This blog has been getting quieter and quieter. I have not been doing research or development much that I can share almost to a point I forgot this blog existed.
Neverless if I find something worth posting about I will.
Yes I’m still alive 🙂
BattlEye Anti-Anti LoadLibrary
So while testing some things against a BattlEye protected again I noticed recently there was an update that prevents LoadLibrary from being utilized even after unloading the Anti-cheat.
First of all I thought, maybe Mr Bastian isn’t unloading the minifilter hook or it’s the PsSetLoadImageNotifyRoutine catching the LoadLibrary call but that didn’t really make sense.
Checking the system for any hooks and routinues installed returned nothing, so how is he still blocking the LoadLibrary call even after the BEDaisy driver is unloaded and BEClient.dll gone from the game’s module list.
So let me explain whats going on here:
He is overwritting one of NTDLLs core structued used by the Windows Loader:
|
1 |
ntdll!LdrSystemDllInitBlock |
If you compare the original loaded bytes to the ones that are present in any game BattlEye runs on you will notice that there is an line patch present.
Original:
|
1 |
50 00 00 00 00 00 00 00 |
Modified/Patched:
|
1 |
50 00 00 00 00 00 E7 F9 |
This stops any DLL if it has runtime checks enabled (CRT) and/or manifest resource causing an Access is Denied Error.
Restoring these patched bytes will fix the issue.
Posted in Uncategorized
Tagged BattlEye, fix, Loader, loadlibrary, Rainbow6, TslGame, Windows, x64
Leave a comment
Xenuine Anti-cheat | PlayerUnknown’s Battlegrounds
Blocked Access
It’s been a while since I’ve posted. So my adventures have moved passed the Valve Anti-cheat towards something far more interesting. Battle-Eye AC and now this.
Titled ‘Xenuine’ the new anti-cheat by PUBG Corporation the owners of PlayerUnknown’s Battlegrounds ‘PUBG’ which has been developed to run along side the failing Battle-Eye anti-cheat. Announcement
This anti-cheat after taking a brief look seems to only operate in Ring3 (Usermode) meaning that there is no Ring0 (Kernel) component.
Utilizing this technique: https://github.com/changeofpace/Self-Remapping-Code
They are protecting their game executable code from being touched, on top of that they are doing something which will catch any allocated memory marked as ReadWriteExecute with an exact detail of what instruction and/or process wrote or caused the detection which is surprisingly good for a ring3 anticheat.
I will be doing more research into this, for now here is my post on UnknownCheats about it:
Valve Anti-Cheat Untrusted Bans (VAC) CSGO
Untrusted Bans
So recently I’ve seen people suprized at how they are getting ‘untrusted bans’ on cheating forums. Some even confused at what that term even means.
Even though Valve hasn’t given us a definition of what it means previously it was understood that an ‘untrusted ban’ was the serversided anticheat ban given to players who send incorrect data to the game server in Valve’s official matchmaking. Most prominently player view angles which are stored in the Euler format (X,Y,Z) (Pitch, Yaw, Roll) if sent incorrectly to the game server instantly will flag your account as ‘untrusted’.
Heres some MSPaint diagram I drew showing you what I mean by invalid viewangles and how this is a big no no when the server receives them.
Now without going way off topic let me just point out whats going on, obviously the game character can not be upside down in CSGO there is no possible way for this to happen therefore if the Valve Offical Matchmaking Server receives 180 for the roll angle for example in this case they will instantly flag your account for a ban.
Untrusted bans however have evolved from that, people are getting untrusted bans with correct viewangles and you see the same sort of replies people make on forums online. “You forgot to clamp your angles properly”, “You must of wrote wrong viewangles” when in fact it could be something else causing these types of bans.
Now disclaimer I present to you my take on things this isn’t necessarily why it happens but I believe strongly it’s very likely to be the case based on research I’ve done on the Valve Anti-cheat system.
LoadLibrary
When you load an internal hack into a game (in this case csgo) usually the easiest way to do so is to call a function exported by KERNEL32 called LoadLibrary. LoadLibrary comes in many variants and since it’s the easiest to use one can quickly whip up an injector for their hack or copy paste one from the Internet and make it work.
