Metin2 AntiCheat ClientSide Source

Welcome!

By registering with us, you'll be able to discuss, share and private message with other members of our community.

SignUp Now!
Ionut Barbescu

Ionut Barbescu

SuperModerator
SuperModerator
Joined
Dec 23, 2020
Messages
146
Credits
38
AntiCheat Plugin ClientSide
A client-sided anti-cheat developed during a freelance project to "plug-in" to a proprietary client for a private server. Includes memory integrity checks, thread execution restrictions, hook detection, memory honeypots, and more.

*Memory Integrity Check​

Gathers a collection of memory pages initially within the game's module (anticheat::cheat_monitor::init) and generates a CRC32 hash based on the memory contents of each page (calc_vpt_hashes) - each validated every cycle (anticheat::cheat_monitor::check_pages).

*Thread Blocking​

Hooks RtlUserThreadStart and checks if the designated address of execution for the thread is within the correct memory bounds. In this case, it is called "image-only execution", where only threads within the primary image (and some other excluded images such as ucrtbased.dll) are allowed to have threads run. If a thread is running outside of these bounds then it is detected as malicious inside an invalid execution space. This also prevents debuggers from attaching the process since RtlUserThreadStart is executed before DbgUiRemoteBreakIn is called which executes outside of the secure boundaries.

*Memory Honeypots​

Memory honeypots are created within the init routine, where memory pages aren't yet accessed, but when they are (which they shouldn't be), it is detected. Prevents "cheat" scanners.

*Anti-Debugging​

Checks the PEB directly (instead of using IsDebuggerPresent, which can be easily looked up) for the value of the BeingDebugged flag as well as the value of NtGlobalFlag. Prone to just directly modifying the BeingDebugged flag to bypass this check though. DbgUiRemoteBreakIn is blocked because debug threads can't be executed in the process (DebugActiveProcess executes a thread within the process, but our process has memory bounds checking, simplified when thread scanning is mentioned.)

TBA: Arbitrary Vectored Exception Handling Detection

*Protected Functions​

Similar in concept to a memory integrity check, but specifically detects if Winsock routines designated as "protected" are hooked/modified, preventing user-mode packet modification and reading by software such as WPE Pro and rPE.

*Process Scanner​

Scans each process based on the contents (process name, window name) and unique memory signature.

*Module Scanner​

Scans the loaded modules in the process for any with blacklisted names.

TBA: Signature scanning

🔥DOWNLOAD🔥

To view the content, you need to Sign In or Register.

For OnForum.Net with ♥️
 
Ionut Barbescu said:
AntiCheat Plugin ClientSide
A client-sided anti-cheat developed during a freelance project to "plug-in" to a proprietary client for a private server. Includes memory integrity checks, thread execution restrictions, hook detection, memory honeypots, and more.

*Memory Integrity Check​

Gathers a collection of memory pages initially within the game's module (anticheat::cheat_monitor::init) and generates a CRC32 hash based on the memory contents of each page (calc_vpt_hashes) - each validated every cycle (anticheat::cheat_monitor::check_pages).

*Thread Blocking​

Hooks RtlUserThreadStart and checks if the designated address of execution for the thread is within the correct memory bounds. In this case, it is called "image-only execution", where only threads within the primary image (and some other excluded images such as ucrtbased.dll) are allowed to have threads run. If a thread is running outside of these bounds then it is detected as malicious inside an invalid execution space. This also prevents debuggers from attaching the process since RtlUserThreadStart is executed before DbgUiRemoteBreakIn is called which executes outside of the secure boundaries.

*Memory Honeypots​

Memory honeypots are created within the init routine, where memory pages aren't yet accessed, but when they are (which they shouldn't be), it is detected. Prevents "cheat" scanners.

*Anti-Debugging​

Checks the PEB directly (instead of using IsDebuggerPresent, which can be easily looked up) for the value of the BeingDebugged flag as well as the value of NtGlobalFlag. Prone to just directly modifying the BeingDebugged flag to bypass this check though. DbgUiRemoteBreakIn is blocked because debug threads can't be executed in the process (DebugActiveProcess executes a thread within the process, but our process has memory bounds checking, simplified when thread scanning is mentioned.)

TBA: Arbitrary Vectored Exception Handling Detection

*Protected Functions​

Similar in concept to a memory integrity check, but specifically detects if Winsock routines designated as "protected" are hooked/modified, preventing user-mode packet modification and reading by software such as WPE Pro and rPE.

*Process Scanner​

Scans each process based on the contents (process name, window name) and unique memory signature.

*Module Scanner​

Scans the loaded modules in the process for any with blacklisted names.

TBA: Signature scanning

🔥DOWNLOAD🔥

*** Hidden text: cannot be quoted. ***

For OnForum.Net with ♥️
Click to expand...
thanks for share i will try it
 
Ionut Barbescu said:
AntiCheat Plugin ClientSide
A client-sided anti-cheat developed during a freelance project to "plug-in" to a proprietary client for a private server. Includes memory integrity checks, thread execution restrictions, hook detection, memory honeypots, and more.

