Developments

VAC3 Updates

Posted on June 8, 2017 by admin

I haven’t posted anything here in a while and well this just happened yesterday.

VAC ban wave

They are indeed doing something to the timestamps of the modules because

File: vac_module_0_4034d3e194a4d269c43e889593b00bcb.dll
Size: 29KB
Export TimeStamp: 13/05/2017 4:07:59 AM
Debug TimeStamp: 13/05/2017 4:07:59 AM
.text hash: 70E41F8439001066DE3FFFB00B1CDE52A0BF9E6F

File: vac_module_0_4034d3e194a4d269c43e889593b00bcb.dll

Size: 29KB

Export TimeStamp: 13/05/2017 4:07:59 AM

Debug TimeStamp: 13/05/2017 4:07:59 AM

.text hash: 70E41F8439001066DE3FFFB00B1CDE52A0BF9E6F

File: vac_module_0_125e53d20a0cbe4849b7ff5f0130a2bf.dll
Size: 29KB
Export TimeStamp: 16/05/2017 4:59:39 AM
Debug TimeStamp: 16/05/2017 4:59:39 AM
.text hash: 3AD50243148A16042AA035749A1AEC049FCEA2A3

File: vac_module_0_125e53d20a0cbe4849b7ff5f0130a2bf.dll

Size: 29KB

Export TimeStamp: 16/05/2017 4:59:39 AM

Debug TimeStamp: 16/05/2017 4:59:39 AM

.text hash: 3AD50243148A16042AA035749A1AEC049FCEA2A3

Same module, which enumerates drivers that is 100% identical has different timestamps.

signed int __thiscall sub_100021AE(char *this)
{
  char *v1; // ebp@1
  signed int v2; // ebx@1
  int v3; // esi@1
  int v4; // eax@2
  _DWORD *v5; // esi@2
  _DWORD *v6; // edi@6
  int v7; // ST38_4@6
  int v8; // esi@6
  int v9; // eax@6
  signed int v10; // eax@8
  bool v11; // cf@8
  bool v12; // zf@8
  int v13; // eax@14
  int v14; // esi@16
  int v15; // ecx@16
  int v16; // eax@16
  int v17; // ecx@16
  int v18; // eax@16
  int v19; // eax@17
  int v20; // edi@19
  int v21; // eax@19
  int v22; // eax@21
  int v23; // edx@21
  int v24; // esi@21
  int v25; // eax@22
  int v26; // ecx@23
  _DWORD *lpMem; // [sp+4Ch] [bp-2918h]@1
  _DWORD *v29; // [sp+50h] [bp-2914h]@13
  int v30; // [sp+54h] [bp-2910h]@1
  unsigned int v31; // [sp+58h] [bp-290Ch]@6
  LPVOID v32; // [sp+5Ch] [bp-2908h]@1
  int v33; // [sp+60h] [bp-2904h]@20
  int v34; // [sp+64h] [bp-2900h]@1
  unsigned int v35; // [sp+68h] [bp-28FCh]@12
  int v36; // [sp+6Ch] [bp-28F8h]@20
  int v37; // [sp+70h] [bp-28F4h]@20
  int v38; // [sp+74h] [bp-28F0h]@1
  int v39; // [sp+78h] [bp-28ECh]@16
  char v40; // [sp+7Ch] [bp-28E8h]@6
  char v41; // [sp+80h] [bp-28E4h]@1
  char v42; // [sp+94h] [bp-28D0h]@1
  char v43; // [sp+A8h] [bp-28BCh]@1
  char v44; // [sp+BCh] [bp-28A8h]@23
  int v45; // [sp+12Ch] [bp-2838h]@23
  char v46; // [sp+134h] [bp-2830h]@16
  char v47; // [sp+135h] [bp-282Fh]@18
  char v48; // [sp+234h] [bp-2730h]@21

