[Tutorial] [ParaPvP] Screeshare Guide

Screenshare Guide
Created By: RaftJr | November 3rd, 2015

If you screenshare someone, you might forget what to do sometimes. Here is a detailed list of what you should look for, and what that player might be hiding.

Table of Contents:

CheatSmasher Tutorial …… Section 1

Screensharing Guide .…….. Section 2

All Allowed Mods File Sizes …. Section 3

List of All Known Developers …. Section 4

Where These Clients Hide ……. Section 5

Different Operating System? …… Section 6

Section 1
Have them pull up a Join.me
CheatSmasher only works for Windows computers, if they’re running Mac OSX or Linux, use section 2.
Ask them to go to this link and download it: https://www.*******.com/s/bjkhqfi2u9…masher.7z?dl=0
Have them drag the contents of the zip file onto their desktop (the .dll file and the exe file).
Ask them to double-click the CheatSmasher.exe and run it. If Windows gives them a “unknown file” message, have them click “More Options” or “Show More” and click “Run Anyways”.
Have them scroll down to the bottom of the text file that pops up, and there will be a list of “possible cheats”.
If they have anything besides com.minecraft or com.mojang.auth then ban them, but it can’t have anything that doesn’t say com.minecraft or com.mojang, they’re clean.
There currently isn’t any client out there that can “bypass” this. If CheatSmasher doesn’t find anything, they’re clean. If you’re screensharing them for X-Ray, make sure to check their TexturePacks as well.

Section 2

Screensharing Guide (Detailed):
Let them press esc, go to options, then go to controls and scroll down slowly. After that, put “Attack/Destroy” on Right Shift (under enter), GRAVE (`), r, or g. (On Mac, Grave is named CIRCUMFLEX). Next, ask them to change their Attack/Destroy to the up arrow on their keyboard.
While they’re doing this, check for telltale signs of a client. Check places such as the top of their minecraft client where it says “Minecraft 1.7.10” and look for things such as “GUI” or “Trig” next to it, that could indicate that they’re using a client. Also make sure that they’re not using Liteloader, which can be easily checked by looking for the Liteloader tab on the top right of their screen when they press escape.
Do not go to their .minecraft using %appdata%. Let them go to their Minecraft, let them press esc, then go to resource packs, and press “Open resource pack folder” then tell them to go back to their .minecraft, they could be hiding their real .minecraft folder.
Go to their Control Panel > Personalization > Folder options; click “Show all hidden files, folders and drives”.
Check the date modified on all of the folders in their .minecraft, if you’re screensharing them for X-Ray, make sure that their resource packs folder haven’t been edited lately and that they don’t have an X-Ray Texture Pack.
Check their user’s files (C:Users) and they go through all the files in there. The item that is placed in their user’s file is a GC document with stuff like “trig=5.7” or knockback=0.8”, try to delete it. If the player isn’t able to, he is most likely using it.
Compare the mod sizes provided below to theirs, if the real ToggleSneak is 20 KB and theirs is anything over 30KB, they’re using a client. Please remember that the ToggleSneaks file size changes every version. For example: v3.0=21KB, and so on.
Check what version of forge they’re running (if they’re running 1.7.10 mods with forge 1.8 on they’re using a client.).
Check each of their mods by opening it with winrar and inspecting each file.
Let them download Java Decompiler and drag all their mods (.jar files) into Java Decompiler and search for things like “trig, aimbot, gui, unload”.
Ask them to search for an program called “On Screen Keyboard” and test all their keys, make sure to test all their keys including keypad keys.
Check their downloads folder, and also their recent downloads on any browser they use (ex: google chrome)
Check their trash bin to see if it’s empty or been emptied within the last few minutes.
If they can’t open their mods using winrar (Archieved or damaged) it means they have self-destructed their Spook client.
Ask them to go to Folders, then the “Computer” section on the left side of the folders. Then go to “Program Files x86, and look inside their Fraps and Action folder. If any client name or Developer name is inside any of those folders, ban them.

Screenshare Guide (Quick):
Have them go to Options > Controls and set their Attack / Destroy to RSHIFT, test it, then GRAVE (CURCUMFLEX on Mac).
Go to Resource Packs > Open Resource Pack Folder then to .minecraft
Go to mods and open BspkrsCore with WinRaR, if the file is Damaged than ban them.
Check each file size, compare it to yours. If anything is incorrectly sized, open it with WinRaR and check through its contents.
Go to versions and go to the one they’re using, make sure it has a .jar inside of it. If it doesn’t, go to libraries > net > minecraftforge > their version > and make sure the .jar is there.
Check for Paid Spook (see guide on Paid Spook below).

