So the CSGO majors are over. Hoping for a big ban wave to flood out the idiots in the scene, I decided to do a VAC3 dump to see if anything has changed, since it’s been a good 3 months since I last looked at VAC. There were a few modules deployed prior to this month.
Counter-Strike Global Offensive Far ESP Concept #2
As mentioned previously in my other concept point, Valve have disabled the networking of dormant players in CSGO. Dormant meaning the players your client should not be rendering because they are hidden from you by occluding objects or are outside the visibility leaf in the BSP tree. More in-depth information about these concepts can be found below:
These systems are utilized on Valve’s official servers; however, there are other techniques third parties use to extend the functionality, such as the anti-wall feature in SMAC, which leagues use to prevent wallhacking. The concept presented in this post looks at another way of bypassing this and allowing the user to see the enemy players from anywhere on the map.
!!!Note I’m not going to reveal how this works just yet. This is a concept point only!!!
The Source Dedicated Server (SRCDS)
Although we are going to be looking at Valve’s own instances of srcds, which they deploy in match-making, this should work on any other server too.
There is a way, or rather various ways, to interact with the game server and receive information that is not supposed to be disclosed to you. I’m going to be utilizing one of those ways in this demonstration. There are limitations to this method, as you will soon see, but it works fine so far.
A usual competitive game in CSGO has 5 players on each team. One of the players is used as a relay who captures the enemy player information (e.g. position data/health/current weapon) and relays that information to the other connected players. To make the connection easier a server is utilized. Here is a diagram:
Our 5th player (modified spectator client) is receiving data from the game server for all connected players (friendly/enemy). This information is then sent to the relay server which then broadcasts it to each of the other four connected clients. Information can be received and either drawn on a mini-map radar or can be drawn as an ESP like so:
The advantages and disadvantages are pretty obvious. You get the information you need about the enemy team but you pay the price of a fifth player being absent.
This concept could be improved drastically if the requirement of a 5th connected player was removed. Maybe have an external client connected somehow? Any questions, contact me via email me[AT]cra0.net or twitter @cra0kalo
I’m a fan of 010 Editor’s templating system, where you can write layouts for hex dumps or file formats; I use it in almost all of my research/reversing. More information about that can be found here. Even though the hex editor has a built-in system to open a live process’s memory, it’s not really great. I needed a system where the data I was looking at was live and updated almost instantaneously, so I wrote LiveDump. LiveDump is a simple memory dumper which will either dump a region of memory once to a file or constantly dump it every X milliseconds; this way I can see the data updated almost live in 010 Editor and make use of its templating to reverse a portion of a data structure or class object. There are things like ReClass which are purposely built for this reason, which I do use; however, my own personal preference is the templating feature built into 010 Editor, as it’s very robust and you can incorporate loops and logic into it to display the data how you want it.
Usage: Select the process from the process list, then enter an address and size. The address and size input fields accept both decimal and hexadecimal numbers; if your input is hexadecimal you must add a ‘0x’ prefix or ‘h’ postfix to the value. Now either begin dumping continuously to a file by hitting “Begin Dump”, or hit “Dump Once” if you wish to dump only once.
So someone uploaded a pretty dodgy-looking binary to unknowncheats.me, and since I moderate the uploaded files and determine whether they are safe or not, I decided to take a look at the particular submission. It turned out to be a safe Cheat Engine trainer (SFX). Cheat Engine allows you to create trainers which include the Cheat Engine base along with the Cheat Engine table, which stores the basic offsets and memory edits a user would have created; they allow this to be saved in an ‘encrypted’ manner to stop script kiddies from stealing each other’s CE tables. The author stated in the source code that this is very trivial but stops most of the idiots who have no idea what they are doing from stealing tables. Anyway, I wrote a small tool to automatically decrypt them back into plaintext XML. Sorry kids, no binary here 🙂
For all that don’t know (and no, I’m not referring to Blizzard’s new game), CSGO has a system called Overwatch where basically people who have been reported for cheating get their demos reviewed by other players, or “overwatchers”. Typically these demos are stripped of all (most?) information about the suspected cheater, including their name, text chat, gun names (if any custom names are given to weapons) and other player names, leaving the person watching the demo unaware of who it is they are reviewing. Now this is great, as hopefully people who are doing these Overwatch cases are not biased towards a certain player because of their name/display picture or even inventory. But hey, in my opinion it’s no fun, so I’ve made this tool which will reveal the suspected player 😛
It’s been a while since I’ve posted anything here, though it’s not because I haven’t been doing anything; actually I’ve been more productive in these few months than before.
So I’ve been working on many things, mainly cVision, which will soon be up here. Dynamic code generation has been something I’ve been studying with cVision, basically rendering any sort of signature scanning or code hashing useless. With that out of the way, cVision is sort of done; at least the application side is all functioning. If you’re reading this and are interested in purchasing a copy, get in contact with me.
As for other stuff, well, I’ve started working on the Insomniac Games engine again with Ratchet and Clank; I’ll post more about that later.
Valve released an update to CSGO which basically put PVS to use. This update would not network entities (in our case the enemy players) that were not in the visibility leaf of the player. Later on they released another update which brought this concept of player occlusion: the server would now not send any data of enemy players when they were not visible. It wasn’t as bad as what SMAC does, but it ended the life of the far ESP cheat in the game; you could no longer see enemy players unless they were close to you.
Since this is handled server side there is no real feasible way to get around this. I’ve seen this done in many other games like dota2 with its fog of war system.
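As an added illustration (not Valve's, SMAC's or this blog's code) of the server-side gate described here and in the concept #2 post above: a toy model in which the server replicates an enemy entity to a client only when the enemy's leaf is in the client's PVS and no occluder blocks the line of sight. The grid leaves, the PVS table and the wall box are constructed sample data, not real map data.

```python
# Added example (not Valve's, SMAC's or the post's code): a toy model of the
# server-side gate the post describes. An enemy entity is replicated to a
# client only if its leaf is in the client's PVS and no occluder blocks the
# line of sight. Leaf grid, PVS table and wall are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Box:
    lo: tuple  # (x, y, z) min corner
    hi: tuple  # (x, y, z) max corner

def segment_hits_box(a, b, box):
    """Slab test: does the segment a->b intersect the axis-aligned box?"""
    t0, t1 = 0.0, 1.0
    for i in range(3):
        d = b[i] - a[i]
        if abs(d) < 1e-9:  # parallel to this slab: must already be inside it
            if a[i] < box.lo[i] or a[i] > box.hi[i]:
                return False
            continue
        ta, tb = (box.lo[i] - a[i]) / d, (box.hi[i] - a[i]) / d
        if ta > tb:
            ta, tb = tb, ta
        t0, t1 = max(t0, ta), min(t1, tb)
        if t0 > t1:
            return False
    return True

def leaf_of(pos, leaf_size=512.0):
    """Toy leaf lookup on a grid; a real server walks the BSP tree instead."""
    return (int(pos[0] // leaf_size), int(pos[1] // leaf_size))

def should_network(viewer_eye, target_pos, occluders, pvs):
    """Decide whether target_pos is replicated to this viewer, with a reason."""
    v_leaf, t_leaf = leaf_of(viewer_eye), leaf_of(target_pos)
    if t_leaf != v_leaf and t_leaf not in pvs.get(v_leaf, set()):
        return False, "outside PVS"
    # test feet and head so a peeking or crouching target is not culled early
    head = (target_pos[0], target_pos[1], target_pos[2] + 64.0)
    for sample in (target_pos, head):
        if not any(segment_hits_box(viewer_eye, sample, b) for b in occluders):
            return True, "visible"
    return False, "occluded"

WALL = Box((200.0, -50.0, 0.0), (210.0, 50.0, 128.0))  # constructed occluder
PVS = {(0, 0): {(0, 0), (1, 0)}}  # constructed: leaf (0,0) sees itself + (1,0)

def demo(eye=(0.0, 0.0, 64.0)):
    return {"behind_wall": should_network(eye, (400.0, 0.0, 0.0), [WALL], PVS),
            "around_wall": should_network(eye, (400.0, 300.0, 0.0), [WALL], PVS),
            "far_leaf": should_network(eye, (400.0, 900.0, 0.0), [WALL], PVS)}
```

The gate only covers entity replication; a server operator auditing this mitigation has to apply the same decision to every other channel that carries enemy positions, or that channel becomes the leak described below.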
Since there is no way to get around this I thought to myself hmm well the enemy player positions show up on the radar when a friendly spots an enemy. Know where I’m going with this 😛
The remedy to the far ESP fix is to use this data to draw boxes around the enemy when they are out of view because of the visibility check. Lucky for us the data they store in the radar structure is world coordinates XYZ instead of the 2D ones relative to the map.
So taking a look at the data where the radar is stored here is what I was able to reverse:
Here is an example with live data:
And so when the enemy is spotted by one of your team members, using this data, which is networked unlike the entity data, we get this.
Now I know it doesn’t solve the problem, but it helps seeing them when they are visible to one of your team members.