This repository has been archived by the owner on Sep 26, 2021. It is now read-only.

VAC bans #177

Closed
rawn7702 opened this issue Nov 12, 2019 · 11 comments

Comments

@rawn7702

Hi, @namazso @M1XT3NZ
I know this issue is a prevailing one with the current nSkinz and I have no complaints; I have been using this cheat since I found it a year ago and I've been very satisfied with its results.
Recently, I've been facing VAC bans very regularly, as I have to keep using new accounts with the cheat. I compile the .dll as in the video provided on YouTube using Visual Studio, also use AutoJunkAdder, and inject the .dll using Extreme Injector.
But still, it gets detected in the first week of my use. I always take precautions to save the files in a VeraCrypt drive and delete the .dll and the .exe of the injector from the Temp folder, but my efforts are still in vain.
Could you guys suggest something apart from this?
Thank you.
I know this isn't an issue, but recently it's been very consistent even after regular compiling.

@M1XT3NZ
Contributor

M1XT3NZ commented Nov 12, 2019 via email

I remade nSkinz with junk code like every day or every few hours. Deleted the old one before, of course. Other than that there is not much you can do. Of course VMProtect is an option, but yeah.

@rawn7702
Author

Hi, @M1XT3NZ
Thank you for replying. So recompiling before every game is necessary? I mean, is that the best option we have right now?
Also, how do you use VMProtect for this?
Could you explain?
Thank you.

@NNiX1

NNiX1 commented Nov 18, 2019

What type of ban are you getting? If untrusted = injector. I was getting banned regularly with Extreme; I switched to rando and it's working well. Also, no need to recompile every day if you're not sharing it online after compilation.

@rawn7702
Author

rawn7702 commented Nov 19, 2019

What type of ban are you getting? If untrusted = injector. I was getting banned regularly with Extreme; I switched to rando and it's working well. Also, no need to recompile every day if you're not sharing it online after compilation.

Hi, @NNiX1, thank you for replying.
I don't actually remember which type of VAC ban it was, but what is it that you're referring to with extreme and random? Can you explain? Also, I don't share the DLL files with anyone. It's for my own use.

@0xE232FE

0xE232FE commented Nov 20, 2019

I use a LoadLibrary injector without issues! After injecting, remove the PE header from the memory image. I do not use junk code or VMProtect; these two methods are useless and only novices believe in them.

@rawn7702
Author

rawn7702 commented Nov 20, 2019

I use a LoadLibrary injector without issues! After injecting, remove the PE header from the memory image. I do not use junk code or VMProtect; these two methods are useless and only novices believe in them.

Hi @0xE232FE, thank you for replying.
You've never been banned till now for using a LoadLibrary injector? And removing the PE header?
Could you guide me as to how to do it? I am new to this.
I was using Extreme Injector till now and tried Randi injector, but that too caused VAC errors recently.
Could you please guide me with your way?

@0xE232FE

0xE232FE commented Nov 21, 2019

Here is the injector I use. Besides, junk code or VMProtect doesn't prevent VAC! Only bad hackers that have no skill mention that over and over again, and people who are new believe them. So the myth still lives, and you don't get smarter if you believe the people who tell you junk code makes a cheat undetected. This is not true! I want to make this clear! I am a white-hat hacker, not a bad script kid that wants to play god.

Use flat assembler. This does not include PE header removal. I actually do the PE header removal in an external C DLL.

Here is the code for PE header removal in C:

#include <windows.h>

// Zero the first page of a loaded image: the DOS header, NT headers and
// section table all live there, so a scan for the "MZ"/"PE" signatures no
// longer matches. Note that GetModuleHandle(NULL) (used in the original
// snippet) is the base of the host process's main executable, not of this
// DLL; to wipe the DLL's own header, pass the hinstDLL that DllMain receives.
static void ErasePEHeaderFromMemory(HMODULE hModule)
{
    DWORD OldProtect = 0;
    char *pBaseAddr = (char *)hModule;
    if (pBaseAddr == NULL)
        return;

    // The header page is mapped read-only; make it writable first (4096 = x86/x64 page size)
    if (!VirtualProtect(pBaseAddr, 4096, PAGE_READWRITE, &OldProtect))
        return;

    // Erase the header
    ZeroMemory(pBaseAddr, 4096);

    // Put the original protection back
    VirtualProtect(pBaseAddr, 4096, OldProtect, &OldProtect);
}

// Entry point of the helper DLL: wipe our own header as soon as we are mapped
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    if (fdwReason == DLL_PROCESS_ATTACH)
        ErasePEHeaderFromMemory(hinstDLL);
    return TRUE;
}

Compiles to 1536 bytes:

format PE64 console 6.0
entry main

include 'INCLUDE/win64ax.inc'

; ANSI PROCESSENTRY32 as expected by Process32First/Process32Next:
; szExeFile is a CHAR array, so it is declared with db (the original used dw)
struct PROCESSENTRY32
       dwSize                  dd ?
       cntUsage                dd ?
       th32ProcessID           dd ?
       rd 1                                ; padding before the 8-byte ULONG_PTR
       th32DefaultHeapID       dq ?
       th32ModuleID            dd ?
       cntThreads              dd ?
       th32ParentProcessID     dd ?
       pcPriClassBase          dd ?
       dwFlags                 dd ?
       szExeFile               db MAX_PATH dup (?)
ends

section '.text' code executable

; usage: injector.exe -loadlibrary DLLPATH PROCESSNAME
main:
    cinvoke __getmainargs, argc, argv, env, 0, 0   ; trailing 0: no _startupinfo
    cmp [argc], 4
    jne error
    mov rsi, [argv]
    cinvoke strcmp, qword [rsi + 8], <'-loadlibrary', 0>
    cmp rax, 0
    je loadlibrary
    retn

; returns the PID of the first process whose image name equals [name], or 0
proc findProcessId, name
    local snapshot:QWORD, pid:QWORD, processEntry:PROCESSENTRY32

    mov [name], rcx
    mov qword [pid], 0
    invoke CreateToolhelp32Snapshot, 0x2, 0        ; TH32CS_SNAPPROCESS
    cmp rax, INVALID_HANDLE_VALUE
    je .nosnapshot
    mov [snapshot], rax
    mov [processEntry.dwSize], sizeof.PROCESSENTRY32
    lea rax, [processEntry]
    invoke Process32First, [snapshot], rax
    test rax, rax
    jz .done

    .loop1:
        lea rax, [processEntry.szExeFile]
        cinvoke strcmp, rax, [name]
        test rax, rax
        jz .found
        lea rax, [processEntry]
        invoke Process32Next, [snapshot], rax
        test rax, rax
        jnz .loop1
        jmp .done

    .found:
        mov eax, [processEntry.th32ProcessID]
        mov [pid], rax

    .done:
        invoke CloseHandle, [snapshot]             ; the original leaked the snapshot handle
    .nosnapshot:
        mov rax, [pid]
        ret
endp

loadlibrary:
    stdcall injectLoadLibraryA
    retn

error:
    cinvoke printf, <'Wrong amount of command line arguments! Usage: -loadlibrary DLLPATH PROCESSNAME. Press enter to continue...', 0>
    cinvoke getchar
    retn

; rsi is callee-saved on Win64, so the proc preserves it
proc injectLoadLibraryA uses rsi
    locals
        dllPath rb MAX_PATH
        dllPathLength dq ?
        processHandle dq ?
        allocatedMemory dq ?
        threadHandle dq ?
    endl

    ; argv[2]: DLL path, made absolute because the target process resolves it
    mov rsi, [argv]
    lea rax, [dllPath]
    invoke GetFullPathNameA, qword [rsi + 16], MAX_PATH, rax, 0
    lea rax, [dllPath]
    cinvoke strlen, rax
    inc rax                                        ; include the terminating NUL
    mov [dllPathLength], rax

    ; argv[3]: process image name -> PID
    mov rsi, [argv]
    stdcall findProcessId, qword [rsi + 24]
    test rax, rax
    jz .done                                       ; process not running
    ; CreateRemoteThread also needs QUERY_INFORMATION and VM_READ on the handle
    invoke OpenProcess, PROCESS_CREATE_THREAD + PROCESS_QUERY_INFORMATION + PROCESS_VM_OPERATION + PROCESS_VM_WRITE + PROCESS_VM_READ, FALSE, rax
    test rax, rax
    jz .done
    mov [processHandle], rax

    ; copy the path into the target, then have it call LoadLibraryA(path)
    mov rax, [dllPathLength]                       ; the original passed the address of the length, not its value
    invoke VirtualAllocEx, [processHandle], NULL, rax, MEM_COMMIT + MEM_RESERVE, PAGE_READWRITE
    mov [allocatedMemory], rax
    lea rax, [dllPath]
    invoke WriteProcessMemory, [processHandle], [allocatedMemory], rax, [dllPathLength], NULL
    ; kernel32.dll is mapped at the same base in every process, so the local address of LoadLibraryA is valid in the target
    invoke CreateRemoteThread, [processHandle], NULL, 0, <invoke GetProcAddress, <invoke GetModuleHandleA, <'kernel32.dll', 0>>, <'LoadLibraryA', 0>>, [allocatedMemory], 0, NULL
    mov [threadHandle], rax
    invoke WaitForSingleObject, [threadHandle], INFINITE
    invoke CloseHandle, [threadHandle]
    invoke VirtualFreeEx, [processHandle], [allocatedMemory], 0, MEM_RELEASE   ; MEM_RELEASE requires dwSize = 0
    invoke CloseHandle, [processHandle]

    .done:
    ret
endp

section '.bss' data readable writable

argc    dq ?
argv    dq ?
env     dq ?

section '.idata' data readable import

; Inflame64.dll is the DLL containing ErasePEHeaderFromMemory (C code above).
; fasm's import macros only emit a descriptor for a library that also has an
; import block with at least one referenced function, so a bare library entry
; like this one is dropped and does not by itself load the DLL.
library kernel32, 'kernel32.dll', \
        msvcrt, 'msvcrt.dll', \
        Inflame64, 'Inflame64.dll'

import kernel32, \
       CreateToolhelp32Snapshot, 'CreateToolhelp32Snapshot', \
       GetFullPathNameA, 'GetFullPathNameA', \
       GetModuleHandleA, 'GetModuleHandleA', \
       GetProcAddress, 'GetProcAddress', \
       OpenProcess, 'OpenProcess', \
       Process32First, 'Process32First', \
       Process32Next, 'Process32Next', \
       VirtualAllocEx, 'VirtualAllocEx', \
       VirtualFreeEx, 'VirtualFreeEx', \
       WriteProcessMemory, 'WriteProcessMemory', \
       CreateRemoteThread, 'CreateRemoteThread', \
       CloseHandle, 'CloseHandle', \
       WaitForSingleObject, 'WaitForSingleObject'

import msvcrt, \
       __getmainargs, '__getmainargs', \
       printf, 'printf', \
       getchar, 'getchar', \
       strlen, 'strlen', \
       atoi, 'atoi', \
       strcmp, 'strcmp'
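
The comment above rests on one technique, wiping the PE header of a module once it is mapped. The example below is added here to show concretely what that wipe destroys and what it leaves behind; it is not code from the thread, from nSkinz or from Inflame. It constructs a minimal 64-bit PE image in memory (a constructed sample, not a real module), parses its headers, zeroes the first page exactly as ErasePEHeaderFromMemory() does, and then scans the same buffer the way a memory scanner scans a process: by content rather than by the "MZ"/"PE" signatures. The section contents, byte patterns and string names are all made up for the example.

```python
"""What zeroing a PE header in memory hides, and what it does not (added example)."""
import struct
from typing import Optional

PAGE = 0x1000                       # x86/x64 page size, as assumed by the C snippet
TEXT_RVA, DATA_RVA = 0x1000, 0x2000

# constructed section contents: a small x64 stub and some import-name strings
TEXT_BODY = bytes.fromhex("4883ec28488d0d00000000e8000000004883c428c3")
DATA_BODY = b"kernel32.dll\0LoadLibraryA\0Inflame64.dll\0"
CODE_SIG = TEXT_BODY[:8]            # the byte pattern a scanner would signature


def build_image() -> bytes:
    """DOS header, PE/COFF header, PE32+ optional header, two section headers
    and the two sections, laid out as they appear once mapped."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    # "PE\0\0", Machine=AMD64, 2 sections, timestamp, symtab, nsyms,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | DLL | LARGE_ADDRESS_AWARE)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664, 2, 0, 0, 0, 0xF0, 0x2022)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 16, TEXT_RVA)                  # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x180000000)               # ImageBase
    struct.pack_into("<II", opt, 32, PAGE, 0x200)              # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 3 * PAGE, PAGE)           # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    sections = b""
    for name, rva, body, chars in ((b".text", TEXT_RVA, TEXT_BODY, 0x60000020),
                                   (b".data", DATA_RVA, DATA_BODY, 0xC0000040)):
        sections += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                                len(body), rva, len(body), rva, 0, 0, 0, 0, chars)
    header = (bytes(dos) + coff + bytes(opt) + sections).ljust(PAGE, b"\0")
    return header + TEXT_BODY.ljust(PAGE, b"\xcc") + DATA_BODY.ljust(PAGE, b"\0")


def parse_headers(image: bytes) -> Optional[dict]:
    """What a loader or a naive module scanner reads; None once the signatures are gone."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt_off)[0]
    size_of_image = struct.unpack_from("<I", image, opt_off + 56)[0]
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, rva, *_, chars = struct.unpack_from("<8sIIIIIIHHI", image, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "rva": rva,
                         "size": vsize, "characteristics": chars})
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "size_of_image": size_of_image, "sections": sections}


def erase_header(image: bytearray) -> None:
    """Same effect as the thread's ErasePEHeaderFromMemory(): zero the first page."""
    image[:PAGE] = bytes(PAGE)


def scan_pattern(image: bytes, pattern: bytes) -> list:
    """Content scan: offsets of every occurrence of pattern, header or no header."""
    hits, pos = [], image.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = image.find(pattern, pos + 1)
    return hits


def looks_like_stripped_module(image: bytes) -> bool:
    """Per-region heuristic (a real scanner walks regions with VirtualQueryEx):
    a populated mapping whose first page is entirely zero is itself an anomaly."""
    return len(image) > PAGE and not any(image[:PAGE]) and any(image[PAGE:])


if __name__ == "__main__":
    img = bytearray(build_image())
    print("before:", [s["name"] for s in parse_headers(img)["sections"]], scan_pattern(img, CODE_SIG))
    erase_header(img)
    print("after: ", parse_headers(img), scan_pattern(img, CODE_SIG),
          "stripped-module anomaly:", looks_like_stripped_module(img))
```

Run as a script it prints the parsed section list and the pattern hit before the wipe, then None for the headers but the same pattern hit afterwards: the wipe removes the module's name, entry point and section table from the image, and nothing else. Code bytes, strings and the import-name strings remain where they were, and the zeroed first page is itself a recognisable shape, which is why the thread's own conclusion that neither junk code nor header removal changes the detection surface is worth taking seriously.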

@rawn7702
Author

Okay, first of all, thank you for the insight about the junk code and VMProtect; I will stop doing that from now on. @0xE232FE, apart from that,
I'm very confused as to how to actually do this. I don't do code. So, as you said above, I need to use the flat assembler program to compile the LoadLibrary injector? And for PE header removal I need to use an external C DLL.
What is an external C DLL exactly? Is it like normal C?
Also, the code you mentioned above is only for PE header removal, right?
What does the section with the code for "Compile to 1536 bytes" mean?
I apologise for bombarding you with stupid questions; all these things intrigue me, and compiling nSkinz was one of my stepping stones into coding.
Please help.
Thank you.

@0xE232FE

0xE232FE commented Nov 21, 2019

Create a DLL with ErasePEHeaderFromMemory() and name it Inflame64.dll.

Then the PE header gets removed when injecting. You don't need to know how to code, you just need to know how to make your own DLL and how to compile code with flat assembler.

At this point you do not need to know how to code. :-)

Here I load the Inflame64.dll; if it is not present, it does not work.

library kernel32, 'kernel32.dll', \
        msvcrt, 'msvcrt.dll', \
        Inflame64, 'Inflame64.dll'

Two techniques to confuse debuggers and reverse engineers. These do not change the program or the way of detection at all.

Junk code is an aptly named technique of code obfuscation, and as its name suggests, it utilizes code that is junk, or not needed, to confuse a reverse engineer as to what the current code is actually trying to accomplish. When the junk code that is inserted into a routine is convincing and successfully manages to confuse a reverse engineer, this technique can be rather effective; however, there is a performance penalty for utilizing it, because the more instructions a routine or function contains, the longer the function takes to complete. Another issue with junk code is that for memory and stack manipulation operations like push, pop, and mov ptr [], there is a decent chance of stack or memory corruption; therefore, these instructions are either placed and utilized carefully, or not used at all.

Permutation is defined as "often major or fundamental change (as in character or condition) based primarily on rearrangement of existent elements", which, when referring to the world of code, means different ways of accomplishing the same goal or task ("permutation").

You do not need these two obfuscation methods because they are useless against anti-cheat detection.

@rawn7702
Author

rawn7702 commented Nov 22, 2019

Hi, @0xE232FE
Thank you for your explanation and for your help.
I have a question: is it important that we name the .dll file Inflame64.dll?
UPDATE: I was going through your repositories and now I understand that Inflame is an injector by the same developer mentioned below. I am so dumb. Sorry for the trouble; to be honest, I am learning a lot of new things from you.
I've been searching the internet for what ErasePEHeaderFromMemory() is and how to work with it, and I stumbled upon 3 GitHub repositories:
https://github.com/danielkrupinski/MemJect
UPDATE: I've started using the above injector (MemJect); the instructions were pretty new to me, but it was different and challenging. I made a new CS:GO account on which I will be testing daily until the account gets banned. I will only be using this injector with nSkinz on this new account for testing.
I read all of the requirements and the process.
I was also going through the issues and I came upon your comment on "MemJect".
So does it work?
https://github.com/danielkrupinski/Bleak
https://github.com/danielkrupinski/Inflame
Also, I was reading other forums like UC and MPGH,
and I found 2 different threads regarding this same matter.
They were interesting; I'd like you to check them out if at all you wish to, and it's cool if you don't have time for this. Here are the links though:
https://www.mpgh.net/forum/showthread.php?t=743307
https://www.unknowncheats.me/forum/anti-cheat-bypass/321071-erasing-pe-header.html

Awaiting your reply,
Thanks & Regards.

@namazso
Owner

namazso commented Jan 4, 2021

duplicate of #27 / out of scope

@namazso namazso closed this as completed Jan 4, 2021