Florin93 Posted October 26 Share Posted October 26 A client-sided anti-cheat developed during a freelance project to "plug-in" to a proprietary client for a private server. Includes memory integrity checks, thread execution restrictions, hook detection, memory honeypots, and more. *Memory Integrity Check Gathers a collection of memory pages initially within the game's module (anticheat::cheat_monitor::init) and generates a CRC32 hash based on the memory contents of each page (calc_vpt_hashes) - each validated every cycle (anticheat::cheat_monitor::check_pages). *Thread Blocking Hooks RtlUserThreadStart and checks if the designated address of execution for the thread is within the correct memory bounds. In this case, it is called "image-only execution", where only threads within the primary image (and some other excluded images such as ucrtbased.dll) are allowed to have threads run. If a thread is running outside of these bounds then it is detected as malicious inside an invalid execution space. This also prevents debuggers from attaching the process since RtlUserThreadStart is executed before DbgUiRemoteBreakIn is called which executes outside of the secure boundaries. *Memory Honeypots Memory honeypots are created within the init routine, where memory pages aren't yet accessed, but when they are (which they shouldn't be), it is detected. Prevents "cheat" scanners. *Anti-Debugging Checks the PEB directly (instead of using IsDebuggerPresent, which can be easily looked up) for the value of the BeingDebugged flag as well as the value of NtGlobalFlag. Prone to just directly modifying the BeingDebugged flag to bypass this check though. DbgUiRemoteBreakIn is blocked because debug threads can't be executed in the process (DebugActiveProcess executes a thread within the process, but our process has memory bounds checking, simplified when thread scanning is mentioned.) TBA: Arbitrary Vectored Exception Handling Detection *Protected Functions Similar in concept to a memory integrity check, but specifically detects if Winsock routines designated as "protected" are hooked/modified, preventing user-mode packet modification and reading by software such as WPE Pro and rPE. *Process Scanner Scans each process based on the contents (process name, window name) and unique memory signature. *Module Scanner Scans the loaded modules in the process for any with blacklisted names. Download: This is the hidden content, please Sign In or Sign Up 2 Quote Link to comment Share on other sites More sharing options...
Bot Metin2 Bot Posted October 26 Bot Share Posted October 26 Thank you for the post Florin93 Now we will take care that your topic reaches many people by adding tags Forum Description : Metin2 Server Files, Server Files, Metin2 Private Servers, Metin2, Metin2 Systems, C++ and Python, Metin2 Home Pages, Metin2 Private Server, Metin2 Download, Metin2 Support, Metin2 Forum, Metin2 Pvp Servers, Errors, Bugs, Requests, Metin2 Pvp Forum, Everything About Metin2. Tags: #Metin2 Server Files, #Server Files, #Metin2 Private Servers, #Metin2, #Metin2 Systems, #C++ and Python, #Metin2 Home Pages, #Metin2 Private Server, #Metin2 Download, #Metin2 Support, #Metin2 Forum, #Metin2 Pvp Servers, #Errors, #Bugs, #Requests, #Metin2 Pvp #Forum . Quote Link to comment Share on other sites More sharing options...
onetakexd Posted October 26 Share Posted October 26 ty Quote Link to comment Share on other sites More sharing options...
Premium SFX Posted October 26 Premium Share Posted October 26 Ty Quote Link to comment Share on other sites More sharing options...
eg0ist Posted October 26 Share Posted October 26 thx Quote Link to comment Share on other sites More sharing options...
allegato13 Posted October 26 Share Posted October 26 thank you Quote Link to comment Share on other sites More sharing options...
Prznt Posted October 26 Share Posted October 26 ty Quote Link to comment Share on other sites More sharing options...
Onix3 Posted October 26 Share Posted October 26 14 hours ago, Florin93 said: A client-sided anti-cheat developed during a freelance project to "plug-in" to a proprietary client for a private server. Includes memory integrity checks, thread execution restrictions, hook detection, memory honeypots, and more. *Memory Integrity Check Gathers a collection of memory pages initially within the game's module (anticheat::cheat_monitor::init) and generates a CRC32 hash based on the memory contents of each page (calc_vpt_hashes) - each validated every cycle (anticheat::cheat_monitor::check_pages). *Thread Blocking Hooks RtlUserThreadStart and checks if the designated address of execution for the thread is within the correct memory bounds. In this case, it is called "image-only execution", where only threads within the primary image (and some other excluded images such as ucrtbased.dll) are allowed to have threads run. If a thread is running outside of these bounds then it is detected as malicious inside an invalid execution space. This also prevents debuggers from attaching the process since RtlUserThreadStart is executed before DbgUiRemoteBreakIn is called which executes outside of the secure boundaries. *Memory Honeypots Memory honeypots are created within the init routine, where memory pages aren't yet accessed, but when they are (which they shouldn't be), it is detected. Prevents "cheat" scanners. *Anti-Debugging Checks the PEB directly (instead of using IsDebuggerPresent, which can be easily looked up) for the value of the BeingDebugged flag as well as the value of NtGlobalFlag. Prone to just directly modifying the BeingDebugged flag to bypass this check though. DbgUiRemoteBreakIn is blocked because debug threads can't be executed in the process (DebugActiveProcess executes a thread within the process, but our process has memory bounds checking, simplified when thread scanning is mentioned.) TBA: Arbitrary Vectored Exception Handling Detection *Protected Functions Similar in concept to a memory integrity check, but specifically detects if Winsock routines designated as "protected" are hooked/modified, preventing user-mode packet modification and reading by software such as WPE Pro and rPE. *Process Scanner Scans each process based on the contents (process name, window name) and unique memory signature. *Module Scanner Scans the loaded modules in the process for any with blacklisted names. Download: Hidden Content Reply to this topic to see the hidden content. Quote Link to comment Share on other sites More sharing options...