  v1 = this;
  v2 = 0;
  v30 = 0;
  v32 = 0;
  lpMem = 0;
  v38 = 0;
  sub_1000505E(&v43);
  sub_1000505E(&v41);
  sub_1000505E(&v42);
  v3 = ((int (__stdcall *)(_DWORD, _DWORD, signed int))vac_import_tbl.OpenSCManagerA)(0, 0, 4);
  v34 = v3;
  if ( !v3 )
    goto LABEL_2;
  v32 = (LPVOID)HeapAllocSimple(0x10000u);
  if ( v32 )
  {
    memset(0x10000);
    v6 = v32;
    v8 = ((int (__thiscall *)(int, int, signed int, signed int, LPVOID, signed int, char *, unsigned int *, int *))vac_import_tbl.EnumServicesStatusA)(
           v7,
           v3,
           11,
           1,
           v32,
           0x10000,
           &v40,
           &v31,
           &v38);
    v9 = ((int (*)(void))vac_import_tbl_ptr->GetLastError)();
    if ( !v8 && v9 != 234 )
    {
LABEL_2:
      v4 = ((int (*)(void))vac_import_tbl_ptr->GetLastError)();
      v5 = 0;
LABEL_32:
      v2 = v4;
      goto LABEL_33;
    }
    v10 = v31;
    v11 = v31 < 0xCB;
    v12 = v31 == 203;
    *((_DWORD *)v1 + 6) = 0;
    if ( !v11 && !v12 )
      v10 = 203;
    v31 = v10;
    v5 = (_DWORD *)HeapAllocSimple(0x1000u);
    lpMem = v5;
    if ( v5 )
    {
      v35 = 0;
      if ( v31 > 0 )
      {
        v29 = v6;
        while ( 1 )
        {
          v13 = ((int (__stdcall *)(int, _DWORD, signed int))vac_import_tbl.OpenServiceA)(v34, *v6, 5);
          v30 = v13;
          if ( !v13
            || !((int (__stdcall *)(int, _DWORD *, signed int, char *))vac_import_tbl.QueryServiceConfigA)(
                  v13,
                  v5,
                  4096,
                  &v40) )
          {
            break;
          }
          ((void (__stdcall *)(int))vac_import_tbl.CloseServiceHandle)(v30);
          v14 = 20 * *((_DWORD *)v1 + 6);
          v15 = *v6;
          v30 = 0;
          v39 = v14;
          v16 = sub_10006495(v15);
          *(_DWORD *)&v1[v14 + 36] = sub_10005043(*v6, v16);
          memset(256);
          v17 = lpMem[3];
          sub_10003C47();
          v18 = sub_10001A77(&v46);
          if ( v18 )
          {
            v19 = sub_10006495(v18 + 8);
            sub_1000633F(v19);
            sub_1000633F(6);
          }
          if ( v47 != 58 )
          {
            v20 = sub_10006495((char *)off_10007290 + 469);
            v21 = sub_10006495(&v46);
            sub_1000633F(v21);
            sub_1000633F(v20);
            *(&v46 + v20) = 92;
            v6 = v29;
          }
          v33 = 0;
          v36 = 0;
          v37 = 0;
          if ( (unsigned __int8)sub_10003677(&v33, &v36) )
          {
            sub_100043AA(&v48);
            v29 = 0;
            v22 = sub_100047B1(v33, v36, v37, &v29);
            v23 = v39;
            *(_DWORD *)&v1[v39 + 44] = v29;
            v24 = (int)&v1[v23];
            *(_DWORD *)&v1[v23 + 40] = v22;
            *(_DWORD *)&v1[v23 + 48] = 0;
            *(_DWORD *)&v1[v23 + 52] = 0;
            if ( !v22 )
            {
              v25 = sub_1000480B(&v48);
              *(_DWORD *)(v24 + 40) = v25;
              if ( !v25 )
              {
                v45 = 1;
                sub_10004FF1(&v44);
                if ( (unsigned __int8)sub_10004EA5(&v44, v26) )
                  sub_10006323(16);
                sub_10004FF1(&v44);
                sub_10004FF1(&v44);
              }
            }
            if ( ++*((_DWORD *)v1 + 6) >= 0xCBu )
            {
              sub_10004936(&v48);
              sub_10003D1B(&v48);
              goto LABEL_5;
            }
            sub_10004936(&v48);
            sub_10003D1B(&v48);
          }
          v6 += 9;
          v5 = lpMem;
          ++v35;
          v29 = v6;
          if ( v35 >= v31 )
            goto LABEL_33;
        }
        v4 = ((int (*)(void))vac_import_tbl_ptr->GetLastError)();
        goto LABEL_32;
      }
    }
    else
    {
      v2 = 8;
    }
  }
  else
  {
    v2 = 8;
LABEL_5:
    v5 = lpMem;
  }
LABEL_33:
  HeapFreeSimple(v5);
  HeapFreeSimple(v32);
  ((void (__stdcall *)(int))vac_import_tbl.CloseServiceHandle)(v30);
  ((void (__stdcall *)(int))vac_import_tbl.CloseServiceHandle)(v34);
  sub_10005089(&v42);
  sub_10005089(&v41);
  sub_10005089(&v43);
  return v2;
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

signed int __thiscall sub_100021AE(char *this)

