Possible Anticheat?


Post by Kalas » Tue Mar 14, 2017 8:49 pm

So I'm hacking this game: "Splinter Cell Blacklist"

I have successfully made:

Infinite Money
Infinite Ammo

I was able to find the gadgets address. I found what's writing to the address, but as soon as it shows the instruction, the value of that same gadget goes to 0, and if I try to use another gadget the game crashes. If I change the instruction from

dec [esi+xx] to inc, the game crashes as well after enabling the script. Could it be a possible anti-cheat, or is it simply reading Cheat Engine and I need to find or change the name of the Cheat Engine process or some sort?

Post by ++METHOS » Tue Mar 14, 2017 8:54 pm

Inject code at the instruction and set up a default script that does not alter any code (vanilla script). If it crashes, then there is probably a memory integrity check routine. You can use SE plugin.

Post by Kalas » Tue Mar 14, 2017 8:57 pm

Well that's odd, it's the same script, same address, same instruction and everything.

[ENABLE]

aobscanmodule(aobGadgets,Blacklist_DX11_game.exe,C0 72 FF FF 4E 04 8B 46 04)
alloc(newmem,$100)

label(code)
label(return)

newmem:

code:
  //dec [esi+04]
  mov eax,[esi+04]
  jmp return

aobGadgets+03:
  jmp newmem
  nop
return:
registersymbol(aobGadgets)

[DISABLE]

aobGadgets+03:
  db FF 4E 04 8B 46 04

unregistersymbol(aobGadgets)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "Blacklist_DX11_game.exe"+98CD3B

"Blacklist_DX11_game.exe"+98CD20: 3B 0A                 -  cmp ecx,[edx]
"Blacklist_DX11_game.exe"+98CD22: 75 55                 -  jne Blacklist_DX11_game.exe+98CD79
"Blacklist_DX11_game.exe"+98CD24: 8B 4E 04              -  mov ecx,[esi+04]
"Blacklist_DX11_game.exe"+98CD27: 2B CF                 -  sub ecx,edi
"Blacklist_DX11_game.exe"+98CD29: 8D 14 8D FC FF FF FF  -  lea edx,[ecx*4-00000004]
"Blacklist_DX11_game.exe"+98CD30: 52                    -  push edx
"Blacklist_DX11_game.exe"+98CD31: 8D 48 04              -  lea ecx,[eax+04]
"Blacklist_DX11_game.exe"+98CD34: 51                    -  push ecx
"Blacklist_DX11_game.exe"+98CD35: 50                    -  push eax
"Blacklist_DX11_game.exe"+98CD36: E8 65 C0 72 FF        -  call Blacklist_DX11_game.exe+B8DA0
// ---------- INJECTING HERE ----------
"Blacklist_DX11_game.exe"+98CD3B: FF 4E 04              -  dec [esi+04]
"Blacklist_DX11_game.exe"+98CD3E: 8B 46 04              -  mov eax,[esi+04]
// ---------- DONE INJECTING  ----------
"Blacklist_DX11_game.exe"+98CD41: 8B 4E 08              -  mov ecx,[esi+08]
"Blacklist_DX11_game.exe"+98CD44: 8D 14 09              -  lea edx,[ecx+ecx]
"Blacklist_DX11_game.exe"+98CD47: 8D 1C 40              -  lea ebx,[eax+eax*2]
"Blacklist_DX11_game.exe"+98CD4A: 83 C4 0C              -  add esp,0C
"Blacklist_DX11_game.exe"+98CD4D: 3B DA                 -  cmp ebx,edx
"Blacklist_DX11_game.exe"+98CD4F: 7C 10                 -  jl Blacklist_DX11_game.exe+98CD61
"Blacklist_DX11_game.exe"+98CD51: 8B D1                 -  mov edx,ecx
"Blacklist_DX11_game.exe"+98CD53: 2B D0                 -  sub edx,eax
"Blacklist_DX11_game.exe"+98CD55: 03 D2                 -  add edx,edx
"Blacklist_DX11_game.exe"+98CD57: 03 D2                 -  add edx,edx
}

I simply activated it after restarting the game and it looks like it's working fine.

I have another question. For example, I need to nop 3 times like:

db 90 90 90

And those: db FF 4E 04 8B 46 04

Can I remove those: "8B 46 04"?

Post by ++METHOS » Tue Mar 14, 2017 9:05 pm

No. The remainder of the originalcode block needs to remain intact. It is the same as:

originalcode:
  //dec [esi+04]
  mov eax,[esi+04]
  jmp return

If you write it out like this:

originalcode:
  db 90 90 90
  jmp return

Then it would be like writing it out like this:

originalcode:
  jmp return

Which could cause the target to crash.

Post by Kalas » Tue Mar 14, 2017 9:06 pm

Oh no, I know how to nop it correctly, but I wanted to ask: if I do that, could I remove the others from [DISABLE]?

Post by ++METHOS » Tue Mar 14, 2017 9:09 pm

Why would you want to remove them?

Those bytes are there so that the code can revert to its original state when the script is disabled.

Post by Kalas » Tue Mar 14, 2017 9:17 pm

Hmm ok, I just asked because I saw a video of someone, Sethioz I think, and he removed them and I was like wtf?

Post by ++METHOS » Tue Mar 14, 2017 9:28 pm

If you remove those bytes, the target will likely crash when you disable the script. Also, your AOB signature may no longer be valid (depending on where your signature begins/ends), so trying to re-enable the script again would not work without closing and restarting the target process.
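As an added illustration in C (not code from the thread, and a simulation rather than the game process): a constructed buffer holding the bytes quoted around the injection point, a minimal aobscan and an FNV-1a checksum of the kind the memory integrity check ++METHOS suspects would compute, and the enable/disable sequence showing why restoring only FF 4E 04 after the 6-byte jmp+nop hook leaves the signature broken and the check tripped. The jmp displacement is a placeholder.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the bytes around the injection point quoted in
 * the thread (tail of the call, dec [esi+04], mov eax,[esi+04],
 * mov ecx,[esi+08]); a plain buffer, not the game process. */
static const uint8_t pristine[] = {
    0xE8, 0x65, 0xC0, 0x72, 0xFF,   /* call rel32 */
    0xFF, 0x4E, 0x04,               /* dec [esi+04]      <- aobGadgets+03 */
    0x8B, 0x46, 0x04,               /* mov eax,[esi+04] */
    0x8B, 0x4E, 0x08,               /* mov ecx,[esi+08] */
};
static uint8_t region[sizeof pristine];
/* The thread's signature C0 72 FF FF 4E 04 8B 46 04, found at offset 2. */
static const uint8_t sig[] = { 0xC0,0x72,0xFF,0xFF,0x4E,0x04,0x8B,0x46,0x04 };
#define INJECT_OFF 5                                     /* aobGadgets+03 */
static const uint8_t orig6[] = { 0xFF,0x4E,0x04,0x8B,0x46,0x04 };
static const uint8_t hook6[] = { 0xE9,0x00,0x00,0x00,0x00,0x90 }; /* jmp rel32 (placeholder disp) + nop */

/* Minimal aobscan: offset of the first match of pat in buf, or -1. */
long aob_find(const uint8_t *buf, size_t n, const uint8_t *pat, size_t m) {
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, pat, m) == 0) return (long)i;
    return -1;
}

/* FNV-1a: what an integrity check snapshots at startup and re-verifies later. */
uint32_t fnv1a(const uint8_t *buf, size_t n) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) { h ^= buf[i]; h *= 0x01000193u; }
    return h;
}

int region_intact(uint32_t baseline) {
    return aob_find(region, sizeof region, sig, sizeof sig) == 2 &&
           fnv1a(region, sizeof region) == baseline;
}

/* [ENABLE] writes the 6-byte hook; [DISABLE] restores only restore_bytes of the
 * originals. Returns 1 if fully original afterwards, 0 if broken, -1 if the hook went undetected. */
int scenario(size_t restore_bytes) {
    memcpy(region, pristine, sizeof region);
    uint32_t base = fnv1a(region, sizeof region);
    memcpy(region + INJECT_OFF, hook6, sizeof hook6);
    if (region_intact(base)) return -1;
    memcpy(region + INJECT_OFF, orig6, restore_bytes);
    return region_intact(base);
}
```

scenario(6) returns 1 (full restore, checksum back to baseline); scenario(3) returns 0, after which aob_find no longer locates the signature, so re-enabling would fail until the process is restarted.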

Post by Kalas » Tue Mar 14, 2017 9:55 pm

Oh no, the AOB is unique. It seems like the instruction is accessing other stuff, so that's why it crashes the game, or for example when loading a new mission it will load forever till I disable the script again.

Post by ++METHOS » Tue Mar 14, 2017 9:56 pm

That is not what I am talking about.

Post by Kalas » Tue Mar 14, 2017 10:01 pm

Either way I need to find another instruction, because this one is not the right one.

Post by Schnitzelmaker » Tue Mar 14, 2017 10:20 pm

You mean nop only the dec? In this case alloc and jmp are not required.

[ENABLE]

aobscanmodule(aobGadgets,Blacklist_DX11_game.exe,C0 72 FF FF 4E 04 8B 46 04)
registersymbol(aobGadgets)

// overwrite only the 3 bytes of dec [esi+04] with nops; mov eax,[esi+04] stays untouched
aobGadgets+03:
  db 90 90 90

[DISABLE]

// restore exactly the 3 bytes that were replaced
aobGadgets+03:
  db FF 4E 04

unregistersymbol(aobGadgets)

Post by Kalas » Tue Mar 14, 2017 10:46 pm

Thank you but that's not the right instruction :P

Post by ++METHOS » Wed Mar 15, 2017 8:56 am

Schnitzelmaker wrote (Tue Mar 14, 2017 10:20 pm):
    You mean nop only the dec? In this case alloc and jmp are not required.

-Yes, writing it out like this eliminates the need for that.

Kalas wrote (Tue Mar 14, 2017 10:46 pm):
    Thank you but that's not the right instruction :P

Schnitzelmaker wrote (Tue Mar 14, 2017 10:20 pm):
    aobGadgets+03

Post by SunBeam » Fri Mar 17, 2017 3:46 pm

As far as my knowledge goes, Splinter Cell is built with Unreal Engine. And if I recall, if you patch global functions that process more than what you need, the game will crash. You either need a filter or do it properly. The ammo amount passes through a global function (namely, the ammo value is read/written via a global reader/writer used for other tasks).
