Possible Anticheat?

Memory scanning, code injection, debugger internals and other game-modding-related discussion
Kalas
Posts: 106
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 2

Possible Anticheat?

Post by Kalas » Tue Mar 14, 2017 8:49 pm

So I'm hacking this game: "Splinter Cell Blacklist"

I have successfully made:

Infinite Money
Infinite Ammo

I was able to find the gadgets address and what's writing to it, but as soon as it shows the instruction, the value of that same gadget goes to 0, and if I try to use another gadget the game crashes. And if I change the instruction from

dec [esi+xx] to inc, the game crashes as well after enabling the script. Could it be a possible anti-cheat, or is it simply detecting Cheat Engine and I need to find out or change the name of the Cheat Engine process or some sort?

++METHOS
Posts: 102
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 8

Re: Possible Anticheat?

Post by ++METHOS » Tue Mar 14, 2017 8:54 pm

Inject code at the instruction and set up a default script that does not alter any code (a vanilla script). If it crashes, then there is probably a memory integrity check routine. You can use the SE plugin.

Kalas
Posts: 106
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 2

Re: Possible Anticheat?

Post by Kalas » Tue Mar 14, 2017 8:57 pm

Well, that's odd. The same script, same address, and everything the same instruction:


[ENABLE]

aobscanmodule(aobGadgets,Blacklist_DX11_game.exe,C0 72 FF FF 4E 04 8B 46 04)
alloc(newmem,$100)

label(code)
label(return)

newmem:

code:
  //dec [esi+04]        left out on purpose: the gadget count is never decremented
  mov eax,[esi+04]      // displaced original instruction, re-executed in the cave
  jmp return

aobGadgets+03:          // FF 4E 04 8B 46 04 (6 bytes) -> jmp newmem (5 bytes) + nop (1 byte)
  jmp newmem
  nop
return:
registersymbol(aobGadgets)

[DISABLE]

aobGadgets+03:
  db FF 4E 04 8B 46 04  // restore dec [esi+04] ; mov eax,[esi+04]

unregistersymbol(aobGadgets)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "Blacklist_DX11_game.exe"+98CD3B

"Blacklist_DX11_game.exe"+98CD20: 3B 0A                 -  cmp ecx,[edx]
"Blacklist_DX11_game.exe"+98CD22: 75 55                 -  jne Blacklist_DX11_game.exe+98CD79
"Blacklist_DX11_game.exe"+98CD24: 8B 4E 04              -  mov ecx,[esi+04]
"Blacklist_DX11_game.exe"+98CD27: 2B CF                 -  sub ecx,edi
"Blacklist_DX11_game.exe"+98CD29: 8D 14 8D FC FF FF FF  -  lea edx,[ecx*4-00000004]
"Blacklist_DX11_game.exe"+98CD30: 52                    -  push edx
"Blacklist_DX11_game.exe"+98CD31: 8D 48 04              -  lea ecx,[eax+04]
"Blacklist_DX11_game.exe"+98CD34: 51                    -  push ecx
"Blacklist_DX11_game.exe"+98CD35: 50                    -  push eax
"Blacklist_DX11_game.exe"+98CD36: E8 65 C0 72 FF        -  call Blacklist_DX11_game.exe+B8DA0
// ---------- INJECTING HERE ----------
"Blacklist_DX11_game.exe"+98CD3B: FF 4E 04              -  dec [esi+04]
"Blacklist_DX11_game.exe"+98CD3E: 8B 46 04              -  mov eax,[esi+04]
// ---------- DONE INJECTING  ----------
"Blacklist_DX11_game.exe"+98CD41: 8B 4E 08              -  mov ecx,[esi+08]
"Blacklist_DX11_game.exe"+98CD44: 8D 14 09              -  lea edx,[ecx+ecx]
"Blacklist_DX11_game.exe"+98CD47: 8D 1C 40              -  lea ebx,[eax+eax*2]
"Blacklist_DX11_game.exe"+98CD4A: 83 C4 0C              -  add esp,0C
"Blacklist_DX11_game.exe"+98CD4D: 3B DA                 -  cmp ebx,edx
"Blacklist_DX11_game.exe"+98CD4F: 7C 10                 -  jl Blacklist_DX11_game.exe+98CD61
"Blacklist_DX11_game.exe"+98CD51: 8B D1                 -  mov edx,ecx
"Blacklist_DX11_game.exe"+98CD53: 2B D0                 -  sub edx,eax
"Blacklist_DX11_game.exe"+98CD55: 03 D2                 -  add edx,edx
"Blacklist_DX11_game.exe"+98CD57: 03 D2                 -  add edx,edx
}
I simply activated it after restarting the game and it looks like it's working fine.

I have another question. For example, if I need to nop 3 times like:

db 90 90 90


And those: db FF 4E 04 8B 46 04

Can I remove those: "8B 46 04"?

++METHOS
Posts: 102
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 8

Re: Possible Anticheat?

Post by ++METHOS » Tue Mar 14, 2017 9:05 pm

No. The remainder of the originalcode block needs to remain intact. It is the same as:
originalcode:
//dec [esi+04]
mov eax,[esi+04]
jmp return
If you write it out like this:
originalcode:
db 90 90 90
jmp return
Then it would be like writing it out like this:
originalcode:
jmp return
Which could cause the target to crash.

Kalas
Posts: 106
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 2

Re: Possible Anticheat?

Post by Kalas » Tue Mar 14, 2017 9:06 pm

Oh no, I know how to nop it correctly, but I wanted to ask: if I do that, could I remove the others from [DISABLE]?

++METHOS
Posts: 102
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 8

Re: Possible Anticheat?

Post by ++METHOS » Tue Mar 14, 2017 9:09 pm

Why would you want to remove them?

Those bytes are there so that the code can revert to its original state when the script is disabled.

Kalas
Posts: 106
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 2

Re: Possible Anticheat?

Post by Kalas » Tue Mar 14, 2017 9:17 pm

Hmm, ok, just asked because I saw a video of someone, Sethioz I think, and he removed them and I was like wtf?

++METHOS
Posts: 102
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 8

Re: Possible Anticheat?

Post by ++METHOS » Tue Mar 14, 2017 9:28 pm

If you remove those bytes, the target will likely crash when you disable the script. Also, your AOB signature may no longer be valid (depending on where your signature begins/ends), so trying to re-enable the script again would not work without closing and restarting the target process.
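
Two points in this thread, the "vanilla script" test for a memory integrity check and the need to write back all six bytes in [DISABLE], can be modelled in plain C. The block below is an added example, not code from the thread or from the game: it copies the bytes listed in the disassembly above into a buffer, applies the same jmp newmem + nop patch at aobGadgets+03 with the displaced mov and a jmp back in the cave, and then restores either six or only three bytes. The virtual addresses CODE_VA and CAVE_VA, the FNV-1a checksum standing in for the game's own integrity routine, and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed copy of the bytes the thread lists at
   Blacklist_DX11_game.exe+98CD36 .. +98CD43 (not read from the game). */
#define CODE_LEN 14
static const uint8_t ORIGINAL[CODE_LEN] = {
    0xE8, 0x65, 0xC0, 0x72, 0xFF,   /* call ...+B8DA0                     */
    0xFF, 0x4E, 0x04,               /* dec  [esi+04]   <- injection point */
    0x8B, 0x46, 0x04,               /* mov  eax,[esi+04]                  */
    0x8B, 0x4E, 0x08                /* mov  ecx,[esi+08]                  */
};
/* The script's signature; the injection point is match+3 (aobGadgets+03). */
static const uint8_t SIG[] = {0xC0,0x72,0xFF,0xFF,0x4E,0x04,0x8B,0x46,0x04};
#define INJECT_OFF 3
#define PATCH_LEN  6   /* jmp rel32 (5) + nop (1) covers dec and mov */

/* Assumed virtual addresses for the modelled code and the code cave. */
#define CODE_VA 0x0098CD36u
#define CAVE_VA 0x0E000000u

struct model {
    uint8_t code[CODE_LEN];   /* the game's code bytes */
    uint8_t cave[16];         /* newmem                */
};

/* Naive AOB scan: offset of the first match, or -1. */
int aob_find(const uint8_t *buf, size_t len, const uint8_t *pat, size_t plen)
{
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return (int)i;
    return -1;
}

/* FNV-1a, standing in for whatever hash an integrity check would use. */
uint32_t checksum(const uint8_t *buf, size_t len)
{
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++) { h ^= buf[i]; h *= 0x01000193u; }
    return h;
}

/* Emit E9 rel32; the displacement is relative to the end of the jmp. */
static void put_jmp(uint8_t *at, uint32_t from_va, uint32_t to_va)
{
    int32_t rel = (int32_t)(to_va - (from_va + 5));
    at[0] = 0xE9;
    memcpy(at + 1, &rel, 4);   /* little-endian, as on x86 */
}

void model_init(struct model *m)
{
    memcpy(m->code, ORIGINAL, CODE_LEN);
    memset(m->cave, 0, sizeof m->cave);
}

/* [ENABLE]: scan, put the displaced mov and a jmp back into the cave (the
   vanilla script: dec is dropped but nothing else changes), then overwrite
   dec+mov with jmp newmem + nop.  Returns the injection offset, or -1 when
   the signature no longer matches (the script would not assemble). */
int model_enable(struct model *m)
{
    int hit = aob_find(m->code, CODE_LEN, SIG, sizeof SIG);
    if (hit < 0) return -1;
    size_t inj = (size_t)hit + INJECT_OFF;
    memcpy(m->cave, m->code + inj + 3, 3);                                  /* mov eax,[esi+04] */
    put_jmp(m->cave + 3, CAVE_VA + 3, CODE_VA + (uint32_t)inj + PATCH_LEN); /* jmp return       */
    put_jmp(m->code + inj, CODE_VA + (uint32_t)inj, CAVE_VA);               /* jmp newmem       */
    m->code[inj + 5] = 0x90;                                                /* nop              */
    return (int)inj;
}

/* [DISABLE]: write back n original bytes (6 = the full db line, 3 = only dec). */
void model_disable(struct model *m, size_t inj, size_t n)
{
    memcpy(m->code + inj, ORIGINAL + inj, n);
}

int code_intact(const struct model *m)
{
    return memcmp(m->code, ORIGINAL, CODE_LEN) == 0;
}

int main(void)
{
    struct model m;
    model_init(&m);
    uint32_t clean = checksum(m.code, CODE_LEN);
    int inj = model_enable(&m);
    printf("injected at +%d, checksum %08x -> %08x, signature %s\n", inj, clean,
           checksum(m.code, CODE_LEN),
           aob_find(m.code, CODE_LEN, SIG, sizeof SIG) < 0 ? "gone" : "found");
    model_disable(&m, (size_t)inj, 3);   /* the truncated db line from the thread */
    printf("after partial restore: intact=%d, re-enable=%d\n", code_intact(&m), model_enable(&m));
    return 0;
}
```

Even the vanilla hook, which re-executes the displaced mov and changes no game logic, changes the checksum of the region; that is why a crash with such a script points at an integrity check rather than at the logic change. Restoring only FF 4E 04 leaves the tail of the rel32 and the nop in place, so the code is not intact, the signature no longer matches, and the next enable has nothing to find until the process is restarted.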

Kalas
Posts: 106
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 2

Re: Possible Anticheat?

Post by Kalas » Tue Mar 14, 2017 9:55 pm

Oh no, the AOB is unique. It seems like the instruction is accessing other stuff, so that's why it crashes the game, or for example when loading a new mission it will load forever until I disable the script again.

++METHOS
Posts: 102
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 8

Re: Possible Anticheat?

Post by ++METHOS » Tue Mar 14, 2017 9:56 pm

That is not what I am talking about.

Kalas
Posts: 106
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 2

Re: Possible Anticheat?

Post by Kalas » Tue Mar 14, 2017 10:01 pm

Either way, I need to find another instruction because this one is not the right one.

Schnitzelmaker
Posts: 9
Joined: Fri Mar 03, 2017 6:18 pm
Reputation: 1

Re: Possible Anticheat?

Post by Schnitzelmaker » Tue Mar 14, 2017 10:20 pm

You mean nop only the dec? In this case alloc and jmp are not required.


[ENABLE]

aobscanmodule(aobGadgets,Blacklist_DX11_game.exe,C0 72 FF FF 4E 04 8B 46 04)
registersymbol(aobGadgets)  // needed so [DISABLE] can still resolve aobGadgets

aobGadgets+03:
  db 90 90 90               // dec [esi+04] -> 3 x nop

[DISABLE]

aobGadgets+03:
  db FF 4E 04               // dec [esi+04]

unregistersymbol(aobGadgets)

Kalas
Posts: 106
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 2

Re: Possible Anticheat?

Post by Kalas » Tue Mar 14, 2017 10:46 pm

Thank you but that's not the right instruction :P

++METHOS
Posts: 102
Joined: Thu Mar 02, 2017 9:02 pm
Reputation: 8

Re: Possible Anticheat?

Post by ++METHOS » Wed Mar 15, 2017 8:56 am

Schnitzelmaker wrote:
Tue Mar 14, 2017 10:20 pm
You mean nop only the dec? I this case alloc and jmp are not required.
-Yes, writing it out like this eliminates the need for that.
Kalas wrote:
Tue Mar 14, 2017 10:46 pm
Thank you but that's not the right instruction :P
Schnitzelmaker wrote:
Tue Mar 14, 2017 10:20 pm
aobGadgets+03

SunBeam
Posts: 85
Joined: Thu Mar 02, 2017 10:15 pm
Reputation: 8

Re: Possible Anticheat?

Post by SunBeam » Fri Mar 17, 2017 3:46 pm

As far as my knowledge goes, Splinter Cell is built with Unreal Engine. And if I recall, if you patch global functions that process more than what you need, the game will crash. You either need a filter or do it properly. The ammo amount passes through a global function (namely, the ammo value is read/written via a global reader/writer used for other tasks).
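
The point about a global function shared by other callers, and what a filter buys you, as a constructed C model added here (not code from the thread or from the game). A shared "decrement and read back" routine is hooked two ways: a blanket patch that removes the decrement for every caller, and a filtered hook that only exempts the one object we care about (the pointer that would be in esi). The counter struct, the loader loop that waits for a count to reach zero, and all names are hypothetical; the page does not say what else in the game goes through that function, so the loader only stands in for any caller that expects the decrement to happen.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a shared counter object; `value` plays the role of
   the dword at [esi+04] in the thread's disassembly. */
struct counter {
    const char *name;
    int value;
};

/* Signature of the hypothetical shared routine (dec [esi+04] ; mov
   eax,[esi+04]) that several unrelated callers go through. */
typedef int (*consume_fn)(struct counter *c);

/* Untouched game behaviour. */
int consume_original(struct counter *c)
{
    c->value--;
    return c->value;
}

/* Blanket patch: the dec is NOPped out for every caller, not just gadgets. */
int consume_nopped(struct counter *c)
{
    return c->value;
}

/* Filtered hook: only the object we care about (esi == our pointer) is
   exempted; every other caller still gets the original decrement. */
static struct counter *g_target = NULL;
int consume_filtered(struct counter *c)
{
    if (c != g_target)
        c->value--;
    return c->value;
}

/* A hypothetical loader that consumes pending work until none is left.
   Bounded so that a hook which removes the decrement reports -1 instead
   of spinning forever. */
int run_loader(consume_fn consume, struct counter *pending, int max_iters)
{
    for (int i = 0; i < max_iters; i++)
        if (consume(pending) <= 0)
            return i + 1;           /* iterations until done */
    return -1;
}

/* Use four gadgets, then let the loader run. Reports how many gadgets are
   left and whether the loader finished; returns 1 if both goals are met
   (gadgets untouched and loader done). */
int scenario(consume_fn consume, int *gadgets_left, int *loader_iters)
{
    struct counter gadgets = {"gadgets", 5};
    struct counter pending = {"pending_assets", 3};
    g_target = &gadgets;
    for (int i = 0; i < 4; i++)
        consume(&gadgets);
    *gadgets_left = gadgets.value;
    *loader_iters = run_loader(consume, &pending, 1000);
    return *gadgets_left == 5 && *loader_iters > 0;
}

int main(void)
{
    const char *names[] = {"original", "nopped", "filtered"};
    consume_fn fns[] = {consume_original, consume_nopped, consume_filtered};
    for (int i = 0; i < 3; i++) {
        int left, iters;
        int ok = scenario(fns[i], &left, &iters);
        printf("%-8s gadgets_left=%d loader_iters=%d ok=%d\n", names[i], left, iters, ok);
    }
    return 0;
}
```

In a real Cheat Engine script the filter is the same comparison done in the cave: compare esi (or whichever register holds the object) against a pointer you have identified as the gadget object, run the original dec for everything else, and only skip it on a match; otherwise every other user of the shared routine sees a counter that never moves.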

