Dekaron Anti-Hack

SuperKick · 05/26/2014, 18:32

Hi guys/girls.

Are you annoyed with people always using hacks on your server? Well here I ease you into the basics to help prevent this. In this part I cover adding checks for detecting if there is any irregularities in certain values and working out a balance between execute occurrence of the detection code and not lagging the game too much.

You will need:

Dekaron.exe (Can be found in your bin folder in main games directory)
OllyDbg
Some knowledge of hacks

So first we need to understand what the hack is doing and how it works. Let’s have a look at vac (vacuum hack, it draws as many mobs as defined towards the player). Both editing the data.pak/info.csv or using CE vac script, do exactly the same thing. Only difference is if you edit the data.pak/info.csv than the game loads those modified values, but if you use the CE script vac than it modifies the values of all mobs that come into your screen, so it edits as you play. Now because we know how they work, we must choose how we are gonna do this and where we should add this code. Well cause we’re better off checking both at the same time, then that means we are best of just looking at the CE vac script and editing there.

PHP Code:


			
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)

00450BCD:
jmp newmem
nop
returnhere:

newmem: //this is allocated memory, you have read,write,execute access

//DwExploreRange eax
mov [eax+08],00000020//DwSight    eax+08
mov [eax+04],00000020//DwPersuitRange    eax+04
//DwAvoidRange    eax+0C
mov [eax+10],00000064//DwExploreStandDelay    eax+10
mov [eax+14],00000064//DwExploreMoveDelay    eax+14
mov [eax+18],00000064//DwStandDelay    eax+18
mov [eax+1C],00000064//DwMoveDelay    eax+1C
//DwFollowMyMasterRange    eax+20
//DwStopMasterNear    eax+24
//DwWarpMyMasterRange    eax+28
mov [eax+2C],00000064//DwCallTeamPossibelHP    eax+2C
mov [eax+30],00000020//DwCallTeamCount    eax+30
mov [eax+34],00000000//DwBlockNFirstAttack    eax+34//mov [eax+38],00000020//dwCallTeamCell    byte[eax+38]
//dwFollowTarget    eax+3C
//dwSpecialAttackStartHP
//dwSpecialMeleeAttackRate
//dwSpecialRangeAttackRate
//DwPowerAttacjStartHP
//dwPowerMeleeAttackProbable
//dwPowerRangeAttackProbable
//mov [eax+40],00000000//DwUnderAttackAggro    eax+40
//mov [eax+44],00000000//DwMeleeAttackRangeInAggro    eax+44
//mov [eax+48],00000000//DwRangeAttackRangeInAggro    eax+48
//DwSightInAggro    eax+4C
//DwDefeatAggro    eax+50
mov [eax+54],00000000//DwBlockedAggro    eax+54
mov [eax+58],00000000//DwSlideAggro    eax+58
mov [eax+5C],00000000//DwHealAggro    eax+5C
//DwMasterUnderAttackAggro    eax+50
//DwMasterDefeatAggro    eax+54
//DwMasterBlockingAggro     eax+58
//DwMasterSlideAggro     eax+5C
//DwCOmplusionUnderAttackAggro     eax+60
//dwMaxSummonsMonsterCount      eax+64
//dwReSummonsMonsterTick       eax+68
//dwMaxSummonsMonsterRange       eax+6C
//dwSummonsStartPcCountPatternType     eax+70

originalcode:
mov edx,[eax+1c]
mov [ecx+20],edx

mov edx,10 // number spawn
mov [eax+8c],edx

mov edx,64 // time delay spawn
mov [eax+90],edx

mov edx,30 // # follow monster
mov [eax+3C],edx

//mov [ecx+20],edx // # follow my master
exit:
jmp returnhere

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
00450BCD:
mov edx,[eax+1c]
mov [ecx+20],edx

Now let’s just decide we only want to make a check for DwExploreRange. So only parts that are of interest to us in the script is the offset where the script is injected and the pointer to DwExploreRange.

Offset = 00450BCD

DwExploreRange = [eax]

Now let’s look at the info.csv and see what numbers mobs usually have for DwExploreRange. The numbers normally consist from 0 – 6, so it’s safe to say anything 7 or higher has been modified by the player/hacker. So now we just need to create the check for this.

PHP Code:


			
cmp dword ptr [eax], 6
jle SkipCrash
push 0
call ExitProcess
SkipCrash:

So what happens here is it compares the dword value at pointer eax with 6, if it’s less than or equal then the jump is taken and it skips the call to ExitProcess.

Ok now that we’ve done that part all we got to do now, is add the code into the dekaron.exe. So this is where we use the offset, provided in the CE script to choose where to put our code. Now knowing that if they use CE only code that’s after that offset is modified anything prior for that mob, is normal. So we have to put it after.