Color Posted October 26 Share Posted October 26 ty Quote Link to comment Share on other sites More sharing options...
Etzhel Posted October 26 Share Posted October 26 thank you.. Quote Link to comment Share on other sites More sharing options...
Alim Posted October 26 Share Posted October 26 ty Quote Link to comment Share on other sites More sharing options...
Premium xrhstos000 Posted October 28 Premium Share Posted October 28 ty Quote Link to comment Share on other sites More sharing options...
Uffo94 Posted October 28 Share Posted October 28 On 10/26/2024 at 1:25 AM, Florin93 said: A client-sided anti-cheat developed during a freelance project to "plug-in" to a proprietary client for a private server. Includes memory integrity checks, thread execution restrictions, hook detection, memory honeypots, and more. *Memory Integrity Check Gathers a collection of memory pages initially within the game's module (anticheat::cheat_monitor::init) and generates a CRC32 hash based on the memory contents of each page (calc_vpt_hashes) - each validated every cycle (anticheat::cheat_monitor::check_pages). *Thread Blocking Hooks RtlUserThreadStart and checks if the designated address of execution for the thread is within the correct memory bounds. In this case, it is called "image-only execution", where only threads within the primary image (and some other excluded images such as ucrtbased.dll) are allowed to have threads run. If a thread is running outside of these bounds then it is detected as malicious inside an invalid execution space. This also prevents debuggers from attaching the process since RtlUserThreadStart is executed before DbgUiRemoteBreakIn is called which executes outside of the secure boundaries. *Memory Honeypots Memory honeypots are created within the init routine, where memory pages aren't yet accessed, but when they are (which they shouldn't be), it is detected. Prevents "cheat" scanners. *Anti-Debugging Checks the PEB directly (instead of using IsDebuggerPresent, which can be easily looked up) for the value of the BeingDebugged flag as well as the value of NtGlobalFlag. Prone to just directly modifying the BeingDebugged flag to bypass this check though. DbgUiRemoteBreakIn is blocked because debug threads can't be executed in the process (DebugActiveProcess executes a thread within the process, but our process has memory bounds checking, simplified when thread scanning is mentioned.) TBA: Arbitrary Vectored Exception Handling Detection *Protected Functions Similar in concept to a memory integrity check, but specifically detects if Winsock routines designated as "protected" are hooked/modified, preventing user-mode packet modification and reading by software such as WPE Pro and rPE. *Process Scanner Scans each process based on the contents (process name, window name) and unique memory signature. *Module Scanner Scans the loaded modules in the process for any with blacklisted names. Download: Hidden Content Reply to this topic to see the hidden content. thanks Quote Link to comment Share on other sites More sharing options...
Lupusul Posted October 29 Share Posted October 29 thanks Quote Link to comment Share on other sites More sharing options...
Rajmund Posted Wednesday at 07:22 AM Share Posted Wednesday at 07:22 AM ty Quote Link to comment Share on other sites More sharing options...
tofadi5 Posted Wednesday at 07:49 AM Share Posted Wednesday at 07:49 AM ty Quote Link to comment Share on other sites More sharing options...
MarcoX Posted Wednesday at 09:18 AM Share Posted Wednesday at 09:18 AM ty Quote Link to comment Share on other sites More sharing options...
control Posted Wednesday at 09:33 PM Share Posted Wednesday at 09:33 PM Thx Quote Link to comment Share on other sites More sharing options...
Aaro Posted Saturday at 04:40 AM Share Posted Saturday at 04:40 AM ty Quote Link to comment Share on other sites More sharing options...
TheLic Posted Saturday at 09:19 PM Share Posted Saturday at 09:19 PM Thank you Quote Link to comment Share on other sites More sharing options...
algia Posted 15 hours ago Share Posted 15 hours ago y Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.