{

char *v1; // ebp@1

signed int v2; // ebx@1

int v3; // esi@1

int v4; // eax@2

_DWORD *v5; // esi@2

_DWORD *v6; // edi@6

int v7; // ST38_4@6

int v8; // esi@6

int v9; // eax@6

signed int v10; // eax@8

bool v11; // cf@8

bool v12; // zf@8

int v13; // eax@14

int v14; // esi@16

int v15; // ecx@16

int v16; // eax@16

int v17; // ecx@16

int v18; // eax@16

int v19; // eax@17

int v20; // edi@19

int v21; // eax@19

int v22; // eax@21

int v23; // edx@21

int v24; // esi@21

int v25; // eax@22

int v26; // ecx@23

_DWORD *lpMem; // [sp+4Ch] [bp-2918h]@1

_DWORD *v29; // [sp+50h] [bp-2914h]@13

int v30; // [sp+54h] [bp-2910h]@1

unsigned int v31; // [sp+58h] [bp-290Ch]@6

LPVOID v32; // [sp+5Ch] [bp-2908h]@1

int v33; // [sp+60h] [bp-2904h]@20

int v34; // [sp+64h] [bp-2900h]@1

unsigned int v35; // [sp+68h] [bp-28FCh]@12

int v36; // [sp+6Ch] [bp-28F8h]@20

int v37; // [sp+70h] [bp-28F4h]@20

int v38; // [sp+74h] [bp-28F0h]@1

int v39; // [sp+78h] [bp-28ECh]@16

char v40; // [sp+7Ch] [bp-28E8h]@6

char v41; // [sp+80h] [bp-28E4h]@1

char v42; // [sp+94h] [bp-28D0h]@1

char v43; // [sp+A8h] [bp-28BCh]@1

char v44; // [sp+BCh] [bp-28A8h]@23

int v45; // [sp+12Ch] [bp-2838h]@23

char v46; // [sp+134h] [bp-2830h]@16

char v47; // [sp+135h] [bp-282Fh]@18

char v48; // [sp+234h] [bp-2730h]@21

v1 = this;

v2 = 0;

v30 = 0;

v32 = 0;

lpMem = 0;

v38 = 0;

sub_1000505E(&v43);

sub_1000505E(&v41);

sub_1000505E(&v42);

v3 = ((int (__stdcall *)(_DWORD, _DWORD, signed int))vac_import_tbl.OpenSCManagerA)(0, 0, 4);

v34 = v3;

if ( !v3 )

goto LABEL_2;

v32 = (LPVOID)HeapAllocSimple(0x10000u);

if ( v32 )

{

memset(0x10000);

v6 = v32;

v8 = ((int (__thiscall *)(int, int, signed int, signed int, LPVOID, signed int, char *, unsigned int *, int *))vac_import_tbl.EnumServicesStatusA)(

v7,

v3,

11,

v32,

0x10000,

&v40,

&v31,

&v38);

v9 = ((int (*)(void))vac_import_tbl_ptr->GetLastError)();

if ( !v8 && v9 != 234 )

{

LABEL_2:

v4 = ((int (*)(void))vac_import_tbl_ptr->GetLastError)();

v5 = 0;

LABEL_32:

v2 = v4;

goto LABEL_33;

}

v10 = v31;

v11 = v31 < 0xCB;

v12 = v31 == 203;

*((_DWORD *)v1 + 6) = 0;

if ( !v11 && !v12 )

v10 = 203;

v31 = v10;

v5 = (_DWORD *)HeapAllocSimple(0x1000u);

lpMem = v5;

if ( v5 )

{

v35 = 0;

if ( v31 > 0 )

{

v29 = v6;

while ( 1 )

{

v13 = ((int (__stdcall *)(int, _DWORD, signed int))vac_import_tbl.OpenServiceA)(v34, *v6, 5);

v30 = v13;

if ( !v13

|| !((int (__stdcall *)(int, _DWORD *, signed int, char *))vac_import_tbl.QueryServiceConfigA)(

v13,

v5,

4096,

&v40) )

{

break;

}

((void (__stdcall *)(int))vac_import_tbl.CloseServiceHandle)(v30);

v14 = 20 * *((_DWORD *)v1 + 6);

v15 = *v6;

v30 = 0;

v39 = v14;

v16 = sub_10006495(v15);

