[SOURCE]HOW TO STOP STEAM BOT

08/30/2016 20:27 Geleia#1
Hello guys i have been working on a solution to try and save the game from noobs with public code. I hope Inix can see this post and patch this cancer once and for all.

For the people that know what they are doing this is easy to bypass but if you post it publicly I will try my best to keep posting a patch.

Stop ruining the game spoon feeding noobs, if anyone want to support me please start posting fixes aswell.

Code:
BOOL X86DetectInterceptionEAT( HMODULE *lpModule ) {
	
	PIMAGE_DOS_HEADER dwDos = reinterpret_cast< PIMAGE_DOS_HEADER >( lpModule[ 0 ] );

	if( dwDos->e_magic == IMAGE_DOS_SIGNATURE ) {

		PIMAGE_NT_HEADERS dwHeader = reinterpret_cast< PIMAGE_NT_HEADERS >( reinterpret_cast< DWORD >( dwDos ) +
			dwDos->e_lfanew );

		if( dwHeader->Signature == IMAGE_NT_SIGNATURE ) {

			PIMAGE_EXPORT_DIRECTORY dwAddrOfDir = reinterpret_cast< PIMAGE_EXPORT_DIRECTORY >( ( reinterpret_cast< DWORD >( dwDos ) +
				dwHeader->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ].VirtualAddress ) );

			PDWORD dwAddrOfNames = reinterpret_cast< PDWORD >( reinterpret_cast< DWORD >( dwDos ) + 
				dwAddrOfDir->AddressOfNames );

			PDWORD dwAddrOfFuncs = reinterpret_cast< PDWORD >( reinterpret_cast< DWORD >( dwDos ) + 
				dwAddrOfDir->AddressOfFunctions );

			PWORD dwAddrOfOrdinals = reinterpret_cast< PWORD >( reinterpret_cast< DWORD >( dwDos ) +
				dwAddrOfDir->AddressOfNameOrdinals );

			for( DWORD dwEntry = 0; dwEntry < dwAddrOfDir->NumberOfFunctions; dwEntry++ ) {

				if( dwAddrOfFuncs[ dwEntry ] ) {

					DWORD dwAddress = reinterpret_cast< DWORD >( dwDos ) + dwAddrOfFuncs[ dwEntry ];
					
					HMODULE dwRes = NULL;

					if( GetModuleHandleExA( GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, reinterpret_cast< LPCSTR >( dwAddress ), &lpModule[ 4 ] ) ) {

						if( lpModule[ 4 ] != lpModule[ 0 ] && lpModule[ 4 ] != lpModule[ 1 ] &&
							lpModule[ 4 ] != lpModule[ 2 ] && lpModule[ 4 ] != lpModule[ 3 ] ) {
							return TRUE;
						}
					}
				}
			}
		}
	}
	return FALSE;
}

BOOL X86DetectInterceptionIAT( HMODULE lpModule ) {

	PIMAGE_DOS_HEADER dwDos = reinterpret_cast< PIMAGE_DOS_HEADER >( lpModule );

	if( dwDos->e_magic == IMAGE_DOS_SIGNATURE ) {

		PIMAGE_NT_HEADERS dwHeader = reinterpret_cast< PIMAGE_NT_HEADERS >( reinterpret_cast< DWORD >( dwDos ) +
			dwDos->e_lfanew );

		if( dwHeader->Signature == IMAGE_NT_SIGNATURE ) {

			PIMAGE_IMPORT_DESCRIPTOR dwAddrOfDir = reinterpret_cast< PIMAGE_IMPORT_DESCRIPTOR >( reinterpret_cast< DWORD >( dwDos ) +
				dwHeader->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ].VirtualAddress );

			while( dwAddrOfDir->Name ) {

				HMODULE dwModule[ 5 ] = {
					GetModuleHandleA( reinterpret_cast< PCHAR >( reinterpret_cast< DWORD >( dwDos ) + dwAddrOfDir->Name ) ),
					//SYSTEM WIDE RESERVATION
					GetModuleHandleA( "KERNEL32.DLL" ),
					GetModuleHandleA( "USER32.DLL" ),
					GetModuleHandleA( "NTDLL.DLL" ),
					NULL
				};

				if( dwModule[ 0 ] ) {

					if( X86DetectInterceptionEAT( dwModule ) ) { //DETECTED EAT HOOK FROM MODULES IN THE IMPORT TABLE
						return TRUE;
					}

