spent much time REing this anticheat but here is what I know.

SAMPCAC has their own server plugin, and a client .asi.

The client uses RakClient's interface to communicate with the server.
Specifically, SAMPCAC is using RakClientInterface::RPC to send data.

As of SAMPCAC v0.9.0, these are the RPC ids I've found associated with telling the server you're cheating.
Code:
181
183
184
155
You can of course block these from being sent, but the problem with this is that after a while, you'll get kicked. The kick has no message, you are just simply kicked. I haven't looked into it much, but here is what is happening. They place several JMP hooks on areas they need information from, such as when the game stores the camera address (used for aimbot). I ASSUME that inside these hooks, they compare the registers to their own stored value, when it's not equal, they send an RPC to the server that you're cheating. For the record, I've tried placing hooks before theirs, overwriting it, noping it. This works for some things, but I had trouble making it work for aimbot (mostly because they placed 13+ hooks just to prevent aimbot). You can get around the aimbot (in a nooby way) though. For ESP, just draw your own.

SAMPCAC is using VMProtect 3, and I haven't bothered trying to unpack it. It makes reversing it that much more of a PITA. It is honestly an unstable POS anticheat, and if you are extremely devoted, you can just spoof the anticheat's existence by replicating their RPC calls. You just need to reverse their server plugin and see what it expects. (Their first RPC sends '0xCAC' lol)

Now, I would really like some explanation for this and I'm paying very nice money for some awesome solution.

To be honest, I don't know why I'm even trying to perfect a game this old, but I own a large server and people expect the best from me I guess, but I'm definitely out of solutions.

PS: If you are wondering why I'm not using SAMPCAC: it's flagged as viruses, trojan, etc. Can't bother to explain to players why I'm forcing banned morons to use a virus.

Sorry for spelling mistakes.

Anyway, big thanks to jlalt and bigeti for the awesome support they have been giving me all this time.
__________________
Proudly hosted by Evolution-Host. Get your server fast and cheap!
Instant deployment & DDoS Protected.

20/06/2018, 11:09 PM   #2
wallee
Huge Clucker
 
Join Date: Jan 2017
Posts: 264
Reputation: 40
Re: [Client-Side Anticheat - OPTIONAL ] Reading Memory Address

Quote:
Originally Posted by DeitY
The thing which is harder to fix is, let's say, sandbox, because sandbox somehow blocks specific processes? Also they can spoof processes, for example if I download aimbot.exe, I can rename it to chrome.exe and you simply can't figure out if it's a cheat or a real program. I've set up logs for all players who are FORCED to use the anticheat (it logs and I can simply check for suspicious cheats)
Why don't you treat using Sandboxie the same as having a cheat?

And for aimbot.exe -> chrome.exe

https://stackoverflow.com/questions/...hash-of-a-file

so you could detect it that way?

Quote:
Originally Posted by DeitY
PS: If you are wondering why I'm not using SAMPCAC: it's flagged as viruses, trojan, etc. Can't bother to explain to players why I'm forcing banned morons to use a virus.
It would be easier for you and for the entire SA-MP community if that AC becomes a standard ... then it will become trustworthy, and seriously, why would you bother with banned morons?

They should be thankful for you even letting them play after they got banned
20/06/2018, 11:56 PM   #3
DeitY
Huge Clucker
 
Join Date: Aug 2012
Location: Serbia
Posts: 320
Reputation: 16
Re: [Client-Side Anticheat - OPTIONAL ] Reading Memory Address

Quote:
Originally Posted by wallee
Why don't you treat using Sandboxie the same as having a cheat?

And for aimbot.exe -> chrome.exe

https://stackoverflow.com/questions/...hash-of-a-file

so you could detect it that way?

It would be easier for you and for the entire SA-MP community if that AC becomes a standard ... then it will become trustworthy, and seriously, why would you bother with banned morons?

They should be thankful for you even letting them play after they got banned
How can you detect the hash of a process? I'm not sure that's possible. Could you give me an example?

Your answer is wrong, according to this reply:
Quote:
No, the hash is of the file contents only. You can see this in the source for md5sum and its MD5 implementation. You can also test this if you have access to md5sum:
$ echo "some arbitrary content" > file1
$ cp file1 file2
$ md5sum file1
f0007cbddd79de02179de7de12bec4e6 file1
$ md5sum file2
f0007cbddd79de02179de7de12bec4e6 file2
$
@because, sometimes the human eye can't separate skilled players from cheaters, and then there are dramas, multiple spams, accusing us of banning people "donators" etc... and that's where software comes in handy.

DeitY is offline   Reply With Quote
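
An added example (not code from the thread or from any poster's anticheat) for the question above about hashing a process: it reads process lines in the log format from the first post and judges each one by the SHA-256 of the executable at the logged path instead of by its name. The file contents, the `known_bad`/`known_good` sets and all function names are constructed for illustration, and SHA-256 stands in for the MD5 used in the quoted reply.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Log line format from the first post: "[ ] name.exe -> C:\path\name.exe"
LINE_RE = re.compile(r"^\[\s*\]\s*(?P<name>\S+)\s*->\s*(?P<path>.+?)\s*$")

def sha256_file(path):
    """Hash the file contents only; the file name never enters the digest."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def classify(log_text, known_bad, known_good):
    """Return one verdict per process line, judged by image hash, not name."""
    verdicts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header and separator lines
        try:
            digest = sha256_file(m["path"])
        except OSError:
            verdicts.append("unreadable")  # image hidden or missing: review it
            continue
        if digest in known_bad:
            verdicts.append("known-bad")
        elif digest in known_good.get(m["name"].lower(), set()):
            verdicts.append("known-good")
        else:
            verdicts.append("unknown")  # bytes match neither list
    return verdicts

def demo():
    """Constructed sample files: a cheat renamed to chrome.exe, then patched."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        real, cheat = root / "chrome.exe", root / "aimbot.exe"
        real.write_bytes(b"constructed stand-in for the real browser")
        cheat.write_bytes(b"constructed stand-in for the cheat")
        for sub in ("a", "b"):
            (root / sub).mkdir()
        renamed, patched = root / "a" / "chrome.exe", root / "b" / "chrome.exe"
        shutil.copy(cheat, renamed)                        # rename trick from the thread
        patched.write_bytes(cheat.read_bytes() + b"\x00")  # one byte changed
        log = "\n".join(f"[ ] chrome.exe -> {p}"
                        for p in (real, renamed, patched, root / "gone.exe"))
        return classify(log, {sha256_file(cheat)}, {"chrome.exe": {sha256_file(real)}})
```

The `unknown` verdict is the reason to keep an allowlist per trusted name: changing a single byte defeats a denylist of cheat hashes, but the result still fails to match the real chrome.exe. The hashes are computed on the player's machine, so the server should treat them as claims that a modified client can forge.
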
21/06/2018, 06:03 PM   #4
IdonTmiss
Big Clucker
 
Join Date: Dec 2016
Posts: 145
Reputation: 0
Re: [Client-Side Anticheat - OPTIONAL ] Reading Memory Address

gl finding a solution ( a little bump )
12/07/2018, 12:15 PM   #5
DeitY
Huge Clucker
 
Join Date: Aug 2012
Location: Serbia
Posts: 320
Reputation: 16
Re: [Client-Side Anticheat - OPTIONAL ] Reading Memory Address

I've given up. Thanks everyone for trying to help, it simply isn't worth pursuing anymore.