*(_DWORD *)&v1[v14 + 36] = sub_10005043(*v6, v16);

memset(256);

v17 = lpMem[3];

sub_10003C47();

v18 = sub_10001A77(&v46);

if ( v18 )

{

v19 = sub_10006495(v18 + 8);

sub_1000633F(v19);

sub_1000633F(6);

}

if ( v47 != 58 )

{

v20 = sub_10006495((char *)off_10007290 + 469);

v21 = sub_10006495(&v46);

sub_1000633F(v21);

sub_1000633F(v20);

*(&v46 + v20) = 92;

v6 = v29;

}

v33 = 0;

v36 = 0;

v37 = 0;

if ( (unsigned __int8)sub_10003677(&v33, &v36) )

{

sub_100043AA(&v48);

v29 = 0;

v22 = sub_100047B1(v33, v36, v37, &v29);

v23 = v39;

*(_DWORD *)&v1[v39 + 44] = v29;

v24 = (int)&v1[v23];

*(_DWORD *)&v1[v23 + 40] = v22;

*(_DWORD *)&v1[v23 + 48] = 0;

*(_DWORD *)&v1[v23 + 52] = 0;

if ( !v22 )

{

v25 = sub_1000480B(&v48);

*(_DWORD *)(v24 + 40) = v25;

if ( !v25 )

{

v45 = 1;

sub_10004FF1(&v44);

if ( (unsigned __int8)sub_10004EA5(&v44, v26) )

sub_10006323(16);

sub_10004FF1(&v44);

}

if ( ++*((_DWORD *)v1 + 6) >= 0xCBu )

{

sub_10004936(&v48);

sub_10003D1B(&v48);

goto LABEL_5;

}

sub_10004936(&v48);

sub_10003D1B(&v48);

}

v6 += 9;

v5 = lpMem;

++v35;

v29 = v6;

if ( v35 >= v31 )

goto LABEL_33;

}

v4 = ((int (*)(void))vac_import_tbl_ptr->GetLastError)();

goto LABEL_32;

}

else

{

v2 = 8;

}

else

{

v2 = 8;

LABEL_5:

v5 = lpMem;

}

LABEL_33:

HeapFreeSimple(v5);

HeapFreeSimple(v32);

((void (__stdcall *)(int))vac_import_tbl.CloseServiceHandle)(v30);

((void (__stdcall *)(int))vac_import_tbl.CloseServiceHandle)(v34);

sub_10005089(&v42);

sub_10005089(&v41);

sub_10005089(&v43);

return v2;

}

100% match

Valve what are you up to now… 🙄

Posted in Main | Tagged update, vac | Leave a comment

Valve Anti-cheat (VAC) in 2017

Posted on February 16, 2017 by admin

Lets first talk about Valve’s roadmap for Counter-Strike Global Offensive, mentioned briefly by Valve’s Gabe Newell in a reddit AMA he said the following:

As far as a roadmap is concerned, our priorities for 2017 are to replace the UI with Panorama, to make CS:GO available in more territories where a lot of Counter-Strike fans don’t have easy access to it (like China), and anti-cheat. Of course, we’re also planning on continuing to ship bug fixes and new features throughout the year, as in the past.

So clearly they are or from what Gabe has said looking at improving the game’s anti-cheat. Hard to believe as they haven’t exactly done anything significant in the past year or so but who knows we shall see what happens.

Today another post came out from the Valve Anti-cheat’s official reddit account.

A user asked about why they don’t add automated detection for spinbotters and send them to Overwatch they mentioned that heuristics can be very dangerous as cheat developers could probe the system to determine the edges of the detection approach and that it opens up a lot of room for false positives. I personally agree with them but seriously they could do something if they really wanted to that would be adequate. Their focus however seems more on machine learning and this is reflected actually by the current deployment of VAC modules.

Looking at a very recent dump of the modules we can see that their timestamps date back to last year.

Now at first I thought they were faking these timestamps but it seems they are in fact using dated modules. Comparing the timestamps to ones that I’ve dumped on those exact days we can see there are no differences in function calls or anything really.

So for now we can predict that they are working more on a server-sided heuristics approach to detecting cheaters (like mentioned in the reddit post) instead of focusing more on detecting cheats themselves.

We shall see what happens.. 😮

Posted in Main | Tagged anti, cheat, csgo, fps, game, machine, reddit, steam, vac, Valve, ValveAntiCheat | Leave a comment

A New Year!