Now lets talk about VAC3, one of the process scanning modules that resides in VAC returns all loaded modules in CSGO (or the target process) at the time of the scan.
It returns:
- ModuleBase
- MD5 Hash
- VolumeSerialNumber (the module is stored on)
- Some other attributes also present in structure ‘BY_HANDLE_FILE_INFORMATION’
It also has the ability to do deeper scans on individual modules, one of the more interesting scan flags returned is the fact if the module mapped in memory is present in the module list (PEB). Some people using LoadLibrary think it’s smart to unlink their hack module from the PEB which makes it appear even more suspicious as they can easily tell and do log this when scans are run.
(Here is a zip file containing said module and a IDA idb file which has fixed imports and decoded strings)
Scan Function is @ 0x10002f07
https://cra0.net/rel/vac_module_7_ScanMemory_38KB.zip
So where am I going with this you may be wondering? Well 2017.05.02 there was a CSGO update which bought some sneaky changes to game integrity.
http://blog.counter-strike.net/index.php/2017/05/18665/
At first it appeared they did this to stop anti-virus vendors from incorrectly flagging CSGO’s DLL libraries as malware (false positives). However if you think about this was a pretty strategic move on Valve’s part to help them isolate potential cheat specific DLLs.
Since VAC is constantly collecting data from you and I they have a massive sample size of loaded DLLs that could be present in CSGO besides their own signed modules which you can not alter. For example they can easily rule out their official DLL libraries from foreign ones.
There are a ton of legitmate applications which load libraries into other windows applications such as teamviewer ‘tv_w32.dll’ however Valve eventually collects enough data to determine that your hack dll you load everytime CSGO runs is in fact be a cheat and will deem your client as ‘untrusted’
Conclusion?
Write your own manual mapper, and don’t copy paste assembly stubs (they are signatured)
VAC3 Updates
I haven’t posted anything here in a while and well this just happened yesterday.
VAC ban wave
They are indeed doing something to the timestamps of the modules because
|
1 2 3 4 5 |
File: vac_module_0_4034d3e194a4d269c43e889593b00bcb.dll Size: 29KB Export TimeStamp: 13/05/2017 4:07:59 AM Debug TimeStamp: 13/05/2017 4:07:59 AM .text hash: 70E41F8439001066DE3FFFB00B1CDE52A0BF9E6F |
|
1 2 3 4 5 |
File: vac_module_0_125e53d20a0cbe4849b7ff5f0130a2bf.dll Size: 29KB Export TimeStamp: 16/05/2017 4:59:39 AM Debug TimeStamp: 16/05/2017 4:59:39 AM .text hash: 3AD50243148A16042AA035749A1AEC049FCEA2A3 |
Same module, which enumerates drivers that is 100% identical has different timestamps.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 |
signed int __thiscall sub_100021AE(char *this) { char *v1; // ebp@1 signed int v2; // ebx@1 int v3; // esi@1 int v4; // eax@2 _DWORD *v5; // esi@2 _DWORD *v6; // edi@6 int v7; // ST38_4@6 int v8; // esi@6 int v9; // eax@6 signed int v10; // eax@8 bool v11; // cf@8 bool v12; // zf@8 int v13; // eax@14 int v14; // esi@16 int v15; // ecx@16 int v16; // eax@16 int v17; // ecx@16 int v18; // eax@16 int v19; // eax@17 int v20; // edi@19 int v21; // eax@19 int v22; // eax@21 int v23; // edx@21 int v24; // esi@21 int v25; // eax@22 int v26; // ecx@23 _DWORD *lpMem; // [sp+4Ch] [bp-2918h]@1 _DWORD *v29; // [sp+50h] [bp-2914h]@13 int v30; // [sp+54h] [bp-2910h]@1 unsigned int v31; // [sp+58h] [bp-290Ch]@6 LPVOID v32; // [sp+5Ch] [bp-2908h]@1 int v33; // [sp+60h] [bp-2904h]@20 