UCP Anti-Cheat | System Service Hijacking Ban

Official site anti-cheat Ultra Core Protector

Ultra Core Protector - is the client-server anti-cheat freeware, for server protection from unscrupulous players.

Abilities	Supported games
Protection from change and substitution game files Protection from injection and modification game process Protection from use of scripting cheats Ban system based on the PCs unique identifier Semi-automatic installation of anti-cheats client part Steam and non-steam support Ability to take screenshots from players Debug mode for quick identification of problems Ability to play on a server without anticheat	Half-Life Condition Zero Counter-Strike 1.6 Day of Defeat Adrenaline Gamer Team Fortress Classic Counter-Strike Source MU Online Ragnarok Online	Half-Life 2 Deathmatch Adrenaline Gamer 2 Team Fortress 2

System Service Hijacking Ban

I’ve been developing several different bypasses for fun, but one bypass that keeps getting me banned by BE is exploiting a system service.

Currently, before the game is started, I am using a simple, hand-made LoadLibrary injector w/ SEDebug Priv to load a DLL into a system service. It then creates a remote thread and sits dormant for a few minutes while I start up the game. After 2 minutes, it steals a HANDLE to the target game and begins to RPM/WPM.

The DLL itself is not packed, but all give-aways like Strings are XORd. In addition, nothing is C+P since it was written from scratch.

However, I seem to be getting banned from this process after a few days. Anyone see a glaring detection vector or have some pointers about what might be getting detected? I have been trying to the isolate different parts of it, but it’s time consuming due to BE’s ban delay.

Another weird observation is that if I run it during the lobby and the first 5-10 min of the game, I never get banned. But if I play a few full games, the ban is nearly guaranteed.

I appreciate all the help that I can get!

Anticheat for MU Online
Anticheat for Gunz Online
Anticheat for Ragnarok Online