It’s been a while

Hello?

It’s been a while since I’ve posted anything here, though it’s not because I haven’t been doing anything; actually, I’ve been more productive in these few months than before.

So I’ve been working on many things, mainly cVision, which will soon be up here. Dynamic code generation has been something I’ve been studying, with cVision basically rendering any sort of signature scanning or code hashing useless. With that out of the way, cVision is done, sort of; at least the application side is all functioning. If you’re reading this and are interested in purchasing a copy, get in contact with me.

As for other stuff, well, I’ve started working on the Insomniac Games engine again with Ratchet and Clank. I’ll post more about that later.

Posted in Main

CSGO Far/Extended ESP Concept

So not too long ago this happened.

[Screenshot]

Valve released an update to CS:GO which put the PVS (potentially visible set) to use: entities (in our case the enemy players) that were not in the visibility leaf of the local player were no longer networked to the client. Later on they released another update which brought the concept of player occlusion. The server now does not send any data about enemy players while they are not visible. It wasn’t as strict as what SMAC does, but it ended the life of the far ESP cheat in the game: you could no longer see enemy players unless they were close to you.

Since this is handled server side, there is no feasible way to get around it from the client. I’ve seen this done in many other games, like Dota 2 with its fog of war system.

Since there is no way to get around this, I thought to myself: hmm, well, the enemy player positions show up on the radar when a friendly spots an enemy. Know where I’m going with this? 😛

[Screenshot: enemy positions shown on the radar]

The remedy to the far ESP fix is to use this radar data to draw boxes around enemies who are out of view because of the visibility check. Lucky for us, what the radar structure stores is world coordinates (XYZ) rather than 2D coordinates relative to the map, so the positions can be drawn in world space like any other entity origin.

So, taking a look at where the radar data is stored, here is what I was able to reverse:

Here is an example with live data:

[Screenshot: reversed radar structure with live data]

And so, when the enemy is spotted by one of your team members, using this data (which is networked, unlike the entity data) we get this:

[Screenshot: boxes drawn around enemies from the radar data]

Now I know it doesn’t solve the problem, but it helps to see them whenever they are visible to one of your team members.

Here is a video:

Posted in Main

Halo Online (eldorado) Data Extractor 1.0

Quoted from Readme.txt; I don’t want to type any more, I’m tired.

Download 1.0

Posted in Main

Fox Engine Model Studio (Closed beta release)

Since I’ve been busy, I’m going to throw this out there as a closed public beta. To be eligible, please fill out the survey.

http://www.surveymonkey.com/s/WFY5M7K

What does the tool do exactly?

It lets you extract the game’s .fmdl assets (models, maps, geometry, characters, etc.).

Posted in Uncategorized

[REL] Dumping VAC2 and VAC3 the easier way

What is VAC?

VAC stands for Valve Anti-Cheat and is used in many games to prevent cheating, both Valve’s own titles and third-party ones (Modern Warfare, DayZ). VAC comes in several versions; at the time of writing, the latest version is what we are calling VAC3. VAC2 and VAC3 are the only active modules right now for games like Counter-Strike: Global Offensive.

Where is VAC, how is it loaded?

VAC2 is loaded by SteamService: when you start a game, steamservice loads it. Valve first writes the VAC2 module into your %temp% directory and then calls LoadLibrary on it. You can see this for yourself by hooking the LoadLibrary API call or by using an API monitor.

[Screenshot: API Monitor showing steamservice calling LoadLibrary on the VAC2 .tmp file]

Furthermore, you can open up the .tmp file, which is actually a DLL, and search for the string “vac2” to confirm that’s it.

[Screenshot: hex editor showing the “vac2” string in the .tmp file]

What about VAC3?

VAC3 works a little differently. It is manually mapped by steamservice, which means there are no calls to LoadLibrary and therefore no reason for them to write the module to disk, so nothing to copy out of %temp%.

Dumping VAC2 and VAC3

Tools required

VAC2

Dumping VAC2 is the easiest: run Procmon and let’s set some filters up.

[Screenshot: Procmon filter dialog]

The first is Process Name; set this to “steam”. Then add another filter for Path and set it to your %temp% directory. If you’re unsure what your temp directory is, type %temp% into the Windows Explorer address bar and hit Enter.

[Screenshot: %temp% resolved in Windows Explorer]

Now that you have the filter set up, launch a game that uses VAC2, for example Counter-Strike: Global Offensive.

You will notice that Procmon now has entries that look like this:

[Screenshot: Procmon showing steamservice writing the VAC2 .tmp file]

Head over to that directory and copy the file out to a safe place. Double-check that it’s VAC2 by opening the file in your hex editor and searching for the “vac2” string I mentioned earlier.

VAC3

Forcing LoadLibrary

Since VAC3 is manually mapped into memory, the first thought you might have is “find where it’s loaded and just dump the region with the size given”. Sure, that works, and you can do it that way; however, this way is even easier. As the subheading says, we are going to force steamservice to load it via LoadLibrary instead.

Begin by running patchSteamService.exe

[Screenshot: patchSteamService.exe output]

This patches the steamservice module, and VAC3 should now load the same way VAC2 does, via LoadLibrary.

How it works

Found by kokole, there is a subroutine inside steamservice which looks basically like this:

[Screenshot: IDA view of the branch in steamservice]

You can patch this yourself if you know what you’re doing; it isn’t hard. All you need to do is change the “jz” instruction to a “jmp” so that sub_1000F680 is always called. Or just use the tool and it will do it for you.
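As an added example (this is not kokole’s or the tool’s code), here is that patch written out in Python so you can see and verify what patchSteamService.exe does. The offset you pass is a file offset: IDA displays virtual addresses, so subtract the section’s virtual address and add its raw pointer first. The code bytes in the samples are constructed; they are not steamservice’s actual bytes, and since the real jz may be the short or the near form, both are handled and anything else is refused rather than overwritten.

```python
# Added example: turn a conditional "jz" into an unconditional "jmp" in a PE
# file, the patch described in the post. Constructed sample bytes, not
# steamservice.dll's real code.

def patch_jz_to_jmp(code: bytes, offset: int) -> bytes:
    """Return a copy of `code` with the JZ at `offset` made unconditional.

    Short form  74 rel8     -> EB rel8        (same length, displacement unchanged)
    Near form   0F 84 rel32 -> 90 E9 rel32    (NOP then JMP rel32; both encodings
                                               end at offset+6, so rel32 still
                                               reaches the same target)
    Refuses to touch anything that is not a JZ so a wrong offset cannot corrupt the file.
    """
    buf = bytearray(code)
    if buf[offset] == 0x74:
        buf[offset] = 0xEB
    elif buf[offset:offset + 2] == b"\x0f\x84":
        buf[offset] = 0x90
        buf[offset + 1] = 0xE9
    else:
        raise ValueError("no JZ at file offset 0x%X (found %02X)" % (offset, buf[offset]))
    return bytes(buf)


def jump_target(code: bytes, offset: int) -> int:
    """Decode where the JZ/JMP at `offset` lands (relative to the start of `code`).

    Used to prove the patch preserves the branch target; skips a leading NOP."""
    op = code[offset]
    if op == 0x90:
        return jump_target(code, offset + 1)
    if op in (0x74, 0xEB):
        return offset + 2 + int.from_bytes(code[offset + 1:offset + 2], "little", signed=True)
    if op == 0xE9:
        return offset + 5 + int.from_bytes(code[offset + 1:offset + 5], "little", signed=True)
    if code[offset:offset + 2] == b"\x0f\x84":
        return offset + 6 + int.from_bytes(code[offset + 2:offset + 6], "little", signed=True)
    raise ValueError("not a jump at 0x%X" % offset)


def patch_file(path: str, offset: int) -> None:
    """Patch the file in place, keeping a .bak copy of the original."""
    with open(path, "rb") as f:
        original = f.read()
    with open(path + ".bak", "wb") as f:
        f.write(original)
    with open(path, "wb") as f:
        f.write(patch_jz_to_jmp(original, offset))


# Constructed samples: "test eax, eax ; jz <skip> ; ... ; ret"
SHORT_SAMPLE = b"\x85\xc0\x74\x05" + b"\x90" * 5 + b"\xe8\x00\x00\x00\x00"
NEAR_SAMPLE = b"\x85\xc0\x0f\x84\x10\x00\x00\x00" + b"\x90" * 0x10 + b"\xc3"

if __name__ == "__main__":
    for sample in (SHORT_SAMPLE, NEAR_SAMPLE):
        patched = patch_jz_to_jmp(sample, 2)
        print(patched.hex(), "target unchanged:", jump_target(sample, 2) == jump_target(patched, 2))
```

Run `patch_file("steamservice.dll", file_offset)` on a copy of the module once you have converted the IDA address to a file offset; the `.bak` lets you restore it if the patched build misbehaves.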

Now to dump!

Once you have patched steamservice, run Procmon and set up the filter as you did for VAC2.

Run your VAC3-protected game (e.g. Counter-Strike: Global Offensive). You will notice that now a lot is going on in Procmon:

[Screenshot: Procmon showing the VAC3 module writes]

Slowly the VAC3 modules will become visible. Initially two modules are loaded on startup for Counter-Strike: Global Offensive (vac2 and vac3Auto); VAC3 Auto is used to detect injectors on game launch. The other VAC3 modules will load as you play on a VAC3-secured server.

If you navigate to the path shown in Procmon you may not find the modules; this is because they are marked as hidden. Enabling “show hidden files and folders” will not work here; the only way I’ve found to access them is via the command prompt.

Run a command prompt (cmd.exe), cd to the temp directory, then type the name of the file (or its full path) and hit Enter.

[Screenshot: opening the hidden .tmp file from cmd.exe]

It should show a dialog box asking how to open the file; select “Select a program from a list of installed programs” and then pick your hex editor. If you see the PE header shown below, you most likely have a VAC3 module. You can make sure by opening it with IDA and checking the exports for runfunc.

[Screenshots: PE header of a dumped VAC3 module in the hex editor]
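Rather than eyeballing the header in a hex editor, the two checks above (marker strings present, runfunc exported) can be automated. The Python below is an added example, not part of the post or of any VAC tooling; it uses only the standard library, maps RVAs through the section table (falling back to RVA == file offset for a raw dump of an already-mapped image), and builds a constructed minimal PE32 DLL to run against, since no real module is included here.

```python
# Added example: confirm that a dumped .tmp is a VAC module by (1) searching for
# the marker strings named in the post and (2) walking the PE export table for
# "runfunc". Standard library only. The sample DLL is constructed below; it is
# not a real VAC2/VAC3 module.
import struct


def _rva_to_offset(data, pe, nsect, opt_size):
    """Build an RVA -> file offset translator from the section table.

    Falls back to RVA == offset, which is what you need when the input is a raw
    dump of an image that was already mapped into memory."""
    sections = []
    for i in range(nsect):
        s = pe + 24 + opt_size + 40 * i                      # IMAGE_SECTION_HEADER i
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, s + 8)
        sections.append((va, max(vsize, rsize), raw))

    def off(rva):
        for va, size, raw in sections:
            if va <= rva < va + size:
                return rva - va + raw
        return rva
    return off


def pe_exports(data):
    """Return (module name, [exported names]) for a PE32/PE32+ image.

    Raises ValueError when the MZ or PE signature is missing."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    magic = struct.unpack_from("<H", data, pe + 24)[0]
    dirs = pe + 24 + (96 if magic == 0x10B else 112)       # data directories: PE32 / PE32+
    exp_rva = struct.unpack_from("<I", data, dirs)[0]      # entry 0 is the export table
    if exp_rva == 0:
        return None, []
    off = _rva_to_offset(data, pe, nsect, opt_size)

    def cstr(rva):
        start = off(rva)
        return data[start:data.index(b"\0", start)].decode("ascii", "replace")

    e = off(exp_rva)
    # IMAGE_EXPORT_DIRECTORY from the Name field onwards
    name_rva, _base, _nfuncs, nnames, _funcs, names_rva, _ords = struct.unpack_from("<IIIIIII", data, e + 12)
    names = [cstr(struct.unpack_from("<I", data, off(names_rva) + 4 * i)[0]) for i in range(nnames)]
    return cstr(name_rva), names


def check_dumped_module(data, markers=(b"vac2", b"runfunc")):
    """The post's two checks in one place: marker strings present, runfunc exported."""
    result = {m.decode(): m in data for m in markers}
    try:
        _, exports = pe_exports(data)
    except (ValueError, struct.error):
        exports = []
    result["exports_runfunc"] = "runfunc" in exports
    return result


def build_sample_dll(export_names, dll_name=b"sample.dll"):
    """Construct a minimal PE32 DLL whose single section holds only an export directory."""
    sect_va, sect_raw = 0x1000, 0x200
    body = bytearray(40)                                    # export directory, filled in last
    funcs_rva = sect_va + len(body)
    body += bytes(4 * len(export_names))                    # AddressOfFunctions
    names_rva = sect_va + len(body)
    body += bytes(4 * len(export_names))                    # AddressOfNames
    ords_rva = sect_va + len(body)
    body += bytes(2 * len(export_names))                    # AddressOfNameOrdinals
    name_rva = sect_va + len(body)
    body += dll_name + b"\0"
    for i, name in enumerate(export_names):
        struct.pack_into("<I", body, names_rva - sect_va + 4 * i, sect_va + len(body))
        struct.pack_into("<I", body, funcs_rva - sect_va + 4 * i, 0x2000 + 0x10 * i)
        struct.pack_into("<H", body, ords_rva - sect_va + 2 * i, i)
        body += name + b"\0"
    struct.pack_into("<IIHHIIIIIII", body, 0, 0, 0, 0, 0, name_rva, 1,
                     len(export_names), len(export_names), funcs_rva, names_rva, ords_rva)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)   # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, sect_va, len(body))                 # export directory entry
    sect = struct.pack("<8sIIII", b".rdata", len(body), sect_va, len(body), sect_raw) + bytes(16)
    headers = dos + b"PE\0\0" + file_hdr + opt + sect
    return bytes(headers + bytes(sect_raw - len(headers)) + body)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dll([b"runfunc"], b"vac3.dll")
    print(pe_exports(blob))
    print(check_dumped_module(blob))
```

Point it at a copied `.tmp` (`python check_vac.py %temp%\xxxx.tmp`); a VAC2 dump should light up the “vac2” marker, a VAC3 dump should report `exports_runfunc` as true.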

 

Tutorial End.

Dumped modules (1_02_2015_vac2+3_dump.rar (162.4 KB))

Posted in Misc

And we have bones ;)

Chico says hi!

[Screenshot: MGS bones]

Bones

Kojima Productions seems to store bone data like so:

Now I don’t exactly know what’s going on here, because my first attempt using that quaternion didn’t work, so I re-wrote my matrix class in C# (it was originally written in VB.NET and ancient as hell).

[Screenshot: matrix class]

I ended up zeroing out the bone rotations (for now) since I have no clue what format they are storing the quaternion in.

After messing around with bones, with the help of chrrox and jayk, I was able to get skinning working and exported to SMD.

Posted in Main

Fox Engine (Metal Gear Solid 5 GZ)


Fox Engine

There have been many advancements since I last posted, both by me and by others, making it possible to extract assets from Kojima Productions’ Metal Gear Solid V: Ground Zeroes. The Fox Engine’s superb image quality is made possible by physically based rendering (PBR); it can make a low-polygon model look photo-realistic, and it does it well. Researching the file format along with JayK, Chrrox and Volfin, I’ve discovered that in fact most of the models used in game are pretty standard and have a low poly count.

Modding

Anyhow, there have been many people in the modding scene playing around with the engine. Mostly it’s been model swapping, which surprisingly works without breaking the game.

Here are some to check out if you haven’t seen them already.

There has even been texture modding:

[Screenshot: texture mod]

Fox Engine Model Studio

So you may be wondering why I’m talking about all this? Well, I’d like to personally contribute by making it possible to import and replace actual geometry; that’s where my new tool comes into play. The Fox Engine Model Studio, as I’m dubbing it, will allow the extraction of the game models and also (yet to be implemented) the ability to replace models in the game.

What is left to do?

The FMDL format by Kojima Productions isn’t overly complex; however, there are still unknown structures and data in there that we have yet to reverse engineer and understand. If model importing is going to be a reality then those structures need to be parsed and understood to a degree. I will post more about that as more research is done.

Thanks to JayK, Chrrox and Volfin for their format research help. Here are some WIP shots of what’s to come.

[WIP screenshots: the Fox Engine Model Studio UI and the Chico, Snake, Kojima and Paz models]

Posted in Main

Metal Gear Solid 5 GZ (Fox Engine)

I played this game briefly before leaving for my Christmas holidays; when I got back I saw that someone (“g0s”) had already managed to figure out the package format they use. Extracting the files, it seems they have used zlib-compressed chunks for the .ftex textures. Here’s something funny: on top of the encryption the package archives use, they XOR-encrypt their shader files... It’s a dead giveaway when you open the shader binary up in a hex editor.

For example, in GrModelShaders_dx11.fsop you notice the byte 0x9C repeated over and over. That is what a single-byte XOR key looks like: wherever the plaintext is zero padding, the ciphertext byte is the key itself.

[Screenshot: GrModelShaders_dx11.fsop in a hex editor, 0x9C repeated]

Let’s XOR that selection of bytes with 0x9C and see what happens.

[Screenshot: the same bytes after XOR with 0x9C]

😎 Easy, right?
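The repeated 0x9C is enough to recover the key automatically, not just by eye. The Python below is an added example (not the author’s tooling): it picks the key by byte frequency, decrypts, and runs against a constructed stand-in blob, since the real GrModelShaders_dx11.fsop bytes are not on the page. The DXBC-style header in the sample is an assumption about the plaintext layout, not something the post states.

```python
# Added example: recover a single-byte XOR key and decrypt a Fox Engine shader
# blob. The key (0x9C) and the file name come from the post; the shader bytes
# below are a constructed stand-in, not real GrModelShaders_dx11.fsop data.
from collections import Counter
from typing import Optional, Tuple


def recover_xor_key(blob: bytes) -> int:
    """Guess a single-byte XOR key.

    Binary formats are full of zero padding, and 0 XOR k == k, so the most
    frequent byte of the ciphertext is almost always the key itself. That is
    exactly the 'repeated 0x9C' the post spotted in the hex editor.
    """
    if not blob:
        raise ValueError("empty input")
    return Counter(blob).most_common(1)[0][0]


def xor_bytes(blob: bytes, key: int) -> bytes:
    """XOR every byte with the same key; encryption and decryption are the same operation."""
    return bytes(b ^ key for b in blob)


def decrypt_shader(blob: bytes, key: Optional[int] = None) -> Tuple[int, bytes]:
    """Decrypt a single-byte-XORed blob; recovers the key by frequency if none is given."""
    k = recover_xor_key(blob) if key is None else key
    return k, xor_bytes(blob, k)


# Constructed sample: a DXBC-style header followed by zero padding, the kind of
# layout that makes the key leak. The real .fsop container layout is not on the page.
SAMPLE_PLAINTEXT = b"DXBC" + bytes(16) + b"fx_5_0\0" + bytes(32) + b"GrModelShaders\0"
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, 0x9C)


def demo() -> Tuple[int, bytes]:
    """Run key recovery and decryption on the constructed sample."""
    return decrypt_shader(SAMPLE_CIPHERTEXT)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # real use: decrypt a file from disk
        with open(sys.argv[1], "rb") as f:
            key, plain = decrypt_shader(f.read())
        with open(sys.argv[1] + ".dec", "wb") as f:
            f.write(plain)
    else:
        key, plain = demo()
    print("key: 0x%02X" % key, plain[:16])
```

Check the output against a known magic (shader bytecode, a readable string) before trusting it: the frequency heuristic picks the wrong key when the plaintext’s most common byte is not zero, as happens with compressed data.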

Here’s an overview of what their model format (FMDL) looks like. Pretty straightforward.

[Screenshot: FMDL structure overview]

Posted in Main

Circumvent (Themida/Hackshield/Etc..) Ultimate Memory Dump Tutorial

Backstory & Information

This tutorial was made possible by Nexon’s Counter-Strike Online 2; that nasty piece of shit left me no choice but to resort to this brutal, nasty method.

Now to give a little info first, in case anyone reading this has no idea what I’m talking about or doesn’t understand the concept of memory: games and applications that run on your system all use RAM. Sometimes they keep sensitive or valuable data there that was never meant to reach the end user, for example an AES encryption key, or game assets like models, textures and scripts. Normally this data isn’t protected at all, since you can simply force a dump of the application’s memory. Some software and game developers, however, restrict access to it, usually to stop cheaters or people exploiting their software (like myself 😈).

I won’t go into detail on what the kernel is or what userland means, but these developers protect process memory with methods that can be circumvented by a simple trick. The example case in this tutorial is the game Counter-Strike Online 2. Nexon, the developers of this game, use a kernel driver installed on the system to protect the game process: once it is running, user-mode tools can no longer open the process or read its memory. In CS Online 2’s case HackShield’s EagleNT.SYS protects CounterStrikeOnline2.exe, and access from a normal program is no longer possible.

[Screenshot: memory access to CounterStrikeOnline2.exe denied]

So how do we circumvent this?

Since the user can’t access the process or its memory, there are two ways around this. The first, which won’t be covered in this tutorial, requires you to write a driver of your own that runs with kernel privileges. The second is to force the system into a BSOD (Blue Screen of Death). Normally that would be a bad thing (faulty hardware, bad drivers), but we are using it to our advantage: the system can be configured to dump all of its memory to a single file before rebooting, and the protected process’s pages are in there with everything else.

Prepare for the BSOD memory dump

The first thing that needs to be done (you can read more about this at the Microsoft site linked below) is to configure the system to capture a “complete dump”. A complete dump, as stated by MS, is:

A memory dump that records all the contents of the system memory when your computer stops unexpectedly.
A complete memory dump may contain data from processes that were running when the memory dump was collected.

This is what we want: a full capture of the system’s memory. The steps are below:

1. Open the Control Panel and double-click System (alternate method: right-click My Computer)
2. Select the Advanced tab
3. Under “Startup and Recovery” click the Settings button
4. Under “Write debugging information” select “Complete memory dump” from the drop-down list box
5. Check the box “Overwrite any existing file”
6. Click OK
7. A message about page file requirements may be displayed; if so, click Yes
8. Click OK

If there is no option for Complete memory dump, you can enable it manually through the registry. First exit the Startup and Recovery window, then:

1. Open the Registry Editor (click Start, type “regedit” and hit Enter)
2. Navigate to HKLM\System\CurrentControlSet\Control\CrashControl
3. Change CrashDumpEnabled to the value for a complete memory dump
4. This should now enable the Complete memory dump option in the dialog

[Screenshot: CrashDumpEnabled under CrashControl in regedit]

A word of warning: if you own a solid-state drive (SSD), I would recommend setting the dump location to another disk, as writing a whole 16 GB file eats into the SSD’s write endurance. Make sure you have enough disk space! A complete dump also requires a page file on the boot volume at least as large as physical RAM plus 1 MB; that is what the message in step 7 above is about.

[Screenshot: dump file location setting]

Registry key method didn’t work?

In case the above method didn’t work, you can try the HTML application I have packed here to do it:

http://cra0kalo.com/public/BSOD_MemoryDumpTools.zip

Causing the BSOD

Now there are many ways to trigger a BSOD, but the “safest” is a keyboard-initiated crash, which can be done by pressing a few keys. Once again you need to enable this feature in the registry. More on that here: http://support.microsoft.com/kb/244139

I have packed up a zip file with the required registry keys to enable this here. Depending on your keyboard (PS/2 or USB), run the matching .reg file; sometimes you will need to run both the PS/2 one and the USB one.

[Screenshot: the registry key files]

Once you have activated the keyboard shortcut for the manual crash (the registry change only takes effect after a reboot), the default combination is:

Right CTRL + SCROLL LOCK + SCROLL LOCK (hold the right CTRL key and press SCROLL LOCK twice)

Prepare your computer by exiting all other applications that you don’t want to capture from, for example your antivirus protection and your Internet browser. Exit as many applications as you can, except of course the one you wish to capture from. Once this is done, hit those keys and your system should BSOD. Here is a picture from when I did it on my Asus laptop.

[Photo: BSOD on an Asus laptop]

The dump process

You will now need to wait a while (depending on the size of your RAM) for the dump to be written. Once it has completed, your system should reboot.

Analysis and Gold panning!

Alright, now navigate to the folder you set for the dump file.

[Screenshot: the MEMORY.DMP file in its folder]

Have fun digging through it with a hex editor :)
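A complete dump is the size of physical RAM, so a hex editor is a slow way to find what you came for. The Python below is an added example (not the post’s tooling) of a first pass over the file: it streams the .DMP in chunks, finds a process or module name in both ASCII and UTF-16LE even when the hit straddles a chunk boundary, and filters “MZ” hits down to real PE headers you can then carve out. The sample dump it runs on is constructed, not a real crash dump. One caveat the code does not hide: a complete dump holds physical pages, so the pages of a module are not necessarily contiguous in the file, and a header hit is a starting point rather than a whole image.

```python
# Added example: a first pass over a complete memory dump, instead of scrolling
# through it in a hex editor. Streams the file in chunks (a complete dump is the
# size of physical RAM, so it cannot be read at once), finds byte patterns across
# chunk boundaries, and filters "MZ" hits down to real PE headers. The sample
# dump below is constructed; it is not a real .DMP.
import io

CHUNK_SIZE = 8 << 20   # 8 MiB per read


def scan_dump(stream, patterns, chunk_size=CHUNK_SIZE):
    """Return {pattern: [absolute offsets]} for every occurrence of each pattern.

    Each chunk is prefixed with the last len(longest)-1 bytes of the previous
    one, so a hit straddling a boundary is still found; hits that end inside
    that carried-over tail were already reported and are skipped.
    """
    hits = {p: [] for p in patterns}
    overlap = max(len(p) for p in patterns) - 1
    base, tail = 0, b""
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        buf = tail + block
        start = base - len(tail)
        for p in patterns:
            i = buf.find(p)
            while i != -1:
                pos = start + i
                if pos + len(p) > base:          # ends in new data, so not a repeat
                    hits[p].append(pos)
                i = buf.find(p, i + 1)
        base += len(block)
        tail = buf[-overlap:] if overlap else b""
    return hits


def keyword_patterns(word):
    """ASCII and UTF-16LE forms; Windows keeps most process and module names as wide strings."""
    return [word.encode("ascii"), word.encode("utf-16-le")]


def pe_headers(stream, mz_offsets, max_lfanew=0x1000):
    """Keep only the 'MZ' hits whose e_lfanew points at a 'PE\\0\\0' signature."""
    found = []
    for off in mz_offsets:
        stream.seek(off + 0x3C)
        raw = stream.read(4)
        if len(raw) < 4:
            continue
        e_lfanew = int.from_bytes(raw, "little")
        if e_lfanew < max_lfanew:
            stream.seek(off + e_lfanew)
            if stream.read(4) == b"PE\0\0":
                found.append(off)
    return found


def build_sample_dump():
    """Constructed stand-in for a dump: a process name in both encodings, one
    genuine PE header, and a stray 'MZ' with no PE signature behind it."""
    hdr = bytearray(64)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (64).to_bytes(4, "little")
    return (b"A" * 10 + b"CounterStrike" + b"B" * 5
            + "CounterStrike".encode("utf-16-le")
            + bytes(hdr) + b"PE\0\0" + b"MZ" + bytes(70))


def demo(chunk_size=16):
    """Scan the constructed dump with a tiny chunk size to exercise the boundary logic."""
    ascii_pat, wide_pat = keyword_patterns("CounterStrike")
    stream = io.BytesIO(build_sample_dump())
    hits = scan_dump(stream, [ascii_pat, wide_pat, b"MZ"], chunk_size)
    return {"ascii": hits[ascii_pat], "utf16": hits[wide_pat],
            "mz": hits[b"MZ"], "pe": pe_headers(stream, hits[b"MZ"])}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:                          # real use: scan_dump.py MEMORY.DMP CounterStrikeOnline2
        with open(sys.argv[1], "rb") as f:
            h = scan_dump(f, keyword_patterns(sys.argv[2]) + [b"MZ"])
            print({k: len(v) for k, v in h.items()}, "PE headers:", len(pe_headers(f, h[b"MZ"])))
    else:
        print(demo())
```

Feed the PE header offsets to a carver or to a PE-aware tool next; the string hits tell you which pages belonged to the process you crashed the box for.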

Reference & Sources

http://blogs.technet.com/b/askperf/archive/2008/01/08/understanding-crash-dump-files.aspx

http://support.microsoft.com/kb/244139

Alternative way

1. Visit the following Microsoft web site to download the NotMyFault tool:
2. Click Start, and then click Command Prompt (run it elevated; the tool loads a driver).
3. At the command line, type NotMyfault.exe /crash and then press ENTER.

Posted in Main

Alien Isolation (Omodel) WIP (Vertex Format)

We have figured out the pak tree and are currently working on each vertex format structure the game throws at us! Up next: rigged models.

[Screenshot: Alien Isolation model tool WIP]

Posted in Main