Posted on February 7, 2017 by admin

It’s been a while since I posted, now we are well into our second month of the year and here I’m posting for the first time here since last year. 😐

I’ve published some source code for some game data extraction tools I had made in the past on github if people are interested in the FoxEngine or Halo Online you can find them here: https://github.com/cra0kalo?tab=repositories

Posted in Main | Tagged 2017, First, Github, New, Post, Start, Year | Leave a comment

Some VAC3 Modules

Posted on December 17, 2016 by admin

Meh nothing new but here have some modules.

http://cra0.net/some_vac_modules.zip

Posted in Main | Leave a comment

Project7-net Dump/Crack/Leak

Posted on November 29, 2016 by admin

Absolutely disgusting,

I can’t even be bothered with explaining more info here:

https://cra0vision.net/forum/threads/project-7-free-weekend.434/

Posted in Misc | Tagged cheat, crack, csgo, hack, p2c, project7 | Leave a comment

VAC3 Changes

Posted on October 22, 2016 by admin

I’m going to refrain from posting public information about VAC from this post forward. They seem to have noticed we are using the .text section of the modules to keep track of modules and the timestamps to determine if any updates occurred.

The .rdata seems to be merged now with the code section (.text) so we can’t really use section hashes anymore.

No doubt that someone new is working with the VAC team and they have read my posts or they have just picked back up from the inactivity as evident of the recent major banwaves hitting p2cs.

If we look at the pdb paths of the modules we can see that they are not like the old ones which accidentally shipped a while back

E:\p4\s3dev2\src\vac2\vac3\Release\vac3_memoryscan\win32\vac3_memoryscan.pdb
E:\p4\s3dev2\src\vac2\vac3\Release\vac3_primitives\win32\vac3_primitives.pdb
E:\p4\s3dev2\src\vac2\vac3\Release\vac3_verifyclient\win32\vac3_verifyclient.pdb
E:\p4\s3dev2\src\vac2\vac3\release\vac3_processhandle\win32\vac3_processhandle.pdb

The path has changed and I know this doesn’t exactly prove anything but It’s just something I’ve picked up.

Posted in Main | Leave a comment

VAC Banwave (13/09/2016)

Posted on September 15, 2016 by admin

A few days ago there was a massive VAC ban wave. Some of the major P2C providers got hit:

Interwebz
UnityHacks
Aimware

Other providers got hit but I’m not aware of who they are. News sites are reporting this to be the largest ban wave of the year. Firstly I’m going to start by saying this is not a server side detection as a big post on reddit and various other sites have threads titled “untrusted ban wave”. Untrusted though yes mostly is a ban that occurs when the server side anti-cheat detects an anomaly or something that shouldn’t be set on your client however it can also occur when the clientside VAC scanner detects an injection occurring. These bans are delayed as far as I know as when I was using the public Xenos injector I received an untrusted ban which later showed up on my profile as a VAC ban.

So moving on this ban wave was in fact a normal VAC ban wave.

File: vac_module_0_ee76faea4b2d4cdb951ebd9dcff92799.dll
Size: 61KB
Export TimeStamp: 13/09/2016 4:27:31 AM
Debug TimeStamp: 13/09/2016 4:27:31 AM
.text hash: F0B95B4B38F1752FDFCD7E7F6779165339E93FB2

File: vac_module_1_3d7b7d8d50356e415bebe04ad1464257.dll
Size: 60KB
Export TimeStamp: 3/09/2016 6:16:46 AM
Debug TimeStamp: 3/09/2016 6:16:46 AM
.text hash: E922440FEF9D16FCD1DD55329B2C43D2F0EBF7F8

File: vac_module_0_ee76faea4b2d4cdb951ebd9dcff92799.dll

Size: 61KB

Export TimeStamp: 13/09/2016 4:27:31 AM

Debug TimeStamp: 13/09/2016 4:27:31 AM

.text hash: F0B95B4B38F1752FDFCD7E7F6779165339E93FB2

File: vac_module_1_3d7b7d8d50356e415bebe04ad1464257.dll

Size: 60KB

Export TimeStamp: 3/09/2016 6:16:46 AM

Debug TimeStamp: 3/09/2016 6:16:46 AM

.text hash: E922440FEF9D16FCD1DD55329B2C43D2F0EBF7F8

The morning I woke up to the ban news I did another VAC module dump and clearly you can see they updated their modules. The 60kb module is responsible for scanning processes. The 61kb is an updated version which fixes an issue for windows10 (how02 found this). My guess is this VAC wave was targeting P2C loaders and processes that spawn before injection into the game. Remember VAC now can start when you login to Steam so running a potentially flagged loader even before the game is launched can see you VAC banned if you join a VAC secured server.

