Closed gir489returns closed 1 year ago
Never realized you made more of your stuff in your repo public, will definitely take a look at this, thanks for sharing!
This was our private repo where we kept changes that only Lima and I used in our private build. We only just recently made it public.
Couldn't that also be used to detect what elements of the AC you are currently enraging? EDIT: Not with that primitive method.
IDK what you mean by primitive method, as it's the only method to hook the AC without crashing your game, but OK. Anyway, yes, you can check the return address EBP+4 and that will tell you which function doesn't like you.
It is primitive because there are better ways. I don't have an issue with how you're hooking things, just what you hooked. You don't stop the reports from being created, i.e., blocking metrics or anything more. You're stopping reports from being pushed to the main queue. In my eyes, the moment you deallocate your module, the game will go boom and the reports will be sent to the queue. And yes, you are right. You can check the return address. You can also hook a few other functions to see what was tripped where. Another thing you can do is handle the web requests they send to their servers and format the data to your liking.
And it is not the only way. It is the only way to hook something integ checked without disabling integrity checks.
The anticheat has changed a lot since then. The CE detector, tunable checker and several other modules have been removed, with only the sigscanner and DLL name checker left intact. Reports are now being queued through a different function that isn't integrity checked and is already being blocked by YimMenu. Arxan is now centralized and also relies on this unprotected function to run nearly all of its integrity checks for some reason.
There were also several other code changes that have occurred since last year. Breakup and lost connection kicks have been patched. Chat spoofing is patched and all chat messages are now being sent to Rockstar. Major RCE exploits that have been in the game since last gen have also been finally patched. You cannot join invite only and solo sessions anymore, since all join requests now require a server signed certificate to prevent data spoofing, forced joins and ban bypasses.
Wow, sounds like they really actually put some effort into the game. Gonna close this since the code is irrelevant.
Problem
Lima and I have officially abandoned our project and have no interest in this game anymore. I have moved on to harassing EA with Apex Legends and jumping into streamers' games with a vulnerability in their lobby system and then rage cheating, and Lima has moved on to other games as well. You can find the code here: https://bitbucket.org/gir489/bigbasev2/src/master/
Now, obviously, the functions we found have some slight protection, and the best solution we found to "hook" them was to abuse debug breakpoints. The problem with this method, is now that I'm posting it, Rockstar is gonna know about this shit and try to defeat it/detect the debug breakpoints. So have fun with your cat and mouse game to defeat it.
m_anti_cheat_function is basically the function that keeps track of the amount of infractions the anti-cheat has detected you with. Each time it's called, you are given an infraction. If you are given enough infractions, the anti-cheat will emit something to the SCAPI that will basically request you to be banned. Originally, m_anti_cheat_function belonged to a thread that you could just punch in the mouth and disable. However, they added a heartbeat somewhere inside the thread, so if the thread stops running, you will get kicked from the game.
Solution
Implement m_anti_cheat_function hook, or use IDA to snoop around and see if you can find other functions to defeat the anti-cheat.
Reason
Not getting banned is pretty kino.
Additional context
No response