Section 3

List of Allowed Mod File Sizes:
ArmorStatusHUD v1.26 : 25KB
ArmorStatusHUD v1.27 : 25KB
ArmorStatusHUD v1.28 : 26KB
BspkrsCore v6.14-v6.16 : 193-194KB
DirectionHUD v1.23 : 24KB
DirectionHUD v1.24 : 23KB
OptiFine_1.7.10_HD_U_C1 : 849KB
OptiFine_1.7.10_HD_U_B8 :
OptiFine_1.7.10_HD_U_B7 :
OptiFine_1.7.10_HD_U_B6 :
OptiFine_1.7.10_HD_U_B5 :
OptiFine_1.7.10_HD_U_B4 :
OptiFine_1.7.10_HD_U_B1 :
OptiFine_1.7.10_HD_U_A4 :
OptiFine_1.7.10_HD_U_A3 :
OptiFine_1.7.10_HD_U_A2 :
PlayerAPI v1.4 : 276KB
Rei’s MiniMap 1.7.10 : 179KB
StatusEffectHUD v1.26 : 23KB
StatusEffectHUD v1.27 : 24KB
ToggleSneak v3.0-v3.05 : 20-24KB
Under construction
If you have anything that should be added, please let Configuration know!

Section 4

List of Hacked Client Developers:


What Clients They Create:
Thehen101: Mostly ToggleSneak Clients and OptiFine clients, and only uses RSHIFT and GRAVE to activate the GUI.
Manthe: The paid version of spook, as well as the leaked versions.
AWITFC: Several miscellaneous clients such as Wolfram.
Kosel: Unnamed ToggleSneak clients that are 50+ KB.
Latematt: He’s created some of the most popular HCF ghost clients such as Latemod, Latemod 2, and XIV.

Section 5

Leaked Spook:
Check their TS3 Cache folder (roaming > ts3 > cache), and check if they have an folder called “lemote”, if they do they self destructed their Spook client.
Ask them to go to their %appdata% > Roaming > Java and if there is a file called “lib” this means they have a non-destructed Spook client.
Ask them to go their Program Files (x86) > Skype > My Skype received files. If there’s an bspkrscore in it try to open it, if the file is damaged it means they self-destructed the client.

Purchased Spook:
Ask them what program they use as their default browser (whether it be Google Chrome, Internet Explorer, Firefox etc.) and have them open it. Ask them to type into the search bar “Big”. If they type it in and it autocorrects to the website “Bignigginit.com”, have them press enter and go to the website. Once they’re on the website, ask them to click “Login” at the top right. If they have a login already auto-corrected in, ask them to click Login. When they’re logged in, have them click on the My Account tab near the top right. After that’s done, they should be in the page where you enter your UUID and IP Address to the whitelist. On the left side, check if their Account Status is either “Purchased” or “Not Purchased”. If their account is Purchased, ban them.
Ask them to navigate to their History tab in their browser. Ask them to search for “*******” in when they’re in their history. If there’s a ******* that goes to “BspkrsCore-1.7.10 6.16” file, than that’s the ******* link to download the Purchased spook.

Miscellaneous OptiFine Clients:
If their OptiFine which they’re using is around 4500+ KB it means they are using an simple unload client.
Let them press f3 and look at the right side of your F3 menu. If you don’t see anything under “Allocated Memory” it means the player self destructed his client.
Let them press esc, go to options, then go to control, and let them put Sneak on F7 (F7 unloads the client) and let them put Attack/Destroy on RShift (RShift opens the client GUI) then make sure what client they’re using and let them restart their minecraft. Then let them press F5 and hold F7, and after that let them press RShift (Do not let them change anything in the process)

Stallos (1.8.8 OptiFine Client):
Have them restart their Minecraft using the same profile and account as they did before. When they open it, ask them to go to single player. The GUI should be shown up above in the top right corner. If this method doesn’t show a client, move on to step 2.
Every Stallos version that has been released has used the OptiFine version 1.8.8_HD_U_F3. If they are running that version WITHOUT any forge, have them download JDGUI (jd.benow.ca). When they download it, have them open it and drag their 1.8.8_HD_U_F3 OptiFine version in. Once that’s done, have them go to the File tab and select the “Search” or “Find” icon (depends on the version of JDGUI they’re running). From there, have them search several different terms such as: trig, AttackRange, and Aura. If none of those are on the OptiFine package than they don’t have Stallos.

XIV (1.8 OptiFine Client):
Ask them to go to their Libraries. If they have a folder named “pw”, ask them to open it. If the folder named “Latematt” is in there, than move to step 2.
If their version of OptiFine that they’re using is 1.8.0_HD_U_F8 and they have the folder pw with Latematt, than they’re using XIV.

Generic ToggleSneak Clients:
If their ToggleSneak is named differently than yours other than the version, they’ve edited it. Have them open it with WinRaR or 7zip, either one works. When it’s open, ask them to go to the folder “deez”. If a folder inside Deez is named “Thehen101”, that means that they’re using a hacked client created by the Developer “Thehen101”.
If the players ToggleSneak file size is anything below 17KB and anything over 26KB, ban them. No ToggleSneak version ever created has been larger or smaller than that size.

Section 6

UNIX or Arch distributions:
If the user is running any Linux distribution such as UNIX or Arch, ask them if they have TeamViewer, and if they do, continue screensharing them with that. If they don’t have teamviewer, use Skype as your LAST alternative.
If you can’t find anything on them but they were OBVIOUSLY hacking, ban them. You can use Linux to hide a lot of things that you wouldn’t normally be able to hide on more mainstream distributors such as Windows and Mac OSX.