Lets see what the next wave brings us 🙂

Posted in Main | Tagged Aimware, ban, Interwebz, UnityHacks, vac3, WAVE | Leave a comment

Updated VAC3 Modules

Posted on August 21, 2016 by admin

As mentioned in the previous post Valve has changed the way they do import hiding. Previously there would be a bunch of string objects usually for each module that is being imported so “kernel32.dll” -> “GetProcAddress”,”ReadProcessMemory”, “OutputDebugStringA” etc and these would all be passed through a function which has an initial xor key of 0x55.

       public unsafe string DecryptString(byte[] strData)
        {
            byte[] out_str = new byte[strData.Length];
            byte key = 0x55;


            byte* v3; // edx@1
            byte v4; // bl@1
            byte result; // al@1
            int v6; // edi@1
            int v7; // esi@2

            fixed (byte* str = strData)
                fixed (byte* str_out = out_str)
                {
                    v3 = str_out;
                    v4 = key;
                    result = key;
                    v6 = (char)key ^ *(byte*)str;
                    if ((char)key != *(byte*)str)
                    {
                        v7 = (int)(str + 1 - (byte*)str_out);
                        do
                        {
                            result = (byte)(v4 ^ v3[v7]);
                            v4 = v3[v7];
                            *v3++ = result;
                            --v6;
                        }
                        while (v6 != 0);

                    }
                    *v3 = 0;
                }

            return Encoding.ASCII.GetString(out_str).TrimEnd('\0');
        }

public unsafe string DecryptString(byte[] strData)

{

byte[] out_str = new byte[strData.Length];

byte key = 0x55;

byte* v3; // edx@1

byte v4; // bl@1

byte result; // al@1

int v6; // edi@1

int v7; // esi@2

fixed (byte* str = strData)

fixed (byte* str_out = out_str)

{

v3 = str_out;

v4 = key;

result = key;

v6 = (char)key ^ *(byte*)str;

if ((char)key != *(byte*)str)

{

v7 = (int)(str + 1 - (byte*)str_out);

{

result = (byte)(v4 ^ v3[v7]);

v4 = v3[v7];

*v3++ = result;

--v6;

}

while (v6 != 0);

}

*v3 = 0;

}

return Encoding.ASCII.GetString(out_str).TrimEnd('\0');

}

Now however they changed the operation and they are using IceKey encryption to decode the strings which get decoded in one big block.

Runfunc is what is called to run a vac module for a specific scan.

signed int __stdcall runfunc(int func_to_scan, void *inputPacket, int inputPacketSize, void *outputPacket, int outputPacketSize)

1	signed int __stdcall runfunc(int func_to_scan, void inputPacket, int inputPacketSize, void outputPacket, int outputPacketSize)

The inputPacket now contains a key they use to decode the strings. The decryption routine now looks like this:

Once the input packet is decrypted a 4byte key is then used to decrypt the string block with size of 0xA80.

if ( dword_115E944C )
    decryptImportStrings((int)&unk_115E9440, (int)&unk_115E9440, 0xA80, (int)v1);
  v2 = GetModuleHandleA(ModuleName);
  dword_119EA4D4 = (int (__stdcall *)(_DWORD, _DWORD, _DWORD))GetProcAddress(v2, ProcName);
  dword_119EA4DC = (int (__stdcall *)(_DWORD, _DWORD))GetProcAddress(v2, aP);

if ( dword_115E944C )

decryptImportStrings((int)&unk_115E9440, (int)&unk_115E9440, 0xA80, (int)v1);

v2 = GetModuleHandleA(ModuleName);

dword_119EA4D4 = (int (__stdcall *)(_DWORD, _DWORD, _DWORD))GetProcAddress(v2, ProcName);

dword_119EA4DC = (int (__stdcall *)(_DWORD, _DWORD))GetProcAddress(v2, aP);

There you have it nothing so difficult but I guess they don’t want people who have no idea what they are doing to be able to analyze the modules effectively. That being said though you can just hook GetProcAddress and everything is revealed anyway 😛

¯\_(ツ)_/¯

Posted in Main | Tagged anticheat, csgo, decryption, dota2, hack, IceKey, reverse, runfunc@20, steam, vac, vac3, Valve | Leave a comment

VAC3 Updates

Posted on August 18, 2016 by admin

Valve pushed an update for VAC3 a few days ago or it could of been a week I’m not sure I didn’t actually check the modules for a week.

Heres a log of the modules I dumped today and their time stamp dates.