PHP Code:


			
00450BCD   . 8B50 1C        MOV EDX,DWORD PTR DS:[EAX+1C]
00450BD0   . 8951 20        MOV DWORD PTR DS:[ECX+20],EDX
00450BD3   . 8B50 20        MOV EDX,DWORD PTR DS:[EAX+20]
00450BD6   . 8951 24        MOV DWORD PTR DS:[ECX+24],EDX

So why don’t we just make the check the code right below it, at offset 004508D3. And then we just need to add the jump to new code at another offset, since there’s too much code then can fit.

PHP Code:


			
00450BCD   . 8B50 1C        MOV EDX,DWORD PTR DS:[EAX+1C]
00450BD0   . 8951 20        MOV DWORD PTR DS:[ECX+20],EDX
00450BD3     E9 C3A85400     JMP dekaron_.0099B49B
00450BD8     90              NOP

0099B49B     8338 06         CMP DWORD PTR DS:[EAX],6
0099B49E    ^0F8E 3457ABFF   JLE dekaron_.00450BD8
0099B4A4     6A 00           PUSH 0
0099B4A6     E8 3F19E87B     CALL kernel32.ExitProcess

Now you can also check to see if any code has been modified. So maybe you’d want to add checks seeing if any of your added code got modified or if the CE has been enabled at a certain address.

PHP Code:


			
00450BCD   . 8B50 1C        MOV EDX,DWORD PTR DS:[EAX+1C]
00450BD0   . 8951 20        MOV DWORD PTR DS:[ECX+20],EDX
00450BD3     813D CD0B4500 8>CMP DWORD PTR DS:[450BCD],891C508B
je Skip
push 0
call ExitProcess
Skip:

here I will be covering encryption/decryption to help make it harder for your work to be bypassed. As well as adding certain needed values/files into the dekaron.exe so they can’t just swap your anti hack dekaron.exe with an unmodified one.

First off for encryption/decryption I’ll give a basic example and explain what’s going on then I’ll just give you some ideas of what you could do. Here’s a basic encryption, showing the pointer address encrypted.

PHP Code:


			
00800A62 >   BB 740A8000     MOV EBX,dekaron_.00800A74
00800A67     2BC9            SUB ECX,ECX
00800A69     FE0419          INC BYTE PTR DS:[ECX+EBX]
00800A6C     41              INC ECX
00800A6D     83F9 03         CMP ECX,3
00800A70    ^75 F7           JNZ SHORT dekaron_.00800A69
00800A72     813D CC0A4400 8>CMP DWORD PTR DS:[440ACC],891C508B

So as you can see ebx holds the address of the encrypted bytes, then ecx is cleared and is then used as the pointer for the byte as well as the amount of loops it needs to do till it leaves function. The encryption is basic just subtracting 1 from each of the 3 bytes in the address in the pointer in the compare command, so all the decryption is doing, is reversing that. Hence the inc byte ptr [ecx+ebx], it’s adding 1 onto each of the 3 bytes in the address. So after the code is run it would be decrypted as 450BCD, then the check could be run etc.

You can have the decryption at any stage in the game and then call the decrypted function much later on. If you have any specific calls you don’t want found you can encrypt them, as well as most of your code. The benefits are that they won’t be able to find references to the command, calls to the command, understand the code unless they either execute it or have the decryption algorithm.

Now to create the dekaron.exe so it can’t be bypassed by simply swapping it with another unedited one. What you must do is add some specific file to the dekaron.exe and remove it from the data.pak. So normal dekaron.exe’s don’t have enough files to run.

PHP Code:


			
004E13C3   . FF52 10        CALL DWORD PTR DS:[EDX+10]
004E13C6   . 50             PUSH EAX
004E13C7     FF15 E0C39900  CALL DWORD PTR DS:[<&ws2_32.inet_addr>]

Well eax holds an address which contains the string of the ip, for your server. So you could have the ip written somewhere in the dekaron.exe then move the address into eax. Then in the file that contains that ip (either loginlist or channellist, i forget which one this address is for, sorry) and just replace each character with 9′s or whatever you want.

Though if you just leave it like that, it is easy for someone to just copy it and put it back into the files. But if you mix the encryption with this, it can work very well.

this is the latest tutorial so far and maybe the last. Here I’ll just show a basic program that will check for a process then end the game. But i will explain what you can do. Here is the code snippet of the win32 C program.

HTML Code:

DWORD Gamepid;
HWND hwnd = FindWindow(NULL, "Dekaron");
GetWindowThreadProcessId(hwnd, &Gamepid);
HANDLE Game = OpenProcess(PROCESS_ALL_ACCESS, 0, Gamepid);
 
for ( ; ; )
{
    if (FindWindow(NULL, "Cheat Engine 5.5"))
    {
        TerminateProcess(Game, 0);
        return 0;
    }
 
    Sleep(2000);
}
 
return 0;

The point of the separate program is to not let the game do everything, cause it will cause too much lag. So cause this is a separate program you are free to build it how you want, whether you want it to be used for detecting if ollydbg, CE or any other hacking software programs are running. This snippet is the simplest form, all it does is search for the the title “Cheat Engine 5.5″ and if it finds that, than it terminates the process Game, which is the dekaron.exe. Now it’s up to you to make the program you want to be responsible for letting hacking software running while the game is active.