					PIMAGE_THUNK_DATA dwAddressOfThunk = reinterpret_cast< PIMAGE_THUNK_DATA >( reinterpret_cast< DWORD >( dwDos ) +
						dwAddrOfDir->FirstThunk );

					while( dwAddressOfThunk->u1.Function ) {

						if( GetModuleHandleExA( GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, reinterpret_cast< LPCSTR >( dwAddressOfThunk->u1.Function ), &dwModule[ 4 ] ) ) {

							if( dwModule[ 4 ] != dwModule[ 0 ] && dwModule[ 4 ] != dwModule[ 1 ] &&
								dwModule[ 4 ] != dwModule[ 2 ] && dwModule[ 4 ] != dwModule[ 3 ] ) {
								return TRUE;
							}
						}

						dwAddressOfThunk++;
					}
				}
				dwAddrOfDir++;
			}
		}
	}
	return FALSE;
}

//PUT THIS ON THE MAIN THREAD BEFORE RENDERING THE FRAME WITH A TIMER
//This function already includes the EAT scan on all modules listed in the Import Table
if( !X86DetectInterceptionIAT( GetModuleHandle( 0 ) ) ) {
		//user is clean
} else {
		//eat or iat changed
}
*Added the EAT Hook detection.
*Added the IAT Hook detection.

TODO:
Dll Wrapper detection.
08/30/2016 20:52 luki180pl#2
Better tell them how to make server side protection. This what you written is as easy to bypass as their new multiclient check
08/30/2016 21:01 Geleia#3
Quote:
Originally Posted by luki180pl View Post
Better tell them how to make server side protection. This what you written is as easy to bypass as their new multiclient check
I know luki but as long as you or any other coder dont post the fix it should prevent alot leechers to destroy the game.

Keep in mind that there are not many more ways in ring3 to detect a eat hook. If you want to show a better way and help, please do.
08/30/2016 21:06 luki180pl#4
it's not about better or worse way. every clientside protection can be broken. A simple serverside check and gg for inix.
08/30/2016 21:49 nokia999#5
As you can see they wont fix anything xD
They are too stupid or too lazy for it ;]
08/30/2016 23:08 pamz12#6
Quote:
Originally Posted by Geleia View Post
I know luki but as long as you or any other coder dont post the fix it should prevent alot leechers to destroy the game.

Keep in mind that there are not many more ways in ring3 to detect a eat hook. If you want to show a better way and help, please do.
in the past way better coders than you posted things with intention to destroy the game, so gl with your intentions lal
08/30/2016 23:12 mcdraco#7
The moment when do people solve inix problems, although they earn money... Gj anyway !
08/30/2016 23:41 Geleia#8
Quote:
Originally Posted by pamz12 View Post
in the past way better coders than you posted things with intention to destroy the game, so gl with your intentions lal
Beethoven was deaf and composed wonderfull music better than anyone will ever do, the problem is that he is dead now.
But thx anyways.

*Added IAT Hook detection.
08/31/2016 01:06 meak1#9
Quote:
Originally Posted by Geleia View Post
Hello guys i have been working on a solution to try and save the game from noobs with public code. I hope Inix can see this post and patch this cancer once and for all.

For the people that know what they are doing this is easy to bypass but if you post it publicly I will try my best to keep posting a patch.

Stop ruining the game with spoon feeding noobs, if anyone want to support me please start posting fixes aswell.

I will now start work on IAT hook detection and will post here when done.
iat is for noobs, ban all
08/31/2016 08:34 magicjan1#10
meybe they fixed something after last update, becouse now my nokia's bots window goses off after character screen, but kal is still running good.
08/31/2016 10:40 asdfg177#11
Anyone ples how can i use this?
/ironieoff
09/02/2016 20:13 exeduz#12
why should they fix anything, server would lose half population then :D
09/02/2016 22:01 Geleia#13
Quote:
Originally Posted by exeduz View Post
why should they fix anything, server would lose half population then :D
but also could gain more ppl.

loads of ppl quitted due to this issue i knew a few, i dont have anything against cheating when u benefit yourself without harming others. The problem here is that most ppl dont know how to use a cheat and dont even care to thank the real author or make a donation to him. They just want copy paste and piss everybody that plays legit.
09/03/2016 15:41 asdfg177#14
Quote:
Originally Posted by Geleia View Post
but also could gain more ppl.

loads of ppl quitted due to this issue i knew a few, i dont have anything against cheating when u benefit yourself without harming others. The problem here is that most ppl dont know how to use a cheat and dont even care to thank the real author or make a donation to him. They just want copy paste and piss everybody that plays legit.
Hmm... and u think by hacking for geon and selling them which causes big inflation doesnt hurt anyone? All hackings hurt normal players, doesnt matter at which places.
09/04/2016 00:48 TheRealPower#15
Quote:
Originally Posted by Geleia View Post
but also could gain more ppl.

loads of ppl quitted due to this issue i knew a few, i dont have anything against cheating when u benefit yourself without harming others. The problem here is that most ppl dont know how to use a cheat and dont even care to thank the real author or make a donation to him. They just want copy paste and piss everybody that plays legit.
why are u even on epvpers if you hate bots so much? lol