PETimeSort :: 18/08/2016 4:43:29 PM

File: vac_module_0_8e2837dc1874e71c3ba4c70c493f012bea0597be.dll
Size: 35KB
Export TimeStamp: 6/08/2016 4:35:46 AM
Debug TimeStamp: 6/08/2016 4:35:46 AM
.text hash: 351654168C6FA1D84709EFAB9369378596B92D7D

File: vac_module_10_9a3d07112e4e379334a448a542bfdea463674fcc.dll
Size: 114KB
Export TimeStamp: 6/08/2016 4:35:46 AM
Debug TimeStamp: 6/08/2016 4:35:46 AM
.text hash: 2DF41439CF8E91F2D59194D18E33C86DFE1EEB75

File: vac_module_14_c0bbd5951bdf7c3337b0e81b2429d25dc018aa50.dll
Size: 32KB
Export TimeStamp: 6/08/2016 4:35:46 AM
Debug TimeStamp: 6/08/2016 4:35:46 AM
.text hash: 8E9E0E046259943E34699B55C0142F65EB2C2729

File: vac_module_13_7161146422a2783dd2bd69b048d073794c937a54.dll
Size: 30KB
Export TimeStamp: 6/08/2016 4:35:37 AM
Debug TimeStamp: 6/08/2016 4:35:37 AM
.text hash: 21AD7FAF03D33E6164C9B009D0333F0FEE9AB7D3

File: vac_module_1_1c9adeac978bd1e63ca4aa0e1ed3479a72877809.dll
Size: 69KB
Export TimeStamp: 6/08/2016 4:35:37 AM
Debug TimeStamp: 6/08/2016 4:35:37 AM
.text hash: 95F61937748CD4AB814120AB7F20D4AC1D09DBF8

File: vac_module_2_d94ea2256edf3c6e03b968240fea154c925130c3.dll
Size: 30KB
Export TimeStamp: 6/08/2016 4:35:37 AM
Debug TimeStamp: 6/08/2016 4:35:37 AM
.text hash: 86B7B4D3CF07548A96F5F45118FA25CB48F40B88

File: vac_module_5_8500a4687cfabfda2f9fd042971fd481b65b70e6.dll
Size: 33KB
Export TimeStamp: 6/08/2016 4:35:37 AM
Debug TimeStamp: 6/08/2016 4:35:37 AM
.text hash: F90141CE8C03CD7E359383C3ADA2015B4074B309

File: vac_module_9_34fccfdc7d987f0e74fb2e546a7abb834ba65b84.dll
Size: 31KB
Export TimeStamp: 6/08/2016 4:35:37 AM
Debug TimeStamp: 6/08/2016 4:35:37 AM
.text hash: E7C549ACB6CCFA4FA384E3840822B6FFA9C286D6

File: vac_module_3_b23a14b07fd555d321e0432fb7f46859a06ec33c.dll
Size: 31KB
Export TimeStamp: 6/08/2016 4:35:36 AM
Debug TimeStamp: 6/08/2016 4:35:37 AM
.text hash: 1011BBCC7ADDFB8009E47A9161699E435EE7DA33

File: vac_module_7_f66f12c2dfc34b29f0d4305184b03d3845b9b0a3.dll
Size: 29KB
Export TimeStamp: 6/08/2016 4:35:24 AM
Debug TimeStamp: 6/08/2016 4:35:25 AM
.text hash: ED084D6562A429CF961267B7343F61212EAB80E4

File: vac_module_11_f260797499ce388f196b546b59260a77a23cbaf2.dll
Size: 32KB
Export TimeStamp: 6/08/2016 4:35:23 AM
Debug TimeStamp: 6/08/2016 4:35:24 AM
.text hash: 22DCA9E5141D960F1E45BF5735D8B9093B882F26

File: vac_module_12_c7423854a06351f64c30490099e85780f849306e.dll
Size: 27KB
Export TimeStamp: 6/08/2016 4:35:23 AM
Debug TimeStamp: 6/08/2016 4:35:23 AM
.text hash: 564FBABA08AFC5E8FD3F18F24DC1A36BF922D8A4

File: vac_module_15_51d5f83421482ab6a9fd0dc0f69ed4ee8d374659.dll
Size: 29KB
Export TimeStamp: 6/08/2016 4:35:23 AM
Debug TimeStamp: 6/08/2016 4:35:23 AM
.text hash: A22FD7769504A63C091A6CFC8A40CCB7E4311E71

