The Unreal Admins Page > Forums > Hosted Forums > UTPure > Anti-Cheat Development > Anti-Cheat Developer's Corner

#21
10th August, 2008, 02:39 AM
Azura

Here's some links:
http://www.security.org.sg/code/kproccheck.html
http://www.planet-source-code.com/vb...xtCodeId=66529
http://www.codeguru.com/forum/showth...hreadid=348102
http://somebastardstolemyname.wordpr...tkit-detector/
http://assiste.com.free.fr/p/abc/a/rootkit.html
__________________
How to feck up a perfectly good game:
UT (1999) = UnbelievableGameSoCoolIMustHelpBringNewPlayers Tournament
UT (2008) = Unreal ThrustMyPrivatePartsInYourFaceBish

And that's probably why UTIII was a relative flop. New game, same sh*thead players ^^.
#22
10th August, 2008, 02:56 AM
dcsnypa
Subject: hmm

As far as I know it can't be read, and I'm using cshp to check bytehacking.

If you want to try some things, get on your MSN and let's talk.
This version is a lot different than the one I gave you;
you might have some ideas.
#23
10th August, 2008, 03:56 PM
The_Undead (South Africa)

Quote (Originally Posted by Azura):
Hook detection is crucial for anti-cheat systems. That particular program however only scans for ring0 (kernel mode) hooks. That's a much older version; I carried it on and implemented detection for both detour and table hooks.
Here is the newer version.

Quote (Originally Posted by Azura):
Is the dll protected in any way? Anything clientside can be messed with, so it's best to make things as unreadable/undecompilable as possible.

I've no idea how to detect processes that have been hidden but I'm willing to do some searching. Also I read an old document about cheats explaining something about accessing ring 0 (an OS' innermost circle). I don't know if that's a problem or if it's been successful, but it would mean that code executed in this ring is all powerful.

One idea that's crossed my mind is to block the use of Microsoft's .NET framework, seeing as it's used to accelerate the development of cheats. I don't know if it's practical, but I haven't seen many essential applications that use it as of yet. Another is to somehow secure the minimum essential files (unrealtournament.exe, dlls, standard u files, anticheat packages) in a custom executable that will decompress everything that's necessary at each launch. This should avoid bytehacking, as it would be virtually impossible to modify a file while it's being accessed by a program.

Apart from that I have a few ideas that are serverside only, with the equivalent of the Turing test. Since they can never be 100% positives, a level system should be implemented so a series of positives can be used to flag a player. This should keep the casual lamers out.
Disabling .NET would not only be near impossible but pretty much useless too. In all my time of writing game-hacks I've never used the .NET framework for it.

Decompression algorithms can and have been broken before.
What you WANT to do is prevent access to all the crucial files and processes. Achieve this by a combination of hooks and other techniques such as DKOM (there is source in my blog too). I can go into much more intimate detail later on when I'm not so goofed.

Last edited by The_Undead : 10th August, 2008 at 05:51 PM.
#24
10th August, 2008, 06:03 PM
Azura

Hi The_Undead,

Thanks for stopping by. What references (books or sites) did you use to write your detection program? It might be helpful to understand the theory behind it. Also, I have very limited experience in C++ and will probably ask someone else to get involved.

Also, you say you've written some game hacks. Most of the native, as opposed to UnrealScript, hacks for the original UT are based on the "H" hook. It was almost certainly developed without a framework to begin with but, more recently, its author switched to .NET for the paid versions, probably to gain time. The executable itself seems to have been run through several compressors/encrypters.

As for securing the game executable and base packages (exe + dlls + unreal packages), the idea is to avoid tampering and bytehacking of anything that is clientside. For example, a change in the bytecode of a U package can turn a == into a !=. In terms of public protection, Anthchecker is capable of doing a checksum on small files and UTDC can run an MD5 check, but both of these have been bypassed. I'll add that UT doesn't normally support the direct download of DLLs. However, a few new anticheat mods actually require you to download and install manually.

Anyway, if you want to discuss this in detail I suggest we do this via PM.

Last edited by Azura : 10th August, 2008 at 06:24 PM.
#25
10th August, 2008, 11:29 PM
The_Undead (South Africa)

Other than MSDN for the API references, I didn't. It's really not that complex.
To detect detour hooks you just need to scan the first 3 or 5 (5 on post XP SP2 systems) bytes of functions and make sure they are:
Code:
mov edi, edi    ; 8B FF  (2-byte hot-patch nop, present from XP SP2 on)
push ebp        ; 55
mov ebp, esp    ; 8B EC
I didn't bother supporting pre-SP2 systems.
The table hook detection can be done several ways, such as either making sure the addresses are within the appropriate bounds, or even importing them from ntdll.
Process detection yet again can be done in several ways. I've got a piece of code I've been meaning to post on my blog for a while, once I've cleaned it up, that enumerates the processes from the PspCidTable. You can also do it with the use of csrss.exe.

I'll PM you momentarily.
#26
13th August, 2008, 09:53 AM
dodgethis

Quote (Originally Posted by The_Undead):
Other than MSDN for the API references, I didn't. It's really not that complex.
To detect detour hooks you just need to scan the first 3 or 5 (5 on post XP SP2 systems) bytes of functions and make sure they are:
Code:
mov edi, edi
push ebp
mov ebp, esp
I didn't bother supporting pre-SP2 systems.
The table hook detection can be done several ways, such as either making sure the addresses are within the appropriate bounds, or even importing them from ntdll.
Process detection yet again can be done in several ways. I've got a piece of code I've been meaning to post on my blog for a while, once I've cleaned it up, that enumerates the processes from the PspCidTable. You can also do it with the use of csrss.exe.

I'll PM you momentarily.
The detour detection will be easy to bypass then; one could easily detour a function at some random location and your detection would be rendered useless.
#27
13th August, 2008, 07:59 PM
The_Undead (South Africa)

Quote (Originally Posted by dodgethis):
The detour detection will be easy to bypass then; one could easily detour a function at some random location and your detection would be rendered useless.
As is the case with most detection programs.
There is no easy way (short of perhaps performing a CRC check on each function) to do so otherwise.
#28
14th August, 2008, 07:54 PM
dodgethis

Quote (Originally Posted by The_Undead):
As is the case with most detection programs.
There is no easy way (short of perhaps performing a CRC check on each function) to do so otherwise.
Yep, and unfortunately that can be spoofed by cheaters as well.
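The exchange above (post #25's 5-byte prologue scan and module-bounds check for table hooks, then posts #26 to #28 on detours planted past the prologue and the per-function CRC answer) reduced to runnable code. This is an added example written for this page, not The_Undead's detector or any code from the thread: the x86 function images are constructed byte strings, the "CRC check" is taken to mean CRC-32 (the thread does not say which CRC), and the module base and size passed to the bounds check are illustrative constants, not real ntdll values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed x86 function images (sample data, not bytes from any real
 * Windows DLL). Each is a tiny stdcall routine; the hooked variants differ
 * from CLEAN_FN only in where a 5-byte "jmp rel32" (E9 xx xx xx xx) was written. */
static const uint8_t CLEAN_FN[] = {
    0x8B, 0xFF,           /* mov edi, edi   (2-byte hot-patch nop, XP SP2 and later) */
    0x55,                 /* push ebp */
    0x8B, 0xEC,           /* mov ebp, esp */
    0x8B, 0x45, 0x08,     /* mov eax, [ebp+8] */
    0x5D,                 /* pop ebp */
    0xC3                  /* ret */
};
/* Classic detour: the jmp overwrites the prologue itself. */
static const uint8_t HEAD_DETOUR_FN[] = {
    0xE9, 0x00, 0x10, 0x00, 0x00, 0x8B, 0x45, 0x08, 0x5D, 0xC3 };
/* dodgethis' bypass: prologue left intact, jmp planted further into the body. */
static const uint8_t MID_DETOUR_FN[] = {
    0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0xE9, 0x00, 0x10, 0x00, 0x00 };
/* Pre-SP2 style prologue: no mov edi,edi, so only 3 bytes to compare. */
static const uint8_t LEGACY_FN[] = {
    0x55, 0x8B, 0xEC, 0x8B, 0x45, 0x08, 0x5D, 0xC3 };

static const uint8_t HOTPATCH_PROLOGUE[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
static const uint8_t LEGACY_PROLOGUE[3]   = { 0x55, 0x8B, 0xEC };

enum hook_verdict { HOOK_NONE = 0, HOOK_JMP_REL32, HOOK_JMP_ABS, HOOK_UNKNOWN_PROLOGUE };

/* The check described in post #25: compare the first 5 (post-SP2) or 3
 * (pre-SP2) bytes with the expected prologue; otherwise classify the stub. */
enum hook_verdict check_prologue(const uint8_t *fn, size_t len, int post_sp2)
{
    if (post_sp2 && len >= 5 && memcmp(fn, HOTPATCH_PROLOGUE, 5) == 0) return HOOK_NONE;
    if (!post_sp2 && len >= 3 && memcmp(fn, LEGACY_PROLOGUE, 3) == 0)  return HOOK_NONE;
    if (len >= 5 && fn[0] == 0xE9)                   return HOOK_JMP_REL32; /* jmp rel32 */
    if (len >= 6 && fn[0] == 0xFF && fn[1] == 0x25)  return HOOK_JMP_ABS;   /* jmp [abs32] */
    return HOOK_UNKNOWN_PROLOGUE;
}

/* CRC-32 (IEEE, reflected polynomial 0xEDB88320) over a function body,
 * computed bit-at-a-time so no lookup table is needed. */
uint32_t crc32_bytes(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

struct fn_baseline { const uint8_t *start; size_t len; uint32_t crc; };

/* Record the CRC while the function is believed clean (e.g. right after
 * load, before any third-party code has had a chance to run). */
struct fn_baseline take_baseline(const uint8_t *start, size_t len)
{
    struct fn_baseline b = { start, len, crc32_bytes(start, len) };
    return b;
}

/* Re-hash the current bytes: 1 = identical to baseline, 0 = modified anywhere. */
int verify_body(const struct fn_baseline *b, const uint8_t *current)
{
    return crc32_bytes(current, b->len) == b->crc;
}

/* Table-hook check from post #25: an import/export pointer that should
 * resolve into a given module must fall inside that module's image range. */
int pointer_in_module(uintptr_t ptr, uintptr_t base, size_t size)
{
    return ptr >= base && ptr < base + size;
}

/* The argument of posts #26 to #28 as two results: the mid-function jmp
 * passes the prologue scan but fails the whole-body CRC. */
int mid_detour_escapes_prologue_check(void)
{
    return check_prologue(MID_DETOUR_FN, sizeof MID_DETOUR_FN, 1) == HOOK_NONE;
}
int mid_detour_caught_by_crc(void)
{
    struct fn_baseline b = take_baseline(CLEAN_FN, sizeof CLEAN_FN);
    return !verify_body(&b, MID_DETOUR_FN);
}

int main(void)
{
    static const char *names[] = { "none", "jmp rel32", "jmp [abs]", "unknown prologue" };
    printf("clean       : %s\n", names[check_prologue(CLEAN_FN, sizeof CLEAN_FN, 1)]);
    printf("legacy      : %s\n", names[check_prologue(LEGACY_FN, sizeof LEGACY_FN, 0)]);
    printf("head detour : %s\n", names[check_prologue(HEAD_DETOUR_FN, sizeof HEAD_DETOUR_FN, 1)]);
    printf("mid detour  : prologue check %s, CRC check %s\n",
           mid_detour_escapes_prologue_check() ? "misses it" : "flags it",
           mid_detour_caught_by_crc() ? "flags it" : "misses it");
    /* Illustrative module base/size (assumed values, not a real ntdll mapping). */
    printf("pointer 0x7C801000 inside module 0x7C800000+0x9B000: %d\n",
           pointer_in_module(0x7C801000u, 0x7C800000u, 0x9B000));
    return 0;
}
```

Two caveats match dodgethis' last reply. The baseline is only worth anything if it is taken before the cheat runs; a CRC recorded after the jmp is in place will happily "verify" the hooked body. And since the comparison runs in the same process the cheat has already patched, the cheat can feed the checker clean bytes (by hooking whatever reads the function memory) or patch the stored baseline table, which is the spoofing he means. The legacy 3-byte variant is included only to show why the byte count depends on whether the target build has the hot-patch prologue.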
#29
14th August, 2008, 08:25 PM
The_Undead (South Africa)

Yes but the aim of cheat protection is surely to keep the masses from cheating. We will always be able to bypass these systems given sufficient knowledge.
#30
28th August, 2008, 09:15 PM
Azura

Quote (Originally Posted by The_Undead):
Yes but the aim of cheat protection is surely to keep the masses from cheating.
It is.
#31
29th August, 2008, 04:38 AM
dcsnypa
Subject: hey

Would it work for demo by any chance?
#32
30th August, 2008, 07:08 AM
The_Undead (South Africa)

Demo?
#33
31st August, 2008, 05:01 AM
Azura

Unreal Tournament demo version 3.48. Yes, some people are still playing it since its release in '98-'99. I won't explain why and will just say it's a village versus town thing.

The anticheat being discussed here is actually designed for the stripped down version of the game.

Quote (Originally Posted by dcsnypa):
Would it work for demo by any chance?
Probably. It's all native and the OS is being targeted, not the game.

Last edited by Azura : 31st August, 2008 at 06:10 AM.
#34
5th April, 2009, 01:22 PM
-=V@STV$T=-

Quote (Originally Posted by Azura):
Is the dll protected in any way? Anything clientside can be messed with, so it's best to make things as unreadable/undecompilable as possible.

I've no idea how to detect processes that have been hidden but I'm willing to do some searching. Also I read an old document about cheats explaining something about accessing ring 0 (an OS' innermost circle). I don't know if that's a problem or if it's been successful, but it would mean that code executed in this ring is all powerful.

One idea that's crossed my mind is to block the use of Microsoft's .NET framework, seeing as it's used to accelerate the development of cheats. I don't know if it's practical, but I haven't seen many essential applications that use it as of yet. Another is to somehow secure the minimum essential files (unrealtournament.exe, dlls, standard u files, anticheat packages) in a custom executable that will decompress everything that's necessary at each launch. This should avoid bytehacking, as it would be virtually impossible to modify a file while it's being accessed by a program.

Apart from that I have a few ideas that are serverside only, with the equivalent of the Turing test. Since they can never be 100% positives, a level system should be implemented so a series of positives can be used to flag a player. This should keep the casual lamers out.
That's true what Azura says: you can spend a long time making an anticheat, but if the source isn't encrypted you are doing a lot of work for nothing. I know this because I tested the cscc for nUTcase[bees]; I know he has a special encryption program from EPIC to make the files unbreakable for hacking the source. I think the normal encryption is easily cracked by a truthwintered hacker, but with the special program from Epic it will be more difficult. I don't know the exact algorithm of it, but to keep it simple in talk you need at least 2048 bits AES encryption. By the way, I am testing a lot of stuff for the new HGuard; I hope a lot of others will too, and maybe it will run on UT3 also.
All pages are copyright The Unreal Admins Page.