int v34; // [sp+64h] [bp-2900h]@1 unsigned int v35; // [sp+68h] [bp-28FCh]@12 int v36; // [sp+6Ch] [bp-28F8h]@20 int v37; // [sp+70h] [bp-28F4h]@20 int v38; // [sp+74h] [bp-28F0h]@1 int v39; // [sp+78h] [bp-28ECh]@16 char v40; // [sp+7Ch] [bp-28E8h]@6 char v41; // [sp+80h] [bp-28E4h]@1 char v42; // [sp+94h] [bp-28D0h]@1 char v43; // [sp+A8h] [bp-28BCh]@1 char v44; // [sp+BCh] [bp-28A8h]@23 int v45; // [sp+12Ch] [bp-2838h]@23 char v46; // [sp+134h] [bp-2830h]@16 char v47; // [sp+135h] [bp-282Fh]@18 char v48; // [sp+234h] [bp-2730h]@21 v1 = this; v2 = 0; v30 = 0; v32 = 0; lpMem = 0; v38 = 0; sub_1000505E(&v43); sub_1000505E(&v41); sub_1000505E(&v42); v3 = ((int (__stdcall *)(_DWORD, _DWORD, signed int))vac_import_tbl.OpenSCManagerA)(0, 0, 4); v34 = v3; if ( !v3 ) goto LABEL_2; v32 = (LPVOID)HeapAllocSimple(0x10000u); if ( v32 ) { memset(0x10000); v6 = v32; v8 = ((int (__thiscall *)(int, int, signed int, signed int, LPVOID, signed int, char *, unsigned int *, int *))vac_import_tbl.EnumServicesStatusA)( v7, v3, 11, 1, v32, 0x10000, &v40, &v31, &v38); v9 = ((int (*)(void))vac_import_tbl_ptr->GetLastError)(); if ( !v8 && v9 != 234 ) { LABEL_2: v4 = ((int (*)(void))vac_import_tbl_ptr->GetLastError)(); v5 = 0; LABEL_32: v2 = v4; goto LABEL_33; } v10 = v31; v11 = v31 < 0xCB; v12 = v31 == 203; *((_DWORD *)v1 + 6) = 0; if ( !v11 && !v12 ) v10 = 203; v31 = v10; v5 = (_DWORD *)HeapAllocSimple(0x1000u); lpMem = v5; if ( v5 ) { v35 = 0; if ( v31 > 0 ) { v29 = v6; while ( 1 ) { v13 = ((int (__stdcall *)(int, _DWORD, signed int))vac_import_tbl.OpenServiceA)(v34, *v6, 5); v30 = v13; if ( !v13 || !((int (__stdcall *)(int, _DWORD *, signed int, char *))vac_import_tbl.QueryServiceConfigA)( v13, v5, 4096, &v40) ) { break; } ((void (__stdcall *)(int))vac_import_tbl.CloseServiceHandle)(v30); v14 = 20 * *((_DWORD *)v1 + 6); v15 = *v6; v30 = 0; v39 = v14; v16 = sub_10006495(v15); *(_DWORD *)&v1[v14 + 36] = sub_10005043(*v6, v16); memset(256); v17 = lpMem[3]; sub_10003C47(); v18 = sub_10001A77(&v46); if ( v18 ) { v19 = sub_10006495(v18 + 8); sub_1000633F(v19); sub_1000633F(6); } if ( v47 != 58 ) { v20 = sub_10006495((char *)off_10007290 + 469); v21 = sub_10006495(&v46); sub_1000633F(v21); sub_1000633F(v20); *(&v46 + v20) = 92; v6 = v29; } v33 = 0; v36 = 0; v37 = 0; if ( (unsigned __int8)sub_10003677(&v33, &v36) ) { sub_100043AA(&v48); v29 = 0; v22 = sub_100047B1(v33, v36, v37, &v29); v23 = v39; *(_DWORD *)&v1[v39 + 44] = v29; v24 = (int)&v1[v23]; *(_DWORD *)&v1[v23 + 40] = v22; *(_DWORD *)&v1[v23 + 48] = 0; *(_DWORD *)&v1[v23 + 52] = 0; if ( !v22 ) { v25 = sub_1000480B(&v48); *(_DWORD *)(v24 + 40) = v25; if ( !v25 ) { v45 = 1; sub_10004FF1(&v44); if ( (unsigned __int8)sub_10004EA5(&v44, v26) ) sub_10006323(16); sub_10004FF1(&v44); sub_10004FF1(&v44); } } if ( ++*((_DWORD *)v1 + 6) >= 0xCBu ) { sub_10004936(&v48); sub_10003D1B(&v48); goto LABEL_5; } sub_10004936(&v48); sub_10003D1B(&v48); } v6 += 9; v5 = lpMem; ++v35; v29 = v6; if ( v35 >= v31 ) goto LABEL_33; } v4 = ((int (*)(void))vac_import_tbl_ptr->GetLastError)(); goto LABEL_32; } } else { v2 = 8; } } else { v2 = 8; LABEL_5: v5 = lpMem; } LABEL_33: HeapFreeSimple(v5); HeapFreeSimple(v32); ((void (__stdcall *)(int))vac_import_tbl.CloseServiceHandle)(v30); ((void (__stdcall *)(int))vac_import_tbl.CloseServiceHandle)(v34); sub_10005089(&v42); sub_10005089(&v41); sub_10005089(&v43); return v2; } |
100% match
Valve what are you up to now… 🙄
Valve Anti-cheat (VAC) in 2017
Lets first talk about Valve’s roadmap for Counter-Strike Global Offensive, mentioned briefly by Valve’s Gabe Newell in a reddit AMA he said the following:
