Sign In
Create Account
First of all : ITS NOT MY THREAD/POST/ I JUST FOUND THIS IN OTHER FORUM !!!
#--------------------------------------------------------------------------------------------------------------------
ORGINAL POST : https://www.unknownc...anti-cheat.html
--------------------------------------------------------------------------------------------------------------------
Too many people learned about the AC for my liking so I decided that I might as well make the whole thing public.
League of Legends Anti Cheat - 9001
The anti-cheat itself consists of 3 parts:
Module 0 : External hack detection, file checks, debugger checks and misc (some anti-retard)
Module 1 : DLL detection
Module 2 : Patch detection
Some info before module specific information:
- It's manual mapped.
- Anti-cheat only gets loaded in matchmade games after 10-15 minutes and unloads immediately afterwards.
- (Most likely) Modules are compiled together with the game binary originally and extracted using a script to be encrypted and re-mapped later on.
Why? Because the functions used in the modules directly reference the functions in the game binary for many of the tasks (like memcpy, packet functions, stack overflow guards etc.)
- It uses inlined syscalls so that hooks don't work against them (thus why people go Ring 0)
It also uses a small trick (for some reason) to hide the syscall instruction.
This image has been resized. Click this bar to view the full image. The original image is sized 730x69.
This image has been resized. Click this bar to view the full image. The original image is sized 678x166.
Here's the 64 bit shellcode used in wow64 syscalls:
- Some references
Code:
- Found hashed NTDLL import: NtWriteVirtualMemory (0x0397B6EB @ 0x777AE900)
- Found hashed KERNEL32 import: MapViewOfFile (0x1CBAE118 @ 0x7423C580)
- Found hashed KERNEL32 import: CloseHandle (0x300DBC66 @ 0x74249660)
- Found hashed NTDLL import: NtQueryVirtualMemory (0x361D7DAA @ 0x777AE790)
- Found hashed NTDLL import: NtGetContextThread (0x37288E81 @ 0x777AF3C0)
- Found hashed KERNEL32 import: UnmapViewOfFile (0x475EDC3D @ 0x7423CEC0)
- Found hashed NTDLL import: NtUnmapViewOfSection (0x5B417ADC @ 0x777AE800)
- Found hashed NTDLL import: NtQuerySystemInformation (0x5E235647 @ 0x777AE8C0)
- Found hashed KERNEL32 import: CreateFileA (0x81C32FCD @ 0x742498B0)
- Found hashed NTDLL import: NtMapViewOfSection (0x8E529AEB @ 0x777AE7E0)
- Found hashed NTDLL import: NtClose (0x9379F202 @ 0x777AE630)
- Found hashed NTDLL import: NtQueryInformationFile (0x98A2B252 @ 0x777AE650)
- Found hashed KERNEL32 import: CreateFileMappingA (0x9954916B @ 0x7423A340)
- Found hashed NTDLL import: NtQueryObject (0xA0B5F9A9 @ 0x777AE640)
- Found hashed NTDLL import: NtQueryInformationProcess (0xBD016E11 @ 0x777AE6D0)
- Found hashed KERNEL32 import: GetSystemDirectoryA (0xC7598A17 @ 0x7423D4C0)
- Found hashed NTDLL import: NtCreateDebugObject (0xCF6E95F2 @ 0x777AEF10)
- Found hashed NTDLL import: NtCreateSection (0xD31AD18D @ 0x777AEA00)
- Found hashed NTDLL import: NtReadVirtualMemory (0xDD74CBA6 @ 0x777AE950)
- Found hashed NTDLL import: NtCreateFile (0xFE689E2C @ 0x777AEAB0)
Module 0:
- Checks external processes and sends information about them to the server
- Certain file checks
Quote:
C:\Users\***\AppData\Roaming\Scripter's Rift Dev\awesomium.dll
C:\Users\***\AppData\Roaming\Scripter's Rift Dev\awesomium_process.exe
C:\Windows\SysWOW64\awesomium.dll
C:\Windows\SysWOW64\awesomium_process.exe
- Debugger checks
- Does the "patch detection" platforms like BoL (and many other morons) "found" again to detect who bypassed it (private platform detection, no legit 3rd party program would attempt to bypass anti-cheat)
Module 1:
- Nothing special, dll detection
- VMWare modules and the whole C# framework is blacklisted.
To name a few:
Quote:
System.Xml.Linq.dll
System.Data.dll
System.ServiceModel.Internals.dll
System.Transactions.dll
System.Core.dll
System.dll
System.Xml.dll
System.Drawing.dll
System.IdentityModel.dll
System.Transactions.ni.dll
D3DX9_43.dll
System.ServiceModel.ni.dll
System.Data.ni.dll
System.Data.dll
System.Configuration.ni.dll
System.Core.ni.dll
Module 2:
- Extended patch detection, re-locates the entire league binary to 0x400000, hashes it, and checks the values against the hash-table stored in League of Legends.exe
When a patch is detected, it is checked for many types of je/jz/jmp/call/... re-directors and if anything matches it sends the information about the module where its being re-directed to, to the server.
- You can find the self hash-table inside League of Legend's .rdata by searching for the magic value 0x130F06C8. Each of the entries represent the hash of a block with the size of 0x1000 inside .text.
----------------------------------------------------------------
I'm not going to spoon-feed you on how to find the modules / anti-cheat loader because I'm writing this just to let you know that League of legends has a very good anti-cheat unlike what public thinks.
You might consider not starting a new platform because you didn't get banned with your private cheat -> there should be no anti-cheat and people should use humanizers.
I will attach below the anti-cheat dumps from 7.19 so the curious people can take a look.
(Not the most recent patch because they already started to remove stuff, AC will get a rework pretty soon so I wouldn't recommend you to spend much time on the current version)
Let me know if you have any questions, its been a while since I reversed it so I just wrote a general outline rather than a detailed article but I can answer if there's anything you want to ask.
Note to riot employees:
You might wanna consider taking bug reports more seriously. #
Back to top
Report
