Admin

ColdNetwork SS Guide

on Sat Jan 18, 2020 10:30 pm

SS-Guide
(Revamped by SearchForMe, Willem, and Losmen)

(Credits to Baum, Zphre, Moni, Froust, Advertzz, and vSyndrome)

━━━━━━━━━━━━━━━━━━━━◥◣◆◢◤━━━━━━━━━━━━━━━━━━━━

Tools

The following programs will be needed during an SS.

Ban Lengths:

Admitted to Cheating - 15 Day IP Ban > 30 Day IP Ban

Recording an SS - 30 Day IP Ban

Unable to SS - 15 Day Ban

Refusing to SS - 60 Day IP Ban
(this also counts if they don't admit but later on in the Screenshare they do)

Logged out whilst Frozen - 60 Day IP Ban

Clearing files before SS - 30 Day IP Ban

Connected to a VPN - Permanent IP Ban

Illegal Mods found in SS - 30 Day IP Ban

Cheats found in SS - Permanent IP Ban
[Players are not able to appeal this]

TeamSpeak
(Used to communicate with whoever you are screen sharing)
www.teamspeak.com/downloads


AnyDesk
(Used to view and control the computer of who you are screen sharing)
www.anydesk.com/downloads


Process Hacker 2
(Used to search for Injects/AutoClickers/Clients)
https://processhacker.sourceforge.io/downloads.php


LastActivityView
(Used to see recent .exe openings made by the user)
https://www.nirsoft.net/utils/lastactivityview.zip


UserAssistView
(Used to see recent .exe openings made by the user)
http://www.nirsoft.net/utils/userassistview.zip


Luyten
(Used to decompile mods)
https://github.com/deathmarine/Luyten/releases/download/v0.5.3/luyten-0.5.3.exe


Search Everything
(Used to see everything on the user's computer)
(x86) https://www.voidtools.com/Everything-1.4.1.895.x86.zip
(x64) https://www.voidtools.com/Everything-1.4.1.895.x64.zip

━━━━━━━━━━━━━━━━━━━━━━━━◥◣◆◢◤━━━━━━━━━━━━━━━━━━━━━━━━

SS Rules

Below is a list of screen-share rules you must abide by in screen-shares. Please read carefully, as breaking some of these can result in SS-warns and the removal of your SS Verified, with a possible demotion.

[IMPORTANT] Screenshare Rules:

Not checking vital files/programs in screenshares without a valid reason:
0.5 point warning

Using your own strings that aren't proven to be cheats:
1.5 point warning

Being lazy (only running an SS Tool and not doing other methods):
1.5 point warning

Being toxic in the screenshare (shouting, arguing, name calling, making fun of):
1.0 point warning

Not giving the suspect the right amount of time to initiate the screenshare:
0.5 point warning

Arguing with other staff in a screenshare:
0.5 point warning

Harshly making fun of the person being screenshared's PC and/or being disrespectful to the player:
1. point warning

Going into files that you don't need to go in/don't have a reason to go into:
0.5 point warning

Making up your own rules in screenshares etc, "you can't have this on your pc":
0.5 point warning

Making up a random reason/excuse to ban someone because "you know they're cheating":
1.5 point warning and can lead to a staff warn as well.

Downloading unofficial screenshare tools without receiving permission from an SS Manager:
1.0 point warning

Forcefully making a player run a suspicious program that isn't officially known by the ss managers:
1.5 point warning

Removing files from a person's PC without their permission:
1.5 point warning

Purposely giving the person being screenshared private strings provided by the cold SS team:
0.5 point warning

Keeping someone in a screenshare for an un-necessary amount of time/reason:
0.5 point warning

Accessing the person's personal social media and paypal without their permission:
1.5 point warning

Banning someone for "Manthe Digital Signature" without checking the exe ran:
0.5 point warning

Banning someone for "Anti SS Tool" without checking the cause of the flag:
0.5 point warning

Not taking a screenshot of the evidence of the player's cheats in a screenshare:
0.5 point warning


━━━━━━━━━━━━━━━━━━━━━━━━◥◣◆◢◤━━━━━━━━━━━━━━━━━━━━━━━━

Recycle Bin

This section will teach you how to check if someone cleared their Recycle Bin before the SS.

Press WINDOWS + R and type C:\$Recycle.Bin




Once you've loaded the folder, click the “View” tab in the top left corner.

Once the drop-down appears, click on the “Options” tab on the far right.




Once the Folder Options appear, under “Hidden files and folders”, click on “Show hidden files, folders and drives”.




Now click on "Hide protected operating system files (Recommended)". Once you have clicked it, a warning message should pop up; simply click Yes.




You will now see something appear named “Recycle Bin”. Check the date modified and it will show you the last time they edited it. If it is close to the time they were frozen, then ban them for clearing files before SS.




You can also see when the Recycle Bin was modified, without changing system options and preferences, through the application WinRAR. Since this method only involves looking with an application that opens .rar and .zip archives, 7-Zip and WinZip can also work, but we recommend using WinRAR, which is recognized by the icon below.



The steps of this method are the following: Open WinRAR. If the search bar isn't shown, drag the vertical dots at the top right-hand corner towards the left. Search for "C:" and press ENTER after you are done typing, then double click $Recycle.Bin, which is one of the folders located towards the bottom. You will automatically see the date modified beside the Recycle Bin icon. This entire process is shown in the link below:

How to use winrar to find date modified of recycle bin:
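
The same date-modified check can be read from PowerShell without changing Explorer's view options. This is an added example, not part of the original guide: `$FrozenAt` and `$WindowMinutes` are assumed values, and listing the `$I` records of items still in the bin goes one step beyond the check described above.

```powershell
# Added example (not from the original guide).
# Assumptions: $FrozenAt is when the player was frozen; $WindowMinutes is
# how close to that time counts as "close". Run it as the player's own user.
$FrozenAt      = Get-Date
$WindowMinutes = 30

# Each user has a subfolder of C:\$Recycle.Bin named after their SID.
$sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$binDir = Join-Path 'C:\$Recycle.Bin' $sid
if (-not (Test-Path -LiteralPath $binDir)) {
    Write-Warning "No Recycle Bin folder for $sid on C:"
    return
}

# -Force is needed because the folder is hidden and marked as a system folder.
$folder  = Get-Item -LiteralPath $binDir -Force
$minutes = [math]::Abs(($FrozenAt - $folder.LastWriteTime).TotalMinutes)
[pscustomobject]@{
    Folder            = $folder.FullName
    LastModified      = $folder.LastWriteTime
    MinutesFromFreeze = [math]::Round($minutes, 1)
    CloseToFreeze     = $minutes -le $WindowMinutes
} | Format-List

# Items still in the bin keep a $I record: format version (8 bytes), original
# size (8 bytes), deletion time as FILETIME (8 bytes), then the original path
# in UTF-16 (preceded by a 4-byte length in version 2).
Get-ChildItem -LiteralPath $binDir -Force -File |
    Where-Object Name -like '$I*' |
    ForEach-Object {
        $b = [System.IO.File]::ReadAllBytes($_.FullName)
        if ($b.Length -lt 28) { return }      # too short to be a valid record
        $pathOffset = if ([BitConverter]::ToInt64($b, 0) -ge 2) { 28 } else { 24 }
        $rawPath = [Text.Encoding]::Unicode.GetString($b, $pathOffset, $b.Length - $pathOffset)
        [pscustomobject]@{
            Deleted      = [DateTime]::FromFileTime([BitConverter]::ToInt64($b, 16))
            OriginalPath = $rawPath.TrimEnd([char]0)
        }
    } |
    Sort-Object Deleted -Descending |
    Format-Table -AutoSize -Wrap
```

An empty second table together with a recent `LastModified` is the pattern the steps above look for.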


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━◥◣◆◢◤━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Mod Clients

-Go ingame and click "Mod Options". If it just says "Test 1: DISABLED", exit the server and click "Mod Options" again.

-Open the mods folder and compare the in-game loaded mods with the ones inside the folder.
-If some mods that you see ingame (not ForgeModLoader) are missing inside the folder, ban them for modifying files before SS.


Mod Sizes:


Batty's Coordinates PLUS Mod for Forge 1.7.10_1.6.0 ( 18KB )

ReiMinimap without Entity/Player Radar ( 179KB )

VoxelMap-No-Radar-Mod-1.7.10 ( 455KB )

Batty's Coordinates ( 13KB )

ArmorStatusHUD ( 25-26 KB )

StatusEffectHUD ( 23-24KB )

ShinyPots-1.1 ( 5KB )

MotionBlurMod ( 7KB )

Keystrokes Mod ( 11KB )

DirectionHUD ( 23-24KB )

bspkrsCore ( 193-194KB )

TcpNoDelayMod ( 5-6KB )

ToggleSneak ( 20-24KB )

PlayerAPI ( 276KB )

Modid-1.0 ( 450KB )

CPS Mod ( 9KB )

Custom Crosshair ( 64KB )

FastChat ( 5KB )

InGameAccountSwitcher-Forge+bp1.7.10(6.1.1.72) ( 81KB )

Powns ToggleSneak Edit ( 35KB )


For this section you will need to use Luyten.

Once you have found the mod you want to search, drag the mod into Luyten and drop it underneath the word "Structure".




You should now see everything inside of the mod. Start by clicking all of the "+" signs.




Now that you can see everything in the mod, click on anything with .class next to it (if you see a file named after a hack, ban them).


Once you have done that, you should now see the code to the right. You want to look for specific words such as AutoClicker, KillAura, NoKnockback, FastCraft etc.





━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━◥◣◆◢◤━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Version clients

You need to follow steps similar to mod clients.
If it is OptiFine/vanilla, it is safe to take a quick look at it through WinRAR.

1. Right click

2. Open with WinRAR

3. Go through every folder. There is no need to go through it with Luyten. Just WinRAR. Check all the folders for suspicious class names, such as "AutoClicker". If you see that, ban them.

IMPORTANT:
OBFUSCATED MOD RULES DO NOT APPLY TO VERSION CLIENTS. MC DEVELOPERS OBFUSCATE THE VERSIONS, SO DO NOT BAN IF YOU SEE OBFUSCATED CLASS NAMES
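
The class-name check from the Mod Clients and Version clients sections can be run in one pass over a folder of jars, since a .jar is a zip archive. This is an added example, not part of the original guide: the folder path is an assumption (the default Forge mods folder) and the keywords are the ones named in the Mod Clients section.

```powershell
# Added example (not from the original guide).
# Assumption: $ModsDir is the default Forge mods folder; point it at
# %appdata%\.minecraft\versions to look through version jars instead.
$ModsDir  = Join-Path $env:APPDATA '.minecraft\mods'
$Keywords = 'AutoClicker', 'KillAura', 'NoKnockback', 'FastCraft'   # names from the guide

Add-Type -AssemblyName System.IO.Compression.FileSystem

Get-ChildItem -LiteralPath $ModsDir -Recurse -Filter *.jar -File | ForEach-Object {
    $jar  = $_
    $hits = @()
    try {
        # Read only the archive's entry names (class and resource paths);
        # nothing is extracted or executed.
        $zip = [System.IO.Compression.ZipFile]::OpenRead($jar.FullName)
        try {
            foreach ($entry in $zip.Entries) {
                foreach ($k in $Keywords) {
                    # -like is case-insensitive, so "autoclicker" also matches
                    if ($entry.FullName -like "*$k*") { $hits += $entry.FullName; break }
                }
            }
        } finally {
            $zip.Dispose()
        }
    } catch {
        # A .jar that is not a readable zip is worth a manual look as well
        $hits = @("<could not open as zip: $($_.Exception.Message)>")
    }
    [pscustomobject]@{
        Jar      = $jar.Name
        SizeKB   = [math]::Round($jar.Length / 1KB)   # compare with the Mod Sizes list
        Modified = $jar.LastWriteTime
        Hits     = $hits -join '; '
    }
} | Sort-Object { $_.Hits -eq '' } | Format-Table -AutoSize -Wrap   # jars with hits first
```

Obfuscated class names produce no hits here, so the note above about version jars still applies.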



━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━◥◣◆◢◤━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


Temp File

This section is the most common way to find AutoClickers.

Press WINDOWS + R and type %temp%




Once you've loaded the folder up, click "Date Modified" above all of the dates.




Now you want to search for any of the strings listed below.
(IF THE STRING WAS MODIFIED MORE THAN 2 HOURS AGO, DON'T BAN THEM)

JNativeHook (Java Clicker)
jna-1965574007 (Vro2.1 Clicker)
jansi-64 (AutoClicker.exe)
air.exe (Air Clicker)
DLL-0175-1149-1881.dll (Fred's Finger Clicker)
clicks_tmp.mp3 (Nhasing)

If you find any of these strings, ban them for "Autoclicker Found In SS".


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━◥◣◆◢◤━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Prefetch

This section is the method for finding AutoClickers and Injects.

Press WINDOWS + R and type Prefetch




If you get a message like the image below, just click Continue.




Once you've loaded the folder up, click "Date Modified" above all of the dates.




Now you need to look for specific names like AutoClicker, Tap Client, Grape, etc. If you find anything with these kinds of names, ban them.
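
The Temp File and Prefetch checks are the same operation: match names in one folder and read the date modified. This is an added example, not part of the original guide: the function name `Find-NamedTrace` is hypothetical, the temp patterns are the strings listed in the Temp File section, and the Prefetch patterns are assumed spellings of the names mentioned above.

```powershell
# Added example (not from the original guide).
# Assumption: run from an elevated PowerShell so C:\Windows\Prefetch is readable.
function Find-NamedTrace {
    param(
        [string]$Directory,
        [string[]]$Patterns,        # wildcard patterns matched against item names
        [double]$MaxAgeHours = 0    # 0 = every match counts, whatever its age
    )
    $now = Get-Date
    Get-ChildItem -LiteralPath $Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item  = $_
            $match = $Patterns | Where-Object { $item.Name -like $_ } | Select-Object -First 1
            if (-not $match) { return }
            $age = ($now - $item.LastWriteTime).TotalHours
            [pscustomobject]@{
                Pattern  = $match
                Name     = $item.Name
                Modified = $item.LastWriteTime
                AgeHours = [math]::Round($age, 2)
                InWindow = ($MaxAgeHours -le 0) -or ($age -le $MaxAgeHours)
            }
        } |
        Sort-Object Modified -Descending
}

# %temp%: the guide's strings; InWindow is False for anything modified
# more than 2 hours ago, which the guide says not to ban for.
$tempPatterns = 'JNativeHook*', 'jna-1965574007*', 'jansi-64*', 'air.exe',
                'DLL-0175-1149-1881.dll', 'clicks_tmp.mp3'
Find-NamedTrace -Directory $env:TEMP -Patterns $tempPatterns -MaxAgeHours 2 |
    Format-Table -AutoSize

# Prefetch: entries are named EXENAME-HASH.pf and their date modified follows
# the program's most recent run.
$pfPatterns = '*AutoClicker*', '*Tap*Client*', '*Grape*'
Find-NamedTrace -Directory "$env:SystemRoot\Prefetch" -Patterns $pfPatterns |
    Format-Table -AutoSize
```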
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━◥◣◆◢◤━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Razer Synapse

Press Windows Key + R
Type in C:\ProgramData and press OK
Find the Razer folder and open it
Then go to Razer Central, then Accounts
Then find a folder like: RZR_0010c6c247ed85e14a2235235

Open the folder: RZR_0010c6c247ed85e14a2235235
Then Emily3

Check the date modified on the Macros folder.
If it was edited before or near the screenshare, you may ban them for clearing files before SS.
[Make sure to open Razer Synapse and check for Macros that are active]
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━◥◣◆◢◤━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Process Hacker

This application is used for finding AutoClickers, Injects, and Clients.

Method 1 (javaw)

Open Process Hacker 2

Type "javaw" in the box in the top right corner

Double click javaw and click memory (Will be one of the top tabs)

Un-check the box that says "Hide free regions"

Click strings

Type 4 in the box instead of 10 and select Image and Mapped

Wait for the strings to load

Click filter in the bottom left corner of the window that popped up and Click "contains (case-insensitive)"

Type in any of the strings listed at the BOTTOM of the page


Method 2 (lsass.exe)

Open Process Hacker 2

Type "lsass.exe" in the box in the top right corner

Double click lsass.exe and click memory (Will be one of the top tabs)

Un-check the box that says "Hide free regions"

Click strings

Type 4 in the box instead of 10 and select Image and Mapped

Wait for the strings to load

Click filter in the bottom left corner of the window that popped up and click "contains (case-insensitive)"

Type in any of the strings listed at the BOTTOM of the page

Method 3 (Explorer.exe)

Open Process Hacker 2

Type "explorer.exe" in the box in the top right corner

Click memory (Will be one of the top tabs)

Un-check the box that says "Hide free regions"

Click strings

Type 4 in the box instead of 10 and select Image and Mapped

Wait for the strings to load

Click filter in the bottom left corner of the window that popped up and click "contains (case-insensitive)"

Type in downloads

Click filter in the bottom left corner of the window that popped up and click "contains (case-insensitive)"

Type .exe

Search for any suspicious names


Method 4 (Smartscreen.exe)

Open Process Hacker 2

Type "smartscreen.exe" in the box in the top right corner

Double click smartscreen.exe and click memory (Will be one of the top tabs)

Un-check the box that says "Hide free regions"

Click strings

Type 4 in the box instead of 10 and select Image and Mapped

Wait for the strings to load

Click filter in the bottom left corner of the window that popped up and click "contains (case-insensitive)"

Type Vape in the text box and click okay

(IF VAPE.GG/DOWNLOADLITE SHOWS UP THEN BAN THEM FOR VAPE LITE FOUND IN SS)


Method 5 (MsMpeng)

Open Process Hacker 2

Type "MsMpeng" in the box in the top right corner

Double click MsMpeng and click memory (Will be one of the top tabs)

Un-check the box that says "Hide free regions"

Click strings

Type 4 in the box instead of 10 and select Image and Mapped

Wait for the strings to load

Click filter in the bottom left corner of the window that popped up and click "contains (case-insensitive)"

Type Manthe Industries, LLC in the text box and click okay

(IF "Manthe Industries, LLC" SHOWS UP BAN THEM FOR VAPE LITE FOUND IN SS)


Method 6 (Registry)
This method is used to find client file-paths and is used to confirm things.

Run Process Hacker 2 as administrator

Type "Registry" in the box in the top right corner

Double click Registry and click memory (Will be one of the top tabs)

Un-check the box that says "Hide free regions"

Click strings

Type 4 in the box instead of 10 and select Image and Mapped

Wait for the strings to load

Click filter in the bottom left corner of the window that popped up and click "contains (case-insensitive)"

Type in anything listed at the bottom of the page under "What to look for in registry" and click okay.

Search for any suspicious names


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━◥◣◆◢◤━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

How To Find Deleted Temp Strings Using Process Hacker
Note: This only works if the player shift-deleted strings like JNativeHook from temp.

Open Process Hacker 2

Type "explorer.exe" in the box in the top right corner

Click memory (Will be one of the top tabs)

Un-check the box that says "Hide free regions"

Click strings

Type 4 in the box instead of 10 and select Image and Mapped

Wait for the strings to load

Click filter in the bottom left corner of the window that popped up and click "contains (case-insensitive)"

Type in "jnative" or any other temp string and click okay

(IF ANYTHING LIKE WHAT THE PICTURE BELOW SHOWS UP, BAN THEM FOR "CLEARING FILES BEFORE SS" FOR 30 DAYS.)





━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━◥◣◆◢◤━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

LastActivityView

This is a method for finding AutoClickers/Injects.

Open LastActivityView


If you see that explorer.exe ran before the SS, ban them for Clearing files before SS.


If you see something like this ran before the SS, ban them for Clearing files before SS:



Now look for any suspicious .exe names. If you find one, simply open Search Everything and search the client name.


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━◥◣◆◢◤━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

UserAssistView

This is a method for finding AutoClickers and Injects.

Open UserAssistView


Click "Date Modified" above all of the dates, so that the arrow points down.


Now look for any suspicious .exe names. If you find one, simply open Search Everything and search the client name.


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━◥◣◆◢◤━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

PowerShell

Windows PowerShell is used to see all the .jars, .exes, and files that have been opened on the user's computer.

Press WINDOWS + R and type PowerShell




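Now type any of the commands listed below:

Get-ChildItem -Path C:\ -Recurse -Filter "*.jar" -ErrorAction SilentlyContinue
This will show all the .jars on the PC

Get-ChildItem -Path C:\ -Recurse -Filter "*.exe" -ErrorAction SilentlyContinue
This will show all the .exes on the PC

Get-ChildItem -Path C:\ -Recurse -Filter "*.rar" -ErrorAction SilentlyContinue
This will show all the .rars on the PC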

(To paste in PowerShell, right click and click "Paste")


Once you've typed your command in, look for client/suspicious names. If you find a client/suspicious name, look at the date modified (MM/DD/YY) next to it. If the file was recently opened, ban them.


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━◥◣◆◢◤━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Azran

If you are unable to find anything during a manual SS, then you should use Azran. Azran is a very simple tool to use. Go into the #SS-Bot Discord channel and type !download; this will give you a download link to Azran. Once Azran downloads, open it. You will need a pin to activate it. To get one, go back into the #SS-Bot channel and type !pin; it will give you a 4-digit pin that you need to enter into the box (if you can't type, then just tell the person you're screensharing the code). Once you have entered the pin, click login and then click scan. Now wait for Azran to do its thing. The time it takes to finish its process depends on the user's computer, so be patient.

When it gets to check 2, it will ask if you want to view the executables run in this session. Click yes and look for any suspicious .exes. If Azran flags the user for modifying their Recycle Bin, check what time they did it; it might have been you checking to see if they cleared anything.


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━◥◣◆◢◤━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

ScreenSharing a Mac User

First off, you want to check the recent files that have been opened. You do this by going to the left of the screen and clicking the Apple symbol, then hovering over the recents tab. This will show you the recent files/exes opened.




Another way of finding AutoClickers is by clicking on this icon and searching for names.



In-Depth MAC Screenshare Guide:

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━◥◣◆◢◤━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Strings

javaw:


Vape v3
->d=?ad=
D$@;D$DH
"#(.01TVWY[mv


Vape v2
>KRTal
yCcADi
L*+Y
kc*[
1*YZ


Private Client
<tTgi
fRAQII
jdGyW!z@
n%\u0007La
i%'Jb
%B7:+


Cocaina Client
AwhhShitHeFuckedUp.java

Drip
<>{n@~O%
<>AVU%A


Cracked Vape 2.47
C()[Lf/r;


Cracked Vape 2.49
nig/aA.classPK


Cracked Vape 2.50
trumpclientftwbapeggC


Demon
+.L0>AL:EHL
{~sG*u
TLPeU8

Phantom Client
PhantomClient.java
phantom\modules.properties

Merge
mergeclient/


Gucci
gucci.java
xyz/gucciclient/gui
x/a/a/x/B.class


Universal
che4tlogprivcli3nt


Misplace
UncommonProxy.java
rowin/destruct
src/a.class
"IQLw
<>X%fF%


Yay Client
Yay_Logo.png


lsass:


Indigo
indigoclient.xyz


Iridium
oof.iridium.wtf


Apollo Clicker
auth.apolloclicker.pw


OneTap
onetap.cc


Drip Client
*.neverlack.in


Purge Client
purgeclient.xyz


Tap Client
msoftus.host


BIKERBoys Client
bikerboys.cc


Relum AutoClicker
relum.org


Anti SS Tool
Cucklord inside!


What to look for in registry:

Terms such as:
Clicker
Injection
Modules
Any blatant client name

How to filter .exes
First filter C:
Filter .exe within the results

How to use registry to find file-paths if LAV doesn't work
First filter C:
Filter the name of what you are trying to find

This method is still a work in progress, so I caution you to double check before banning. -Zphre


If you are going to update anything in here, you must get approval from one of the SS-Managers. Not having permission to edit will result in an SS-Warn. If you do have permission, please comment the date and what you updated in the post.