File: vac_module_4_53b065d69934b4b49c02bfd38cb31f16fd61a7ec.dll
Size: 38KB
Export TimeStamp: 6/08/2016 4:35:23 AM
Debug TimeStamp: 6/08/2016 4:35:24 AM
.text hash: 06AF72EDDBBC3BA5CA88B6B0AB559B667795FF1F

File: vac_module_6_7cfdd6223b83ed997f22d0d493bc4f6876e474c6.dll
Size: 31KB
Export TimeStamp: 6/08/2016 4:35:23 AM
Debug TimeStamp: 6/08/2016 4:35:24 AM
.text hash: 68D8008E7D6AA4813F493301DAE90F8A25FC58D5

File: vac_module_8_9b09a83cf7a9a95614e061165e2f41b6ac031def.dll
Size: 30KB
Export TimeStamp: 6/08/2016 4:35:23 AM
Debug TimeStamp: 6/08/2016 4:35:23 AM
.text hash: 09A5EABA9F67A030B1FE719A64A74DE627A849D0

PETimeSort :: 18/08/2016 4:43:29 PM

File: vac_module_0_8e2837dc1874e71c3ba4c70c493f012bea0597be.dll

Size: 35KB

Export TimeStamp: 6/08/2016 4:35:46 AM

Debug TimeStamp: 6/08/2016 4:35:46 AM

.text hash: 351654168C6FA1D84709EFAB9369378596B92D7D

File: vac_module_10_9a3d07112e4e379334a448a542bfdea463674fcc.dll

Size: 114KB

Export TimeStamp: 6/08/2016 4:35:46 AM

Debug TimeStamp: 6/08/2016 4:35:46 AM

.text hash: 2DF41439CF8E91F2D59194D18E33C86DFE1EEB75

File: vac_module_14_c0bbd5951bdf7c3337b0e81b2429d25dc018aa50.dll

Size: 32KB

Export TimeStamp: 6/08/2016 4:35:46 AM

Debug TimeStamp: 6/08/2016 4:35:46 AM

.text hash: 8E9E0E046259943E34699B55C0142F65EB2C2729

File: vac_module_13_7161146422a2783dd2bd69b048d073794c937a54.dll

Size: 30KB

Export TimeStamp: 6/08/2016 4:35:37 AM

Debug TimeStamp: 6/08/2016 4:35:37 AM

.text hash: 21AD7FAF03D33E6164C9B009D0333F0FEE9AB7D3

File: vac_module_1_1c9adeac978bd1e63ca4aa0e1ed3479a72877809.dll

Size: 69KB

Export TimeStamp: 6/08/2016 4:35:37 AM

Debug TimeStamp: 6/08/2016 4:35:37 AM

.text hash: 95F61937748CD4AB814120AB7F20D4AC1D09DBF8

File: vac_module_2_d94ea2256edf3c6e03b968240fea154c925130c3.dll

Size: 30KB

Export TimeStamp: 6/08/2016 4:35:37 AM

Debug TimeStamp: 6/08/2016 4:35:37 AM

.text hash: 86B7B4D3CF07548A96F5F45118FA25CB48F40B88

File: vac_module_5_8500a4687cfabfda2f9fd042971fd481b65b70e6.dll

Size: 33KB

Export TimeStamp: 6/08/2016 4:35:37 AM

Debug TimeStamp: 6/08/2016 4:35:37 AM

.text hash: F90141CE8C03CD7E359383C3ADA2015B4074B309

File: vac_module_9_34fccfdc7d987f0e74fb2e546a7abb834ba65b84.dll

Size: 31KB

Export TimeStamp: 6/08/2016 4:35:37 AM

Debug TimeStamp: 6/08/2016 4:35:37 AM

.text hash: E7C549ACB6CCFA4FA384E3840822B6FFA9C286D6

File: vac_module_3_b23a14b07fd555d321e0432fb7f46859a06ec33c.dll

Size: 31KB

Export TimeStamp: 6/08/2016 4:35:36 AM

Debug TimeStamp: 6/08/2016 4:35:37 AM

.text hash: 1011BBCC7ADDFB8009E47A9161699E435EE7DA33

File: vac_module_7_f66f12c2dfc34b29f0d4305184b03d3845b9b0a3.dll

Size: 29KB

Export TimeStamp: 6/08/2016 4:35:24 AM

Debug TimeStamp: 6/08/2016 4:35:25 AM

.text hash: ED084D6562A429CF961267B7343F61212EAB80E4

File: vac_module_11_f260797499ce388f196b546b59260a77a23cbaf2.dll

Size: 32KB