A guy found out that blizz implemented some new anti-cheat functions in the last hotfix.
Will this have any effect on HB?
Here is the quote from the original post:
This is only a small part of it; I haven't fully reversed all of it and I'm doing some guesswork as well, but the pattern used is pretty standard in anti-cheat mechanisms.
First of all, I just compared the 1.3.0.g and 1.3.0.i patches. Why? Because the patch notes said only strongboxes were fixed, and yet a whole .exe with 200/300 new functions was downloaded.
I saw two API calls that weren't there in the past:
http://puu.sh/erMcZ/3fda1ca448.png
The first one is used to access "virtual" files / mapped memory, and the second one gets a handle to a file in order to perform actions on it.
So my theory is that part of the anti-cheat maps important functions that shouldn't be altered in memory and compares them with the currently running exe. If something is altered, it sets a big flag and sends it to GGG through normal game packets (not an HTTP connection; the game's network layer is used directly).
This code is run once every second:
Code:
/*
 * One-shot initialisation gate (decompiled).
 *
 * Returns 1 once the setup below has succeeded, either on this call or on
 * an earlier one (byte_C9067C records success); returns 0 if any step
 * fails, in which case byte_C9067C stays clear and the next call retries.
 *
 * The steps are evaluated in order and short-circuit: sub_9C6440 (the
 * import resolver) first, then two calls through dword_C8FF38, a
 * six-argument stdcall pointer that sub_9C6440 resolves at runtime. Each
 * of those calls passes a routine (sub_9C6210, then sub_9C6140) as the
 * third argument and zero for the other five; what dword_C8FF38 does with
 * the routine is not visible from this listing.
 */
char __cdecl sub_9C6360()
{
    /* Already initialised on a previous call: nothing more to do. */
    if ( byte_C9067C )
        return 1;

    if ( !sub_9C6440() )
        return 0;
    if ( !dword_C8FF38(0, 0, sub_9C6210, 0, 0, 0) )
        return 0;
    if ( !dword_C8FF38(0, 0, sub_9C6140, 0, 0, 0) )
        return 0;

    /* All three steps succeeded; remember that so later calls return early. */
    byte_C9067C = 1;
    return 1;
}
Code:
/*
 * Zero a NUL-terminated string in place, byte by byte, up to (not
 * including) its terminator. Used below to scrub the decoded module-name
 * buffers once they have been used for the lookup, so the plaintext names
 * do not linger in memory.
 */
static void wipe_cstring(char *s)
{
    unsigned int remaining = strlen(s);
    char *cursor = s;
    while ( remaining )
    {
        *cursor = 0;
        ++cursor;
        --remaining;
    }
}

/*
 * Runtime import resolver (decompiled).
 *
 * Decodes three module-name strings via sub_9C6810 (decoding scheme not
 * visible here), looks each module up with GetModuleHandleA, scrubs the
 * decoded names, and then fills nineteen global function/data pointers by
 * calling sub_9C63C0 with an opaque descriptor (unk_C754F0 ...) and a
 * module value. Resolving imports this way keeps the API names out of the
 * static import table; the post's author reads this as a standard
 * anti-cheat pattern.
 *
 * Always returns 1: a GetModuleHandleA failure (NULL handle) is not
 * reported, so the sub_9C63C0 lookups would simply receive a zero module
 * value. Whether sub_9C63C0 tolerates that is not visible from this
 * listing.
 */
char __cdecl sub_9C6440()
{
    /* Decode the three names and resolve their modules before any of the
       buffers is scrubbed (same order as the original). */
    void *name_main = sub_9C6810(byte_C754C8);
    dword_C8FF60 = GetModuleHandleA((LPCSTR)name_main);
    void *name_second = sub_9C6810(byte_C754D8);
    dword_C8FF70 = (int)GetModuleHandleA((LPCSTR)name_second);
    void *name_third = sub_9C6810(byte_C754E4);
    dword_C8FF50 = (int)GetModuleHandleA((LPCSTR)name_third);

    /* The plaintext names are no longer needed; overwrite them. */
    wipe_cstring((char *)byte_C754C8);
    wipe_cstring((char *)byte_C754D8);
    wipe_cstring((char *)byte_C754E4);

    /* Entries looked up in the first module (dword_C8FF60). The global is
       re-read on every call rather than cached, as in the original. */
    dword_C8FF58 = sub_9C63C0(&unk_C754F0, (int)dword_C8FF60);
    dword_C8FF28 = sub_9C63C0(&unk_C75500, (int)dword_C8FF60);
    /* Six-argument stdcall pointer later used by sub_9C6360. */
    dword_C8FF38 = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD))sub_9C63C0(&unk_C75514, (int)dword_C8FF60);
    dword_C8FF24 = sub_9C63C0(&unk_C75540, (int)dword_C8FF60);

    /* Entry looked up in the third module (dword_C8FF50). */
    dword_C8FF30 = (int (__stdcall *)(_DWORD, _DWORD))sub_9C63C0(&unk_C75554, dword_C8FF50);

    dword_C8FF34 = (int (__stdcall *)(_DWORD, _DWORD, _DWORD))sub_9C63C0(&unk_C75564, (int)dword_C8FF60);
    dword_C8FF5C = sub_9C63C0(&unk_C75578, (int)dword_C8FF60);
    dword_C8FF7C = sub_9C63C0(&unk_C755B4, (int)dword_C8FF60);

    /* Second entry from the third module. */
    dword_C8FF40 = sub_9C63C0(&unk_C755C4, dword_C8FF50);

    dword_C8FF20 = sub_9C63C0(&unk_C755D4, (int)dword_C8FF60);
    dword_C8FF6C = sub_9C63C0(&unk_C755E4, (int)dword_C8FF60);
    dword_C8F70C = sub_9C63C0(&unk_C755F4, (int)dword_C8FF60);
    dword_C8FF68 = sub_9C63C0(&unk_C75604, (int)dword_C8FF60);
    dword_C8FF78 = sub_9C63C0(&unk_C75614, (int)dword_C8FF60);
    dword_C8FF74 = sub_9C63C0(&unk_C75624, (int)dword_C8FF60);
    dword_C8FF2C = sub_9C63C0(&unk_C75638, (int)dword_C8FF60);
    dword_C8FF64 = sub_9C63C0(&unk_C75648, (int)dword_C8FF60);
    dword_C8FF44 = (int (__stdcall *)(_DWORD, _DWORD, _DWORD))sub_9C63C0(&unk_C75658, (int)dword_C8FF60);
    dword_C8FF48 = sub_9C63C0(&unk_C75668, (int)dword_C8FF60);
    dword_C8FF4C = sub_9C63C0(&unk_C75678, (int)dword_C8FF60);

    /* Unconditional success, see the header comment. */
    return 1;
}
Debug screen while executing: http://puu.sh/erNTZ/38d30f0cef.png
tl;dr: anything that tampers with the game's memory is detected for sure; not sure about programs that just read data (bots, AutoHotkey), that needs further analysis.