*Memory Integrity Check​

Gathers a collection of memory pages initially within the game's module (anticheat::cheat_monitor::init) and generates a CRC32 hash based on the memory contents of each page (calc_vpt_hashes) - each validated every cycle (anticheat::cheat_monitor::check_pages).

*Thread Blocking​

Hooks RtlUserThreadStart and checks if the designated address of execution for the thread is within the correct memory bounds. In this case, it is called "image-only execution", where only threads within the primary image (and some other excluded images such as ucrtbased.dll) are allowed to have threads run. If a thread is running outside of these bounds then it is detected as malicious inside an invalid execution space. This also prevents debuggers from attaching the process since RtlUserThreadStart is executed before DbgUiRemoteBreakIn is called which executes outside of the secure boundaries.

*Memory Honeypots​

Memory honeypots are created within the init routine, where memory pages aren't yet accessed, but when they are (which they shouldn't be), it is detected. Prevents "cheat" scanners.

*Anti-Debugging​

Checks the PEB directly (instead of using IsDebuggerPresent, which can be easily looked up) for the value of the BeingDebugged flag as well as the value of NtGlobalFlag. Prone to just directly modifying the BeingDebugged flag to bypass this check though. DbgUiRemoteBreakIn is blocked because debug threads can't be executed in the process (DebugActiveProcess executes a thread within the process, but our process has memory bounds checking, simplified when thread scanning is mentioned.)

TBA: Arbitrary Vectored Exception Handling Detection

*Protected Functions​

Similar in concept to a memory integrity check, but specifically detects if Winsock routines designated as "protected" are hooked/modified, preventing user-mode packet modification and reading by software such as WPE Pro and rPE.

*Process Scanner​

Scans each process based on the contents (process name, window name) and unique memory signature.

*Module Scanner​

Scans the loaded modules in the process for any with blacklisted names.

TBA: Signature scanning

🔥DOWNLOAD🔥

*** Hidden text: cannot be quoted. ***

For OnForum.Net with ♥️
Click to expand...
thank you so much i will try this....
 
Ionut Barbescu said:
AntiCheat Plugin ClientSide
A client-sided anti-cheat developed during a freelance project to "plug-in" to a proprietary client for a private server. Includes memory integrity checks, thread execution restrictions, hook detection, memory honeypots, and more.

*Memory Integrity Check​

Gathers a collection of memory pages initially within the game's module (anticheat::cheat_monitor::init) and generates a CRC32 hash based on the memory contents of each page (calc_vpt_hashes) - each validated every cycle (anticheat::cheat_monitor::check_pages).

*Thread Blocking​

Hooks RtlUserThreadStart and checks if the designated address of execution for the thread is within the correct memory bounds. In this case, it is called "image-only execution", where only threads within the primary image (and some other excluded images such as ucrtbased.dll) are allowed to have threads run. If a thread is running outside of these bounds then it is detected as malicious inside an invalid execution space. This also prevents debuggers from attaching the process since RtlUserThreadStart is executed before DbgUiRemoteBreakIn is called which executes outside of the secure boundaries.

*Memory Honeypots​

Memory honeypots are created within the init routine, where memory pages aren't yet accessed, but when they are (which they shouldn't be), it is detected. Prevents "cheat" scanners.

*Anti-Debugging​

Checks the PEB directly (instead of using IsDebuggerPresent, which can be easily looked up) for the value of the BeingDebugged flag as well as the value of NtGlobalFlag. Prone to just directly modifying the BeingDebugged flag to bypass this check though. DbgUiRemoteBreakIn is blocked because debug threads can't be executed in the process (DebugActiveProcess executes a thread within the process, but our process has memory bounds checking, simplified when thread scanning is mentioned.)

TBA: Arbitrary Vectored Exception Handling Detection

*Protected Functions​

Similar in concept to a memory integrity check, but specifically detects if Winsock routines designated as "protected" are hooked/modified, preventing user-mode packet modification and reading by software such as WPE Pro and rPE.

*Process Scanner​

Scans each process based on the contents (process name, window name) and unique memory signature.

*Module Scanner​

Scans the loaded modules in the process for any with blacklisted names.

TBA: Signature scanning

🔥DOWNLOAD🔥

*** Hidden text: cannot be quoted. ***

For OnForum.Net with ♥️
Click to expand...
Thank you noticed it's for credit, so thank you, I don't want it
 
You must log in or register to reply here.

Similar threads

Ionut Barbescu
Metin2 (AntiCheat)CShield Free Version
2
Replies
34
Views
13K
Bentdner91
Vanilla
Metin2 AntiCheat Prevention Source File
Replies
3
Views
4K
Treepy
Treepy
Sonia
Metin2 (Anticheat) with Source -DazyShield
Replies
2
Views
5K
Gratios
Gratios
Vanilla
Metin2 How to Generate Source Code Without Extern (vcpkg method)
Replies
3
Views
5K
saggi
saggi
Blaze
Metin2 Vanilla core 71480 with source files
Replies
0
Views
2K
Blaze
Blaze

About Us

OnForum

OnForum.net is a resource community where aspiring webmasters and designers can share content and receive support for a wide variety of software platforms. We are working every day to make sure our community is one of the best.

None of the files are hosted on this site.

PARTNERS

DMCA

    dmca

Newest members

Back
Top