As far as a roadmap is concerned, our priorities for 2017 are to replace the UI with Panorama, to make CS:GO available in more territories where a lot of Counter-Strike fans don’t have easy access to it (like China), and anti-cheat. Of course, we’re also planning on continuing to ship bug fixes and new features throughout the year, as in the past.
So clearly they are or from what Gabe has said looking at improving the game’s anti-cheat. Hard to believe as they haven’t exactly done anything significant in the past year or so but who knows we shall see what happens.
Today another post came out from the Valve Anti-cheat’s official reddit account.
A user asked about why they don’t add automated detection for spinbotters and send them to Overwatch they mentioned that heuristics can be very dangerous as cheat developers could probe the system to determine the edges of the detection approach and that it opens up a lot of room for false positives. I personally agree with them but seriously they could do something if they really wanted to that would be adequate. Their focus however seems more on machine learning and this is reflected actually by the current deployment of VAC modules.
Looking at a very recent dump of the modules we can see that their timestamps date back to last year.
Now at first I thought they were faking these timestamps but it seems they are in fact using dated modules. Comparing the timestamps to ones that I’ve dumped on those exact days we can see there are no differences in function calls or anything really.
So for now we can predict that they are working more on a server-sided heuristics approach to detecting cheaters (like mentioned in the reddit post) instead of focusing more on detecting cheats themselves.
We shall see what happens.. 😮
A New Year!
It’s been a while since I posted, now we are well into our second month of the year and here I’m posting for the first time here since last year. 😐
I’ve published some source code for some game data extraction tools I had made in the past on github if people are interested in the FoxEngine or Halo Online you can find them here: https://github.com/cra0kalo?tab=repositories
Project7-net Dump/Crack/Leak
Absolutely disgusting,
I can’t even be bothered with explaining more info here:
https://cra0vision.net/forum/threads/project-7-free-weekend.434/
VAC3 Changes
I’m going to refrain from posting public information about VAC from this post forward. They seem to have noticed we are using the .text section of the modules to keep track of modules and the timestamps to determine if any updates occurred.
The .rdata seems to be merged now with the code section (.text) so we can’t really use section hashes anymore.
No doubt that someone new is working with the VAC team and they have read my posts or they have just picked back up from the inactivity as evident of the recent major banwaves hitting p2cs.
If we look at the pdb paths of the modules we can see that they are not like the old ones which accidentally shipped a while back
E:\p4\s3dev2\src\vac2\vac3\Release\vac3_memoryscan\win32\vac3_memoryscan.pdb
E:\p4\s3dev2\src\vac2\vac3\Release\vac3_primitives\win32\vac3_primitives.pdb
E:\p4\s3dev2\src\vac2\vac3\Release\vac3_verifyclient\win32\vac3_verifyclient.pdb
E:\p4\s3dev2\src\vac2\vac3\release\vac3_processhandle\win32\vac3_processhandle.pdb
The path has changed and I know this doesn’t exactly prove anything but It’s just something I’ve picked up.
Posted in Main
Leave a comment
