Halo Infinite
- caliber1942
- Expert Cheater
- Posts: 98
- Joined: Thu Oct 17, 2019 5:15 pm
- Reputation: 219
Re: Halo Infinite
Ahh!! There's the asshole, know-it-all, self-righteous, CH-hating prick we've all come to loathe over the years. It was fun while it lasted contributing NICELY to the discussion here, but as usual the fucker just can't help himself. Did daddy beat you? Little dick? You've never been on a date? Whatever it is, man, it's eaten you alive. Why don't you shell code manual map this middle finger?
I already said Arbiter is the main actor, probably involved in setting it up, creating the mapped code, and doing the scans.
I already said there are multiple anticheat threads running outside the main process.. some in MANUALLY MAPPED DLL CODE (or SHELL CODE as you call it), and some in the ARBITER.DLL itself. Likely the mapped code is created and the thread started BY Arbiter.
My definition of 'detected' means that the trainers, if used carelessly, or if options are repeatedly used over and over, will end up being detected by the scanners, which triggers the game-ending pause or closure. Even the stupid instructions for every trainer, as well as the complaints for every trainer, say this.
Lastly, nobody who's played the Halo series is LOST about "Arbiter". There is nothing of value gained from the use of the word Arbiter as the NAME of the .dll in helping defeat the protections. It's just a clever thing the developers decided to call it. If anything it would actually have been SMARTER to call it something more bland or to throw you off, like "api-ms-win-core-processthreads-5-5-1.dll".
This started out nicely, but unfortunately your split personality neurosis kicked in, or some sort of 'reaction' to the fact that I am posting about this game in places has caused your inner jackass to emerge. I gave you +2 rep even, because it was nice to see some maturity, although it only lasted for 48 hours.
Anyone here who was offended by my use of "CRC" or "MANUALLY MAPPED" or any other damn such thing, I am sure you will recover. 99% of the kiddos here have no idea what we are talking about, and probably don't even venture into these discussions.
Now even with all of this... bullshit.. I have to say that I admire that you have nearly worked out the entire anti-VEH thing. The final step would be seeing where the hash is checked (likely in ARBITER.dll), and then making it be ok with whatever hash it comes up with.
Here is an example of a HASH, or CRC, or whatever the FUCK you want to call it, being created in ARBITER.dll as it scans MANUALLY MAPPED or SHELL CODE or WHATEVER THE FUCK YOU WANT TO CALL IT, and THAT code is responsible for scanning the .text of the game:
Arbiter.dll+25EC80 - 48 8B 05 39620600 - mov rax,[Arbiter.dll+2C4EC0] { (1952253111) }
Arbiter.dll+25EC87 - 48 33 C1 - xor rax,rcx
Arbiter.dll+25EC8A - 48 89 05 87660600 - mov [Arbiter.dll+2C5318],rax { (1421439684) }
Arbiter.dll+25EC91 - 45 85 F6 - test r14d,r14d
Arbiter.dll+25EC94 - 74 31 - je Arbiter.dll+25ECC7
start address being scanned is r15--> Arbiter.dll+25EC96 - 41 0FB6 0F - movzx ecx,byte ptr [r15]
Arbiter.dll+25EC9A - 48 B8 25232284E49CF2CB - mov rax,CBF29CE484222325 { -2078137563 }
Arbiter.dll+25ECA4 - 48 33 C8 - xor rcx,rax
Arbiter.dll+25ECA7 - 48 B8 B301000000010000 - mov rax,00000100000001B3 { 435 }
Arbiter.dll+25ECB1 - 48 0FAF C8 - imul rcx,rax
Arbiter.dll+25ECB5 - 4D 8D 46 FF - lea r8,[r14-01]
Arbiter.dll+25ECB9 - 49 8D 57 01 - lea rdx,[r15+01]
continues scan here --> Arbiter.dll+25ECBD - E8 3E43DAFF - call Arbiter.dll+3000
returns CRC or HASH as RAX here --> Arbiter.dll+25ECC2 - 48 8B D8 - mov rbx,rax
Arbiter.dll+25ECC5 - EB 0A - jmp Arbiter.dll+25ECD1
Arbiter.dll+25ECC7 - 48 BB 25232284E49CF2CB - mov rbx,CBF29CE484222325 { -2078137563 }
Arbiter.dll+25ECD1 - F3 0F10 0D 976A0600 - movss xmm1,[Arbiter.dll+2C5770] { (Nan) }
Arbiter.dll+25ECD9 - F3 0F10 05 FF610600 - movss xmm0,[Arbiter.dll+2C4EE0] { (Nan) }
Arbiter.dll+25ECE1 - F3 0F58 C8 - addss xmm1,xmm0
Arbiter.dll+25ECE5 - F3 0F58 0D DB610600 - addss xmm1,[Arbiter.dll+2C4EC8] { (Nan) }
You CAN make changes to THIS CODE without the game crashing or detecting it, so this appears to not be scanned.
for instance:
Arbiter.dll+25ECC5 - EB 0A - jmp Arbiter.dll+25ECD1
Arbiter.dll+25ECC7 - 48 BB 25232284E49CF2CB - mov rbx,CBF29CE484222325 { -2078137563 }
to:
Arbiter.dll+25ECC5 - 90 - nop
Arbiter.dll+25ECC6 - 90 - nop
Arbiter.dll+25ECC7 - 48 BB 8B02C496D1BE2D4E - mov rbx,4E2DBED196C4028B { -1765539189 }
and the game happily continues, because 4E2DBED196C4028B is the hash that is expected at this particular code area for the particular area being scanned. So you could THEORETICALLY modify the code area that was being scanned to ALSO ignore changes, but maybe there are 20 such scans of the same SHELL CODE elsewhere.
I still think it will likely be an elegant solution that kills all of this, that ends up being the stopping of a single thread and faking that it's doing its job, or removing the "something is wrong" return when this gets called. But for now, that isn't known.
The best solution seems to be to eliminate the VEH problem, allow detours, then capture base values that can be edited or you can write directly at areas that are detoured. This is only best if there are 1000 "triggers" (look! another term I USED to describe these scans that occur at events, which I've used for 12 years or more.. Maybe you have a better word for it, almighty one.) that overlap and do the same thing. In Monster Hunter World, they actually kept all the hash/crc and scan start/end/size data one after the next in a perfectly aligned segment at the end of the .text for the 81 triggers they had in that game. So it was simple just to copy a safe zone over the others to make them all read the same, non-modified, spot. However, this isn't Monster Hunter World, and people are (and WERE, nicely) capturing info and sharing it in a friendly process. I guess that ends today, but only because.. you can't help yourself.
Carry on, mighty super dickless coder of the Gods. I leave you to your proper definitions and condescending noodling, and saving the world from everyone else's "misinformation". This is why you get throttled and smashed out of other forums, and are detested, because you just can't help yourself.
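Editor's note on the listing in the post above: the constants CBF29CE484222325 and 00000100000001B3 loaded at Arbiter.dll+25EC9A and Arbiter.dll+25ECA7 are the 64-bit FNV offset basis and FNV prime, and the movzx / xor / imul sequence is one round of FNV-1a, so the "HASH or CRC" the scanner computes over the mapped code is a 64-bit FNV-1a digest (the je at Arbiter.dll+25EC94 that puts the basis straight into rbx when the length is zero is consistent with FNV-1a of an empty range). The C program below is an added example, not code from the post or from the game: it implements that digest and the integrity check a code scanner performs with it, and shows that a single changed byte in the checked region produces a different digest. The sample region (a NOP/RET stub) and its expected value are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 64-bit FNV constants: the same two values the Arbiter.dll listing loads into rax. */
#define FNV1A64_OFFSET_BASIS 0xCBF29CE484222325ULL
#define FNV1A64_PRIME        0x00000100000001B3ULL

/* FNV-1a over an arbitrary byte range: xor the byte in, then multiply by the prime.
 * An empty range yields the offset basis, which is also what the listing does when
 * its length register is zero. */
uint64_t fnv1a64(const uint8_t *data, size_t len)
{
    uint64_t h = FNV1A64_OFFSET_BASIS;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= FNV1A64_PRIME;   /* multiplication modulo 2^64 via unsigned wraparound */
    }
    return h;
}

/* Integrity check as a scanner performs it: recompute the digest of the region and
 * compare it with the value recorded while the code was known to be good.
 * Returns 1 if the region is unmodified, 0 otherwise. */
int region_is_intact(const uint8_t *region, size_t len, uint64_t expected)
{
    return fnv1a64(region, len) == expected;
}

/* Constructed sample "code" region for the demo (x86-64 NOP sled ending in RET).
 * Made up for this example; not taken from the game. */
static const uint8_t sample_code[] = { 0x90, 0x90, 0x90, 0x90, 0xC3 };

/* Records the good digest, verifies a pristine copy, then changes a single byte
 * (0xCC, the INT3 opcode a software breakpoint leaves behind) and verifies again.
 * Returns 1 when the pristine copy passes and the modified copy is caught. */
int demo_patch_detected(void)
{
    uint64_t expected = fnv1a64(sample_code, sizeof sample_code);
    uint8_t copy[sizeof sample_code];
    memcpy(copy, sample_code, sizeof copy);

    int pristine_ok = region_is_intact(copy, sizeof copy, expected);
    copy[0] = 0xCC;
    int modified_ok = region_is_intact(copy, sizeof copy, expected);

    printf("expected digest  : %016llX\n", (unsigned long long)expected);
    printf("after 1-byte edit: %016llX\n",
           (unsigned long long)fnv1a64(copy, sizeof copy));
    return pristine_ok && !modified_ok;
}

int main(void)
{
    printf("fnv1a64(\"\")  = %016llX\n",
           (unsigned long long)fnv1a64((const uint8_t *)"", 0));
    printf("fnv1a64(\"a\") = %016llX\n",
           (unsigned long long)fnv1a64((const uint8_t *)"a", 1));
    printf("patch detected: %s\n", demo_patch_detected() ? "yes" : "no");
    return 0;
}
```

Any C99 compiler builds this; the digest of the empty range is the offset basis itself, and the standard FNV-1a test vector for "a" is AF63DC4C8601EC8C. Because each FNV-1a round is a bijection on the running state (xor, then multiply by an odd constant), two regions that differ in one byte can never share a digest after the same trailing bytes, which is why the one-byte edit is always caught. The check is only as strong as the place where the expected value is stored and compared, which is exactly the weakness the post observes when the constant after the call is replaced.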
- caliber1942
- Expert Cheater
- Posts: 98
- Joined: Thu Oct 17, 2019 5:15 pm
- Reputation: 219
Re: Halo Infinite
OK so I made some progress that might help. At the very least you can use breakpoints live if you use this and unpatch. This pretty much made our trainer immune to detection of quick code changes. Likely still more threads going on, so not sure if you can make PERM changes to the game code. The whole "page_guard" thing is still in play, and it appears the game tries to re-write back over .text code periodically, possibly.
Rather than try to detect threads and freeze them, I am having them loop themselves at the same address. Bypass in Arbiter.dll is to avoid detection of changes to manual mapped shell code.
Enjoy.
ANTI CHEAT 1 (block CRC check of manually mapped anticheat code block)
=============
Arbiter.dll+25ECC5 - EB 0A - jmp Arbiter.dll+25ECD1
to:
Arbiter.dll+25ECC5 - EB FE - jmp Arbiter.dll+25ECC5
Arbiter.dll+25ECC5 - EB 0A - jmp Arbiter.dll+25ECD1
Arbiter.dll+25ECC7 - 48 BB 25232284E49CF2CB - mov rbx,CBF29CE484222325 { -2078137563 }
RAX=4E2DBED196C4028B
Arbiter.dll+25EC3A - 56 - push rsi
Arbiter.dll+25EC3B - 48 8B 0D AE640600 - mov rcx,[Arbiter.dll+2C50F0] { (152) }
Arbiter.dll+25EC42 - 48 8B 05 77650600 - mov rax,[Arbiter.dll+2C51C0] { (545524983) }
Arbiter.dll+25EC49 - 48 2B C8 - sub rcx,rax
Arbiter.dll+25EC4C - 48 8B 05 D5610600 - mov rax,[Arbiter.dll+2C4E28] { (-1368219941) }
Arbiter.dll+25EC53 - 48 2B C8 - sub rcx,rax
Arbiter.dll+25EC56 - 48 8B 05 AB630600 - mov rax,[Arbiter.dll+2C5008] { (1994045043) }
Arbiter.dll+25EC5D - 48 2B C8 - sub rcx,rax
Arbiter.dll+25EC60 - 48 8B 05 71660600 - mov rax,[Arbiter.dll+2C52D8] { (2049626474) }
Arbiter.dll+25EC67 - 48 2B C8 - sub rcx,rax
Arbiter.dll+25EC6A - 48 89 0D BF690600 - mov [Arbiter.dll+2C5630],rcx { (-2145861952) }
Arbiter.dll+25EC71 - 48 8B 05 E8660600 - mov rax,[Arbiter.dll+2C5360] { (1912543045) }
Arbiter.dll+25EC78 - B9 2E4E3CED - mov ecx,ED3C4E2E { -314814930 }
Arbiter.dll+25EC7D - 48 2B C8 - sub rcx,rax
Arbiter.dll+25EC80 - 48 8B 05 39620600 - mov rax,[Arbiter.dll+2C4EC0] { (-1304840116) }
Arbiter.dll+25EC87 - 48 33 C1 - xor rax,rcx
Arbiter.dll+25EC8A - 48 89 05 87660600 - mov [Arbiter.dll+2C5318],rax { (1421439684) }
Arbiter.dll+25EC91 - 45 85 F6 - test r14d,r14d
Arbiter.dll+25EC94 - 74 31 - je Arbiter.dll+25ECC7
Arbiter.dll+25EC96 - 41 0FB6 0F - movzx ecx,byte ptr [r15]
Arbiter.dll+25EC9A - 48 B8 25232284E49CF2CB - mov rax,CBF29CE484222325 { -2078137563 }
Arbiter.dll+25ECA4 - 48 33 C8 - xor rcx,rax
Arbiter.dll+25ECA7 - 48 B8 B301000000010000 - mov rax,00000100000001B3 { 435 }
Arbiter.dll+25ECB1 - 48 0FAF C8 - imul rcx,rax
Arbiter.dll+25ECB5 - 4D 8D 46 FF - lea r8,[r14-01]
Arbiter.dll+25ECB9 - 49 8D 57 01 - lea rdx,[r15+01]
Arbiter.dll+25ECBD - E8 3E43DAFF - call Arbiter.dll+3000
Arbiter.dll+25ECC2 - 48 8B D8 - mov rbx,rax
Arbiter.dll+25ECC5 - EB 0A - jmp Arbiter.dll+25ECD1
Arbiter.dll+25ECC7 - 48 BB 25232284E49CF2CB - mov rbx,CBF29CE484222325 { -2078137563 }
Arbiter.dll+25ECD1 - F3 0F10 0D 976A0600 - movss xmm1,[Arbiter.dll+2C5770] { (Nan) }
Arbiter.dll+25ECD9 - F3 0F10 05 FF610600 - movss xmm0,[Arbiter.dll+2C4EE0] { (Nan) }
Arbiter.dll+25ECE1 - F3 0F58 C8 - addss xmm1,xmm0
Arbiter.dll+25ECE5 - F3 0F58 0D DB610600 - addss xmm1,[Arbiter.dll+2C4EC8] { (Nan) }
Arbiter.dll+25ECED - F3 0F11 0D E3630600 - movss [Arbiter.dll+2C50D8],xmm1 { (Nan) }
Arbiter.dll+25ECF5 - 8B 05 ED6A0600 - mov eax,[Arbiter.dll+2C57E8] { (838395965) }
Arbiter.dll+25ECFB - 35 F62B4C67 - xor eax,674C2BF6 { (113) }
Arbiter.dll+25ED00 - 3D 762EA158 - cmp eax,58A12E76 { 1486958198 }
Arbiter.dll+25ED05 - 0F85 39040000 - jne Arbiter.dll+25F144
Arbiter.dll+25ED0B - F3 0F10 0D F5650600 - movss xmm1,[Arbiter.dll+2C5308] { (Nan) }
Arbiter.dll+25ED13 - F3 0F10 05 4D670600 - movss xmm0,[Arbiter.dll+2C5468] { (-Inf) }
Arbiter.dll+25ED1B - 0F2E C8 - ucomiss xmm1,xmm0
Arbiter.dll+25ED1E - 0F8A 20040000 - jp Arbiter.dll+25F144
Arbiter.dll+25ED24 - 0F85 1A040000 - jne Arbiter.dll+25F144
Arbiter.dll+25ED2A - 8B 05 186B0600 - mov eax,[Arbiter.dll+2C5848] { (4DF0F374) }
Arbiter.dll+25ED30 - 05 771F8655 - add eax,55861F77 { (0) }
Arbiter.dll+25ED35 - 3D 24176C2E - cmp eax,2E6C1724 { (0) }
Arbiter.dll+25ED3A - 0F85 04040000 - jne Arbiter.dll+25F144
Arbiter.dll+25ED40 - 48 8B 0D D1650600 - mov rcx,[Arbiter.dll+2C5318] { (1421439684) }
Arbiter.dll+25ED47 - 48 8B 05 0A650600 - mov rax,[Arbiter.dll+2C5258] { (1985531430) }
ANTI CHEAT 2 (block scan of code and scan of .text copy from page_guard)
================
0317517A - 0F85 406FFDFF - jne 0314C0C0
to:
0317517A - EB FE - jmp 0317517A
0317517C - 90 - nop
0317517D - 90 - nop
0317517E - 90 - nop
0317517F - 90 - nop
0F 85 ?? ?? ?? ?? 8B 05 ?? ?? ?? ?? 89 05 ?? ?? ?? ?? 8B 05 ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B C8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B 4D BF
031750BA - F3 0F59 D0 - mulss xmm2,xmm0
031750BE - F3 0F10 0D 12C70200 - movss xmm1,[031A17D8] { (Nan) }
031750C6 - F3 0F5C D1 - subss xmm2,xmm1
031750CA - F3 0F11 15 F6BB0200 - movss [031A0CC8],xmm2 { (Nan) }
031750D2 - F3 0F10 1D 1EC20200 - movss xmm3,[031A12F8] { (Nan) }
031750DA - F3 0F58 1D A61C0200 - addss xmm3,[03196D88] { (0.13) }
031750E2 - F3 0F10 05 F6BF0200 - movss xmm0,[031A10E0] { (Nan) }
031750EA - F3 0F5C D8 - subss xmm3,xmm0
031750EE - F3 0F10 0D 02C10200 - movss xmm1,[031A11F8] { (Nan) }
031750F6 - F3 0F5C D9 - subss xmm3,xmm1
031750FA - F3 0F58 1D 2AC50200 - addss xmm3,[031A162C] { (Nan) }
03175102 - F3 0F10 05 8EC70200 - movss xmm0,[031A1898] { (Nan) }
0317510A - F3 0F5C D8 - subss xmm3,xmm0
0317510E - F3 0F11 1D 72C00200 - movss [031A1188],xmm3 { (Nan) }
03175116 - 48 8B 0D FBC00200 - mov rcx,[031A1218] { (-789396107) }
0317511D - 48 8B 05 ECC70200 - mov rax,[031A1910] { (-347655310) }
03175124 - 48 33 C8 - xor rcx,rax
03175127 - 48 8B 05 EAC10200 - mov rax,[031A1318] { (-1953388356) }
0317512E - 48 33 C1 - xor rax,rcx
03175131 - 48 89 05 C0C70200 - mov [031A18F8],rax { (0.00) }
03175138 - 65 48 8B 04 25 30000000 - mov rax,gs:[00000030] { 48 }
03175141 - 48 B9 D3715846DCE2E460 - mov rcx,60E4E2DC465871D3 { 211 }
0317514B - 48 3B C1 - cmp rax,rcx
0317514E - 0FB6 5C 24 48 - movzx ebx,byte ptr [rsp+48]
03175153 - 4C 8D 05 06C81200 - lea r8,[032A1960] { (2013296516) }
0317515A - 49 B9 686D8C89970E0000 - mov r9,00000E97898C6D68 { -1987285656 }
03175164 - 4C 8D 15 91C00200 - lea r10,[031A11FC] { (-4194304) }
0317516B - BA E6728DB7 - mov edx,B78D72E6 { (255) }
03175170 - 49 BB 256A5C30ED040000 - mov r11,000004ED305C6A25 { "%j\0?" }
0317517A - 0F85 406FFDFF - jne 0314C0C0
03175180 - 8B 05 42BF0200 - mov eax,[031A10C8] { (C0ACC6E9) }
03175186 - 89 05 44BC0200 - mov [031A0DD0],eax { (297075601) }
0317518C - 8B 05 2EC40200 - mov eax,[031A15C0] { (2ABCBE7D) }
03175192 - B9 39C88B36 - mov ecx,368BC839 { (0) }
03175197 - 2B C8 - sub ecx,eax
03175199 - 89 0D 31C70200 - mov [031A18D0],ecx { (90FAF0EA) }
0317519F - B8 FC1A19BB - mov eax,BB191AFC { (805798147) }
031751A4 - 8B 4D BF - mov ecx,[rbp-41]
031751A7 - 48 8B 05 F0593F00 - mov rax,[0356AB9E] { 56011678 }
031751AE - 88 84 0A 530A0000 - mov [rdx+rcx+00000A53],al
031751B5 - 48 C7 05 4F153E00 8A471052 - mov qword ptr [0355670F],5210478A { 55928591,(0) }
031751C0 - 48 8B 0D 36913D00 - mov rcx,[0354E2FD] { 55894781 }
031751C7 - B8 7C6CC98B - mov eax,8BC96C7C { (0) }
031751CC - 53 - push rbx
031751CD - 74 4A - je 03175219
031751CF - F3 0F58 0D C46D3E00 - addss xmm1,[0355BF9B] { 55951259 }
031751D7 - 8B 05 3DE73E00 - mov eax,[0356391A] { 55982362 }
031751DD - 5F - pop rdi
031751DE - F3 0F11 15 F0903D00 - movss [0354E2D6],xmm2 { 55894742 }
031751E6 - 48 C7 44 24 30 A603EFEC - mov qword ptr [rsp+30],FFFFFFFFECEF03A6 { -319880282 }
031751EF - 34 AF - xor al,-51 { 175 }
031751F1 - F3 0F10 15 C0313F00 - movss xmm2,[035683B9] { 56001465 }
031751F9 - 48 8B 0D BF783E00 - mov rcx,[0355CABF] { 55954111 }
03175200 - C7 05 E28A3F00 BFE0087C - mov [0356DCEC],7C08E0BF { 56024300,(0) }
0317520A - B9 980D31FD - mov ecx,FD310D98 { (0) }
0317520F - 48 C7 05 1B623F00 BC031B7B - mov qword ptr [0356B435],7B1B03BC { 56013877,(0) }
0317521A - 48 33 D1 - xor rdx,rcx
0317521D - 48 C7 44 24 10 5B762A45 - mov qword ptr [rsp+10],452A765B { (0) }
03175226 - 89 05 C6D23E00 - mov [035624F2],eax { 55977202 }
0317522C - 48 35 6423774D - xor rax,4D772364 { (0) }
03175232 - C7 05 FE043F00 D557C568 - mov [0356573A],68C557D5 { 55990074,(160) }
0317523C - 48 3B CA - cmp rcx,rdx
ANTI CHEAT 3 (block detection of VEH breakpoints and detection of undo of ntdll system dll changes, including AddVectoredException)
==============
02FA98FC - 0F89 D5050000 - jns 02FA9ED7
02FA98FC - E9 D6050000 - jmp 02FA9ED7
02FA9901 - 90 - nop
02FA985C - C7 05 5B7B3E00 D9474049 - mov [033913C1],494047D9 { 54072257,(0) }
02FA9866 - 48 8B 05 20D33E00 - mov rax,[03396B8D] { 54094733 }
02FA986D - B9 DEEF87A8 - mov ecx,A887EFDE { (0) }
02FA9872 - 48 C7 44 24 08 7F1B4381 - mov qword ptr [rsp+08],FFFFFFFF81431B7F { (0) }
02FA987B - 55 - push rbp
02FA987C - 48 C7 44 24 08 DEEB5627 - mov qword ptr [rsp+08],2756EBDE { (0) }
02FA9885 - 57 - push rdi
02FA9886 - 48 63 71 3C - movsxd rsi,dword ptr [rcx+3C]
02FA988A - 76 14 - jna 02FA98A0
02FA988C - C6 44 24 10 92 - mov byte ptr [rsp+10],-6E { 146 }
02FA9891 - 48 8B 05 C8791F00 - mov rax,[031A1260] { (-4746.39) }
02FA9898 - 48 89 05 31781F00 - mov [031A10D0],rax { (AE39A53C) }
02FA989F - 8B 15 AF7B1F00 - mov edx,[031A1454] { (-1767199543) }
02FA98A5 - 8B 05 BD761F00 - mov eax,[031A0F68] { (85515110) }
02FA98AB - 03 D0 - add edx,eax
02FA98AD - 8B 05 197B1F00 - mov eax,[031A13CC] { (923873121) }
02FA98B3 - 33 C2 - xor eax,edx
02FA98B5 - 89 05 49761F00 - mov [031A0F04],eax { (208) }
02FA98BB - F3 0F10 35 B5FA1E00 - movss xmm6,[03199378] { (1.77) }
02FA98C3 - 8B 0D BF751F00 - mov ecx,[031A0E88] { (5C1E0142) }
02FA98C9 - 8B 05 3D781F00 - mov eax,[031A110C] { (-1470657255) }
02FA98CF - 3B C8 - cmp ecx,eax
02FA98D1 - 76 22 - jna 02FA98F5
02FA98D3 - 48 8B 05 B6731F00 - mov rax,[031A0C90] { (-258825904) }
02FA98DA - 48 8B 0D 07741F00 - mov rcx,[031A0CE8] { (676241044) }
02FA98E1 - 48 2B C8 - sub rcx,rax
02FA98E4 - 48 8B 05 B57A1F00 - mov rax,[031A13A0] { (684DF730) }
02FA98EB - 48 33 C1 - xor rax,rcx
02FA98EE - 48 89 05 AB7A1F00 - mov [031A13A0],rax { (684DF730) }
02FA98F5 - E8 863BEEFF - call 02E8D480
02FA98FA - 85 C0 - test eax,eax
02FA98FC - 0F89 D5050000 - jns 02FA9ED7
02FA9902 - 48 8B 05 37761F00 - mov rax,[031A0F40] { (1271557805) }
02FA9909 - 48 8B 0D 08771F00 - mov rcx,[031A1018] { (524103020) }
02FA9910 - 48 2B C8 - sub rcx,rax
02FA9913 - 48 8B 05 5E802F00 - mov rax,[032A1978] { (1411036816) }
02FA991A - 48 33 C1 - xor rax,rcx
02FA991D - 48 89 05 9C751F00 - mov [031A0EC0],rax { (-56796513) }
02FA9924 - 65 48 8B 04 25 30000000 - mov rax,gs:[00000030] { 48 }
02FA992D - 48 8D 0D 44731F00 - lea rcx,[031A0C78] { (354300975) }
02FA9934 - 48 3B C8 - cmp rcx,rax
02FA9937 - 0F94 44 24 30 - sete byte ptr [rsp+30]
02FA993C - 0FB6 44 24 30 - movzx eax,byte ptr [rsp+30]
02FA9941 - 84 C0 - test al,al
02FA9943 - 0F84 9F010000 - je 02FA9AE8
02FA9949 - 48 8B 0D 88731F00 - mov rcx,[031A0CD8] { (127382192) }
02FA9950 - 48 8B 05 71791F00 - mov rax,[031A12C8] { (-476502051) }
02FA9957 - 48 33 C8 - xor rcx,rax
02FA995A - 48 89 0D FF7D1F00 - mov [031A1760],rcx { (8953C81E) }
02FA9961 - 8B 0D 15751F00 - mov ecx,[031A0E7C] { (0.00) }
02FA9967 - 8B 05 CB761F00 - mov eax,[031A1038] { (0.00) }
02FA996D - 03 C8 - add ecx,eax
02FA996F - 89 0D 37791F00 - mov [031A12AC],ecx { (-1464394131) }
02FA9975 - F3 0F10 15 0B7D1F00 - movss xmm2,[031A1688] { (Nan) }
02FA997D - F3 0F10 05 A77C1F00 - movss xmm0,[031A162C] { (Nan) }
02FA9985 - F3 0F58 D0 - addss xmm2,xmm0
02FA9989 - F3 0F10 0D 77751F00 - movss xmm1,[031A0F08] { (Nan) }
02FA9991 - F3 0F5C D1 - subss xmm2,xmm1
02FA9995 - F3 0F11 15 3F7C1F00 - movss [031A15DC],xmm2 { (Nan) }
02FA999D - 48 8B 05 94781F00 - mov rax,[031A1238] { (831552535) }
02FA99A4 - 48 8B 0D ED7F2F00 - mov rcx,[032A1998] { (-1709305119) }
ANTI CHEAT 4 (block scan of copy of .text page_guard that occurs roughly every several seconds)
===============
03149BCE - 0F85 0C80FFFF - jne 03141BE0
to:
03149BCE - EB FE - jmp 03149BCE
03149BD0 - 90 - nop
03149BD1 - 90 - nop
03149BD2 - 90 - nop
03149BD3 - 90 - nop
03149B59 - 48 33 C2 - xor rax,rdx
03149B5C - 48 89 05 2D760500 - mov [031A1190],rax { (-1622340404) }
03149B63 - 48 8B 0D CE720500 - mov rcx,[031A0E38] { (217711474) }
03149B6A - 48 8B 05 777D0500 - mov rax,[031A18E8] { (-35006009) }
03149B71 - 48 3B C1 - cmp rax,rcx
03149B74 - 73 10 - jae 03149B86
03149B76 - F3 0F10 05 1E720500 - movss xmm0,[031A0D9C] { (Nan) }
03149B7E - F3 0F11 05 52760500 - movss [031A11D8],xmm0 { (Nan) }
03149B86 - 8B 05 88700500 - mov eax,[031A0C14] { (1952190090) }
03149B8C - 4C 8D 15 81700500 - lea r10,[031A0C14] { (1952190090) }
03149B93 - 8B 0D 6F750500 - mov ecx,[031A1108] { ("I`PxH~???[b?jm?S") }
03149B99 - 49 B8 C91534EC900BE340 - mov r8,40E30B90EC3415C9 { 39004.53 }
03149BA3 - 2B C8 - sub ecx,eax
03149BA5 - 49 B9 7BD08E1EB55DA952 - mov r9,52A95DB51E8ED07B { 512675963 }
03149BAF - 89 0D C3720500 - mov [031A0E78],ecx { (-380994661) }
03149BB5 - 48 8D 05 5C7D0500 - lea rax,[031A1918] { (0.00) }
03149BBC - 8B 0D 567D0500 - mov ecx,[031A1918] { (0.00) }
03149BC2 - 41 BB 8C58C1CE - mov r11d,CEC1588C { (0) }
03149BC8 - 48 03 CE - add rcx,rsi
03149BCB - 48 3B C8 - cmp rcx,rax
03149BCE - 0F85 0C80FFFF - jne 03141BE0
03149BD4 - F3 0F10 0D 787B0500 - movss xmm1,[031A1754] { (Nan) }
03149BDC - 4C 8D 15 31700500 - lea r10,[031A0C14] { (1952190090) }
03149BE3 - F3 0F10 05 3D700500 - movss xmm0,[031A0C28] { (Nan) }
03149BEB - 0F2E C8 - ucomiss xmm1,xmm0
03149BEE - 0F8A EC7FFFFF - jp 03141BE0
03149BF4 - 4C 8D 15 19700500 - lea r10,[031A0C14] { (1952190090) }
03149BFB - 0F85 DF7FFFFF - jne 03141BE0
03149C01 - 48 8D 05 50750500 - lea rax,[031A1158] { (2.34) }
03149C08 - 4C 8D 15 05700500 - lea r10,[031A0C14] { (1952190090) }
03149C0F - 48 3B C6 - cmp rax,rsi
03149C12 - 0F85 C87FFFFF - jne 03141BE0
03149C18 - F3 0F10 15 887C0500 - movss xmm2,[031A18A8] { (Nan) }
03149C20 - F3 0F10 05 407B0500 - movss xmm0,[031A1768] { (Nan) }
03149C28 - F3 0F5C D0 - subss xmm2,xmm0
03149C2C - F3 0F58 15 E4770500 - addss xmm2,[031A1418] { (Nan) }
03149C34 - F3 0F58 15 2C7B0500 - addss xmm2,[031A1768] { (Nan) }
03149C3C - F3 0F10 0D 147A0500 - movss xmm1,[031A1658] { (Nan) }
03149C44 - F3 0F10 05 D8720500 - movss xmm0,[031A0F24] { (Nan) }
03149C4C - F3 0F59 C8 - mulss xmm1,xmm0
03149C50 - F3 0F58 CA - addss xmm1,xmm2
03149C54 - F3 0F11 0D 04770500 - movss [031A1360],xmm1 { (Nan) }
03149C5C - 48 8B 15 4D7A0500 - mov rdx,[031A16B0] { (1656933159) }
03149C63 - 48 8B 05 3E720500 - mov rax,[031A0EA8] { (-646485005) }
03149C6A - 48 8B 0D 0F730500 - mov rcx,[031A0F80] { (547056302) }
03149C71 - 48 0FAF D0 - imul rdx,rax
03149C75 - 48 8B 05 0C7D1500 - mov rax,[032A1988] { (541175851) }
best,
Cal
031751F9 - 48 8B 0D BF783E00 - mov rcx,[0355CABF] { 55954111 }
03175200 - C7 05 E28A3F00 BFE0087C - mov [0356DCEC],7C08E0BF { 56024300,(0) }
0317520A - B9 980D31FD - mov ecx,FD310D98 { (0) }
0317520F - 48 C7 05 1B623F00 BC031B7B - mov qword ptr [0356B435],7B1B03BC { 56013877,(0) }
0317521A - 48 33 D1 - xor rdx,rcx
0317521D - 48 C7 44 24 10 5B762A45 - mov qword ptr [rsp+10],452A765B { (0) }
03175226 - 89 05 C6D23E00 - mov [035624F2],eax { 55977202 }
0317522C - 48 35 6423774D - xor rax,4D772364 { (0) }
03175232 - C7 05 FE043F00 D557C568 - mov [0356573A],68C557D5 { 55990074,(160) }
0317523C - 48 3B CA - cmp rcx,rdx
ANTI CHEAT 3 (block detection of VEH breakpoints and detection of undo of ntdll system dll changes, including AddVectoredException)
==============
02FA98FC - 0F89 D5050000 - jns 02FA9ED7
02FA98FC - E9 D6050000 - jmp 02FA9ED7
02FA9901 - 90 - nop
02FA985C - C7 05 5B7B3E00 D9474049 - mov [033913C1],494047D9 { 54072257,(0) }
02FA9866 - 48 8B 05 20D33E00 - mov rax,[03396B8D] { 54094733 }
02FA986D - B9 DEEF87A8 - mov ecx,A887EFDE { (0) }
02FA9872 - 48 C7 44 24 08 7F1B4381 - mov qword ptr [rsp+08],FFFFFFFF81431B7F { (0) }
02FA987B - 55 - push rbp
02FA987C - 48 C7 44 24 08 DEEB5627 - mov qword ptr [rsp+08],2756EBDE { (0) }
02FA9885 - 57 - push rdi
02FA9886 - 48 63 71 3C - movsxd rsi,dword ptr [rcx+3C]
02FA988A - 76 14 - jna 02FA98A0
02FA988C - C6 44 24 10 92 - mov byte ptr [rsp+10],-6E { 146 }
02FA9891 - 48 8B 05 C8791F00 - mov rax,[031A1260] { (-4746.39) }
02FA9898 - 48 89 05 31781F00 - mov [031A10D0],rax { (AE39A53C) }
02FA989F - 8B 15 AF7B1F00 - mov edx,[031A1454] { (-1767199543) }
02FA98A5 - 8B 05 BD761F00 - mov eax,[031A0F68] { (85515110) }
02FA98AB - 03 D0 - add edx,eax
02FA98AD - 8B 05 197B1F00 - mov eax,[031A13CC] { (923873121) }
02FA98B3 - 33 C2 - xor eax,edx
02FA98B5 - 89 05 49761F00 - mov [031A0F04],eax { (208) }
02FA98BB - F3 0F10 35 B5FA1E00 - movss xmm6,[03199378] { (1.77) }
02FA98C3 - 8B 0D BF751F00 - mov ecx,[031A0E88] { (5C1E0142) }
02FA98C9 - 8B 05 3D781F00 - mov eax,[031A110C] { (-1470657255) }
02FA98CF - 3B C8 - cmp ecx,eax
02FA98D1 - 76 22 - jna 02FA98F5
02FA98D3 - 48 8B 05 B6731F00 - mov rax,[031A0C90] { (-258825904) }
02FA98DA - 48 8B 0D 07741F00 - mov rcx,[031A0CE8] { (676241044) }
02FA98E1 - 48 2B C8 - sub rcx,rax
02FA98E4 - 48 8B 05 B57A1F00 - mov rax,[031A13A0] { (684DF730) }
02FA98EB - 48 33 C1 - xor rax,rcx
02FA98EE - 48 89 05 AB7A1F00 - mov [031A13A0],rax { (684DF730) }
02FA98F5 - E8 863BEEFF - call 02E8D480
02FA98FA - 85 C0 - test eax,eax
02FA98FC - 0F89 D5050000 - jns 02FA9ED7
02FA9902 - 48 8B 05 37761F00 - mov rax,[031A0F40] { (1271557805) }
02FA9909 - 48 8B 0D 08771F00 - mov rcx,[031A1018] { (524103020) }
02FA9910 - 48 2B C8 - sub rcx,rax
02FA9913 - 48 8B 05 5E802F00 - mov rax,[032A1978] { (1411036816) }
02FA991A - 48 33 C1 - xor rax,rcx
02FA991D - 48 89 05 9C751F00 - mov [031A0EC0],rax { (-56796513) }
02FA9924 - 65 48 8B 04 25 30000000 - mov rax,gs:[00000030] { 48 }
02FA992D - 48 8D 0D 44731F00 - lea rcx,[031A0C78] { (354300975) }
02FA9934 - 48 3B C8 - cmp rcx,rax
02FA9937 - 0F94 44 24 30 - sete byte ptr [rsp+30]
02FA993C - 0FB6 44 24 30 - movzx eax,byte ptr [rsp+30]
02FA9941 - 84 C0 - test al,al
02FA9943 - 0F84 9F010000 - je 02FA9AE8
02FA9949 - 48 8B 0D 88731F00 - mov rcx,[031A0CD8] { (127382192) }
02FA9950 - 48 8B 05 71791F00 - mov rax,[031A12C8] { (-476502051) }
02FA9957 - 48 33 C8 - xor rcx,rax
02FA995A - 48 89 0D FF7D1F00 - mov [031A1760],rcx { (8953C81E) }
02FA9961 - 8B 0D 15751F00 - mov ecx,[031A0E7C] { (0.00) }
02FA9967 - 8B 05 CB761F00 - mov eax,[031A1038] { (0.00) }
02FA996D - 03 C8 - add ecx,eax
02FA996F - 89 0D 37791F00 - mov [031A12AC],ecx { (-1464394131) }
02FA9975 - F3 0F10 15 0B7D1F00 - movss xmm2,[031A1688] { (Nan) }
02FA997D - F3 0F10 05 A77C1F00 - movss xmm0,[031A162C] { (Nan) }
02FA9985 - F3 0F58 D0 - addss xmm2,xmm0
02FA9989 - F3 0F10 0D 77751F00 - movss xmm1,[031A0F08] { (Nan) }
02FA9991 - F3 0F5C D1 - subss xmm2,xmm1
02FA9995 - F3 0F11 15 3F7C1F00 - movss [031A15DC],xmm2 { (Nan) }
02FA999D - 48 8B 05 94781F00 - mov rax,[031A1238] { (831552535) }
02FA99A4 - 48 8B 0D ED7F2F00 - mov rcx,[032A1998] { (-1709305119) }
ANTI CHEAT 4 (block scan of copy of .text page_guard that occurs roughly every several seconds)
===============
03149BCE - 0F85 0C80FFFF - jne 03141BE0
to:
03149BCE - EB FE - jmp 03149BCE
03149BD0 - 90 - nop
03149BD1 - 90 - nop
03149BD2 - 90 - nop
03149BD3 - 90 - nop
03149B59 - 48 33 C2 - xor rax,rdx
03149B5C - 48 89 05 2D760500 - mov [031A1190],rax { (-1622340404) }
03149B63 - 48 8B 0D CE720500 - mov rcx,[031A0E38] { (217711474) }
03149B6A - 48 8B 05 777D0500 - mov rax,[031A18E8] { (-35006009) }
03149B71 - 48 3B C1 - cmp rax,rcx
03149B74 - 73 10 - jae 03149B86
03149B76 - F3 0F10 05 1E720500 - movss xmm0,[031A0D9C] { (Nan) }
03149B7E - F3 0F11 05 52760500 - movss [031A11D8],xmm0 { (Nan) }
03149B86 - 8B 05 88700500 - mov eax,[031A0C14] { (1952190090) }
03149B8C - 4C 8D 15 81700500 - lea r10,[031A0C14] { (1952190090) }
03149B93 - 8B 0D 6F750500 - mov ecx,[031A1108] { ("I`PxH~???[b?jm?S") }
03149B99 - 49 B8 C91534EC900BE340 - mov r8,40E30B90EC3415C9 { 39004.53 }
03149BA3 - 2B C8 - sub ecx,eax
03149BA5 - 49 B9 7BD08E1EB55DA952 - mov r9,52A95DB51E8ED07B { 512675963 }
03149BAF - 89 0D C3720500 - mov [031A0E78],ecx { (-380994661) }
03149BB5 - 48 8D 05 5C7D0500 - lea rax,[031A1918] { (0.00) }
03149BBC - 8B 0D 567D0500 - mov ecx,[031A1918] { (0.00) }
03149BC2 - 41 BB 8C58C1CE - mov r11d,CEC1588C { (0) }
03149BC8 - 48 03 CE - add rcx,rsi
03149BCB - 48 3B C8 - cmp rcx,rax
03149BCE - 0F85 0C80FFFF - jne 03141BE0
03149BD4 - F3 0F10 0D 787B0500 - movss xmm1,[031A1754] { (Nan) }
03149BDC - 4C 8D 15 31700500 - lea r10,[031A0C14] { (1952190090) }
03149BE3 - F3 0F10 05 3D700500 - movss xmm0,[031A0C28] { (Nan) }
03149BEB - 0F2E C8 - ucomiss xmm1,xmm0
03149BEE - 0F8A EC7FFFFF - jp 03141BE0
03149BF4 - 4C 8D 15 19700500 - lea r10,[031A0C14] { (1952190090) }
03149BFB - 0F85 DF7FFFFF - jne 03141BE0
03149C01 - 48 8D 05 50750500 - lea rax,[031A1158] { (2.34) }
03149C08 - 4C 8D 15 05700500 - lea r10,[031A0C14] { (1952190090) }
03149C0F - 48 3B C6 - cmp rax,rsi
03149C12 - 0F85 C87FFFFF - jne 03141BE0
03149C18 - F3 0F10 15 887C0500 - movss xmm2,[031A18A8] { (Nan) }
03149C20 - F3 0F10 05 407B0500 - movss xmm0,[031A1768] { (Nan) }
03149C28 - F3 0F5C D0 - subss xmm2,xmm0
03149C2C - F3 0F58 15 E4770500 - addss xmm2,[031A1418] { (Nan) }
03149C34 - F3 0F58 15 2C7B0500 - addss xmm2,[031A1768] { (Nan) }
03149C3C - F3 0F10 0D 147A0500 - movss xmm1,[031A1658] { (Nan) }
03149C44 - F3 0F10 05 D8720500 - movss xmm0,[031A0F24] { (Nan) }
03149C4C - F3 0F59 C8 - mulss xmm1,xmm0
03149C50 - F3 0F58 CA - addss xmm1,xmm2
03149C54 - F3 0F11 0D 04770500 - movss [031A1360],xmm1 { (Nan) }
03149C5C - 48 8B 15 4D7A0500 - mov rdx,[031A16B0] { (1656933159) }
03149C63 - 48 8B 05 3E720500 - mov rax,[031A0EA8] { (-646485005) }
03149C6A - 48 8B 0D 0F730500 - mov rcx,[031A0F80] { (547056302) }
03149C71 - 48 0FAF D0 - imul rdx,rax
03149C75 - 48 8B 05 0C7D1500 - mov rax,[032A1988] { (541175851) }
best,
Cal
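Added example, written for this page and not code from either poster, from Cheat Engine or from Arbiter.dll: a small C matcher for wildcard byte signatures of the kind listed under ANTI CHEAT 2 above. It parses the signature string into fixed bytes plus a match mask and slides it over a buffer, which is exactly the byte-mask matching that memory scanners and AV signature engines perform. The buffer is constructed test data: the encoded bytes of 0317517A..031751A4 as they appear in the listing, preceded by three filler bytes, so the expected hit is offset 3. The `??` positions in the signature are the RIP-relative displacements and immediates that move between builds, which is why they are masked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SIG_MAX 128

/* Map one hex digit to its value, or -1 for anything else. */
static int hex_nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse a Cheat Engine / IDA style signature ("0F 85 ?? ?? 8B 05") into byte
 * values plus a mask (1 = byte must match, 0 = wildcard).
 * Returns the pattern length, or 0 if the signature is malformed or too long. */
size_t parse_signature(const char *sig, uint8_t *bytes, uint8_t *mask, size_t cap) {
    size_t n = 0;
    while (*sig != '\0') {
        while (*sig == ' ') sig++;
        if (*sig == '\0') break;
        if (n == cap) return 0;
        if (*sig == '?') {
            bytes[n] = 0; mask[n] = 0;          /* wildcard byte */
            while (*sig == '?') sig++;
        } else {
            int hi = hex_nibble(sig[0]), lo = hex_nibble(sig[1]);
            if (hi < 0 || lo < 0) return 0;     /* not two hex digits */
            bytes[n] = (uint8_t)(hi * 16 + lo); mask[n] = 1;
            sig += 2;
        }
        n++;
    }
    return n;
}

/* Naive scan: byte offset of the first match of sig in buf, or -1 if absent. */
long find_signature(const uint8_t *buf, size_t len, const char *sig) {
    uint8_t bytes[SIG_MAX], mask[SIG_MAX];
    size_t n = parse_signature(sig, bytes, mask, SIG_MAX);
    if (n == 0 || n > len) return -1;
    for (size_t i = 0; i + n <= len; i++) {
        size_t j = 0;
        while (j < n && (!mask[j] || buf[i + j] == bytes[j])) j++;
        if (j == n) return (long)i;
    }
    return -1;
}

/* The signature quoted in the post above: the jne at 0317517A and the
 * instructions after it, with every relocatable operand wildcarded. */
const char *kAntiCheat2Signature =
    "0F 85 ?? ?? ?? ?? 8B 05 ?? ?? ?? ?? 89 05 ?? ?? ?? ?? 8B 05 ?? ?? ?? ?? "
    "B9 ?? ?? ?? ?? 2B C8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B 4D BF";

/* Constructed scan region: three filler NOPs, then the encoded bytes of
 * 0317517A..031751A4 copied from the listing (test data, not a memory dump). */
const uint8_t kScanRegion[] = {
    0x90, 0x90, 0x90,
    0x0F, 0x85, 0x40, 0x6F, 0xFD, 0xFF,        /* jne 0314C0C0          */
    0x8B, 0x05, 0x42, 0xBF, 0x02, 0x00,        /* mov eax,[031A10C8]    */
    0x89, 0x05, 0x44, 0xBC, 0x02, 0x00,        /* mov [031A0DD0],eax    */
    0x8B, 0x05, 0x2E, 0xC4, 0x02, 0x00,        /* mov eax,[031A15C0]    */
    0xB9, 0x39, 0xC8, 0x8B, 0x36,              /* mov ecx,368BC839      */
    0x2B, 0xC8,                                /* sub ecx,eax           */
    0x89, 0x0D, 0x31, 0xC7, 0x02, 0x00,        /* mov [031A18D0],ecx    */
    0xB8, 0xFC, 0x1A, 0x19, 0xBB,              /* mov eax,BB191AFC      */
    0x8B, 0x4D, 0xBF,                          /* mov ecx,[rbp-41]      */
};

/* Offset at which the ANTI CHEAT 2 signature lands in the constructed region. */
long anticheat2_offset(void) {
    return find_signature(kScanRegion, sizeof kScanRegion, kAntiCheat2Signature);
}

int main(void) {
    printf("signature found at offset %ld\n", anticheat2_offset());
    return 0;
}
```

The matcher is deliberately the plain O(n*m) form; for a real scanner over a whole module you would first filter on the leading fixed bytes, but the masking logic is the part that matters here.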
Re: Halo Infinite
Man, this is your modus operandi:
- you test 60% of the shit
- you assume the rest 40% of it and want to forcefully make the world believe you
- since you give a shit on the terminology, you end-up using words you've gotten used to for YOUR LEVEL of knowledge for years and they stuck
- when someone like me CORRECTS you, you act like all the retarded human beings who go "good thing you know it all", instead of evaluating what I said and deciding whether or not to accept
- you just jump to replying in mid-read of the post, instead of finishing reading everything
- at the same time you call yourself RESPECTED and say "in my reversing experience".. well, your experience vs. the wording you use == paradox
- considering the first 3-4 bullets above, you WANT PEOPLE TO RESPECT you, when you DON'T RESPECT YOURSELF
Your contributions are fine, I never denied what you posted (the parts that make sense, anyway). All I said is 50% of the shit you wrote is inaccurate and not necessarily because of the wording you use, but mostly cuz you went up to a point with the analysis, then assumed the remaining mile without concrete proof.
Who cares? YOU should. And if YOU don't care, but at the same time demand to be respected, then.. if you don't respect yourself with the attitude you're showing while rejecting being corrected here and there, just cuz I am who I am and you hate me, how can you expect someone of your league to respect you back when they see some of the retarded shit you post? The difference between them and me: they ignore you. Maybe I should start doing the same, going neutral and not hinting at all at what you post, no quotes, just talk impersonal. Want me to do that? I can do that just fine.
I'm neurotic? Here:
That's what's gotten me to post all of this. It was fine what you started with posting here, it was fine what I read on UC, but this post on CH really told me you're like a fucking "novel" gas: unstable. What's sad is a lot of people who don't intersect the game-hacking world end up believing the crap you spew and that's how we get another Trump. That's how people end-up being molded into what you want them to be. By giving a shit and believing what others told them. Cuz Caliber is better than them and "he knows his shit". That's what's happening at CH. Brain-washing with "CRC", "manually mapped", "scan thread" and other crap that isn't fucking appropriate for the context of whatever the fuck Arbiter.dll is doing T_T So spare me with the "I don't give a fuck how it's called", as other people literally take by heart what you write. So fucking start having a backbone and address the shit you post, when called on, rather than using your hate for me or belittling to escape correcting yourself.
We're all human beings, we're all stupid. But up to a point. Wanting to evolve is a choice. If you don't want to evolve, then fucking don't vent on me for still calling you stupid. Cuz that was your choice to begin with: to remain at the same level of knowledge, grammar ("and faking that it's doing it's job" -- its job, not it's job; possessive, not "it is"), attitude and whatever the fuck you've been employing in your own, convoluted way, for years. Your "ton of trainers a day/month/year" falsely got you to believe you're permitted anything in the open world, but every once in a while you should just fucking accept a slap. That's what Jesus did, remember? He turned the other cheek.
And just like in many other times across the years, CH has turned from that big ass post in the image above where "we won't train the game" to "This pretty much made our trainer immune to detection". So after you've belittled every other trainer out there that worked how it worked, but hey, it worked, you now go "we now have ours". Well, prick, how about you grow a pair and accept the fact that others BEFORE you can come up with ways - even if partially working - that train a game BEFORE CH? That's what you can't stand: the fact that CEV and FL1NG and others have a working trainer (I give a fuck if partially working) and you don't. That's your problem. That's why all this belittling of their work and justifying why CH hasn't done shit. At the same time contradicting yourself in that post that you'd get people banned due to the game's anti-cheat, when all you care about is being able to debug executable code and writing hooks T_T And nothing else.
But hey, kudos for being able to at least have discovered this much, so yeah, you do have some reversing knowledge. You just don't want to improve it, as you don't care much for it. You need it up to the point where it gets the job done and you have a working trainer. Then you forget everything till you need it again.
Re: Halo Infinite
Now.. by the core logic of what you posted as "ANTI CHEAT X", which is causing an infinite loop in several places, you could do this for testing:
- attach the debugger to Halo Infinite
Just attaching won't get you detected. The protection isn't detecting CE's VEH, it's detecting hardware breakpoints (another thing you're wrongly flaunting here and there, "VEH here, VEH there, VEH everywhere"; no, it's hardware breakpoints).
- open the Debug Events window
Then you will see this:
Start inspecting each of those, you will see the shell code isn't destroyed or recreated, therefore static once game's initialized. Double-click each, then go to the RIPs:
1B6CE972CA0 - 48 31 C0 - xor rax,rax
1B6CE972CA3 - 48 C7 C0 01000000 - mov rax,00000001
1B6CE972CAA - C3 - ret
This one makes sure the RAX register of a hardware breakpoint (context) always returns 1. Once out, in the SEH, if the value is any different, RIP changes and game crashes.
1B6CE4AE51C - CD 2C - int 2C
1B6CE4AE51E - EB 04 - jmp 1B6CE4AE524
1B6CE4AE520 - 8B 44 24 20 - mov eax,[rsp+20]
1B6CE4AE524 - 83 F8 01 - cmp eax,01
1B6CE4AE527 - 75 19 - jne 1B6CE4AE542
1B6CE4AE529 - 45 33 C0 - xor r8d,r8d
1B6CE4AE52C - 33 D2 - xor edx,edx
1B6CE4AE52E - B9 C46EF59F - mov ecx,9FF56EC4
1B6CE4AE533 - E8 A873FEFF - call 1B6CE4958E0
1B6CE4AE538 - B8 C46EF59F - mov eax,9FF56EC4
1B6CE4AE53D - 48 83 C4 38 - add rsp,38
1B6CE4AE541 - C3 - ret
1B6CE4AE542 - B8 FAFEE70D - mov eax,0DE7FEFA
1B6CE4AE547 - 48 83 C4 38 - add rsp,38
1B6CE4AE54B - C3 - ret
This one causes the INT 2C interrupt detection. How does it work: both 2C and 2E interrupts slide over to the next instruction + set RDX to next RIP, which ends-up being incorrect if stepped. Exception caused and caught by the hook placed @ RtlAddVectoredExceptionHandler. Crash.
1B6CE4AE56D - EB 04 - jmp 1B6CE4AE573
1B6CE4AE56F - 8B 44 24 20 - mov eax,[rsp+20]
1B6CE4AE573 - 83 F8 01 - cmp eax,01
1B6CE4AE576 - 75 19 - jne 1B6CE4AE591
1B6CE4AE578 - 45 33 C0 - xor r8d,r8d
1B6CE4AE57B - 33 D2 - xor edx,edx
1B6CE4AE57D - B9 06B3C083 - mov ecx,83C0B306
1B6CE4AE582 - E8 5973FEFF - call 1B6CE4958E0
1B6CE4AE587 - B8 06B3C083 - mov eax,83C0B306
1B6CE4AE58C - 48 83 C4 38 - add rsp,38
1B6CE4AE590 - C3 - ret
1B6CE4AE591 - B8 FAFEE70D - mov eax,0DE7FEFA
1B6CE4AE596 - 48 83 C4 38 - add rsp,38
1B6CE4AE59A - C3 - ret
Checks on the RAX register's value on return. If not 1, boom. Explode.
1B6CE4AE276 - 8B 05 4C2F3C00 - mov eax,[1B6CE8711C8]
1B6CE4AE27C - 8B 0D A6343C00 - mov ecx,[1B6CE871728]
1B6CE4AE282 - 2B C8 - sub ecx,eax
1B6CE4AE284 - 8B 15 0E313C00 - mov edx,[1B6CE871398]
1B6CE4AE28A - 33 D1 - xor edx,ecx
1B6CE4AE28C - 8B 05 5A2F3C00 - mov eax,[1B6CE8711EC]
1B6CE4AE292 - 33 C2 - xor eax,edx
1B6CE4AE294 - 89 05 422E3C00 - mov [1B6CE8710DC],eax
1B6CE4AE29A - F3 0F10 05 A6B23B00 - movss xmm0,[1B6CE869548]
1B6CE4AE2A2 - F3 0F11 05 9E313C00 - movss [1B6CE871448],xmm0
1B6CE4AE2AA - F3 0F10 15 EA353C00 - movss xmm2,[1B6CE87189C]
1B6CE4AE2B2 - F3 0F10 0D A62E3C00 - movss xmm1,[1B6CE871160]
1B6CE4AE2BA - 0F2F D1 - comiss xmm2,xmm1
1B6CE4AE2BD - 0F86 03020000 - jbe 1B6CE4AE4C6
1B6CE4AE2C3 - 65 48 8B 04 25 30000000 - mov rax,gs:[00000030]
1B6CE4AE2CC - 48 B9 9467FE8A1DFEFD42 - mov rcx,42FDFE1D8AFE6794
1B6CE4AE2D6 - 48 3B C1 - cmp rax,rcx
..
..
1B6CE4AE4BA - F3 0F5C C8 - subss xmm1,xmm0
1B6CE4AE4BE - F3 0F11 0D 62273C00 - movss [1B6CE870C28],xmm1
1B6CE4AE4C6 - B8 FAFEE70D - mov eax,0DE7FEFA
1B6CE4AE4CB - 48 83 C4 38 - add rsp,38
1B6CE4AE4CF - C3 - ret
1B6CE4AE4D0 - 48 8B 05 29293C00 - mov rax,[1B6CE870E00]
1B6CE4AE4D7 - 48 05 8014AB2D - add rax,2DAB1480
1B6CE4AE4DD - 48 89 05 D42A3C00 - mov [1B6CE870FB8],rax
1B6CE4AE4E4 - 45 33 C0 - xor r8d,r8d
1B6CE4AE4E7 - 33 D2 - xor edx,edx
1B6CE4AE4E9 - B9 B734BBF9 - mov ecx,F9BB34B7
1B6CE4AE4EE - E8 ED73FEFF - call 1B6CE4958E0
1B6CE4AE4F3 - B8 B734BBF9 - mov eax,F9BB34B7
1B6CE4AE4F8 - 48 83 C4 38 - add rsp,38
1B6CE4AE4FC - C3 - ret
Checks the integrity of the first 3. This one is the shell code hashed by Arbiter.dll here:
Arbiter.dll+3000 - 48 8B C1 - mov rax,rcx
Arbiter.dll+3003 - 4D 85 C0 - test r8,r8
Arbiter.dll+3006 - 74 1F - je Arbiter.dll+3027
Arbiter.dll+3008 - 0FB6 0A - movzx ecx,byte ptr [rdx]
Arbiter.dll+300B - 48 33 C8 - xor rcx,rax
Arbiter.dll+300E - 48 B8 B301000000010000 - mov rax,00000100000001B3
Arbiter.dll+3018 - 48 0FAF C8 - imul rcx,rax
Arbiter.dll+301C - 49 FF C8 - dec r8
Arbiter.dll+301F - 48 FF C2 - inc rdx
Arbiter.dll+3022 - E9 D9FFFFFF - jmp Arbiter.dll+3000
Arbiter.dll+3027 - C3 - ret
This last bit is something you posted and contributed with.
How to turn all of that into programming and include it in a trainer, that.. I leave it up to your coding skills.
But, like I said, there are multiple OTHER TRIGGERS in the game code that don't need a thread or exception. They're spliced throughout the normal code, in the execution of a regular function and so on. So your EBFE freezes here and there will still get detected at some point. Considering the patches you posted are also temporary, you're no better than all of the other trainers you've belittled.. You might want to pat your back and say "hey, at least mine is somewhat better", but we both know your trainer will still crash the game. Good luck with the customer support.
LE: I rest my case..
Sure, better, but still crashing. Kinda sux to see that being written about your trainer, right? Just like you belittled others' trainers..
I'll get back to my "proper definitions and condescending noodling". Ta ta.
BR,
Sun
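Added example, not from the thread and not Arbiter.dll code: the loop disassembled at Arbiter.dll+3000 in the post above, written out in C. Reading the registers off the listing, rcx carries the running hash (returned in rax), rdx the byte pointer and r8 the count, and each step is hash = (hash ^ byte) * 0x100000001B3, which is the 64-bit FNV-1a round. The initial rcx the game passes is not on the page, so the standard FNV offset basis is assumed here; that makes the output checkable against the published FNV-1a vectors. The second half shows how such a hash, recorded over the known-good six bytes of the jne at 03149BCE, flags the EB FE 90 90 90 90 patch posted for it earlier in the thread, which is the detection a block scan of code relies on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The multiplier loaded at Arbiter.dll+300E. */
#define FNV64_PRIME 0x100000001B3ULL

/* ASSUMPTION: the caller's initial rcx is not visible on the page; the
 * standard FNV offset basis is used so results match published test vectors. */
#define FNV64_BASIS 0xCBF29CE484222325ULL

/* C rendering of Arbiter.dll+3000..3027:
 *   rax = rcx                       (running hash)
 *   while (r8 != 0) {
 *       rcx = (byte [rdx] ^ rax) * 0x100000001B3;
 *       r8--; rdx++; rax = rcx;
 *   }
 *   return rax;
 * which is the FNV-1a 64-bit step applied to every byte. */
uint64_t fnv1a64_seeded(uint64_t hash, const uint8_t *p, size_t n) {
    while (n--) {
        hash ^= *p++;            /* movzx ecx,[rdx] ; xor rcx,rax ; inc rdx */
        hash *= FNV64_PRIME;     /* imul rcx,rax with rax = prime         */
    }
    return hash;
}

/* Integrity check as a block scanner performs it: hash the live bytes of a
 * region and compare against the value recorded when the region was pristine. */
int region_tampered(uint64_t recorded, const uint8_t *live, size_t n) {
    return fnv1a64_seeded(FNV64_BASIS, live, n) != recorded;
}

/* Constructed test data: the six bytes of "jne 03141BE0" at 03149BCE as listed
 * in the thread, and the "jmp $ / nop x4" patch posted in its place. */
const uint8_t kOriginalJne[6] = { 0x0F, 0x85, 0x0C, 0x80, 0xFF, 0xFF };
const uint8_t kPatchedLoop[6] = { 0xEB, 0xFE, 0x90, 0x90, 0x90, 0x90 };

/* Record the hash of the pristine bytes, then re-check both copies against it.
 * Returns 1 when the pristine copy passes and the patched copy is flagged. */
int patch_is_detected(void) {
    uint64_t recorded = fnv1a64_seeded(FNV64_BASIS, kOriginalJne, sizeof kOriginalJne);
    return !region_tampered(recorded, kOriginalJne, sizeof kOriginalJne)
         && region_tampered(recorded, kPatchedLoop, sizeof kPatchedLoop);
}

int main(void) {
    uint64_t h = fnv1a64_seeded(FNV64_BASIS, (const uint8_t *)"a", 1);
    printf("fnv1a64(\"a\") = %016llx\n", (unsigned long long)h);
    printf("EB FE patch flagged by block hash: %s\n", patch_is_detected() ? "yes" : "no");
    return 0;
}
```

Because the hash is seeded from the caller, the same routine can produce a different digest per scanned block without the check itself changing; comparing against a stored value is what turns the hash loop into the "block scan" described in the earlier post.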
- caliber1942
- Expert Cheater
- Posts: 98
- Joined: Thu Oct 17, 2019 5:15 pm
- Reputation: 219
Re: Halo Infinite
VEH HARDWARE breakpoints..
Try using software breakpoints.
The 'infinite loop' is what my solution is. Otherwise the THREADS run over and over.
I don't CARE about the VEH HARDWARE breakpoint detection stuff that you posted. I made a LOOP in place that won't call those functions anymore, then unpatched the patched system .dll mods, and can breakpoint using VEH HARDWARE BREAKPOINTS all day.
I already said there may be MORE detections or scanners. Clearly if you make a change to the .text of the .exe, eventually it's "caught" but seems to be more some sort of detection of page_guard being modified. I am honestly saying it could also be another scanner that fires off 'here and there'.
We get another (or to begin with) TRUMP because people have had enough BULLSHIT. MAGA is a movement beyond ONE MAN. Right now we have an IDIOT called BIDEN, who is a brainless jello walking corpse puppet. Ruinous to the economy, our freedoms, and the "American" way.
I contributed here with NO animosity, no dick waving, no NOTHING. YOU are the one being the 'know it all' asshole putting out the 'better than me' attitude. I also congratulated you for your explanations and gave REP. The mirror is something you have a problem peering into, but it would do you some good to do so every now and then. EVOLVE, even.. But it's just not who you are, or what you can do.
My reactions to your shit is why you don't like me. Well, I just don't take it from you like these other people do. You have the MOD power here, so enjoy your power trip, changing the name of our site, rewriting what I wrote, banning, modifying. But in the end, you are who you are, and you aren't what you aren't.. I don't have to 'do' or 'be' a damn thing I don't want to be or do because 'Sunbeam' said so. I am content, bro. You might think these tirades and reactions, and all of this shit you pontificate and write is somehow making you look 'good', but it's not. And you do it EVERYWHERE.
"So fucking start having a backbone and address the shit you post, when called on, rather than using your hate for me or belittling to escape correcting yourself."<-- I have no intention to undo or unwrite anything. It's written as I wanted, and the information is correct and good. YOU CHANGE IT if you don't like my terms or explanation. I haven't BELITTLED YOU until you STARTED THE SHIT, bro. Maybe (again), go back and see where it 'all goes wrong' here. It's YOU that has an issue with how and what I wrote, and NOTHING I wrote was combative or derisive of you, or inaccurate in any way. "other people literally take by heart what you write"<-- not like you do, and unfortunately.. CH and Caliber is ON THE BRAIN in seriously unhealthy ways.
All the trainers, including ours, have the same method of working, and also of being detected. I've added these bypasses/code changes to try and minimize that, but in the end nothing I said is incorrect. There is no 100% bypass and no trainer that works without detection, especially if you use it carelessly.
" You need it up to the point where it gets the job done and you have a working trainer."<-- yes because I have more work and things to support than you can possibly imagine.
"Then you forget everything till you need it again."<-- conjecture.
As a side note, I don't think I've seen a thread in a coding forum anywhere that includes Trump, Jesus, and game hacking all in the same thread. At any rate, there is good content here, if you can get the BIG HEADED BULLSHIT out of the way.
Re: Halo Infinite
To be honest, I am seeing the same ol' Calibur I've known for years: scan, debug, trainer. He only acts like he wants to contribute when he wants to brag or has really hit a wall. Like he's vented here, at UC and back at CH. Once there's a solution, however tiny, he's out. Cuz {insert all the known modus operandi reasons he's invoked across years}. He's more often than not not associating himself with CH or his boss, yet both have the same habits: blowing shit out of proportion, cuz that's what they learned in marketing school:
"I just want to chime in here and reiterate that we are still actively looking at this game in-between the thousands of other games that also require our attention."
I'd fucking like to know how it is humanly possible for 4 people @ CH to "look at THOUSANDS of games". Man, that queue must be looooooooong as fuck, since they've opened up shop. They've been looking at thousands of games since.. 2001 when they started. I, myself, don't have 1000 games in my Steam library T_T. So fuck off already with the euphemisms and figures of speech.
Reason I brought the above into discussion: Calibur's seen his saddle on the horse and now will abandon the fort. He doesn't care for a real solution, he's done his temp-trainer, everyone's happy, boss and pleb. Neeeeeext. At most he's gonna barge back here to extend the proposal to me: "why don't you break it? let's see you do it" like in all those many other times in the past. But reading on this, he probably won't say shit. Or will he? I have a feeling I know how TRIGGERS work (oops, used another word he's used to).
Fist fight? I'd rather hit a tree.
Re: Halo Infinite
Yeah, you might wanna take your so called solution and throw it out.
caliber1942 wrote: ↑Tue Dec 14, 2021 11:45 pm
VEH HARDWARE breakpoints..
Try using software breakpoints.
The 'infinite loop' is what my solution is. Otherwise the THREADS run over and over.
I don't CARE about the VEH HARDWARE breakpoint detection stuff that you posted. I made a LOOP in place that won't call those functions anymore, then unpatched the patched system .dll mods, and can breakpoint using VEH HARDWARE BREAKPOINTS all day.
I already said there may be MORE detections or scanners. Clearly if you make a change to the .text of the .exe, eventually it's "caught" but seems to be more some sort of detection of page_guard being modified. I am honestly saying it could also be another scanner that fires off 'here and there'.
To be as blunt as possible without being rude...
Your trainer for Infinite has insanely basic functionality, and how you show your understanding of this ac definitely shows why that is...
"I made a LOOP in place that won't call those functions anymore"
Now if only that were the case, but from my own testing and research, I've done this and it does not work reliably at all.
I have a pretty solid idea of the long journey you took trying to do something so redundant.
Also, don't quote me but I believe Sunbeam did mention a heartbeat that will run integrity scans every "x" seconds. So that alone I know from testing invalidates your solution.
Even loopy looping scans doesn't circumvent checks. They are hardcoded in areas of memory you clearly don't have access to seeing as the Infinite trainer on CH already apparently doesn't work.
Also, you said "then unpatched the patched system .dll mods". Yeah again, unfortunately this was giving us crashes when reverting patches.
Super fun fact, I don't even bother with trying to stop the checks, because I can just breakpoint as much as I want without doing a thing.
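As an added illustration of the point the last few posts argue over (a heartbeat integrity scan catching in-place patches, versus breakpoints that need no patch at all), here is a small C model of such a scanner. This is my own example, not code from SunBeam, caliber1942, Suspect, 343 or any trainer, and everything in it is constructed: the fake .text buffer, the 64-byte "pages", the FNV-1a hash and the debug-register struct are stand-ins for whatever Arbiter actually does, not its real layout or algorithm. What it shows is why caliber's "loop in place" (jmp $, bytes EB FE) or a software breakpoint (INT3, byte CC) is flagged on the next rescan even if the scanner thread was briefly neutered, while a hardware breakpoint in DR0-DR3 never touches the code bytes and is invisible to a byte hash.

```c
/*
 * Added example (not from any poster in this thread): a page-granular
 * code-integrity scanner of the kind the thread calls a "heartbeat" or
 * "CRC"/hash check. The code region is a constructed byte buffer, not
 * Halo Infinite code; the 64-byte page size only keeps the demo small
 * (real scanners work on 4 KiB pages or whole sections).
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE   64u
#define NPAGES      4u
#define REGION_SIZE (PAGE_SIZE * NPAGES)

/* FNV-1a 64-bit: small and fast, detects any single-byte change. Not a MAC:
 * whoever can find and rewrite the baseline table can forge it, which is
 * one reason anti-cheats hide the scanner thread and its data. */
static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

typedef struct {
    uint8_t  code[REGION_SIZE];   /* the protected ".text" bytes */
    uint64_t baseline[NPAGES];    /* per-page hash taken at startup */
} region_t;

/* Fill the region with a constructed, recognisable instruction stream
 * (repeated "mov eax,1 ; ret") and record the baseline hashes. */
void region_init(region_t *r) {
    static const uint8_t stub[] = { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 };
    for (size_t i = 0; i < REGION_SIZE; i++)
        r->code[i] = stub[i % sizeof stub];
    for (unsigned pg = 0; pg < NPAGES; pg++)
        r->baseline[pg] = fnv1a64(r->code + pg * PAGE_SIZE, PAGE_SIZE);
}

/* One heartbeat tick: rehash every page, return a bitmask of pages whose
 * hash no longer matches (0 == clean). A real scanner would then pause or
 * close the game, which is what the thread calls "getting detected". */
unsigned region_scan(const region_t *r) {
    unsigned dirty = 0;
    for (unsigned pg = 0; pg < NPAGES; pg++)
        if (fnv1a64(r->code + pg * PAGE_SIZE, PAGE_SIZE) != r->baseline[pg])
            dirty |= 1u << pg;
    return dirty;
}

/* Simulated patches a trainer might apply. */
void patch_int3(region_t *r, size_t off)     { r->code[off] = 0xCC; }                    /* software breakpoint */
void patch_jmp_self(region_t *r, size_t off) { r->code[off] = 0xEB; r->code[off + 1] = 0xFE; } /* "loop in place" */
void restore_bytes(region_t *r, size_t off, const uint8_t *orig, size_t n) { memcpy(r->code + off, orig, n); }

/* A hardware breakpoint only writes a debug register (modelled here as a
 * plain struct); the code bytes are untouched, so a byte hash sees nothing.
 * Detecting it needs a different check (reading the thread context), which
 * is the "VEH hardware breakpoint detection" the posts mention separately. */
typedef struct { uint64_t dr0, dr7; } dbgregs_t;
void set_hw_breakpoint(dbgregs_t *d, uint64_t addr) { d->dr0 = addr; d->dr7 |= 1ULL; /* L0 enable */ }

int main(void) {
    region_t r; region_init(&r);
    dbgregs_t d = { 0, 0 };
    printf("clean:         %#x\n", region_scan(&r));
    set_hw_breakpoint(&d, 0x140001000ULL);         /* hypothetical address */
    printf("after hw bp:   %#x\n", region_scan(&r)); /* still 0 */
    patch_int3(&r, 5);                               /* lands in page 0 */
    patch_jmp_self(&r, 130);                         /* lands in page 2 */
    printf("after patches: %#x\n", region_scan(&r)); /* 0x5 = pages 0 and 2 */
    return 0;
}
```

The mask tells you which page tripped, which is the granularity a scanner needs to decide between "page_guard tampered" style reports and a whole-section mismatch; restoring the bytes before the next tick (as caliber describes for the system .dll patches) clears that page's bit, but only if the restore happens before the scan and without a crash in between.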
Re: Halo Infinite
Just seeing what he posts, in relation to my own research and other documentation thus far.. His solution (which it's not) works as well as his trainer. Just trying to understand why he posts with that inflated ego amazes me truly.
SunBeam wrote: ↑Wed Dec 15, 2021 7:10 pm
At most he's gonna barge back here to extend the proposal to me: "why don't you break it? let's see you do it" like in all those many other times in the past. But reading on this, he probably won't say shit. Or will he? I have a feeling I know how TRIGGERS work (oops, used another word he's used to).
Re: Halo Infinite
The mere NFO of the trainer implies the same crap: "probably best to use this sparingly and when facing tough enemies or a large group [...] This basically will remove the shields and set health to low value. NOTE that this will do this to YOU as well". I'm sure we're the stupid ones for not knowing what, where, why and he's the only one who could teach us nubs how his options work. Bottom line: it's no better than any other trainer out there, not to mention the infinite loop "method" isn't used at all. I really doubt he's figured out anything else in the meantime. And since his CH trainer is used by CH members, his bragging has no place on this forum.
Suspect wrote: ↑Wed Dec 15, 2021 7:24 pm
Just seeing what he posts, in relation to my own research and other documentation thus far.. His solution (which it's not) works as well as his trainer. Just trying to understand why he posts with that inflated ego amazes me truly.
SunBeam wrote: ↑Wed Dec 15, 2021 7:10 pm
At most he's gonna barge back here to extend the proposal to me: "why don't you break it? let's see you do it" like in all those many other times in the past. But reading on this, he probably won't say shit. Or will he? I have a feeling I know how TRIGGERS work (oops, used another word he's used to).
I'm not interested in this game at all, I've not played it since all of this started. I was just curious, made my observations and discoveries, learned some nice things, like what I'm seeing from the perspective of a user-mode anti-cheat -- imagine others went overkill with kernel drivers, EAC, BattlEye, while 343 is doing it very nicely in user-mode... pffft -- and am done with this crap. I believe it can be done, though I also believe it's too time consuming and will require someone with dedication, checking this 24/7 or 3/7 days a week, focusing on JUST this subject alone (not playing the game). Wanna mark it down that SunBeam wasn't able to do shit about Halo Infinite? Fine by me.
Please have at it, I too wanna enjoy my popcorn. There's already at least 1 user infirming all the shit he's claimed to have done...
P.S.: I did suggest correcting himself, but no. When it comes to hashing and integrity checks, he calls them "CRC". When it comes to kernel mode and user mode, he calls the latter one "ring3". Which is correct. But hey, "user mode" versus "ring3" doesn't make you look smart.. All this mumbling as he pleases, calling some terms the proper way while others the wrong way shows the degree of stability and wanna-be "reverse engineering" experience. Cool, I'm out.
- Chrisfearless
- Expert Cheater
- Posts: 122
- Joined: Sun Sep 23, 2018 5:24 pm
- Reputation: 16
Re: Halo Infinite
This is without sarcasm the most amazing thread I've read on this forums so far. Sun and Cal giving each other flak while providing AMAZING and OUTERWORLDLY tech infos about the whole Arbiter protection scheme.
Great discoveries and superb information gentlemen, kudos.
Re: Halo Infinite
Great info here and thank you for sharing SunBeam and Caliber1942.
Lots of hacking and fun, although I wouldn't be here if 343 support would support me..
I am Linux based in many things and hacked on cryptocurrency software for privacy and am based in Windows growing up hacking Windows ME. I remember when 1 5mb song download took all day to download hehe.
Anyhow, I want to debug my haloinfinite.exe and it seems with VS and CE (after or without modifying CE.exe) it only freezes my gameplay after or during HaloInfinite launch.
I am very new to the overlay of Windows hacking and debugging software...although, i understand the basics..command line just doesn't make sense to me in Windows, besides basic commands.
All I want to do is to be able to troubleshoot my own software!
I shouldn't have to go through some shitty corporate hoops to see what dee eff is the problem with "my software" on "my machine". I have spent two weeks+ of my valuable time and them ignoring me + sharing my PI with them..
I am used to GDB, LDD, LVM, QEMU.
Windows is a whole new ball game at terminal and tbh it is stupid. Nowadays, it depends on Linux and doesn't call itself a distro..
If you are able to point me in the right direction to debug my halo.exe, please share if you are willing.
-
- Noobzor
- Posts: 14
- Joined: Fri Mar 20, 2020 11:29 pm
- Reputation: 1
Re: Halo Infinite
As a complete and total amateur when it comes to using CE, all I've figured out from this thread is that there are still no reliable tables for Infinite's campaign and that even *getting* to the start point of establishing a cheat table for Infinite isn't something a run-of-the-mill table maker like me can do.
Still, it's been two years, so I hope I'm wrong but...can I assume it's still impossible to make a table for Infinite's Campaign using traditional methods?