
Thread: Is Simba detected by VAC?

  1. #1

    Curious because I'm thinking about botting a steam game just for fun but it's VAC protected and I don't want to get VAC banned.

  2. #2

    No, "color cheating" in VAC games should be fine. But Simba won't be able to read screens of most games that are rendered with OpenGL & D3D.
    However, if the game has some sort of user-report system then you might be caught anyway.
    !No priv. messages please

  3. #3

    Quote Originally Posted by slacky View Post
    No, "color cheating" in VAC games should be fine. But Simba won't be able to read screens of most games that are rendered with OpenGL & D3D.
    However, if the game has some sort of user-report system then you might be caught anyway.
    Gotcha, thanks for the info.

  4. #4

    Actually, the primary detection component of VAC is signature scanning. Meaning any application intended for cheating could be detected, regardless of the method used. Color or otherwise.

    In very much the same way as a virus scanner uses definitions, signature scanning identifies programs based on their fingerprint in memory, and not so much what they are specifically doing.

    If a definition for Simba were to be included in VAC, it would result in you being banned.

    Having said that, I find it very unlikely that Simba was ever identified as a possible cheating application by Valve. Not to say it won't ever be, but I doubt you have a risk of it already being identified.

    Source:
    I make cheats for VAC protected games.


    Footer;
    If it were to become an issue later the open-source nature of Simba allows for an easy bypass. A simple solution is often just to run the application through a different compiler, with different optimisations. Basically anything you can do to alter its signature. Though I do not have much experience with Delphi compilers outside of Borland. There are also products intended to do exactly this for you.
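The definition-style matching described in post #4, as an added example that is not part of the thread and not VAC's actual logic: a byte pattern with wildcards is compared against memory contents, next to an exact SHA-256 match for contrast. The byte strings, the pattern and all function names are constructed for illustration.

```python
import hashlib

def parse_signature(text):
    """'8B 45 ?? 03' -> [0x8B, 0x45, None, 0x03]; None marks a wildcard byte."""
    return [None if tok in ("?", "??") else int(tok, 16) for tok in text.split()]

def scan(buf, sig):
    """Return every offset in buf where the masked signature matches."""
    return [off for off in range(len(buf) - len(sig) + 1)
            if all(s is None or buf[off + i] == s for i, s in enumerate(sig))]

def hash_match(buf, known_hashes):
    """Exact-match definition: only fires on a byte-identical buffer."""
    return hashlib.sha256(buf).hexdigest() in known_hashes

# Constructed sample data: the same small x86 routine as it might appear in two
# builds, with different stack offsets and different padding around it.
BUILD_A = bytes.fromhex("90 90 55 8B EC 8B 45 08 03 45 0C 5D C3")
BUILD_B = bytes.fromhex("CC 55 8B EC 8B 45 10 03 45 14 5D C3 90 90")
UNRELATED = bytes.fromhex("55 8B EC 33 C0 5D C3")

# Hypothetical definition: fixed opcodes kept, operand bytes wildcarded.
DEFINITION = parse_signature("55 8B EC 8B 45 ?? 03 45 ?? 5D C3")
KNOWN_HASHES = {hashlib.sha256(BUILD_A).hexdigest()}

def report():
    """(name, matched by hash, offsets matched by masked signature) per buffer."""
    samples = (("build_a", BUILD_A), ("build_b", BUILD_B), ("unrelated", UNRELATED))
    return [(name, hash_match(buf, KNOWN_HASHES), scan(buf, DEFINITION))
            for name, buf in samples]

if __name__ == "__main__":
    for name, by_hash, offsets in report():
        print(f"{name:10} hash={by_hash!s:5} signature_offsets={offsets}")
```

The masked pattern matches both builds while the hash matches only the one it was taken from, which is why definitions are usually written against stable code sequences rather than whole files.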

  5. #5

    Quote Originally Posted by the bank View Post
    Actually, the primary detection component of VAC is signature scanning. Meaning any application intended for cheating could be detected, regardless of the method used. Color or otherwise.
    I said color, just to make it clear that my statement ONLY relates to color cheats. Because cheating with "Simba" doesn't say much. If he were to just call OpenProcess to grant access to the game's memory, then it doesn't matter if he uses Simba or anything else, the result will be the same: Ban.

    Fyi, I am aware that they do signature scans. Which is pretty easy to bypass indeed, and you keep it that way by not sharing your cheat, and your Simba build.


    Source:
    - I just know shit, that's just how cool I am.
    Last edited by slacky; 03-20-2017 at 10:31 AM.
    !No priv. messages please

  6. #6

    Quote Originally Posted by slacky View Post
    If he were to just call OpenProcess to grant access to the game's memory, then it doesn't matter if he uses Simba or anything else, the result will be the same: Ban.
    This isn't correct. No decent (do I even need this word) bot detection bans on the basis of OpenProcess alone. If that were the case I would get banned on every game I played whenever I ran an anti-virus scan or even something more trivial like opening task manager / process monitor.

  7. #7

    Quote Originally Posted by slacky View Post
    I said color, just to make it clear that my statement ONLY relates to color cheats. Because cheating with "Simba" doesn't say much. If he were to just call OpenProcess to grant access to the game's memory, then it doesn't matter if he uses Simba or anything else, the result will be the same: Ban.

    Fyi, I am aware that they do signature scans. Which is pretty easy to bypass indeed, and you keep it that way by not sharing your cheat, and your Simba build.


    Source:
    - I just know shit, that's just how cool I am.
    There's no need to get offended and mock my reply. I was not intending to say your reply was wrong, since it actually wasn't. I just felt there was more information to add to complete a full answer to OP's question. No harm intended.

    @OP an easy experiment to see VAC in action is to open Cheat Engine and then try to connect to a VAC secure server. CE does not need to be attached to the game, you can have it debugging a completely different process or none at all. You will receive a ban.

    If you're looking for a more advanced solution, I've dabbled in dynamic PE generation. Definitely addresses the issue but also must be done correctly otherwise you're still generating a static executable.

    But to answer your original question - yes Simba could be VAC detected but it is unlikely they have done so at this point in time.

  8. #8

    Quote Originally Posted by the bank View Post
    There's no need to get offended and mock my reply. I was not intending to say your reply was wrong, since it actually wasn't. I just felt there was more information to add to complete a full answer to OP's question. No harm intended.

    @OP an easy experiment to see VAC in action is to open Cheat Engine and then try to connect to a VAC secure server. CE does not need to be attached to the game, you can have it debugging a completely different process or none at all. You will receive a ban.

    If you're looking for a more advanced solution, I've dabbled in dynamic PE generation. Definitely addresses the issue but also must be done correctly otherwise you're still generating a static executable.

    But to answer your original question - yes Simba could be VAC detected but it is unlikely they have done so at this point in time.
    Thanks for the clarification, I think I'll stay away from it just to be safe. Maybe in the future when I don't care about the game anymore I'll try it out.

  9. #9

    Quote Originally Posted by Kasi View Post
    This isn't correct. No decent (do I even need this word) bot detection bans on the basis of OpenProcess alone. If that were the case I would get banned on every game I played whenever I ran an anti-virus scan or even something more trivial like opening task manager / process monitor.
    If you have access to the game's memory, you also have access to shit like positional data of players. I read about bans happening due to OpenProcess+ReadProcessMemory, and it's pretty much instant bans from doing it. You can find a little on it over at unknowncheats.me, and other cheating communities. Anti-virus is probably on some sort of "trusted" lists.
    iirc, someone on this community tried it as well, didn't end well.
    Last edited by slacky; 03-21-2017 at 01:06 AM.
    !No priv. messages please

  10. #10

    Quote Originally Posted by slacky View Post
    If you have access to the game's memory, you also have access to shit like positional data of players. I read about bans happening due to OpenProcess+ReadProcessMemory, and it's pretty much instant bans from doing it. You can find a little on it over at unknowncheats.me, and other cheating communities. Anti-virus is probably on some sort of "trusted" lists.
    iirc, someone on this community tried it as well, didn't end well.
    Quote Originally Posted by Kasi View Post
    This isn't correct. No decent (do I even need this word) bot detection bans on the basis of OpenProcess alone.
    Even with ReadProcessMemory; there are too many legitimate applications which use OpenProcess and ReadProcessMemory. VAC doesn't whitelist either. VAC uses signature scanning W/Blacklisting. That's the confirmation it uses to ban. Maybe OpenProcess/ReadProcessMemory/WriteProcessMemory/etc is used to trigger the signature scanning but it most certainly does not ban based solely on those functions. There are several sources out there to confirm this. You can even check UnknownCheats, they'll say the same thing.

    As for Runescape. IDK who you're talking about when you say it didn't end well but Jagex's AC sucks. I have a private OSRS bot that uses OpenProcess/ReadProcessMemory/WriteProcessMemory to grant me a Reflection like interface through the official client. I use mouse moves/clicks with no mouse splines (mouse jumps) with a detour which removes injected/virtual input flags. I haven't even been banned yet never mind instant ban.

  11. #11

    Quote Originally Posted by slacky View Post
    If you have access to the game's memory, you also have access to shit like positional data of players. I read about bans happening due to OpenProcess+ReadProcessMemory, and it's pretty much instant bans from doing it. You can find a little on it over at unknowncheats.me, and other cheating communities. Anti-virus is probably on some sort of "trusted" lists.
    iirc, someone on this community tried it as well, didn't end well.
    As has been discussed on several forums, including the ones you mentioned, the cause of a ban based solely off of those functions is almost always due to the fact they used a publicly available memory utility class in their cheats that has been detected and black listed already.

    It gives the sense that those actions alone caused the ban when in fact it was just a part of their code base that led to it.

    Many, many, many (too many to categorize into any sort of whitelist) applications read foreign process memory.

    EDIT:

    It's also worth mentioning that some forms of anticheat systems have been known to use much more dynamic memory analysis which will observe both the values and arithmetic being done and check it against known (publicly available) addresses/base-pointer paths used in the cheats they are trying to detect. This essentially can render ReadProcessMemory detected - by detecting the address and/or chains of addresses used in the cheats themselves. As well as the following arithmetic done on the values.

  12. #12

    Quote Originally Posted by slacky View Post
    If you have access to the game's memory, you also have access to shit like positional data of players. I read about bans happening due to OpenProcess+ReadProcessMemory, and it's pretty much instant bans from doing it. You can find a little on it over at unknowncheats.me, and other cheating communities. Anti-virus is probably on some sort of "trusted" lists.
    iirc, someone on this community tried it as well, didn't end well.

    It isn't from OpenProcess or ReadProcessMemory. It's actually because the process that is doing so is allocating and/or using VirtualProtect on the memory to change its permissions OR launching the process themselves. Some cheats change the process permissions as well (IE: Set debuggable). Plain reading can't/shouldn't get you banned.

    Reading it should be fine. But changing its permissions is a no-no. Anti-virus has to scan the memory as well, and has to open the process to do so. Anti-virus most likely uses the Nt and Zw version of the functions in question.
    Last edited by Brandon; 03-21-2017 at 01:04 PM.
    I am Ggzz..
    Hackintosher

  13. #13

    @Brandon; VirtualAlloc is fine too right? I always thought malloc called VirtualAlloc/mmap to allocate large amounts of memory.

  14. #14

    Quote Originally Posted by Kasi View Post
    @Brandon; VirtualAlloc is fine too right? I always thought malloc called VirtualAlloc/mmap to allocate large amounts of memory.
    Not by itself it can't be detected. If it is combined with Injecting into that memory then yes. Why? Because you can use VirtualQueryEx to determine what kind of data is stored in that memory and scan the memory pages. However, you can also hide it so meh.. It's a cat and mouse game.

    https://www.defcon.org/images/defcon...-Detection.pdf
    I am Ggzz..
    Hackintosher
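The VirtualQueryEx-style page scan mentioned in posts #12 and #14, as an added example that is not part of the thread and not any anti-cheat's actual rule set: it triages region records shaped like MEMORY_BASIC_INFORMATION (State, Protect, Type). The region list, the `head` field and the three rules are constructed assumptions; the numeric constants are the documented Windows values.

```python
# Documented Windows memory constants (winnt.h).
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
MEM_PRIVATE, MEM_IMAGE = 0x20000, 0x1000000
PAGE_READONLY, PAGE_READWRITE = 0x02, 0x04
PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x20, 0x40
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80   # any PAGE_EXECUTE* protection

def triage(regions):
    """Return [(base, [reasons])] for committed executable regions worth a look."""
    findings = []
    for r in regions:
        if r["state"] != MEM_COMMIT or not r["protect"] & EXEC_MASK:
            continue                      # not committed, or not executable
        reasons = []
        if r["type"] == MEM_PRIVATE:
            reasons.append("executable private memory, not backed by a file")
        if r["protect"] & PAGE_EXECUTE_READWRITE:
            reasons.append("writable and executable at the same time")
        if r["type"] != MEM_IMAGE and r["head"][:2] == b"MZ":
            reasons.append("PE header outside a loader-mapped image")
        if reasons:
            findings.append((r["base"], reasons))
    return findings

def region(base, state, protect, mtype, head=b""):
    """Hypothetical record: the fields a VirtualQueryEx walk plus a short read yields."""
    return {"base": base, "state": state, "protect": protect, "type": mtype, "head": head}

# Constructed sample address space, not captured from a real process.
SAMPLE = [
    region(0x00400000, MEM_COMMIT, PAGE_READONLY, MEM_IMAGE, b"MZ\x90\x00"),
    region(0x00401000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE, b"\x55\x8b"),
    region(0x00900000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),
    region(0x02A00000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, b"MZ\x90\x00"),
    region(0x03100000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_PRIVATE, b"\x48\x89"),
    region(0x04000000, MEM_RESERVE, 0, MEM_PRIVATE),
]

if __name__ == "__main__":
    for base, reasons in triage(SAMPLE):
        print(f"{base:#010x}: " + "; ".join(reasons))
```

A hit such as the one at 0x03100000 also describes a JIT compiler's code cache, so rules like these are triage signals that need a second check rather than verdicts.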

  15. #15

    Quote Originally Posted by Kasi View Post
    As for Runescape...
    I did not say runescape. It was an experiment related to CS:GO (iirc), however, now that I think about it, he might have used CheatEngine to read through the memory, instead of doing it purely in Simba, but this I can't confirm or deny, I simply don't know.
    But I assume it's pretty likely, as it's usually a go-to tool for tracking which values change when you do something.
    Last edited by slacky; 03-22-2017 at 01:48 AM.
    !No priv. messages please