Like the one i made (different from the quick example i whipped up), gets created when the dekaron.exe is launched. Then it searches all processes for specific information, while writing a ‘safety’ check to the dekaron.exe. If it finds lets say CE running then the program will terminate the game and end. Though I’ve added things so if people do edit the program, then the dekaron.exe won’t work. Some of the functions i used are

FindWindow()
GetWindowThreadProcessId()
EnumProcess()
ReadProcessMemory()
WriteProcessMemory()
TerminateProcess()

So when you create yours, try and think how you want it to work and if it was to work like that what are some of the things people could do to bypass it. Then try and fix it or add something else to prevent that or make it harder.

Credits:

Bottomy

Farius~ · 05/26/2014, 18:48

looks very good this tutorial, is just try.

guesswho-.- · 05/26/2014, 19:07

quite honestly all of that is really easy to bypass

it's an old tutorial made by bottomy, I guess you copied it from his blog (well at least you gave proper credits, you could also include a link though). it's old and inefficient (the first part) you really wanna spend like 10 hours adding every single hack YOU CAN FIND to make it unhackable? how about I make the same hack at a different spot? it's not patched then

of course it MIGHT stop the average "hacker" from using hacks, but most people with thinking ability turned on will figure it out in a few mins

lifs2000 · 05/26/2014, 19:10

Nice tut but like guesswho said, it's not that hard to bypass it

~~TheBrain_~~ · 05/26/2014, 19:12

you know how to do it, now please make us a tool that u can choose ur 'implants' and it will write the ASM values straight into the .exe

im too lazy to do all that ^^

kokamentos · 05/28/2014, 10:53

HTML Code:


ANITHACK_PROCDUMP g_ProcessesDumps[MAX_PROCESS_DUMP] = {   
   
{0x4CBE2B, {0x8D, 0x55, 0xF0, 0xB9, 0x04, 0x00, 0x00, 0x00, 0x8B, 0xC7, 0xE8, 0x02, 0x15, 0xF5, 0xFF, 0x8B, 0x55, 0xF0, 0x8B, 0xC3, 0xE8, 0x8C, 0xF7, 0xFD, 0xFF, 0x8D, 0x55, 0xF0, 0xB9, 0x04, 0x00, 0x00}},   // Cheat 
Engine 5.3 

}


bool ScanProcessMemory(HANDLE hProcess)      
{     
    for(int i = 0; i < MAX_PROCESS_DUMP; i++)     
    {     
        char aTmpBuffer[MAX_DUMP_SIZE];     
        SIZE_T aBytesRead = 0;     
        ReadProcessMemory(hProcess, (LPCVOID)g_ProcessesDumps[i].m_aOffset, (LPVOID)aTmpBuffer, sizeof(aTmpBuffer), &aBytesRead);     
   
        if(memcmp(aTmpBuffer, g_ProcessesDumps[i].m_aMemDump, MAX_DUMP_SIZE) == 0)     
        {     
            return true;     
            break;     
        }     
}     
return false;     
}

I think it's better than scan name of the program .

Farius~ · 05/28/2014, 20:45

Quote:

Originally Posted by kokamentos

HTML Code:


ANITHACK_PROCDUMP g_ProcessesDumps[MAX_PROCESS_DUMP] = {   
   
{0x4CBE2B, {0x8D, 0x55, 0xF0, 0xB9, 0x04, 0x00, 0x00, 0x00, 0x8B, 0xC7, 0xE8, 0x02, 0x15, 0xF5, 0xFF, 0x8B, 0x55, 0xF0, 0x8B, 0xC3, 0xE8, 0x8C, 0xF7, 0xFD, 0xFF, 0x8D, 0x55, 0xF0, 0xB9, 0x04, 0x00, 0x00}},   // Cheat 
Engine 5.3 

}


bool ScanProcessMemory(HANDLE hProcess)      
{     
    for(int i = 0; i < MAX_PROCESS_DUMP; i++)     
    {     
        char aTmpBuffer[MAX_DUMP_SIZE];     
        SIZE_T aBytesRead = 0;     
        ReadProcessMemory(hProcess, (LPCVOID)g_ProcessesDumps[i].m_aOffset, (LPVOID)aTmpBuffer, sizeof(aTmpBuffer), &aBytesRead);     
   
        if(memcmp(aTmpBuffer, g_ProcessesDumps[i].m_aMemDump, MAX_DUMP_SIZE) == 0)     
        {     
            return true;     
            break;     
        }     
}     
return false;     
}

I think it's better than scan name of the program .

I think this post is good to start talking about it and get everyone to create a safe anti hack.

guesswho-.- · 05/28/2014, 21:40

How can a public anticheat be safe? Lol what a paradox